Re: New http attack?
From: Tomaz Solc (tomaz.solc_at_siol.net)
Date: Wed, 08 Jun 2005 21:42:24 +0200 To: "Keith T. Morgan" <email@example.com>
-----BEGIN PGP SIGNED MESSAGE-----
I've been seeing this kind of traffic on a number of servers since 30
May with peak on 2 June (around 100 requests per day). The number of
requests has been slowly decreasing since (got 4 requests yesterday).
A colleague first noticed it in his apache logs because of a large
number of http requests without referrer or user agent headers (other
than that, apache logs show a normal GET / requests with response 200)
My first guess was that it is some kind of a worm because the wave of
requests I've seen came almost exclusively from IPs that are near IPs of
My google search turned up a few exploits that are using "Authorization:
Negotiate" header to exploit an old vulnerability in the Microsoft ASN.1
I have a full packet log if anyone is interested.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----