[Snort-users] Is someone hacking?

Matt Kettler mkettler at ...4108...
Wed Jan 2 08:34:10 EST 2002

What you saw is typically what happens when code red and similar derived 
worms attempt to infect a webserver. Some manual "hack in" scripts use 
these techniques as well. I typically see these at a rate of about 2 a week 
against a webserver (which is not vulnerable), sometimes more, sometimes less.

So it is clear an attempt was made to infect your server, but that does not 
mean it was successful.

If your webserver server is Microsoft IIS based and has not had IIS patches 
applied for quite a while (8 months or so),  you've likely been hit by code 
red or some other worm. The directory traversal holes used by this worm are 
quite old so if you patched IIS recently you should be fine. Be aware that 
windows update does not patch IIS, those updates must be manually 
downloaded from Microsoft's website, or received on CD via technet 
(downloads are my recommendation, CDs take too long to arrive).

If your server is up-to-date, or non-windows based, you're likely fine. If 
you are not sure, look up info on the worm at your favorite anti-virus or 
security website (norton,McAfee, securityportal.com, etc) and check.

Even if you aren't infected, you should probably check for updates to your 
servers OS and webserver, if for no other reason than peace of mind. And 
check back regularly for future updates. After all, there's a reason they 
say security is a process not just a product.

At 11:44 AM 1/2/2002 +0100, you wrote:

>I get a lot of alerts like this: WEB-IIS cmd.exe access and like this 
>WEB-IIS CodeRed v2 root.exe access. How will I know if the server has been 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20020102/44e57ad5/attachment.html>

More information about the Snort-users mailing list