Large Attack

Douglas P. Brown dugbrown at email.unc.edu
Sat Mar 2 13:31:20 GMT 2002


Thank you all for your responses.  To answer some of the questions - We
were seeing these scans/attacks across the entire breadth of one of our
class B subnets.  Below you will find some of the source subnets for
these attacks:

63.120.163.0/24     "Tech Engine" - New York, USA
165.194.0.0/16      "Chungyang University" - Seoul, Korea
202.56.228.0/24     "Bharti British Telecom" - New Delhi, India
203.199.121.0/24    "ISP Link in Mumbai" - India
210.68.146.0/24     "Digital United Inc" - Taipei, Taiwan
210.69.0.0/16       "Chunghwa Telecom" - Taipei, Taiwan
210.178.195.0/24    "Yangpyong Technical High School" - Korea

Our policies prohibit me from disclosing the measures we took to stop
these attacks.  I hope to provide packet captures later under separate
cover.  We would be very interested in seeing SANS or SecurityFocus
provide a site to list "dirty subnets" - those subnets from which we see
repeated attacks and receive no response to our complaints.

Cheers,
-Doug
-- 
Douglas P. Brown
University of North Carolina
Manager of Security Resources
105 Abernethy Hall


zaire wrote:
> 
> Doug,
> 
> Rumor has it that a lot of the defacement groups ( Silverlords ...etc)
> will run cron jobs of cgi probers on a targeted network for a few weeks
> prior to an actual penetration of a server in hopes that the ids
> administrators will just start to ignore certain alerts or suffer from
> information overload.
> 
> What do some of the responses from your webservers look like?
> 
> Have you seen any penetration on these servers or just a lot of noise?
> 
> Can you give us some of the packet captures to look at to compare with
> some of the less used cgi scanners?
> 
> How many source addresses come from APNIC?
> 
> -zaire
> 
> On Fri, 1 Mar 2002, Douglas P. Brown wrote:
> 
> >
> > FYI - Starting last night and continuing this morning we've seen at
> > least 14 hosts from at least 7 different foreign subnets banging pretty
> > heavy on our subnets.  Below is a smart from the IDS logs for one of the
> > bad hosts.  The result has been that several NT and 2000 domains have
> > had accounts locked out.
> >
> > 148 different signatures are present for x.x.x.x as a source
> >
> >      1 instances of WEB-IIS JET VBA access
> >      1 instances of WEB-IIS getdrvrs access
> >      1 instances of WEB-COLDFUSION administrator access
> >      1 instances of WEB-IIS admin.dll access
> >      1 instances of WEB-MISC .wwwacl access
> >      1 instances of WEB-IIS uploadn.asp access
> >      1 instances of WEB-CGI args.bat access
> >      1 instances of WEB-MISC Domino catalog.ns access
> >      1 instances of WEB-COLDFUSION exampleapp access
> >      1 instances of WEB-IIS bdir.ht access
> >      1 instances of WEB-MISC cpshost.dll access
> >      1 instances of WEB-IIS getdrvs.exe access
> >      1 instances of WEB-IIS anot.htr access
> >      1 instances of WEB-IIS search97.vts
> >      1 instances of WEB-FRONTPAGE shtml.exe
> >      1 instances of WEB-COLDFUSION cfmlsyntaxcheck.cfm access
> >      1 instances of WEB-FRONTPAGE form_results access
> >      1 instances of WEB-FRONTPAGE authors.pwd access
> >      1 instances of WEB-COLDFUSION beaninfo access
> >      1 instances of WEB-MISC convert.bas access
> >      1 instances of WEB-MISC AuthChangeUr accessl
> >      1 instances of WEB-IIS codebrowser SDK access
> >      1 instances of WEB-CGI wwwboard passwd access
> >      1 instances of WEB-MISC ws_ftp.ini access
> >      1 instances of WEB-MISC cart 32 AdminPwd access
> >      1 instances of WEB-COLDFUSION fileexists.cfm access
> >      1 instances of WEB-IIS adctest.asp access
> >      1 instances of WEB-COLDFUSION evaluate.cfm access
> >      1 instances of WEB-IIS CGImail.exe access
> >      1 instances of WEB-COLDFUSION snippets attempt attempt
> >      1 instances of WEB-COLDFUSION addcontent.cfm access
> >      1 instances of WEB-COLDFUSION cfcache.map access
> >      2 instances of WEB-MISC counter.exe access
> >      2 instances of WEB-COLDFUSION exampleapp application.cfm
> >      2 instances of WEB-IIS .asp access
> >      2 instances of WEB-FRONTPAGE users.pwd access
> >      2 instances of WEB-FRONTPAGE registrations.txt access
> >      2 instances of WEB-FRONTPAGE dvwssr.dll access
> >      2 instances of WEB-FRONTPAGE fpadmcgi.exe access
> >      2 instances of WEB-COLDFUSION cfappman access
> >      2 instances of WEB-IIS achg.htr access
> >      2 instances of WEB-FRONTPAGE _vti_rpc access
> >      2 instances of WEB-FRONTPAGE fpcount.exe access
> >      2 instances of WEB-IIS codebrowser Exair access
> >      2 instances of WEB-MISC shopping cart access access
> >      2 instances of WEB-MISC ICQ webserver DOS
> >      2 instances of WEB-IIS query.asp access
> >      2 instances of SMTP expn root
> >      2 instances of WEB-COLDFUSION application.cfm access
> >      2 instances of WEB-IIS _vti_inf access
> >      2 instances of WEB-IIS admin-default access
> >      3 instances of WEB-IIS *.idc attempt
> >      3 instances of WEB-CGI MachineInfo access
> >      3 instances of RPC portmap listing
> >      3 instances of WEB-IIS global-asa access
> >      3 instances of WEB-COLDFUSION expeval access
> >      3 instances of WEB-IIS asp-dot attempt
> >      3 instances of WEB-IIS codebrowser access
> >      3 instances of WEB-MISC Ecommerce checks.txt access
> >      3 instances of WEB-CGI webgais access
> >      3 instances of SCAN Synscan Portscan ID 19104
> >      3 instances of WEB-IIS newdsn.exe access
> >      3 instances of WEB-CGI websendmail access
> >      3 instances of WEB-IIS jet vba access
> >      4 instances of WEB-CGI post-query access
> >      4 instances of WEB-CGI dumpenv.pl access
> >      4 instances of WEB-CGI AT-admin.cgi access
> >      4 instances of WEB-CGI whoisraw access
> >      5 instances of WEB-MISC get32.exe access
> >      5 instances of WEB-MISC .htpasswd access
> >      5 instances of WEB-CGI classifieds.cgi access
> >      5 instances of WEB-CGI sendform.cgi access
> >      5 instances of WEB-CGI w3-msql access
> >      5 instances of WEB-CGI files.pl access
> >      5 instances of WEB-CGI AnyForm2 access
> >      5 instances of WEB-CGI rksh access
> >      5 instances of WEB-IIS admin access
> >      6 instances of WEB-CGI bash access
> >      6 instances of WEB-CGI glimpse access
> >      6 instances of WEB-CGI maillist.pl access
> >      6 instances of WEB-CGI w2tvars.pm access
> >      6 instances of WEB-CGI wguest.exe access
> >      6 instances of WEB-MISC shopping cart directory traversal
> >      6 instances of WEB-CGI wais.p access
> >      6 instances of WEB-MISC /cgi-bin/jj attempt
> >      6 instances of WEB-CGI filemail access
> >      6 instances of WEB-CGI edit.pl access
> >      6 instances of WEB-CGI man.sh access
> >      7 instances of WEB-CGI pfdisplay.cgi access
> >      7 instances of WEB-MISC Ecommerce import.txt access
> >      7 instances of WEB-CGI www-sql access
> >      7 instances of WEB-IIS 5 .printer isapi
> >      7 instances of WEB-CGI archie access
> >      7 instances of WEB-MISC ~root
> >      7 instances of WEB-CGI day5datacopier.cgi access
> >      7 instances of WEB-MISC wwwboard.pl access
> >      7 instances of WEB-CGI environ.cgi access
> >      7 instances of WEB-CGI day5datanotifier.cgi access
> >      8 instances of WEB-CGI survey.cgi access
> >      8 instances of WEB-CGI redirect access
> >      8 instances of WEB-CGI calendar access
> >      8 instances of WEB-CGI perlshop.cgi access
> >      8 instances of WEB-CGI rsh access
> >      8 instances of WEB-MISC handler access
> >      8 instances of WEB-CGI rwwwshell.pl access
> >      8 instances of WEB-MISC guestbook.cgi access
> >      8 instances of WEB-CGI testcounter.pl access
> >      9 instances of WEB-MISC Domino log.nsf access
> >      9 instances of WEB-CGI info2www access
> >      9 instances of WEB-CGI upload.pl access
> >      9 instances of WEB-MISC order.log access
> >      9 instances of WEB-CGI ksh access
> >      9 instances of WEB-IIS iisadmpwd attempt
> >      10 instances of WEB-MISC mall log order access
> >      10 instances of WEB-MISC Domino names.nsf access
> >      10 instances of WEB-CGI bnbform.cgi access
> >      11 instances of WEB-CGI campas access
> >      11 instances of WEB-MISC /etc/passwd
> >      11 instances of WEB-MISC netscape admin passwd
> >      11 instances of WEB-CGI bb-hist.sh access
> >      12 instances of WEB-CGI htmlscript access
> >      12 instances of WEB-CGI faxsurvey access
> >      13 instances of WEB-MISC piranha passwd.php3 access
> >      13 instances of WEB-CGI NPH-publish access
> >      13 instances of WEB-CGI csh access
> >      13 instances of WEB-MISC nph-test-cgi access
> >      13 instances of WEB-CGI wwwadmin.pl access
> >      14 instances of WEB-MISC .htaccess access
> >      14 instances of WEB-MISC webdist.cgi access
> >      14 instances of WEB-MISC architext_query.pl access
> >      14 instances of WEB-CGI flexform access
> >      16 instances of WEB-CGI LWGate access
> >      16 instances of WEB-MISC bigconf.cgi access
> >      17 instances of WEB-MISC Attempt to execute cmd
> >      17 instances of WEB-CGI tsch access
> >      19 instances of WEB-MISC Domino domlog.nsf access
> >      19 instances of WEB-MISC wrap access
> >      19 instances of WEB-MISC Domino domcfg.nsf access
> >      20 instances of WEB-CGI finger access
> >      21 instances of WEB-CGI aglimpse access
> >      27 instances of WEB-CGI formmail access
> >      28 instances of WEB-FRONTPAGE fourdots request
> >      29 instances of WEB-CGI test-cgi access
> >      35 instances of WEB-CGI phf access
> >      54 instances of CUSTOM Port 515 traffic
> >      77 instances of FTP passwd attempt
> >      159 instances of WEB-MISC http directory traversal
> >      2369 instances of SCAN Proxy attempt
> >
> > There are 937 distinct destination IPs - we've taken steps on our end to
> > block this traffic.  I wanted to give everyone a heads up in case your
> > you're next, and to see if anyone else is seeing similar traffic.
> >
> > Cheers,
> > -Doug
> > --
> > Douglas P. Brown
> > University of North Carolina
> > Manager of Security Resources
> > 105 Abernethy Hall
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >
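As an added example (not code from the thread), a small Python helper that parses the "N instances of SIGNATURE" summary format quoted above, aggregates counts by signature family so the flood of proxy-scan noise does not bury the handful of targeted CGI/IIS probes zaire is asking about, and checks whether a source address falls in one of the subnets Doug listed. The sample lines are copied from the quoted summary; the test addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a few lines copied from the IDS summary quoted in the thread.
SUMMARY = """\
     35 instances of WEB-CGI phf access
     54 instances of CUSTOM Port 515 traffic
     77 instances of FTP passwd attempt
     159 instances of WEB-MISC http directory traversal
     2369 instances of SCAN Proxy attempt
"""

# Three of the source subnets Doug listed in his reply.
DIRTY_SUBNETS = ["63.120.163.0/24", "165.194.0.0/16", "210.69.0.0/16"]

# "<count> instances of <FAMILY> <signature name>"
LINE_RE = re.compile(r"^\s*(\d+) instances of (\S+) (.+?)\s*$")


def parse_summary(text):
    """Return (count, family, name) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def count_by_family(rows):
    """Aggregate alert counts by signature family (WEB-CGI, SCAN, FTP, ...)."""
    totals = Counter()
    for count, family, _ in rows:
        totals[family] += count
    return dict(totals)


def top_signatures(rows, n=3):
    """The n noisiest signatures, highest count first."""
    return sorted(rows, key=lambda r: r[0], reverse=True)[:n]


def is_dirty_source(ip, subnets=DIRTY_SUBNETS):
    """True if the source address lies in one of the listed subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s) for s in subnets)
```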