Snort mailing list archives

Cmd.exe requests


From: Tom Sevy <tsevy () epx com>
Date: Mon, 6 Aug 2001 15:06:49 -0400

Does the following payload indicate any known worm?  Or just a cmd.exe
attempt?  I have been seeing a lot of these.





Generated by ACID v0.9.6b13 on Mon August 06, 2001 15:03:52

------------------------------------------------------------------------------
#(1 - 61331) [2001-08-03 15:55:03]  WEB-IIS cmd.exe access
IPv4: 63.202.158.22 -> 208.248.231.103
      hlen=5 TOS=0 dlen=106 ID=52091 flags=0 offset=0 TTL=241 chksum=10193
TCP:  port=33837 -> dport: 80  flags=***AP*** seq=2524555147
      ack=14124627 off=5 res=0 win=8760 urp=0 chksum=32756
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
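
An added triage example, not part of the original post and not code from ACID or Snort: it rebuilds the raw bytes from the hex rows of the alert quoted above, checks them against the reported payload length of 62, and lists the traits visible in the request URI. The function names and trait labels are assumptions made for illustration, as is reading the row offsets as hexadecimal.

```python
import re

# Payload rows copied from the ACID alert quoted in the post above.
ACID_ROWS = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
"""

# Offset column (assumed hexadecimal), then up to 16 hex byte pairs per row.
ROW = re.compile(r"^\s*([0-9A-Fa-f]{3,}) : ((?:[0-9A-Fa-f]{2} ?){1,16})")


def acid_payload(text, declared_len=None):
    """Rebuild the raw bytes from ACID hex rows, checking offsets and length."""
    data = bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, blank lines
        if int(m.group(1), 16) != len(data):
            raise ValueError("gap or reordering at offset " + m.group(1))
        data += bytes.fromhex(m.group(2))
    if declared_len is not None and declared_len != len(data):
        raise ValueError("got %d bytes, alert says %d" % (len(data), declared_len))
    return bytes(data)


def triage(payload):
    """Split the HTTP request line and list the traits visible in the URI."""
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, version = line.split(" ", 2)
    path, _, query = target.partition("?")
    traits = []
    if ".." in path:
        traits.append("dot-dot in path")
    if re.search(r"%(?![0-9A-Fa-f]{2})", path):  # '%' not followed by two hex digits
        traits.append("malformed percent-escape")
    if "cmd.exe" in path.lower():
        traits.append("cmd.exe in path")
    return {"method": method, "path": path, "query": query, "traits": traits}


if __name__ == "__main__":
    print(triage(acid_payload(ACID_ROWS, declared_len=62)))
```

The offset check makes a truncated or reordered paste fail loudly instead of producing a different request than the one the sensor saw.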

