New Nimda scanning pattern ?

From: Russell Fulton (R.FULTONat_private)
Date: Mon Feb 04 2002 - 12:30:50 PST

    Last night we saw a single machine (or at least a single IP address)
    attack every IIS server on campus visible from the Internet.  The attack
    was not preceded by any obvious scan, although I have seen several
    systematic scans of port 80 in the last few weeks. Also, so far as I can
    tell from a quick sample, only IIS servers were attacked.
    
    I am wondering if this is someone trialing a 'flash' type worm...
    
    Individual attacks looked very much like standard Nimda; here are the
    snort logs for one attack:
    
    <snort snarf output>
    
    3 different signatures are present for 209.47.77.243 as a source
    
        * 4 instances of spp_unidecode: Invalid Unicode String detected
        * 5 instances of WEB-IIS .... access
        * 31 instances of WEB-IIS cmd.exe access
    
    There are 1 distinct destination IPs in the alerts of the type on this
    page.
    
    
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:07:21.637359 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x7B
    209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:37968
    IpLen:20 DgmLen:109 DF
    ***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:07:24.641753 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x7B
    209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38041
    IpLen:20 DgmLen:109 DF
    ***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:07:30.650475 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x7B
    209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38206
    IpLen:20 DgmLen:109 DF
    ***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:07:42.664928 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x7B
    209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38555
    IpLen:20 DgmLen:109 DF
    ***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:08:06.696708 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x7B
    209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:39197
    IpLen:20 DgmLen:109 DF
    ***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:08:54.760591 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x7B
    209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:40431
    IpLen:20 DgmLen:109 DF
    ***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:974:3] WEB-IIS .... access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:10:34.518927 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x77
    209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:43025
    IpLen:20 DgmLen:105 DF
    ***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2218]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
    [Snort log]
    [**] [1:974:3] WEB-IIS .... access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:10:40.501824 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x77
    209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:43187
    IpLen:20 DgmLen:105 DF
    ***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2218]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
    [Snort log]
    [**] [1:974:3] WEB-IIS .... access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:10:52.516755 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x77
    209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:43513
    IpLen:20 DgmLen:105 DF
    ***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2218]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
    [Snort log]
    [**] [1:974:3] WEB-IIS .... access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:11:16.550005 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x77
    209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:44404
    IpLen:20 DgmLen:105 DF
    ***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2218]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
    [Snort log]
    [**] [1:974:3] WEB-IIS .... access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:12:04.615202 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x77
    209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:45684
    IpLen:20 DgmLen:105 DF
    ***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2218]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0229]
    [Snort log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:12:11.992873 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x89
    209.47.77.243:1891 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:45909
    IpLen:20 DgmLen:123 DF
    ***AP*** Seq: 0x6642FD14 Ack: 0xC4F680A7 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:12:13.852431 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x8C
    209.47.77.243:1896 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:45970
    IpLen:20 DgmLen:126 DF
    ***AP*** Seq: 0x665238F6 Ack: 0xC4FE1CBE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:37:34.353490 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x95
    209.47.77.243:1638 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:29105
    IpLen:20 DgmLen:135 DF
    ***AP*** Seq: 0x92A59D87 Ack: 0xDACA7498 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
    02/04-20:38:32.488761 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0xA8
    209.47.77.243:1798 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:30991
    IpLen:20 DgmLen:154 DF
    ***AP*** Seq: 0x94707438 Ack: 0xDB9E5DF5 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
    02/04-20:38:35.419224 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0xA8
    209.47.77.243:1798 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:31060
    IpLen:20 DgmLen:154 DF
    ***AP*** Seq: 0x94707438 Ack: 0xDB9E5DF5 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
    02/04-20:38:41.424957 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0xA8
    209.47.77.243:1798 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:31303
    IpLen:20 DgmLen:154 DF
    ***AP*** Seq: 0x94707438 Ack: 0xDB9E5DF5 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:38:48.965454 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x95
    209.47.77.243:1839 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:31531
    IpLen:20 DgmLen:135 DF
    ***AP*** Seq: 0x94E3E208 Ack: 0xDBDB63CA Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [110:4:1] spp_unidecode: Invalid Unicode String detected [**]
    02/04-20:38:51.331883 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x8
    len:0xA7
    209.47.77.243:1798 -> 130.216.2.149:80 TCP TTL:240 TOS:0x10 ID:0
    IpLen:20 DgmLen:153
    ***AP*** Seq: 0xDB9E695D Ack: 0x947074AA Win: 0x43FE TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:38:53.554998 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x87
    209.47.77.243:1849 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:31657
    IpLen:20 DgmLen:121 DF
    ***AP*** Seq: 0x9504B0CB Ack: 0xDBECD726 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:38:59.551558 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x87
    209.47.77.243:1849 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32022
    IpLen:20 DgmLen:121 DF
    ***AP*** Seq: 0x9504B0CB Ack: 0xDBECD726 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:39:11.568024 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x87
    209.47.77.243:1849 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32355
    IpLen:20 DgmLen:121 DF
    ***AP*** Seq: 0x9504B0CB Ack: 0xDBECD726 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:39:13.018196 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x97
    209.47.77.243:1924 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32401
    IpLen:20 DgmLen:137 DF
    ***AP*** Seq: 0x95CC571B Ack: 0xDC341154 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:39:14.421532 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x89
    209.47.77.243:1928 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32446
    IpLen:20 DgmLen:123 DF
    ***AP*** Seq: 0x95D85179 Ack: 0xDC39DDE4 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:39:15.843306 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x8F
    209.47.77.243:1932 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:32497
    IpLen:20 DgmLen:129 DF
    ***AP*** Seq: 0x95E3EAFA Ack: 0xDC402DFC Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:39:41.438956 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x95
    209.47.77.243:1984 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33176
    IpLen:20 DgmLen:135 DF
    ***AP*** Seq: 0x968CC14B Ack: 0xDC9DDE3B Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:39:47.412938 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x95
    209.47.77.243:1984 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33333
    IpLen:20 DgmLen:135 DF
    ***AP*** Seq: 0x968CC14B Ack: 0xDC9DDE3B Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:39:59.430222 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x95
    209.47.77.243:1984 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33617
    IpLen:20 DgmLen:135 DF
    ***AP*** Seq: 0x968CC14B Ack: 0xDC9DDE3B Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:40:00.934488 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x87
    209.47.77.243:2033 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33673
    IpLen:20 DgmLen:121 DF
    ***AP*** Seq: 0x972DF2C3 Ack: 0xDCE59C93 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:40:05.474174 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x87
    209.47.77.243:2046 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:33810
    IpLen:20 DgmLen:121 DF
    ***AP*** Seq: 0x97524B5A Ack: 0xDCF64611 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:40:16.116988 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x8F
    209.47.77.243:2082 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:34206
    IpLen:20 DgmLen:129 DF
    ***AP*** Seq: 0x97ABC3FA Ack: 0xDD1DDF41 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:40:19.056085 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x8F
    209.47.77.243:2082 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:34281
    IpLen:20 DgmLen:129 DF
    ***AP*** Seq: 0x97ABC3FA Ack: 0xDD1DDF41 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:41:54.996322 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x97
    209.47.77.243:2312 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:36822
    IpLen:20 DgmLen:137 DF
    ***AP*** Seq: 0x9A7761A5 Ack: 0xDE856DCE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:42:34.343064 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x94
    209.47.77.243:2383 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:37884
    IpLen:20 DgmLen:134 DF
    ***AP*** Seq: 0x9B56288D Ack: 0xDF15D5F2 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:42:42.960267 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x8C
    209.47.77.243:2421 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38126
    IpLen:20 DgmLen:126 DF
    ***AP*** Seq: 0x9BC713F5 Ack: 0xDF35A162 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:42:48.953262 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x8C
    209.47.77.243:2421 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38312
    IpLen:20 DgmLen:126 DF
    ***AP*** Seq: 0x9BC713F5 Ack: 0xDF35A162 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:42:50.470597 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x99
    209.47.77.243:2453 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38358
    IpLen:20 DgmLen:139 DF
    ***AP*** Seq: 0x9C1C1426 Ack: 0xDF5164CE Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:42:54.891861 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x95
    209.47.77.243:2465 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38490
    IpLen:20 DgmLen:135 DF
    ***AP*** Seq: 0x9C3F6B03 Ack: 0xDF61EFFA Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:42:59.278223 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x90
    209.47.77.243:2470 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38626
    IpLen:20 DgmLen:130 DF
    ***AP*** Seq: 0x9C4C4EE0 Ack: 0xDF7282E1 Win: 0x4470 TcpLen: 20 [Snort
    log]
    [**] [1:1002:2] WEB-IIS cmd.exe access [**]
    [Classification: Web Application Attack] [Priority: 1]
    02/04-20:43:00.667441 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x9A
    209.47.77.243:2482 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38685
    IpLen:20 DgmLen:140 DF
    ***AP*** Seq: 0x9C6E69E7 Ack: 0xDF786E08 Win: 0x4470 TcpLen: 20
    
    </snort snarf output>
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
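
An added example, not part of the original post: a small Python parser for alerts in the format quoted above. It counts alerts per signature for each source, collapses alerts that repeat the same source port and sequence number, and counts the distinct destinations a source touched. Treating a repeated Seq as a TCP retransmission is an assumption of this example, and the last sample alert is constructed with a documentation-range address.

```python
import re
from collections import defaultdict

# Abridged alerts. The first three are from the post (two share a source port
# and Seq); the last is constructed, with a documentation-range target.
SAMPLE = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:37968
***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
209.47.77.243:1220 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:38041
***AP*** Seq: 0x5E02843B Ack: 0xC0CEDCBE Win: 0x4470 TcpLen: 20
[**] [1:974:3] WEB-IIS .... access [**]
209.47.77.243:1659 -> 130.216.2.149:80 TCP TTL:108 TOS:0x0 ID:43025
***AP*** Seq: 0x6369055C Ack: 0xC38E8839 Win: 0x4470 TcpLen: 20
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
209.47.77.243:3000 -> 192.0.2.10:80 TCP TTL:108 TOS:0x0 ID:1
***AP*** Seq: 0x11111111 Ack: 0x22222222 Win: 0x4470 TcpLen: 20
"""

ALERT = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\]"
    r".*?(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)"
    r".*?Seq: (?P<seq>0x[0-9A-Fa-f]+)", re.S)

def summarize(text):
    """Per source IP: alert counts, distinct requests and targets."""
    out = defaultdict(lambda: {"alerts": defaultdict(int),
                               "requests": defaultdict(set),
                               "targets": set()})
    # Split before each alert header so a match never spans two alerts.
    for chunk in re.split(r"(?=\[\*\*\] \[\d)", text):
        m = ALERT.search(chunk)
        if not m:
            continue
        s = out[m["src"]]
        s["alerts"][m["msg"]] += 1
        # Same source port, destination and Seq: counted as one request
        # (assumed to be a TCP retransmission of the same segment).
        s["requests"][m["msg"]].add((m["sport"], m["dst"], m["dport"], m["seq"]))
        s["targets"].add(m["dst"])
    return out

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, "targets:", len(s["targets"]))
        for msg, n in s["alerts"].items():
            print(f"  {msg}: {n} alerts, {len(s['requests'][msg])} distinct requests")
```

Run over a full alert file, the per-source target count separates a host that probes one server repeatedly from one that touches many servers in a single pass.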
    



    This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 13:10:25 PST