[Snort-users] Some worm?
mkettler at ...4108...
Mon Apr 12 09:33:09 EDT 2004
At 03:47 PM 4/11/2004, Jan Hugo Prins wrote:
>Lately I get a lot of events that are grouped. First I get a "WEB-MISC
>WebDAV search access" alert, then a "(http_inspect) BARE BYTE UNICODE
>ENCODING" alert and after that 18 "SHELLCODE x86 NOOP" alerts.
>Is there some worm that tries to propagate using these signatures?
It's definitely been noticed before... someone asked about this specific
pattern on 4/2 and there was a reply pointing out some notes about a
multi-exploit worm or script being investigated over on incidents.org.
Some more recent notes indicating it was still going on 4/5
More information about the Snort-users