Security Incidents mailing list archives

RE: WebDav Worm?


From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Tue, 17 Feb 2004 09:26:09 -0500

After some off-list discussion about this, it's become clear that some
networks are being hammered with it, and others aren't.  I asked about
this in a busy Linux forum, and none of the folks running Apache
reported this entry in their logs.  Your explanation below corresponds
with what they're reporting.  It could also explain why some folks are
seeing it, and some aren't.

...*off disabling search verb on windows web servers*...



-----Original Message-----
From: Henderson, Dennis K. [mailto:Dennis.Henderson () umb com] 
Sent: Tuesday, February 17, 2004 8:53 AM
To: Frank Knobbe; Keith T. Morgan
Cc: incidents () securityfocus com
Subject: RE: WebDav Worm?

I'm finding that not all servers are getting hit with the 
entire exploit attempt. Only those servers that give back 
"411 Length required" responses are getting the full hit from 
the infected host. The non-Windows web servers are not 
getting hit at all as they give back a 500 series denied.
 
Perhaps urlscan could calm down the noise by keeping the 
infected host from sending the complete exploit by denying 
the SEARCH command.
 
Dennis
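
Added example, not part of the thread or written by either poster: a small log triage script that checks the observation above by grouping SEARCH requests per server and separating servers that answer 411 from those that already refuse the verb. It assumes access logs in NCSA common log format; the server names and log lines are constructed samples.

```python
import re

# NCSA common log format: host ident user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) \S+ [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample logs (hypothetical server names, documentation addresses).
SAMPLE_LOGS = {
    "web-iis-01": (
        '192.0.2.10 - - [17/Feb/2004:08:41:02 -0500] "SEARCH / HTTP/1.1" 411 0\n'
        '198.51.100.7 - - [17/Feb/2004:08:43:10 -0500] "SEARCH / HTTP/1.1" 411 0\n'
        '203.0.113.5 - - [17/Feb/2004:08:45:00 -0500] "GET / HTTP/1.1" 200 1043\n'
    ),
    "web-apache-01": (
        '192.0.2.10 - - [17/Feb/2004:08:41:05 -0500] "SEARCH / HTTP/1.1" 501 0\n'
        'truncated line without a request field\n'
    ),
}

def triage_search(logs):
    """Per server: who sent SEARCH, what we answered, and what that implies."""
    report = {}
    for server, text in logs.items():
        clients, statuses = set(), set()
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if not m or m.group("method") != "SEARCH":
                continue  # skip malformed lines and other verbs
            clients.add(m.group("client"))
            statuses.add(int(m.group("status")))
        if not statuses:
            verdict = "no SEARCH seen"
        elif 411 in statuses:
            # Per the thread, a 411 reply precedes the full attempt:
            # candidate for denying the SEARCH verb (e.g. with urlscan).
            verdict = "answers 411: deny SEARCH"
        else:
            verdict = "SEARCH already refused"
        report[server] = {"clients": sorted(clients),
                          "statuses": sorted(statuses), "verdict": verdict}
    return report

if __name__ == "__main__":
    for server, row in triage_search(SAMPLE_LOGS).items():
        print(server, row)
```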





