Offhand, I would be tempted to say it is the activity of a not exceedingly competent attacker trying to exploit a very old bug. The sender is probing for the HTTP Authentication Bypass Issue from June 27 2001. Original Advisory http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html Malicious request: http://<device_addres>/level/16/exec/ Analyze the timing and source of log events to determine if it is an automated issue. Robert Guess Assistant Professor, Information Systems Technology Tidewater Community College (757) 822-5022 () ascii ribbon campaign /\ against html email
"J. Oquendo" <sil@politrix.org> 09/01/05 9:07 AM >>>
After doing some logfile analysis briefly yesterday, I noticed what seems to be some form of bot, worm, something, searching for what could seems to point to a Cisco exploitation of sorts. (http://tinyurl.com/df9d8) All the hosts who've tried searching for the string are coming from APNIC. So I'm wondering... Has someone taken Michael Lynn's paper "Holy Grail" and produced a "DaVinci Code" to exploit the flaws Lynn spoke of... Code snippet below is of "cisco_scanner.c" which searches for the same particular /level/16/exec/-///pwd string however the code can be modified (obviously) and a search turns up less than one page of results on Google. Author's page seems to be gone like the wind... Anyhow. # grep "/level/16/exec/-///" access_log |awk '{print $1,"\t\t"$7}' 58.236.50.75 /level/16/exec/-///pwd 221.141.168.137 /level/16/exec/-///pwd 221.138.93.31 /level/16/exec/-///pwd 218.53.244.16 /level/16/exec/-///pwd 222.232.84.34 /level/16/exec/-///pwd 222.238.128.14 /level/16/exec/-///pwd 218.50.74.189 /level/16/exec/-///pwd 218.239.26.42 /level/16/exec/-///pwd 218.232.83.18 /level/16/exec/-///pwd 211.208.254.67 /level/16/exec/-///pwd whois.apnic.net $ABOVE_HOSTS Code snippet... /* Multi-thread Cisco HTTP vulnerable scanner v0.2 by Inode */ #define HTTP_REQUEST "GET /level/16/exec/-///pwd HTTP/1.0\n\n" So now I have yet another mod_security rule added ;) SecFilterSelective THE_REQUEST "/level/16" "redirect:http://www.cisco.com" =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo GPG Key ID 0x97B43D89 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89 It is much easier to suggest solutions when you know nothing about the problem. -- Niklaus Wirth