different, nimda-like, probes

From: Russell Fulton (R.FULTONat_private)
Date: Thu Mar 21 2002 - 16:07:24 PST


    Note: there is nothing new in the attacks described here except
    the pattern of their delivery.
    
    Over the last few days snort has been picking up some different 
    patterns of IIS attacks from two addresses in China (in different
    address blocks). 
    
    We are receiving apparently random probes to port 80 from these
    addresses; any machines running IIS that are hit then receive:
    
    [**] WEB-IIS CodeRed v2 root.exe access [**]
    03/21-12:27:32.525198 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x7E
    211.96.99.59:24296 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:24324
    IpLen:20 DgmLen:112 DF
    ***AP*** Seq: 0x53A99775  Ack: 0xE7BF981C  Win: 0x4470  TcpLen: 20
    47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
    74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
    50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
    0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
    6C 6F 73 65 0D 0A 0D 0A                          lose....
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    [**] WEB-IIS cmd.exe access [**]
    03/21-12:27:44.539238 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
    len:0x86
    211.96.99.59:22721 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:25664
    IpLen:20 DgmLen:120 DF
    ***AP*** Seq: 0x39264B06  Ack: 0xE7F67A92  Win: 0x4470  TcpLen: 20
    47 45 54 20 2F 63 2F 77 69 6E 6E 74 2F 73 79 73  GET /c/winnt/sys
    74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63  tem32/cmd.exe?/c
    2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  +dir HTTP/1.0..H
    6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
    63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
    
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    One thing that is interesting is that the probe rate we are seeing is
    much higher than nimda (more like nimda in our /8).  We are seeing
    about 130 probes per hour in our /16 address space.
    
    So far I have only noticed this from these two addresses but then I
    have not been looking.
    
    On a related note, has anyone else noticed that nimda probes seem to have
    dropped significantly over the last week or so?  I am now getting
    whole hours with no logged nimda attacks being recorded by snort.
    That's how I picked up the new pattern -- it may have been there
    before, but the two probes would likely have got lost in all the nimda
    logs...
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
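As an added example, not part of Russell's post or of snort itself, here is a small Python parser for the alert layout quoted above that counts alerts per source address per hour, so the "probes per hour" comparison in the post can be read off the log rather than by eye. The sample alerts are constructed: 211.96.99.59 is the source the post names, and 192.0.2.10 is a made-up second source.

```python
import re
from collections import Counter

# Constructed sample in the snort "full alert" layout quoted in the post (hex dumps
# omitted; 211.96.99.59 is the source the post names, 192.0.2.10 is made up).
SAMPLE = """\
[**] WEB-IIS CodeRed v2 root.exe access [**]
03/21-12:27:32.525198 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
211.96.99.59:24296 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:24324 IpLen:20 DgmLen:112 DF
[**] WEB-IIS cmd.exe access [**]
03/21-12:27:44.539238 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
211.96.99.59:22721 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:25664 IpLen:20 DgmLen:120 DF
[**] WEB-IIS CodeRed v2 root.exe access [**]
03/21-12:51:02.000001 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
211.96.99.59:25510 -> 130.216.103.77:80 TCP TTL:102 TOS:0x0 ID:26001 IpLen:20 DgmLen:112 DF
[**] WEB-IIS cmd.exe access [**]
03/21-13:05:10.000001 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
192.0.2.10:40000 -> 130.216.103.24:80 TCP TTL:110 TOS:0x0 ID:7 IpLen:20 DgmLen:120 DF
"""

SIG_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")                        # signature name line
TS_RE = re.compile(r"^(\d\d/\d\d)-(\d\d):\d\d:\d\d\.\d+ ")                # MM/DD-HH:MM:SS.usec
IP_RE = re.compile(r"^(\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):(\d+) TCP")  # src:port -> dst:port

def parse_alerts(text):
    """Return (sig, day, hour, src, dst, dport) per alert; hex-dump lines match none of the regexes."""
    events, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := SIG_RE.match(line):
            cur = {"sig": m.group(1)}
        elif m := TS_RE.match(line):
            cur["day"], cur["hour"] = m.group(1), int(m.group(2))
        elif (m := IP_RE.match(line)) and "hour" in cur:
            events.append((cur["sig"], cur["day"], cur["hour"], m.group(1), m.group(2), int(m.group(3))))
            cur = {}
    return events

def probes_per_hour(events):
    """Alerts per (src, day, hour): the rate the post compares against background nimda noise."""
    return Counter((src, day, hour) for _, day, hour, src, _, _ in events)

def noisy_sources(events, per_hour):
    """Sources that reach per_hour or more alerts within any single hour."""
    return sorted({s for (s, _, _), n in probes_per_hour(events).items() if n >= per_hour})

def signatures_by_source(events):
    """Which IIS signatures each source triggered (root.exe then cmd.exe in the post)."""
    return {src: {e[0] for e in events if e[3] == src} for src in {e[3] for e in events}}
```

Feed it a real snort alert file and raise `per_hour` to the level of your own background noise to separate a fast scanner from the usual worm traffic.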



    This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 08:37:52 PST