Large Attack

Passion mil21 at www.hansecure.com
Sat Mar 2 04:06:56 GMT 2002


At first glance this log seems to be a directed attack to find web vulnerabilities in your systems.

For example CIS, Typhon... these scanning tools use the same pattern.

Check the scanning pattern and compare it with the attack log!

CIS webscan - http://www.@stake.com/research/tools/webscan.exe



Regards,

K.Tommy


----- Original Message ----- 
From: "Douglas P. Brown" <dugbrown at email.unc.edu>
To: <incidents at securityfocus.org>; <unisog at sans.org>
Cc: "ITS Security" <security at unc.edu>
Sent: Saturday, March 02, 2002 4:44 AM
Subject: Large Attack


> 
> FYI - Starting last night and continuing this morning we've seen at
> least 14 hosts from at least 7 different foreign subnets banging pretty
> heavy on our subnets.  Below is a smart from the IDS logs for one of the
> bad hosts.  The result has been that several NT and 2000 domains have
> had accounts locked out.
> 
> 148 different signatures are present for x.x.x.x as a source 
> 
>      1 instances of WEB-IIS JET VBA access 
>      1 instances of WEB-IIS getdrvrs access 
>      1 instances of WEB-COLDFUSION administrator access 
>      1 instances of WEB-IIS admin.dll access 
>      1 instances of WEB-MISC .wwwacl access 
>      1 instances of WEB-IIS uploadn.asp access 
>      1 instances of WEB-CGI args.bat access 
>      1 instances of WEB-MISC Domino catalog.ns access 
>      1 instances of WEB-COLDFUSION exampleapp access 
>      1 instances of WEB-IIS bdir.ht access 
>      1 instances of WEB-MISC cpshost.dll access 
>      1 instances of WEB-IIS getdrvs.exe access 
>      1 instances of WEB-IIS anot.htr access 
>      1 instances of WEB-IIS search97.vts 
>      1 instances of WEB-FRONTPAGE shtml.exe 
>      1 instances of WEB-COLDFUSION cfmlsyntaxcheck.cfm access 
>      1 instances of WEB-FRONTPAGE form_results access 
>      1 instances of WEB-FRONTPAGE authors.pwd access 
>      1 instances of WEB-COLDFUSION beaninfo access 
>      1 instances of WEB-MISC convert.bas access 
>      1 instances of WEB-MISC AuthChangeUr accessl 
>      1 instances of WEB-IIS codebrowser SDK access 
>      1 instances of WEB-CGI wwwboard passwd access 
>      1 instances of WEB-MISC ws_ftp.ini access 
>      1 instances of WEB-MISC cart 32 AdminPwd access 
>      1 instances of WEB-COLDFUSION fileexists.cfm access 
>      1 instances of WEB-IIS adctest.asp access 
>      1 instances of WEB-COLDFUSION evaluate.cfm access 
>      1 instances of WEB-IIS CGImail.exe access 
>      1 instances of WEB-COLDFUSION snippets attempt attempt 
>      1 instances of WEB-COLDFUSION addcontent.cfm access 
>      1 instances of WEB-COLDFUSION cfcache.map access 
>      2 instances of WEB-MISC counter.exe access 
>      2 instances of WEB-COLDFUSION exampleapp application.cfm 
>      2 instances of WEB-IIS .asp access 
>      2 instances of WEB-FRONTPAGE users.pwd access 
>      2 instances of WEB-FRONTPAGE registrations.txt access 
>      2 instances of WEB-FRONTPAGE dvwssr.dll access 
>      2 instances of WEB-FRONTPAGE fpadmcgi.exe access 
>      2 instances of WEB-COLDFUSION cfappman access 
>      2 instances of WEB-IIS achg.htr access 
>      2 instances of WEB-FRONTPAGE _vti_rpc access 
>      2 instances of WEB-FRONTPAGE fpcount.exe access 
>      2 instances of WEB-IIS codebrowser Exair access 
>      2 instances of WEB-MISC shopping cart access access 
>      2 instances of WEB-MISC ICQ webserver DOS 
>      2 instances of WEB-IIS query.asp access 
>      2 instances of SMTP expn root 
>      2 instances of WEB-COLDFUSION application.cfm access 
>      2 instances of WEB-IIS _vti_inf access 
>      2 instances of WEB-IIS admin-default access 
>      3 instances of WEB-IIS *.idc attempt 
>      3 instances of WEB-CGI MachineInfo access 
>      3 instances of RPC portmap listing 
>      3 instances of WEB-IIS global-asa access 
>      3 instances of WEB-COLDFUSION expeval access 
>      3 instances of WEB-IIS asp-dot attempt 
>      3 instances of WEB-IIS codebrowser access 
>      3 instances of WEB-MISC Ecommerce checks.txt access 
>      3 instances of WEB-CGI webgais access 
>      3 instances of SCAN Synscan Portscan ID 19104 
>      3 instances of WEB-IIS newdsn.exe access 
>      3 instances of WEB-CGI websendmail access 
>      3 instances of WEB-IIS jet vba access 
>      4 instances of WEB-CGI post-query access 
>      4 instances of WEB-CGI dumpenv.pl access 
>      4 instances of WEB-CGI AT-admin.cgi access 
>      4 instances of WEB-CGI whoisraw access 
>      5 instances of WEB-MISC get32.exe access 
>      5 instances of WEB-MISC .htpasswd access 
>      5 instances of WEB-CGI classifieds.cgi access 
>      5 instances of WEB-CGI sendform.cgi access 
>      5 instances of WEB-CGI w3-msql access 
>      5 instances of WEB-CGI files.pl access 
>      5 instances of WEB-CGI AnyForm2 access 
>      5 instances of WEB-CGI rksh access 
>      5 instances of WEB-IIS admin access 
>      6 instances of WEB-CGI bash access 
>      6 instances of WEB-CGI glimpse access 
>      6 instances of WEB-CGI maillist.pl access 
>      6 instances of WEB-CGI w2tvars.pm access 
>      6 instances of WEB-CGI wguest.exe access 
>      6 instances of WEB-MISC shopping cart directory traversal 
>      6 instances of WEB-CGI wais.p access 
>      6 instances of WEB-MISC /cgi-bin/jj attempt 
>      6 instances of WEB-CGI filemail access 
>      6 instances of WEB-CGI edit.pl access 
>      6 instances of WEB-CGI man.sh access 
>      7 instances of WEB-CGI pfdisplay.cgi access 
>      7 instances of WEB-MISC Ecommerce import.txt access 
>      7 instances of WEB-CGI www-sql access 
>      7 instances of WEB-IIS 5 .printer isapi 
>      7 instances of WEB-CGI archie access 
>      7 instances of WEB-MISC ~root 
>      7 instances of WEB-CGI day5datacopier.cgi access 
>      7 instances of WEB-MISC wwwboard.pl access 
>      7 instances of WEB-CGI environ.cgi access 
>      7 instances of WEB-CGI day5datanotifier.cgi access 
>      8 instances of WEB-CGI survey.cgi access 
>      8 instances of WEB-CGI redirect access 
>      8 instances of WEB-CGI calendar access 
>      8 instances of WEB-CGI perlshop.cgi access 
>      8 instances of WEB-CGI rsh access 
>      8 instances of WEB-MISC handler access 
>      8 instances of WEB-CGI rwwwshell.pl access 
>      8 instances of WEB-MISC guestbook.cgi access 
>      8 instances of WEB-CGI testcounter.pl access 
>      9 instances of WEB-MISC Domino log.nsf access 
>      9 instances of WEB-CGI info2www access 
>      9 instances of WEB-CGI upload.pl access 
>      9 instances of WEB-MISC order.log access 
>      9 instances of WEB-CGI ksh access 
>      9 instances of WEB-IIS iisadmpwd attempt 
>      10 instances of WEB-MISC mall log order access 
>      10 instances of WEB-MISC Domino names.nsf access 
>      10 instances of WEB-CGI bnbform.cgi access 
>      11 instances of WEB-CGI campas access 
>      11 instances of WEB-MISC /etc/passwd 
>      11 instances of WEB-MISC netscape admin passwd 
>      11 instances of WEB-CGI bb-hist.sh access 
>      12 instances of WEB-CGI htmlscript access 
>      12 instances of WEB-CGI faxsurvey access 
>      13 instances of WEB-MISC piranha passwd.php3 access 
>      13 instances of WEB-CGI NPH-publish access 
>      13 instances of WEB-CGI csh access 
>      13 instances of WEB-MISC nph-test-cgi access 
>      13 instances of WEB-CGI wwwadmin.pl access 
>      14 instances of WEB-MISC .htaccess access 
>      14 instances of WEB-MISC webdist.cgi access 
>      14 instances of WEB-MISC architext_query.pl access 
>      14 instances of WEB-CGI flexform access 
>      16 instances of WEB-CGI LWGate access 
>      16 instances of WEB-MISC bigconf.cgi access 
>      17 instances of WEB-MISC Attempt to execute cmd 
>      17 instances of WEB-CGI tsch access 
>      19 instances of WEB-MISC Domino domlog.nsf access 
>      19 instances of WEB-MISC wrap access 
>      19 instances of WEB-MISC Domino domcfg.nsf access 
>      20 instances of WEB-CGI finger access 
>      21 instances of WEB-CGI aglimpse access 
>      27 instances of WEB-CGI formmail access 
>      28 instances of WEB-FRONTPAGE fourdots request 
>      29 instances of WEB-CGI test-cgi access 
>      35 instances of WEB-CGI phf access 
>      54 instances of CUSTOM Port 515 traffic 
>      77 instances of FTP passwd attempt 
>      159 instances of WEB-MISC http directory traversal 
>      2369 instances of SCAN Proxy attempt 
> 
> There are 937 distinct destination IPs - we've taken steps on our end to
> block this traffic.  I wanted to give everyone a heads up in case your
> you're next, and to see if anyone else is seeing similar traffic.
> 
> Cheers,
> -Doug
> -- 
> Douglas P. Brown
> University of North Carolina
> Manager of Security Resources
> 105 Abernethy Hall
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 
> 
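The advice above (compare the per-source signature summary against what a canned web scanner produces) can be turned into a small triage script. The following is an added example, not code from either poster or from any scanner vendor. It parses the "N instances of SIGNATURE" lines in the summary format quoted in the thread, groups them by Snort signature family (the first token, e.g. WEB-CGI), and computes breadth indicators: a source that trips well over a hundred distinct signatures, nearly all web checks hit once or twice each, looks like a canned vulnerability scan rather than a targeted attack on one service. The thresholds in `classify()` are assumptions chosen for illustration, and the embedded sample is a constructed nine-line excerpt of the quoted summary.

```python
"""Triage a Snort-style per-source signature summary (added example)."""
import re
import sys
from collections import Counter

# Matches "     35 instances of WEB-CGI phf access", with or without a
# leading ">" quote marker and trailing whitespace.
LINE_RE = re.compile(r"^\s*>?\s*(\d+)\s+instances of\s+(.+?)\s*$")

# Constructed sample: an excerpt of the summary quoted in the thread.
SAMPLE = """\
>      1 instances of WEB-IIS JET VBA access
>      1 instances of WEB-COLDFUSION administrator access
>      2 instances of WEB-FRONTPAGE users.pwd access
>      3 instances of RPC portmap listing
>      35 instances of WEB-CGI phf access
>      54 instances of CUSTOM Port 515 traffic
>      77 instances of FTP passwd attempt
>      159 instances of WEB-MISC http directory traversal
>      2369 instances of SCAN Proxy attempt
"""


def parse_summary(text):
    """Return {signature: count}; lines that do not match are skipped."""
    sigs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name = m.group(2)
            sigs[name] = sigs.get(name, 0) + int(m.group(1))
    return sigs


def family(sig):
    """Signature family is the first space-separated token (WEB-CGI, SCAN, ...)."""
    return sig.split(" ", 1)[0]


def by_family(sigs):
    """Total alert count per signature family."""
    counts = Counter()
    for sig, n in sigs.items():
        counts[family(sig)] += n
    return dict(counts)


def breadth_indicators(sigs):
    """Metrics that separate a broad canned scan from a focused attack."""
    total = sum(sigs.values())
    distinct = len(sigs)
    low = sum(1 for n in sigs.values() if n <= 2)
    web = sum(1 for s in sigs if family(s).startswith("WEB-"))
    top_sig, top_n = max(sigs.items(), key=lambda kv: kv[1])
    return {
        "distinct_signatures": distinct,
        "total_alerts": total,
        "low_count_fraction": low / distinct,
        "web_signature_fraction": web / distinct,
        "top_signature": top_sig,
        "top_share": top_n / total,
    }


def classify(ind, min_distinct=100, min_low=0.5, min_web=0.8):
    """Heuristic verdict; the thresholds are assumed values, not a standard."""
    if (ind["distinct_signatures"] >= min_distinct
            and ind["low_count_fraction"] >= min_low
            and ind["web_signature_fraction"] >= min_web):
        return "broad web vulnerability scan"
    return "undetermined"


def main():
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sigs = parse_summary(text)
    for fam, n in sorted(by_family(sigs).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {fam}")
    ind = breadth_indicators(sigs)
    print(ind)
    print("verdict:", classify(ind))


if __name__ == "__main__":
    main()
```

Run it as `python triage.py summary.txt` against a saved copy of the summary; with no argument it uses the embedded excerpt. On the full 148-signature summary quoted above, the low-count fraction and the WEB-* fraction are what separate a scanner signature from a real intrusion; the single dominant "SCAN Proxy attempt" entry is worth reporting separately, since it is the one line that speaks to intent beyond the canned check list.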

