Snort mailing list archives
Re: "Connnection closed"? (spelled wrong!)
From: John Sage <jsage () finchhaven com>
Date: Sun, 13 Jan 2002 17:20:01 -0800
Although it doesn't seem to have received much attention, the "Connnection closed" misspelling seems to be a symptom of attempted Nimda infection; apparently it's within readme.eml
(My guess as to why it's not been discussed is that it's an easy error to make and a hard one to see: google returns over 6,000 hits on "connnection" with 3 n's...)
For a brief discussion, see: http://www.gfi.com/press/nimdaworm.htm

"These requests are made to a virtual host named "www". The request looks similar to the following:

GET /MSADC/root.exe HTTP/1.0
Host: www
Connnection: close

Notice the mis-spelt Connnection with 3 n instances."

And 18 pages into the google search there's a page with a strings run on readme.eml that has in it:

<snip>
:
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
:
<snip>

at: http://lists.jammed.com/forensics/2001/09/0054.html

Finally, at incidents.org, see: http://www.incidents.org/diary/october01/100601.php

"09/18-19:57:01.145440 infected:1979 -> vulnerable:80 TCP ***AP***
GET /scripts/root.exe?/c+dir HTTP/1.0..
Host: www..Connnection: close...."

In their discussion of an unsuccessful Nimda infection attempt in "Nimda Infection Illustrated"...
- John

--
Computers: they're really nothing but l's and O's

Edwin Eefting wrote:
Hi all

For quite a while now, I'm wondering why I always see the string "Connnection closed" spelled wrong in http requests. My first thought was that it was some kind of mistake/coincidence, but now I see it over and over again. Somebody knows why this is, and is this really part of the http-standard?? :-)

(sorry for my own bad English :) just curious..

Edwin

------------------------------------------

On Thu, 10 Jan 2002 16:44:18 +0100 Andreas Östling <andreaso () it su se> wrote:

On Wednesday 09 January 2002 06.51, Martin Roesch wrote:

Hi Russell, I made some tweaks to stream4 tonight that will hopefully clear up your problem, check out the latest code from cvs if you're interested (the SNORT_1_8 branch, not the 1.9-dev code). This is build 89. It now fills in the Ethernet headers appropriately and is a little tighter in how it puts things together, hopefully it'll clear up your problem. Let me know how it goes.

-Marty

Hello, I experience the same problems as Russell from time to time.

I was running 1.8.3 (release version), but unfortunately build 89 did not solve all problems. The ethernet headers now seem to be correct, but the payload is still messed up.

Example:

01/10-15:17:13.659803 0:30:B6:34:4F:4C -> 0:60:70:E:B8:0 type:0x8 len:0x2C2
x.x.x.x:4271 -> 62.70.3.13:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:692
***AP*** Seq: 0x69F23943  Ack: 0x3DE12400  Win: 0x7AEC  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
20 66 72 6F 6D 20 63 63 2E 75 61 62 2E 65 73 20   from cc.uab.es
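An added example, not from the thread or from Snort itself: it rebuilds the request payload from the hex column of the Snort dump Andreas posted and checks it for the Nimda tells John lists (the 3-n Connnection header, the bare Host: www, and a request line aimed at root.exe or cmd.exe). Assumes Python 3; the dump rows are copied from the thread and the indicator names are my own.

```python
import re

# Constructed sample: the payload rows of the Snort dump quoted in the thread,
# hex column on the left, ASCII on the right (the " r r " tail is the stream4
# garbage Andreas complained about; the tells still survive it).
SNORT_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
"""

# Hex column: 1..16 byte pairs at line start; the ASCII column begins after two
# spaces, so the anchored match cannot run into it.
HEX_COL = re.compile(r"^((?:[0-9A-F]{2} ){0,15}[0-9A-F]{2})(?=\s{2}|$)")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw payload from the hex column of each dump row."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_COL.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def split_request(payload: bytes):
    """Return (request line, {header name: value}) from the header block only,
    so bytes in a body can never satisfy a header check."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for raw in lines[1:]:
        name, sep, value = raw.partition(b":")
        if sep:  # header names are case-insensitive, normalise before lookup
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def nimda_indicators(payload: bytes) -> list:
    """Collect the Nimda tells from the thread: the 3-n header, the bare
    'Host: www', and a request line aimed at root.exe / cmd.exe."""
    req, headers = split_request(payload)
    req_l = req.lower()
    hits = []
    if req_l.startswith(b"get ") and (b"root.exe" in req_l or b"cmd.exe" in req_l):
        hits.append("request line targets root.exe/cmd.exe")
    if b"connnection" in headers:  # Snort equivalent: content:"Connnection|3A|"; nocase;
        hits.append("misspelled Connnection header")
    if headers.get(b"host") == b"www":
        hits.append("Host: www")
    return hits
```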