Fun with Welchia…

So today I got an interesting alert from OSSEC (a Host-Based IDS) on my web-hosting server:


Rule: 31115 fired (level 13) -> “URL too long. Higher than allowed on most browsers. Possible attack.”

Portion of the log(s): – -16/Dec/2008:16:14:20 -0600] “SEARCH /x90x04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04H


As we can see, host tried to connect to my server on TCP port 80, looking to exploit a IIS WebDAV vulnerbility.  (Microsoft Security Bulletin MS03-007)  This is most often seen by a variant of Welchia, specfically, W32.Welchia.B.Worm .  From the Symantec article, “The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. The worm’s use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.”

After doing a IP Lookup, using my favorite tool,, I found that it is an IP in Western Finland.  After that, I fired up Nmap, and did a quick scan of the IP.  Since it blocked pings, Nmap thought that the host was down, so I had to change the scan parameters to not ping before scanning.  Using regular TCP SYN scans, it seems that the most commonly used ports are filtered, and therefore I was unable to get an accurate OS type reading. Most likley, the machine is a compromised Windows machine, blasting out arbitrary scans, trying to compromise internet-facing, unpatched Windows machines.

The Moral of the Post:

Make sure your machines are all patched, even for old vulnerabilities.  Those worms are still out there.


PS: Obligatory xkcd

Tagged ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s