Snort mailing list archives

Re: Cmd.exe requests


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 6 Aug 2001 18:50:44 -0600 (MDT)

The CodeRed II worm sets off the cmd.exe rule.  People attempting to
exploit it would be after root.exe, not cmd.exe, most likely.

                                        Ryan

On Mon, 6 Aug 2001, Jason wrote:

What I believe this is... is those people that have 0 ethics attempting to
exploit the results of the code red 3 worm.

Today alone I have seen 800+ attempts (on an apache server) with code red
3, which copies cmd.exe to the scripts directory of IIS.  So, basically
what happens is all 800+ of those attempts were compromised machines that
I KNOW could be exploitable using the cmd.exe exploit.  So basically, it's
a few (most likely a lot more than a few) individuals watching for
attempts against their web servers via the code red v3 worm, then turning
around and attempting to exploit the cmd.exe vulnerability.  It could also
be a script someone created, as from what you posted, you don't seem to be
vulnerable, hence your IP would never have appeared in anyone's logs...

But this is just pure conjecture from the trends I have noticed lately.

Jason

On Mon, 6 Aug 2001, Tom Sevy wrote:

Does the following payload indicate any known worm?  Or just a cmd.exe
attempt?  I have been seeing a lot of these.

Generated by ACID v0.9.6b13 on Mon August 06, 2001 15:03:52

------------------------------------------------------------------------------
#(1 - 61331) [2001-08-03 15:55:03]  WEB-IIS cmd.exe access
IPv4: 63.202.158.22 -> 208.248.231.103
      hlen=5 TOS=0 dlen=106 ID=52091 flags=0 offset=0 TTL=241 chksum=10193
TCP:  port=33837 -> dport: 80  flags=***AP*** seq=2524555147
      ack=14124627 off=5 res=0 win=8760 urp=0 chksum=32756
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
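As an added example (not code from the thread, Snort or ACID), the Python below rebuilds the raw payload from the ACID hex dump quoted above and pulls out the indicators the thread is arguing about: whether the request targets cmd.exe or the root.exe copy Ryan mentions, whether it walks out of /scripts with a ".." segment, and what command follows "/c+". The root.exe request is a constructed sample, not one from the thread.

```python
import re

# The ACID hex dump quoted above (Tom Sevy's alert), embedded as sample input.
SAMPLE_DUMP = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
"""

# Constructed request of the kind Ryan describes: aimed at the root.exe copy
# that CodeRed II leaves behind rather than at cmd.exe itself.
ROOT_EXE_REQUEST = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"

# offset, ':', then the hex column; the ASCII column starts after 2+ spaces
HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2} )+)")


def parse_acid_dump(dump: str) -> bytes:
    """Rebuild the raw payload bytes from an ACID-style hex dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1)))
    return bytes(out)


def classify_request(payload: bytes) -> dict:
    """Split the HTTP request line and flag the indicators discussed in the thread."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    path, _, query = target.partition("?")
    lower = path.lower()
    # "cmd.exe?/c+dir" means "run cmd.exe /c dir"; '+' is a URL-encoded space
    command = query[3:].replace("+", " ") if query.startswith("/c+") else None
    return {
        "method": method,
        "path": path,
        "cmd_exe": lower.endswith("/cmd.exe"),
        "root_exe": lower.endswith("/root.exe"),
        # any segment beginning with '..' is walking out of the web root
        "traversal": any(seg.startswith("..") for seg in path.split("/")),
        "command": command,
    }


if __name__ == "__main__":
    print(classify_request(parse_acid_dump(SAMPLE_DUMP)))
    print(classify_request(ROOT_EXE_REQUEST))
```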