Snort mailing list archives

cmd.exe? in packets that look normal


From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 10 Jul 2003 17:39:41 -0500

I rewrote the rule that looks for cmd.exe (sid:1002 in web-iis.rules) to look for outgoing traffic *from* our network, and I changed the content from "cmd.exe" to "cmd.exe?" to lessen the FPs.

This rule now works very well for catching boxes on our network that get infected with Code Red or Nimda - mostly from our student residences.

However, I'm seeing a lot of packets like this (yes, I know "a lot" is a relative term), in fact, *most* of the packets that trip this rule look like this (I munged the src ip):

length = 536


HEAD /msadc/..%c
1%af../winnt/sys
tem32/cmd.exe?/c
+dir+c:\ HTTP/1.
0..Host: 129.110
.xxx.xxx....29.11
0.29.28....atap_
chandran..5..sha
ilendra_..14..ok
..97..1..63..;0.
.64..GET /images
/bullet.gif HTTP
/1.1..Accept: */
*..Referer: http
://www.univision
.com/content/cha
nnel.jhtml;jsess
ionid=QV5I1RKHBE
BQCCWIAAOCFFIKZA
ABWIWC?chid=6&sc
hid=0..Accept-La
nguage: es-mx..A
ccept-Encoding:
gzip, deflate..U
ser-Agent: Mozil
la/4.0 (compatib
le; MSIE 5.01; W
indows 98)..Host
: www.univision.
com..Connection:
Keep-Alive..Coo
kie: q=49503d313
2392e3131302e343
02e31323

Aside from the obvious, these look like perfectly normal web sessions. Is anyone else seeing this? Anyone have any ideas what it is? It's too random to really be Code Red/Nimda, but it's an obvious Code Red/Nimda sig. Is this something retained in memory that ends up in a packet going out? Infected boxes usually spew hundreds of these, but these just show up here and there, from different IPs all over our network.

And before anyone asks, yes, this box is running IIS 5.0, and yes it's completely patched.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
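Added example, not code from the post or from Snort: a small Python emulation of the rewritten sid:1002 check (outbound source, content "cmd.exe?") that also decodes the `%c1%af` overlong UTF-8 traversal and counts how many HTTP request lines share one packet, which is the oddity the post describes. The payload is reconstructed from the ASCII column of the dump above; the HOME_NET prefix and source IP are assumed placeholders.

```python
# Added example (not from the original post): emulate the outbound
# "cmd.exe?" rule over a raw HTTP payload and return what it matched.
import re
from urllib.parse import unquote_to_bytes

HOME_NET = ("129.110.",)  # assumed: the poster's address block, as a prefix

# Reconstructed from the post's dump: a Nimda-style HEAD request followed,
# in the same packet, by an unrelated GET to www.univision.com.
SAMPLE_PAYLOAD = (
    b"HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
    b"Host: 129.110.xxx.xxx\r\n\r\n"
    b"GET /images/bullet.gif HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Host: www.univision.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

REQUEST_LINE = re.compile(rb"^(HEAD|GET|POST) (\S+) HTTP/1\.[01]\r?$", re.M)

def normalize_uri(uri: bytes) -> str:
    """Percent-decode, then map the overlong UTF-8 forms %c1%af and %c0%af
    (which IIS decoded as '/') so the traversal is visible to the analyst."""
    raw = unquote_to_bytes(uri)
    raw = raw.replace(b"\xc1\xaf", b"/").replace(b"\xc0\xaf", b"/")
    return raw.decode("latin-1")

def split_requests(payload: bytes) -> list[tuple[str, str]]:
    """Return (method, normalized uri) for every request line in the payload.
    More than one request line in a single packet is itself worth flagging."""
    return [(m.group(1).decode(), normalize_uri(m.group(2)))
            for m in REQUEST_LINE.finditer(payload)]

def inspect(src_ip: str, payload: bytes) -> dict:
    """Emulate sid:1002 rewritten for outbound traffic with content 'cmd.exe?'.
    Returns match details instead of printing so the result can be tested."""
    outbound = src_ip.startswith(HOME_NET)
    reqs = split_requests(payload)
    hits = [u for _, u in reqs if "cmd.exe?" in u.lower()]
    return {
        "outbound": outbound,
        "alert": outbound and bool(hits),
        "matched_uris": hits,
        "requests_in_packet": len(reqs),
        "traversal": any("/../" in u for u in hits),
    }

if __name__ == "__main__":
    print(inspect("129.110.29.28", SAMPLE_PAYLOAD))
```

A packet that reports two request lines where the first is a stale cmd.exe probe and the second is ordinary browsing is the pattern the post asks about; the hostile request is attributable to the sending box regardless of what follows it.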

