scans for root.exe

["Kevin Holmquist" <kevinh () netronin org>]

I'm noticing in my snort alerts an increasing number of 'WEB-MISC Attempt to
execute cmd' alerts.  I looked at the packet data with ethereal and it
appears that they are trying to execute d:\inetpub\scripts\root.exe,
d:\progra~1\common~1\system\\MS ADC\root.exe, and ./cmd.exe.  These scans
are not showing up in syslog or httpd
access and error logs.

The scan per hour rate has increased dramatically.  It is also interesting
that all of the scans I have received have been from hosts with the same
first octet (64) as my ip address.

Is anyone else seeing this kind of traffic?

PS I run apache so I can't capture any code.  I can provide logs and packet
dumps if needed.





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com