Snort mailing list archives
RE: CodeRed Observations.
From: "John York" <YorkJ () brcc edu>
Date: Thu, 13 Mar 2003 13:58:54 -0500
Here's what I saw in yesterday's logs. I've been assuming that hits on cmd.exe and .ida are CodeRed/Nimda scans. I looked at the rules for both of these and both have flow:to_server,established, so I'm assuming the Snort preprocessors must have seen a complete handshake before the rules fired. I haven't made any special rules for this, so I doubt I'd see any hits without an established connection.

Thanks
John

03/13-14:25:54.526549 WEB-IIS cmd.exe access TCP 164.125.128.129 4243 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0x3BCA6552 0x650253D9 0x16D0 50 16 46551 448 20
03/13-14:25:54.526087 WEB-IIS ISAPI .ida attempt TCP 164.125.128.129 4243 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0x3BCA5F9E 0x650253D9 0x4020 52 0 32154 217 20
03/13-02:06:19.832951 WEB-IIS cmd.exe access TCP 164.125.61.214 1146 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0xE48D8B3 0xC0E6DDBA 0x4020 52 0 32160 217 20
03/13-02:06:19.831720 WEB-IIS ISAPI .ida attempt TCP 164.125.61.214 1146 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0xE48D2FF 0xC0E6DDBA 63 0 0 121 20
03/13-03:13:15.505757 WEB-IIS cmd.exe access TCP 164.77.209.252 1983 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0xCDC7E3C3 0xFF6B24FD 127 0 22628 105 20
03/13-03:13:15.336757 WEB-IIS ISAPI .ida attempt TCP 164.77.209.252 1983 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0xCDC7DE0F 0xFF6B24FD 0x16D0 52 0 61486 160 20
03/13-20:59:15.896767 WEB-IIS cmd.exe access TCP 164.77.218.214 3505 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5BC ***A**** 0xEE901D89 0xCBF5F076 0x4000 109 0 10931 48 20
03/13-20:59:15.812044 WEB-IIS ISAPI .ida attempt TCP 164.77.218.214 3505 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5BC ***A**** 0xEE901803 0xCBF5F076 0x4000 109 0 11147 48 20

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ISAPI .ida attempt"; flow:to_server,established; uricontent:".ida?"; nocase; reference:arachnids,552; classtype:web-application-attack; reference:bugtraq,1065; reference:cve,CAN-2000-0071; sid:1243; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1002; rev:5;)

John York
Network Engineer
Blue Ridge Community College
P.O. Box 80/One College Lane
Weyers Cave, VA 24486
540.453.2255
-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay () emc com]
Sent: Wednesday, March 12, 2003 4:13 PM
To: John York
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] CodeRed Observations.

But are you seeing the originating source of the attack establishing a TCP session (three-way handshake) with your webservers? I'm not. It is almost like a stick or snort attack with codered packets.

vjl

-----Original Message-----
From: John York [mailto:YorkJ () brcc edu]
Sent: Wednesday, March 12, 2003 3:13 PM
To: larosa, vjay
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] CodeRed Observations.

The main difference I'm seeing is that the new CodeReds send just a few attempts to my web servers (cmd.exe, ida, etc.) instead of pounding them with a hundred or so like they did before.

John York
Network Engineer
Blue Ridge Community College
P.O. Box 80/One College Lane
Weyers Cave, VA 24486
540.453.2255

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of larosa, vjay
Sent: Wednesday, March 12, 2003 12:04 PM
To: 'intrusions () incidents org'
Cc: 'snort-users () lists sourceforge net'; 'focus-ids () securityfocus com'
Subject: [Snort-users] CodeRed Observations.

Hello,

I have been watching this recent spike in CodeRed activity and one thing I am noticing is the lack of TCP session establishment. I am seeing common get strings like this showing up at my firewalls without ever establishing a TCP three-way handshake. I have seen several hundred packets within the last two days similar to this at my firewalls.

47 45 54 20 2F 64 65 66 61 75 6C 74 2E 69 64 61  GET /default.ida
3F 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  ?XXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX

Snip--------------------------------------------------------------------------------------------------------------------------

I find it awfully strange that there is no handshake (not even a single SYN to try and establish a session) but these packets show up anyway. I also am not seeing an increase of port 80 scans in my firewall logs or with any of my IDS sensors. Is anybody else out there seeing the same things we are?

Thanks!

vjl

V.Jay LaRosa
EMC Corporation
Information Security
4400 Computer Dr.
Westboro, MA 01580
(508)898-7433 office
(508)353-1348 cell
888-799-9750 pager
larosa_vjay () emc com
www.emc.com
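An added example, not part of the thread, that works through John's alert columns and vjay's handshake question together: it parses the flattened alert lines John posted, regroups them by TCP 4-tuple and applies two defender-side checks, whether every alerted packet carries ACK without SYN (what flow:to_server,established would imply) and whether the TTLs inside one session agree (a mix hints that the packets were crafted rather than sent by one real TCP stack). It assumes the columns are an export of Snort's full-alert fields with the window column sometimes dropped; the sample lines are copied from John's message above.

```python
import re
from collections import defaultdict

# Assumed column layout of the flattened alert lines (an export of
# "snort -A full" fields): timestamp, rule message, "TCP", src, sport, dst,
# dport, src MAC, dst MAC, frame length, TCP flags, seq, ack, optional
# window, TTL, TOS, IP ID, datagram length, IP header length.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<msg>.+?) TCP (?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) "
    r"(?P<dport>\d+) \S+ \S+ \S+ (?P<flags>[12UAPRSF*]{8}) 0x[0-9A-Fa-f]+ "
    r"0x[0-9A-Fa-f]+ (?:0x[0-9A-Fa-f]+ )?(?P<ttl>\d+) \d+ \d+ (?P<dgmlen>\d+) \d+$"
)

# Sample input: four alert lines copied from the message above (two sessions).
SAMPLE = """\
03/13-14:25:54.526549 WEB-IIS cmd.exe access TCP 164.125.128.129 4243 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0x3BCA6552 0x650253D9 0x16D0 50 16 46551 448 20
03/13-14:25:54.526087 WEB-IIS ISAPI .ida attempt TCP 164.125.128.129 4243 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0x3BCA5F9E 0x650253D9 0x4020 52 0 32154 217 20
03/13-02:06:19.832951 WEB-IIS cmd.exe access TCP 164.125.61.214 1146 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0xE48D8B3 0xC0E6DDBA 0x4020 52 0 32160 217 20
03/13-02:06:19.831720 WEB-IIS ISAPI .ida attempt TCP 164.125.61.214 1146 x.x.x.x 80 0:8:21:9C:FD:20 0:90:27:4D:56:11 0x5EA ***A**** 0xE48D2FF 0xC0E6DDBA 63 0 0 121 20
"""

def parse_alert(line):
    """Return the named fields of one alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def sessions(text):
    """Group alerts by TCP 4-tuple, collecting rule messages, flag strings and TTLs."""
    out = defaultdict(lambda: {"msgs": [], "flags": set(), "ttls": set()})
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            key = (a["src"], int(a["sport"]), a["dst"], int(a["dport"]))
            out[key]["msgs"].append(a["msg"])
            out[key]["flags"].add(a["flags"])
            out[key]["ttls"].add(int(a["ttl"]))
    return dict(out)

def looks_established(info):
    """ACK set and SYN clear on every alerted packet (Snort flag order 12UAPRSF).
    Consistent with a completed handshake, but not proof of one: only the
    stream preprocessor saw whether SYN/SYN-ACK/ACK actually took place."""
    return all("A" in f and "S" not in f for f in info["flags"])

def ttl_consistent(info):
    """One real TCP stack sends a session's packets with one TTL; differing
    TTLs inside the same 4-tuple are worth a second look as crafted traffic."""
    return len(info["ttls"]) == 1
```

Both sample sessions pass the ACK-only check yet fail the TTL check, which is the kind of detail to pull from the packet logs before concluding that a handshake really took place.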