Security Incidents mailing list archives

Re: WebDav Worm?


From: Bill McCarty <bmccarty () pt-net net>
Date: Mon, 16 Feb 2004 15:58:48 -0800

Hi Frank, Keith, and all,

I see very little of these SEARCH requests, so far. And, my traffic does not include a NOP sled. So, it may be unrelated to yours.

Packet capture follows. Note that the FIN and PUSH flags are set in the first packet containing payload, which follows another FIN packet. Also, note the "%s" in the payload packet, where the host name or IP address would generally appear.

Looks like the programmer isn't carefully inspecting his results <g>. Or, maybe there's something special that sometimes occurs when you specify the hostname in this way.

Cheers,

02/16-13:16:20.367820 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
TCP TTL:107 TOS:0x0 ID:28364 IpLen:20 DgmLen:48 DF
******S* Seq: 0x86D93BDA  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-13:16:20.813812 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
TCP TTL:107 TOS:0x0 ID:28671 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x86D93BDB  Ack: 0xB8CAE075  Win: 0x5B4  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-13:16:22.642736 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
TCP TTL:107 TOS:0x0 ID:29249 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x86D93BFA  Ack: 0xB8CAE075  Win: 0x4470  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-13:16:29.860686 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
TCP TTL:107 TOS:0x0 ID:32208 IpLen:20 DgmLen:71 DF
***AP**F Seq: 0x86D93BDB  Ack: 0xB8CAE075  Win: 0x4470  TcpLen: 20
53 45 41 52 43 48 20 2F 20 48 54 54 50 2F 31 2E  SEARCH / HTTP/1.
31 0D 0A 48 6F 73 74 3A 20 25 73 0D 0A 0D 0A     1..Host: %s....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-13:16:30.177609 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
TCP TTL:107 TOS:0x0 ID:32223 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x86D93BFB  Ack: 0xB8CAE075  Win: 0x4470  TcpLen: 32
TCP Options (3) => NOP NOP Sack: 16430@60427

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

02/16-13:16:30.181809 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
TCP TTL:107 TOS:0x0 ID:32224 IpLen:20 DgmLen:40 DF
*****R** Seq: 0x86D93BFB  Ack: 0xB8CAE31C  Win: 0x0  TcpLen: 20



--On Friday, February 13, 2004 7:22 PM -0600 Frank Knobbe <frank () knobbe us> wrote:

On Fri, 2004-02-13 at 09:40, Keith T. Morgan wrote:

Maybe this is old news, or maybe its scanning pattern is just now
making it to my netblocks, but we're seeing a massive increase in http
connections asking for SEARCH
[...]
Has anyone else been seeing this type of activity increasing?  We've
been seeing so much of it that I have to wonder if it's a worm.

Heh... I asked this too on DShield, but no one cared to respond.

---------------------------------------------------
Bill McCarty
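An added example (mine, not code from the post or the list) that parses Snort-style packet-log text like the capture above and flags the two oddities Bill points out: a payload segment arriving after a FIN on the same flow, and a SEARCH request whose Host header is the literal "%s". It assumes Snort's fixed hex-dump column layout; the sample is constructed with placeholder addresses.

```python
import re
from collections import namedtuple
# Snort shows TCP flags as 8 columns: two reserved bits, then U A P R S F.
FLAG_POS = {2: "U", 3: "A", 4: "P", 5: "R", 6: "S", 7: "F"}
HDR_RE = re.compile(r"^\S+ (\S+) -> (\S+)$")
HEX_RE = re.compile(r"^([0-9A-F]{2} ){1,16}")
Packet = namedtuple("Packet", "src dst flags payload")
# Constructed sample in Snort packet-log format, modelled on the capture in the
# post (addresses are placeholders; the hex dump is the same SEARCH request).
SAMPLE = """\
02/16-13:16:22.642736 192.0.2.10:3707 -> 192.0.2.20:80
TCP TTL:107 TOS:0x0 ID:29249 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x86D93BFA  Ack: 0xB8CAE075  Win: 0x4470  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
02/16-13:16:29.860686 192.0.2.10:3707 -> 192.0.2.20:80
TCP TTL:107 TOS:0x0 ID:32208 IpLen:20 DgmLen:71 DF
***AP**F Seq: 0x86D93BDB  Ack: 0xB8CAE075  Win: 0x4470  TcpLen: 20
53 45 41 52 43 48 20 2F 20 48 54 54 50 2F 31 2E  SEARCH / HTTP/1.
31 0D 0A 48 6F 73 74 3A 20 25 73 0D 0A 0D 0A     1..Host: %s....
"""
def parse_snort_log(text):
    """Split a Snort packet log into Packet records, decoding each hex dump."""
    packets = []
    for block in re.split(r"^=\+=.*$", text, flags=re.M):
        lines = [l for l in block.splitlines() if l.strip()]
        m = HDR_RE.match(lines[0]) if len(lines) >= 3 else None
        if not m:
            continue
        flags = {FLAG_POS[i] for i, c in enumerate(lines[2][:8]) if i in FLAG_POS and c != "*"}
        # Snort's hex column is fixed at 16 bytes x 3 chars; the ASCII column follows.
        payload = b"".join(bytes.fromhex(l[:48]) for l in lines[3:] if HEX_RE.match(l))
        packets.append(Packet(m.group(1), m.group(2), flags, payload))
    return packets

def analyse(packets):
    """Flag what the post points out: payload after a FIN, and a literal '%s' Host."""
    findings, closed = [], set()
    for p in packets:
        key = (p.src, p.dst)
        if p.payload and key in closed:
            findings.append(f"{p.src}->{p.dst}: payload segment after FIN")
        if "F" in p.flags:
            closed.add(key)
        req = p.payload.split(b"\r\n")
        if req[0].startswith(b"SEARCH "):
            host = next((l[5:].strip() for l in req[1:] if l.lower().startswith(b"host:")), b"")
            tag = "unexpanded %s" if host == b"%s" else host.decode(errors="replace")
            findings.append(f"{p.src}->{p.dst}: WebDAV SEARCH request, Host={tag}")
    return findings
```

Feed it the output of `snort -dev` (or the archived capture with placeholder addresses) and each finding names the flow; a real Host value is reported as-is, so the "%s" case stands out from ordinary WebDAV SEARCH traffic.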
