[lug] possible intrusion

D. Stimits stimits at idcomm.com
Thu Jul 19 14:08:56 MDT 2001


Deva Samartha wrote:
> 
> Looks like they are not getting in - unless they get in, deliver a
> gift and then go on - this I have not checked yet since I am not
> able to identify the shell/buffercode yet. The package would have been
> overwritten 30 x or so, by now.
> 
> The incoming data is 4 .. 10 k in packets and outgoing it's
> anywhere from 50 .. 100 k response of the server. They connect
> once and are never seen again. All happens within seconds.

Since my prior post, I have seen about 2 bogus port 80 attempts on my
machine per minute. Just for fun, I try to gather info on most
attackers. I think I can verify that probably these attackers are
themselves cracked IIS boxes. On a couple of them, for those that did
not shut down all web access, I see this after telnet to port 80 and
manually running "GET":
Microsoft-IIS/5.0

So the real question is this: Do you have microsoft based web servers
accessible to the outside world? If not, you are not subject to any
successful attacks of this sort. It would appear that the attacking
machines are not doing a port scan followed by attack only on machines
that are susceptible...instead it is a blind attack on port 80 in hopes
it is IIS.

> 
> Maybe they are picking something up?
> 
> I checked into one source and there I could overwrite the
> IP number of the router with a wide open web interface, look at
> connection times etc.
> (I have not actually checked, if a different IP would have
> been accepted, but the web interface was there and accessible ;-)
> So, with this background - one can assume the system/LAN was compromised.
> I was unable to contact the party.
> 
> Apache just gives out an error message:
> "Client sent malformed Host header"
>   and gives the 300-byte-long NNNN code message in the log
> 
> I will email to security focus as suggested, because if nobody else
> sees this kind of traffic, I could be compromised :-(

It never hurts to talk to these people, they keep statistics if nothing
else. You can bet that every single hit like this though is from a
compromised machine, and each of those machines is trying to compromise
entire domains. Even if you have Windows, you won't be at risk unless
you run the IIS web server.

D. Stimits, stimits at idcomm.com

> 
> Thank you,
> 
> Samartha
> 
> >This may be of interest:
> >http://www.astalavista.com/exploits/iis/buffer2.shtml
> >http://www.eeye.com/html/Research/Advisories/AD20010618.html
> >http://www.bhs.silesianet.pl/html/overflow_in_6.0.htm
> >
> >
> >My guess is they are looking for MS IIS servers to root. If you are
> >running any MS machines there with unpatched web server, they are
> >probably gone.
> >
> >D. Stimits, stimits at idcomm.com
> >_______________________________________________
> >Web Page: http://lug.boulder.co.us
> >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
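The traffic the thread describes leaves two traces on an Apache host: an access-log request whose path is a long run of "N" bytes, and an error-log line reading "Client sent malformed Host header". Counting both per source address is a quick way to see how many distinct (presumably compromised) machines are hitting port 80 and whether any of them keep coming back. The code below is an added example, not code from the thread or the LUG list; the log lines are constructed, and the 100-character run threshold and the function names are assumptions.

```python
"""Count the port-80 probe pattern described in the thread from Apache logs."""
import re
from collections import defaultdict

# Assumed threshold: the thread reports a roughly 300-byte run of 'N';
# 100 is low enough to catch truncated copies in the log.
DEFAULT_MIN_RUN = 100

# Apache combined/common access-log line: client IP, timestamp, request, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Apache 1.3-style error-log line for the rejected Host header.
ERROR_RE = re.compile(r'\[client (?P<ip>[^\]\s]+)\] Client sent malformed Host header')


def has_long_n_run(path, min_run=DEFAULT_MIN_RUN):
    """True if the request path contains at least min_run consecutive 'N' bytes."""
    return re.search(r'N{%d,}' % min_run, path) is not None


def parse_access_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def summarize_probes(access_lines, error_lines, min_run=DEFAULT_MIN_RUN):
    """Per source IP, count 'N'-run requests and malformed-Host errors.

    Only addresses that triggered at least one of the two signatures appear
    in the result, so ordinary traffic is left out of the summary.
    """
    summary = defaultdict(lambda: {"n_run_requests": 0, "malformed_host": 0})
    for line in access_lines:
        rec = parse_access_line(line)
        if rec and has_long_n_run(rec["path"], min_run):
            summary[rec["ip"]]["n_run_requests"] += 1
    for line in error_lines:
        m = ERROR_RE.search(line)
        if m:
            summary[m.group("ip")]["malformed_host"] += 1
    return dict(summary)


# Constructed sample log lines (documentation-range addresses, not real hosts).
PROBE = "/" + "N" * 300
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [19/Jul/2001:14:01:02 -0600] "GET %s HTTP/1.0" 400 342 "-" "-"' % PROBE,
    '192.0.2.10 - - [19/Jul/2001:14:01:03 -0600] "GET %s HTTP/1.0" 400 342 "-" "-"' % PROBE,
    '198.51.100.7 - - [19/Jul/2001:14:02:11 -0600] "GET %s HTTP/1.0" 400 342 "-" "-"' % PROBE,
    '203.0.113.4 - - [19/Jul/2001:14:03:00 -0600] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.7"',
]
SAMPLE_ERROR_LOG = [
    '[Thu Jul 19 14:01:02 2001] [error] [client 192.0.2.10] Client sent malformed Host header',
    '[Thu Jul 19 14:01:03 2001] [error] [client 192.0.2.10] Client sent malformed Host header',
    '[Thu Jul 19 14:02:11 2001] [error] [client 198.51.100.7] Client sent malformed Host header',
    '[Thu Jul 19 14:05:40 2001] [error] [client 203.0.113.4] File does not exist: /var/www/favicon.ico',
]

if __name__ == "__main__":
    for ip, counts in sorted(summarize_probes(SAMPLE_ACCESS_LOG, SAMPLE_ERROR_LOG).items()):
        print(ip, counts)
```

On a real host, feed the two lists from the access log and error log (for example with open(...).readlines()); a source that shows up once and never again matches the "connect once and are never seen again" behaviour described above, while repeat counts point at a machine worth reporting to its owner or to SecurityFocus.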


