Security Incidents mailing list archives

Re: New http attack?


From: Tomaz Solc <tomaz.solc () siol net>
Date: Wed, 08 Jun 2005 21:42:24 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

I've been seeing this kind of traffic on a number of servers since 30
May, with a peak on 2 June (around 100 requests per day). The number of
requests has been slowly decreasing since (got 4 requests yesterday).

A colleague first noticed it in his Apache logs because of a large
number of HTTP requests without referrer or user agent headers (other
than that, Apache logs show normal GET / requests with response 200).

My first guess was that it is some kind of a worm because the wave of
requests I've seen came almost exclusively from IPs that are near IPs of
my servers.

My Google search turned up a few exploits that are using the "Authorization:
Negotiate" header to exploit an old vulnerability in the Microsoft ASN.1
library (CAN-2003-0818).

I have a full packet log if anyone is interested.

Best regards
Tomaz Solc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCp0ogsAlAlRhL9q8RAqCGAJ49vMR+AKPw6LzG181fCpcCp5ruoACeJhjA
fePddeTwhuM7yKW7ciNKq0k=
=LldT
-----END PGP SIGNATURE-----
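
Added example, not part of the original post: a log triage script for the symptom described in the message, i.e. GET / requests answered with 200 that carry neither a Referer nor a User-Agent header, counted per day and by how many sources share the server's network prefix. It assumes Apache's "combined" log format (which does not record the Authorization header, so only this symptom is visible); the function names, the sample lines and the /16 default used as a stand-in for "near" are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation address ranges), not taken from the post.
SAMPLE = [
    '192.0.2.57 - - [02/Jun/2005:10:15:01 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '192.0.2.201 - - [02/Jun/2005:10:15:09 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '203.0.113.9 - - [03/Jun/2005:08:02:44 +0200] "GET / HTTP/1.0" 200 1456 "-" "-"',
    '198.51.100.4 - - [03/Jun/2005:08:03:10 +0200] "GET / HTTP/1.1" 200 1456 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.77 - - [03/Jun/2005:09:00:00 +0200] "GET /index.html HTTP/1.1" 200 1456 "http://example.com/" "Mozilla/5.0"',
]

def headerless_root_gets(lines):
    """Yield (date, source) for GET / -> 200 requests with no Referer and no User-Agent."""
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m or m["request"].split()[:2] != ["GET", "/"]:
            continue  # malformed line, or not a request for the site root
        # Apache writes "-" in place of a header the client did not send.
        if m["status"] == "200" and m["referer"] in ("-", "") and m["agent"] in ("-", ""):
            day = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z").date()
            yield day, m["host"]

def _near(host, net):
    try:
        return ip_address(host) in net
    except ValueError:  # source logged as a name (HostnameLookups On)
        return False

def summarize(lines, server_ip, prefix_len=16):
    """Return (requests per day, distinct sources, sources inside the server's prefix)."""
    net = ip_network(f"{server_ip}/{prefix_len}", strict=False)
    per_day, sources = Counter(), set()
    for day, host in headerless_root_gets(lines):
        per_day[day.isoformat()] += 1
        sources.add(host)
    return dict(per_day), len(sources), sum(_near(s, net) for s in sources)

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.0.2.10"))
```

Run against a real access log by passing an open file handle as `lines` and the server's own address as `server_ip`.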

