[Snort-users] (no subject)

Jeff Anderson janderso at ...3530...
Thu Sep 20 09:38:04 EDT 2001


Hi all,

That sounds right to me.  Assuming that the machine has been infected with
one of the IIS exploits, and now it is trying to infect other hosts, you
wouldn't see anything in the Proxy logs about it since IIS will be sitting
on the external interface.  Proxy should really only see traffic between the
internal and external interface.  Check the web logs, it'll be there.

Good luck,
Jeff Anderson
CS Manager
jeff at ...3530...


-----Original Message-----
From: richard [mailto:csraw at ...3480...]
Sent: Thursday, September 20, 2001 9:20 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] (no subject)


I am far from being a professional about any of this, so if anyone sees a
mistake in what I say please correct me so I can learn. If you are
running IIS, it appears to me that your computer is/was infected
with Nimda and it is sending out to try to infect other IIS computers.

On Thu, 2001-09-20 at 06:40, Thomas Nilsen wrote:
> I've set up monitoring of outgoing cmd.exe/root.exe traffic on port 80. But
> I'm not quite sure how to interpret these logs.
> 
> The traffic is leaving our network and entering on port 80 on the
> destination. What is so strange is that the traffic is leaving from our
> proxy server. But I cannot find anything in the proxy log with reference to
> root.exe or cmd.exe... Any ideas anyone??
> 
> 000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C   GET /scripts/..\
> 010 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
> 020 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
> 030 : 20 72 20 63 2B 64 69 72 20 48 54 54 50 2F 31 2E    r c+dir HTTP/1.
> 040 : 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F   0..Host: www..Co
> 050 : 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65   nnnection: close
> 060 : 0D 0A 0D 0A 65 63 74 69 6F 6E 3A 20 63 6C 6F 73   ....ection: clos
> 070 : 65 0D 0A 0D 0A 2B 30 32 30 30 0D 0A 52 65 63 65   e....+0200..Rece
> 080 : 69 76 65 64 3A 20 66 72 6F 6D 20 73 74 61 74 6F   ived: from stato
> 090 : 69 6C 2E 6E 6F 20 28 6D 61 69 6C 68 6F 73 74 2E   il.no (mailhost.
> 0a0 : 73 74 61 74 6F 69 6C 2E 6E 6F 20 5B 31 34 33 2E   statoil.no [143.
> 0b0 : 39 37 2E 32 30 2E 31 30 39 5D 29 0D 0A 09 62 79   97.20.109])...by
> 0c0 : 20 6D 61 69 6C 77 61 6C 6C 31 2E 73 74 61 74 6F    mailwall1.stato
> 0d0 : 69 6C 2E 63 6F 6D 20 28 38 2E 31 31 2E 31 2F 38   il.com (8.11.1/8
> 0e0 : 2E 31 31 2E 31 29 20 77 69 74 68 20 45 53 4D 54   .11.1) with ESMT
> 0f0 : 50 20 69 64 20 66 38 4B 42 50 48 51 32 31 36 30   P id f8KBPHQ2160
> 100 : 34 3B 0D 0A 09 54 68 75 2C 20 32 30 20 53 65 70   4;...Thu, 20 Sep
> 110 : 20 32 30 30 31 20 31 33 3A 32 35 3A 31 37 20 2B    2001 13:25:17 +
> 120 : 30 32 30 30 20 28 4D 45 54 20 44 53 54 29 0D 0A   0200 (MET DST)..
> 130 : 52 65 63 65 69 76 65 64 3A 20 66 72 6F 6D 20 73   Received: from s
> 140 : 74 66 6F 2D 6C 6E 73 6D 74 70 32 2E 73 74 61 74   tfo-lnsmtp2.stat
> 150 : 6F 69 6C 2E 6E 6F 20 28 73 74 66 6F 2D 6C 6E 73   oil.no (stfo-lns
> 160 : 6D 74 70 32 2E 73 74 2E 73 74 61 74 6F 69 6C 2E   mtp2.st.statoil.
> 170 : 6E 6F 20 5B 31 34 33 2E 39 37 2E 32 30 2E 31 34   no [143.97.20.14
> 180 : 39 5D 29 0D 0A 09 62 79 20 73 74 61 74 6F 69 6C   9])...by statoil
> 190 : 2E 6E 6F 20 28 38 2E 31 30 2E 30 2F 38 2E 31 30   .no (8.10.0/8.10
> 1a0 : 2E 30 29 20 77 69 74 68 20 53 4D 54 50 20 69 64   .0) with SMTP id
> 1b0 : 20 66 38 4B 42 50 46 78 30 35 39 31 32 3B 0D 0A    f8KBPFx05912;..
> 1c0 : 09 54 68 75 2C 20 32 30 20 53 65 70 20 32 30 30   .Thu, 20 Sep 200
> 1d0 : 31 20 31 33 3A 32 35 3A 31 35 20 2B 30 32 30 30   1 13:25:15 +0200
> 1e0 : 20 28 4D 45 54 20 44 53 54 29 0D 0A 52 65 63 65    (MET DST)..Rece
> 1f0 : 69 76 65 64 3A 20 62 79 20 73 74 66 6F 2D 6C 6E   ived: by stfo-ln
> 200 : 73 6D 74 70 32 2E 73 74 61 74 6F 69 6C 2E 6E 6F   smtp2.statoil.no
> 210 : 28 4C 6F 74 75 73                                 (Lotus
> 
> Best Regards,
> Thomas Nilsen
> Kverneland IT AS
> Phone: +47 5142 9463 - Mobile: +47 991 55 001
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

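As an added example (not code from anyone in this thread), the following Python rebuilds the HTTP request from the quoted Snort hex dump and applies the same check to IIS W3C web log lines, which is where Jeff suggests the evidence will be. The dump excerpt is the one quoted above; the IIS log lines and their field set are constructed for the example.

```python
import re
from itertools import takewhile
from urllib.parse import unquote
# Constructed sample: the first five dump lines quoted in the thread (offset : hex bytes   ascii)
DUMP = """\
000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C   GET /scripts/..\\
010 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
020 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
030 : 20 72 20 63 2B 64 69 72 20 48 54 54 50 2F 31 2E    r c+dir HTTP/1.
040 : 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F   0..Host: www..Co
"""
# Constructed IIS W3C log excerpt (field set assumed): the probe URL-encoded, a root.exe request, a normal hit
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-20 07:25:15 192.0.2.10 GET /index.htm - 200
2001-09-20 07:25:17 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-20 07:25:18 192.0.2.11 GET /scripts/root.exe /c+dir 404
"""
INDICATORS = ("cmd.exe", "root.exe")
def dump_to_bytes(dump):
    """Rebuild the raw payload; at most 16 hex pairs per line, so the ASCII column is never read as data."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.partition(":")[2].split()[:16]
        out.extend(int(t, 16) for t in takewhile(lambda t: re.fullmatch(r"[0-9A-Fa-f]{2}", t), tokens))
    return bytes(out)

def request_path(payload):
    """Path of the HTTP request line at the start of the payload, query string stripped."""
    line = payload.partition(b"\r\n")[0].decode("latin-1")
    return line.split()[1].split("?", 1)[0]
def classify_uri(uri_stem):
    """(indicator, traversal): executable the path names, and whether it escapes the web root once URL-decoded with backslashes read as '/'."""
    path = unquote(uri_stem).lower().replace("\\", "/")
    indicator = next((i for i in INDICATORS if path.endswith("/" + i)), None)
    return indicator, "/../" in path

def scan_iis_log(text):
    """(time, client, indicator, traversal) per hit; columns are taken from the #Fields header."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            indicator, traversal = classify_uri(rec["cs-uri-stem"])
            if indicator:
                hits.append((rec["time"], rec["c-ip"], indicator, traversal))
    return hits
```

Run against a real IIS log, the hits give the client address and time of each probe, which is what lets an infected host be identified from the web server side even though the proxy log stays empty.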
