Large Attack

Don Wolf SecuredSite at hotmail.com
Mon Mar 4 12:01:34 GMT 2002


In regards to your interest in seeing "a site to list 'dirty subnets' -
those subnets from which we see
repeated attacks", there is a great site in which to go.  DShield has been
doing just that for some time.  Just thought I'd point it out for those who
didn't know.  This link according to DShield "shows the top 10 offenders
according to the DShield database".

http://www.dshield.org/top10.html


___________________________________
 Don J. Wolf - Security Consultant
 SANS/GIAC, MCP, CCNA, ICSA
 SecuredSite Intrusion Specialists
 www.SecuredSite.org


----- Original Message -----
From: "Douglas P. Brown" <dugbrown at email.unc.edu>
To: <incidents at securityfocus.org>; <unisog at sans.org>
Cc: "ITS Security" <security at unc.edu>
Sent: Saturday, March 02, 2002 8:31 AM
Subject: Re: Re: Large Attack


>
> Thank you all for your responses.  To answer some of the questions - We
> were seeing these scans/attacks across the entire breadth of one of our
> class B subnets.  Below you will find some of the source subnets for
> these attacks:
>
> 63.120.163.0/24     "Tech Engine" - New York, USA
> 165.194.0.0/16      "Chungyang University" - Seoul, Korea
> 202.56.228.0/24     "Bharti British Telecom" - New Delhi, India
> 203.199.121.0/24    "ISP Link in Mumbai" - India
> 210.68.146.0/24     "Digital United Inc" - Taipei, Taiwan
> 210.69.0.0/16       "Chunghwa Telecom" - Taipei, Taiwan
> 210.178.195.0/24    "Yangpyong Technical High School" - Korea
>
> Our policies prohibit me from disclosing the measures we took to stop
> these attacks.  I hope to provide packet captures later under separate
> cover.  We would be very interested in seeing Sans or SecurityFocus
> provide a site to list "dirty subnets" - those subnets from which we see
> repeated attacks and receive no response to our complaints.
>
> Cheers,
> -Doug
> --
> Douglas P. Brown
> University of North Carolina
> Manager of Security Resources
> 105 Abernethy Hall
>
>
> zaire wrote:
> >
> > Doug,
> >
> > Rumor has it that a lot of the defacement groups ( Silverlords ...etc)
> > will run cron jobs of cgi probers on a targeted network for a few weeks
> > prior to an actual penetration of a server in hopes that the ids
> > administrators will just start to ignore certain alerts or suffer from
> > information overload.
> >
> > What are some of the responses from your webservers look like?
> >
> > Have you seen any penetration on these servers or just a lot of noise?
> >
> > Can you give us some of the packet captures to look at to compare with
> > some of the less used cgi scanners?
> >
> > How many source addresses come from apnic?
> >
> > -zaire
> >
> > On Fri, 1 Mar 2002, Douglas P. Brown wrote:
> >
> > >
> > > FYI - Starting last night and continuing this morning we've seen at
> > > least 14 hosts from at least 7 different foreign subnets banging pretty
> > > heavy on our subnets.  Below is a smart from the IDS logs for one of the
> > > bad hosts.  The result has been that several NT and 2000 domains have
> > > had accounts locked out.
> > >
> > > 148 different signatures are present for x.x.x.x as a source
> > >
> > >      1 instances of WEB-IIS JET VBA access
> > >      1 instances of WEB-IIS getdrvrs access
> > >      1 instances of WEB-COLDFUSION administrator access
> > >      1 instances of WEB-IIS admin.dll access
> > >      1 instances of WEB-MISC .wwwacl access
> > >      1 instances of WEB-IIS uploadn.asp access
> > >      1 instances of WEB-CGI args.bat access
> > >      1 instances of WEB-MISC Domino catalog.ns access
> > >      1 instances of WEB-COLDFUSION exampleapp access
> > >      1 instances of WEB-IIS bdir.ht access
> > >      1 instances of WEB-MISC cpshost.dll access
> > >      1 instances of WEB-IIS getdrvs.exe access
> > >      1 instances of WEB-IIS anot.htr access
> > >      1 instances of WEB-IIS search97.vts
> > >      1 instances of WEB-FRONTPAGE shtml.exe
> > >      1 instances of WEB-COLDFUSION cfmlsyntaxcheck.cfm access
> > >      1 instances of WEB-FRONTPAGE form_results access
> > >      1 instances of WEB-FRONTPAGE authors.pwd access
> > >      1 instances of WEB-COLDFUSION beaninfo access
> > >      1 instances of WEB-MISC convert.bas access
> > >      1 instances of WEB-MISC AuthChangeUrl access
> > >      1 instances of WEB-IIS codebrowser SDK access
> > >      1 instances of WEB-CGI wwwboard passwd access
> > >      1 instances of WEB-MISC ws_ftp.ini access
> > >      1 instances of WEB-MISC cart 32 AdminPwd access
> > >      1 instances of WEB-COLDFUSION fileexists.cfm access
> > >      1 instances of WEB-IIS adctest.asp access
> > >      1 instances of WEB-COLDFUSION evaluate.cfm access
> > >      1 instances of WEB-IIS CGImail.exe access
> > >      1 instances of WEB-COLDFUSION snippets attempt attempt
> > >      1 instances of WEB-COLDFUSION addcontent.cfm access
> > >      1 instances of WEB-COLDFUSION cfcache.map access
> > >      2 instances of WEB-MISC counter.exe access
> > >      2 instances of WEB-COLDFUSION exampleapp application.cfm
> > >      2 instances of WEB-IIS .asp access
> > >      2 instances of WEB-FRONTPAGE users.pwd access
> > >      2 instances of WEB-FRONTPAGE registrations.txt access
> > >      2 instances of WEB-FRONTPAGE dvwssr.dll access
> > >      2 instances of WEB-FRONTPAGE fpadmcgi.exe access
> > >      2 instances of WEB-COLDFUSION cfappman access
> > >      2 instances of WEB-IIS achg.htr access
> > >      2 instances of WEB-FRONTPAGE _vti_rpc access
> > >      2 instances of WEB-FRONTPAGE fpcount.exe access
> > >      2 instances of WEB-IIS codebrowser Exair access
> > >      2 instances of WEB-MISC shopping cart access access
> > >      2 instances of WEB-MISC ICQ webserver DOS
> > >      2 instances of WEB-IIS query.asp access
> > >      2 instances of SMTP expn root
> > >      2 instances of WEB-COLDFUSION application.cfm access
> > >      2 instances of WEB-IIS _vti_inf access
> > >      2 instances of WEB-IIS admin-default access
> > >      3 instances of WEB-IIS *.idc attempt
> > >      3 instances of WEB-CGI MachineInfo access
> > >      3 instances of RPC portmap listing
> > >      3 instances of WEB-IIS global-asa access
> > >      3 instances of WEB-COLDFUSION expeval access
> > >      3 instances of WEB-IIS asp-dot attempt
> > >      3 instances of WEB-IIS codebrowser access
> > >      3 instances of WEB-MISC Ecommerce checks.txt access
> > >      3 instances of WEB-CGI webgais access
> > >      3 instances of SCAN Synscan Portscan ID 19104
> > >      3 instances of WEB-IIS newdsn.exe access
> > >      3 instances of WEB-CGI websendmail access
> > >      3 instances of WEB-IIS jet vba access
> > >      4 instances of WEB-CGI post-query access
> > >      4 instances of WEB-CGI dumpenv.pl access
> > >      4 instances of WEB-CGI AT-admin.cgi access
> > >      4 instances of WEB-CGI whoisraw access
> > >      5 instances of WEB-MISC get32.exe access
> > >      5 instances of WEB-MISC .htpasswd access
> > >      5 instances of WEB-CGI classifieds.cgi access
> > >      5 instances of WEB-CGI sendform.cgi access
> > >      5 instances of WEB-CGI w3-msql access
> > >      5 instances of WEB-CGI files.pl access
> > >      5 instances of WEB-CGI AnyForm2 access
> > >      5 instances of WEB-CGI rksh access
> > >      5 instances of WEB-IIS admin access
> > >      6 instances of WEB-CGI bash access
> > >      6 instances of WEB-CGI glimpse access
> > >      6 instances of WEB-CGI maillist.pl access
> > >      6 instances of WEB-CGI w2tvars.pm access
> > >      6 instances of WEB-CGI wguest.exe access
> > >      6 instances of WEB-MISC shopping cart directory traversal
> > >      6 instances of WEB-CGI wais.p access
> > >      6 instances of WEB-MISC /cgi-bin/jj attempt
> > >      6 instances of WEB-CGI filemail access
> > >      6 instances of WEB-CGI edit.pl access
> > >      6 instances of WEB-CGI man.sh access
> > >      7 instances of WEB-CGI pfdisplay.cgi access
> > >      7 instances of WEB-MISC Ecommerce import.txt access
> > >      7 instances of WEB-CGI www-sql access
> > >      7 instances of WEB-IIS 5 .printer isapi
> > >      7 instances of WEB-CGI archie access
> > >      7 instances of WEB-MISC ~root
> > >      7 instances of WEB-CGI day5datacopier.cgi access
> > >      7 instances of WEB-MISC wwwboard.pl access
> > >      7 instances of WEB-CGI environ.cgi access
> > >      7 instances of WEB-CGI day5datanotifier.cgi access
> > >      8 instances of WEB-CGI survey.cgi access
> > >      8 instances of WEB-CGI redirect access
> > >      8 instances of WEB-CGI calendar access
> > >      8 instances of WEB-CGI perlshop.cgi access
> > >      8 instances of WEB-CGI rsh access
> > >      8 instances of WEB-MISC handler access
> > >      8 instances of WEB-CGI rwwwshell.pl access
> > >      8 instances of WEB-MISC guestbook.cgi access
> > >      8 instances of WEB-CGI testcounter.pl access
> > >      9 instances of WEB-MISC Domino log.nsf access
> > >      9 instances of WEB-CGI info2www access
> > >      9 instances of WEB-CGI upload.pl access
> > >      9 instances of WEB-MISC order.log access
> > >      9 instances of WEB-CGI ksh access
> > >      9 instances of WEB-IIS iisadmpwd attempt
> > >      10 instances of WEB-MISC mall log order access
> > >      10 instances of WEB-MISC Domino names.nsf access
> > >      10 instances of WEB-CGI bnbform.cgi access
> > >      11 instances of WEB-CGI campas access
> > >      11 instances of WEB-MISC /etc/passwd
> > >      11 instances of WEB-MISC netscape admin passwd
> > >      11 instances of WEB-CGI bb-hist.sh access
> > >      12 instances of WEB-CGI htmlscript access
> > >      12 instances of WEB-CGI faxsurvey access
> > >      13 instances of WEB-MISC piranha passwd.php3 access
> > >      13 instances of WEB-CGI NPH-publish access
> > >      13 instances of WEB-CGI csh access
> > >      13 instances of WEB-MISC nph-test-cgi access
> > >      13 instances of WEB-CGI wwwadmin.pl access
> > >      14 instances of WEB-MISC .htaccess access
> > >      14 instances of WEB-MISC webdist.cgi access
> > >      14 instances of WEB-MISC architext_query.pl access
> > >      14 instances of WEB-CGI flexform access
> > >      16 instances of WEB-CGI LWGate access
> > >      16 instances of WEB-MISC bigconf.cgi access
> > >      17 instances of WEB-MISC Attempt to execute cmd
> > >      17 instances of WEB-CGI tsch access
> > >      19 instances of WEB-MISC Domino domlog.nsf access
> > >      19 instances of WEB-MISC wrap access
> > >      19 instances of WEB-MISC Domino domcfg.nsf access
> > >      20 instances of WEB-CGI finger access
> > >      21 instances of WEB-CGI aglimpse access
> > >      27 instances of WEB-CGI formmail access
> > >      28 instances of WEB-FRONTPAGE fourdots request
> > >      29 instances of WEB-CGI test-cgi access
> > >      35 instances of WEB-CGI phf access
> > >      54 instances of CUSTOM Port 515 traffic
> > >      77 instances of FTP passwd attempt
> > >      159 instances of WEB-MISC http directory traversal
> > >      2369 instances of SCAN Proxy attempt
> > >
> > > There are 937 distinct destination IPs - we've taken steps on our end to
> > > block this traffic.  I wanted to give everyone a heads up in case you're
> > > next, and to see if anyone else is seeing similar traffic.
> > >
> > > Cheers,
> > > -Doug
> > > --
> > > Douglas P. Brown
> > > University of North Carolina
> > > Manager of Security Resources
> > > 105 Abernethy Hall
> > >
> >
> > > ----------------------------------------------------------------------------
> > > This list is provided by the SecurityFocus ARIS analyzer service.
> > > For more information on this free incident handling, management
> > > and tracking system please see: http://aris.securityfocus.com
> > >
>
>
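The per-source summary Doug pasted above ("N instances of <signature>", distinct destination count) and the "dirty subnets" roll-up that Don points to DShield for can both be produced locally from raw IDS alerts. The script below is an added example written for this archive page; it is not code from the thread, from Snort, or from DShield. The alert lines are constructed (RFC 5737 documentation addresses) and mimic the Snort "fast" alert layout; the /24 roll-up and the "at least two distinct offending hosts" threshold are assumptions chosen for the illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of Snort-style "fast" alert lines. These are NOT from the
# original post; sources and destinations are RFC 5737 documentation addresses.
SAMPLE_ALERTS = """\
03/01-02:14:07.120 [**] [1:886:4] WEB-CGI phf access [**] {TCP} 198.51.100.7:3321 -> 192.0.2.10:80
03/01-02:14:07.301 [**] [1:886:4] WEB-CGI phf access [**] {TCP} 198.51.100.7:3322 -> 192.0.2.11:80
03/01-02:14:08.002 [**] [1:1122:2] WEB-MISC /etc/passwd [**] {TCP} 198.51.100.7:3323 -> 192.0.2.11:80
03/01-02:14:09.550 [**] [1:620:1] SCAN Proxy attempt [**] {TCP} 198.51.100.7:3324 -> 192.0.2.12:8080
03/01-02:15:00.000 [**] [1:620:1] SCAN Proxy attempt [**] {TCP} 198.51.100.99:1024 -> 192.0.2.12:8080
03/01-02:16:30.770 [**] [1:1113:3] WEB-MISC http directory traversal [**] {TCP} 203.0.113.5:40001 -> 192.0.2.13:80
"""

# Accepts the older "[**] msg [**] src -> dst" layout as well as the later one
# that carries a "[gid:sid:rev]" tag and a "{PROTO}" field before the addresses.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<sig>.+?)\s+\[\*\*\].*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s*$"
)


def summarize(lines):
    """Aggregate alerts per source host: signature counts and distinct targets."""
    per_src = defaultdict(lambda: {"signatures": Counter(), "destinations": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank lines, banners and anything else that is not an alert
        entry = per_src[m.group("src")]
        entry["signatures"][m.group("sig")] += 1
        entry["destinations"].add(m.group("dst"))
    return dict(per_src)


def format_report(src, entry):
    """Render one source in the same style as the summary quoted in the thread."""
    sigs = entry["signatures"]
    out = [f"{len(sigs)} different signatures are present for {src} as a source", ""]
    # Ascending by count, then by name, matching the ordering in Doug's paste.
    for sig, n in sorted(sigs.items(), key=lambda kv: (kv[1], kv[0])):
        out.append(f"     {n} instances of {sig}")
    out.append("")
    out.append(f"There are {len(entry['destinations'])} distinct destination IPs")
    return "\n".join(out)


def dirty_subnets(per_src, prefix=24, min_sources=2):
    """Roll sources up to /prefix and keep subnets with several distinct offenders.

    The prefix length and min_sources threshold are assumptions for this example;
    tune them to the size of the network you are watching.
    """
    by_net = defaultdict(lambda: {"sources": set(), "alerts": 0})
    for src, entry in per_src.items():
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        by_net[str(net)]["sources"].add(src)
        by_net[str(net)]["alerts"] += sum(entry["signatures"].values())
    return {net: info for net, info in by_net.items() if len(info["sources"]) >= min_sources}


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS.splitlines())
    for src in sorted(summary):
        print(format_report(src, summary[src]), end="\n\n")
    for net, info in sorted(dirty_subnets(summary).items()):
        print(f"{net}: {len(info['sources'])} sources, {info['alerts']} alerts")
```

Feed it a real alert file with `summarize(open("alert").readlines())`; the per-source report is what you would attach to an abuse complaint, and the subnet roll-up is the local equivalent of the repeat-offender list Doug asked for. A source that trips many distinct signatures against many distinct destinations in a short window is a sweep rather than a targeted probe, which is the pattern zaire describes as an attempt to wear down the IDS operators; counting distinct signatures and destinations per source keeps that pattern visible even when the individual alerts start to look like background noise.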
