"Adam T" <[EMAIL PROTECTED]> wrote: > First I would like to say thank you to all on this list I have learnt so > many things even though I usually sit quietly in the corner, but I do have > a question that I hope you can help me with. I came accross these odd log > entries the other day and was hoping someone could help me decipher them and > tell me what was attempted or accomplished and if this was a directed attack > or a script searching the net for a vulnerable host. (hoping it was not me) > and any suggestions to help me protect against such attacks. > I have attached a small portion of the log. to provide more detail.
This is much the same traffic as several others have talked about the last few weeks. A quick Google for the phrase "SEARCH /\x90\x02\xb1" straight from your log returned 777 hits, the first several of which suggest that it is some kind of attempt to exploit and old IIS WEBDAV vuln MS03-007. I'd agree -- been seeing them for months. Several currently common viruses include attempts against this vuln as a spread mechanism. If you had IDS data you could correlate with these web logs you may be able to get a better fix on what malware is likely to be generating the traffic, or at least get an idea as to which malware family it's generator belongs... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
