[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <409BB7D9.22033.D42D3020@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: [FD]Questions about odd log entries
"Adam T" <adam_thacker@...mail.com> wrote:
> First I would like to say thank you to all on this list I have learnt so
> many things even though I usually sit quietly in the corner, but I do have
> a question that I hope you can help me with. I came accross these odd log
> entries the other day and was hoping someone could help me decipher them and
> tell me what was attempted or accomplished and if this was a directed attack
> or a script searching the net for a vulnerable host. (hoping it was not me)
> and any suggestions to help me protect against such attacks.
> I have attached a small portion of the log. to provide more detail.
This is much the same traffic as several others have talked about the
last few weeks.
A quick Google for the phrase "SEARCH /\x90\x02\xb1" straight from your
log returned 777 hits, the first several of which suggest that it is
some kind of attempt to exploit and old IIS WEBDAV vuln MS03-007. I'd
agree -- been seeing them for months.
Several currently common viruses include attempts against this vuln as
a spread mechanism. If you had IDS data you could correlate with these
web logs you may be able to get a better fix on what malware is likely
to be generating the traffic, or at least get an idea as to which
malware family it's generator belongs...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists