[nsp-sec] Increased in HP OV NMM scanning from AS 29802 Upstreams AS 174 and 3549 (cogent and GBLX).
Smith, Donald
Donald.Smith at qwest.com
Tue Apr 15 14:43:05 EDT 2008
I found a scanner.
The pattern I am seeing looks like a sequential scan of the 216./8
netblock.
It came from 206.51.225.222.
It was nearly ALL 52-byte SYNs,
with 2 exceptions that are customers of mine, so I will notify them that
they might have been compromised since they appear to have communicated
with this scanner on 2954.
AS | IP | AS Name
29802 | 206.51.225.222 | HVC-AS - HIVELOCITY VENTURES CORP
whois -h upstream-whois.cymru.com 206.51.225.222
PEER_AS | IP | AS Name
174 | 206.51.225.222 | COGENT Cogent/PSI
3549 | 206.51.225.222 | GBLX Global Crossing Ltd.
RM=for(1)
{manage_risk(identify_risk(product[i++]) &&
(identify_threat[product[i++]))}
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Smith, Donald
> Sent: Tuesday, April 15, 2008 11:57 AM
> To: david.harcourt at bt.com; joel at columbia.edu;
> rolf.gartmann at switch.ch; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
>
> ----------- nsp-security Confidential --------
>
> For an enterprise your approach makes sense.
>
> However, the netflow I am using is from all our peering locations and
> sampled, but it covers a VERY large portion of the internet, especially
> traffic that starts on one tier 1, 2 or 3 ISP and lands on another.
>
> It is HUGE and many of the IP addresses involved are not Qwest or Qwest
> customer IP addresses, so I don't know which are really OpenView servers
> and which are scanning/exploiting.
>
> If I see anything that stands out and can be used as a netflow filter I
> will let this group know.
>
>
>
> > -----Original Message-----
> > From: david.harcourt at bt.com [mailto:david.harcourt at bt.com]
> > Sent: Tuesday, April 15, 2008 11:33 AM
> > To: Smith, Donald; joel at columbia.edu;
> > rolf.gartmann at switch.ch; nsp-security at puck.nether.net
> > Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
> >
> > I'd have thought you'd have a list of recognised servers, and
> > then anything other is either a misconfigured server
> > elsewhere probing too far, or an attack. Either way you
> > wouldn't want them...
> >
> > Dave
> >
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net
> > <nsp-security-bounces at puck.nether.net>
> > To: Joel Rosenblatt <joel at columbia.edu>; Rolf Gartmann
> > <rolf.gartmann at switch.ch>; NSP Security List
> > <nsp-security at puck.nether.net>
> > Sent: Tue Apr 15 18:11:40 2008
> > Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
> >
> > ----------- nsp-security Confidential --------
> >
> > Just for my own understanding, how do you determine if these are legit
> > traffic or actual scanning/exploit attempts?
> >
> > I have run a couple of flow queries and some of the traffic I am seeing
> > does not look like scanning nor exploit attempts.
> > I see some sourced from well known ports (80 etc...) towards 2954.
> > Others I see are 1 to 1 communications: established connections where
> > one host talks to another the whole time.
> > That could be exploit attempts, but then the exploit tool must need to
> > try lots of combinations (dozens - several hundred).
> >
> >
> > Based on a quick review of the released tool, it appears to only need to
> > be run one time and only sends a few packets with a few hundred bytes of
> > exploit code and reverse shell code.
> >
> > I am not picking on Joel here, just trying to figure out if I can use
> > netflow to detect the actual attackers.
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: nsp-security-bounces at puck.nether.net
> > > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> > > Joel Rosenblatt
> > > Sent: Tuesday, April 15, 2008 10:07 AM
> > > To: Rolf Gartmann; NSP Security List
> > > Subject: Re: [nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
> > >
> > > ----------- nsp-security Confidential --------
> > >
> > > Here are some current (right now) counts
> > >
> > > [joel at geoduck ~]$ /cflow/bin/audit/port_query.pl -p2954 -r6 -n10
> > > # --- ---- ---- Report Information --- --- ---
> > > #
> > > # Title: Outgoing Scanning Sources
> > > # Fields: Total
> > > # Symbols: Disabled
> > > # Sorting: Descending Field 1
> > > # Name: Source IP
> > > #
> > > # Args: flow-stat -f9 -S1 -T Outgoing Scanning Sources
> > > #
> > > #
> > > # IPaddr          flows   octets   packets
> > > #
> > > 128.59.48.6 9 10962 140
> > > 128.59.20.226 7 3945 36
> > > 128.59.48.36 5 86652 89
> > > 160.39.137.184 5 3092 25
> > > 160.39.201.175 5 781 12
> > > 128.59.176.131 4 1975 20
> > > 128.59.48.24 3 38679 47
> > > 128.59.59.177 3 512 11
> > > 128.59.199.87 3 811 16
> > > 160.39.4.62 3 1667 13
> > > 160.39.240.66 3 340 7
> > > 160.39.80.42 2 1662 15
> > > 128.59.28.83 2 184 4
> > > 156.111.139.12 2 452 8
> > > 160.39.201.69 2 3643425 2831
> > > 160.39.54.156 2 340 6
> > > 160.39.138.139 2 765 9
> > > 128.59.84.23 2 3496 10
> > > 128.59.48.4 2 1744 14
> > > 128.59.20.228 2 736 7
> > > 160.39.96.47 2 2818 15
> > > 128.59.64.30 1 96388 69
> > > 128.59.59.89 1 138 3
> > > 128.59.111.11 1 192210 132
> > > 128.59.178.184 1 262 5
> > >
> > > # --- ---- ---- Report Information --- --- ---
> > > #
> > > # Title: Outgoing Scanning Recipient ASNs
> > > # Fields: Total
> > > # Symbols: Disabled
> > > # Sorting: Descending Field 1
> > > # Name: Destination AS
> > > #
> > > # Args: flow-stat -f20 -S1 -T Outgoing Scanning Recipient ASNs
> > > #
> > > #
> > > # dst AS   flows   octets   packets
> > > #
> > > 4134 9 362777 276
> > > 12322 5 3646377 2853
> > > 3462 4 895 12
> > > 9800 3 859 11
> > > 9318 3 3718 60
> > > 8167 3 564 10
> > > 7482 3 1667 13
> > > 4766 3 22016 27
> > > 4538 3 322 7
> > > 3320 3 385 8
> > > 33491 2 782 8
> > > 29738 2 140 3
> > > 20057 2 184 4
> > > 15169 2 86330 82
> > > 9498 2 733 10
> > > 4808 2 577 8
> > > 4788 2 16987 27
> > > 35908 1 1045 13
> > > 34383 1 480 5
> > > 33657 1 599 7
> > > 29687 1 289 5
> > > 23898 1 437 5
> > > 23700 1 138 3
> > > 21844 1 1312 16
> > > 20115 1 769 5
> > >
> > > # --- ---- ---- Report Information --- --- ---
> > > #
> > > # Title: Incoming Scanning Sources
> > > # Fields: Total
> > > # Symbols: Disabled
> > > # Sorting: Descending Field 1
> > > # Name: Source IP
> > > #
> > > # Args: flow-stat -f9 -S1 -T Incoming Scanning Sources
> > > #
> > > #
> > > # IPaddr          flows   octets   packets
> > > #
> > > 125.118.56.251 24 3910 85
> > > 86.140.154.46 4 3843 76
> > > 72.14.247.83 4 2110 25
> > > 64.233.185.83 4 2435 24
> > > 66.102.1.91 3 44346 40
> > > 87.11.3.52 2 280 6
> > > 212.58.226.20 2 18832 17
> > > 204.11.109.22 2 8827 10
> > > 216.52.175.141 2 6040 13
> > > 66.249.83.83 2 4085 10
> > > 61.135.151.77 2 92 2
> > > 77.247.176.154 2 1555 10
> > > 68.253.191.194 1 138 3
> > > 67.107.161.4 1 30094 30
> > > 219.152.120.80 1 48 1
> > > 211.234.241.139 1 6138 9
> > > 8.6.12.121 1 5107886 3410
> > > 216.73.87.52 1 1908 4
> > > 211.206.120.106 1 2356 6
> > > 208.111.129.11 1 119326 82
> > > 69.28.154.242 1 775 4
> > > 209.170.120.43 1 545 4
> > > 77.247.176.134 1 413 5
> > > 129.206.100.212 1 46 1
> > > 67.228.59.227 1 2307 7
> > >
> > > # --- ---- ---- Report Information --- --- ---
> > >
> > >
> > > --On Tuesday, April 15, 2008 5:29 PM +0200 Rolf Gartmann
> > > <rolf.gartmann at switch.ch> wrote:
> > >
> > > > ----------- nsp-security Confidential --------
> > > >
> > > > from the fingers of jose nazario on 15.4.2008, 17:14:
> > > >> ----------- nsp-security Confidential --------
> > > >>
> > > >> Following publication of the exploit code for the HP OV NMM buffer
> > > >> overflow on TCP/2954, we're seeing a spike in attackers now for this
> > > >> port. This follows a smaller bump last week when the code was a) not
> > > >> working well and b) possibly working exploit code was not so public.
> > > >> Via ATLAS, here are the top hosts scanning:
> > > >>
> > > >> Host              Bytes per subnet   Percentage
> > > >> 85.25.146.193     2.09 kB            84.6%
> > > >> 80.233.240.24     186.94 B           7.6%
> > > >> 62.77.76.167      60.20 B            2.4%
> > > >> 195.246.222.16    53.74 B            2.2%
> > > >> 193.93.27.17      37.02 B            1.5%
> > > >> 89.146.16.26      28.20 B            1.1%
> > > >> 80.123.116.21     7.26 B             0.3%
> > > >> 62.244.213.210    5.34 B             0.2%
> > > >> 212.241.176.186   0.33 B             0.0%
> > > >> 85.196.83.12      0.16 B             0.0%
> > > >> Other             0 B                0.0%
> > > >> This is all since 01:50 UTC today.
> > > >
> > > > I can throw in some stats from our Darkspace:
> > > >
> > > > 2008-04-10 11:10 29658
> > > > 2008-04-10 11:15 37669
> > > > 2008-04-10 11:20 27340
> > > > 2008-04-11 00:45 7706
> > > > 2008-04-11 00:50 11555
> > > > 2008-04-11 01:00 10340
> > > > 2008-04-11 02:10 78
> > > > 2008-04-15 07:40 11262
> > > > 2008-04-15 07:45 18584
> > > >
> > > > checking from 2008-04-08 till now, numbers are pkts/5min
> > > > (timestamps UTC+2)
> > > >
> > > > -
> > > > Rolf
> > > >
> > > >> Exploit code is here:
> > > >>
> > > >> http://www.milw0rm.com/exploits/5445
> > > >>
> > > >> - jose
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> _______________________________________________
> > > >> nsp-security mailing list
> > > >> nsp-security at puck.nether.net
> > > >> https://puck.nether.net/mailman/listinfo/nsp-security
> > > >>
> > > >> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> > > >> community. Confidentiality is essential for effective Internet security counter-measures.
> > > >> _______________________________________________
> > > >
> > > >
> > > > --
> > > > SWITCH
> > > > Serving Swiss Universities
> > > > --------------------------
> > > > Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
> > > > PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
> > > > SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> > > > http://www.switch.ch/cert/
> > > >
> > > >
> > >
> > >
> > >
> > > Joel Rosenblatt, Manager Network & Computer Security
> > > Columbia Information Security Office (CISO)
> > > Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> > > http://www.columbia.edu/~joel
> > >
> > >
> > >
> > >
> > >
> >
> >
> > This communication is the property of Qwest and may contain confidential or
> > privileged information. Unauthorized use of this communication is strictly
> > prohibited and may be unlawful. If you have received this communication
> > in error, please immediately notify the sender by reply e-mail and destroy
> > all copies of the communication and any attachments.
> >
> >
> >
>
>
>
>
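The thread turns on one question: how to tell the tcp/2954 sweep apart from the 1-to-1 established sessions and well-known-port traffic that also show up in sampled flow data, and how to find which local hosts actually talked back to the scanner. The script below is an added example written for this archive page; it is not a tool from the thread or from any of the posters. It encodes the three observations the thread makes (many destinations walked sequentially inside one /8, flows that are a single 52-byte SYN, and a real data-bearing reply from the victim side) as heuristics over a constructed set of flow records. All addresses in the sample are constructed: the scanner and the ordinary clients use RFC 5737 documentation ranges, and the 216.x.x.x hosts are made-up targets inside the /8 the post mentions.

```python
"""Heuristics for separating a tcp/2954 sweep from ordinary traffic in flow
records. Constructed example; the flow tuples and addresses are invented."""
from collections import defaultdict
import ipaddress

# Constructed placeholder for the scanning source (RFC 5737 range, not an
# address from the thread).
SCANNER = "198.51.100.22"


def make_sample():
    """Build constructed flow records:
    (src, dst, sport, dport, packets, octets, tcp_flags).
    The scanner walks 216.0.0.1..40 with single 52-byte SYNs, one target
    (216.0.0.7) answers with data, 203.0.113.9 holds a long established
    session, and 192.0.2.80 talks to 2954 from source port 80."""
    flows = []
    for i in range(1, 41):
        flows.append((SCANNER, f"216.0.0.{i}", 40000 + i, 2954, 1, 52, "S"))
    # The one target that completed a conversation with the scanner.
    flows.append((SCANNER, "216.0.0.7", 40007, 2954, 5, 740, "SPA"))
    flows.append(("216.0.0.7", SCANNER, 2954, 40007, 6, 980, "SPA"))
    # Legitimate-looking 1-to-1 session: two hosts talking the whole time.
    flows.append(("203.0.113.9", "216.5.5.5", 51000, 2954, 120, 18400, "SPA"))
    flows.append(("216.5.5.5", "203.0.113.9", 2954, 51000, 118, 9100, "SPA"))
    # Traffic sourced from a well-known port towards 2954.
    flows.append(("192.0.2.80", "216.9.9.9", 80, 2954, 3, 390, "SPA"))
    return flows


def profile_sources(flows, port=2954):
    """Per source IP sending to `port`, compute:
      targets      - number of distinct destination hosts
      syn52_ratio  - share of flows that are a lone 52-byte SYN
      sequential   - True when >=80% of the gaps between sorted distinct
                     destinations are exactly 1 (a linear address walk)."""
    by_src = defaultdict(list)
    for src, dst, _sport, dport, pkts, octs, flags in flows:
        if dport == port:
            by_src[src].append((dst, pkts, octs, flags))
    profile = {}
    for src, recs in by_src.items():
        dsts = sorted({int(ipaddress.ip_address(d)) for d, *_ in recs})
        syn52 = sum(1 for _d, p, o, f in recs if f == "S" and p == 1 and o == 52)
        steps = [b - a for a, b in zip(dsts, dsts[1:])]
        sequential = (len(steps) >= 2
                      and sum(1 for s in steps if s == 1) / len(steps) >= 0.8)
        profile[src] = {
            "targets": len(dsts),
            "syn52_ratio": syn52 / len(recs),
            "sequential": sequential,
        }
    return profile


def scanners(profile, min_targets=20, syn_ratio=0.9):
    """Sources that touched many hosts and did so almost only with bare SYNs.
    A single long session or a well-known-port client never qualifies."""
    return sorted(src for src, p in profile.items()
                  if p["targets"] >= min_targets and p["syn52_ratio"] >= syn_ratio)


def responders(flows, scanner, port=2954):
    """Local hosts that held a data-bearing conversation back to the scanner
    from the service port (more than a lone SYN/ACK or RST). These are the
    hosts worth notifying for possible compromise."""
    return sorted({src for src, dst, sport, _dport, pkts, _octs, flags in flows
                   if dst == scanner and sport == port and "A" in flags and pkts > 1})


if __name__ == "__main__":
    sample = make_sample()
    prof = profile_sources(sample)
    for src in scanners(prof):
        print(f"scanner {src}: {prof[src]}")
        print("  responders:", responders(sample, src))
```

The thresholds (20 targets, 90% bare SYNs, 80% consecutive gaps) are chosen for the constructed sample; on sampled peering netflow they would need tuning, and the sequential test in particular weakens as the sampling rate drops because consecutive destinations stop appearing as neighbours. The `responders` check is deliberately conservative: a SYN/ACK or RST from a probed host is noise, while several ACK/PSH packets back to the scanner indicate a completed exchange.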