[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
Joel Rosenblatt
joel at columbia.edu
Tue Apr 15 13:48:19 EDT 2008
Hi Donald,
No picking felt :-)
This was the output of a tool I use to try and figure out what a bad netflow pattern would look like, to build a "netflow signature", i.e. this is raw data only.
You are correct, at this point, I do not have a pattern for what a 2954 attack looks like.
I use this type of report to see what is going on.
I am very curious about this one, 8.6.12.121 - the machines it is talking to on our campus are not servers, and it is not registered. It may just be some P2P thing, but it doesn't look right to me.
Joel
8.6.12.121 (???)
Calling flowdumper
/usr/bin/flow-cat /hmt/skol/netflow/flows/saved//ft-v05.2008-04-15.133211-0400 | /usr/bin/flow-filter -f /tmp/flow.acl -o -Sbadguy -Dbadguy |
/usr/bin/flowdumper -s | sort
--------------------------------------------------------------------------------
For all non-ICMP traffic, output is
time srcip srcport destip destport protocol packets bytes
--------------------------------------------------------------------------------
2008/04/15 13:32:14 160.39.122.113.1920 -> 8.6.12.121.80 6 7 816
2008/04/15 13:32:14 8.6.12.121.80 -> 160.39.122.113.1920 6 8 6916
2008/04/15 13:32:15 156.111.216.112.56233 -> 8.6.12.121.80 6 6 768
2008/04/15 13:32:15 156.111.216.112.56233 -> 8.6.12.121.80 6 6 768
2008/04/15 13:32:15 8.6.12.121.80 -> 156.111.216.112.56233 6 7 4662
2008/04/15 13:32:29 156.111.63.198.4629 -> 8.6.12.121.80 6 5 776
2008/04/15 13:32:29 156.111.63.198.4629 -> 8.6.12.121.80 6 5 776
2008/04/15 13:32:34 160.39.86.39.1622 -> 8.6.12.121.80 6 1994 93772
2008/04/15 13:32:34 8.6.12.121.80 -> 160.39.86.39.1622 6 1957 2424407
2008/04/15 13:32:35 128.59.230.225.4223 -> 8.6.12.121.80 6 7 949
2008/04/15 13:32:35 8.6.12.121.80 -> 128.59.230.225.4223 6 8 6280
2008/04/15 13:32:39 156.111.92.176.2769 -> 8.6.12.121.80 6 6 717
2008/04/15 13:32:39 8.6.12.121.80 -> 156.111.92.176.2769 6 7 4446
2008/04/15 13:32:58 128.59.25.88.1537 -> 8.6.12.121.80 6 2406 113576
2008/04/15 13:32:58 8.6.12.121.80 -> 128.59.25.88.1537 6 4797 7188796
2008/04/15 13:33:07 156.145.111.130.1761 -> 8.6.12.121.80 6 7 851
2008/04/15 13:33:07 8.6.12.121.80 -> 156.145.111.130.1761 6 9 7814
2008/04/15 13:33:19 128.59.172.213.2274 -> 8.6.12.121.80 6 5 839
2008/04/15 13:33:19 8.6.12.121.80 -> 128.59.172.213.2274 6 6 3287
2008/04/15 13:33:31 128.59.188.48.3198 -> 8.6.12.121.80 6 7 849
2008/04/15 13:33:31 156.145.42.236.3416 -> 8.6.12.121.80 6 6 780
2008/04/15 13:33:31 156.145.42.236.3416 -> 8.6.12.121.80 6 6 780
2008/04/15 13:33:33 156.111.56.182.3260 -> 8.6.12.121.80 6 7 849
2008/04/15 13:33:38 128.59.231.11.56541 -> 8.6.12.121.80 6 6 928
2008/04/15 13:33:38 8.6.12.121.80 -> 128.59.231.11.56541 6 3 2172
2008/04/15 13:33:44 156.111.207.15.3521 -> 8.6.12.121.80 6 6 726
2008/04/15 13:33:44 156.145.168.103.2656 -> 8.6.12.121.80 6 6 888
2008/04/15 13:33:44 8.6.12.121.80 -> 156.111.207.15.3521 6 7 4875
2008/04/15 13:33:45 156.111.216.114.39235 -> 8.6.12.121.80 6 7 757
2008/04/15 13:33:45 156.145.125.117.1833 -> 8.6.12.121.80 6 7 792
2008/04/15 13:33:45 8.6.12.121.80 -> 156.111.216.114.39235 6 8 6646
2008/04/15 13:33:45 8.6.12.121.80 -> 156.145.125.117.1833 6 9 8574
2008/04/15 13:33:45 8.6.12.121.80 -> 156.145.168.103.2656 6 7 5037
2008/04/15 13:33:59 160.39.84.47.3940 -> 8.6.12.121.80 6 1114 53830
2008/04/15 13:33:59 8.6.12.121.80 -> 160.39.84.47.3940 6 2644 3273752
2008/04/15 13:34:04 156.111.194.100.52104 -> 8.6.12.121.80 6 1250 68572
2008/04/15 13:34:04 156.111.194.100.52104 -> 8.6.12.121.80 6 987 52652
2008/04/15 13:34:04 8.6.12.121.80 -> 156.111.194.100.52104 6 3130 4438750
2008/04/15 13:34:09 128.59.110.200.1189 -> 8.6.12.121.80 6 6 907
2008/04/15 13:34:09 160.39.71.32.50155 -> 8.6.12.121.80 6 7 1013
2008/04/15 13:34:09 8.6.12.121.80 -> 128.59.110.200.1189 6 6 4094
2008/04/15 13:34:09 8.6.12.121.80 -> 160.39.71.32.50155 6 8 5841
2008/04/15 13:34:13 128.59.233.87.4486 -> 8.6.12.121.80 6 7 783
2008/04/15 13:34:13 156.145.111.230.1613 -> 8.6.12.121.80 6 6 786
2008/04/15 13:34:13 156.145.111.230.1613 -> 8.6.12.121.80 6 6 786
2008/04/15 13:34:13 8.6.12.121.80 -> 128.59.233.87.4486 6 9 8199
2008/04/15 13:34:13 8.6.12.121.80 -> 156.145.111.230.1613 6 6 3333
2008/04/15 13:34:14 160.39.122.225.2587 -> 8.6.12.121.80 6 7 789
2008/04/15 13:34:14 8.6.12.121.80 -> 160.39.122.225.2587 6 10 9457
2008/04/15 13:34:16 160.39.122.46.2710 -> 8.6.12.121.80 6 7 941
2008/04/15 13:34:16 8.6.12.121.80 -> 160.39.122.46.2710 6 8 6658
2008/04/15 13:34:21 156.111.207.22.3654 -> 8.6.12.121.80 6 6 756
2008/04/15 13:34:21 156.111.207.22.3654 -> 8.6.12.121.80 6 6 756
2008/04/15 13:34:21 8.6.12.121.80 -> 156.111.207.22.3654 6 8 5964
2008/04/15 13:34:27 156.145.107.203.3597 -> 8.6.12.121.80 6 6 872
2008/04/15 13:34:27 156.145.107.203.3597 -> 8.6.12.121.80 6 6 872
2008/04/15 13:34:28 209.2.215.198.4101 -> 8.6.12.121.80 6 6 871
2008/04/15 13:34:28 8.6.12.121.80 -> 156.145.107.203.3597 6 7 4776
2008/04/15 13:34:28 8.6.12.121.80 -> 209.2.215.198.4101 6 6 2323
2008/04/15 13:34:29 160.39.177.182.1840 -> 8.6.12.121.80 6 1719 80412
2008/04/15 13:34:29 8.6.12.121.80 -> 160.39.177.182.1840 6 3335 4997471
2008/04/15 13:34:38 156.111.62.75.3020 -> 8.6.12.121.80 6 6 750
2008/04/15 13:34:38 156.111.92.82.4512 -> 8.6.12.121.80 6 8 965
2008/04/15 13:34:42 160.39.111.69.49781 -> 8.6.12.121.80 6 6 879
2008/04/15 13:34:47 128.59.110.200.1206 -> 8.6.12.121.80 6 5 861
2008/04/15 13:34:47 8.6.12.121.80 -> 128.59.110.200.1206 6 5 4268
2008/04/15 13:34:50 160.39.76.172.1619 -> 8.6.12.121.80 6 5 935
2008/04/15 13:34:50 8.6.12.121.80 -> 160.39.76.172.1619 6 5 349
2008/04/15 13:34:58 8.6.12.121.80 -> 156.145.125.115.1344 6 8 6482
2008/04/15 13:35:05 128.59.110.200.1205 -> 8.6.12.121.80 6 1057 51678
2008/04/15 13:35:05 8.6.12.121.80 -> 128.59.110.200.1205 6 2851 4274383
2008/04/15 13:35:14 156.145.168.245.4225 -> 8.6.12.121.80 6 860 40894
2008/04/15 13:35:14 8.6.12.121.80 -> 156.145.168.245.4225 6 2739 3882757
2008/04/15 13:35:19 160.39.63.20.55113 -> 8.6.12.121.80 6 5 828
2008/04/15 13:35:20 8.6.12.121.80 -> 160.39.63.20.55113 6 6 3847
2008/04/15 13:35:28 128.59.149.6.2460 -> 8.6.12.121.80 6 1670 78957
2008/04/15 13:35:28 8.6.12.121.80 -> 128.59.149.6.2460 6 3281 4916734
2008/04/15 13:35:30 128.59.152.45.2325 -> 8.6.12.121.80 6 5 843
2008/04/15 13:35:31 8.6.12.121.80 -> 128.59.152.45.2325 6 6 4336
2008/04/15 13:35:32 160.39.46.38.1250 -> 8.6.12.121.80 6 6 927
2008/04/15 13:35:32 8.6.12.121.80 -> 160.39.46.38.1250 6 7 5908
2008/04/15 13:35:36 156.145.73.64.2918 -> 8.6.12.121.80 6 1908 90935
2008/04/15 13:35:36 8.6.12.121.80 -> 156.145.73.64.2918 6 3467 4916651
2008/04/15 13:35:37 128.59.172.213.2281 -> 8.6.12.121.80 6 6 885
2008/04/15 13:35:37 8.6.12.121.80 -> 128.59.172.213.2281 6 8 7414
2008/04/15 13:35:39 156.145.164.101.1880 -> 8.6.12.121.80 6 5 840
2008/04/15 13:35:39 8.6.12.121.80 -> 156.145.164.101.1880 6 5 350
2008/04/15 13:35:49 156.111.62.75.3032 -> 8.6.12.121.80 6 7 797
2008/04/15 13:35:57 156.145.252.140.52277 -> 8.6.12.121.80 6 6 953
2008/04/15 13:35:57 8.6.12.121.80 -> 156.145.252.140.52277 6 7 5557
2008/04/15 13:35:58 156.111.62.75.3031 -> 8.6.12.121.80 6 1404 66691
2008/04/15 13:35:58 8.6.12.121.80 -> 156.111.62.75.3031 6 1585 2248388
2008/04/15 13:35:59 128.59.31.223.2944 -> 8.6.12.121.80 6 1605 75948
2008/04/15 13:35:59 8.6.12.121.80 -> 128.59.31.223.2944 6 3264 4889891
2008/04/15 13:36:01 128.59.172.213.2282 -> 8.6.12.121.80 6 981 47169
2008/04/15 13:36:01 8.6.12.121.80 -> 128.59.172.213.2282 6 1810 2711681
2008/04/15 13:36:02 8.6.12.121.80 -> 128.59.151.231.3111 6 8 6932
2008/04/15 13:36:03 8.6.12.121.80 -> 156.145.111.129.2884 6 7 5412
2008/04/15 13:36:07 156.111.92.94.2404 -> 8.6.12.121.80 6 7 838
2008/04/15 13:36:07 8.6.12.121.80 -> 156.111.92.94.2404 6 8 6211
2008/04/15 13:36:11 156.111.146.91.1736 -> 8.6.12.121.80 6 6 725
2008/04/15 13:36:11 8.6.12.121.80 -> 156.111.146.91.1736 6 7 5388
2008/04/15 13:36:13 156.111.216.112.58091 -> 8.6.12.121.80 6 6 706
2008/04/15 13:36:13 8.6.12.121.80 -> 156.111.216.112.58091 6 6 3855
2008/04/15 13:36:32 160.39.84.215.3004 -> 8.6.12.121.80 6 6 905
2008/04/15 13:36:33 8.6.12.121.80 -> 160.39.84.215.3004 6 7 4535
2008/04/15 13:36:43 8.6.12.121.80 -> 209.2.216.255.1975 6 1291 1876878
2008/04/15 13:36:58 156.111.146.34.1645 -> 8.6.12.121.80 6 6 718
2008/04/15 13:37:01 156.145.172.125.2324 -> 8.6.12.121.80 6 6 883
2008/04/15 13:37:01 156.145.172.125.2324 -> 8.6.12.121.80 6 6 883
2008/04/15 13:37:02 156.111.103.50.2347 -> 8.6.12.121.80 6 6 766
2008/04/15 13:37:02 156.111.103.50.2347 -> 8.6.12.121.80 6 6 766
--On Tuesday, April 15, 2008 11:11 AM -0600 "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> Just for my own understanding how do you determine if these are legit
> traffic or actual scanning/exploit attempts?
>
> I have run a couple of flow queries and some of the traffic I am seeing
> does not look like scanning nor exploit attempts.
> I see some sourced from well known ports (80 etc...) towards 2954.
> Others I see are 1 to 1 communications. Established connections where
> one host talks to another the whole time.
> That could be exploit attempts but then the exploit tool must need to
> try lots of combinations (dozens - several hundred).
>
>
> Based on a quick review of the released tool it appears to only need to
> be run one time and only sends a few packets with a few hundred bytes of
> exploit code and reverse shell code.
>
> I am not picking on Joel here just trying to figure out if I can use
> netflow to detect the actual attackers.
>
>
>
> RM=for(1)
> {manage_risk(identify_risk(product[i++]) &&
> (identify_threat[product[i++]))}
> Donald.Smith at qwest.com giac
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Joel Rosenblatt
>> Sent: Tuesday, April 15, 2008 10:07 AM
>> To: Rolf Gartmann; NSP Security List
>> Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
>>
>> ----------- nsp-security Confidential --------
>>
>> Here are some current (right now) counts
>>
>> [joel at geoduck ~]$ /cflow/bin/audit/port_query.pl -p2954 -r6 -n10
>> # --- ---- ---- Report Information --- --- ---
>> #
>> # Title: Outgoing Scanning Sources
>> # Fields: Total
>> # Symbols: Disabled
>> # Sorting: Descending Field 1
>> # Name: Source IP
>> #
>> # Args: flow-stat -f9 -S1 -T Outgoing Scanning Sources
>> #
>> #
>> # IPaddr flows octets packets
>> #
>> 128.59.48.6 9 10962 140
>> 128.59.20.226 7 3945 36
>> 128.59.48.36 5 86652 89
>> 160.39.137.184 5 3092 25
>> 160.39.201.175 5 781 12
>> 128.59.176.131 4 1975 20
>> 128.59.48.24 3 38679 47
>> 128.59.59.177 3 512 11
>> 128.59.199.87 3 811 16
>> 160.39.4.62 3 1667 13
>> 160.39.240.66 3 340 7
>> 160.39.80.42 2 1662 15
>> 128.59.28.83 2 184 4
>> 156.111.139.12 2 452 8
>> 160.39.201.69 2 3643425 2831
>> 160.39.54.156 2 340 6
>> 160.39.138.139 2 765 9
>> 128.59.84.23 2 3496 10
>> 128.59.48.4 2 1744 14
>> 128.59.20.228 2 736 7
>> 160.39.96.47 2 2818 15
>> 128.59.64.30 1 96388 69
>> 128.59.59.89 1 138 3
>> 128.59.111.11 1 192210 132
>> 128.59.178.184 1 262 5
>>
>> # --- ---- ---- Report Information --- --- ---
>> #
>> # Title: Outgoing Scanning Recipient ASNs
>> # Fields: Total
>> # Symbols: Disabled
>> # Sorting: Descending Field 1
>> # Name: Destination AS
>> #
>> # Args: flow-stat -f20 -S1 -T Outgoing Scanning Recipient ASNs
>> #
>> #
>> # dst AS flows octets packets
>> #
>> 4134 9 362777 276
>> 12322 5 3646377 2853
>> 3462 4 895 12
>> 9800 3 859 11
>> 9318 3 3718 60
>> 8167 3 564 10
>> 7482 3 1667 13
>> 4766 3 22016 27
>> 4538 3 322 7
>> 3320 3 385 8
>> 33491 2 782 8
>> 29738 2 140 3
>> 20057 2 184 4
>> 15169 2 86330 82
>> 9498 2 733 10
>> 4808 2 577 8
>> 4788 2 16987 27
>> 35908 1 1045 13
>> 34383 1 480 5
>> 33657 1 599 7
>> 29687 1 289 5
>> 23898 1 437 5
>> 23700 1 138 3
>> 21844 1 1312 16
>> 20115 1 769 5
>>
>> # --- ---- ---- Report Information --- --- ---
>> #
>> # Title: Incoming Scanning Sources
>> # Fields: Total
>> # Symbols: Disabled
>> # Sorting: Descending Field 1
>> # Name: Source IP
>> #
>> # Args: flow-stat -f9 -S1 -T Incoming Scanning Sources
>> #
>> #
>> # IPaddr flows octets packets
>> #
>> 125.118.56.251 24 3910 85
>> 86.140.154.46 4 3843 76
>> 72.14.247.83 4 2110 25
>> 64.233.185.83 4 2435 24
>> 66.102.1.91 3 44346 40
>> 87.11.3.52 2 280 6
>> 212.58.226.20 2 18832 17
>> 204.11.109.22 2 8827 10
>> 216.52.175.141 2 6040 13
>> 66.249.83.83 2 4085 10
>> 61.135.151.77 2 92 2
>> 77.247.176.154 2 1555 10
>> 68.253.191.194 1 138 3
>> 67.107.161.4 1 30094 30
>> 219.152.120.80 1 48 1
>> 211.234.241.139 1 6138 9
>> 8.6.12.121 1 5107886 3410
>> 216.73.87.52 1 1908 4
>> 211.206.120.106 1 2356 6
>> 208.111.129.11 1 119326 82
>> 69.28.154.242 1 775 4
>> 209.170.120.43 1 545 4
>> 77.247.176.134 1 413 5
>> 129.206.100.212 1 46 1
>> 67.228.59.227 1 2307 7
>>
>> # --- ---- ---- Report Information --- --- ---
>>
>>
>> --On Tuesday, April 15, 2008 5:29 PM +0200 Rolf Gartmann
>> <rolf.gartmann at switch.ch> wrote:
>>
>> > ----------- nsp-security Confidential --------
>> >
>> > from the fingers of jose nazario on 15.4.2008 17:14 Uhr:
>> >> ----------- nsp-security Confidential --------
>> >>
>> >> Following publication of the exploit code for the HP OV NMM buffer overflow
>> >> on TCP/2954, we're seeing a spike in attackers now for this port. This
>> >> follows a smaller bump last week when the code was a) not working well and
>> >> b) possibly working exploit code was not so public. Via ATLAS, here are the
>> >> top hosts scanning:
>> >>
>> >> Host Bytes per subnet Percentage
>> >> 85.25.146.193 2.09 kB 84.6%
>> >> 80.233.240.24 186.94 B 7.6%
>> >> 62.77.76.167 60.20 B 2.4%
>> >> 195.246.222.16 53.74 B 2.2%
>> >> 193.93.27.17 37.02 B 1.5%
>> >> 89.146.16.26 28.20 B 1.1%
>> >> 80.123.116.21 7.26 B 0.3%
>> >> 62.244.213.210 5.34 B 0.2%
>> >> 212.241.176.186 0.33 B 0.0%
>> >> 85.196.83.12 0.16 B 0.0%
>> >> Other 0 B 0.0%
>> >> This is all since 01:50 UTC today.
>> >
>> > I can throw in some stats from our Darkspace:
>> >
>> > 2008-04-10 11:10 29658
>> > 2008-04-10 11:15 37669
>> > 2008-04-10 11:20 27340
>> > 2008-04-11 00:45 7706
>> > 2008-04-11 00:50 11555
>> > 2008-04-11 01:00 10340
>> > 2008-04-11 02:10 78
>> > 2008-04-15 07:40 11262
>> > 2008-04-15 07:45 18584
>> >
>> > checking from 2008-04-08 till now, numbers are pkts/5min
>> > (timestamps UTC+2)
>> >
>> > -
>> > Rolf
>> >
>> >> Exploit code is here:
>> >>
>> >> http://www.milw0rm.com/exploits/5445
>> >>
>> >> - jose
>> >>
>> >>
>> >>
>> >>
>> >> _______________________________________________
>> >> nsp-security mailing list
>> >> nsp-security at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/nsp-security
>> >>
>> >> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> >> community. Confidentiality is essential for effective Internet security counter-measures.
>> >> _______________________________________________
>> >
>> >
>> > --
>> > SWITCH
>> > Serving Swiss Universities
>> > --------------------------
>> > Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
>> > PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
>> > SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
>> > http://www.switch.ch/cert/
>> >
>> >
>>
>>
>>
>> Joel Rosenblatt, Manager Network & Computer Security
>> Columbia Information Security Office (CISO)
>> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>> http://www.columbia.edu/~joel
>>
>>
>>
>>
>>
>
>
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
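The thread's open question is how to tell, from flow records alone, a host probing tcp/2954 across many machines from an ordinary one-to-one connection or a server reply that merely has 2954 as the far-end port. The following is an added example (not code from this thread, and not part of flow-tools or flowdumper) that parses lines in the flowdumper format shown above, `time srcip.srcport -> destip.destport protocol packets bytes`, and labels each source by fan-out and whether the peer answered. The IP addresses, sample flows and thresholds are constructed for illustration; `parse_flow`, `parse_flows` and `classify_sources` are names chosen here.

```python
"""Heuristic triage of flowdumper-style NetFlow records (added example).

Groups TCP flows per source so that a host touching many destinations on one
port with a few packets per flow (scan-like) can be separated from a sustained
one-to-one exchange where the peer talks back (established). Thresholds and the
sample data are constructed assumptions, not values from the thread.
"""
import re
from collections import defaultdict

# Matches e.g. "2008/04/15 13:32:14 160.39.122.113.1920 -> 8.6.12.121.80 6 7 816"
FLOW_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+) "
    r"(?P<proto>\d+) (?P<packets>\d+) (?P<bytes>\d+)$"
)


def parse_flow(line):
    """Return one flow record as a dict, or None for headers, rulers and blank lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def parse_flows(text):
    """Parse a whole flowdumper dump, skipping the non-record lines."""
    return [r for r in (parse_flow(line) for line in text.splitlines()) if r]


def classify_sources(flows, port, scan_min_targets=5, scan_max_avg_pkts=4):
    """Summarise every TCP source that sent to `port` and label its pattern.

    'scan-like'   : >= scan_min_targets distinct destinations on `port`, with at
                    most scan_max_avg_pkts packets per flow on average.
    'established' : exactly one destination, and that destination sent traffic
                    back from `port` (a bidirectional exchange).
    'other'       : anything else, e.g. a one-sided flow from a well-known port
                    towards `port`, which is more plausibly the server half of a
                    session whose client used `port` as its ephemeral port.
    The thresholds are assumptions; tune them against local baseline traffic.
    """
    targets = defaultdict(set)   # src -> destinations contacted on `port`
    pkts = defaultdict(int)      # src -> total packets sent towards `port`
    nflows = defaultdict(int)    # src -> number of flows towards `port`
    replied = defaultdict(set)   # src -> destinations that answered from `port`
    for f in flows:
        if f["proto"] != 6:
            continue
        if f["dport"] == port:
            targets[f["src"]].add(f["dst"])
            pkts[f["src"]] += f["packets"]
            nflows[f["src"]] += 1
        if f["sport"] == port:
            replied[f["dst"]].add(f["src"])

    result = {}
    for src, dsts in targets.items():
        avg_pkts = pkts[src] / nflows[src]
        answered = len(dsts & replied[src])
        if len(dsts) >= scan_min_targets and avg_pkts <= scan_max_avg_pkts:
            label = "scan-like"
        elif len(dsts) == 1 and answered == 1:
            label = "established"
        else:
            label = "other"
        result[src] = {"targets": len(dsts), "answered": answered,
                       "avg_pkts": round(avg_pkts, 2), "label": label}
    return result


# Constructed sample in flowdumper format, using documentation address ranges.
SAMPLE_FLOWS = """\
2008/04/15 13:40:01 192.0.2.10.40001 -> 198.51.100.1.2954 6 1 60
2008/04/15 13:40:01 192.0.2.10.40002 -> 198.51.100.2.2954 6 1 60
2008/04/15 13:40:01 192.0.2.10.40003 -> 198.51.100.3.2954 6 1 60
2008/04/15 13:40:02 192.0.2.10.40004 -> 198.51.100.4.2954 6 1 60
2008/04/15 13:40:02 192.0.2.10.40005 -> 198.51.100.5.2954 6 1 60
2008/04/15 13:40:02 192.0.2.10.40006 -> 198.51.100.6.2954 6 3 180
2008/04/15 13:40:10 203.0.113.7.51234 -> 198.51.100.20.2954 6 412 31500
2008/04/15 13:40:10 198.51.100.20.2954 -> 203.0.113.7.51234 6 398 287001
2008/04/15 13:40:15 203.0.113.9.80 -> 198.51.100.21.2954 6 9 6120
"""

if __name__ == "__main__":
    for src, info in classify_sources(parse_flows(SAMPLE_FLOWS), 2954).items():
        print(f"{src:15} {info['label']:12} targets={info['targets']} "
              f"answered={info['answered']} avg_pkts={info['avg_pkts']}")
```

Pointing `classify_sources` at port 80 over the flowdumper dump above reproduces the picture Joel describes for 8.6.12.121: many campus clients, each with a small request flow and a much larger reply flow from the far side, which is what a content server looks like rather than a scanner. The labels are a triage aid for deciding which sources deserve a packet-level look, not a verdict on their own.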