On August 18th, IP address 23.227.202.82 (Tampa, Florida) triggered the Suricata alert “ET SCAN MS Terminal Server Traffic on Non-standard Port” on my web server. Security Onion classifies it as an attempted information leak, and the network traffic that matched was:
“Cookie: mstshash=NCRACK_USER”
I had no clue of the intent of this traffic, but was quite sure it wasn’t getting them anywhere. No breach, no real data loss, nothing. But the reason this alert caught my attention was that it was triggered 13,254 times. In about 11 seconds. Well, or so I thought. More about that in a bit.
I didn’t see anything like this again until November 16 when, between 12:43:16 and 12:43:44 AM EST (28 seconds), I was hit 29,618 times. This time the IP address was 146.70.41.186 (New York, NY). On closer inspection, though, I realized that Security Onion was only showing me 500 occurrences of a specific alert. The first 500, the last 500, a mix of them, I didn’t know. But with more than twenty-nine thousand unseen alerts I could not know how long the attack was in operation. So I had to throw the time window out of the, well, window. Making an educated guess, 28 seconds times 59 (29.6k divided by 500) says about 27 and a half minutes. That’s pretty quick, I thought.
So, what is “Cookie: mstshash=NCRACK_USER” anyhow?
As the alert title suggests, this is related to the Remote Desktop Protocol, but the specifics escape me. RDP is a pretty complex protocol and has changed quite a bit in the past 14 years. What can be said with certainty is that “Cookie: mstshash=” is the routing cookie a Windows RDP client places in its X.224 Connection Request, the very first message it sends after the TCP handshake, and that the value after the equals sign is normally the username of the client. Is someone trying to authenticate to my LAMP server using RDP over port 80? Does NCRACK_USER refer to ncrack, a network authentication cracking tool? Maybe. Unfortunately, I have more questions than answers at this time. When this attack happens again, maybe I will get more information.
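To make the alert payload less mysterious, here is an added example (written for this page, not code from the original post or from Suricata) that builds and parses the message the cookie lives in: a TPKT-framed X.224 Connection Request, which is what an RDP client sends first. The cookie and the optional rdpNegReq are laid out exactly as the RDP specification describes them; the final function is only an approximation of what the Emerging Threats rule keys on (an RDP connection request with an mstshash cookie arriving on a port other than 3389) and is an assumption, not the rule text.

```python
import struct

TPKT_VERSION = 3
X224_CR = 0xE0          # X.224 Connection Request, high nibble of the code byte
COOKIE_PREFIX = b"Cookie: mstshash="


def build_x224_cr(user, request_protocols=True):
    """Return the bytes an RDP client sends to open a session (TPKT header + X.224 CR).

    Layout: TPKT(4) | LI(1) | CR code(1) | DST-REF(2) | SRC-REF(2) | class(1) |
            "Cookie: mstshash=<user>\\r\\n" | optional rdpNegReq(8)
    """
    cookie = COOKIE_PREFIX + user.encode("ascii") + b"\r\n"
    body = struct.pack(">BHHB", X224_CR, 0, 0, 0) + cookie
    if request_protocols:
        # rdpNegReq: type 1, flags 0, length 8, requestedProtocols (little-endian);
        # 0x3 asks for TLS or CredSSP, the usual modern client request.
        body += struct.pack("<BBHI", 0x01, 0x00, 8, 0x00000003)
    x224 = struct.pack("B", len(body)) + body      # LI counts everything after itself
    tpkt = struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224))
    return tpkt + x224


def parse_x224_cr(data):
    """Parse a TPKT-framed X.224 CR. Returns {'cookie', 'requested_protocols'} or None."""
    if len(data) < 11 or data[0] != TPKT_VERSION:
        return None
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len != len(data):
        return None
    li = data[4]
    if (data[5] & 0xF0) != X224_CR:
        return None
    payload = data[11:5 + li]                      # bytes after the fixed CR header
    cookie = None
    if payload.startswith(COOKIE_PREFIX):
        end = payload.find(b"\r\n")
        if end == -1:
            return None                            # cookie must be CRLF terminated
        cookie = payload[len(COOKIE_PREFIX):end].decode("ascii", "replace")
        payload = payload[end + 2:]
    protocols = None
    if len(payload) >= 8 and payload[0] == 0x01:   # TYPE_RDP_NEG_REQ
        protocols = struct.unpack("<I", payload[4:8])[0]
    return {"cookie": cookie, "requested_protocols": protocols}


def looks_like_rdp_on_nonstandard_port(dst_port, data):
    """Assumed approximation of the alert condition: an RDP CR carrying an mstshash
    cookie sent to any port other than 3389."""
    parsed = parse_x224_cr(data)
    return dst_port != 3389 and parsed is not None and parsed["cookie"] is not None


if __name__ == "__main__":
    pkt = build_x224_cr("NCRACK_USER")
    print(pkt.hex())
    print(parse_x224_cr(pkt))
    print("alert on port 80:", looks_like_rdp_on_nonstandard_port(80, pkt))
```

Feed a real capture of the first client-to-server segment into parse_x224_cr and the cookie value will pop out; an HTTP request fed to it returns None, because its first byte is not the TPKT version byte. That is also why the alert is a scan signature rather than proof of compromise: the match is on the opening bytes of a legitimate-looking RDP request, not on anything the web server did with it.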
January 9, IP 146.70.41.235 (New York City), 24,568 alerts.
I realized that if I mess with the timespan filter, I can creep up on the last daily occurrence. First, I set the range from one second past midnight until one second before midnight. I can see the first five hundred alerts, including the chronologically first one. I then creep the start time to one second before the last viewable alert, and I see more. Once the list is under five hundred alerts, I know that I can see the chronologically last one. I determined that the attack window was between 12:57:40 and 01:05:54 AM. Eight minutes and fourteen seconds. Almost fifty alerts per second. Quite a bit faster than my prior estimate.
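The creeping-window trick works, but the 500-row cap is a limit of the search interface, not of the data: Suricata writes every alert to its eve.json log, one JSON object per line, and a few lines of Python over that file give the first and last timestamp, the duration and the rate for every source address and signature in one pass. The following is an added example for this page, not code from the post or from Security Onion; the log lines it processes are constructed to mimic eve.json alert records (2,000 alerts 20 ms apart from one address, plus one older alert, one non-alert event and one corrupt line), and the destination address 192.0.2.10 is a documentation address, not the author's server.

```python
import json
from datetime import datetime, timedelta, timezone

EST = timezone(timedelta(hours=-5))
SIG = "ET SCAN MS Terminal Server Traffic on Non-standard Port"
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"       # Suricata eve.json timestamp format


def _alert(ts, src, dport=80, sig=SIG):
    """One constructed eve.json alert record (not real log data)."""
    return json.dumps({
        "timestamp": ts.strftime(TS_FMT), "event_type": "alert", "proto": "TCP",
        "src_ip": src, "dest_ip": "192.0.2.10", "dest_port": dport,
        "alert": {"signature": sig, "category": "Attempted Information Leak"},
    })


def constructed_eve_lines(n=2000, start=datetime(2023, 1, 9, 0, 57, 40, tzinfo=EST)):
    """Constructed sample log: n alerts 20 ms apart from one source, plus noise lines."""
    lines = [_alert(start + timedelta(milliseconds=20 * i), "146.70.41.235")
             for i in range(n)]
    lines.append(_alert(start - timedelta(days=1), "23.227.202.82"))
    lines.append(json.dumps({"timestamp": start.strftime(TS_FMT), "event_type": "flow",
                             "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10"}))
    lines.append("this line is not JSON and must be skipped")
    return lines


def summarize_alerts(lines):
    """Group alert events by (src_ip, signature); return count, first/last seen,
    duration in seconds and alerts per second for each group."""
    stats = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue                                  # truncated or corrupt line
        if ev.get("event_type") != "alert":
            continue                                  # flow, dns, http, ... records
        ts = datetime.strptime(ev["timestamp"], TS_FMT)
        key = (ev["src_ip"], ev["alert"]["signature"])
        s = stats.setdefault(key, {"count": 0, "first": ts, "last": ts})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    for s in stats.values():
        dur = (s["last"] - s["first"]).total_seconds()
        s["duration_s"] = dur
        s["rate_per_s"] = s["count"] / dur if dur > 0 else None
    return stats


def summarize_eve_file(path):
    """Same summary over a real eve.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return summarize_alerts(fh)


if __name__ == "__main__":
    for (src, sig), s in sorted(summarize_alerts(constructed_eve_lines()).items()):
        print(f"{src:16} {s['count']:6} alerts  {s['first']:%H:%M:%S} -> "
              f"{s['last']:%H:%M:%S}  {s['duration_s']:.2f}s  rate={s['rate_per_s']}")
```

Point summarize_eve_file at the sensor's eve.json (or a rotated copy of it) and the answer that took several filter adjustments in the UI comes back directly, including the exact first and last packet times. Grouping on the signature as well as the source keeps a second, unrelated alert from the same address from distorting the rate.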
I’d like to make a couple of points here. Geolocating IPv4 addresses isn’t an exact science. I’ve identified the last two addresses (146.70.41.x) as New York City because that’s what my website of choice (https://dnslytics.com/) says. Interestingly, it identifies the ISP as “M247 Europe SRL”, which is probably why Security Onion says it is in the UK. Let’s put aside the “UK isn’t in Europe” arguments for now.
Secondly, this attack was focused on port 80 (HTTP), and I mentioned in an earlier post that my ISP blocks port 80. It does, but not completely. Port 80 does touch my LAMP server, but a connection cannot be formed. One caveat worth noting: the “Cookie: mstshash=” string is application data, which a client only sends once the TCP three-way handshake has completed, so for Suricata to have matched on it, at least that handshake reached the server and was answered.
What I gather is that this is an obsolete, zombie bot attack on terminal servers. Zombie, in that the bot network may have been abandoned, still searching for a terminal server with a long-patched vulnerability. It does not happen often, does not interrupt my network, and does not present a significant threat. Still, I will keep an eye on it. I wish I had kept copies of the Apache logs. I wonder what it looked like there. Perhaps next time.