Repeated LPR attacks against wrong OS

From: Lance Spitzner (lanceat_private)
Date: Sun Apr 22 2001 - 06:15:59 PDT


    On Fri, 20 Apr 2001, Jim Forster wrote:
    
    > I had the same thing here over the past few days.  Initial SYN scans of the
    > network, then 350 + attempts to get into a staging NT server via 515 Linux
    > LPR exploit.   Odd.
    
    Actually, this is not odd, it merely demonstrates the tactics used
    by the blackhat community, specifically script kiddies.  As many of
    you know, script kiddies focus on a few exploits, then probe hundreds
    of thousands of systems for these few vulnerabilities.  Traditionally,
    blackhats, and script kiddies, would first determine if a system is
    vulnerable.  Once determined, they would then launch the exploit.
    
    Tactics have changed as script kiddies have become lazy.  Now, they just
    search for a specific service; once it is identified, they launch their
    attack.  In your case, you most likely have a script kiddie using an
    'auto rooter' or worm that is attempting to exploit a well-known Linux
    LPR vulnerability.  The tool searches for this service; when it is identified,
    it launches.  If it succeeds, they have root.  If it fails, they simply
    move on to the next victim.  Why bother taking the extra step and time
    to determine if you are vulnerable (and even the correct OS) when you
    can just launch the attack and let that determine it for you?
    
    We have confirmed this brute force approach with the Honeynet Project.
    We have several different operating systems within our Honeynet, to
    include both Linux and Solaris.  Often both systems are attacked with
    the same exploit, even though the attacks are architecture dependent
    (such as x86 or SPARC).  For example, during the month of January our
    Solaris honeypot was hit with over 20 x86 rpc.statd attacks.
    
    The reason you see repeated LPR attempts (which is VERY common for this
    exploit) is the attack is most likely going through a series of different
    offsets for the exploit.
    
    Hope this helps :)
    
    lance
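One way a defender can pick out the pattern Lance describes above (a burst of connections to port 515 from one source, often against a host that is not even Linux), as an added example that is not part of the original thread; the simplified iptables-LOG-style line format, the asset inventory, the sample lines and the thresholds are all constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical asset inventory (constructed): which OS each server runs.
INVENTORY = {"192.0.2.10": "Windows NT", "192.0.2.11": "Linux"}
# Constructed log lines in a simplified iptables-LOG style (not from the thread):
SAMPLE_LOG = (
    # an initial SYN scan of the NT host, one packet per port
    [f"Apr 20 02:10:{s:02d} SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={p}"
     for s, p in enumerate((21, 23, 25, 111, 515))]
    # then a burst of connections to 515 on the same NT host (offset cycling)
    + [f"Apr 20 02:11:{s:02d} SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=515"
       for s in range(12)]
    # two ordinary print jobs from an internal client to the Linux print server
    + ["Apr 20 02:12:00 SRC=192.0.2.50 DST=192.0.2.11 PROTO=TCP DPT=515",
       "Apr 20 02:40:00 SRC=192.0.2.50 DST=192.0.2.11 PROTO=TCP DPT=515"]
)
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)$")

def parse_line(line, year=2001):
    """Return (timestamp, src, dst, dport), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])

def find_lpr_bursts(lines, inventory, port=515, threshold=5, window_seconds=60):
    """Flag (src, dst) pairs with >= threshold hits on port inside window_seconds."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == port:
            hits[(parsed[1], parsed[2])].append(parsed[0])
    findings = []
    for (src, dst), times in hits.items():
        times.sort()
        best, start = 0, 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # os_mismatch: the attacker fired a Linux exploit at a known non-Linux host
            target_os = inventory.get(dst, "unknown")
            findings.append({"src": src, "dst": dst, "hits_in_window": best,
                             "target_os": target_os,
                             "os_mismatch": target_os not in ("Linux", "unknown")})
    return findings
```

The internal client's two print jobs stay below the threshold, while the external source is reported with its burst size and the OS mismatch against the NT host.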
    
    This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 13:37:49 PDT