
Firewall ........................................ 2
NSA 2400 ........................................ 2
Intrusions - Intrusion Details .................. 2

Firewall
NSA 2400
Intrusions - Intrusion Details: December 5, 2013 - December 16, 2013
Timeline

 #   Time            Events
 1   Dec 5, 2013        819
 2   Dec 6, 2013      1,862
 3   Dec 7, 2013      3,076
 4   Dec 8, 2013      4,185
 5   Dec 9, 2013        315
 6   Dec 10, 2013       249
 7   Dec 11, 2013       349
 8   Dec 12, 2013       221
 9   Dec 13, 2013       183
10   Dec 14, 2013       410
11   Dec 15, 2013       305
12   Dec 16, 2013       117
     Total:          12,091

Intrusions

Powered By

 #   Intrusion                                                          Priority   Events
 1   Suspicious CIFS Traffic 6                                          Medium      3,953
 2   Echo Reply                                                         Low         1,507
 3   Destination Unreachable (Port Unreachable)                         Low         1,479
 4   PING                                                               Low           932
 5   NetBIOS Name Request Probe                                         Low           843
 6   SQL Injection Attack 3                                             Medium        790
 7   SQL Slammer Activity                                               Medium        336
 8   PING with Null Payload                                             Low           307
 9   HTTP Server Remote Code Execution 14                               Medium        278
10   HTTP Server Remote Code Execution 7                                Medium        250
11   SIP friendly-scanner User-Agent                                    Low           228
12   Server Application Shellcode Exploit 2                             Medium        174
13   Time-To-Live Exceeded in Transit                                   Low           164
14   VML File HTTP Download 4a                                          Low           135
15   VML File HTTP Download 1a                                          Low            78
16   Server Application Shellcode Exploit 10                            Medium         64
17   UNION ALL Statement 4 (Possible SQL Injection)                     Medium         62
18   Server Application Shellcode Exploit 35                            Medium         57
19   Samba call_trans2open Buffer Overflow 3                            Medium         57
20   PING Microsoft Windows 2                                           Low            35
21   PING L3retriever                                                   Low            35
22   HTTP Request URI with SQL Statement (AND-1)                        Low            31
23   PHP File HTTP Upload 1                                             Low            28
24   Cross-Site Scripting (XSS) Attack 32                               Medium         27
25   Allaple ICMP Sweep Ping Inbound                                    Low            26
26   VML File HTTP Download 3a                                          Low            25
27   Microsoft SQL Server UDP Status Request                            Low            17
28   Suspicious Request URI 7                                           Medium         15
29   HTTP Server Suspicious File Upload 1                               Medium         15
30   Destination Unreachable (Fragmentation Needed and DF bit was set)  Low            10
31   Fragment Reassembly Time Exceeded                                  Low            10
32   Microsoft CAPICOM ActiveX Instantiation                            Medium
33   PING *NIX                                                          Low
34   PING BSDtype                                                       Low
35   PING CyberKit                                                      Low
36   Source Quench                                                      Low
37   Redirect Host                                                      Low
38   Oracle Java Web Start ActiveX Instantiation                        Medium
39   ISC BIND VERSION Query (UDP)                                       Low
40   Obfuscated HTML Code 13                                            Low
41   PHP CGI Argument Injection 2                                       Medium
42   Suspicious HTTP User-Agent Header 2a                               Medium
43   Obfuscated HTML Code 14                                            Low
44   SMTP VRFY root Command                                             Medium
45   Riskware MalHTML Activity                                          High
46   DNS Query example.com                                              Low
47   HTTP Server Remote Code Execution 22                               Medium
48   TCP Port 0 Traffic 1                                               Low
49   HTTP Server Directory Traversal Attack 1                           Medium
50   PHP CGI Argument Injection 1                                       Medium
51   OpenEMR Arbitrary File Overwrite                                   Medium
52   HTTP Request URI with SQL Statement (OR-1)                         Low
53   Windows LSASS Buffer Overflow 1 (MS04-011)                         Medium
54   PING BayRS Router                                                  Low
55   Suspicious CIFS Traffic 9                                          Medium
56   PING Flowpoint2200 or Network Management Software                  Low
57   HTTP Request URI with SQL Statement (IF-1)                         Low
58   SQL Injection Attack 12                                            Medium
59   Empty HTTP User-Agent Header                                       Low
60   HTTP Request URI with SQL Statement (BENCHMARK)                    Low
61   HTTP Request URI with SQL Statement (SELECT)                       Low
62   HTTP Request URI with SQL Statement (UNION ALL)                    Low
63   HTTP Request Body with SQL Statement (AND-1)                       Low
64   HTTP Request Body with SQL Statement (OR-1)                        Low
65   MHTML Protocol Handler XSS 3                                       Medium
66   SIP Stress Test Traffic 5c (Extra Spaces)                          Low
67   HTTP Client Shellcode Exploit 18                                   Medium
68   RealVNC Authentication Bypass                                      Medium
69   Apple Safari for iPhone Hide Address Bar                           Low
70   Obfuscated ActiveX Instantiation 3a                                Medium
71   /etc/passwd Access 1                                               Low
72   EOT File HTTP Download                                             Low
     Total:                                                                        12,091

Event counts below 10 did not survive extraction; those cells are left blank.


Intrusion Categories

 #   Intrusion Category                 Events
 1   NETBIOS Suspicious CIFS Traffic     3,955
 2   ICMP Echo Reply                     1,507
 3   ICMP Destination Unreachable (P     1,479
 4   ICMP PING                             932
 5   INFO NetBIOS Name Request Probe       843
 6   SQL-INJECTION SQL Injection Att       792
 7   WEB-ATTACKS HTTP Server Remote        531
 8   VIRUS SQL Slammer Activity            336
 9   ICMP PING with Null Payload           307
10   EXPLOIT Server Application Shel       295
11   INFO SIP friendly-scanner User-       228
12   ICMP Time-To-Live Exceeded in T       164
13   INFO VML File HTTP Download 4a        135
14   INFO VML File HTTP Download 1a         78
15   SQL-INJECTION UNION ALL Stateme        62
16   NETBIOS Samba call_trans2open B        57
17   INFO HTTP Request URI with SQL         38
18   ICMP PING Microsoft Windows 2          35
19   ICMP PING L3retriever                  35
20   INFO PHP File HTTP Upload 1            28
21   XSS Cross-Site Scripting (XSS)         27
22   ICMP Allaple ICMP Sweep Ping In        26
23   INFO VML File HTTP Download 3a         25
24   INFO Microsoft SQL Server UDP S        17
25   WEB-ATTACKS Suspicious Request         15
26   WEB-ATTACKS HTTP Server Suspici        15
27   WEB-CLIENT Obfuscated HTML Code        10
28   ICMP Destination Unreachable (F        10
29   ICMP Fragment Reassembly Time E        10
30   ACTIVEX Microsoft CAPICOM Activ
31   ICMP PING *NIX
32   WEB-PHP PHP CGI Argument Inject
33   ICMP PING BSDtype
34   ICMP Redirect Host
35   ICMP Source Quench
36   ICMP PING CyberKit
37   INFO ISC BIND VERSION Query (UD
38   ACTIVEX Oracle Java Web Start A
39   WEB-ATTACKS Suspicious HTTP Use
40   SMTP SMTP VRFY root Command
41   VIRUS Riskware MalHTML Activity
42   INFO DNS Query example.com
43   INFO TCP Port 0 Traffic 1
44   WEB-ATTACKS HTTP Server Directo
45   ICMP PING BayRS Router
46   ICMP PING Flowpoint2200 or Netw
47   INFO HTTP Request Body with SQL
48   NETBIOS Windows LSASS Buffer Ov
49   WEB-PHP OpenEMR Arbitrary File
50   INFO /etc/passwd Access 1
51   INFO EOT File HTTP Download
52   ACTIVEX Obfuscated ActiveX Inst
53   INFO Apple Safari for iPhone Hi
54   EXPLOIT HTTP Client Shellcode E
55   MISC RealVNC Authentication Byp
56   XSS MHTML Protocol Handler XSS 3
57   VoIP-ATTACKS SIP Stress Test Tr
58   INFO Empty HTTP User-Agent Head
     Total:                             12,091

Category names are cut off at the column width in the source. Event counts below 10 did not survive extraction; those cells are left blank.

Targets


 #   Target IP         Target Host   Events
 1   200.199.220.114                  4,097
 2   200.199.220.115                  1,328
 3   200.199.220.125                  1,261
 4   200.199.220.70                   1,019
 5   200.199.220.80                     823
 6   200.199.220.69                     797
 7   200.199.220.74                     747
 8   200.199.220.110                    459
 9   200.199.220.120                    349
10   200.199.220.66                     231
11   200.199.220.81                     108
12   200.199.220.82                     107
13   200.199.220.67                     100
14   200.199.220.75                      95
15   200.199.220.111                     74
16   200.199.220.81                      59
17   200.199.220.67                      52
18   200.199.220.72                      46
19   200.199.220.86                      43
20   200.199.220.71                      38
21   200.199.220.76                      34
22   200.199.220.83                      31
23   200.199.220.78                      31
24   200.199.220.73                      28
25   200.199.220.112                     27
26   200.199.220.112                     24
27   200.199.220.126                     21
28   200.199.220.71                      18
29   200.199.220.72                      17
30   200.199.220.66                      12
31   200.199.220.113                     11
32   23.23.172.253
     Total:                          12,091

The Target Host column is listed in the source without recoverable row alignment; the hosts named are server.unigran.br, server.inf.unigran.br, server.dourados.br, ns2.unigran.br, ns1.unigran.br and roteador2.unigran.br. The event count for row 32 (below 10) did not survive extraction.

Initiators

  #   Initiator IP      Initiator Host                         User    Events
  1   203.204.79.250                                                    4,067
  2   185.10.106.8                                                      1,268
  3   200.199.220.65                                                    1,180
  4   177.194.228.177                                                     362
  5   200.199.220.65                                                      305
  6   177.194.228.177   b1c2e4b1.virtua.com.br                            221
  7   177.194.228.177   b1c2e4b1.virtua.com.br                            180
  8   164.85.0.49                                                         174
  9   211.81.31.53                                                        118
 10   211.81.31.54                                                        112
 11   111.235.148.30                                                       90
 12   65.39.222.146                                                        86
 13   27.251.165.238                                                       81
 14   198.44.0.94                                                          80
 15   177.201.237.21                                                       72
 16   202.91.244.249                                                       71
 17   1.221.17.228                                                         71
 18   180.173.11.128                                                       71
 19   137.117.188.82                                                       64
 20   50.58.223.66                                                         59
 21   37.0.124.118                                                         53
 22   37.58.49.40                                                          43
 23   187.112.42.6                                                         34
 24   177.16.50.83                                                         31
 25   129.82.138.44                                                        30
 26   201.116.140.98                                                       28
 27   177.194.228.177                                          admin        27
 28   222.124.202.162                                                      26
 29   74.217.78.144                                                        25
 30   221.238.193.9                                                        24
 31   12.129.199.100                                                       23
 32   207.56.204.162                                                       21
 33   74.113.232.22                                                        20
 34   203.178.148.19                                                       20
 35   66.235.119.6                                                         19
 36   200.229.203.167                                                      18
 37   200.91.37.44                                                         16
 38   8.26.16.102                                                          16
 39   12.130.81.230                                                        16
 40   189.2.20.178                                                         16
 41   200.230.226.123                                                      15
 42   200.166.202.138                                                      15
 43   12.130.81.231                                                        15
 44   128.9.168.98                                                         15
 45   200.199.171.135                                                      14
 46   37.58.49.40       hosted-by.scopehosts.com                            14
 47   177.16.50.83      177.16.50.83.static.host.gvt.net.br                 14
 48   186.38.21.169                                                        14
 49   12.129.199.110                                                       13
 50   200.205.41.30                                                        13
 51   12.130.81.247                                                        13
 52   177.5.97.90                                                          13
 53   66.235.119.5                                                         13
 54   177.27.189.36                                                        12
 55   200.93.200.210                                                       12
 56   200.26.175.26                                                        12
 57   198.20.69.98                                                         12
 58   201.28.144.251                                                       12
 59   200.54.82.226                                                        11
 60   50.58.223.66                                                         11
 61   200.186.217.22                                                       11
 62   216.52.92.10                                                         11
 63   218.241.108.113                                                      11
 64   178.63.61.87                                                         10
 65   187.8.29.251                                                         10
 66   74.113.236.21                                                        10
 67   200.32.4.10                                                          10
 68   74.217.66.14                                                         10
 69   74.113.235.28                                                        10
 70   37.6.22.101                                                          10
 71   74.113.232.28                                                        10
 72   173.252.69.6
 73   201.2.23.95
 74   63.251.28.250
 75   211.95.78.82
 76   202.232.152.86
 77   187.59.159.190
 78   74.113.235.22
 79   77.222.40.157
 80   200.182.158.3
 81   61.104.56.200
 82   200.142.128.18
 83   74.113.236.22
 84   187.8.29.252
 85   200.230.171.252
 86   177.53.207.243
 87   114.242.208.84
 88   210.22.194.8
 89   12.129.199.108
 90   205.166.76.252
 91   174.46.33.10
 92   208.85.41.3
 93   193.6.53.130
 94   189.125.140.254   254.140.125.189.static.impsat.net.br
 95   189.1.171.54      wilikat.mkt001.com.br
 96   74.113.232.21
 97   210.211.107.104
 98   211.78.245.241
 99   192.195.204.11
100   64.38.212.36
      Total:                                                            9,842

Three further Initiator Host / User values appear in the source without recoverable row alignment: the host roteador.unigran.br, the host carbonyx.com and one more User entry "admin". Event counts below 10 (rows 72 to 100) did not survive extraction; those cells are left blank.

Ports Information


  #   Target Port   Initiator Port   Events
  1   53            53                1,271
  2   ?             3,296               786
  3   137           137                 719
  4   ?             25,675              585
  5   1,434         1,128               118
  6   ?             14,068              114
  7   1,434         4,335               112
  8   ?             21,930               71
  9   139           52,056               69
 10   139           52,111               69
 11   139           52,121               69
 12   139           52,112               69
 13   139           52,108               69
 14   139           52,120               69
 15   139           52,025               69
 16   139           52,115               69
 17   139           52,054               69
 18   139           52,040               69
 19   139           52,078               69
 20   139           52,084               69
 21   139           52,083               69
 22   139           52,117               69
 23   139           52,035               69
 24   139           52,017               69
 25   139           52,013               69
 26   139           52,053               69
 27   139           52,016               69
 28   139           52,072               69
 29   139           52,068               69
 30   139           52,018               69
 31   139           52,038               69
 32   139           52,033               69
 33   139           52,012               69
 34   139           52,086               69
 35   139           52,049               69
 36   139           52,015               69
 37   139           52,100               69
 38   139           52,036               69
 39   139           52,048               69
 40   139           52,074               69
 41   139           52,020               69
 42   139           52,030               69
 43   139           52,060               69
 44   139           52,066               69
 45   139           52,098               69
 46   139           52,059               69
 47   139           52,046               69
 48   139           52,019               69
 49   139           52,076               69
 50   139           52,042               69
 51   139           52,044               69
 52   139           52,092               69
 53   139           52,028               69
 54   139           52,080               69
 55   139           52,024               69
 56   139           52,102               69
 57   139           52,014               69
 58   139           52,071               69
 59   139           52,104               69
 60   139           52,114               69
 61   139           52,096               69
 62   139           52,094               69
 63   139           52,062               69
 64   139           52,022               69
 65   139           52,065               69
 66   ?             512                  67
 67   139           52,088               67
 68   139           52,090               67
 69   5,060         5,060                61
 70   ?             ?                    57
 71   80            53,315               30
 72   1,434         4,365                26
 73   80            53,546               24
 74   1,434         1,944                24
 75   80            52,991               24
 76   80            52,988               23
 77   80            53,347               23
 78   80            53,340               23
 79   80            53,552               22
 80   80            52,762               21
 81   80            53,354               21
 82   80            53,343               20
 83   ?             ?                    20
 84   80            53,540               19
 85   80            52,760               17
 86   80            53,554               16
 87   80            53,560               16
 88   80            53,330               16
 89   80            52,765               15
 90   80            52,995               15
 91   80            53,352               14
 92   80            53,569               14
 93   ?             768                  14
 94   80            53,267               14
 95   80            53,547               13
 96   80            53,349               13
 97   80            52,980               13
 98   80            53,534               13
 99   80            53,337               12
100   80            52,468               12
      Total:                          8,575

Port numbers keep the thousands separators used in the source. A ? marks a port value that did not survive extraction: in rows 2, 4, 6, 8, 66 and 93 only one of the two ports is present in the source and it is listed under Initiator Port, although the source does not make clear which column it belongs to; rows 70 and 83 lost both ports.

Target Countries

Target Country   Events
Brazil           12,087
United States
Total:           12,091

The event count for United States (below 10) did not survive extraction.

Initiator Countries

Initiator Country                  Events
Taiwan; Republic of China (ROC)     4,081
Brazil                              2,376
Unknown                             2,329
United States                       1,142
China                                 655
Total:                             10,583
