Snort mailing list archives
Re: "Attempt to execute cmd" surge!
From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 Aug 2001 12:07:29 -0600 (MDT)
On Mon, 6 Aug 2001, Sheahan, Paul (PCLN-NW) wrote:
I'm running Snort 1.7 on Red Hat Linux 7.0. Only occasionally do I see the "WEB-MISC Attempt to execute cmd" alert in my logs. When I do, I check the traces and it is obvious that someone included cmd.exe in a URL. But over the last two days, I have been bombarded with "WEB-MISC Attempt to execute cmd" in my Snort logs coming from tons of different external addresses. Every packet coming from every different source looks exactly like what I have pasted below, as though everyone is using the same exploit script. Is anyone else seeing this? Root.exe is a file resulting from an IIS Extended Unicode Traversal Vulnerability. Has a new exploit been released or something that is prompting so many people to send this out?
That's CodeRedII. See: http://aris.securityfocus.com/alerts/codered2/ Ryan _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- "Attempt to execute cmd" surge! Sheahan, Paul (PCLN-NW) (Aug 06)
- Re: "Attempt to execute cmd" surge! Ryan Russell (Aug 06)
- <Possible follow-ups>
- RE: "Attempt to execute cmd" surge! Steve Halligan (Aug 06)