From: Thomas Whipp (tkwobjectronix.co.uk)
Date: Thu Oct 11 2001 - 11:10:58 CDT

    Hi all,

            overnight I got a cmd.exe attempt to one of the
    addresses within our netblock - nothing odd about that
    except that this address isn't active.

    Checking through our logs I found a range of other related
    attacks from the same source, all to the same unused
    address. Checking our packet logs I found the following:

    22:12:13 TCP: x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:12:17 TCP: x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:19:44 TCP: x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:19:47 TCP: x.x.x.x:3427 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:22:44 TCP: x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:22:47 TCP: x.x.x.x:3964 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:25:0 TCP: x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:25:3 TCP: x.x.x.x:4357 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:26:30 TCP: x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:26:33 TCP: x.x.x.x:4634 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:29:30 TCP: x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:29:33 TCP: x.x.x.x:3131 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK
    22:31:0 TCP: x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN ACK
    22:31:3 TCP: x.x.x.x:3394 ( ) -> y.y.y.y:80 ( ) FIN PSH ACK

    Notes:
    1) This is a *full* packet log - it's not filtered in any way
    and it is correctly positioned to see all traffic.
    2) All FIN/PSH/ACK packets appear to have carried a payload,
    either unicode cmd.exe or root.exe.
    3) x.x.x.x is the attacker
    4) y.y.y.y is the target

    We've replicated the traffic internally to a scratch NT IIS
    server but didn't see any entries in the log files.

    I'm at a loss - the traffic is definitely hostile, but it
    doesn't make any sense... anybody know if there are any
    Windows builds that might pass traffic of this profile to
    the application layer?

    regards

            Tom

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
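The out-of-state pattern Tom describes (FIN/ACK and FIN/PSH/ACK segments carrying payload with no SYN ever seen for the flow) is easy to pick out of a full packet log. The following is an added detection example, not code from the original post: it parses lines in the quoted log format, re-joins flag tokens that a mail client wrapped onto the next line, and reports flows that carry data without a preceding handshake. The addresses and timestamps in the sample are constructed.

```python
import re

# Matches the log format quoted in the post, e.g.
#   22:12:13 TCP: x.x.x.x:4137 ( ) -> y.y.y.y:80 ( ) FIN ACK
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}:\d{1,2}:\d{1,2}) TCP: "
    r"(?P<src>\S+):(?P<sport>\d+) \(.*?\) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) \(.*?\) (?P<flags>[A-Z ]+)$"
)
FLAG_TOKENS = {"SYN", "ACK", "FIN", "PSH", "RST", "URG"}

def unwrap(lines):
    """Re-join flag tokens that a mail client wrapped onto the next line."""
    out = []
    for line in lines:
        line = line.strip()
        if out and line and set(line.split()) <= FLAG_TOKENS:
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def find_stateless_flows(lines):
    """Return {flow: [(timestamp, flags), ...]} for flows that carry FIN or
    PSH segments without any earlier SYN from the same source port, i.e.
    data that never belonged to an established connection."""
    seen_syn = set()
    suspicious = {}
    for line in unwrap(lines):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP record in this format
        flags = set(m["flags"].split())
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        if "SYN" in flags:
            seen_syn.add(flow)  # a real handshake started this flow
        elif flow not in seen_syn and flags & {"FIN", "PSH"}:
            suspicious.setdefault(flow, []).append((m["ts"], m["flags"].strip()))
    return suspicious

# Constructed sample (documentation addresses): one normal handshake-based
# request plus two flows in the post's pattern (FIN ACK, FIN PSH ACK, no SYN).
SAMPLE_LOG = """\
22:10:01 TCP: 192.0.2.10:3001 ( ) -> 198.51.100.5:80 ( ) SYN
22:10:01 TCP: 192.0.2.10:3001 ( ) -> 198.51.100.5:80 ( ) ACK
22:10:02 TCP: 192.0.2.10:3001 ( ) -> 198.51.100.5:80 ( ) PSH ACK
22:12:13 TCP: 192.0.2.77:4137 ( ) -> 198.51.100.9:80 ( ) FIN ACK
22:12:17 TCP: 192.0.2.77:4137 ( ) -> 198.51.100.9:80 ( ) FIN PSH
ACK
22:19:44 TCP: 192.0.2.77:3427 ( ) -> 198.51.100.9:80 ( ) FIN ACK
22:19:47 TCP: 192.0.2.77:3427 ( ) -> 198.51.100.9:80 ( ) FIN PSH ACK
""".splitlines()

if __name__ == "__main__":
    for flow, events in find_stateless_flows(SAMPLE_LOG).items():
        print(flow, events)
```

A flow that shows up here was never accepted by the target's TCP stack, so the absence of IIS log entries in Tom's replication is expected; the value of the check is in spotting the probe at the network layer.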