Security Incidents mailing list archives
RE: WebDav Worm?
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Tue, 17 Feb 2004 09:26:09 -0500
After some off-list discussion about this, it's become clear that some networks are being hammered with it, and others aren't. I asked about this in a busy linux forum, and none of the folks running apache reported this entry in their logs. Your explanation below corresponds with what they're reporting. It could also explain why some folks are seeing it, and some arent. ...*off disabling search verb on windows web servers*...
-----Original Message----- From: Henderson, Dennis K. [mailto:Dennis.Henderson () umb com] Sent: Tuesday, February 17, 2004 8:53 AM To: Frank Knobbe; Keith T. Morgan Cc: incidents () securityfocus com Subject: RE: WebDav Worm? I'm finding that not all servers are getting hit with the entire exploit attempt. Only those servers that give back "411 Length required" responses are getting the full hit from the infected host. The non-windows web servers are not getting hit at all as they give back a 500 series denied. Perhaps urlscan could calm down the noise by keeping the infected host from sending the complete exploit by denying the SEARCH command. Dennis
************************************************************************************************** The contents of this email and any attachments are confidential. It is intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** this message has been scanned for viruses, vandals and malicious content ** ************************************************************************************************** --------------------------------------------------------------------------- Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection Protect your network with the comprehensive security solution that integrates six applications for ease of use and lower TCO. Firewall - Virus protection - Spam protection - URL blocking - VPN - Wireless security. Download 30-day evaluation at: http://www.astaro.com/php/contact/securityfocus.php ----------------------------------------------------------------------------
Current thread:
- WebDav Worm? Keith T. Morgan (Feb 13)
- Re: WebDav Worm? Brian Eckman (Feb 13)
- Re: WebDav Worm? Frank Knobbe (Feb 16)
- Re: WebDav Worm? Bill McCarty (Feb 17)
- <Possible follow-ups>
- RE: WebDav Worm? Andy Patrick (Feb 13)
- RE: WebDav Worm? Henderson, Dennis K. (Feb 17)
- RE: WebDav Worm? Keith T. Morgan (Feb 17)