Security Incidents mailing list archives

Strange attacks


From: opus <opus () ircore com>
Date: Fri, 25 Oct 2002 11:47:25 -0500 (CDT)

Beginning on October 10th at 1:42am CDT what was considered a pretty 
significant attack took place.  These attack attempts were all web based.  
What is curious about these attacks is the number of unique strings used 
in the attacks.  In all there were 149 unique Snort rules triggered, from 
5 attacks in 14 days.

There were 5 total attacks to date, none of which were the same.  The last 
attack was the most aggressive and extensive.  A compiled list of the type 
of Snort rules that were triggered is at the end of this email.  These 
web servers are hardened and the attacks were not effective, not to say 
that sooner or later I'll get bit.

I didn't want to post the actual attack strings; even though the 
vulnerabilities are known, I don't want to provide someone with an easy 
way of creating an attack.  Obviously these are already 
scripted/automated, are these new?

Has anyone else seen this?  I've not seen any mention of such attacks 
having taken place or have I been sleeping?  It's almost like someone 
took the Snort rules and created an attack string for each one.

Attack 1
        Attack Began Oct 10 01:42:41 CDT
        Attack Ended Oct 10 01:57:32 CDT
        From a .tampabay.rr.com computer
        1571 connection attempts
        Across 17 web servers
        6 unique Snort rules triggered
        82 unique HEAD and 3 GET strings that triggered the rules

Attack 2
        Attack Began Oct 10 19:00:07 CDT
        Attack Ended Oct 10 19:03:43 CDT
        From a .nas-corp.com computer
        693 connection attempts
        Across 17 web servers
        9 unique Snort rules triggered
        82 unique HEAD strings that triggered the rules

Attack 3
        Attack Began Oct 10 19:04:21 CDT
        Attack Ended Oct 10 19:10:35 CDT
        From a .mylinuxisp.com computer
        447 connection attempts
        Across 17 web servers
        7 unique Snort rules triggered
        26 unique HEAD strings that triggered the rules

Attack 4
        Attack Began Oct 19 09:49:19 CDT
        Attack Ended Oct 19 09:52:29 CDT
        From a .apid.com computer
        99 connection attempts
        Across 17 web servers
        4 unique Snort rules triggered
        11 unique GET strings that triggered the rules

Attack 5
        Attack Began Oct 24 16:14:18 CDT
        Attack Ended Oct 24 16:30:18 CDT
        From a .adsl.fx.apol.com.tw computer
        4242 connection attempts
        Across 17 web servers
        139 unique Snort rules triggered
        343 unique GET strings that triggered the rules

WEB-ATTACKS /bin/ls| command attempt 
WEB-CGI aglimpse access 
WEB-CGI AnyForm2 access 
WEB-CGI args.bat access 
WEB-CGI AT-admin.cgi access 
WEB-CGI bnbform.cgi access 
WEB-CGI campas access 
WEB-CGI classifieds.cgi access 
WEB-CGI dumpenv.pl access 
WEB-CGI edit.pl access 
WEB-CGI environ.cgi access 
WEB-CGI faxsurvey access 
WEB-CGI filemail access 
WEB-CGI files.pl access 
WEB-CGI finger access 
WEB-CGI formmail access 
WEB-CGI glimpse access 
WEB-CGI htmlscript access 
WEB-CGI info2www access 
WEB-CGI maillist.pl access 
WEB-CGI man.sh access 
WEB-CGI NPH-publish access 
WEB-CGI nph-test-cgi access 
WEB-CGI perl.exe access 
WEB-CGI perlshop.cgi access 
WEB-CGI pfdisplay.cgi access 
WEB-CGI phf access 
WEB-CGI php access 
WEB-CGI ppdscgi.exe access 
WEB-CGI rguest.exe access 
WEB-CGI rsh access 
WEB-CGI rwwwshell.pl access 
WEB-CGI survey.cgi access 
WEB-CGI test-cgi access 
WEB-CGI testcounter.pl access 
WEB-CGI uploader.exe access 
WEB-CGI view-source access 
WEB-CGI visadmin.exe access 
WEB-CGI w3-msql access 
WEB-CGI wais.p access 
WEB-CGI webgais access 
WEB-CGI websendmail access 
WEB-CGI wguest.exe access 
WEB-CGI whoisraw access 
WEB-CGI win-c-sample.exe access 
WEB-CGI wrap access 
WEB-CGI wwwadmin.pl access 
WEB-CGI wwwboard passwd access 
WEB-CGI www-sql access 
WEB-COLDFUSION cfmlsyntaxcheck.cfm access 
WEB-COLDFUSION exampleapp access 
WEB-COLDFUSION exampleapp application.cfm 
WEB-COLDFUSION expeval access 
WEB-COLDFUSION exprcalc access 
WEB-COLDFUSION fileexists.cfm access 
WEB-COLDFUSION getfile.cfm access 
WEB-COLDFUSION snippets attempt 
WEB-COLDFUSION startstop DOS access 
WEB-FRONTPAGE administrators.pwd 
WEB-FRONTPAGE authors.pwd access 
WEB-FRONTPAGE dvwssr.dll access 
WEB-FRONTPAGE form_results access 
WEB-FRONTPAGE form_results.htm access 
WEB-FRONTPAGE fourdots request 
WEB-FRONTPAGE fpadmcgi.exe access 
WEB-FRONTPAGE fpadmin.htm access 
WEB-FRONTPAGE fpremadm.exe access 
WEB-FRONTPAGE orders.htm access 
WEB-FRONTPAGE orders.txt access 
WEB-FRONTPAGE register.htm access 
WEB-FRONTPAGE register.txt access 
WEB-FRONTPAGE registrations.htm access 
WEB-FRONTPAGE registrations.txt access 
WEB-FRONTPAGE service.pwd 
WEB-FRONTPAGE shtml.dll access 
WEB-FRONTPAGE shtml.exe access 
WEB-FRONTPAGE users.pwd access 
WEB-IIS .... access 
WEB-IIS admin access 
WEB-IIS .asp access 
WEB-IIS asp-dot attempt 
WEB-IIS CGImail.exe access 
WEB-IIS CodeRed v2 root.exe access 
WEB-IIS fpcount access 
WEB-IIS global-asa access 
WEB-IIS iissamples access 
WEB-IIS ISAPI .ida attempt 
WEB-IIS ISAPI .idq access 
WEB-IIS ISAPI .idq attempt 
WEB-IIS ISAPI .printer access 
WEB-IIS jet vba access 
WEB-IIS _mem_bin access 
WEB-IIS msadc/msadcs.dll access 
WEB-IIS /msadc/samples/ access 
WEB-IIS msdac access 
WEB-IIS MSProxy access 
WEB-IIS newdsn.exe access 
WEB-IIS Overflow-htr access 
WEB-IIS SAM Attempt 
WEB-IIS /scripts/samples/ access 
WEB-IIS search97.vts access 
WEB-IIS site server config access 
WEB-IIS Unicode2.pl script (File permission canonicalization) 
WEB-IIS uploadn.asp access 
WEB-IIS _vti_inf access 
WEB-MISC /.... 
WEB-MISC adminlogin access 
WEB-MISC apache DOS attempt 
WEB-MISC ax-admin.cgi access 
WEB-MISC bigconf.cgi access 
WEB-MISC cachemgr.cgi access 
WEB-MISC cart 32 AdminPwd access 
WEB-MISC /cgi-bin/jj attempt 
WEB-MISC convert.bas access 
WEB-MISC count.cgi access 
WEB-MISC counter.exe access 
WEB-MISC cpshost.dll access 
WEB-MISC Domino catalog.ns access 
WEB-MISC Domino domcfg.nsf access 
WEB-MISC Domino domlog.nsf access 
WEB-MISC Domino log.nsf access 
WEB-MISC Domino names.nsf access 
WEB-MISC Ecommerce checks.txt access 
WEB-MISC Ecommerce import.txt access 
WEB-MISC /etc/passwd 
WEB-MISC get32.exe access 
WEB-MISC handler access 
WEB-MISC .htaccess access 
WEB-MISC .htpasswd access 
WEB-MISC http directory traversal 
WEB-MISC Lotus EditDoc attempt 
WEB-MISC mall log order access 
WEB-MISC order.log access 
WEB-MISC piranha passwd.php3 access 
WEB-MISC plusmail access 
WEB-MISC queryhit.htm access 
WEB-MISC /~root 
WEB-MISC shopping cart access access 
WEB-MISC showcode access 
WEB-MISC ultraboard access 
WEB-MISC viewcode access 
WEB-MISC webcart access 
WEB-MISC webdist.cgi access 
WEB-MISC ws_ftp.ini access 
WEB-MISC .wwwacl access 
WEB-MISC wwwboard.pl access 

-- 
    .~.
    /V\
   /( )\
   ^^-^^
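One way to produce per-attack summaries like the ones in the post from Snort's fast-format alert log, as an added example that is not part of the original message: alerts are grouped by source host and each group reports first and last alert time, connection attempts, distinct target servers and distinct rules. The alert lines, rule SIDs and addresses below are constructed for the example; the year is assumed, since fast-format timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Snort "fast" alert lines; SIDs and addresses are made up for this example.
SAMPLE_ALERTS = """\
10/10-01:42:41.101  [**] [1:9001:1] WEB-CGI phf access [**] [Priority: 2] {TCP} 192.0.2.10:3001 -> 198.51.100.1:80
10/10-01:42:43.205  [**] [1:9002:1] WEB-CGI test-cgi access [**] [Priority: 2] {TCP} 192.0.2.10:3002 -> 198.51.100.2:80
10/10-01:57:32.990  [**] [1:9001:1] WEB-CGI phf access [**] [Priority: 2] {TCP} 192.0.2.10:3003 -> 198.51.100.1:80
10/10-19:00:07.010  [**] [1:9003:1] WEB-IIS ISAPI .ida attempt [**] [Priority: 1] {TCP} 203.0.113.7:4001 -> 198.51.100.1:80
10/10-19:03:43.400  [**] [1:9003:1] WEB-IIS ISAPI .ida attempt [**] [Priority: 1] {TCP} 203.0.113.7:4002 -> 198.51.100.3:80
"""

# Timestamp, rule message, source and destination address of one fast-format alert line.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[^\]]*\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+$'
)

def summarize(alert_text, year=2002):
    """Group alerts by source host; return one summary dict per host, ordered by first alert."""
    groups = defaultdict(list)
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not a fast-format alert line (e.g. blank or truncated); skip it
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        groups[m['src']].append((ts, m['msg'], m['dst']))
    summaries = []
    for src, events in sorted(groups.items(), key=lambda kv: min(e[0] for e in kv[1])):
        times = [e[0] for e in events]
        rules = {e[1] for e in events}
        summaries.append({
            "source": src,
            "began": min(times),
            "ended": max(times),
            "attempts": len(events),             # one alert per connection attempt
            "servers": len({e[2] for e in events}),
            "unique_rules": len(rules),
            "rules": sorted(rules),
        })
    return summaries

if __name__ == "__main__":
    for s in summarize(SAMPLE_ALERTS):
        print(f"From {s['source']}: {s['began']:%b %d %H:%M:%S} to {s['ended']:%b %d %H:%M:%S}, "
              f"{s['attempts']} attempts across {s['servers']} servers, {s['unique_rules']} unique rules")
```

Unique request strings (the GET/HEAD counts in the post) are not in fast-format alerts; they need the packet payload from full or pcap logging.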


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

