Snort mailing list archives

Re: RFC: SHELLCODE and WEDAV alerts


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 18 Mar 2004 10:52:22 -0600

On Thu, 2004-03-18 at 09:56, Michael Shirk wrote:
> Then I get one WEBDAV alert with a payload of 1460:
> WEB-MISC WebDAV search access    3/15/2004    17:30:10
>
> Which contains the following string:
>
> SEARCH /
>
> Followed by 90 or . characters. I have not seen any viruses of this nature
> and it is either a terrible false positive or some kind of script. I have
> seen different sources with the same exact pattern. I am going to write a
> rule for this but wondering if anyone has seen the things in THEIR LOGS.

It's a Nachi variant (B?) that is trying to enter web servers that have
the WebDAV component enabled. I have some web servers on monitored
networks that just get pummeled with those attacks (about 6000/day)
while other web servers do not get hit at all. There was a discussion in
SF-Incidents and DShield about this.

It comes down to the virus checking for the presence of WebDAV and, if
found, launching the attack. If you can turn WebDAV off on your web
server, do so and the volume of alerts should disappear.

Regards,
Frank
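The pattern Michael describes (a `SEARCH /` request followed by a long run of 0x90 bytes, which a hex dump prints as `.`) and Frank's observation that infected hosts flood a single server are easy to turn into offline detection logic. The script below is an added example for this thread, not Snort's rule and not code from either poster: it classifies raw HTTP requests and counts suspicious ones per source so a worm flood stands out from an occasional legitimate WebDAV SEARCH. The traffic samples, the 32-byte NOP-run threshold and the label names are all constructed for the example.

```python
import re
from collections import Counter

# Minimum run of 0x90 (x86 NOP) bytes before a SEARCH request is flagged.
# Chosen for this example; tune against your own traffic.
NOP_RUN_MIN = 32

# Constructed sample traffic (not captured data): (source IP, raw request).
# The first three mimic the thread's pattern: "SEARCH /" followed by a long
# run of 0x90 bytes. The fourth is an ordinary WebDAV SEARCH with an XML
# body, the fifth a plain GET.
SAMPLE_REQUESTS = [
    ("10.0.0.5", b"SEARCH /" + b"\x90" * 1400 + b" HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.5", b"SEARCH /" + b"\x90" * 1400 + b" HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("10.0.0.9", b"SEARCH /" + b"\x90" * 1400 + b" HTTP/1.1\r\nHost: www\r\n\r\n"),
    ("192.168.1.20", b"SEARCH / HTTP/1.1\r\nHost: intranet\r\n"
                     b"Content-Type: text/xml\r\n\r\n<?xml version=\"1.0\"?>"),
    ("192.168.1.21", b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
]

# Matches NOP_RUN_MIN or more consecutive 0x90 bytes anywhere in the request.
NOP_RUN = re.compile(rb"\x90{%d,}" % NOP_RUN_MIN)


def classify(raw: bytes) -> str:
    """Label one raw request.

    'nachi-webdav'  : SEARCH request carrying a long 0x90 run (worm pattern)
    'webdav-search' : any other SEARCH request (legitimate WebDAV client)
    'other'         : not a SEARCH request at all
    """
    method = raw.split(b" ", 1)[0]
    if method != b"SEARCH":
        return "other"
    if NOP_RUN.search(raw):
        return "nachi-webdav"
    return "webdav-search"


def summarize(requests):
    """Count worm-pattern requests per source address.

    A single legitimate SEARCH never matches, so every count here is a host
    worth isolating; a large count against one server is the 6000/day flood
    the thread describes.
    """
    hits = Counter()
    for src, raw in requests:
        if classify(raw) == "nachi-webdav":
            hits[src] += 1
    return hits


if __name__ == "__main__":
    for src, raw in SAMPLE_REQUESTS:
        print(f"{src:14} {classify(raw)}")
    print("suspicious sources:", dict(summarize(SAMPLE_REQUESTS)))
```

The method check keeps plain XML-bodied SEARCH requests from a real WebDAV client out of the alert, which is the false-positive case Michael was worried about; disabling WebDAV on servers that do not need it, as Frank suggests, removes the trigger entirely.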
