Security Incidents mailing list archives
New http attack?
From: "Keith T. Morgan" <keith.morgan () terradon com>
Date: Wed, 8 Jun 2005 12:04:37 -0400
A google search didn't turn up anything of value on this, so I'm posting to the list. If I've missed something that's common knowledge here, I appologize for inverting the signal/noise ratio a bit with this post. We've seen an attack that triggered a snort bleeding-edge hit for "smb over http authentication." This isn't particularly alarming, but, what caught my attention is what appears to be a very large buffer in part of the packet. The ascii decoded capture looks a bit like this: GET / HTTP/1.0 Host: obfuscated Authorization: Negotiate <what may be an encrypted password> QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB. This "QUFB" string is repeated for 1400 bytes or so, and I'm assuming went beyond the single packet capture I have. The IIS logs indicate a simple GET / with a 401 response code. Has anyone seen this "QUFBQUFB" string in a worm, virus, or exploit floating around out there somewhere? I think chances of this being a FP are low since we're not using NTLM or windows native/ad authentication on this site. -- Keith Morgan -- CISSP, MCP, CCSE/CCSA "Hey Pants... Any advice for getting through turn 1 with 55 motorcycles on the grid?" "Yeah. Don't Crash." -- Sage motorcycle roadracing advice from Shawn (Pants) Romano ************************************************************************************************** The contents of this email and any attachments are confidential. It is intended for the named recipient(s) only. If you have received this email in error please notify the system manager or the sender immediately and do not disclose the contents to anyone or make copies. ** this message has been scanned for viruses, vandals and malicious content ** **************************************************************************************************
Current thread:
- New http attack? Keith T. Morgan (Jun 08)
- Re: New http attack? dullien (Jun 08)
- Re: New http attack? Kirby Angell (Jun 08)
- Re: New http attack? Ron (Jun 09)
- Re: New http attack? Alex (Jun 10)
- Re: New http attack? Ron (Jun 10)
- Re: New http attack? Kevin Timm (Jun 10)
- Re: New http attack? Ron (Jun 09)
- Re: New http attack? Tomaz Solc (Jun 08)
- <Possible follow-ups>
- Re: New http attack? Jason Falciola (Jun 08)
- Re: Re: New http attack? phil (Jun 20)
- Re: Re: New http attack? phil (Jun 20)