Possible Botnet Scanning

Published: 2011-02-28
Last Updated: 2011-02-28 11:56:20 UTC
by Deborah Hale (Version: 1)
6 comment(s)

We have received a report from one of our readers that their Cisco IPS are picking up a large amount of scanning traffic across a large number of monitored clients.

He indicates: "These scans started about two or three days ago and have been rolling through our clients. Once we block one source IP address, a new source IP address shows up with the same traffic shortly thereafter. The scans are firing off multiple rapid events for two signatures on our deployed Cisco IPS sensors. "

The sources are both inside and outside the US. Please let us know if you are seeing this type of activity.

Thank you to Ryan for reporting this activity to us.

He reports that the two signatures that are triggering are:
Unix Password File Access Attempt (SigID: 3201) Web Application Security Test/Attack (SigID: 7212)

Updated:  We have been receiving information and samples of logs that indicate that there is indeed some activity going on, more than likely is botnet related.  The information that we have received indicates that this activity is directed at port 443 and port 80.  One of our readers (thanks Erik) indicated that his alerts indicate http://www.snort.org/search/sid/12709?r=1.  Looking at the link in this SID it looks like the activity may be directed at Microsoft ASN.1 remote exploit for CVE-2005-1935  with an exploit called kill-bill. ( www.phreedom.org/solar/exploits/msasn1-bitstring/All of it coincides with when the php get's started occurring. We will keep an eye on the reports and let you know if we see anything developing.  Please continue to let us know what you are seeing.

 

Deb Hale

6 comment(s)

Comments

We run cisco IPS and we have been seeing this for the last 4 days, maybe 3 times a day. We normally dont get Web App scan alerts apart from our own testing. Sources keep changing, started of in Italy. Happy to provide list of IPs if it will help.
We are seeing this in our ISS Proventia systems also.
We had lots of these blocked on a TippingPoint IPS this weekend. The signature was for "HTTP: ASN.1 Bitstring Processing Heap Overflow"
I have been seeing these intermittently, using a long parameter in the Authorization: Negotiate header. You want some PCAPs?

Source IPs have been mostly in Japan and Canada.
I've got about 60 attacks going back to 2011-02-22 22:53:04 ET with source IPs almost entirely in Europe.
Noticed many of these occurring across different platforms. 90% of the alerts occurred on February 26th 12:00 AM EST thru 11:59 PM EST but is still very much active. Through simple trending alone this activity can classified as probable botnet.

Diary Archives