Security Incidents mailing list archives

Re: New attack or old Vulnerability Scanner?


From: Jason Falciola <falciola () us ibm com>
Date: Tue, 29 Apr 2003 20:37:19 -0400


Mark,

You're very welcome.  I don't really need the tcpdump file that badly.  :-)

I found it interesting that it doesn't look like what you're seeing is
unique, nor is this a new attack pattern.  As I mentioned, [1] the
identical traffic was seen from a cable source and posted in a webmaster's
forum [2] as recently as 4/21/03.  It seems like the questions James raised
when he saw this last July [3] were not answered.  As he pointed out [4],
the attack was *very* similar, if not identical, right down to the TCP
connect to port 80, the 65 GET requests, and even the odd request for
shell.exe.

James - can you compare the actual GET requests and see if they match up in
terms of order and content?

It's still unclear to me:

 - whether this is a case of spammers taking up hacking techniques to look
for new boxes to send their cruft.  This may be the case as they're
targeting consumer broadband ranges more these days as other channels are
becoming scarce [5]
 - whether a box with a spam bot that is normally used to crawl websites
looking for email addresses has been compromised & is being used to launch
IIS scans
 - whether this is an attack tool written specifically to perform IIS
scans.  And whether this was written in Delphi or Borland C++ Builder (or
something else)
 - why there was a request for shell.exe

[1] http://www.securityfocus.com/archive/75/319878/2003-04-23/2003-04-29/2
[2] http://www.webmasterworld.com/forum11/1864.htm
[3] http://www.securityfocus.com/archive/75/319863/2003-04-23/2003-04-29/2
[4] http://cert.uni-stuttgart.de/archive/intrusions/2002/07/msg00119.html
[5] http://www.securityfocus.com/news/4217

Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciola () us ibm com
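As an added example (not code from the thread or from any of its posters): a small Python script that looks in a web-server log for the pattern Mark describes, one source firing a run of GETs, with /shell.exe among them, against a box that need not be running IIS, and that answers the comparison Jason asks James for, whether two captured request lists match in order and content or only as sets. The log lines are constructed; apart from /shell.exe the probe paths are placeholders and are not the 65 requests from the capture.

```python
"""Scan-burst detection over web-server logs, plus a request-sequence comparison.

Added example for this thread, not code from the original posts.  The log
lines are constructed; apart from /shell.exe the probe paths are placeholders,
not the 65 requests from Mark's capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [timestamp] "METHOD path HTTP/x" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_bursts(lines, min_requests=20, window=timedelta(seconds=60)):
    """Return {host: ordered list of GET paths} for every host that issued at
    least min_requests GETs inside some span no longer than `window`.
    Status codes are ignored on purpose: the scanner in the thread kept going
    against a non-IIS box, so the burst shows up as a run of 404s."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec and rec["method"] == "GET":
            by_host[rec["host"]].append(rec)
    hits = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])  # stable: ties keep log order
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans <= `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_requests:
                hits[host] = [r["path"] for r in recs]
                break
    return hits


def compare_sequences(a, b):
    """Jason's question for two ordered GET lists: identical in order and
    content, or only the same set?  Returns (same_order, same_set,
    only_in_a, only_in_b)."""
    sa, sb = set(a), set(b)
    return (a == b, sa == sb, sorted(sa - sb), sorted(sb - sa))


def _constructed_log():
    """Constructed sample: 10.0.0.5 fires 65 GETs in under 13 seconds at a
    non-IIS server (all 404), the last one for /shell.exe; 192.0.2.10 is
    ordinary browsing.  Placeholder paths, not the thread's real requests."""
    t0 = datetime(2003, 4, 29, 14, 30, 0)
    paths = ["/scripts/probe%02d.dll" % i for i in range(64)] + ["/shell.exe"]
    lines = []
    for i, p in enumerate(paths):
        ts = (t0 + timedelta(milliseconds=200 * i)).strftime("%d/%b/%Y:%H:%M:%S") + " -0700"
        lines.append('10.0.0.5 - - [%s] "GET %s HTTP/1.0" 404 291' % (ts, p))
    for i, p in enumerate(["/", "/index.html", "/about.html"]):
        ts = (t0 + timedelta(minutes=i)).strftime("%d/%b/%Y:%H:%M:%S") + " -0700"
        lines.append('192.0.2.10 - - [%s] "GET %s HTTP/1.1" 200 1024' % (ts, p))
    lines.append("garbage line that does not parse")  # exercises the None path
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    hits = find_bursts(SAMPLE_LOG)
    for host, paths in hits.items():
        print("%s: %d GETs in burst, shell.exe requested: %s"
              % (host, len(paths), "/shell.exe" in paths))
    # Pretend a second capture had the first two probes in the other order.
    other = hits["10.0.0.5"][:]
    other[0], other[1] = other[1], other[0]
    print(compare_sequences(hits["10.0.0.5"], other))
```

Run it against real access logs by replacing SAMPLE_LOG with the file's lines; a second host's request list can then be fed to compare_sequences to check whether two sightings are the same tool running the same list, which is what the thread is trying to establish.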




Mark Embrich <mark_embrich@yahoo.com>
To:       incidents () securityfocus com
cc:
Subject:  Re: New attack or old Vulnerability Scanner?
04/29/2003 02:34 PM

In-Reply-To:
<OFAF55508B.5FB024D6-ON85256D14.0002DCAA-85256D14.00419468 () us ibm com>

Hello Jason,

Thanks for your help.

Can you post (or provide a link) to the full tcpdump traces for this scan
pattern?  It might aid in the analysis.

The full tcpdump trace is quite long, about 1.7MB per attack, so I can't
post it here.  It would be a real pain-in-the-ass to sanitize it, so I
don't really want to post or distribute it anyway.  If you really, really
want to take a look at it, I can sanitize it and email it to you directly.

When you say TCP connect, I assume you mean that you saw a simple
connection to see if the port is listening (as accomplished with '$ nmap
-sT ...').  Or did you also see a HEAD or GET request to determine if this
was an IIS server?

I mean a simple connection to the port, not a HEAD or GET.
This attack didn't care that I was not running IIS.

I also did not see a ping sweep prior to the attacks, although I only
checked up to 2 hours earlier.

Thank you,
Mark Embrich




