Weird HTTP Requests.

From: Maher Odeh (rax_at_X-war.org)
Date: 08/14/03

    To: <incidents@securityfocus.com>
    Date: Thu, 14 Aug 2003 12:55:28 +0200
    
    

    Hello,
    I have noticed the following in my URLScan error log file. I have a log file
    of around 50 MB with those entries only.
    What could it be? Is it a virus that does that?

    [08-13-2003 - 04:16:46] Client at ###.###.###.###: Sent verb 'GES', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:17:42] Client at ###.###.###.###: Sent verb 'GES', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:18:37] Client at ###.###.###.###: Sent verb 'GT', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:18:55] Client at ###.###.###.###: Sent verb 'GDT', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:20:57] Client at ###.###.###.###: Sent verb 'ET', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:21:32] Client at ###.###.###.###: Sent verb 'GES', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:22:41] Client at ###.###.###.###: Sent verb 'GDT', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:22:52] Client at ###.###.###.###: Sent verb 'GFT', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:23:07] Client at ###.###.###.###: Sent verb 'GDT', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:23:09] Client at ###.###.###.###: Sent verb 'GE', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:23:17] Client at ###.###.###.###: Sent verb 'ET', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:23:59] Client at ###.###.###.###: Sent verb 'GE×', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:24:23] Client at ###.###.###.###: Sent verb 'GE', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:24:48] Client at ###.###.###.###: Sent verb 'GE', which is
    not specifically allowed. Request will be rejected.
    [08-13-2003 - 04:26:03] Client at ###.###.###.###: Sent verb 'GײT', which is
    not specifically allowed. Request will be rejected.

    Thanks,

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
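
One way to triage a log like the one in the post above, as an added example that is not part of the original message: it parses URLScan rejection entries in the format shown (including entries wrapped across two lines), tallies each rejected verb per client, and reports the nearest standard method by edit distance. The sample entries are copied from the post; the `KNOWN` method list and all function names are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: entries copied from the post, client address masked as posted.
SAMPLE = """\
[08-13-2003 - 04:16:46] Client at ###.###.###.###: Sent verb 'GES', which is
not specifically allowed. Request will be rejected.
[08-13-2003 - 04:18:37] Client at ###.###.###.###: Sent verb 'GT', which is
not specifically allowed. Request will be rejected.
[08-13-2003 - 04:20:57] Client at ###.###.###.###: Sent verb 'ET', which is
not specifically allowed. Request will be rejected.
[08-13-2003 - 04:21:32] Client at ###.###.###.###: Sent verb 'GES', which is
not specifically allowed. Request will be rejected.
[08-13-2003 - 04:23:59] Client at ###.###.###.###: Sent verb 'GE×', which is
not specifically allowed. Request will be rejected.
"""

# Assumption: the methods this server normally expects to see.
KNOWN = ("GET", "HEAD", "POST")

ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+Client at (?P<client>\S+): Sent verb '(?P<verb>[^']*)'")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse(text):
    """Re-join wrapped entries (a new entry starts with '['), then extract fields."""
    joined = re.sub(r"\n(?!\[)", " ", text)
    return [m.groupdict() for m in ENTRY.finditer(joined)]

def triage(text):
    """One row per (client, verb), most frequent first, with nearest known method."""
    counts = Counter((e["client"], e["verb"]) for e in parse(text))
    rows = []
    for (client, verb), n in counts.most_common():
        nearest = min(KNOWN, key=lambda k: edit_distance(verb, k))
        rows.append({"client": client, "verb": verb, "count": n,
                     "nearest": nearest, "distance": edit_distance(verb, nearest),
                     "non_ascii": not verb.isascii()})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
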

