Re: [Snort-sigs] Outbound string contains c m d.exe, but from where?

["John Adams" <jadams () inktomi com>]

The source IP of that packet points to an infected NIMDA host. Take it
offline ASAP before it infects someone else.

-john

On Thu, 24 Jan 2002, Noller, Gregory wrote:

> Oh great wizards of snort....are any of you seeing outbound c m d . e x e
> where it ought not to be?
>
>
> I am seeing the following string in some infrequent packets exiting my nat
> router that sits in front of my outbound proxy array:
>
> From Demarc:
>
> WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2049  > 63.211.210.20
> :80 
>
> And the payload:
>
> GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0
>
> pient
>
>
>
> ------_=_NextPart_000_01C1A4A9.A9555B3A
> Content-Type: message/rfc822
> Content-Transfer-Encoding: 7bit
>
> Message-ID: <000028f11612$00006023$00001ac7@>
> From: JJNSYMWLY () imailbox com
> Subject: For The Price Of A Cup Of Coffee... 6855
> Date: Mon, 21 Jan 2002 06:30:13 -0600
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> X-MS-Embedded-Report: 
> Content-Type: text/plain; 
>  charset=iso-8859-1
> Content-Transfer-Encoding: quoted-printable
>
>  =20
> (remainder of the email message deleted for brevity)
>
> The payload always contains the same first line, then an email message.
>
> Another one (they are always different):
>
> WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2366  > 63.211.210.20
> :80 
>
> GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0
>
> r () msn com>
> RCPT TO:<someone at my netowrk>
> DATA
> Received: from lrkxf.msn.com (burton-2.net.excite.com [199.172.146.149]) by
> adsl.pacbell.neet with SMTP (Microsoft Exchange Internet Mail Service
> Version 5.5.2653.13)
> .id DPA4KJQ6; Thu, 24 Jan 2002 01:46:50 -0800
> From: 101054br () msn com
> To: lke () yahoo com
> Reply-To: gwennduane3 () altavista com
> Subject: Don't suffer in debt any more, info inside.
> [pv3qp]
> Content-type: text/html; charset=ISO-8859-1
>
> This one has no email with it, and goes to a different destination address:
>
>
> WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:6777  > 63.240.26.86
> :80 
>
> GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0 1.0
> HTTP/1.0
> Via: 1.0 PROXY4, 1.0 PROXY1
> Connection: Keep-Alive
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; 04162001;
> Q312461)
> Host: 63.240.26.86
> Accept: */*
> Accept-Language: en-us
>
> As these are outbound, outside my proxy and nat router, I cannot determine
> where they are coming from inside my network.  So being real smart like I
> am, I set up another snort box inside my ProxyArray watching all traffic
> passing through the proxy (proxies are configured for outbound only and
> hardened) so as to catch the outbound string and see the real source
> address.
>
> Bingo, this morning I see outbound traffic (above three packets) and go
> check my inside snort, nothing.  I test it and the inside snort works fine
> catching anything in any direction or network that contains c m d . e x e
> (I've added spaces so as to not set off any alarms you may have in place).
> These packets for all the world are not originating inside my proxies, but
> contain mail destined to or from users on my network.  It all happens on
> port 80, not 25, so it's not an smtp thing.
>
> See below for how I'm configured...
>
> Thanks Marty, for this great tool.
>
>
>
> Here is how I start snort from /etc/init.d/snortd (start/stop)
>
> /usr/local/snort/bin/snort -D -I -i eth1 -o -l /usr/local/snort/logs -c
> /usr/local/snort/bin/snort.conf
>
> Here is my snort.conf:
>
> var HOME_NET
> [net.209.128.0/24,net.209.129.0/24,net.209.160.0/24,net.184.244.0/24,net.168
> .11.0/24,net.94.207.66/32,net.15.7.5/32]
>
> var EXTERNAL_NET !$HOME_NET
>
> var SMTP any
>
> var HTTP_SERVERS $HOME_NET
>
> var SQL_SERVERS $HOME_NET
>
> var DNS_SERVERS $HOME_NET
>
> preprocessor frag2
>
> preprocessor stream4: detect_scans
>
> preprocessor stream4_reassemble
>
> preprocessor http_decode: 80 -unicode -cginull
>
> preprocessor rpc_decode: 111
>
> preprocessor bo: -nobrute
>
> preprocessor telnet_decode
>
> preprocessor portscan: $HOME_NET 4 3 portscan.log
>
> preprocessor portscan-ignorehosts: $DNS_SERVERS
>
> output database: log, mysql, user=(obfuscated) password=(obfuscated)
> dbname=(obfuscated) host=(obfuscated)
>
> include classification.config
>
> (the only include that matters to this question:  include web-iis.rules)
>
>
> Here is my rule:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-IIS outbound c m d.exe
> access"; flags: A+; content:"c m d.exe"; nocase;)
>
>
>
> Gregory Noller
> Senior IT Security Technologist
> Technology Risk Services
> Koch Business Solutions LP
> Wichita, Kansas
>
> (316) 828-7725
> (316) 214-7057 (Cellular)
>
>       
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
John Adams         . Sr. Security Engineer . Inktomi Corporation
jadams () inktomi com .  Security Operations  . FC 2.2.36
650-653-4611(desk) .  650-888-1167 (cell)  . 650.653.5454(fax)


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users