Large Attack

Don Wolf SecuredSite at hotmail.com
Sat Mar 2 02:47:34 GMT 2002


Please explain what steps you took to block this traffic.

___________________________________
 Don J. Wolf - Security Consultant
 SANS/GIAC, MCP, CCNA, ICSA
 SecuredSite Intrusion Specialists
 www.SecuredSite.org


----- Original Message -----
From: "Douglas P. Brown" <dugbrown at email.unc.edu>
To: <incidents at securityfocus.org>; <unisog at sans.org>
Cc: "ITS Security" <security at unc.edu>
Sent: Friday, March 01, 2002 2:44 PM
Subject: Large Attack


>
> FYI - Starting last night and continuing this morning we've seen at
> least 14 hosts from at least 7 different foreign subnets banging pretty
> heavy on our subnets.  Below is a smart from the IDS logs for one of the
> bad hosts.  The result has been that several NT and 2000 domains have
> had accounts locked out.
>
> 148 different signatures are present for x.x.x.x as a source
>
>      1 instances of WEB-IIS JET VBA access
>      1 instances of WEB-IIS getdrvrs access
>      1 instances of WEB-COLDFUSION administrator access
>      1 instances of WEB-IIS admin.dll access
>      1 instances of WEB-MISC .wwwacl access
>      1 instances of WEB-IIS uploadn.asp access
>      1 instances of WEB-CGI args.bat access
>      1 instances of WEB-MISC Domino catalog.ns access
>      1 instances of WEB-COLDFUSION exampleapp access
>      1 instances of WEB-IIS bdir.ht access
>      1 instances of WEB-MISC cpshost.dll access
>      1 instances of WEB-IIS getdrvs.exe access
>      1 instances of WEB-IIS anot.htr access
>      1 instances of WEB-IIS search97.vts
>      1 instances of WEB-FRONTPAGE shtml.exe
>      1 instances of WEB-COLDFUSION cfmlsyntaxcheck.cfm access
>      1 instances of WEB-FRONTPAGE form_results access
>      1 instances of WEB-FRONTPAGE authors.pwd access
>      1 instances of WEB-COLDFUSION beaninfo access
>      1 instances of WEB-MISC convert.bas access
>      1 instances of WEB-MISC AuthChangeUrl access
>      1 instances of WEB-IIS codebrowser SDK access
>      1 instances of WEB-CGI wwwboard passwd access
>      1 instances of WEB-MISC ws_ftp.ini access
>      1 instances of WEB-MISC cart 32 AdminPwd access
>      1 instances of WEB-COLDFUSION fileexists.cfm access
>      1 instances of WEB-IIS adctest.asp access
>      1 instances of WEB-COLDFUSION evaluate.cfm access
>      1 instances of WEB-IIS CGImail.exe access
>      1 instances of WEB-COLDFUSION snippets attempt attempt
>      1 instances of WEB-COLDFUSION addcontent.cfm access
>      1 instances of WEB-COLDFUSION cfcache.map access
>      2 instances of WEB-MISC counter.exe access
>      2 instances of WEB-COLDFUSION exampleapp application.cfm
>      2 instances of WEB-IIS .asp access
>      2 instances of WEB-FRONTPAGE users.pwd access
>      2 instances of WEB-FRONTPAGE registrations.txt access
>      2 instances of WEB-FRONTPAGE dvwssr.dll access
>      2 instances of WEB-FRONTPAGE fpadmcgi.exe access
>      2 instances of WEB-COLDFUSION cfappman access
>      2 instances of WEB-IIS achg.htr access
>      2 instances of WEB-FRONTPAGE _vti_rpc access
>      2 instances of WEB-FRONTPAGE fpcount.exe access
>      2 instances of WEB-IIS codebrowser Exair access
>      2 instances of WEB-MISC shopping cart access access
>      2 instances of WEB-MISC ICQ webserver DOS
>      2 instances of WEB-IIS query.asp access
>      2 instances of SMTP expn root
>      2 instances of WEB-COLDFUSION application.cfm access
>      2 instances of WEB-IIS _vti_inf access
>      2 instances of WEB-IIS admin-default access
>      3 instances of WEB-IIS *.idc attempt
>      3 instances of WEB-CGI MachineInfo access
>      3 instances of RPC portmap listing
>      3 instances of WEB-IIS global-asa access
>      3 instances of WEB-COLDFUSION expeval access
>      3 instances of WEB-IIS asp-dot attempt
>      3 instances of WEB-IIS codebrowser access
>      3 instances of WEB-MISC Ecommerce checks.txt access
>      3 instances of WEB-CGI webgais access
>      3 instances of SCAN Synscan Portscan ID 19104
>      3 instances of WEB-IIS newdsn.exe access
>      3 instances of WEB-CGI websendmail access
>      3 instances of WEB-IIS jet vba access
>      4 instances of WEB-CGI post-query access
>      4 instances of WEB-CGI dumpenv.pl access
>      4 instances of WEB-CGI AT-admin.cgi access
>      4 instances of WEB-CGI whoisraw access
>      5 instances of WEB-MISC get32.exe access
>      5 instances of WEB-MISC .htpasswd access
>      5 instances of WEB-CGI classifieds.cgi access
>      5 instances of WEB-CGI sendform.cgi access
>      5 instances of WEB-CGI w3-msql access
>      5 instances of WEB-CGI files.pl access
>      5 instances of WEB-CGI AnyForm2 access
>      5 instances of WEB-CGI rksh access
>      5 instances of WEB-IIS admin access
>      6 instances of WEB-CGI bash access
>      6 instances of WEB-CGI glimpse access
>      6 instances of WEB-CGI maillist.pl access
>      6 instances of WEB-CGI w2tvars.pm access
>      6 instances of WEB-CGI wguest.exe access
>      6 instances of WEB-MISC shopping cart directory traversal
>      6 instances of WEB-CGI wais.p access
>      6 instances of WEB-MISC /cgi-bin/jj attempt
>      6 instances of WEB-CGI filemail access
>      6 instances of WEB-CGI edit.pl access
>      6 instances of WEB-CGI man.sh access
>      7 instances of WEB-CGI pfdisplay.cgi access
>      7 instances of WEB-MISC Ecommerce import.txt access
>      7 instances of WEB-CGI www-sql access
>      7 instances of WEB-IIS 5 .printer isapi
>      7 instances of WEB-CGI archie access
>      7 instances of WEB-MISC ~root
>      7 instances of WEB-CGI day5datacopier.cgi access
>      7 instances of WEB-MISC wwwboard.pl access
>      7 instances of WEB-CGI environ.cgi access
>      7 instances of WEB-CGI day5datanotifier.cgi access
>      8 instances of WEB-CGI survey.cgi access
>      8 instances of WEB-CGI redirect access
>      8 instances of WEB-CGI calendar access
>      8 instances of WEB-CGI perlshop.cgi access
>      8 instances of WEB-CGI rsh access
>      8 instances of WEB-MISC handler access
>      8 instances of WEB-CGI rwwwshell.pl access
>      8 instances of WEB-MISC guestbook.cgi access
>      8 instances of WEB-CGI testcounter.pl access
>      9 instances of WEB-MISC Domino log.nsf access
>      9 instances of WEB-CGI info2www access
>      9 instances of WEB-CGI upload.pl access
>      9 instances of WEB-MISC order.log access
>      9 instances of WEB-CGI ksh access
>      9 instances of WEB-IIS iisadmpwd attempt
>      10 instances of WEB-MISC mall log order access
>      10 instances of WEB-MISC Domino names.nsf access
>      10 instances of WEB-CGI bnbform.cgi access
>      11 instances of WEB-CGI campas access
>      11 instances of WEB-MISC /etc/passwd
>      11 instances of WEB-MISC netscape admin passwd
>      11 instances of WEB-CGI bb-hist.sh access
>      12 instances of WEB-CGI htmlscript access
>      12 instances of WEB-CGI faxsurvey access
>      13 instances of WEB-MISC piranha passwd.php3 access
>      13 instances of WEB-CGI NPH-publish access
>      13 instances of WEB-CGI csh access
>      13 instances of WEB-MISC nph-test-cgi access
>      13 instances of WEB-CGI wwwadmin.pl access
>      14 instances of WEB-MISC .htaccess access
>      14 instances of WEB-MISC webdist.cgi access
>      14 instances of WEB-MISC architext_query.pl access
>      14 instances of WEB-CGI flexform access
>      16 instances of WEB-CGI LWGate access
>      16 instances of WEB-MISC bigconf.cgi access
>      17 instances of WEB-MISC Attempt to execute cmd
>      17 instances of WEB-CGI tsch access
>      19 instances of WEB-MISC Domino domlog.nsf access
>      19 instances of WEB-MISC wrap access
>      19 instances of WEB-MISC Domino domcfg.nsf access
>      20 instances of WEB-CGI finger access
>      21 instances of WEB-CGI aglimpse access
>      27 instances of WEB-CGI formmail access
>      28 instances of WEB-FRONTPAGE fourdots request
>      29 instances of WEB-CGI test-cgi access
>      35 instances of WEB-CGI phf access
>      54 instances of CUSTOM Port 515 traffic
>      77 instances of FTP passwd attempt
>      159 instances of WEB-MISC http directory traversal
>      2369 instances of SCAN Proxy attempt
>
> There are 937 distinct destination IPs - we've taken steps on our end to
> block this traffic.  I wanted to give everyone a heads up in case you're
> next, and to see if anyone else is seeing similar traffic.
>
> Cheers,
> -Doug
> --
> Douglas P. Brown
> University of North Carolina
> Manager of Security Resources
> 105 Abernethy Hall
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
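As an added illustration (not code from the post or from either list member), the per-source summary Doug quoted can be produced from raw Snort-style "fast" alert lines with a short aggregator; it also flags sources that trip many distinct signatures, which is the scanner profile seen above rather than a single exploit. The alert lines, IPs, ports and rule IDs below are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort "fast" format (IPs, ports and rule IDs are made up).
SAMPLE_ALERTS = """\
03/01-02:40:01.000001 [**] [1:886:1] WEB-CGI phf access [**] [Priority: 2] {TCP} 198.51.100.7:3311 -> 192.0.2.10:80
03/01-02:40:02.000002 [**] [1:886:1] WEB-CGI phf access [**] [Priority: 2] {TCP} 198.51.100.7:3312 -> 192.0.2.11:80
03/01-02:40:03.000003 [**] [1:620:1] SCAN Proxy attempt [**] [Priority: 3] {TCP} 198.51.100.7:3313 -> 192.0.2.12:8080
03/01-02:40:04.000004 [**] [1:1122:1] WEB-MISC /etc/passwd [**] [Priority: 2] {TCP} 198.51.100.7:3314 -> 192.0.2.13:80
03/01-02:40:05.000005 [**] [1:886:1] WEB-CGI phf access [**] [Priority: 2] {TCP} 203.0.113.5:40000 -> 192.0.2.10:80
garbage line that should be skipped
"""

# timestamp [**] [gid:sid:rev] <signature> [**] ... {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+ \[\*\*\] \[\d+:\d+:\d+\] (?P<sig>.+?) \[\*\*\] .*?\{\w+\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

def parse_alerts(text):
    """Yield (signature, src_ip, dst_ip) for each line that matches; skip the rest."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.group("sig"), m.group("src"), m.group("dst")

def summarize_source(text, src):
    """Signature counts and distinct destinations for one source, as in the post's summary."""
    sigs = Counter()
    dsts = set()
    for sig, s, d in parse_alerts(text):
        if s == src:
            sigs[sig] += 1
            dsts.add(d)
    return sigs, dsts

def noisy_sources(text, min_signatures=3):
    """Sources that trip at least min_signatures distinct rules: a scanner profile, not one exploit."""
    per_src = defaultdict(set)
    for sig, s, _ in parse_alerts(text):
        per_src[s].add(sig)
    return sorted(s for s, sigs in per_src.items() if len(sigs) >= min_signatures)

def format_summary(sigs, dsts, src):
    """Render the summary in the same layout as the quoted IDS output (ascending by count)."""
    lines = [f"{len(sigs)} different signatures are present for {src} as a source"]
    for sig, n in sorted(sigs.items(), key=lambda kv: (kv[1], kv[0])):
        lines.append(f"     {n} instances of {sig}")
    lines.append(f"There are {len(dsts)} distinct destination IPs")
    return "\n".join(lines)
```

Running `format_summary(*summarize_source(SAMPLE_ALERTS, src), src)` for each source returned by `noisy_sources` reproduces the shape of the report above; the distinct-signature threshold is the knob to tune against your own false-positive rate.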


