Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Always the SRC IP is my server with Source Port 139 and the destination address is a Windows client on the LAN. What do you think? Is it a false positive or should I worry?
Anyway, I have suspected that Windows client of some illegal activity for a while...
Payload:
length = 1239
000 : F8 13 5E 75 0A 8B 11 6A 01 FF 52 04 C2 04 00 8B ..^u...j..R.....
010 : 01 6A 00 FF 50 04 C2 04 00 90 90 90 90 90 90 90 .j..P...........
020 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
030 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
040 : CC CC CC CC CC CC CC 56 8B F1 E8 8A A9 F9 FF 8B .......V........
050 : 10 8B C8 FF 92 98 00 00 00 85 C0 74 2E 57 8B CE ...........t.W..
060 : E8 74 A9 F9 FF 8B 80 D0 00 00 00 8B CE 8B 78 58 .t............xX
070 : E8 64 A9 F9 FF 8B 88 D0 00 00 00 C7 44 B9 5C 14 .d..........D.\.
080 : 00 00 00 8B CE E8 B3 7C F9 FF 5F 5E C3 90 90 90 .......|.._^....
090 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
0a0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
0b0 : CC CC CC CC CC CC CC 56 57 8B F1 E8 19 A9 F9 FF .......VW.......
0c0 : 8B 80 D0 00 00 00 8B CE 8B 78 58 E8 09 A9 F9 FF .........xX.....
0d0 : 8B 88 D0 00 00 00 8B 44 B9 5C 8B 4C 24 0C 5F 83 .......D.\.L$._.
0e0 : F8 14 5E 75 0A 8B 11 6A 01 FF 52 04 C2 04 00 8B ..^u...j..R.....
0f0 : 01 6A 00 FF 50 04 C2 04 00 90 90 90 90 90 90 90 .j..P...........
100 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
110 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
120 : CC CC CC CC CC CC CC 56 8B F1 E8 AA A8 F9 FF 8B .......V........
130 : 10 8B C8 FF 92 98 00 00 00 85 C0 74 2E 57 8B CE ...........t.W..
140 : E8 94 A8 F9 FF 8B 80 D0 00 00 00 8B CE 8B 78 58 ..............xX
150 : E8 84 A8 F9 FF 8B 88 D0 00 00 00 C7 44 B9 5C 16 ............D.\.
160 : 00 00 00 8B CE E8 D3 7B F9 FF 5F 5E C3 90 90 90 .......{.._^....
170 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
180 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
190 : CC CC CC CC CC CC CC 56 57 8B F1 E8 39 A8 F9 FF .......VW...9...
1a0 : 8B 80 D0 00 00 00 8B CE 8B 78 58 E8 29 A8 F9 FF .........xX.)...
1b0 : 8B 88 D0 00 00 00 8B 44 B9 5C 8B 4C 24 0C 5F 83 .......D.\.L$._.
1c0 : F8 16 5E 75 0A 8B 11 6A 01 FF 52 04 C2 04 00 8B ..^u...j..R.....
1d0 : 01 6A 00 FF 50 04 C2 04 00 90 90 90 90 90 90 90 .j..P...........
1e0 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
1f0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
200 : CC CC CC CC CC CC CC 56 8B F1 E8 CA A7 F9 FF 8B .......V........
210 : 10 8B C8 FF 92 98 00 00 00 85 C0 74 2E 57 8B CE ...........t.W..
220 : E8 B4 A7 F9 FF 8B 80 D0 00 00 00 8B CE 8B 78 58 ..............xX
230 : E8 A4 A7 F9 FF 8B 88 D0 00 00 00 C7 44 B9 5C 15 ............D.\.
240 : 00 00 00 8B CE E8 F3 7A F9 FF 5F 5E C3 90 90 90 .......z.._^....
250 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
260 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
270 : CC CC CC CC CC CC CC 56 57 8B F1 E8 59 A7 F9 FF .......VW...Y...
280 : 8B 80 D0 00 00 00 8B CE 8B 78 58 E8 49 A7 F9 FF .........xX.I...
290 : 8B 88 D0 00 00 00 8B 44 B9 5C 8B 4C 24 0C 5F 83 .......D.\.L$._.
2a0 : F8 15 5E 75 0A 8B 11 6A 01 FF 52 04 C2 04 00 8B ..^u...j..R.....
2b0 : 01 6A 00 FF 50 04 C2 04 00 90 90 90 90 90 90 90 .j..P...........
2c0 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
2d0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
2e0 : CC CC CC CC CC CC CC 56 8B F1 E8 EA A6 F9 FF 8B .......V........
2f0 : 10 8B C8 FF 92 98 00 00 00 85 C0 74 2E 57 8B CE ...........t.W..
300 : E8 D4 A6 F9 FF 8B 80 D0 00 00 00 8B CE 8B 78 58 ..............xX
310 : E8 C4 A6 F9 FF 8B 88 D0 00 00 00 C7 44 B9 5C 0C ............D.\.
320 : 00 00 00 8B CE E8 13 7A F9 FF 5F 5E C3 90 90 90 .......z.._^....
330 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
340 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
350 : CC CC CC CC CC CC CC 56 57 8B F1 E8 79 A6 F9 FF .......VW...y...
360 : 8B 80 D0 00 00 00 8B CE 8B 78 58 E8 69 A6 F9 FF .........xX.i...
370 : 8B 88 D0 00 00 00 8B 44 B9 5C 8B 4C 24 0C 5F 83 .......D.\.L$._.
380 : F8 0C 5E 75 0A 8B 11 6A 01 FF 52 04 C2 04 00 8B ..^u...j..R.....
390 : 01 6A 00 FF 50 04 C2 04 00 90 90 90 90 90 90 90 .j..P...........
3a0 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
3b0 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
3c0 : CC CC CC CC CC CC CC 56 8B F1 E8 0A A6 F9 FF 8B .......V........
3d0 : 10 8B C8 FF 92 98 00 00 00 85 C0 74 2E 57 8B CE ...........t.W..
3e0 : E8 F4 A5 F9 FF 8B 80 D0 00 00 00 8B CE 8B 78 58 ..............xX
3f0 : E8 E4 A5 F9 FF 8B 88 D0 00 00 00 C7 44 B9 5C 0D ............D.\.
400 : 00 00 00 8B CE E8 33 79 F9 FF 5F 5E C3 90 90 90 ......3y.._^....
410 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
420 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
430 : CC CC CC CC CC CC CC 56 57 8B F1 E8 99 A5 F9 FF .......VW.......
440 : 8B 80 D0 00 00 00 8B CE 8B 78 58 E8 89 A5 F9 FF .........xX.....
450 : 8B 88 D0 00 00 00 8B 44 B9 5C 8B 4C 24 0C 5F 83 .......D.\.L$._.
460 : F8 0D 5E 75 0A 8B 11 6A 01 FF 52 04 C2 04 00 8B ..^u...j..R.....
470 : 01 6A 00 FF 50 04 C2 04 00 90 90 90 90 90 90 90 .j..P...........
480 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
490 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
4a0 : CC CC CC CC CC CC CC 56 8B F1 E8 2A A5 F9 FF 8B .......V...*....
4b0 : 10 8B C8 FF 92 98 00 00 00 85 C0 74 2E 57 8B CE ...........t.W..
4c0 : E8 14 A5 F9 FF 8B 80 D0 00 00 00 8B CE 8B 78 58 ..............xX
4d0 : E8 04 A5 F9 FF 8B 88 .......
[...]
False Positives: The x86 NOP can frequently be found in day-to-day traffic, particularly when transferring large files.
GEN:SID 1:1394
Message SHELLCODE x86 NOOP
[...]
False Positives: High. This event may be generated by applications such as ftp and http when binary data is being transferred.
A false positive can be generated if the snort sensor detects text from an IRC client or any other application that passes data plaintext. The event is generated if snort detects several (a) characters in a row - such as 'aaaaaaaaaa'.
No, they don't mention samba. But they mention "applications such as ftp/http when binary data is transferred". That does include samba.
And yes, I used to get that alert a lot with the samba, nfs and netware fileservers in my LAN. The attack pattern (90 90 90 90 90 90 90 90 90 90 90 90 90 90 and aaaaaaaaaaaaaaaaaaaaa) is so broad that it's bound to exist in any binary file of a few megabytes. I'd set up a pass rule for your fileserver or else your logs will get flooded.
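As an added example that is not from this thread, the Python script below parses the payload dump format shown above, finds every run of fourteen or more 0x90 bytes (the pattern the reply names as the trigger) and reports what sits on either side of each run. In the dump above, each 0x90 run comes right after a `ret 4` (bytes C2 04 00) and is followed by a block of 0xCC (`int 3`), which is what alignment padding between compiled functions looks like rather than a sled leading into a payload; that is the observation behind "does not appear to be valid shellcode". The first sample embedded in the script is the first five lines of the payload quoted above; the second is a constructed run with nothing recognisable around it, which the heuristic leaves for manual review. The run length and byte values come from the thread; the classification heuristic is my own and is a hint, not proof.

```python
"""Triage helper for Snort 'SHELLCODE x86 NOOP' hits (GEN:SID 1:1394).

Parses the alert payload dump format used in the thread, locates the NOP
runs that match the signature and reports the bytes around each run, so an
analyst can separate compiler alignment padding from a NOP sled that leads
into a payload. Heuristic only; it does not replace looking at the packet.
"""
import re
from typing import Dict, List, Optional

# Dump line: "<offset> : <up to 16 hex bytes> <ascii column>"
_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*(.*)$")
_HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

NOP = 0x90          # x86 'nop'
NOP_RUN_MIN = 14    # run length named in the thread as the trigger
RET = 0xC3          # x86 'ret'
RET_IMM16 = 0xC2    # x86 'ret imm16' (three bytes: C2 lo hi)
INT3 = 0xCC         # x86 'int 3'; common fill between functions in compiled code


def parse_hexdump(text: str) -> bytes:
    """Convert the 'off : xx xx ... ascii' dump into bytes.

    Tokens are consumed while they look like a hex byte, at most 16 per
    line, so the ASCII column (a single token in these dumps) is skipped.
    Lines without an offset and colon ('Payload:', 'length = ...') are ignored.
    """
    out = bytearray()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        for tok in m.group(2).split()[:16]:
            if not _HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def classify(data: bytes, start: int, end: int) -> str:
    """Label the NOP run data[start:end] by its surroundings (heuristic)."""
    prev1: Optional[int] = data[start - 1] if start >= 1 else None
    prev3: Optional[int] = data[start - 3] if start >= 3 else None
    nxt: Optional[int] = data[end] if end < len(data) else None
    follows_ret = prev1 == RET or prev3 == RET_IMM16
    if follows_ret and nxt in (INT3, None):
        return "likely alignment padding (ret -> nops -> int3 fill)"
    return "needs manual review"


def find_nop_runs(data: bytes) -> List[Dict[str, object]]:
    """Every run of NOP_RUN_MIN or more 0x90 bytes, with offset and verdict."""
    runs: List[Dict[str, object]] = []
    i, n = 0, len(data)
    while i < n:
        if data[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and data[i] == NOP:
            i += 1
        if i - start >= NOP_RUN_MIN:
            runs.append({"offset": start, "length": i - start,
                         "verdict": classify(data, start, i)})
    return runs


# First five lines of the payload quoted in the thread.
SAMPLE_DUMP = """
000 : F8 13 5E 75 0A 8B 11 6A 01 FF 52 04 C2 04 00 8B ..^u...j..R.....
010 : 01 6A 00 FF 50 04 C2 04 00 90 90 90 90 90 90 90 .j..P...........
020 : 90 90 90 90 90 90 90 CC CC CC CC CC CC CC CC CC ................
030 : CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC CC ................
040 : CC CC CC CC CC CC CC 56 8B F1 E8 8A A9 F9 FF 8B .......V........
"""

# Constructed: a NOP run with no 'ret' before it and no int3 fill after it.
CONSTRUCTED_RUN = bytes([0x41] * 4 + [NOP] * 16 + [0x41] * 4)

if __name__ == "__main__":
    for label, blob in (("thread payload", parse_hexdump(SAMPLE_DUMP)),
                        ("constructed run", CONSTRUCTED_RUN)):
        for r in find_nop_runs(blob):
            print(f"{label}: offset {r['offset']:#06x} length {r['length']}: {r['verdict']}")
```

On the thread's own dump the only run is fourteen NOPs at offset 0x19, preceded by `C2 04 00` and followed by 0xCC fill, so it is reported as padding; the ten NOPs after the `C3` at offset 0x8c are below the threshold and would not have fired the rule at all.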
This does not appear to be valid shellcode; however, if you suspect the client of malpractice it might be wise to set up permanent sniffing for a week or so and see what they get up to.
Quote:
however, if you suspect the client of malpractice it might be wise to set up permanent sniffing for a week or so and see what they get up to.
Can you give more details?
I will sniff the traffic from my suspect client.
Something like:
Code:
tcpdump -s 1515 -C 2000 -w content.lpc
Then I open it with ethereal. But, what am I looking for? What kind of traffic pattern do I have to search for?
How can I select the suspect traffic from the GBs of traffic that I sniff?
Hey, use tcpdump filters, such as "host 1.2.3.4". The tcpdump man page has much more info on this.
It will take a long time to examine manually; maybe you could knock up some perl scripts for examining the tcpdump output for the type of traffic you suspect him of.
Of course I will sniff only the traffic from the IP I am interested in. Otherwise I have to sniff more than 100GB per day. This is impossible.
My question is what should I be looking for?
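The reply above suggests filtering on `host 1.2.3.4` and scripting over the capture, and the question left open is what to look for. As an added example that is not from the thread, the Python below does the first pass most analysts start with: it reads a libpcap file of the kind `tcpdump -w` writes, keeps the TCP packets that involve the suspect host, and tallies packets, payload bytes and connection attempts per remote host and port. Unexpected destinations, odd ports and many short connection attempts then stand out in a short list instead of in gigabytes of packets. The capture it runs on is constructed inside the script from documentation addresses (192.0.2.10 as the suspect, 192.0.2.1 as the file server on port 139, 203.0.113.5 as an outside host), so it runs offline; `summarize()` takes the raw bytes of a real capture file in exactly the same way.

```python
"""First-pass summary of a 'tcpdump -w' capture for one suspect host.

Reads a libpcap file, keeps Ethernet/IPv4/TCP packets that involve the
suspect, and tallies packets, payload bytes and connection attempts per
remote host and port: who does this client talk to, how much, how often.
"""
import socket
import struct
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4  # value read with '<I' from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10

FlowKey = Tuple[str, str, int]  # (suspect ip, remote ip, remote port)


def iter_packets(pcap: bytes) -> Iterator[bytes]:
    """Yield each captured frame from libpcap bytes (either byte order)."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24  # fixed-size global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes) -> Optional[Tuple[str, str, int, int, int, int]]:
    """(src, dst, sport, dport, flags, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]  # Ethernet link type assumed
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != PROTO_TCP or len(ip) < ihl + 20 or total_len < ihl + 20:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], max(len(tcp) - data_off, 0)


def summarize(pcap: bytes, suspect: str) -> Dict[FlowKey, Dict[str, int]]:
    """Per-flow tallies for traffic to or from the suspect. Flows are keyed on
    the remote side's port (suspect assumed to be the client); 'syns' counts
    its connection attempts (SYN without ACK)."""
    flows: Dict[FlowKey, Dict[str, int]] = defaultdict(
        lambda: {"packets": 0, "bytes": 0, "syns": 0})
    for frame in iter_packets(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags, payload_len = parsed
        if src == suspect:
            key = (suspect, dst, dport)
        elif dst == suspect:
            key = (suspect, src, sport)
        else:
            continue  # a tcpdump 'host <ip>' filter would already drop these
        f = flows[key]
        f["packets"] += 1
        f["bytes"] += payload_len
        if flags & TCP_SYN and not flags & TCP_ACK:
            f["syns"] += 1
    return dict(flows)


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames: List[bytes]) -> bytes:
    """Constructed little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


SUSPECT = "192.0.2.10"  # constructed addresses from the documentation ranges


def sample_capture() -> bytes:
    """Constructed: suspect opens SMB to the file server and one outside
    connection; a third host's traffic is included to show it is ignored."""
    return build_pcap([
        build_frame(SUSPECT, "192.0.2.1", 40000, 139, TCP_SYN, b""),
        build_frame("192.0.2.1", SUSPECT, 139, 40000, TCP_SYN | TCP_ACK, b""),
        build_frame(SUSPECT, "192.0.2.1", 40000, 139, TCP_ACK, b"A" * 100),
        build_frame(SUSPECT, "203.0.113.5", 40001, 6667, TCP_SYN, b""),
        build_frame(SUSPECT, "203.0.113.5", 40001, 6667, TCP_ACK, b"B" * 30),
        build_frame("192.0.2.20", "192.0.2.1", 40002, 139, TCP_SYN, b""),
    ])


if __name__ == "__main__":
    for (who, remote, port), f in sorted(summarize(sample_capture(), SUSPECT).items()):
        print(f"{who} -> {remote}:{port}  packets={f['packets']} bytes={f['bytes']} syns={f['syns']}")
```

For a real file from the command in the thread, `summarize(open("content.lpc", "rb").read(), "1.2.3.4")` gives the same table. The parser handles the Ethernet link type only; a capture taken on a PPP or raw IP interface needs the 14-byte Ethernet step removed, and files rotated by `-C` must each be read separately.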