SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-05-23

Akamai problems. Quiet, well kinda quiet, day on the Internet

Published: 2004-05-23
Last Updated: 2005-09-13 13:15:49 UTC
by Mike Poor (Version: 1)
Update (Mon. May 24th, 9 am EDT, 13:00 UTC, 15:00 CEST)

It appears that websites that use Akamai's distribution system are currently not reachable. Security-related web sites affected include symantec.com and trendmicro.com. Virus updates may fail as a result. Further details are currently not available, and updates will be posted here as they become available. Thanks to Vidar Wilkens for alerting us to this problem. According to a post to NANOG, the outage may be the result of a DDoS attack. At this point, Akamai has no ETA for a resolution.

Update 09:45 EDT: Some of the Akamai-hosted sites are starting to come back. Akamai posted this statement:

"Due to a peering problem between ATT and UUNet, a subset of UUNet users may have experienced problems accessing Akamai delivered sites between 8-10pm EDT on Saturday May 22, 2004. The problem has been fully resolved."

------

"Quiet" day on the Internet

We have received a number of reports of live exploitation of CVS servers using the latest round of exploits. http://www.cvshome.org, the home of the CVS system, has been down for at least two days. No news as to what happened, although two speculations exist: the first is that they are doing an extensive review of the site and the source code, and the other is that they are being DDoS'ed so that people cannot update to the latest version of CVS (put your tin-foil hats on!). The rules at the bottom of the diary catch the current exploits posted at K-Otik, but beware that these are stopgap rules and should be replaced once better rules come out.

Tcpdump audit trail tidbits


Tidbit #1

The log below is most likely an Agobot variant du jour, scanning for 1025 (M$ RPC, LSA exploit, etc.), 135 (same goes), 139 (file shares), 2745 (Beagle/Bagle backdoor), 3127 (MyDoom backdoor), 445 (Sasser, etc.), 6129 (DameWare). This is the current trend, imho, of things to come: scanner bots that come loaded with a smorgasbord of exploits for the latest vulnerabilities. These botnets become veritable virtual armies waiting for the command to blow the next victim off the net. Note that every SYN below is repeated three times about half a second apart with the same source port and the same sequence number; those are retransmissions of the same seven connection attempts, and no SYN/ACK from the target appears in the trace.

04:28:11.568873 66.167.81.191.3058 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.573439 66.167.81.191.3059 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.581346 66.167.81.191.3063 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.668977 66.167.81.191.3072 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.673543 66.167.81.191.3075 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.679083 66.167.81.191.3077 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.686978 66.167.81.191.3082 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.071790 66.167.81.191.3058 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.077521 66.167.81.191.3059 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.085352 66.167.81.191.3063 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.171907 66.167.81.191.3072 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.176461 66.167.81.191.3075 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.184357 66.167.81.191.3077 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.189870 66.167.81.191.3082 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.569024 66.167.81.191.3063 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.574691 66.167.81.191.3059 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.581498 66.167.81.191.3058 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.668028 66.167.81.191.3082 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.673695 66.167.81.191.3077 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.680553 66.167.81.191.3075 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.686003 66.167.81.191.3072 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)


Tidbit #2
This set is a script looking for Sasser- or Dabber-compromised machines: 5554 is the FTP server Sasser leaves running on an infected host, and 9898 is the backdoor Dabber opens. The same source hits six hosts on 5554 and then returns for 9898 on each of them.

04:45:17.543905 221.14.247.154.4263 > foo.foo.foo.104.5554: S 3956724128:3956724128(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.546756 221.14.247.154.4267 > foo.foo.foo.105.5554: S 3956865832:3956865832(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.548661 221.14.247.154.4259 > foo.foo.foo.100.5554: S 3956524133:3956524133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.551653 221.14.247.154.4269 > foo.foo.foo.107.5554: S 3956971377:3956971377(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.553838 221.14.247.154.4260 > foo.foo.foo.101.5554: S 3956567526:3956567526(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.569655 221.14.247.154.4272 > foo.foo.foo.110.5554: S 3957084821:3957084821(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.988074 221.14.247.154.4590 > foo.foo.foo.104.9898: S 3969576284:3969576284(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.990285 221.14.247.154.4586 > foo.foo.foo.100.9898: S 3969390134:3969390134(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.994860 221.14.247.154.4587 > foo.foo.foo.101.9898: S 3969445181:3969445181(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:18.038802 221.14.247.154.4627 > foo.foo.foo.105.9898: S 3971494464:3971494464(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:18.070218 221.14.247.154.4639 > foo.foo.foo.107.9898: S 3972130192:3972130192(0) win 64240 <mss 1460,nop,nop,sackOK>
04:45:18.079188 221.14.247.154.4645 > foo.foo.foo.110.9898: S 3972431609:3972431609(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
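The two tidbits show the two classic scan shapes: one source walking many ports on one host (tidbit #1) and one source walking one or two ports across many hosts (tidbit #2), with tidbit #1 padded out by retransmissions. As an added example, not the handler's own tooling, the Python below parses tcpdump SYN lines of the format shown above, collapses retransmissions (same four-tuple, same initial sequence number) so they are not counted as extra probes, and flags both shapes. The sample log is constructed from an abridged copy of the two excerpts above; the thresholds and the 60-second window are arbitrary choices, not values from the diary.

```python
import re
from collections import defaultdict

# Constructed sample input: abridged lines from the two tcpdump excerpts in this
# diary. Line 8 is a retransmission of line 1 (same 4-tuple and same ISN).
SAMPLE_LOG = """\
04:28:11.568873 66.167.81.191.3058 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.573439 66.167.81.191.3059 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.581346 66.167.81.191.3063 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.668977 66.167.81.191.3072 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.673543 66.167.81.191.3075 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.679083 66.167.81.191.3077 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.686978 66.167.81.191.3082 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.071790 66.167.81.191.3058 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:45:17.543905 221.14.247.154.4263 > foo.foo.foo.104.5554: S 3956724128:3956724128(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.546756 221.14.247.154.4267 > foo.foo.foo.105.5554: S 3956865832:3956865832(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.548661 221.14.247.154.4259 > foo.foo.foo.100.5554: S 3956524133:3956524133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.988074 221.14.247.154.4590 > foo.foo.foo.104.9898: S 3969576284:3969576284(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.990285 221.14.247.154.4586 > foo.foo.foo.100.9898: S 3969390134:3969390134(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:18.070218 221.14.247.154.4639 > foo.foo.foo.107.9898: S 3972130192:3972130192(0) win 64240 <mss 1460,nop,nop,sackOK>
"""

# tcpdump (2004-era format): "HH:MM:SS.ffffff src.sport > dst.dport: S isn:isn(0) ..."
SYN_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) "      # timestamp
    r"(\S+)\.(\d+) > (\S+)\.(\d+): "    # src.sport > dst.dport:
    r"S (\d+):\d+\(\d+\)"               # SYN flag and initial sequence number
)

def parse_syn(line):
    """Return a dict for one tcpdump SYN line, or None for any other line."""
    m = SYN_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, sport, dst, dport, isn = m.groups()
    return {"t": int(hh) * 3600 + int(mm) * 60 + float(ss),
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "isn": int(isn)}

def parse_log(text):
    return [r for r in (parse_syn(l) for l in text.splitlines()) if r]

def dedup_retransmits(records):
    """Drop SYN retransmissions: same 4-tuple and same ISN. Keeps the first attempt."""
    seen, out = set(), []
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["isn"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out

def detect_scans(records, port_threshold=5, host_threshold=3, window=60.0):
    """Flag vertical scans (one src -> one dst, many ports) and horizontal scans
    (one src -> many dsts, one port) whose first-seen SYNs fall within `window`
    seconds. Returns (kind, src, target, count) tuples; thresholds are arbitrary."""
    by_pair = defaultdict(dict)   # (src, dst)   -> {dport: first time seen}
    by_port = defaultdict(dict)   # (src, dport) -> {dst: first time seen}
    for r in records:
        by_pair[(r["src"], r["dst"])].setdefault(r["dport"], r["t"])
        by_port[(r["src"], r["dport"])].setdefault(r["dst"], r["t"])
    alerts = []
    for (src, dst), ports in by_pair.items():
        if len(ports) >= port_threshold and max(ports.values()) - min(ports.values()) <= window:
            alerts.append(("vertical", src, dst, len(ports)))
    for (src, dport), hosts in by_port.items():
        if len(hosts) >= host_threshold and max(hosts.values()) - min(hosts.values()) <= window:
            alerts.append(("horizontal", src, dport, len(hosts)))
    return alerts

if __name__ == "__main__":
    for alert in detect_scans(dedup_retransmits(parse_log(SAMPLE_LOG))):
        print(alert)
```

Deduplicating on the ISN matters more than it looks: without it, the three-way retransmit pattern in tidbit #1 would triple every port count, and a scanner that probed only two ports would trip a five-port threshold.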
What's happening on your net at O'Dark-thirty? Use the ISC contact link to let us know (http://isc.sans.org/contact.php).

Want to share your logs with DShield? Help protect the Net by sharing your logs. Check here to find out how (http://www.dshield.org/howto.php).

Reposted from a previous diary

In response to seeing the CVS exploits being used in the wild, ISC handlers George Bakos and Mike Poor put together some simple Snort rules to detect the CVS exploits posted at K-Otik. Keep in mind that these are stopgap rules that catch these specific exploits only, not the vulnerability itself: they key on the filler bytes the published exploits send at the very start of a packet's payload (offset:0 with a short depth), so a packet in which the string is preceded by other data, or an exploit rebuilt with different filler, is not matched. The exploits are also detected by Snort's SHELLCODE rules, but those rules are turned off by default. With the rules below, be sure to change the SIDs to match your local.rules numbering. NOTE: these rules will wrap, so eliminate the line feeds when adding them to your local.rules file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Linux)"; flow:to_server,established; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset:0; depth:20; dsize:>512; threshold: type limit, track by_dst, count 1, seconds 60; sid:1000000; rev:1; classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target BSD)"; flow:to_server,established; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset:0; depth:18; dsize:>512; threshold: type limit, track by_dst, count 1, seconds 60; sid:1000001; rev:1; classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Solaris)"; flow:to_server,established; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset:0; depth:18; dsize:>512; threshold: type limit, track by_dst, count 1, seconds 60; sid:1000002; rev:1; classtype:attempted-admin;)
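To make the "stopgap" caveat concrete, here is an added example (not the handlers' code and not part of the original diary) that re-implements just the content/offset/depth/dsize semantics the three rules above depend on and runs them over constructed packet payloads. The hex content strings decode to "Entry CCCCCCCCC/CC", "Entry aaaaaaaaaaaa" and "Argument bbbbbbbbb"; the flow and threshold options are ignored because they act on connection state and alert rate rather than on bytes. None of the payloads is real exploit traffic; they only reproduce the leading bytes the rules look for, padded past the 512-byte dsize floor, and the "mutated" and "shifted" variants are hypothetical to show what the rules miss.

```python
# Added example: minimal Snort-style content matching for the three CVS rules.
# Each tuple: (msg, content bytes, offset, depth, payload size must exceed).
RULES = [
    ("CVS server heap overflow attempt (target Linux)",   b"Entry CCCCCCCCC/CC", 0, 20, 512),
    ("CVS server heap overflow attempt (target BSD)",     b"Entry aaaaaaaaaaaa", 0, 18, 512),
    ("CVS server heap overflow attempt (target Solaris)", b"Argument bbbbbbbbb", 0, 18, 512),
]

def rule_matches(payload, rule):
    """Snort semantics: dsize compares the whole payload length; the content
    must lie entirely inside the `depth` bytes starting at `offset`."""
    _msg, content, offset, depth, min_dsize = rule
    if len(payload) <= min_dsize:
        return False
    return content in payload[offset:offset + depth]

def match_rules(payload):
    """Return the msg of every rule that fires on this single packet payload."""
    return [r[0] for r in RULES if rule_matches(payload, r)]

# Constructed packets (hypothetical, not captured traffic).
EXPLOIT_LIKE = b"Entry CCCCCCCCC/CC" + b"C" * 600 + b"\n"   # what the Linux rule was written for
MUTATED      = b"Entry DDDDDDDDD/DD" + b"D" * 600 + b"\n"   # same shape, different filler byte
SHIFTED      = b"\n\n\n" + EXPLOIT_LIKE                      # three bytes of slack before it
LEGIT_ENTRY  = b"Entry /foo.c/1.1///\n"                      # an ordinary pserver Entry line

if __name__ == "__main__":
    for name, pkt in [("exploit-like", EXPLOIT_LIKE), ("mutated", MUTATED),
                      ("shifted", SHIFTED), ("legit", LEGIT_ENTRY)]:
        print(f"{name:13s} -> {match_rules(pkt)}")
```

The first payload fires the Linux rule; the mutated copy, which would exercise the same server bug, fires nothing because the filler byte changed; the shifted copy fires nothing because 3 bytes of slack push the 18-byte string past depth:20; and an ordinary Entry line is ignored by dsize alone. That is exactly why the diary calls these rules a stopgap until vulnerability-based rules appear.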

Handler on Duty: Mike Poor
mike ^AT^ intelguardians.com