[nsp-sec] Authorization: Negotiate HTTP spike.

Scott A. McIntyre scott at howyagoin.net
Fri Mar 2 21:54:54 EST 2012


Hi all,

Over the last few hours I've noticed a spike in HTTP traffic to my honeypots. From Wireshark:

Hypertext Transfer Protocol
    GET / HTTP/1.0\r\n
        [Expert Info (Chat/Sequence): GET / HTTP/1.0\r\n]
            [Message: GET / HTTP/1.0\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.0
    [truncated] Authorization: Negotiate YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU
        GSS-API Generic Security Service Application Program Interface
            OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)



The first hit for this I have is 11 January, a total of 11 sources.  Then silence until 22 February (14 sources), and now 207 sources in the last few hours.  Of the sources that I've detected, and who are listening on 80/tcp, they all seem to be running IIS 5.0 or IIS 5.1 (antiques, I know).

Just curious as to what the malcode may be behind this.  

Attached is data for the 207 hits; timestamps are GMT+1100.

Covers the following networks:



Thanks,

Scott A. McIntyre
Telstra Australia

-------------- next part --------------
A non-text attachment was scrubbed...
Name: autneg.csv
Type: text/csv
Size: 10070 bytes
Desc: not available
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20120303/fdf496a0/attachment-0001.csv>
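
A triage helper for captures like the one in the message above, added here as an example and not part of the original post: it decodes an Authorization: Negotiate value, confirms the GSS-API/SPNEGO framing that Wireshark reported, and returns the declared token length and the longest repeated-byte run. The function names and both thresholds are assumptions; the sample reuses the first 44 base64 characters visible in the capture, followed by constructed filler.

```python
import base64
import re

SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER encoding of OID 1.3.6.1.5.5.2

# First 44 base64 chars are from the capture in the post; the filler is constructed
# (the capture itself is truncated, so the full token is not available).
SAMPLE = ("    [truncated] Authorization: Negotiate "
          "YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEA" + "QUFB" * 40)

def der_header(buf, pos):
    """Return (tag, declared_length, value_offset) for the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                      # long form: n length octets follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def longest_run(buf):
    """Length of the longest run of a single repeated byte value."""
    best = run = 0
    prev = None
    for b in buf:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def inspect_negotiate(line, max_len=2048, max_run=64):
    """Summarise a Negotiate header; thresholds are assumed, tune per site."""
    m = re.search(r"Authorization:\s*Negotiate\s+([A-Za-z0-9+/=]+)", line, re.I)
    if not m:
        return None
    b64 = m.group(1)
    b64 = b64[:len(b64) - len(b64) % 4]   # tolerate a capture cut mid-quantum
    raw = base64.b64decode(b64)
    try:
        tag, declared, off = der_header(raw, 0)
    except IndexError:                    # too short to hold a TLV header
        return {"spnego": False, "captured_len": len(raw), "suspicious": False}
    spnego = tag == 0x60 and raw[off:off + len(SPNEGO_OID)] == SPNEGO_OID
    run = longest_run(raw)
    return {"spnego": spnego, "declared_len": declared, "captured_len": len(raw),
            "longest_run": run,
            "suspicious": spnego and (declared > max_len or run >= max_run)}

if __name__ == "__main__":
    print(inspect_negotiate(SAMPLE))
```
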

