Category Archives: Use Cases

System Use Cases that help you detect attacks against your infrastructure. These System Use Cases are classified by Attacker Class (Opportunists, Targeting Opportunists, Professional or State Funded). This classification is inspired by Thierry Zoller's work “Attacker Classes and Pyramid (Version 2)”.

SUC014 : Static source port 12200/TCP

  • Use Case Reference : SUC014
  • Use Case Title : Static source port 12200/TCP
  • Use Case Detection : Firewall logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Random, but most of them from China
  • Source Port(s) : 12200/TCP
  • Destination Port(s) : 1080/TCP, 2479/TCP, 3128/TCP, 3246/TCP, 8080/TCP, 9415/TCP, 9090/TCP
Possible correlation(s) :
  • Proxy finder bot

Source(s) :

Most of the time these trends are revealed by firewall reporting, but an IDS configured to report activity on unused TCP or UDP ports can also trigger alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List” rule sets, correlating firewall activity with IDS signatures will give you a better overview of the attacker.
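As an added illustration (example code written for this post, not a tool the author used), here is how the firewall-log side of this use case can be automated in Python: the script parses iptables-style log lines, builds the destination-port repartition for source port 12200/TCP and, more generally, flags any source port that many unrelated source IPs reuse against several destination ports, which is the behaviour of a proxy-finder bot. The log lines and addresses are constructed samples (documentation IP ranges), and the thresholds are assumptions to tune on your own traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed iptables-style firewall log lines (documentation IP ranges, not
# real traffic): six SYNs from source port 12200 towards proxy ports, two
# ordinary client connections, and one ICMP echo that carries no ports.
SAMPLE_FW_LOG = """\
Apr 22 10:01:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TTL=48 ID=0 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=65535 SYN
Apr 22 10:01:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=48 TTL=48 ID=0 DF PROTO=TCP SPT=12200 DPT=3128 WINDOW=65535 SYN
Apr 22 10:14:41 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=48 TTL=52 ID=0 DF PROTO=TCP SPT=12200 DPT=1080 WINDOW=65535 SYN
Apr 22 10:14:42 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=48 TTL=52 ID=0 DF PROTO=TCP SPT=12200 DPT=8080 WINDOW=65535 SYN
Apr 22 11:02:09 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.33 DST=198.51.100.5 LEN=48 TTL=45 ID=0 DF PROTO=TCP SPT=12200 DPT=9415 WINDOW=65535 SYN
Apr 22 11:40:51 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.5 LEN=48 TTL=47 ID=0 DF PROTO=TCP SPT=12200 DPT=2479 WINDOW=65535 SYN
Apr 22 11:41:00 fw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.55 DST=198.51.100.5 LEN=60 TTL=57 ID=0 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=5840 SYN
Apr 22 11:41:05 fw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.56 DST=198.51.100.5 LEN=60 TTL=57 ID=0 DF PROTO=TCP SPT=44021 DPT=443 WINDOW=5840 SYN
Apr 22 11:41:09 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 LEN=84 TTL=55 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
# Destination ports listed in this use case (proxy and proxy-like services).
PROXY_PORTS = {1080, 2479, 3128, 3246, 8080, 9090, 9415}


def parse_fw_line(line):
    """Turn one KEY=VALUE firewall line into a dict; None if it carries no TCP/UDP ports."""
    fields = dict(KV_RE.findall(line))
    if fields.get("PROTO") not in ("TCP", "UDP") or "SPT" not in fields:
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}


def parse_fw_log(text):
    events = (parse_fw_line(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e]


def dest_port_repartition(events, source_port):
    """Destination-port breakdown for one TCP source port (the 'repartition' chart)."""
    return Counter(e["dpt"] for e in events
                   if e["proto"] == "TCP" and e["spt"] == source_port)


def find_static_source_port_scanners(events, min_sources=3, min_dports=3):
    """Flag source ports reused by many unrelated source IPs against several destination ports.

    A normal client picks a fresh ephemeral source port per connection, so one
    port shared by many sources hitting several service ports points at a
    common tool rather than at coincidence. Thresholds are assumptions.
    """
    by_spt = defaultdict(lambda: {"sources": set(), "dports": set()})
    for e in events:
        if e["proto"] != "TCP":
            continue
        by_spt[e["spt"]]["sources"].add(e["src"])
        by_spt[e["spt"]]["dports"].add(e["dpt"])
    report = {}
    for spt, seen in by_spt.items():
        if len(seen["sources"]) >= min_sources and len(seen["dports"]) >= min_dports:
            report[spt] = {"sources": len(seen["sources"]),
                           "dports": sorted(seen["dports"]),
                           "proxy_ports_only": seen["dports"] <= PROXY_PORTS}
    return report


if __name__ == "__main__":
    evts = parse_fw_log(SAMPLE_FW_LOG)
    print("12200/TCP destination ports:", dict(dest_port_repartition(evts, 12200)))
    for spt, info in find_static_source_port_scanners(evts).items():
        print(f"static source port {spt}: {info}")
```

The flagged source addresses are what you would then match against the Emerging Threats block lists to confirm the correlation the paragraph describes.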

24 hours source port 12200/TCP events
1 week source port 12200 events
1 month source port 12200/TCP events
1 year source port 12200/TCP events
Source port 12200 source countries repartition
Source port 12200 destination ports repartition

SUC013 : Paros Proxy Scanner

  • Use Case Reference : SUC013
  • Use Case Title : Paros Proxy Scanner
  • Use Case Detection : IDS / HTTP logs
  • Targeted Attack : Yes, most of the time this tool is used to target a specific web application
  • Identified tool(s) : Paros Proxy
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random, but the source port stays static once a scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible correlation(s) :
  • Paros Proxy

Source(s) :

Emerging Threats SIG 2008187 raises an alert when the user agent “Paros” is detected in traffic towards the HTTP or HTTPS ports defined in the rule variables. An alert is triggered each time the user agent is seen. Summing the alerts from the same source to the same destination over a time interval gives you the number of requests that were proxied through Paros.

Paros Proxy is normally used to evaluate the security of web applications. All HTTP and HTTPS data between server and client, including cookies and form fields, is intercepted and can be modified. If you detect this kind of activity, you should add the attacker IP address to an “Aggressive Attacker” list for further trending and correlation.
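The alert-summing logic described above, as an added example (not the Emerging Threats rule itself, and not code from this post): a Python snippet that parses Apache vhost_combined log lines, matches the “Paros” user-agent token the signature keys on, sums the hits per source, per destination virtual host and per 5-minute interval, and derives the “Aggressive Attacker” list. The log lines and user-agent strings are constructed samples; the 5-minute window is an assumption.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed Apache vhost_combined lines (documentation IP ranges). The
# user-agent strings are constructed as well; the "Paros" token is the part
# SIG 2008187 looks for.
SAMPLE_HTTP_LOG = """\
www.example.com:80 203.0.113.10 - - [22/Apr/2010:10:01:02 +0200] "GET /login.php HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Paros/3.2.13"
www.example.com:80 203.0.113.10 - - [22/Apr/2010:10:03:40 +0200] "POST /login.php HTTP/1.1" 302 412 "http://www.example.com/login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Paros/3.2.13"
www.example.com:80 203.0.113.10 - - [22/Apr/2010:10:04:59 +0200] "GET /account.php?id=7 HTTP/1.1" 200 2210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Paros/3.2.13"
www.example.com:80 203.0.113.10 - - [22/Apr/2010:10:07:10 +0200] "GET /account.php?id=8 HTTP/1.1" 403 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Paros/3.2.13"
www.example.com:80 198.51.100.5 - - [22/Apr/2010:10:07:12 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/20100401 Firefox/3.6.3"
"""

# %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_http_log(text):
    """Parse vhost_combined lines; the timestamp becomes a timezone-aware datetime."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rows.append(row)
    return rows


def is_paros(user_agent):
    """Same condition as the signature: the Paros token in the User-Agent header."""
    return "paros" in user_agent.lower()


def paros_activity(rows, window_seconds=300):
    """Count Paros-proxied requests per (client, vhost, interval start in UTC)."""
    counts = Counter()
    for row in rows:
        if not is_paros(row["ua"]):
            continue
        bucket = int(row["ts"].timestamp()) // window_seconds * window_seconds
        start = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%d %H:%MZ")
        counts[(row["client"], row["vhost"], start)] += 1
    return counts


def aggressive_attackers(rows):
    """Client addresses to add to the 'Aggressive Attacker' list."""
    return {row["client"] for row in rows if is_paros(row["ua"])}


if __name__ == "__main__":
    parsed = parse_http_log(SAMPLE_HTTP_LOG)
    for key, n in sorted(paros_activity(parsed).items()):
        print(key, n)
    print("aggressive attackers:", aggressive_attackers(parsed))
```

Feeding the IDS alerts instead of the web-server log gives the same per-source, per-destination sums, since each alert corresponds to one request carrying the user agent.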

Paros Proxy Scanner SIG 2008187 24h events activities
Paros Proxy Scanner SIG 2008187 1 Week events activities
Paros Proxy Scanner SIG 2008187 1 month events activities
Paros Proxy Scanner SIG 2008187 1 year events activities

SUC012 : Chinese Blind SQL Injection – hn.kd.ny.adsl

  • Use Case Reference : SUC012
  • Use Case Title : Chinese Blind SQL Injection
  • Use Case Detection : IDS / HTTP logs / SQL logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : No
  • Source IP(s) : Mostly 115.48.0.0/12 and ChinaNet
  • Source Countries : China
  • Source Port(s) : Random, but the source port stays static once a scan is initiated
  • Destination Port(s) : 80/TCP
Possible correlation(s) :
  • Unidentified SQL injection tool with some Google dorking capability

Source(s) :

We are seeing targeted Blind SQL Injection attempts against seemingly random URLs, always with the same three parameters. We have compiled a list of the source IP addresses, all located in China (hn.kd.ny.adsl), and more particularly in the Henan province. Each of these source IP addresses generates 30 distinct events. The 22/04/2010 events are not related to this Use Case.

1 month SID 2011040 IDS Events
One month SID 2006446 activity

These Blind SQL Injection scans are detected by Emerging Threats Snort rules, more precisely SID 2011040 “ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection”, and also by SID 2006446 “ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT”.

1 Month TOP 10 source IPs for SID 2011040
1 Month TOP 10 source IPs for SID 2006446
TOP 20 source countries for SID 2011040
TOP 20 source countries for SID 2006446

When the Blind SQL Injection scan starts, the source port stays static for 26 of the 30 events; the last 4 events also share a static source port, but a different one from the initial 26 events. We have also seen some source IPs run only 10 events, all ten with the same static source port.

For example :

115.52.225.227 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 60865 (26 events)
  • source port : 61446 (4 events)
1 week 115.52.225.227 SIG 2011040 events

123.161.77.52 – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 21703 (26 events)
  • source port : 22035 (4 events)
1 week 123.161.77.52 SIG 2011040 events

115.52.227.129 – hn.kd.ny.adsl – Beijing – China – User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

  • source port : 24431 (26 events)
  • source port : 25206 (4 events)
1 month 115.52.227.129 SIG 2011040 events

hn.kd.ny.adsl is well known on the Internet for malware, spam and similar activities.

The 3 source IP addresses replay exactly the same HTTP Blind SQL Injection sequences, which you can find below. This Blind SQL Injection tool may have a Google Dorking capability.

/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D8
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D3
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/aND/**/%278%27%3D%278
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/aND/**/%278%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/XoR/**/8%3D3
/forum/index.php?autocom=blog&blogid=1&showentry=46/**/XoR/**/8%3D8
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/XoR/**/%278%27%3D%273
/forum/index.php?autocom=blog&blogid=1&showentry=46%27/**/XoR/**/%278%27%3D%278

/forum/index.php?showentry=46&autocom=blog&blogid=1/**/aND/**/8%3D8
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/aND/**/8%3D3
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/aND/**/%278%27%3D%278
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/aND/**/%278%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/XoR/**/8%3D3
/forum/index.php?showentry=46&autocom=blog&blogid=1/**/XoR/**/8%3D8
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/XoR/**/%278%27%3D%273
/forum/index.php?showentry=46&autocom=blog&blogid=1%27/**/XoR/**/%278%27%3D%278

/forum/index.php?blogid=1&showentry=46&autocom=blog/**/aND/**/8%3D8
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/aND/**/8%3D3
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/aND/**/%278%27%3D%278
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/aND/**/%278%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog%25%27/**/aND/**/%278%27%3D%278
/forum/index.php?blogid=1&showentry=46&autocom=blog%25%27/**/aND/**/%278%25%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D3
/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D8
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/XoR/**/%278%27%3D%273
/forum/index.php?blogid=1&showentry=46&autocom=blog%27/**/XoR/**/%278%27%3D%278

Other SQL injection fingerprints

'%20and%205=6%20union%20select%200x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E,0x5E5B7D7E%20--%20And%20'6'='6
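As an added example (not the attacker's tool and not the Snort rules discussed here), the following Python script shows how the replayed sequence above can be recognised in HTTP or IDS logs on the defender's side: it decodes the percent-encoding and the `/**/` comment obfuscation, classifies each request as a true or false boolean probe (8=8 versus 8=3) or as a UNION SELECT fingerprint, pairs true and false probes against the same path and parameter set whatever the parameter order, and counts events per source IP and source port to surface the static-source-port behaviour. The URIs and the first source address and ports come from this post; the other two source addresses and ports are constructed, and the UNION fingerprint is shortened to three columns.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

COMMENT_RE = re.compile(r"/\*.*?\*/")                       # inline SQL comments used as spaces
BOOL_RE = re.compile(r"\b(and|or|xor)\s+'?(\d+)%?'?\s*=\s*'?(\d+)%?'?")  # and 8=8, and '8%'='3, xor 8=3
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")

# Shortened from the fingerprint quoted above (three columns instead of fifty).
UNION_FINGERPRINT = ("'%20and%205=6%20union%20select%20" + ",".join(["0x5E5B7D7E"] * 3)
                     + "%20--%20And%20'6'='6")

# (source IP, source port, request URI). The first five use the post's own
# source address, ports and URIs; the last two sources are constructed.
SAMPLE_EVENTS = [
    ("115.52.225.227", 60865, "/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D8"),
    ("115.52.225.227", 60865, "/forum/index.php?autocom=blog&blogid=1&showentry=46/**/aND/**/8%3D3"),
    ("115.52.225.227", 60865, "/forum/index.php?autocom=blog&blogid=1&showentry=46%25%27/**/aND/**/%278%27%3D%278"),
    ("115.52.225.227", 61446, "/forum/index.php?showentry=46&autocom=blog&blogid=1%25%27/**/aND/**/%278%25%27%3D%273"),
    ("115.52.225.227", 61446, "/forum/index.php?blogid=1&showentry=46&autocom=blog/**/XoR/**/8%3D3"),
    ("198.51.100.5", 51000, "/forum/index.php?autocom=blog&blogid=1&showentry=46"),   # legitimate visitor
    ("203.0.113.9", 40000, "/index.php?id=1" + UNION_FINGERPRINT),
]


def normalize(uri):
    """Decode percent-encoding, replace inline comments by spaces, collapse blanks, lower-case."""
    text = COMMENT_RE.sub(" ", unquote(uri))
    return re.sub(r"\s+", " ", text).lower()


def classify(uri):
    """('union', None), ('boolean', 'true'|'false') or ('none', None)."""
    text = normalize(uri)
    if UNION_RE.search(text):
        return ("union", None)
    m = BOOL_RE.search(text)
    if m:
        return ("boolean", "true" if m.group(2) == m.group(3) else "false")
    return ("none", None)


def target_key(uri):
    """Path plus sorted parameter names, so the three permutations above map to one target."""
    parts = urlsplit(uri)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return (parts.path, tuple(names))


def analyse(events):
    probes = defaultdict(Counter)   # (src_ip, path, params) -> {'true': n, 'false': m}
    ports = Counter()               # (src_ip, src_port) -> injection events
    union_sources = set()
    for src_ip, src_port, uri in events:
        kind, truth = classify(uri)
        if kind == "none":
            continue
        ports[(src_ip, src_port)] += 1
        if kind == "union":
            union_sources.add(src_ip)
        else:
            probes[(src_ip,) + target_key(uri)][truth] += 1
    # A source sending both a true and a false probe at the same target is
    # comparing responses: boolean-based blind SQL injection, not a one-off.
    blind_pairs = sorted((key[0], key[1]) for key, c in probes.items()
                         if c["true"] and c["false"])
    return {"probes": dict(probes), "ports": ports,
            "blind_pairs": blind_pairs, "union_sources": sorted(union_sources)}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    print("blind SQLi probe pairs:", result["blind_pairs"])
    print("union-based sources:", result["union_sources"])
    print("events per (source IP, source port):", dict(result["ports"]))
```

The per-port counter is what makes the 26/4 split visible: one scan run shows up as one (source IP, source port) key with many events, instead of the one-port-per-connection pattern of a browser.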

If you have any information about these SQL injections, and more particularly about the tool used, please contact me on Twitter or comment on this post.

SUC011 : Activities on 62550/UDP destination port – d1:ad2:id20

  • Use Case Reference : SUC011
  • Use Case Title : Activities on 62550/UDP destination port
  • Use Case Detection : Firewall / IDS
  • Targeted Attack : N/A
  • Identified tool(s) : BitTorrent clients
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 62550/UDP
Payload example :
000 : 64 31 3A 61 64 32 3A 69 64 32 30 3A AC 41 FC A5   d1:ad2:id20:.A..
010 : 70 55 ED 54 F8 0A 70 A8 C0 A0 DB D9 55 69 BE 5A   pU.T..p.....Ui.Z
020 : 65 31 3A 71 34 3A 70 69 6E 67 31 3A 74 34 3A B8   e1:q4:ping1:t4:.
030 : 8F 00 00 31 3A 76 34 3A 55 54 48 38 31 3A 79 31   ...1:v4:UTH81:y1
040 : 3A 71 65                                          :qe
Possible correlation(s) :
  • P2P BitTorrent DHT Queries for Trackerless Torrents

Source(s) :

These activities are genuine false positives if they match the “d1:ad2:id20” UDP content. You can ignore them, and to stop receiving this kind of activity we recommend blocking ICMP responses on your servers.
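To check the “d1:ad2:id20” content rather than trusting a string match, here is an added example (written for this post, not a tool from the original): it converts the hex dump above back to bytes, parses it with a minimal bencode decoder, and classifies the packet as a DHT KRPC query only when it has the expected shape (`y` = `q`, a known query name and a 20-byte node id). Malformed or truncated payloads fall through as unknown, which is the case worth a second look. The decoder and the list of query names are assumptions on my part, not part of the post.

```python
import re

# Hex dump of the UDP payload from the use case above, kept in the post's layout.
DHT_PING_HEXDUMP = """\
000 : 64 31 3A 61 64 32 3A 69 64 32 30 3A AC 41 FC A5   d1:ad2:id20:.A..
010 : 70 55 ED 54 F8 0A 70 A8 C0 A0 DB D9 55 69 BE 5A   pU.T..p.....Ui.Z
020 : 65 31 3A 71 34 3A 70 69 6E 67 31 3A 74 34 3A B8   e1:q4:ping1:t4:.
030 : 8F 00 00 31 3A 76 34 3A 55 54 48 38 31 3A 79 31   ...1:v4:UTH81:y1
040 : 3A 71 65                                          :qe
"""

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def hexdump_to_bytes(dump):
    """Take the (up to) 16 hex tokens after the offset; the ASCII column is dropped."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()[2:18]          # skip "000" and ":"
        out.extend(int(t, 16) for t in tokens if HEX_BYTE.fullmatch(t))
    return bytes(out)


def bdecode(data, pos=0):
    """Minimal bencode decoder: (value, next_position); ValueError on malformed input."""
    tag = data[pos:pos + 1]
    if tag == b"i":                                      # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if tag == b"l":                                      # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if tag == b"d":                                      # dictionary: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError("dictionary key is not a byte string")
            result[key], pos = bdecode(data, pos)
        return result, pos + 1
    if tag.isdigit():                                    # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string length runs past end of payload")
        return data[start:start + length], start + length
    raise ValueError("not bencode at offset %d" % pos)


# KRPC query names (assumed list for this example).
DHT_QUERIES = {b"ping", b"find_node", b"get_peers", b"announce_peer"}


def classify_udp_payload(payload):
    """('dht-query', name) for a well-formed KRPC query, ('unknown', None) otherwise."""
    try:
        msg, end = bdecode(payload)
    except ValueError:
        return ("unknown", None)
    if end != len(payload) or not isinstance(msg, dict):   # trailing junk or not a dict
        return ("unknown", None)
    args = msg.get(b"a")
    if (msg.get(b"y") == b"q" and msg.get(b"q") in DHT_QUERIES
            and isinstance(args, dict) and len(args.get(b"id", b"")) == 20):
        return ("dht-query", msg[b"q"].decode())
    return ("unknown", None)


if __name__ == "__main__":
    pkt = hexdump_to_bytes(DHT_PING_HEXDUMP)
    decoded, _ = bdecode(pkt)
    print("node id:", decoded[b"a"][b"id"].hex(), "client:", decoded[b"v"])
    print("classification:", classify_udp_payload(pkt))
```

Wiring this into the firewall or IDS pipeline lets you drop the DHT pings from the 62550/UDP trend charts while keeping anything on that port that does not decode as a DHT query.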

24 hours destination port 62550 events
1 week destination port 62550 events
1 month destination port 62550 events
1 year destination port 62550 events
source ports repartition for destination port 62550
source countries repartition for destination port 62550