New http attack?

From: Keith T. Morgan (
Date: 06/08/05

  • Next message: "Re: New http attack?"
    Date: Wed, 8 Jun 2005 12:04:37 -0400
    To: <>

    A google search didn't turn up anything of value on this, so I'm posting
    to the list. If I've missed something that's common knowledge here, I
    appologize for inverting the signal/noise ratio a bit with this post.

    We've seen an attack that triggered a snort bleeding-edge hit for "smb
    over http authentication." This isn't particularly alarming, but, what
    caught my attention is what appears to be a very large buffer in part of
    the packet.

    The ascii decoded capture looks a bit like this:

    GET / HTTP/1.0
    Host: obfuscated
    Authorization: Negotiate <what may be an encrypted password>

    This "QUFB" string is repeated for 1400 bytes or so, and I'm assuming
    went beyond the single packet capture I have.

    The IIS logs indicate a simple GET / with a 401 response code.

    Has anyone seen this "QUFBQUFB" string in a worm, virus, or exploit
    floating around out there somewhere? I think chances of this being a FP
    are low since we're not using NTLM or windows native/ad authentication
    on this site.

    -- Keith Morgan

    "Hey Pants... Any advice for getting through turn 1 with 55 motorcycles
    on the grid?"
    "Yeah. Don't Crash."
    -- Sage motorcycle roadracing advice from Shawn (Pants) Romano
    The contents of this email and any attachments are confidential.
    It is intended for the named recipient(s) only.
    If you have received this email in error please notify the system manager or the
    sender immediately and do not disclose the contents to anyone or make copies.

    ** this message has been scanned for viruses, vandals and malicious content **

  • Next message: "Re: New http attack?"