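###############################################################################
# Search for the rpc.ttdbserverd exploit.
#
# Strings searched for: /bin/
#
# -sili@l0pht.com
###############################################################################

# Schema for the recorder below: one int (system.time) followed by two ip
# fields (source and destination of the packet that matched).  It must
# stay in step with the `record` statement inside the filter.
the_schema = library_schema:new( 1, [ "int", "ip", "ip" ], scope() );

# Byte strings searched for in the TCP payload sent to the ttdbserverd
# port.  "/bin/" on its own is a weak signature -- legitimate ToolTalk
# traffic can carry it too -- so a hit is a lead to confirm, not proof.
tcp_exploits = [ "/bin/" ];

filter IPonyou ip() {
    # NOTE(review): $attacker, $attacked, $sport and $ttdb are not
    # declared `inside` anything, so they are shared across all packets
    # and hosts: a later GETPORT request from a different client
    # overwrites them and overlapping lookups can be missed.  Confirm
    # against the N-code scoping rules before relying on this filter
    # for more than one client at a time.

    #Watch for people connecting to portmapper, asking for ttdb.
    if (udp.dport == 111) {
        # echo ("Connection to the Portmapper\n");
        # Byte 23 of the RPC call is the low byte of the procedure
        # number; 3 is GETPORT.  The program number is the long at
        # offset 40.
        $getport=byte(udp.blob,23);
        # NOTE(review): the +65536 is unexplained here -- presumably it
        # compensates for how long() returns the value, since 100083
        # is the ttdbserverd program number; confirm before touching it.
        $program=long(udp.blob,40) + 65536;
        if (($getport == 3) && ($program == 100083)) {
            # echo("Get port for ttdb requested\n");
            # Remember who asked whom, and from which source port, so
            # the reply and the follow-up TCP connection can be tied
            # back to this request.
            $attacked=ip.dst;
            $sport=udp.sport;   #orig
            $attacker=ip.src;
        }
    }

    #Look for response from portmapper
    # A reply from port 111 back to the requester's source port carries
    # the port ttdbserverd listens on as the long at offset 24.
    if ( (udp.dport == $sport) && (udp.sport==111) && (ip.src == $attacked) && (ip.dst == $attacker) ) {
        $ttdb=long(udp.blob, 24);   #ttdb is running on this port
        # echo ("rpc.ttdbserverd is running on = ",$ttdb,"\n");
    }

    #Look for the attacker connecting to ttdb port -- TCP
    if ( (ip.src == $attacker) && (ip.dst == $attacked) && (tcp.dport == $ttdb) ) {
        # $look lives with the TCP connection and accumulates every
        # packet's payload, so a pattern split across segments is still
        # found.  It also grows for the life of the connection and is
        # never cleared.
        declare $look inside tcp.connSym;
        $look = cat ($look, ip.blob);

        # $success is a global that survives between packets.  Without
        # this reset, one hit anywhere makes `if ($success) break;`
        # stop the loop after the first pattern on every later packet,
        # so only tcp_exploits[0] would ever be checked again.
        $success=0;

        # Cycle through TCP exploit list.
        foreach $thing inside (tcp_exploits) {
            # echo ("Looking for ",$thing," ",tcp.dport,"\n");
            $found=index($look, $thing);
            if ($found >= 0) {
                $success=1;
                # echo ("EXPLOIT!\n");
                # Because $look keeps the whole connection so far, each
                # later packet on this connection matches again and is
                # recorded again -- dedupe downstream (or clear $look
                # after recording) if one alert per connection is wanted.
                record system.time, ip.src, ip.dst to the_recorder;
            }
            # Stop at the first matching pattern for this packet.
            if ($success) break;
        }
    }
}

# Output goes through the histogram backend using the schema above.
the_recorder=recorder("bin/histogram packages/test/ttdb.cfg", "the_schema");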