[Snort-users] Code Green???

Steve Halligan agent33 at ...187...
Tue Sep 18 08:41:04 EDT 2001


It is using the root.exe from codered and the unicode directory traversal
attack.  I am getting >700 hits per min.
-steve

> -----Original Message-----
> From: Jim Howard [mailto:Jim.Howard at ...2728...]
> Sent: Tuesday, September 18, 2001 9:42 AM
> To: 'Matthew Francis'; Snort Users (E-mail)
> Subject: RE: [Snort-users] Code Green???
> 
> 
> verified here.  Whatever it is, is using the backdoor put in by CRII, and it
> is nasty.  We are seeing 20+ hits per second here.
> 
> 
> -----Original Message-----
> From: Matthew Francis [mailto:mf at ...2811...]
> Sent: Tuesday, September 18, 2001 9:27 AM
> To: Snort Users (E-mail)
> Subject: [Snort-users] Code Green???
> 
> 
> Hi,
> 
> I'm getting LOADS of what looks like New Code Red attacks - Could this be
> Code Green???  From one single 'attacking' PC I'm getting the following log
> (There's 2 IDS's 1:Internet Facing, 2:DMZ):-
> 
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1264 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1275 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1287 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1294 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1304 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: WEB-../..: {Attacking PC}:1316 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1323 -> {Destination Server}:80
> 18-09-2001	15:13:55	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1331 -> {Destination Server}:80
> 18-09-2001	15:13:55	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1331 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1341 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	System0.Alert	{IDS 2}	   snort[1472]: spp_http_decode: IIS Unicode attack detected: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1350 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1363 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1380 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1388 -> {Destination Server}:80
> 18-09-2001	15:13:56	Auth.Alert	{IDS 1}	snort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain Priority: 8]: {Attacking PC}:1395 -> {Destination Server}:80
> 
> Obviously this is a massive log for one 'attack' attempt and I'm getting
> this a LOT from all different IP address ranges which are all standard dial
> up accounts (the ones I've checked anyway) with what looks like unpatched
> IIS servers.
> 
> Anyone shed any light???
> 
> Thanks
> 
> -----
> Matthew Francis
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
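Added example, not part of the thread: a small Python triage script for an alert flood like the one Matthew quoted. It parses the Snort syslog alert layout shown in his log (rule alerts with `[gid:sid:rev]` and the spp_http_decode / WEB-../.. preprocessor alerts), groups alerts per attacking host, counts distinct source ports and signatures, and estimates the rate per minute. The sample lines, the 192.0.2.x / 198.51.100.x addresses and the `flag_scanners` thresholds are constructed assumptions, not data from the list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort syslog alert layout quoted above: DATE TIME facility {sensor} snort[pid]: MSG: SRC:PORT -> DST:PORT
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d-\d{4})\t(?P<time>\d\d:\d\d:\d\d)\t\S+\t"
    r"\{(?P<sensor>[^}]+)\}\t\s*snort\[\d+\]:\s*(?P<msg>.*?):\s*"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)
# Rule alerts read "[gid:sid:rev] name [Classification: ...]"; preprocessor alerts are free text.
SIG_RE = re.compile(r"^\[\d+:(?P<sid>\d+):\d+\]\s+(?P<name>.*?)\s*\[Classification:")

# Constructed sample (192.0.2.x and 198.51.100.x stand in for the thread's placeholders).
SAMPLE = """\
18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain] [Priority: 8]: 192.0.2.10:1264 -> 198.51.100.5:80
18-09-2001\t15:13:55\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:970:1]  WEB-IIS multiple decode attempt [Classification: Attempted User Privilege Gain] [Priority: 8]: 192.0.2.10:1287 -> 198.51.100.5:80
18-09-2001\t15:13:56\tSystem0.Alert\t{IDS 2}\t   snort[1472]: spp_http_decode: IIS Unicode attack detected: 192.0.2.10:1316 -> 198.51.100.5:80
18-09-2001\t15:14:30\tAuth.Alert\t{IDS 1}\tsnort[846]: [1:1002:1]  WEB-IIS cmd.exe access [Classification: Attempted User Privilege Gain] [Priority: 8]: 192.0.2.77:2001 -> 198.51.100.5:80
Sep 18 15:14:31 gw kernel: unrelated syslog noise
""".splitlines()

def parse_alert(line):
    """Return the fields of one Snort alert line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d-%m-%Y %H:%M:%S")
    sig = SIG_RE.match(rec["msg"])
    rec["sig"] = f"sid:{sig['sid']} {sig['name']}" if sig else rec["msg"]
    return rec

def summarise(lines):
    """Per source IP: alert count, distinct source ports (one per connection), signatures, rate/min."""
    by_src = defaultdict(lambda: {"alerts": 0, "ports": set(), "sigs": set(), "times": []})
    for rec in filter(None, map(parse_alert, lines)):
        s = by_src[rec["src"]]
        s["alerts"] += 1
        s["ports"].add(int(rec["sport"]))
        s["sigs"].add(rec["sig"])
        s["times"].append(rec["when"])
    for s in by_src.values():
        span = max((max(s["times"]) - min(s["times"])).total_seconds(), 1.0)  # clamp so a lone alert is not /0
        s["per_minute"] = round(s["alerts"] * 60 / span, 1)
    return dict(by_src)

def flag_scanners(summary, min_sigs=3, min_ports=3):
    """Sources that tripped several different signatures across several connections: the burst pattern in the quoted log."""
    return sorted(ip for ip, s in summary.items() if len(s["sigs"]) >= min_sigs and len(s["ports"]) >= min_ports)
```

Feed it the raw syslog file (`summarise(open(path))`) and the per-host summary separates a host producing the quoted burst from a single stray alert.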