Suspicious HTTP traffic

Post by Benn » Fri, 02 Apr 2004 12:08:11


Hi guys,

Lately, we've been getting quite a number of what looks like buffer
overflow attempt traffic, possibly a worm, on our webserver. Attached below
is a snippet of the traffic we're getting from our Snort IDS.
Has anyone encountered this?

[**] WEB-MISC WebDAV search access [**]
04/01-10:50:28.859507 0:60:97:E1:72:5E -> 0:A0:C9:D8:57:B5 type:0x800
len:0x5EA
xxx.xxx.xxx.xxx:4398 -> xxx.xxx.xxx.xxx:80 TCP TTL:102 TOS:0x0 ID:32633
IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x197C17A2 Ack: 0xDCF1648 Win: 0xFAF0 TcpLen: 20
0x0000: 00 A0 C9 D8 57 B5 00 60 97 E1 72 5E 08 00 45 00 ....W..`..r^..E.
0x0010: 05 DC 7F 79 40 00 66 06 91 96 D2 52 69 0C C0 A8 ...y@.f....Ri...
0x0020: 02 05 11 2E 00 50 19 7C 17 A2 0D CF 16 48 50 10 .....P.|.....HP.
0x0030: FA F0 75 BF 00 00 53 45 41 52 43 48 20 2F 90 02 ..u...SEARCH /..
0x0040: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0050: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0060: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0070: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0080: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0090: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00A0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00B0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00C0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00D0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00E0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x00F0: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0100: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0110: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0120: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0130: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0140: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0150: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0160: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0170: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0180: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0190: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
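Added here as an illustration, not code from Benn's post: a small Python script that rebuilds the TCP payload from a Snort packet dump like the one above and flags a request line whose target is oversized, non-printable, or made of a repeated filler unit (the B1 02 pattern). SAMPLE_DUMP is a constructed copy of the first six rows, and the thresholds (255-byte target, 8-unit repeat) are assumptions of this example, not Snort settings.

```python
import re
# Constructed sample in the same Snort packet-dump format as the alert above,
# cut to six rows; the real alert (DgmLen:1500) continues with the same B1 02 filler.
SAMPLE_DUMP = """\
0x0000: 00 A0 C9 D8 57 B5 00 60 97 E1 72 5E 08 00 45 00 ....W..`..r^..E.
0x0010: 05 DC 7F 79 40 00 66 06 91 96 D2 52 69 0C C0 A8 ...y@.f....Ri...
0x0020: 02 05 11 2E 00 50 19 7C 17 A2 0D CF 16 48 50 10 .....P.|.....HP.
0x0030: FA F0 75 BF 00 00 53 45 41 52 43 48 20 2F 90 02 ..u...SEARCH /..
0x0040: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
0x0050: B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 B1 02 ................
"""
# One dump row: offset, up to 16 hex byte pairs, then the ASCII column (ignored).
HEX_ROW = re.compile(r"^0x[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")

def parse_dump(text):
    """Rebuild the raw Ethernet frame from the hex rows of a Snort dump."""
    frame = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m:
            frame += bytes.fromhex(m.group(1))
    return bytes(frame)

def tcp_payload(frame):
    """Skip Ethernet II (14 bytes), then IPv4 and TCP headers by their own length fields."""
    ihl = (frame[14] & 0x0F) * 4            # IP header length from the IHL nibble
    tcp_off = 14 + ihl
    doff = (frame[tcp_off + 12] >> 4) * 4   # TCP data offset nibble
    return frame[tcp_off + doff:]

def longest_pair_run(data):
    """Longest run of one repeated 2-byte unit, tried at both byte alignments."""
    best = 0
    for start in (0, 1):
        run = 1
        for i in range(start + 2, len(data) - 1, 2):
            run = run + 1 if data[i:i + 2] == data[i - 2:i] else 1
            best = max(best, run)
    return best

def assess_request(payload, max_uri=255, max_run=8):
    """Score the request line: oversized target, repeated filler, or non-printable bytes."""
    method, _, rest = payload.partition(b" ")
    uri = rest.split(b" ", 1)[0]            # target ends at the next space, if there is one
    nonprint = sum(1 for b in uri if b < 0x20 or b > 0x7E)
    run = longest_pair_run(uri)
    return {"method": method.decode("ascii", "replace"), "uri_len": len(uri),
            "repeat_run": run, "nonprintable": nonprint,
            "suspicious": len(uri) > max_uri or run >= max_run or nonprint > len(uri) // 2}
```

On the six-row sample the target is already 35 bytes of which 34 are non-printable, with the 2-byte unit repeated 16 times; a plain "SEARCH / HTTP/1.1" request scores clean, which separates legitimate WebDAV from this filler.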