Re: Large Attack

From: Passion (mil21@www.hansecure.com)
Date: 03/02/02


From: "Passion" <mil21@www.hansecure.com>
To: <doug@unc.edu>
Date: Sat, 2 Mar 2002 13:06:56 +0900

At first glance this log seems to be a directed attack to find web vulnerabilities in your systems.

For example CIS, Typhon... these scanning tools use the same pattern.

Check the scanning pattern and compare it with the attack log!

CIS webscan - http://www.@stake.com/research/tools/webscan.exe



Regards,

K.Tommy


----- Original Message -----
From: "Douglas P. Brown" <dugbrown@email.unc.edu>
To: <incidents@securityfocus.org>; <unisog@sans.org>
Cc: "ITS Security" <security@unc.edu>
Sent: Saturday, March 02, 2002 4:44 AM
Subject: Large Attack


>
> FYI - Starting last night and continuing this morning we've seen at
> least 14 hosts from at least 7 different foreign subnets banging pretty
> heavy on our subnets. Below is a smart from the IDS logs for one of the
> bad hosts. The result has been that several NT and 2000 domains have
> had accounts locked out.
>
> 148 different signatures are present for x.x.x.x as a source
>
> 1 instances of WEB-IIS JET VBA access
> 1 instances of WEB-IIS getdrvrs access
> 1 instances of WEB-COLDFUSION administrator access
> 1 instances of WEB-IIS admin.dll access
> 1 instances of WEB-MISC .wwwacl access
> 1 instances of WEB-IIS uploadn.asp access
> 1 instances of WEB-CGI args.bat access
> 1 instances of WEB-MISC Domino catalog.ns access
> 1 instances of WEB-COLDFUSION exampleapp access
> 1 instances of WEB-IIS bdir.ht access
> 1 instances of WEB-MISC cpshost.dll access
> 1 instances of WEB-IIS getdrvs.exe access
> 1 instances of WEB-IIS anot.htr access
> 1 instances of WEB-IIS search97.vts
> 1 instances of WEB-FRONTPAGE shtml.exe
> 1 instances of WEB-COLDFUSION cfmlsyntaxcheck.cfm access
> 1 instances of WEB-FRONTPAGE form_results access
> 1 instances of WEB-FRONTPAGE authors.pwd access
> 1 instances of WEB-COLDFUSION beaninfo access
> 1 instances of WEB-MISC convert.bas access
> 1 instances of WEB-MISC AuthChangeUr accessl
> 1 instances of WEB-IIS codebrowser SDK access
> 1 instances of WEB-CGI wwwboard passwd access
> 1 instances of WEB-MISC ws_ftp.ini access
> 1 instances of WEB-MISC cart 32 AdminPwd access
> 1 instances of WEB-COLDFUSION fileexists.cfm access
> 1 instances of WEB-IIS adctest.asp access
> 1 instances of WEB-COLDFUSION evaluate.cfm access
> 1 instances of WEB-IIS CGImail.exe access
> 1 instances of WEB-COLDFUSION snippets attempt attempt
> 1 instances of WEB-COLDFUSION addcontent.cfm access
> 1 instances of WEB-COLDFUSION cfcache.map access
> 2 instances of WEB-MISC counter.exe access
> 2 instances of WEB-COLDFUSION exampleapp application.cfm
> 2 instances of WEB-IIS .asp access
> 2 instances of WEB-FRONTPAGE users.pwd access
> 2 instances of WEB-FRONTPAGE registrations.txt access
> 2 instances of WEB-FRONTPAGE dvwssr.dll access
> 2 instances of WEB-FRONTPAGE fpadmcgi.exe access
> 2 instances of WEB-COLDFUSION cfappman access
> 2 instances of WEB-IIS achg.htr access
> 2 instances of WEB-FRONTPAGE _vti_rpc access
> 2 instances of WEB-FRONTPAGE fpcount.exe access
> 2 instances of WEB-IIS codebrowser Exair access
> 2 instances of WEB-MISC shopping cart access access
> 2 instances of WEB-MISC ICQ webserver DOS
> 2 instances of WEB-IIS query.asp access
> 2 instances of SMTP expn root
> 2 instances of WEB-COLDFUSION application.cfm access
> 2 instances of WEB-IIS _vti_inf access
> 2 instances of WEB-IIS admin-default access
> 3 instances of WEB-IIS *.idc attempt
> 3 instances of WEB-CGI MachineInfo access
> 3 instances of RPC portmap listing
> 3 instances of WEB-IIS global-asa access
> 3 instances of WEB-COLDFUSION expeval access
> 3 instances of WEB-IIS asp-dot attempt
> 3 instances of WEB-IIS codebrowser access
> 3 instances of WEB-MISC Ecommerce checks.txt access
> 3 instances of WEB-CGI webgais access
> 3 instances of SCAN Synscan Portscan ID 19104
> 3 instances of WEB-IIS newdsn.exe access
> 3 instances of WEB-CGI websendmail access
> 3 instances of WEB-IIS jet vba access
> 4 instances of WEB-CGI post-query access
> 4 instances of WEB-CGI dumpenv.pl access
> 4 instances of WEB-CGI AT-admin.cgi access
> 4 instances of WEB-CGI whoisraw access
> 5 instances of WEB-MISC get32.exe access
> 5 instances of WEB-MISC .htpasswd access
> 5 instances of WEB-CGI classifieds.cgi access
> 5 instances of WEB-CGI sendform.cgi access
> 5 instances of WEB-CGI w3-msql access
> 5 instances of WEB-CGI files.pl access
> 5 instances of WEB-CGI AnyForm2 access
> 5 instances of WEB-CGI rksh access
> 5 instances of WEB-IIS admin access
> 6 instances of WEB-CGI bash access
> 6 instances of WEB-CGI glimpse access
> 6 instances of WEB-CGI maillist.pl access
> 6 instances of WEB-CGI w2tvars.pm access
> 6 instances of WEB-CGI wguest.exe access
> 6 instances of WEB-MISC shopping cart directory traversal
> 6 instances of WEB-CGI wais.p access
> 6 instances of WEB-MISC /cgi-bin/jj attempt
> 6 instances of WEB-CGI filemail access
> 6 instances of WEB-CGI edit.pl access
> 6 instances of WEB-CGI man.sh access
> 7 instances of WEB-CGI pfdisplay.cgi access
> 7 instances of WEB-MISC Ecommerce import.txt access
> 7 instances of WEB-CGI www-sql access
> 7 instances of WEB-IIS 5 .printer isapi
> 7 instances of WEB-CGI archie access
> 7 instances of WEB-MISC ~root
> 7 instances of WEB-CGI day5datacopier.cgi access
> 7 instances of WEB-MISC wwwboard.pl access
> 7 instances of WEB-CGI environ.cgi access
> 7 instances of WEB-CGI day5datanotifier.cgi access
> 8 instances of WEB-CGI survey.cgi access
> 8 instances of WEB-CGI redirect access
> 8 instances of WEB-CGI calendar access
> 8 instances of WEB-CGI perlshop.cgi access
> 8 instances of WEB-CGI rsh access
> 8 instances of WEB-MISC handler access
> 8 instances of WEB-CGI rwwwshell.pl access
> 8 instances of WEB-MISC guestbook.cgi access
> 8 instances of WEB-CGI testcounter.pl access
> 9 instances of WEB-MISC Domino log.nsf access
> 9 instances of WEB-CGI info2www access
> 9 instances of WEB-CGI upload.pl access
> 9 instances of WEB-MISC order.log access
> 9 instances of WEB-CGI ksh access
> 9 instances of WEB-IIS iisadmpwd attempt
> 10 instances of WEB-MISC mall log order access
> 10 instances of WEB-MISC Domino names.nsf access
> 10 instances of WEB-CGI bnbform.cgi access
> 11 instances of WEB-CGI campas access
> 11 instances of WEB-MISC /etc/passwd
> 11 instances of WEB-MISC netscape admin passwd
> 11 instances of WEB-CGI bb-hist.sh access
> 12 instances of WEB-CGI htmlscript access
> 12 instances of WEB-CGI faxsurvey access
> 13 instances of WEB-MISC piranha passwd.php3 access
> 13 instances of WEB-CGI NPH-publish access
> 13 instances of WEB-CGI csh access
> 13 instances of WEB-MISC nph-test-cgi access
> 13 instances of WEB-CGI wwwadmin.pl access
> 14 instances of WEB-MISC .htaccess access
> 14 instances of WEB-MISC webdist.cgi access
> 14 instances of WEB-MISC architext_query.pl access
> 14 instances of WEB-CGI flexform access
> 16 instances of WEB-CGI LWGate access
> 16 instances of WEB-MISC bigconf.cgi access
> 17 instances of WEB-MISC Attempt to execute cmd
> 17 instances of WEB-CGI tsch access
> 19 instances of WEB-MISC Domino domlog.nsf access
> 19 instances of WEB-MISC wrap access
> 19 instances of WEB-MISC Domino domcfg.nsf access
> 20 instances of WEB-CGI finger access
> 21 instances of WEB-CGI aglimpse access
> 27 instances of WEB-CGI formmail access
> 28 instances of WEB-FRONTPAGE fourdots request
> 29 instances of WEB-CGI test-cgi access
> 35 instances of WEB-CGI phf access
> 54 instances of CUSTOM Port 515 traffic
> 77 instances of FTP passwd attempt
> 159 instances of WEB-MISC http directory traversal
> 2369 instances of SCAN Proxy attempt
>
> There are 937 distinct destination IPs - we've taken steps on our end to
> block this traffic. I wanted to give everyone a heads up in case you're
> next, and to see if anyone else is seeing similar traffic.
>
> Cheers,
> -Doug
> --
> Douglas P. Brown
> University of North Carolina
> Manager of Security Resources
> 105 Abernethy Hall
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
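As an added illustration of the reply's suggestion (this is not code from either poster), the following Python script parses the quoted "N instances of ..." IDS summary into per-signature counts and checks how much of a scanner's expected signature set shows up. The scanner profile and the summary excerpt are constructed for the example, not the real CIS or Typhon pattern.

```python
"""Parse a Snort-style alert summary ("N instances of SIG") and compare
the signatures seen against a known web scanner's expected pattern."""
import re
from collections import Counter

LINE_RE = re.compile(r"^\s*>?\s*(\d+)\s+instances?\s+of\s+(.+?)\s*$")

# Constructed excerpt of the IDS summary quoted in the thread.
IDS_SUMMARY = """\
> 148 different signatures are present for x.x.x.x as a source
> 35 instances of WEB-CGI phf access
> 29 instances of WEB-CGI test-cgi access
> 27 instances of WEB-CGI formmail access
> 159 instances of WEB-MISC http directory traversal
> 2369 instances of SCAN Proxy attempt
> 77 instances of FTP passwd attempt
"""

# Constructed (hypothetical) profile of the IDS signatures a given
# web-vulnerability scanner is expected to trigger on one run.
SCANNER_PROFILE = {
    "WEB-CGI phf access",
    "WEB-CGI test-cgi access",
    "WEB-CGI formmail access",
    "WEB-MISC http directory traversal",
    "WEB-CGI finger access",
}

def parse_summary(text):
    """Return {signature: count} from 'N instances of SIG' lines;
    header lines such as '148 different signatures ...' are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
    return counts

def match_profile(counts, profile):
    """Fraction of the profile's signatures present, plus the missing ones."""
    seen = set(counts) & profile
    return len(seen) / len(profile), sorted(profile - seen)

def noise_signatures(counts, threshold=100):
    """Signatures whose volume dwarfs the one-off web probes (e.g. the
    proxy scan), which a per-check scanner comparison should ignore."""
    return [sig for sig, n in counts.most_common() if n >= threshold]
```

A high match fraction with only the low-volume signatures missing points at one tool run, while a low fraction suggests a different scanner or a hand-built probe list.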


