[Snort-users] attack

Wayne Work wwork at ...3179...
Fri Feb 22 12:31:13 EST 2002


First, is your web server logs showing the same access info.

This looks like a Virus attack. Most likely they have NO CLUE as to the
status of a server which is effecting this attack.

Might want to call and chat with Network manager to see if they are aware of
this issue. If not response or it continues, SLAM THEM.

They should have taken care of this a LONG time ago if it is truly a virus.

Wayne



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Scott
Taylor
Sent: Friday, February 22, 2002 1:53 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] attack


So what's the best thing to do with this type of attack? Turn'em in?
To who? Is there a way I can let them know that I know what their
doing? Any ideas?

Cheers,
Scott


[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:24.084478 63.204.135.168:2313 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56799 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x841E21B Ack: 0x21DA22E5 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:26.015481 63.204.135.168:2415 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57061 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x897EDD4 Ack: 0x221B03CF Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:27.841065 63.204.135.168:2484 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57309 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x8CD3F1E Ack: 0x21FF7EA1 Win: 0x4248 TcpLen: 20

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable web application]
[Priority: 2]
02/22-10:13:29.720477 63.204.135.168:2572 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57558 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9162D26 Ack: 0x22164ADC Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:31.651168 63.204.135.168:2658 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57814 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x95C4B1D Ack: 0x21AF8A4E Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:33.689744 63.204.135.168:2740 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58087 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x9A01736 Ack: 0x22220C8E Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:35.794798 63.204.135.168:2839 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58370 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9F34819 Ack: 0x2254F005 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:37.904728 63.204.135.168:2923 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58654 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA3660EC Ack: 0x22D1A6E7 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:40.239684 63.204.135.168:3022 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58965 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA882856 Ack: 0x22BD9884 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:42.598231 63.204.135.168:3126 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59278 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xADC9A9C Ack: 0x22C0BEF4 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:44.946090 63.204.135.168:3227 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59592 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xB2DF585 Ack: 0x230644E9 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:47.344817 63.204.135.168:3337 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59917 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB85E8FA Ack: 0x233A0541 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:49.826087 63.204.135.168:3440 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:60246 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xBDABDF7 Ack: 0x238A2DB3 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:52.532260 63.204.135.168:3554 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:60606 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xC37CE49 Ack: 0x22E5E0D1 Win: 0x4248 TcpLen: 20



THERE IS ONLY ONE...
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list