RE: strange cmd.exe access

From: Frank Knobbe <fknobbe(at)knobbeits.com>
Date: Sat May 31 2003 - 17:23:03 EDT

On Fri, 2003-05-30 at 17:13, Jeff Adams wrote:
> > what is strange is that the cmd.exe / root.exe stuff is half way

I reported this end of April, and VJay Larosa reported it the month before. These packets seem to be only the second packet from CodeRed attempts. They are completely stateless.

To test this and to capture more packets, I ran two Snort instances on the same segment/same box. One was configured to act only on established sessions (-z flag), the other on all traffic. The rules file only included a few IIS sigs, the snort.conf was identical.

I had the stateful instance log into the /var/log/statefull directory, the stateless instance into /var/log/stateless. After a while I compared the two and found that the stateless directory contained a few more entries. Removing the known stateful IPs from the stateless directory, I was left with those spurious second-packet-only CodeReds.

This seemed to confirm that these are indeed stateless packets (no TCP 3-way handshake, no first data packet) and occur on the wire like that (no mistakes in IDS config/logging etc). The majority seemed to be coming from China, but other sources were logged as well (i.e. USA, Turkey, etc).

After capturing and staring at this for a couple of weeks, I got bored and released the packets back into the Ether. However, if you are interested in repeating the experiment with Snort, I can tar up the setup I used and mail it to you.


Regards,
Frank

Received on Mon Jun 2 01:07:14 2003
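The two-sensor experiment Frank describes, emulated as an added example (this is not code from the post or from Snort). Two toy "sensors" run the same CodeRed-style content match over one constructed packet trace: one alerts on every matching packet, the other only on packets belonging to a flow whose TCP three-way handshake it has seen, which is what the established-only mode in the post does. Subtracting the stateful sensor's sources from the stateless sensor's sources leaves the second-packet-only hits. The trace, the addresses, the payloads and the single-line alert format fed to `sources_from_fast_alerts` are all constructed assumptions for the example.

```python
"""Emulation of the stateful-vs-stateless Snort comparison (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters: "S", "SA", "A", "PA"
    payload: bytes = b""


# Stand-in for the handful of IIS signatures the post's rules file contained.
CODERED_PATTERNS = (b"/root.exe", b"/cmd.exe")


def matches_rule(pkt: Packet) -> bool:
    """Content match on HTTP traffic to port 80, ignoring TCP state."""
    return pkt.dport == 80 and any(p in pkt.payload for p in CODERED_PATTERNS)


class HandshakeTracker:
    """Minimal TCP state: a flow counts as established only after SYN, SYN/ACK, ACK."""

    def __init__(self) -> None:
        self._state = {}  # (src, sport, dst, dport) -> "SYN" | "SYNACK" | "EST"

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def observe(self, pkt: Packet) -> None:
        fwd = self._key(pkt)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            self._state[fwd] = "SYN"
        elif pkt.flags == "SA" and self._state.get(rev) == "SYN":
            self._state[rev] = "SYNACK"
        elif "A" in pkt.flags and self._state.get(fwd) == "SYNACK":
            self._state[fwd] = "EST"
        # A lone ACK/PSH-ACK with no prior SYN leaves no state: it is never "established".

    def is_established(self, pkt: Packet) -> bool:
        return self._state.get(self._key(pkt)) == "EST"


def run_sensor(packets, established_only: bool):
    """Return the source IPs that fired the rule, in stateful or stateless mode."""
    tracker = HandshakeTracker()
    alerts = []
    for pkt in packets:
        tracker.observe(pkt)
        if matches_rule(pkt) and (not established_only or tracker.is_established(pkt)):
            alerts.append(pkt.src)
    return alerts


# Source address in a single-line ("fast") Snort alert; assumed format.
_FAST_SRC = re.compile(r"\{TCP\} (\d+\.\d+\.\d+\.\d+):\d+ ->")


def sources_from_fast_alerts(lines):
    """Collect the source IPs from single-line alert records of the assumed format."""
    return {m.group(1) for line in lines if (m := _FAST_SRC.search(line))}


def stateless_only_sources(stateful_sources, stateless_sources):
    """The post's last step: drop every source the stateful instance also logged."""
    return sorted(set(stateless_sources) - set(stateful_sources))


# Constructed trace using documentation addresses. 198.51.100.7 completes a
# handshake before its request; 192.0.2.77 and 192.0.2.78 send only the lone
# data packet with ACK set, the "second packet only" pattern in the post.
SERVER = "203.0.113.10"
ROOT_EXE = b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"
CMD_EXE = b"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
TRACE = [
    Packet("198.51.100.7", 4021, SERVER, 80, "S"),
    Packet(SERVER, 80, "198.51.100.7", 4021, "SA"),
    Packet("198.51.100.7", 4021, SERVER, 80, "PA", ROOT_EXE),
    Packet("192.0.2.77", 3377, SERVER, 80, "PA", ROOT_EXE),
    Packet("192.0.2.78", 2901, SERVER, 80, "PA", CMD_EXE),
]

if __name__ == "__main__":
    stateful = run_sensor(TRACE, established_only=True)
    stateless = run_sensor(TRACE, established_only=False)
    print("stateful sensor :", stateful)
    print("stateless sensor:", stateless)
    print("second-packet-only sources:", stateless_only_sources(stateful, stateless))
```

With real Snort output the same subtraction applies to the two log directories: extract the source addresses from each instance's alerts with `sources_from_fast_alerts` (or whatever parser matches your alert format) and remove the stateful set from the stateless set. Anything left was matched on a data packet that no handshake preceded, which is exactly why a stateful sensor stays quiet on it.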

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:06 EDT

