lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <409BB7D9.22033.D42D3020@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: [FD]Questions about odd log entries

"Adam T" <adam_thacker@...mail.com> wrote:

> First I would like to say thank you to all on this list I have learnt so 
> many things even though I usually sit quietly in the corner, but  I do have 
> a question that I hope you can help me with. I came accross these odd log 
> entries the other day and was hoping someone could help me decipher them and 
> tell me what was attempted or accomplished and if this was a directed attack 
> or a script searching the net for a vulnerable host. (hoping it was not me) 
> and any suggestions to help me protect against such attacks.
> I have attached a small portion of the log. to provide more detail.

This is much the same traffic as several others have talked about the 
last few weeks.

A quick Google for the phrase "SEARCH /\x90\x02\xb1" straight from your 
log returned 777 hits, the first several of which suggest that it is 
some kind of attempt to exploit and old IIS WEBDAV vuln MS03-007.  I'd 
agree -- been seeing them for months.

Several currently common viruses include attempts against this vuln as 
a spread mechanism.  If you had IDS data you could correlate with these 
web logs you may be able to get a better fix on what malware is likely 
to be generating the traffic, or at least get an idea as to which 
malware family it's generator belongs...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ