RE: Excessively large URI attacks: msg#00008

security.intrusions

Subject: RE: Excessively large URI attacks

Barry Fitzgerald wrote Wednesday, May 05, 2004 15:53

> Has anyone seen an uptick in attacks using excessively large
> URIs and SEARCH strings?
>
> I'm getting a small number of these and was wondering if
> there's some automated tool out there that could be generating these.

Plenty of them.

If you mean just any HTTP SEARCH with a lot of data in the request (64Kb or
more), it is one of the most popular exploits in worms and skiddie tools. It
is an attempted overflow of ntdll.dll via WebDAV in IIS. Patched in
MS03-007.

Automated exploits and worms using this have been common for quite a while.
Search for "webdav" or "ms03-007" on any AV vendor site. Symantec gives 56
hits on "webdav" when filtering for only viruses, trojan horses, worms, and
macros.

Agobot/polybot/phatbot appears to be the most common automated scan in my
neck of the woods at present (a guess based on other ports scanned along
with the WebDAV overflow attempts). With some variants you might also see
hits on TCP 135, 445, 1025, 3127, and other ports from the same address
attempting the WebDAV attack.

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
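
An added example, not part of the original message: a log check for the pattern the reply describes, flagging sources that send oversized SEARCH requests and listing which of the companion ports named in the post the same address also hit. It assumes a Common Log Format access log and firewall events already parsed into (source IP, destination port) tuples; the function names, the URI-length threshold, and all sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed threshold: the post speaks of SEARCH requests carrying about 64 KB or more.
LARGE_URI_BYTES = 64 * 1024
# Ports the post lists as scanned alongside the WebDAV overflow attempts.
COMPANION_PORTS = {135, 445, 1025, 3127}
# Assumed log layout (Common Log Format); no closing quote required, so cut-off lines still parse.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S*)')

def large_search_sources(access_lines, threshold=LARGE_URI_BYTES):
    """Return {source_ip: count} of SEARCH requests whose URI is at least `threshold` bytes."""
    hits = defaultdict(int)
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group(2).upper() == "SEARCH" and len(m.group(3)) >= threshold:
            hits[m.group(1)] += 1
    return dict(hits)

def correlate(access_lines, fw_events, threshold=LARGE_URI_BYTES):
    """fw_events: iterable of (source_ip, dst_port) tuples taken from a firewall log.
    Returns {source_ip: sorted companion ports probed} for every oversized-SEARCH source."""
    ports = {ip: set() for ip in large_search_sources(access_lines, threshold)}
    for ip, port in fw_events:
        if ip in ports and port in COMPANION_PORTS:
            ports[ip].add(port)
    return {ip: sorted(p) for ip, p in ports.items()}

# Constructed sample data (documentation address ranges, filler URI of 70,000 characters).
SAMPLE_ACCESS = [
    '192.0.2.10 - - [05/May/2004:15:40:01 -0400] "SEARCH /' + "x" * 70000 + ' HTTP/1.1" 411 0',
    '192.0.2.10 - - [05/May/2004:15:40:02 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [05/May/2004:15:41:10 -0400] "SEARCH /docs HTTP/1.1" 501 0',
]
SAMPLE_FW = [
    ("192.0.2.10", 135), ("192.0.2.10", 445), ("192.0.2.10", 80),
    ("198.51.100.7", 445), ("192.0.2.10", 3127),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_ACCESS, SAMPLE_FW))
```

If the web server truncates long request lines before logging them, the threshold needs to be lowered to the logged maximum.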


