RE: Increased IIS scans mainly on 66.0.0.0/8 - Update

From: Russell Fulton (r.fulton@auckland.ac.nz)
Date: 08/19/02


From: Russell Fulton <r.fulton@auckland.ac.nz>
To: Richard Gilman <Richard.Gilman@ntn.com>
Date: 20 Aug 2002 09:27:17 +1200

On Tue, 2002-08-20 at 03:19, Richard Gilman wrote:
> I did a query of the WEB-IIS cmd.exe access alerts for 8/15 on our
> 66.0.0.0/8 network and I see 31 sources each send in multiples of 13
> attempts. Of the 31 hosts, 3 sources were not from 66/8.

These sound like standard nimda, which scans its /8 more heavily than
the rest of the net (except for the /16 which gets even more intensive
scanning) -- I forget the exact proportions.

> One of those was from wanadoo.fr with 130 hits. The hits can come as fast
> as 2 per second, so I assume that it has to be scripted.

There are many scripted attacks that are being used by kiddies. Last
night someone went through a bunch of our IIS servers delivering around
10,000 probes against 20 different web servers over about 90 minutes.
At the same time another IIS server got hit by 70 probes.

> This is only an annoyance and does not do anything more than make noise
> in my logs, but I think it is some sort of worm because of the fact they
> all send in multiples of 13 and it seems that the odds of having 31
> script kiddies

As I said above I think that the 13 probes are almost certainly nimda or
a close variant. Nimda normally delivers 14 unicode probes and one
probe for root.exe.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so" - Gershwin
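The counting Richard describes (group the WEB-IIS cmd.exe alerts by source, look for hit counts that are multiples of 13, note whether the source shares the target's /8, and check how fast the hits arrive) is easy to script over an IDS alert log. The following is an added example, not code from either poster; it builds its own constructed alert lines in a simple "timestamp src dst signature" layout (an assumed format, and placeholder addresses rather than real hosts) so it runs offline:

```python
"""Summarise WEB-IIS cmd.exe alerts per source: total hits, whether the count is
a multiple of 13 (the pattern discussed in the thread), whether the source sits
in the same /8 as its target, and the peak hits-per-second (2/sec was Richard's
threshold for "must be scripted").  All sample data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed scenarios: (source, number of hits, seconds between hits).
# 66.x addresses are just placeholders inside the 66/8 block the thread
# talks about; 203.0.113.77 is from the documentation range (TEST-NET-3).
_SCENARIOS = [
    ("66.10.20.30", 13, 1.0),    # one nimda-like run from inside 66/8, 1 hit/sec
    ("66.40.50.60", 26, 0.5),    # two runs from the same /8 at 2 hits/sec
    ("203.0.113.77", 7, 0.5),    # out-of-/8 source, count not a multiple of 13
]
TARGET = "66.99.99.99"           # constructed target address inside 66/8
SIGNATURE = "WEB-IIS cmd.exe access"


def build_sample_alerts():
    """Return constructed alert lines: 'YYYY-mm-dd HH:MM:SS.fff src dst signature'."""
    lines = []
    t0 = datetime(2002, 8, 15, 3, 0, 0)
    for src, count, gap in _SCENARIOS:
        for i in range(count):
            ts = t0 + timedelta(seconds=i * gap)
            stamp = ts.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]   # trim to milliseconds
            lines.append(f"{stamp} {src} {TARGET} {SIGNATURE}")
    return lines


def summarize(lines, match="cmd.exe", multiple=13):
    """Group alerts whose signature contains `match` by source address."""
    per_src = defaultdict(list)
    for line in lines:
        date, time, src, dst, sig = line.split(maxsplit=4)
        if match not in sig:
            continue
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
        per_src[src].append((ts, dst))

    report = {}
    for src, hits in per_src.items():
        hits.sort()
        # Count hits falling into each whole second to find the burst rate.
        per_second = defaultdict(int)
        for ts, _ in hits:
            per_second[ts.replace(microsecond=0)] += 1
        targets = {dst for _, dst in hits}
        same_slash8 = all(
            ip_address(src) in ip_network(f"{dst}/8", strict=False) for dst in targets
        )
        report[src] = {
            "hits": len(hits),
            "multiple_of_13": len(hits) % multiple == 0,
            "same_slash8": same_slash8,
            "peak_per_second": max(per_second.values()),
        }
    return report


def scripted_sources(report, min_rate=2):
    """Sources whose peak rate meets the 'has to be scripted' threshold."""
    return sorted(src for src, row in report.items() if row["peak_per_second"] >= min_rate)


if __name__ == "__main__":
    rep = summarize(build_sample_alerts())
    for src, row in sorted(rep.items()):
        print(f"{src:15} hits={row['hits']:3} x13={row['multiple_of_13']!s:5} "
              f"same/8={row['same_slash8']!s:5} peak/s={row['peak_per_second']}")
    print("scripted-rate sources:", scripted_sources(rep))
```

On real data the interesting rows are the ones where "x13" is true together with "same/8" (the worm-like population) versus the fast out-of-/8 sources that look like hand-run scripts; the multiple-of-13 test is only the heuristic from the thread, so sources with other counts still deserve a look.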

