Re: [FD]Questions about odd log entries

[Nick FitzGerald <nick () virus-l demon co uk>]

"Adam T" <adam_thacker () hotmail com> wrote:

> First I would like to say thank you to all on this list I have learnt so 
> many things even though I usually sit quietly in the corner, but  I do have 
> a question that I hope you can help me with. I came accross these odd log 
> entries the other day and was hoping someone could help me decipher them and 
> tell me what was attempted or accomplished and if this was a directed attack 
> or a script searching the net for a vulnerable host. (hoping it was not me) 
> and any suggestions to help me protect against such attacks.
> I have attached a small portion of the log. to provide more detail.

This is much the same traffic as several others have talked about the 
last few weeks.

A quick Google for the phrase "SEARCH /\x90\x02\xb1" straight from your 
log returned 777 hits, the first several of which suggest that it is 
some kind of attempt to exploit and old IIS WEBDAV vuln MS03-007.  I'd 
agree -- been seeing them for months.

Several currently common viruses include attempts against this vuln as 
a spread mechanism.  If you had IDS data you could correlate with these 
web logs you may be able to get a better fix on what malware is likely 
to be generating the traffic, or at least get an idea as to which 
malware family it's generator belongs...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html