Rohny Jotton wrote:
> In the last 24 hours,
> I've logged two
> instances of "SEARCH
> /�����������������������....(many more)" on my
/me too
In our case we've seeing approximately 600-700 weekly "SEARCH /" scan
attempts since february. Snort flags it as "WEB-IIS WEBDAV nessus safe
scan attempt" (SID 2091, CAN-2003-0109).
However, recently, we've started seing the "SEARCH /AAAAAA..."
attempts. The funny thing is that the behaviour is:
1.- first do a "SEARCH /"
[if X, probably the bot checks for server version, etc. since not all
attempts proceed]
2.- start doing "SEARCH /AAAA" (234 'A' characters)
3.- repeat 2 increasing one "A" character until you get to 296 characters.
4.- stop
It seems that the application is trying to find the precise point
where the buffer overflow is located.
Regards
Javier
---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security
Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.
Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------
Received on Mar 26 2004
