RE: is this a type of code red?

[Dan Fiorito <danf () clearnetwork com>]

Same thing here! 

-----Original Message-----
From: richard [mailto:richard.witt () ttuhsc edu] 
Sent: Tuesday, September 18, 2001 11:01 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] is this a type of code red?


Everyone,
        This morning on my box i picked up multiple packets of this kind
that were sending themselves out from our network and also from the internet
into our network. All of our servers have been patched ... probably more
than once with microsofts patch. This is a copy of the packet i am picking
up by snort.



[**] WEB-IIS CodeRed v2 root.exe access [**] 09/18-08:59:28.893059
0:1:3:22:BC:24 -> 0:50:DA:1A:ED:BA type:0x800 len:0x7E 168.49.XXX.YY:2923 ->
168.49.XXX.YY:80 TCP TTL:128 TOS:0x0 ID:6247 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x131F5D1A  Ack: 0x75B8F7F7  Win: 0x2238  TcpLen: 20 47 45 54
20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo 74 2E 65 78 65 3F
2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT 50 2F 31 2E 30 0D 0A 48 6F
73 74 3A 20 77 77 77  P/1.0..Host: www 0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F
6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Can anyone shed some light on this?

richard


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users