| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: [FD]Questions about odd log entries "Adam T" <adam_thacker@...mail.com> wrote: > First I would like to say thank you to all on this list I have learnt so > many things even though I usually sit quietly in the corner, but I do have > a question that I hope you can help me with. I came accross these odd log > entries the other day and was hoping someone could help me decipher them and > tell me what was attempted or accomplished and if this was a directed attack > or a script searching the net for a vulnerable host. (hoping it was not me) > and any suggestions to help me protect against such attacks. > I have attached a small portion of the log. to provide more detail. This is much the same traffic as several others have talked about the last few weeks. A quick Google for the phrase "SEARCH /\x90\x02\xb1" straight from your log returned 777 hits, the first several of which suggest that it is some kind of attempt to exploit and old IIS WEBDAV vuln MS03-007. I'd agree -- been seeing them for months. Several currently common viruses include attempts against this vuln as a spread mechanism. If you had IDS data you could correlate with these web logs you may be able to get a better fix on what malware is likely to be generating the traffic, or at least get an idea as to which malware family it's generator belongs... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists