RE: Increased IIS scans mainly on 66.0.0.0/8 - Update

From: Richard Gilman (Richard.Gilmanat_private)
Date: Tue Aug 20 2002 - 06:40:51 PDT


    I guess what caught my attention regarding these hits, was the fact that
    the cmd.exe alerts made it into the top 5 hits summary report that I run
    every morning. I am very accustomed to the constant background noise
    caused by the CodeRed/nimda worms, but the increase has been quite
    dramatic in regards to the cmd.exe hits. I agree that they are similar
    to CodeRed/nimda, but no root.exe attempts are coming from these hosts.
    I guess I'm just curious as to why I am seeing the increase and if
    anyone is seeing the same.
    
    Regards
    Rich
    
    -----Original Message-----
    From: Russell Fulton [mailto:r.fultonat_private] 
    Sent: Monday, August 19, 2002 2:27 PM
    To: Richard Gilman
    Cc: incidentsat_private
    Subject: RE: Increased IIS scans mainly on 66.0.0.0/8 - Update
    
    On Tue, 2002-08-20 at 03:19, Richard Gilman wrote:
    > I did a query of the WEB-IIS cmd.exe access alerts for 8/15 on our
    > 66.0.0.0/8 network and I see 31 sources each send in multiples of 13
    > attempts. Of the 31 hosts, 3 sources were not from 66/8. 
    
    These sound like standard nimda, which scans its /8 more heavily than
    the rest of the net (except for the /16 which gets even more intensive
    scanning) -- I forget the exact proportions.
    
    
    > One of those
    > was from wanadoo.fr with 130 hits. The hits can come as fast as 2 per
    > second, so I assume that it has to be scripted.
    
    There are many scripted attacks that are being used by kiddies. Last
    night someone went through a bunch of our IIS servers delivering around
    10,000 probes against 20 different web servers over about 90 minutes.
    At the same time another IIS server got hit by 70 probes.
    
    > This is only an
    > annoyance and does not do anything more than make noise in my logs,
    > but
    > I think it is some sort of worm because of the fact they all send in
    > multiples of 13 and it seems that the odds of having 31 script kiddies
    
    As I said above I think that the 13 probes are almost certainly nimda or
    a close variant.  Nimda normally delivers 14 unicode probes and one
    probe for root.exe.
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    "It aint necessarily so"  - Gershwin
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
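The per-source query Richard describes (count the cmd.exe alerts per client, look for counts in multiples of 13, check for an accompanying root.exe probe, and estimate the hit rate) is easy to reproduce against raw IIS logs. The script below is an added example, not code from this thread or from SecurityFocus: the log lines it analyses are constructed in W3C extended format (IPs are from documentation ranges or made up inside 66/8), the cmd.exe traversal encodings are an illustrative sample rather than a full worm signature, and the "multiple of 13" and "cmd.exe plus root.exe" rules simply encode the heuristics the two posters state, not a documented Nimda fingerprint.

```python
"""
Per-source triage of IIS log entries for worm-like cmd.exe probe bursts.
Added example: the log is constructed, and the labelling rules are the
thread's own heuristics, not a documented Nimda signature.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

HOME_NET = ipaddress.ip_network("66.0.0.0/8")  # the /8 discussed in the thread

# Sample cmd.exe traversal encodings of the kind IIS unicode/double-decode
# probes use (illustrative set only, not a complete worm signature).
CMD_STEMS = [
    "/scripts/..%c1%1c../winnt/system32/cmd.exe",
    "/scripts/..%c0%af../winnt/system32/cmd.exe",
    "/scripts/..%255c../winnt/system32/cmd.exe",
    "/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../winnt/system32/cmd.exe",
    "/c/winnt/system32/cmd.exe",
]
ROOT_STEM = "/scripts/root.exe"

# Constructed bursts: (client ip, start, cmd.exe probes, add root.exe?, seconds between hits)
SAMPLE_BURSTS = [
    ("66.12.34.56", datetime(2002, 8, 15, 10, 22, 0), 13, True, 1),      # in 66/8, cmd.exe + root.exe
    ("203.0.113.5", datetime(2002, 8, 15, 10, 25, 0), 130, False, 0.5),  # external, 130 hits at ~2/s
    ("66.200.1.9", datetime(2002, 8, 15, 10, 28, 0), 3, False, 5),       # in 66/8, a few stray probes
]

def make_log(bursts=SAMPLE_BURSTS):
    """Render the constructed bursts as a W3C-extended IIS log, plus one benign request."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"]
    for ip, start, count, with_root, step in bursts:
        t = start
        for i in range(count):
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} {ip} GET {CMD_STEMS[i % len(CMD_STEMS)]} /c+dir 404")
            t += timedelta(seconds=step)
        if with_root:
            lines.append(f"{t:%Y-%m-%d %H:%M:%S} {ip} GET {ROOT_STEM} /c+dir 404")
    lines.append("2002-08-15 10:30:00 198.51.100.7 GET /index.htm - 200")
    return "\n".join(lines)

def parse_iis_log(text):
    """Parse W3C-extended lines into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records

def probe_kind(stem):
    """Mirror the two IDS rule names in the thread: cmd.exe access vs root.exe access."""
    s = stem.lower()
    if "root.exe" in s:
        return "root"
    if "cmd.exe" in s:
        return "cmd"
    return None

def summarize(records):
    """Group probe requests by client IP: per-kind counts plus first/last timestamp."""
    per_ip = defaultdict(lambda: {"cmd": 0, "root": 0, "first": None, "last": None})
    for r in records:
        kind = probe_kind(r["cs-uri-stem"])
        if kind is None:
            continue
        s = per_ip[r["c-ip"]]
        s[kind] += 1
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])
    return per_ip

def triage(per_ip, home_net=HOME_NET):
    """Label each source with the thread's heuristics and note whether it sits in the local /8."""
    findings = {}
    for ip, s in per_ip.items():
        total, span = s["cmd"] + s["root"], (s["last"] - s["first"]).total_seconds()
        if s["root"] and s["cmd"] >= 13:
            label = "worm-like: cmd.exe probes plus root.exe"
        elif s["cmd"] >= 13 and s["cmd"] % 13 == 0:
            label = "cmd.exe only, multiple of 13: worm variant or scripted scan"
        else:
            label = "other"
        findings[ip] = {"label": label, "cmd": s["cmd"], "root": s["root"],
                        "rate": total / max(span, 1.0),  # probes per second over the burst
                        "in_home": ipaddress.ip_address(ip) in home_net}
    return findings

def run_example():
    """Parse the constructed log and return the per-source findings."""
    return triage(summarize(parse_iis_log(make_log())))

if __name__ == "__main__":
    for ip, f in sorted(run_example().items(), key=lambda kv: -kv[1]["cmd"]):
        print(f"{ip:15} cmd={f['cmd']:3} root={f['root']} rate={f['rate']:.2f}/s "
              f"{'66/8' if f['in_home'] else 'ext '} {f['label']}")
```

Run against a real IIS log, replace `make_log()` with the file contents; the `#Fields:` header IIS writes drives the column mapping, so a log with extra columns parses unchanged. The rate column is what separates a worm walking its /8 (roughly one hit a second per source in the constructed data) from a kiddie script that delivers two or more per second, which is the distinction the thread is trying to draw.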
    



    This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 08:43:31 PDT