Security Incidents mailing list archives
RE: Odd attack string
From: "Levinson, Karl" <Karl.Levinson () dhs gov>
Date: Tue, 4 May 2004 16:18:01 -0400
What was the actual HTTP request? Was that a GET, a SEARCH, etc? Is this the complete request, or was there something more at the end, such as shell code? If this was a SEARCH request instead of a GET, I might suspect an attempt to the MS03-007 NTDLL vulnerability through WebDAV. The Agobot / Gaobot / Phatbot / Polybot Trojan is one tool that has caused a big increase in these attacks recently.

Note that if an IIS-related buffer overflow is successful, it probably won't show up in your IIS logs, and the Windows System event logs on the target system might have an entry related to the overflow.

I have to believe whatever log is collecting the information you gave isn't giving you enough information. Try reconfiguring it, complaining to the vendor, and/or using a different tool [IDS, Snort, web server logs, firewall logs, etc.] either in addition to or instead of your current tool.

-----Original Message-----
From: Jack Bristow [mailto:morriswurm () yahoo com]
Sent: Tuesday, May 04, 2004 11:32 AM
To: incidents () securityfocus com
Subject: Odd attack string

We've picked up on a few URL strings here that are obviously BO's. I researched in order to try and identify what the offensive program may be but I have had no luck. Has anyone else seen anything like the following?

Random Source IP:Random Source Port -> Random Dest IP:Port 80
URL:/�.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.
±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.
±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.
±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.
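The triage that the questions in the reply above point to (which method, how long the full request is, whether the URI is mostly non-text bytes, whether anything trails the headers), as an added example that is not part of the original thread. The WebDAV method list, both thresholds and the sample requests are assumptions constructed for illustration.

```python
# Added triage sketch: classify raw HTTP requests captured by an IDS or sniffer.
# Method list, thresholds and samples below are assumptions, not from the thread.
WEBDAV_METHODS = {"SEARCH", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK",
                  "MKCOL", "COPY", "MOVE"}
MAX_URI_LEN = 2048          # assumed: longer than any URI the site serves
MAX_BINARY_RATIO = 0.25     # assumed: share of control/high-bit bytes in the URI


def triage_request(raw: bytes) -> dict:
    """Summarise one raw request and list the reasons it looks suspicious."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return {"method": None, "uri_len": 0, "binary_ratio": 0.0,
                "body_len": len(body), "flags": ["malformed-request-line"]}
    method = parts[0].decode("ascii", "replace").upper()
    flags = []
    if len(parts) >= 3 and parts[-1].startswith(b"HTTP/"):
        uri = b" ".join(parts[1:-1])   # tolerate raw spaces inside the URI
    else:
        uri = b" ".join(parts[1:])
        flags.append("no-http-version")
    # Bytes outside printable ASCII should be percent-encoded in a real URI.
    binary = sum(1 for b in uri if b >= 0x80 or b < 0x20)
    ratio = binary / len(uri) if uri else 0.0
    if method in WEBDAV_METHODS:
        flags.append("webdav-method")
    if len(uri) > MAX_URI_LEN:
        flags.append("oversized-uri")
    if ratio > MAX_BINARY_RATIO:
        flags.append("binary-uri")
    return {"method": method, "uri_len": len(uri),
            "binary_ratio": round(ratio, 3), "body_len": len(body),
            "flags": flags}


# Constructed sample requests (not the traffic from the thread).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "short_binary_get": b"GET /" + b"\xb1." * 100 + b" HTTP/1.0\r\n\r\n",
    "long_webdav": b"SEARCH /" + b"\xb1\x02" * 2000
                   + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage_request(raw))
```

A sensor that records only the URL, as in the original report, cannot supply the method or trailing bytes this needs, so it has to be fed full request captures.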