Security Incidents mailing list archives

Re: massive lpr exploit attempt


From: E Kelly Bond <ekbond () gnat net>
Date: Tue, 26 Jun 2001 21:03:33 -0400 (EDT)

FWIW, here too...

PROTO=6 65.80.225.117:1023 XX.XX.XX.XX:22 L=48 S=0x00 I=35824 F=0x4000 T=52 SYN (#47)

PROTO=6 202.105.200.125:1785 XX.XX.XX.XX:21 L=60 S=0x00 I=33878 F=0x4000 T=45 SYN (#47)

PROTO=6 64.108.63.210:1161 XX.XX.XX.XX:21 L=48 S=0x00 I=36837 F=0x4000 T=112 SYN (#47)

PROTO=6 64.111.152.180:2626 XX.XX.XX.XX:21 L=48 S=0x00 I=52796 F=0x4000 T=112 SYN (#47)

PROTO=6 24.93.8.130:2351 XX.XX.XX.XX:21 L=64 S=0x00 I=41993 F=0x4000 T=16 SYN (#47)

TCP 64.111.152.180:2849 XX.XX.XX.XX:21 L=48 S=0x00 I=53544 F=0x0040 T=112

TCP 24.93.8.130:2573 XX.XX.XX.XX:21 L=64 S=0x00 I=42663 F=0x0040 T=16

TCP 202.105.200.125:3192 XX.XX.XX.XX:21 L=60 S=0x00 I=38494 F=0x0040 T=46

TCP 64.108.63.210:1590 XX.XX.XX.XX:21 L=48 S=0x00 I=39346 F=0x0040 T=112

each entry repeated many times and across each of the servers on my
network.

K



Andrew Doran wrote:

   I got one too...

   Jun 25 15:11:06 : Packet log: input REJECT eth0 PROTO=6 210.102.23.70:4902 aaa.bbb.ccc.ddd.eee:111 L=60 S=0x00 I=28779 F=0x4000 T=49 SYN (#8)

   -----Original Message-----
   From: Tony Lambiris [mailto:tlambiris () skillsoft com]
   Sent: Monday, June 25, 2001 1:33 PM
   To: r.fulton; incidents
   Subject: RE: massive lpr exploit attempt

   I had only received one of these entries in my log file:

   Jun 25 09:00:10 eclipse ipmon[29285]: 09:00:10.339608 fxp0 @0:1 b 155.135.31.128,1100 -> xx.xx.xx.xx,515 PR tcp len 20 60 -S IN

   > -----Original Message-----
   > From: r.fulton () auckland ac nz [mailto:r.fulton () auckland ac nz]
   > Sent: Sunday, June 24, 2001 6:42 PM
   > To: incidents () securityfocus com
   > Subject: massive lpr exploit attempt
   >
   >
   > Yesterday (Sunday 24th) we were attacked from several different IPs
   > using an iterated X86 lpr exploit against any machine that responded on
   > port 515.  Even though we block 515 for the vast bulk of our addresses
   > I logged over 80,000 probes to the 20 or so addresses that responded!
   >
   > These attacks are the same as I saw a few months ago (hmm...  I'm sure
   > I posted something about them then but I can't find anything in the
   > archives). One feature of these attacks is that while the attacker is
   > trying exploits on port 515 they are also making connection attempts on
   > port 3897 (presumably looking for a root shell that signals that one of
   > the exploits succeeded).  Thus if you run argus then you can pick up
   > any successful exploits by dumping all established tcp sessions to port
   > 3897.
   >
   > Overall there were 25 source addresses involved and at one time there
   > were 10 active at once.  Since this attack requires tcp connections to
   > deliver the exploit I don't believe any of these were decoys.
   >
   > At midnight -- well 23:16 (local time) the activity stopped (odd -
   > probably coincidence), however I have seen at least 10 lpr scans of
   > another class C network that I monitor this morning.  Since there are
   > no machines on this network that respond to lpr probes I can't state
   > with any certainty that these are the same tool/worm/whatever although
   > the scans look the same.
   >
   > This activity puzzles me.  If this is some sort of coordinated attack
   > then it seems very wasteful of resources: why repeat the attack from
   > so many different sources?  One possible explanation is that the
   > different attackers were trying different offset ranges in their
   > exploits -- I have the tcp dump logs from snort if anyone wants to test
   > this hypothesis.
   >
   > The other possible explanation is that this attack has now been loaded
   > into a worm, but if that is the case why the relatively narrow time
   > window?  (Time will tell if this is a small part of a wider
   > distribution and that the clump is just coincidence.)
   >
   > Cheers, Russell.
   >
   >
   > Russell Fulton, Computer and Network Security Officer
   > The University of Auckland,  New Zealand
   >
   >
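The heuristic Russell describes (a source that is hammering tcp/515 and is also trying to connect to tcp/3897 is running the exploit and checking for its shell) can be applied directly to the ipchains-style "Packet log" lines posted in this thread. The script below is an added example and is not code from any of the posters; the field layout it parses (PROTO=, src:sport, dst:dport, L=, S=, I=, F=, T=, SYN, rule number) is the ipchains format shown above, and the sample log it runs on is constructed for the example with documentation-range addresses, not real traffic.

```python
"""Added example: apply Russell Fulton's lpr-exploit heuristic to
ipchains-style firewall logs.  A source that probes tcp/515 repeatedly
and also tries tcp/3897 is the one worth pulling session data for."""
import re
from collections import defaultdict

# ipchains "Packet log" field layout, as in the PROTO=6 / TCP lines above:
#   PROTO=<num> src:sport dst:dport L=<IP len> S=<TOS> I=<IP id>
#   F=<fragment field> T=<TTL> [SYN] (#rule)
LINE_RE = re.compile(
    r"(?:PROTO=(?P<proto>\d+)|\b(?P<pname>TCP|UDP|ICMP)\b)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.xX]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)\s+"
    r"F=(?P<frag>0x[0-9a-fA-F]+)\s+T=(?P<ttl>\d+)"
    r"(?:\s*(?P<flags>SYN))?"
)
PROTO_BY_NAME = {"TCP": 6, "UDP": 17, "ICMP": 1}
IP_DF = 0x4000          # Don't Fragment bit inside the F= fragment field
LPR_PORT = 515          # lpd, the service the exploit targets
SHELL_PORT = 3897       # where the attacker checks for the spawned root shell


def parse_line(line):
    """Return the packet fields as a dict, or None if the line is not a log entry."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    if m.group("proto"):
        proto = int(m.group("proto"))
    else:
        proto = PROTO_BY_NAME[m.group("pname")]
    return {
        "proto": proto,
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "ttl": int(m.group("ttl")),
        "df": bool(int(m.group("frag"), 16) & IP_DF),
        "syn": m.group("flags") == "SYN",
    }


def correlate(lines):
    """Count, per source, TCP connection attempts to tcp/515 and tcp/3897.

    Non-TCP entries are ignored: the shell check only means something
    when the same source is making TCP connection attempts to 3897."""
    hits = defaultdict(lambda: {"lpr": 0, "shell": 0})
    for line in lines:
        p = parse_line(line)
        if p is None or p["proto"] != 6:
            continue
        if p["dport"] == LPR_PORT:
            hits[p["src"]]["lpr"] += 1
        elif p["dport"] == SHELL_PORT:
            hits[p["src"]]["shell"] += 1
    return dict(hits)


def suspected_exploit_sources(lines, min_probes=2):
    """Sources that probed lpd at least min_probes times and also tried 3897."""
    return sorted(src for src, h in correlate(lines).items()
                  if h["lpr"] >= min_probes and h["shell"] > 0)


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
Jun 25 15:11:06 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.10:4902 10.0.0.5:515 L=60 S=0x00 I=28779 F=0x4000 T=49 SYN (#8)
Jun 25 15:11:07 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.10:4903 10.0.0.5:515 L=60 S=0x00 I=28780 F=0x4000 T=49 SYN (#8)
Jun 25 15:11:09 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.10:4910 10.0.0.5:3897 L=60 S=0x00 I=28799 F=0x4000 T=49 SYN (#8)
Jun 25 15:12:00 fw kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:1161 10.0.0.5:21 L=48 S=0x00 I=36837 F=0x4000 T=112 SYN (#47)
Jun 25 15:12:30 fw kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.9:2351 10.0.0.6:515 L=64 S=0x00 I=41993 F=0x4000 T=16 SYN (#47)
Jun 25 15:13:00 fw kernel: Packet log: input REJECT eth0 PROTO=17 198.51.100.9:53 10.0.0.6:3897 L=64 S=0x00 I=41994 F=0x0000 T=16 (#47)
"""

if __name__ == "__main__":
    for src, h in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"{src:15} lpr={h['lpr']} shell={h['shell']}")
    print("suspects:", suspected_exploit_sources(SAMPLE_LOG.splitlines()))
```

Two caveats when using this on real logs. A firewall log of rejected SYNs only shows connection attempts to 3897, which is what the attacker's tool does regardless of whether the exploit worked; a completed handshake to 3897 is the signal of a success, and that is why Russell points at argus's established-session records rather than the packet filter. And the FTP probes from the same sources (port 21 in the log lines above) fall outside the heuristic on purpose; they would need their own correlation.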







----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

