Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: New http attack?

from [Tomaz Solc] Network Security [Permanent Link]
Subject: Re: New http attack?
Date: Wed, 08 Jun 2005 21:42:24 +0200 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

I've been seeing this kind of traffic on a number of servers since 30
May with peak on 2 June (around 100 requests per day). The number of
requests has been slowly decreasing since (got 4 requests yesterday).

A colleague first noticed it in his apache logs because of a large
number of http requests without referrer or user agent headers (other
than that, apache logs show a normal GET / requests with response 200)

My first guess was that it is some kind of a worm because the wave of
requests I've seen came almost exclusively from IPs that are near IPs of
my servers.

My google search turned up a few exploits that are using "Authorization:
Negotiate" header to exploit an old vulnerability in the Microsoft ASN.1
library (CAN-2003-0818).

I have a full packet log if anyone is interested.

Best regards
Tomaz Solc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCp0ogsAlAlRhL9q8RAqCGAJ49vMR+AKPw6LzG181fCpcCp5ruoACeJhjA
fePddeTwhuM7yKW7ciNKq0k=
=LldT
-----END PGP SIGNATURE-----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: New http attack?, Kirby Angell
Next by Date:  Re: New http attack?, Jason Falciola
Previous by Thread:  Re: New http attack?, Kevin Timm
Next by Thread:  Re: New http attack?, Jason Falciola
Indexes:  [Date] [Thread] [Top] [All Lists]