Snort mailing list archives

Re: "Attempt to execute cmd" surge!

From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 Aug 2001 12:07:29 -0600 (MDT)

On Mon, 6 Aug 2001, Sheahan, Paul (PCLN-NW) wrote:


I'm running Snort 1.7 on Red Hat Linux 7.0. Only occasionally do I see the
"WEB-MISC Attempt to execute cmd" alert in my logs. When I do, I check the
traces and it is obvious that someone included cmd.exe in a URL. But over
the last two days, I have been bombarded with "WEB-MISC Attempt to execute
cmd" in my Snort logs coming from tons of different external addresses.
Every packet coming from every different source looks exactly like what I
have pasted below, as though everyone is using the same exploit script. Is
anyone else seeing this? Root.exe is a file resulting from an IIS Extended
Unicode Traversal Vulnerability. Has a new exploit been released or
something that is prompting so many people to send this out?


That's CodeRedII.  See:
http://aris.securityfocus.com/alerts/codered2/

                                        Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

"Attempt to execute cmd" surge! Sheahan, Paul (PCLN-NW) (Aug 06)
- Re: "Attempt to execute cmd" surge! Ryan Russell (Aug 06)
- <Possible follow-ups>
- RE: "Attempt to execute cmd" surge! Steve Halligan (Aug 06)