Security Incidents mailing list archives
Re: WebDav Worm?
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 13 Feb 2004 19:22:14 -0600
On Fri, 2004-02-13 at 09:40, Keith T. Morgan wrote:
Maybe this is old news, or maybe its scanning pattern is just now making it to my netblocks, but we're seeing a massive increase in http connections asking for SEARCH [...] Has anyone else been seeing this type of activity increasing? We've been seeing so much of it that I have to wonder if it's a worm.
Heh... I asked this too on DShield, but no one cared to respond. We've seen the same thing, started on Monday I believe, and at first I thought it was a script kiddie (or just a script) probing for various offsets/length of NOP sleds, perhaps a universal Swiss-Army exploit script. But the activity levels increased to that of a worm.

It appears, as mentioned, that it is Nachi.B. The interesting thing is that of those 20-some packets, a lot of them do not have shellcode included, just sleds of varying length. Seems like the code for the WebDAV exploit is broken. Thank God for small favors...

However, it's a noisy bugger. It's approaching the level of pollution of the SQL Slammer. Unfortunately this one can not be filtered on ISP routers. Looks like we have to learn to live with an increasing level of bandwidth wasted on noise like this.

Cheers,
Frank
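One way to quantify the activity discussed in this thread from a web server's access log, as an added example that is not part of the original message: it counts oversized SEARCH requests per source and how many distinct request lengths each source sent. The NCSA common log format, the two thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# NCSA common log format: host ident user [time] "METHOD uri proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*"')

def summarize_search_probes(lines, min_uri_len=1024, min_requests=3):
    """Return sources that sent several oversized SEARCH requests.

    min_uri_len and min_requests are assumed thresholds; tune them to the
    longest legitimate WebDAV SEARCH URI seen on your own servers.
    """
    per_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        src, method, uri = m.groups()
        if method.upper() == "SEARCH" and len(uri) >= min_uri_len:
            per_src[src].append(len(uri))
    report = {}
    for src, lengths in per_src.items():
        if len(lengths) >= min_requests:
            report[src] = {
                "requests": len(lengths),
                # many distinct lengths from one source suggests length probing
                "distinct_lengths": len(set(lengths)),
                "min_len": min(lengths),
                "max_len": max(lengths),
            }
    return report

def sample_log():
    """Constructed log lines (documentation IP ranges, filler URIs)."""
    def line(src, method, uri, status):
        return (f'{src} - - [13/Feb/2004:09:40:00 -0600] '
                f'"{method} {uri} HTTP/1.1" {status} 0')
    out = [line("192.0.2.10", "SEARCH", "/" + "x" * (n - 1), 400)
           for n in (2000, 4000, 8000, 33000)]
    out += [line("203.0.113.5", "SEARCH", "/" + "x" * 2999, 400)] * 2
    out.append(line("198.51.100.7", "SEARCH", "/docs", 207))   # normal WebDAV
    out.append(line("198.51.100.7", "GET", "/index.html", 200))
    return out

if __name__ == "__main__":
    for src, stats in summarize_search_probes(sample_log()).items():
        print(src, stats)
```
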