Full Disclosure mailing list archives
Re: ALERT WEBDAV worm on the loose
From: "Johannes Ullrich" <jullrich () sans org>
Date: 07 May 2003 08:11:19 -0400
Sorry to be the semantic freak (I am surely not the spelling or grammar guy). But in order to call this a 'worm', it needs to self-replicate. What you may have on your hands at this point is most likely a tool to collect bots for some kind of IRC bot network (just guessing here) based on the small number of sources at work here. On the other hand, I am seeing some advances in this type of exploit around. It may be that the kids finally learned to build better 'offset libraries' to make this exploit more efficient.
A) the host inserted in the string is the IP address, and not the hostname (any reference to your web site would have been via name)
B) this worm has attacked 6 different networks so far, in one case hitting 740 IP addresses on one network and 504 IP addresses on another network.
C) worm has attempted to contact hosts that are not running a web server (scanning)
D) Once worm finds a web server, it only sends the search string to MS servers.

For more information on worm, see MS announcement of vulnerability March 17th:
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

For lists of the source IP addresses and networks attacked, see:
http://www.hackertrap.net/IP.pl?IP=216.5.78.37
and
http://www.hackertrap.net/IP.pl?IP=12.210.139.232

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561
scheidell () secnap net
http://www.secnap.net
--
--------------------------------------------------------------
SANS Internet Storm Center http://isc.sans.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
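The observations A) to D) in the quoted report can be turned into a per-source triage over sensor records, which also gives the source count that the reply uses to tell a handful of scanning hosts from a self-replicating worm. This is an added example, not code from either poster; the record layout, the sample lines, the function names and the `min_dests` threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sensor records (not from the thread): src dst event host_header
# event is "SYN" for a connection attempt to a host with no web server,
# otherwise the HTTP method that was seen. Addresses are documentation ranges.
SAMPLE = """\
192.0.2.10 198.51.100.1 SYN -
192.0.2.10 198.51.100.2 SEARCH 198.51.100.2
192.0.2.10 198.51.100.3 SYN -
192.0.2.10 198.51.100.4 SEARCH 198.51.100.4
192.0.2.77 198.51.100.2 GET www.example.com
192.0.2.77 198.51.100.2 SEARCH www.example.com
"""

def is_ip_literal(host):
    """True when the Host header is a bare IPv4 address (point A)."""
    try:
        ipaddress.ip_address(host.split(":")[0])  # tolerate an optional :port
        return True
    except ValueError:
        return False

def summarize(log_text):
    """Per source: distinct destinations touched and SEARCHes with an IP Host."""
    stats = defaultdict(lambda: {"dests": set(), "ip_host_search": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, event, host = parts
        stats[src]["dests"].add(dst)  # points B and C: breadth of the sweep
        if event == "SEARCH" and is_ip_literal(host):
            stats[src]["ip_host_search"] += 1  # points A and D combined
    return stats

def flag_scanners(log_text, min_dests=3):
    """Sources that sweep many addresses and send SEARCH with an IP Host."""
    return sorted(
        src for src, s in summarize(log_text).items()
        if len(s["dests"]) >= min_dests and s["ip_host_search"] > 0
    )

if __name__ == "__main__":
    flagged = flag_scanners(SAMPLE)
    print(f"{len(flagged)} scanning source(s): {flagged}")
```

A flagged-source count that stays small over time matches the reply's reading of a tool run from a few hosts; a count that keeps growing would be what self-replication looks like from the sensor side.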