Something new out there?
Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Something new out there?

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Something new out there?

    Is anyone else noticing the following:-

    1. Increased level of general IIS cmd.exe variants/ISAPI .ida attacks, (on every other day or so these are really high)

    2. Some less common alerts surfacing, (bad HTTP/1.1 requests), from the same machine running some of those in 1.

    3. And here's the kicker!!! WEB CGI ScriptAlias Access which is an attack against an Unix Server, (reference ), and I don't run any unix boxes but the attacking machine is running exploits against both Win32 and *nix.

    They are automated attacks since they are coming in fast and looking like the usual Nimda/CodeRed sets of alerts until you notice the unusual ones. They don't seem to be from a fixed code worm of any kind since the exploits and their sequence vary so I'm thinking there might be some kind of kiddie tool published recently that allows you to check a bunch of boxes to run the selected exploits and it then shows you if you made a "hit". That would explain the *nix attacks in my IIS boxes 'cos I never saw that before in automated attacks.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Yes, infact I have a large alarm count for .ida indexing service overflow attacks. However, this is the only item consistant with what you are seeing.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Probably cause of idiots like in my organization....

    [RANT] HOW IN THE HELL CAN YOU BE SO INEPT AS TO STICK A WINDOWS2000 BOX AT AN INTERNET ADDRESSIBLE ADDRESS WITH NO PATCHES AND NO AV? [/RANT]

    My IDS still sees tons of default.ida buffer overflow attempts a day....*sigh* At least there is one less infected host out there now...

    /nebulus


    EDIT: It is just variants of codered/nimda...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    I agree. I see ida overflows and cmd.exe access attempts all the time, but im running apache on gentoo. What gives? I think alot of kiddies out there just cant use nmap or use its output in a script.
    $person!=$kiddie or die(\"Alas, die you hotmail hacker!!\");
    SecureVision

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's only today I have seen the "hybrid" stuff. It's never happened before - in fact Apache attacks against my IIS boxes are rare enough to make me laugh - gotta figure "this chap is really up on his fingerprinting techniques".....

    I am really happy with patterns..... patterns make me comfortable...... Changes in patterns make me rather uneasy...... Hoss: You know..... that feeling you get when you smell the CS gas and know the effects are about 1/4 of a second behind..... I leave my external IDS to watch for everything and that's why I'm picking them up...... I do see some "odd" stuff from time to time with my logging systems but never what appears to be an automated "hybrid" attacker.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    maybe the robots are getting ready to take over the world...or someone is just testing out a new script. Time to check my logs to see if im getting the same thing...

    <EDIT>Nope...</EDIT>
    $person!=$kiddie or die(\"Alas, die you hotmail hacker!!\");
    SecureVision

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    that feeling you get when you smell the CS gas and know the effects are about 1/4 of a second behind.....
    A feeling I will not soon forget and hope to never experience again.

    <H1>VOMIT</H1>
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    There was a new tool for finding security holes in IIS servers released at astalavista, so if this has been in the last couple of days, then people might be scanning with that tool. I played around with the tool and it had a lot of those cmd.exe attacks.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Code Red, and not the Mountain Dew drink. Anyone else think there is a conspiracy there? I understand that to be a classic code red signature?

    //edited out a stupid question
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    There are tons of articles to look through, but a good one is at :

    http://www.eeye.com/html/Research/Ad...L20010717.html

    Basically a few things that could help explain why you are seeing more at certain times and irrespective of what server:

    1) There is a timing mechanism in Code Red that limits when it spreads...
    - If the date is past the 20th of the month (GMT), the thread will stop searching for systems to infect and will instead attack www.whitehouse.gov. The attack consists of the infected system sending 100k bytes of data (1 byte at a time + 40 bytes overheard for the actually TCP/IP packet) to port 80 of www.whitehouse.gov. This flood of data (410 megabytes of data every 4 and a half hours per instance of the worm) would potentially amount to a denial-of-service attack against www.whitehouse.gov.
    - If the date is between the 1st and the 19th of the month, this worm thread will not attack www.whitehouse.gov and will continue to try to find and infect new web servers.

    We have calculated that the worm can attempt to infect roughly half a million IP addresses a day. This is a rough estimate generated by testing on a very slow network.
    Of course there are now tons of variants that I am sure modify this somewhat...


    2) The worms, to the best of my knowledge, still do no checking of the server version before trying the exploits. They just blindly pick an address and go for it...http server or no...iis or no...

    3) There are plenty of skiddiots who still try this...

    4) It is possible that someone on your network had some kind of URL filtering in place (checkpoint does this and so does Cisco IOS (oddly enough PIX doesn't so far as I can tell)). I am not sure about checkpoint, but the Cisco URL checks DO NOT reassemble fragments and miss a variation that fragments the request to obscure it. Check and see if any of it changed.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •