Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: Possible Botnet Scanning SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Possible Botnet Scanning

We have received a report from one of our readers that their Cisco IPS are picking up a large amount of scanning traffic across a large number of monitored clients.

He indicates: "These scans started about two or three days ago and have been rolling through our clients. Once we block one source IP address, a new source IP address shows up with the same traffic shortly thereafter. The scans are firing off multiple rapid events for two signatures on our deployed Cisco IPS sensors. "

The sources are both inside and outside the US. Please let us know if you are seeing this type of activity.

Thank you to Ryan for reporting this activity to us.

He reports that the two signatures that are triggering are:
Unix Password File Access Attempt (SigID: 3201) Web Application Security Test/Attack (SigID: 7212)

Updated:  We have been receiving information and samples of logs that indicate that there is indeed some activity going on, more than likely is botnet related.  The information that we have received indicates that this activity is directed at port 443 and port 80.  One of our readers (thanks Erik) indicated that his alerts indicate http://www.snort.org/search/sid/12709?r=1.  Looking at the link in this SID it looks like the activity may be directed at Microsoft ASN.1 remote exploit for CVE-2005-1935  with an exploit called kill-bill. ( www.phreedom.org/solar/exploits/msasn1-bitstring/All of it coincides with when the php get's started occurring. We will keep an eye on the reports and let you know if we see anything developing.  Please continue to let us know what you are seeing.

 

Deb Hale

Deborah

278 Posts
ISC Handler
We run cisco IPS and we have been seeing this for the last 4 days, maybe 3 times a day. We normally dont get Web App scan alerts apart from our own testing. Sources keep changing, started of in Italy. Happy to provide list of IPs if it will help.
Raymond

14 Posts
We are seeing this in our ISS Proventia systems also.
jtwaldo

17 Posts
We had lots of these blocked on a TippingPoint IPS this weekend. The signature was for "HTTP: ASN.1 Bitstring Processing Heap Overflow"
jtwaldo
3 Posts
I have been seeing these intermittently, using a long parameter in the Authorization: Negotiate header. You want some PCAPs?

Source IPs have been mostly in Japan and Canada.
Shane

7 Posts
I've got about 60 attacks going back to 2011-02-22 22:53:04 ET with source IPs almost entirely in Europe.
Shane
1 Posts
Noticed many of these occurring across different platforms. 90% of the alerts occurred on February 26th 12:00 AM EST thru 11:59 PM EST but is still very much active. Through simple trending alone this activity can classified as probable botnet.
Shane
3 Posts

Sign Up for Free or Log In to start participating in the conversation!