Snort mailing list archives
is this a type of code red?
From: richard <richard.witt () ttuhsc edu>
Date: 18 Sep 2001 10:00:30 -0500
Everyone,

This morning on my box I picked up multiple packets of this kind that were sending themselves out from our network and also from the internet into our network. All of our servers have been patched ... probably more than once with Microsoft's patch. This is a copy of the packet I am picking up by Snort.

[**] WEB-IIS CodeRed v2 root.exe access [**]
09/18-08:59:28.893059 0:1:3:22:BC:24 -> 0:50:DA:1A:ED:BA type:0x800 len:0x7E
168.49.XXX.YY:2923 -> 168.49.XXX.YY:80 TCP TTL:128 TOS:0x0 ID:6247 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x131F5D1A Ack: 0x75B8F7F7 Win: 0x2238 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Can anyone shed some light on this?

richard
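Added example, not part of richard's post and not Snort project code: a Python script that rebuilds the payload bytes from the hex column of the alert above, parses the HTTP request they carry, and notes the root.exe probe and the misspelled Connnection header. The function names and the KNOWN_HEADERS list are assumptions made for this example, and the input is assumed to follow Snort's 16-bytes-per-row dump layout.

```python
import re

# Payload rows copied from the alert in the post (hex column, then ASCII column).
DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....
"""

# Up to 16 hex pairs, each followed by one space; the ASCII column never matches.
HEX_ROW = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")
# Assumed short list of common request headers, used only to spot odd names.
KNOWN_HEADERS = {"host", "connection", "user-agent", "accept", "referer", "cookie"}

def payload_from_dump(dump):
    """Rebuild the raw payload bytes from the hex column of a Snort dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line.strip() + " ")
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)

def parse_request(payload):
    """Split an HTTP request into (method, target, version, headers)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    return method, target, version, headers

def triage(payload):
    """Return analyst notes for the request carried in the payload."""
    _, target, _, headers = parse_request(payload)
    path, _, query = target.partition("?")
    notes = []
    if path.lower().rsplit("/", 1)[-1] == "root.exe":
        # root.exe is the cmd.exe copy CodeRed II leaves in web-executable directories
        notes.append(f"backdoor probe: {path} args={query.replace('+', ' ')!r}")
    for name in headers:
        if name.lower() not in KNOWN_HEADERS:
            notes.append(f"non-standard header: {name}")
    return notes

if __name__ == "__main__":
    for note in triage(payload_from_dump(DUMP)):
        print(note)
```

The 72 decoded bytes plus the 20-byte IP and 20-byte TCP headers account for the DgmLen:112 shown in the alert.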