[Intrusions] Has anyone seen this?

Paul Schmehl pauls at utdallas.edu
Wed Aug 24 17:21:07 GMT 2005


We had a really strange attack the other day, and I'm wondering if anyone 
else might have seen something similar.  The attack originated in a class C 
(in China), moving randomly through the address space (x.x.x.231, 
x.x.x.222, x.x.x.198, x.x.x.243, etc.) and scanned through a number of 
class C's on our network.  The dst port was always 80.

The attack signature was one of either "root.exe" (Nimda) or 
"winnt/system32/cmd.exe".  I've never seen an IIS attack that used the 
latter, and it seems rather strange, because unless the webserver is 
grossly misconfigured you couldn't get to the system32 dir through port 80 
anyway.

From the rapidity of the attack, it seemed more like a discovery attack 
rather than a break-in attack, because the script (or whatever it was) 
would change src IP very quickly.

I'm just curious if anyone has seen anything similar.

(The entire attack was detected and blocked by Tippingpoint, so it's only 
interesting from an educational standpoint.)

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
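A small log-triage script, added here as an illustration and not code from the post or from any product it mentions: it parses constructed Common Log Format lines, flags the two request signatures the post names (root.exe and winnt/system32/cmd.exe), and groups hits by source /24 so a sweep that rotates source addresses inside one class C shows up as a single cluster rather than four unrelated hosts. The addresses, timestamps and log lines are constructed samples, not captured data.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format) modelled on the
# scan described in the post: root.exe / cmd.exe probes arriving from
# rotating source addresses inside one /24, plus one benign request.
SAMPLE_LOG = """\
203.0.113.231 - - [24/Aug/2005:10:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
203.0.113.222 - - [24/Aug/2005:10:01:03 +0000] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
203.0.113.198 - - [24/Aug/2005:10:01:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
203.0.113.243 - - [24/Aug/2005:10:01:04 +0000] "GET /root.exe?/c+dir HTTP/1.0" 404 0
198.51.100.7 - - [24/Aug/2005:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1234
"""

# Minimal CLF parser: source IP, timestamp, method, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Request substrings the post reports as the scan's signatures (matched case-insensitively).
SIGNATURES = ("root.exe", "winnt/system32/cmd.exe")


def classify(uri):
    """Return the signature a request URI matches, or None if it looks benign."""
    lowered = uri.lower()
    for sig in SIGNATURES:
        if sig in lowered:
            return sig
    return None


def scan_report(log_text):
    """Group matching requests by source /24 so a rotating-source sweep is one cluster.

    Returns {"<a.b.c>.0/24": {"hosts": [sorted source IPs], "sigs": {signature: count}}}.
    """
    by_net = defaultdict(lambda: {"hosts": set(), "sigs": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        sig = classify(m.group("uri"))
        if sig is None:
            continue
        ip = m.group("ip")
        net = ".".join(ip.split(".")[:3]) + ".0/24"  # collapse to the class C
        by_net[net]["hosts"].add(ip)
        by_net[net]["sigs"][sig] += 1
    return {net: {"hosts": sorted(v["hosts"]), "sigs": dict(v["sigs"])} for net, v in by_net.items()}
```

Run against real access logs, the per-/24 host list is what distinguishes a distributed discovery sweep from a single misbehaving client, which is the distinction the post draws.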
