[Snort-sigs] cmd.exe and iisamples

L. Christopher Luther CLuther at ...1474...
Wed Apr 23 12:03:31 EDT 2003

The two WEB-IIS log entries only mean that your IIS server was accessed in a
manner that Snort considers malicious.  If your IIS server is patched (you
probably don't want to hear this), and IT SHOULD BE if it is a public
server, then I'd not worry about these two log entries.  To be safe,
however, check the IIS logs to see what HTTP return code was generated.  

FYI:  CodeRed and other variants like to probe for cmd.exe and iissamples.  

As for blocking: Patch Windoze and IIS, and remove the IIS samples folder
from the web site.  This will not stop anyone from attempting to access
these files, and yes, Snort will dutifully alert/log the attempts.  

- Christopher 
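The log check Christopher recommends, as an added example that is not part of the original thread: a small Python script that reads an IIS W3C extended format log, pulls out the requests that would have fired the WEB-IIS cmd.exe and iissamples rules, and reports the HTTP status each one got. The sample log lines are constructed (typical CodeRed II / Nimda-era probes, with timestamps chosen to line up with the two alert times quoted below), not taken from the poster's server; the field names come from the log's own #Fields header, so the column order does not matter.

```python
"""Check IIS logs for the requests behind Snort's WEB-IIS cmd.exe / iissamples
alerts and report the HTTP status code each one got.

Added example, not code from the original thread. It assumes the server writes
W3C extended format logs (the IIS default; the field list is read from the
#Fields header, so the column order does not matter).
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log. The timestamps are chosen to line up with the two
# Snort alerts in the thread; the requests themselves are typical CodeRed II /
# Nimda-era probes, not anything taken from the poster's server.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-11 22:55:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-04-11 22:55:22 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 -
2003-04-11 22:55:23 192.0.2.10 GET /scripts/root.exe /c+dir 404 -
2003-04-11 22:56:11 192.0.2.10 GET /iissamples/sdk/asp/docs/codebrws.asp - 200 -
2003-04-11 22:57:02 198.51.100.7 GET /default.htm - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2003-04-11 22:58:40 192.0.2.10 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 200 -
"""

# What the two Snort rules in the thread key on (uricontent matches).
PROBE_PATTERNS = {
    "WEB-IIS cmd.exe access": re.compile(r"cmd\.exe", re.IGNORECASE),
    "WEB-IIS iissamples access": re.compile(r"/iissamples/", re.IGNORECASE),
}


def parse_w3c_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log data before any #Fields header")
        values = line.split()  # space delimited; spaces inside values are written as '+'
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(status):
    """Turn sc-status into the answer the poster actually wants."""
    if status is None:
        return "UNKNOWN"
    if 200 <= status < 300:
        return "SERVED"       # IIS handed the file/script over: investigate
    if status in (401, 403):
        return "DENIED"
    if status == 404:
        return "NOT FOUND"    # probe hit nothing; expected on a patched, cleaned box
    if status >= 500:
        return "SERVER ERROR"
    return "OTHER"


def triage(log_text):
    """Return the requests that would have fired either Snort rule, with status."""
    hits = []
    for rec in parse_w3c_log(log_text):
        uri = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        # Decode twice so %255c (double-encoded backslash) style evasions are seen too.
        decoded = unquote(unquote(uri))
        for sig, pat in PROBE_PATTERNS.items():
            if pat.search(uri) or pat.search(decoded):
                raw_status = rec.get("sc-status", "-")
                status = int(raw_status) if raw_status.isdigit() else None
                hits.append({
                    "sig": sig,
                    "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
                    "client": rec.get("c-ip", "?"),
                    "uri": uri if query == "-" else f"{uri}?{query}",
                    "status": status,
                    "verdict": classify(status),
                })
    return hits


def summarize(hits):
    """Count (signature, verdict) pairs; anything SERVED is the number to worry about."""
    return Counter((h["sig"], h["verdict"]) for h in hits)


if __name__ == "__main__":
    results = triage(SAMPLE_IIS_LOG)
    for h in results:
        print(f"{h['time']} {h['client']} {h['status']} {h['verdict']:<10} {h['sig']}: {h['uri']}")
    for (sig, verdict), n in sorted(summarize(results).items()):
        print(f"{n:3d}  {sig} -> {verdict}")
```

A 404 means the probe found nothing, which is what a patched server with the samples folder removed should show; a 200 on a cmd.exe or /iissamples/ request means IIS actually ran or served the target and that host needs a closer look. One caveat: both Snort rules key on the literal names, so the /scripts/root.exe line in the sample (the renamed copy of cmd.exe that Code Red II and Nimda drop into /scripts and /msadc) fires neither rule and is skipped here too; grep the logs for root.exe separately.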

-----Original Message-----
From: Bryan Irvine [mailto:bryan.irvine at ...1441...]
Sent: Wednesday, April 23, 2003 2:13 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] cmd.exe and iisamples

I got a couple of funny things in my snort logs.  The reason I installed
snort is because the windows server was hacked (I don't like windows
anyway) but do these logs mean that they were accessed, or just
attempted?  How can I block access to cmd.exe and iissamples just to
make doubly sure?

[**] WEB-IIS cmd.exe access [**]
04/11-22:55:22.078617 ->
TCP TTL:113 TOS:0x0 ID:4697 IpLen:20 DgmLen:161 DF
***AP**F Seq: 0xA50546C  Ack: 0xC2DF7BCF  Win: 0x2238  TcpLen: 20

[**] WEB-IIS iissamples access [**]
04/11-22:56:11.738609 ->
TCP TTL:113 TOS:0x0 ID:3173 IpLen:20 DgmLen:127 DF
***AP**F Seq: 0xA54488B  Ack: 0xC398F327  Win: 0x2238  TcpLen: 20

