RE: Excessively large URI attacks (msg#00017, security.intrusions)
Donald,

Here's one I grabbed. I see 4-12 per day. All which I get look just like this, save that each is directed at a different IP on our net. Source IPs differ, each source IP targets a different target IP. I lost the others from today, so have only this one. :-(

From Acid:

#(1 - 39021) [2004-05-06 01:14:38] [arachNIDS/474] [snort/1070] WEB-MISC WebDAV search access
IPv4: 12.219.16.184 -> 12.16x.yyy.zzz
      hlen=5 TOS=16 dlen=2960 ID=0 flags=0 offset=0 TTL=240 chksum=0
TCP:  port=4187 -> dport: 80  flags=***AP*** seq=1781825260
      ack=377583163 off=5 res=0 win=17520 urp=0 chksum=0
Payload:  length = 2920

000 : 53 45 41 52 43 48 20 2F 90 02 B1 02 B1 02 B1 02 SEARCH /........
010 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
020 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
030 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
040 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
050 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
060 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
070 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
080 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
090 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0a0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0b0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0c0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0d0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0e0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0f0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
100 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
110 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
120 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
130 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
140 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
150 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
160 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
170 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
180 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
190 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
1a0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
1b0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
1c0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
1d0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
1e0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
1f0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
200 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
210 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
220 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
230 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
240 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
250 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
260 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
270 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
280 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
290 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
2a0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
2b0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
2c0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
2d0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
2e0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
2f0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
300 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
310 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
320 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
330 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
340 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
350 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
360 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
370 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
380 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
390 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
3a0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
3b0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
3c0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
3d0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
3e0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
3f0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
400 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
410 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
420 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
430 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
440 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
450 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
460 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
470 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
480 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
490 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
4a0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
4b0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
4c0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
4d0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
4e0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
4f0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
500 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
510 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
520 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
530 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
540 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
550 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
560 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
570 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
580 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
590 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
5a0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
5b0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
5c0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
5d0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
5e0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
5f0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
600 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
610 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
620 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
630 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
640 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
650 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
660 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
670 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
680 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
690 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
6a0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
6b0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
6c0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
6d0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
6e0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
6f0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
700 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
710 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
720 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
730 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
740 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
750 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
760 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
770 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
780 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
790 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
7a0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
7b0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
7c0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
7d0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
7e0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
7f0 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
800 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
810 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
820 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
830 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
840 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
850 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
860 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 90 ................
870 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
880 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
890 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
8a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
8b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
8c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
8d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
8e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
8f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
900 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
910 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
920 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
930 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
940 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
950 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
960 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
970 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
980 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
990 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
9a0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
9b0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
9c0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
9d0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
9e0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
9f0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a00 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a10 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a20 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a30 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a40 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a50 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a60 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a70 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a80 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
a90 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
aa0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
ab0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
ac0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
ad0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
ae0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
af0 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
b00 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
b10 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
b20 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
b30 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
b40 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
b50 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
b60 : 90 90 90 90 90 90 90 90 ........

> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith@xxxxxxxxx]
> Sent: Thursday, May 06, 2004 11:54 AM
> To: Intrusions List (GCIA Practicals)
> Subject: RE: [Intrusions] Excessively large URI attacks
>
> Got Packets?
>
> Donald.Smith@xxxxxxxxx GCIA
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> kill -13 111/2
>
> > -----Original Message-----
> > From: intrusions-bounces@xxxxxxxxxxxxxx
> > [mailto:intrusions-bounces@xxxxxxxxxxxxxx] On Behalf Of Barry Fitzgerald
> > Sent: Thursday, May 06, 2004 7:37 AM
> > To: Intrusions List (GCIA Practicals)
> > Subject: Re: [Intrusions] Excessively large URI attacks
> >
> > That's precisely what I'm seeing. They aren't breaking anything on my
> > end either, but they're excessively long. This certainly seems
> > different than the average Webdav attacks we've been seeing, but perhaps
> > it's just an attempt to exploit a generic overflow. Anyone have any
> > thoughts?
> >
> > -Barry
> >
> > Tom Glaab wrote:
> >
> > >> Has anyone seen an uptick in attacks using excessively large URIs and
> > >> SEARCH strings?
> > >
> > > No uptick, but I've been seeing them for a few weeks. They don't seem
> > > to be breaking anything and there's been no discussion here, so I've
> > > just been watching them.
> > >
> > > They all look the same: 65.43.212.205 - - [02/May/2004:17:03:21 -0400]
> > > "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1.....
> > >
> > > and end with pages of \x90
> > >
> > > tg.

_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
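The request shape the thread describes (a SEARCH method, a URI made of repeated non-printable bytes that ends in pages of 0x90) can be flagged mechanically from the same ACID payload dump the post quotes. The script below is an added example, not code from the thread or from ACID or Snort: it parses ACID-style hex dump rows, rebuilds the request line, and reports oversize URIs, non-printable byte ratios and runs of 0x90. The sample dumps are constructed (the first is a cut-down imitation of the pattern above, the second an ordinary GET), and the thresholds and function names are this example's own assumptions.

```python
"""Flag oversized or filler-dominated HTTP request URIs in ACID-style hex dumps.

Added example for the thread above; not the thread's own code and not an
ACID or Snort component. Thresholds are assumptions, tune them to your traffic.
"""
import re

# One ACID payload row: hex offset, colon, 1..16 hex byte pairs, then the ASCII column.
# The {1,16} cap stops the match before ASCII text that happens to look like hex.
ROW_RE = re.compile(r"^\s*[0-9a-fA-F]+\s*:\s*((?:[0-9a-fA-F]{2}\s+){1,16})")


def parse_hexdump(text):
    """Rebuild payload bytes from rows such as '000 : 53 45 41 ... SEARCH /........'."""
    payload = bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            payload.extend(int(h, 16) for h in m.group(1).split())
    return bytes(payload)


def request_line(payload):
    """Split the first line of an HTTP request into (method, uri), or None.

    The capture in the thread is cut off before any CRLF, so the request line
    is taken as everything up to the first CRLF or the end of the data.
    """
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].isalpha():
        return None
    return parts[0].decode("ascii"), parts[1]


def assess_uri(uri, max_len=1024, nonprint_ratio=0.10, nop_ratio=0.25):
    """Return metrics and findings for one request URI.

    A legitimate WebDAV SEARCH URI is a short path of printable ASCII, so an
    oversize URI, a large share of bytes outside 0x21..0x7E, or a long run of
    0x90 bytes is the shape the thread describes.
    """
    n = len(uri)
    nonprint = sum(1 for b in uri if b < 0x21 or b > 0x7E)
    nops = uri.count(0x90)
    longest_run, run, prev = 0, 0, None  # longest run of one byte value (the sled)
    for b in uri:
        run = run + 1 if b == prev else 1
        prev = b
        longest_run = max(longest_run, run)
    findings = []
    if n > max_len:
        findings.append(f"uri length {n} exceeds {max_len}")
    if n and nonprint / n > nonprint_ratio:
        findings.append(f"{nonprint}/{n} bytes are non-printable")
    if n and nops / n > nop_ratio:
        findings.append(f"{nops}/{n} bytes are 0x90, longest run {longest_run}")
    return {"uri_len": n, "nonprint": nonprint, "nops": nops,
            "longest_run": longest_run, "findings": findings}


def analyze_dump(text, **thresholds):
    """Parse one ACID-style hex dump and assess its request URI."""
    rl = request_line(parse_hexdump(text))
    if rl is None:
        return {"method": None, "findings": ["no HTTP request line found"]}
    method, uri = rl
    result = assess_uri(uri, **thresholds)
    result["method"] = method
    return result


# Constructed sample dumps in the ACID row format (not the thread's capture).
SUSPICIOUS_DUMP = """\
000 : 53 45 41 52 43 48 20 2F 90 02 B1 02 B1 02 B1 02 SEARCH /........
010 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
020 : B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 90 ................
030 : 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
040 : 90 90 90 90 90 90 90 90 ........
"""

BENIGN_DUMP = """\
000 : 47 45 54 20 2F 69 6E 64 65 78 2E 68 74 6D 6C 20 GET /index.html
010 : 48 54 54 50 2F 31 2E 30 0D 0A HTTP/1.0..
"""

if __name__ == "__main__":
    for name, dump in (("suspicious", SUSPICIOUS_DUMP), ("benign", BENIGN_DUMP)):
        r = analyze_dump(dump)
        print(name, r["method"], r.get("uri_len"), r["findings"])
```

Against the constructed SEARCH sample the script reports a URI that is almost entirely non-printable with a 25-byte run of 0x90; the real capture above would also trip the length check, since its URI is over 2900 bytes. Run over a directory of exported ACID payloads, the per-request metrics make it easy to confirm that a day's alerts really are the same template and to tell the 02 B1 filler variant from ordinary WebDAV traffic.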