[Snort-users] "Connnection closed"? (spelled wrong!)

John Sage jsage at ...2022...
Sun Jan 13 17:21:01 EST 2002


Although it doesn't seem to have received much attention, the 
"Connnection closed" misspelling seems to be a symptom of attempted Nimda 
infection; apparently it's within readme.eml

(My guess as to why it's not been discussed is that it's an easy error 
to make and a hard one to see: google returns over 6,000 hits on 
"connnection" with 3 n's...)


For a brief discussion, see:

http://www.gfi.com/press/nimdaworm.htm

"These requests are made to a virtual host named "www".
The  request looks similar to the following:

GET  /MSADC/root.exe HTTP/1.0
Host:  www
Connnection:  close

Notice the misspelt Connnection with 3 n instances."


And 18 pages into the google search there's a page with a strings run on 
readme.eml that has in it:

<snip>
:
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
:
<snip>

at:

http://lists.jammed.com/forensics/2001/09/0054.html


Finally, at incidents.org, see: 
http://www.incidents.org/diary/october01/100601.php


"09/18-19:57:01.145440 infected:1979 -> vulnerable:80 TCP ***AP***
  GET /scripts/root.exe?/c+dir HTTP/1.0..
  Host: www..Connnection: close...."

In their discussion of an unsuccessful Nimda infection attempt in "Nimda 
Infection Illustrated"...


- John

-- 
Computers: they're really nothing but l's and O's




Edwin Eefting wrote:

> Hi all
> 
> For quite a while now, I'm wondering why I always see the string
> "Connnection closed" spelled wrong in http requests. My first thought was that it was
> some kind of mistake/coincidence, but now I see it over and over again.
> Does somebody know why this is, and is this really part of the http-standard?? :-)
> (sorry for my own bad english :)
> 
> just curious..
> Edwin
> 
> 
> ------------------------------------------
> On Thu, 10 Jan 2002 16:44:18 +0100 Andreas Östling <andreaso at ...236...> wrote:
> 
> 
>>On Wednesday 09 January 2002 06.51, Martin Roesch wrote:
>>
>>>Hi Russell,
>>>     I made some tweaks to stream4 tonight that will hopefully clear up
>>>your problem, check out the latest code from cvs if you're interested
>>>(the SNORT_1_8 branch, not the 1.9-dev code).  This is build 89.  It now
>>>fills in the Ethernet headers appropriately and is a little tighter in
>>>how it puts things together, hopefully it'll clear up your problem.  Let
>>>me know how it goes.
>>>
>>>     -Marty
>>>
>>Hello,
>>
>>I experience the same problems as Russell from time to time.
>>I was running 1.8.3 (release version), but unfortunately build 89 did not 
>>solve all problems. The ethernet headers now seem to be correct, but the 
>>payload is still messed up.
>>
>>Example:
>>
>>01/10-15:17:13.659803 0:30:B6:34:4F:4C -> 0:60:70:E:B8:0 type:0x8 len:0x2C2
>>x.x.x.x:4271 -> 62.70.3.13:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:692
>>***AP*** Seq: 0x69F23943  Ack: 0x3DE12400  Win: 0x7AEC  TcpLen: 20
>>47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
>>2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
>>32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
>>20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
>>6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
>>63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
>>20 66 72 6F 6D 20 63 63 2E 75 61 62 2E 65 73 20   from cc.uab.es
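The thread above identifies the three-n "Connnection" header as a Nimda fingerprint and shows it inside a Snort payload dump. As an added example that is not part of the original thread, of Snort, or of any of the pages cited, the Python below rebuilds the request bytes from the hex columns of the quoted dump (copied here as a constructed sample) and reports the indicators the posts mention: the misspelled header, the bare "Host: www", and root.exe/cmd.exe in the request URI. The function names and the regular expressions are my own assumptions, not anything from the thread.

```python
"""Added example (not from the original thread): reconstruct the HTTP request
from a Snort hex dump and flag the Nimda "Connnection" misspelling."""
from __future__ import annotations

import re

# Constructed sample: the payload lines from the Snort output quoted in the
# thread, exactly as Snort prints them (16 hex bytes, then the ASCII column).
SAMPLE_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\\
2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
20 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   r r HTTP/1.0..H
6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65  ost: www..Connne
63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 0D 0A  ction: close....
"""

# Up to 16 space-separated hex pairs at the start of a line; the ASCII column
# that Snort appends is separated by two spaces, so the match stops before it.
HEX_COLUMN = re.compile(r"^([0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2}){0,15})")

# Hypothetical indicator pattern (my own, not from the thread): the worm's
# command-execution targets named in the quoted requests.
EXEC_URI = re.compile(r"/(root\.exe|cmd\.exe)", re.IGNORECASE)


def dump_to_bytes(dump: str) -> bytes:
    """Concatenate the hex column of every Snort payload line into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_COLUMN.match(line.strip())
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def parse_request(payload: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.0 request into its request line and a header dict.

    Header names are lower-cased but otherwise kept verbatim, so a misspelled
    name such as "Connnection" survives as the key "connnection".
    """
    text = payload.decode("latin-1")          # byte-transparent decoding
    head = text.split("\r\n\r\n", 1)[0]       # drop anything after the headers
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for field in lines[1:]:
        if ":" in field:
            name, value = field.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def nimda_indicators(payload: bytes) -> list[str]:
    """Return the reasons a request looks like a Nimda probe; empty if none."""
    request_line, headers = parse_request(payload)
    reasons = []
    if "connnection" in headers:               # three n's: the worm's own typo
        reasons.append("misspelled Connnection header")
    if headers.get("host") == "www":           # virtual host name the worm uses
        reasons.append("Host: www")
    parts = request_line.split(" ")
    uri = parts[1] if len(parts) > 1 else ""
    if EXEC_URI.search(uri):
        reasons.append("root.exe/cmd.exe in request URI")
    return reasons


if __name__ == "__main__":
    payload = dump_to_bytes(SAMPLE_DUMP)
    print(payload.decode("latin-1"))
    print("indicators:", nimda_indicators(payload))
```

The lookups key on the lower-cased header name, so the check is independent of the capitalisation a variant might use; a request with a correctly spelled `Connection:` header and no other indicator returns an empty list.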