From:	 Lance Spitzner <lance@SPITZNER.NET>
To:	 INCIDENTS@SECURITYFOCUS.COM
Subject: Repeated LPR attacks against wrong OS
Date:	 Sun, 22 Apr 2001 08:15:59 -0500

On Fri, 20 Apr 2001, Jim Forster wrote:

> I had the same thing here over the past few days.  Initial SYN scans of the
> network, then 350 + attempts to get into a staging NT server via 515 Linux
> LPR exploit.   Odd.

Actually, this is not odd; it merely demonstrates the tactics used
by the blackhat community, specifically script kiddies.  As many of
you know, script kiddies focus on a few exploits, then probe hundreds
of thousands of systems for these few vulnerabilities.  Traditionally,
blackhats and script kiddies would first determine if a system is
vulnerable.  Once determined, they would then launch the exploit.

Tactics have changed as script kiddies have become lazy.  Now, they
merely search for a specific service; once it is identified, they launch
their attack.  In your case, you most likely have a script kiddie using
an 'auto rooter' or worm that is attempting to exploit a well known Linux
LPR vulnerability.  The tool searches for this service; when it is
identified, it launches.  If successful, they have root.  If it fails,
they simply move on to the next victim.  Why bother taking the extra
step and time to determine if you are vulnerable (and even the correct
OS) when you can just launch the attack and let that determine it for you?

We have confirmed this brute force approach with the Honeynet Project.
We have several different operating systems within our Honeynet,
including both Linux and Solaris.  Often both systems are attacked with
the same exploit, even though the attacks are architecture dependent
(such as X86 or Sparc).  For example, during the month of January our
Solaris honeypot was hit with over 20 X86 rpc.statd attacks.

The reason you see repeated LPR attempts (which is VERY common for this
exploit) is that the attack is most likely cycling through a series of
different offsets for the exploit.

Hope this helps :)

lance
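The pattern Lance describes has a recognisable shape in connection logs: a short probe of several ports from one source, then dozens of connections to tcp/515 against the same host in a few minutes, regardless of what that host actually runs. The following is an added example, not code from the original post or from the Honeynet Project: two simple heuristics run over constructed firewall-style log lines. The addresses, the log format ("<ISO timestamp> <src> <dst> <dport>"), the host inventory and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the original post): flag a port scan followed
by a burst of tcp/515 connections, the auto-rooter / offset-sweep pattern
described on the INCIDENTS list, over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

LPR_PORT = 515

# Constructed inventory: what each target really runs.  The post's point
# is that the attacker never checks this before firing the exploit.
INVENTORY = {
    "192.0.2.10": "Windows NT",   # assumed staging NT server
    "192.0.2.20": "Linux",
}


def build_sample_log():
    """Constructed log lines in the form '<ISO timestamp> <src> <dst> <dport>'."""
    t0 = datetime(2001, 4, 20, 3, 10, 0)
    lines = []
    # 1. a quick probe of a few ports on the NT box, including 515
    for i, port in enumerate((21, 23, 80, 111, LPR_PORT)):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.9.8.7 192.0.2.10 {port}")
    # 2. forty more connections to tcp/515, two seconds apart: the exploit
    #    being retried with a different offset each time
    for i in range(40):
        ts = t0 + timedelta(seconds=10 + 2 * i)
        lines.append(f"{ts.isoformat()} 10.9.8.7 192.0.2.10 {LPR_PORT}")
    # 3. one legitimate print job from another internal host to the Linux box
    ts = t0 + timedelta(minutes=5)
    lines.append(f"{ts.isoformat()} 10.9.8.8 192.0.2.20 {LPR_PORT}")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def max_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:     # slide the left edge forward
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_port_scan(events, min_ports=4):
    """(src, dst) pairs where one source touched at least `min_ports` ports."""
    ports = defaultdict(set)
    for _, src, dst, dport in events:
        ports[(src, dst)].add(dport)
    return sorted(pair for pair, seen in ports.items() if len(seen) >= min_ports)


def detect_offset_sweep(events, inventory, port=LPR_PORT, min_attempts=10,
                        window=timedelta(minutes=10)):
    """Sources hammering `port` on one host repeatedly inside `window`.

    Each hit records the target's real OS so the analyst can see, as in the
    post, that the exploit was launched against a non-Linux machine."""
    hits = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            hits[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in sorted(hits.items()):
        burst = max_in_window(times, window)
        if burst >= min_attempts:
            target_os = inventory.get(dst, "unknown")
            findings.append({"src": src, "dst": dst, "attempts": burst,
                             "target_os": target_os,
                             "wrong_os": target_os != "Linux"})
    return findings


def analyze(lines, inventory=INVENTORY):
    """Run both heuristics over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines]
    return {"scans": detect_port_scan(events),
            "sweeps": detect_offset_sweep(events, inventory)}


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for pair in report["scans"]:
        print("port scan:", pair)
    for f in report["sweeps"]:
        print("tcp/515 sweep:", f)
```

Against the constructed log this reports the scan from 10.9.8.7 to 192.0.2.10 and a 41-connection tcp/515 sweep (the single probe plus forty retries) against a host the inventory says is Windows NT, while the lone print job to the Linux box is ignored. The thresholds are illustrative; the useful signal is the combination of many attempts on one port within minutes and a target that could not be vulnerable to the Linux exploit at all.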