Snort mailing list archives

RE: (no subject)


From: Thomas Nilsen <thomas.nilsen () kverneland com>
Date: Fri, 21 Sep 2001 08:19:38 +0200

That's the strange thing about it. The internal proxy server is used only
for internal-to-external WEB traffic. If any PC/server used the proxy to
access the internet, it would be logged in the proxy's log, which is not
the case here. I cannot find any entries in the log that have anything to do
with the cmd.exe/root.exe exploit.
 
What I also find strange is that part of the "payload" is part of an SMTP
connection/message??
 
I'm really confused..
 
Thomas
-----Original Message-----
From: Jeff Anderson [mailto:janderso () pgsavings bc ca]
Sent: 20. september 2001 18:39
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] (no subject)



Hi all, 

That sounds right to me.  Assuming that the machine has been infected with
one of the IIS exploits, and now it is trying to infect other hosts, you
wouldn't see anything in the Proxy logs about it since IIS will be sitting
on the external interface.  Proxy should really only see traffic between the
internal and external interface.  Check the web logs, it'll be there.

Good luck, 
Jeff Anderson 
CS Manager 
jeff () pgsavings bc ca 


-----Original Message----- 
From: richard [mailto:csraw () ttuhsc edu]
Sent: Thursday, September 20, 2001 9:20 AM 
To: snort-users () lists sourceforge net 
Subject: Re: [Snort-users] (no subject) 


I am far from being a professional about any of this, so if anyone sees a
mistake in what I say, please correct me so I can learn. If you are
running IIS, it appears to me that your computer is/was infected
with Nimda and it is sending out to try to infect other IIS computers.

On Thu, 2001-09-20 at 06:40, Thomas Nilsen wrote: 
I've set up monitoring of outgoing cmd.exe/root.exe traffic on port 80. But
I'm not quite sure how to interpret these logs.

The traffic is leaving our network and entering on port 80 on the
destination. What is so strange is that the traffic is leaving from our
proxy server. But I cannot find anything in the proxy log with reference to
root.exe or cmd.exe... Any ideas anyone??

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C   GET /scripts/..\ 
010 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3 
020 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir 
030 : 20 72 20 63 2B 64 69 72 20 48 54 54 50 2F 31 2E    r c+dir HTTP/1. 
040 : 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F   0..Host: www..Co 
050 : 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65   nnnection: close 
060 : 0D 0A 0D 0A 65 63 74 69 6F 6E 3A 20 63 6C 6F 73   ....ection: clos 
070 : 65 0D 0A 0D 0A 2B 30 32 30 30 0D 0A 52 65 63 65   e....+0200..Rece 
080 : 69 76 65 64 3A 20 66 72 6F 6D 20 73 74 61 74 6F   ived: from stato 
090 : 69 6C 2E 6E 6F 20 28 6D 61 69 6C 68 6F 73 74 2E   il.no (mailhost. 
0a0 : 73 74 61 74 6F 69 6C 2E 6E 6F 20 5B 31 34 33 2E   statoil.no [143. 
0b0 : 39 37 2E 32 30 2E 31 30 39 5D 29 0D 0A 09 62 79   97.20.109])...by 
0c0 : 20 6D 61 69 6C 77 61 6C 6C 31 2E 73 74 61 74 6F    mailwall1.stato 
0d0 : 69 6C 2E 63 6F 6D 20 28 38 2E 31 31 2E 31 2F 38   il.com (8.11.1/8 
0e0 : 2E 31 31 2E 31 29 20 77 69 74 68 20 45 53 4D 54   .11.1) with ESMT 
0f0 : 50 20 69 64 20 66 38 4B 42 50 48 51 32 31 36 30   P id f8KBPHQ2160 
100 : 34 3B 0D 0A 09 54 68 75 2C 20 32 30 20 53 65 70   4;...Thu, 20 Sep 
110 : 20 32 30 30 31 20 31 33 3A 32 35 3A 31 37 20 2B    2001 13:25:17 + 
120 : 30 32 30 30 20 28 4D 45 54 20 44 53 54 29 0D 0A   0200 (MET DST).. 
130 : 52 65 63 65 69 76 65 64 3A 20 66 72 6F 6D 20 73   Received: from s 
140 : 74 66 6F 2D 6C 6E 73 6D 74 70 32 2E 73 74 61 74   tfo-lnsmtp2.stat 
150 : 6F 69 6C 2E 6E 6F 20 28 73 74 66 6F 2D 6C 6E 73   oil.no (stfo-lns 
160 : 6D 74 70 32 2E 73 74 2E 73 74 61 74 6F 69 6C 2E   mtp2.st.statoil. 
170 : 6E 6F 20 5B 31 34 33 2E 39 37 2E 32 30 2E 31 34   no [143.97.20.14 
180 : 39 5D 29 0D 0A 09 62 79 20 73 74 61 74 6F 69 6C   9])...by statoil 
190 : 2E 6E 6F 20 28 38 2E 31 30 2E 30 2F 38 2E 31 30   .no (8.10.0/8.10 
1a0 : 2E 30 29 20 77 69 74 68 20 53 4D 54 50 20 69 64   .0) with SMTP id 
1b0 : 20 66 38 4B 42 50 46 78 30 35 39 31 32 3B 0D 0A    f8KBPFx05912;.. 
1c0 : 09 54 68 75 2C 20 32 30 20 53 65 70 20 32 30 30   .Thu, 20 Sep 200 
1d0 : 31 20 31 33 3A 32 35 3A 31 35 20 2B 30 32 30 30   1 13:25:15 +0200 
1e0 : 20 28 4D 45 54 20 44 53 54 29 0D 0A 52 65 63 65    (MET DST)..Rece 
1f0 : 69 76 65 64 3A 20 62 79 20 73 74 66 6F 2D 6C 6E   ived: by stfo-ln 
200 : 73 6D 74 70 32 2E 73 74 61 74 6F 69 6C 2E 6E 6F   smtp2.statoil.no 
210 : 28 4C 6F 74 75 73                                 (Lotus 

Best Regards, 
Thomas Nilsen 
Kverneland IT AS 
Phone: +47 5142 9463 - Mobile: +47 991 55 001 
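The hex dump above is in Snort's "OFFSET : hex   ascii" layout. What follows is an added example, not code from the thread and not Snort's own code: it decodes that layout back into bytes (checking that each line's offset matches the bytes decoded so far, so a line lost in the mail is caught), splits the payload at the CRLF CRLF that ends the HTTP header block, and reports the request line, the headers and the bytes that come after the headers. The dump embedded in it is the one posted; the checklist of traits it flags (cmd.exe/root.exe in the URL, the `..` traversal, the backslash separator, the three-n "Connnection" header that appears in the dump) is this example's own, not a Snort signature.

```python
import re

# The dump exactly as posted in the thread, in Snort's "OFFSET : hex   ascii"
# layout.  Only the hex column is decoded; the ASCII column is ignored.
SNORT_DUMP = r"""
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C   GET /scripts/..\
010 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
020 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
030 : 20 72 20 63 2B 64 69 72 20 48 54 54 50 2F 31 2E    r c+dir HTTP/1.
040 : 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F   0..Host: www..Co
050 : 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65   nnnection: close
060 : 0D 0A 0D 0A 65 63 74 69 6F 6E 3A 20 63 6C 6F 73   ....ection: clos
070 : 65 0D 0A 0D 0A 2B 30 32 30 30 0D 0A 52 65 63 65   e....+0200..Rece
080 : 69 76 65 64 3A 20 66 72 6F 6D 20 73 74 61 74 6F   ived: from stato
090 : 69 6C 2E 6E 6F 20 28 6D 61 69 6C 68 6F 73 74 2E   il.no (mailhost.
0a0 : 73 74 61 74 6F 69 6C 2E 6E 6F 20 5B 31 34 33 2E   statoil.no [143.
0b0 : 39 37 2E 32 30 2E 31 30 39 5D 29 0D 0A 09 62 79   97.20.109])...by
0c0 : 20 6D 61 69 6C 77 61 6C 6C 31 2E 73 74 61 74 6F    mailwall1.stato
0d0 : 69 6C 2E 63 6F 6D 20 28 38 2E 31 31 2E 31 2F 38   il.com (8.11.1/8
0e0 : 2E 31 31 2E 31 29 20 77 69 74 68 20 45 53 4D 54   .11.1) with ESMT
0f0 : 50 20 69 64 20 66 38 4B 42 50 48 51 32 31 36 30   P id f8KBPHQ2160
100 : 34 3B 0D 0A 09 54 68 75 2C 20 32 30 20 53 65 70   4;...Thu, 20 Sep
110 : 20 32 30 30 31 20 31 33 3A 32 35 3A 31 37 20 2B    2001 13:25:17 +
120 : 30 32 30 30 20 28 4D 45 54 20 44 53 54 29 0D 0A   0200 (MET DST)..
130 : 52 65 63 65 69 76 65 64 3A 20 66 72 6F 6D 20 73   Received: from s
140 : 74 66 6F 2D 6C 6E 73 6D 74 70 32 2E 73 74 61 74   tfo-lnsmtp2.stat
150 : 6F 69 6C 2E 6E 6F 20 28 73 74 66 6F 2D 6C 6E 73   oil.no (stfo-lns
160 : 6D 74 70 32 2E 73 74 2E 73 74 61 74 6F 69 6C 2E   mtp2.st.statoil.
170 : 6E 6F 20 5B 31 34 33 2E 39 37 2E 32 30 2E 31 34   no [143.97.20.14
180 : 39 5D 29 0D 0A 09 62 79 20 73 74 61 74 6F 69 6C   9])...by statoil
190 : 2E 6E 6F 20 28 38 2E 31 30 2E 30 2F 38 2E 31 30   .no (8.10.0/8.10
1a0 : 2E 30 29 20 77 69 74 68 20 53 4D 54 50 20 69 64   .0) with SMTP id
1b0 : 20 66 38 4B 42 50 46 78 30 35 39 31 32 3B 0D 0A    f8KBPFx05912;..
1c0 : 09 54 68 75 2C 20 32 30 20 53 65 70 20 32 30 30   .Thu, 20 Sep 200
1d0 : 31 20 31 33 3A 32 35 3A 31 35 20 2B 30 32 30 30   1 13:25:15 +0200
1e0 : 20 28 4D 45 54 20 44 53 54 29 0D 0A 52 65 63 65    (MET DST)..Rece
1f0 : 69 76 65 64 3A 20 62 79 20 73 74 66 6F 2D 6C 6E   ived: by stfo-ln
200 : 73 6D 74 70 32 2E 73 74 61 74 6F 69 6C 2E 6E 6F   smtp2.statoil.no
210 : 28 4C 6F 74 75 73                                 (Lotus
"""

DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*(.*)$")


def parse_snort_dump(text: str) -> bytes:
    """Decode a Snort hex dump, checking each line's offset against the
    bytes decoded so far (a line lost or reordered in the mail raises)."""
    out = bytearray()
    for line in filter(str.strip, text.splitlines()):
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError(f"not a dump line: {line!r}")
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"offset {m.group(1)}, but {len(out):#x} bytes so far")
        # The hex column ends at the first run of two or more spaces; the
        # ASCII column after it can itself contain hex-looking text.
        out += bytes.fromhex(re.split(r"\s{2,}", m.group(2).strip(), maxsplit=1)[0])
    return bytes(out)


def split_http(data: bytes):
    """Split at the first CRLF CRLF into (request line, headers, rest).
    Bytes after the blank line lie outside the HTTP header block; a GET
    carries no body, so here they are not part of the request at all."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("payload has no end-of-headers")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, rest


def probe_indicators(request_line: str, headers: dict) -> list:
    """Traits of the cmd.exe/root.exe probes the thread discusses.  This
    checklist is the example's own, not a Snort signature."""
    _method, _, rest = request_line.partition(" ")
    # The dump's request line has spaces inside the target, so peel the
    # HTTP version off the right instead of splitting on every space.
    target, sep, _version = rest.rpartition(" ")
    if not sep:
        target = rest
    low = target.lower()
    found = []
    if "cmd.exe" in low or "root.exe" in low:
        found.append("cmd.exe/root.exe in URL")
    if "/.." in low or "\\.." in low:
        found.append("directory traversal (..) in URL")
    if "\\" in low or "%5c" in low:
        found.append("backslash or %5c used as a path separator")
    if "connnection" in headers:
        found.append("misspelled Connnection: header")
    return found


if __name__ == "__main__":
    rl, hdrs, rest = split_http(parse_snort_dump(SNORT_DUMP))
    print(rl, hdrs, probe_indicators(rl, hdrs), sep="\n")
    print(f"{len(rest)} bytes follow the header block: {rest[:48]!r}")
```

Run as-is it works on the posted dump; to apply it to another Snort log, replace the contents of `SNORT_DUMP` with that dump's lines. The point of the split is that everything after the first CRLF CRLF, including the `Received:` lines, sits outside the HTTP request as the protocol delimits it, so the request the remote IIS server parses is only the `GET` line plus the `Host:` and `Connnection:` headers.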


_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users




