Re: WebDav Worm?

From: Bill McCarty
Date: 02/17/04

    Date: Mon, 16 Feb 2004 15:58:48 -0800
    To: Frank Knobbe <>, "Keith T. Morgan" <>

    Hi Frank, Keith, and all,

    I see very little of these SEARCH requests, so far. And, my traffic does
    not include a NOP sled. So, it may be unrelated to yours.

    Packet capture follows. Note that the FIN and PUSH flags are set in the
    first packet containing payload, which follows another FIN packet. Also,
    note the "%s" in the payload packet, where the host name or IP address
    would generally appear.

    Looks like the programmer isn't carefully inspecting his results <g>. Or,
    maybe there's something special that sometimes occurs when you specify the
    hostname in this way.


    02/16-13:16:20.367820 ->
    TCP TTL:107 TOS:0x0 ID:28364 IpLen:20 DgmLen:48 DF
    ******S* Seq: 0x86D93BDA Ack: 0x0 Win: 0x4000 TcpLen: 28
    TCP Options (4) => MSS: 1460 NOP NOP SackOK


    02/16-13:16:20.813812 ->
    TCP TTL:107 TOS:0x0 ID:28671 IpLen:20 DgmLen:40 DF
    ***A**** Seq: 0x86D93BDB Ack: 0xB8CAE075 Win: 0x5B4 TcpLen: 20


    02/16-13:16:22.642736 ->
    TCP TTL:107 TOS:0x0 ID:29249 IpLen:20 DgmLen:40 DF
    ***A***F Seq: 0x86D93BFA Ack: 0xB8CAE075 Win: 0x4470 TcpLen: 20


    02/16-13:16:29.860686 ->
    TCP TTL:107 TOS:0x0 ID:32208 IpLen:20 DgmLen:71 DF
    ***AP**F Seq: 0x86D93BDB Ack: 0xB8CAE075 Win: 0x4470 TcpLen: 20
    53 45 41 52 43 48 20 2F 20 48 54 54 50 2F 31 2E SEARCH / HTTP/1.
    31 0D 0A 48 6F 73 74 3A 20 25 73 0D 0A 0D 0A 1..Host: %s....


    02/16-13:16:30.177609 ->
    TCP TTL:107 TOS:0x0 ID:32223 IpLen:20 DgmLen:52 DF
    ***A**** Seq: 0x86D93BFB Ack: 0xB8CAE075 Win: 0x4470 TcpLen: 32
    TCP Options (3) => NOP NOP Sack: 16430@60427


    02/16-13:16:30.181809 ->
    TCP TTL:107 TOS:0x0 ID:32224 IpLen:20 DgmLen:40 DF
    *****R** Seq: 0x86D93BFB Ack: 0xB8CAE31C Win: 0x0 TcpLen: 20

    --On Friday, February 13, 2004 7:22 PM -0600 Frank Knobbe <>

    > On Fri, 2004-02-13 at 09:40, Keith T. Morgan wrote:

    >> Maybe this is old news, or maybe its scanning pattern is just now
    >> making it to my netblocks, but we're seeing a massive increase in http
    >> connections asking for SEARCH
    >> [...]
    >> Has anyone else been seeing this type of activity increasing? We've
    >> been seeing so much of it that I have to wonder if it's a worm.
    > Heh... I asked this too on DShield, but no one cared to respond.

    Bill McCarty
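Added example (not part of Bill's post or the list archive): a small Python checker that rebuilds the raw payload from the Snort-style hex/ASCII dump above and flags a WebDAV SEARCH request whose Host header still contains the unexpanded "%s" format string. The sample dump is the two payload lines from the capture, copied in here as constructed input; the dump layout assumed is "hex pairs, then ASCII column" with no offset prefix.

```python
import re
from typing import Optional

# Constructed sample: the two payload lines of the FIN/PUSH packet from the
# post, in Snort's "hex bytes ... ascii" dump layout (assumed, no offsets).
SNORT_DUMP = """\
53 45 41 52 43 48 20 2F 20 48 54 54 50 2F 31 2E SEARCH / HTTP/1.
31 0D 0A 48 6F 73 74 3A 20 25 73 0D 0A 0D 0A 1..Host: %s....
"""

HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2} )+")

def snort_dump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw payload from a Snort hex/ASCII dump: take the leading run
    of hex pairs on each line and ignore the ASCII column, where dots stand in
    for non-printable bytes such as CR and LF."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_RUN.match(line)
        if m:
            out += bytes.fromhex(m.group(0))
    return bytes(out)

def parse_request_head(raw: bytes) -> Optional[dict]:
    """Split an HTTP request into request line and headers. Returns None when
    the header block is not terminated, so a truncated capture is not misread."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": parts[0].decode("latin-1"), "target": parts[1].decode("latin-1"),
            "version": parts[2].decode("latin-1"), "headers": headers}

def classify_webdav_search(raw: bytes) -> dict:
    """Flag a SEARCH request and note when the Host header is the literal C
    format string "%s", the unexpanded-template artifact Bill points out."""
    req = parse_request_head(raw)
    if req is None or req["method"] != "SEARCH":
        return {"search": False, "unexpanded_host": False, "host": ""}
    host = req["headers"].get("host", "")
    return {"search": True, "unexpanded_host": "%s" in host, "host": host}

if __name__ == "__main__":
    print(classify_webdav_search(snort_dump_to_bytes(SNORT_DUMP)))
```

The 31 bytes recovered from the dump match the DgmLen of 71 in the capture (20 IP + 20 TCP + 31 payload), which is a cheap sanity check that the dump was parsed whole.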
