So today I got an interesting alert from OSSEC (a Host-Based IDS) on my web-hosting server:
—————————————-
Rule: 31115 fired (level 13) -> “URL too long. Higher than allowed on most browsers. Possible attack.”
Portion of the log(s):
81.197.69.xxx – -16/Dec/2008:16:14:20 -0600] “SEARCH /x90x04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04Hx04H
——————————–
As we can see, host 81.197.69.xxx tried to connect to my server on TCP port 80, looking to exploit an IIS WebDAV vulnerability (Microsoft Security Bulletin MS03-007). This is most often seen from a variant of Welchia, specifically W32.Welchia.B.Worm. From the Symantec article, “The worm specifically targets machines running Microsoft IIS 5.0 using this exploit. The worm’s use of this exploit will impact Windows 2000 systems and may impact Windows NT/XP systems.”
After doing an IP lookup, using my favorite tool, http://logbud.com, I found that it is an IP in Western Finland. After that, I fired up Nmap and did a quick scan of the IP. Since it blocked pings, Nmap thought that the host was down, so I had to change the scan parameters to not ping before scanning. Using regular TCP SYN scans, it seems that the most commonly used ports are filtered, and therefore I was unable to get an accurate OS type reading. Most likely, the machine is a compromised Windows machine, blasting out arbitrary scans, trying to compromise internet-facing, unpatched Windows machines.
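For anyone who wants to pick this kind of request out of their own access logs, here is a small triage script. It is an added example, not part of OSSEC or of the original post, and it assumes Apache-style Common Log Format lines in which non-printable bytes are logged as `\xNN` escapes. The thresholds, tag names, function names and sample lines are all made up for the illustration.

```python
import re

# Assumed thresholds for this example; they are not OSSEC's own values.
MAX_URI_LEN = 1024        # longer request targets are tagged "long-uri"
MIN_ESCAPED_RATIO = 0.5   # share of the URI made up of \xNN escapes

# Common Log Format prefix. The request is matched loosely so a truncated
# line (no closing quote, protocol or status code) still parses.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S*)')
ESCAPE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    r'192.0.2.10 - - [16/Dec/2008:16:14:20 -0600] "SEARCH /\x90' + r'\x04H' * 400,
    '192.0.2.11 - - [16/Dec/2008:16:15:02 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.12 - - [16/Dec/2008:16:16:40 -0600] "SEARCH /docs/ HTTP/1.1" 207 812',
    '192.0.2.13 - - [16/Dec/2008:16:17:05 -0600] "GET /?q=' + 'A' * 2000 + ' HTTP/1.1" 414 0',
]


def classify(line):
    """Return a list of tags for one access-log line (empty if nothing stands out)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    method, uri = m.group("method"), m.group("uri")
    tags = []
    if len(uri) > MAX_URI_LEN:
        tags.append("long-uri")
    escaped = sum(len(e) for e in ESCAPE_RE.findall(uri))
    if uri and escaped / len(uri) >= MIN_ESCAPED_RATIO:
        tags.append("escaped-bytes")
    # A plain WebDAV SEARCH is legitimate; only the combination is worm-like.
    if method == "SEARCH" and len(tags) == 2:
        tags.append("webdav-search-overflow")
    return tags


def scan(lines):
    """Map source host -> tags for every line that was tagged."""
    hits = {}
    for line in lines:
        tags = classify(line)
        if tags:
            hits.setdefault(LINE_RE.match(line).group("host"), []).extend(tags)
    return hits
```

Calling `scan()` on the lines of an access log returns the source hosts worth a closer look; an ordinary WebDAV `SEARCH` with a short path is left alone.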
The Moral of the Post:
Make sure your machines are all patched, even for old vulnerabilities. Those worms are still out there.
Josh
PS: Obligatory xkcd