Re: New http attack?

From: Tomaz Solc (tomaz.solc_at_siol.net)
Date: 06/08/05

    Date: Wed, 08 Jun 2005 21:42:24 +0200
    To: "Keith T. Morgan" <keith.morgan@terradon.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi

    I've been seeing this kind of traffic on a number of servers since 30
    May, with a peak on 2 June (around 100 requests per day). The number of
    requests has been slowly decreasing since (got 4 requests yesterday).

    A colleague first noticed it in his Apache logs because of a large
    number of HTTP requests without referrer or user agent headers (other
    than that, Apache logs show normal GET / requests with response 200).

    My first guess was that it is some kind of a worm because the wave of
    requests I've seen came almost exclusively from IPs that are near IPs of
    my servers.

    My Google search turned up a few exploits that are using "Authorization:
    Negotiate" header to exploit an old vulnerability in the Microsoft ASN.1
    library (CAN-2003-0818).

    I have a full packet log if anyone is interested.

    Best regards
    Tomaz Solc
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (GNU/Linux)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFCp0ogsAlAlRhL9q8RAqCGAJ49vMR+AKPw6LzG181fCpcCp5ruoACeJhjA
    fePddeTwhuM7yKW7ciNKq0k=
    =LldT
    -----END PGP SIGNATURE-----
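
The log pattern described in the message (GET / requests logged with neither a Referer nor a User-Agent, mostly from addresses close to the server's own) can be counted per day with a short script. This is an added example, not part of the original post; it assumes Apache's "combined" log format, and the function names, the prefix length used for "near" and the sample lines are all constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache "combined" LogFormat (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<req>[^"]*)" \d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious(line):
    """Return (day, ip) for a 'GET /' hit with no Referer and no User-Agent, else None."""
    m = LINE.match(line)
    if not m:
        return None
    parts = m["req"].split()
    if len(parts) < 2 or parts[0] != "GET" or parts[1] != "/":
        return None
    if m["ref"] not in ("", "-") or m["ua"] not in ("", "-"):
        return None
    return m["day"], m["ip"]

def summarize(lines, server_ip, prefix=16):
    """Count matching requests per day and how many came from the server's own /prefix."""
    near = ip_network(f"{server_ip}/{prefix}", strict=False)
    per_day, nearby, total = Counter(), 0, 0
    for line in lines:
        hit = suspicious(line)
        if hit is None:
            continue
        day, ip = hit
        per_day[day] += 1
        total += 1
        try:
            nearby += ip_address(ip) in near
        except ValueError:  # the log recorded a hostname instead of an address
            pass
    return {"per_day": dict(per_day), "total": total, "nearby": nearby}

# Constructed sample lines (documentation address ranges), not taken from the post.
SAMPLE = [
    '192.0.2.77 - - [02/Jun/2005:10:01:02 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '192.0.2.91 - - [02/Jun/2005:10:05:40 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '198.51.100.8 - - [02/Jun/2005:11:00:00 +0200] "GET / HTTP/1.1" 200 1456 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jun/2005:03:12:09 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '192.0.2.77 - - [07/Jun/2005:04:00:00 +0200] "GET /index.html HTTP/1.0" 200 99 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.0.2.10", prefix=24))
```

The "Authorization: Negotiate" header mentioned in the message is not recorded by the combined format, so this only narrows down candidate requests; confirming the header needs a packet capture or a custom LogFormat.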