[Snort-users] Code Green???

richard csraw at ...3480...
Tue Sep 18 08:14:04 EDT 2001


We are getting this also. Very high traffic of this type. 

On Tue, 2001-09-18 at 09:27, Matthew Francis wrote:
> Hi,
> 
> I'm getting LOADS of what looks like New Code Red attacks - Could this be
> Code Green???  From one single 'attacking' PC I'm getting the following log
> (There's 2 IDS's 1:Internet Facing, 2:DMZ):-
> 
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1264 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1264 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1275 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1275 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..:
> {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..:
> {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode:
> IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode:
> IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode:
> IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..:
> {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode:
> IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1331 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode:
> IIS Unicode attack detected: {Attacking PC}:1331 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode:
> IIS Unicode attack detected: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode:
> IIS Unicode attack detected: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:
> 8]: {Attacking PC}:1395 -> {Destination Server}:80
> 
> Obviously this is a massive log for one 'attack' attempt and I'm getting
> this a LOT from all different IP address ranges which are all standard dial
> up accounts (the ones I've checked anyway) with what looks like unpatched
> IIS servers.
> 
> Anyone shed any light???
> 
> Thanks
> 
> -----
> Matthew Francis
> 
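A triage helper for a burst like the one quoted above, as an added example that is not part of the original posts: it rejoins the mail-wrapped alert lines, folds duplicates, and groups alerts by source and source port so each connection shows which sensor flagged it. The sample lines are constructed in the same layout, and the placeholders (`{IDS 1}`, `{Attacking PC}`) are treated as literal strings.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted log: tab-separated syslog
# fields, each alert wrapped over several "> "-quoted lines by the mailer.
HDR = "> 18-09-2001\t15:13:55\t"
SAMPLE = "\n".join([
    HDR + "Auth.Alert\t{IDS 1}\tsnort[846]: [1:970:1]  WEB-IIS",
    "> multiple decode attempt [Classification: Attempted User Privilege Gain",
    "> Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80",
    HDR + "System0.Alert\t{IDS 2}\t   snort[1472]: WEB-../..:",
    "> {Attacking PC}:1294 -> {Destination Server}:80",
    HDR + "Auth.Alert\t{IDS 1}\tsnort[846]: [1:1002:1]  WEB-IIS",
    "> cmd.exe access [Classification: Attempted User Privilege Gain   Priority:",
    "> 8]: {Attacking PC}:1275 -> {Destination Server}:80",
    HDR + "System0.Alert\t{IDS 2}\t   snort[1472]: spp_http_decode:",
    "> IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80",
    HDR + "System0.Alert\t{IDS 2}\t   snort[1472]: spp_http_decode:",
    "> IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80",
])

# Sensor tag, optional [gid:sid:rev], message, optional classification, source.
ALERT = re.compile(
    r"\{(?P<sensor>IDS \d+)\}\s+snort\[\d+\]:\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)"
    r"(?:\s+\[Classification:.*?\])?:\s+(?P<src>\{.+?\}|\S+?):(?P<sport>\d+) -> ")

def unwrap(text):
    """Strip the quote prefix and rejoin alerts the mailer wrapped."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^>\s?", "", line).rstrip()
        if re.match(r"\d{2}-\d{2}-\d{4}\t", line):  # a new alert starts with a date
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records

def per_connection(text):
    """Map (source, source port) -> sensor -> set of messages; duplicates fold."""
    conns = defaultdict(lambda: defaultdict(set))
    for rec in unwrap(text):
        m = ALERT.search(rec)
        if m:
            conns[(m["src"], int(m["sport"]))][m["sensor"]].add(m["msg"])
    return conns

def seen_by(conns, sensor):
    # Connections that raised at least one alert on the given sensor.
    return sorted(key for key, sensors in conns.items() if sensor in sensors)

if __name__ == "__main__":
    print(seen_by(per_connection(SAMPLE), "IDS 2"))
```

Connections returned for `IDS 2` are the ones that raised alerts on the sensor the poster describes as the DMZ one.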





