Blast(s) From the Past

A few of my HoneyPoints delivered an interesting blast from the past to me this morning. Around 2pm Eastern yesterday, one of our IP ranges got hit by a scan with this signature on port 80:

GET /level/16/exec/-///pwd HTTP/1.0

The web connection was then followed by a series of connections on port 23, though the tool did not do anything more than banner grabbing on the telnet port.

While the scan was obviously an attempt to exploit the old Cisco HTTP vulnerability (circa 2001), I had not seen probes for those issues in quite some time. I also had not seen a tool that also connected on port 23 of the same host and did banner grabbing, so thus why this stood out above the usual noise.

This brought about a very interesting point that many of these old vulnerabilities are making comebacks. Scans for old web vulnerabilities like Unicode issues, Double Decode, Code Red and the ASN.1 worm continue to be among the most seen probes on the Internet. Other folks have talked about the idea that perhaps as more third world countries become more Internet connected, that technology may not be updated there as rapidly – which could cause the lifecycle of older vulnerabilities to either be reborn or at least, eek out a longer existence. Could ancient vulnerabilities like RDS and .HTR buffer overflows still be leveraged for Internet compromise? The possibility is high that some small percentage of systems is likely available as a vulnerable target.

Does this mean that vulnerabilities will have a lifecycle that approaches infinity? If there are still systems out there that are vulnerable, why would some attacker without general worries of discovery not just keep building a super-worm that continually crawls the net looking for every known web vulnerability to date? If incorporated and distributed through bot-net style approaches, this is likely pretty feasible – particularly if you can make the attack smart enough to adapt its vulnerability testing to the specifics of a target – much like a modern scanning tool.

How will some of these older vulnerabilities fair? It remains to be seen, but my bet is that blasts from the past are likely to keep on rolling in some diminutive way. Let’s just say that I think it will be a long time before we live in a Code Red free world.

Leave a Reply