Snort mailing list archives

Re: different CMD.exe access?!?


From: Paul Schmehl <pauls () utdallas edu>
Date: 11 Mar 2003 20:00:47 -0600

On Tue, 2003-03-11 at 09:58, John Hally wrote:
> Hello,
>
> This is a different looking trace that tripped on the CMD.EXE rule.  I
> usually see a bunch of ../../../cmd.exe, but this one looks different.
> Anyone else seeing this?  It originated from 219.240.31.44, over in Korea:

There is a new version of CodeRed out.  Two bytes have been changed to
alter the date so that it will never stop searching for victims.  That
appears to be what you are seeing.  (I'm seeing it as well.)

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/



