On Fri, 20 Apr 2001, Jim Forster wrote:

> I had the same thing here over the past few days. Initial SYN scans of the
> network, then 350+ attempts to get into a staging NT server via 515 Linux
> LPR exploit. Odd.

Actually, this is not odd; it merely demonstrates the tactics used by the blackhat community, specifically script kiddies. As many of you know, script kiddies focus on a few exploits, then probe hundreds of thousands of systems for these few vulnerabilities.

Traditionally, blackhats and script kiddies would first determine if a system is vulnerable. Once determined, they would then launch the exploit. Tactics have changed as script kiddies have become lazy. Now they merely search for a specific service; once identified, they launch their attack. In your case, you most likely have a script kiddie using an 'auto rooter' or worm that is attempting to exploit a well-known Linux LPR vulnerability. The tool searches for this service; when identified, it launches. If successful, they have root. If it fails, they simply move on to the next victim. Why bother taking the extra step and time to determine if you are vulnerable (and even the correct OS) when you can just launch the attack and let that determine it for you?

We have confirmed this brute force approach with the Honeynet Project. We have several different operating systems within our Honeynet, including both Linux and Solaris. Often both systems are attacked with the same exploit, even though the attacks are architecture dependent (such as x86 or SPARC). For example, during the month of January our Solaris honeypot was hit with over 20 x86 rpc.statd attacks.

The reason you see repeated LPR attempts (which is VERY common for this exploit) is that the attack is most likely going through a series of different offsets for the exploit.

Hope this helps :)

lance
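The pattern Jim and Lance describe (a SYN sweep, then a burst of connections to port 515 from the same source as the tool walks its offset list) is easy to pull out of firewall logs. The following is an added example, not code from the original post or from the Honeynet Project: it assumes iptables-style kernel LOG lines (the `SRC= DST= PROTO= SPT= DPT=` fields), and the log entries, addresses and thresholds are constructed for illustration. Function and variable names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data: documentation-range addresses, not real hosts.
SCANNER = "203.0.113.7"       # hypothetical auto-rooter source
TARGET = "192.0.2.10"         # hypothetical staging server
PRINT_CLIENT = "198.51.100.5" # hypothetical legitimate lpd client

def _line(src, dst, sport, dport, seq):
    """Build one iptables-style LOG line (constructed, syslog + kernel format)."""
    return (f"Apr 20 03:{12 + seq // 60:02d}:{seq % 60:02d} gw kernel: IN=eth0 OUT= "
            f"SRC={src} DST={dst} PROTO=TCP SPT={sport} DPT={dport} SYN")

def build_sample_log():
    """Constructed log: a port sweep, a burst of 515 hits, and benign print traffic."""
    lines, seq = [], 0
    # 1) the initial SYN sweep of common ports from the scanner
    for port in (21, 22, 23, 25, 53, 80, 111, 515):
        lines.append(_line(SCANNER, TARGET, 1024 + seq, port, seq))
        seq += 1
    # 2) twelve back-to-back connections to 515: the tool cycling through offsets
    for i in range(12):
        lines.append(_line(SCANNER, TARGET, 2000 + i, 515, seq))
        seq += 1
    # 3) a legitimate print client spooling two jobs, which must not be flagged
    for i in range(2):
        lines.append(_line(PRINT_CLIENT, TARGET, 3000 + i, 515, seq))
        seq += 1
    return lines

FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def parse(line):
    """Extract the TCP 4-tuple from a LOG line; None for lines without it."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "spt": int(m["spt"]), "dpt": int(m["dpt"])}

def connection_attempts(lines, port):
    """Count SYNs per (src, dst) pair aimed at `port`."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["dpt"] == port and line.rstrip().endswith("SYN"):
            counts[(rec["src"], rec["dst"])] += 1
    return counts

def ports_probed(lines):
    """Distinct destination ports each source touched (evidence of the sweep)."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec:
            seen[rec["src"]].add(rec["dpt"])
    return seen

def find_autorooter_bursts(lines, port=515, min_attempts=10):
    """Flag sources that hammered `port` at least `min_attempts` times.

    The number of other ports the source swept is reported alongside, so a
    reviewer can tell a scan-then-exploit tool from a print client retrying.
    """
    attempts = connection_attempts(lines, port)
    probed = ports_probed(lines)
    hits = []
    for (src, dst), n in attempts.items():
        if n >= min_attempts:
            hits.append({"src": src, "dst": dst, "attempts": n,
                         "ports_swept": len(probed[src])})
    return hits

if __name__ == "__main__":
    for h in find_autorooter_bursts(build_sample_log()):
        print(f"{h['src']} -> {h['dst']}: {h['attempts']} SYNs to 515 "
              f"after sweeping {h['ports_swept']} ports")
```

The threshold is the only tunable that matters: a real lpd client that cannot reach a spooler will also retry, so the count alone is a weak signal, and the preceding port sweep from the same source is what distinguishes the auto-rooter behaviour Lance describes from an ordinary print client. On a host that does not run lpd at all, any SYN to 515 is worth logging regardless of count.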
This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 13:37:49 PDT