Snort mailing list archives
Re: [Snort-sigs] Outbound string contains c m d.exe, but from where?
From: "John Adams" <jadams () inktomi com>
Date: Thu, 24 Jan 2002 09:30:13 +0000 (PST)
The source IP of that packet points to an infected NIMDA host. Take it offline ASAP before it infects someone else.

-john

On Thu, 24 Jan 2002, Noller, Gregory wrote:
Oh great wizards of snort.... are any of you seeing outbound c m d . e x e where it ought not to be?

I am seeing the following string in some infrequent packets exiting my nat router that sits in front of my outbound proxy array:

From Demarc:
WEB-IIS outbound c m d.exe access
TCP NET.209.128.247:2049 > 63.211.210.20:80

And the payload:

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0
pient
------_=_NextPart_000_01C1A4A9.A9555B3A
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Message-ID: <000028f11612$00006023$00001ac7@>
From: JJNSYMWLY () imailbox com
Subject: For The Price Of A Cup Of Coffee... 6855
Date: Mon, 21 Jan 2002 06:30:13 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report:
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
=20
(remainder of the email message deleted for brevity)

The payload always contains the same first line, then an email message. Another one (they are always different):

WEB-IIS outbound c m d.exe access
TCP NET.209.128.247:2366 > 63.211.210.20:80

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0
r () msn com>
RCPT TO:<someone at my network>
DATA
Received: from lrkxf.msn.com (burton-2.net.excite.com [199.172.146.149]) by adsl.pacbell.neet with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id DPA4KJQ6; Thu, 24 Jan 2002 01:46:50 -0800
From: 101054br () msn com
To: lke () yahoo com
Reply-To: gwennduane3 () altavista com
Subject: Don't suffer in debt any more, info inside.
[pv3qp]
Content-type: text/html; charset=ISO-8859-1

This one has no email with it, and goes to a different destination address:

WEB-IIS outbound c m d.exe access
TCP NET.209.128.247:6777 > 63.240.26.86:80

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0
1.0 HTTP/1.0
Via: 1.0 PROXY4, 1.0 PROXY1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; 04162001; Q312461)
Host: 63.240.26.86
Accept: */*
Accept-Language: en-us

As these are outbound, outside my proxy and nat router, I cannot determine where they are coming from inside my network. So being real smart like I am, I set up another snort box inside my ProxyArray watching all traffic passing through the proxy (proxies are configured for outbound only and hardened) so as to catch the outbound string and see the real source address. Bingo, this morning I see outbound traffic (above three packets) and go check my inside snort: nothing. I test it and the inside snort works fine, catching anything in any direction or network that contains c m d . e x e (I've added spaces so as to not set off any alarms you may have in place). These packets for all the world are not originating inside my proxies, but contain mail destined to or from users on my network. It all happens on port 80, not 25, so it's not an smtp thing. See below for how I'm configured...

Thanks Marty, for this great tool.
Here is how I start snort from /etc/init.d/snortd (start/stop):

/usr/local/snort/bin/snort -D -I -i eth1 -o -l /usr/local/snort/logs -c /usr/local/snort/bin/snort.conf

Here is my snort.conf:

var HOME_NET [net.209.128.0/24,net.209.129.0/24,net.209.160.0/24,net.184.244.0/24,net.168.11.0/24,net.94.207.66/32,net.15.7.5/32]
var EXTERNAL_NET !$HOME_NET
var SMTP any
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS
output database: log, mysql, user=(obfuscated) password=(obfuscated) dbname=(obfuscated) host=(obfuscated)
include classification.config
(the only include that matters to this question:)
include web-iis.rules

Here is my rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-IIS outbound c m d.exe access"; flags: A+; content:"c m d.exe"; nocase;)

Gregory Noller
Senior IT Security Technologist
Technology Risk Services
Koch Business Solutions LP
Wichita, Kansas
(316) 828-7725
(316) 214-7057 (Cellular)

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- 
John Adams . Sr. Security Engineer . Inktomi Corporation
jadams () inktomi com . Security Operations . FC 2.2.36
650-653-4611(desk) . 650-888-1167 (cell) . 650.653.5454(fax)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
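Editor's added example (not part of either message above, and not Snort code): a small Python emulation of what the poster's rule actually tests, so the three "outbound c m d.exe" hits can be reasoned about offline. It applies the rule's direction and port checks and its case-insensitive content match per packet, and then, separately, decodes the request URI the way the poster's "http_decode: 80 -unicode" preprocessor is there to do, to tell an IIS directory-traversal request to winnt\system32\cmd.exe apart from a packet that merely contains the string. Assumptions: the content string is "cmd.exe" with the spaces the poster inserted removed; HOME_NET is stood in by two 10.x ranges because the post obfuscates its first octet as "net."; the packets are constructed, the first reusing the request line quoted in the post and the second using the well-known overlong-UTF-8 form of the same traversal. No stream reassembly is done: one dict is one packet.

```python
import ipaddress
import re

# Constructed stand-in for the poster's HOME_NET (assumption: the post hides the
# real first octet behind "net.", so these 10.x ranges are invented for the example).
HOME_NET = [ipaddress.ip_network(n) for n in ("10.209.128.0/24", "10.209.129.0/24")]

# The poster's rule with the anti-alarm spaces removed:
#   alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (content:"cmd.exe"; nocase;)
RULE_CONTENT = b"cmd.exe"
RULE_DPORT = 80


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def rule_matches(pkt: dict) -> bool:
    """Direction ($HOME_NET -> $EXTERNAL_NET) and port 80 first, then a
    case-insensitive substring match over the whole packet payload."""
    if not in_home_net(pkt["src"]) or in_home_net(pkt["dst"]):
        return False
    if pkt["dport"] != RULE_DPORT:
        return False
    return RULE_CONTENT in pkt["payload"].lower()


def decode_uri(raw: bytes) -> bytes:
    """%xx-decode the URI, then fold the overlong two-byte UTF-8 forms (%c0%xx,
    %c1%xx) that IIS once accepted, so ..%c0%af.. reads as ../.. -- the
    normalisation http_decode -unicode performs. Invalid escapes stay as-is."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x25 and re.fullmatch(rb"[0-9a-fA-F]{2}", raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    folded = bytearray()
    j = 0
    while j < len(out):
        b = out[j]
        if b in (0xC0, 0xC1) and j + 1 < len(out) and 0x80 <= out[j + 1] <= 0xBF:
            folded.append(((b & 0x1F) << 6) | (out[j + 1] & 0x3F))  # overlong -> ASCII
            j += 2
        else:
            folded.append(b)
            j += 1
    return bytes(folded).replace(b"\\", b"/")


def classify(payload: bytes) -> str:
    """Separate a real IIS traversal to cmd.exe from a bare string hit."""
    first_line = payload.split(b"\r\n", 1)[0]
    m = re.match(rb"^[A-Z]+ (\S+)", first_line)
    if not m or b" HTTP/1." not in first_line:
        return "non-http"
    uri = decode_uri(m.group(1)).lower()
    path = uri.split(b"?", 1)[0]
    if b"/.." in path and path.endswith(b"/winnt/system32/cmd.exe"):
        return "iis-traversal"
    if b"cmd.exe" in uri:
        return "http-string-only"
    return "http-other"


# Constructed sample packets. The first reuses the request line quoted in the
# post (the "dir dir" is as quoted); the source is remapped into the assumed HOME_NET.
PACKETS = [
    {"name": "nimda-probe-as-posted", "src": "10.209.128.247", "sport": 2049,
     "dst": "63.211.210.20", "dport": 80,
     "payload": b"GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0\r\n"
                b"Content-Type: message/rfc822\r\nSubject: For The Price Of A Cup Of Coffee...\r\n"},
    {"name": "overlong-unicode-probe", "src": "10.209.128.247", "sport": 2366,
     "dst": "63.211.210.20", "dport": 80,
     "payload": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"},
    {"name": "same-probe-inbound", "src": "63.211.210.20", "sport": 4000,
     "dst": "10.209.128.10", "dport": 80,
     "payload": b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"},
    {"name": "mail-mentioning-cmd-exe", "src": "10.209.128.5", "sport": 3001,
     "dst": "198.51.100.7", "dport": 25,
     "payload": b"DATA\r\nSubject: why does cmd.exe show up in our logs?\r\n"},
    {"name": "benign-url-containing-cmd-exe", "src": "10.209.128.5", "sport": 3002,
     "dst": "198.51.100.7", "dport": 80,
     "payload": b"GET /docs/cmd.exe-help.html HTTP/1.0\r\nHost: 198.51.100.7\r\n\r\n"},
]


def run(packets) -> list:
    """(name, classification) for every packet the outbound rule fires on."""
    return [(p["name"], classify(p["payload"])) for p in packets if rule_matches(p)]


if __name__ == "__main__":
    for name, kind in run(PACKETS):
        print(f"WEB-IIS outbound cmd.exe access  {name:32s} {kind}")
```

Running it shows the two traversal probes firing alongside a harmless page fetch whose path happens to contain "cmd.exe", while the inbound copy of the probe and the port-25 message are ignored by the rule's direction and port checks. That is the limit of a bare content match: it tells you the string crossed the sensor, not that the request is a traversal, and not which inside host originated it once NAT has rewritten the source.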
Current thread:
- Outbound string contains c m d.exe, but from where? Noller, Gregory (Jan 24)
- Re: [Snort-sigs] Outbound string contains c m d.exe, but from where? John Adams (Jan 24)