[Dshield] New port 80 Scan/Attack

Doug doug at dwhite.ws
Thu Aug 7 12:40:07 GMT 2003


The WebDav exploit is going to get those larger networks where the admins have
delayed installing the available patches.

Johan's advice recently was very good when he said "Patch now".



================================
This address is filtered through the open relay database at http://www.ordb.org
and is virus scanned by ANTIVIR
http://www.dwhite.ws
mailto:doug at dwhite.ws
================================
----- Original Message ----- 
From: "Blake McNeill" <mcneillb at linklogger.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, August 07, 2003 1:33 AM
Subject: [Dshield] New port 80 Scan/Attack


| The only thing that has been different lately on our honeypots started on
| August 2nd on TCP port 80 and has only occurred a couple of times and always
| from systems on 68.144.x.x which is where we are located (Source IP
| 68.144.160.126, 68.144.160.96, 68.144.47.132, 68.144.44.63). We are not
| running any web servers or anything and I know we didn't see this scan
| signature for the four days before August 2nd. The packet capture is always:
|
| 68.144.160.126 : 3583 TCP Data In : MD5 = 4147109BA20A6D25DD6436723EAB8C96
| --- 8/6/2003 19:40:53.853
| 0000 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31   OPTIONS / HTTP/1
| 0010 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66   .1..translate: f
| 0020 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69   ..User-Agent: Mi
| 0030 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D   crosoft-WebDAV-M
| 0040 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30   iniRedir/5.1.260
| 0050 30 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E   0..Host: 68.144.
| 0060 31 39 32 2E 32 32 37 0D 0A 43 6F 6E 74 65 6E 74   192.227..Content
| 0070 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E 6E   -Length: 0..Conn
| 0080 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69   ection: Keep-Ali
| 0090 76 65 0D 0A 0D 0A                                 ve....
|
| WebDAV stands for "Web-based Distributed Authoring and Versioning". It is a
| set of extensions to the HTTP protocol which allows users to collaboratively
| edit and manage files on remote web servers. Attacks using WebDav are not
| new, but given the increase in them it might be possible that a new worm or
| attack script is out there using known vuls within WebDAV
| (www.cert.org/advisories/CA-2003-09.html, www.kb.cert.org/vuls/id/959211, etc.).
|
| I'll get another pot to start watching for this so we can tell if it's using
| a netblock sweep or not.
|
| Blake
| www.SonicLogger.com - Logging Software for SonicWall and 3Com
| www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel
|
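The capture quoted above, decoded and classified. This is an added example, not part of the original post and not code from DShield, LinkLogger or SonicLogger: it copies the hex dump from the message (the ASCII column is dropped), turns it back into the raw HTTP request, parses the request line and headers, and reports which WebDAV-probe indicators are present, so that a packet like this can be flagged on a host that runs no web server. The `WEBDAV_METHODS` set and the indicator names are this example's own choices.

```python
"""Decode a logger hex dump and classify the WebDAV probe it contains."""
import hashlib

# Constructed copy of the capture quoted above (offset and byte columns only).
HEXDUMP = """\
0000 4F 50 54 49 4F 4E 53 20 2F 20 48 54 54 50 2F 31
0010 2E 31 0D 0A 74 72 61 6E 73 6C 61 74 65 3A 20 66
0020 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 69
0030 63 72 6F 73 6F 66 74 2D 57 65 62 44 41 56 2D 4D
0040 69 6E 69 52 65 64 69 72 2F 35 2E 31 2E 32 36 30
0050 30 0D 0A 48 6F 73 74 3A 20 36 38 2E 31 34 34 2E
0060 31 39 32 2E 32 32 37 0D 0A 43 6F 6E 74 65 6E 74
0070 2D 4C 65 6E 67 74 68 3A 20 30 0D 0A 43 6F 6E 6E
0080 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69
0090 76 65 0D 0A 0D 0A
"""

# Methods defined by WebDAV (RFC 2518) plus OPTIONS, which WebDAV clients use
# to discover whether a server speaks DAV at all.  Set chosen for this example.
WEBDAV_METHODS = {"OPTIONS", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Convert '<offset> <hex bytes...>' lines back into the raw payload."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset = int(fields[0], 16)
        if offset != len(out):
            raise ValueError(f"dump not contiguous at offset {offset:#06x}")
        out.extend(int(tok, 16) for tok in fields[1:])
    return bytes(out)


def parse_http_request(raw: bytes):
    """Split a raw request into (method, target, version, headers, body).

    Header names are lower-cased so lookups do not depend on the client's
    capitalisation ('translate' here, 'Translate' from other clients).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def classify_webdav_probe(raw: bytes) -> dict:
    """Return the parsed request plus the WebDAV-probe indicators it matches."""
    method, target, version, headers, body = parse_http_request(raw)
    indicators = []
    if method in WEBDAV_METHODS:
        indicators.append(f"webdav-method:{method}")
    # 'translate: f' is what Microsoft WebDAV clients send to ask IIS for the
    # raw file instead of a server-side processed version.
    if headers.get("translate", "").lower() == "f":
        indicators.append("translate-f-header")
    # The Mini-Redirector is the WebDAV client built into Windows itself.
    if "microsoft-webdav-miniredir" in headers.get("user-agent", "").lower():
        indicators.append("ms-webdav-mini-redirector-ua")
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "body_length": len(body),
        # Hash of the decoded payload, for comparison with the logger's MD5
        # column; the logger may hash a different byte range, so a mismatch
        # alone does not mean a different packet.
        "md5": hashlib.md5(raw).hexdigest().upper(),
        "indicators": indicators,
    }


if __name__ == "__main__":
    result = classify_webdav_probe(hexdump_to_bytes(HEXDUMP))
    print(f"{result['method']} {result['target']} {result['version']}")
    for name, value in result["headers"].items():
        print(f"  {name}: {value}")
    print("indicators:", ", ".join(result["indicators"]))
```

Run as a script it prints the reconstructed request and the three indicators that fire for this packet. The useful check for a honeypot or a host with no web service is simply `method in WEBDAV_METHODS` on an inbound port 80 connection; the `translate: f` and Mini-Redirector checks tell you the client is the Windows built-in WebDAV stack rather than a hand-written scanner, which is worth recording alongside the source addresses when deciding whether the activity is a netblock sweep.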