Snort mailing list archives
"Attempt to execute cmd" surge!
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Mon, 6 Aug 2001 13:59:59 -0400
I'm running Snort 1.7 on Red Hat Linux 7.0. Only occasionally do I see the "WEB-MISC Attempt to execute cmd" alert in my logs. When I do, I check the traces and it is obvious that someone included cmd.exe in a URL. But over the last two days, I have been bombarded with "WEB-MISC Attempt to execute cmd" in my Snort logs coming from tons of different external addresses. Every packet coming from every different source looks exactly like what I have pasted below, as though everyone is using the same exploit script. Is anyone else seeing this? Root.exe is a file resulting from an IIS Extended Unicode Traversal Vulnerability. Has a new exploit been released or something that is prompting so many people to send this out? 08/06-04:57:23.391648 209.196.42.114:3610 -> <our web server>:80 TCP TTL:113 TOS:0x0 ID:15463 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xCB1265D1 Ack: 0x34D8A25D Win: 0x4470 TcpLen: 20 ..u..U..E......CloseHandle..u..U..E......_lcreat..u..U..E......_ lwrite..u..U..E......_lclose..u..U..E......GetSystemTime..u..U.. E......WS2_32.DLL..U..E......socket..u..U..E......closesocket..u ..U..E......ioctlsocket..u..U..E......connect..u..U..E......sele ct..u..U..E......send..u..U..E......recv..u..U..E......gethostna me..u..U..E......gethostbyname..u..U..E......WSAGetLastError..u. .U..E......USER32.DLL..U..E......ExitWindowsEx..u..U..E...E.i... ..@.E....xV4............<.t.<.t................................. ......... ...................................Y...#...#.X........ t....t.;.X...t..h......\...P.U....\........\CMD.EXE.^.....cj.... ..d:\inetpub\scripts\root.exe...$....\...P.U.j..+...d:\progra~1\ common~1\system\MSADC\root.exe...$....\...P.U.......MZP......... ............@..............PE..L....*%)......................... ............ ....@..........................@................... ...........................0................................... .......................... ..`............. .................... ..@................0......................@..................... ..........................................h....h. @..a...... @.. . @.....j.h. @..L........h.'...1.....h.$@.h?...j.h. @.h.....2... ..u&j.hT @.j.j.hH @..5.$@.......5.$@......h.$@.h?...j.hX @.h.... .......uU.. @..L..... @..B...j.h. @.j.j.h. @..5.$@......j.h. @.j .j.h. @..5.$@.......5.$@..........$@.....h.$@.h. @.h.$@.j.U.5.$@ ..`.....uI..$@...t@.. @..>.t6Ff.~.,,u...217.... @..5 Thanks, Paul _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- "Attempt to execute cmd" surge! Sheahan, Paul (PCLN-NW) (Aug 06)
- Re: "Attempt to execute cmd" surge! Ryan Russell (Aug 06)
- <Possible follow-ups>
- RE: "Attempt to execute cmd" surge! Steve Halligan (Aug 06)