8/13/2019 NSA 2400 - Intrusion Details.pdf

Firewall ... 2
NSA 2400 ... 2
Intrusions - Intrusion Details ... 2
Firewall
NSA 2400
Intrusions - Intrusion Details: December 5, 2013 - December 16, 2013
Timeline
Time Events
1 Dec 5, 2013 819
2 Dec 6, 2013 1,862
3 Dec 7, 2013 3,076
4 Dec 8, 2013 4,185
5 Dec 9, 2013 315
6 Dec 10, 2013 249
7 Dec 11, 2013 349
8 Dec 12, 2013 221
9 Dec 13, 2013 183
10 Dec 14, 2013 410
11 Dec 15, 2013 305
12 Dec 16, 2013 117
Total: 12,091
Intrusions
Intrusion Priority Events
1 Suspicious CIFS Traffic 6 Medium 3,953
2 Echo Reply Low 1,507
3 Destination Unreachable (Port Unreachable) Low 1,479
4 PING Low 932
5 NetBIOS Name Request Probe Low 843
6 SQL Injection Attack 3 Medium 790
7 SQL Slammer Activity Medium 336
8 PING with Null Payload Low 307
9 HTTP Server Remote Code Execution 14 Medium 278
10 HTTP Server Remote Code Execution 7 Medium 250
11 SIP friendly-scanner User-Agent Low 228
12 Server Application Shellcode Exploit 2 Medium 174
13 Time-To-Live Exceeded in Transit Low 164
14 VML File HTTP Download 4a Low 135
15 VML File HTTP Download 1a Low 78
16 Server Application Shellcode Exploit 10 Medium 64
17 UNION ALL Statement 4 (Possible SQL Injection) Medium 62
18 Server Application Shellcode Exploit 35 Medium 57
19 Samba call_trans2open Buffer Overflow 3 Medium 57
20 PING Microsoft Windows 2 Low 35
21 PING L3retriever Low 35
22 HTTP Request URI with SQL Statement (AND-1) Low 31
23 PHP File HTTP Upload 1 Low 28
24 Cross-Site Scripting (XSS) Attack 32 Medium 27
25 Allaple ICMP Sweep Ping Inbound Low 26
26 VML File HTTP Download 3a Low 25
27 Microsoft SQL Server UDP Status Request Low 17
28 Suspicious Request URI 7 Medium 15
29 HTTP Server Suspicious File Upload 1 Medium 15
30 Destination Unreachable (Fragmentation Needed and DF bit was set) Low 10
31 Fragment Reassembly Time Exceeded Low 10
32 Microsoft CAPICOM ActiveX Instantiation Medium 8
33 PING *NIX Low 7
34 PING BSDtype Low 7
35 PING CyberKit Low 6
36 Source Quench Low 6
37 Redirect Host Low 6
38 Oracle Java Web Start ActiveX Instantiation Medium 5
39 ISC BIND VERSION Query (UDP) Low 5
40 Obfuscated HTML Code 13 Low 5
41 PHP CGI Argument Injection 2 Medium 5
42 Suspicious HTTP User-Agent Header 2a Medium 5
43 Obfuscated HTML Code 14 Low 5
44 SMTP VRFY root Command Medium 4
45 Riskware MalHTML Activity High 4
46 DNS Query example.com Low 4
47 HTTP Server Remote Code Execution 22 Medium 3
48 TCP Port 0 Traffic 1 Low 3
49 HTTP Server Directory Traversal Attack 1 Medium 3
50 PHP CGI Argument Injection 1 Medium 2
51 OpenEMR Arbitrary File Overwrite Medium 2
52 HTTP Request URI with SQL Statement (OR-1) Low 2
53 Windows LSASS Buffer Overflow 1 (MS04-011) Medium 2
54 PING BayRS Router Low 2
55 Suspicious CIFS Traffic 9 Medium 2
56 PING Flowpoint2200 or Network Management Software Low 2
57 HTTP Request URI with SQL Statement (IF-1) Low 2
58 SQL Injection Attack 12 Medium 2
59 Empty HTTP User-Agent Header Low 1
60 HTTP Request URI with SQL Statement (BENCHMARK) Low 1
61 HTTP Request URI with SQL Statement (SELECT) Low 1
62 HTTP Request URI with SQL Statement (UNION ALL) Low 1
63 HTTP Request Body with SQL Statement (AND-1) Low 1
64 HTTP Request Body with SQL Statement (OR-1) Low 1
65 MHTML Protocol Handler XSS 3 Medium 1
66 SIP Stress Test Traffic 5c (Extra Spaces) Low 1
67 HTTP Client Shellcode Exploit 18 Medium 1
68 RealVNC Authentication Bypass Medium 1
69 Apple Safari for iPhone Hide Address Bar Low 1
70 Obfuscated ActiveX Instantiation 3a Medium 1
71 /etc/passwd Access 1 Low 1
72 EOT File HTTP Download Low 1
Total: 12,091
Intrusion Categories
Intrusion Category Events
1 NETBIOS Suspicious CIFS Traffic 3,955
2 ICMP Echo Reply 1,507
3 ICMP Destination Unreachable (P 1,479
4 ICMP PING 932
5 INFO NetBIOS Name Request Probe 843
6 SQL-INJECTION SQL Injection Att 792
7 WEB-ATTACKS HTTP Server Remote 531
8 VIRUS SQL Slammer Activity 336
9 ICMP PING with Null Payload 307
10 EXPLOIT Server Application Shel 295
11 INFO SIP friendly-scanner User- 228
12 ICMP Time-To-Live Exceeded in T 164
13 INFO VML File HTTP Download 4a 135
14 INFO VML File HTTP Download 1a 78
15 SQL-INJECTION UNION ALL Stateme 62
16 NETBIOS Samba call_trans2open B 57
17 INFO HTTP Request URI with SQL 38
18 ICMP PING Microsoft Windows 2 35
19 ICMP PING L3retriever 35
20 INFO PHP File HTTP Upload 1 28
21 XSS Cross-Site Scripting (XSS) 27
22 ICMP Allaple ICMP Sweep Ping In 26
23 INFO VML File HTTP Download 3a 25
24 INFO Microsoft SQL Server UDP S 17
25 WEB-ATTACKS Suspicious Request 15
26 WEB-ATTACKS HTTP Server Suspici 15
27 WEB-CLIENT Obfuscated HTML Code 10
28 ICMP Destination Unreachable (F 10
29 ICMP Fragment Reassembly Time E 10
30 ACTIVEX Microsoft CAPICOM Activ 8
31 ICMP PING *NIX 7
32 WEB-PHP PHP CGI Argument Inject 7
33 ICMP PING BSDtype 7
34 ICMP Redirect Host 6
35 ICMP Source Quench 6
36 ICMP PING CyberKit 6
37 INFO ISC BIND VERSION Query (UD 5
38 ACTIVEX Oracle Java Web Start A 5
39 WEB-ATTACKS Suspicious HTTP Use 5
40 SMTP SMTP VRFY root Command 4
41 VIRUS Riskware MalHTML Activity 4
42 INFO DNS Query example.com 4
43 INFO TCP Port 0 Traffic 1 3
44 WEB-ATTACKS HTTP Server Directo 3
45 ICMP PING BayRS Router 2
46 ICMP PING Flowpoint2200 or Netw 2
47 INFO HTTP Request Body with SQL 2
48 NETBIOS Windows LSASS Buffer Ov 2
49 WEB-PHP OpenEMR Arbitrary File 2
50 INFO /etc/passwd Access 1 1
51 INFO EOT File HTTP Download 1
52 ACTIVEX Obfuscated ActiveX Inst 1
53 INFO Apple Safari for iPhone Hi 1
54 EXPLOIT HTTP Client Shellcode E 1
55 MISC RealVNC Authentication Byp 1
56 XSS MHTML Protocol Handler XSS 3 1
57 VoIP-ATTACKS SIP Stress Test Tr 1
58 INFO Empty HTTP User-Agent Head 1
Total: 12,091
Targets
Target IP Target Host Events
1 200.199.220.114 4,097
2 200.199.220.115 1,328
3 200.199.220.125 1,261
4 200.199.220.70 1,019
5 200.199.220.80 823
6 200.199.220.69 797
7 200.199.220.74 747
8 200.199.220.110 459
9 200.199.220.120 349
10 200.199.220.66 server.unigran.br 231
11 200.199.220.81 108
12 200.199.220.82 107
13 200.199.220.67 server.inf.unigran.br 100
14 200.199.220.75 95
15 200.199.220.111 74
16 200.199.220.81 server.dourados.br 59
17 200.199.220.67 52
18 200.199.220.72 ns2.unigran.br 46
19 200.199.220.86 43
20 200.199.220.71 ns1.unigran.br 38
21 200.199.220.76 34
22 200.199.220.83 31
23 200.199.220.78 31
24 200.199.220.73 28
25 200.199.220.112 roteador2.unigran.br 27
26 200.199.220.112 24
27 200.199.220.126 21
28 200.199.220.71 18
29 200.199.220.72 17
30 200.199.220.66 12
31 200.199.220.113 11
32 23.23.172.253 4
Total: 12,091
Initiators
Initiator IP Initiator Host User Events
1 203.204.79.250 4,067
2 185.10.106.8 1,268
3 200.199.220.65 roteador.unigran.br 1,180
4 177.194.228.177 362
5 200.199.220.65 305
6 177.194.228.177 b1c2e4b1.virtua.com.br admin 221
7 177.194.228.177 b1c2e4b1.virtua.com.br 180
8 164.85.0.49 174
9 211.81.31.53 118
10 211.81.31.54 112
11 111.235.148.30 90
12 65.39.222.146 86
13 27.251.165.238 81
14 198.44.0.94 80
15 177.201.237.21 72
16 202.91.244.249 71
17 1.221.17.228 71
18 180.173.11.128 71
19 137.117.188.82 64
20 50.58.223.66 59
21 37.0.124.118 53
22 37.58.49.40 43
23 187.112.42.6 34
24 177.16.50.83 31
25 129.82.138.44 30
26 201.116.140.98 28
27 177.194.228.177 admin 27
28 222.124.202.162 26
29 74.217.78.144 25
30 221.238.193.9 24
31 12.129.199.100 23
32 207.56.204.162 21
33 74.113.232.22 20
34 203.178.148.19 20
35 66.235.119.6 19
36 200.229.203.167 18
37 200.91.37.44 16
38 8.26.16.102 16
39 12.130.81.230 16
40 189.2.20.178 16
41 200.230.226.123 15
42 200.166.202.138 15
43 12.130.81.231 15
44 128.9.168.98 15
45 200.199.171.135 14
46 37.58.49.40 hosted-by.scopehosts.com 14
47 177.16.50.83 177.16.50.83.static.host.gvt.net.br 14
48 186.38.21.169 14
49 12.129.199.110 13
50 200.205.41.30 13
51 12.130.81.247 13
52 177.5.97.90 13
53 66.235.119.5 13
54 177.27.189.36 12
55 200.93.200.210 12
56 200.26.175.26 12
57 198.20.69.98 12
58 201.28.144.251 12
59 200.54.82.226 11
60 50.58.223.66 carbonyx.com 11
61 200.186.217.22 11
62 216.52.92.10 11
63 218.241.108.113 11
64 178.63.61.87 10
65 187.8.29.251 10
66 74.113.236.21 10
67 200.32.4.10 10
68 74.217.66.14 10
69 74.113.235.28 10
70 37.6.22.101 10
71 74.113.232.28 10
72 173.252.69.6 9
73 201.2.23.95 9
74 63.251.28.250 9
75 211.95.78.82 9
76 202.232.152.86 9
77 187.59.159.190 9
78 74.113.235.22 9
79 77.222.40.157 8
80 200.182.158.3 8
81 61.104.56.200 8
82 200.142.128.18 8
83 74.113.236.22 8
84 187.8.29.252 8
85 200.230.171.252 8
86 177.53.207.243 8
87 114.242.208.84 8
88 210.22.194.8 8
89 12.129.199.108 8
90 205.166.76.252 7
91 174.46.33.10 7
92 208.85.41.3 7
93 193.6.53.130 7
94 189.125.140.254 254.140.125.189.static.impsat.net.br 7
95 189.1.171.54 wilikat.mkt001.com.br 7
96 74.113.232.21 7
97 210.211.107.104 7
98 211.78.245.241 7
99 192.195.204.11 7
100 64.38.212.36 7
Total: 9,842
Ports Information
Target Port Initiator Port Events
1 53 53 1,271
2 3,296 8 786
3 137 137 719
4 25,675 8 585
5 1,434 1,128 118
6 14,068 8 114
7 1,434 4,335 112
8 8 21,930 71
9 139 52,056 69
10 139 52,111 69
11 139 52,121 69
12 139 52,112 69
13 139 52,108 69
14 139 52,120 69
15 139 52,025 69
16 139 52,115 69
17 139 52,054 69
18 139 52,040 69
19 139 52,078 69
20 139 52,084 69
21 139 52,083 69
22 139 52,117 69
23 139 52,035 69
24 139 52,017 69
25 139 52,013 69
26 139 52,053 69
27 139 52,016 69
28 139 52,072 69
29 139 52,068 69
30 139 52,018 69
31 139 52,038 69
32 139 52,033 69
33 139 52,012 69
34 139 52,086 69
35 139 52,049 69
36 139 52,015 69
37 139 52,100 69
38 139 52,036 69
39 139 52,048 69
40 139 52,074 69
41 139 52,020 69
42 139 52,030 69
43 139 52,060 69
44 139 52,066 69
45 139 52,098 69
46 139 52,059 69
47 139 52,046 69
48 139 52,019 69
49 139 52,076 69
50 139 52,042 69
51 139 52,044 69
52 139 52,092 69
53 139 52,028 69
54 139 52,080 69
55 139 52,024 69
56 139 52,102 69
57 139 52,014 69
58 139 52,071 69
59 139 52,104 69
60 139 52,114 69
61 139 52,096 69
62 139 52,094 69
63 139 52,062 69
64 139 52,022 69
65 139 52,065 69
66 8 512 67
67 139 52,088 67
68 139 52,090 67
69 5,060 5,060 61
70 8 1 57
71 80 53,315 30
72 1,434 4,365 26
73 80 53,546 24
74 1,434 1,944 24
75 80 52,991 24
76 80 52,988 23
77 80 53,347 23
78 80 53,340 23
79 80 53,552 22
80 80 52,762 21
81 80 53,354 21
82 80 53,343 20
83 1 8 20
84 80 53,540 19
85 80 52,760 17
86 80 53,554 16
87 80 53,560 16
88 80 53,330 16
89 80 52,765 15
90 80 52,995 15
91 80 53,352 14
92 80 53,569 14
93 8 768 14
94 80 53,267 14
95 80 53,547 13
96 80 53,349 13
97 80 52,980 13
98 80 53,534 13
99 80 53,337 12
100 80 52,468 12
Total: 8,575
Target Countries
Target Country Events
1 Brazil 12,087
2 United States 4
Total: 12,091
Initiator Countries
Initiator Country Events
1 Taiwan; Republic of China (ROC) 4,081
2 Brazil 2,376
3 Unknown 2,329
4 United States 1,142
5 China 655
Total: 10,583