Hi All,

Looks like some new tools (but not new methods) are being used by kiddies to attack IIS web servers. There are at least two different tools involved.

One leaves a snort fingerprint like this for each host attacked:

  * 1 instances of WEB-IIS CodeRed v2 root.exe access
  * 2 instances of WEB-IIS msdac access
  * 61 instances of WEB-IIS cmd.exe access

Sometimes we see a systematic scan of our address space followed by attacks on all IIS servers; other times we see single machines attacked. The cmd.exe attacks are all unicode directory traversal attacks so far as I can see. Nothing new in the methods used, just a big rise in the frequency of this particular pattern of signatures.

The other pattern we are seeing is one or two unicode directory traversal attacks directed against all IIS servers on campus. The actual directory attacked varies, but I think it is the same script being used.

These two patterns have shown up in the last couple of weeks. Although I have seen similar things in the past, now I am seeing these several times a day, and the total number of unicode attacks has risen substantially.

I am also seeing a mutated or altered version of Nimda: the attack signature is the same but the scanning pattern is different. I am seeing attacks from (what appear to be) Nimda-infected hosts in unrelated networks at frequencies that suggest that the weighting of the scan patterns has been changed.
Here is output from my port 80 probe counter for one hour, counting probes to 130.216/16:

  Total address with two or more probes 314
  218.0.79.52      28 Jul 02 19:59:49 -- 28 Jul 02 20:59:42 # count 97
  130.207.139.207  28 Jul 02 19:59:57 -- 28 Jul 02 20:57:54 # count 84
  211.91.255.154   28 Jul 02 20:00:05 -- 28 Jul 02 20:57:49 # count 84
  64.86.155.118    28 Jul 02 20:00:04 -- 28 Jul 02 20:59:36 # count 53
  211.150.197.74   28 Jul 02 20:02:01 -- 28 Jul 02 20:59:27 # count 34
  66.123.72.3      28 Jul 02 19:59:55 -- 28 Jul 02 20:59:22 # count 30
  218.64.36.64     28 Jul 02 20:00:07 -- 28 Jul 02 20:41:59 # count 6
  216.200.130.201  28 Jul 02 20:01:21 -- 28 Jul 02 20:16:34 # count 4
  61.149.3.141     28 Jul 02 20:46:33 -- 28 Jul 02 20:59:20 # count 3
  200.67.77.121    28 Jul 02 20:50:36 -- 28 Jul 02 20:58:00 # count 2
  202.103.39.202   28 Jul 02 20:21:37 -- 28 Jul 02 20:31:06 # count 2
  65.82.184.122    28 Jul 02 20:23:35 -- 28 Jul 02 20:55:49 # count 2
  64.169.104.104   28 Jul 02 20:00:33 -- 28 Jul 02 20:42:47 # count 2
  65.95.109.59     28 Jul 02 20:35:11 -- 28 Jul 02 20:46:16 # count 2
  61.144.40.93     28 Jul 02 20:13:22 -- 28 Jul 02 20:28:13 # count 2
  210.166.204.240  28 Jul 02 20:05:32 -- 28 Jul 02 20:41:19 # count 2
  218.70.158.29    28 Jul 02 20:05:25 -- 28 Jul 02 20:10:58 # count 2

Note that two of the top three are in unrelated /8 addresses. I have checked my snort logs and verified that both these machines launch attacks that fit the Nimda signature.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
'It aint necessarily so' - Gershwin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
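An added example, not code from Russell's post or his probe counter: a small Python detector that reads constructed common-log-format web server lines, classifies each request against the signature families the post names (CodeRed/Nimda root.exe, msadc, cmd.exe, and overlong %c0/%c1 unicode traversal encodings), and emits the same per-source "first -- last # count N" report. The log lines, the TEST-NET source addresses and the regex set are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed common-log-format sample (not from the post); sources are
# TEST-NET documentation addresses, timestamps use the post's NZST offset.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jul/2002:19:59:49 +1200] "GET /scripts/root.exe HTTP/1.0" 404 -
192.0.2.10 - - [28/Jul/2002:20:10:02 +1200] "GET /MSADC/root.exe HTTP/1.0" 404 -
192.0.2.10 - - [28/Jul/2002:20:59:42 +1200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 -
198.51.100.7 - - [28/Jul/2002:19:59:57 +1200] "GET /_vti_bin/..%c1%9c../winnt/system32/cmd.exe HTTP/1.0" 404 -
198.51.100.7 - - [28/Jul/2002:20:57:54 +1200] "GET /scripts/cmd.exe HTTP/1.0" 404 -
203.0.113.5 - - [28/Jul/2002:20:50:36 +1200] "GET /index.html HTTP/1.0" 200 1234
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
# Detection patterns in the spirit of the Snort rules the post cites, plus the
# overlong UTF-8 (%c0xx / %c1xx) separator encodings of the IIS unicode bug.
SIGNATURES = {
    "root.exe": re.compile(r"/root\.exe", re.I),
    "msadc": re.compile(r"/msadc/", re.I),
    "cmd.exe": re.compile(r"/cmd\.exe", re.I),
    "unicode-traversal": re.compile(r"%c[01]%[0-9a-f]{2}", re.I),
}

def classify(uri):
    # Names of the signatures matching one request URI; empty set if benign.
    return {name for name, rx in SIGNATURES.items() if rx.search(uri)}

def count_probes(log_text, minimum=2):
    """Per-source first/last time, probe count and signatures; busiest first."""
    seen = defaultdict(lambda: {"first": None, "last": None, "count": 0, "sigs": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not (sigs := classify(m.group(3))):
            continue  # unparseable line or benign request
        src, when = m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        rec = seen[src]
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
        rec["count"] += 1
        rec["sigs"] |= sigs
    rows = [(src, r) for src, r in seen.items() if r["count"] >= minimum]
    return sorted(rows, key=lambda kv: kv[1]["count"], reverse=True)

def report(log_text):
    """Render rows in the post's 'addr first -- last # count N' shape."""
    fmt = "%d %b %y %H:%M:%S"
    return "\n".join(f"{src:<16} {r['first']:{fmt}} -- {r['last']:{fmt}} # count "
                     f"{r['count']} [{', '.join(sorted(r['sigs']))}]"
                     for src, r in count_probes(log_text))
```

Sources with a single hit are suppressed by the `minimum` threshold, matching the "two or more probes" cut the post's counter applies.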
This archive was generated by hypermail 2b30 : Mon Jul 29 2002 - 08:30:39 PDT