Snort mailing list archives

Re: "Connnection closed"? (spelled wrong!)


From: John Sage <jsage () finchhaven com>
Date: Sun, 13 Jan 2002 17:20:01 -0800

Although it doesn't seem to have received much attention, the "Connnection closed" misspelling seems to be a symptom of attempted Nimda infection; apparently it's within readme.eml

(My guess as to why it's not been discussed is that it's an easy error to make and a hard one to see: google returns over 6,000 hits on "connnection" with 3 n's...)


For a brief discussion, see:

http://www.gfi.com/press/nimdaworm.htm

"These requests are made to a virtual host named "www".
The  request looks similar to the following:

GET  /MSADC/root.exe HTTP/1.0
Host:  www
Connnection:  close

Notice the misspelt Connnection with 3 n instances."


And 18 pages into the google search there's a page with a strings run on readme.eml that has in it:

<snip>
:
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
:
<snip>

at:

http://lists.jammed.com/forensics/2001/09/0054.html


Finally, at incidents.org, see: http://www.incidents.org/diary/october01/100601.php


"09/18-19:57:01.145440 infected:1979 -> vulnerable:80 TCP ***AP***
 GET /scripts/root.exe?/c+dir HTTP/1.0..
 Host: www..Connnection: close...."

In their discussion of an unsuccessful Nimda infection attempt in "Nimda Infection Illustrated"...


- John

--
Computers: they're really nothing but l's and O's
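As an added example (not code from the thread or from Snort), the three Nimda indicators the thread describes, the triple-n Connnection header, the literal "Host: www", and the root.exe/cmd.exe request URIs, checked in Python against a few constructed HTTP request strings that mirror the quoted captures:

```python
import re

# Constructed sample requests (not real captures). The first three follow the
# Nimda probe shape quoted in the thread; the last is a benign HTTP/1.1 client.
SAMPLE_REQUESTS = [
    b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\nConnnection: close\r\n\r\n",
    b"GET /MSADC/root.exe HTTP/1.0\r\nHost: www\r\nConnnection: close\r\n\r\n",
    b"GET /scripts/..\\../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
    b"Host: www\r\nConnnection: close\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n",
]

NIMDA_URI = re.compile(r"(root\.exe|cmd\.exe)", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, headers).

    Header names are lowercased bytes so the comparison is case-insensitive,
    exactly as the 'Connnection' typo must be matched.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2) + [b"", b""]   # pad a short request line
    method, uri = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return method.decode(errors="replace"), uri.decode(errors="replace"), headers


def nimda_indicators(raw):
    """Return the list of Nimda indicators present in one raw HTTP request."""
    method, uri, headers = parse_request(raw)
    findings = []
    if b"connnection" in headers:          # three n's, the typo from readme.eml
        findings.append("misspelled Connnection header")
    if headers.get(b"host") == b"www":     # literal virtual host name 'www'
        findings.append("Host: www")
    if NIMDA_URI.search(uri):              # root.exe / cmd.exe probes
        findings.append("root.exe/cmd.exe in URI")
    return findings


def scan(requests):
    """Return (index, findings) for every request that shows any indicator."""
    return [(i, f) for i, r in enumerate(requests) if (f := nimda_indicators(r))]
```

The header match alone is the cheapest signal; the other two confirm it, since a legitimate client could in principle carry the same typo.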




Edwin Eefting wrote:

Hi all

For quite a while now, I'm wondering why I always see the string
"Connnection closed" spelled wrong in HTTP requests. My first thought was it was
some kind of mistake/coincidence, but now I see it over and over again.
Does somebody know why this is, and is this really part of the HTTP standard?? :-)
(sorry for my own bad English :)

just curious..
Edwin


------------------------------------------
On Thu, 10 Jan 2002 16:44:18 +0100 Andreas Östling <andreaso () it su se> wrote:


On Wednesday 09 January 2002 06.51, Martin Roesch wrote:

Hi Russell,
    I made some tweaks to stream4 tonight that will hopefully clear up
your problem, check out the latest code from cvs if you're interested
(the SNORT_1_8 branch, not the 1.9-dev code).  This is build 89.  It now
fills in the Ethernet headers appropriately and is a little tighter in
how it puts things together, hopefully it'll clear up your problem.  Let
me know how it goes.

    -Marty

Hello,

I experience the same problems as Russell from time to time.
I was running 1.8.3 (release version), but unfortunately build 89 did not solve all problems. The Ethernet headers now seem to be correct, but the payload is still messed up.

Example:

01/10-15:17:13.659803 0:30:B6:34:4F:4C -> 0:60:70:E:B8:0 type:0x8 len:0x2C2
x.x.x.x:4271 -> 62.70.3.13:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:692
***AP*** Seq: 0x69F23943  Ack: 0x3DE12400  Win: 0x7AEC  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
20 66 72 6F 6D 20 63 63 2E 75 61 62 2E 65 73 20   from cc.uab.es



