Snort mailing list archives
sadmind rule
From: Andrew Daviel <andrew () andrew triumf ca>
Date: Wed, 9 May 2001 11:15:59 -0700 (PDT)
We were just hit by the sadmind/IIS worm
http://www.cert.org/advisories/CA-2001-11.html

I've been trying to retroactively find what might have actually been attacked, buried in all the port 80 traffic.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "sadmind"; flags: PA; content: "GET /scripts/root.exe"; )

seems to work.

The attack starts with

GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\winnt\system32\cmd.exe+root.exe HTTP/1.0

then proceeds with

GET /scripts/root.exe?/c+echo+^<your deface here>>.././index.asp

We see "f**k USA Government".

(I'd actually seen and reported the original scans with my auto reporter script, but didn't realize an actual attack was involved till yesterday.)

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
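The two request lines above only make sense once you see why "..%c0%af.." gets past the IIS traversal check: %c0%af is an overlong two-byte UTF-8 encoding of "/" (0x2F), so a check that splits the raw path on "/" sees one odd segment, while the decoder that runs afterwards turns it into "../..". The script below is an added example, not code from Andrew's post or from the Snort project. It percent-decodes a request path, decodes the bytes the lenient way a non-validating UTF-8 decoder would, canonicalises the result, and flags the two worm stages (traversal to cmd.exe, then the /scripts/root.exe copy). The sample request lines are constructed after the post's two requests plus a benign one; the function and stage names are my own, and the "Unicode offsets the IIS check missed" explanation is reproduced from the CERT advisory referenced above, not from the post.

```python
"""Flag the two sadmind/IIS worm stages in web request lines by decoding
overlong UTF-8 the way a non-validating decoder does (added example)."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines modelled on the two stages in the post,
# plus one benign request that must not match.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe HTTP/1.0",
    "GET /scripts/root.exe?/c+echo+^<defaced>>.././index.asp HTTP/1.0",
    "GET /scripts/report%20v2.asp HTTP/1.0",
]

# Hypothetical stage names: 1 = traversal to cmd.exe, 2 = running the copied root.exe.
WORM_STAGES = (
    (1, re.compile(r"/winnt/system32/cmd\.exe$", re.IGNORECASE)),
    (2, re.compile(r"/scripts/root\.exe$", re.IGNORECASE)),
)

REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 without rejecting overlong forms, so C0 AF -> '/' and
    C1 9C -> '\\'. A validating decoder (Python's default) refuses these."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                      # plain ASCII
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:                             # stray continuation byte or invalid lead
            out.append("\ufffd"); i += 1; continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) < need or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("\ufffd"); i += 1; continue
        for t in tail:                    # accumulate payload bits, no overlong check
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def strict_utf8_rejects(raw_path: str) -> bool:
    """True when a validating UTF-8 decoder refuses the percent-decoded path."""
    try:
        unquote_to_bytes(raw_path).decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def decoded_segments(raw_path: str) -> list:
    """Percent-decode, then leniently UTF-8-decode, fold '\\' to '/', split."""
    text = lenient_utf8_decode(unquote_to_bytes(raw_path))
    return text.replace("\\", "/").split("/")


def canonical_path(raw_path: str) -> str:
    """Resolve '.' and '..' on the fully decoded path; '..' above the root is dropped."""
    parts = []
    for seg in decoded_segments(raw_path):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def classify(request_line: str):
    """Return a dict describing the matching worm stage, or None for benign lines."""
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    path, _, query = m.group(2).partition("?")
    canon = canonical_path(path)
    traversal = ".." in decoded_segments(path)      # only visible after decoding
    for stage, pattern in WORM_STAGES:
        if pattern.search(canon):
            return {"stage": stage, "path": canon, "traversal": traversal,
                    "command": query.replace("+", " ")}
    return None


def scan(requests) -> list:
    """Classify every request line; keep only hits, in input order."""
    return [hit for hit in (classify(r) for r in requests) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```

Running it on the constructed lines reports stage 1 for the cmd.exe request (with traversal=True, which the raw path never showed) and stage 2 for the root.exe request, and nothing for the benign one. The same canonicalise-then-match approach is what a log-review pass over IIS access logs needs, since a plain substring search for "/.." misses the overlong form entirely.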
Current thread:
- sadmind rule Andrew Daviel (May 09)
- Re: sadmind rule Max Vision (May 09)
- Re: sadmind rule Andrew Daviel (May 09)
- Re: sadmind rule Andreas Östling (May 09)
- Re: sadmind rule Andrew Daviel (May 09)
- Re: sadmind rule Andreas Östling (May 09)
- Re: sadmind rule Chris Green (May 09)
- <Possible follow-ups>
- RE: SadMind rule Steve Halligan (May 09)
- snortsnarf Aaron McKinnon (May 09)
- Re: sadmind rule Polar Bear (May 09)
- Re: sadmind rule Max Vision (May 09)