TippingPoint Digital Vaccine Laboratories

ThreatLinQ: A tale of two attackers

After my previous blog post last week about MS-SQL brute force attackers, I asked myself the question "who /are/ these guys?" I mean, there are a lot of different attacks out there, why choose this one? So, today I spent a couple of hours trying to answer this question.
Specifically, I decided to take the top 25 attackers from filter 463 'Bad MS-SQL SA Login', port scan them with OS detection and some other probes, and then compare them with the top 25 attackers from our 'PHP File Include' filters. So without further delay, below are the results:


                       Top 25 PHP RFI attackers   Top 25 Bad 'SA' Login attackers

Attacker OS:
  Windows                      32%                           88%
  Linux                        68%                            0%
  Unknown                       0%                           12%

Open ports:
  21                           56%                           36%
  22                           48%                            0%
  25                           56%                           28%
  53                           48%                           20%
  80                           68%                           52%
  110                          52%                           28%
  143                          44%                           16%
  135 or 445                   12%                           60%
  1433                          0%                           20%
  3306                         36%                           20%


So this is somewhat interesting. Pretty much all the 'bad SA login' attackers were Windows machines, while nearly 70% of the PHP file include attackers were Linux machines. Why is this? Well, it's hard to say without more information, but I suspect two things are happening here:

1.) Attackers are using their victims as launching pads for more attacks.
2.) Attackers are not using these machines as general purpose attack platforms. They are using them as attack platforms for more narrow 'classes' of attacks.

If these two points were not true, then you should not see such a strong correlation between the attacker OS and the attacked OS. In particular, if the second point were not true, and the attackers were using these hosts as launching pads targeting both Linux and Windows machines, then you should start seeing a much more diverse population of attackers as new machines are converted to attack platforms.
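The profiling step behind the table above, turning per-host scan results into per-OS and per-port percentages for each group of attackers, as an added example that is not from the original post. It parses constructed Nmap grepable (-oG) lines; the hosts, ports and OS guesses are made up, the `profile` function and `PORT_GROUPS` are names chosen here, and it adds a 443 row that the post's table does not have.

```python
import re
from collections import Counter

# Constructed Nmap grepable (-oG) lines standing in for the post's scans of
# the top attackers; hosts, ports and OS guesses are made up for this example.
SAMPLE_PHP_RFI = """\
Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///\tOS: Linux 2.6.X
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http///, 3306/open/tcp//mysql///\tOS: Linux 2.6.X
Host: 203.0.113.12 ()\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows XP
Host: 203.0.113.13 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///\tOS: Linux 2.6.X
"""
SAMPLE_BAD_SA = """\
Host: 198.51.100.20 ()\tPorts: 445/open/tcp//microsoft-ds///, 1433/open/tcp//ms-sql-s///\tOS: Microsoft Windows Server 2003
Host: 198.51.100.21 ()\tPorts: 80/open/tcp//http///, 135/open/tcp//msrpc///\tOS: Microsoft Windows XP
Host: 198.51.100.22 ()\tPorts: 25/open/tcp//smtp///
Host: 198.51.100.23 ()\tPorts: 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows 2000
"""

# Port rows from the post's table plus 443 (the gap raised in the comments);
# "135 or 445" counts a host once if either port is open.
PORT_GROUPS = {"21": {21}, "22": {22}, "25": {25}, "53": {53}, "80": {80},
               "110": {110}, "143": {143}, "135 or 445": {135, 445},
               "443": {443}, "1433": {1433}, "3306": {3306}}

def parse_grepable(text):
    """Yield (open_ports, os_family) per tab-separated 'Host:' line of -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        open_ports = {int(m.group(1)) for m in
                      re.finditer(r"(\d+)/open/", fields.get("Ports", ""))}
        os_guess = fields.get("OS", "")  # absent when Nmap could not fingerprint
        family = next((f for f in ("Windows", "Linux") if f in os_guess), "Unknown")
        yield open_ports, family

def profile(text):
    """Percent of scanned hosts per OS family and per tabulated port group."""
    hosts = list(parse_grepable(text))
    n = len(hosts)
    counts = Counter(fam for _, fam in hosts)
    os_pct = {fam: round(100 * counts[fam] / n)
              for fam in ("Windows", "Linux", "Unknown")}
    port_pct = {label: round(100 * sum(1 for p, _ in hosts if p & ports) / n)
                for label, ports in PORT_GROUPS.items()}
    return os_pct, port_pct

if __name__ == "__main__":
    for name, data in (("PHP RFI", SAMPLE_PHP_RFI), ("Bad SA login", SAMPLE_BAD_SA)):
        print(name, *profile(data))
```

Hosts with no OS field land in the Unknown row, which is how the 12% Unknown in the SA login column can arise when fingerprinting fails.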

So, what do you think? Does the logic follow, or is there something else going on here?  If you have any ideas please post them in the comments!
 
Tags: Threatlinq,Attacker,MSSQL,PHP RFI
Published On: 2008-08-27 09:26:29

Comments

  1. Leon commented on 2008-08-28 @ 10:18

    "1.) Attackers are using their victims as launching pads for more attacks."

    - Agreed

    "2.) Attackers are not using these machines as general purpose attack platforms. They are using them as attack platforms for more narrow 'classes' of attacks."

    It may sound obvious, but experience shows that automated exploitation tools that target an operating system are commonly written for execution on that same operating system. This would hold true with what you observe, as following either an automated or semi-automated intrusion the target may have kicked off its own process to find other vulnerable devices.

    The PHP RFI is an OS independent method of attack that can work equally well on a Linux device as a Windows box. I would suggest that you are seeing 68% of source OSes as Linux because LAMP is a common hosting platform. MSSQL runs pretty much exclusively on Windows.

    I also note that you don't mention where your *target* OS data comes from, did you scan these devices as well?

    If an OS assumption was based on the event detected expect split results. It may be sane to estimate Windows when it comes to SA logins, but PHP remote file includes could lead you to anything that runs PHP.

    One thing from your data set that got my eye is that only 68% of the sources of RFI attempts have a listener on TCP:80 at the time of your scan. My gut feel would have had this % higher, there could be a few reasons for this, but I found it quite interesting.

    - Proxies
    - SSL web servers (no results for :443)
    - Malicious sources rather than "launching pads"
    - Incident response process (I'm sure your port scan against a compromised host would have interested them as well)

    As far as attackers go, I would say that you are seeing a few one-trick ponies.

  2. Mike Dausin commented on 2008-09-03 @ 14:09

    Leon: Thanks for the great comment. I think you are right, we are probably looking at 'one trick pony' attackers.

    We also had hoped to see a higher percentage of PHP RFI attackers with port 80 open. We assumed the rest were proxies, or port 80 was disabled soon after infection. I like your incident response theory though. I wonder how many attackers are using counter-reconnaissance techniques these days.

    "I also note that you don't mention where your *target* OS data comes from"

    The attacker OS was mostly determined by an Nmap OS detection scan (or banner grabs in cases where Nmap was not sure).

  3. Leon commented on 2008-09-09 @ 06:05

    Hi.

    When I said *target* OS, I was referring to the OS identification of the target system not the source (attacker) system.

    Did you Nmap the target systems as well?

