RE: new attack tool combining SMB and WebDAV?

From: James C Slora Jr (Jim.Sloraat_private)
Date: Mon Mar 31 2003 - 07:00:48 PST

    I've seen similar WebDAV/SMB scans for a couple of months. Some of them are
    apparently targeted (IDs increment continuously across multiple iterations of
    the scan), and some of them just pass through my address space.
    
    Your ICMP traffic was different from most of mine - I usually see 32 Es
    (EEEEEEE etc) for the data.
    
    Scans usually include a ping sweep then probes on TCP 135 139 445, UDP 137,
    WebDAV requests identical to yours, and they often include a TCP 21 scan.
    Occasionally there will also be a TCP 1433 scan. WebDAV and SMB requests
    always seem to be there, and the other requests seem to vary slightly
    depending on the source.
    
    The ping sweep usually comes at the beginning of the scan, and the rest of the
    scans usually target only machines that respond to the ping. I had at least
    one scan where the targeted scan came before the ping sweep, indicating prior
    recon.
    
    Sometimes there is a continuous bombardment from a single address, repeating
    the scan hundreds or even thousands of times.
    
    I guess there is a script kiddie tool and that there is also a botnet toolkit
    running these scans. I agree that there is probably an associated DoS
    capability.
    
    -----Original Message-----
    From: Matt Power [mailto:mhpowerat_private]
    Sent: Sunday, March 30, 2003 17:50
    To: incidentsat_private; intrusionsat_private
    Subject: new attack tool combining SMB and WebDAV?
    
    
    A possibly new attack tool is being used in the wild that sends
    traffic to a set of nearby IP addresses, using tcp ports 445 and 80.
    The observed traffic on port 80 (first noticed around 2200 GMT on 30
    March) consisted of:
    
      OPTIONS / HTTP/1.1
      translate: f
      User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
      Host: a.b.c.d
      Content-Length: 0
      Connection: Keep-Alive
    
    where a.b.c.d is the destination IP address. The traffic on port 445
    looked like the usual attack traffic described at, for example,
    http://www.cert.org/advisories/CA-2003-08.html
    
    In many cases, packets on both port 445 and 80 were sent to the same
    destination IP address.
    
    By "set of nearby IP addresses", I mean that the attacking machine was
    apparently trying to send data to all machines within an IP address
    range (rather than, for example, send data to IP addresses selected at
    random). It wasn't immediately clear why some IP addresses were
    skipped. A possibility is that the attacker had access to earlier
    reconnaissance data about which IP addresses were in use.
    
    The third type of traffic from the attacking machine consisted of very
    large ICMP echo-request packets, all going to the same destination IP
    address. The ICMP packet contents consisted entirely of the lowercase
    letters 'a' through 'w' repeated many times, e.g.,
    
      abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw...
    
    Anyway, this may mean that some type of WebDAV data-gathering or
    exploit capability has been incorporated into a software package that
    also compromises machines via SMB. There wasn't direct evidence that
    the software package was associated with planned exploitation of the
    CA-2003-09 vulnerability via WebDAV, although it may have been. The
    ICMP traffic suggests that the software package may have a DoS
    capability that's separate from the SMB and WebDAV traffic.
    
    Matt Power
    BindView Corporation, RAZOR Team
    mhpowerat_private
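As an added defender-side example (not code from either message), the Python below recognises the two traffic shapes described above, the `OPTIONS /` request with `translate: f` and the MiniRedir User-Agent, and ICMP echo payloads made of filler such as `a..w` repeated or a run of `E`, and then correlates per source address so that a host sending both the WebDAV probe and port-445 traffic stands out. The sample request, payloads, event list and IP addresses are constructed for the example. Note that the MiniRedir request on its own is exactly what a normal Windows WebDAV client sends, so the HTTP match alone is not evidence of the tool; the correlation is the useful part.

```python
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

# Constructed sample of the port-80 probe quoted in the post (CRLF line endings,
# placeholder Host address).
SAMPLE_PROBE = (b"OPTIONS / HTTP/1.1\r\ntranslate: f\r\n"
                b"User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
                b"Host: 192.0.2.10\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n\r\n")

def is_webdav_probe(raw: bytes) -> bool:
    """True if a raw HTTP request has the OPTIONS / + translate: f +
    MiniRedir User-Agent shape from the post. Header names compare case-insensitively."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"OPTIONS / HTTP/1."):
        return False
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (headers.get(b"translate", b"").lower() == b"f"
            and headers.get(b"user-agent", b"").startswith(b"Microsoft-WebDAV-MiniRedir"))

def icmp_filler_unit(payload: bytes) -> Optional[bytes]:
    """Return the repeating unit if an ICMP echo payload is filler: the letters
    'a'..'w' repeated (possibly cut mid-cycle) or a run of 'E'. None otherwise."""
    if len(payload) < 8:          # too short to call a pattern
        return None
    for unit in (bytes(range(ord("a"), ord("w") + 1)), b"E"):
        reps, rem = divmod(len(payload), len(unit))
        if payload == unit * reps + unit[:rem]:
            return unit
    return None

def correlate(events: Iterable[Tuple[str, str]]) -> List[str]:
    """events: (src_ip, kind) pairs, kind in {'webdav', 'smb445', 'icmp'}.
    Returns sources that sent both the WebDAV probe and port-445 traffic,
    the combination the post treats as the tool's signature."""
    seen = defaultdict(set)
    for src, kind in events:
        seen[src].add(kind)
    return sorted(src for src, kinds in seen.items() if {"webdav", "smb445"} <= kinds)

if __name__ == "__main__":
    # Constructed event stream: one scanner hitting 80 and 445, one plain WebDAV client.
    events = [("198.51.100.7", "webdav"), ("198.51.100.7", "smb445"),
              ("198.51.100.7", "icmp"), ("203.0.113.4", "webdav")]
    print(is_webdav_probe(SAMPLE_PROBE), icmp_filler_unit(b"E" * 32), correlate(events))
```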
    
    This archive was generated by hypermail 2b30 : Mon Mar 31 2003 - 14:07:54 PST