Note: there is nothing new in the attacks described here except the pattern of their delivery. Over the last few days snort has been picking up some different patterns of IIS attacks from two addresses in China (in different address blocks). We are receiving apparently random probes to port 80 from these addresses; any machines running IIS that are hit then receive:

[**] WEB-IIS CodeRed v2 root.exe access [**]
03/21-12:27:32.525198 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
211.96.99.59:24296 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:24324 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x53A99775  Ack: 0xE7BF981C  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
03/21-12:27:44.539238 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
211.96.99.59:22721 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:25664 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x39264B06  Ack: 0xE7F67A92  Win: 0x4470  TcpLen: 20
47 45 54 20 2F 63 2F 77 69 6E 6E 74 2F 73 79 73  GET /c/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63  tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

One thing that is interesting is that the probe rate we are seeing is much higher than nimda (more like nimda in our /8). We are seeing about 130 probes per hour in our /16 address space. So far I have only noticed this from these two addresses, but then I have not been looking.
On a related note, has anyone else noticed that nimda probes seem to have dropped significantly over the last week or so? I am now getting whole hours with no logged nimda attacks being recorded by snort. That's how I picked up the new pattern -- it may have been there before, but the two probes would likely have got lost in all the nimda logs...

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
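The snort records quoted in the post are the raw material for measuring a per-source probe rate like the 130 per hour figure above. The following Python is an added example, not part of the original post or of snort itself: it parses snort full-alert records in that layout (the year is assumed, since snort omits it; the sample records are constructed with documentation addresses) and summarises IIS probes per source address.

```python
import re
from collections import defaultdict
from datetime import datetime

# One snort full-alert record as quoted in the post: "[**] sig [**]" header,
# timestamp/ethernet line, then "src:port -> dst:port PROTO ...".
ALERT_RE = re.compile(
    r"\[\*\*\] (?P<sig>[^\[\n]+?) \[\*\*\][ \t]*\n"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) [^\n]*\n"
    r"(?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):\d+ ")
# The two signatures fired by the root.exe and cmd.exe requests shown in the post.
IIS_PROBE_SIGS = {"WEB-IIS CodeRed v2 root.exe access", "WEB-IIS cmd.exe access"}

def parse_alerts(text, year=2002):
    """(sig, datetime, src, dst) per record; snort omits the year, so one is assumed."""
    return [(m["sig"].strip(),
             datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
             m["src"], m["dst"]) for m in ALERT_RE.finditer(text)]

def probe_summary(alerts):
    """Per source: IIS probe count, distinct targets, probes/hour over first..last (min 1h)."""
    by_src = defaultdict(list)
    for sig, ts, src, dst in alerts:
        if sig in IIS_PROBE_SIGS:
            by_src[src].append((ts, dst))
    summary = {}
    for src, hits in by_src.items():
        times = [t for t, _ in hits]
        span_h = max((max(times) - min(times)).total_seconds() / 3600, 1.0)
        summary[src] = {"probes": len(hits), "targets": len({d for _, d in hits}),
                        "per_hour": len(hits) / span_h}
    return summary

# Constructed sample (documentation addresses, not the post's data): three IIS
# probes from one source against two hosts, plus an unrelated alert that is skipped.
SAMPLE_LOG = """\
[**] WEB-IIS CodeRed v2 root.exe access [**]
03/21-12:27:32.525198 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
192.0.2.10:24296 -> 198.51.100.24:80 TCP TTL:102 TOS:0x0 ID:24324 IpLen:20 DgmLen:112 DF
[**] WEB-IIS cmd.exe access [**]
03/21-12:27:44.539238 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
192.0.2.10:22721 -> 198.51.100.24:80 TCP TTL:102 TOS:0x0 ID:25664 IpLen:20 DgmLen:120 DF
[**] WEB-IIS cmd.exe access [**]
03/21-14:27:44.100000 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
192.0.2.10:22800 -> 198.51.100.77:80 TCP TTL:102 TOS:0x0 ID:25700 IpLen:20 DgmLen:120 DF
[**] WEB-MISC robots.txt access [**]
03/21-13:00:00.000000 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x70
203.0.113.5:40000 -> 198.51.100.24:80 TCP TTL:55 TOS:0x0 ID:1 IpLen:20 DgmLen:98 DF
"""
```

Running `probe_summary(parse_alerts(SAMPLE_LOG))` on the sample yields one source with 3 probes against 2 targets at roughly 1.5 probes per hour; the same call on a real snort alert file gives the per-source figures to compare against a baseline such as the nimda rate.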
This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 08:37:52 PST