[Snort-sigs] Local CodeRed infection

bthaler at ...572...
Tue Jan 21 08:11:08 EST 2003


Please forgive me in advance if this is the wrong list.

I created these simple rules some time ago to check for any of my servers
being infected with CodeRed.

alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***"; content:"/cmd.exe"; nocase;)
alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***"; content:"/root.exe"; nocase;)

Since all of my servers are patched, these only triggered on false alarms,
as would be expected.  This was all working fine with Snort-1.8x, but
yesterday I upgraded to Snort-1.9 and these rules have started firing for no
apparent reason.

For example, the first rule above just fired a few minutes ago on this
packet:

Source IP = x.x.x.80
Source Port = 1830
Dest IP = 63.175.146.25
Dest Port = 80
<!---- begin packet ---->
HEAD
/msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/sys
tem32/cmd.exe?/c+dir+c:\ HTTP/1.0
Host: x.x.x.23 (this is another host on my network)

-->
<br>
<!--webbot bot="HTMLMarkup" startspan --><HumanClick> <script
language='javascript' src='http://hc2.humanclick.com/hc/xGET
/WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33
309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
Host: wisapidata.weatherbug.com
Connection: Keep-Alive

GET
/WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33
309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
Host: wisapidata.weatherbug.com
Connection: Keep-Alive
<!---- end packet ---->

If you look at the packet above, it will obviously trigger the first rule
above due to the cmd.exe in the payload.  The strange part is that this
particular machine is most definitely NOT infected.  Like I said above,
these rules have been in place for quite some time and never fired under
Snort-1.8, but now they're firing for several machines all of a sudden.

So I guess my question is:  Why would this machine be sending a packet like
this if it wasn't infected, and why would the rules only fire now, after I
upgraded?

Thanks in advance for the help.

Sincerely,

Brad T.
