really odd traffic

From: Thomas Whipp (tkwat_private)
Date: Thu Oct 11 2001 - 09:10:58 PDT

    Hi all,
    
    	overnight I got a cmd.exe attempt to one of the
    addresses within our netblock - nothing odd about that
    except that this address isn't active.
    
    Checking through our logs I found a range of other related
    attacks from the same source, all to the same unused
    address.  Checking our packet logs I found the following:
    
    22:12:13 TCP:  x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:12:17 TCP:  x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:19:44 TCP:  x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:19:47 TCP:  x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:22:44 TCP:  x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:22:47 TCP:  x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:25:0  TCP:  x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:25:3  TCP:  x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:26:30 TCP:  x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:26:33 TCP:  x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:29:30 TCP:  x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:29:33 TCP:  x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:31:0  TCP:  x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:31:3  TCP:  x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    
    Notes:
    1) This is a *full* packet log - it's not filtered in any way
    and it is correctly positioned to see all traffic.
    2) All FIN/PSH/ACK packets appear to have carried a payload,
    either unicode cmd.exe or root.exe.
    3) x.x.x.x is attacker
    4) y.y.y.y is target
    
    We've replicated the traffic internally to a scratch NT IIS
    server but didn't see any entries in the log files.
    
    I'm at a loss - the traffic is definitely hostile, but it
    doesn't make any sense... anybody know if there are any
    Windows builds that might pass traffic of this profile to
    the application layer?
    
    regards
    
    	Tom
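An added example (my own Python, not code from the post or the list): it parses packet-log lines in the format Tom quotes above and flags any segment that carries PSH, i.e. claims to deliver data, on a flow for which the log never showed a SYN. The sample log is constructed in the same format with documentation addresses; a normal handshake flow is included so the check shows it is not flagged.

```python
import re

# Constructed sample in the post's packet-log format (documentation
# addresses, not the poster's real hosts). Third flow is a normal handshake.
SAMPLE_LOG = """\
22:12:13 TCP:  192.0.2.10:4137 ( ) -> 198.51.100.20:80 ( ) FIN ACK
22:12:17 TCP:  192.0.2.10:4137 ( ) -> 198.51.100.20:80 ( ) FIN PSH ACK
22:15:01 TCP:  203.0.113.5:51000 ( ) -> 198.51.100.21:80 ( ) SYN
22:15:01 TCP:  198.51.100.21:80 ( ) -> 203.0.113.5:51000 ( ) SYN ACK
22:15:02 TCP:  203.0.113.5:51000 ( ) -> 198.51.100.21:80 ( ) PSH ACK
22:19:44 TCP:  192.0.2.10:3427 ( ) -> 198.51.100.20:80 ( ) FIN ACK
22:19:47 TCP:  192.0.2.10:3427 ( ) -> 198.51.100.20:80 ( ) FIN PSH ACK
"""

# One log line: "HH:MM:SS TCP:  src:sport ( ) -> dst:dport ( ) FLAGS..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{1,2}:\d{1,2})\s+TCP:\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+\(\s*\)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+\(\s*\)\s+(?P<flags>[A-Z ]*?)\s*$"
)

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["flags"] = frozenset(pkt["flags"].split())
    return pkt

def find_orphan_payloads(log_text):
    """List (ts, src, dst, flags) for PSH segments whose 4-tuple flow,
    in either direction, never had a SYN logged before them."""
    handshook = set()   # flows (client, cport, server, sport) opened by a SYN
    findings = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            handshook.add(fwd)          # client's initial SYN
        elif "PSH" in pkt["flags"] and fwd not in handshook and rev not in handshook:
            findings.append((pkt["ts"], f'{pkt["src"]}:{pkt["sport"]}',
                             f'{pkt["dst"]}:{pkt["dport"]}',
                             " ".join(sorted(pkt["flags"]))))
    return findings

if __name__ == "__main__":
    for hit in find_orphan_payloads(SAMPLE_LOG):
        print("data without handshake:", *hit)
```

Run against the real full packet log, a non-empty result is the same anomaly Tom saw: data-bearing segments for which the capture point never recorded a handshake.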
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    