Use of HEAD in web server scan

From: Russell Fulton (r.fultonat_private)
Date: Sun Oct 28 2001 - 13:52:42 PST

    I had not seen this before so I thought others might be interested.

    Last night someone (working through a machine in China :( ) attacked 
    our main campus web server.  Snort logged over 600 probes.  I asked the 
    webserver support staff to check the logs to make sure that everything 
    was OK and they came back very puzzled:  they could find hardly any 
    traffic from the IP and what there was was perfectly innocent.  

    I went back to the snort logs and had a look at the packet dumps and 
    found that they were all HEAD requests which appear not to be logged by 

    The tool used uses HEAD requests to establish if certain vulnerabilities 
    exist; these include various directory traversal vulnerabilities, the 
    presence of vulnerable CGI scripts, etc.

    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand

    This list is provided by the SecurityFocus ARIS analyzer service.
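The pattern described in the post above, sketched as a log check. This is an added example, not part of the original message or of any tool it mentions: it assumes the web server has been configured to record HEAD requests in Common Log Format, and the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed format: Common Log Format, with the server set to log every method.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE = [
    '192.0.2.10 - - [28/Oct/2001:02:10:01 +1300] "HEAD /cgi-bin/example.cgi HTTP/1.0" 404 0',
    '192.0.2.10 - - [28/Oct/2001:02:10:01 +1300] "HEAD /scripts/%252e%252e/%252e%252e/example HTTP/1.0" 404 0',
    '192.0.2.10 - - [28/Oct/2001:02:10:02 +1300] "HEAD /docs/%2e%2e/%2e%2e/example HTTP/1.0" 400 0',
    '192.0.2.10 - - [28/Oct/2001:02:10:05 +1300] "GET / HTTP/1.0" 200 5120',
    '198.51.100.7 - - [28/Oct/2001:02:11:00 +1300] "GET /index.html HTTP/1.0" 200 5120',
    '198.51.100.7 - - [28/Oct/2001:02:11:09 +1300] "HEAD /index.html HTTP/1.0" 200 0',
]

def is_probe_path(path):
    """Heuristic: a traversal sequence (after decoding) or a CGI directory."""
    # Decode twice so double-encoded dots are seen; normalise backslashes.
    decoded = unquote(unquote(path)).replace("\\", "/").lower()
    return "../" in decoded or decoded.startswith(("/cgi-bin/", "/scripts/"))

def head_scanners(lines, min_head=3, min_ratio=0.5):
    """Return {client: stats} for clients whose traffic is mostly HEAD probes."""
    stats = defaultdict(lambda: {"total": 0, "head": 0, "probes": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed format
        host, method, path, _status = m.groups()
        s = stats[host]
        s["total"] += 1
        if method.upper() == "HEAD":
            s["head"] += 1
            s["probes"] += is_probe_path(path)
    return {h: s for h, s in stats.items()
            if s["head"] >= min_head
            and s["head"] / s["total"] >= min_ratio
            and s["probes"] > 0}

if __name__ == "__main__":
    for host, s in head_scanners(SAMPLE).items():
        print(host, s["head"], "HEAD of", s["total"], "requests,",
              s["probes"], "probe-like paths")
```

The single innocent GET from the flagged client is kept in the sample on purpose: a review that only looks at GET traffic would see nothing unusual from that address.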