[Dshield] Port scan and proxied web attack

James C Slora Jr Jim.Slora at phra.com
Thu Nov 14 01:53:50 GMT 2002


A small group of my boxes got a pretty good distributed scan and web attack
yesterday. About 20,000 packets over more than 20 minutes. The attacker used
a German IP address to attack directly and also proxied through an Indian IP
address on a server named "ITSRV".

This big and noisy attack had lots of interesting stuff to share. A little
bit is below. Of course the fun part is finding the stuff the attacker did
quietly while the big scan was running.

Any suggestions about how best to accomplish this are more than welcome.

217.88.238.66 from Deutsche Telekom did the initial scan - what looked like
a custom Grims Ping scan.
-- Ping sweep all hosts with data EEEEEEEEEEEEEEE(etc)
-- Portscan live hosts on TCP 139 445 80 1433 21 137
-- After the portscan, hit live hosts on TCP 80 with default page source
code translate attempts:
   OPTIONS / HTTP/1.1
   translate: f
   User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
   Host: (host IP address)
   Content-Length: 0
   Connection: Keep-Alive
-- SYN packets were like this:
217.88.238.66:3776 -> my.host:21 TCP
TTL:23 TOS:0x0 ID:61619 IpLen:20 DgmLen:64 DF
******S* Seq: 0xA0F2DA3  Ack: 0x0  Win: 0x4000  TcpLen: 44
TCP Options (9) => MSS: 1440 NOP WS: 0 NOP NOP TS: 0 0 NOP NOP
TCP Options => SackOK

During this set of hits another host, 203.129.212.114 in India, started an
exhaustive HTTP vulnerability scan - but only on the hosts that had been
identified by the first scanner. This scan continued for more than 20
minutes.
-- GET /Galaxy_3072.3418 (and many numeric variations)
-- HEAD unicode directory traversal attempts for cmd.exe?/c+dir and
cmd.exe?/c%20dir%20C:\ and win.ini and sam._
-- HEAD /a.asp/(unicode DT variations)winnt/win.ini
-- HEAD /a.asp/(unicode DT variations)winnt\repair\sam._
-- Lots of variations on this theme - Exchange, PBServer, check.bat, etc.
-- All except the Galaxy requests were HEADs not GETs
-- SYN packets were like this:
203.129.212.114:10483 -> my.host:80 TCP
TTL:112 TOS:0x0 ID:28390 IpLen:20 DgmLen:48 DF
******S* Seq: 0x8DDE5CCB  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
-- HEADs were unusual, and indicated a proxied attack:
   HEAD /(unicode DT garbage) HTTP/1.0
   Via: 1.0 ITSRV
   Host: (target IP)
   Connection: Keep-Alive

217.88.238.66 returned a few minutes into the other host's work to scan
again. The attempts were typical IIS attacks, but the GETs had specific
characters in their text that probably are a signature of the tool or script
being used.
-- Portscan previously identified live hosts
-- HTTP OPTIONS attempts
-- GET /NULL.ida?AAAA(etc. - buffer overflow attempt)
-- GET /NULL.printer HTTP/1.1 Host: AAAAAAAAAAAA(etc. - BO attempt)
-- GET /NULL.idq?HTTP/1.0 401 UnauthoAAAAAAAAAAAA(etc. - BO attempt)
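The post asks how to find the quiet activity hidden behind a scan like this. The script below is an added example written for this page, not the list author's tooling or anything from Dshield: it tags each web request with the probe patterns described above (the OPTIONS/translate: f source-disclosure attempt, unicode and double-encoded directory traversal, cmd.exe execution, the .ida/.idq/.printer overflow filler, and the "Via:" header that marks a proxied request), identifies the noisy sources by request count, and then lists every other source that touched the hosts inside the window the noisy scanners spanned. All log events are constructed for illustration; only the two scanner addresses and the "ITSRV" Via header come from the post, and the two extra visitor addresses (198.51.100.7, 203.0.113.9), the timestamps and the function names are hypothetical.

```python
"""Triage of a noisy web scan: tag well-known IIS probe patterns per request,
then list the sources active during the scan window that were NOT part of
the noise. Added example for this page, not the list author's tooling.
Sample events are constructed; only the two scanner IPs and the "ITSRV"
Via header come from the post."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_to_bytes

# Constructed sample events: (timestamp, source IP, request line, headers).
EVENTS = [
    ("2002-11-13 10:00:01", "217.88.238.66", "OPTIONS / HTTP/1.1",
     {"translate": "f", "User-Agent": "Microsoft-WebDAV-MiniRedir/5.1.2600"}),
    ("2002-11-13 10:00:02", "217.88.238.66",
     "GET /NULL.ida?" + "A" * 240 + " HTTP/1.1", {}),
    ("2002-11-13 10:00:02", "217.88.238.66", "GET /NULL.printer HTTP/1.1",
     {"Host": "A" * 300}),
    ("2002-11-13 10:00:05", "203.129.212.114",
     "HEAD /a.asp/..%c0%af..%c0%af..%c0%afwinnt/win.ini HTTP/1.0",
     {"Via": "1.0 ITSRV", "Connection": "Keep-Alive"}),
    ("2002-11-13 10:00:06", "203.129.212.114",
     "HEAD /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
     {"Via": "1.0 ITSRV"}),
    ("2002-11-13 10:00:07", "203.129.212.114", "GET /Galaxy_3072.3418 HTTP/1.0",
     {"Via": "1.0 ITSRV"}),
    ("2002-11-13 10:22:00", "203.129.212.114",
     "HEAD /a.asp/..%c1%9c..%c1%9cwinnt/repair/sam._ HTTP/1.0",
     {"Via": "1.0 ITSRV"}),
    # Hypothetical quiet visitor inside the scan window, and one after it.
    ("2002-11-13 10:09:30", "198.51.100.7", "GET /admin/login.asp HTTP/1.1", {}),
    ("2002-11-13 10:30:00", "203.0.113.9", "GET /index.html HTTP/1.1", {}),
]

# Overlong UTF-8 forms of '/' and '\' that the IIS unicode bug accepted.
OVERLONG = ((b"\xc0\xaf", b"/"), (b"\xc1\x9c", b"\\"))
# 100 or more repeats of one byte: typical buffer-overflow filler.
LONG_RUN = re.compile(r"(.)\1{99,}")


def decode_iis_path(path):
    """Undo the encodings the traversal probes relied on: two rounds of
    percent-decoding (so %255c -> %5c -> '\\') and the overlong UTF-8
    sequences, then normalise '\\' to '/' for segment checks."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    for overlong, plain in OVERLONG:
        raw = raw.replace(overlong, plain)
    return raw.decode("latin-1").replace("\\", "/")


def classify(request_line, headers):
    """Return the set of scan signatures a single request matches."""
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    decoded = decode_iis_path(path)
    lower = {k.lower(): v for k, v in headers.items()}
    tags = set()
    if "via" in lower:                       # request came through a proxy
        tags.add("proxied")
    if method == "OPTIONS" and lower.get("translate", "").lower() == "f":
        tags.add("translate-f")              # source-disclosure attempt
    if ".." in decoded.split("/"):
        tags.add("unicode-traversal")
    if "cmd.exe" in decoded.lower():
        tags.add("cmd-exec")
    if decoded.lower().endswith((".ida", ".idq", ".printer")) and (
            LONG_RUN.search(query) or LONG_RUN.search(lower.get("host", ""))):
        tags.add("iis-overflow")
    return tags


def quiet_sources(events, noisy_threshold=3):
    """Sources below the request-count threshold that were active inside the
    window spanned by the noisy scanners: the traffic worth a closer look."""
    fmt = "%Y-%m-%d %H:%M:%S"
    per_src = Counter(src for _, src, _, _ in events)
    noisy = {src for src, n in per_src.items() if n >= noisy_threshold}
    stamps = [datetime.strptime(ts, fmt) for ts, src, _, _ in events if src in noisy]
    if not stamps:
        return []
    start, end = min(stamps), max(stamps)
    return [(src, req) for ts, src, req, _ in events
            if src not in noisy and start <= datetime.strptime(ts, fmt) <= end]


if __name__ == "__main__":
    for ts, src, req, hdrs in EVENTS:
        print(ts, src, sorted(classify(req, hdrs)), req[:48])
    print("quiet sources during the scan:", quiet_sources(EVENTS))
```

The threshold and the window are deliberately crude: in real logs the noisy set would come from a packet count per source over a sliding interval, and the "quiet" list should also include non-HTTP traffic (the portscan ports above) to the same hosts, since the interesting activity need not be on TCP 80 at all.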