Nimda type attacks with broken GETs

From: Stephen Samuel (samuelat_private)
Date: Mon May 13 2002 - 22:38:02 PDT


    This may have already been mentioned on this list (I'm not
    subscribed, but I've had this list suggested for this).
    
    I've just noticed a Nimda-type attack where the 'get' line
    is broken up into two parts (presumably an attempt to
    confuse packet filters and IDSs).
    Given that this type of split of a 'get' line seems to be rather rare,
    I think that people depending on packet filters to help stop/identify
    this type of attack can probably add this to their list of bad packets.
    
    A sample of such a session is included (tethereal print below, and the
    raw tcpdump file attached).
    
       1   0.000000 202.144.239.139 -> 210.45.202.98 TCP 4962 > http [SYN] Seq=1175453624 Ack=0 Win=16384 Len=0
       2   2.907647 202.144.239.139 -> 210.45.202.98 TCP 4962 > http [SYN] Seq=1175453624 Ack=0 Win=16384 Len=0
       3   2.935290 210.45.202.98 -> 202.144.239.139 TCP http > 4962 [SYN, ACK] Seq=886147005 Ack=1175453625 Win=8192 Len=0
       4   2.935572 202.144.239.139 -> 210.45.202.98 TCP 4962 > http [ACK] Seq=1175453625 Ack=886147006 Win=17520 Len=0
       5   2.935779 202.144.239.139 -> 210.45.202.98 HTTP GET
       6   2.937518 202.144.239.139 -> 210.45.202.98 HTTP Continuation
       7   3.027385 210.45.202.98 -> 202.144.239.139 TCP http > 4962 [ACK] Seq=886147006 Ack=1175453629 Win=8188 Len=0
       8   3.029238 202.144.239.139 -> 210.45.202.98 HTTP Continuation
       9   3.030202 202.144.239.139 -> 210.45.202.98 HTTP Continuation
      10   3.134727 210.45.202.98 -> 202.144.239.139 TCP http > 4962 [ACK] Seq=886147006 Ack=1175455089 Win=8192 Len=0
      11   3.334389 210.45.202.98 -> 202.144.239.139 TCP http > 4962 [ACK] Seq=886147006 Ack=1175457664 Win=5617 Len=0
    
    Packet 5 only contains the string 'GET'.
    Packets 6, 8 and 9 contain the actual payload (GET string).
    
    -- 
    Stephen Samuel +1(604)876-0426                samuelat_private
    		   http://www.bcgreen.com/~samuel/
    Powerful committed communication, reaching through fear, uncertainty and
    doubt to touch the jewel within each person and bring it to life.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
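The evasion described in the post (the request verb in one segment, the URI in later ones) defeats any filter that matches a signature against one packet at a time; only a detector that reassembles the TCP stream first sees the whole request line. The example below, which is added here and is not part of the original post or its attached capture, shows both behaviours side by side on a constructed request. It assumes frame 5 carried four bytes (frame 7 ACKs 1175453629, i.e. ISN+5), which fits "GET " with its trailing space; the client ISN is taken from frame 1 of the post's capture. The probe URI `/scripts/root.exe?/c+dir` is one of the documented Nimda probe strings, but the request body, the split points and the signature regex are constructed for this example, not taken from the attached tcpdump file.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP data segment: sequence number of its first payload byte, and the payload."""
    seq: int
    payload: bytes


# Client ISN from frame 1 of the post's capture; the first data byte is ISN+1.
CLIENT_ISN = 1175453624
FIRST_DATA_SEQ = CLIENT_ISN + 1

# Constructed sample request using a documented Nimda probe URI. It is NOT the
# payload of the post's capture (that is only in the attached tcpdump file).
REQUEST = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: 210.45.202.98\r\n\r\n"

# Example signature: request line that fetches root.exe with a "dir" argument.
NIMDA_SIGNATURE = re.compile(rb"^GET\s+/\S*root\.exe\?/c\+dir", re.MULTILINE)


def split_request(request, first_seq, cut_points):
    """Split `request` into segments at the byte offsets in `cut_points`.

    cut_points=[4, 20] mimics the capture: a 4-byte "GET " segment followed by
    continuation segments carrying the rest of the request line and headers.
    """
    segments = []
    start = 0
    for cut in list(cut_points) + [len(request)]:
        segments.append(Segment(first_seq + start, request[start:cut]))
        start = cut
    return segments


def per_packet_match(segments, sig=NIMDA_SIGNATURE):
    """Naive packet filter: runs the signature over each segment in isolation."""
    return any(sig.search(seg.payload) for seg in segments)


def reassemble(segments, first_seq):
    """Rebuild the client byte stream from segments in any order.

    Segments are ordered by sequence number; fully retransmitted segments are
    dropped and overlapping prefixes trimmed. A hole in the stream raises,
    since a detector must not match across missing data.
    """
    data = bytearray()
    expected = first_seq
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue  # pure retransmission of data we already hold
        if seg.seq > expected:
            raise ValueError(f"gap in stream: have up to {expected}, next segment at {seg.seq}")
        data += seg.payload[expected - seg.seq:]  # skip any overlapping prefix
        expected = end
    return bytes(data)


def stream_match(segments, first_seq, sig=NIMDA_SIGNATURE):
    """Stream-aware filter: reassemble first, then run the signature once."""
    return sig.search(reassemble(segments, first_seq)) is not None


def demo():
    """Compare both filters on an unsplit GET and on the split form from the post."""
    whole = split_request(REQUEST, FIRST_DATA_SEQ, [])
    split = split_request(REQUEST, FIRST_DATA_SEQ, [4, 20])  # "GET " then continuations
    # Same segments arriving out of order, plus a retransmit of the first one.
    reordered = list(reversed(split)) + [split[0]]
    return {
        "whole_per_packet": per_packet_match(whole),        # True: signature fits in one packet
        "split_per_packet": per_packet_match(split),        # False: no single packet has it all
        "split_reassembled": stream_match(split, FIRST_DATA_SEQ),       # True
        "reordered_reassembled": stream_match(reordered, FIRST_DATA_SEQ),  # True
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

The split form is only a problem for a filter that inspects packets one at a time; a stream-reassembling IDS (or a proxy that hands the web server a complete request) sees exactly the same request line as it would for an unsplit GET, so the gap-and-overlap handling in `reassemble` is where the real detection work sits.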
    



    This archive was generated by hypermail 2b30 : Tue May 14 2002 - 11:24:34 PDT