Security Incidents mailing list archives

really odd traffic


From: Thomas Whipp <tkw () objectronix co uk>
Date: Thu, 11 Oct 2001 17:10:58 +0100

Hi all,

        overnight I got a cmd.exe attempt to one of the
addresses within our netblock - nothing odd about that
except that this address isn't active.

Checking through our logs I found a range of other related
attacks from the same source, all to the same unused
address.  Checking our packet logs I found the following:

22:12:13 TCP:  x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:12:17 TCP:  x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:19:44 TCP:  x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:19:47 TCP:  x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:22:44 TCP:  x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:22:47 TCP:  x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:25:0  TCP:  x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:25:3  TCP:  x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:26:30 TCP:  x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:26:33 TCP:  x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:29:30 TCP:  x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:29:33 TCP:  x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:31:0  TCP:  x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:31:3  TCP:  x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK

Notes:
1) This is a *full* packet log - it's not filtered in any way
and it is correctly positioned to see all traffic.
2) All FIN/PSH/ACK packets appear to have carried a payload,
either unicode cmd.exe or root.exe.
3) x.x.x.x is the attacker
4) y.y.y.y is the target

We've replicated the traffic internally to a scratch NT IIS
server but didn't see any entries in the log files.

I'm at a loss - the traffic is definitely hostile, but it
doesn't make any sense... anybody know if there are any
Windows builds that might pass traffic of this profile to
the application layer?

regards

        Tom
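A detection-side example, added here and not part of Tom's post: it parses log lines in the same format as the packet log above and reports any flow on which a data-bearing (PSH) segment was logged although no SYN was ever seen for that four-tuple in either direction. In a full, unfiltered capture that is exactly the anomaly described in the post: segments that a conforming TCP stack should discard because no connection was ever established. The log format is inferred from the post; the sample lines are constructed for this example, and the z.z.z.z flow is an assumed normal three-way handshake included as a control case.

```python
"""Flag TCP segments that carry data without any handshake in a full packet log.

Added example, not part of the original post. Parses log lines in the post's
format and reports four-tuples on which PSH (data-bearing) segments were seen
although no SYN was logged for that flow. The format is inferred from the
post; the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the post's log format. x.x.x.x -> y.y.y.y mirrors the
# suspicious traffic; z.z.z.z is an assumed, ordinary handshake as a control.
SAMPLE_LOG = """\
22:12:13 TCP:  x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:12:17 TCP:  x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:19:44 TCP:  x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN ACK
22:19:47 TCP:  x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
22:40:01 TCP:  z.z.z.z:1025 ( ) -> y.y.y.y:80 ( ) SYN
22:40:01 TCP:  y.y.y.y:80 ( ) -> z.z.z.z:1025 ( ) SYN ACK
22:40:02 TCP:  z.z.z.z:1025 ( ) -> y.y.y.y:80 ( ) ACK
22:40:02 TCP:  z.z.z.z:1025 ( ) -> y.y.y.y:80 ( ) PSH ACK
"""

# One log line: "HH:MM:SS TCP:  src:sport ( ) -> dst:dport ( ) FLAGS..."
# Seconds may be a single digit in the post's log ("22:25:0"), so allow 1-2 digits.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{1,2}:\d{1,2})\s+TCP:\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+\(\s*\)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+\(\s*\)\s*(?P<flags>.*)$"
)


def parse_line(line):
    """Return (timestamp, flow four-tuple, frozenset of flags), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    return m["ts"], flow, frozenset(m["flags"].split())


def find_handshakeless_data(log_text):
    """Return {flow: [timestamps]} of PSH segments seen on flows with no prior SYN.

    A flow counts as handshake-bearing once a SYN has been logged in either
    direction (client SYN or server SYN/ACK) before the data segment arrives.
    """
    syn_seen = set()
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or non-TCP lines
        ts, flow, flags = parsed
        src, sport, dst, dport = flow
        if "SYN" in flags:
            # Record both directions so the server's SYN/ACK and the client's
            # later data segments map onto the same connection.
            syn_seen.add(flow)
            syn_seen.add((dst, dport, src, sport))
            continue
        if "PSH" in flags and flow not in syn_seen:
            findings[flow].append(ts)
    return dict(findings)


if __name__ == "__main__":
    for (src, sport, dst, dport), times in find_handshakeless_data(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> {dst}:{dport}: data with no handshake at {', '.join(times)}")
```

Run against a real capture, each reported flow is one that deserves a look at the payload: on a sensor that truly sees all traffic, a PSH segment with no SYN in either direction cannot belong to an established connection, so the host should not have delivered it to the application layer, which matches what the scratch IIS server showed in the post.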

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
