Security Incidents mailing list archives
scans for root.exe
From: "Kevin Holmquist" <kevinh () netronin org>
Date: Wed, 15 Aug 2001 22:14:09 -0600
I'm noticing in my snort alerts an increasing number of 'WEB-MISC Attempt to execute cmd' alerts. I looked at the packet data with ethereal and it appears that they are trying to execute d:\inetpub\scripts\root.exe, d:\progra~1\common~1\system\\MS ADC\root.exe, and ./cmd.exe. These scans are not showing up in syslog or httpd access and error logs.

The scan per hour rate has increased dramatically. It is also interesting that all of the scans I have received have been from hosts with the same first octet (64) as my ip address.

Is anyone else seeing this kind of traffic?

PS I run apache so I can't capture any code. I can provide logs and packet dumps if needed.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
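A triage sketch for the two observations in the message above (a rising hourly rate and sources sharing the sensor's first octet), added here as an example and not part of the original post. The alert line layout, the sample addresses and the `summarize` helper are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample alerts, one per line, in an assumed Snort "fast" alert
# layout. All addresses are made up for the example.
SAMPLE_ALERTS = """\
08/15-20:05:11.104212  [**] WEB-MISC Attempt to execute cmd [**] 64.10.1.7:1034 -> 64.20.30.40:80
08/15-21:17:42.551870  [**] WEB-MISC Attempt to execute cmd [**] 64.88.3.19:2210 -> 64.20.30.40:80
08/15-21:48:03.000913  [**] WEB-MISC Attempt to execute cmd [**] 64.10.1.7:1090 -> 64.20.30.40:80
08/15-21:59:30.718224  [**] ICMP PING [**] 10.0.0.5 -> 64.20.30.40
08/15-22:01:09.330051  [**] WEB-MISC Attempt to execute cmd [**] 192.0.2.9:4411 -> 64.20.30.40:80
"""

# Timestamp, message between [**] markers, then "src[:port] -> dst[:port]".
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hour>\d\d):\d\d:\d\d\.\d+\s+"
    r"\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.*?)\s+\[\*\*\]"
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s*$"
)


def summarize(text, signature="Attempt to execute cmd"):
    """Count matching alerts per hour and per source first octet.

    Returns (per_hour, per_octet, same_octet) where same_octet is the number
    of alerts whose source shares its first octet with the destination.
    """
    per_hour, per_octet, same_octet = Counter(), Counter(), 0
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m or signature not in m["msg"]:
            continue  # unparsable line or a different alert
        per_hour[f'{m["mon"]}/{m["day"]} {m["hour"]}:00'] += 1
        src_octet = m["src"].split(".")[0]
        per_octet[src_octet] += 1
        if src_octet == m["dst"].split(".")[0]:
            same_octet += 1
    return per_hour, per_octet, same_octet


if __name__ == "__main__":
    hours, octets, same = summarize(SAMPLE_ALERTS)
    for hour, count in sorted(hours.items()):
        print(f"{hour}  {count} alert(s)")
    print("by source first octet:", dict(octets))
    print("sources sharing the target's first octet:", same)
```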