[Snort-users] Code Green???

Steve Halligan agent33 at ...187...
Tue Sep 18 08:18:02 EDT 2001


I am getting loads of this too.  I just set up a honeypot to catch it.
-steve

> -----Original Message-----
> From: Jim Howard [mailto:Jim.Howard at ...2728...]
> Sent: Tuesday, September 18, 2001 9:45 AM
> To: 'Matthew Francis'; Snort Users (E-mail)
> Subject: RE: [Snort-users] Code Green???
> 
> 
> Doesn't appear to be Code Green though... just looked at CERT's website.
> The sig looks different.  Still investigating.
> 
> -----Original Message-----
> From: Matthew Francis [mailto:mf at ...2811...]
> Sent: Tuesday, September 18, 2001 9:27 AM
> To: Snort Users (E-mail)
> Subject: [Snort-users] Code Green???
> 
> 
> Hi,
> 
> I'm getting LOADS of what looks like New Code Red attacks - could this be
> Code Green???  From one single 'attacking' PC I'm getting the following log
> (there are 2 IDSs - 1: Internet-facing, 2: DMZ):
> 
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1331 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1331 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1395 -> {Destination Server}:80
> 
> Obviously this is a massive log for one 'attack' attempt and I'm getting
> this a LOT from all different IP address ranges which are all standard
> dial-up accounts (the ones I've checked anyway) with what looks like
> unpatched IIS servers.
> 
> Anyone shed any light???
> 
> Thanks
> 
> -----
> Matthew Francis
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
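
Added example (not part of the original posts): one way to triage a log like the one quoted above is to rejoin the mail-wrapped alerts and collapse them per TCP connection, so repeated alerts and the two sensors' views of the same request are counted once. The field layout is inferred from the quoted lines, the function names `unwrap` and `by_connection` are hypothetical, and the sample is constructed in the same format.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted log's format: "> " quoted and mail-wrapped.
SAMPLE = """\
> 18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:970:1]  WEB-IIS
> multiple decode attempt [Classification: Attempted User Privilege Gain
> Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001\t15:13:55\tSystem0.Alert\t{IDS 2}\t   snort[1472]: spp_http_decode:
> IIS Unicode attack detected: {Attacking PC}:1316 ->
> {Destination Server}:80
> 18-09-2001\t15:13:55\tSystem0.Alert\t{IDS 2}\t   snort[1472]: WEB-../..:
> {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:1002:1]  WEB-IIS
> cmd.exe access [Classification: Attempted User Privilege Gain
>   Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]:
> [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User
> Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
"""

START = re.compile(r"^\d{2}-\d{2}-\d{4}\s")  # an alert begins with a date
ALERT = re.compile(
    r"^\S+ (?P<time>\S+) \S+ \{(?P<sensor>[^}]+)\} snort\[\d+\]: "
    r"(?:\[(?P<sid>[\d:]+)\] )?(?P<msg>.+?)(?: \[Classification: [^\]]*\])?: "
    r"(?P<src>\{[^}]*\}|\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\{[^}]*\}|\S+):(?P<dport>\d+)$")

def unwrap(text):
    """Strip quote markers and rejoin alerts that the mailer wrapped."""
    records = []
    for line in text.splitlines():
        line = line.lstrip("> \t").rstrip()
        if START.match(line):
            records.append(line)          # first line of a new alert
        elif line and records:
            records[-1] += " " + line     # continuation of the previous alert
    return [" ".join(r.split()) for r in records]

def by_connection(text):
    """Map (src, sport, dst, dport) -> sorted unique (sensor, rule) pairs."""
    conns = defaultdict(set)
    for rec in unwrap(text):
        m = ALERT.match(rec)
        if m:  # rules without a [gid:sid:rev] tag are keyed by message text
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            conns[key].add((m["sensor"], m["sid"] or m["msg"]))
    return {k: sorted(v) for k, v in conns.items()}
```

On the sample, five alert lines reduce to two connections: source port 1316 seen by both sensors under three different rules, and source port 1323 seen twice by one rule on IDS 1.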