[Snort-sigs] Local CodeRed infection

bthaler at ...572... bthaler at ...572...
Tue Jan 21 09:48:02 EST 2003


We're not running any NAT here, so I think that's out, but I suppose the
source could be spoofed.  That makes sense actually.

Time to get tcpdump running to show me the MACs I think.

Sincerely,

Brad Thaler
Technical Support
WebStream Internet Solutions

bthaler at ...572...
http://www.webstream.net
(954) 730-7405 Help Desk
(954) 733-7067 Fax
*** For further assistance you can go to http://helpdesk.webstream.net
where you can find most of the answers you need.

WebStream accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis of the information provided,
unless that information is subsequently confirmed in writing. Any views or
opinions presented in this email are solely those of the author and do not
necessarily represent those of WebStream. WARNING: Computer viruses can be
transmitted via email. The recipient should check this email and any
attachments for the presence of viruses. WebStream accepts no liability for
any damage caused by any virus transmitted by this email.
----- Original Message -----
From: "Robert Wagner" <rwagner at ...447...>
To: <bthaler at ...572...>; <snort-sigs at lists.sourceforge.net>
Sent: Tuesday, January 21, 2003 12:20 PM
Subject: RE: [Snort-sigs] Local CodeRed infection


> Could the source be NATed or Spoofed?  Do you have an ingress filter on your
> firewall to prevent a spoofed packet?
>
> -----Original Message-----
> From: bthaler at ...572... [mailto:bthaler at ...572...]
> Sent: Tuesday, January 21, 2003 10:11 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Local CodeRed infection
>
>
> Please forgive me in advance if this is the wrong list.
>
> I created these simple rules some time ago to check for any of my servers
> being infected with CodeRed.
>
> alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***"; content:"/cmd.exe"; nocase;)
> alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***"; content:"/root.exe"; nocase;)
>
> Since all of my servers are patched, these only triggered on false alarms,
> as would be expected.  This was all working fine with Snort-1.8x, but
> yesterday I upgraded to Snort-1.9 and these rules have started firing for no
> apparent reason.
>
> For example, the first rule above just fired a few minutes ago on this
> packet:
>
> Source IP = x.x.x.80
> Source Port = 1830
> Dest IP = 63.175.146.25
> Dest Port = 80
> <!---- begin packet ---->
> HEAD /msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
> Host: x.x.x.23 (this is another host on my network)
>
> -->
> <br>
> <!--webbot bot="HTMLMarkup" startspan --><HumanClick> <script
> language='javascript' src='http://hc2.humanclick.com/hc/xGET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
> User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
> Host: wisapidata.weatherbug.com
> Connection: Keep-Alive
>
> GET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
> User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
> Host: wisapidata.weatherbug.com
> Connection: Keep-Alive
> <!---- end packet ---->
>
> If you look at the packet above, it will obviously trigger the first rule
> above due to the cmd.exe in the payload.  The strange part is that this
> particular machine is most definitely NOT infected.  Like I said above,
> these rules have been in place for quite some time and never fired under
> Snort-1.8, but now they're firing for several machines all of a sudden.
>
> So I guess my question is:  Why would this machine be sending a packet like
> this if it wasn't infected, and why would the rules only fire now, after I
> upgraded?
>
> Thanks in advance for the help.
>
>
>
>
>
>
> Sincerely,
>
> Brad T.
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Scholarships for Techies!
> Can't afford IT training? All 2003 ictp students receive scholarships.
> Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
> www.ictp.com/training/sourceforge.asp
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
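Added example, not code from the thread: a small Python parser that does what the follow-up message proposes, reading the source MAC out of captured Ethernet frames and applying the two posted content checks, so a hit can be tied to a physical host on the segment rather than to an IP address that could be spoofed. The frames, the MAC and the 10.0.0.80 address are constructed for this example (standing in for the x.x.x.80 host in the post).

```python
import struct

# The two content strings from the rules posted above (Snort matches them nocase)
CODERED_CONTENT = (b"/cmd.exe", b"/root.exe")

def build_frame(src_mac, src_ip, dst_ip, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero) for testing."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", 1830, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return (b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
            + b"\x08\x00" + ip_hdr + tcp_hdr + payload)

def check_frame(frame):
    """Apply the posted rules (-> any 80, content nocase) to one captured frame.
    Returns (src_mac, src_ip, dst_ip, matched) on a hit, else None; the MAC
    ties the alert to the sending NIC rather than to a possibly spoofed IP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # IPv4 only
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or ihl < 20:                           # TCP only
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != 80:
        return None                                      # rule header: dst port 80
    payload = tcp[(tcp[12] >> 4) * 4:]
    low = payload.lower()                                # nocase
    for needle in CODERED_CONTENT:
        if needle in low:
            return src_mac, src_ip, dst_ip, needle
    return None

# Constructed samples: the cmd.exe request line from the posted packet (without the
# traversal prefix) and a harmless request, both from a hypothetical host 10.0.0.80.
SAMPLE = build_frame("00:11:22:33:44:55", "10.0.0.80", "63.175.146.25", 80,
                     b"HEAD /winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n")
BENIGN = build_frame("00:11:22:33:44:55", "10.0.0.80", "63.175.146.25", 80,
                     b"GET /index.html HTTP/1.0\r\n")

if __name__ == "__main__":
    for f in (SAMPLE, BENIGN):
        print(check_frame(f))
```

On a real capture, feed each frame from `tcpdump -e -w` output (read with any pcap reader) into check_frame and compare the returned MAC with the ARP table for the claimed source IP.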