Hi all, overnight I got a cmd.exe attempt to one of the addresses within our netblock - nothing odd about that except that this address isn't active. Checking through our logs I found a range of other related attacks from the same source, all to the same unused address. Checking our packet logs I found the following:

22:12:13 TCP: x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:12:17 TCP: x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:19:44 TCP: x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:19:47 TCP: x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:22:44 TCP: x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:22:47 TCP: x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:25:0 TCP: x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:25:3 TCP: x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:26:30 TCP: x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:26:33 TCP: x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:29:30 TCP: x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:29:33 TCP: x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:31:0 TCP: x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:31:3 TCP: x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK

Notes:
1) This is a *full* packet log - it's not filtered in any way and it is correctly positioned to see all traffic.
2) All FIN/PSH/ACK packets appear to have carried a payload, either unicode cmd.exe or root.exe.
3) x.x.x.x is the attacker.
4) y.y.y.y is the target.

We've replicated the traffic internally to a scratch NT IIS server but didn't see any entries in the log files. I'm at a loss - the traffic is definitely hostile, but it doesn't make any sense... anybody know if there are any Windows builds that might pass traffic of this profile to the application layer?

regards
Tom

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
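A defender-side check for the pattern Tom describes, added here as an example and not part of the original post: a small parser for the packet-log format quoted above that flags any flow whose first packet in the capture carries FIN or PSH without SYN, which in a full, unfiltered capture means no handshake ever took place. The log lines are constructed, reusing the post's x.x.x.x / y.y.y.y placeholders plus a made-up z.z.z.z client for a normal connection.

```python
import re

# Matches the packet-log format quoted in the post:
#   HH:MM:SS TCP: src:port ( ) -> dst:port ( ) FLAG FLAG ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{1,2}:\d{1,2}) TCP: (?P<src>\S+):(?P<sport>\d+) \( \) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) \( \) (?P<flags>[A-Z ]+)$"
)

# Constructed sample log (not from the post): one normal connection from
# z.z.z.z that begins with SYN, followed by flows in the shape Tom reported.
SAMPLE_LOG = """
22:10:01 TCP: z.z.z.z:5000 ( ) -> y.y.y.y:80 ( ) SYN
22:10:01 TCP: z.z.z.z:5000 ( ) -> y.y.y.y:80 ( ) ACK
22:10:02 TCP: z.z.z.z:5000 ( ) -> y.y.y.y:80 ( ) PSH ACK
22:12:13 TCP: x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:12:17 TCP: x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:19:44 TCP: x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:19:47 TCP: x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:25:0 TCP: x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:25:3 TCP: x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
"""

def parse_line(line):
    """Return (timestamp, 4-tuple flow key, set of flags), or None on no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return m["ts"], flow, set(m["flags"].split())

def find_handshakeless_flows(lines):
    """Flag each flow whose FIRST packet in the capture carries FIN or PSH but no
    SYN: in a full capture a real connection must open with SYN, so no handshake."""
    first_flags = {}
    suspicious = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, flow, flags = parsed
        if flow in first_flags:
            continue  # only the opening packet of a flow decides
        first_flags[flow] = flags
        if "SYN" not in flags and ("FIN" in flags or "PSH" in flags):
            suspicious.append((ts, flow, " ".join(sorted(flags))))
    return suspicious
```

Calling `find_handshakeless_flows(SAMPLE_LOG.splitlines())` returns the three x.x.x.x flows (ports 4137, 3427, 4357) and leaves the z.z.z.z connection alone; feed it a real capture exported in the same format to triage similar traffic.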
This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 09:18:21 PDT