RE: WebDav Worm?

From: Keith T. Morgan (
Date: 02/17/04

  • Next message: Bill McCarty: "Re: WebDav Worm?"
    Date: Tue, 17 Feb 2004 09:26:09 -0500
    To: "Henderson, Dennis K." <>, "Frank Knobbe" <>

    After some off-list discussion about this, it's become clear that some
    networks are being hammered with it, and others aren't. I asked about
    this in a busy linux forum, and none of the folks running apache
    reported this entry in their logs. Your explanation below corresponds
    with what they're reporting. It could also explain why some folks are
    seeing it, and some arent.

    ...*off disabling search verb on windows web servers*...

    > -----Original Message-----
    > From: Henderson, Dennis K. []
    > Sent: Tuesday, February 17, 2004 8:53 AM
    > To: Frank Knobbe; Keith T. Morgan
    > Cc:
    > Subject: RE: WebDav Worm?
    > I'm finding that not all servers are getting hit with the
    > entire exploit attempt. Only those servers that give back
    > "411 Length required" responses are getting the full hit from
    > the infected host. The non-windows web servers are not
    > getting hit at all as they give back a 500 series denied.
    > Perhaps urlscan could calm down the noise by keeping the
    > infected host from sending the complete exploit by denying
    > the SEARCH command.
    > Dennis

    The contents of this email and any attachments are confidential.
    It is intended for the named recipient(s) only.
    If you have received this email in error please notify the system manager or the
    sender immediately and do not disclose the contents to anyone or make copies.

    ** this message has been scanned for viruses, vandals and malicious content **

    Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

    Protect your network with the comprehensive security solution that
    integrates six applications for ease of use and lower TCO.

    Firewall - Virus protection - Spam protection - URL blocking - VPN
    - Wireless security.

    Download 30-day evaluation at:

  • Next message: Bill McCarty: "Re: WebDav Worm?"