Re: Has someone in Asia exploited Cisco

From: Robert Guess (no email)
Date: Thu Sep 01 2005 - 09:27:20 EDT

  • Next message: Susan Harris: "Re: This fall in LA"

    Offhand, I would be tempted to say it is the activity of a not
    exceedingly competent attacker trying to exploit a very old bug. The
    sender is probing for the HTTP Authentication Bypass Issue from June 27
    2001.

    Original Advisory
    http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

    Malicious request: http://>/level/16/exec/

    Analyze the timing and source of log events to determine if it is an
    automated issue.

    Robert Guess
    Assistant Professor, Information Systems Technology
    Tidewater Community College
    (757) 822-5022

    () ascii ribbon campaign
    /\ against html email

    >>> "J. Oquendo" <> 09/01/05 9:07 AM >>>

    After doing some logfile analysis briefly yesterday, I noticed what
    seems to be some form of bot, worm, something, searching for what
    could seem to point to a Cisco exploitation of sorts.
    (http://tinyurl.com/df9d8)

    All the hosts who've tried searching for the string are coming from
    APNIC. So I'm wondering... Has someone taken Michael Lynn's paper
    "Holy Grail" and produced a "DaVinci Code" to exploit the flaws Lynn
    spoke of...

    Code snippet below is of "cisco_scanner.c" which searches for the same
    particular /level/16/exec/-///pwd string; however, the code can be
    modified (obviously), and a search turns up less than one page of
    results on Google. Author's page seems to be gone like the wind...
    Anyhow.

    # grep "/level/16/exec/-///" access_log |awk '{print $1,"\t\t"$7}'
    58.236.50.75 /level/16/exec/-///pwd
    221.141.168.137 /level/16/exec/-///pwd
    221.138.93.31 /level/16/exec/-///pwd
    218.53.244.16 /level/16/exec/-///pwd
    222.232.84.34 /level/16/exec/-///pwd
    222.238.128.14 /level/16/exec/-///pwd
    218.50.74.189 /level/16/exec/-///pwd
    218.239.26.42 /level/16/exec/-///pwd
    218.232.83.18 /level/16/exec/-///pwd
    211.208.254.67 /level/16/exec/-///pwd

    whois.apnic.net $ABOVE_HOSTS

    Code snippet...

    /*
            Multi-thread Cisco HTTP vulnerable scanner v0.2
                    by Inode
    */

    #define HTTP_REQUEST "GET /level/16/exec/-///pwd HTTP/1.0\n\n"

    So now I have yet another mod_security rule added ;)

    SecFilterSelective THE_REQUEST "/level/16" "redirect:http://www.cisco.com"

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    J. Oquendo
    GPG Key ID 0x97B43D89
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

    It is much easier to suggest solutions when you know nothing
    about the problem. -- Niklaus Wirth
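Robert's advice to analyze the timing and source of the log events, together with the grep/awk one-liner quoted above, can be turned into a small triage script. The following is an added example written for this archive page; it is not code from either poster or from the scanner the thread mentions. It assumes Apache common log format lines (the timestamps and the 192.0.2.7 line are constructed; the probing addresses are the ones quoted in the thread), and it deliberately generalizes the matched string to the whole /level/NN/exec/ URL family the 2001 advisory covers rather than only level 16. The "automated sweep" heuristic and its thresholds are the author's own choice, not anything stated in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access_log excerpt in Apache common log format. The
# source addresses come from the grep output quoted in the thread; the
# timestamps, the benign request and the junk line are made up here.
SAMPLE_LOG = """\
58.236.50.75 - - [31/Aug/2005:13:02:11 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 404 209
221.141.168.137 - - [31/Aug/2005:13:02:19 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 404 209
192.0.2.7 - - [31/Aug/2005:13:02:20 -0400] "GET /index.html HTTP/1.1" 200 1043
221.138.93.31 - - [31/Aug/2005:13:03:02 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 404 209
this line is not an access_log record
218.53.244.16 - - [31/Aug/2005:13:04:40 -0400] "GET /level/16/exec/-///pwd HTTP/1.0" 404 209
"""

# Apache common log format: client, ident, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Generalized form of the probe string from the thread (assumption: match the
# whole /level/NN/exec/ family, not only /level/16/exec/-///pwd).
PROBE_RE = re.compile(r'^/level/\d+/exec/')


def parse_line(line):
    """Return the fields of one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_probes(lines):
    """Keep only the parsed records whose path looks like the IOS HTTP probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.match(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits, sweep_window=300):
    """Per-source counts plus a timing heuristic for 'is this an automated sweep'.

    The heuristic (author's assumption): three or more distinct sources, each
    sending exactly one byte-identical request, all inside sweep_window
    seconds, reads like a scripted scanner rather than a person poking around.
    """
    if not hits:
        return {"sources": 0, "per_source": {}, "span_seconds": 0.0,
                "likely_automated": False}
    hits = sorted(hits, key=lambda r: r["ts"])
    per_source = Counter(r["ip"] for r in hits)
    span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds()
    identical = len({(r["method"], r["path"]) for r in hits}) == 1
    likely = (len(per_source) >= 3 and identical
              and span <= sweep_window
              and max(per_source.values()) == 1)
    return {"sources": len(per_source), "per_source": dict(per_source),
            "span_seconds": span, "likely_automated": likely}


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG.splitlines())
    report = summarize(probes)
    for ip, n in sorted(report["per_source"].items()):
        print(f"{ip:<16} {n} probe(s)")
    print(f"{report['sources']} sources over {report['span_seconds']:.0f}s, "
          f"likely automated: {report['likely_automated']}")
```

Feed it a real access_log with `find_probes(open('access_log'))`; the per-source table is the same information as the grep/awk output, and the span plus the one-request-per-host pattern is what distinguishes a bulk sweep from a single curious visitor. The addresses can then be handed to whois as in the thread.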

