[Snort-users] re: Message 13

Joe Pampel
Wed Jan 2 04:44:05 EST 2002

Hi Patric:

No one is hacking per se.. This is just a virus-infected server somewhere trying to infect your IIS server (if you're running one!)
One way to see if you're infected is to add a rule which checks this traffic in either direction
to or from your web server. You should see it neither coming in nor going out. If it's coming in, you need to adjust your firewall / edge router to stop it.. if you see these packets coming from your server, it's time to go to the backup tape! If you're running Apache, have a cup of coffee, put your feet up and take a nap. :-)

If you don't want to write the snort rule(s), there are a number of detection programs offered for free
to detect the NIMDA, Code Red, etc. viruses (and vulnerability for same). Do a google on it and you'll find a bunch.

just as a general rule:
1. make sure your IIS servers are fully patched and hardened (duh, I know.. )
2. make sure your firewall is stopping this kind of rot. (Checkpoint can do it with URI resource rules, Cisco routers can do it with policy-based access lists available in more recent IOS versions). If you can't change your edge router or firewall, use a snort-based HIDS system to protect your server. I think there's a Win32-based HIDS available but I can't think of the name offhand (sorry!)
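The "either direction" check described above, as an added example that is not from the original post or from Snort itself: it URL-decodes the request URI (twice, to catch double-encoding such as %255c), matches the cmd.exe / root.exe request that the quoted alerts fire on, and classifies the hit by direction relative to the web server. Inbound hits mean "block at the edge"; outbound hits from the server mean "restore from backup". The web server address, the sample records and the Snort rule shape in the comment are all constructed assumptions.

```python
import re
from urllib.parse import unquote

# Snort-style shape of the two rules this mirrors (constructed illustration,
# SIDs are placeholders). Note the direction swap: an infected server acts
# as a client, so its probes leave from any port towards port 80 elsewhere.
#   alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"cmd.exe probe in";  content:"cmd.exe"; nocase; sid:SID_PLACEHOLDER_1;)
#   alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 80 (msg:"cmd.exe probe OUT"; content:"cmd.exe"; nocase; sid:SID_PLACEHOLDER_2;)

# Request-URI targets from the alerts in this thread: cmd.exe (via traversal)
# and root.exe (the copy of cmd.exe that Code Red II leaves behind).
PROBE_RE = re.compile(r"(cmd|root)\.exe", re.IGNORECASE)

def normalize_uri(uri: str) -> str:
    """Decode twice so ..%2f.. and ..%255c.. both become plain slashes."""
    return unquote(unquote(uri)).replace("\\", "/")

def is_probe(request_line: str) -> bool:
    """True when the HTTP request line asks for cmd.exe or root.exe."""
    parts = request_line.split()
    if len(parts) < 2:          # not a "METHOD URI VERSION" line
        return False
    return PROBE_RE.search(normalize_uri(parts[1])) is not None

def classify(server_ip: str, src: str, dst: str, request_line: str) -> str:
    """Classify one request by direction relative to our web server."""
    if not is_probe(request_line):
        return "clean"
    if src == server_ip:
        return "outbound-from-server"   # our host is probing others: assume compromise
    if dst == server_ip:
        return "inbound-probe"          # someone probing us: block at edge, check patches
    return "probe-elsewhere"            # neither side is our server

def triage(server_ip: str, records):
    """Run classify() over (src, dst, request_line) tuples, preserving order."""
    return [classify(server_ip, s, d, r) for s, d, r in records]

WEB_SERVER = "192.0.2.10"  # constructed: address of the IIS host being watched
SAMPLE = [                 # constructed records: (src, dst, first request line)
    ("198.51.100.7", "192.0.2.10", "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("192.0.2.10", "203.0.113.44", "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    ("198.51.100.8", "192.0.2.10", "GET /index.html HTTP/1.0"),
    ("198.51.100.9", "192.0.2.10", "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE, triage(WEB_SERVER, SAMPLE)):
        print(f"{rec[0]:>14} -> {rec[1]:<14} {verdict}")
```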



Message: 13
From: "Patric Svensson"
To: <snort-users at lists.sourceforge.net>
Date: Wed, 2 Jan 2002 11:44:28 +0100
Subject: [Snort-users] Is someone hacking?

I get a lot of alerts like this: WEB-IIS cmd.exe access and like this
WEB-IIS CodeRed v2 root.exe access. How will I know if the server has
been hacked?
The payload looks like this: "GET
/scripts/..%2f../winnt/system32/cmd.exe?/c+dir r HTTP/1.0..Host:
www..Connnection: close.."
for the "WEB-IIS cmd.exe access" alert. If anyone could help me with
this I would be very happy.
Patric Svensson

