[Snort-sigs] Local CodeRed infection

Robert Wagner rwagner at ...447...
Tue Jan 21 09:21:07 EST 2003


Could the source be NATed or spoofed?  Do you have an ingress filter on your
firewall to prevent a spoofed packet?

-----Original Message-----
From: bthaler at ...572... [mailto:bthaler at ...572...]
Sent: Tuesday, January 21, 2003 10:11 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Local CodeRed infection


Please forgive me in advance if this is the wrong list.

I created these simple rules some time ago to check for any of my servers
being infected with CodeRed.

alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***"; content:"/cmd.exe"; nocase;)
alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***"; content:"/root.exe"; nocase;)

Since all of my servers are patched, these only triggered on false alarms,
as would be expected.  This was all working fine with Snort-1.8x, but
yesterday I upgraded to Snort-1.9 and these rules have started firing for no
apparent reason.

For example, the first rule above just fired a few minutes ago on this
packet:

Source IP = x.x.x.80
Source Port = 1830
Dest IP = 63.175.146.25
Dest Port = 80
<!---- begin packet ---->
HEAD /msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
Host: x.x.x.23 (this is another host on my network)

-->
<br>
<!--webbot bot="HTMLMarkup" startspan --><HumanClick> <script language='javascript' src='http://hc2.humanclick.com/hc/xGET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
Host: wisapidata.weatherbug.com
Connection: Keep-Alive

GET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
Host: wisapidata.weatherbug.com
Connection: Keep-Alive
<!---- end packet ---->

If you look at the packet above, it will obviously trigger the first rule
above due to the cmd.exe in the payload.  The strange part is that this
particular machine is most definitely NOT infected.  Like I said above,
these rules have been in place for quite some time and never fired under
Snort-1.8, but now they're firing for several machines all of a sudden.

So I guess my question is:  Why would this machine be sending a packet like
this if it wasn't infected, and why would the rules only fire now, after I
upgraded?

Thanks in advance for the help.

Sincerely,

Brad T.
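Added example (not code from the post, from Snort, or from either poster): a small Python script that contrasts what the rules above actually test, a case-insensitive `content:"/cmd.exe"` search over the whole payload, with a per-request check that extracts each request line from a reassembled stream, decodes the `%f8%80%80%80%af` overlong UTF-8 form of "/" seen in the HEAD request, and matches on the normalised path. The two sample streams are constructed to resemble the quoted payload, not the original bytes, and the hosts are RFC 5737 documentation addresses. Decoded, the HEAD line is a directory-traversal request for `/winnt/system32/cmd.exe`; the second sample shows the raw match firing on "/cmd.exe" inside HTML text that is not a request at all, which the per-request check ignores.

```python
"""Raw payload match vs. decoded request-URI match for the "/cmd.exe" rule.

Added example: not code from the post or from Snort.  Sample streams are
constructed to resemble the reassembled payload quoted above; the hosts are
RFC 5737 documentation addresses.
"""
import posixpath
import re

# Constructed sample 1: an outbound stream carrying the encoded traversal probe
# (%f8%80%80%80%af is an overlong UTF-8 encoding of "/") followed by a harmless request.
PROBE_STREAM = (
    b"HEAD /msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../"
    b"winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
    b"Host: 192.0.2.23\r\n\r\n"
    b"GET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)\r\n"
    b"Host: wisapidata.weatherbug.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Constructed sample 2: the only "/cmd.exe" sits in HTML text, not in any request line.
HTML_STREAM = (
    b"-->\r\n<br>\r\n<!-- page text mentioning /winnt/system32/cmd.exe -->\r\n\r\n"
    b"GET /WxDataISAPI/WxDataISAPI.dll?GetCData HTTP/1.1\r\n"
    b"Host: wisapidata.weatherbug.com\r\n\r\n"
)

REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")

# Lead-byte patterns for 2..6-byte UTF-8 sequences: (length, mask, expected lead bits).
UTF8_LEADS = ((2, 0xE0, 0xC0), (3, 0xF0, 0xE0), (4, 0xF8, 0xF0), (5, 0xFC, 0xF8), (6, 0xFE, 0xFC))


def raw_content_match(payload: bytes, pattern: bytes) -> bool:
    """What `content:"..."; nocase;` does: a case-insensitive search over the whole payload."""
    return pattern.lower() in payload.lower()


def percent_decode(data: bytes) -> bytes:
    """Decode %XX escapes; malformed escapes are left untouched."""
    out = bytearray()
    i = 0
    while i < len(data):
        hexpair = data[i + 1:i + 3]
        if data[i:i + 1] == b"%" and len(hexpair) == 2 and all(c in b"0123456789abcdefABCDEF" for c in hexpair):
            out.append(int(hexpair, 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def lenient_utf8_decode(data: bytes) -> str:
    """UTF-8 decode that accepts overlong forms (Python's own codec rejects them).

    A decoder like this maps %c0%af or %f8%80%80%80%af to "/", which is what
    turns the encoded ".." segments into a real traversal.  Bytes that do not
    form a valid sequence are passed through as Latin-1.
    """
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            out.append(chr(lead))
            i += 1
            continue
        length = next((n for n, mask, bits in UTF8_LEADS if lead & mask == bits), 0)
        seq = data[i:i + length]
        if length == 0 or len(seq) < length or any(c & 0xC0 != 0x80 for c in seq[1:]):
            out.append(chr(lead))
            i += 1
            continue
        codepoint = lead & (0xFF >> (length + 1))   # payload bits of the lead byte
        for c in seq[1:]:
            codepoint = (codepoint << 6) | (c & 0x3F)
        out.append(chr(codepoint) if codepoint <= 0x10FFFF else "\ufffd")
        i += length
    return "".join(out)


def normalize_uri(uri: bytes) -> str:
    """Strip the query, decode escapes and overlong UTF-8, then collapse dot segments."""
    path = uri.split(b"?", 1)[0]
    decoded = lenient_utf8_decode(percent_decode(path)).replace("\\", "/")
    return posixpath.normpath(decoded)


def split_requests(stream: bytes):
    """Yield (method, raw_uri) for each chunk of the stream that starts with a request line."""
    for chunk in stream.split(b"\r\n\r\n"):
        first_line = chunk.strip(b"\r\n").partition(b"\r\n")[0]
        m = REQUEST_LINE.match(first_line)
        if m:
            yield m.group("method").decode("ascii"), m.group("uri")


def uri_match(stream: bytes, needle: str):
    """Per-request check on the normalised path, roughly what Snort's uricontent
    keyword plus the http_decode preprocessor aim for.  Returns the hits."""
    hits = []
    for method, uri in split_requests(stream):
        path = normalize_uri(uri)
        if needle.lower() in path.lower():
            hits.append((method, path))
    return hits


if __name__ == "__main__":
    for name, stream in (("probe", PROBE_STREAM), ("html", HTML_STREAM)):
        print(name, "raw content match:", raw_content_match(stream, b"/cmd.exe"),
              "| uri match:", uri_match(stream, "/cmd.exe"))
```

Both checks flag the HEAD request, because its decoded path really is `/winnt/system32/cmd.exe`; only the raw match flags the HTML fragment. Snort's real `uricontent`/`http_decode` handling is more involved than this sketch, but the split it illustrates, "string seen anywhere in the bytes" versus "string in a decoded request URI sent by the client", is the one to keep in mind when reading the alert above.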



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs