Re: scans for root.exe

[David Pick <D.M.Pick () qmw ac uk>]

> I'm noticing in my snort alerts an increasing number of 'WEB-MISC Attempt to
> execute cmd' alerts.  I looked at the packet data with ethereal and it
> appears that they are trying to execute d:\inetpub\scripts\root.exe,
> d:\progra~1\common~1\system\\MS ADC\root.exe, and ./cmd.exe.  These scans
> are not showing up in syslog or httpd
> access and error logs.
>
> The scan per hour rate has increased dramatically.  It is also interesting
> that all of the scans I have received have been from hosts with the same
> first octet (64) as my ip address.
>
> Is anyone else seeing this kind of traffic?
>
> PS I run apache so I can't capture any code.  I can provide logs and packet
> dumps if needed.

These are attempts to use the "backdoor" left behind by the third
main variant of the CodeRed worm. What command are they trying to
execute? (should be passed as parameters to the query) or are they
just looking to see if it's there at all?

-- 
        David Pick


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com