[Snort-sigs] Odd HTTP hits on 2 signatures

Tyler Hudak tyler at ...2280...
Thu Apr 1 21:06:11 EST 2004


There is a new multi-exploit worm going around right now.  More info in the
Handlers Diary at www.incidents.org.  I put netcat on my local box on port
80 to see what I can find and the worm tries to exploit one of the
vulnerabilities in the WebDAV search feature.  It also sends a whole bunch
o' NOPs.

I've posted a copy of one hit at http://www.hudakville.com/worm.txt.  I'm
going to wager that this is what you are seeing.

Sorry for not being more specific...it's late.  :)

Tyler

--------------------------------------------------------------
Message: 2
Date: Fri, 2 Apr 2004 00:02:09 +0200 (CEST)
From: Hugo van der Kooij <hvdkooij at ...481...>
To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] Odd HTTP hits on 2 signatures

Hi,

I get odd hits on the signatures 1070 (WebDAV search access) and 648
(SHELLCODE x86 NOOP) in repeating patterns much like:

04/01-06:20:46.265409  [**] [1:1070:6] WEB-MISC WebDAV search access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2] {TCP} XXX.XXX.XXX.XXX:3765 -> 192.168.1.2:80
04/01-06:20:47.323124  [**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
XXX.XXX.XXX.XXX:3765 -> 192.168.1.2:80
04/01-06:20:47.362624  [**] [1:648:6] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1] {TCP}
XXX.XXX.XXX.XXX:3765 -> 192.168.1.2:80
.....

They always start with a single WebDAV request and then a load of these
NOOPs.

Is anyone aware of any known infection or known web browser that fires off
these requests? The webserver logs show not a single request from said IP
address.

Hugo.
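One way to pick out the sequence Hugo describes from a Snort fast-format alert file, as an added example that is not part of the original thread: it parses each alert line, groups alerts by TCP connection, and reports a connection where a sid 1070 WebDAV search alert is followed within a short window by repeated sid 648 x86 NOOP alerts. The sample alert lines, source addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Snort's "fast" alert format (one alert per line; the
# mail client wrapped the ones quoted above). Source addresses are made up.
SAMPLE_ALERTS = """\
04/01-06:20:46.265409  [**] [1:1070:6] WEB-MISC WebDAV search access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 10.0.0.5:3765 -> 192.168.1.2:80
04/01-06:20:47.323124  [**] [1:648:6] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3765 -> 192.168.1.2:80
04/01-06:20:47.362624  [**] [1:648:6] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:3765 -> 192.168.1.2:80
04/01-06:25:10.000000  [**] [1:648:6] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.9:4011 -> 192.168.1.2:80
"""
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]"
    r"\s+(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+):(?P<sport>\d+)\s+->\s+(?P<dst>[^\s:]+):(?P<dport>\d+)")
WEBDAV_SEARCH_SID = 1070  # WEB-MISC WebDAV search access
X86_NOOP_SID = 648        # SHELLCODE x86 NOOP

def parse_alert(line):
    """Parse one fast-format alert line; return a dict, or None on no match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    # The fast format carries no year; strptime's default (1900) still orders alerts.
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d-%H:%M:%S.%f")
    return rec

def find_webdav_noop_sequences(alert_text, window_s=30, min_noops=2):
    """Report each TCP connection where a WebDAV search alert is followed,
    within window_s seconds, by at least min_noops x86 NOOP alerts."""
    flows = defaultdict(list)
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if rec:
            flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])].append(rec)
    hits = []
    for (src, sport, dst, dport), recs in flows.items():
        recs.sort(key=lambda r: r["time"])  # alert files are usually in order, but be safe
        for i, r in enumerate(recs):
            if r["sid"] != WEBDAV_SEARCH_SID:
                continue
            noops = [n for n in recs[i + 1:] if n["sid"] == X86_NOOP_SID
                     and (n["time"] - r["time"]).total_seconds() <= window_s]
            if len(noops) >= min_noops:
                hits.append({"src": src, "sport": sport, "dst": dst, "noop_alerts": len(noops)})
                break  # one report per connection
    return hits
```

A lone sid 648 alert (the 10.0.0.9 line) is not reported, which is the point: the WebDAV request followed by the NOOP run on the same connection is what distinguishes this traffic from an isolated NOOP false positive.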