CGI Email Script Scanning Update
In yesterday's diary entry, handler Tom Liston identified a distributed scan that was targeting sites for CGI mailer vulnerabilities. Further analysis of this activity indicates that the attackers were leveraging more than 1000 open proxy servers to distribute the scan, targeting hundreds of thousands of systems.
With the help of a university system administrator, we were able to identify five controller hosts behind this attack, and have notified the appropriate ISPs. Many thanks to everyone who submitted logging information to help us track down the specifics of this attack.
The remaining question about this attack is why: it used a fairly sophisticated scanning mechanism to remain anonymous (distributing the scan over a large number of systems), yet the target seems strange, since 99.95% of the systems from which we were able to capture logging data returned "404 - File Not Found". Even where the target CGIs are found on a vulnerable system, they probably offer little value to an attacker. A few readers have suggested using these vulnerable systems as spam relays, but it seems there are easier ways to distribute spam than scanning for 1990s-era CGI vulnerabilities.
If anyone has a system with a vulnerable installation of formmail.pl that was exploited in these scans, please let us know.
MS SQL Server Scanning
Paul Asadoorian (GCIH, GCIA) wrote in to report several compromised Windows systems discovered on his network, all with the following characteristics:
+ They are all scanning the Internet for hosts listening on port 1433
+ They are all listening on port 26101 TCP (suspected backdoor)
+ They are all listening on TCP/35894 with an FTP banner message "220 Microsoft FTP Server"
These systems appear to be used for attacking MS SQL Servers, as reported in the 7/4 incident handlers' report. Paul was able to identify these systems by parsing tcpdump output with the following one-line script for Unix systems, which counts packets to destination port 1433 per internal source address:
$ tcpdump -c 500 -i eth1 -nn src net YOUR.SUBNET.0.0/16 and dst port 1433 | cut -d" " -f3 | cut -d"." -f1,2,3,4 | sort | uniq -c | sort
Organizations can benefit from monitoring egress TCP/1433 traffic, since internal hosts initiating connections to that port on outside systems are a sign of infected machines.
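The shell pipeline above counts packets per source, which also flags a legitimate application server that talks to a single database constantly. The following script (an added example, not Paul's or the diary's own code) parses the same tcpdump -nn text output and instead counts, per internal source, how many distinct external hosts it has contacted on TCP/1433; a host with many distinct destinations is scanning, while a host hammering one server is not. The capture lines, the 10.1.0.0/16 local network, and the threshold of three destinations are constructed assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of tcpdump -nn output (IPv4 only), including one line
# that is not a flow at all to show that unparseable lines are skipped.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.1.2.3.4001 > 203.0.113.5.1433: Flags [S], seq 1, win 8192, length 0
12:00:01.000120 IP 10.1.2.3.4002 > 203.0.113.6.1433: Flags [S], seq 1, win 8192, length 0
12:00:01.000240 IP 10.1.2.3.4003 > 198.51.100.7.1433: Flags [S], seq 1, win 8192, length 0
12:00:01.000360 IP 10.1.2.3.4004 > 198.51.100.8.1433: Flags [S], seq 1, win 8192, length 0
12:00:02.000001 IP 10.1.2.50.3101 > 10.1.9.9.1433: Flags [P.], seq 1:100, ack 1, win 8192, length 99
12:00:02.000100 IP 10.1.2.50.3101 > 10.1.9.9.1433: Flags [P.], seq 100:200, ack 1, win 8192, length 100
12:00:03.000001 IP 10.1.2.60.3200 > 203.0.113.9.1433: Flags [S], seq 1, win 8192, length 0
12:00:03.000050 IP 10.1.2.60.3201 > 203.0.113.9.80: Flags [S], seq 1, win 8192, length 0
some unparseable line
"""

# Matches the "timestamp IP src.sport > dst.dport:" prefix of tcpdump -nn lines.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_flows(lines):
    """Yield (src_ip, dst_ip, dst_port) for every line that looks like a flow."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def egress_targets(lines, local_net="10.1.0.0/16", dst_port=1433):
    """Map each local source address to the set of distinct external hosts
    it contacted on dst_port.  Internal-to-internal traffic (the normal
    application-to-database case) is deliberately excluded."""
    net = ipaddress.ip_network(local_net)  # assumed local range for the example
    targets = defaultdict(set)
    for src, dst, dport in parse_flows(lines):
        if dport != dst_port:
            continue
        if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net:
            targets[src].add(dst)
    return targets


def suspected_scanners(lines, min_distinct=3, **kwargs):
    """Sorted list of local hosts that reached at least min_distinct distinct
    external hosts on the monitored port; these are the likely infected systems."""
    return sorted(
        src for src, dsts in egress_targets(lines, **kwargs).items()
        if len(dsts) >= min_distinct
    )


if __name__ == "__main__":
    # Run against the constructed capture; in practice feed it
    # `tcpdump -nn ... dst port 1433` output via stdin or a file.
    for src, dsts in sorted(egress_targets(SAMPLE_CAPTURE.splitlines()).items()):
        print(f"{src}: {len(dsts)} distinct external hosts on TCP/1433")
    print("suspected scanners:", suspected_scanners(SAMPLE_CAPTURE.splitlines()))
```

In the sample, 10.1.2.3 touches four different outside hosts and is reported; 10.1.2.50 generates more packets but only to an internal SQL server, and 10.1.2.60 reaches a single external host, so neither is flagged. Tuning min_distinct and the local network to your environment is the only change needed before running this over a real capture.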
Bagle Source Code Released
ZDNet is reporting that the latest variants of the Bagle virus also carry the assembler-language source code for the malware. This may result in additional viral strains from new authors. Yay.
Comments on 802.11i
With the recent ratification of the 802.11i specification, organizations looking to purchase new 802.11 equipment should work with their vendors to get a commitment for an upgrade path on any new hardware to support the 802.11i specification and the WPA-II interoperability standard.
The IEEE has made a significant improvement in protecting wireless networks with the ratification of the 802.11i specification. By adopting this technology, organizations benefit from strong encryption, non-repudiation and integrity on their wireless networks. However, the 802.11i specification does not protect wireless networks from attacks that exploit weak network authentication mechanisms (such as the LEAP authentication protocol), from denial-of-service attacks, or from wireless client vulnerabilities. Deploying a defense-in-depth architecture is the only way to secure wireless networks, with the 802.11i specification being an important component of a strong deployment.
--Joshua Wright/Handler on Duty
Jul 8th 2004