Beginning on October 10th at 1:42am CDT, what was considered a pretty significant attack took place. These attack attempts were all web based. What is curious about these attacks is the number of unique strings used in the attacks. In all there were 149 unique Snort rules triggered, from 5 attacks in 14 days. There were 5 total attacks to date, none of which were the same. The last attack was the most aggressive and extensive. A compiled list of the types of Snort rules that were triggered is at the end of this email. These web servers are hardened and the attacks were not effective, not to say that sooner or later I'll get bit. I didn't want to post the actual attack strings; even though the vulnerabilities are known, I don't want to provide someone with an easy way of creating an attack. Obviously these are already scripted/automated; are these new? Has anyone else seen this? I've not seen any mention of such attacks having taken place, or have I been sleeping? It's almost like someone took the Snort rules and created an attack string for each one.
Attack 1
Attack Began: Oct 10 01:42:41 CDT
Attack Ended: Oct 10 01:57:32 CDT
From a .tampabay.rr.com computer
1571 connection attempts across 17 web servers
6 unique Snort rules triggered
82 unique HEAD and 3 GET strings that triggered the rules

Attack 2
Attack Began: Oct 10 19:00:07 CDT
Attack Ended: Oct 10 19:03:43 CDT
From a .nas-corp.com computer
693 connection attempts across 17 web servers
9 unique Snort rules triggered
82 unique HEAD strings that triggered the rules

Attack 3
Attack Began: Oct 10 19:04:21 CDT
Attack Ended: Oct 10 19:10:35 CDT
From a .mylinuxisp.com computer
447 connection attempts across 17 web servers
7 unique Snort rules triggered
26 unique HEAD strings that triggered the rules

Attack 4
Attack Began: Oct 19 09:49:19 CDT
Attack Ended: Oct 19 09:52:29 CDT
From a .apid.com computer
99 connection attempts across 17 web servers
4 unique Snort rules triggered
11 unique GET strings that triggered the rules

Attack 5
Attack Began: Oct 24 16:14:18 CDT
Attack Ended: Oct 24 16:30:18 CDT
From a .adsl.fx.apol.com.tw computer
4242 connection attempts across 17 web servers
139 unique Snort rules triggered
343 unique GET strings that triggered the rules

Snort rules triggered:

WEB-ATTACKS /bin/ls| command attempt
WEB-CGI aglimpse access
WEB-CGI AnyForm2 access
WEB-CGI args.bat access
WEB-CGI AT-admin.cgi access
WEB-CGI bnbform.cgi access
WEB-CGI campas access
WEB-CGI classifieds.cgi access
WEB-CGI dumpenv.pl access
WEB-CGI edit.pl access
WEB-CGI environ.cgi access
WEB-CGI faxsurvey access
WEB-CGI filemail access
WEB-CGI files.pl access
WEB-CGI finger access
WEB-CGI formmail access
WEB-CGI glimpse access
WEB-CGI htmlscript access
WEB-CGI info2www access
WEB-CGI maillist.pl access
WEB-CGI man.sh access
WEB-CGI NPH-publish access
WEB-CGI nph-test-cgi access
WEB-CGI perl.exe access
WEB-CGI perlshop.cgi access
WEB-CGI pfdisplay.cgi access
WEB-CGI phf access
WEB-CGI php access
WEB-CGI ppdscgi.exe access
WEB-CGI rguest.exe access
WEB-CGI rsh access
WEB-CGI rwwwshell.pl access
WEB-CGI survey.cgi access
WEB-CGI test-cgi access
WEB-CGI testcounter.pl access
WEB-CGI uploader.exe access
WEB-CGI view-source access
WEB-CGI visadmin.exe access
WEB-CGI w3-msql access
WEB-CGI wais.p access
WEB-CGI webgais access
WEB-CGI websendmail access
WEB-CGI wguest.exe access
WEB-CGI whoisraw access
WEB-CGI win-c-sample.exe access
WEB-CGI wrap access
WEB-CGI wwwadmin.pl access
WEB-CGI wwwboard passwd access
WEB-CGI www-sql access
WEB-COLDFUSION cfmlsyntaxcheck.cfm access
WEB-COLDFUSION exampleapp access
WEB-COLDFUSION exampleapp application.cfm
WEB-COLDFUSION expeval access
WEB-COLDFUSION exprcalc access
WEB-COLDFUSION fileexists.cfm access
WEB-COLDFUSION getfile.cfm access
WEB-COLDFUSION snippets attempt
WEB-COLDFUSION startstop DOS access
WEB-FRONTPAGE administrators.pwd
WEB-FRONTPAGE authors.pwd access
WEB-FRONTPAGE dvwssr.dll access
WEB-FRONTPAGE form_results access
WEB-FRONTPAGE form_results.htm access
WEB-FRONTPAGE fourdots request
WEB-FRONTPAGE fpadmcgi.exe access
WEB-FRONTPAGE fpadmin.htm access
WEB-FRONTPAGE fpremadm.exe access
WEB-FRONTPAGE orders.htm access
WEB-FRONTPAGE orders.txt access
WEB-FRONTPAGE register.htm access
WEB-FRONTPAGE register.txt access
WEB-FRONTPAGE registrations.htm access
WEB-FRONTPAGE registrations.txt access
WEB-FRONTPAGE service.pwd
WEB-FRONTPAGE shtml.dll access
WEB-FRONTPAGE shtml.exe access
WEB-FRONTPAGE users.pwd access
WEB-IIS .... access
WEB-IIS admin access
WEB-IIS .asp access
WEB-IIS asp-dot attempt
WEB-IIS CGImail.exe access
WEB-IIS CodeRed v2 root.exe access
WEB-IIS fpcount access
WEB-IIS global-asa access
WEB-IIS iissamples access
WEB-IIS ISAPI .ida attempt
WEB-IIS ISAPI .idq access
WEB-IIS ISAPI .idq attempt
WEB-IIS ISAPI .printer access
WEB-IIS jet vba access
WEB-IIS _mem_bin access
WEB-IIS msadc/msadcs.dll access
WEB-IIS /msadc/samples/ access
WEB-IIS msdac access
WEB-IIS MSProxy access
WEB-IIS newdsn.exe access
WEB-IIS Overflow-htr access
WEB-IIS SAM Attempt
WEB-IIS /scripts/samples/ access
WEB-IIS search97.vts access
WEB-IIS site server config access
WEB-IIS Unicode2.pl script (File permission canonicalization)
WEB-IIS uploadn.asp access
WEB-IIS _vti_inf access
WEB-MISC /....
WEB-MISC adminlogin access
WEB-MISC apache DOS attempt
WEB-MISC ax-admin.cgi access
WEB-MISC bigconf.cgi access
WEB-MISC cachemgr.cgi access
WEB-MISC cart 32 AdminPwd access
WEB-MISC /cgi-bin/jj attempt
WEB-MISC convert.bas access
WEB-MISC count.cgi access
WEB-MISC counter.exe access
WEB-MISC cpshost.dll access
WEB-MISC Domino catalog.ns access
WEB-MISC Domino domcfg.nsf access
WEB-MISC Domino domlog.nsf access
WEB-MISC Domino log.nsf access
WEB-MISC Domino names.nsf access
WEB-MISC Ecommerce checks.txt access
WEB-MISC Ecommerce import.txt access
WEB-MISC /etc/passwd
WEB-MISC get32.exe access
WEB-MISC handler access
WEB-MISC .htaccess access
WEB-MISC .htpasswd access
WEB-MISC http directory traversal
WEB-MISC Lotus EditDoc attempt
WEB-MISC mall log order access
WEB-MISC order.log access
WEB-MISC piranha passwd.php3 access
WEB-MISC plusmail access
WEB-MISC queryhit.htm access
WEB-MISC /~root
WEB-MISC shopping cart access access
WEB-MISC showcode access
WEB-MISC ultraboard access
WEB-MISC viewcode access
WEB-MISC webcart access
WEB-MISC webdist.cgi access
WEB-MISC ws_ftp.ini access
WEB-MISC .wwwacl access
WEB-MISC wwwboard.pl access
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
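As an added example (not from the original post or from Snort), the script below turns Snort fast-alert lines into the per-source attack summaries the post tabulates: begin, end, connection attempts, unique rules triggered and web servers hit, splitting a source's alerts into separate attacks after a 10-minute idle gap. The alert lines, SIDs, hosts and timestamps are constructed, only the rule names are taken from the post, and the year is assumed because fast alerts do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort "fast" alert format. SIDs, hosts and times are constructed; rule names are from the post.
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[\d+:\d+:\d+\]\s+(?P<msg>.+?)\s+\[\*\*\].*?\{TCP\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$")

SAMPLE_ALERTS = """\
10/10-01:42:41.000001  [**] [1:9000001:1] WEB-CGI phf access [**] [Priority: 2] {TCP} 192.0.2.10:3301 -> 10.0.0.1:80
10/10-01:49:10.000001  [**] [1:9000002:1] WEB-CGI test-cgi access [**] [Priority: 2] {TCP} 192.0.2.10:3302 -> 10.0.0.2:80
10/10-01:57:32.000001  [**] [1:9000001:1] WEB-CGI phf access [**] [Priority: 2] {TCP} 192.0.2.10:3303 -> 10.0.0.3:80
10/10-19:00:07.000001  [**] [1:9000003:1] WEB-IIS ISAPI .ida attempt [**] [Priority: 1] {TCP} 198.51.100.7:4410 -> 10.0.0.1:80
10/10-19:03:43.000001  [**] [1:9000003:1] WEB-IIS ISAPI .ida attempt [**] [Priority: 1] {TCP} 198.51.100.7:4411 -> 10.0.0.2:80
10/19-09:49:19.000001  [**] [1:9000004:1] WEB-CGI formmail access [**] [Priority: 2] {TCP} 192.0.2.10:1100 -> 10.0.0.1:80
"""

# Alerts from one source separated by more than this idle gap count as a new attack.
IDLE_GAP = timedelta(minutes=10)

def parse_alert(line, year=2002):
    """Parse one fast-alert line; fast alerts carry no year, so it is assumed (2002 here)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}-{m['mon']}-{m['day']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "msg": m["msg"], "src": m["src"], "dst": m["dst"]}

def summarize(text):
    """Group alerts into per-source attack windows like the Attack 1..5 table in the post."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            by_src[a["src"]].append(a)
    attacks = []
    for src, alerts in by_src.items():
        cur = None
        for a in sorted(alerts, key=lambda x: x["ts"]):
            if cur is None or a["ts"] - cur["end"] > IDLE_GAP:  # start a new attack window
                cur = {"src": src, "begin": a["ts"], "end": a["ts"],
                       "attempts": 0, "rules": set(), "servers": set()}
                attacks.append(cur)
            cur["end"] = a["ts"]
            cur["attempts"] += 1
            cur["rules"].add(a["msg"])
            cur["servers"].add(a["dst"])
    return sorted(attacks, key=lambda x: x["begin"])
```

Unique request strings (the HEAD/GET URIs the post also counts) are not in fast alerts; computing those needs the full-packet log from the same sensor.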
This archive was generated by hypermail 2b30 : Fri Oct 25 2002 - 16:13:44 PDT