Snort mailing list archives
Re: Cmd.exe requests
From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 Aug 2001 18:50:44 -0600 (MDT)
The CodeRed II worm sets off the cmd.exe rule. People attempting to exploit it would be after root.exe, not cmd.exe, most likely.

Ryan

On Mon, 6 Aug 2001, Jason wrote:

> What I believe this is.. is those people that have 0 ethics attempting to exploit the results of the code red 3 worm. Today alone I have seen 800+ attempts (on an apache server) with code red 3, which copies cmd.exe to the scripts directory of IIS. So, basically what happens is all 800+ of those attempts were compromised machines that I KNOW could be exploitable using the cmd.exe exploit. So basically, it's a few (most likely a lot more than a few) individuals who are watching for attempts against their web servers via the code red v3 worm, then turning around and attempting to exploit the cmd.exe vulnerability. It could also be a script someone created, as from what you posted, you don't seem to be vulnerable, hence your IP would never have appeared in anyone's logs..... But this is just pure conjecture from the trends I have noticed lately.
>
> Jason
>
> On Mon, 6 Aug 2001, Tom Sevy wrote:
>
> > Does the following payload indicate any known worm? Or just a cmd.exe attempt? I have been seeing a lot of these.
> >
> > Generated by ACID v0.9.6b13 on Mon August 06, 2001 15:03:52
> > ------------------------------------------------------------------------------
> > #(1 - 61331) [2001-08-03 15:55:03]  WEB-IIS cmd.exe access
> > IPv4: 63.202.158.22 -> 208.248.231.103
> >       hlen=5 TOS=0 dlen=106 ID=52091 flags=0 offset=0 TTL=241 chksum=10193
> > TCP:  port=33837 -> dport: 80  flags=***AP*** seq=2524555147
> >       ack=14124627 off=5 res=0 win=8760 urp=0 chksum=32756
> > Payload:  length = 62
> > 000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
> > 010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
> > 020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
> > 030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Cmd.exe requests Tom Sevy (Aug 06)
- Re: Cmd.exe requests ktimm (Aug 06)
- Re: Cmd.exe requests Jason (Aug 06)
- Re: Cmd.exe requests Ryan Russell (Aug 06)
- <Possible follow-ups>
- RE: Cmd.exe requests Anthony Geoffron (Aug 06)