Huh, the department of homeland security is attacking me?

Either the DHS is attacking me, or else they’ve got compromised computers…

In my logs I see 1147 attempts from 64.69.57.20 to my web server; e.g.

64.69.57.20 - - [03/Jul/2015:00:40:32 -0400] "\x16\x03\x01" 501 295 "-" "-"
64.69.57.20 - - [03/Jul/2015:00:40:40 -0400] "GNUTELLA CONNECT/0.6" 400 306 "-" "-"
64.69.57.20 - - [03/Jul/2015:00:40:41 -0400] "GET http://rfi.nessus.org/check_proxy.html HTTP/1.0" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
64.69.57.20 - - [03/Jul/2015:00:40:42 -0400] "ABKJFC / HTTP/1.1" 501 303 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
64.69.57.20 - - [03/Jul/2015:00:40:42 -0400] "GET /aboutprinter.html HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
64.69.57.20 - - [03/Jul/2015:00:40:42 -0400] "GET /properties/configuration.php?tab=Status HTTP/1.1" 404 311 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
64.69.57.20 - - [03/Jul/2015:00:40:52 -0400] "GET /etc/passwd HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
64.69.57.20 - - [03/Jul/2015:00:41:09 -0400] "GET /?<meta%20http-equiv=Set-Cookie%20content=%22testrdhw=3733%22> HTTP/1.1" 200 6059 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

logwatch summary:

 Requests with error response codes
    400 Bad Request
       %.: 2 Time(s)
       %5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e ... winnt%5cwin.ini: 2 Time(s)
       .: 2 Time(s)
       ../../../../../../../../../../../../windows/win.ini: 2 Time(s)
       ../../../../../../../../../../../../winnt/win.ini: 2 Time(s)
       ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini: 2 Time(s)
       ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini: 2 Time(s)
       ..\\..\\..\\..\\..\\..\\windows\\win.ini: 2 Time(s)
       ..\\..\\..\\..\\..\\..\\winnt\\win.ini: 2 Time(s)
       ./././././././././././././././././././././ ... ../../../../../: 2 Time(s)
       .\\.\\.\\.\\.\\.\\.\\.\\.\\.\\/windows/win.ini: 2 Time(s)
       .\\.\\.\\.\\.\\.\\.\\.\\.\\.\\/winnt/win.ini: 2 Time(s)
       /: 9 Time(s)
       /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e ... e%2e/etc/passwd: 2 Time(s)
       /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e ... e/winnt/win.ini: 2 Time(s)
       /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e ... windows/win.ini: 2 Time(s)
       /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd: 2 Time(s)
       /%NETHOOD%/: 2 Time(s)
       /%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%u ... e/winnt/win.ini: 2 Time(s)
       /%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%u ... ff0e/etc/passwd: 2 Time(s)
       /%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%u ... windows/win.ini: 2 Time(s)
       /../../../../../../../../../../../../etc/passwd: 2 Time(s)
       /../../../../../../../../../../../../windows/win.ini: 2 Time(s)
       /../../../../../../../../../../../../winnt/win.ini: 2 Time(s)
       /./../../../../../../../../../../../etc/passwd: 2 Time(s)
       /././..: 2 Time(s)
       /././././././../../../../../etc/passwd: 2 Time(s)
       /././././././../../../../../windows/win.ini: 2 Time(s)
       /././././././../../../../../winnt/win.ini: 2 Time(s)
       //../../../../../../../../../../../../etc/passwd: 2 Time(s)
       /password: 2 Time(s)
       /tmUnblock.cgi: 1 Time(s)
       1435898497:@166.84.7.9/: 4 Time(s)
       : 1 Time(s)
       : 1 Time(s)
       : 1 Time(s)
       : 1 Time(s)
       CONNECT/0.4: 2 Time(s)
       CONNECT/0.6: 2 Time(s)
       c:\\boot.ini: 2 Time(s)
       invalid: 2 Time(s)
    403 Forbidden
       /: 1 Time(s)
       /.htaccess.1: 2 Time(s)
       /.htaccess.bak: 2 Time(s)
       /.htaccess.copy: 2 Time(s)
       /.htaccess.old: 2 Time(s)
       /.htaccess.tmp: 2 Time(s)
       /.htaccess.~1~: 2 Time(s)
       /.htaccess~: 2 Time(s)
    404 Not Found SUMMARY - 733 URLs, total: 1483 Time(s)
    405 Method Not Allowed
       /: 4 Time(s)
       /gprvpp1.html: 1 Time(s)
       /pevwoo1.html: 1 Time(s)
    417 Expectation Failed
       /: 1 Time(s)
    501 Not Implemented
       *: 2 Time(s)
       /: 4 Time(s)
       null: 5 Time(s)

The Nessus proxy check line makes me think this might be a generic scan… but why my machine?

They didn’t stop there… I have SSHD running on a non-standard port. If someone attempts to connect too frequently then they get blocked (simple iptables rule). I can see 6 dropped packets from the same SRC=64.69.57.20 to my SSH port.

Didn’t stop there, either. DNS attempts?

client 64.69.57.20 bad zone transfer request: 'dastardly.spuddy.org/IN': non-authoritative zone (NOTAUTH): 1 Time(s)
client 64.69.57.20 bad zone transfer request: 'org/IN': non-authoritative zone (NOTAUTH): 1 Time(s)
client 64.69.57.20 bad zone transfer request: 'ssl.spuddy.org/IN': non-authoritative zone (NOTAUTH): 1 Time(s)
client 64.69.57.20 update forwarding 'spuddy.org/IN' denied: 1 Time(s)
client 64.69.57.20 query (cache) 'example.com/A/IN' denied
client 64.69.57.20 query (cache) '\.\./nessus/A/IN' denied

Looks like some port scans too, ’cos I can see “rsync” (started from xinetd) being woken up (but it denies them access).

And, from another machine on the same network, SMTP attacks!

CONNECT from unknown[64.69.57.28]: 503 5.5.0 : Client host rejected: Improper use of SMTP command pipelining; proto=SMTP
non-SMTP command from unknown[64.69.57.28]: GET / HTTP/1.0 : 1 Time(s)
non-SMTP command from unknown[64.69.57.28]: GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0 : 1 Time(s)
non-SMTP command from unknown[64.69.57.28]: Via: SIP/2.0/TCP nm;branch=foo: 1 Time(s)

(66 attempts against SMTP)

OK, OK, this all looks like an “out of the box” type scan from some misconfigured security tool. But it’s funny that it’s the DHS!
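The conclusion that this is an out-of-the-box scan rests on one source network hitting HTTP, SSH, DNS and SMTP in quick succession, so here is an added example (mine, not the post author's) that does that correlation mechanically. It parses Apache combined, BIND, Postfix and iptables LOG lines, decodes the traversal encodings seen in the logwatch summary (%2e, %uff0e, backslashes) so the variants compare equal, and groups events by /24 so that 64.69.57.20 and 64.69.57.28 surface together. The sample lines are constructed to match the excerpts in the post; the regex set, the indicator names, the "SSH-LIMIT" log prefix, the 203.0.113.7 visitor and DPT=2222 (standing in for the post's unnamed SSH port) are assumptions of the example, not anything the post states.

```python
import re
import ipaddress
import unicodedata
from collections import defaultdict, Counter
from urllib.parse import unquote

# Constructed sample lines modelled on the Apache, BIND, Postfix and iptables LOG
# excerpts in the post. 203.0.113.7 is a documentation address standing in for a
# legitimate visitor; DPT=2222 is a placeholder for the post's unnamed SSH port.
SAMPLE_LOGS = [
    '64.69.57.20 - - [03/Jul/2015:00:40:32 -0400] "\\x16\\x03\\x01" 501 295 "-" "-"',
    '64.69.57.20 - - [03/Jul/2015:00:40:40 -0400] "GNUTELLA CONNECT/0.6" 400 306 "-" "-"',
    '64.69.57.20 - - [03/Jul/2015:00:40:41 -0400] "GET http://rfi.nessus.org/check_proxy.html HTTP/1.0" 404 293 "-" "Mozilla/4.0"',
    '64.69.57.20 - - [03/Jul/2015:00:40:52 -0400] "GET /etc/passwd HTTP/1.1" 404 293 "-" "Mozilla/4.0"',
    '64.69.57.20 - - [03/Jul/2015:00:40:53 -0400] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 306 "-" "Mozilla/4.0"',
    '64.69.57.20 - - [03/Jul/2015:00:40:54 -0400] "GET /%uff0e%uff0e/%uff0e%uff0e/winnt/win.ini HTTP/1.1" 400 306 "-" "Mozilla/4.0"',
    '64.69.57.20 - - [03/Jul/2015:00:40:55 -0400] "GET /..\\\\..\\\\..\\\\windows\\\\win.ini HTTP/1.1" 400 306 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [03/Jul/2015:00:41:00 -0400] "GET /index.html HTTP/1.1" 200 6059 "-" "Mozilla/5.0"',
    "client 64.69.57.20 bad zone transfer request: 'org/IN': non-authoritative zone (NOTAUTH)",
    "client 64.69.57.20 query (cache) '\\.\\./nessus/A/IN' denied",
    "kernel: SSH-LIMIT: IN=eth0 OUT= SRC=64.69.57.20 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=2222",
    "CONNECT from unknown[64.69.57.28]: 503 5.5.0 : Client host rejected: Improper use of SMTP command pipelining; proto=SMTP",
    "non-SMTP command from unknown[64.69.57.28]: GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0",
]

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
APACHE = re.compile(r'^(?P<ip>' + IPV4 + r') \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
BIND = re.compile(r'^client (?P<ip>' + IPV4 + r') (?P<msg>.*)$')
IPTABLES = re.compile(r'\bSRC=(?P<ip>' + IPV4 + r')\b.*\bDPT=(?P<dpt>\d+)')
POSTFIX = re.compile(r'from unknown\[(?P<ip>' + IPV4 + r')\]')

HTTP_METHODS = {'GET', 'POST', 'HEAD', 'OPTIONS', 'PUT', 'DELETE', 'TRACE', 'CONNECT', 'PATCH'}
SENSITIVE = ('etc/passwd', 'win.ini', 'boot.ini', '.htaccess')


def decode_target(target):
    """Undo the encodings a scanner rotates through so traversal variants compare equal."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), target)  # IIS %uXXXX
    s = unquote(unquote(s))                 # single and double URL-encoding (%2e, %252e)
    s = unicodedata.normalize('NFKC', s)    # fullwidth '.' (U+FF0E) becomes ASCII '.'
    return re.sub(r'/+', '/', s.replace('\\', '/'))


def classify_http(request_line):
    """Label one Apache request line with the kind of probe it represents."""
    parts = request_line.split(' ')
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return 'malformed-request'        # raw TLS ClientHello, Gnutella handshake, junk method
    _method, target, _version = parts
    if '://' in target:
        return 'open-proxy-probe'         # absolute-URI request such as the Nessus check_proxy line
    decoded = decode_target(target).lower()
    if '../' in decoded:
        return 'path-traversal'
    if any(name in decoded for name in SENSITIVE):
        return 'sensitive-file-probe'
    return 'normal'


def classify_line(line):
    """Return (source ip, service, indicator) for a recognised line, else None."""
    m = APACHE.match(line)
    if m:
        return m['ip'], 'http', classify_http(m['req'])
    m = BIND.match(line)
    if m:
        msg = m['msg']
        if 'zone transfer' in msg:
            indicator = 'axfr-attempt'
        elif 'update forwarding' in msg:
            indicator = 'dns-update-attempt'
        elif 'denied' in msg:
            indicator = 'recursion-probe'
        else:
            indicator = 'other'
        return m['ip'], 'dns', indicator
    m = IPTABLES.search(line)
    if m:
        return m['ip'], 'ssh', 'rate-limited-connect'
    m = POSTFIX.search(line)
    if m:
        indicator = 'non-smtp-command' if line.startswith('non-SMTP command') else 'smtp-reject'
        return m['ip'], 'smtp', indicator
    return None


def summarize(lines):
    """Group events by /24 so neighbouring scanner hosts (.20 and .28 here) are seen together."""
    by_net = defaultdict(lambda: {'sources': set(), 'services': set(), 'indicators': Counter()})
    for line in lines:
        hit = classify_line(line)
        if hit is None:
            continue
        ip, service, indicator = hit
        net = str(ipaddress.ip_network(f'{ip}/24', strict=False))
        by_net[net]['sources'].add(ip)
        by_net[net]['services'].add(service)
        by_net[net]['indicators'][indicator] += 1
    return by_net


def multi_service_scanners(summary, min_services=2):
    """Networks that touched at least min_services distinct services: the generic-scan signature."""
    return sorted(net for net, entry in summary.items() if len(entry['services']) >= min_services)


if __name__ == '__main__':
    result = summarize(SAMPLE_LOGS)
    for net in multi_service_scanners(result):
        entry = result[net]
        print(net, sorted(entry['sources']), sorted(entry['services']), dict(entry['indicators']))
```

A /24 whose only traffic is rejected requests spread over several services is what a generic scanner looks like; a genuine visitor stays in one service with a 'normal' indicator. To run it over real files, pass a concatenation of the access, named, mail and kernel logs to summarize() instead of SAMPLE_LOGS.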