Security Incidents
mailing list archives
RE: Odd attack string
From: "Levinson, Karl" <Karl.Levinson () dhs gov>
Date: Tue, 4 May 2004 16:18:01 -0400
What was the actual HTTP request? Was that a GET, a SEARCH, etc? Is this
the complete request, or was there something more at the end, such as shell
code?
If this was a SEARCH request instead of a GET, I might suspect an attempt to
exploit the MS03-007 NTDLL vulnerability through WebDAV. The Agobot / Gaobot /
Phatbot / Polybot Trojan is one tool that has caused a big increase in these
attacks recently. Note that if an IIS-related buffer overflow is
successful, it probably won't show up in your IIS logs, and the Windows
System event logs on the target system might have an entry related to the
overflow.
I have to believe whatever log is collecting the information you gave isn't
giving you enough information. Try reconfiguring it, complaining to the
vendor, and/or using a different tool [IDS, Snort, web server logs, firewall
logs, etc.] either in addition to or instead of your current tool.
-----Original Message-----
From: Jack Bristow [mailto:morriswurm () yahoo com]
Sent: Tuesday, May 04, 2004 11:32 AM
To: incidents () securityfocus com
Subject: Odd attack string
We've picked up on a few URL strings here that are obviously BOs.
I researched in order to try and identify what the offensive program may be
but I have had no luck. Has anyone else seen anything like the following?
Random Source IP:Random Source Port -> Random Dest IP:Port 80
URL:/�.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.
±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.
±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.
±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.±.
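A defender-side log check of the kind the reply recommends, added here as an example and not code from either poster: it parses IIS W3C-style log lines (a constructed sample, not the reporter's data), flags SEARCH/WebDAV methods and URIs that consist of a long run of one repeated high-byte unit like the "±." string above. The thresholds, field layout and sample addresses are assumptions.

```python
# Constructed sample lines in IIS W3C extended log format; the "±." filler URI
# mimics the run in the post. None of these lines come from the original thread.
FILLER_URI = "/" + "\u00b1." * 120
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-05-04 11:30:01 10.0.0.5 GET /index.htm - 200",
    "2004-05-04 11:30:07 192.0.2.9 SEARCH / - 411",
    "2004-05-04 11:31:12 198.51.100.3 GET " + FILLER_URI + " - 400",
    "2004-05-04 11:32:00 10.0.0.7 GET /images/logo.gif - 200",
])
MIN_RUN_LEN = 64   # shortest URI body treated as a possible filler run (assumed)
MAX_UNIT_LEN = 8   # repeated units longer than this look like real path segments
WEBDAV_METHODS = {"SEARCH", "PROPFIND"}  # SEARCH is the method the reply singles out

def smallest_period(s):
    """Length of the shortest unit whose repetition yields s (len(s) if none)."""
    p = (s + s).find(s, 1)
    return p if p != -1 else len(s)

def classify_uri(uri):
    """Reasons a URI looks like overflow filler rather than a real path."""
    reasons = []
    body = uri.lstrip("/")
    if len(body) < MIN_RUN_LEN:
        return reasons
    period = smallest_period(body)
    if period <= MAX_UNIT_LEN and period < len(body):
        reasons.append(f"{len(body)}-byte run of repeated unit {body[:period]!r}")
    odd = sum(1 for ch in body if ord(ch) >= 0x80 or ord(ch) < 0x20)
    if odd / len(body) > 0.25:
        reasons.append(f"{odd}/{len(body)} non-printable or high bytes")
    return reasons

def scan_log(text):
    """Return (client, method, reasons) for each W3C line worth a second look."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # directives and blanks
        fields = line.split(" ")
        if len(fields) < 7:
            continue  # truncated line: the reply's point about tool coverage applies
        _date, _time, client, method, uri, _query, _status = fields[:7]
        reasons = classify_uri(uri)
        if method in WEBDAV_METHODS:
            reasons.append(f"{method} method: review WebDAV exposure")
        if reasons:
            findings.append((client, method, reasons))
    return findings
```

Run against a real IIS log, the same scan answers the reply's first question (GET or SEARCH, and how long the request really was) without relying on the tool that truncated the original capture.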