[Snort-sigs] Local CodeRed infection

DataShark nomad at ...1202...
Tue Jan 21 22:02:15 EST 2003


You should consider getting on the machine tripping the rule and running your sniffer from that machine. Barring that, set up a monitor port on the switch that machine is connected to and only monitor its port; see if the traffic in fact comes from that machine. Is this a workstation or a server?
		DS
On Tue, 21 Jan 2003 12:46:46 -0500
<bthaler at ...572...> wrote:

> We're not running any NAT here, so I think that's out, but I suppose the
> source could be spoofed.  That makes sense actually.
> 
> Time to get tcpdump running to show me the MACs I think.
> 
> Sincerely,
> 
> Brad Thaler
> Technical Support
> WebStream Internet Solutions
> 
> bthaler at ...572...
> http://www.webstream.net
> (954) 730-7405 Help Desk
> (954) 733-7067 Fax
> *** For further assistance you can go to http://helpdesk.webstream.net
> where you can find most of the answers you need.
> 
> ----- Original Message -----
> From: "Robert Wagner" <rwagner at ...447...>
> To: <bthaler at ...572...>; <snort-sigs at lists.sourceforge.net>
> Sent: Tuesday, January 21, 2003 12:20 PM
> Subject: RE: [Snort-sigs] Local CodeRed infection
> 
> 
> > Could the source be NATed or spoofed?  Do you have an ingress filter on your
> > firewall to prevent a spoofed packet?
> >
> > -----Original Message-----
> > From: bthaler at ...572... [mailto:bthaler at ...572...]
> > Sent: Tuesday, January 21, 2003 10:11 AM
> > To: snort-sigs at lists.sourceforge.net
> > Subject: [Snort-sigs] Local CodeRed infection
> >
> >
> > Please forgive me in advance if this is the wrong list.
> >
> > I created these simple rules some time ago to check for any of my servers
> > being infected with CodeRed.
> >
> > alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***"; content:"/cmd.exe"; nocase;)
> > alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***"; content:"/root.exe"; nocase;)
> >
> > Since all of my servers are patched, these only triggered on false alarms,
> > as would be expected.  This was all working fine with Snort-1.8x, but
> > yesterday I upgraded to Snort-1.9 and these rules have started firing for no
> > apparent reason.
> >
> > For example, the first rule above just fired a few minutes ago on this
> > packet:
> >
> > Source IP = x.x.x.80
> > Source Port = 1830
> > Dest IP = 63.175.146.25
> > Dest Port = 80
> > <!---- begin packet ---->
> > HEAD /msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
> > Host: x.x.x.23 (this is another host on my network)
> >
> > -->
> > <br>
> > <!--webbot bot="HTMLMarkup" startspan --><HumanClick> <script
> > language='javascript' src='http://hc2.humanclick.com/hc/xGET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
> > User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
> > Host: wisapidata.weatherbug.com
> > Connection: Keep-Alive
> >
> > GET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
> > User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
> > Host: wisapidata.weatherbug.com
> > Connection: Keep-Alive
> > <!---- end packet ---->
> >
> > If you look at the packet above, it will obviously trigger the first rule
> > above due to the cmd.exe in the payload.  The strange part is that this
> > particular machine is most definitely NOT infected.  Like I said above,
> > these rules have been in place for quite some time and never fired under
> > Snort-1.8, but now they're firing for several machines all of a sudden.
> >
> > So I guess my question is:  Why would this machine be sending a packet like
> > this if it wasn't infected, and why would the rules only fire now, after I
> > upgraded?
> >
> > Thanks in advance for the help.
> >
> >
> > Sincerely,
> >
> > Brad T.
> >
> >
> >
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Scholarships for Techies!
> > Can't afford IT training? All 2003 ictp students receive scholarships.
> > Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
> > www.ictp.com/training/sourceforge.asp
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
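An added worked example, not code from the thread, from Snort or from any of the posters, that walks through the packet quoted above. It reproduces the `content:"/cmd.exe"; nocase;` test as the plain case-insensitive substring search over the whole TCP payload that it is, splits the payload into the HTTP request lines it actually carries together with each one's Host header, and percent-decodes the HEAD request's path, folding the overlong UTF-8 sequence %f8%80%80%80%af back to the '/' it encodes. The PAYLOAD string is constructed from the quoted packet (the weatherbug query string is shortened, the x.x.x.* addresses are kept as posted); the rule names and function names are mine.

```python
"""Walk through the HTTP payload quoted in the thread.

Added example, not code from the thread, from Snort or from any poster.
PAYLOAD is constructed from the quoted packet (query string shortened,
x.x.x.* addresses kept as posted).
"""
import re
from urllib.parse import unquote_to_bytes

DEST_IP = "63.175.146.25"  # destination of the alerting packet, as posted

PAYLOAD = (
    "HEAD /msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af"
    "../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
    "Host: x.x.x.23\r\n"
    "\r\n"
    "-->\r\n"
    "<br>\r\n"
    "<!--webbot bot=\"HTMLMarkup\" startspan --><HumanClick> <script "
    "language='javascript' src='http://hc2.humanclick.com/hc/x"
    "GET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&StationID=KFXE HTTP/1.1\r\n"
    "User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)\r\n"
    "Host: wisapidata.weatherbug.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# The two rules from the thread, reduced to their content: option (names are mine).
RULES = {"cmd": "/cmd.exe", "root": "/root.exe"}


def content_match(payload, content, nocase=True):
    """What `content:"..."; nocase;` does for these rules: a substring search
    over the whole payload, with no notion of where in the HTTP message the
    string sits (request line, header, body, or unrelated HTML)."""
    if nocase:
        return content.lower() in payload.lower()
    return content in payload


def fired_rules(payload):
    """Names of the rules whose content: matches the payload."""
    return sorted(name for name, c in RULES.items() if content_match(payload, c))


_REQ = re.compile(r"(HEAD|GET|POST|PUT) (\S+) HTTP/1\.[01]\r?\n")
_HOST = re.compile(r"Host:\s*(\S+)")


def http_requests(payload):
    """Every HTTP request line in the payload, with the Host header that
    follows it (None if none appears before the next request line)."""
    hits = list(_REQ.finditer(payload))
    out = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(payload)
        host = _HOST.search(payload, m.end(), end)
        out.append({"method": m.group(1), "uri": m.group(2),
                    "host": host.group(1) if host else None})
    return out


def decode_overlong_utf8(path):
    """Percent-decode `path` and fold UTF-8 sequences, including overlong ones
    such as %f8%80%80%80%af, back to the ASCII byte they encode, the way a
    lenient server-side decoder would.  A plain percent-decode leaves the '/'
    hidden, which is why the traversal survives a naive "../" check."""
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead < 0x80:
            out.append(lead)
            i += 1
            continue
        n = 0  # sequence length = number of leading 1 bits (valid: 2..6)
        while n < 8 and (lead << n) & 0x80:
            n += 1
        if n < 2 or n > 6 or i + n > len(raw):
            out.append(ord("?"))
            i += 1
            continue
        cp = lead & (0xFF >> (n + 1))
        ok = True
        for k in range(1, n):
            if (raw[i + k] & 0xC0) != 0x80:
                ok = False
                break
            cp = (cp << 6) | (raw[i + k] & 0x3F)
        if not ok:
            out.append(ord("?"))
            i += 1
            continue
        out.append(cp if cp < 0x80 else ord("?"))  # only ASCII targets matter here
        i += n
    return out.decode("ascii")


if __name__ == "__main__":
    print("rules fired:", fired_rules(PAYLOAD))
    reqs = http_requests(PAYLOAD)
    for r in reqs:
        print(r["method"], r["uri"].split("?")[0], "Host:", r["host"])
    print("decoded HEAD path:", decode_overlong_utf8(reqs[0]["uri"].split("?")[0]))
    print("packet destination:", DEST_IP)
```

Run stand-alone it reports that only the cmd.exe rule fires, that the payload holds a HEAD and a GET with different Host headers (the HEAD names x.x.x.23 while the packet is addressed to 63.175.146.25), and that the HEAD path decodes to /msadc/../../../../../../winnt/system32/cmd.exe, a directory-traversal probe for cmd.exe of exactly the kind the rule was written to catch. Whether those bytes were one packet on the wire or assembled from more than one stream is what the sniffer Brad and DataShark propose would settle; the script only shows what the quoted bytes say.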