[Snort-sigs] cmd.exe and iisamples
L. Christopher Luther
CLuther at ...1474...
Wed Apr 23 12:03:31 EDT 2003
The two WEB-IIS log entries only mean that your IIS server was accessed in a
manner that Snort considers malicious. If your IIS server is patched (you
probably don't want to hear this), and IT SHOULD BE if it is a public
server, then I'd not worry about these two log entries. To be safe,
however, check the IIS logs to see what HTTP return code was generated.
FYI: CodeRed and other variants like to probe for cmd.exe and iissamples.
As for blocking: Patch Windoze and IIS, and remove the IIS samples folder
from the web site. This will not stop anyone from attempting to access
these files, and yes, Snort will dutifully alert/log the attempts.
From: Bryan Irvine [mailto:bryan.irvine at ...1441...]
Sent: Wednesday, April 23, 2003 2:13 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] cmd.exe and iisamples
I got a couple of funny things in my snort logs. The reason I installed
snort is that the windows server was hacked (I don't like windows
anyway), but do these logs mean that they were accessed, or just
attempted? How can I block access to cmd.exe and iissamples just to
make doubly sure?
[**] WEB-IIS cmd.exe access [**]
04/11-22:55:22.078617 220.127.116.11:4309 -> 18.104.22.168:80
TCP TTL:113 TOS:0x0 ID:4697 IpLen:20 DgmLen:161 DF
***AP**F Seq: 0xA50546C Ack: 0xC2DF7BCF Win: 0x2238 TcpLen: 20
[**] WEB-IIS iissamples access [**]
04/11-22:56:11.738609 22.214.171.124:4814 -> 126.96.36.199:80
TCP TTL:113 TOS:0x0 ID:3173 IpLen:20 DgmLen:127 DF
***AP**F Seq: 0xA54488B Ack: 0xC398F327 Win: 0x2238 TcpLen: 20
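Luther's reply says the Snort alerts only prove an attempt and that the IIS log's HTTP return code tells you whether the request was actually served. The script below is an added example (not from either poster) of doing that check: it parses W3C extended log lines, undoes the nested percent-encoding that cmd.exe probes typically use, and reports the status code for every cmd.exe or iissamples request. The log lines are constructed for illustration and only reuse the client addresses from Bryan's alerts; the field order comes from the embedded #Fields directive and will differ on a real server.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format. Columns follow the
# #Fields line; a real server's #Fields line may list more or different ones.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-04-11 22:55:22
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-11 22:55:22 220.127.116.11 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
2003-04-11 22:56:11 22.214.171.124 GET /iissamples/default/samples.asp - 200
2003-04-11 22:57:03 22.214.171.124 GET /index.htm - 200
2003-04-11 22:58:40 220.127.116.11 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
"""

# The two things the Snort WEB-IIS rules in the thread fire on.
PROBE_PATTERNS = (
    re.compile(r"cmd\.exe", re.IGNORECASE),
    re.compile(r"/iissamples/", re.IGNORECASE),
)


def decode_uri(raw, rounds=3):
    """Undo nested percent-encoding (%255c -> %5c -> backslash) so a
    double-encoded traversal to cmd.exe still matches, then normalise
    backslashes to forward slashes."""
    decoded = raw
    for _ in range(rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields line; columns cannot be mapped
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def suspicious_requests(log_text):
    """Return every cmd.exe / iissamples request with its HTTP status.
    'served' is True for a 2xx response, i.e. IIS actually handed the
    resource over; a 404 means the probe was only attempted."""
    findings = []
    for entry in parse_w3c(log_text):
        target = (decode_uri(entry.get("cs-uri-stem", "")) + " "
                  + decode_uri(entry.get("cs-uri-query", "")))
        if not any(p.search(target) for p in PROBE_PATTERNS):
            continue
        status = int(entry.get("sc-status", "0"))
        findings.append({
            "time": entry.get("date", "") + " " + entry.get("time", ""),
            "client": entry.get("c-ip"),
            "uri": entry.get("cs-uri-stem"),
            "status": status,
            "served": 200 <= status < 300,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        verdict = "SERVED - investigate" if f["served"] else "attempt only"
        print(f"{f['time']} {f['client']} {f['status']} {verdict}: {f['uri']}")
```

Feed it a real log with something like `suspicious_requests(open(path).read())`; any line flagged as served is the one to act on, while a stream of 404s is exactly the "attempted, not successful" case the reply describes.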