Possible Botnet Scanning
We have received a report from one of our readers that their Cisco IPS sensors are picking up a large volume of scanning traffic across a large number of monitored clients.
He indicates: "These scans started about two or three days ago and have been rolling through our clients. Once we block one source IP address, a new source IP address shows up with the same traffic shortly thereafter. The scans are firing off multiple rapid events for two signatures on our deployed Cisco IPS sensors."
The sources are both inside and outside the US. Please let us know if you are seeing this type of activity.
Thank you to Ryan for reporting this activity to us.
He reports that the two signatures that are triggering are:
Unix Password File Access Attempt (SigID: 3201)
Web Application Security Test/Attack (SigID: 7212)
Updated: We have been receiving information and log samples indicating that there is indeed some activity going on, and it is more than likely botnet related. The information we have received indicates that this activity is directed at port 443 and port 80. One of our readers (thanks Erik) reported that his alerts match http://www.snort.org/search/sid/12709?r=1. Looking at that SID, it appears the activity may be directed at the Microsoft ASN.1 remote exploit for CVE-2005-1935, with an exploit called kill-bill (www.phreedom.org/solar/exploits/msasn1-bitstring/). All of it coincides with when the PHP GET requests started occurring. We will keep an eye on the reports and let you know if we see anything developing. Please continue to let us know what you are seeing.
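For readers triaging this on their own sensors, here is an added example (not part of the diary, and not Cisco or Snort tooling) that groups IPS events by source address for the two signature IDs named above and flags the "new source shows up shortly after the last one stops" pattern the reader describes. The log layout, the addresses (RFC 5737 documentation ranges) and the ten-minute rotation window are all assumptions made for the example.

```python
"""Triage of IPS alert lines: per-source summary and source-rotation detection.

Added example, not code from the ISC diary or from Cisco/Snort. The line
format "timestamp sigid src dst:port" is a constructed layout, not the real
Cisco IPS event format.
"""
from datetime import datetime, timedelta

# Signature IDs taken from the diary; the names are the diary's wording.
WATCHED_SIGS = {
    3201: "Unix Password File Access Attempt",
    7212: "Web Application Security Test/Attack",
}

# Constructed sample alerts (documentation IP ranges, invented timestamps).
# Source 192.0.2.10 bursts both signatures at ports 80/443, stops, and
# 203.0.113.7 picks up the same pattern three minutes later. The last line
# is an unrelated signature that the summary should ignore.
SAMPLE_LOG = """\
2008-05-01T10:00:01 3201 192.0.2.10 198.51.100.5:80
2008-05-01T10:00:02 7212 192.0.2.10 198.51.100.5:80
2008-05-01T10:00:02 3201 192.0.2.10 198.51.100.6:443
2008-05-01T10:00:03 7212 192.0.2.10 198.51.100.6:443
2008-05-01T10:03:10 3201 203.0.113.7 198.51.100.5:80
2008-05-01T10:03:11 7212 203.0.113.7 198.51.100.5:443
2008-05-01T10:03:12 3201 203.0.113.7 198.51.100.6:80
2008-05-01T11:30:00 1000 203.0.113.99 198.51.100.5:22
"""


def parse_events(text):
    """Parse the constructed 'timestamp sigid src dst:port' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst = line.split()
        host, port = dst.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(ts), "sig": int(sig),
                       "src": src, "dst": host, "port": int(port)})
    return events


def summarize(events):
    """Per source address: watched signatures fired, event count, first/last
    seen, distinct targets and ports. Events for other signatures are dropped."""
    per_src = {}
    for e in events:
        if e["sig"] not in WATCHED_SIGS:
            continue
        s = per_src.setdefault(e["src"], {
            "sigs": set(), "count": 0, "first": e["ts"], "last": e["ts"],
            "targets": set(), "ports": set(),
        })
        s["sigs"].add(e["sig"])
        s["count"] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
        s["targets"].add(e["dst"])
        s["ports"].add(e["port"])
    return per_src


def rotating_sources(per_src, gap=timedelta(minutes=10)):
    """Return (old_src, new_src) pairs where new_src fires the same signature
    set and starts within `gap` after old_src's last event: the rotation the
    reader observed after blocking a source. The 10-minute gap is assumed."""
    ordered = sorted(per_src.items(), key=lambda kv: kv[1]["first"])
    chains = []
    for (a, sa), (b, sb) in zip(ordered, ordered[1:]):
        delta = sb["first"] - sa["last"]
        if sa["sigs"] == sb["sigs"] and timedelta(0) <= delta <= gap:
            chains.append((a, b))
    return chains


def triage(text):
    """Convenience wrapper: parse, summarize, and detect rotation in one call."""
    per_src = summarize(parse_events(text))
    return per_src, rotating_sources(per_src)


if __name__ == "__main__":
    per_src, chains = triage(SAMPLE_LOG)
    for src, s in per_src.items():
        names = ", ".join(WATCHED_SIGS[i] for i in sorted(s["sigs"]))
        print(f"{src}: {s['count']} events, ports {sorted(s['ports'])}, "
              f"{len(s['targets'])} targets, sigs [{names}]")
    for old, new in chains:
        print(f"rotation: {old} -> {new}")
```

The rotation check is deliberately coarse: it only pairs consecutive sources with an identical signature set, which is enough to show that blocking one address did not end the campaign and that the next address should be treated as the same activity rather than a fresh event.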
Deb Hale