Sporadic Problems, Internet Health Monitors, IE Attacks, and HTTP GET

Published: 2004-06-21
Last Updated: 2004-06-21 23:36:08 UTC
by Ed Skoudis (Version: 1)
The Internet Storm Center received approximately a dozen reports today of sporadic and intermittent access problems for websites around the world. Locations as wide ranging as the Netherlands, Mexico City, and the Northeastern United States all reported trouble. However, we could discern no pattern in these difficulties, and haven't detected a widespread infrastructure malfunction or attack at this point. For most users, the Internet was just fine today, thank you very much.

If you ever suspect a widespread problem with Internet connectivity, you can check out a variety of sites to get more information about current availability and access times. Of course, you'll need enough web access to be able to cruise to these sites. Assuming you do, you may want to look at http://www.internettrafficreport.com/main.htm (which breaks out Asia, Australia, Europe, North America, and South America). Alternatively, if you want a more ISP-centric view of how the Internet health looks, you can check out http://www.internetpulse.net/. Of course, you can also feel free to peek in at http://isc.sans.org to get our view of the world.

For a list of very useful resources that check Internet status, along with a host of valuable information sources and other gizmos, please refer to http://isc.sans.org/links.php

Additionally, we continued to receive reports of attacks against IE browsers, this time loading an ActiveX control on the victim machine using the vulnerabilities described at http://www.securityfocus.com/bid/10472 and http://www.securityfocus.com/bid/10473 . In a surprising twist, the ActiveX control actually downloaded a Certificate Revocation List into the infected system's browser, revoking over one hundred certs. We're happy to report that anti-virus signatures were successful in detecting the malicious ActiveX control.

We also received a report of a nasty attack with the Rbot.cc worm described by Trend Micro here: http://fr.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_RBOT.CC&VSect=T

This worm vociferously scans for TCP port 445, and then tries to break in via RPC DCOM flaws (a la Blaster), IIS5/WebDAV flaws (a la Nachi/Welchia), and LSASS vulnerabilities (a la Sasser). When it infects a system, Rbot.cc runs a process called systemse.exe that starts at boot time. Be on the lookout for it in your environment.

Finally, we had that mysterious HTTP GET request to the Honeypot in yesterday's diary:

GET /2004/6/18/18/54/15/ HTTP/1.1
User-Agent: Mozilla/777.1 (compatible; MSIE 888.12; Windows NT 999.1)
Host: xxx.xxx.xxx.xxx:29296

A handful of people suggested that someone was attempting to access a blog management tool or other content management system, based on the first element of the HTTP request including a specific date (GET /2004/6/18/18/54/15/). That theory seems reasonable. However, the strange port number (TCP 29296) is more mysterious. It is possible that a DHCP lease was given to an earlier machine that was running a blog server with a management interface on this port, and a client was looking for that server even though the IP address had been reassigned. That's our theory for now, and we're sticking with it unless something better comes along.
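To show how the observations above can be checked mechanically against a captured request, here is an added example (my own code, not part of the diary) that parses the honeypot request, recognises the /YYYY/M/D/H/M/S/ path as a timestamp, flags the implausible User-Agent version numbers, and notes the non-standard Host port. The version ceilings are my own assumption, not something the diary states.

```python
import re
from datetime import datetime

# The request quoted in the diary, reconstructed here with CRLF line endings.
CAPTURED_REQUEST = (
    "GET /2004/6/18/18/54/15/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/777.1 (compatible; MSIE 888.12; Windows NT 999.1)\r\n"
    "Host: xxx.xxx.xxx.xxx:29296\r\n\r\n"
)

# Assumed plausibility ceilings (my choice, not from the diary): genuine
# browsers of the era reported single-digit Mozilla, MSIE and NT versions.
VERSION_CEILINGS = {"Mozilla": 10.0, "MSIE": 10.0, "Windows NT": 10.0}

def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers)."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers

def path_timestamp(path):
    """Return a datetime if the path has the form /YYYY/M/D/H/M/S/, else None."""
    m = re.fullmatch(r"/(\d{4})/(\d{1,2})/(\d{1,2})/(\d{1,2})/(\d{1,2})/(\d{1,2})/", path)
    if not m:
        return None
    try:
        return datetime(*map(int, m.groups()))
    except ValueError:  # e.g. month 13: digits in date positions but not a date
        return None

def suspicious_ua_tokens(user_agent):
    """Product names whose version number exceeds the plausibility ceiling."""
    bad = []
    for name, ceiling in VERSION_CEILINGS.items():
        m = re.search(re.escape(name) + r"[/ ](\d+(?:\.\d+)?)", user_agent)
        if m and float(m.group(1)) > ceiling:
            bad.append(name)
    return bad

def analyse(raw):
    """Summarise the indicators a defender would want from one request."""
    _, path, _, headers = parse_request(raw)
    _, _, port = headers.get("host", "").rpartition(":")
    return {
        "path_timestamp": path_timestamp(path),
        "bogus_ua_tokens": suspicious_ua_tokens(headers.get("user-agent", "")),
        "nonstandard_port": port.isdigit() and int(port) not in (80, 443),
    }
```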

Signing out...
--Ed Skoudis, ed(at)intelguardians.com