Howdy all,
From the timestamps, it looks like the attacker may have used a tool that
checks systems for RPC exposures, attempts the appropriate exploits, then
checks for the backdoor in case an exploit worked. The activity
summarized below was conducted against 5 of our hosts in parallel. The
FTP refusals at the top of the log excerpt are noteworthy, since they may
have been part of the same tool/script. System integrity was
maintained; no further activity from this IP was detected. A complaint was
sent to abuse_at_sprint.net, an automated response was received, and no further
communications are expected or necessary. These attacks were directed at
Solaris/sparc systems.
az
Summary for host1:
21:38:20 FTP connect attempt refused.
21:38:37 First rpcinfo request (many others followed). IDS017
21:39:06 TTDB Kill attempt. IDS241
21:39:07 Rpcinfo request.
21:39:09 TTDB Overflow attempt. IDS242
21:39:15 Rpcinfo request.
21:39:17 TTDB Kill attempt, followed by rpcinfo request.
21:39:18 TTDB Overflow attempt.
21:39:22 Check for backdoor at TCP 1524.
21:39:26 Check again, just to make sure :-}
Dec 2 21:38:20 host1 in.ftpd[2673]: refused connect from pminet.pmicim.com
Dec 2 21:38:20 host2 in.ftpd[3256]: refused connect from pminet.pmicim.com
Dec 2 21:38:20 host3 in.ftpd[7595]: refused connect from pminet.pmicim.com
Dec 2 21:38:23 host4 in.ftpd[578]: refused connect from pminet.pmicim.com
Dec 2 21:38:35 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:848 -> dst.109:111
Dec 2 21:38:36 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:981 -> dst.109:111
Dec 2 21:38:37 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:629 -> dst.104:111
Dec 2 21:38:37 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:665 -> dst.109:111
Dec 2 21:38:37 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:716 -> dst.104:111
Dec 2 21:38:37 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:728 -> dst.109:111
Dec 2 21:38:38 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:818 -> dst.104:111
Dec 2 21:38:39 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:899 -> dst.104:111
Dec 2 21:38:42 host4 rpc.ttdbserverd[995]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:38:44 host5 last message repeated 1 time
Dec 2 21:38:45 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:856 -> dst.109:111
Dec 2 21:38:46 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:940 -> dst.109:111
Dec 2 21:38:47 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:982 -> dst.109:111
Dec 2 21:38:48 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:1012 -> dst.109:111
Dec 2 21:38:49 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:624 -> dst.109:111
Dec 2 21:38:49 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:655 -> dst.109:111
Dec 2 21:38:50 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:685 -> dst.109:111
Dec 2 21:38:51 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:721 -> dst.109:111
Dec 2 21:38:52 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:752 -> dst.109:111
Dec 2 21:38:52 host4 rpc.ttdbserverd[995]: iserase(): 78
Dec 2 21:38:53 host4 rpc.ttdbserverd[995]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:38:53 host1 last message repeated 2 times
Dec 2 21:38:54 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:892 -> dst.104:111
Dec 2 21:38:55 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:944 -> dst.104:111
Dec 2 21:38:55 host4 rpc.ttdbserverd[995]: iserase(): 78
Dec 2 21:38:56 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:983 -> dst.104:111
Dec 2 21:38:56 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:1023 -> dst.104:111
Dec 2 21:38:58 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:655 -> dst.104:111
Dec 2 21:38:58 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:694 -> dst.104:111
Dec 2 21:38:59 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:738 -> dst.104:111
Dec 2 21:38:59 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:758 -> dst.104:111
Dec 2 21:39:01 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:814 -> dst.104:111
Dec 2 21:39:01 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:855 -> dst.104:111
Dec 2 21:39:03 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:902 -> dst.104:111
Dec 2 21:39:03 host1 snort[278]: IDS017 - RPC - portmap-request-cmsd: src:950 -> dst.104:111
Dec 2 21:39:03 host2 rpc.ttdbserverd[3259]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:04 host1 snort[278]: IDS024 - RPC - portmap-request-ttdbserv: src:984 -> dst.104:111
Dec 2 21:39:05 host1 /usr/dt/bin/rpc.ttdbserverd[2676]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:06 host1 snort[278]: IDS241 - CVE-1999-0003 - RPC ttdbserv Solaris Kill: src:985 -> dst.104:32772
Dec 2 21:39:07 host1 snort[278]: IDS024 - RPC - portmap-request-ttdbserv: src:655 -> dst.104:111
Dec 2 21:39:07 host5 last message repeated 2 times
Dec 2 21:39:08 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:696 -> dst.109:111
Dec 2 21:39:09 host1 /usr/dt/bin/rpc.ttdbserverd[2676]: iserase(): 78
Dec 2 21:39:09 host2 rpc.ttdbserverd[3259]: iserase(): 78
Dec 2 21:39:09 host1 snort[278]: IDS242 - RPC ttdbserv Solaris Overflow: src:657 -> dst.104:32772
Dec 2 21:39:09 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:716 -> dst.109:111
Dec 2 21:39:14 host3 /usr/dt/bin/rpc.ttdbserverd[397]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:15 host5 snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:808 -> dst.109:111
Dec 2 21:39:15 host1 snort[278]: IDS024 - RPC - portmap-request-ttdbserv: src:814 -> dst.104:111
Dec 2 21:39:16 host5 snort[3146]: IDS024 - RPC - portmap-request-ttdbserv: src:610 -> dst.109:111
Dec 2 21:39:16 host1 /usr/dt/bin/rpc.ttdbserverd[2676]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:16 host3 /usr/dt/bin/rpc.ttdbserverd[397]: iserase(): 78
Dec 2 21:39:16 host2 rpc.ttdbserverd[3259]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:17 host5 rpc.ttdbserverd[418]: Could not find mount point for
Dec 2 21:39:17 host5 snort[3146]: IDS241 - CVE-1999-0003 - RPC ttdbserv Solaris Kill: src:618 -> dst.109:32772
Dec 2 21:39:17 host1 snort[278]: IDS241 - CVE-1999-0003 - RPC ttdbserv Solaris Kill: src:815 -> dst.104:32772
Dec 2 21:39:17 host1 snort[278]: IDS024 - RPC - portmap-request-ttdbserv: src:656 -> dst.104:111
Dec 2 21:39:17 host1 /usr/dt/bin/rpc.ttdbserverd[2676]: iserase(): 78
Dec 2 21:39:18 host5 snort[3146]: IDS024 - RPC - portmap-request-ttdbserv: src:692 -> dst.109:111
Dec 2 21:39:18 host1 snort[278]: IDS242 - RPC ttdbserv Solaris Overflow: src:660 -> dst.104:32772
Dec 2 21:39:18 host5 rpc.ttdbserverd[418]: iserase(): 78
Dec 2 21:39:18 host5 snort[3146]: IDS242 - RPC ttdbserv Solaris Overflow: src:695 -> dst.109:32772
Dec 2 21:39:21 host2 rpc.ttdbserverd[3259]: iserase(): 78
Dec 2 21:39:21 host3 /usr/dt/bin/rpc.ttdbserverd[397]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:22 host1 snort[278]: default Backdoor access!: src:63470 -> dst.104:1524
Dec 2 21:39:22 host5 last message repeated 1 time
Dec 2 21:39:22 host5 snort[3146]: IDS024 - RPC - portmap-request-ttdbserv: src:876 -> dst.109:111
Dec 2 21:39:26 host6 /usr/dt/bin/rpc.ttdbserverd[2116]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:27 host6 /usr/dt/bin/rpc.ttdbserverd[2116]: iserase(): 78
Dec 2 21:39:27 host5 last message repeated 1 time
Dec 2 21:39:27 host5 rpc.ttdbserverd[418]: Could not find mount point for
Dec 2 21:39:28 host5 snort[3146]: IDS241 - CVE-1999-0003 - RPC ttdbserv Solaris Kill: src:881 -> dst.109:32772
Dec 2 21:39:28 host5 snort[3146]: IDS024 - RPC - portmap-request-ttdbserv: src:692 -> dst.109:111
Dec 2 21:39:29 host5 rpc.ttdbserverd[418]: iserase(): 78
Dec 2 21:39:29 host5 snort[3146]: IDS242 - RPC ttdbserv Solaris Overflow: src:756 -> dst.109:32772
Dec 2 21:39:30 host5 snort[3146]: default Backdoor access!: src:65363 -> dst.109:1524
Dec 2 21:39:31 host3 /usr/dt/bin/rpc.ttdbserverd[397]: iserase(): 78
Dec 2 21:39:34 host6 /usr/dt/bin/rpc.ttdbserverd[2116]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:49 host6 /usr/dt/bin/rpc.ttdbserverd[2116]: iserase(): 78
Dec 2 21:39:26 host1 last message repeated 1 time
Dec 2 21:39:40 host5 last message repeated 2 times
Received on Dec 06 2000
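The per-host sequence the post reconstructs by hand (portmap requests, ttdbserv kill and overflow attempts, then a connect to TCP 1524) can be recovered mechanically from a merged syslog/Snort stream. The Python below is an added example, not code from the original post or from Snort: it parses the two line shapes seen above, assigns each line to an attack stage, and reports per host whether the probe, exploit and backdoor check occurred in order within a window. The log it parses is constructed, modelled on the lines in the post, with invented host names and a made-up peer name; the year 2000 is an assumption (syslog timestamps carry no year), and the 120-second window and stage names are my own choices. It also counts portmap requests from reserved source ports (below 1024), which a Unix client can only bind as root, a detail the post's log shows but does not comment on.

```python
"""Correlate Snort alerts and Solaris syslog lines into a per-host RPC attack
timeline: portmap probe -> ttdbserverd kill/overflow -> backdoor check on TCP 1524.
Added example; not code from the original post or from Snort."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample, modelled on the post's excerpt. Host names and the FTP peer
# are invented; hostA sees the full chain, hostB only a probe and a daemon abort.
SAMPLE_LOG = """\
Dec 2 21:38:20 hostA in.ftpd[2673]: refused connect from scanner.example.net
Dec 2 21:38:37 hostA snort[278]: IDS017 - RPC - portmap-request-cmsd: src:629 -> dst.104:111
Dec 2 21:38:38 hostA snort[278]: IDS017 - RPC - portmap-request-cmsd: src:818 -> dst.104:111
Dec 2 21:39:04 hostA snort[278]: IDS024 - RPC - portmap-request-ttdbserv: src:984 -> dst.104:111
Dec 2 21:39:05 hostA /usr/dt/bin/rpc.ttdbserverd[2676]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
Dec 2 21:39:06 hostA snort[278]: IDS241 - CVE-1999-0003 - RPC ttdbserv Solaris Kill: src:985 -> dst.104:32772
Dec 2 21:39:09 hostA /usr/dt/bin/rpc.ttdbserverd[2676]: iserase(): 78
Dec 2 21:39:09 hostA snort[278]: IDS242 - RPC ttdbserv Solaris Overflow: src:657 -> dst.104:32772
Dec 2 21:39:22 hostA snort[278]: default Backdoor access!: src:63470 -> dst.104:1524
Dec 2 21:39:22 hostB last message repeated 1 time
Dec 2 21:38:35 hostB snort[3146]: IDS017 - RPC - portmap-request-cmsd: src:848 -> dst.109:111
Dec 2 21:38:42 hostB rpc.ttdbserverd[995]: _Tt_file_system::findBestMountPoint -- max_match_entry is null, aborting...
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")
# Snort's syslog alert shape as it appears in the post: "<sig>: src:<port> -> <dst>:<port>"
SNORT_RE = re.compile(
    r"^snort\[\d+\]: (?P<msg>.+?): src:(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")

STAGE_ORDER = ("portmap_probe", "ttdb_kill", "ttdb_overflow", "backdoor_check")


@dataclass
class Event:
    ts: datetime
    host: str
    stage: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def classify_snort(msg: str, dport: int) -> str:
    """Map a Snort signature name (plus destination port) to an attack stage."""
    if "portmap-request" in msg:
        return "portmap_probe"
    if "Solaris Kill" in msg:
        return "ttdb_kill"
    if "Solaris Overflow" in msg:
        return "ttdb_overflow"
    if dport == 1524 or "Backdoor" in msg:
        return "backdoor_check"
    return "other_alert"


def parse_events(text: str, year: int = 2000) -> list:
    """Turn merged syslog text into Event records. `year` is assumed: syslog has none."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        host, rest = m["host"], m["rest"]
        # "last message repeated N times" refers to the previous line in *that host's*
        # syslog, which in a merged log is often not the adjacent line; skip rather than guess.
        if rest.startswith("last message repeated"):
            continue
        s = SNORT_RE.match(rest)
        if s:
            sport, dport = int(s["sport"]), int(s["dport"])
            events.append(Event(ts, host, classify_snort(s["msg"], dport), sport, dport))
        elif "rpc.ttdbserverd" in rest:
            # host-side evidence that the ToolTalk database server was disturbed
            events.append(Event(ts, host, "ttdb_daemon_error"))
        elif "in.ftpd" in rest and "refused connect" in rest:
            events.append(Event(ts, host, "ftp_refused"))
    return events


def analyze(events: list, window_seconds: int = 120) -> dict:
    """Per host: which stages were seen, in what order, and how fast the chain ran."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    report = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        first = {}                      # first timestamp of each stage on this host
        for e in evs:
            first.setdefault(e.stage, e.ts)
        seen = [s for s in STAGE_ORDER if s in first]
        in_order = all(first[a] <= first[b] for a, b in zip(seen, seen[1:]))
        exploit = "ttdb_kill" in first or "ttdb_overflow" in first
        secs = None
        if seen and "backdoor_check" in first:
            secs = int((first["backdoor_check"] - first[seen[0]]).total_seconds())
        if exploit and secs is not None and in_order and secs <= window_seconds:
            verdict = "exploit_then_backdoor_check"
        elif exploit:
            verdict = "exploit_attempted"
        elif "portmap_probe" in first:
            verdict = "probe_only"
        elif "backdoor_check" in first:
            verdict = "backdoor_check_only"
        else:
            verdict = "no_rpc_activity"
        report[host] = {
            "verdict": verdict,
            "stages": seen,
            "seconds_to_backdoor_check": secs,
            # reserved source ports (<1024) on the probes: the client side ran as root
            "privileged_source_ports": sum(
                1 for e in evs if e.stage == "portmap_probe" and e.sport is not None and e.sport < 1024),
            "daemon_errors": sum(1 for e in evs if e.stage == "ttdb_daemon_error"),
        }
    return report


if __name__ == "__main__":
    for host, summary in sorted(analyze(parse_events(SAMPLE_LOG)).items()):
        print(host, summary)
```

Run against a real merged log, the "seconds_to_backdoor_check" value is the one to watch: a check on TCP 1524 arriving a few seconds after an overflow alert, from the same source, is the signature of a scripted exploit-then-verify loop rather than a human at a keyboard. The daemon abort messages are worth keeping as a separate count because they are the only evidence on a host that has no sensor in front of it.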