
Someone Learns Remote Exploit September 2, 2007

Posted by antoxz in Informatics.

It has been a long time since I have seen an attacker use a remote exploit to attack my server. Usually, many attackers use web application programming flaws such as SQL injection, Remote File Inclusion and XSS. I found x86 shellcode in my Snort logs. Note that this Snort is installed on my own server and not on a gateway.

[**] [1:648:8] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/30-09:56:51.720999 202.46.129.23:873 -> xxx.xxx.xxx.xxx:42742
TCP TTL:57 TOS:0x0 ID:5898 IpLen:20 DgmLen:1476 DF
***A**** Seq: 0x8B948072 Ack: 0x3F0B0E6C Win: 0x5FD TcpLen: 32
TCP Options (3) => NOP NOP TS: 29658221 951688730
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:8] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/30-09:56:56.714053 202.46.129.23:873 -> xxx.xxx.xxx.xxx:42742
TCP TTL:57 TOS:0x0 ID:8299 IpLen:20 DgmLen:1476 DF
***A**** Seq: 0x8BC72C32 Ack: 0x3F0B0E6C Win: 0x5FD TcpLen: 32
TCP Options (3) => NOP NOP TS: 29659470 951693188
[Xref => http://www.whitehats.com/info/IDS181]

host 202.46.129.23
23.129.46.202.in-addr.arpa domain name pointer ares.its.ac.id.

Six months ago,
host 167.205.22.101
101.22.205.167.in-addr.arpa domain name pointer maxwell.ITB.ac.id
etc.

Nice try, guys, but it seems my firewall is dropping your connection. The security of this server is in the moderate category. The one who installed this server doesn't know security as well as I do. I just hope this mirror server is usable for you. Being paranoid is good, but giving a nice service is better. Btw, I support you learning IT security.
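
An added example, not part of the original post: a small Python parser for alerts in the format quoted above, grouping them by source address, source port and SID so that repeated hits, TCP flags and destination ports can be reviewed together. The sample log is constructed from the quoted alerts using documentation addresses, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the alerts above; addresses are documentation ranges.
SAMPLE = """\
[**] [1:648:8] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/30-09:56:51.720999 198.51.100.23:873 -> 192.0.2.10:42742
TCP TTL:57 TOS:0x0 ID:5898 IpLen:20 DgmLen:1476 DF
***A**** Seq: 0x8B948072 Ack: 0x3F0B0E6C Win: 0x5FD TcpLen: 32

[**] [1:648:8] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
08/30-09:56:56.714053 198.51.100.23:873 -> 192.0.2.10:42742
TCP TTL:57 TOS:0x0 ID:8299 IpLen:20 DgmLen:1476 DF
***A**** Seq: 0x8BC72C32 Ack: 0x3F0B0E6C Win: 0x5FD TcpLen: 32
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PRIORITY = re.compile(r"\[Priority: (\d+)\]")
FLOW = re.compile(r"(\d\d/\d\d-[\d:.]+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
FLAGS = re.compile(r"^([*A-Z12]{8}) Seq:", re.M)

def parse_alerts(text):
    """Split the log on blank lines and turn each complete alert into a dict."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        h, p, f, fl = (rx.search(block) for rx in (HEADER, PRIORITY, FLOW, FLAGS))
        if not (h and f):
            continue  # not a complete TCP/UDP alert (truncated, or no ports)
        alerts.append({
            "sid": int(h.group(2)), "msg": h.group(4),
            "priority": int(p.group(1)) if p else None, "time": f.group(1),
            "src": f.group(2), "sport": int(f.group(3)),
            "dst": f.group(4), "dport": int(f.group(5)),
            "flags": fl.group(1).replace("*", "") if fl else "",
        })
    return alerts

def summarize(alerts):
    """Count alerts per (source IP, source port, SID); collect flags and dest ports."""
    groups = defaultdict(lambda: {"count": 0, "flags": set(), "dports": set()})
    for a in alerts:
        g = groups[(a["src"], a["sport"], a["sid"])]
        g["count"] += 1
        g["flags"].add(a["flags"])
        g["dports"].add(a["dport"])
    return dict(groups)

print(summarize(parse_alerts(SAMPLE)))
```

The source port and TCP flags in each group are the fields an analyst reads to tell which host opened the connection before deciding how to treat the alert.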
