[Dshield] Weird WebDAV exploit pattern

Frank Knobbe frank at knobbe.us
Thu Feb 12 23:01:01 GMT 2004


for almost a week now we have been seeing some strange WebDAV exploit
activity. Usually we see the average WebDAV scan, either a "/SEARCH"
request of the "Nessus safe scan". But recently we've been seeing a
pattern of about 10-20 instances of the "/SEARCH" attempt with varying
amount of "A"'s. My theory was that there is a new exploit script out
there that probes for vulnerabilities in the SEARCH component of WebDAV
with varying offset, possibly to catch different language version of the
WebDAV component -- kinda like a universal Swiss-Army script. Some
packets include shellcode, others don't (strangely, just varying lengths
of the NOP sled).

However, this is not a once in a while thing. The activity level is
approaching that of a virus or worm or other automated beast.

Is anyone else seeing the same pattern? Any ideas what could be behind


Warning at the Gates of Bill:  
Abandon hope, all ye who press <ENTER> here...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20040212/477cf1cc/attachment.bin

More information about the list mailing list