Snort mailing list archives
Re: Some worm?
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 12 Apr 2004 12:32:42 -0400
At 03:47 PM 4/11/2004, Jan Hugo Prins wrote:
Lately I get a lot of events that are grouped. First I get a "WEB-MISC WebDAV search access" alert, then a "(http_inspect) BARE BYTE UNICODE ENCODING" alert and after that 18 "SHELLCODE x86 NOOP" alerts. Is there some worm that tries to propagate using these signatures?
It's definitely been noticed before... someone asked about this specific pattern on 4/2 and there was a reply pointing out some notes about a multi-exploit worm or script being investigated over on incidents.org.
http://isc.sans.org/diary.php?date=2004-04-01
Some more recent notes indicating it was still going on 4/5
http://www.incidents.org/diary.php?date=2004-04-05&isc=4fa3ba545511ab1c5c13dfd444060ad4
