[Snort-users] is this a type of code red?

richard richard.witt at ...3480...
Tue Sep 18 08:02:01 EDT 2001


Everyone,
	This morning on my box I picked up multiple packets of this kind that
were sending themselves out from our network and also from the internet
into our network. All of our servers have been patched ... probably more
than once with Microsoft's patch. This is a copy of the packet I am
picking up by Snort.



[**] WEB-IIS CodeRed v2 root.exe access [**]
09/18-08:59:28.893059 0:1:3:22:BC:24 -> 0:50:DA:1A:ED:BA type:0x800
len:0x7E
168.49.XXX.YY:2923 -> 168.49.XXX.YY:80 TCP TTL:128 TOS:0x0 ID:6247
IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x131F5D1A  Ack: 0x75B8F7F7  Win: 0x2238  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 72 6F 6F  GET /scripts/roo
74 2E 65 78 65 3F 2F 63 2B 64 69 72 20 48 54 54  t.exe?/c+dir HTT
50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 77 77 77  P/1.0..Host: www
0D 0A 43 6F 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63  ..Connnection: c
6C 6F 73 65 0D 0A 0D 0A                          lose....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


Can anyone shed some light on this?

richard




