
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-03-31



* New DNS cache poisoning server; DNS Poisoning stats; Bluemountain; Win2k3 SP1; awstat.pl Details; port 1025; MS05-002 problem

Published: 2005-03-31
Last Updated: 2005-03-31 23:44:15 UTC
by Johannes Ullrich (Version: 1)

New DNS cache poisoning server

It looks like we have another DNS server trying to poison DNS caches:

218.38.13.108

If you run a larger network, we recommend blocking all traffic to this host.

A quick check with 'dig' shows that this server advertises itself as authoritative for '.com' and returns the same IP addresses for every query for a .com domain.

For the particular report we have, the original domain that caused a query against this DNS server was intelliview.com. (Thanks, Adrien, for figuring this out!)

Once your cache is poisoned, all requests to .com hosts are redirected to either 205.162.201.11 or 217.16.26.148. You will see a minimal search-engine-like page and an advertisement for _http_://www.privacycash.com (DO NOT CLICK):

dig www.cnn.com @218.38.13.108

; <<>> DiG 9.2.4 <<>> www.cnn.com @218.38.13.108
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59667
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.cnn.com. IN A

;; ANSWER SECTION:
www.cnn.com. 99999 IN A 205.162.201.11
www.cnn.com. 99999 IN A 217.16.26.148

;; AUTHORITY SECTION:
com. 99999 IN NS besthost.co.kr.

;; ADDITIONAL SECTION:
besthost.co.kr. 1800 IN A 218.38.13.108

;; Query time: 236 msec
;; SERVER: 218.38.13.108#53(218.38.13.108)
;; WHEN: Thu Mar 31 16:01:07 2005
;; MSG SIZE rcvd: 105
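To make the dig check above repeatable, here is an added example (not part of the diary and not ISC code) that parses dig's text output and lists the indicators visible in the response above: a com. delegation to a host outside gtld-servers.net, the aa flag set by a server that is not a .com authority, answers pointing at the two redirect IPs named above, and a TTL longer than a day. The sample output is embedded from the dig run above; the redirect-IP list and the one-day TTL threshold are assumptions you would tune for your own network.

```python
import re

# Constructed sample: the dig output quoted in the diary above (server 218.38.13.108).
SAMPLE_DIG = """\
; <<>> DiG 9.2.4 <<>> www.cnn.com @218.38.13.108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.cnn.com. IN A

;; ANSWER SECTION:
www.cnn.com. 99999 IN A 205.162.201.11
www.cnn.com. 99999 IN A 217.16.26.148

;; AUTHORITY SECTION:
com. 99999 IN NS besthost.co.kr.

;; ADDITIONAL SECTION:
besthost.co.kr. 1800 IN A 218.38.13.108
"""

# Redirect targets the diary names for this campaign (an indicator list, not a rule).
KNOWN_REDIRECT_IPS = {"205.162.201.11", "217.16.26.148"}

# The real .com zone is served only by a.gtld-servers.net through m.gtld-servers.net.
REAL_COM_NS_SUFFIX = ".gtld-servers.net."

# Assumption: answers cached for more than a day are worth a second look.
LONG_TTL = 86400

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Parse dig's text output into (flags, {section: [(name, ttl, class, type, rdata)]})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line.split("flags:", 1)[1].split(";", 1)[0].split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif line and not line.startswith(";") and current:
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            sections[current].append((name, int(ttl), rclass, rtype, rdata))
    return flags, sections


def poison_indicators(flags, sections):
    """List the reasons a response looks like a cache-poisoning attempt (empty = clean)."""
    reasons = []
    for name, ttl, _, rtype, rdata in sections.get("authority", []):
        if rtype == "NS" and name.lower() == "com.":
            if not rdata.lower().endswith(REAL_COM_NS_SUFFIX):
                reasons.append("com. delegated to non-gTLD server %s" % rdata)
            # A real .com server hands out a referral for www.cnn.com, never an aa answer.
            if "aa" in flags:
                reasons.append("responder claims authority (aa) while delegating com.")
    for name, ttl, _, rtype, rdata in sections.get("answer", []):
        if rtype == "A" and rdata in KNOWN_REDIRECT_IPS:
            reasons.append("%s answered with known redirect target %s" % (name, rdata))
        if ttl > LONG_TTL:
            reasons.append("%s carries a TTL of %d seconds, longer than a day" % (name, ttl))
    return reasons


if __name__ == "__main__":
    for reason in poison_indicators(*parse_dig(SAMPLE_DIG)):
        print("INDICATOR:", reason)
```

The long TTL is what keeps the bogus record alive in a victim cache once it is in; on its own it proves nothing, which is why the function reports reasons rather than a verdict.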


DNS Poisoning Stats

The DNS spoofing attack on March 3rd redirected affected users to a set of compromised web servers. Some of the administrators of these servers agreed to share logs collected during the attack (THANKS!). Based on these logs, we collected the following statistics:

o 1,304 domains poisoned (pulled from the referer entries in the HTTPD logs)

o 7,973,953 HTTP get attempts from 966 unique IP addresses.

o 75,529 incoming email messages from 1,863 different mailservers.

o 7,455 failed FTP logins from 635 unique IP addresses (95 unique user accounts).

o 7,692 attempted IMAP logins (805 unique users, 411 unique IP addresses).

o 2,027 attempted logins to 82 different webmail (HTTP) servers.

BlueMountain Greeting Cards

We received multiple reports about "BlueMountain Greeting Cards" being used to spread malware. The links read as if they point to the bluemountain.com web site, but in fact they point to other sites not affiliated with bluemountain.com. The email headers are forged; the messages were not sent via bluemountain.com.

Sites the e-mails link to (they appear to be down now, but note that these sites may distribute malware. DO NOT CLICK):

_http_://66.66.129.65:8180/009/

_http_://66.66.129.65:8180/006/sp2.html

_http_://66.66.129.65:8180/006/counter.gif
(thanks to Brian for additional versions of the URL).

Typical content (thanks Chris!):

From: guerite@osellus.com
To: username
Subject: Username, You've received a postcard!

To view your eCard, choose from the options below.
Click on the following link.
http://www.bluemountain.com/view.pd?i=156506081&m=1195&rr=y&source=bma772

OR

Enter the following eCard Number, 117890283650, on our Card Pick Up Window at
http://www.bluemountain.com/findit.pd?source=bma838

If you have any comments or questions, please visit
http://www.bluemountain.com/customer/emailus.pd?source=bma085

Thanks for using BlueMountain.com.
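The link check the report above calls for, as an added example in Python (not from the diary and not bluemountain.com's code): it pulls every anchor out of an HTML message body and flags those whose visible text names one host while the href goes to another. The HTML sample is constructed here to mirror the text above, with the first link pointing at the 66.66.129.65 host the diary lists; the helper names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the report above: the first anchor shows a
# bluemountain.com URL as its text but points at the unrelated host from the diary.
SAMPLE_HTML = """
<p>To view your eCard, choose from the options below.<br>Click on the following link.</p>
<a href="http://66.66.129.65:8180/009/">http://www.bluemountain.com/view.pd?i=156506081&amp;m=1195&amp;rr=y&amp;source=bma772</a>
<p>OR</p>
<p>Enter the following eCard Number, 117890283650, on our Card Pick Up Window at
<a href="http://www.bluemountain.com/findit.pd?source=bma838">www.bluemountain.com/findit.pd?source=bma838</a></p>
<p>If you have any comments or questions, please visit
<a href="http://www.bluemountain.com/customer/emailus.pd?source=bma085">this page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of a bare 'host/path' string, lowercased ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def same_site(shown, actual):
    """True when the two hosts are equal or one is a subdomain of the other."""
    return actual == shown or actual.endswith("." + shown) or shown.endswith("." + actual)


def mismatched_links(html):
    """Return (href, shown_text) for anchors whose visible URL names a different host than href."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown = host_of(text)
        # Only text that itself looks like a host or URL can lie about where it goes;
        # plain words such as "this page" are left alone.
        if "." in shown and " " not in shown and not same_site(shown, host_of(href)):
            suspicious.append((href, text))
    return suspicious


if __name__ == "__main__":
    for href, text in mismatched_links(SAMPLE_HTML):
        print("MISMATCH: text says %s but href is %s" % (text, href))
```

The check deliberately treats a subdomain of the shown host as the same site, so a legitimate www. prefix does not fire; a raw IP with a port, as in this mailing, never passes.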


Windows 2003 SP1 released

Windows 2003 Service Pack 1 was released today. One of the new features is a "Security Configuration Wizard". If you have had a chance to use it, let us know how you liked it.

Service packs usually include all past patches plus a set of new features. Test service packs carefully before deploying them in a production environment.

awstats.pl details

Ryan Barnett set up a CGI script on his web server to collect more information about awstats.pl exploit attempts. Requests for awstats.pl are mapped to the script with the following httpd.conf directive:

ScriptAliasMatch /awstats\.pl /var/www/htdocs/cgi-bin/script


The script parses any commands passed to it and returns plausible but fake responses. Shortly after Ryan's script logged the standard awstats.pl probe (/cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|), he saw a follow-up exploit attempt from the same IP address:


Request: a.b.c.d - - [31/Mar/2005:06:59:30 --0500] "GET /cgi-bin/awstats.pl?configdi
r=|echo;echo+DTORS_START;id;echo+DTORS_STOP;echo| HTTP/1.0" 403 743
Handler: cgi-script
----------------------------------------
GET /cgi-bin/awstats.pl?configdir=|echo;echo+DTORS_START;
id;echo+DTORS_STOP;echo| HTTP/1.0
mod_security-message: Access denied with code 403. Pattern match "!^[-a-zA-z0-9\._/]+$" at
REQUEST_URI
mod_security-action: 403

HTTP/1.0 403 Forbidden
========================================


A Google search for the strings 'DTORS_START' and 'DTORS_STOP' leads to an awstats exploit package on


Nice detect, Ryan!
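An added example of what such a decoy CGI script can look like, in Python; it is not Ryan's script, and the id and uname output it returns is invented. It extracts the commands from the configdir=|...| injection, logs them, and answers with output that satisfies the DTORS_START/DTORS_STOP markers the exploit kit looks for, so that whatever the kit sends next (the interesting part) is logged as well. The mapping via ScriptAliasMatch as in the diary is assumed; the environment variables are the standard CGI ones.

```python
import os
import sys
from urllib.parse import unquote_plus

# Canned answers for the commands an awstats.pl exploit kit usually runs first.
# The host details are invented for the honeypot; nothing here reflects a real system.
FAKE_OUTPUT = {
    "id": "uid=48(apache) gid=48(apache) groups=48(apache)",
    "uname -a": "Linux web1 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux",
    "pwd": "/var/www/cgi-bin",
}


def extract_commands(query_string):
    """Return the shell commands smuggled in awstats.pl's configdir=|cmd;cmd| parameter."""
    configdir = ""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if key == "configdir":
            configdir = unquote_plus(value)   # '+' and %20 both become spaces
    # The awstats bug is a Perl open() on this value; only a |...| value runs a pipe.
    if not (configdir.startswith("|") and configdir.endswith("|")):
        return []
    return [cmd.strip() for cmd in configdir.strip("|").split(";")]


def fake_response(commands):
    """Emit one line per command, as a shell would, so the kit believes the injection worked."""
    lines = []
    for cmd in commands:
        if cmd == "echo" or cmd.startswith("echo "):
            lines.append(cmd[4:].strip())
        elif cmd in FAKE_OUTPUT:
            lines.append(FAKE_OUTPUT[cmd])
        else:
            # Unknown command (wget, cd, perl ...): pretend it ran silently and keep
            # the attacker talking; the log line is where it gets examined.
            lines.append("")
    return "\n".join(lines)


def log_line(remote_addr, query_string, commands):
    """One record per attempt; the commands list is what you grep for later."""
    return "%s configdir-injection commands=%r raw=%r" % (remote_addr, commands, query_string)


if __name__ == "__main__":
    # Minimal CGI entry point: Apache supplies QUERY_STRING and REMOTE_ADDR when the
    # script is mapped with ScriptAliasMatch as in the diary.
    qs = os.environ.get("QUERY_STRING", "")
    cmds = extract_commands(qs)
    sys.stderr.write(log_line(os.environ.get("REMOTE_ADDR", "-"), qs, cmds) + "\n")
    sys.stdout.write("Content-Type: text/plain\r\n\r\n" + fake_response(cmds) + "\n")
```

Note from the audit log above that mod_security answered 403 before the handler ran; if you want the fake reply to reach the attacker, the rule for this URL has to log rather than deny.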

Port 1025

Orlando detected a large increase in scans of port 1025 on his network. The scans subsided after a day but are noteworthy. If you see a temporary increase in TCP SYN scans to port 1025, please try to set up a small netcat honeypot and capture what the scanner sends. Our best guess so far is that these scans target an RPC service.
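An added example (not from the diary) of a small Python listener that does what the netcat honeypot would and then tests the RPC guess: it records the first bytes each client sends to port 1025 and checks whether they form a DCE/RPC bind, extracting the requested interface UUID. The UUID lookup table and the synthetic bind packet used for testing are assumptions, and the parser assumes the little-endian data representation Windows clients send; nothing here says what Orlando's scans actually were.

```python
import socket
import struct
import uuid

# A few well-known DCE/RPC interface UUIDs for labelling (assumption: small lookup table).
KNOWN_INTERFACES = {
    "e1af8308-5d1f-11c9-91a4-08002b14a0fa": "epmapper",
    "4d9f4ab8-7d1c-11cf-861e-0020af6e7c57": "IRemoteActivation (DCOM)",
    "000001a0-0000-0000-c000-000000000046": "ISystemActivator (DCOM)",
    "12345778-1234-abcd-ef00-0123456789ab": "lsarpc",
}
NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"
PTYPES = {0: "request", 11: "bind", 14: "alter_context"}


def classify_probe(data):
    """Say whether a captured payload is a DCE/RPC PDU and, for a bind, which interface it wants."""
    # Every connection-oriented PDU starts with rpc_vers=5, rpc_vers_minor=0 and a
    # 16-byte header; byte 4 is the data representation (0x10 = little-endian).
    if len(data) < 16 or data[0] != 5 or data[1] != 0 or (data[4] & 0xF0) != 0x10:
        return {"kind": "unknown", "first_bytes": data[:16].hex()}
    ptype = data[2]
    info = {"kind": "dcerpc", "ptype": PTYPES.get(ptype, str(ptype)),
            "frag_len": struct.unpack_from("<H", data, 8)[0]}
    # In a bind, the first presentation context's abstract syntax (the interface UUID)
    # starts at offset 32: 16 header + 8 (frag sizes, assoc group) + 4 (context list
    # header) + 4 (context id, transfer-syntax count). Its version follows as two u16.
    if ptype == 11 and len(data) >= 52:
        iface = str(uuid.UUID(bytes_le=data[32:48]))
        info["interface"] = iface
        info["interface_name"] = KNOWN_INTERFACES.get(iface, "unrecognised")
        info["interface_version"] = struct.unpack_from("<H", data, 48)[0]
    return info


def build_bind_sample(iface_uuid, version=0):
    """Construct a minimal bind PDU (synthetic test input, not a capture from the scans)."""
    body = struct.pack("<HHI", 5840, 5840, 0)        # max xmit frag, max recv frag, assoc group
    body += struct.pack("<BBH", 1, 0, 0)             # one presentation context
    body += struct.pack("<HBB", 0, 1, 0)             # context id 0, one transfer syntax
    body += uuid.UUID(iface_uuid).bytes_le + struct.pack("<HH", version, 0)
    body += uuid.UUID(NDR_TRANSFER_SYNTAX).bytes_le + struct.pack("<I", 2)
    # vers, minor, ptype=bind, pfc flags first|last, drep LE, frag len, auth len, call id
    header = struct.pack("<BBBBIHHI", 5, 0, 11, 3, 0x10, 16 + len(body), 0, 1)
    return header + body


def serve(port=1025, logfile="port1025.log"):
    """Listen like the suggested netcat honeypot, but classify what each client sends first."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(5)
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    data = b""   # SYN scan or idle connect: nothing sent
            with open(logfile, "a") as out:
                out.write("%s:%d %r\n" % (peer[0], peer[1], classify_probe(data)))


if __name__ == "__main__":
    serve()
```

An empty payload is itself a result: it tells you the scanner only completed the handshake (enumeration), while a bind PDU names the interface and therefore the service being hunted.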

MS05-002 Problem

FrSIRT reports that Windows 9x and ME users are seeing problems with patch MS05-002: after installing it, MSIE no longer starts. For details, see this discussion on
.

If you still use a Windows version older than Windows 2000/XP, you should upgrade to a newer version of Windows.

----------

Johannes Ullrich, SANS Institute (jullrich\at/sans.org)