Snort mailing list archives

Re: Snort-users digest, Vol 1 #4056 - 9 msgs


From: SN ORT <snort_on_acid () yahoo com>
Date: Thu, 18 Mar 2004 12:29:04 -0800 (PST)

The WEBDAV is a worm, but I've never seen the NOOP
alerts associated with the webdav stuff.

I have Nachi.B packet captures here: Port 80 packets
are only sub-100 bytes long, same as the 445 packets,
and both have the same payload such as:

:01:14.978689 00:02:55:58:cc:78 > 00:0c:f1:90:23:98, ethertype IPv4 (0x0800), length 60: IP (tos 0x0, ttl 238, id 20552, offset 0, flags [DF], length: 40)
    134.252.70.133.80 > 192.168.13.91.3230: . [tcp sum ok] ack 0 win 0
        0x0000:  4500 0028 5048 4000 ee06 b596 86fc 4685  E..(PH@.......F.
        0x0010:  ac14 0d5b 0050 0c9e 4d5e 1001 2c3e 0e4e  ...[.P..M^..,>.N
        0x0020:  5010 0000 840a 0000 0000 0000 0000       P.............

I don't think your problem is related to the
Nachi/Welchia worm.

Cheese!

Marc


------------------Original message--------------------
Message: 6
Subject: Re: [Snort-users] RFC: SHELLCODE and WEDAV
alerts
From: Frank Knobbe <frank () knobbe us>
To: Michael Shirk <shirkdog_linux () hotmail com>
Cc: snort-users () lists sourceforge net
Date: Thu, 18 Mar 2004 10:52:22 -0600



On Thu, 2004-03-18 at 09:56, Michael Shirk wrote:
Then I get one WEBDAV alert with a payload of 1460:
WEB-MISC WebDAV       searchaccess    3/15/2004       17:30:10

Which contains the following String:

SEARCH /

Followed by 90 or . characters.  I have not seen any
viruses of this nature and it is either a terrible
false positive or some kind of script. I have seen
different sources with the same exact pattern. I am
going to write a rule for this but wondering if anyone
has seen the things in THEIR LOGS

It's a Nachi variant (B?) that is trying to enter web
servers that have the WebDAV component enabled. I have
some web servers on monitored networks that just get
pummeled with those attacks (about 6000/day) while
other web servers do not get hit at all. There was a
discussion in SF-Incidents and DShield about this.

It comes down to the virus checking for the presence
of WebDAV, and if found, launching the attack. If you
can turn WebDAV off on your web server, do so and the
volume of alerts should disappear.

Regards,
Frank
------------------------------------------------------

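Example code added by the editor, not from anyone in this thread: an offline checker for the pattern Michael describes (a WebDAV "SEARCH /" request line followed by a long run of 0x90 or "." bytes), run over constructed sample requests. The 64-byte minimum run, the request samples and the 192.0.2.x source addresses are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Assumed threshold (not from the thread): at least 64 fill bytes directly
# after "SEARCH /" is treated as the worm probe, not a normal WebDAV request.
MIN_RUN = 64
# "SEARCH /" followed immediately by a run of 0x90 (NOP) or '.' bytes.
_PROBE_RE = re.compile(rb"^SEARCH /([\x90.]+)")

def classify_request(payload: bytes) -> Dict[str, object]:
    """Describe one raw HTTP request: method, fill-run length, fill type, verdict."""
    first_line = payload.split(b"\r\n", 1)[0]
    method = first_line.split(b" ", 1)[0].decode("ascii", "replace")
    m = _PROBE_RE.match(payload)
    run = m.group(1) if m else b""
    seen = set(run)                       # distinct byte values in the run
    if not seen:
        fill = None
    elif seen == {0x90}:
        fill = "nop"
    elif seen == {0x2E}:                  # '.'
        fill = "dot"
    else:
        fill = "mixed"
    return {"method": method, "run_length": len(run), "fill": fill,
            "probe": method == "SEARCH" and len(run) >= MIN_RUN}

def scan_samples(samples: List[Tuple[str, bytes]]) -> List[Tuple[str, int, str]]:
    """Return (source, run_length, fill) for every sample matching the probe."""
    hits = []
    for src, payload in samples:
        info = classify_request(payload)
        if info["probe"]:
            hits.append((src, info["run_length"], info["fill"]))
    return hits

# Constructed sample requests, not captured traffic; addresses are placeholders.
LEGIT_OPTIONS = b"OPTIONS / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
LEGIT_SEARCH = (b"SEARCH /docs/ HTTP/1.1\r\nHost: www.example.test\r\n"
                b"Content-Type: text/xml\r\nContent-Length: 0\r\n\r\n")
PROBE_NOP = b"SEARCH /" + b"\x90" * 1400 + b" HTTP/1.1\r\n\r\n"
PROBE_DOT = b"SEARCH /" + b"." * 1400 + b" HTTP/1.1\r\n\r\n"
SAMPLES = [("192.0.2.10", LEGIT_OPTIONS), ("192.0.2.11", LEGIT_SEARCH),
           ("192.0.2.12", PROBE_NOP), ("192.0.2.13", PROBE_DOT)]

if __name__ == "__main__":
    for src, run_len, fill in scan_samples(SAMPLES):
        print(f"{src}: WebDAV SEARCH probe, {run_len} x {fill} fill bytes")
```

A legitimate SEARCH request with a normal path produces no fill run at all, so only the padded probes are reported.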

