
Re: Excessively large URI attacks: msg#00014

security.intrusions

Subject: Re: Excessively large URI attacks

Barry,

I captured a similar series of packets on my home system a couple of
weeks ago as part of the GCIA assignment. What I found was three
alerts:

OVERSIZE REQUEST-URI DIRECTORY
x86 NOOP
Bare Byte Unicode Encoding

When you take the 3 alerts and many source packets plus the three-way
handshake, and reassemble the HTTP data stream, you actually have an
extremely large attempted buffer overflow against WebDAV on an IIS
server.

In my case, I have an HTTP error message logged against this request
(Apache).

If you have a moment, could you read through my GCIA assignment post
(question 2 documents this attack in paragraphs 11 through 20.)
I have just re-posted it about 10 minutes ago.

Regards,

Blaine Hein.

Please send messages to blaine(dot)hein(at)skynet(dot)be


-----Original Message-----
From: intrusions-request@xxxxxxxxxxxxxx
[mailto:intrusions-request@xxxxxxxxxxxxxx]
Sent: May 06 2004 15:50
To: intrusions@xxxxxxxxxxxxxx
Subject: Intrusions Digest, Vol 2, Issue 8

Send Intrusions mailing list submissions to
intrusions@xxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
http://www.dshield.org/mailman/listinfo/intrusions
or, via email, send a message with subject or body 'help' to
intrusions-request@xxxxxxxxxxxxxx

You can reach the person managing the list at
intrusions-owner@xxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Intrusions digest..."


Today's Topics:

1. [LOGS] Summary of large-scale portscanning detects
(Ken.Connelly@xxxxxxx)
2. Re: Excessively large URI attacks (Barry Fitzgerald)


----------------------------------------------------------------------

Message: 1
Date: Thu, 06 May 2004 08:13:04 -0500 (CDT)
From: Ken.Connelly@xxxxxxx
Subject: [Intrusions] [LOGS] Summary of large-scale portscanning detects
To: intrusions@xxxxxxxxxxxxxx
Message-ID: <01L9RMLHLPZ88WW030@xxxxxxx>

The following extracts show the beginning and ending of scan activity
that was detected on my network. The number following each set is the
total number of probes for that source. Timestamps are GMT-0500.

May 5 07:47:20 80.200.150.98:2607 -> xxx.yyy.246.126:139 SYN ******S*
May 5 07:47:17 80.200.150.98:2611 -> xxx.yyy.236.253:139 SYN ******S*
May 5 07:47:20 80.200.150.98:2613 -> xxx.yyy.227.124:139 SYN ******S*
May 5 07:47:20 80.200.150.98:2617 -> xxx.yyy.208.122:139 SYN ******S*
May 5 07:47:20 80.200.150.98:2621 -> xxx.yyy.198.249:139 SYN ******S*
May 5 07:47:20 80.200.150.98:2624 -> xxx.yyy.170.118:139 SYN ******S*
May 5 07:47:20 80.200.150.98:2625 -> xxx.yyy.160.245:139 SYN ******S*
May 5 07:47:18 80.200.150.98:2626 -> xxx.yyy.151.116:139 SYN ******S*
[...]
May 5 10:04:26 80.200.150.98:3644 -> xxx.yyy.151.210:445 SYN ******S*
May 5 10:04:26 80.200.150.98:3657 -> xxx.yyy.142.238:445 SYN ******S*
May 5 10:04:26 80.200.150.98:3658 -> xxx.yyy.189.57:445 SYN ******S*
May 5 10:04:26 80.200.150.98:3671 -> xxx.yyy.133.109:445 SYN ******S*
May 5 10:04:26 80.200.150.98:3683 -> xxx.yyy.152.111:445 SYN ******S*
May 5 10:04:27 80.200.150.98:3694 -> xxx.yyy.75.202:445 SYN ******S*
May 5 10:04:27 80.200.150.98:3701 -> xxx.yyy.246.63:445 SYN ******S*
May 5 10:04:27 80.200.150.98:3710 -> xxx.yyy.132.51:445 SYN ******S*
86034

May 5 02:35:23 81.61.41.187:1109 -> xxx.yyy.1.1:139 SYN ******S*
May 5 02:35:23 81.61.41.187:1110 -> xxx.yyy.1.4:445 SYN ******S*
May 5 02:35:23 81.61.41.187:1111 -> xxx.yyy.1.4:139 SYN ******S*
May 5 02:35:21 81.61.41.187:1112 -> xxx.yyy.1.5:445 SYN ******S*
May 5 02:35:24 81.61.41.187:1113 -> xxx.yyy.1.5:139 SYN ******S*
May 5 02:35:24 81.61.41.187:1114 -> xxx.yyy.1.6:445 SYN ******S*
May 5 02:35:24 81.61.41.187:1115 -> xxx.yyy.1.6:139 SYN ******S*
May 5 02:35:22 81.61.41.187:1117 -> xxx.yyy.1.7:445 SYN ******S*
[...]
May 5 14:21:22 81.61.41.187:1615 -> xxx.yyy.166.42:139 SYN ******S*
May 5 14:21:21 81.61.41.187:1612 -> xxx.yyy.166.41:139 SYN ******S*
May 5 14:21:21 81.61.41.187:1600 -> xxx.yyy.166.35:139 SYN ******S*
May 5 14:21:21 81.61.41.187:1599 -> xxx.yyy.166.35:445 SYN ******S*
May 5 14:21:23 81.61.41.187:1604 -> xxx.yyy.166.37:139 SYN ******S*
May 5 14:21:24 81.61.41.187:1605 -> xxx.yyy.166.38:445 SYN ******S*
May 5 14:21:25 81.61.41.187:1607 -> xxx.yyy.166.39:445 SYN ******S*
May 5 14:21:26 81.61.41.187:1610 -> xxx.yyy.166.40:139 SYN ******S*
May 5 14:21:27 81.61.41.187:1614 -> xxx.yyy.166.42:445 SYN ******S*
80315

May 5 07:32:15 134.169.192.7:2844 -> xxx.yyy.1.1:8000 SYN ******S*
May 5 07:32:15 134.169.192.7:2845 -> xxx.yyy.1.2:8000 SYN ******S*
May 5 07:32:14 134.169.192.7:2846 -> xxx.yyy.1.3:8000 SYN ******S*
May 5 07:32:14 134.169.192.7:2847 -> xxx.yyy.1.4:8000 SYN ******S*
May 5 07:32:17 134.169.192.7:2848 -> xxx.yyy.1.5:8000 SYN ******S*
May 5 07:32:17 134.169.192.7:2849 -> xxx.yyy.1.6:8000 SYN ******S*
May 5 07:32:17 134.169.192.7:2850 -> xxx.yyy.1.7:8000 SYN ******S*
May 5 07:32:17 134.169.192.7:2851 -> xxx.yyy.1.8:8000 SYN ******S*
[...]
May 5 07:43:55 134.169.192.7:1539 -> xxx.yyy.255.237:8000 SYN ******S*
May 5 07:43:55 134.169.192.7:1549 -> xxx.yyy.255.247:8000 SYN ******S*
May 5 07:43:55 134.169.192.7:1553 -> xxx.yyy.255.251:8000 SYN ******S*
May 5 07:43:55 134.169.192.7:1550 -> xxx.yyy.255.248:8000 SYN ******S*
May 5 07:43:55 134.169.192.7:1548 -> xxx.yyy.255.246:8000 SYN ******S*
May 5 07:43:55 134.169.192.7:1554 -> xxx.yyy.255.252:8000 SYN ******S*
May 5 07:43:55 134.169.192.7:1555 -> xxx.yyy.255.253:8000 SYN ******S*
May 5 07:43:55 134.169.192.7:1552 -> xxx.yyy.255.250:8000 SYN ******S*
May 5 07:43:55 134.169.192.7:1551 -> xxx.yyy.255.249:8000 SYN ******S*
64271

May 5 01:29:39 218.59.159.68:2547 -> xxx.yyy.1.1:443 SYN ******S*
May 5 01:29:39 218.59.159.68:2548 -> xxx.yyy.1.2:443 SYN ******S*
May 5 01:29:40 218.59.159.68:2549 -> xxx.yyy.1.3:443 SYN ******S*
May 5 01:29:40 218.59.159.68:2550 -> xxx.yyy.1.4:443 SYN ******S*
May 5 01:29:40 218.59.159.68:2551 -> xxx.yyy.1.5:443 SYN ******S*
May 5 01:29:40 218.59.159.68:2552 -> xxx.yyy.1.6:443 SYN ******S*
May 5 01:29:40 218.59.159.68:2553 -> xxx.yyy.1.7:443 SYN ******S*
May 5 01:29:37 218.59.159.68:2554 -> xxx.yyy.1.8:443 SYN ******S*
[...]
May 5 01:42:07 218.59.159.68:2026 -> xxx.yyy.255.249:443 SYN ******S*
May 5 01:42:07 218.59.159.68:2028 -> xxx.yyy.255.251:443 SYN ******S*
May 5 01:42:07 218.59.159.68:2029 -> xxx.yyy.255.252:443 SYN ******S*
May 5 01:42:07 218.59.159.68:2030 -> xxx.yyy.255.253:443 SYN ******S*
May 5 01:42:07 218.59.159.68:2024 -> xxx.yyy.255.247:443 SYN ******S*
May 5 01:42:07 218.59.159.68:2031 -> xxx.yyy.255.254:443 SYN ******S*
May 5 01:42:07 218.59.159.68:2027 -> xxx.yyy.255.250:443 SYN ******S*
May 5 01:42:07 218.59.159.68:2025 -> xxx.yyy.255.248:443 SYN ******S*
62974

May 5 19:22:17 213.97.37.236:49879 -> xxx.yyy.1.1:445 SYN ******S*
May 5 19:22:14 213.97.37.236:49880 -> xxx.yyy.1.2:445 SYN ******S*
May 5 19:22:14 213.97.37.236:49882 -> xxx.yyy.1.4:445 SYN ******S*
May 5 19:22:17 213.97.37.236:49883 -> xxx.yyy.1.5:445 SYN ******S*
May 5 19:22:17 213.97.37.236:49885 -> xxx.yyy.1.7:445 SYN ******S*
May 5 19:22:17 213.97.37.236:49886 -> xxx.yyy.1.8:445 SYN ******S*
May 5 19:22:14 213.97.37.236:49887 -> xxx.yyy.1.9:445 SYN ******S*
May 5 19:22:14 213.97.37.236:49888 -> xxx.yyy.1.10:445 SYN ******S*
[...]
May 5 19:34:01 213.97.37.236:52784 -> xxx.yyy.255.199:445 SYN ******S*
May 5 19:34:01 213.97.37.236:52793 -> xxx.yyy.255.208:445 SYN ******S*
May 5 19:34:01 213.97.37.236:52796 -> xxx.yyy.255.211:445 SYN ******S*
May 5 19:34:01 213.97.37.236:52808 -> xxx.yyy.255.223:445 SYN ******S*
May 5 19:34:01 213.97.37.236:52809 -> xxx.yyy.255.224:445 SYN ******S*
May 5 19:34:01 213.97.37.236:52820 -> xxx.yyy.255.235:445 SYN ******S*
May 5 19:34:01 213.97.37.236:52819 -> xxx.yyy.255.234:445 SYN ******S*
May 5 19:34:01 213.97.37.236:52831 -> xxx.yyy.255.246:445 SYN ******S*
May 5 19:34:01 213.97.37.236:52834 -> xxx.yyy.255.249:445 SYN ******S*
53391

May 5 00:36:17 66.14.222.126:26724 -> xxx.yyy.128.4:445 SYN ******S*
May 5 00:36:17 66.14.222.126:26733 -> xxx.yyy.128.1:445 SYN ******S*
May 5 00:36:17 66.14.222.126:26732 -> xxx.yyy.128.5:445 SYN ******S*
May 5 00:36:14 66.14.222.126:26366 -> xxx.yyy.128.2:445 SYN ******S*
May 5 00:36:15 66.14.222.126:26789 -> xxx.yyy.128.6:445 SYN ******S*
May 5 00:36:15 66.14.222.126:26791 -> xxx.yyy.128.3:445 SYN ******S*
May 5 00:36:15 66.14.222.126:26792 -> xxx.yyy.128.0:445 SYN ******S*
May 5 00:36:18 66.14.222.126:26784 -> xxx.yyy.128.2:445 SYN ******S*
[...]
May 5 06:02:56 66.14.222.126:14636 -> xxx.yyy.255.237:445 SYN ******S*
May 5 06:02:56 66.14.222.126:14638 -> xxx.yyy.255.254:445 SYN ******S*
May 5 06:02:56 66.14.222.126:14674 -> xxx.yyy.255.250:445 SYN ******S*
May 5 06:02:56 66.14.222.126:14737 -> xxx.yyy.255.233:445 SYN ******S*
May 5 06:02:56 66.14.222.126:14743 -> xxx.yyy.255.249:445 SYN ******S*
May 5 06:02:56 66.14.222.126:14745 -> xxx.yyy.255.241:445 SYN ******S*
May 5 06:02:56 66.14.222.126:14752 -> xxx.yyy.255.238:445 SYN ******S*
May 5 06:02:56 66.14.222.126:14753 -> xxx.yyy.255.242:445 SYN ******S*
May 5 06:02:58 66.14.222.126:14758 -> xxx.yyy.255.244:445 SYN ******S*
51507

May 5 13:14:47 63.166.255.24:1130 -> xxx.yyy.1.2:139 SYN ******S*
May 5 13:14:47 63.166.255.24:1132 -> xxx.yyy.1.4:139 SYN ******S*
May 5 13:14:45 63.166.255.24:1134 -> xxx.yyy.1.6:139 SYN ******S*
May 5 13:14:48 63.166.255.24:1135 -> xxx.yyy.1.7:139 SYN ******S*
May 5 13:14:48 63.166.255.24:1137 -> xxx.yyy.1.9:139 SYN ******S*
May 5 13:14:48 63.166.255.24:1138 -> xxx.yyy.1.10:139 SYN ******S*
May 5 13:14:48 63.166.255.24:1139 -> xxx.yyy.1.11:139 SYN ******S*
May 5 13:14:48 63.166.255.24:1141 -> xxx.yyy.1.13:139 SYN ******S*
[...]
May 5 13:25:44 63.166.255.24:3780 -> xxx.yyy.255.242:139 SYN ******S*
May 5 13:25:44 63.166.255.24:3777 -> xxx.yyy.255.239:139 SYN ******S*
May 5 13:25:44 63.166.255.24:3790 -> xxx.yyy.255.252:139 SYN ******S*
May 5 13:25:44 63.166.255.24:3787 -> xxx.yyy.255.249:139 SYN ******S*
May 5 13:25:44 63.166.255.24:3784 -> xxx.yyy.255.246:139 SYN ******S*
May 5 13:25:44 63.166.255.24:3785 -> xxx.yyy.255.247:139 SYN ******S*
May 5 13:25:44 63.166.255.24:3789 -> xxx.yyy.255.251:139 SYN ******S*
May 5 13:25:44 63.166.255.24:3783 -> xxx.yyy.255.245:139 SYN ******S*
50159

May 5 06:32:18 211.221.76.118:22002 -> xxx.yyy.1.0:10080 SYN ******S*
May 5 06:32:18 211.221.76.118:22002 -> xxx.yyy.1.0:3128 SYN ******S*
May 5 06:32:19 211.221.76.118:22002 -> xxx.yyy.1.1:10080 SYN ******S*
May 5 06:32:19 211.221.76.118:22002 -> xxx.yyy.1.1:3128 SYN ******S*
May 5 06:32:19 211.221.76.118:22002 -> xxx.yyy.1.2:1080 SYN ******S*
May 5 06:32:19 211.221.76.118:22002 -> xxx.yyy.1.2:10080 SYN ******S*
May 5 06:32:19 211.221.76.118:22002 -> xxx.yyy.1.2:3128 SYN ******S*
May 5 06:32:19 211.221.76.118:22002 -> xxx.yyy.1.3:1080 SYN ******S*
[...]
May 5 12:01:00 211.221.76.118:22002 -> xxx.yyy.185.8:1080 SYN ******S*
May 5 12:01:00 211.221.76.118:22002 -> xxx.yyy.185.8:10080 SYN ******S*
May 5 12:01:00 211.221.76.118:22002 -> xxx.yyy.185.8:3128 SYN ******S*
May 5 12:01:01 211.221.76.118:22002 -> xxx.yyy.185.9:1080 SYN ******S*
May 5 12:01:01 211.221.76.118:22002 -> xxx.yyy.185.9:10080 SYN ******S*
May 5 12:01:01 211.221.76.118:22002 -> xxx.yyy.185.9:3128 SYN ******S*
May 5 12:01:01 211.221.76.118:22002 -> xxx.yyy.185.10:1080 SYN ******S*
May 5 12:01:01 211.221.76.118:22002 -> xxx.yyy.185.10:10080 SYN ******S*
May 5 12:01:03 211.221.76.118:22002 -> xxx.yyy.185.11:1080 SYN ******S*
49059

May 5 08:55:26 209.218.230.133:10864 -> xxx.yyy.128.4:445 SYN ******S*
May 5 08:55:26 209.218.230.133:10865 -> xxx.yyy.128.5:445 SYN ******S*
May 5 08:55:26 209.218.230.133:10866 -> xxx.yyy.128.6:445 SYN ******S*
May 5 08:55:26 209.218.230.133:10867 -> xxx.yyy.128.7:445 SYN ******S*
May 5 08:55:26 209.218.230.133:10868 -> xxx.yyy.128.8:445 SYN ******S*
May 5 08:55:26 209.218.230.133:10869 -> xxx.yyy.128.9:445 SYN ******S*
May 5 08:55:26 209.218.230.133:10880 -> xxx.yyy.128.20:445 SYN ******S*
May 5 08:55:26 209.218.230.133:10881 -> xxx.yyy.128.21:445 SYN ******S*
[...]
May 5 14:10:39 209.218.230.133:58359 -> xxx.yyy.255.238:445 SYN ******S*
May 5 14:10:39 209.218.230.133:58352 -> xxx.yyy.255.231:445 SYN ******S*
May 5 14:10:39 209.218.230.133:58344 -> xxx.yyy.255.249:445 SYN ******S*
May 5 14:10:39 209.218.230.133:58341 -> xxx.yyy.255.246:445 SYN ******S*
May 5 14:10:39 209.218.230.133:58363 -> xxx.yyy.255.242:445 SYN ******S*
May 5 14:10:39 209.218.230.133:58356 -> xxx.yyy.255.235:445 SYN ******S*
May 5 14:10:39 209.218.230.133:58353 -> xxx.yyy.255.232:445 SYN ******S*
May 5 14:10:39 209.218.230.133:58350 -> xxx.yyy.255.229:445 SYN ******S*
May 5 14:10:39 209.218.230.133:58348 -> xxx.yyy.255.253:445 SYN ******S*
39297

May 5 11:56:00 212.243.164.70:2096 -> xxx.yyy.1.1:8000 SYN ******S*
May 5 11:56:00 212.243.164.70:2099 -> xxx.yyy.1.4:8000 SYN ******S*
May 5 11:56:00 212.243.164.70:2098 -> xxx.yyy.1.3:8000 SYN ******S*
May 5 11:56:03 212.243.164.70:2102 -> xxx.yyy.1.5:8000 SYN ******S*
May 5 11:56:00 212.243.164.70:2105 -> xxx.yyy.1.8:8000 SYN ******S*
May 5 11:56:03 212.243.164.70:2106 -> xxx.yyy.1.9:8000 SYN ******S*
May 5 11:56:03 212.243.164.70:2107 -> xxx.yyy.1.10:8000 SYN ******S*
May 5 11:56:00 212.243.164.70:2110 -> xxx.yyy.1.13:8000 SYN ******S*
[...]
May 5 12:07:53 212.243.164.70:3809 -> xxx.yyy.255.201:8000 SYN ******S*
May 5 12:07:53 212.243.164.70:3804 -> xxx.yyy.255.198:8000 SYN ******S*
May 5 12:07:53 212.243.164.70:3820 -> xxx.yyy.255.212:8000 SYN ******S*
May 5 12:07:53 212.243.164.70:3817 -> xxx.yyy.255.209:8000 SYN ******S*
May 5 12:07:53 212.243.164.70:3818 -> xxx.yyy.255.210:8000 SYN ******S*
May 5 12:07:53 212.243.164.70:3821 -> xxx.yyy.255.213:8000 SYN ******S*
May 5 12:07:53 212.243.164.70:3816 -> xxx.yyy.255.208:8000 SYN ******S*
May 5 12:07:53 212.243.164.70:3819 -> xxx.yyy.255.211:8000 SYN ******S*
33691

May 5 07:32:45 212.205.255.84:3766 -> xxx.yyy.10.36:1433 SYN ******S*
May 5 07:32:48 212.205.255.84:4039 -> xxx.yyy.10.37:1433 SYN ******S*
May 5 07:32:48 212.205.255.84:4042 -> xxx.yyy.10.40:1433 SYN ******S*
May 5 07:32:48 212.205.255.84:4041 -> xxx.yyy.10.39:1433 SYN ******S*
May 5 07:32:48 212.205.255.84:4040 -> xxx.yyy.10.38:1433 SYN ******S*
May 5 07:32:48 212.205.255.84:4043 -> xxx.yyy.10.41:1433 SYN ******S*
May 5 07:32:48 212.205.255.84:4044 -> xxx.yyy.10.42:1433 SYN ******S*
May 5 07:32:48 212.205.255.84:4045 -> xxx.yyy.10.43:1433 SYN ******S*
[...]
May 5 09:04:20 212.205.255.84:1028 -> xxx.yyy.111.247:1433 SYN ******S*
May 5 09:04:20 212.205.255.84:1027 -> xxx.yyy.111.246:1433 SYN ******S*
May 5 09:04:20 212.205.255.84:1031 -> xxx.yyy.111.250:1433 SYN ******S*
May 5 09:04:20 212.205.255.84:1030 -> xxx.yyy.111.249:1433 SYN ******S*
May 5 09:04:20 212.205.255.84:1033 -> xxx.yyy.111.251:1433 SYN ******S*
May 5 09:04:20 212.205.255.84:1041 -> xxx.yyy.111.255:1433 SYN ******S*
May 5 09:04:20 212.205.255.84:1038 -> xxx.yyy.111.254:1433 SYN ******S*
May 5 09:04:20 212.205.255.84:1036 -> xxx.yyy.111.252:1433 SYN ******S*
24637

[...]
17632

[...]
11854

May 5 00:00:10 202.108.87.100:4333 -> xxx.yyy.225.42:2745 SYN ******S*
May 5 00:00:11 202.108.87.100:4341 -> xxx.yyy.168.151:2745 SYN ******S*
May 5 00:00:12 202.108.87.100:4357 -> xxx.yyy.177.251:2745 SYN ******S*
May 5 00:00:10 202.108.87.100:4325 -> xxx.yyy.232.11:2745 SYN ******S*
May 5 00:00:13 202.108.87.100:4384 -> xxx.yyy.195.120:2745 SYN ******S*
May 5 00:00:15 202.108.87.100:4459 -> xxx.yyy.196.29:2745 SYN ******S*
May 5 00:00:15 202.108.87.100:4471 -> xxx.yyy.157.155:2745 SYN ******S*
May 5 00:00:17 202.108.87.100:4333 -> xxx.yyy.225.42:2745 SYN ******S*
[...]
May 5 23:59:47 202.108.87.100:1761 -> xxx.yyy.74.13:2745 SYN ******S*
May 5 23:59:51 202.108.87.100:1822 -> xxx.yyy.202.213:2745 SYN ******S*
May 5 23:59:52 202.108.87.100:1838 -> xxx.yyy.92.30:2745 SYN ******S*
May 5 23:59:52 202.108.87.100:1840 -> xxx.yyy.92.30:1025 SYN ******S*
May 5 23:59:50 202.108.87.100:1866 -> xxx.yyy.220.250:2745 SYN ******S*
May 5 23:59:54 202.108.87.100:1866 -> xxx.yyy.220.250:2745 SYN ******S*
May 5 23:59:54 202.108.87.100:1761 -> xxx.yyy.74.13:2745 SYN ******S*
May 5 23:59:54 202.108.87.100:1764 -> xxx.yyy.73.188:2745 SYN ******S*
11295

May 5 00:00:52 221.10.44.93:7495 -> xxx.yyy.224.116:2745 SYN ******S*
May 5 00:00:54 221.10.44.93:20961 -> xxx.yyy.232.184:2745 SYN ******S*
May 5 00:00:55 221.10.44.93:21068 -> xxx.yyy.239.107:2745 SYN ******S*
May 5 00:00:54 221.10.44.93:21079 -> xxx.yyy.83.69:2745 SYN ******S*
May 5 00:00:55 221.10.44.93:21125 -> xxx.yyy.84.104:2745 SYN ******S*
May 5 00:00:59 221.10.44.93:59288 -> xxx.yyy.84.104:1025 SYN ******S*
May 5 00:00:59 221.10.44.93:7495 -> xxx.yyy.224.116:2745 SYN ******S*
May 5 00:01:00 221.10.44.93:20961 -> xxx.yyy.232.184:2745 SYN ******S*
[...]
May 5 23:54:19 221.10.44.93:42680 -> xxx.yyy.177.204:3127 SYN ******S*
May 5 23:54:19 221.10.44.93:37250 -> xxx.yyy.177.204:5000 SYN ******S*
May 5 23:59:18 221.10.44.93:62495 -> xxx.yyy.140.3:2745 SYN ******S*
May 5 23:59:19 221.10.44.93:44964 -> xxx.yyy.89.16:5000 SYN ******S*
May 5 23:59:19 221.10.44.93:62615 -> xxx.yyy.89.16:2745 SYN ******S*
May 5 23:59:19 221.10.44.93:34470 -> xxx.yyy.89.16:3127 SYN ******S*
May 5 23:59:19 221.10.44.93:39310 -> xxx.yyy.89.16:1025 SYN ******S*
May 5 23:59:19 221.10.44.93:44962 -> xxx.yyy.89.16:6129 SYN ******S*
May 5 23:59:19 221.10.44.93:39312 -> xxx.yyy.89.16:80 SYN ******S*
8828

May 5 05:00:15 65.112.118.29:55629 -> xxx.yyy.129.97:1025 SYN ******S*
May 5 05:00:15 65.112.118.29:55627 -> xxx.yyy.129.97:2745 SYN ******S*
May 5 05:00:15 65.112.118.29:55630 -> xxx.yyy.129.97:445 SYN ******S*
May 5 05:00:15 65.112.118.29:55631 -> xxx.yyy.129.97:3127 SYN ******S*
May 5 05:00:15 65.112.118.29:55632 -> xxx.yyy.129.97:6129 SYN ******S*
May 5 05:00:15 65.112.118.29:55633 -> xxx.yyy.129.97:139 SYN ******S*
May 5 05:00:15 65.112.118.29:56390 -> xxx.yyy.136.85:2745 SYN ******S*
May 5 05:00:15 65.112.118.29:56396 -> xxx.yyy.136.85:139 SYN ******S*
[...]
May 5 09:44:09 65.112.118.29:56839 -> xxx.yyy.144.141:3127 SYN ******S*
May 5 09:44:07 65.112.118.29:11248 -> xxx.yyy.144.141:6129 SYN ******S*
May 5 09:44:09 65.112.118.29:34559 -> xxx.yyy.144.141:139 SYN ******S*
May 5 09:48:11 65.112.118.29:35689 -> xxx.yyy.194.176:139 SYN ******S*
May 5 09:48:11 65.112.118.29:35688 -> xxx.yyy.194.176:6129 SYN ******S*
May 5 09:48:11 65.112.118.29:35709 -> xxx.yyy.194.176:3127 SYN ******S*
May 5 09:48:11 65.112.118.29:35684 -> xxx.yyy.194.176:445 SYN ******S*
May 5 09:48:11 65.112.118.29:35683 -> xxx.yyy.194.176:1025 SYN ******S*
7749

May 5 07:38:23 64.80.86.35:4076 -> xxx.yyy.10.1:139 SYN ******S*
May 5 07:38:23 64.80.86.35:4077 -> xxx.yyy.10.2:139 SYN ******S*
May 5 07:38:23 64.80.86.35:4078 -> xxx.yyy.10.3:139 SYN ******S*
May 5 07:38:23 64.80.86.35:4079 -> xxx.yyy.10.4:139 SYN ******S*
May 5 07:38:20 64.80.86.35:4081 -> xxx.yyy.10.6:139 SYN ******S*
May 5 07:38:23 64.80.86.35:4082 -> xxx.yyy.10.7:139 SYN ******S*
May 5 07:38:23 64.80.86.35:4083 -> xxx.yyy.10.8:139 SYN ******S*
May 5 07:38:23 64.80.86.35:4084 -> xxx.yyy.10.9:139 SYN ******S*
[...]
May 5 07:49:37 64.80.86.35:4157 -> xxx.yyy.214.233:139 SYN ******S*
May 5 07:49:37 64.80.86.35:4154 -> xxx.yyy.214.230:139 SYN ******S*
May 5 07:49:37 64.80.86.35:4155 -> xxx.yyy.214.231:139 SYN ******S*
May 5 07:49:37 64.80.86.35:4152 -> xxx.yyy.214.228:139 SYN ******S*
May 5 07:49:37 64.80.86.35:4163 -> xxx.yyy.214.239:139 SYN ******S*
May 5 07:49:37 64.80.86.35:4160 -> xxx.yyy.214.236:139 SYN ******S*
May 5 07:49:37 64.80.86.35:4161 -> xxx.yyy.214.237:139 SYN ******S*
May 5 07:49:37 64.80.86.35:4165 -> xxx.yyy.214.241:139 SYN ******S*
7430

May 5 05:00:18 213.140.6.96:49975 -> xxx.yyy.160.39:139 SYN ******S*
May 5 05:00:18 213.140.6.96:50007 -> xxx.yyy.85.178:139 SYN ******S*
May 5 05:00:18 213.140.6.96:50178 -> xxx.yyy.166.211:139 SYN ******S*
May 5 05:00:18 213.140.6.96:50206 -> xxx.yyy.146.185:139 SYN ******S*
May 5 05:00:18 213.140.6.96:50246 -> xxx.yyy.150.245:139 SYN ******S*
May 5 05:00:17 213.140.6.96:50711 -> xxx.yyy.134.54:139 SYN ******S*
May 5 05:00:18 213.140.6.96:51281 -> xxx.yyy.204.169:139 SYN ******S*
May 5 05:00:22 213.140.6.96:52067 -> xxx.yyy.204.128:139 SYN ******S*
[...]
May 5 08:50:33 213.140.6.96:16613 -> xxx.yyy.241.204:139 SYN ******S*
May 5 08:50:35 213.140.6.96:14676 -> xxx.yyy.146.158:139 SYN ******S*
May 5 08:50:39 213.140.6.96:22431 -> xxx.yyy.79.141:139 SYN ******S*
May 5 08:50:36 213.140.6.96:49921 -> xxx.yyy.66.59:139 SYN ******S*
May 5 08:50:37 213.140.6.96:20839 -> xxx.yyy.191.110:139 SYN ******S*
May 5 08:50:42 213.140.6.96:49921 -> xxx.yyy.66.59:139 SYN ******S*
May 5 08:50:45 213.140.6.96:29047 -> xxx.yyy.76.5:139 SYN ******S*
May 5 08:50:46 213.140.6.96:22431 -> xxx.yyy.79.141:139 SYN ******S*
May 5 08:50:47 213.140.6.96:16414 -> xxx.yyy.66.119:139 SYN ******S*
6524

May 5 00:14:11 134.102.86.203:2636 -> xxx.yyy.129.67:2745 SYN ******S*
May 5 00:14:14 134.102.86.203:2181 -> xxx.yyy.129.67:1025 SYN ******S*
May 5 00:14:14 134.102.86.203:1673 -> xxx.yyy.129.67:445 SYN ******S*
May 5 00:14:14 134.102.86.203:2947 -> xxx.yyy.129.67:3127 SYN ******S*
May 5 00:14:14 134.102.86.203:4470 -> xxx.yyy.129.67:6129 SYN ******S*
May 5 00:14:12 134.102.86.203:4838 -> xxx.yyy.129.67:139 SYN ******S*
May 5 00:14:12 134.102.86.203:1344 -> xxx.yyy.129.67:3410 SYN ******S*
May 5 00:14:12 134.102.86.203:2147 -> xxx.yyy.129.67:1433 SYN ******S*
[...]
May 5 23:57:39 134.102.86.203:4479 -> xxx.yyy.220.38:1025 SYN ******S*
May 5 23:57:39 134.102.86.203:4482 -> xxx.yyy.220.38:445 SYN ******S*
May 5 23:57:39 134.102.86.203:4483 -> xxx.yyy.220.38:3127 SYN ******S*
May 5 23:57:39 134.102.86.203:4484 -> xxx.yyy.220.38:6129 SYN ******S*
May 5 23:57:39 134.102.86.203:4485 -> xxx.yyy.220.38:80 SYN ******S*
May 5 23:57:39 134.102.86.203:4487 -> xxx.yyy.220.38:139 SYN ******S*
May 5 23:57:39 134.102.86.203:4488 -> xxx.yyy.220.38:3410 SYN ******S*
May 5 23:57:39 134.102.86.203:4489 -> xxx.yyy.220.38:1433 SYN ******S*
May 5 23:57:39 134.102.86.203:4490 -> xxx.yyy.220.38:5000 SYN ******S*
5144

May 5 00:00:31 65.100.122.132:81 -> xxx.yyy.80.253:4598 INVALIDACK ***A*R*F
May 5 00:00:34 65.100.122.132:81 -> xxx.yyy.69.158:4890 INVALIDACK ***A*R*F
May 5 00:00:35 65.100.122.132:81 -> xxx.yyy.69.158:4890 INVALIDACK ***A*R*F
May 5 00:01:48 65.100.122.132:81 -> xxx.yyy.71.21:2992 INVALIDACK ***A*R*F
May 5 00:01:51 65.100.122.132:81 -> xxx.yyy.69.158:1121 INVALIDACK ***A*R*F
May 5 00:01:51 65.100.122.132:81 -> xxx.yyy.84.178:4430 INVALIDACK ***A*R*F
May 5 00:01:52 65.100.122.132:81 -> xxx.yyy.69.158:1121 INVALIDACK ***A*R*F
May 5 00:01:52 65.100.122.132:81 -> xxx.yyy.84.178:4430 INVALIDACK ***A*R*F
[...]
May 5 23:58:35 65.100.122.132:81 -> xxx.yyy.70.168:4195 INVALIDACK ***A*R*F
May 5 23:58:44 65.100.122.132:81 -> xxx.yyy.67.203:1460 INVALIDACK ***A*R*F
May 5 23:58:48 65.100.122.132:81 -> xxx.yyy.70.168:4247 INVALIDACK ***A*R*F
May 5 23:58:54 65.100.122.132:81 -> xxx.yyy.70.168:4247 INVALIDACK ***A*R*F
May 5 23:59:13 65.100.122.132:81 -> xxx.yyy.68.29:2751 INVALIDACK ***A*R*F
May 5 23:59:42 65.100.122.132:81 -> xxx.yyy.70.168:4398 INVALIDACK ***A*R*F
May 5 23:59:48 65.100.122.132:81 -> xxx.yyy.70.168:4398 INVALIDACK ***A*R*F
May 5 23:59:53 65.100.122.132:81 -> xxx.yyy.67.203:1641 INVALIDACK ***A*R*F
4571

[...]
4497

May 5 00:02:06 209.128.11.220:1571 -> xxx.yyy.105.77:2745 SYN ******S*
May 5 00:02:07 209.128.11.220:1476 -> xxx.yyy.91.26:2745 SYN ******S*
May 5 00:02:07 209.128.11.220:1492 -> xxx.yyy.148.111:2745 SYN ******S*
May 5 00:02:09 209.128.11.220:1511 -> xxx.yyy.94.174:1025 SYN ******S*
May 5 00:02:09 209.128.11.220:1509 -> xxx.yyy.94.174:2745 SYN ******S*
May 5 00:02:10 209.128.11.220:1646 -> xxx.yyy.89.190:2745 SYN ******S*
May 5 00:02:12 209.128.11.220:1675 -> xxx.yyy.107.221:2745 SYN ******S*
May 5 00:02:13 209.128.11.220:1646 -> xxx.yyy.89.190:2745 SYN ******S*
[...]
May 5 07:03:37 209.128.11.220:1284 -> xxx.yyy.176.93:2745 SYN ******S*
May 5 07:03:37 209.128.11.220:1201 -> xxx.yyy.185.42:2745 SYN ******S*
May 5 07:03:40 209.128.11.220:1358 -> xxx.yyy.14.210:2745 SYN ******S*
May 5 07:03:40 209.128.11.220:1364 -> xxx.yyy.207.146:2745 SYN ******S*
May 5 07:03:41 209.128.11.220:1233 -> xxx.yyy.78.210:2745 SYN ******S*
May 5 07:03:43 209.128.11.220:1358 -> xxx.yyy.14.210:2745 SYN ******S*
May 5 07:03:43 209.128.11.220:1284 -> xxx.yyy.176.93:2745 SYN ******S*
May 5 07:03:43 209.128.11.220:1364 -> xxx.yyy.207.146:2745 SYN ******S*
4469

[...]
4446

May 5 05:00:18 213.140.2.6:59408 -> xxx.yyy.134.132:2745 SYN ******S*
May 5 05:00:18 213.140.2.6:59411 -> xxx.yyy.134.132:1025 SYN ******S*
May 5 05:00:18 213.140.2.6:59413 -> xxx.yyy.134.132:445 SYN ******S*
May 5 05:00:18 213.140.2.6:59414 -> xxx.yyy.134.132:3127 SYN ******S*
May 5 05:00:18 213.140.2.6:59415 -> xxx.yyy.134.132:6129 SYN ******S*
May 5 05:00:18 213.140.2.6:59417 -> xxx.yyy.134.132:139 SYN ******S*
May 5 05:00:18 213.140.2.6:64105 -> xxx.yyy.144.225:2745 SYN ******S*
May 5 05:00:18 213.140.2.6:64114 -> xxx.yyy.144.225:1025 SYN ******S*
[...]
May 5 08:50:45 213.140.2.6:12802 -> xxx.yyy.153.167:3127 SYN ******S*
May 5 08:50:45 213.140.2.6:12797 -> xxx.yyy.153.167:445 SYN ******S*
May 5 08:50:51 213.140.2.6:15676 -> xxx.yyy.145.109:139 SYN ******S*
May 5 08:50:51 213.140.2.6:7918 -> xxx.yyy.145.109:3127 SYN ******S*
May 5 08:50:51 213.140.2.6:15675 -> xxx.yyy.145.109:6129 SYN ******S*
May 5 08:50:51 213.140.2.6:53781 -> xxx.yyy.145.109:445 SYN ******S*
May 5 08:50:51 213.140.2.6:54874 -> xxx.yyy.145.109:1025 SYN ******S*
May 5 08:50:51 213.140.2.6:54873 -> xxx.yyy.145.109:2745 SYN ******S*
4118

May 5 00:16:16 134.121.244.35:3622 -> xxx.yyy.201.58:2745 SYN ******S*
May 5 00:16:16 134.121.244.35:3626 -> xxx.yyy.201.58:1025 SYN ******S*
May 5 00:16:16 134.121.244.35:3632 -> xxx.yyy.201.58:6129 SYN ******S*
May 5 00:16:16 134.121.244.35:3633 -> xxx.yyy.201.58:80 SYN ******S*
May 5 00:16:16 134.121.244.35:3636 -> xxx.yyy.201.58:3410 SYN ******S*
May 5 00:16:16 134.121.244.35:3637 -> xxx.yyy.201.58:1433 SYN ******S*
May 5 00:16:13 134.121.244.35:3639 -> xxx.yyy.201.58:5000 SYN ******S*
May 5 00:16:41 134.121.244.35:1647 -> xxx.yyy.158.244:2745 SYN ******S*
[...]
May 5 23:59:35 134.121.244.35:4333 -> xxx.yyy.180.237:5000 SYN ******S*
May 5 23:59:41 134.121.244.35:4319 -> xxx.yyy.180.237:3410 SYN ******S*
May 5 23:59:41 134.121.244.35:4311 -> xxx.yyy.180.237:80 SYN ******S*
May 5 23:59:41 134.121.244.35:4304 -> xxx.yyy.180.237:6129 SYN ******S*
May 5 23:59:41 134.121.244.35:4282 -> xxx.yyy.180.237:1025 SYN ******S*
May 5 23:59:41 134.121.244.35:4274 -> xxx.yyy.180.237:2745 SYN ******S*
May 5 23:59:41 134.121.244.35:4333 -> xxx.yyy.180.237:5000 SYN ******S*
May 5 23:59:41 134.121.244.35:4325 -> xxx.yyy.180.237:1433 SYN ******S*
3675

May 5 00:01:27 66.190.44.41:4387 -> xxx.yyy.219.195:2745 SYN ******S*
May 5 00:01:29 66.190.44.41:4323 -> xxx.yyy.204.203:6129 SYN ******S*
May 5 00:01:29 66.190.44.41:4322 -> xxx.yyy.204.203:3127 SYN ******S*
May 5 00:01:29 66.190.44.41:4320 -> xxx.yyy.204.203:1025 SYN ******S*
May 5 00:01:29 66.190.44.41:4318 -> xxx.yyy.204.203:2745 SYN ******S*
May 5 00:01:30 66.190.44.41:4353 -> xxx.yyy.92.85:2745 SYN ******S*
May 5 00:01:33 66.190.44.41:4387 -> xxx.yyy.219.195:2745 SYN ******S*
May 5 00:01:36 66.190.44.41:4510 -> xxx.yyy.195.234:2745 SYN ******S*
[...]
May 5 23:56:35 66.190.44.41:4680 -> xxx.yyy.246.62:2745 SYN ******S*
May 5 23:59:54 66.190.44.41:3744 -> xxx.yyy.13.203:2745 SYN ******S*
May 5 23:59:55 66.190.44.41:3748 -> xxx.yyy.201.212:2745 SYN ******S*
May 5 23:59:57 66.190.44.41:3772 -> xxx.yyy.157.161:2745 SYN ******S*
May 5 23:59:57 66.190.44.41:3774 -> xxx.yyy.157.161:1025 SYN ******S*
May 5 23:59:57 66.190.44.41:3776 -> xxx.yyy.157.161:3127 SYN ******S*
May 5 23:59:54 66.190.44.41:3777 -> xxx.yyy.157.161:6129 SYN ******S*
May 6 00:00:01 66.190.44.41:3748 -> xxx.yyy.201.212:2745 SYN ******S*
3665

--
- Ken
===========================================================================
Ken Connelly (KC152) Systems and Operations Manager, ITS - Network Services
University of Northern Iowa Cedar Falls, IA 50614-0121
email: Ken.Connelly@xxxxxxx phone: (319) 273-5850 fax: (319) 273-7373
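A small parser for the scan extracts above, added here as an example; it is not part of Ken's post and not the tool that produced his summary. It reads lines in the `Mon D HH:MM:SS src:port -> dst:port KIND FLAGS` shape shown in the extracts, re-joins records whose flag field was wrapped onto the following line (as several records in the digest were), and reports per-source probe count, target and port spread, and time span, then labels the shape of each scan. The sample lines are constructed for the example with documentation-range addresses, and the shape labels and their thresholds are my own.

```python
"""Summarize SYN-scan log lines in the format used in the digest extracts.

Added example, not code from the original post. SAMPLE_LINES is constructed
for this example in the same format as the digest extracts.
"""
import re
from collections import defaultdict
from datetime import datetime

# One record: "May 5 07:47:20 80.200.150.98:2607 -> xxx.yyy.246.126:139 SYN ******S*"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)(?:\s+(?P<flags>\S+))?$"
)
FLAGS_ONLY_RE = re.compile(r"[*A-Z]{8}")   # a bare TCP flag field such as ******S* or ***A*R*F

SAMPLE_LINES = [  # constructed sample in the digest's format, with a wrapped record and a blank line
    "May 5 07:47:20 198.51.100.7:2607 -> 10.0.246.126:139 SYN ******S*",
    "May 5 07:47:17 198.51.100.7:2611 -> 10.0.236.253:139 SYN ******S*",
    "",
    "May 5 10:04:26 198.51.100.7:3644 -> 10.0.151.210:139 SYN",
    "******S*",
    "[...]",
    "May 5 00:14:11 203.0.113.9:2636 -> 10.0.129.67:2745 SYN ******S*",
    "May 5 00:14:14 203.0.113.9:2181 -> 10.0.129.67:1025 SYN ******S*",
    "May 5 00:14:14 203.0.113.9:1673 -> 10.0.129.67:445 SYN ******S*",
    "May 5 00:00:31 192.0.2.44:81 -> 10.0.80.253:4598 INVALIDACK ***A*R*F",
    "86034",
]


def join_wrapped(lines):
    """Drop blank lines and glue a bare flag field back onto the record before it."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if out and FLAGS_ONLY_RE.fullmatch(line):
            out[-1] = out[-1] + " " + line
        else:
            out.append(line)
    return out


def parse_line(line, year=2004):
    """Return a record dict for a scan line, or None for count lines and '[...]'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "kind": m["kind"], "flags": m["flags"] or ""}


def summarize(lines):
    """Per source: probe count, distinct targets and ports, first/last timestamp."""
    stats = defaultdict(lambda: {"probes": 0, "targets": set(), "ports": set(),
                                 "kinds": set(), "first": None, "last": None})
    for line in join_wrapped(lines):
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s["probes"] += 1
        s["targets"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        s["kinds"].add(rec["kind"])
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(stats)


def classify(entry):
    """Label the scan shape (assumed thresholds): one port across many hosts is a
    horizontal sweep, several ports against few hosts is a per-host port scan."""
    n_targets, n_ports = len(entry["targets"]), len(entry["ports"])
    if entry["kinds"] != {"SYN"}:
        return "non-SYN"
    if n_ports == 1 and n_targets > 1:
        return "horizontal sweep"
    if n_ports > 1 and n_targets <= n_ports:
        return "vertical port scan"
    return "mixed"


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LINES).items():
        print(f"{src:16} {s['probes']:5d} probes  {len(s['targets']):4d} hosts  "
              f"ports={sorted(s['ports'])}  {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}  "
              f"{classify(s)}")
```

Running the script prints one summary line per source; the port sets are what separate the single-port sweeps (139, 445, 8000, 443, 1433) in Ken's extracts from the sources that walk a fixed list of ports on each host, and the time span shows whether a source covered the range in minutes or all day.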


------------------------------

Message: 2
Date: Thu, 06 May 2004 09:37:03 -0400
From: Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>
Subject: Re: [Intrusions] Excessively large URI attacks
To: "Intrusions List (GCIA Practicals)" <intrusions@xxxxxxxxxxxxxx>
Message-ID: <409A3F7F.5020701@xxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

That's precisely what I'm seeing. They aren't breaking anything on my
end either, but they're excessively long. This certainly seems
different than the average Webdav attacks we've been seeing, but perhaps
it's just an attempt to exploit a generic overflow. Anyone have any
thoughts?

-Barry

Tom Glaab wrote:

>> Has anyone seen an uptick in attacks using excessively large URIs and
>> SEARCH strings?
>
> No uptick, but I've been seeing them for a few weeks. They don't seem
> to be breaking anything and there's been no discussion here, so I've
> just been watching them.
>
> They all look the same: 65.43.212.205 - - [02/May/2004:17:03:21 -0400]
> "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1.....
>
> and end with pages of \x90
>
> tg.
>
> _______________________________________________
> Intrusions mailing list
> Intrusions@xxxxxxxxxxxxxx
> http://www.dshield.org/mailman/listinfo/intrusions
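The check below is an added example, not code from Blaine's, Barry's or Tom's posts. It applies the reading from this thread to an Apache access log: it parses the common-log prefix, takes the request method and URI, and flags a SEARCH request, an oversize URI, and a URI whose escaped bytes are mostly \x90 (the x86 NOP that the "x86 NOOP" alert in Blaine's three-alert set keys on). Apache writes unprintable request bytes to the access log as backslash-x escapes, which is why Tom's line shows them literally, so the detector counts those escapes and converts the escaped length back to the byte length the server saw. The log lines are constructed for the example; `URI_LIMIT` and `NOP_RATIO` are assumed thresholds, 8190 being Apache's default `LimitRequestLine`.

```python
"""Flag oversize SEARCH (WebDAV) requests in Apache access-log lines.

Added example, not from the original thread. SAMPLE_LOG is constructed for
this example; the thresholds below are assumptions, not values from the thread.
"""
import re

# Common Log Format prefix; the request line is the first quoted field.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"'
    r'(?: (?P<status>\d{3}|-) (?P<size>\d+|-))?'
)
# Apache logs a non-printable request byte as the four characters \xHH.
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}")

URI_LIMIT = 8190    # assumption: Apache's default LimitRequestLine, in bytes
NOP_RATIO = 0.10    # assumption: share of escaped bytes that are \x90 to call it a NOP run

SAMPLE_LOG = [  # constructed sample lines
    '198.51.100.23 - - [02/May/2004:17:03:21 -0400] "GET /index.html HTTP/1.1" 200 1043',
    # a SEARCH with a long \x90 run followed by the \x02\xb1 pattern, rejected at the line limit
    '203.0.113.5 - - [02/May/2004:17:03:21 -0400] "SEARCH /' + r"\x90" * 9000
    + r"\x02\xb1" * 400 + ' HTTP/1.1" 414 -',
    # a short SEARCH with the same pattern prefix, below every size threshold
    '192.0.2.77 - - [02/May/2004:17:05:02 -0400] "SEARCH /' + r"\x90"
    + r"\x02\xb1" * 20 + ' HTTP/1.1" 404 -',
]


def analyze(line):
    """Parse one access-log line and return its request features and the reasons
    it was flagged (an empty list means nothing of note); None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    parts = m["request"].split(" ")
    method = parts[0] if parts else ""
    uri = parts[1] if len(parts) > 1 else ""
    escapes = ESCAPE_RE.findall(uri)
    nops = sum(1 for e in escapes if e.lower() == r"\x90")
    # Each \xHH escape stood for a single byte on the wire.
    decoded_len = len(uri) - 3 * len(escapes)
    reasons = []
    if method.upper() == "SEARCH":
        reasons.append("webdav-search")
    if decoded_len > URI_LIMIT:
        reasons.append("oversize-uri")
    if escapes and nops / len(escapes) >= NOP_RATIO:
        reasons.append("nop-sled")
    return {"client": m["client"], "method": method, "uri_len": decoded_len,
            "nop_bytes": nops, "status": m["status"], "reasons": reasons}


def flagged(lines):
    """Clients whose request triggered at least one reason, in log order."""
    return [r["client"] for r in map(analyze, lines) if r and r["reasons"]]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = analyze(line)
        print(f"{r['client']:15} {r['method']:7} len={r['uri_len']:6d} "
              f"nop={r['nop_bytes']:5d} status={r['status']} {r['reasons']}")
```

An "oversize-uri" hit next to a 414 status is the server refusing the request at its request-line limit, which matches the HTTP error Blaine saw Apache log; for a defender the lines worth a closer look are the same URI shape with a 2xx status, or any SEARCH reaching a host that actually serves WebDAV.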



------------------------------

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions


End of Intrusions Digest, Vol 2, Issue 8
****************************************


