Last night we saw a single machine (or at least a single IP address) attack every IIS server on campus visible from the Internet. The attack was not preceded by any obvious scan, although I have seen several systematic scans of port 80 in the last few weeks. Also, so far as I can tell from a quick sample, only IIS servers were attacked. I am wondering if this is someone trialing a 'flash' type worm...

Individual attacks looked very much like standard nimda, here are the snort logs for one attack:

<snort snarf output>

3 different signatures are present for 209.47.77.243 as a source
  * 4 instances of spp_unidecode: Invalid Unicode String detected
  * 5 instances of WEB-IIS .... access
  * 31 instances of WEB-IIS cmd.exe access

There are 1 distinct destination IPs in the alerts of the type on this page.

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:07:21.637359 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7B
209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:37968 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:07:24.641753 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7B
209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38041 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:07:30.650475 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7B
209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38206 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:07:42.664928 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7B
209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38555 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:08:06.696708 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7B
209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:39197 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:08:54.760591 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7B
209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:40431 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:974:3] WEB-IIS .... access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:10:34.518927 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x77
209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:43025 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2218]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
[Snort log]

[**] [1:974:3] WEB-IIS .... access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:10:40.501824 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x77
209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:43187 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2218]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
[Snort log]

[**] [1:974:3] WEB-IIS .... access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:10:52.516755 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x77
209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:43513 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2218]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
[Snort log]

[**] [1:974:3] WEB-IIS .... access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:11:16.550005 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x77
209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:44404 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2218]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
[Snort log]

[**] [1:974:3] WEB-IIS .... access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:12:04.615202 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x77
209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:45684 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2218]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:12:11.992873 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x89
209.47.77.243:1891 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:45909 IpLen:20 DgmLen:123 DF
***AP*** Seq: 0x6642FD14 Ack: 0xC4F680A7 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:12:13.852431 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x8C
209.47.77.243:1896 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:45970 IpLen:20 DgmLen:126 DF
***AP*** Seq: 0x665238F6 Ack: 0xC4FE1CBE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:37:34.353490 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x95
209.47.77.243:1638 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:29105 IpLen:20 DgmLen:135 DF
***AP*** Seq: 0x92A59D87 Ack: 0xDACA7498 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
02/04-20:38:32.488761 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xA8
209.47.77.243:1798 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:30991 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x94707438 Ack: 0xDB9E5DF5 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
02/04-20:38:35.419224 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xA8
209.47.77.243:1798 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:31060 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x94707438 Ack: 0xDB9E5DF5 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
02/04-20:38:41.424957 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xA8
209.47.77.243:1798 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:31303 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x94707438 Ack: 0xDB9E5DF5 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:38:48.965454 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x95
209.47.77.243:1839 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:31531 IpLen:20 DgmLen:135 DF
***AP*** Seq: 0x94E3E208 Ack: 0xDBDB63CA Win: 0x4470 TcpLen: 20
[Snort log]

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
02/04-20:38:51.331883 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x8 len:0xA7
209.47.77.243:1798 -> 130.216.2.149:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:153
***AP*** Seq: 0xDB9E695D Ack: 0x947074AA Win: 0x43FE TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:38:53.554998 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x87
209.47.77.243:1849 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:31657 IpLen:20 DgmLen:121 DF
***AP*** Seq: 0x9504B0CB Ack: 0xDBECD726 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:38:59.551558 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x87
209.47.77.243:1849 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32022 IpLen:20 DgmLen:121 DF
***AP*** Seq: 0x9504B0CB Ack: 0xDBECD726 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:39:11.568024 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x87
209.47.77.243:1849 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32355 IpLen:20 DgmLen:121 DF
***AP*** Seq: 0x9504B0CB Ack: 0xDBECD726 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:39:13.018196 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x97
209.47.77.243:1924 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32401 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x95CC571B Ack: 0xDC341154 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:39:14.421532 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x89
209.47.77.243:1928 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32446 IpLen:20 DgmLen:123 DF
***AP*** Seq: 0x95D85179 Ack: 0xDC39DDE4 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:39:15.843306 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x8F
209.47.77.243:1932 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32497 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0x95E3EAFA Ack: 0xDC402DFC Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:39:41.438956 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x95
209.47.77.243:1984 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33176 IpLen:20 DgmLen:135 DF
***AP*** Seq: 0x968CC14B Ack: 0xDC9DDE3B Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:39:47.412938 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x95
209.47.77.243:1984 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33333 IpLen:20 DgmLen:135 DF
***AP*** Seq: 0x968CC14B Ack: 0xDC9DDE3B Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:39:59.430222 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x95
209.47.77.243:1984 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33617 IpLen:20 DgmLen:135 DF
***AP*** Seq: 0x968CC14B Ack: 0xDC9DDE3B Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:40:00.934488 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x87
209.47.77.243:2033 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33673 IpLen:20 DgmLen:121 DF
***AP*** Seq: 0x972DF2C3 Ack: 0xDCE59C93 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:40:05.474174 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x87
209.47.77.243:2046 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33810 IpLen:20 DgmLen:121 DF
***AP*** Seq: 0x97524B5A Ack: 0xDCF64611 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:40:16.116988 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x8F
209.47.77.243:2082 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:34206 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0x97ABC3FA Ack: 0xDD1DDF41 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:40:19.056085 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x8F
209.47.77.243:2082 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:34281 IpLen:20 DgmLen:129 DF
***AP*** Seq: 0x97ABC3FA Ack: 0xDD1DDF41 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:41:54.996322 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x97
209.47.77.243:2312 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:36822 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9A7761A5 Ack: 0xDE856DCE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:42:34.343064 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x94
209.47.77.243:2383 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:37884 IpLen:20 DgmLen:134 DF
***AP*** Seq: 0x9B56288D Ack: 0xDF15D5F2 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:42:42.960267 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x8C
209.47.77.243:2421 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38126 IpLen:20 DgmLen:126 DF
***AP*** Seq: 0x9BC713F5 Ack: 0xDF35A162 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:42:48.953262 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x8C
209.47.77.243:2421 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38312 IpLen:20 DgmLen:126 DF
***AP*** Seq: 0x9BC713F5 Ack: 0xDF35A162 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:42:50.470597 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x99
209.47.77.243:2453 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38358 IpLen:20 DgmLen:139 DF
***AP*** Seq: 0x9C1C1426 Ack: 0xDF5164CE Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:42:54.891861 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x95
209.47.77.243:2465 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38490 IpLen:20 DgmLen:135 DF
***AP*** Seq: 0x9C3F6B03 Ack: 0xDF61EFFA Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:42:59.278223 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x90
209.47.77.243:2470 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38626 IpLen:20 DgmLen:130 DF
***AP*** Seq: 0x9C4C4EE0 Ack: 0xDF7282E1 Win: 0x4470 TcpLen: 20
[Snort log]

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:43:00.667441 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x9A
209.47.77.243:2482 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38685 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x9C6E69E7 Ack: 0xDF786E08 Win: 0x4470 TcpLen: 20

</snort snarf output>

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
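The post's SnortSnarf summary (signature counts for one source, number of distinct destinations) is exactly the aggregation an analyst wants when one address appears to be working through every web server on a network. The script below is an added example, not part of Russell's post or of Snort/SnortSnarf: it parses alert blocks in Snort's "full" alert layout (the same layout the post quotes), builds the per-source summary, and flags sources whose alerts fan out across many distinct destinations, which is the pattern that distinguishes a sweep from a single-host incident. The alert text in `SAMPLE_ALERTS` is constructed for the example; the addresses are documentation ranges, not hosts from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in Snort "full" alert layout. Addresses, ports and IP
# IDs are made up; the signature names and block structure follow the
# format quoted in the post (note the preprocessor alert has no
# Classification/Priority line, just as spp_unidecode alerts do).
SAMPLE_ALERTS = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:07:21.637359 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7B
192.0.2.10:1220 -> 198.51.100.5:80 TCP TTL:108 TOS:0x0 ID:37968 IpLen:20 DgmLen:109 DF
***AP*** Seq: 0x5E02843B  Ack: 0xC0CEDCBE  Win: 0x4470  TcpLen: 20

[**] [1:974:3] WEB-IIS .... access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:10:34.518927 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x77
192.0.2.10:1659 -> 198.51.100.5:80 TCP TTL:108 TOS:0x0 ID:43025 IpLen:20 DgmLen:105 DF
***AP*** Seq: 0x6369055C  Ack: 0xC38E8839  Win: 0x4470  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2218]

[**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
02/04-20:38:32.488761 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xA8
192.0.2.10:1798 -> 198.51.100.7:80 TCP TTL:108 TOS:0x0 ID:30991 IpLen:20 DgmLen:154 DF
***AP*** Seq: 0x94707438  Ack: 0xDB9E5DF5  Win: 0x4470  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-20:39:13.018196 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x97
192.0.2.10:1924 -> 198.51.100.9:80 TCP TTL:108 TOS:0x0 ID:32401 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x95CC571B  Ack: 0xDC341154  Win: 0x4470  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/04-21:02:00.000000 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x97
203.0.113.4:4001 -> 198.51.100.5:80 TCP TTL:108 TOS:0x0 ID:1 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x00000001  Ack: 0x00000002  Win: 0x4470  TcpLen: 20
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
TIME_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
ADDR_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+) ")


@dataclass
class Alert:
    sid: str            # generator:sid:rev, e.g. "1:1002:2"
    msg: str            # rule message, e.g. "WEB-IIS cmd.exe access"
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    priority: Optional[int] = None   # preprocessor alerts carry no priority


def _build(fields: dict) -> Optional[Alert]:
    """Turn the fields collected for one block into an Alert, or None if the
    block lacked its address line (truncated or corrupt output)."""
    if "src" not in fields or "timestamp" not in fields:
        return None
    return Alert(**fields)


def parse_alerts(text: str) -> List[Alert]:
    """Parse Snort full-format alert text; a new block starts at each [**] header."""
    alerts: List[Alert] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            if current is not None and (a := _build(current)):
                alerts.append(a)
            current = {"sid": m.group(1), "msg": m.group(2)}
            continue
        if current is None:
            continue            # text before the first header
        if (m := PRIORITY_RE.search(line)):
            current["priority"] = int(m.group(1))
        elif (m := TIME_RE.match(line)):
            current["timestamp"] = m.group(1)
        elif (m := ADDR_RE.match(line)):
            current.update(src=m.group(1), sport=int(m.group(2)),
                           dst=m.group(3), dport=int(m.group(4)),
                           proto=m.group(5))
    if current is not None and (a := _build(current)):
        alerts.append(a)
    return alerts


def summarise_by_source(alerts: List[Alert]) -> Dict[str, dict]:
    """SnortSnarf-style view: per source, a Counter of signature messages and
    the set of distinct destination hosts."""
    per_src: Dict[str, dict] = {}
    for a in alerts:
        entry = per_src.setdefault(a.src, {"signatures": Counter(), "destinations": set()})
        entry["signatures"][a.msg] += 1
        entry["destinations"].add(a.dst)
    return per_src


def fan_out_sources(alerts: List[Alert], min_destinations: int = 3) -> List[str]:
    """Sources whose alerts touched at least min_destinations distinct hosts:
    a single attacker sweeping many servers rather than one compromised box."""
    summary = summarise_by_source(alerts)
    return sorted(s for s, e in summary.items() if len(e["destinations"]) >= min_destinations)


def format_summary(summary: Dict[str, dict]) -> str:
    lines = []
    for src, e in sorted(summary.items()):
        lines.append(f"{len(e['signatures'])} different signatures are present for {src} as a source")
        for msg, n in e["signatures"].most_common():
            lines.append(f"  * {n} instances of {msg}")
        lines.append(f"There are {len(e['destinations'])} distinct destination IPs")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(format_summary(summarise_by_source(parsed)))
    print("fan-out sources:", fan_out_sources(parsed))
```

The fan-out threshold is the knob that matters: Nimda-style traffic from a compromised host also trips `WEB-IIS cmd.exe access`, so the signature count alone does not separate "one infected machine" from "one source sweeping the whole range"; counting distinct destinations per source over the sensor's full alert file does.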
This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 13:10:25 PST