[Snort-sigs] Weird new CMD.EXE payload...

Nigel Houghton nigel at ...435...
Wed Jun 16 08:30:01 EDT 2004

On  0, "K. Jared Kalisz" <jkalisz at ...2550...> allegedly wrote:
> I thought as much. I just have not seen this particular payload before... I
> thought maybe others would be experiencing this. What's weird is that it is
> coming from different IP addresses, so far, never the same address twice.

Give it enough time and you might see something from the same address
again. I doubt it is going to cache where it's been already. It all
depends on how the thing determines the addresses it is going to target.

> The attempts are rolling in one about every 2-5 minutes. Never seen a
> pattern like this...  Also, it is targeting ALL of my web servers,
> regardless of type (i.e. IIS, Apache, etc..)

This is typical behavior for an automated tool like this. It doesn't care
about what is running on the host, why waste time figuring out if a box is
vulnerable or not? Just fire it at will and you might get a hit once in a

> So I agree that it is just an IIS exploit, the likes of which I see hundreds
> a day. It's more the pattern (frequency of attacks/always a unique source
> IP) and the payload that is odd/different, hence the concern.

Different tool, different characteristics. Some folks like to identify
what tool is being used to try to attack them; personally I don't care
what the tool actually is, just that it's happening.

> Thanks,
> Jared
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
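The behaviour Nigel describes above (an automated tool spraying every web server it can reach, one probe every few minutes, usually from a fresh source address but occasionally revisiting one) can be measured directly from the access logs of the targeted hosts. The script below is an added example, not code from this thread, from Sourcefire or from the Snort project. It runs over constructed Apache-style log lines (virtual host prepended, RFC 5737 documentation addresses, made-up request paths, none of it Jared's actual traffic) and reports the hit count, distinct and repeating sources, the servers reached, and the spacing between probes. Matching on `cmd.exe` after two rounds of URL decoding is my own choice so that percent-encoded and case-varied forms are not missed.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median
from urllib.parse import unquote

# Constructed sample log (hypothetical): Apache combined format with the
# virtual host as the first field, so several web servers can be analysed
# from a single feed. Source addresses come from the RFC 5737 test ranges.
SAMPLE_LOG = """\
www1.example.test 198.51.100.7 - - [16/Jun/2004:08:00:12 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
www1.example.test 203.0.113.9 - - [16/Jun/2004:08:00:40 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
www2.example.test 198.51.100.22 - - [16/Jun/2004:08:03:51 -0400] "GET /scripts/..%5c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0" 404 294 "-" "-"
www3.example.test 192.0.2.45 - - [16/Jun/2004:08:08:30 -0400] "GET /c/winnt/system32/cmd%2Eexe?/c+dir HTTP/1.0" 404 294 "-" "-"
www2.example.test 198.51.100.22 - - [16/Jun/2004:08:11:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
"""

# vhost, client, ident, user, [timestamp], "METHOD URI PROTO", status
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_cmd_exe_probe(uri):
    """True if the request path names cmd.exe once URL encoding is stripped.

    Decoding twice catches double-encoded variants (e.g. %252E for '.');
    lower-casing catches CMD.EXE. Both are assumptions of this example,
    not something the thread specifies.
    """
    decoded = unquote(unquote(uri)).lower()
    return "cmd.exe" in decoded


def summarize(log_text):
    """Characterise cmd.exe probes: volume, source reuse, targets, spacing."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and is_cmd_exe_probe(r["uri"])]
    hits.sort(key=lambda r: r["ts"])
    sources = Counter(r["src"] for r in hits)
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
    return {
        "hits": len(hits),
        "distinct_sources": len(sources),
        # addresses seen more than once: the "same address again" Nigel expects
        "repeat_sources": sorted(ip for ip, n in sources.items() if n > 1),
        # every server hit, regardless of what it runs
        "targets": sorted({r["vhost"] for r in hits}),
        "median_gap_s": median(gaps) if gaps else None,
        "min_gap_s": min(gaps) if gaps else None,
        "max_gap_s": max(gaps) if gaps else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows four probes spread over three servers, three distinct sources with one address returning, and a spacing of roughly two to five minutes, which is the shape Jared reports. Feeding it real logs from several hosts at once is what makes the cross-server and source-reuse columns informative.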
