[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
david.harcourt at bt.com
Tue Apr 15 13:33:14 EDT 2008
I'd have thought you'd have a list of recognised servers, and then anything else is either a misconfigured server elsewhere probing too far, or an attack. Either way you wouldn't want them...
Dave
-----Original Message-----
From: nsp-security-bounces at puck.nether.net <nsp-security-bounces at puck.nether.net>
To: Joel Rosenblatt <joel at columbia.edu>; Rolf Gartmann <rolf.gartmann at switch.ch>; NSP Security List <nsp-security at puck.nether.net>
Sent: Tue Apr 15 18:11:40 2008
Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
----------- nsp-security Confidential --------
Just for my own understanding, how do you determine if these are legit
traffic or actual scanning/exploit attempts?
I have run a couple of flow queries and some of the traffic I am seeing
does not look like scanning nor exploit attempts.
I see some sourced from well-known ports (80 etc...) towards 2954.
Others I see are 1 to 1 communications. Established connections where
one host talks to another the whole time.
That could be exploit attempts but then the exploit tool must need to
try lots of combinations (dozens - several hundred).
Based on a quick review of the released tool it appears to only need to
be run one time and only sends a few packets with a few hundred bytes of
exploit code and reverse shell code.
I am not picking on Joel here, just trying to figure out if I can use
netflow to detect the actual attackers.
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Joel Rosenblatt
> Sent: Tuesday, April 15, 2008 10:07 AM
> To: Rolf Gartmann; NSP Security List
> Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
>
> ----------- nsp-security Confidential --------
>
> Here are some current (right now) counts
>
> [joel at geoduck ~]$ /cflow/bin/audit/port_query.pl -p2954 -r6 -n10
> # --- ---- ---- Report Information --- --- ---
> #
> # Title: Outgoing Scanning Sources
> # Fields: Total
> # Symbols: Disabled
> # Sorting: Descending Field 1
> # Name: Source IP
> #
> # Args: flow-stat -f9 -S1 -T Outgoing Scanning Sources
> #
> #
> # IPaddr flows octets packets
> #
>
> # --- ---- ---- Report Information --- --- ---
> #
> # Title: Outgoing Scanning Recipient ASNs
> # Fields: Total
> # Symbols: Disabled
> # Sorting: Descending Field 1
> # Name: Destination AS
> #
> # Args: flow-stat -f20 -S1 -T Outgoing Scanning Recipient ASNs
> #
> #
> # dst AS flows octets packets
> #
>
> # --- ---- ---- Report Information --- --- ---
> #
> # Title: Incoming Scanning Sources
> # Fields: Total
> # Symbols: Disabled
> # Sorting: Descending Field 1
> # Name: Source IP
> #
> # Args: flow-stat -f9 -S1 -T Incoming Scanning Sources
> #
> #
> # IPaddr flows octets packets
> #
>
> # --- ---- ---- Report Information --- --- ---
>
>
> --On Tuesday, April 15, 2008 5:29 PM +0200 Rolf Gartmann
> <rolf.gartmann at switch.ch> wrote:
>
> > ----------- nsp-security Confidential --------
> >
> > from the fingers of jose nazario on 15.4.2008 17:14:
> >> ----------- nsp-security Confidential --------
> >>
> >> Following publication of the exploit code for the HP OV NMM buffer overflow
> >> on TCP/2954, we're seeing a spike in attackers now for this port. This
> >> follows a smaller bump last week when the code was a) not working well and
> >> b) possibly working exploit code was not so public. Via ATLAS, here are the
> >> top hosts scanning:
> >>
> >> Host Bytes per subnet Percentage
> >> 85.25.146.193 2.09 kB 84.6%
> >> 80.233.240.24 186.94 B 7.6%
> >> 62.77.76.167 60.20 B 2.4%
> >> 195.246.222.16 53.74 B 2.2%
> >> 193.93.27.17 37.02 B 1.5%
> >> 89.146.16.26 28.20 B 1.1%
> >> 80.123.116.21 7.26 B 0.3%
> >> 62.244.213.210 5.34 B 0.2%
> >> 212.241.176.186 0.33 B 0.0%
> >> 85.196.83.12 0.16 B 0.0%
> >> Other 0 B 0.0%
> >> This is all since 01:50 UTC today.
> >
> > I can throw in some stats from our Darkspace:
> >
> > 2008-04-10 11:10 29658
> > 2008-04-10 11:15 37669
> > 2008-04-10 11:20 27340
> > 2008-04-11 00:45 7706
> > 2008-04-11 00:50 11555
> > 2008-04-11 01:00 10340
> > 2008-04-11 02:10 78
> > 2008-04-15 07:40 11262
> > 2008-04-15 07:45 18584
> >
> > checking from 2008-04-08 till now, numbers are pkts/5min
> > (timestamps UTC+2)
> >
> > -
> > Rolf
> >
> >> Exploit code is here:
> >>
> >> http://www.milw0rm.com/exploits/5445
> >>
> >> - jose
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> >> community. Confidentiality is essential for effective Internet security counter-measures.
> >> _______________________________________________
> >
> >
> > --
> > SWITCH
> > Serving Swiss Universities
> > --------------------------
> > Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
> > PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
> > SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> > http://www.switch.ch/cert/
>
>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
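Donald asks whether netflow can separate the one-shot exploit (a few packets, a few hundred bytes) from return traffic off well-known ports and long 1-to-1 sessions, and Dave's reply is to allowlist the recognised NMM servers and treat everything else as suspect. The classifier below is an added example, not code from anyone on this list or from any tool named in the thread; the allowlist, the thresholds and the sample flow records are assumptions, constructed from RFC 5737 documentation addresses.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

NMM_PORT = 2954  # HP OpenView NNM port under discussion
# Constructed allowlist of recognised NMM servers (RFC 5737 documentation range).
RECOGNISED_NMM = [ip_network("192.0.2.0/28")]

# One NetFlow-style record: addresses, ports, and per-flow packet/octet totals.
Flow = namedtuple("Flow", "src dst sport dport packets octets")

def is_recognised(addr):
    return any(ip_address(addr) in net for net in RECOGNISED_NMM)

def classify(f):
    # Label one flow toward tcp/2954 using the heuristics raised in the thread.
    if f.dport != NMM_PORT:
        return "other"
    if is_recognised(f.src):
        return "recognised"         # Dave's allowlist: known servers are expected traffic
    if f.sport < 1024:
        return "return-traffic"     # sourced from a well-known port (80 etc.): a reply, not a probe
    if f.packets >= 50 and f.octets >= 10_000:
        return "established"        # long 1-to-1 conversation, not a one-shot exploit
    if f.packets <= 10 and 200 <= f.octets <= 2000:
        return "exploit-candidate"  # few packets carrying a few hundred bytes, as the tool sends
    if f.packets <= 3 and f.octets < 200:
        return "probe"              # SYN-only or tiny flow: scanner footprint
    return "unclassified"

def per_source_report(flows):
    # Group by source; the distinct-target count separates sweeps from one-shot attempts.
    report = defaultdict(lambda: {"labels": defaultdict(int), "targets": set()})
    for f in flows:
        if f.dport != NMM_PORT:
            continue
        report[f.src]["labels"][classify(f)] += 1
        report[f.src]["targets"].add(f.dst)
    return {src: {"labels": dict(e["labels"]), "targets": len(e["targets"])}
            for src, e in report.items()}

# Constructed sample flows (not values from the thread's reports).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.1", 40123, 2954, 1, 60),         # probe
    Flow("198.51.100.7", "203.0.113.2", 40124, 2954, 1, 60),         # probe
    Flow("198.51.100.7", "203.0.113.3", 40125, 2954, 6, 900),        # exploit-candidate
    Flow("203.0.113.50", "203.0.113.9", 80, 2954, 4, 2435),          # return-traffic
    Flow("192.0.2.5", "203.0.113.9", 51000, 2954, 300, 96388),       # recognised server
    Flow("203.0.113.77", "203.0.113.9", 51001, 2954, 2831, 3643425), # established
]
```

The per-source report is where a sweep shows up: one source hitting several targets with probe and exploit-candidate flows is a scanner, while a single exploit-candidate flow to one host is the one-shot case Donald describes.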