RE: WebDav Worm?

From: Henderson, Dennis K. (Dennis.Henderson_at_umb.com)
Date: 02/17/04

    Date: Tue, 17 Feb 2004 07:52:35 -0600
    To: "Frank Knobbe" <frank@knobbe.us>, "Keith T. Morgan" <keith.morgan@terradon.com>
    
    

    I'm finding that not all servers are getting hit with the entire exploit attempt. Only those servers that give back "411 Length required" responses are getting the full hit from the infected host. The non-Windows web servers are not getting hit at all as they give back a 500 series denied.
     
    Perhaps urlscan could calm down the noise by keeping the infected host from sending the complete exploit by denying the SEARCH command.
     
    Dennis
     
     
    On Fri, 2004-02-13 at 09:40, Keith T. Morgan wrote:
    > Maybe this is old news, or maybe its scanning pattern is just now
    > making it to my netblocks, but we're seeing a massive increase in http
    > connections asking for SEARCH
    > [...]
    > Has anyone else been seeing this type of activity increasing? We've
    > been seeing so much of it that I have to wonder if it's a worm.

    Heh... I asked this too on DShield, but no one cared to respond.

    We've seen the same thing, started on Monday I believe, and at first I
    thought it was a script kiddie (or just a script) probing for various
    offsets/length of NOP sleds, perhaps a universal Swiss-Army exploit
    script. But the activity levels increased to that of a worm. It appears,
    as mentioned, that it is Nachi.B.

    The interesting thing is that of those 20-some packets, a lot of them do
    not have shellcode included, just sleds of varying length. Seems like
    the code for the WebDAV exploit is broken. Thank God for small favors...
    However, it's a noisy bugger. It's approaching the level of pollution of
    the SQL Slammer. Unfortunately this one cannot be filtered on ISP
    routers. Looks like we have to learn to live with an increasing level of
    bandwidth wasted on noise like this.

    Cheers,
    Frank




            -----Original Message-----
            From: Frank Knobbe [mailto:frank@knobbe.us]
            Sent: Fri 2/13/2004 7:22 PM
            To: Keith T. Morgan
            Cc: incidents@securityfocus.com
            Subject: Re: WebDav Worm?
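
A log check for the pattern Dennis describes, as an added example that is not part of the original thread: it tallies SEARCH requests per source in a W3C extended format log and marks the sources that were answered with 411. The log lines, addresses and status values are constructed, and the field layout is an assumption about how the server's logging is configured.

```python
from collections import Counter, defaultdict

# Constructed sample in W3C extended log format; addresses are documentation
# ranges and the status values are illustrative, not taken from the thread.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-02-13 09:40:01 192.0.2.10 SEARCH / 411
2004-02-13 09:40:02 192.0.2.10 SEARCH / 400
2004-02-13 09:40:03 192.0.2.10 SEARCH / 400
2004-02-13 09:41:10 198.51.100.7 GET /index.html 200
2004-02-13 09:42:30 203.0.113.5 SEARCH / 501
2004-02-13 09:42:31 truncated-row
"""


def parse_w3c(text):
    """Yield one dict per request, mapped by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def search_summary(text):
    """Per source: SEARCH request count, status tally, and whether any reply was 411."""
    per_ip = defaultdict(Counter)
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() == "SEARCH":
            per_ip[row.get("c-ip", "-")][row.get("sc-status", "-")] += 1
    return {
        ip: {"requests": sum(st.values()), "statuses": dict(st), "got_411": "411" in st}
        for ip, st in per_ip.items()
    }


if __name__ == "__main__":
    ranked = sorted(search_summary(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["requests"])
    for ip, info in ranked:
        note = "answered with 411" if info["got_411"] else "no 411 reply"
        print(f"{ip:15} SEARCH x{info['requests']:<3} {info['statuses']} ({note})")
```

Sources marked as answered with 411 are the ones to compare against the rest when checking whether refusing the SEARCH verb reduces the follow-up traffic.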
            
            

