more iis-kabom Re: New attack or old Vulnerability Scanner?
From: Mark Embrich <mark_embrich(at)yahoo.com>
Date: Thu May 08 2003 - 18:49:48 EDT
In-Reply-To: <OFA6BA0106.874F41EB-ON85256D18.005D3E70-85256D18.0061259B@us.ibm.com>

Received another of the iis-kabom type attacks. This one was slightly different in that the attacks came very slowly, about 2-4 minutes between attacks -- lasting 3 hours. This time it came from what looks like an Israeli cable provider's pool.

I did not receive all 65 attacks; it appears that some attacks were purposely removed -- like the "GET /adsamples/" requests.

Also different was that the source port numbers were jumping all over the place. Sometimes jumping a few hundred ports between attacks, sometimes the following attack had a lower port number (which I assume means the attacker sent so many packets that the source ports wrapped around). Therefore, it could be that this attacker targeted so many victims that he performed a DoS on himself, thus the 2-4 minutes between attacks. Otherwise, I don't know why they would slow down the attack -- it's not like a portscan.

I don't need any responses, just letting you all know that this iis-kabom variant appears to be a work in progress.

Thanks,
Received on Thu May 8 19:27:24 2003
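
The inference in the message above (a later request arriving from a lower source port means the sender's port pool wrapped around), worked through as an added example that is not part of the original post. It assumes the sender hands out source ports sequentially from one fixed pool; the pool bounds 1025-5000 and the sample observations are constructed for illustration.

```python
from datetime import datetime

# Constructed sample: (time seen at the sensor, TCP source port). Not from the post.
SAMPLE = [
    ("2003-05-08 15:00:10", 3120),
    ("2003-05-08 15:02:40", 3420),
    ("2003-05-08 15:06:00", 4820),
    ("2003-05-08 15:08:30", 1294),  # lower than the previous port: pool wrapped
]

def forward_distance(prev, cur, lo, hi):
    """Ports consumed going from prev to cur in a sequential pool [lo, hi].

    Only a lower bound: any number of additional full trips around the pool
    between two observations would give the same result.
    """
    for port in (prev, cur):
        if not lo <= port <= hi:
            raise ValueError(f"port {port} is outside the assumed pool {lo}-{hi}")
    return (cur - prev) % (hi - lo + 1)

def analyse(observations, lo=1025, hi=5000):
    """Per pair of consecutive hits: time gap, ports used, implied minimum rate."""
    parsed = [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), p) for t, p in observations]
    rows = []
    for (t0, p0), (t1, p1) in zip(parsed, parsed[1:]):
        gap = (t1 - t0).total_seconds()
        used = forward_distance(p0, p1, lo, hi)
        rows.append({
            "gap_s": gap,
            "ports_used": used,        # connections the source opened elsewhere
            "wrapped": p1 < p0,        # the "lower port number" case in the post
            "min_conn_per_s": used / gap if gap > 0 else None,
        })
    return rows

if __name__ == "__main__":
    for row in analyse(SAMPLE):
        print(row)
```

A steady `min_conn_per_s` across hits is consistent with one source working through many targets; the figure says nothing if the sender randomises its source ports.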