WEBDAV Exploits on the rise
On May 7th 2003, a post to the Intrusions list noted an increase in attacks using the 'WEBDAV' exploit.
While we do not have any evidence of self-replication at this point, the
tool used is very aggressive, and at least some of the attacked hosts were reported to be used in scanning for other vulnerable hosts.
The WEBDAV vulnerability, officially announced in March but available in the
underground before that, has been used for a while by various tools. The goal
of these tools has been so far to either deface websites, or to upload various
backdoors or 'irc bots'.
This latest outbreak seems to be using a more aggressive tool, probably scanning
a large number of hosts. While this tool may have the ability to replicate, we
have not seen any evidence of it. In particular for botnets, it is unusual to have the
tool copy itself to the vulnerable host. Instead, a remote control agent is used
to gain control of the host for various purposes (DDOS, port scanning).
We do not have any exploit code available for this particular tool. Based on
a post to the Intrusions list by Michael Scheidell, the following request can be found in the web logs of scanned systems:
SEARCH / HTTP/1.1\r\n", "Host: nnnnnn"
Apache logs from older WEBDAV tools:
1.2.3.4 - - [25/Mar/2003:15:07:28 -0500] "SEARCH /\x90\x04H\x04H
(the characters \x04H are repeated many times, followed by many repeats of \x90)
" 414 271 "-" "-"
Relevant Links:
MSFT Announcement regarding WEBDAV:
http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
ISC Analysis of WEBDAV Vulnerability:
http://isc.incidents.org/analysis.html?id=183
--------------
Please report any further details to isc@sans.org . Please submit code samples
as an encrypted zip file with password 'isc'.