On May 7th 2003, a post to the intrustions list noted an increase in attacks using the 'WEBDAV' exploit.
While we do not have any evidence of self replication at this point, the
tool used is very aggressive and at least some of the attacked hosts where reported to be used in scanning for other vulnerable hosts.
The WEBDAV vulnerability, officially announced in March but available in the
underground before that, has been used for a while by various tools. The goal
of these tools has been so far to either deface websites, or to upload various
backdoors or 'irc bots'.
This latest outbreak seems to be using a more aggressive tool, probably scanning
large number of hosts. While this tool may have the ability to replicate, we
have not seen any evidence. In particular for botnets, it is unusual to have the
tool copy itself to the vulnerable host. Instead, a remote control agent is used
to gain control of the host for various purposes (DDOS, port scanning).
We do not have any exploit code available for this particular tool. Based on
a post to the Intrusions list by Michael Scheidell, the following request can be found in weblogs of scanned systems:
SEARCH / HTTP/1.1\r\n", "Host: nnnnnn"
Apache logs from older WEBDAV tools:
18.104.22.168 - - [25/Mar/2003:15:07:28 -0500] "SEARCH /\x90\x04H\x04H
(the characters \x04H are repeated many times, followed by many repeats of \x90
" 414 271 "-" "-"
MSFT Announcement regarding WEBDAV:
ISC Analysis of WEBDAV Vulnerability:
Please report any further details to firstname.lastname@example.org . Please submit code sample
as an encrypted zip file with password 'isc'.
May 7th 2003
1 decade ago