Coordinated HTTP scan (NOT CodeRed or Nimda)?

Glenn Forbes Fleming Larratt glratt at io.com
Mon Mar 4 20:33:54 GMT 2002


We run two instances of Snort just inside our border - one with a mostly
standard 1.8.1-vintage ruleset, the other older with some special rules
to catch CodeRed and Nimda. 

During the half-hour between 1305 and 1335 UTC (0705-0735 local time),
we noted an abrupt appearance of entries of the form:

Mar  3 07:13:47 gummo.rice.edu snort[3081]: [ID 702911 auth.alert] spp_portscan: End of portscan from 208.59.144.209: TOTAL time(20s) hosts(31) TCP(33) UDP(0)
Mar  3 07:13:49 gummo.rice.edu snort[3081]: [ID 702911 auth.alert] spp_portscan: End of portscan from 24.132.199.169: TOTAL time(12s) hosts(34) TCP(35) UDP(0)
Mar  3 07:14:12 gummo.rice.edu snort[3081]: [ID 702911 auth.alert] spp_portscan: End of portscan from 208.59.144.209: TOTAL time(11s) hosts(35) TCP(36) UDP(0)

Investigation of the portscan.log file turned up some salient facts:

 - earliest hit was at 13:13:23 UTC, latest at 13:23:17;
 - every instance was a SYN scan against port 80;
 - SYN scans, thus no payload to trigger CR/Nimda rules, and thus probably
	*not* CR or Nimda;
 - exactly 10 source hosts were identified (noted below);
 - each source host scanned a precise region of our Class B (/16), as noted:

hits  source              scanned                                who
---- ---------------     ---------                              ----
 789 24.82.220.202	/24 subnets 6,7,9,10,11            shawcable.net
 446 208.59.144.209	/24 subnets 17,18,19,20,21,22      rcn.com
 292 66.183.11.57       /24 subnets 27,30,31,32            telus.net
 361 206.172.81.25      /24 subnets 66,67,68,69            sympatico.ca
 412 24.45.90.128       /24 subnets 81,82,83               optonline.net
 166 204.26.122.47      /24 subnets 139,141                multitech.com / 
                                                            USWEST
 539 64.252.197.190	/24 subnets 159,160,161,162        snet.net
 440 68.9.1.36		/24 subnets 166,167,168,169,170    cox.com
 116 149.99.203.126     /24 subnets 178,180,181            sprint.ca
 448 24.132.199.169	/24 subnets 181,183,184,185,186    a2000.nl

Distributed reconnaissance tool? Anyone recognize the signature? Anyone
seen this?

	-g

-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at io.com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.



More information about the unisog mailing list