Security Incidents mailing list archives
Coordinated HTTP scan (NOT CodeRed or Nimda)?
From: Glenn Forbes Fleming Larratt <glratt () io com>
Date: Mon, 4 Mar 2002 14:33:54 -0600 (CST)
We run two instances of Snort just inside our border - one with a mostly standard 1.8.1-vintage ruleset, the other older with some special rules to catch CodeRed and Nimda. During the half-hour between 1305 and 1335 UTC (0705-0735 local time), we noted an abrupt appearance of entries of the form:

Mar 3 07:13:47 gummo.rice.edu snort[3081]: [ID 702911 auth.alert] spp_portscan: End of portscan from 208.59.144.209: TOTAL time(20s) hosts(31) TCP(33) UDP(0)
Mar 3 07:13:49 gummo.rice.edu snort[3081]: [ID 702911 auth.alert] spp_portscan: End of portscan from 24.132.199.169: TOTAL time(12s) hosts(34) TCP(35) UDP(0)
Mar 3 07:14:12 gummo.rice.edu snort[3081]: [ID 702911 auth.alert] spp_portscan: End of portscan from 208.59.144.209: TOTAL time(11s) hosts(35) TCP(36) UDP(0)

Investigation of the portscan.log file turned up some salient facts:

- earliest hit was at 13:13:23 UTC, latest at 13:23:17;
- every instance was a SYN scan against port 80;
- SYN scans, thus no payload to trigger CR/Nimda rules, and thus probably *not* CR or Nimda;
- exactly 10 source hosts were identified (noted below);
- each source host scanned a precise region of our Class B (/16), as noted:

hits  source           scanned                              who
----  ---------------  -----------------------------------  ----
 789  24.82.220.202    /24 subnets 6,7,9,10,11              shawcable.net
 446  208.59.144.209   /24 subnets 17,18,19,20,21,22        rcn.com
 292  66.183.11.57     /24 subnets 27,30,31,32              telus.net
 361  206.172.81.25    /24 subnets 66,67,68,69              sympatico.ca
 412  24.45.90.128     /24 subnets 81,82,83                 optonline.net
 166  204.26.122.47    /24 subnets 139,141                  multitech.com / USWEST
 539  64.252.197.190   /24 subnets 159,160,161,162          snet.net
 440  68.9.1.36        /24 subnets 166,167,168,169,170      cox.com
 116  149.99.203.126   /24 subnets 178,180,181              sprint.ca
 448  24.132.199.169   /24 subnets 181,183,184,185,186      a2000.nl

Distributed reconnaissance tool? Anyone recognize the signature? Anyone seen this?
-g
--
Glenn Forbes Fleming Larratt
The Lab Ratt (not briggs :-)
glratt () io com
http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
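As an added example (not part of Glenn's post, and not Snort's own code), here is how the per-source subnet breakdown above, and the "one scan split across many sources" judgement it suggests, can be computed from per-hit records. The target network 10.0.0.0/16, the hit tuples and the thresholds are constructed assumptions standing in for the real portscan.log data.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed per-hit records (UTC timestamp, source, destination) standing in for
# SYN-to-port-80 entries pulled from portscan.log; the target /16 is a placeholder.
TARGET_NET = "10.0.0.0/16"
SAMPLE_HITS = [
    ("2002-03-03 13:13:23", "24.82.220.202", "10.0.6.1"),
    ("2002-03-03 13:13:25", "24.82.220.202", "10.0.7.1"),
    ("2002-03-03 13:13:40", "24.82.220.202", "10.0.9.1"),
    ("2002-03-03 13:14:01", "208.59.144.209", "10.0.17.1"),
    ("2002-03-03 13:14:03", "208.59.144.209", "10.0.18.1"),
    ("2002-03-03 13:15:10", "149.99.203.126", "10.0.178.1"),
    ("2002-03-03 13:15:11", "149.99.203.126", "10.0.181.1"),
    ("2002-03-03 13:16:00", "24.132.199.169", "10.0.181.2"),  # overlaps on subnet 181
    ("2002-03-03 13:16:01", "24.132.199.169", "10.0.183.1"),
    ("2002-03-03 13:16:02", "24.132.199.169", "172.16.1.1"),  # outside TARGET_NET, ignored
    ("2002-03-03 13:23:17", "24.132.199.169", "10.0.184.1"),
]

def subnets_per_source(hits, dst_net=TARGET_NET):
    """Map each source to the sorted list of /24 third octets it hit inside dst_net."""
    net = ipaddress.ip_network(dst_net)
    seen = defaultdict(set)
    for _ts, src, dst in hits:
        d = ipaddress.ip_address(dst)
        if d in net:
            seen[src].add((int(d) >> 8) & 0xFF)
    return {src: sorted(s) for src, s in seen.items()}

def coordinated_scan(hits, dst_net=TARGET_NET, window_s=600,
                     min_sources=3, min_coverage=0.85):
    """Judge whether the hits look like one scan split across sources: several
    sources active within window_s, each covering a mostly distinct set of /24s.
    coverage = distinct subnets / sum of per-source subnet counts; 1.0 is a perfect
    partition, and small overlaps (like subnet 181 in the post) lower it slightly."""
    per_src = subnets_per_source(hits, dst_net)
    times = [datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") for ts, _, _ in hits]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    total = sum(len(v) for v in per_src.values())
    distinct = len(set().union(*(set(v) for v in per_src.values())))
    coverage = distinct / total if total else 0.0
    return {
        "sources": len(per_src),
        "span_s": span,
        "coverage": round(coverage, 3),
        "coordinated": (span <= window_s and len(per_src) >= min_sources
                        and coverage >= min_coverage),
    }
```

With the sample above the four sources finish within 594 seconds and cover nine distinct /24s out of ten source-subnet pairs, so the scan is reported as coordinated.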
Current thread:
- Coordinated HTTP scan (NOT CodeRed or Nimda)? Glenn Forbes Fleming Larratt (Mar 04)
- <Possible follow-ups>
- RE: Coordinated HTTP scan (NOT CodeRed or Nimda)? Kinsey, Robert (Mar 05)