Re: massive lpr exploit attempt

From: E Kelly Bond (ekbondat_private)
Date: Tue Jun 26 2001 - 18:03:33 PDT


    FWIW, here too...
    
    PROTO=6 65.80.225.117:1023 XX.XX.XX.XX:22 L=48 S=0x00 I=35824 F=0x4000 T=52 SYN (#47)
    
    PROTO=6 202.105.200.125:1785 XX.XX.XX.XX:21 L=60 S=0x00 I=33878 F=0x4000 T=45 SYN (#47)
    
    PROTO=6 64.108.63.210:1161 XX.XX.XX.XX:21 L=48 S=0x00 I=36837 F=0x4000 T=112 SYN(#47)
    
    PROTO=6 64.111.152.180:2626 XX.XX.XX.XX:21 L=48 S=0x00 I=52796 F=0x4000 T=112 SYN(#47)
    
    PROTO=6 24.93.8.130:2351 XX.XX.XX.XX:21 L=64 S=0x00 I=41993 F=0x4000 T=16 SYN(#47)
    
    TCP 64.111.152.180:2849 XX.XX.XX.XX:21 L=48 S=0x00 I=53544 F=0x0040 T=112
    
    TCP 24.93.8.130:2573 XX.XX.XX.XX:21 L=64 S=0x00 I=42663 F=0x0040 T=16
    
    TCP 202.105.200.125:3192 XX.XX.XX.XX:21 L=60 S=0x00 I=38494 F=0x0040 T=46
    
    TCP 64.108.63.210:1590 XX.XX.XX.XX:21 L=48 S=0x00 I=39346 F=0x0040 T=112
    
    each entry repeated many times and across each of the servers on my
    network.
    
    K
    
    
    
    Andrew Doran wrote:
    
       I got one too...
       Jun 25 15:11:06 : Packet log: input REJECT eth0 PROTO=6 210.102.23.70:4902 aaa.bbb.ccc.ddd.eee:111 L=60 S=0x00 I=28779 F=0x4000 T=49 SYN (#8)
    
       -----Original Message-----
       From: Tony Lambiris [mailto:tlambirisat_private]
       Sent: Monday, June 25, 2001 1:33 PM
       To: r.fulton; incidents
       Subject: RE: massive lpr exploit attempt
    
       I had only received one of these entries in my log file:
    
       Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608 fxp0 @0:1 b 155.135.31.128,1100 -> xx.xx.xx.xx,515 PR tcp len 20 60 -S IN
    
       > -----Original Message-----
       > From: r.fultonat_private [mailto:r.fultonat_private]
       > Sent: Sunday, June 24, 2001 6:42 PM
       > To: incidentsat_private
       > Subject: massive lpr exploit attempt
       >
       >
       > Yesterday (Sunday 24th) we were attacked from several different IPs
       > using an iterated X86 lpr exploit against any machine that responds
       > on port 515.  Even though we block 515 for the vast bulk of our
       > addresses I logged over 80,000 probes to the 20 or so addresses that
       > responded!
       >
       > These attacks are the same as I saw a few months ago (hmm...  I'm
       > sure I posted something about them then but I can't find anything in
       > the archives). One feature of these attacks is that while the
       > attacker is trying exploits on port 515 they are also making
       > connection attempts on port 3897 (presumably looking for a root shell
       > that signals that one of the exploits succeeded).  Thus if you run
       > argus then you can pick up any successful exploits by dumping all
       > established tcp sessions to port 3897.
       >
       > Overall there were 25 source addresses involved and at one time there
       > were 10 active at once.  Since this attack requires tcp connections
       > to deliver the exploit I don't believe any of these were decoys.
       >
       > At midnight -- well 23:16 (local time) the activity stopped (odd -
       > probably coincidence), however I have seen at least 10 lpr scans of
       > another class C network that I monitor this morning.  Since there are
       > no machines on this network that respond to lpr probes I can't state
       > with any certainty that these are the same tool/worm/whatever
       > although the scans look the same.
       >
       > This activity puzzles me.  If this is some sort of coordinated attack
       > then it seems very wasteful of resources; why repeat the attack from
       > so many different sources?  One possible explanation is that the
       > different attackers were trying different offset ranges in their
       > exploits -- I have the tcp dump logs from snort if anyone wants to
       > test this hypothesis.
       >
       > The other possible explanation is that this attack has now been
       > loaded into a worm, but if that is the case why the relatively narrow
       > time window.  (time will tell if this is a small part of a wider
       > distribution and that the clump is just coincidence).
       >
       > Cheers, Russell.
       >
       >
       > Russell Fulton, Computer and Network Security Officer
       > The University of Auckland,  New Zealand
       >
       >
    
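As an added example (not part of this thread, and not any poster's own tooling), the script below parses the ipchains-style packet-log lines quoted above and applies the detection idea from Russell's message: a source that probes port 515 and also tries to reach port 3897 is the one to check for a successful lpr exploit. The log lines inside it are constructed, using RFC 5737 documentation addresses; port 515 and the 3897 callback port come from the thread. Note that a firewall REJECT log only shows attempts, so an actual established session on 3897 still has to come from a flow record such as the argus dump Russell describes.

```python
import re
from collections import defaultdict

# Matches the ipchains-style packet-log entries quoted in the thread, e.g.
#   ... PROTO=6 <src>:<sport> <dst>:<dport> L=60 S=0x00 I=28779 F=0x4000 T=49 SYN (#8)
# and the shorter "TCP <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.." form.
# Anything before the PROTO=/TCP token (timestamp, "Packet log: input REJECT eth0")
# is ignored; the masked destination (XX.XX.XX.XX) is accepted as a plain token.
LOG_RE = re.compile(
    r"(?:PROTO=(?P<proto>\d+)|\bTCP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"L=(?P<len>\d+)\s+S=0x[0-9a-fA-F]+\s+I=\d+\s+F=0x[0-9a-fA-F]+\s+T=(?P<ttl>\d+)"
    r"(?P<syn>\s*SYN)?"
)

# Constructed sample log (documentation addresses), not taken from any poster.
SAMPLE_LOG = """\
Jun 25 15:11:06 : Packet log: input REJECT eth0 PROTO=6 192.0.2.10:4902 203.0.113.5:515 L=60 S=0x00 I=28779 F=0x4000 T=49 SYN (#8)
Jun 25 15:11:07 : Packet log: input REJECT eth0 PROTO=6 192.0.2.10:4903 203.0.113.5:3897 L=60 S=0x00 I=28780 F=0x4000 T=49 SYN (#8)
Jun 25 15:11:09 : Packet log: input REJECT eth0 PROTO=6 192.0.2.10:4904 203.0.113.6:515 L=60 S=0x00 I=28781 F=0x4000 T=49 SYN (#8)
Jun 25 15:12:01 : Packet log: input REJECT eth0 PROTO=6 198.51.100.7:1023 203.0.113.5:22 L=48 S=0x00 I=35824 F=0x4000 T=52 SYN (#47)
Jun 25 15:12:30 : Packet log: input REJECT eth0 PROTO=6 198.51.100.8:1785 203.0.113.5:21 L=60 S=0x00 I=33878 F=0x4000 T=45 SYN (#47)
Jun 25 15:13:00 : Packet log: input REJECT eth0 PROTO=6 198.51.100.9:2000 203.0.113.5:515 L=48 S=0x00 I=1 F=0x4000 T=112 SYN(#47)
Jun 25 15:13:01 : Packet log: input REJECT eth0 PROTO=17 198.51.100.9:2001 203.0.113.5:515 L=48 S=0x00 I=2 F=0x4000 T=112 (#47)
TCP 198.51.100.8:2573 203.0.113.5:21 L=64 S=0x00 I=42663 F=0x0040 T=16
Jun 25 15:13:02 kernel: unrelated line
"""


def parse_line(line):
    """Return a dict for one packet-log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    # The bare "TCP ..." variant carries no PROTO= field; it is TCP by definition.
    proto = int(m.group("proto")) if m.group("proto") else 6
    return {
        "proto": proto,
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "len": int(m.group("len")),
        "ttl": int(m.group("ttl")),
        "syn": m.group("syn") is not None,
    }


def analyze(lines, probe_port=515, callback_port=3897):
    """Count TCP hits per destination port and flag sources seen on both
    the probed service port and the callback port."""
    counts = defaultdict(int)      # hits per destination port
    sources = defaultdict(set)     # distinct source addresses per destination port
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6:   # keep TCP only; UDP/ICMP are skipped
            continue
        counts[rec["dport"]] += 1
        sources[rec["dport"]].add(rec["src"])
    suspects = sources.get(probe_port, set()) & sources.get(callback_port, set())
    return {
        "counts": dict(counts),
        "sources": {port: sorted(addrs) for port, addrs in sources.items()},
        "probe_and_callback": sorted(suspects),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for port, n in sorted(report["counts"].items()):
        print(f"port {port}: {n} hits from {report['sources'][port]}")
    print("probe 515 + callback 3897 from:", report["probe_and_callback"])
```

Run it against a real kernel log with `analyze(open("/var/log/messages").read().splitlines())`; every hit is counted, so a source appearing in `probe_and_callback` only says it tried both ports, and the accepted-session check has to be done on flow data.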
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 18:06:57 PDT