Security Incidents mailing list archives
RE: massive lpr exploit attempt
From: "Tony Lambiris" <tlambiris () skillsoft com>
Date: Mon, 25 Jun 2001 14:32:53 -0400
I had only received one of these entries in my log file:

Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608 fxp0 @0:1 b 155.135.31.128,1100 -> xx.xx.xx.xx,515 PR tcp len 20 60 -S IN
-----Original Message-----
From: r.fulton () auckland ac nz [mailto:r.fulton () auckland ac nz]
Sent: Sunday, June 24, 2001 6:42 PM
To: incidents () securityfocus com
Subject: massive lpr exploit attempt

Yesterday (Sunday 24th) we were attacked from several different IPs using an iterated x86 lpr exploit against any machine that responds on port 515. Even though we block 515 for the vast bulk of our addresses I logged over 80,000 probes to the 20 or so addresses that responded! These attacks are the same as I saw a few months ago (hmm... I'm sure I posted something about them then but I can't find anything in the archives).

One feature of these attacks is that while the attacker is trying exploits on port 515 they are also making connection attempts on port 3897 (presumably looking for a root shell that signals that one of the exploits succeeded). Thus if you run argus then you can pick up any successful exploits by dumping all established tcp sessions to port 3897.

Overall there were 25 source addresses involved and at one time there were 10 active at once. Since this attack requires tcp connections to deliver the exploit I don't believe any of these were decoys.

At midnight -- well 23:16 (local time) the activity stopped (odd - probably coincidence), however I have seen at least 10 lpr scans of another class C network that I monitor this morning. Since there are no machines on this network that respond to lpr probes I can't state with any certainty that these are the same tool/worm/whatever although the scans look the same.

This activity puzzles me. If this is some sort of coordinated attack then it seems very wasteful of resources; why repeat the attack from so many different sources? One possible explanation is that the different attackers were trying different offset ranges in their exploits -- I have the tcpdump logs from snort if anyone wants to test this hypothesis.

The other possible explanation is that this attack has now been loaded into a worm, but if that is the case why the relatively narrow time window? (Time will tell if this is a small part of a wider distribution and that the clump is just coincidence.)

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
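Russell's detection advice (correlate the port 515 exploit attempts with connection attempts to port 3897) and Tony's ipmon line suggest a simple triage script for sites that only have firewall logs rather than argus flow records. The following is an added example, not code from either poster: it parses IP Filter ipmon lines in the format Tony quoted, counts per-source SYNs to tcp/515 and tcp/3897, and flags any destination for which the firewall *passed* a SYN to 3897 from a source that had already probed 515. The sample log lines, the 192.0.2.x/198.51.100.x/203.0.113.x addresses and the host name `eclipse` are constructed; ipmon logs packets rather than sessions, so a flagged host is a lead to confirm on the box or with argus, not proof that a shell was reached.

```python
import re
from collections import defaultdict

LPR_PORT = 515      # lpd/lpr, the service the exploit attempts target
SHELL_PORT = 3897   # port the post says attackers poll for a root shell

# Field layout of an ipmon (IP Filter) log line, matching the one in Tony's post:
#   Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608 fxp0 @0:1 b \
#     155.135.31.128,1100 -> xx.xx.xx.xx,515 PR tcp len 20 60 -S IN
# action is b (blocked), p (passed), S (short), n (no match) or L (log only).
IPMON_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+ipmon\[\d+\]:\s+(?P<ts>[\d:.]+)\s+(?P<iface>\S+)\s+"
    r"@(?P<rule>\S+)\s+(?P<action>[bpSnL])\s+"
    r"(?P<src>\S+?),(?P<sport>\d+)\s+->\s+(?P<dst>\S+?),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-[A-Z]+))?\s+(?P<dir>IN|OUT)\s*$"
)

# Constructed sample log (not real traffic): one blocked scanner, one scanner whose
# SYN to 3897 was passed after it probed 515, and one unrelated web hit.
LOG_LINES = """\
Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608 fxp0 @0:1 b 155.135.31.128,1100 -> 192.0.2.10,515 PR tcp len 20 60 -S IN
Jun 25 09:00:11 eclipse ipmon[29285]: 09:00:11.120004 fxp0 @0:1 b 155.135.31.128,1101 -> 192.0.2.11,515 PR tcp len 20 60 -S IN
Jun 25 09:00:12 eclipse ipmon[29285]: 09:00:12.003311 fxp0 @0:1 b 155.135.31.128,1102 -> 192.0.2.12,3897 PR tcp len 20 60 -S IN
Jun 25 09:01:40 eclipse ipmon[29285]: 09:01:40.554120 fxp0 @0:3 p 198.51.100.7,2045 -> 192.0.2.20,515 PR tcp len 20 60 -S IN
Jun 25 09:01:41 eclipse ipmon[29285]: 09:01:41.778900 fxp0 @0:3 p 198.51.100.7,2046 -> 192.0.2.20,515 PR tcp len 20 60 -S IN
Jun 25 09:01:42 eclipse ipmon[29285]: 09:01:42.901233 fxp0 @0:3 p 198.51.100.7,2047 -> 192.0.2.20,3897 PR tcp len 20 60 -S IN
Jun 25 09:02:00 eclipse ipmon[29285]: 09:02:00.000100 fxp0 @0:3 p 203.0.113.9,3301 -> 192.0.2.20,80 PR tcp len 20 60 -S IN
"""


def parse_ipmon_line(line):
    """Return the fields of one ipmon line as a dict, or None if it is not one."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"] or ""
    return rec


def summarize(lines):
    """Count per-source SYNs to 515 and 3897 and flag likely compromised hosts.

    A source that probes 515 and then gets a passed SYN to 3897 on a host is the
    pattern Russell describes. ipmon logs packets, not sessions, so the result
    is a triage cue to confirm with argus or on the host itself.
    """
    probes_515 = defaultdict(int)
    probes_3897 = defaultdict(int)
    sources_hitting_lpr = set()
    suspect_hosts = []
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dir"] != "IN":
            continue
        if "S" not in rec["flags"] or "A" in rec["flags"]:
            continue  # only initial SYNs count as probes, not SYN/ACK or data
        if rec["dport"] == LPR_PORT:
            probes_515[rec["src"]] += 1
            sources_hitting_lpr.add(rec["src"])
        elif rec["dport"] == SHELL_PORT:
            probes_3897[rec["src"]] += 1
            if rec["action"] == "p" and rec["src"] in sources_hitting_lpr:
                pair = (rec["src"], rec["dst"])
                if pair not in suspect_hosts:
                    suspect_hosts.append(pair)
    return {
        "probes_515": dict(probes_515),
        "probes_3897": dict(probes_3897),
        "suspect_hosts": suspect_hosts,
    }


if __name__ == "__main__":
    report = summarize(LOG_LINES.splitlines())
    for src, n in sorted(report["probes_515"].items(), key=lambda kv: -kv[1]):
        hits_3897 = report["probes_3897"].get(src, 0)
        print(f"{src:16} {n:6d} SYNs to tcp/{LPR_PORT}, {hits_3897} to tcp/{SHELL_PORT}")
    for src, dst in report["suspect_hosts"]:
        print(f"CHECK {dst}: passed SYN to tcp/{SHELL_PORT} from {src} after lpr probes")
```

Run it against a real ipmon file with `summarize(open("/var/log/ipmon.log"))`; sources with a high 515 count and any 3897 traffic are the ones to pull from the snort captures, and every host in `suspect_hosts` deserves a look for a listening shell before anything else.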