[Snort-sigs] cmd.exe and iisamples
I got a couple of funny things in my Snort logs. The reason I installed
Snort is because the Windows server was hacked (I don't like Windows
anyway), but do these logs mean that they were accessed, or just
attempted? How can I block access to cmd.exe and iissamples just to
make doubly sure?
[**] WEB-IIS cmd.exe access [**]
04/11-22:55:22.078617 203.129.247.14:4309 -> 64.1.201.146:80
TCP TTL:113 TOS:0x0 ID:4697 IpLen:20 DgmLen:161 DF
***AP**F Seq: 0xA50546C Ack: 0xC2DF7BCF Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] WEB-IIS iissamples access [**]
04/11-22:56:11.738609 203.129.247.14:4814 -> 64.1.201.146:80
TCP TTL:113 TOS:0x0 ID:3173 IpLen:20 DgmLen:127 DF
***AP**F Seq: 0xA54488B Ack: 0xC398F327 Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
--Bryan
Received on Wed Apr 23 14:40:47 2003