FWIW, here too... PROTO=6 65.80.225.117:1023 XX.XX.XX.XX:22 L=48 S=0x00 I=35824 F=0x4000 T=52 SYN (#47) PROTO=6 202.105.200.125:1785 XX.XX.XX.XX:21 L=60 S=0x00 I=33878 F=0x4000 T=45 SYN (#47) PROTO=6 64.108.63.210:1161 XX.XX.XX.XX:21 L=48 S=0x00 I=36837 F=0x4000 T=112 SYN(#47) PROTO=6 64.111.152.180:2626 XX.XX.XX.XX:21 L=48 S=0x00 I=52796 F=0x4000 T=112 SYN(#47) PROTO=6 24.93.8.130:2351 XX.XX.XX.XX:21 L=64 S=0x00 I=41993 F=0x4000 T=16 SYN(#47) TCP 64.111.152.180:2849 XX.XX.XX.XX:21 L=48 S=0x00 I=53544 F=0x0040 T=112 TCP 24.93.8.130:2573 XX.XX.XX.XX:21 L=64 S=0x00 I=42663 F=0x0040 T=16 TCP 202.105.200.125:3192 XX.XX.XX.XX:21 L=60 S=0x00 I=38494 F=0x0040 T=46 TCP 64.108.63.210:1590 XX.XX.XX.XX:21 L=48 S=0x00 I=39346 F=0x0040 T=112 each entry repeated many times and across each of the servers on my network. K Andrew Doran wrote: I got one too... Jun 25 15:11:06 : Packet log: input REJECT eth0 PROTO=6 210.102.23.70:4902 aaa.bbb.ccc.ddd.eee:111 L=60 S=0x00 I=28779 F=0x4000 T=49 SYN (#8) -----Original Message----- From: Tony Lambiris [mailto:tlambirisat_private] Sent: Monday, June 25, 2001 1:33 PM To: r.fulton; incidents Subject: RE: massive lpr exploit attempt I had only recieved one of these entry in my log file: Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608 fxp0 @0:1 b 155.135.31.128,1100 -> xx.xx.xx.xx,515 PR tcp len 20 60 -S IN > -----Original Message----- > From: r.fultonat_private [mailto:r.fultonat_private] > Sent: Sunday, June 24, 2001 6:42 PM > To: incidentsat_private > Subject: massive lpr exploit attempt > > > Yesterday (Sunday 24th) we were attacked from several different IP > using an iterated X86 lpr exploit against any machine that response on > port 515. Even though we block 515 for the vast bulk of our addresses > I logged over 80,000 probes to the 20 or so addresses that responded! > > These attacks are the same as I saw a few months ago (hmm... I'm sure > I posted something about them then but I can't find anything in the > archives). One feature of these attacks is that while the attacker is > trying exploits on port 515 they are also making connection attempts on > port 3897 (presumably looking for a root shell that signals that one of > the exploits succeeded). Thus if you run argus then you can pick up > any successful exploits by dumping all established tcp sessions to port > 3897. > > Overall there were 25 source addresses involved and at one time there > were 10 active at once. Since this attack requires tcp connections to > deliver the exploit I don't believe any of these were decoys. > > At midnight -- well 23:16 (local time) the activity stopped (odd - > probably coincidence), however I have seen at least 10 lpr scans of > another class C network that I monitor this morning. Since there are > no machines on this network that respond to lpr probes I can't state > with any certainty that these are the same tool/worm/whatever although > the scans look the same. > > This activity puzzles me. If this is some sort of coordinated attack > then it seems very wasteful of resources why repeat the attack from > so many different sources? One possible explaination is that the > different attackers were trying different offset ranges in their > exploits -- I have the tcp dump logs from snort if anyone wants to test > this hypothetis. > > The other possible explaination is that this attack has now been loaded > into a worm, but if that is the case why the relatively narrow time > window. (time will tell if this is a small part of a wider > distribution and that the clump is just coincidence). > > Cheers, Russell. > > > Russell Fulton, Computer and Network Security Officer > The University of Auckland, New Zealand > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 18:06:57 PDT