[Dshield] New port 80 Scan/Attack

Blake McNeill mcneillb at linklogger.com
Thu Aug 7 06:33:12 GMT 2003


The only thing that has been different lately on our honeypots started on
August 2nd on TCP port 80 and has only occurred a couple of times and always
from systems on 68.144.x.x which is where we are located (Source IP
68.144.160.126, 68.144.160.96, 68.144.47.132, 68.144.44.63). We are not
running any web servers or anything and I know we didn't see this scan
signature for the four days before August 2nd. The packet capture is always:

68.144.160.126 : 3583 TCP Data In : MD5 = 4147109BA20A6D25DD6436723EAB8C96
--- 8/6/2003 19:40:53.853
0000 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31   OPTIONS / HTTP/1
0010 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66   .1..translate: f
0020 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
0030 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D   crosoft-WebDAV-M
0040 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30   iniRedir/5.1.260
0050 30 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E   0..Host: 68.144.
0060 31 39 32 2E 32 32 37 0D 0A 43 6F 6E 74 65 6E 74   192.227..Content
0070 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E 6E   -Length: 0..Conn
0080 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69   ection: Keep-Ali
0090 76 65 0D 0A 0D 0A                                 ve....

WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a
set of extensions to the HTTP protocol which allows users to collaboratively
edit and manage files on remote web servers. Attacks using WebDAV are not
new, but given the increase in them it might be possible that a new worm or
attack script is out there using known vulns within WebDAV
(www.cert.org/advisories/CA-2003-09.html, www.kb.cert.org/vuls/id/959211, etc.).

I'll get another pot to start watching for this so we can tell if it's using
a netblock sweep or not.

Blake
www.SonicLogger.com - Logging Software for SonicWall and 3Com
www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
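A decoder and classifier for the capture in the message above, as an added example that is not part of the original post or of any LinkLogger/SonicLogger product. The hex dump is copied from the message; the plain GET and the oversized PROPFIND used for comparison are constructed samples, and the 8 KB request-target limit is an assumed threshold. The code turns the dump back into bytes, parses the request line and headers, and flags the WebDAV tells a honeypot watcher would key on: WebDAV-only methods, the IIS-specific "Translate: f" header, WebDAV headers such as Depth and Destination, the "Microsoft-WebDAV-MiniRedir" User-Agent (the string the Windows XP WebDAV mini-redirector, the Web Client service, sends), and an overlong request target, which is the shape of the ntdll.dll overflow request described in CA-2003-09.

```python
"""Decode a hex-dumped HTTP request and flag WebDAV probe indicators."""

# Hex dump copied from the honeypot capture in the message (offset column
# followed by 16 bytes per line; the ASCII column is omitted here).
CAPTURE_HEXDUMP = """\
0000 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31
0010 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66
0020 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69
0030 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D
0040 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30
0050 30 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E
0060 31 39 32 2E 32 32 37 0D 0A 43 6F 6E 74 65 6E 74
0070 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E 6E
0080 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69
0090 76 65 0D 0A 0D 0A
"""

# Constructed comparison samples (not from the capture).
PLAIN_GET = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
             b"User-Agent: curl/7.10\r\n\r\n")
OVERSIZED_PROPFIND = (b"PROPFIND /" + b"A" * 70000 + b" HTTP/1.1\r\n"
                      b"Host: example.test\r\nDepth: 0\r\n\r\n")

# Methods that only exist in WebDAV (RFC 2518). OPTIONS is plain HTTP and is
# only interesting together with the headers checked below.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
WEBDAV_HEADERS = ("depth", "destination", "lock-token", "overwrite")
MAX_SANE_TARGET = 8192  # assumed threshold; real servers cap far below 64 KB


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw payload from 'OFFSET XX XX ...' lines."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # tokens[0] is the offset; every following 2-char token is a byte.
        out.extend(int(tok, 16) for tok in tokens[1:] if len(tok) == 2)
    return bytes(out)


def parse_http_request(raw: bytes):
    """Split a request into (method, target, version, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by CRLFCRLF")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for hdr in lines[1:]:
        name, _, value = hdr.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return method, target, version, headers, body


def webdav_indicators(method: str, target: str, headers: dict) -> list:
    """Return the WebDAV-related tells found in one request."""
    hits = []
    if method in WEBDAV_METHODS:
        hits.append("webdav-method:" + method)
    if "translate" in headers:
        # "Translate: f" asks IIS for the raw file rather than the rendered page.
        hits.append("translate-header:" + headers["translate"])
    for name in WEBDAV_HEADERS:
        if name in headers:
            hits.append("webdav-header:" + name)
    ua = headers.get("user-agent", "")
    if "webdav" in ua.lower():
        hits.append("webdav-client-ua:" + ua)
    if len(target) > MAX_SANE_TARGET:
        hits.append("oversized-target:%d" % len(target))
    return hits


def classify(raw: bytes) -> dict:
    """Summarise one request and give it a verdict."""
    method, target, _version, headers, body = parse_http_request(raw)
    hits = webdav_indicators(method, target, headers)
    if any(h.startswith("oversized-target") for h in hits):
        verdict = "oversized-webdav-request"   # the CA-2003-09 shape
    elif hits:
        verdict = "webdav-probe"               # discovery/enumeration traffic
    else:
        verdict = "plain-http"
    return {"method": method, "target": target,
            "user_agent": headers.get("user-agent"),
            "body_len": len(body), "indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("capture", hexdump_to_bytes(CAPTURE_HEXDUMP)),
                          ("plain get", PLAIN_GET),
                          ("oversized propfind", OVERSIZED_PROPFIND)):
        r = classify(sample)
        print("%-19s %-8s %-24s %s" % (label, r["method"], r["verdict"],
                                       r["indicators"]))
```

The capture decodes to 150 bytes and classifies as webdav-probe on two indicators (the Translate header and the MiniRedir User-Agent) with a zero-length body and a one-character target, which is what a WebDAV client sends to discover server capabilities before any PROPFIND; the oversized-target check is what separates that discovery traffic from the overflow request pattern in the advisory the message cites.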



