RE: "Attempt to execute cmd" surge!

[Steve Halligan <agent33 () geeksquad com>]

> I'm running Snort 1.7 on Red Hat Linux 7.0. Only occasionally 
> do I see the
> "WEB-MISC Attempt to execute cmd" alert in my logs. When I 
> do, I check the
> traces and it is obvious that someone included cmd.exe in a 
> URL. But over
> the last two days, I have been bombarded with "WEB-MISC 
> Attempt to execute
> cmd" in my Snort logs coming from tons of different external 
> addresses.
> Every packet coming from every different source looks exactly 
> like what I
> have pasted below, as though everyone is using the same 
> exploit script. Is
> anyone else seeing this? Root.exe is a file resulting from an 
> IIS Extended
> Unicode Traversal Vulnerability. Has a new exploit been released or
> something that is prompting so many people to send this out? 
This is Code Red II.  When it encounters a webserver, it tries to upload a
rootkit to it.  See the incidents list at securityfocus for lots of details.

-steve

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users