[Snort-users] Some worm?

Matt Kettler mkettler at ...4108...
Mon Apr 12 09:33:09 EDT 2004


At 03:47 PM 4/11/2004, Jan Hugo Prins wrote:
>Lately I get a lot of events that are grouped. First I get a "WEB-MISC
>WebDAV search access" alert, then a "(http_inspect) BARE BYTE UNICODE
>ENCODING"  alert and after that 18 "SHELLCODE x86 NOOP" alerts.
>
>Is there some worm that tries to propagate using these signatures?

It's definitely been noticed before... someone asked about this specific 
pattern on 4/2 and there was a reply pointing out some notes about a 
multi-exploit worm or script being investigated over on incidents.org.

http://isc.sans.org/diary.php?date=2004-04-01

Some more recent notes indicating it was still going on 4/5:

http://www.incidents.org/diary.php?date=2004-04-05&isc=4fa3ba545511ab1c5c13dfd444060ad4 
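
The alert grouping described in the question (a WebDAV search alert, then a bare-byte encoding alert, then a run of NOOP alerts from the same source) can be picked out of a Snort fast-format alert file with a small correlation script. This is an added example, not part of the original thread; the 60-second window, the five-NOOP threshold, the function names and the sample alerts are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Alert messages quoted in the post, in the order they were reported.
STAGES = ("WebDAV search access", "BARE BYTE UNICODE ENCODING", "SHELLCODE x86 NOOP")
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")

def parse(line):
    """Return (time, stage index, src, dst), or None for lines outside the pattern."""
    m = ALERT_RE.match(line.strip())
    stage = next((i for i, s in enumerate(STAGES) if m and s in m["msg"]), None)
    if stage is None:
        return None
    # Fast alerts carry no year; a fixed leap year is assumed so 02/29 parses.
    ts = datetime.strptime("2004/" + m["ts"], "%Y/%m/%d-%H:%M:%S.%f")
    return ts, stage, m["src"], m["dst"]

def correlate(lines, window=timedelta(seconds=60), min_noops=5):
    """Map (src, dst) to NOOP count where WebDAV, bare-byte, NOOP burst occur in order."""
    state = defaultdict(lambda: {"start": None, "next": 0, "noops": 0})
    hits = {}
    for ts, stage, src, dst in filter(None, map(parse, lines)):
        st = state[(src, dst)]
        if st["start"] is not None and ts - st["start"] > window:
            st.update(start=None, next=0, noops=0)  # stale sequence: start over
        if stage == 0 and st["next"] == 0:
            st.update(start=ts, next=1)
        elif stage == 1 and st["next"] == 1:
            st["next"] = 2
        elif stage == 2 and st["next"] == 2:
            st["noops"] += 1
            if st["noops"] >= min_noops:
                hits[(src, dst)] = max(hits.get((src, dst), 0), st["noops"])
    return hits

def sample_alerts():
    """Constructed alerts: documentation IPs; times, ports and rule ids are sample values."""
    fmt = "04/11-15:47:{:02d}.000000  [**] [{}] {} [**] [Priority: 2] {{TCP}} {}:3345 -> 198.51.100.5:80"
    seq = [(1, "1:1070:5", "WEB-MISC WebDAV search access"),
           (2, "119:4:1", "(http_inspect) BARE BYTE UNICODE ENCODING")]
    seq += [(3 + i, "1:648:5", "SHELLCODE x86 NOOP") for i in range(18)]
    lines = [fmt.format(s, ids, msg, "192.0.2.10") for s, ids, msg in seq]
    # A host that triggers only a lone WebDAV alert must not be reported.
    lines.append(fmt.format(30, "1:1070:5", "WEB-MISC WebDAV search access", "203.0.113.7"))
    return lines

if __name__ == "__main__":
    print(correlate(sample_alerts()))
```

Matching is done on the alert message text rather than on rule ids, so the same logic applies whatever rule revisions a sensor is running.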




