Possible new scan/attack against Windows systems targeting multiple vuls

Discussion in 'Computer Security' started by Blake McNeill, Aug 7, 2003.

  1. Since August 2nd we have seen a new scan/attack pattern which targets
    UDP port 137 and TCP ports 139, 445, and 80, and we have seen this from a
    couple of different sources from within our own A.B.x.x netblock thus far.

    It's the scan on port 80 which is rather different, as it's a WebDAV scan.
    WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a
    set of extensions to the HTTP protocol which allows users to collaboratively
    edit and manage files on remote web servers. Attacks using WebDAV are not
    new, but given the increase in them it might be possible that a new worm or
    attack script is out there using known vuls within WebDAV
    (www.cert.org/advisories/CA-2003-09.html, www.kb.cert.org/vuls/id/959211,
    etc.).

    Packet Capture of the Port 80 Scan:

    0000 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31  OPTIONS / HTTP/1
    0010 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66  .1..translate: f
    0020 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69  ..User-Agent: Mi
    0030 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D  crosoft-WebDAV-M
    0040 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30  iniRedir/5.1.260
    0050 30 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E  0..Host: 68.144.
    0060 31 39 32 2E 32 32 37 0D 0A 43 6F 6E 74 65 6E 74  192.227..Content
    0070 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E 6E  -Length: 0..Conn
    0080 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
    0090 76 65 0D 0A 0D 0A                                ve....

    Sample Scan sequence capture

    (TCP) 68.144.160.96 : 2026 >>> 192.168.168.4 : 139
    (TCP) 68.144.160.96 : 2027 >>> 68.144.192.227 : 445
    (TCP) 68.144.160.96 : 2028 >>> 192.168.168.4 : 139
    (TCP) 68.144.160.96 : 2043 >>> 192.168.168.4 : 139
    (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
    (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
    (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
    (TCP) 68.144.160.96 : 2057 >>> 192.168.168.4 : 80

    Whether this is a script or a program, it runs on Windows, as it uses
    Windows calls for the NetBIOS traffic. For example, the UDP port 137 scan
    is a port 137 to port 137 scan and the packet has unique transaction IDs,
    which tends to indicate a Windows NetBIOS call, as compared to an Opaserv
    fixed NetBIOS packet using a source port above 1023.

    Thanks
    Blake McNeill
    http://www.SonicLogger.com - Logging Software for SonicWall and 3Com
    http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
     
    Blake McNeill, Aug 7, 2003
    #1
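    As an added example (not part of the original post or any of the replies): a small Python triage script that reassembles the captured request from the hex dump above, recognises the MiniRedir OPTIONS probe by its method, "translate: f" header and User-Agent, and correlates it with NetBIOS/SMB ports hit by the same source in the scan log. The log-line format is taken from the post; the label strings and the idea of reporting rather than blocking are assumptions.

```python
import re
from collections import defaultdict

# Constructed from the hex dump in the post (same bytes, reassembled).
CAPTURED_REQUEST = (b"OPTIONS / HTTP/1.1\r\ntranslate: f\r\n"
                    b"User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
                    b"Host: 68.144.192.227\r\nContent-Length: 0\r\n"
                    b"Connection: Keep-Alive\r\n\r\n")
# Constructed from the "Sample Scan sequence capture" in the post.
SCAN_LOG = """(TCP) 68.144.160.96 : 2026 >>> 192.168.168.4 : 139
(TCP) 68.144.160.96 : 2027 >>> 68.144.192.227 : 445
(UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
(TCP) 68.144.160.96 : 2057 >>> 192.168.168.4 : 80
"""
LOG_RE = re.compile(r"\((TCP|UDP)\) (\S+) : (\d+) >>> (\S+) : (\d+)")
NETBIOS_SMB = {("UDP", 137), ("TCP", 139), ("TCP", 445)}

def parse_request(raw: bytes):
    """Split an HTTP request into (method, target, lowercased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def is_miniredir_probe(raw: bytes) -> bool:
    """OPTIONS + 'translate: f' + MiniRedir User-Agent is the Windows WebDAV
    redirector asking whether the server speaks WebDAV at all."""
    method, _target, h = parse_request(raw)
    return (method == "OPTIONS" and h.get("translate", "").lower() == "f"
            and h.get("user-agent", "").startswith("Microsoft-WebDAV-MiniRedir"))

def ports_by_source(log: str):
    """Map each source IP to the set of (proto, dst_port) it touched."""
    seen = defaultdict(set)
    for proto, src, _sport, _dst, dport in LOG_RE.findall(log):
        seen[src].add((proto, int(dport)))
    return seen

def classify(src: str, log: str, raw_http: bytes) -> str:
    """Triage label for one source (labels are assumptions). The post's pattern
    is the MiniRedir probe plus NetBIOS/SMB touches from the same host; the
    replies say that is typically a misconfigured XP client, so report it."""
    touched = ports_by_source(log).get(src, set())
    if not is_miniredir_probe(raw_http):
        return "other"
    return ("webdav-miniredir+netbios" if NETBIOS_SMB & touched
            else "webdav-miniredir-only")
```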

  2. Dave Korn (Guest)

    "Blake McNeill" <> wrote in message
    news:5HnYa.646743$...
    > Since August 2nd we have seen a new scan/attack pattern which targets
    > UDP port 137 and TCP ports 139, 445, and 80, and we have seen this from a
    > couple of different sources from within our own A.B.x.x netblock thus far.
    >
    > It's the scan on port 80 which is rather different, as it's a WebDAV scan.
    > WebDAV stands for "Web-based Distributed Authoring and Versioning". It is
    > a set of extensions to the HTTP protocol which allows users to
    > collaboratively edit and manage files on remote web servers. Attacks
    > using WebDAV are not new, but given the increase in them it might be
    > possible that a new worm or attack script is out there using known vuls
    > within WebDAV (www.cert.org/advisories/CA-2003-09.html,
    > www.kb.cert.org/vuls/id/959211, etc.).
    >
    > Packet Capture of the Port 80 Scan:
    >
    > 0000 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31  OPTIONS / HTTP/1
    > 0010 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66  .1..translate: f
    > 0020 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69  ..User-Agent: Mi
    > 0030 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D  crosoft-WebDAV-M
    > 0040 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30  iniRedir/5.1.260
    > 0050 30 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E  0..Host: 68.144.
    > 0060 31 39 32 2E 32 32 37 0D 0A 43 6F 6E 74 65 6E 74  192.227..Content
    > 0070 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E 6E  -Length: 0..Conn
    > 0080 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69  ection: Keep-Ali
    > 0090 76 65 0D 0A 0D 0A                                ve....
    >
    > Sample Scan sequence capture
    >
    > (TCP) 68.144.160.96 : 2026 >>> 192.168.168.4 : 139
    > (TCP) 68.144.160.96 : 2027 >>> 68.144.192.227 : 445
    > (TCP) 68.144.160.96 : 2028 >>> 192.168.168.4 : 139
    > (TCP) 68.144.160.96 : 2043 >>> 192.168.168.4 : 139
    > (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
    > (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
    > (UDP) 68.144.160.96 : 137 >>> 192.168.168.4 : 137
    > (TCP) 68.144.160.96 : 2057 >>> 192.168.168.4 : 80
    >
    > Whether this is a script or a program, it runs on Windows, as it uses
    > Windows calls for the NetBIOS traffic. For example, the UDP port 137 scan
    > is a port 137 to port 137 scan and the packet has unique transaction IDs,
    > which tends to indicate a Windows NetBIOS call, as compared to an Opaserv
    > fixed NetBIOS packet using a source port above 1023.
    >
    > Thanks
    > Blake McNeill


    You know, this could simply be a misconfiguration of some legitimate
    webdav-based client. It's quite common for windoze systems to attempt to
    speak netbios to each other as a side effect of some other transaction
    between them.

    You can also read more at
    http://www.google.com/search?hl=en&ie=ISO-8859-1&q=microsoft webdav miniredir

    http://www.webmasterworld.com/forum11/1349.htm says:

    "Most of these kind of accesses come from people who unintentionally use
    the "wrong tools" to surf the web, like clicking a link in IE and having it
    open in Excel. Excel and XP then try to open an editing session on the
    hosting server. If the hosting server doesn't support this, it eventually
    falls back to a "view-only" mode. My only problem with it is that the
    handshake involves about six attempts to access multiple lock/unlock/file
    reservation files - I wish it would just give up after one try."

    I think you should suspect someone with a misconfigured XP box as the most
    plausible explanation.


    DaveK
    --
    moderator of
    alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
    Burn your ID card! http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    Proud Member of the Exclusive "I have been plonked by Davee because he
    thinks I'm interesting" List Member #<insert number here>
    Master of Many Meowing Minions
    Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
    and beyond the call of hilarity.
    PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
     
    Dave Korn, Aug 8, 2003
    #2

  3. Dave Korn (Guest)

    "Dave Korn" <> wrote in message
    news:LSIYa.7685$...
    > "Blake McNeill" <> wrote in message
    > news:5HnYa.646743$...
    > > Since August 2nd we have seen a new scan/attack pattern which targets
    > > UDP port 137 and TCP ports 139, 445, and 80, and we have seen this from
    > > a couple of different sources from within our own A.B.x.x netblock thus
    > > far.
    >
    > You can also read more at
    > http://www.google.com/search?hl=en&ie=ISO-8859-1&q=microsoft webdav miniredir

    And particularly, take a look at the post at
    http://cert.uni-stuttgart.de/archive/focus-ms/2002/05/msg00176.html
    and in particular read down to the bottom of the post to see the earlier
    quoted parts of the thread... seems like exactly the situation you've
    encountered.



    DaveK
    --
    moderator of
    alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
    Burn your ID card! http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    Proud Member of the Exclusive "I have been plonked by Davee because he
    thinks I'm interesting" List Member #<insert number here>
    Master of Many Meowing Minions
    Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
    and beyond the call of hilarity.
    PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
     
    Dave Korn, Aug 8, 2003
    #3