NSA 2400 - Intrusion Details (1).pdf

Contents
Firewall
  NSA 2400
    Intrusions - Intrusion Details


Firewall: NSA 2400

Intrusions - Intrusion Details: December 5, 2013 - December 16, 2013

Timeline

#    Date            Events
1    Dec 5, 2013        819
2    Dec 6, 2013      1,862
3    Dec 7, 2013      3,076
4    Dec 8, 2013      4,185
5    Dec 9, 2013        315
6    Dec 10, 2013       249
7    Dec 11, 2013       349
8    Dec 12, 2013       221
9    Dec 13, 2013       183
10   Dec 14, 2013       410
11   Dec 15, 2013       305
12   Dec 16, 2013       117

Total: 12,091

Intrusions


#    Intrusion                                                           Priority   Events
1    Suspicious CIFS Traffic 6                                           Medium      3,953
2    Echo Reply                                                          Low         1,507
3    Destination Unreachable (Port Unreachable)                          Low         1,479
4    PING                                                                Low           932
5    NetBIOS Name Request Probe                                          Low           843
6    SQL Injection Attack 3                                              Medium        790
7    SQL Slammer Activity                                                Medium        336
8    PING with Null Payload                                              Low           307
9    HTTP Server Remote Code Execution 14                                Medium        278
10   HTTP Server Remote Code Execution 7                                 Medium        250
11   SIP friendly-scanner User-Agent                                     Low           228
12   Server Application Shellcode Exploit 2                              Medium        174
13   Time-To-Live Exceeded in Transit                                    Low           164
14   VML File HTTP Download 4a                                           Low           135
15   VML File HTTP Download 1a                                           Low            78
16   Server Application Shellcode Exploit 10                             Medium         64
17   UNION ALL Statement 4 (Possible SQL Injection)                      Medium         62
18   Server Application Shellcode Exploit 35                             Medium         57
19   Samba call_trans2open Buffer Overflow 3                             Medium         57
20   PING Microsoft Windows 2                                            Low            35
21   PING L3retriever                                                    Low            35
22   HTTP Request URI with SQL Statement (AND-1)                         Low            31
23   PHP File HTTP Upload 1                                              Low            28
24   Cross-Site Scripting (XSS) Attack 32                                Medium         27
25   Allaple ICMP Sweep Ping Inbound                                     Low            26
26   VML File HTTP Download 3a                                           Low            25
27   Microsoft SQL Server UDP Status Request                             Low            17
28   Suspicious Request URI 7                                            Medium         15
29   HTTP Server Suspicious File Upload 1                                Medium         15
30   Destination Unreachable (Fragmentation Needed and DF bit was set)   Low            10
31   Fragment Reassembly Time Exceeded                                   Low            10
32   Microsoft CAPICOM ActiveX Instantiation                             Medium          8
33   PING *NIX                                                           Low             7
34   PING BSDtype                                                        Low             7
35   PING CyberKit                                                       Low             6
36   Source Quench                                                       Low             6
37   Redirect Host                                                       Low             6
38   Oracle Java Web Start ActiveX Instantiation                         Medium          5
39   ISC BIND VERSION Query (UDP)                                        Low             5
40   Obfuscated HTML Code 13                                             Low             5
41   PHP CGI Argument Injection 2                                        Medium          5
42   Suspicious HTTP User-Agent Header 2a                                Medium          5
43   Obfuscated HTML Code 14                                             Low             5
44   SMTP VRFY root Command                                              Medium          4
45   Riskware MalHTML Activity                                           High            4
46   DNS Query example.com                                               Low             4
47   HTTP Server Remote Code Execution 22                                Medium          3
48   TCP Port 0 Traffic 1                                                Low             3
49   HTTP Server Directory Traversal Attack 1                            Medium          3
50   PHP CGI Argument Injection 1                                        Medium          2
51   OpenEMR Arbitrary File Overwrite                                    Medium          2
52   HTTP Request URI with SQL Statement (OR-1)                          Low             2
53   Windows LSASS Buffer Overflow 1 (MS04-011)                          Medium          2
54   PING BayRS Router                                                   Low             2
55   Suspicious CIFS Traffic 9                                           Medium          2
56   PING Flowpoint2200 or Network Management Software                   Low             2
57   HTTP Request URI with SQL Statement (IF-1)                          Low             2
58   SQL Injection Attack 12                                             Medium          2
59   Empty HTTP User-Agent Header                                        Low             1
60   HTTP Request URI with SQL Statement (BENCHMARK)                     Low             1
61   HTTP Request URI with SQL Statement (SELECT)                        Low             1
62   HTTP Request URI with SQL Statement (UNION ALL)                     Low             1
63   HTTP Request Body with SQL Statement (AND-1)                        Low             1
64   HTTP Request Body with SQL Statement (OR-1)                         Low             1
65   MHTML Protocol Handler XSS 3                                        Medium          1
66   SIP Stress Test Traffic 5c (Extra Spaces)                           Low             1
67   HTTP Client Shellcode Exploit 18                                    Medium          1
68   RealVNC Authentication Bypass                                       Medium          1
69   Apple Safari for iPhone Hide Address Bar                            Low             1
70   Obfuscated ActiveX Instantiation 3a                                 Medium          1
71   /etc/passwd Access 1                                                Low             1
72   EOT File HTTP Download                                              Low             1

Total: 12,091


Intrusion Categories

#    Category        Intrusion                       Events
1    NETBIOS         Suspicious CIFS Traffic          3,955
2    ICMP            Echo Reply                       1,507
3    ICMP            Destination Unreachable (P       1,479
4    ICMP            PING                               932
5    INFO            NetBIOS Name Request Probe         843
6    SQL-INJECTION   SQL Injection Att                  792
7    WEB-ATTACKS     HTTP Server Remote                 531
8    VIRUS           SQL Slammer Activity               336
9    ICMP            PING with Null Payload             307
10   EXPLOIT         Server Application Shel            295
11   INFO            SIP friendly-scanner User-         228
12   ICMP            Time-To-Live Exceeded in T         164
13   INFO            VML File HTTP Download 4a          135
14   INFO            VML File HTTP Download 1a           78
15   SQL-INJECTION   UNION ALL Stateme                   62
16   NETBIOS         Samba call_trans2open B             57
17   INFO            HTTP Request URI with SQL           38
18   ICMP            PING Microsoft Windows 2            35
19   ICMP            PING L3retriever                    35
20   INFO            PHP File HTTP Upload 1              28
21   XSS             Cross-Site Scripting (XSS)          27
22   ICMP            Allaple ICMP Sweep Ping In          26
23   INFO            VML File HTTP Download 3a           25
24   INFO            Microsoft SQL Server UDP S          17
25   WEB-ATTACKS     Suspicious Request                  15
26   WEB-ATTACKS     HTTP Server Suspici                 15
27   WEB-CLIENT      Obfuscated HTML Code                10
28   ICMP            Destination Unreachable (F          10
29   ICMP            Fragment Reassembly Time E          10
30   ACTIVEX         Microsoft CAPICOM Activ              8
31   ICMP            PING *NIX                            7
32   WEB-PHP         PHP CGI Argument Inject              7
33   ICMP            PING BSDtype                         7
34   ICMP            Redirect Host                        6
35   ICMP            Source Quench                        6
36   ICMP            PING CyberKit                        6
37   INFO            ISC BIND VERSION Query (UD           5
38   ACTIVEX         Oracle Java Web Start A              5
39   WEB-ATTACKS     Suspicious HTTP Use                  5
40   SMTP            SMTP VRFY root Command               4
41   VIRUS           Riskware MalHTML Activity            4
42   INFO            DNS Query example.com                4
43   INFO            TCP Port 0 Traffic 1                 3
44   WEB-ATTACKS     HTTP Server Directo                  3
45   ICMP            PING BayRS Router                    2
46   ICMP            PING Flowpoint2200 or Netw           2
47   INFO            HTTP Request Body with SQL           2
48   NETBIOS         Windows LSASS Buffer Ov              2
49   WEB-PHP         OpenEMR Arbitrary File               2
50   INFO            /etc/passwd Access 1                 1
51   INFO            EOT File HTTP Download               1
52   ACTIVEX         Obfuscated ActiveX Inst              1
53   INFO            Apple Safari for iPhone Hi           1
54   EXPLOIT         HTTP Client Shellcode E              1
55   MISC            RealVNC Authentication Byp           1
56   XSS             MHTML Protocol Handler XSS 3         1
57   VoIP-ATTACKS    SIP Stress Test Tr                   1
58   INFO            Empty HTTP User-Agent Head           1

Total: 12,091

Targets


Target IP Target Host Events


Total: 12,091

Initiators

Initiator IP Initiator Host User Events


Total: 9,842

Ports Information


#     Target Port   Initiator Port   Events
1            53               53      1,271
2         3,296                8        786
3           137              137        719
4        25,675                8        585
5         1,434            1,128        118
6        14,068                8        114
7         1,434            4,335        112
8             8           21,930         71
9           139           52,056         69
10          139           52,111         69
11          139           52,121         69
12          139           52,112         69
13          139           52,108         69
14          139           52,120         69
15          139           52,025         69
16          139           52,115         69
17          139           52,054         69
18          139           52,040         69
19          139           52,078         69
20          139           52,084         69
21          139           52,083         69
22          139           52,117         69
23          139           52,035         69
24          139           52,017         69
25          139           52,013         69
26          139           52,053         69
27          139           52,016         69
28          139           52,072         69
29          139           52,068         69
30          139           52,018         69
31          139           52,038         69
32          139           52,033         69
33          139           52,012         69
34          139           52,086         69
35          139           52,049         69
36          139           52,015         69
37          139           52,100         69
38          139           52,036         69
39          139           52,048         69
40          139           52,074         69
41          139           52,020         69
42          139           52,030         69
43          139           52,060         69
44          139           52,066         69
45          139           52,098         69
46          139           52,059         69
47          139           52,046         69
48          139           52,019         69
49          139           52,076         69
50          139           52,042         69
51          139           52,044         69
52          139           52,092         69
53          139           52,028         69
54          139           52,080         69
55          139           52,024         69
56          139           52,102         69
57          139           52,014         69
58          139           52,071         69
59          139           52,104         69
60          139           52,114         69
61          139           52,096         69
62          139           52,094         69
63          139           52,062         69
64          139           52,022         69
65          139           52,065         69
66            8              512         67
67          139           52,088         67
68          139           52,090         67
69        5,060            5,060         61
70            8                1         57
71           80           53,315         30
72        1,434            4,365         26
73           80           53,546         24
74        1,434            1,944         24
75           80           52,991         24
76           80           52,988         23
77           80           53,347         23
78           80           53,340         23
79           80           53,552         22
80           80           52,762         21
81           80           53,354         21
82           80           53,343         20
83            1                8         20
84           80           53,540         19
85           80           52,760         17
86           80           53,554         16
87           80           53,560         16
88           80           53,330         16
89           80           52,765         15
90           80           52,995         15
91           80           53,352         14
92           80           53,569         14
93            8              768         14
94           80           53,267         14
95           80           53,547         13
96           80           53,349         13
97           80           52,980         13
98           80           53,534         13
99           80           53,337         12
100          80           52,468         12

Total: 8,575

Target Countries

#   Target Country   Events
1   Brazil           12,087
2   United States         4

Total: 12,091

Initiator Countries

#   Initiator Country                   Events
1   Taiwan; Republic of China (ROC)      4,081
2   Brazil                               2,376
3   Unknown                              2,329
4   United States                        1,142
5   China                                  655

Total: 10,583