massive lpr exploit attempt

From: Russell Fulton (r.fultonat_private)
Date: Sun Jun 24 2001 - 15:42:21 PDT


    Yesterday (Sunday 24th) we were attacked from several different IPs 
    using an iterated x86 lpr exploit against any machine that responds on 
    port 515.  Even though we block 515 for the vast bulk of our addresses 
    I logged over 80,000 probes to the 20 or so addresses that responded!
    
    These attacks are the same as I saw a few months ago (hmm...  I'm sure 
    I posted something about them then but I can't find anything in the 
    archives). One feature of these attacks is that while the attacker is 
    trying exploits on port 515 they are also making connection attempts on 
    port 3897 (presumably looking for a root shell that signals that one of 
    the exploits succeeded).  Thus if you run argus then you can pick up 
    any successful exploits by dumping all established tcp sessions to port 
    3897.
    
    Overall there were 25 source addresses involved and at one time there 
    were 10 active at once.  Since this attack requires tcp connections to 
    deliver the exploit I don't believe any of these were decoys.
    
    At midnight -- well 23:16 (local time) the activity stopped (odd - 
    probably coincidence), however I have seen at least 10 lpr scans of 
    another class C network that I monitor this morning.  Since there are 
    no machines on this network that respond to lpr probes I can't state 
    with any certainty that these are the same tool/worm/whatever although 
    the scans look the same.
    
    This activity puzzles me.  If this is some sort of coordinated attack 
    then it seems very wasteful of resources: why repeat the attack from 
    so many different sources?  One possible explanation is that the 
    different attackers were trying different offset ranges in their 
    exploits -- I have the tcp dump logs from snort if anyone wants to test 
    this hypothesis.
    
    The other possible explanation is that this attack has now been loaded 
    into a worm, but if that is the case why the relatively narrow time 
    window?  (Time will tell if this is a small part of a wider 
    distribution and the clump is just coincidence.)
    
    Cheers, Russell.
    
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
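The detection idea in the post (a source that hammers 515/tcp and then gets an established session to 3897/tcp has most likely succeeded) as an added example, not part of the original message. The flow records are constructed, whitespace-separated lines in a simplified format, not real argus output, and the 3897 shell port is taken from the report.

```python
"""Correlate lpr (515/tcp) probe flows with established sessions to 3897/tcp.

Constructed flow format (one per line, NOT argus syntax):
    src_ip dst_ip dst_port state
where state is EST for a completed TCP handshake and SYN for an attempt
that was never answered.
"""
from collections import Counter

LPR_PORT = 515
SHELL_PORT = 3897  # port the attacker polled for a root shell, per the report

# Constructed sample: one host answers on 3897 after being probed, one does not.
FLOW_LOG = """\
10.0.0.1 192.0.2.10 515 EST
10.0.0.1 192.0.2.10 515 EST
10.0.0.1 192.0.2.10 3897 SYN
10.0.0.1 192.0.2.10 3897 EST
10.0.0.2 192.0.2.11 515 EST
10.0.0.2 192.0.2.11 3897 SYN
10.0.0.3 192.0.2.12 3897 EST
"""


def parse_flows(text):
    """Yield (src, dst, dport, state) tuples from the constructed log text."""
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, state = line.split()
            yield src, dst, int(dport), state


def analyse(text):
    """Return (probe counts per (src, dst) on 515, set of (src, dst) with EST 3897)."""
    probes, shells = Counter(), set()
    for src, dst, dport, state in parse_flows(text):
        if dport == LPR_PORT:
            probes[(src, dst)] += 1
        elif dport == SHELL_PORT and state == "EST":
            shells.add((src, dst))
    return probes, shells


def likely_compromised(text):
    """Targets with an established 3897 session from a source that also probed 515.

    An EST 3897 flow with no preceding 515 activity from the same source is
    left out; it does not match the probe-then-poll pattern described."""
    probes, shells = analyse(text)
    return sorted(dst for (src, dst) in shells if probes[(src, dst)] > 0)


def probe_sources(text):
    """Distinct sources that sent at least one 515 probe."""
    return sorted({src for src, _, dport, _ in parse_flows(text) if dport == LPR_PORT})
```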
    This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 20:22:43 PDT