
This post shows how the “Filter Group” section of the website can be used to find some very interesting events. Let's start by looking at the “Metasploit Shellcode” group, which is more often than not a very good starting point for finding malicious attackers. Not surprisingly, in analyzing ThreatLinQ data we have noticed that shellcode filters fire in tandem with many severe attacks. This makes sense, as the Metasploit shellcode is borrowed by a majority of the exploit tools and proof-of-concept code circulating on the Internet. So, let's take a look at the “Source IPs” tab and select one of the IP addresses that has a large number of hits for this ThreatLinQ Filter Group, namely 210.91.205.222, which originates from the Republic of Korea. On 7-16-08 we see a number of filter 3990 “Exploit: Shellcode Payload” hits along with a single hit for filter 3885 “PHP File Include Exploit”. This attacker then proceeded, 6 days later, to launch a DCOM ISystemActivator Overflow attack. Groupings of severe attacks such as these three strengthen our case that 210.91.205.222 is an active, malicious host and one to keep an eye on in the future.
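As an added example (not code from the original post or from ThreatLinQ), the pivot described above expressed as a small script: it reads constructed filter-hit records in an assumed `date,src_ip,filter_id,filter_name` format, uses shellcode filter 3990 as the starting point, and flags sources that also fired another severe filter within a window of days. Filter numbers 3990 and 3885 come from the post; the DCOM filter's number is not given, so a labelled placeholder stands in for it.

```python
from collections import defaultdict
from datetime import date

# Filters the post treats as indicators. 3990 and 3885 are the numbers
# given in the post; the DCOM filter's number is not, so it is a placeholder.
SHELLCODE_FILTERS = {"3990"}
SEVERE_FILTERS = {"3885", "DCOM-FILTER-ID-PLACEHOLDER"}

# Constructed sample export (format assumed): date,src_ip,filter_id,filter_name
SAMPLE_HITS = """\
2008-07-16,210.91.205.222,3990,Exploit: Shellcode Payload
2008-07-16,210.91.205.222,3990,Exploit: Shellcode Payload
2008-07-16,210.91.205.222,3990,Exploit: Shellcode Payload
2008-07-16,210.91.205.222,3885,PHP File Include Exploit
2008-07-22,210.91.205.222,DCOM-FILTER-ID-PLACEHOLDER,DCOM ISystemActivator Overflow
2008-07-16,198.51.100.7,3990,Exploit: Shellcode Payload
2008-07-19,203.0.113.5,3885,PHP File Include Exploit
"""


def parse_hits(text):
    """Yield (date, src_ip, filter_id) from the constructed CSV-like export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, fid, _name = line.split(",", 3)
        yield date.fromisoformat(day), src, fid


def flag_hosts(hits, window_days=7):
    """Return {src_ip: sorted distinct filter ids} for every source that fired a
    shellcode filter and at least one other severe filter within window_days of
    it. This is the post's pivot: shellcode hits as the starting point, then a
    look for companion severe attacks from the same source over the next days."""
    by_src = defaultdict(list)
    for day, src, fid in hits:
        by_src[src].append((day, fid))
    flagged = {}
    for src, events in by_src.items():
        shell_days = [d for d, f in events if f in SHELLCODE_FILTERS]
        if not shell_days:
            continue  # no shellcode starting point for this source
        companions = {f for d, f in events if f in SEVERE_FILTERS
                      and any(abs((d - s).days) <= window_days for s in shell_days)}
        if companions:
            flagged[src] = sorted({f for _, f in events})
    return flagged


if __name__ == "__main__":
    for ip, filters in flag_hosts(parse_hits(SAMPLE_HITS)).items():
        print(ip, filters)
```

Only the Korean source is flagged: 198.51.100.7 fired shellcode alone and 203.0.113.5 never fired a shellcode filter, so neither meets the post's "groupings of severe attacks" bar.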