Full Disclosure mailing list archives
RE: [despammed] Odd SEARCH Requests
From: "Levinson, Karl" <Karl.Levinson () dhs gov>
Date: Fri, 2 Apr 2004 14:48:53 -0500
MS03-007 NTDLL vulnerability over WebDAV. Probably Agobot / Gaobot / Phatbot / Polybot Trojan variants scanning for vulnerable systems to infect. Search google for "SEARCH-/\x90\x02" and you'll see more. Previously discussed here, at incidents () securityfocus com and other places. http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=SEARCH-%2F%5Cx90%5Cx0 2 Other strings seen include: SEARCH /AAAAAAAAA... SEARCH /±±±±±±... SEARCH /\x90\x02±\x02± ... x90\x90" http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.jb.h tml http://archives.neohapsis.com/archives/sf/pentest/2003-03/0109.html http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx http://thum.ath.cx/Apache/code.414 -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of badpack3t Sent: Friday, April 02, 2004 1:53 PM To: full-disclosure () lists netsys com Subject: [despammed] [Full-disclosure] Odd SEARCH Requests At least once per day I am receiving these odd SEARCH requests: http://fux0r.phathookups.com/incoming/dumbshit-thinks-he-can-hax0r-2.txt http://fux0r.phathookups.com/incoming/dumbshit-thinks-he-can-hax0r.txt I posted links because the requests are huge. If anyone else has seen these requests, or might have any other info on it let me know. It could possibly be ASN.1 related, but not sure. I tried the same request against a fully patched windows 2003 box with ISS 6.0 running, but nothing happened. Thanks, --------------------------- badpack3t www.security-protocols.com www.ihack.ms _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: [despammed] Odd SEARCH Requests Levinson, Karl (Apr 02)