Nimda type attacks with broken GETs

From: Stephen Samuel (samuelat_private)
Date: Mon May 13 2002 - 22:38:02 PDT


    This may have already been mentioned on this list (I'm not
    subscribed, but I've had this list suggested for this).
    I've just noticed a Nimda-type attack where the 'get' line
    is broken up into two parts (presumably an attempt to
    confuse packet filters and IDSs).
    Given that this type of split of a 'get' line seems to be rather rare,
    I think that people depending on packet filters to help stop/identify
    this type of attack can probably add this to their list of bad packets.
    A sample of such a session is included (tethereal print below, and the
    raw tcpdump file attached).
       1   0.000000 -> TCP 4962 > http [SYN] Seq=1175453624 Ack=0 Win=16384 Len=0
       2   2.907647 -> TCP 4962 > http [SYN] Seq=1175453624 Ack=0 Win=16384 Len=0
       3   2.935290 -> TCP http > 4962 [SYN, ACK] Seq=886147005 Ack=1175453625 Win=8192 Len=0
       4   2.935572 -> TCP 4962 > http [ACK] Seq=1175453625 Ack=886147006 Win=17520 Len=0
       5   2.935779 -> HTTP GET
       6   2.937518 -> HTTP Continuation
       7   3.027385 -> TCP http > 4962 [ACK] Seq=886147006 Ack=1175453629 Win=8188 Len=0
       8   3.029238 -> HTTP Continuation
       9   3.030202 -> HTTP Continuation
      10   3.134727 -> TCP http > 4962 [ACK] Seq=886147006 Ack=1175455089 Win=8192 Len=0
      11   3.334389 -> TCP http > 4962 [ACK] Seq=886147006 Ack=1175457664 Win=5617 Len=0
    Packet 5 only contains the string 'GET'.
    Packets 6, 8 and 9 contain the actual payload (GET string).
    Stephen Samuel +1(604)876-0426                samuelat_private
    Powerful committed communication, reaching through fear, uncertainty and
    doubt to touch the jewel within each person and bring it to life.
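The evasion described in the post, a request line whose method token and URI arrive in separate TCP segments, only defeats matching that looks at one packet at a time. The following is an added example, not part of the original message or any SecurityFocus tool. It builds a constructed client stream in the same shape as the capture (a first data segment of just "GET ", the URI and headers in later segments, with one segment arriving out of order and one retransmitted), shows that a per-segment signature never fires, implements the cheap "method-only segment" heuristic the post suggests adding to a bad-packet list, and then reassembles the stream by sequence number so the signature fires on the whole request. The Nimda probe URI, the sequence numbers and the regex are assumptions chosen for the demonstration (the URI is the widely documented Nimda cmd.exe probe, used here only as sample data).

```python
import re

# Signature for the Nimda-style request line. Assumed for this example; a real
# IDS rule would be broader (root.exe, the various overlong-UTF-8 traversals, etc.).
NIMDA_RE = re.compile(rb"^GET\s+/\S*(?:cmd|root)\.exe", re.IGNORECASE | re.MULTILINE)

# Heuristic from the post: a data segment that carries nothing but an HTTP
# method token is a sign of a deliberately split request line.
METHOD_ONLY_RE = re.compile(rb"(?:GET|POST|HEAD) ?")

# Client's first data sequence number, chosen to match the capture in the post
# (SYN seq 1175453624, so data starts at 1175453625). Constructed.
ISN = 1175453625

# Constructed request, split the way the capture shows: "GET " alone first,
# then the URI line, then headers. The URI is the well-known Nimda probe.
PAYLOADS = [
    b"GET ",
    b"/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    b"Host: www\r\nConnection: close\r\n",
    b"\r\n",
]


def build_segments(isn, payloads):
    """Assign consecutive sequence numbers to a list of payloads -> [(seq, bytes)]."""
    segs, seq = [], isn
    for p in payloads:
        segs.append((seq, p))
        seq += len(p)
    return segs


SEGMENTS = build_segments(ISN, PAYLOADS)

# Arrival order as a sniffer might see it: segment 3 before segment 2, and
# segment 2 retransmitted once (constructed to exercise the reassembler).
ARRIVAL = [SEGMENTS[0], SEGMENTS[2], SEGMENTS[1], SEGMENTS[1], SEGMENTS[3]]


def per_packet_hits(segments):
    """Indices of segments that match on their own. This is all a stateless
    packet filter gets to see, and for a split request line it is empty."""
    return [i for i, (_, payload) in enumerate(segments) if NIMDA_RE.search(payload)]


def method_only_segments(segments):
    """Indices of segments whose entire payload is a bare method token."""
    return [i for i, (_, p) in enumerate(segments) if METHOD_ONLY_RE.fullmatch(p)]


def reassemble(isn, segments):
    """Rebuild the client byte stream: order by seq, discard retransmitted
    bytes, trim overlaps, and stop at the first hole (never guess across a gap)."""
    out = bytearray()
    nxt = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= nxt:
            continue  # entirely old data: a retransmission
        if seq > nxt:
            break  # missing bytes before this segment; cannot continue safely
        out += payload[nxt - seq:]  # drop any prefix we already have
        nxt = end
    return bytes(out)


def stream_hit(isn, segments):
    """True if the signature matches the reassembled request."""
    return NIMDA_RE.search(reassemble(isn, segments)) is not None


if __name__ == "__main__":
    print("per-packet signature hits:", per_packet_hits(ARRIVAL))          # []
    print("method-only segments:     ", method_only_segments(ARRIVAL))     # [0]
    print("reassembled stream hit:   ", stream_hit(ISN, ARRIVAL))          # True
    print(reassemble(ISN, ARRIVAL).decode("ascii", "replace"))
```

The method-only check is cheap and catches exactly the shape in the capture, but it is a heuristic: nothing in HTTP forbids a client from flushing after the method, so treat it as a flag to correlate rather than a block rule. Reassembly before matching is the robust answer, and the gap handling matters: an evasion can just as easily rely on the sensor accepting a segment it never saw the predecessor of.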

    This archive was generated by hypermail 2b30 : Tue May 14 2002 - 11:24:34 PDT