Snort mailing list archives
sid=1042 IIS view source via translate header
From: "Everist, Benjamin S. (NASWI)" <EveristB () naswi navy mil>
Date: Fri, 27 Jun 2003 09:02:21 -0700
Has anyone seen anything like this before? It doesn't look like the translate: f vuln [0], except that it contains the translate: f header. The long string of gobbley-gook after the auth: negotiate looks suspicious to me, but what do I know? I looked through the IIS 'sploits at bugtraq and didn't see anything that matches. Is this valid traffic?

000 : 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31  OPTIONS / HTTP/1
010 : 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66  .1..translate: f
020 : 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69  ..User-Agent: Mi
030 : 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D  crosoft-WebDAV-M
040 : 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30  iniRedir/5.1.260
050 : 30 0D 0A 48 6F 73 74 3A 20 xx xx xx xx xx xx xx  0..Host: xxxxxxx
060 : xx xx xx xx xx xx xx 0D 0A 41 75 74 68 6F 72 69  xxxxxxx..Authori
070 : 7A 61 74 69 6F 6E 3A 20 4E 65 67 6F 74 69 61 74  zation: Negotiat
080 : 65 20 54 6C 52 4D 54 56 4E 54 55 41 41 44 41 41  e TlRMTVNTUAADAA
090 : 41 41 47 41 41 59 41 47 6F 41 41 41 41 59 41 42  AAGAAYAGoAAAAYAB
0a0 : 67 41 67 67 41 41 41 41 67 41 43 41 42 41 41 41  gAggAAAAgACABAAA
0b0 : 41 41 47 67 41 61 41 45 67 41 41 41 41 49 41 41  AAGgAaAEgAAAAIAA
0c0 : 67 41 59 67 41 41 41 41 41 41 41 41 43 61 41 41  gAYgAAAAAAAACaAA
0d0 : 41 41 42 59 4B 49 6F 46 67 41 56 51 42 4D 41 46  AABYKIoFgAVQBMAF
0e0 : 55 41 51 51 42 6B 41 47 30 41 61 51 42 75 41 47  UAQQBkAG0AaQBuAG
0f0 : 6B 41 63 77 42 30 41 48 49 41 59 51 42 30 41 47  kAcwB0AHIAYQB0AG
100 : 38 41 63 67 42 59 41 46 55 41 54 41 42 56 41 50  8AcgBYAFUATABVAP
110 : 70 59 77 6F 45 2F 62 77 42 37 41 41 41 41 41 41  pYwoE/bwB7AAAAAA
120 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 4E  AAAAAAAAAAAAAAAN
130 : 7A 66 74 72 6F 7A 31 69 4A 6E 69 50 6D 34 33 4F  zftroz1iJniPm43O
140 : 77 79 62 63 75 6B 61 55 53 66 53 46 64 45 43 67  wybcukaUSfSFdECg
150 : 3D 3D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20  ==..Connection: 
160 : 4B 65 65 70 2D 41 6C 69 76 65 0D 0A 43 6F 6E 74  Keep-Alive..Cont
170 : 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 0D  ent-Length: 0...
180 : 0A

[0] http://www.securityfocus.com/bid/1578/discussion/
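
For triage, the Base64 value after "Authorization: Negotiate" in the capture above can be decoded as an NTLMSSP message and its fields read out. This is an added example, not part of the original post; it assumes the token is a raw NTLMSSP type 3 (AUTHENTICATE) message, and that strings are in an OEM code page (cp437 is assumed here) when the Unicode flag is not set.

```python
import base64
import struct

# Token copied from the Authorization: Negotiate header in the capture above,
# one quoted piece per row of the dump's ASCII column.
TOKEN = (
    "TlRMTVNTUAADAA" "AAGAAYAGoAAAAYAB" "gAggAAAAgACABAAA" "AAGgAaAEgAAAAIAA"
    "gAYgAAAAAAAACaAA" "AABYKIoFgAVQBMAF" "UAQQBkAG0AaQBuAG" "kAcwB0AHIAYQB0AG"
    "8AcgBYAFUATABVAP" "pYwoE/bwB7AAAAAA" "AAAAAAAAAAAAAAAN" "zftroz1iJniPm43O"
    "wybcukaUSfSFdECg" "=="
)

NTLM_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag


def parse_ntlm_authenticate(token_b64):
    """Decode an NTLMSSP AUTHENTICATE (type 3) token into its named fields."""
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < 64 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not a raw NTLMSSP token (may be SPNEGO or Kerberos)")
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    if msg_type != 3:
        raise ValueError(f"NTLMSSP message type {msg_type}, expected 3")
    (flags,) = struct.unpack_from("<I", raw, 60)
    encoding = "utf-16-le" if flags & NTLM_UNICODE else "cp437"  # OEM assumed

    def field(pos):
        # Each security buffer is: length (2), max length (2), offset (4).
        length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
        if offset + length > len(raw):
            raise ValueError("security buffer points outside the token")
        return raw[offset:offset + length]

    return {
        "flags": flags,
        "lm_response_len": len(field(12)),
        "nt_response_len": len(field(20)),
        "domain": field(28).decode(encoding),
        "user": field(36).decode(encoding),
        "workstation": field(44).decode(encoding),
    }


if __name__ == "__main__":
    for name, value in parse_ntlm_authenticate(TOKEN).items():
        print(f"{name}: {value}")
```

On this token the parser reports a type 3 message with domain and workstation XULU, user Administrator, and 24-byte LM and NT responses.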