RE: [Snort-sigs] cmd.exe and iisamples

From: Robert Reid <rreid(at)1800FLOWERS.com>
Date: Wed Apr 23 2003 - 15:39:28 EDT


And remove the damn samples. They have no place on a public server.

-----Original Message-----

From: Esler, Joel Contractor [mailto:EslerJ@RCERT-S.ARMY.MIL]
Sent: Wednesday, April 23, 2003 2:43 PM
To: 'Bryan Irvine'
Cc: 'snort-sigs@lists.sourceforge.net'
Subject: RE: [Snort-sigs] cmd.exe and iisamples

Ensure your box is patched to its highest possible level, this indicates an attempt, not a successful exploit, update your antivirus... This is most likely NIMDA or CODERED activity.

J

-----Original Message-----

From: Bryan Irvine [mailto:bryan.irvine@kingcountyjournal.com]
Sent: Wednesday, April 23, 2003 2:13 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] cmd.exe and iisamples

I got a couple of funny things in my Snort logs. The reason I installed Snort is because the Windows server was hacked (I don't like Windows anyway) but do these logs mean that they were accessed? Or just attempted? How can I block access to cmd.exe and iissamples just to make doubly sure?

[**] WEB-IIS cmd.exe access [**]
04/11-22:55:22.078617 203.129.247.14:4309 -> 64.1.201.146:80
TCP TTL:113 TOS:0x0 ID:4697 IpLen:20 DgmLen:161 DF
***AP**F Seq: 0xA50546C Ack: 0xC2DF7BCF Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS iissamples access [**]
04/11-22:56:11.738609 203.129.247.14:4814 -> 64.1.201.146:80
TCP TTL:113 TOS:0x0 ID:3173 IpLen:20 DgmLen:127 DF
***AP**F Seq: 0xA54488B Ack: 0xC398F327 Win: 0x2238 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

--Bryan



This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf _______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed Apr 23 16:06:48 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT
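
An added example, not part of the original thread: a Python parser for the two Snort full-alert entries quoted in the post. It shows that each alert records a single packet sent from 203.129.247.14 toward port 80, that is, the request; nothing in the entry describes the server's reply, so the alert by itself cannot show whether the request succeeded. The function names, the regular expression and the treatment of port 80 as the web port are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the two alerts from the post, one header group per line.
SAMPLE = """\
[**] WEB-IIS cmd.exe access [**]
04/11-22:55:22.078617 203.129.247.14:4309 -> 64.1.201.146:80
TCP TTL:113 TOS:0x0 ID:4697 IpLen:20 DgmLen:161 DF
***AP**F Seq: 0xA50546C Ack: 0xC2DF7BCF Win: 0x2238 TcpLen: 20

[**] WEB-IIS iissamples access [**]
04/11-22:56:11.738609 203.129.247.14:4814 -> 64.1.201.146:80
TCP TTL:113 TOS:0x0 ID:3173 IpLen:20 DgmLen:127 DF
***AP**F Seq: 0xA54488B Ack: 0xC398F327 Win: 0x2238 TcpLen: 20
"""

# TCP alerts only; tolerates an entry wrapped over lines or flattened onto one.
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?:\[\d+:\d+:\d+\]\s*)?(?P<msg>[^\[\]]+?)\s*\[\*\*\]\s+"
    r"(?:\[(?:Classification|Priority):[^\]]*\]\s*)*"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+TTL:\d+[^\[]*?IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)"
    r"[^\[]*?(?P<flags>[*12UAPRSF]{8})\s+Seq:[^\[]*?TcpLen:\s*(?P<tcplen>\d+)")

def parse_alerts(text):
    """Return one dict per TCP alert; 'payload' is DgmLen - IpLen - TcpLen."""
    alerts = []
    for m in ALERT_RE.finditer(text):
        a = m.groupdict()
        for key in ("sport", "dport", "iplen", "dgmlen", "tcplen"):
            a[key] = int(a[key])
        a["payload"] = a["dgmlen"] - a["iplen"] - a["tcplen"]
        alerts.append(a)
    return alerts

def triage(alerts, web_ports=(80,)):
    """Group by source IP; a packet sent toward a web port is a request."""
    by_src = defaultdict(list)
    for a in alerts:
        kind = "request" if a["dport"] in web_ports else "other"
        by_src[a["src"]].append((a["ts"], a["msg"], kind, a["payload"]))
    return dict(by_src)

if __name__ == "__main__":
    for src, hits in triage(parse_alerts(SAMPLE)).items():
        for ts, msg, kind, payload in hits:
            print(f"{src}  {ts}  {msg}: {kind}, {payload} payload bytes")
```

Whether either request was served is recorded on the web server side, so the timestamps and source address printed here are the values to look up in the server's own access log.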

