Security Incidents mailing list archives

observations on recent unicode attacks against IIS servers


From: Russell Fulton <r.fulton () auckland ac nz>
Date: 29 Jul 2002 12:47:24 +1200

Hi All,
        Looks like some new tools (but not new methods) are being used by
kiddies to attack IIS web servers.  There are at least two different
tools involved:

One leaves a snort finger print like this
    * 1 instances of WEB-IIS CodeRed v2 root.exe access
    * 2 instances of WEB-IIS msdac access
    * 61 instances of WEB-IIS cmd.exe access
for each host attacked.  Sometimes we see a systematic scan of our
address space followed by attacks on all IIS servers; other times we see
single machines attacked.  The cmd.exe attacks are all unicode directory
traversal attacks so far as I can see. Nothing new in the methods used,
just a big rise in the frequency of this particular pattern of
signatures.

The other pattern we are seeing is one or two unicode directory
traversal attacks directed against all IIS servers on campus.  The
actual directory attacked varies but I think it is the same script being
used.

These two patterns have shown up in the last couple of weeks; although I
have seen similar things in the past, now I am seeing these several times
a day, and the total number of unicode attacks has risen substantially.

I am also seeing a mutated or altered version of Nimda; the attack
signature is the same but the scanning pattern is different.  I am
seeing attacks from (what appear to be) Nimda-infected hosts in
unrelated networks at frequencies that suggest that the weighting of the
scan patterns has been changed.

Here is output from my port 80 probe counter for one hour counting
probes to 130.216/16:

Total address with two or more probes 314
    218.0.79.52 28 Jul 02 19:59:49 -- 28 Jul 02 20:59:42 # count 97
130.207.139.207 28 Jul 02 19:59:57 -- 28 Jul 02 20:57:54 # count 84
 211.91.255.154 28 Jul 02 20:00:05 -- 28 Jul 02 20:57:49 # count 84
  64.86.155.118 28 Jul 02 20:00:04 -- 28 Jul 02 20:59:36 # count 53
 211.150.197.74 28 Jul 02 20:02:01 -- 28 Jul 02 20:59:27 # count 34
    66.123.72.3 28 Jul 02 19:59:55 -- 28 Jul 02 20:59:22 # count 30
   218.64.36.64 28 Jul 02 20:00:07 -- 28 Jul 02 20:41:59 # count 6
216.200.130.201 28 Jul 02 20:01:21 -- 28 Jul 02 20:16:34 # count 4
   61.149.3.141 28 Jul 02 20:46:33 -- 28 Jul 02 20:59:20 # count 3
  200.67.77.121 28 Jul 02 20:50:36 -- 28 Jul 02 20:58:00 # count 2
 202.103.39.202 28 Jul 02 20:21:37 -- 28 Jul 02 20:31:06 # count 2
  65.82.184.122 28 Jul 02 20:23:35 -- 28 Jul 02 20:55:49 # count 2
 64.169.104.104 28 Jul 02 20:00:33 -- 28 Jul 02 20:42:47 # count 2
   65.95.109.59 28 Jul 02 20:35:11 -- 28 Jul 02 20:46:16 # count 2
   61.144.40.93 28 Jul 02 20:13:22 -- 28 Jul 02 20:28:13 # count 2
210.166.204.240 28 Jul 02 20:05:32 -- 28 Jul 02 20:41:19 # count 2
  218.70.158.29 28 Jul 02 20:05:25 -- 28 Jul 02 20:10:58 # count 2

Note that two of the top three are in unrelated /8 addresses.  I have
checked my snort logs and verified that both these machines launch
attacks that fit the Nimda signature.


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

'It aint necessarily so'  - Gershwin

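As an added illustration (not part of Russell's post or his tools), here is a small Python probe counter that produces a report in the same shape as the one-hour summary above: it groups port-80 probes by source address, keeps the first and last time each source was seen, and lists only sources with two or more probes. The input format ("source-ip day mon yy hh:mm:ss", one line per probe), the addresses and the timestamps are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one inbound port-80 probe per line, "src_ip timestamp".
# Addresses are from the RFC 5737 documentation ranges; times are made up.
# Lines are deliberately out of order and one is malformed.
SAMPLE_LOG = """\
198.51.100.7 28 Jul 02 20:10:03
192.0.2.10 28 Jul 02 20:00:05
203.0.113.5 28 Jul 02 20:21:37
198.51.100.7 28 Jul 02 19:59:49
garbage line that does not parse
192.0.2.10 28 Jul 02 20:57:49
198.51.100.7 28 Jul 02 20:59:42
"""

TS_FORMAT = "%d %b %y %H:%M:%S"
LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})$"
)


def summarise_probes(lines, min_count=2):
    """Return [(ip, first_seen, last_seen, count)] for every source that
    probed at least min_count times, sorted by count (desc) then address."""
    first, last, count = {}, {}, defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the run
        ip, ts_text = m.groups()
        ts = datetime.strptime(ts_text, TS_FORMAT)
        count[ip] += 1
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    rows = [(ip, first[ip], last[ip], n) for ip, n in count.items() if n >= min_count]
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


def format_report(rows):
    """Render rows in the same layout as the probe-counter output in the post."""
    out = [f"Total address with two or more probes {len(rows)}"]
    for ip, first, last, n in rows:
        out.append(f"{ip:>15} {first.strftime(TS_FORMAT)} -- "
                   f"{last.strftime(TS_FORMAT)} # count {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarise_probes(SAMPLE_LOG.splitlines())))
```

Feeding it real web-server or firewall logs only needs a different LINE_RE; the grouping and first/last-seen logic stays the same.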

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com