RE: new attack tool combining SMB and WebDAV?

From: Toby Miller (toby_miller@adelphia.net)
Date: 04/01/03

    From: "Toby Miller" <toby_miller@adelphia.net>
    To: "Matt Power" <mhpower@bos.bindview.com>, <incidents@securityfocus.com>, <intrusions@incidents.org>
    Date: Mon, 31 Mar 2003 21:20:22 -0500
    
    

    I have seen those packets, except the DF and MF flags were both set,
    and BTW you can recreate those packets by using Microsoft ping with
    the following command:
    ping -l 1500 (or whatever size you see). Just my .02 worth

                                    Toby

    The third type of traffic from the attacking machine consisted of very
    large ICMP echo-request packets, all going to the same destination IP
    address. The ICMP packet contents consisted entirely of the lowercase
    letters 'a' through 'w' repeated many times, e.g.,

      abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw...

    Anyway, this may mean that some type of WebDAV data-gathering or
    exploit capability has been incorporated into a software package that
    also compromises machines via SMB. There wasn't direct evidence that
    the software package was associated with planned exploitation of the
    CA-2003-09 vulnerability via WebDAV, although it may have been. The
    ICMP traffic suggests that the software package may have a DoS
    capability that's separate from the SMB and WebDAV traffic.

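As an added example (not code from either poster), here is a small Python checker for the traffic the thread describes: it decodes IPv4/ICMP, flags echo requests carrying the repeating 'a'..'w' payload, unusually large echo requests, and the DF+MF flag combination Toby mentions, and it handles non-first fragments, which carry no ICMP header and may start mid-cycle. The 1000-byte "large" threshold, the sample packets and the 192.0.2.x addresses are constructed assumptions.

```python
import struct
CYCLE = b"abcdefghijklmnopqrstuvw"  # the 23-letter payload described in the thread
LARGE = 1000                        # assumed threshold (bytes of ICMP data) for "very large"

def parse_ipv4_icmp(pkt: bytes):
    """Return flags/type/data for an IPv4 ICMP packet (or fragment), else None."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 1:
        return None
    ihl, off = (ver_ihl & 0x0F) * 4, (flags_frag & 0x1FFF) * 8
    rec = {"df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000), "offset": off}
    if off == 0:  # only the first fragment carries the 8-byte ICMP header
        if len(pkt) < ihl + 8:
            return None
        rec["type"], rec["data"] = pkt[ihl], pkt[ihl + 8:]
    else:         # later fragments: raw payload only, no ICMP header to read
        rec["type"], rec["data"] = None, pkt[ihl:]
    return rec

def is_aw_cycle(data: bytes) -> bool:
    """True if data is a run of the a..w cycle; fragments may start mid-cycle."""
    if not data or data[0] not in CYCLE:
        return False
    i = CYCLE.index(data[0])
    rotated = CYCLE[i:] + CYCLE[:i]
    return data == (rotated * (len(data) // 23 + 1))[:len(data)]

def classify(pkt: bytes) -> list:
    """List the thread's indicators that this packet matches."""
    rec = parse_ipv4_icmp(pkt)
    if rec is None:
        return []
    hits = []
    if rec["type"] == 8 and len(rec["data"]) >= LARGE:
        hits.append("large-echo-request")
    if is_aw_cycle(rec["data"]):
        hits.append("a-w-payload")
    if rec["df"] and rec["mf"]:
        hits.append("df-and-mf-set")  # the contradictory flag combination Toby reports
    return hits

def build_sample(data_len: int, df: bool, mf: bool, offset: int = 0) -> bytes:
    """Constructed test packet: IPv4 + ICMP echo request with a..w data; checksums left 0."""
    payload = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + (CYCLE * (data_len // 23 + 1))[:data_len]
    body = payload[offset:]  # offset > 0 simulates a non-first fragment (multiple of 8)
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 1, flags_frag, 64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + body
```

A plain 32-byte Windows ping also matches "a-w-payload" on its own, so the payload pattern is only worth alerting on together with size, rate, or the flag anomaly.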


