Re: New http attack?

From: Tomaz Solc (
Date: 06/08/05

  • Next message: Jason Falciola: "Re: New http attack?"
    Date: Wed, 08 Jun 2005 21:42:24 +0200
    To: "Keith T. Morgan" <>

    Hash: SHA1


    I've been seeing this kind of traffic on a number of servers since 30
    May with peak on 2 June (around 100 requests per day). The number of
    requests has been slowly decreasing since (got 4 requests yesterday).

    A colleague first noticed it in his apache logs because of a large
    number of http requests without referrer or user agent headers (other
    than that, apache logs show a normal GET / requests with response 200)

    My first guess was that it is some kind of a worm because the wave of
    requests I've seen came almost exclusively from IPs that are near IPs of
    my servers.

    My google search turned up a few exploits that are using "Authorization:
    Negotiate" header to exploit an old vulnerability in the Microsoft ASN.1
    library (CAN-2003-0818).

    I have a full packet log if anyone is interested.

    Best regards
    Tomaz Solc
    Version: GnuPG v1.4.1 (GNU/Linux)
    Comment: Using GnuPG with Thunderbird -

    -----END PGP SIGNATURE-----

  • Next message: Jason Falciola: "Re: New http attack?"