
Fourth Event

The next three events we found to be automated behavior are from external machines trying to access internal IP addresses:

WEB-IIS view source via translate header
WEB-IIS header field buffer overflow attempt
WEB-MISC http directory traversal

Investigating the first event, we found that it represents real HTTP traffic. The packet capture shows most of the HTTP headers (unlike the previous case, where only part of the header was captured). The user agents used in the HTTP requests are the following:

User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
User-Agent: Mozilla/2.0 (compatible; MS FrontPage 5.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
User-Agent: MSFrontPage/5.0

The Host header of the HTTP traffic has one interesting value: "Host: www.XXXXXXXX". We assume this is part of the obfuscation done by SANS and that in reality it would show a valid host name. The requests sent in these packets are as follows:

GET /../images/bullet.jpg HTTP/1.1
GET /_vti_inf.html HTTP/1.1
OPTIONS /emc/eval.html HTTP/1.1
OPTIONS / HTTP/1.1
OPTIONS /main/catalog/usb97c210.html HTTP/1.1
OPTIONS /main/catalog/usbprods.html HTTP/1.1
OPTIONS /usb/eval210.html HTTP/1.1
OPTIONS /usb/eval3000.html HTTP/1.1
OPTIONS /usb/evs3000.html HTTP/1.1
OPTIONS /usb HTTP/1.1
OPTIONS /usb/ HTTP/1.1
OPTIONS /usb/usbprods.html HTTP/1.1
POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1

These events have only two targets: 32.245.166.119 and 207.166.87.40.

It is hard to tell whether this traffic is normal behavior or worm traffic. The regular intervals of the alerts lead us to believe that we are dealing with a worm. We found a posting on the ARIS list [18] inquiring about very similar log entries; the sender also suggests that the traffic is automated. Unfortunately no responses are available. This traffic could also stem from people using either WebDAV or FrontPage to upload Web content to a server.
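The two indicators used above, request patterns typical of FrontPage/WebDAV probing and regularly spaced alerts, can be turned into a small triage check. The following is an added example written for this section, not code from the report; the alert lines and their timestamps are constructed (600 seconds apart) to mirror the regular intervals described, and the trait names are our own.

```python
import re
from statistics import mean, pstdev

# Constructed sample alert log (not from the report): "<epoch seconds> <request line>".
# Timestamps are spaced 600 s apart, mimicking the regular intervals noted above.
SAMPLE_ALERTS = """\
1000 GET /../images/bullet.jpg HTTP/1.1
1600 GET /_vti_inf.html HTTP/1.1
2200 OPTIONS /usb/ HTTP/1.1
2800 POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1
"""

REQUEST_RE = re.compile(r"^(\d+) (\S+) (\S+) (HTTP/\d\.\d)$")

def classify_request(method, path):
    """Map one request line to the traits discussed in this section (names are ours)."""
    traits = []
    if "/../" in path or path.startswith("/.."):
        traits.append("directory-traversal")      # WEB-MISC http directory traversal
    if "/_vti_" in path:
        traits.append("frontpage-extension")      # FrontPage Server Extensions paths
    if method == "OPTIONS":
        traits.append("webdav-discovery")         # WebDAV capability probing
    return traits

def parse_alerts(text):
    """Return a list of (timestamp, method, path, traits); malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ts, method, path, _ = m.groups()
        out.append((int(ts), method, path, classify_request(method, path)))
    return out

def interval_regularity(timestamps):
    """Coefficient of variation of inter-arrival gaps (0.0 = perfectly periodic); None if < 2 gaps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def looks_automated(alerts, max_cv=0.1):
    """Heuristic: near-periodic timing AND every request carries at least one probe trait."""
    ts = sorted(a[0] for a in alerts)
    cv = interval_regularity(ts)
    return cv is not None and cv <= max_cv and all(a[3] for a in alerts)
```

A human uploading content with FrontPage would normally produce irregular gaps and plain GET/PUT requests mixed in, so the heuristic flags periodic, probe-only sequences while leaving the WebDAV-upload explanation open for the analyst.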


Raffy 2004-12-20