New http attack?

["Keith T. Morgan" <keith.morgan () terradon com>]

A google search didn't turn up anything of value on this, so I'm posting
to the list.  If I've missed something that's common knowledge here, I
appologize for inverting the signal/noise ratio a bit with this post.

We've seen an attack that triggered a snort bleeding-edge hit for "smb
over http authentication."  This isn't particularly alarming, but, what
caught my attention is what appears to be a very large buffer in part of
the packet.

The ascii decoded capture looks a bit like this:

GET / HTTP/1.0
Host: obfuscated
Authorization: Negotiate <what may be an encrypted password>
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB.

This "QUFB" string is repeated for 1400 bytes or so, and I'm assuming
went beyond the single packet capture I have.

The IIS logs indicate a simple GET / with a 401 response code.

Has anyone seen this "QUFBQUFB" string in a worm, virus, or exploit
floating around out there somewhere?  I think chances of this being a FP
are low since we're not using NTLM or windows native/ad authentication
on this site.


-- Keith Morgan
-- CISSP, MCP, CCSE/CCSA

"Hey Pants... Any advice for getting through turn 1 with 55 motorcycles
on the grid?"
"Yeah.  Don't Crash."
-- Sage motorcycle roadracing advice from Shawn (Pants) Romano
**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  the 
sender immediately and do not disclose the contents to anyone or make copies.

** this message has been scanned for viruses, vandals and malicious content **
**************************************************************************************************