[Snort-users] Re: [Snort-sigs] Outbound string contains c m d.exe, but from where?

John Adams jadams at ...4670...
Thu Jan 24 10:33:02 EST 2002


The source IP of that packet points to an infected NIMDA host. Take it
offline ASAP before it infects someone else.

-john

On Thu, 24 Jan 2002, Noller, Gregory wrote:

> Oh great wizards of snort....are any of you seeing outbound c m d . e x e
> where it ought not to be?
> 
> 
> I am seeing the following string in some infrequent packets exiting my nat
> router that sits in front of my outbound proxy array:
> 
> From Demarc:
> 
> WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2049  > 63.211.210.20:80
> 
> And the payload:
> 
> GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0
> 
> pient
> 
> 
> 
> ------_=_NextPart_000_01C1A4A9.A9555B3A
> Content-Type: message/rfc822
> Content-Transfer-Encoding: 7bit
> 
> Message-ID: <000028f11612$00006023$00001ac7@>
> From: JJNSYMWLY at ...4663...
> Subject: For The Price Of A Cup Of Coffee... 6855
> Date: Mon, 21 Jan 2002 06:30:13 -0600
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> X-MS-Embedded-Report: 
> Content-Type: text/plain; 
>  charset=iso-8859-1
> Content-Transfer-Encoding: quoted-printable
> 
>  =20
> (remainder of the email message deleted for brevity)
> 
> The payload always contains the same first line, then an email message.
> 
> Another one (they are always different):
> 
> WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2366  > 63.211.210.20:80
> 
> GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0
> 
> r at ...4664...>
> RCPT TO:<someone at my netowrk>
> DATA
> Received: from lrkxf.msn.com (burton-2.net.excite.com [199.172.146.149]) by
> adsl.pacbell.neet with SMTP (Microsoft Exchange Internet Mail Service
> Version 5.5.2653.13)
> .id DPA4KJQ6; Thu, 24 Jan 2002 01:46:50 -0800
> From: 101054br at ...4664...
> To: lke at ...131...
> Reply-To: gwennduane3 at ...2975...
> Subject: Don't suffer in debt any more, info inside.
> [pv3qp]
> Content-type: text/html; charset=ISO-8859-1
> 
> This one has no email with it, and goes to a different destination address:
> 
> 
> WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:6777  > 63.240.26.86:80
> 
> GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0 1.0
> HTTP/1.0
> Via: 1.0 PROXY4, 1.0 PROXY1
> Connection: Keep-Alive
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; 04162001;
> Q312461)
> Host: 63.240.26.86
> Accept: */*
> Accept-Language: en-us
> 
> As these are outbound, outside my proxy and nat router, I cannot determine
> where they are coming from inside my network.  So being real smart like I
> am, I set up another snort box inside my ProxyArray watching all traffic
> passing through the proxy (proxies are configured for outbound only and
> hardened) so as to catch the outbound string and see the real source
> address.
> 
> Bingo, this morning I see outbound traffic (above three packets) and go
> check my inside snort, nothing.  I test it and the inside snort works fine
> catching anything in any direction or network that contains c m d . e x e
> (I've added spaces so as to not set off any alarms you may have in place).
> These packets for all the world are not originating inside my proxies, but
> contain mail destined to or from users on my network.  It all happens on
> port 80, not 25, so it's not an smtp thing.
> 
> See below for how I'm configured...
> 
> Thanks Marty, for this great tool.
> 
> 
> 
> Here is how I start snort from /etc/init.d/snortd (start/stop)
> 
> /usr/local/snort/bin/snort -D -I -i eth1 -o -l /usr/local/snort/logs -c /usr/local/snort/bin/snort.conf
> 
> Here is my snort.conf:
> 
> var HOME_NET [net.209.128.0/24,net.209.129.0/24,net.209.160.0/24,net.184.244.0/24,net.168.11.0/24,net.94.207.66/32,net.15.7.5/32]
> 
> var EXTERNAL_NET !$HOME_NET
> 
> var SMTP any
> 
> var HTTP_SERVERS $HOME_NET
> 
> var SQL_SERVERS $HOME_NET
> 
> var DNS_SERVERS $HOME_NET
> 
> preprocessor frag2
> 
> preprocessor stream4: detect_scans
> 
> preprocessor stream4_reassemble
> 
> preprocessor http_decode: 80 -unicode -cginull
> 
> preprocessor rpc_decode: 111
> 
> preprocessor bo: -nobrute
> 
> preprocessor telnet_decode
> 
> preprocessor portscan: $HOME_NET 4 3 portscan.log
> 
> preprocessor portscan-ignorehosts: $DNS_SERVERS
> 
> output database: log, mysql, user=(obfuscated) password=(obfuscated)
> dbname=(obfuscated) host=(obfuscated)
> 
> include classification.config
> 
> (the only include that matters to this question:  include web-iis.rules)
> 
> 
> Here is my rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-IIS outbound c m d.exe access"; flags: A+; content:"c m d.exe"; nocase;)
> 
> 
> 
> Gregory Noller
> Senior IT Security Technologist
> Technology Risk Services
> Koch Business Solutions LP
> Wichita, Kansas
> 
> (316) 828-7725
> (316) 214-7057 (Cellular)
> 
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

-- 
John Adams         . Sr. Security Engineer . Inktomi Corporation
jadams at ...4670... .  Security Operations  . FC 2.2.36
650-653-4611(desk) .  650-888-1167 (cell)  . 650.653.5454(fax)
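As an added illustration that is not part of this thread, the Python sketch below re-implements what Gregory's rule and the http_decode preprocessor do on the captured requests, so the same decision can be reproduced offline: a direction check against HOME_NET, URL-decoding of the request path (done twice, since double-encoded traversal variants existed), and a case-insensitive match on cmd.exe. It also pulls the Via header out of the third packet, which records the proxy hops a request crossed (RFC 2616 section 14.45) and is the one origin hint that survives NAT in the captured bytes. The HOME_NET prefixes use 10.x in place of the obfuscated first octet, the packets are reconstructed from the post with the poster's inserted spaces removed, and the benign and inbound entries are constructed for contrast; none of these values come from the thread's real network.

```python
"""Offline re-implementation of the poster's outbound cmd.exe rule (added
example, not code from the thread).  Placeholder addresses throughout."""
import ipaddress
import re
from urllib.parse import unquote

# Constructed stand-in for the poster's HOME_NET: the thread obfuscates the
# first octet as "net.", so 10.x is used here as a placeholder.
HOME_NET = [ipaddress.ip_network(n) for n in (
    "10.209.128.0/24", "10.209.129.0/24", "10.209.160.0/24")]

# (src, sport, dst, dport, payload), reconstructed from the three alerts in
# the post (spaces in "c m d.exe" removed), plus two constructed packets.
SAMPLE_PACKETS = [
    ("10.209.128.247", 2049, "63.211.210.20", 80,
     "GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0\r\n\r\n"
     "(email body followed in the capture)"),
    ("10.209.128.247", 6777, "63.240.26.86", 80,
     "GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0\r\n"
     "Via: 1.0 PROXY4, 1.0 PROXY1\r\n"
     "Host: 63.240.26.86\r\n\r\n"),
    # Constructed benign request: must not alert.
    ("10.209.128.10", 3333, "198.51.100.7", 80,
     "GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n"),
    # Constructed inbound copy of the same request line: the rule's
    # $HOME_NET -> $EXTERNAL_NET direction excludes it.
    ("198.51.100.7", 4444, "10.209.128.10", 80,
     "GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
]


def in_home_net(ip):
    """True if ip falls inside any HOME_NET prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def normalize_uri(raw):
    """Approximate http_decode -unicode: URL-decode twice (double-encoded
    separators such as %255c were a known evasion), fold backslashes to
    forward slashes, and lowercase so the content match is case-insensitive."""
    s = raw
    for _ in range(2):
        s = unquote(s)
    return s.replace("\\", "/").lower()


def parse_via(payload):
    """Return the received-by tokens from a Via header, outermost hop first.
    An empty list means no proxy recorded itself in the request."""
    m = re.search(r"^Via:\s*(.+?)\r?$", payload, re.M | re.I)
    if not m:
        return []
    # Each hop is "protocol-version received-by"; keep the received-by part.
    return [hop.strip().split()[-1] for hop in m.group(1).split(",")]


def match_outbound_cmd(src, sport, dst, dport, payload):
    """Mirror of the poster's rule:
    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (content:"cmd.exe"; nocase;)
    with decoding applied to the request path.  Returns an alert dict or None."""
    if dport != 80 or not in_home_net(src) or in_home_net(dst):
        return None
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    uri = normalize_uri(parts[1])
    if "cmd.exe" not in uri:
        return None
    return {
        "msg": "WEB-IIS outbound cmd.exe access",
        "src": src, "sport": sport, "dst": dst,
        "uri": uri,
        "via": parse_via(payload),   # proxy hops, if the proxies recorded them
    }


def scan(packets):
    """Run the rule over a packet list and return the alerts raised."""
    return [a for a in (match_outbound_cmd(*p) for p in packets) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Run as a script it prints two alerts, one for each outbound packet; the second alert's `via` list names PROXY4 and PROXY1, the hops the request traversed before the outside sensor saw it, while the first carries no Via header at all. That difference is exactly the kind of detail worth checking when the post-NAT source address cannot identify the origin host.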