Snort mailing list archives

RE: Code Green???


From: Steve Halligan <agent33 () geeksquad com>
Date: Tue, 18 Sep 2001 10:16:53 -0500

I am getting loads of this too.  I just set up a honeypot to catch it.
-steve

-----Original Message-----
From: Jim Howard [mailto:Jim.Howard () abcv com]
Sent: Tuesday, September 18, 2001 9:45 AM
To: 'Matthew Francis'; Snort Users (E-mail)
Subject: RE: [Snort-users] Code Green???


doesn't appear to be code green tho... just looked at cert's website.  The
sig looks different.  Still investigating.

-----Original Message-----
From: Matthew Francis [mailto:mf () in-tuition co uk]
Sent: Tuesday, September 18, 2001 9:27 AM
To: Snort Users (E-mail)
Subject: [Snort-users] Code Green???


Hi,

I'm getting LOADS of what looks like New Code Red attacks - Could this be
Code Green???  From one single 'attacking' PC I'm getting the following log
(There's 2 IDS's 1:Internet Facing, 2:DMZ):-

18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]: WEB-../..: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]: WEB-../..: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1331 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1331 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001    15:13:56        System0.Alert   {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001    15:13:56        System0.Alert   {IDS 2}    snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
18-09-2001    15:13:56        Auth.Alert      {IDS 1} snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1395 -> {Destination Server}:80

Obviously this is a massive log for one 'attack' attempt and I'm getting
this a LOT from all different IP address ranges which are all standard dial
up accounts (the ones I've checked anyway) with what looks like unpatched
IIS servers.

Anyone shed any light???

Thanks

-----
Matthew Francis


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
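
Added example (not part of the original thread): a triage sketch that rejoins mail-wrapped Snort syslog alerts like those quoted above and collapses them to one entry per source connection, showing which sensors fired and which signatures repeated. The sample input is constructed in the post's layout with its {Attacking PC} / {Destination Server} placeholders, and the regular expression is an assumption inferred from the lines shown.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout shown in the post, mail wrapping included.
SAMPLE = """\
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]:
[1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User
Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]:
[1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User
Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001    15:13:55        Auth.Alert      {IDS 1} snort[846]:
[1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User
Privilege Gain Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]:
spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 ->
{Destination Server}:80
18-09-2001    15:13:55        System0.Alert   {IDS 2}    snort[1472]:
WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
"""

RECORD_START = re.compile(r"^\d{2}-\d{2}-\d{4}\s", re.M)  # a date opens each alert
ALERT = re.compile(  # assumed field layout, inferred from the quoted log
    r"^\S+ (?P<time>\S+) \S+ \{(?P<sensor>[^}]+)\} snort\[\d+\]: "
    r"(?:\[(?P<sid>[\d:]+)\] )?(?P<msg>.+?)(?: \[Classification:.*?\])?: "
    r"(?P<src>\{[^}]+\}|\S+?):(?P<sport>\d+) -> "
    r"(?P<dst>\{[^}]+\}|\S+?):(?P<dport>\d+)$")

def parse_alerts(text):
    """Rejoin wrapped records (whitespace collapsed), then parse each one."""
    starts = [m.start() for m in RECORD_START.finditer(text)] + [len(text)]
    records = (" ".join(text[a:b].split()) for a, b in zip(starts, starts[1:]))
    return [m.groupdict() for m in map(ALERT.match, records) if m]

def summarise(alerts):
    """Collapse duplicates: one entry per (source, source port) connection."""
    flows = defaultdict(lambda: {"sensors": set(), "signatures": Counter()})
    for a in alerts:
        flow = flows[(a["src"], int(a["sport"]))]
        flow["sensors"].add(a["sensor"])
        flow["signatures"][a["msg"]] += 1
    return dict(flows)

if __name__ == "__main__":
    for (src, sport), flow in sorted(summarise(parse_alerts(SAMPLE)).items()):
        print(src, sport, sorted(flow["sensors"]), dict(flow["signatures"]))
```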
