Need help to find web server attacks signature

Discussion in 'Computer Security' started by Maxime Ducharme, Oct 22, 2003.

  1. Hi all,
    I'd need help identifying an attack that happened on one of our
    customer's web servers yesterday. I put the log file here:
    http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

    I see some attacks that seem to come from a security scanner tool,
    and some attacks that target specific pages of the web site
    (where we begin to see 200 responses from the web server).

    Does someone recognize a tool / virus / worm in this?

    Thanks in advance for the help

    ---------------------------------------------------------------
    Maxime Ducharme
    Network administrator, Programmer
     
    Maxime Ducharme, Oct 22, 2003
    #1

  2. ssshades2 (Guest)

    In article <ngzlb.6014$>, maxime@pandore-designSPAMISBAD.com spake thus...
    > Subject: Need help to find web server attacks signature
    > From: Maxime Ducharme <>
    > Newsgroups: alt.computer.security
    >
    > Hi all,
    > i'd need help to identify an attack that happened on one of our
    > customer's web server yesterday, I put the log file here :
    >


    I would suggest not posting your logs like that in a newsgroup; rather, send
    them directly by email to a security professional.

    The reason is that it gives away quite a bit of information about your
    webserver and its structure. It would be trivial to find out where you work,
    for example; also, despite the attempt to hide the IP address, it could be
    discovered easily enough.

    It _appears_ to be an attack using:

    Arirang - twwwscan for Unix

    http://www.monkey.org/~pilot/arirang/

    http://www.monkey.org/~pilot/arirang/scanrule/iis.uxe
    http://www.monkey.org/~pilot/arirang/scanrule/server.uxe
    http://www.monkey.org/~pilot/arirang/scanrule/nimda.uxe

    Although a lot of custom scan rules have been added. You are either being
    audited, or someone is attempting to hack your webserver pretty seriously.

    I'd say the attack is probably being launched from a Unix client; as far as I
    know this is a Unix-only application.

    Go to my webpage and email me if you want to discuss this further.

    Cheers, Mike.

    --
    ________________________________

    "We're in the pipe... 5 by 5..."

    shades2 (Perth, WA)
    http://www.iinet.net.au/~shades2
     
    ssshades2, Oct 23, 2003
    #2

  3. jayjwa (Guest)

    ssshades2 wrote:

    > It _appears_ to be an attack using:
    >
    > Arirang - twwwscan for Unix
    >
    > http://www.monkey.org/~pilot/arirang/
    >
    > http://www.monkey.org/~pilot/arirang/scanrule/iis.uxe
    > http://www.monkey.org/~pilot/arirang/scanrule/server.uxe
    > http://www.monkey.org/~pilot/arirang/scanrule/nimda.uxe
    >
    > Although a lot of custom scan rules have been added. You are either being
    > audited, or someone is attempting to hack your webserver pretty seriously.
    >
    > I'd say the attack is probably being launched from a Unix client as far as I
    > know this is a Unix only application.


    Script Kiddie shit. He goes from config.sys to /etc/passwd, changes
    platforms. I'm not familiar with Arirang, but I do see lots of cases of
    people pointing a security scanner at a host, and it looks like that;
    they just go right down the line trying to find flaws. Because it is a
    pre-made tool that searches for vulnerabilities by a "stab in the dark"
    approach, I'd say this guy isn't too advanced. Nessus or amap will make
    a similar mess of the logs as this example here, but it takes no skill at
    all to download a scanner and point it at someone. I love it when I get IIS
    exploits on my *nix-based webserver.


    --
    -=-=-=-=-=-=-=-=-=-=-=The New Atr2.Ath.Cx=-=-=-=-=-=-=-=-=-=-=
    - jayjwa *Https Only* Mod-SSL / PGP Key / CA Onsite
    Was I helpful?: https://atr2.ath.cx/papers/affero.php
    What every Windows user needs: https://atr2.ath.cx/pub/pic.jpg
    Mail: Spam servers:
    /cgi-bin/ping-jay.cgi or finger for GPG & info
    /pub is public WWW directory Registered Linux fanatic #37
    =-=-=-=-=-=-=-=Linux Tough.Powered By Slackware=-=-=-=-=-=-=-=
     
    jayjwa, Oct 24, 2003
    #3
  4. Thanks jayjwa

    I agree with you; we see many platform probes and some
    well-known forum vulnerabilities.

    Have a nice day

    ---------------------------------------------------------------
    Maxime Ducharme
    Network administrator, Programmer


    "jayjwa" <> wrote in message
    news:...
    > ssshades2 wrote:
    >
    > > It _appears_ to be an attack using:
    > >
    > > Arirang - twwwscan for Unix
    > >
    > > http://www.monkey.org/~pilot/arirang/
    > >
    > > http://www.monkey.org/~pilot/arirang/scanrule/iis.uxe
    > > http://www.monkey.org/~pilot/arirang/scanrule/server.uxe
    > > http://www.monkey.org/~pilot/arirang/scanrule/nimda.uxe
    > >
    > > Although a lot of custom scan rules have been added. You are either being
    > > audited, or someone is attempting to hack your webserver pretty seriously.
    > >
    > > I'd say the attack is probably being launched from a Unix client; as far as I
    > > know this is a Unix-only application.
    >
    > Script Kiddie shit. He goes from config.sys to /etc/passwd, changes
    > platforms. I'm not familiar with Arirang, but I do see lots of cases of
    > people pointing a security scanner at a host, and it looks like that;
    > they just go right down the line trying to find flaws. Because it is a
    > pre-made tool that searches for vulnerabilities by a "stab in the dark"
    > approach, I'd say this guy isn't too advanced. Nessus or amap will make
    > a similar mess of the logs as this example here, but it takes no skill at
    > all to download a scanner and point it at someone. I love it when I get IIS
    > exploits on my *nix-based webserver.
     
    Maxime Ducharme, Oct 24, 2003
    #4
  5. jayjwa (Guest)

    Maxime Ducharme wrote:

    > I agree with you, we see many platforms probes & some
    > well know forums vulnerabilities.
    >


    My guess is he's gone, without a trace, now? These things usually go
    away as fast as they come on (hopefully!). Two weeks ago, I had one that
    used the GET /scripts/..%255../... type exploit; it made a mess of the logs
    but nothing more. Should I tell him it's not an IIS server? Naaaa...

    I put the full arirang tarball & all rulesets here, in one bzip2
    compressed file: https://atr2.ath.cx/pub/arirang-pak.tar.bz2


     
    jayjwa, Oct 25, 2003
    #5
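A worked example of the triage the thread describes: jayjwa's point in #3 that a scanner "goes right down the line" mixing config.sys and /etc/passwd probes, and the double-encoded /scripts/..%255.. traversal from #5 (the full pattern is ..%255c.., where %255c decodes to %5c on the first pass and to a backslash on the second, which is why a single URL-decode misses it). This is added code, not the poster's log, not Arirang, and not anything from the thread: the log excerpt is constructed in IIS W3C extended format with RFC 5737 documentation addresses, PROBE_MARKERS is an illustrative list rather than any scanner's ruleset, and the two thresholds are assumptions. The script reads column names from the #Fields line, percent-decodes every URI until it stops changing, then groups requests by source address and separates the noise (404s and recognised probes) from the part that actually needs a human, namely the pages from the same source that answered 200, which is exactly what the original poster was seeing.

```python
"""Triage an IIS W3C extended log for scanner-style probing.
Added example, not the poster's log and not code from Arirang or any tool named
in the thread. SAMPLE_LOG is constructed (RFC 5737 addresses, typical probe
paths); PROBE_MARKERS and the thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-10-21 14:02:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-10-21 14:02:01 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 Mozilla/4.0
2003-10-21 14:02:01 192.0.2.10 GET /config.sys - 404 Mozilla/4.0
2003-10-21 14:02:02 192.0.2.10 GET /cgi-bin/phf Qalias=x%0a/bin/cat%20/etc/passwd 404 Mozilla/4.0
2003-10-21 14:02:02 192.0.2.10 GET /_vti_bin/shtml.dll - 404 Mozilla/4.0
2003-10-21 14:02:03 192.0.2.10 GET /msadc/msadcs.dll - 404 Mozilla/4.0
2003-10-21 14:02:04 192.0.2.10 GET /forum/index.php - 200 Mozilla/4.0
2003-10-21 14:02:04 192.0.2.10 GET /forum/admin/config.php - 200 Mozilla/4.0
2003-10-21 14:05:10 192.0.2.77 GET /index.html - 200 Mozilla/5.0
2003-10-21 14:05:15 192.0.2.77 GET /missing.html - 404 Mozilla/5.0
"""

# Illustrative probe substrings, matched against the fully decoded, lower-cased
# URI. Not a signature set taken from Arirang or any other scanner.
PROBE_MARKERS = ("config.sys", "/etc/passwd", "cmd.exe", "../", "..\\",
                 "/msadc/", "/_vti_bin/", "/cgi-bin/phf")
MIN_DISTINCT_404 = 5   # assumed thresholds: tune them against normal traffic
MIN_PROBES = 3

def parse_w3c(text):
    """Return one dict per request line, columns named by the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("request line before #Fields directive")
            values = line.split()
            if len(values) == len(fields):      # skip truncated lines rather than misalign
                records.append(dict(zip(fields, values)))
    return records

def normalize(stem, query):
    """Join stem and query, then percent-decode until stable, so that
    ..%255c.. (-> ..%5c.. -> ..\\..) is compared in the form IIS would act on."""
    uri = stem if query == "-" else f"{stem}?{query}"
    for _ in range(3):                           # bounded: a %2525... chain stops here
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

@dataclass
class Summary:
    requests: int = 0
    statuses: Counter = field(default_factory=Counter)
    not_found: set = field(default_factory=set)    # distinct stems that answered 404
    probes: list = field(default_factory=list)     # decoded URIs matching a marker
    hits_200: list = field(default_factory=list)   # stems that answered 200: review these

    @property
    def scanner(self):
        return len(self.not_found) >= MIN_DISTINCT_404 or len(self.probes) >= MIN_PROBES

def triage(records):
    """Group requests by client address and classify each source."""
    per_ip = defaultdict(Summary)
    for r in records:
        s = per_ip[r["c-ip"]]
        s.requests += 1
        s.statuses[r["sc-status"]] += 1
        uri = normalize(r["cs-uri-stem"], r["cs-uri-query"])
        if r["sc-status"] == "404":
            s.not_found.add(r["cs-uri-stem"])
        if any(m in uri for m in PROBE_MARKERS):
            s.probes.append(uri)
        if r["sc-status"] == "200":
            s.hits_200.append(r["cs-uri-stem"])
    return dict(per_ip)

def report(per_ip):
    """Human-readable summary; the 200s from a scanning source are the actionable part."""
    out = []
    for ip, s in sorted(per_ip.items()):
        out.append(f"{ip}: {s.requests} requests {dict(s.statuses)} "
                   f"[{'SCANNER' if s.scanner else 'ok'}]")
        if s.scanner:
            out.extend(f"  probe: {p}" for p in s.probes)
            out.extend(f"  200  : {h}   <- page exists, check it for the probed flaw" for h in s.hits_200)
    return "\n".join(out)

if __name__ == "__main__":
    print(report(triage(parse_w3c(SAMPLE_LOG))))
```

Run it as-is and it prints one line per source address, tagging 192.0.2.10 as a scanner and listing the two forum pages it got a 200 from; 192.0.2.77, with a single 404, stays "ok". To use it on a real IIS log, feed the file contents to parse_w3c: the code looks columns up by name, so extra fields in the real #Fields line are harmless as long as c-ip, cs-uri-stem, cs-uri-query and sc-status are logged. Matching on the decoded URI rather than the raw one is the point of the normalize step: a rule that only looks for "../" never sees the ..%255c.. form, while a rule applied after repeated decoding catches both, and the decode loop is bounded so a long %2525... chain cannot be used to stall it.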
