Re: Re: Large Attack

From: Douglas P. Brown (dugbrown@email.unc.edu)
Date: 03/02/02


Date: Sat, 02 Mar 2002 08:31:20 -0500
From: "Douglas P. Brown" <dugbrown@email.unc.edu>
To: incidents@securityfocus.org, unisog@sans.org


Thank you all for your responses. To answer some of the questions - We
were seeing these scans/attacks across the entire breadth of one of our
class B subnets. Below you will find some of the source subnets for
these attacks:

63.120.163.0/24 "Tech Engine" - New York, USA
165.194.0.0/16 "Chungyang University" - Seoul, Korea
202.56.228.0/24 "Bharti British Telecom" - New Delhi, India
203.199.121.0/24 "ISP Link in Mumbai" - India
210.68.146.0/24 "Digital United Inc" - Taipei, Taiwan
210.69.0.0/16 "Chunghwa Telecom" - Taipei, Taiwan
210.178.195.0/24 "Yangpyong Technical High School" - Korea

Our policies prohibit me from disclosing the measures we took to stop
these attacks. I hope to provide packet captures later under separate
cover. We would be very interested in seeing Sans or SecurityFocus
provide a site to list "dirty subnets" - those subnets from which we see
repeated attacks and receive no response to our complaints.

Cheers,
-Doug

-- 
Douglas P. Brown
University of North Carolina
Manager of Security Resources
105 Abernethy Hall

zaire wrote:
>
> Doug,
>
> Rumor has it that a lot of the defacement groups (Silverlords ...etc)
> will run cron jobs of cgi probers on a targeted network for a few weeks
> prior to an actual penetration of a server in hopes that the ids
> administrators will just start to ignore certain alerts or suffer from
> information overload.
>
> What do some of the responses from your webservers look like?
>
> Have you seen any penetration on these servers or just a lot of noise?
>
> Can you give us some of the packet captures to look at to compare with
> some of the less used cgi scanners?
>
> How many source addresses come from apnic?
>
> -zaire
>
> On Fri, 1 Mar 2002, Douglas P. Brown wrote:
>
> >
> > FYI - Starting last night and continuing this morning we've seen at
> > least 14 hosts from at least 7 different foreign subnets banging pretty
> > heavy on our subnets. Below is a smart from the IDS logs for one of the
> > bad hosts. The result has been that several NT and 2000 domains have
> > had accounts locked out.
> >
> > 148 different signatures are present for x.x.x.x as a source
> >
> > 1 instances of WEB-IIS JET VBA access
> > 1 instances of WEB-IIS getdrvrs access
> > 1 instances of WEB-COLDFUSION administrator access
> > 1 instances of WEB-IIS admin.dll access
> > 1 instances of WEB-MISC .wwwacl access
> > 1 instances of WEB-IIS uploadn.asp access
> > 1 instances of WEB-CGI args.bat access
> > 1 instances of WEB-MISC Domino catalog.ns access
> > 1 instances of WEB-COLDFUSION exampleapp access
> > 1 instances of WEB-IIS bdir.ht access
> > 1 instances of WEB-MISC cpshost.dll access
> > 1 instances of WEB-IIS getdrvs.exe access
> > 1 instances of WEB-IIS anot.htr access
> > 1 instances of WEB-IIS search97.vts
> > 1 instances of WEB-FRONTPAGE shtml.exe
> > 1 instances of WEB-COLDFUSION cfmlsyntaxcheck.cfm access
> > 1 instances of WEB-FRONTPAGE form_results access
> > 1 instances of WEB-FRONTPAGE authors.pwd access
> > 1 instances of WEB-COLDFUSION beaninfo access
> > 1 instances of WEB-MISC convert.bas access
> > 1 instances of WEB-MISC AuthChangeUr accessl
> > 1 instances of WEB-IIS codebrowser SDK access
> > 1 instances of WEB-CGI wwwboard passwd access
> > 1 instances of WEB-MISC ws_ftp.ini access
> > 1 instances of WEB-MISC cart 32 AdminPwd access
> > 1 instances of WEB-COLDFUSION fileexists.cfm access
> > 1 instances of WEB-IIS adctest.asp access
> > 1 instances of WEB-COLDFUSION evaluate.cfm access
> > 1 instances of WEB-IIS CGImail.exe access
> > 1 instances of WEB-COLDFUSION snippets attempt attempt
> > 1 instances of WEB-COLDFUSION addcontent.cfm access
> > 1 instances of WEB-COLDFUSION cfcache.map access
> > 2 instances of WEB-MISC counter.exe access
> > 2 instances of WEB-COLDFUSION exampleapp application.cfm
> > 2 instances of WEB-IIS .asp access
> > 2 instances of WEB-FRONTPAGE users.pwd access
> > 2 instances of WEB-FRONTPAGE registrations.txt access
> > 2 instances of WEB-FRONTPAGE dvwssr.dll access
> > 2 instances of WEB-FRONTPAGE fpadmcgi.exe access
> > 2 instances of WEB-COLDFUSION cfappman access
> > 2 instances of WEB-IIS achg.htr access
> > 2 instances of WEB-FRONTPAGE _vti_rpc access
> > 2 instances of WEB-FRONTPAGE fpcount.exe access
> > 2 instances of WEB-IIS codebrowser Exair access
> > 2 instances of WEB-MISC shopping cart access access
> > 2 instances of WEB-MISC ICQ webserver DOS
> > 2 instances of WEB-IIS query.asp access
> > 2 instances of SMTP expn root
> > 2 instances of WEB-COLDFUSION application.cfm access
> > 2 instances of WEB-IIS _vti_inf access
> > 2 instances of WEB-IIS admin-default access
> > 3 instances of WEB-IIS *.idc attempt
> > 3 instances of WEB-CGI MachineInfo access
> > 3 instances of RPC portmap listing
> > 3 instances of WEB-IIS global-asa access
> > 3 instances of WEB-COLDFUSION expeval access
> > 3 instances of WEB-IIS asp-dot attempt
> > 3 instances of WEB-IIS codebrowser access
> > 3 instances of WEB-MISC Ecommerce checks.txt access
> > 3 instances of WEB-CGI webgais access
> > 3 instances of SCAN Synscan Portscan ID 19104
> > 3 instances of WEB-IIS newdsn.exe access
> > 3 instances of WEB-CGI websendmail access
> > 3 instances of WEB-IIS jet vba access
> > 4 instances of WEB-CGI post-query access
> > 4 instances of WEB-CGI dumpenv.pl access
> > 4 instances of WEB-CGI AT-admin.cgi access
> > 4 instances of WEB-CGI whoisraw access
> > 5 instances of WEB-MISC get32.exe access
> > 5 instances of WEB-MISC .htpasswd access
> > 5 instances of WEB-CGI classifieds.cgi access
> > 5 instances of WEB-CGI sendform.cgi access
> > 5 instances of WEB-CGI w3-msql access
> > 5 instances of WEB-CGI files.pl access
> > 5 instances of WEB-CGI AnyForm2 access
> > 5 instances of WEB-CGI rksh access
> > 5 instances of WEB-IIS admin access
> > 6 instances of WEB-CGI bash access
> > 6 instances of WEB-CGI glimpse access
> > 6 instances of WEB-CGI maillist.pl access
> > 6 instances of WEB-CGI w2tvars.pm access
> > 6 instances of WEB-CGI wguest.exe access
> > 6 instances of WEB-MISC shopping cart directory traversal
> > 6 instances of WEB-CGI wais.p access
> > 6 instances of WEB-MISC /cgi-bin/jj attempt
> > 6 instances of WEB-CGI filemail access
> > 6 instances of WEB-CGI edit.pl access
> > 6 instances of WEB-CGI man.sh access
> > 7 instances of WEB-CGI pfdisplay.cgi access
> > 7 instances of WEB-MISC Ecommerce import.txt access
> > 7 instances of WEB-CGI www-sql access
> > 7 instances of WEB-IIS 5 .printer isapi
> > 7 instances of WEB-CGI archie access
> > 7 instances of WEB-MISC ~root
> > 7 instances of WEB-CGI day5datacopier.cgi access
> > 7 instances of WEB-MISC wwwboard.pl access
> > 7 instances of WEB-CGI environ.cgi access
> > 7 instances of WEB-CGI day5datanotifier.cgi access
> > 8 instances of WEB-CGI survey.cgi access
> > 8 instances of WEB-CGI redirect access
> > 8 instances of WEB-CGI calendar access
> > 8 instances of WEB-CGI perlshop.cgi access
> > 8 instances of WEB-CGI rsh access
> > 8 instances of WEB-MISC handler access
> > 8 instances of WEB-CGI rwwwshell.pl access
> > 8 instances of WEB-MISC guestbook.cgi access
> > 8 instances of WEB-CGI testcounter.pl access
> > 9 instances of WEB-MISC Domino log.nsf access
> > 9 instances of WEB-CGI info2www access
> > 9 instances of WEB-CGI upload.pl access
> > 9 instances of WEB-MISC order.log access
> > 9 instances of WEB-CGI ksh access
> > 9 instances of WEB-IIS iisadmpwd attempt
> > 10 instances of WEB-MISC mall log order access
> > 10 instances of WEB-MISC Domino names.nsf access
> > 10 instances of WEB-CGI bnbform.cgi access
> > 11 instances of WEB-CGI campas access
> > 11 instances of WEB-MISC /etc/passwd
> > 11 instances of WEB-MISC netscape admin passwd
> > 11 instances of WEB-CGI bb-hist.sh access
> > 12 instances of WEB-CGI htmlscript access
> > 12 instances of WEB-CGI faxsurvey access
> > 13 instances of WEB-MISC piranha passwd.php3 access
> > 13 instances of WEB-CGI NPH-publish access
> > 13 instances of WEB-CGI csh access
> > 13 instances of WEB-MISC nph-test-cgi access
> > 13 instances of WEB-CGI wwwadmin.pl access
> > 14 instances of WEB-MISC .htaccess access
> > 14 instances of WEB-MISC webdist.cgi access
> > 14 instances of WEB-MISC architext_query.pl access
> > 14 instances of WEB-CGI flexform access
> > 16 instances of WEB-CGI LWGate access
> > 16 instances of WEB-MISC bigconf.cgi access
> > 17 instances of WEB-MISC Attempt to execute cmd
> > 17 instances of WEB-CGI tsch access
> > 19 instances of WEB-MISC Domino domlog.nsf access
> > 19 instances of WEB-MISC wrap access
> > 19 instances of WEB-MISC Domino domcfg.nsf access
> > 20 instances of WEB-CGI finger access
> > 21 instances of WEB-CGI aglimpse access
> > 27 instances of WEB-CGI formmail access
> > 28 instances of WEB-FRONTPAGE fourdots request
> > 29 instances of WEB-CGI test-cgi access
> > 35 instances of WEB-CGI phf access
> > 54 instances of CUSTOM Port 515 traffic
> > 77 instances of FTP passwd attempt
> > 159 instances of WEB-MISC http directory traversal
> > 2369 instances of SCAN Proxy attempt
> >
> > There are 937 distinct destination IPs - we've taken steps on our end to
> > block this traffic. I wanted to give everyone a heads up in case you're
> > next, and to see if anyone else is seeing similar traffic.
> >
> > Cheers,
> > -Doug
> >
> > --
> > Douglas P. Brown
> > University of North Carolina
> > Manager of Security Resources
> > 105 Abernethy Hall
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
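A small triage helper for IDS summaries of the shape quoted in this thread, added here as an example and not code from either poster. It parses "N instances of SIGNATURE" lines, rolls the counts up by signature family (WEB-CGI, WEB-IIS, SCAN, ...) so the handful of loud categories stand out from the long tail of one-off probes, and checks candidate source addresses against the subnets Doug lists above. The CIDRs are the ones quoted in the reply; the sample summary lines and the test addresses are constructed for illustration.

```python
"""Roll up an IDS alert summary by signature family and check sources
against a list of repeat-offender subnets.

Added example, not code from the original posts. The CIDRs below are the
ones quoted in the reply; everything else (summary lines, test addresses)
is constructed sample data.
"""
import ipaddress
import re
from collections import Counter

# Subnets as listed in the reply above (taken from the page).
DIRTY_SUBNETS = [
    "63.120.163.0/24",
    "165.194.0.0/16",
    "202.56.228.0/24",
    "203.199.121.0/24",
    "210.68.146.0/24",
    "210.69.0.0/16",
    "210.178.195.0/24",
]

# Constructed sample in the "N instances of SIGNATURE" format.
SAMPLE_SUMMARY = """\
148 different signatures are present for x.x.x.x as a source

1 instances of WEB-IIS admin.dll access
3 instances of RPC portmap listing
35 instances of WEB-CGI phf access
159 instances of WEB-MISC http directory traversal
77 instances of FTP passwd attempt
2369 instances of SCAN Proxy attempt
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+instances?\s+of\s+(.+?)\s*$")


def parse_summary(text):
    """Return a list of (count, signature) tuples from summary text.

    Lines that do not match the expected shape (headers, blank lines,
    mangled pastes) are skipped rather than raising.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def family(signature):
    """The signature family is the first token, e.g. WEB-CGI or SCAN."""
    return signature.split(None, 1)[0]


def totals_by_family(entries):
    """Sum alert counts per family, most frequent first."""
    totals = Counter()
    for count, sig in entries:
        totals[family(sig)] += count
    return totals.most_common()


def top_signatures(entries, n=3):
    """The n loudest individual signatures, highest count first."""
    return sorted(entries, key=lambda e: e[0], reverse=True)[:n]


def build_dirty_networks(cidrs):
    """Parse CIDR strings once so membership tests are cheap."""
    return [ipaddress.ip_network(c) for c in cidrs]


def match_dirty(src_ip, networks):
    """Return the first listed network containing src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    entries = parse_summary(SAMPLE_SUMMARY)
    print("By family:", totals_by_family(entries))
    print("Top signatures:", top_signatures(entries))
    nets = build_dirty_networks(DIRTY_SUBNETS)
    for ip in ("210.69.12.34", "192.0.2.10"):  # constructed test addresses
        print(ip, "->", match_dirty(ip, nets))
```

Run against a real summary, the family roll-up is what you would paste into a complaint to the upstream provider; the per-signature list is what you keep for correlating later probes from the same subnets.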


