Security Incidents: more iis-kabom Re: New attack or old Vulnerability Scanner?

[Mark Embrich <mark_embrich () yahoo com>]

In-Reply-To: <OFA6BA0106.874F41EB-ON85256D18.005D3E70-85256D18.0061259B () us ibm com>

Received another of the iis-kabom type attacks.
This one was slightly different in that the attacks came very slowly, 
about 2-4 minutes between attacks -- lasting 3 hours.  This time it came 
from what looks like an Israeli cable provider's pool.

I did not receive all 65 attacks, it appears that some attacks were 
purposely removed -- like the "GET /adsamples/" requests.

Also different was that the source port numbers were jumping all over the 
place.  Sometimes jumping a few hundred ports between attacks, sometimes 
the following attack had a lower port number (which I assume means the 
attacker sent so many packets that the source ports wrapped around).

Therefore, it could be that this attacker targetted so many victims that 
he performed a DoS on himself, thus the 2-4 minutes between attacks.  
Otherwise, I don't know why they would slow down the attack -- it's not 
like a portscan.

I don't need any responses, just letting you all know that this iis-kabom 
variant appears to be a work in progress.  

Thanks,
Mark Embrich

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------