different, nimda like, probes

From: Russell Fulton (R.FULTON@auckland.ac.nz)
Date: 03/22/02


From: Russell Fulton <R.FULTON@auckland.ac.nz>
To: incidents@securityfocus.com
Date: 22 Mar 2002 12:07:24 +1200

Note: there is nothing new in the attacks described here except
the pattern of their delivery.

Over the last few days snort has been picking up some different
patterns of IIS attacks from two addresses in China (in different
address blocks).

We are receiving apparently random probes to port 80 from these
addresses; any machines running IIS that are hit then receive:

[**] WEB-IIS CodeRed v2 root.exe access [**]
03/21-12:27:32.525198 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x7E
211.96.99.59:24296 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:24324
IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x53A99775 Ack: 0xE7BF981C Win: 0x4470 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54 t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS cmd.exe access [**]
03/21-12:27:44.539238 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x86
211.96.99.59:22721 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:25664
IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x39264B06 Ack: 0xE7F67A92 Win: 0x4470 TcpLen: 20
47 45 54 20 2F 63 2F 77 69 6E 6E 74 2F 73 79 73 GET /c/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65 ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A ction: close....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

One thing that is interesting is that the probe rate we are seeing is
much higher than nimda (more like nimda in our /8). We are seeing
about 130 probes per hour in our /16 address space.

So far I have only noticed this from these two addresses but then I
have not been looking.

On a related note, has anyone else noticed that nimda probes seem to have
dropped significantly over the last week or so? I am now getting
whole hours with no logged nimda attacks being recorded by snort.
That's how I picked up the new pattern -- it may have been there
before, but the two probes would likely have got lost in all the nimda
logs...

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
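As an added example (not code from the post or its author), the following Python parses Snort's "full" alert format shown above, keeps only the two WEB-IIS signatures quoted in the message, and tallies per source address the total probes, distinct targets and peak probes in any clock hour, which is the kind of count the poster derived by hand. The sample alerts are constructed from the two quoted ones plus an invented third from a documentation address; the year is assumed to be 2002 because Snort timestamps carry none, and the hex dump lines are omitted since the parser ignores them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Snort's "full" alert format, modelled on the alerts in
# the post; payload hex dumps are omitted and the third alert is invented.
SAMPLE_ALERTS = """\
[**] WEB-IIS CodeRed v2 root.exe access [**]
03/21-12:27:32.525198 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
211.96.99.59:24296 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:24324 IpLen:20 DgmLen:112 DF

[**] WEB-IIS cmd.exe access [**]
03/21-12:27:44.539238 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
211.96.99.59:22721 -> 130.216.103.24:80 TCP TTL:102 TOS:0x0 ID:25664 IpLen:20 DgmLen:120 DF

[**] WEB-IIS cmd.exe access [**]
03/21-13:05:01.000000 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
192.0.2.7:40000 -> 130.216.103.25:80 TCP TTL:110 TOS:0x0 ID:1 IpLen:20 DgmLen:120 DF
"""

# The two signatures that fired on the root.exe / cmd.exe probes in the post.
IIS_PROBE_SIGS = {"WEB-IIS CodeRed v2 root.exe access", "WEB-IIS cmd.exe access"}

SIG_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$", re.M)
TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ ", re.M)
ADDR_RE = re.compile(r"^(\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):(\d+) ", re.M)

def parse_alerts(text, year=2002):
    """Yield (signature, datetime, src, dst, dport) per blank-line-separated alert."""
    for block in re.split(r"\n\s*\n", text.strip()):
        sig, ts, addr = SIG_RE.search(block), TS_RE.search(block), ADDR_RE.search(block)
        if not (sig and ts and addr):
            continue  # not a complete alert header (e.g. stray hex dump); skip
        when = datetime.strptime(f"{year}/{ts.group(1)}", "%Y/%m/%d-%H:%M:%S")
        yield sig.group(1), when, addr.group(1), addr.group(2), int(addr.group(3))

def probe_sources(text, sigs=IIS_PROBE_SIGS):
    """Per source: total probes, distinct targets, peak probes in one clock hour."""
    per_src = defaultdict(lambda: {"probes": 0, "targets": set(), "by_hour": defaultdict(int)})
    for sig, when, src, dst, dport in parse_alerts(text):
        if sig not in sigs or dport != 80:
            continue  # only the IIS probe signatures against port 80 count
        rec = per_src[src]
        rec["probes"] += 1
        rec["targets"].add(dst)
        rec["by_hour"][when.strftime("%m/%d %H:00")] += 1
    return {src: {"probes": r["probes"], "targets": len(r["targets"]),
                  "peak_per_hour": max(r["by_hour"].values())} for src, r in per_src.items()}
```

A source with a high peak_per_hour against many distinct targets is the scanner pattern the post describes, as opposed to a single host tripping one alert.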



