RE: [logs] nimda web server logs

From: Baklarz, Ron (BaklarzRat_private)
Date: Thu Jun 13 2002 - 05:49:45 PDT


    All:
    
    Thanks for the heads-up. We saw these signatures in our fw logs last
    evening. Some of the offending IPs:
    
    198.245.191.72
    218.2.151.38
    162.105.232.52
    205.244.63.84
    
    Ron Baklarz  CISSP, GSEC
    Chief Information Security Officer
    The American Red Cross
    
    8111 Gatehouse Road
    Falls Church, VA 22042
    
    Phone: 703-206-7279  
    Pager:  877-594-3354
    
    
    
    -----Original Message-----
    From: Jay D. Dyson [mailto:jdysonat_private] 
    Sent: Tuesday, June 11, 2002 8:07 PM
    To: Sweth Chandramouli
    Cc: Log Analysis; Incidents List
    Subject: Re: [logs] nimda web server logs
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    On Tue, 11 Jun 2002, Sweth Chandramouli wrote:
    
    > > Here's what I'm seeing -- anyone have any information on this variant?
    > >
    > > /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\*.cif/s/b
    > > /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam
    > > /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam
    > > 
    > > This is definitely not Nimda, although it attempts to exploit the same 
    > > directory traversal vulnerability in IIS as Nimda
    > 
    > Perhaps this should be thrown over to the incidents list?
    
    	I concur.  Incidents folks, here's a summary of the present
    discussion from the Log Analysis list.
    
    	1.	Tina Bird requested a list of Nimda variant attack strings
    		(which I provided).  Upon review, she determined that the
    		style of attacks she was seeing (enumerated at the top of
    		this message) were not among the known Nimda variants.
    
    	2.	Michael Katz made the observation that the directory
    		traversal technique is the same as Nimda, though the 
    		attacks don't appear as a Nimda variant.  Mr. Katz
    		further suggested that the attacks may have been manually
    		executed.
    
    	3.	Sweth Chandramouli commented on the '.cif' request thus:
    		"This is the one that scares me; it's attempting to run a
    		recursive directory search on your C drive to find your 
    		Internet Explorer component information file--the file
    		that, for example, Windows Update uses to determine what
    		patches you have installed.  Presumably, if that request
    		succeeded, it would then download the CIF to find out what 
    		version of IE you have, etc., and try only those exploits
    		of relevance."
    
    	4.	Both Sweth and myself noted that the traversal to /winnt/
    		repair/sam had some large ramifications if the file access
    		attempt wasn't hung up with some sort of Microsoft access
    		sharing violation.  (The attacker would basically have a
    		load of goodies to feed l0phtcrack.)
    
    	Anyone else seeing this pop up in their logs?  Any honeypots
    collecting data of this sort?  It's a new one on me.
    
    - -Jay
    
      (    (                                                          _______
      ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) |    = |-'
     `--' `--'  `-- I'll be diplomatic...when I run out of ammo. --'  `------'
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (TreacherOS)
    Comment: See http://www.treachery.net/~jdyson/ for current keys.
    
    iD8DBQE9BpC5GI2IHblM+8ERAukTAJ4yysPYcDmnBzSkMvMA8+w+PaoGtACfetJk
    hE4GalTiNp/d0VcmfOhyUqE=
    =oCYX
    -----END PGP SIGNATURE-----
    
    
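As an added example (not part of this thread, and not code posted by anyone in it): a small Python scanner over constructed IIS W3C-style log lines that canonicalizes each request the way the strings above require, two rounds of percent-decoding for the `%255c` double-encoding and a lenient two-byte UTF-8 decoder for the `%c1%1c` / `%c1%9c` overlong forms, then flags any request whose canonical path climbs out of its directory and names the two targets the thread worries about (cmd.exe and winnt/repair/sam). The sample log lines, client addresses, the log format and the lenient decoder are assumptions of this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines (hypothetical client addresses; not the
# thread's own logs). Fields: date time client method uri-stem uri-query status.
SAMPLE_LOG_LINES = [
    "2002-06-11 20:01:13 10.0.0.5 GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir+c:\\*.cif 404",
    "2002-06-11 20:01:14 10.0.0.5 GET /a.asp/..%c1%1c../..%c1%1c../winnt/repair/sam - 404",
    "2002-06-11 20:01:15 10.0.0.5 GET /a.asp/..%c1%9c../..%c1%9c../winnt/repair/sam - 404",
    "2002-06-11 20:02:00 10.0.0.9 GET /index.html - 200",
    "2002-06-11 20:02:30 10.0.0.9 GET /images/logo%20v2.gif - 200",
]

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)$"
)

# Paths whose appearance after canonicalization is worth an alert on its own.
SENSITIVE_TARGETS = ("winnt/system32/cmd.exe", "winnt/repair/sam")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode bytes the way a tolerant two-byte UTF-8 decoder would.

    For a lead byte 0xC0-0xDF, 5 bits come from the lead and 6 from the
    following byte, whether or not that byte is a valid continuation byte.
    This is a deliberate simplification (an assumption of this example) that
    makes %c0%af collapse to '/' and %c1%9c / %c1%1c collapse to '\\', which
    is what the overlong-encoding traversal strings rely on.
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("?")  # other high bytes are not interpreted here
            i += 1
    return "".join(out)


def canonicalize(path: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (so %255c -> %5c -> '\\'), apply the lenient
    decoder, fold backslashes to '/' and lower-case (Windows paths are
    case-insensitive). Detection runs on this form, not on the raw request."""
    raw = path.encode("latin-1")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return lenient_utf8_decode(raw).replace("\\", "/").lower()


def encoding_trick(uri: str) -> str:
    """Name the encoding used to smuggle the traversal past a naive filter."""
    if re.search(r"%25[0-9a-f]{2}", uri, re.I):
        return "double-encoding"
    if re.search(r"%c[01]%[0-9a-f]{2}", uri, re.I):
        return "overlong-utf8"
    if "%" in uri:
        return "single-encoding"
    return "none"


def scan_log(lines):
    """Return one finding per request whose canonical path climbs out of its
    directory, with the sensitive target (if any) and the encoding trick."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        canon = canonicalize(m["uri"])
        if not TRAVERSAL_RE.search(canon):
            continue
        findings.append({
            "client": m["client"],
            "uri": m["uri"],
            "canonical": canon,
            "target": next((t for t in SENSITIVE_TARGETS if t in canon), None),
            "trick": encoding_trick(m["uri"]),
            "status": int(m["status"]),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"{f['client']} {f['trick']:15} {f['target']} (status {f['status']})")
```

Matching on the canonical path rather than on the raw request is the point: a signature for `..%c1%1c..` misses `..%c1%9c..` and `..%255c..`, while all three fold to the same `../..` once decoded the way the server decodes them. The status column is what answers Jay's point 4; the 404s here are constructed sample values, and a success code on the repair/sam request is the line that deserves an incident, not just a log entry.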
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 11:06:09 PDT