really odd traffic

From: Thomas Whipp (tkwat_private)
Date: Thu Oct 11 2001 - 09:10:58 PDT

Next message: Arta: "Re: Port 17889 - new attack?"

Previous message: James Willmore: "Re: Port 17889 - new attack?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,

	overnight I got a cmd.exe attempt to one of the
addresses within our netblock - nothing odd about that
except that this address isn't active.

Checking through our logs I found a range of other related
attacks from the same source, all to the same unused
address.  Checking our packet logs I found the following:

22:12:13 TCP:  x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN ACK 
22:12:17 TCP:  x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN PSH
ACK 
22:19:44 TCP:  x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN ACK 
22:19:47 TCP:  x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN PSH
ACK 
22:22:44 TCP:  x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN ACK 
22:22:47 TCP:  x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN PSH
ACK 
22:25:0  TCP:  x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN ACK 
22:25:3  TCP:  x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN PSH
ACK 
22:26:30 TCP:  x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN ACK 
22:26:33 TCP:  x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN PSH
ACK 
22:29:30 TCP:  x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN ACK 
22:29:33 TCP:  x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN PSH
ACK 
22:31:0  TCP:  x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN ACK 
22:31:3  TCP:  x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN PSH
ACK 

Notes:
1) This is a *full* packet log - its not filtered in any way
and it is correctly positioned to see all traffic.
2) All FIN/PSH/ACK packets appear to have carried a payload
either unicode cmd.exe or root.exe.
2) x.x.x.x is attacker
3) y.y.y.y is target

We've replicated the traffic internally to a scratch NT IIS
server but didn't see any entries in the log files.

I'm at a loss - the traffic is definatly hostile, but it
doesn't make any sense... anybody know if there are any
Windows builds that might pass traffic of this profile to
the application layer?

regards

	Tom

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Arta: "Re: Port 17889 - new attack?"
Previous message: James Willmore: "Re: Port 17889 - new attack?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 09:18:21 PDT