Security Incidents mailing list archives
Re: WebDav Worm?
From: Brian Eckman <eckman () umn edu>
Date: Fri, 13 Feb 2004 15:43:58 -0600
Keith T. Morgan wrote:
Maybe this is old news, or maybe its scanning pattern is just now making it to my netblocks, but we're seeing a massive increase in HTTP connections asking for SEARCH /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA on most of our web servers. Each one is preceded by a packet with a 1348 byte payload containing a mix of what appears to be Unicode followed by what appears to be pseudo-random ASCII padding. An example of one of these is included below. Has anyone else been seeing this type of activity increasing? We've been seeing so much of it that I have to wonder if it's a worm. The volume's a little too high for skr1pt k1dd13 activity, unless there happens to be a whole bunch of them using the same tool in the same manner at the same time.
Yep. Nachi.B (or Welchia.B, whatever you want to call it.)

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who understand binary and those who don't."
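One way to quantify the activity discussed in this thread from web server logs, added here as an example that is not part of the original posts: it counts SEARCH requests whose path is a long run of "A" characters, per source address and per hour, so a rise in volume and in distinct sources is visible. The Common Log Format input, the 32-character threshold, the sample lines and the names `summarize`, `PROBE` and `SAMPLE_LOG` are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

PROBE = "/" + "A" * 40  # constructed stand-in for the long /AAAA... path
# Constructed sample in Common Log Format (an assumed format). Addresses are
# documentation ranges and the status codes are arbitrary.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [13/Feb/2004:14:01:07 -0600] "SEARCH {PROBE} HTTP/1.1" 400 0',
    '198.51.100.7 - - [13/Feb/2004:14:03:44 -0600] "GET /index.html HTTP/1.0" 200 5120',
    f'203.0.113.25 - - [13/Feb/2004:14:20:31 -0600] "SEARCH {PROBE} HTTP/1.1" 400 0',
    f'192.0.2.10 - - [13/Feb/2004:15:02:10 -0600] "SEARCH {PROBE} HTTP/1.1" 400 0',
    '198.51.100.99 - - [13/Feb/2004:15:05:55 -0600] "SEARCH /docs/ HTTP/1.1" 207 812',
    f'203.0.113.80 - - [13/Feb/2004:15:30:12 -0600] "SEARCH {PROBE} HTTP/1.1" 400 0',
])

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
A_RUN = re.compile(r"^/A{32,}$")  # run length of 32 is an assumed threshold


def summarize(log_text):
    """Count SEARCH /AAAA... probes per source address and per hour."""
    per_source, per_hour = Counter(), Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, stamp, method, path, _status = m.groups()
        # Ordinary WebDAV SEARCH requests (e.g. /docs/) are not counted.
        if method != "SEARCH" or not A_RUN.match(path):
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        per_source[src] += 1
        per_hour[when.strftime("%Y-%m-%d %H:00")] += 1
    return per_source, per_hour


if __name__ == "__main__":
    sources, hours = summarize(SAMPLE_LOG)
    print(f"{len(sources)} distinct sources, {sum(sources.values())} probes")
    for hour, count in sorted(hours.items()):
        print(hour, count)
```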