Snort mailing list archives

"Attempt to execute cmd" surge!

From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Mon, 6 Aug 2001 13:59:59 -0400


I'm running Snort 1.7 on Red Hat Linux 7.0. Only occasionally do I see the
"WEB-MISC Attempt to execute cmd" alert in my logs. When I do, I check the
traces and it is obvious that someone included cmd.exe in a URL. But over
the last two days, I have been bombarded with "WEB-MISC Attempt to execute
cmd" in my Snort logs coming from tons of different external addresses.
Every packet coming from every different source looks exactly like what I
have pasted below, as though everyone is using the same exploit script. Is
anyone else seeing this? Root.exe is a file resulting from an IIS Extended
Unicode Traversal Vulnerability. Has a new exploit been released or
something that is prompting so many people to send this out? 


08/06-04:57:23.391648 209.196.42.114:3610 -> <our web server>:80
TCP TTL:113 TOS:0x0 ID:15463 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xCB1265D1  Ack: 0x34D8A25D  Win: 0x4470  TcpLen: 20
..u..U..E......CloseHandle..u..U..E......_lcreat..u..U..E......_
lwrite..u..U..E......_lclose..u..U..E......GetSystemTime..u..U..
E......WS2_32.DLL..U..E......socket..u..U..E......closesocket..u
..U..E......ioctlsocket..u..U..E......connect..u..U..E......sele
ct..u..U..E......send..u..U..E......recv..u..U..E......gethostna
me..u..U..E......gethostbyname..u..U..E......WSAGetLastError..u.
.U..E......USER32.DLL..U..E......ExitWindowsEx..u..U..E...E.i... 
..@.E....xV4............<.t.<.t.................................
......... ...................................Y...#...#.X........
t....t.;.X...t..h......\...P.U....\........\CMD.EXE.^.....cj....
..d:\inetpub\scripts\root.exe...$....\...P.U.j..+...d:\progra~1\
common~1\system\MSADC\root.exe...$....\...P.U.......MZP.........
............@..............PE..L....*%).........................
............ ....@..........................@...................
 ...........................0...................................
.......................... ..`............. ....................
..@................0......................@.....................
..........................................h....h. @..a...... @..
. @.....j.h. @..L........h.'...1.....h.$@.h?...j.h. @.h.....2...  
..u&j.hT @.j.j.hH @..5.$@.......5.$@......h.$@.h?...j.hX @.h....
.......uU.. @..L..... @..B...j.h. @.j.j.h. @..5.$@......j.h. @.j
.j.h. @..5.$@.......5.$@..........$@.....h.$@.h. @.h.$@.j.U.5.$@
..`.....uI..$@...t@.. @..>.t6Ff.~.,,u...217.... @..5


Thanks,
Paul


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

"Attempt to execute cmd" surge! Sheahan, Paul (PCLN-NW) (Aug 06)
- Re: "Attempt to execute cmd" surge! Ryan Russell (Aug 06)
- <Possible follow-ups>
- RE: "Attempt to execute cmd" surge! Steve Halligan (Aug 06)