Re: WebDav Worm?

From: Bill McCarty (bmccarty_at_pt-net.net)
Date: 02/17/04

  • Next message: Roach4: "New virus: Alua! (Bagle.B)"

Date: Mon, 16 Feb 2004 15:58:48 -0800
To: Frank Knobbe <frank@knobbe.us>, "Keith T. Morgan" <keith.morgan@terradon.com>

    Hi Frank, Keith, and all,

    I see very little of these SEARCH requests, so far. And, my traffic does
    not include a NOP sled. So, it may be unrelated to yours.

    Packet capture follows. Note that the FIN and PUSH flags are set in the
    first packet containing payload, which follows another FIN packet. Also,
    note the "%s" in the payload packet, where the host name or IP address
    would generally appear.

    Looks like the programmer isn't carefully inspecting his results <g>. Or,
    maybe there's something special that sometimes occurs when you specify the
    hostname in this way.

    Cheers,

    02/16-13:16:20.367820 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
    TCP TTL:107 TOS:0x0 ID:28364 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x86D93BDA Ack: 0x0 Win: 0x4000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    02/16-13:16:20.813812 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
    TCP TTL:107 TOS:0x0 ID:28671 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x86D93BDB Ack: 0xB8CAE075 Win: 0x5B4 TcpLen: 20

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    02/16-13:16:22.642736 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
    TCP TTL:107 TOS:0x0 ID:29249 IpLen:20 DgmLen:40 DF
    ***A***F Seq: 0x86D93BFA Ack: 0xB8CAE075 Win: 0x4470 TcpLen: 20

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    02/16-13:16:29.860686 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
    TCP TTL:107 TOS:0x0 ID:32208 IpLen:20 DgmLen:71 DF
    ***AP**F Seq: 0x86D93BDB Ack: 0xB8CAE075 Win: 0x4470 TcpLen: 20
    53 45 41 52 43 48 20 2F 20 48 54 54 50 2F 31 2E SEARCH / HTTP/1.
    31 0D 0A 48 6F 73 74 3A 20 25 73 0D 0A 0D 0A 1..Host: %s....

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    02/16-13:16:30.177609 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
    TCP TTL:107 TOS:0x0 ID:32223 IpLen:20 DgmLen:52 DF
    ***A**** Seq: 0x86D93BFB Ack: 0xB8CAE075 Win: 0x4470 TcpLen: 32
    TCP Options (3) => NOP NOP Sack: 16430@60427

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    02/16-13:16:30.181809 80.19.31.220:3707 -> xxx.xxx.xxx.36:80
    TCP TTL:107 TOS:0x0 ID:32224 IpLen:20 DgmLen:40 DF
    *****R** Seq: 0x86D93BFB Ack: 0xB8CAE31C Win: 0x0 TcpLen: 20

    --On Friday, February 13, 2004 7:22 PM -0600 Frank Knobbe <frank@knobbe.us>
    wrote:

    > On Fri, 2004-02-13 at 09:40, Keith T. Morgan wrote:

    >> Maybe this is old news, or maybe its scanning pattern is just now
    >> making it to my netblocks, but we're seeing a massive increase in http
    >> connections asking for SEARCH
    >> [...]
    >> Has anyone else been seeing this type of activity increasing? We've
    >> been seeing so much of it that I have to wonder if it's a worm.
    >
    > Heh... I asked this too on DShield, but no one cared to respond.

    ---------------------------------------------------
    Bill McCarty
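A defender-side triage check, added here as an example and not part of the original post: it rebuilds the raw payload from the Snort hex-dump lines above and flags the two things Bill points out, the WebDAV SEARCH method and the unsubstituted "%s" where the Host value should be, and also reports whether the payload carries a NOP sled like the one Frank's traffic had. The names SNORT_DUMP, payload_from_snort_dump and inspect_request are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the two dump lines of the payload packet from the
# post, in Snort's "hex bytes ... ascii" layout (constant name is hypothetical).
SNORT_DUMP = """\
53 45 41 52 43 48 20 2F 20 48 54 54 50 2F 31 2E SEARCH / HTTP/1.
31 0D 0A 48 6F 73 74 3A 20 25 73 0D 0A 0D 0A 1..Host: %s....
"""

# Leading run of two-digit hex tokens; the ASCII column on the right is ignored.
HEX_RUN = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}\s)+)")


def payload_from_snort_dump(dump: str) -> bytes:
    """Rebuild payload bytes from Snort dump lines (at most 16 bytes per line)."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_RUN.match(line)
        if m:
            out.extend(int(tok, 16) for tok in m.group(1).split()[:16])
    return bytes(out)


@dataclass
class Finding:
    method: str
    host: Optional[str]
    webdav_search: bool   # WebDAV SEARCH method seen on a plain web server
    unfilled_format: bool  # Host header still holds a literal "%s"
    nop_sled: bool         # long run of 0x90 bytes anywhere in the payload


def inspect_request(payload: bytes, sled_len: int = 32) -> Finding:
    """Classify one HTTP request the way a defender triaging this traffic would."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    host = None
    for hdr in lines[1:]:
        name, _, value = hdr.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return Finding(
        method=method,
        host=host,
        webdav_search=(method == "SEARCH"),
        unfilled_format=(host is not None and "%s" in host),
        nop_sled=(b"\x90" * sled_len in payload),
    )


if __name__ == "__main__":
    print(inspect_request(payload_from_snort_dump(SNORT_DUMP)))
```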
