RE: Attack(s) caught by Okena

From: Chris Fussell (chrisfussell_at_hotmail.com)
Date: 06/10/03

  • Next message: Brad Bemis: "RE: Request for Raw Data"
    To: "'Dimitri Limanovski'" <dlimanov@sct.com>, <incidents@securityfocus.com>
    Date: Tue, 10 Jun 2003 17:39:26 -0400
    
    

    It looks like the load library call was meant to receive WS2_32.dll as the
    first parameter:

    00005753 325f3332 2e444c4c 00...
        W S 2 _ 3 2 . D L L

    I can't tell what the rest of the captured buffer in the event log is meant
    to do, if even related...

    - Chris

    -----Original Message-----
    From: Dimitri Limanovski [mailto:dlimanov@sct.com]
    Sent: Tuesday, June 10, 2003 10:53 AM
    To: incidents@securityfocus.com
    Cc: jmitchell@okena.com
    Subject: Attack(s) caught by Okena

    Hello everyone..
    In my evaluation of Okena (now Cisco) HIPS, I built a test system with
    "virgin" Win2K Server install that included full install of IIS.
    Machine was not patched (not even an SP1) and placed out in the wild
    without any kind of protection other than Okena's default Server,
    Firewall and IIS policy modules.
    As of two month of repetitive attacks, it has yet to be compromised.
    99% of the attacks are standard port scans and NetBIOS enumeration
    attempts along with numerous attempts to overflow buffer with various
    IIS vulnerabilities.
    Lately, I have seen the following entries in the Event Viewer that I
    can not interpret. Based on the time stamp, this looks like one attack
    but I can't figure out exactly which one. First two events look like
    standard buffer overflow against inetinfo.exe. It's interesting to
    note that while all of the usual dafault.ida?XXXXX and WebDAV attempts
    are recorded in Web logs, this one isn't showing up anywhere aside
    from Event Viewer. The third event looked to me like some kind of
    variant of SMBNuke/SMBDie attack, based on
    '\\TEST**\MAILSLOT\NET\NETLOGON' signature, but it's being called by
    inetinfo.exe which I haven't seen before.
    Has anyone seen anything like this before? Any input is much
    appreciated!

    Dimitri

    <start event 1>
    Event Type: Warning
    Event Source: StormWatchAgent
    Event Category: Kernel Rule
    Event ID: 256
    Date: 6/10/2003
    Time: 1:53:30 AM
    User: N/A
    Computer: IISTEST
    Description:
    The application 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user
    IISTEST\IUSR_IISTEST) tried to call the function LoadLibraryA from a
    buffer (the return address was 0x45b7b1). The code at this address is
    '00005753 325f3332 2e444c4c 00ff55f4 8945bce8 07000000 736f636b
    657400ff' This either happens when a program uses self-modifying code
    or when a program has been subverted by a buffer overflow attack. The
    user chose 'Terminate (no user interaction allowed)'.
    </end event 1>

    <start event 2>
    Event Type: Error
    Event Source: StormWatchAgent
    Event Category: Kernel Rule
    Event ID: 256
    Date: 6/10/2003
    Time: 1:53:30 AM
    User: N/A
    Computer: IISTEST
    Description:
    The application 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user
    IISTEST\IUSR_IISTEST) tried to call the function LoadLibraryA from a
    buffer (the return address was 0x45b7b1). The code at this address is
    '00005753 325f3332 2e444c4c 00ff55f4 8945bce8 07000000 736f636b
    657400ff' This either happens when a program uses self-modifying code
    or when a program has been subverted by a buffer overflow attack. The
    program was terminated.
    </end event 2>

    <start event 3>
    Event Type: Error
    Event Source: StormWatchAgent
    Event Category: Kernel Rule
    Event ID: 256
    Date: 6/10/2003
    Time: 1:53:32 AM
    User: N/A
    Computer: IISTEST
    Description:
    The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT
    AUTHORITY\SYSTEM) tried to open/write the file
    '\\TEST**\MAILSLOT\NET\NETLOGON' and was denied.
    </end event 3>

    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------

    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------


  • Next message: Brad Bemis: "RE: Request for Raw Data"