
Vintage Internet Noise

BSides SLC · 2024 · 26:22 · 42 views · Published 2024-09

Transcript [en]

Just like an informal, like, "we're going to go on a journey together" talk. So if you want to move into like these two sections, I promise I don't bite or throw things. Right now you're on my peripherals, but you can move up. So I'm Kimber. I'm going to talk to you about vintage internet noise, and I promise that this will not be 25 minutes of listening to dial-up tones. It's taking a look at that old stuff, that old gunk that we see in the packets that come across the internet. I work for a company called GreyNoise Intelligence, and what we do is we passively listen to the internet. We have a series of sensors deployed all throughout all kinds of different providers, residential IP space, VPN space, and what we're trying to do is find like unique and interesting stuff. And well, sometimes we find out that that stuff that's unique and interesting is actually from 1999, and that's really weird, and it's been a very strange phenomenon that I've really wanted to document. So right now I'm a product manager with them, but I've also worked with their research team really closely. So this is going to be a presentation about three different CVEs that are by all definitions vintage, and I'm so sorry to those of you who may also be considered vintage. This will be a nice trip down memory lane for you.

Also, that girl that just went before me, she was 16. That was an amazing talk. The kids are all right, oh my gosh. So she wasn't even born, which is kind of crazy and wild. So just to level set, though, just to kind of bring some perspective to this whole thing: there is internet background noise. So when you plug a device up to the internet, when you plug your router in, the second that that happens you're getting contacted by outside IP addresses, and they're doing things like pinging you, seeing what ports are open, seeing what they can throw at you, and that's what we refer to as opportunistic exploitation. So there's script kiddies on the internet; they have things running all the time to try and identify Cisco devices, for example, so that the second there's some kind of Cisco CVE that's out, they can throw it within an hour, within half an hour of that exploit being out. So on a daily basis you can kind of estimate that you see like 3,000 pings per day just being a device hanging out on the internet. You can estimate that you see a thousand distinct IP addresses approximately on any given day. And this animation is how we've attempted to represent what this looks like, so just background noise in general mapped to IP spaces. That big dark spot in the top right is DoD space; nothing goes there, that's illegal. So the loudest stuff is obviously like your internet, like VPS providers such as Amazon, DigitalOcean, Google, Microsoft Azure; like all of that stuff is pretty loud. So it really depends on where you are on the internet and kind of what your traffic per day is, but we can kind of estimate at this point that most traffic on the internet is just noise. It's just people trying to opportunistically exploit things, or there's a lot of benign scanners that are out there that just are taking inventory of the internet, so they're taking a look at like what's out there.

Censys is who I'm going to use as an example in this talk, because they do a really good job of service enumeration and certificate enumeration, so that when an exploit comes out we can say, oh, there's actually 5,000 D-Link devices out there instead of the 32,000 that are being reported. So services like this are very important. So what does scanning the internet look like to the end user? It looks like maybe you get 25 alerts in your little SOC platform; Splunk is coming up with "there was an nmap scan by this one IP address." You might look at a pcap file from your router and see this just random blip of traffic, and you're like, oh, I don't really know what that is, it just looks like a port scan. It might look like an official HP support issue saying that if your printer is printing out things telling you to subscribe to PewDiePie, that was done by internet scanning. That was a real issue, happened back in the day. Pretty cool, pretty cool accomplishment: all the printers attached to the internet printed out something that said "subscribe to PewDiePie." And I'm realizing that there might be some people who don't know who PewDiePie is, because that's like an old internet reference at this point. Damn. So if we refer to this in professional terms, this is, according to the MITRE ATT&CK framework, reconnaissance or initial access, so we're in the very far left of that whole big graph that leads to all the other bad things.

So I'm going to start with CVE-2002-1042, and this is a directory traversal vulnerability in the search engine for iPlanet Web Server, blah blah blah blah blah, but what is important to notice there is Netscape Enterprise Server 3.6. Who has ever heard of Netscape Enterprise Server 3.6? Yes, I see you in the back raising your hand, and you over there with the gray beard raising your hand. Thank you for your service, both of you. It's ancient. Unfortunately, we are solidly 20 years past 2002, and unfortunately that is the qualification for being vintage: being at least 20 years old. So what does it look like? What is iPlanet's web server? I actually thought it was really, really amusing that the US Department of Veterans Affairs has a huge catalog of just software and whether or not it was okay to use, so this is their VA Technical Reference Model for iPlanet Web Server. And it was software that was designed for small and medium businesses to just have a content hosting platform for them to manage their content, so it's kind of like a precursor to WordPress. And what it did is it had, they referred to it as pattern files, and they used these pattern files in order to make sure that the right directories on the server were being mapped, and surface those up in a way that made sense to the user. Also, I'm really curious, did either of you that raised your hands work with iPlanet Web Server ever? Nope. Okay, cool, so I'm not butchering that explanation. But it used Java, Java Database Connectivity; it used some familiar stuff that we see today.

But this is what the exploit looks like, so we're going to walk through it together, because you never know who's looked at packets before. But this is specifically, when you look at an internet packet, a network packet, an IPv4 TCP packet, this is the payload field of the HTTP packet. So we're pulling everything apart, we're getting to the good stuff, and we're getting to the payload, because the payload is what's going to show up in your web application firewall logs; it's what's going to trigger your SOC alert. And so the slash in the beginning indicates the web root directory, so we know that we are throwing the exploit at the web server; we're meaning to manipulate the software that is running the web server. The next part is the function, the search. So this software had a search function in order to surface material that was relevant to the user. Search values come after the question mark, and then there's this really interesting part, and this is actually the vulnerable parameter of the CVE. So if we go back to the beginning, the very last part is "..\ (dot-dot backslash) sequences in the NS-query-pat parameter," and when I first saw this I was like, oh, that's weird, there's like a typo in this definition, like shouldn't "pat" be "path"? And what it actually is for is for the pattern files. So this is like a core functionality of the server, is having these pattern files that you surface. So next part: dot dot slash stuff, directory traversal. Does this pattern look familiar to anybody in the room? Okay, good, good, we've got our pattern-matching brains on, so this would have keyed to you that something was up. And then /etc/passwd, obviously spicy, valuable info; that's what everybody's going to be looking for. So what this is effectively doing is it's using that vulnerable file that is pattern matching to surface that spicy password file via directory traversal. It's really smart, it's really simple. I mean, like, that's why I love the vintage stuff, is because it's so understandable and straightforward. But that being said, when this came across my radar I had never seen that format before; I had never seen what an NS-query-pat was, so I thought it was something really good and like really valuable, but then I found out it was from 2002, on a dead software.

So surely this cannot still be on the internet. All right, we're going to take a vote. Does anybody think this iPlanet software is still on the internet? Okay, good, good, you're just as jaded as I am. Wonderful. So yeah, I'm so sorry, it is indeed still on the internet, and we know this by service enumeration, and we used fingerprinting, a.k.a. Censys, the magic of Censys, to get 306 results on just my initial, like, dig, which means effectively 306 servers that I could poke at. And I did, because research. So my favorite is a community college just using it for their online services; maybe this is just like a portal that they've end-of-lifed and just forgot to take down fully, who knows. But I dug a little deeper and I found an entire company running this stuff, Questa Technologies, and I just have to highlight "since 1996." And if you go to LinkedIn and happen to search these people, bless their hearts, because they have been working there 34 years and four months, since 1990, responsible for all aspects of the business. I tried to get in touch, and Monty did not want to respond to me, unfortunately. I actually went down a really fun phone trail of like 40 different people trying to find out why is this still on the internet, because like surely it's been exploited at this point. And I had a very nice conversation with a man named Jimmy, and Jimmy kind of told me, he was like, it was a real honor to like put education software on the internet and like be scanning old books so that people could learn stuff via the internet, and it was a really heartwarming conversation. Jimmy was 88 years old. It was just really heartwarming. There was no moral to that; just, like, Jimmy was a really cool guy to talk to, and I'm glad that I had that experience. Respect your elders.

So surely we don't see activity from those servers because they're still up and running, and I'm going to leave you on a cliffhanger here. So GreyNoise records activity that we see scanning the internet, and we leave it open so you can research, blah blah blah. So I searched one of Questa Technologies' IP addresses, and what this page is telling us is that it's scanned for port 3389 over TCP, and on the back end of this what I can see is that it only scanned IP addresses in Israel for open RDP ports, and that's a very quirky thing to be doing on the internet, very directed, targeted. But it is spoofable, so there's this trait of IP address connections that if you only complete part of the handshake, we can't prove that it came from your IP. But I will say, having an iPlanet server that, who knows when it was spun up, I mean, if you dig deeper into that it's running on end-of-life, like version 5.4 FreeBSD is what it's running on, so potentially we don't know who's sitting on Monty's server. And I really wanted to talk to him about it, but I didn't.

So we move on to the next one, CVE-2000-0126: sample Internet Data Query scripts in IIS 3 and 4 allow remote attackers to read files via a dot-dot attack. So it's talking about Microsoft Internet Information Services server, I forget what the I stands for, anyways. They had these templating scripts, these .idq scripts, that were on those very early versions, and this is what the payload looks like. So we kind of see the same pattern going on here: it's a query, it's looking for a particular templating file and using a directory traversal. Neat, I think it's neat. And so I looked at the data and I was like, okay, I can prove that this is ancient, like that's fine, it's from the year 2000. I don't know that I even had a conscious thought in 2000, being that I was a child, so who cares anymore. And so, I think this search was from the last like 180 days, this is how many IP addresses showed up, and all the highlighted ones are the same IP address. So I was like, okay, who's scanning for this? And lo and behold, it is a Nessus server. So that's kind of cool and interesting. We know that by default Nessus includes a scan for this ancient vulnerability, which is kind of interesting and cool; Nessus is actually like looking out for the homies that are still running the vintage stuff. Respect. No idea who this IP address belongs to; it's just a very sketchy, like, random provider in Europe. But this vulnerability is a really interesting one, and I think one of the reasons that we still see scanning for it is much like why we're going to see scanning for Log4j forever: because it was a big headline-winning vulnerability that caused a big-deal thing called the Code Red worm.

And so back in June of 2001 this company stayed up all night investigating some stuff. They were drinking a lot of Mountain Dew Code Red when they discovered this worm, thus named the Code Red worm, and it was this company called eEye, and they eventually became a company called BeyondTrust. So really nothing is new; threat research has been a thing for years and years and years, and basically we see this pattern constantly in threat intelligence, which is: homies stay up all night finding an exploit or finding a thing, they announce it, and then, gosh, eight days later Microsoft releases the patch. That's pretty fast for 2001. But on July 12th there's like this worm going through the internet, and like it's exploiting all the unpatched computers, because people weren't fast enough; like, you didn't have Twitter to tell you what to do in 2001, you just kind of had to be paying attention to Microsoft releasing things, you had to be subscribed to the listserv, you had to be on IRC. So I talked to the guy who found the worm, and I was like, why do you think we still see scanning for this? Like, there's no way the servers are still out there. And he thinks it's just inventory searching; he thinks it's not like anything too interesting; he doesn't think the Code Red worm is still out there. Worms do like propagate themselves; this one had a really interesting algorithm where it was semi-random, so it would come up with a script to determine like neighboring IP addresses, maybe, and propagate at a random time from there. So there was actually, if I could just like be a huge massive nerd for a minute, there's some amazing research papers written on this, about the diurnal shift of like worm movement through the internet. This is a great thing to like just know your roots on, the Code Red worm. I don't think we'll ever see any worms ever again, maybe. But in any case Ryan didn't really think it was that interesting, but it was cool of him to respond to my question about why do you still think we see this out there.

And finally, our most prolific, loudest, most oldest noise that we see is scanning for CVE-1999-0526, which is "an X server's access control is disabled and allows anyone to connect to the server." So these are referred to as X11 windows. It's a little hard to communicate how they look on the other side of the wire, like when you receive this attack, because this is a protocol vulnerability. And an X11 window is what you, I'm going to explain this really badly just to be succinct: X11 is just RDP for Linux, so it's like a way of viewing Linux remotely with a graphical interface, and this basically knocks on the door, says "authentication," and lets it right through. This is very, very simplified. But since it's a protocol vulnerability, you have to actually look a little bit deeper into the packet and look at the hex pattern, which is that 6c 00 0b and then all the zeros. And so this is the Metasploit module and how forming that packet looks, so you can see the "Rapid7 rocks" in there; that's them like attempting authentication. But anyways, point being, it's very, very loud, and I've actually seen this in SOCs that I've worked, that they'll get alerts for X11 windows scanning, and it's just kind of this weird thing, because it does still exist in modern-day Linux. Like, you basically have to make sure that somebody doesn't configure this wrong; you really have to double check, because this one is the one that can definitely still be affected, because somebody can just be like, I don't understand, why am I not able to remotely view over X11? And though you can set up authentication, it's very hard to disable authentication, people still go and remove authentication from this thing, because there's no real way to patch this, because it's a vulnerability in the protocol itself. So it's not like there's a program running that spins up X11 and all of these things; like, the protocol is broken. So bless the Linux nerds, they're trying to make everybody adopt what's called Wayland to fix this. It's going about as well as things with Linux nerds go, which is slow and steady; it'll happen eventually. But this is a graph of the last seven days, last 14 days, something like that, and we pretty steadily get above a thousand IP addresses on the internet every day scanning for this thing that was first discovered in 1999. Wild, because it's still out there.

So why is there so much of this? Because we know it's a really bad problem that cannot be fixed easily, because, sorry, graveyard friend over there, gray beards love Linux and open source stuff, and I think that's why we still see this one. But they know that it's a problem: there's an nmap scan directly for this, there's a Qualys scan directly for this; every single vulnerability management software that scans, scans for this. So that's why we see it so much on the internet by default: because X11 is a vulnerable protocol, we see it louder than anything else. So this is just a comparison table of the three different CVEs that we explored: that X server connection attempt being the highest number of IP addresses that we've seen in the last 180 days; that iPlanet file disclosure, the ancient software, we see 33, so a little bit higher but not too crazy; and then that IIS one, that very specific old version of IIS, the four, the seven version, is 17 IP addresses. So it is that 1999 one, the oldest exploited vulnerability, I think it is, and so does this guy named Patrick G. He's a big nerd about vulnerability research; I really respect him a lot. But he kind of posted this thread about like, is there anything older than this CVE 1989, like X11 window shenanigans again, and like is there any volume of people like using X server? So open X11 servers are pretty rare these days, but people always scan for archaic protocols.

So I think that it's worth learning about like our roots and where we came from, because it kind of informs where we're going, and I guess that's how I'd wrap it up. Like, what do we do? Because there's no real action item here, right? Like, if you don't have an iPlanet server, why are you going to care about that alert, or why are you going to care about that traffic? And largely you don't have to, but you can learn a lot from it. You can learn the pattern recognition, which is absolutely helpful for you in threat research. You can look at what these things have in common to start informing you how to learn about those patterns, which is: learn about directory traversals, those like OWASP Top 10 type things that are really in these packets; learn about the products that are in your infrastructure and how you can use those products against itself, so where are the openings there, where have CVEs been in the past that might inform where they'll be in the future; and as always, the access control struggle bus: make sure your things are closed, make sure only the people that have access are the ones you want having access, and just accept that very little is new and novel. We see all this stuff over and over and over again. So learn your patterns, learn your history, and thanks. I don't know, I hope you enjoyed that journey.
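The pattern-recognition takeaway of the talk, as an added example that is not the speaker's, GreyNoise's or Metasploit's code: a small Python detector that flags directory-traversal request lines (including double-encoded ones) and ties them to the iPlanet NS-query-pat and IIS .idq probes, plus a parser for the X11 connection-setup request that recognises the no-authorization pattern (6c 00 0b 00 followed by zeros) that X11 scanners send, so a SOC can tell an open-server probe from a normal MIT-MAGIC-COOKIE-1 client. Every request line and byte string below is a constructed sample, and the .idq parameter name is a placeholder.

```python
# Added example (not from the talk, GreyNoise or Metasploit); all samples below are constructed.
import re
import struct
from urllib.parse import unquote

TRAVERSAL = re.compile(r"\.\.[/\\]")  # '../' or '..\' once the target is URL-decoded
VINTAGE_HTTP = [  # (label, marker that ties a traversal to one of the talk's CVEs)
    ("CVE-2002-1042 iPlanet/Netscape search NS-query-pat", "ns-query-pat="),
    ("CVE-2000-0126 IIS sample .idq query script", ".idq"),
]

def classify_http(request_line: str) -> list:
    """Labels for one request line: is there a traversal, and which vintage probe is it."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return ["malformed"]
    decoded = unquote(unquote(target)).lower()  # twice: %252e%252e hides '..' from one pass
    hits = []
    if TRAVERSAL.search(decoded):
        hits.append("directory-traversal")
        hits += [label for label, marker in VINTAGE_HTTP if marker in decoded]
    return hits

def build_x11_setup(auth_name: bytes, auth_data: bytes) -> bytes:
    """X11 connection-setup request: byte order 'l' (LSB first), pad, major 11, minor 0,
    auth-name length, auth-data length, pad, then name and data each padded to 4 bytes."""
    pad4 = lambda b: b + b"\x00" * (-len(b) % 4)
    hdr = b"l\x00" + struct.pack("<4H", 11, 0, len(auth_name), len(auth_data)) + b"\x00\x00"
    return hdr + pad4(auth_name) + pad4(auth_data)

def parse_x11_setup(payload: bytes):
    """Inverse of build_x11_setup; None if the bytes are not an X11 setup request at all."""
    if len(payload) < 12 or payload[0] not in b"lB":
        return None
    endian = "<" if payload[0] == ord("l") else ">"
    major, minor, n, d = struct.unpack(endian + "4H", payload[2:10])
    data_off = 12 + n + (-n % 4)
    return {"major": major, "minor": minor,
            "auth_name": payload[12:12 + n].decode(errors="replace"),
            "auth_data_len": len(payload[data_off:data_off + d])}

def is_open_x11_probe(payload: bytes) -> bool:
    """The '6c 00 0b 00' + zeros pattern: a setup request offering no authorization at all.
    A server that answers it with status byte 1 (Success) has access control disabled
    (CVE-1999-0526); status 0 is Failed and 2 is Authenticate."""
    info = parse_x11_setup(payload)
    return bool(info) and info["major"] == 11 and info["auth_name"] == "" and info["auth_data_len"] == 0

# Constructed samples, not captured traffic; the .idq parameter name is a placeholder.
SAMPLE_REQUESTS = [
    "GET /search?NS-query-pat=..\\..\\..\\..\\..\\etc\\passwd HTTP/1.0",
    "GET /samples/query.idq?template=../../../../winnt/win.ini HTTP/1.0",
    "GET /cgi-bin/view?f=..%252f..%252fetc%252fpasswd HTTP/1.1",
    "GET /index.html HTTP/1.1",
]
OPEN_X11_PROBE = bytes.fromhex("6c000b00" "00000000" "00000000")  # what the X11 scanners send
COOKIE_SETUP = build_x11_setup(b"MIT-MAGIC-COOKIE-1", bytes(16))   # a normal, authenticated client
```

Feeding each line of a WAF or proxy log through `classify_http`, and the first client bytes of a tcp/6000 flow through `is_open_x11_probe`, separates the vintage probes the talk describes from the rest of the background noise.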