I keep getting these entries in my log file, at least 50-100 per hour. It started two weeks ago.

Tony Lambiris wrote:

> I had only received one of these entries in my log file:
>
> Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608 fxp0 @0:1 b 155.135.31.128,1100 -> xx.xx.xx.xx,515 PR tcp len 20 60 -S IN
>
> > -----Original Message-----
> > From: r.fultonat_private [mailto:r.fultonat_private]
> > Sent: Sunday, June 24, 2001 6:42 PM
> > To: incidentsat_private
> > Subject: massive lpr exploit attempt
> >
> > Yesterday (Sunday 24th) we were attacked from several different IPs
> > using an iterated x86 lpr exploit against any machine that responds on
> > port 515. Even though we block 515 for the vast bulk of our addresses,
> > I logged over 80,000 probes to the 20 or so addresses that responded!
> >
> > These attacks are the same as I saw a few months ago (hmm... I'm sure
> > I posted something about them then but I can't find anything in the
> > archives). One feature of these attacks is that while the attacker is
> > trying exploits on port 515 they are also making connection attempts on
> > port 3897 (presumably looking for a root shell that signals that one of
> > the exploits succeeded). Thus if you run argus then you can pick up
> > any successful exploits by dumping all established tcp sessions to port
> > 3897.
> >
> > Overall there were 25 source addresses involved and at one time there
> > were 10 active at once. Since this attack requires tcp connections to
> > deliver the exploit I don't believe any of these were decoys.
> >
> > At midnight -- well 23:16 (local time) the activity stopped (odd -
> > probably coincidence), however I have seen at least 10 lpr scans of
> > another class C network that I monitor this morning. Since there are
> > no machines on this network that respond to lpr probes I can't state
> > with any certainty that these are the same tool/worm/whatever, although
> > the scans look the same.
> >
> > This activity puzzles me. If this is some sort of coordinated attack
> > then it seems very wasteful of resources: why repeat the attack from
> > so many different sources? One possible explanation is that the
> > different attackers were trying different offset ranges in their
> > exploits -- I have the tcpdump logs from snort if anyone wants to test
> > this hypothesis.
> >
> > The other possible explanation is that this attack has now been loaded
> > into a worm, but if that is the case why the relatively narrow time
> > window? (Time will tell if this is a small part of a wider
> > distribution and the clump is just coincidence.)
> >
> > Cheers, Russell.
> >
> > Russell Fulton, Computer and Network Security Officer
> > The University of Auckland, New Zealand
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com

--
Pavel
IT Manager of Ixcelerator
ICQ UIN 39596913 8990192
Phone (7-095)-938-9386 (7-095)-938-9387 (7-095)-938-9388 (7-095)-3630242
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
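Russell's detection heuristic above (correlate the 515/tcp exploit attempts with the attacker's follow-up connection checks on 3897/tcp, and treat an established session to 3897 as the sign that an exploit landed) is easy to script. The following is an added example, not code from anyone in this thread. It parses IPFilter ipmon block/pass lines in the layout of Tony's log entry, reads a list of constructed argus-style flow summaries (the dict layout is my assumption, not real argus output), and reports which probing sources also hold an established 3897/tcp session to a host they probed. The addresses in the sample data are RFC 5737 documentation addresses, not the ones seen in the thread.

```python
import re
from collections import Counter, defaultdict

LPR_PORT = 515     # lpd, the service being exploited
SHELL_PORT = 3897  # port the attackers polled after each attempt (Russell's observation)

# IPFilter ipmon line, layout taken from Tony's log entry:
#   <syslog ts> <host> ipmon[pid]: <ts> <iface> @rule b|p <src>,<sport> -> <dst>,<dport>
#       PR <proto> len <hlen> <plen> [-<tcpflags>] IN|OUT
# The destination may be masked (xx.xx.xx.xx) as in the posted line, hence [\w.]+.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<iface>\S+) @\S+ (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\w.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?: (?P<flags>-[A-Z]+))? (?P<dir>IN|OUT)"
)


def parse_ipmon(line):
    """Return the fields of one ipmon block/pass line as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = (rec["flags"] or "").lstrip("-")  # "S", "AP", ... or "" for non-TCP
    return rec


def is_lpr_probe(rec):
    """A TCP SYN to 515, whether the firewall blocked it or passed it."""
    return rec is not None and rec["proto"] == "tcp" and rec["dport"] == LPR_PORT and "S" in rec["flags"]


def lpr_probe_sources(lines):
    """Count 515/tcp SYNs per source address (Pavel's '50-100 per hour' is this number over time)."""
    counts = Counter(rec["src"] for rec in map(parse_ipmon, lines) if is_lpr_probe(rec))
    return dict(counts)


def established_shell_checks(flows, port=SHELL_PORT):
    """Return {(src, dst)} for flows that completed a TCP handshake to `port`.

    `flows` is a list of constructed argus-style summaries; a RST or unanswered SYN to 3897
    is just the attacker polling, only an established session indicates a listening shell.
    """
    return {(f["src"], f["dst"]) for f in flows
            if f["proto"] == "tcp" and f["dport"] == port and f["state"] == "EST"}


def correlate(ipmon_lines, flows):
    """Classify every source that probed 515/tcp.

    ('compromise_suspected', [hosts]) if the source also holds an established 3897/tcp
    session to a host it probed, otherwise ('probe_only', []).
    """
    probed = defaultdict(set)  # src -> hosts it sent a 515 SYN to
    for rec in map(parse_ipmon, ipmon_lines):
        if is_lpr_probe(rec):
            probed[rec["src"]].add(rec["dst"])
    shells = established_shell_checks(flows)
    verdict = {}
    for src, targets in probed.items():
        hit = sorted(dst for dst in targets if (src, dst) in shells)
        verdict[src] = ("compromise_suspected", hit) if hit else ("probe_only", [])
    return verdict


# Constructed sample input (documentation addresses, not the thread's real IPs).
SAMPLE_IPMON = [
    "Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608 fxp0 @0:1 b 192.0.2.10,1100 -> 198.51.100.5,515 PR tcp len 20 60 -S IN",
    "Jun 25 09:00:12 eclipse ipmon[29285]: 09:00:12.120001 fxp0 @0:1 b 192.0.2.10,1101 -> 198.51.100.5,515 PR tcp len 20 60 -S IN",
    "Jun 25 09:00:14 eclipse ipmon[29285]: 09:00:14.877712 fxp0 @0:1 b 192.0.2.10,1102 -> 198.51.100.5,515 PR tcp len 20 60 -S IN",
    "Jun 25 09:03:41 eclipse ipmon[29285]: 09:03:41.000314 fxp0 @0:3 p 192.0.2.20,2033 -> 198.51.100.7,515 PR tcp len 20 60 -S IN",
    "Jun 25 09:03:42 eclipse ipmon[29285]: 09:03:42.501210 fxp0 @0:3 p 192.0.2.20,2033 -> 198.51.100.7,515 PR tcp len 20 1500 -AP IN",
    "Jun 25 09:04:00 eclipse ipmon[29285]: 09:04:00.113240 fxp0 @0:1 b 192.0.2.30,4455 -> 198.51.100.5,80 PR tcp len 20 60 -S IN",
    "Jun 25 09:04:02 eclipse ipmon[29285]: 09:04:02.000111 fxp0 @0:1 b 192.0.2.40,53 -> 198.51.100.5,515 PR udp len 20 48 IN",
]
SAMPLE_FLOWS = [  # constructed; the field names are an assumption, not argus's own output format
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp", "dport": 3897, "state": "RST"},
    {"src": "192.0.2.20", "dst": "198.51.100.7", "proto": "tcp", "dport": 3897, "state": "EST"},
    {"src": "192.0.2.20", "dst": "198.51.100.7", "proto": "tcp", "dport": 515, "state": "EST"},
]

if __name__ == "__main__":
    print("515/tcp SYNs per source:", lpr_probe_sources(SAMPLE_IPMON))
    for src, (status, hosts) in correlate(SAMPLE_IPMON, SAMPLE_FLOWS).items():
        print(f"{src}: {status} {hosts}")
```

Run as a script for a summary of the sample data, or import it and feed correlate() your own ipmon lines and flow records. Only SYNs to 515 are counted as probes (the -AP line is exploit payload on an already-open connection), the 80/tcp and UDP lines are ignored, and the source that probed 198.51.100.7 and then got an established 3897/tcp session to the same host is the one flagged.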
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 18:51:54 PDT