Security Incidents mailing list archives
Re: New http attack?
From: Tomaz Solc <tomaz.solc () siol net>
Date: Wed, 08 Jun 2005 21:42:24 +0200
Hi

I've been seeing this kind of traffic on a number of servers since 30 May, with a peak on 2 June (around 100 requests per day). The number of requests has been slowly decreasing since (got 4 requests yesterday).

A colleague first noticed it in his Apache logs because of a large number of HTTP requests without referrer or user agent headers (other than that, the Apache logs show normal GET / requests with response 200).

My first guess was that it is some kind of a worm because the wave of requests I've seen came almost exclusively from IPs that are near the IPs of my servers.

My Google search turned up a few exploits that use the "Authorization: Negotiate" header to exploit an old vulnerability in the Microsoft ASN.1 library (CAN-2003-0818).

I have a full packet log if anyone is interested.

Best regards
Tomaz Solc
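The log pattern described in the message above (GET / answered with 200, no Referer and no User-Agent, sources close to the server's own address) can be counted per day from an Apache combined-format access log. This is an added example, not code from the post; the server address, the /24 notion of "near", the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines using documentation address ranges, not data from the thread.
SAMPLE_LOG = """\
198.51.100.23 - - [02/Jun/2005:10:15:01 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"
198.51.100.77 - - [02/Jun/2005:10:16:40 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"
203.0.113.9 - - [02/Jun/2005:11:02:13 +0200] "GET / HTTP/1.1" 200 1456 "-" "Mozilla/5.0 (X11; Linux i686)"
198.51.100.140 - - [07/Jun/2005:03:44:59 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"
192.0.2.50 - - [07/Jun/2005:04:00:00 +0200] "GET /index.html HTTP/1.1" 200 900 "http://example.org/" "-"
not a log line
"""

def is_bare_root_get(m):
    """True for 'GET /' answered 200 with neither Referer nor User-Agent logged."""
    parts = m["req"].split()
    return (len(parts) >= 2 and parts[0] == "GET" and parts[1] == "/"
            and m["status"] == "200"
            and m["ref"] in ("-", "") and m["ua"] in ("-", ""))

def summarize(log_text, server_ip, prefix_len=24):
    """Return (matches per day, matches from the server's own prefix, total matches)."""
    local_net = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
    per_day, nearby, total = Counter(), 0, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_bare_root_get(m):
            continue  # unparsable line or an ordinary request
        day = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").date().isoformat()
        per_day[day] += 1
        total += 1
        try:
            nearby += ipaddress.ip_address(m["ip"]) in local_net
        except ValueError:
            pass  # a hostname was logged instead of an address; count it, but not as nearby
    return dict(per_day), nearby, total

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "198.51.100.10"))
```

The combined log format does not record the Authorization header, so the "Authorization: Negotiate" header mentioned in the message can only be confirmed from a packet capture or an extended LogFormat.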