Repeated lpr exploit attempts
From: Arrigo Triulzi [mailto:arrigo@northsea.sevenseas.org]
Sent: Tuesday, November 06, 2001 6:12 AM
To: intrusions@incidents.org
Subject: Repeated lpr exploit attempts from 142.232.68.3
Copy of text sent off to the admins of the site (British Columbia
Institute of Technology). Excuse the feeble attempts at humour but it
is a cold day in London and a rather boring one too.
Arrigo
-*-*-
Dear Sir,
the host at IP address 142.232.68.3 which belongs to your network has
managed to attempt to break my lpr daemons 2565 times in the past day,
which is a remarkable achievement.
In particular here is a selection of his/her exploits (times are in
GMT, NTP-locked to a stratum 2 server). First a scan for port 515
across all my hosts:
Nov 6 03:43:22 eolo snort: [1:120005:1] ULTRA - TCP closed port access attempt 54-1024 [Classification: Traffic not in Web Whitelist] [Priority: 6]: {TCP} 142.232.68.3:2022 -> 212.18.234.50:515
[then onto scan every machine on my subnet, 212.18.234.48/29]
Then an attempt using the old RedHat 7 exploit:
Nov 6 03:43:55 eolo snort: [1:0:0] IDS457/lpr_LPRng-redhat7-overflow-security.is [Classification: system integrity attempt] [Priority: 11]: {TCP} 142.232.68.3:4376 -> 212.18.234.50:515
[again over all my subnet...]
Nov 6 03:43:57 eolo snort: [1:0:0] IDS457/lpr_LPRng-redhat7-overflow-security.is [Classification: system integrity attempt] [Priority: 11]: {TCP} 142.232.68.3:4981 -> 212.18.234.61:515
Then repeated once more, since the first one failed...
Nov 6 03:44:00 eolo snort: [1:0:0] IDS457/lpr_LPRng-redhat7-overflow-security.is [Classification: system integrity attempt] [Priority: 11]: {TCP} 142.232.68.3:2061 -> 212.18.234.50:515
[again all over my subnet...]
Then a portscan to check if the ports are open...
Nov 6 03:44:01 eolo snort: spp_portscan: portscan status from 142.232.68.3: 6 connections across 3 hosts: TCP(6), UDP(0)
Ah, perhaps it isn't LPRng but standard LPR so let us try it all over
again for the whole subnet:
Nov 6 03:44:02 eolo snort: [1:302:1] EXPLOIT redhat 7.0 lprd overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 142.232.68.3:2517 -> 212.18.234.60:515
Another portscan...
Nov 6 03:44:07 eolo snort: spp_portscan: portscan status from 142.232.68.3: 6 connections across 3 hosts: TCP(6), UDP(0)
And so on (repeat the above countless times, or rather 2000 and odd),
to get to the end:
Nov 6 03:45:14 eolo snort: spp_portscan: portscan status from 142.232.68.3: 2 connections across 1 hosts: TCP(2), UDP(0)
Nov 6 03:45:25 eolo snort: End of portscan from 142.232.68.3: TOTAL time(78s) hosts(18) TCP(59) UDP(0)
Could you please investigate the machine in question and suggest to
the owner that if the exploit fails the first time repeating it
doesn't work (like a number of other things in life)?
Thanks,
Arrigo
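As an added example (not part of the original post), here is a small triage script that parses the Snort syslog alert format quoted above, counts alerts per source by signature and by target host, and picks out sources whose overflow attempts against 515/tcp are repeated across several hosts, i.e. the kind of pattern that justifies a report like this one. The sample lines are the ones from the post, re-joined one record per line; the report thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: Snort 1.x syslog alert lines quoted in the post above, one record per line.
SAMPLE_LOG = """\
Nov 6 03:43:22 eolo snort: [1:120005:1] ULTRA - TCP closed port access attempt 54-1024 [Classification: Traffic not in Web Whitelist] [Priority: 6]: {TCP} 142.232.68.3:2022 -> 212.18.234.50:515
Nov 6 03:43:55 eolo snort: [1:0:0] IDS457/lpr_LPRng-redhat7-overflow-security.is [Classification: system integrity attempt] [Priority: 11]: {TCP} 142.232.68.3:4376 -> 212.18.234.50:515
Nov 6 03:43:57 eolo snort: [1:0:0] IDS457/lpr_LPRng-redhat7-overflow-security.is [Classification: system integrity attempt] [Priority: 11]: {TCP} 142.232.68.3:4981 -> 212.18.234.61:515
Nov 6 03:44:00 eolo snort: [1:0:0] IDS457/lpr_LPRng-redhat7-overflow-security.is [Classification: system integrity attempt] [Priority: 11]: {TCP} 142.232.68.3:2061 -> 212.18.234.50:515
Nov 6 03:44:01 eolo snort: spp_portscan: portscan status from 142.232.68.3: 6 connections across 3 hosts: TCP(6), UDP(0)
Nov 6 03:44:02 eolo snort: [1:302:1] EXPLOIT redhat 7.0 lprd overflow [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 142.232.68.3:2517 -> 212.18.234.60:515
"""

# Signature alert: [gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:sport -> dst:dport
# (Classification is optional). spp_portscan status lines intentionally do not match.
ALERT_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?\[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per signature alert found in the syslog text."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            a["prio"] = int(a["prio"])
            alerts.append(a)
    return alerts


def summarize(text):
    """Per source IP: alert count per signature, distinct targets, and overflow alerts against 515/tcp."""
    per_src = defaultdict(lambda: {"by_sig": Counter(), "targets": set(), "lpr_overflows": 0})
    for a in parse_alerts(text):
        s = per_src[a["src"]]
        s["by_sig"][a["msg"]] += 1
        s["targets"].add(a["dst"])
        if a["dport"] == "515" and "overflow" in a["msg"].lower():
            s["lpr_overflows"] += 1
    return dict(per_src)


def sources_to_report(summary, min_overflows=2, min_hosts=2):
    """Sources worth an abuse report (assumed thresholds): repeated overflow attempts across several hosts."""
    return sorted(src for src, s in summary.items()
                  if s["lpr_overflows"] >= min_overflows and len(s["targets"]) >= min_hosts)
```

Calling `sources_to_report(summarize(SAMPLE_LOG))` on the sample returns the single offending source; feeding it a full day's syslog would give the per-signature counts the message above cites.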