[Dshield] RE: (new?) IIS 'galaxy' vulnerability scanner ?

James C. Slora, Jr. Jim.Slora at phra.com
Fri Jun 14 15:33:11 GMT 2002


Johannes Ullrich wrote:

>I had today three people notify me about a new, rather noisy, signature
>they found in their apache logs. Can everyone take a look at their logs
>and see if they find it? I don't think this qualifies as a 'worm' so far.
>It looks a bit too complex and overly redundant. But maybe it is some
>vulnerability scanner.

Did not see "galaxy" in my logs, but these scans may be related to scans
that began on May 2 and are still continuing. It does appear to be an IIS
vulnerability scanner, as do my scans. The scanner seems to be
customizable - maybe there is a scanner toolkit.

>Note the first Line: 'galaxy_10400.10746'. It looks like a marker someone
>added to the tool.

>a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "GET /galaxy_10400.10746 HTTP/1.0" 404 289 "-" "-" "-"
>a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"
<snipped>

Can anyone share a full capture of one or more of these packets? I've seen
some extensive IIS scans that share interesting characteristics -
particularly padded junk characters at the end of the GET statement (these
only show on full packet captures - not in web logs).

In all of these new scans, padding takes all of the PSH packets (containing
HTTP GET statements) to a length that is fixed across an entire scan. I have
seen a few scans with a DgmLen of 199 for PSHs and lots of scans with DgmLen
99. The 199 DgmLen scans were extensive (many varieties of IIS exploit
attempts), and each scan was different.

The DgmLen 99 scans seem to be the default attack of a tool, and consist of
a single GET statement. I've gotten dozens of these attacks, many from
wanadoo, t-online, and sympatico.ca. It looks like a worm except that the
sources mainly match script kiddie traffic. The one trustworthy network
where I was able to get a partial explanation did not find the source of the
scan but thought that the host was infected with Code Red. Their upstream
identified the scan as Nimda (but I'm sure they didn't look at it too hard).
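Added example (not from this thread or any DShield tool): a small Python detector that parses Apache combined-format lines like the ones quoted above and flags the "galaxy" marker, the %c0 overlong-UTF-8 sequences and a traversal that reaches cmd.exe. The lenient decoder is a simplified model of the overlong-encoding bug (an assumption, not a spec), and the sample lines are constructed from the quoted requests plus one benign request.

```python
import re
from urllib.parse import unquote_to_bytes

# Apache combined log line: host ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\d+|-)'
)
OVERLONG_RE = re.compile(r'%c[01]%[0-9a-f]{2}', re.I)

def lenient_decode(path: str) -> str:
    """Percent-decode, then model (assumption) a decoder that accepts overlong UTF-8:
    a 0xC0/0xC1 lead byte plus any following byte folds to that byte's low 6 bits,
    so both %c0%af and %c0%2f become '/'."""
    raw = unquote_to_bytes(path)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else '?')
            i += 1
    return ''.join(out)

def classify(line: str):
    """Return parsed fields plus a list of scanner indicators, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    tags = []
    if 'galaxy_' in path:                      # marker request seen at the start of the scan
        tags.append('galaxy-marker')
    if OVERLONG_RE.search(path):               # raw %c0/%c1 encoding, before decoding
        tags.append('overlong-utf8')
    decoded = lenient_decode(path).lower()
    if '/../' in decoded and 'cmd.exe' in decoded:
        tags.append('traversal-to-cmd.exe')
    return {'host': m.group('host'), 'method': m.group('method'),
            'path': path, 'status': int(m.group('status')), 'tags': tags}

def scan_log(lines):
    """Keep only lines carrying at least one indicator, for alerting or per-host counts."""
    return [r for r in map(classify, lines) if r and r['tags']]

# Constructed sample: the two requests quoted in the thread plus one benign request.
SAMPLE = [
    'a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "GET /galaxy_10400.10746 HTTP/1.0" 404 289 "-" "-" "-"',
    'a.b.c.d - - [06/Jun/2002:15:10:59 +0200] "HEAD /_mem_bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-" "-"',
    '10.0.0.5 - - [06/Jun/2002:15:11:03 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE):
        print(hit['host'], hit['method'], hit['tags'], hit['path'])
```

Pipe a real access log through `scan_log` and group hits by host to see whether the marker request and the traversal attempts arrive from the same source within the same second, as in the quoted capture.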
