Computer Security - Possible new scan/attack against Windows systems targeting multiple vuls

#1
Since August 2nd we have seen a new scan/attack pattern which targets UDP port 137 and TCP ports 139, 445, and 80, and we have seen this from a couple of different sources within our own A.B.x.x netblock thus far.

It's the scan on port 80 which is rather different, as it's a WebDAV scan. WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a set of extensions to the HTTP protocol which allows users to collaboratively edit and manage files on remote web servers. Attacks using WebDAV are not new, but given the increase in them it might be possible a new worm or attack script is out there using known vuls within WebDAV (www.cert.org/advisories/CA-2003-09.html, www.kb.cert.org/vuls/id/959211, etc).

Packet Capture of the Port 80 Scan:

0000  4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31   OPTIONS / HTTP/1
0010  2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66   .1..translate: f
0020  0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
0030  63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D   crosoft-WebDAV-M
0040  69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30   iniRedir/5.1.260
0050  30 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E   0..Host: 68.144.
0060  31 39 32 2E 32 32 37 0D 0A 43 6F 6E 74 65 6E 74   192.227..Content
0070  2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E 6E   -Length: 0..Conn
0080  65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69   ection: Keep-Ali
0090  76 65 0D 0A 0D 0A                                 ve....

Sample Scan sequence capture

(TCP) 68.144.160.96 : 2026 >>> 192.168.168.4 : 139
(TCP) 68.144.160.96 : 2027 >>> 68.144.192.227 : 445
(TCP) 68.144.160.96 : 2028 >>> 192.168.168.4 : 139
(TCP) 68.144.160.96 : 2043 >>> 192.168.168.4 : 139
(UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
(UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
(UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
(TCP) 68.144.160.96 : 2057 >>> 192.168.168.4 : 80

Whether this is a script or a program, it runs on Windows, as it uses calls to Windows for the NetBIOS calls. For example, the UDP port 137 scan is a port 137 to 137 scan and the packet has unique transaction IDs, which tends to indicate a Windows NetBIOS call as compared to an Opaserv fixed NetBIOS packet using a source port above 1023.

Thanks
Blake McNeill
http://www.SonicLogger.com - Logging Software for SonicWall and 3Com
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
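An added example, not part of the original post: a small triage script that parses the scan sequence in the post's own "(PROTO) src : sport >>> dst : dport" format, flags any source that touches the full UDP 137 / TCP 139 / 445 / 80 footprint, records whether its NetBIOS probes came from source port 137 (the Windows-stack tell Blake describes), and labels the decoded port 80 request by its method and User-Agent. Function and constant names are mine; the sample input is the post's own capture, embedded inline.

```python
import re
from collections import defaultdict
# Constructed sample input: the scan sequence quoted in the post, one line per packet.
SCAN_LOG = """\
(TCP) 68.144.160.96 : 2026 >>> 192.168.168.4 : 139
(TCP) 68.144.160.96 : 2027 >>> 68.144.192.227 : 445
(TCP) 68.144.160.96 : 2028 >>> 192.168.168.4 : 139
(TCP) 68.144.160.96 : 2043 >>> 192.168.168.4 : 139
(UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
(UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
(UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
(TCP) 68.144.160.96 : 2057 >>> 192.168.168.4 : 80
"""
# The port 80 request from the post's hex dump, decoded to ASCII.
OPTIONS_REQUEST = (b"OPTIONS / HTTP/1.1\r\ntranslate: f\r\n"
                   b"User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
                   b"Host: 68.144.192.227\r\nContent-Length: 0\r\n"
                   b"Connection: Keep-Alive\r\n\r\n")
LINE_RE = re.compile(r"\((TCP|UDP)\)\s+(\S+)\s*:\s*(\d+)\s*>>>\s+(\S+)\s*:\s*(\d+)")
# The full footprint described in the post: NetBIOS name service, SMB (139/445) and WebDAV.
PATTERN = {("UDP", 137), ("TCP", 139), ("TCP", 445), ("TCP", 80)}

def parse_scan_log(text):
    """Parse '(PROTO) src : sport >>> dst : dport' lines into tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            proto, src, sport, dst, dport = m.groups()
            events.append((proto, src, int(sport), dst, int(dport)))
    return events

def sources_matching_pattern(events):
    """Map each source that hit every (proto, port) in PATTERN to True when all its
    UDP 137 probes used source port 137 (Windows NetBIOS stack), else False."""
    ports, nb_sports = defaultdict(set), defaultdict(set)
    for proto, src, sport, _dst, dport in events:
        ports[src].add((proto, dport))
        if (proto, dport) == ("UDP", 137):
            nb_sports[src].add(sport)
    return {src: nb_sports[src] == {137} for src, p in ports.items() if PATTERN <= p}

def classify_port80_probe(raw):
    """Label an HTTP request: OPTIONS from the Windows WebDAV Mini-Redirector or not."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    method = head[0].split(" ", 1)[0]
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (h.partition(":") for h in head[1:])}
    if method == "OPTIONS" and headers.get("user-agent", "").startswith("Microsoft-WebDAV-MiniRedir"):
        return "windows-webdav-client-options"
    return "not-webdav"
```

Feeding a firewall log in this format through it gives you a per-source list to cross-check against the follow-up replies' "misconfigured XP box" explanation before treating the traffic as a worm.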

#2
"Blake McNeill" <> wrote in message news:5HnYa.646743$. ca...

> Since August 2nd we have seen a new scan/attack pattern which targets ports
> UDP port 137, TCP ports 139, 445, and 80 and have seen this from a couple of
> different sources within from our own A.B.x.x netblock thus far.
>
> Its the scan on port 80 which is rather different as its a WebDAV scan.
> WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a
> set of extensions to the HTTP protocol which allows users to collaboratively
> edit and manage files on remote web servers. Attacks using WebDav are not
> new, but given the increase in them it might be possible a new worm or
> attack script is out there using known vuls within WebDAV (
> www.cert.org/advisories/CA-2003-09.html www.kb.cert.org/vuls/id/959211 etc).
>
> Packet Capture of the Port 80 Scan:
>
> 0000  4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31   OPTIONS / HTTP/1
> 0010  2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66   .1..translate: f
> 0020  0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
> 0030  63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D   crosoft-WebDAV-M
> 0040  69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30   iniRedir/5.1.260
> 0050  30 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E   0..Host: 68.144.
> 0060  31 39 32 2E 32 32 37 0D 0A 43 6F 6E 74 65 6E 74   192.227..Content
> 0070  2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E 6E   -Length: 0..Conn
> 0080  65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69   ection: Keep-Ali
> 0090  76 65 0D 0A 0D 0A                                 ve....
>
> Sample Scan sequence capture
>
> (TCP) 68.144.160.96 : 2026 >>> 192.168.168.4 : 139
> (TCP) 68.144.160.96 : 2027 >>> 68.144.192.227 : 445
> (TCP) 68.144.160.96 : 2028 >>> 192.168.168.4 : 139
> (TCP) 68.144.160.96 : 2043 >>> 192.168.168.4 : 139
> (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
> (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
> (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
> (TCP) 68.144.160.96 : 2057 >>> 192.168.168.4 : 80
>
> Whether this is a script or a program, it runs on Windows as it uses calls
> to Windows for the Netbios calls. For example the UDP port 137 scan is a
> port 137 to 137 scan and the packet has unique transaction IDs which tends
> to indicate a Windows netbios call as compared to a Opaserv fixed Netbios
> packet using a source port above 1023.
>
> Thanks
> Blake McNeill

You know, this could simply be a misconfiguration of some legitimate WebDAV-based client. It's quite common for windoze systems to attempt to speak NetBIOS to each other as a side effect of some other transaction between them.

You can also read more at http://www.google.com/search?hl=en&i...ebdav++miniredir

http://www.webmasterworld.com/forum11/1349.htm says:

"Most of these kind of accesses come from people who unintentionally use the "wrong tools" to surf the web, like clicking a link in IE and having it open in Excel. Excel and XP then try to open an editing session on the hosting server. If the hosting server doesn't support this, it eventually falls back to a "view-only" mode. My only problem with it is that the handshake involves about six attempts to access multiple lock/unlock/file reservation files - I wish it would just give up after one try."

I think you should suspect someone with a misconfigured XP box as the most plausible explanation.

DaveK
--
moderator of alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
Dave Korn

#3
"Dave Korn" <> wrote in message news:LSIYa.7685$...

> "Blake McNeill" <> wrote in message
> news:5HnYa.646743$. ca...
> > Since August 2nd we have seen a new scan/attack pattern which targets ports
> > UDP port 137, TCP ports 139, 445, and 80 and have seen this from a couple of
> > different sources within from our own A.B.x.x netblock thus far.
>
> You can also read more at
> http://www.google.com/search?hl=en&i...ebdav++miniredir

And particularly, take a look at the post at http://cert.uni-stuttgart.de/archive.../msg00176.html and in particular read down to the bottom of the post to see the earlier quoted parts of the thread... seems like exactly the situation you've encountered.

DaveK
--
moderator of alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
Dave Korn