Security Incidents mailing list archives

Re: strange cmd.exe access


From: H Carvey <keydet89 () yahoo com>
Date: 30 May 2003 22:45:26 -0000

In-Reply-To: <Pine.LNX.4.21.0305292008410.9010-100000 () fist ipdog com>


> what is strange is that the cmd.exe / root.exe stuff is
> half way through with some other code before it

It doesn't look at all as if you received an HTTP
request, but as if some code was sent to port 80.  

> the ip it hit was not mapped to anything (I believe it
> is unused) so this can not have been part of another
> tcp conversation

This doesn't make any sense...it has to be mapped to
something, to a live machine.  If it wasn't, how could
the three-stage TCP handshake have been completed?

As someone else mentioned, it may be a follow-on packet
to Code Red.  Have you gone to this machine and checked
the logs?

Harlan
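
The point made in the reply above, that payload arriving on port 80 implies the destination completed the three-stage handshake, can be checked against a packet capture. The following is an added example, not part of the original post; the packet summaries are constructed, the addresses come from documentation ranges, and the tuple layout and function name are assumptions.

```python
# Constructed sample: one tuple per packet, as might be summarized from a
# capture: (src, sport, dst, dport, tcp_flags, payload_len).
PACKETS = [
    # Flow A: SYN, SYN-ACK, ACK, then data. The destination answered, so it is live.
    ("198.51.100.7", 4312, "192.0.2.10", 80, "S", 0),
    ("192.0.2.10", 80, "198.51.100.7", 4312, "SA", 0),
    ("198.51.100.7", 4312, "192.0.2.10", 80, "A", 0),
    ("198.51.100.7", 4312, "192.0.2.10", 80, "PA", 412),
    # Flow B: data shows up although the destination never sent a SYN-ACK.
    ("198.51.100.9", 2044, "192.0.2.99", 80, "S", 0),
    ("198.51.100.9", 2044, "192.0.2.99", 80, "PA", 380),
]


def classify_flows(packets):
    """Map each payload-carrying flow to whether its handshake completed.

    Flows are keyed by the initiator's (src, sport, dst, dport) tuple.
    """
    state, verdicts = {}, {}
    for src, sport, dst, dport, flags, plen in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            state[fwd] = "SYN_SENT"              # stage 1: client SYN
        elif flags == "SA" and state.get(rev) == "SYN_SENT":
            state[rev] = "SYN_ACKED"             # stage 2: server SYN-ACK
        elif "A" in flags and state.get(fwd) == "SYN_ACKED":
            state[fwd] = "ESTABLISHED"           # stage 3: client ACK
        if plen > 0:
            # Attribute server-to-client data to the initiator's flow key.
            key = rev if rev in state else fwd
            ok = state.get(key) == "ESTABLISHED"
            # The first payload segment of a flow decides its verdict.
            verdicts.setdefault(
                key, "handshake_completed" if ok else "no_completed_handshake"
            )
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify_flows(PACKETS).items():
        print(flow, verdict)
```

A flow reported as `no_completed_handshake` means the capture does not show a normal TCP session, which is worth reconciling with the sensor's placement and the logs on the target machine.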
