RE: [Snort-sigs] cmd.exe and iisamples

From: L. Christopher Luther <CLuther(at)Xybernaut.com>
Date: Wed Apr 23 2003 - 15:02:26 EDT


The two WEB-IIS log entries only mean that your IIS server was accessed in a manner that Snort considers malicious. If your IIS server is patched (you probably don't want to hear this), and IT SHOULD BE if it is a public server, then I'd not worry about these two log entries. To be safe, however, check the IIS logs to see what HTTP return code was generated.

FYI: CodeRed and other variants like to probe for cmd.exe and iissamples.

As for blocking: Patch Windoze and IIS, and remove the IIS samples folder from the web site. This will not stop anyone from attempting to access these files, and yes, Snort will dutifully alert/log the attempts.

-- Christopher

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine@kingcountyjournal.com]
Sent: Wednesday, April 23, 2003 2:13 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] cmd.exe and iisamples

I got a couple of funny things in my snort logs. The reason I installed snort is because the windows server was hacked (I don't like windows anyway), but do these logs mean that they were accessed, or just attempted? How can I block access to cmd.exe and iissamples just to make doubly sure?

[**] WEB-IIS cmd.exe access [**]
04/11-22:55:22.078617 203.129.247.14:4309 -> 64.1.201.146:80 TCP TTL:113 TOS:0x0 ID:4697 IpLen:20 DgmLen:161 DF
***AP**F Seq: 0xA50546C Ack: 0xC2DF7BCF Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS iissamples access [**]
04/11-22:56:11.738609 203.129.247.14:4814 -> 64.1.201.146:80 TCP TTL:113 TOS:0x0 ID:3173 IpLen:20 DgmLen:127 DF
***AP**F Seq: 0xA54488B Ack: 0xC398F327 Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

--Bryan
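To do the check Christopher recommends, here is an added example (not from the thread) that pulls the cmd.exe and iissamples requests out of an IIS W3C extended log and splits them by HTTP status code, so a 404 shows an attempt that failed and a 2xx shows the file was actually served. The log lines are a constructed sample; the parser reads column names from the #Fields header, so it works on whatever columns the server is configured to log.

```python
"""Triage Snort WEB-IIS alerts against the IIS W3C log (added example)."""
import re

# Constructed sample IIS 5.0 W3C extended log, not taken from the thread.
IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-11 22:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-11 22:55:22 203.129.247.14 GET /winnt/system32/cmd.exe - 404
2003-04-11 22:56:11 203.129.247.14 GET /iissamples/default/default.htm - 200
2003-04-11 22:57:03 10.0.0.5 GET /index.html - 200
"""

# Same paths the two Snort WEB-IIS rules in the alerts above fire on.
PROBE = re.compile(r"cmd\.exe|iissamples", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def triage(text):
    """Split probe requests into served (2xx) versus merely attempted."""
    result = {"succeeded": [], "attempted": []}
    for rec in parse_w3c(text):
        target = rec["cs-uri-stem"] + " " + rec["cs-uri-query"]
        if not PROBE.search(target):
            continue
        status = int(rec["sc-status"])
        bucket = "succeeded" if 200 <= status < 300 else "attempted"
        when = rec["date"] + " " + rec["time"]
        result[bucket].append((when, rec["c-ip"], rec["cs-uri-stem"], status))
    return result


if __name__ == "__main__":
    for bucket, hits in triage(IIS_LOG).items():
        for when, ip, path, status in hits:
            print(f"{bucket:9} {when} {ip} {path} -> {status}")
```

Anything in the "succeeded" bucket is a request IIS answered with content, so a 200 for /iissamples means the samples folder is still on the server and should be removed as Christopher suggests.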




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


Received on Wed Apr 23 15:35:25 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

