Re: WebDav Worm?

From: Brian Eckman (eckman_at_umn.edu)
Date: 02/13/04

    Date: Fri, 13 Feb 2004 15:43:58 -0600
    To: "Keith T. Morgan" <keith.morgan@terradon.com>
    
    

    Keith T. Morgan wrote:
    > Maybe this is old news, or maybe its scanning pattern is just now
    > making it to my netblocks, but we're seeing a massive increase in http
    > connections asking for SEARCH
    > /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA on most
    > of our web servers. Each one is preceded by a packet with a 1348 byte
    > payload containing a mix of what appears to be Unicode followed by what
    > appears to be pseudo-random ASCII padding. An example of one of these
    > is included below.
    >
    > Has anyone else been seeing this type of activity increasing? We've
    > been seeing so much of it that I have to wonder if it's a worm. The
    > volume's a little too high for skr1pt k1dd13 activity, unless there
    > happens to be a whole bunch of them using the same tool in the same
    > manner at the same time.

    Yep. Nachi.B (or Welchia.B, whatever you want to call it.)

    Brian

    -- 
    Brian Eckman
    Security Analyst
    OIT Security and Assurance
    University of Minnesota
    "There are 10 types of people in this world. Those who
    understand binary and those who don't."
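The request pattern described in the quoted message (a SEARCH method with a path that is one long run of "A") can be counted per source address from web server access logs. This is an added example, not part of the original thread: it assumes Common Log Format lines, and the sample lines, addresses (documentation ranges), status codes and the `MIN_RUN` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: Common Log Format lines. The protocol token is optional so that
# truncated or malformed request lines still parse.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" \d{3} \S+'
)
# Assumption: a path made of one character repeated MIN_RUN or more times is
# padding, not a resource name. The threshold is chosen for this example.
MIN_RUN = 32
PADDING = re.compile(r'^/(.)\1{%d,}$' % (MIN_RUN - 1))


def is_padded_search(method, path):
    """True for a SEARCH request whose path is one long single-character run."""
    return method == "SEARCH" and PADDING.match(path) is not None


def scan(lines):
    """Return (hit count per source address, number of unparseable lines)."""
    hits, unparsed = Counter(), 0
    for line in lines:
        m = CLF.match(line)
        if m is None:
            unparsed += 1  # surface these; do not silently drop them
        elif is_padded_search(m["method"], m["path"]):
            hits[m["ip"]] += 1
    return hits, unparsed


# Constructed sample lines using documentation address ranges, not real traffic.
PAD = "/" + "A" * 60
SAMPLE = [
    '192.0.2.10 - - [13/Feb/2004:15:01:02 -0600] "SEARCH %s HTTP/1.1" 411 0' % PAD,
    '192.0.2.10 - - [13/Feb/2004:15:01:09 -0600] "SEARCH %s" 400 0' % PAD,
    '198.51.100.7 - - [13/Feb/2004:15:02:41 -0600] "SEARCH %s HTTP/1.1" 411 0' % PAD,
    '203.0.113.5 - - [13/Feb/2004:15:03:00 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Feb/2004:15:03:04 -0600] "SEARCH /docs/ HTTP/1.1" 207 812',
    '198.51.100.9 - - [13/Feb/2004:15:03:30 -0600] "GET %s HTTP/1.1" 404 0' % PAD,
    'not an access-log line',
]

if __name__ == "__main__":
    hits, unparsed = scan(SAMPLE)
    for ip, n in hits.most_common():
        print(f"{ip}\t{n} padded SEARCH request(s)")
    print(f"{unparsed} line(s) could not be parsed")
```

An ordinary WebDAV SEARCH against a real path and a GET for the padded path are both left uncounted, so the tally reflects only the combination reported in the thread.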
    
