From: scheidell at secnap.net (Michael Scheidell)
Subject: ALERT WEBDAV worm on the loose

ISP: attbi and kcl.net
YOU MAY BE ABLE TO HELP PREVENT THE NEXT SLAMMER TYPE NETWORK MELTDOWN.
YOU HAVE TWO CLIENTS INFECTED WITH THIS NEW WORM NOW.  DON'T WAIT TILL IT'S
TOO LATE.

Source ip addresses involved so far are
216.5.78.37 and 12.210.139.132

If any of your recent penetration tests revealed a WEBDAV weakness, you
MUST TAKE YOUR SERVER OFFLINE NOW and make sure it was not infected.
If you have any MS servers inside your network that may be vulnerable,
take them offline until you can apply the patch.  A worm can work its way
into your network via email or other means and they can infect servers and
workstations running MS SERVER behind the firewall.

A new WEBDAV worm is roaming the internet RIGHT NOW.  Yesterday, it was
announced that security company ISS had one of their servers compromised
and web site defaced using a vulnerability in Microsoft's WEBDAV (ISS
later announced that they meant for that server to be hacked to track
hacker and worm activity; see the story at:
http://www.zone-h.org/en/defacements/view/id=258882 )

Last night, we saw over one thousand servers attacked on more than 6
different networks by what appeared to be a worm that used the same code
as found in discussions about this worm.  This did not appear to be
normal, and it appears to be a sequential scan.

What this means is that hackers are looking for servers that have
weaknesses in their WEBDAV and have not applied patch MS03-007.  If you
have not applied that patch, we suggest you take your server offline
immediately, and then you must check your server and server logs for
attacks.

In your server logs you may find a string like this:

SEARCH / HTTP/1.1
Host: nnnnnn

Where nnnnnn is your host name or IP address.

We have good confidence that there is a worm at work due to the following:
A) the host inserted in the string is the IP address, and not the
hostname (any reference to your web site would have been via name)

B) this worm has attacked 6 different networks so far, in one case hitting
740 IP addresses on one network and 504 IP addresses on another network.

C) the worm has attempted to contact hosts that are not running a web server
(scanning)

D) Once the worm finds a web server, it only sends the search string to MS
servers.

For more information on the worm, see the MS announcement of the
vulnerability, March 17th:
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp

For lists of the source ip addresses and networks attacked, see:

http://www.hackertrap.net/IP.pl?IP=216.5.78.37
and 
http://www.hackertrap.net/IP.pl?IP=12.210.139.232

--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell@...nap.net
http://www.secnap.net
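The indicators the post lists (a SEARCH request whose Host header carries an IP address rather than a name, and one source walking through consecutive addresses) can be turned into a log check. The script below is an added example, not code from the original message or from SECNAP; the request records it runs over are constructed sample data, and the record layout (source IP, destination IP, head of the HTTP request) is an assumption about how the captures would be stored.

```python
"""Pick out WebDAV SEARCH probes of the kind described in the post above.

Added example, not code from the original message or from SECNAP. It applies
two of the post's indicators to HTTP request records: the method is SEARCH
and the Host header carries an IP literal, not a host name. It then groups
hits by source to surface the third indicator, one source stepping through
consecutive destination addresses (a sequential scan). All records below are
constructed sample data, not real captures.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: (source_ip, destination_ip, head of the HTTP request).
# The first four records imitate a scanner walking 10.1.2.3 through 10.1.2.6;
# the last two imitate a legitimate WebDAV client that addresses the server
# by name. Addresses are from documentation ranges.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "10.1.2.3", "SEARCH / HTTP/1.1\r\nHost: 10.1.2.3\r\n\r\n"),
    ("203.0.113.7", "10.1.2.4", "SEARCH / HTTP/1.1\r\nHost: 10.1.2.4\r\n\r\n"),
    ("203.0.113.7", "10.1.2.5", "SEARCH / HTTP/1.1\r\nHost: 10.1.2.5:80\r\n\r\n"),
    ("203.0.113.7", "10.1.2.6", "SEARCH / HTTP/1.1\r\nHost: 10.1.2.6\r\n\r\n"),
    ("192.0.2.9", "10.1.2.3", "SEARCH /docs/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("192.0.2.9", "10.1.2.3", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def parse_request_head(raw):
    """Return (method, target, host) from the head of an HTTP/1.x request.

    host is the Host header value with any :port suffix removed, or None when
    the header is absent. Returns None when the request line is malformed.
    """
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    host = None
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().split(":")[0]  # IPv4 literal or name, port dropped
            break
    return method, target, host


def is_ip_literal(host):
    """True when the Host header value is a bare IP address, not a host name."""
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def is_webdav_probe(raw):
    """SEARCH request addressed by IP: the string the post says to look for."""
    parsed = parse_request_head(raw)
    if parsed is None:
        return False
    method, _target, host = parsed
    return method == "SEARCH" and is_ip_literal(host)


def looks_sequential(dest_ips):
    """True when three or more distinct targets form a run of consecutive IPv4 addresses."""
    addrs = sorted({int(ipaddress.ip_address(ip)) for ip in dest_ips})
    if len(addrs) < 3:
        return False
    return all(b - a == 1 for a, b in zip(addrs, addrs[1:]))


def summarize_probes(records):
    """Group probe hits by source: hit count, distinct targets, sequential-scan flag."""
    targets = defaultdict(list)
    for src, dst, raw in records:
        if is_webdav_probe(raw):
            targets[src].append(dst)
    return {
        src: {
            "probes": len(dsts),
            "targets": sorted(set(dsts), key=lambda ip: int(ipaddress.ip_address(ip))),
            "sequential": looks_sequential(dsts),
        }
        for src, dsts in targets.items()
    }


if __name__ == "__main__":
    for src, info in summarize_probes(SAMPLE_REQUESTS).items():
        flag = "sequential scan" if info["sequential"] else "isolated"
        print(f"{src}: {info['probes']} SEARCH probe(s) to {len(info['targets'])} host(s), {flag}")
```

A legitimate WebDAV client can also issue SEARCH, so the method alone is not a verdict; the IP-literal Host header and the spread across consecutive targets are what separate the scanner from normal traffic in this data. Whether the server is actually vulnerable is a separate question answered by the MS03-007 patch status, not by the log.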

