Snort mailing list archives
cmd.exe? in packets that look normal
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 10 Jul 2003 17:39:41 -0500
I rewrote the rule that looks for cmd.exe (sid:1002 in web-iis.rules) to look for outgoing traffic *from* our network, and I changed the content from "cmd.exe" to "cmd.exe?" to lessen the FPs.
This rule now works very well for catching boxes on our network that get infected with Code Red or Nimda - mostly from our student residences.
However, I'm seeing a lot of packets like this (yes, I know "a lot" is a relative term), in fact, *most* of the packets that trip this rule look like this (I munged the src ip):
length = 536
HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0..Host: 129.110.xxx.xxx....29.110.29.28....atap_chandran..5..shailendra_..14..ok..97..1..63..;0..64..GET /images/bullet.gif HTTP/1.1..Accept: */*..Referer: http://www.univision.com/content/channel.jhtml;jsessionid=QV5I1RKHBEBQCCWIAAOCFFIKZAABWIWC?chid=6&schid=0..Accept-Language: es-mx..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)..Host: www.univision.com..Connection: Keep-Alive..Cookie: q=49503d3132392e3131302e34302e31323

Aside from the obvious, these look like perfectly normal web sessions. Is anyone else seeing this? Anyone have any ideas what it is? It's too random to really be Code Red/Nimda, but it's an obvious Code Red/Nimda sig. Is this something retained in memory that ends up in a packet going out? Infected boxes usually spew hundreds of these, but these just show up here and there, from different IPs all over our network.
And before anyone asks, yes, this box is running IIS 5.0, and yes it's completely patched.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
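As an added illustration (not code from the post, and not Snort's own rule text), the following Python model shows the effect of the two changes described above: flipping sid:1002 from inbound to outbound and tightening the content match from "cmd.exe" to "cmd.exe?". It assumes a 129.110.0.0/16 home net (the post munges the host part), assumes the stock rule watched traffic from outside to the web servers with a case-insensitive "cmd.exe" content match, and assumes the rewrite keeps everything else the same. The sample packets are constructed; the first reuses the request line from the dump above, and every IP other than the 129.110 prefix is invented.

```python
import ipaddress
from dataclasses import dataclass

# Assumed campus range; the post only shows 129.110.xxx.xxx.
HOME_NET = ipaddress.ip_network("129.110.0.0/16")
HTTP_PORTS = {80, 8080}


@dataclass(frozen=True)
class Packet:
    name: str       # label for the constructed sample
    src: str
    dst: str
    dport: int
    payload: bytes


def http(*lines: bytes) -> bytes:
    """Join request lines with CRLF (the '..' pairs in the post's dump)."""
    return b"\r\n".join(lines) + b"\r\n\r\n"


def matches(pkt: Packet, content: bytes, outbound: bool) -> bool:
    """Model of a content rule with a direction constraint.

    outbound=False: stock sid:1002 shape, $EXTERNAL_NET -> $HOME_NET web servers.
    outbound=True:  the rewrite in the post, $HOME_NET -> $EXTERNAL_NET.
    The content match is case-insensitive, like Snort's 'nocase'.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.dport not in HTTP_PORTS:
        return False
    if outbound:
        direction_ok = src in HOME_NET and dst not in HOME_NET
    else:
        direction_ok = src not in HOME_NET and dst in HOME_NET
    return direction_ok and content.lower() in pkt.payload.lower()


# Three rule variants: the stock rule, the rule with only the direction
# flipped, and the full rewrite with the '?' appended to the content.
VARIANTS = {
    "stock": (b"cmd.exe", False),
    "outbound-cmd.exe": (b"cmd.exe", True),
    "outbound-cmd.exe?": (b"cmd.exe?", True),
}

# Constructed samples (assumed values, not from any real capture except the
# request line, which is the one shown in the post's dump).
SAMPLES = [
    Packet("infected-host-outbound", "129.110.40.12", "198.51.100.7", 80,
           http(b"HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
                b"Host: 198.51.100.7")),
    Packet("external-probe-inbound", "203.0.113.9", "129.110.20.5", 80,
           http(b"HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
                b"Host: 129.110.20.5")),
    # A student reading a documentation page whose URL merely contains
    # 'cmd.exe': the kind of false positive the '?' is meant to drop.
    Packet("student-reads-docs", "129.110.40.12", "198.51.100.7", 80,
           http(b"GET /kb/windows/cmd.exe.html HTTP/1.1",
                b"Host: kb.example.net")),
]


def evaluate(samples=SAMPLES):
    """Return {sample name: {variant name: fired?}} for every sample."""
    return {
        p.name: {v: matches(p, content, outbound)
                 for v, (content, outbound) in VARIANTS.items()}
        for p in samples
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        fired = ", ".join(v for v, hit in hits.items() if hit) or "none"
        print(f"{name:24s} fired: {fired}")
```

The infected host's outbound request fires only after the direction flip, the inbound probe from outside is what the stock rule catches and the rewrite ignores, and the documentation lookup shows why "cmd.exe?" is the better content: it fires with "cmd.exe" alone but not once the "?" is required.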