Security Incidents mailing list archives

Re: WebDav Worm?


From: Brian Eckman <eckman () umn edu>
Date: Fri, 13 Feb 2004 15:43:58 -0600

Keith T. Morgan wrote:
Maybe this is old news, or maybe its scanning pattern is just now
making it to my netblocks, but we're seeing a massive increase in http
connections asking for SEARCH
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA on most
of our web servers.  Each one is preceded by a packet with a 1348 byte
payload containing a mix of what appears to be unicode followed by what
appears to be pseudo random ascii padding.  An example of one of these
is included below.

Has anyone else been seeing this type of activity increasing?  We've
been seeing so much of it that I have to wonder if it's a worm.  The
volume's a little too high for skr1pt k1dd13 activity, unless there
happens to be a whole bunch of them using the same tool in the same
manner at the same time.

Yep. Nachi.B (or Welchia.B, whatever you want to call it.)

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."
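
A log check for the request pattern described in the quoted message, as an added example that is not part of the original thread: it flags SEARCH requests whose URI begins with a long run of one repeated character and counts them per source address. The Common Log Format input, the 32-character threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

MIN_FILLER = 32  # assumed threshold: shortest run of one repeated character treated as padding

# Common Log Format: client, ident, user, [time], "METHOD URI PROTO", status, size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# A URI of "/" followed by at least MIN_FILLER copies of the same character
FILLER_RE = re.compile(r"^/(.)\1{%d,}" % (MIN_FILLER - 1))


def is_search_probe(line):
    """Return the source address if the line is a WebDAV SEARCH for a padded URI, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "SEARCH":
        return None
    return m.group("src") if FILLER_RE.match(m.group("uri")) else None


def summarize(lines):
    """Count matching requests per source; many distinct sources points to automated scanning."""
    return Counter(src for src in map(is_search_probe, lines) if src)


# Constructed sample log lines (documentation address ranges), not taken from the post.
SAMPLE = [
    '192.0.2.10 - - [13/Feb/2004:14:02:11 -0600] "SEARCH /%s HTTP/1.1" 411 0' % ("A" * 64),
    '198.51.100.7 - - [13/Feb/2004:14:02:13 -0600] "SEARCH /%s HTTP/1.1" 411 0' % ("A" * 64),
    '192.0.2.10 - - [13/Feb/2004:14:02:19 -0600] "SEARCH /%s HTTP/1.1" 411 0' % ("A" * 64),
    '203.0.113.5 - - [13/Feb/2004:14:03:01 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Feb/2004:14:03:04 -0600] "SEARCH /docs HTTP/1.1" 207 812',
]

if __name__ == "__main__":
    for src, n in summarize(SAMPLE).most_common():
        print(src, n)
```

An ordinary WebDAV SEARCH (the last sample line) is not flagged; only the padded-URI form is counted.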

