Security Incidents mailing list archives
Re: strange cmd.exe access
From: H Carvey <keydet89 () yahoo com>
Date: 30 May 2003 22:45:26 -0000
In-Reply-To: <Pine.LNX.4.21.0305292008410.9010-100000 () fist ipdog com>
what is strange is that the cmd.exe / root.exe stuff is half way through with some other code before it
It doesn't look at all as if you received an HTTP request, but as if some code was sent to port 80.
the IP it hit was not mapped to anything (I believe it is unused) so this can not have been part of another TCP conversation
This doesn't make any sense...it has to be mapped to something, to a live machine. If it wasn't, how could the three-stage TCP handshake have been completed? As someone else mentioned, it may be a follow-on packet to Code Red. Have you gone to this machine and checked the logs?

Harlan