Security Incidents mailing list archives

New Virus/Worm - Frontpage?

From: Clinton Smith <festive () iinet net au>
Date: Thu, 31 Jan 2002 10:46:42 +0800

NOTE TO MODERATOR:
I tried to send this before - but no luck.
If the message is inappropriate or malformed
please advise.

I have seen some unusual traffic in my logs that looks like something new:
(It appears to be automated, or a tool)

Traffic Pattern is as follows:

STANDARD RANDOM SRC PORT -> WEBSERVER (80)
(24 Requests in Total over 1 second)

-------------------------------------------------------------
(3 of these)
OPTIONS /home/ HTTP/1.1
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Host: my.website.com
Content-Length: 0
Connection: Keep-Alive

(2 of these)
GET /_vti_inf.html HTTP/1.1
Date: Tue, 29 Jan 2002 02:33:55 GMT
MIME-Version: 1.0
Accept: */*
User-Agent: Mozilla/2.0 (compatible; MS FrontPage 5.0)
Host: my.website.com
Accept: auth/sicily
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

(1 of these)
OPTIONS / HTTP/1.1
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Host: my.website.com
Content-Length: 0
Connection: Keep-Alive

(1 of these)
POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
Date: Tue, 29 Jan 2002 02:33:58 GMT
MIME-Version: 1.0
User-Agent: MSFrontPage/5.0
Host: my.website.com
Accept: auth/sicily
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cache-Control: no-cache

method=server+version%3a5%2e0%2e2%2e2623

(3 of these)
OPTIONS /home/ HTTP/1.1
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Host: my.website.com
Content-Length: 0
Connection: Keep-Alive

(1 of these)
POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
Date: Tue, 29 Jan 2002 02:34:04 GMT
MIME-Version: 1.0
User-Agent: MSFrontPage/5.0
Host: my.website.com
Accept: auth/sicily
Content-Length: 41
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cache-Control: no-cache

method=server+version%3a5%2e0%2e2%2e2623

(1 of these)
GET /_vti_inf.html HTTP/1.1
Date: Tue, 29 Jan 2002 02:34:03 GMT
MIME-Version: 1.0
Accept: */*
User-Agent: Mozilla/2.0 (compatible; MS FrontPage 5.0)
Host: my.website.com
Accept: auth/sicily
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

(8 of these)
PROPFIND /home/ HTTP/1.1
Depth: 0
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
Host: my.website.com
Content-Length: 0
Connection: Keep-Alive
Pragma: no-cache

-------------------------------------------------------------
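The request sequence above is the fingerprint of a FrontPage/Web Folders client walking a site: an MSDAIPP "Protocol Discovery" OPTIONS probe with `Translate: f`, a fetch of `/_vti_inf.html`, a POST to `/_vti_bin/shtml.exe/_vti_rpc` asking for the server extensions version, and WebDAV PROPFIND requests. The following Python is an added example for anyone wanting to pull this pattern out of their own request logs; it is not part of the original post. It parses raw request blocks, classifies each against the artifacts visible above, decodes the RPC body, and flags a burst when several distinct probe kinds appear together (the threshold of three kinds and the sample log are constructed assumptions, not values from the post).

```python
"""Spot FrontPage Server Extensions / WebDAV discovery sequences in raw HTTP request logs."""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample: request blocks modelled on the ones in the post, plus one ordinary GET.
SAMPLE_LOG = """\
OPTIONS /home/ HTTP/1.1
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Host: my.website.com
Content-Length: 0

GET /_vti_inf.html HTTP/1.1
User-Agent: Mozilla/2.0 (compatible; MS FrontPage 5.0)
Host: my.website.com
Accept: auth/sicily
Content-Length: 0

POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
User-Agent: MSFrontPage/5.0
Host: my.website.com
Content-Length: 41
X-Vermeer-Content-Type: application/x-www-form-urlencoded

method=server+version%3a5%2e0%2e2%2e2623

PROPFIND /home/ HTTP/1.1
Depth: 0
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600
Host: my.website.com
Content-Length: 0

GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0
Host: my.website.com
"""

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def parse_requests(text):
    """Split raw request text into dicts with method, path, lower-cased headers and body.

    A new request starts at every request line, so bodies (which follow a blank
    line) are kept with their own request instead of being split off.
    """
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2),
                       "headers": {}, "body": "", "_in_body": False}
            requests.append(current)
            continue
        if current is None:
            continue  # junk before the first request line
        if current["_in_body"]:
            current["body"] += line
        elif line == "":
            current["_in_body"] = True  # blank line ends the header section
        elif ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    for req in requests:
        req.pop("_in_body")
    return requests


def classify(req):
    """Return the probe kind a request matches, or None for ordinary traffic."""
    path = req["path"].lower()
    hdr = req["headers"]
    if req["method"] == "POST" and path.endswith("/_vti_bin/shtml.exe/_vti_rpc"):
        return "fpse_rpc"           # FrontPage RPC endpoint (server version query)
    if "/_vti_" in path:
        return "fpse_info"          # FrontPage extensions info/config paths
    if req["method"] == "OPTIONS" and hdr.get("translate", "").lower() == "f":
        return "msdaipp_discovery"  # MSDAIPP "Protocol Discovery" OPTIONS probe
    if req["method"] == "PROPFIND":
        return "webdav_propfind"    # WebDAV property enumeration
    return None


def decode_rpc_body(body):
    """Decode the url-encoded FrontPage RPC body into a plain dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def summarize(text, min_kinds=3):
    """Count probe kinds in a log; flag a discovery sequence when >= min_kinds appear.

    min_kinds is an assumed threshold for this example, not a value from the post.
    """
    reqs = parse_requests(text)
    counts = Counter(kind for kind in (classify(r) for r in reqs) if kind)
    return {"total": len(reqs), "probes": dict(counts),
            "fpse_probe_sequence": len(counts) >= min_kinds}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    for req in parse_requests(SAMPLE_LOG):
        if classify(req) == "fpse_rpc":
            print("RPC body:", decode_rpc_body(req["body"]))
```

Run against the sample it reports four distinct probe kinds out of five requests and decodes the RPC body to `server version:5.0.2.2623`, i.e. the client is asking which FrontPage Server Extensions build is installed. On a real log, feed `summarize` the requests from one source address within a short window; a single `_vti_inf.html` hit is common noise, while the full OPTIONS/GET/POST/PROPFIND set from one host in a second is the sequence the post describes.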

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com