AfterGlow, relevant security information with visualization

AfterGlow is a collection of scripts that facilitate the process of generating “linked graphs” or “network graphs”. The software is written in Perl and is driven from the command line, but it is quite easy to use.

AfterGlow expects a CSV file as input and generates an attributed graph language file that can be processed by the Graphviz tools.

We will exercise AfterGlow on the case from my previous post, “Strange activities on 28081 and 47919 TCP/UDP destination ports”.

To run AfterGlow, we need a CSV file. Our first example has 3 columns: source IP, protocol and destination port (which is 28081). The source IP will be the source data, the protocol the event, and the destination port the target.

We also need a configuration file named “color.properties” to configure the color output. Ours will be very simple.

color.source="greenyellow"
color.event="lightblue"
color.target="red"

To create your first AfterGlow visualization, just launch the following command.

cat 28081.csv | afterglow.pl -c color.properties -a -d -p 2 -e 3 | neato -Tpng -o 28081.png

Below is a gallery containing some AfterGlow results.

SUC004 : phpMyAdmin User-Agent Revolt Scanner

  • Use Case Reference : SUC004
  • Use Case Title : phpMyAdmin User-Agent Revolt Scanner
  • Use Case Detection : HTTP Logs / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Revolt Scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random port, but static source port when scan is initiated
  • Destination Port(s) : 80/TCP, 443/TCP
Possible(s) correlation(s) :
  • phpMyAdmin scanner

Source(s) :

Surely during your daily HTTP log check you have detected these kinds of patterns.

...
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/mysqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpMyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin2/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/2phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmy/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phppma/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/MyAdmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/program/ HTTP/1.1" 301 - "-" "revolt"
...

These patterns are related to Revolt Scanner, a web scanner specialized in discovering phpMyAdmin installations. Once the scanner is started, the source port stays static during the complete web directory brute-forcing. Also, this scanner only targets the IP address of the DNS A record (IN A) of the domain it asks for.

These scans are detected by the Emerging Threats Snort rules, more precisely the 2009288 “WEB_SERVER Attack Tool Revolt Scanner” signature.

You can find here the typical list of directories that are scanned by Revolt.
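As an added example (not code from the original post), the following Python script parses combined-format HTTP log lines like the ones quoted above and flags sources that match the Revolt pattern in two independent ways: the literal “revolt” User-Agent, and a burst of distinct phpMyAdmin-style directory probes from one IP within a few seconds, which still fires if a later scanner version changes its User-Agent. The sample log lines, the directory keyword list and the thresholds are constructed assumptions for illustration; the Emerging Threats signature mentioned above remains the authoritative detection.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines modelled on the combined-log excerpt in the post;
# the last two lines are ordinary traffic added to show a non-match.
SAMPLE_LOG = """\
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/mysql/sqlmanager/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:54 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/phpmyadmin/ HTTP/1.1" 301 - "-" "revolt"
209.200.33.196 - - [23/Apr/2010:11:39:55 +0200] "HEAD http://xxx.xxx.xxx.xxx:80/myadmin/ HTTP/1.1" 301 - "-" "revolt"
192.0.2.10 - - [23/Apr/2010:11:40:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Apr/2010:11:40:03 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directory keywords taken from the probe list quoted in the post (assumed heuristic).
PMA_PATH_RE = re.compile(r'(?i)(phpmyadmin|phpmy|phppma|myadmin|sqlmanager|mysqlmanager)')

Hit = namedtuple("Hit", "ip ts method path ua")


def parse_line(line):
    """Return a Hit for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Revolt sends absolute URLs in the request line; keep only the path part.
    path = urlsplit(m.group("target")).path or "/"
    return Hit(m.group("ip"), ts, m.group("method"), path, m.group("ua"))


def detect_revolt(lines, min_paths=3, window_s=10):
    """Map source IP -> list of reasons it looks like the Revolt scanner."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = parse_line(line)
        if hit:
            by_ip[hit.ip].append(hit)

    findings = {}
    for ip, hits in by_ip.items():
        reasons = []
        # High-confidence indicator: the literal "revolt" User-Agent seen in the post.
        if any(h.ua.lower() == "revolt" for h in hits):
            reasons.append("User-Agent 'revolt'")
        # Behavioural indicator: many distinct phpMyAdmin-style directories
        # probed by one source inside a short sliding time window.
        probes = sorted((h.ts, h.path) for h in hits if PMA_PATH_RE.search(h.path))
        for i, (t0, _) in enumerate(probes):
            window = {p for t, p in probes[i:] if (t - t0).total_seconds() <= window_s}
            if len(window) >= min_paths:
                reasons.append(f"{len(window)} distinct phpMyAdmin-style paths within {window_s}s")
                break
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_revolt(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

On the sample, 209.200.33.196 is reported for both reasons and the ordinary client at 192.0.2.10 is not, even though it requested /phpmyadmin/ once: a single 404 is normal noise, a burst of distinct probe directories is not.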

Below you can find the latest statistics for Revolt Agent activities.

1 Month SIG 2009288 events activities
One year SIG 2009288 events activities
1 Month TOP 10 source IPs for SIG 2009288
TOP 20 source countries for SIG 2009288

SUC003 : Events from static source port 6000/TCP

  • Use Case Reference : SUC003
  • Use Case Title : Events from static source port 6000/TCP
  • Use Case Detection : Firewall / IDS
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Unknown
  • Source IP(s) : Random
  • Source Countries : Most of China
  • Source Port(s) : 6000/TCP
  • Destination Port(s) : 135/TCP, 1080/TCP, 1433/TCP, 1521/TCP, 2967/TCP, 3127/TCP, 3128/TCP, 8000/TCP, 8080/TCP, 9090/TCP

Possible(s) correlation(s) :

  • Worm Dasher

Sources :

Like many other honeynets, we detected activities with a static source port of 6000 toward the destination ports listed above.

This 6000/TCP source port is well known for targeting Microsoft SQL Server on 1433/TCP, but has evolved to also target Oracle on 1521/TCP.

For a few days now, source port 6000/TCP has been targeting new destination ports: 8000/TCP, 8080/TCP and 9090/TCP.

Most of the time these trends are revealed by firewall reporting, but an IDS that is configured to report activities on unused TCP or UDP ports could also trigger alerts. If you use the Emerging Threats “Known Compromised Hosts” and “Recommended Block List”, correlating firewall activities with IDS signatures will give you a better overview of the attacker.
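The following Python script is an added example, not part of the original post, and serves two passages of this page: it builds the three-column CSV (source IP, protocol, destination port) that the afterglow.pl command in the first section expects, and it implements the SUC003 check, reporting every source that used the static source port 6000/TCP and which of the listed destination ports it hit, so that a new destination port (as with 8000, 8080 and 9090 above) stands out. The log lines are constructed samples in the iptables LOG key=value style; the field names (SRC, DST, PROTO, SPT, DPT) are assumed from that format and addresses come from documentation ranges.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines in the iptables LOG key=value style (field names
# SRC, DST, PROTO, SPT, DPT assumed from that format).
SAMPLE_FW_LOG = """\
Apr 23 11:02:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=6000 DPT=1433 SYN
Apr 23 11:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=6000 DPT=1521 SYN
Apr 23 11:02:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.6 PROTO=TCP SPT=6000 DPT=8080 SYN
Apr 23 11:03:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=6000 DPT=22 SYN
Apr 23 11:05:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.5 PROTO=TCP SPT=51234 DPT=1433 SYN
Apr 23 11:06:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=UDP SPT=6000 DPT=53
"""

# Destination ports listed for SUC003 in the post.
SUC003_PORTS = {135, 1080, 1433, 1521, 2967, 3127, 3128, 8000, 8080, 9090}

KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_fw_line(line):
    """Return the fields we need from one iptables-style line, or None."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dst": fields.get("DST", "?"),
        "proto": fields.get("PROTO", "?"),
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields["DPT"]),
    }


def static_sport_events(lines, sport=6000, proto="TCP"):
    """Yield parsed events whose source port is the static one being hunted."""
    for line in lines:
        e = parse_fw_line(line)
        if e and e["proto"] == proto and e["spt"] == sport:
            yield e


def suc003_report(lines, sport=6000, proto="TCP", known=SUC003_PORTS):
    """Per source IP: every destination port hit from the static source port,
    split into ports SUC003 already lists and ports not seen before."""
    per_src = defaultdict(set)
    for e in static_sport_events(lines, sport, proto):
        per_src[e["src"]].add(e["dpt"])
    return {
        src: {
            "dports": sorted(dports),
            "known": sorted(dports & known),
            "new": sorted(dports - known),
        }
        for src, dports in per_src.items()
    }


def afterglow_rows(lines, sport=6000, proto="TCP"):
    """Three-column CSV rows (source IP, protocol, destination port): the
    source / event / target layout the afterglow.pl command in the post uses."""
    return [f"{e['src']},{e['proto']},{e['dpt']}"
            for e in static_sport_events(lines, sport, proto)]


if __name__ == "__main__":
    # Read real log lines from stdin when piped, otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_FW_LOG.splitlines()
    lines = list(source)
    # Summary goes to stderr so that stdout stays clean CSV for AfterGlow.
    for src, info in suc003_report(lines).items():
        print(f"# {src}: known={info['known']} new={info['new']}", file=sys.stderr)
    print("\n".join(afterglow_rows(lines)))
```

Saved under a hypothetical name such as fw2csv.py, the script slots into the same pipeline as the first section (`python3 fw2csv.py < firewall.log | afterglow.pl -c color.properties -a -d -p 2 -e 3 | neato -Tpng -o 6000.png`), and the stderr summary flags 203.0.113.9 for hitting 22/TCP from source port 6000, a port not on the SUC003 list; the UDP line is ignored because SUC003 is a TCP pattern.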

24 hours source port 6000 events
1 week source port 6000 events
1 month source port 6000 events
1 year source port 6000 events
Source port 6000 source countries repartition
Source port 6000 destination ports repartition

ClamAV antivirus blocking Yahoo and Apple: HTML.IFrame-39

We have experienced some issues with ClamAV antivirus when trying to access the Yahoo or Apple websites. Access is denied with the “Virus ‘HTML.IFrame-39’ found” message.

The “HTML.IFrame-39” pattern was introduced in the 10766 daily ClamAV DB update, dated Apr 20, 2010, 8:10 PM.

Submission-ID: 15222955
Sender: llattan
Submission notes: Email link leads to a URL not found.
Added: Email.Trojan-162
Added: HTML.IFrame-39

Maybe some more websites are affected by this false positive.

Below is a list of affected websites: http://uk.yahoo.com, http://fr.yahoo.com, http://www.apple.com, http://www.lenovo.com, http://www.aqa.org.uk, http://www.alice-dsl.de, http://www.sky.de