RE: [Snort-sigs] cmd.exe and iisamples

From: <Jerry.L.Rose(at)saj02.usace.army.mil>
Date: Wed Apr 23 2003 - 15:07:37 EDT

Go to Microsoft and get the IISLockdown tool. They offer many free security tools like hfnetcheck too.

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine@kingcountyjournal.com] Sent: Wednesday, April 23, 2003 2:13 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] cmd.exe and iisamples

I got a couple of funny things in my snort logs. The reason I installed snort is because the windows server was hacked (I don't like windows anyway) but do these logs mean that they were accessed? or just attempted? How can I block access to cmd.exe and iissamples just to make doubly sure?

[**] WEB-IIS cmd.exe access [**]
04/11-22:55:22.078617 203.129.247.14:4309 -> 64.1.201.146:80 TCP TTL:113 TOS:0x0 ID:4697 IpLen:20 DgmLen:161 DF
***AP**F Seq: 0xA50546C Ack: 0xC2DF7BCF Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS iissamples access [**]
04/11-22:56:11.738609 203.129.247.14:4814 -> 64.1.201.146:80 TCP TTL:113 TOS:0x0 ID:3173 IpLen:20 DgmLen:127 DF
***AP**F Seq: 0xA54488B Ack: 0xC398F327 Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

--Bryan

---

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

---

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Wed Apr 23 15:41:57 2003