RE: massive lpr exploit attempt

From: Tony Lambiris (tlambirisat_private)
Date: Mon Jun 25 2001 - 11:32:53 PDT

  • Next message: Alfred Huger: "Vacation Troller, Please Ignore."

    I had only recieved one of these entry in my log file:
    
    Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608             fxp0 @0:1
    b 155.135.31.128,1100 -> xx.xx.xx.xx,515 PR tcp len 20 60 -S IN
    
    > -----Original Message-----
    > From: r.fultonat_private [mailto:r.fultonat_private]
    > Sent: Sunday, June 24, 2001 6:42 PM
    > To: incidentsat_private
    > Subject: massive lpr exploit attempt
    >
    >
    > Yesterday (Sunday 24th) we were attacked from several different IP
    > using an iterated X86 lpr exploit against any machine that response on
    > port 515.  Even though we block 515 for the vast bulk of our addresses
    > I logged over 80,000 probes to the 20 or so addresses that responded!
    >
    > These attacks are the same as I saw a few months ago (hmm...  I'm sure
    > I posted something about them then but I can't find anything in the
    > archives). One feature of these attacks is that while the attacker is
    > trying exploits on port 515 they are also making connection attempts on
    > port 3897 (presumably looking for a root shell that signals that one of
    > the exploits succeeded).  Thus if you run argus then you can pick up
    > any successful exploits by dumping all established tcp sessions to port
    > 3897.
    >
    > Overall there were 25 source addresses involved and at one time there
    > were 10 active at once.  Since this attack requires tcp connections to
    > deliver the exploit I don't believe any of these were decoys.
    >
    > At midnight -- well 23:16 (local time) the activity stopped (odd -
    > probably coincidence), however I have seen at least 10 lpr scans of
    > another class C network that I monitor this morning.  Since there are
    > no machines on this network that respond to lpr probes I can't state
    > with any certainty that these are the same tool/worm/whatever although
    > the scans look the same.
    >
    > This activity puzzles me.  If this is some sort of coordinated attack
    > then it seems very wasteful of resources  why repeat the attack from
    > so many different sources?  One possible explaination is that the
    > different attackers were trying different offset ranges in their
    > exploits -- I have the tcp dump logs from snort if anyone wants to test
    > this hypothetis.
    >
    > The other possible explaination is that this attack has now been loaded
    > into a worm, but if that is the case why the relatively narrow time
    > window.  (time will tell if this is a small part of a wider
    > distribution and that the clump is just coincidence).
    >
    > Cheers, Russell.
    >
    >
    > Russell Fulton, Computer and Network Security Officer
    > The University of Auckland,  New Zealand
    >
    >
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 10:17:46 PDT