Re: New attack or old Vulnerability Scanner?

From: Jason Falciola (falciolaat_private)
Date: Tue Apr 29 2003 - 17:37:19 PDT


    Mark,
    
    You're very welcome.  I don't really need the tcpdump file that badly.  :-)
    
    I found it interesting that it doesn't look like what you're seeing is
    unique, nor is this a new attack pattern.  As I mentioned [1], the
    identical traffic was seen from a cable source and posted in a webmaster's
    forum [2] as recently as 4/21/03.  It seems like the questions James raised
    when he saw this last July [3] were not answered.  As he pointed out [4],
    the attack was *very* similar, if not identical, right down to the TCP
    connect to port 80, the 65 GET requests, and even the odd request for
    shell.exe.
    
    James - can you compare the actual GET requests and see if they match up in
    terms of order and content?
    
    It's still unclear to me:
    
     - whether this is a case of spammers taking up hacking techniques to look
    for new boxes to send their cruft.  This may be the case as they're
    targeting consumer broadband ranges more these days as other channels are
    becoming scarce [5]
     - whether a box with a spam bot that is normally used to crawl websites
    looking for email addresses has been compromised and is being used to launch
    IIS scans
     - whether this is an attack tool written specifically to perform IIS
    scans.  And whether this was written in Delphi or Borland C++ Builder (or
    something else)
     - why there was a request for shell.exe
    
    [1] http://www.securityfocus.com/archive/75/319878/2003-04-23/2003-04-29/2
    [2] http://www.webmasterworld.com/forum11/1864.htm
    [3] http://www.securityfocus.com/archive/75/319863/2003-04-23/2003-04-29/2
    [4] http://cert.uni-stuttgart.de/archive/intrusions/2002/07/msg00119.html
    [5] http://www.securityfocus.com/news/4217
    
    Jason Falciola
    Information Security Analyst
    IBM Managed Security Services
    falciolaat_private
    
    
    
    
    Mark Embrich <mark_embrich@yahoo.com>
    To:       incidentsat_private
    cc:
    Subject:  Re: New attack or old Vulnerability Scanner?
    04/29/2003 02:34 PM
    
    In-Reply-To:
    <OFAF55508B.5FB024D6-ON85256D14.0002DCAA-85256D14.00419468at_private>
    
    Hello Jason,
    
    Thanks for your help.
    
    >Can you post (or provide a link) to the full tcpdump traces for this scan
    >pattern?  It might aid in the analysis.
    
    The full tcpdump trace is quite long, about 1.7MB per attack, so I can't
    post it here.  It would be a real pain-in-the-ass to sanitize it, so I
    don't really want to post or distribute it anyway.  If you really, really
    want to take a look at it, I can sanitize it and email it to you directly.
    
    >When you say TCP connect, I assume you mean that you saw a simple
    >connection to see if the port is listening (as accomplished with '$ nmap
    >-sT ...').  Or did you also see a HEAD or GET request to determine if this
    >was an IIS server?
    
    I mean a simple connection to the port, not a HEAD or GET.
    This attack didn't care that I was not running IIS.
    
    I also did not see a ping sweep prior to the attacks, although I only
    checked up to 2 hours earlier.
    
    Thank you,
    Mark Embrich
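    An added example, not code from Mark's or Jason's messages: a small log
    analyser that looks for the pattern Mark describes, a burst of GET requests
    for IIS-style paths (including shell.exe) from a single source against a
    server that is not running IIS, where every such request should 404.  The
    sample log lines, the host addresses, the probe paths other than shell.exe,
    the hint list and the thresholds are all constructed for illustration and
    are not taken from Mark's trace.

```python
"""Flag sources that fire a burst of IIS-style probe GETs at a non-IIS server.

Added example, not part of the original thread.  The sample log below is
constructed; only the shell.exe request echoes what the thread describes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format:  host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Path fragments typical of IIS probes.  Hypothetical list; tune for your site.
IIS_HINTS = ('.exe', '.dll', '.asp', '.ida', '.idq',
             '/scripts/', '/msadc/', '/_vti_bin/')


def parse_line(line):
    """Parse one common-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def looks_like_iis_probe(path):
    """True if the requested path contains any of the IIS probe hints."""
    p = path.lower()
    return any(h in p for h in IIS_HINTS)


def find_probe_bursts(lines, window_seconds=60, min_requests=20):
    """Return {host: summary} for every host that issues at least
    min_requests IIS-style GETs inside any window_seconds window."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec['method'] == 'GET' and looks_like_iis_probe(rec['path']):
            by_host[rec['host']].append(rec)

    hits = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r['time'])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits in window_seconds.
            while (recs[end]['time'] - recs[start]['time']).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= min_requests:
                window = recs[start:end + 1]
                hits[host] = {
                    'count': count,
                    # On a non-IIS server every probe should be a 404.
                    'all_404': all(r['status'] == 404 for r in window),
                    'shell_exe': any(r['path'].lower().endswith('/shell.exe')
                                     for r in window),
                    'first': window[0]['time'],
                    'last': window[-1]['time'],
                }
                break
    return hits


def build_sample_log():
    """Constructed sample: one host fires 25 IIS-style GETs in 25 seconds at a
    non-IIS server (all 404), plus benign traffic from a second host."""
    probe_paths = ['/scripts/root.exe', '/MSADC/root.exe',
                   '/c/winnt/system32/cmd.exe', '/default.ida',
                   '/_vti_bin/shtml.dll', '/shell.exe']
    lines = []
    for i in range(25):
        path = probe_paths[i % len(probe_paths)]
        lines.append('10.0.0.5 - - [29/Apr/2003:14:00:%02d -0700] '
                     '"GET %s HTTP/1.0" 404 279' % (i, path))
    lines.append('192.0.2.10 - - [29/Apr/2003:14:00:10 -0700] '
                 '"GET /index.html HTTP/1.1" 200 1043')
    lines.append('192.0.2.10 - - [29/Apr/2003:14:05:00 -0700] '
                 '"GET /download/setup.exe HTTP/1.1" 200 50321')
    return lines


if __name__ == '__main__':
    for host, summary in find_probe_bursts(build_sample_log()).items():
        print(host, summary)
```

    The threshold of 20 probe-style GETs in 60 seconds is a guess; a scanner
    like the one Mark saw (65 GETs after a bare TCP connect) clears it easily,
    while a single stray .exe download from a legitimate visitor does not.
    Running it against a real access log means feeding open(...) lines into
    find_probe_bursts in place of build_sample_log().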
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 30 2003 - 10:39:35 PDT