Snort mailing list archives
RE: Code Green???
From: Jim Howard <Jim.Howard () abcv com>
Date: Tue, 18 Sep 2001 09:44:50 -0500
Doesn't appear to be Code Green tho... just looked at CERT's website. The sig looks different. Still investigating.

-----Original Message-----
From: Matthew Francis [mailto:mf () in-tuition co uk]
Sent: Tuesday, September 18, 2001 9:27 AM
To: Snort Users (E-mail)
Subject: [Snort-users] Code Green???

Hi,

I'm getting LOADS of what looks like New Code Red attacks - Could this be Code Green???

From one single 'attacking' PC I'm getting the following log (There's 2 IDS's 1:Internet Facing, 2:DMZ):-

18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: WEB-../..: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: WEB-../..: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1331 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1331 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001 15:13:56 System0.Alert {IDS 2} snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001 15:13:56 System0.Alert {IDS 2} snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
18-09-2001 15:13:56 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1395 -> {Destination Server}:80

Obviously this is a massive log for one 'attack' attempt and I'm getting this a LOT from all different IP address ranges which are all standard dial up accounts (the ones I've checked anyway) with what looks like unpatched IIS servers.

Anyone shed any light???

Thanks

-----
Matthew Francis

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
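
Added example, not part of the original messages or of Snort: one way to collapse alert lines in the two syslog layouts quoted above into per-source bursts, so a flood like this one reads as a single event with its connection count and signature mix. The sample lines are constructed from those layouts, 192.0.2.10 is a placeholder address, and the 5-second gap is an assumed threshold.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample reusing the two alert layouts quoted in the message above.
SAMPLE = """\
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
18-09-2001 15:13:55 Auth.Alert {IDS 1} snort[846]: [1:970:1] WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
18-09-2001 15:13:55 System0.Alert {IDS 2} snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:13:56 System0.Alert {IDS 2} snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
18-09-2001 15:20:00 Auth.Alert {IDS 1} snort[846]: [1:1002:1] WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: 192.0.2.10:2001 -> {Destination Server}:80
"""

HOST = r"(\{[^}]+\}|\d+\.\d+\.\d+\.\d+)"  # redacted {name} or dotted IPv4
ALERT = re.compile(
    r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \S+ \{([^}]+)\} snort\[\d+\]: "
    r"(?:\[\d+:(\d+):\d+\] )?(.+?)(?: \[Classification: [^\]]*\])?: "
    + HOST + r":(\d+) -> " + HOST + r":(\d+)$")

def parse(line):
    m = ALERT.match(line.strip())
    if not m:
        return None  # not an alert line in either layout
    ts, sensor, sid, msg, src, sport, dst, dport = m.groups()
    return {"ts": datetime.strptime(ts, "%d-%m-%Y %H:%M:%S"), "sensor": sensor,
            "sid": sid, "msg": msg, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def collapse(lines, gap_seconds=5):
    """Group alerts per (src, dst, dport); a quiet gap starts a new burst."""
    bursts, open_burst = [], {}
    alerts = sorted(filter(None, map(parse, lines)), key=lambda a: a["ts"])
    for a in alerts:
        key = (a["src"], a["dst"], a["dport"])
        b = open_burst.get(key)
        if b is None or a["ts"] - b["last"] > timedelta(seconds=gap_seconds):
            b = {"src": a["src"], "dst": a["dst"], "dport": a["dport"],
                 "first": a["ts"], "alerts": 0, "connections": set(),
                 "signatures": Counter(), "sensors": set()}
            open_burst[key] = b
            bursts.append(b)
        b["last"] = a["ts"]
        b["alerts"] += 1
        b["connections"].add(a["sport"])   # one source port per TCP connection
        b["signatures"][a["msg"]] += 1
        b["sensors"].add(a["sensor"])
    return bursts
```

Calling collapse(SAMPLE.splitlines()) yields two bursts; the first folds five alert lines from both sensors into three connections from one source.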