
Thread: Something new out there?

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Something new out there?

    Is anyone else noticing the following:

    1. Increased level of general IIS cmd.exe variants/ISAPI .ida attacks, (on every other day or so these are really high)

    2. Some less common alerts surfacing, (bad HTTP/1.1 requests), from the same machine running some of those in 1.

    3. And here's the kicker!!! WEB CGI ScriptAlias Access, which is an attack against a Unix server, (reference ), and I don't run any Unix boxes, but the attacking machine is running exploits against both Win32 and *nix.

    They are automated attacks since they are coming in fast and looking like the usual Nimda/CodeRed sets of alerts until you notice the unusual ones. They don't seem to be from a fixed code worm of any kind since the exploits and their sequence vary so I'm thinking there might be some kind of kiddie tool published recently that allows you to check a bunch of boxes to run the selected exploits and it then shows you if you made a "hit". That would explain the *nix attacks in my IIS boxes 'cos I never saw that before in automated attacks.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Yes, in fact I have a large alarm count for .ida indexing service overflow attacks. However, this is the only item consistent with what you are seeing.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Probably cause of idiots like in my organization....

    [RANT] HOW IN THE HELL CAN YOU BE SO INEPT AS TO STICK A WINDOWS 2000 BOX AT AN INTERNET-ADDRESSABLE ADDRESS WITH NO PATCHES AND NO AV? [/RANT]

    My IDS still sees tons of default.ida buffer overflow attempts a day....*sigh* At least there is one less infected host out there now...

    /nebulus


    EDIT: It is just variants of codered/nimda...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    I agree. I see .ida overflows and cmd.exe access attempts all the time, but I'm running Apache on Gentoo. What gives? I think a lot of kiddies out there just can't use nmap or use its output in a script.
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    It's only today I have seen the "hybrid" stuff. It's never happened before - in fact Apache attacks against my IIS boxes are rare enough to make me laugh - gotta figure "this chap is really up on his fingerprinting techniques".....

    I am really happy with patterns..... patterns make me comfortable...... Changes in patterns make me rather uneasy...... Hoss: You know..... that feeling you get when you smell the CS gas and know the effects are about 1/4 of a second behind..... I leave my external IDS to watch for everything and that's why I'm picking them up...... I do see some "odd" stuff from time to time with my logging systems but never what appears to be an automated "hybrid" attacker.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Posts
    109
    Maybe the robots are getting ready to take over the world... or someone is just testing out a new script. Time to check my logs to see if I'm getting the same thing...

    <EDIT>Nope...</EDIT>
    $person!=$kiddie or die("Alas, die you hotmail hacker!!");
    SecureVision

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    that feeling you get when you smell the CS gas and know the effects are about 1/4 of a second behind.....
    A feeling I will not soon forget and hope to never experience again.

    VOMIT
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    There was a new tool for finding security holes in IIS servers released at astalavista, so if this has been in the last couple of days, then people might be scanning with that tool. I played around with the tool and it had a lot of those cmd.exe attacks.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Code Red, and not the Mountain Dew drink. Anyone else think there is a conspiracy there? I understand that to be a classic code red signature?

    //edited out a stupid question
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    There are tons of articles to look through, but a good one is at :

    http://www.eeye.com/html/Research/Ad...L20010717.html

    Basically a few things that could help explain why you are seeing more at certain times and irrespective of what server:

    1) There is a timing mechanism in Code Red that limits when it spreads...
    - If the date is past the 20th of the month (GMT), the thread will stop searching for systems to infect and will instead attack www.whitehouse.gov. The attack consists of the infected system sending 100k bytes of data (1 byte at a time + 40 bytes overhead for the actual TCP/IP packet) to port 80 of www.whitehouse.gov. This flood of data (410 megabytes of data every 4 and a half hours per instance of the worm) would potentially amount to a denial-of-service attack against www.whitehouse.gov.
    - If the date is between the 1st and the 19th of the month, this worm thread will not attack www.whitehouse.gov and will continue to try to find and infect new web servers.

    We have calculated that the worm can attempt to infect roughly half a million IP addresses a day. This is a rough estimate generated by testing on a very slow network.
    Of course there are now tons of variants that I am sure modify this somewhat...


    2) The worms, to the best of my knowledge, still do no checking of the server version before trying the exploits. They just blindly pick an address and go for it...http server or no...iis or no...

    3) There are plenty of skiddiots who still try this...

    4) It is possible that someone on your network had some kind of URL filtering in place (checkpoint does this and so does Cisco IOS (oddly enough PIX doesn't so far as I can tell)). I am not sure about checkpoint, but the Cisco URL checks DO NOT reassemble fragments and miss a variation that fragments the request to obscure it. Check and see if any of it changed.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
