[Snort-users] cmd.exe? in packets that look normal

Paul Schmehl pauls at ...6838...
Thu Jul 10 15:40:18 EDT 2003


I rewrote the rule that looks for cmd.exe (sid:1002 in web-iis.rules) to 
look for outgoing traffic *from* our network, and I changed the content 
from "cmd.exe" to "cmd.exe?" to lessen the FPs.

This rule now works very well for catching boxes on our network that get 
infected with Code Red or Nimda - mostly from our student residences.

However, I'm seeing a lot of packets like this (yes, I know "a lot" is a 
relative term), in fact, *most* of the packets that trip this rule look 
like this (I munged the src ip):

length = 536

HEAD /msadc/..%c
1%af../winnt/sys
tem32/cmd.exe?/c
+dir+c:\ HTTP/1.
0..Host: 129.110
.xxx.xxx....29.11
0.29.28....atap_
chandran..5..sha
ilendra_..14..ok
..97..1..63..;0.
.64..GET /images
/bullet.gif HTTP
/1.1..Accept: */
*..Referer: http
://www.univision
.com/content/cha
nnel.jhtml;jsess
ionid=QV5I1RKHBE
BQCCWIAAOCFFIKZA
ABWIWC?chid=6&sc
hid=0..Accept-La
nguage: es-mx..A
ccept-Encoding:
gzip, deflate..U
ser-Agent: Mozil
la/4.0 (compatib
le; MSIE 5.01; W
indows 98)..Host
: www.univision.
com..Connection:
Keep-Alive..Coo
kie: q=49503d313
2392e3131302e343
02e31323

Aside from the obvious, these look like perfectly normal web sessions.  Is 
anyone else seeing this?  Anyone have any ideas what it is?  It's too 
random to really be Code Red/Nimda, but it's an obvious Code Red/Nimda sig. 
Is this something retained in memory that ends up in a packet going out? 
Infected boxes usually spew hundreds of these, but these just show up here 
and there, from different IPs all over our network.

And before anyone asks, yes, this box is running IIS 5.0, and yes it's 
completely patched.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
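The following is an added example, not part of Paul's post and not Snort's own rule engine. It reproduces the logic of the rewritten rule in plain Python so the two points in the post can be seen on data: matching only on traffic whose source is inside the site's network, and tightening the content from "cmd.exe" to "cmd.exe?". The payload is a constructed sample modelled on the dump above (the dump renders CR/LF as "."), HOME_NET is assumed to be 129.110.0.0/16 from the Host line shown, the destination side is treated as "any" like a default $EXTERNAL_NET, and matching is case-insensitive as a Snort content match with nocase would be. It also splits the payload into its individual HTTP requests, which makes visible that the dump carries two back-to-back requests, one probe and one ordinary image fetch.

```python
import ipaddress
import re

# Assumption: the site's address block; the post shows hosts under 129.110.x.x.
HOME_NET = ipaddress.ip_network("129.110.0.0/16")

# Constructed sample payload modelled on the dump in the post: a Code Red /
# Nimda-style HEAD request followed by an unrelated GET for an image.
SAMPLE_PAYLOAD = (
    b"HEAD /msadc/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0\r\n"
    b"Host: 129.110.1.2\r\n"
    b"\r\n"
    b"GET /images/bullet.gif HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.univision.com/content/channel.jhtml?chid=6\r\n"
    b"Accept-Language: es-mx\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)\r\n"
    b"Host: www.univision.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

LOOSE_CONTENT = "cmd.exe"    # content of the stock sid:1002 rule
STRICT_CONTENT = "cmd.exe?"  # the tightened content from the post

# An HTTP request line: METHOD SP URI SP HTTP/1.x, terminated by CR LF.
# Header lines such as "Referer: http://..." do not match because the
# token after the first space must be followed by " HTTP/1.x".
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?$", re.M)


def split_requests(payload: bytes):
    """Return every (method, uri) request line in the payload, in order."""
    return [
        (m.group(1).decode("ascii"), m.group(2).decode("latin-1"))
        for m in REQUEST_LINE.finditer(payload)
    ]


def uri_hits(uri: str, content: str = STRICT_CONTENT) -> bool:
    """Case-insensitive substring test, mirroring content:"..."; nocase;."""
    return content.lower() in uri.lower()


def outbound_cmd_exe_hits(src_ip: str, dst_ip: str, payload: bytes,
                          content: str = STRICT_CONTENT):
    """Apply the rewritten rule: only packets whose source is in HOME_NET are
    considered (destination treated as any); each request in the payload whose
    URI carries the content string is reported as (method, uri)."""
    if ipaddress.ip_address(src_ip) not in HOME_NET:
        return []
    ipaddress.ip_address(dst_ip)  # validate only; destination is "any"
    return [(method, uri) for method, uri in split_requests(payload)
            if uri_hits(uri, content)]


if __name__ == "__main__":
    # Constructed addresses: an internal source sending to an outside host.
    for method, uri in outbound_cmd_exe_hits("129.110.50.7", "192.0.2.10",
                                             SAMPLE_PAYLOAD):
        print(f"ALERT outbound {method} {uri}")
    # The same payload seen arriving from outside is ignored by this rule.
    print(outbound_cmd_exe_hits("192.0.2.10", "129.110.50.7", SAMPLE_PAYLOAD))
```

Running it prints one alert for the HEAD request and an empty list for the inbound direction; the benign GET in the same payload is never flagged. The last check in the test below shows what the "?" buys: a URI such as /docs/cmd.exe.html trips the loose content but not the strict one, which is the false-positive class the post set out to reduce.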