Suspicious WebDAV Traffic
From: Benny Teh (M_IT Ops) (BENNYTEH_at_M.CARSEMS.COM.MY)
Date: 04/02/04
- Previous message: Fish: "Re: NOT GOOD: Outlook Express 6 + Internet Explorer 6"
- Next in thread: Mad|Es02: "Assembler snippet (Re: Suspicious WebDAV Traffic)"
- Reply: Mad|Es02: "Assembler snippet (Re: Suspicious WebDAV Traffic)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 2 Apr 2004 08:23:07 +0800
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Hi guys,
We've been getting quite a number of suspicious HTTP traffic to our
webservers. It seems like another network worm exploiting buffer overflow
vulnerabilities. Attached below is a snippet of what we're getting from our
Snort IDS. Anyone has any clue on what this is all about ?
[**] WEB-MISC WebDAV search access [**]
04/01-18:32:41.105461 0:60:97:E1:72:5E -> 0:A0:C9:D8:57:B5 type:0x800 len:0x5EA
x.x.x.x:1614 -> x.x.x.x:80 TCP TTL:113 TOS:0x0 ID:43801 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x911E2A1B Ack: 0xDE4E4F7 Win: 0x4470 TcpLen: 20
0x0000: 00 A0 C9 D8 57 B5 00 60 97 E1 72 5E 08 00 45 00 ....W..`..r^..E.
0x0010: 05 DC AB 19 40 00 71 06 73 29 43 A5 DF 86 C0 A8 ....@.q.s)C.....
0x0020: 02 05 06 4E 00 50 91 1E 2A 1B 0D E4 E4 F7 50 10 ...N.P..*.....P.
0x0030: 44 70 F6 72 00 00 53 45 41 52 43 48 20 2F 90 02 Dp.r..SEARCH /..
0x0040: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0050: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0060: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0070: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0080: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0090: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00A0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00B0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00C0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00D0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00E0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
Regards,
Benny T.
Information Security Executive
Carsem (M) Sdn Bhd M-site
<bennyteh@m.carsems.com.my>
Tel: (+60) 05-3123333 Ext: 332
-----
NTBugtraq Editor's Note:
Wondering how to unsubscribe from NTBugtraq? Just send a message to Listserv@listserv.ntbugtraq.com with unsubscribe ntbugtraq in the message body, you don't need a subject line. If it says you aren't subscribed, you've either subscribed with a different email address or your address has changed somehow. Just email Russ.Cooper@rc.on.ca and I'll remove you.
-----
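The packet dump above is the only evidence in the post, and the Snort rule that produced it ("WEB-MISC WebDAV search access") fires on any SEARCH method, benign or not. As an added example, not part of the original message and not Snort's own code, the Python script below rebuilds the frame from Snort's hex lines, walks the Ethernet, IPv4 and TCP headers to the HTTP request line, and reports the properties that separate this request from an ordinary WebDAV SEARCH: the request-URI length, the number of bytes that cannot appear in a URI at all, and whether the capture is truncated relative to the IP total length. The URI length limit `MAX_SANE_URI` and the set `WEBDAV_METHODS` are assumptions to tune for your own servers; the dump string is copied from the post.

```python
import re

# The Snort packet dump from the post above, pasted verbatim as sample input.
# The dump stops at offset 0xF0 of a 1500-byte datagram (the post does not say
# whether Snort or the poster cut it); the headers below account for that.
SNORT_DUMP = """\
0x0000: 00 A0 C9 D8 57 B5 00 60 97 E1 72 5E 08 00 45 00 ....W..`..r^..E.
0x0010: 05 DC AB 19 40 00 71 06 73 29 43 A5 DF 86 C0 A8 ....@.q.s)C.....
0x0020: 02 05 06 4E 00 50 91 1E 2A 1B 0D E4 E4 F7 50 10 ...N.P..*.....P.
0x0030: 44 70 F6 72 00 00 53 45 41 52 43 48 20 2F 90 02 Dp.r..SEARCH /..
0x0040: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0050: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0060: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0070: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0080: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0090: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00A0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00B0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00C0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00D0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00E0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
"""

# Assumed tuning values: a legitimate WebDAV request-URI on most servers is far
# shorter than this, but adjust the limit to what your own logs show.
MAX_SANE_URI = 128
WEBDAV_METHODS = {b"SEARCH", b"PROPFIND", b"PROPPATCH", b"MKCOL",
                  b"COPY", b"MOVE", b"LOCK", b"UNLOCK"}

OFFSET_RE = re.compile(r"^0x([0-9A-Fa-f]{4}):\s*(.*)$")
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_snort_hexdump(text):
    """Rebuild the raw frame from Snort's '0xNNNN: hh hh ... ascii' lines.
    Offsets must be contiguous: a missing line would silently shift every
    header field that follows, so that is treated as an error."""
    frame = bytearray()
    for line in text.splitlines():
        m = OFFSET_RE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(frame):
            raise ValueError(f"gap in dump at offset 0x{offset:04X}")
        for tok in m.group(2).split()[:16]:   # at most 16 bytes per line
            if not HEX_PAIR.match(tok):
                break                          # ASCII column begins here
            frame.append(int(tok, 16))
    return bytes(frame)


def extract_tcp_payload(frame):
    """Walk Ethernet -> IPv4 -> TCP and return (payload, header info)."""
    if int.from_bytes(frame[12:14], "big") != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    ip_total_len = int.from_bytes(frame[ip + 2:ip + 4], "big")
    if frame[ip + 9] != 6:
        raise ValueError("not TCP")
    tcp = ip + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    info = {
        "src_port": int.from_bytes(frame[tcp:tcp + 2], "big"),
        "dst_port": int.from_bytes(frame[tcp + 2:tcp + 4], "big"),
        "ip_total_len": ip_total_len,
        "captured_ip_bytes": len(frame) - ip,
    }
    # If fewer IP bytes were captured than the IP total length announces,
    # the request line we are about to inspect is cut off.
    info["truncated"] = info["captured_ip_bytes"] < ip_total_len
    return frame[tcp + data_off:], info


def analyse_request(payload):
    """Separate an ordinary WebDAV request from one whose request-URI is
    filler that no real client would send."""
    m = re.match(rb"([A-Z]+) (\S+)", payload)
    if not m:
        return {"method": None, "suspicious": False, "reasons": ["no request line"]}
    method, uri = m.group(1), m.group(2)
    # A URI is printable US-ASCII (RFC 2396); any other byte cannot be a path.
    nonprintable = sum(1 for b in uri if not 0x21 <= b <= 0x7E)
    reasons = []
    if len(uri) > MAX_SANE_URI:
        reasons.append(f"request-URI is {len(uri)} bytes (limit {MAX_SANE_URI})")
    if nonprintable:
        reasons.append(f"{nonprintable} bytes in the request-URI are not URI characters")
    return {
        "method": method.decode("ascii"),
        "uri_len": len(uri),
        "nonprintable": nonprintable,
        "suspicious": method in WEBDAV_METHODS and bool(reasons),
        "reasons": reasons,
    }


def inspect_alert(dump_text):
    """Full pipeline: Snort dump text -> verdict dict with header details."""
    payload, info = extract_tcp_payload(parse_snort_hexdump(dump_text))
    report = analyse_request(payload)
    report.update(info)
    return report


if __name__ == "__main__":
    r = inspect_alert(SNORT_DUMP)
    print(f"{r['method']} :{r['src_port']} -> :{r['dst_port']} "
          f"uri_len={r['uri_len']} truncated={r['truncated']} "
          f"suspicious={r['suspicious']}")
    for reason in r["reasons"]:
        print("  -", reason)
```

On the dump from the post the request line is `SEARCH /` followed by 178 bytes that are not URI characters, and only 226 of the 1500 IP bytes are in the dump, so the script reports the request as truncated and suspicious; a plain `SEARCH /docs HTTP/1.1` is not flagged. The ASCII column is discarded by stopping at the first non-hex token, which is safe for full 16-byte lines; for a short trailing line whose ASCII column happened to start with two hex digits the count would be off by one, so keep the contiguity check in place.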