[Snort-sigs] Local CodeRed infection

Bamm Visscher rvissche at ...1206...
Wed Jan 22 08:12:06 EST 2003


Can you give the build number you are using? Looks like you have found a
good example of a known bug in the stream4 preprocessor where packets
from one stream mistakenly get injected into another stream. I see this
all the time too. In short, this rule never should have triggered, as an
incoming cmd.exe (probably Nimda) got intermixed with a legitimate
outgoing HTTP connection. Maybe Chris Green can give a more detailed
explanation of what is happening as I know he is working on a solution.

Bammkkkk
 
On Tue, 2003-01-21 at 10:10, bthaler at ...572... wrote:
> Please forgive me in advance if this is the wrong list.
> 
> I created these simple rules some time ago to check for any of my servers
> being infected with CodeRed.
> 
> alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***";
> content:"/cmd.exe"; nocase;)
> alert tcp $HOME_NET any -> any 80 (msg:"*** LOCAL CODERED INFECTION ***";
> content:"/root.exe"; nocase;)
> 
> Since all of my servers are patched, these only triggered on false alarms,
> as would be expected.  This was all working fine with Snort-1.8x, but
> yesterday I upgraded to Snort-1.9 and these rules have started firing for no
> apparent reason.
> 
> For example, the first rule above just fired a few minutes ago on this
> packet:
> 
> Source IP = x.x.x.80
> Source Port = 1830
> Dest IP = 63.175.146.25
> Dest Port = 80
> <!---- begin packet ---->
> HEAD /msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
> Host: x.x.x.23 (this is another host on my network)
> 
> -->
> <br>
> <!--webbot bot="HTMLMarkup" startspan --><HumanClick> <script
> language='javascript' src='http://hc2.humanclick.com/hc/xGET
> /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
> User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
> Host: wisapidata.weatherbug.com
> Connection: Keep-Alive
> 
> GET /WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0 HTTP/1.1
> User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)
> Host: wisapidata.weatherbug.com
> Connection: Keep-Alive
> <!---- end packet ---->
> 
> If you look at the packet above, it will obviously trigger the first rule
> above due to the cmd.exe in the payload.  The strange part is that this
> particular machine is most definitely NOT infected.  Like I said above,
> these rules have been in place for quite some time and never fired under
> Snort-1.8, but now they're firing for several machines all of a sudden.
> 
> So I guess my question is:  Why would this machine be sending a packet like
> this if it wasn't infected, and why would the rules only fire now, after I
> upgraded?
> 
> Thanks in advance for the help.
> 
> Sincerely,
> 
> Brad T.
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- 
Bamm (Robert) Visscher
Network Security Engineer
Ball Corp.
http://www.ball.com
rvissche at ...1206... 
210.240.5950 
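To make Bamm's explanation concrete, here is an added example (not code from either poster and not part of Snort) that replays the quoted packet through the posted rule's logic and shows why the alert is a false positive rather than an infection. It assumes $HOME_NET is 10.0.0.0/24 and substitutes 10.0.0.23 for the post's placeholder x.x.x.23; the payload is reconstructed from the quoted packet with the e-mail line wrapping undone, so it is constructed test input, not a capture. The naive check reproduces the alert; splitting the reassembled data back into HTTP requests shows that the cmd.exe request carries a Host header for one of the local servers, which cannot belong to a conversation with the external destination 63.175.146.25. The decoder also normalises the %f8%80%80%80%af sequences, which are an overlong UTF-8 encoding of "/", so the traversal reads as plain "../".

```python
"""Replay the false positive from the thread and show why it is one.

Added example, not code from the post or from Snort.  Assumptions: HOME_NET is
10.0.0.0/24 and the post's placeholder x.x.x.23 is 10.0.0.23.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_to_bytes

HOME_NET = ip_network("10.0.0.0/24")   # assumed value for the poster's $HOME_NET
DST_IP = "63.175.146.25"               # packet destination from the post

# Constructed from the packet quoted in the post (e-mail line wrapping undone,
# x.x.x.23 replaced by the assumed 10.0.0.23); not a real capture.
WX = ("/WxDataISAPI/WxDataISAPI.dll?GetCData&Magic=10991&RegNum=18300681"
      "&ZipCode=33309&StationID=KFXE&Units=0&Version=4.1&Fore=1&t=1043156811&lv=0")
PAYLOAD = (
    "HEAD /msadc/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../"
    "winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
    "Host: 10.0.0.23\r\n"
    "\r\n"
    "-->\r\n"
    "<br>\r\n"
    "<!--webbot bot=\"HTMLMarkup\" startspan --><HumanClick> <script "
    "language='javascript' src='http://hc2.humanclick.com/hc/xGET " + WX + " HTTP/1.1\r\n"
    "User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)\r\n"
    "Host: wisapidata.weatherbug.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "GET " + WX + " HTTP/1.1\r\n"
    "User-Agent: Mozilla/3.0 (compatible; MSIE 4.0; Win32)\r\n"
    "Host: wisapidata.weatherbug.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r?\n", re.M)


def naive_rule_fires(payload, pattern="/cmd.exe"):
    """What the posted rule does: case-insensitive match anywhere in the payload."""
    return pattern.lower() in payload.lower()


def split_requests(payload):
    """Split reassembled stream data into the HTTP requests it contains."""
    requests = []
    for m in REQUEST_LINE.finditer(payload):
        headers = {}
        for line in payload[m.end():].split("\r\n"):
            if line == "":          # blank line ends the header block
                break
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        requests.append({"method": m.group(1), "uri": m.group(2),
                         "host": headers.get("host", "")})
    return requests


def decode_overlong_utf8(uri):
    """Percent-decode, then decode UTF-8 leniently so overlong forms map to the
    ASCII they encode (e.g. %f8%80%80%80%af and %c0%af both become '/')."""
    raw = unquote_to_bytes(uri)
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
            continue
        n = 0                       # sequence length = number of leading 1 bits
        while n < 7 and (b << n) & 0x80:
            n += 1
        cont = raw[i + 1:i + n]
        if n < 2 or n > 6 or len(cont) != n - 1 or any(c & 0xC0 != 0x80 for c in cont):
            out.append("\ufffd")    # malformed lead/continuation: keep going
            i += 1
            continue
        cp = b & (0x7F >> n)
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out)


def classify(payload, dst_ip, home_net=HOME_NET):
    """Per-request verdict for an outbound packet from home_net to dst_ip."""
    dst = ip_address(dst_ip)
    verdicts = []
    for req in split_requests(payload):
        uri = decode_overlong_utf8(req["uri"]).lower()
        suspicious = "/cmd.exe" in uri or "/root.exe" in uri
        try:
            host_ip = ip_address(req["host"].split(":")[0])
        except ValueError:
            host_ip = None          # Host is a name, not an address
        if host_ip is not None and host_ip in home_net and dst not in home_net:
            # A request addressed to one of our own servers cannot belong to a
            # conversation with an external host: reassembly mixed two streams.
            verdicts.append("cross-stream-suspect")
        elif suspicious:
            verdicts.append("local-infection")
        else:
            verdicts.append("clean")
    return verdicts


if __name__ == "__main__":
    print("posted rule fires:", naive_rule_fires(PAYLOAD))
    for req, verdict in zip(split_requests(PAYLOAD), classify(PAYLOAD, DST_IP)):
        print(req["method"], decode_overlong_utf8(req["uri"]), "Host:", req["host"], "->", verdict)
```

The Host-versus-destination check is a triage heuristic for deciding whether an alert like this is worth chasing, not a fix: the content match itself is behaving correctly, and the only real remedy is the stream4 correction Bamm refers to. Note also that the ">" quoting in the post hides where the original lines actually broke, so the placement of the stray "xGET" fragment in the reconstructed payload is a guess.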