No subject


Thu Nov 23 16:36:19 EST 2017


WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2049  > 63.211.210.20:80

And the payload:

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0

pient



------_=_NextPart_000_01C1A4A9.A9555B3A
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Message-ID: <000028f11612$00006023$00001ac7@>
From: JJNSYMWLY at ...4663...
Subject: For The Price Of A Cup Of Coffee... 6855
Date: Mon, 21 Jan 2002 06:30:13 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report: 
Content-Type: text/plain; 
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

 =20
(remainder of the email message deleted for brevity)

The payload always contains the same first line, then an email message.

Another one (they are always different):

WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2366  > 63.211.210.20:80

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0

r at ...4664...>
RCPT TO:<someone at my netowrk>
DATA
Received: from lrkxf.msn.com (burton-2.net.excite.com [199.172.146.149]) by
adsl.pacbell.neet with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2653.13)
.id DPA4KJQ6; Thu, 24 Jan 2002 01:46:50 -0800
From: 101054br at ...4664...
To: lke at ...131...
Reply-To: gwennduane3 at ...2975...
Subject: Don't suffer in debt any more, info inside.
[pv3qp]
Content-type: text/html; charset=ISO-8859-1

This one has no email with it, and goes to a different destination address:


WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:6777  > 63.240.26.86:80

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0 1.0
HTTP/1.0
Via: 1.0 PROXY4, 1.0 PROXY1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; 04162001;
Q312461)
Host: 63.240.26.86
Accept: */*
Accept-Language: en-us

As these are outbound, outside my proxy and NAT router, I cannot determine
where they are coming from inside my network.  So being real smart like I
am, I set up another Snort box inside my ProxyArray watching all traffic
passing through the proxy (proxies are configured for outbound only and
hardened) so as to catch the outbound string and see the real source
address.

Bingo, this morning I see outbound traffic (above three packets) and go
check my inside Snort: nothing.  I test it and the inside Snort works fine,
catching anything in any direction or network that contains c m d . e x e
(I've added spaces so as to not set off any alarms you may have in place).
These packets for all the world are not originating inside my proxies, but
contain mail destined to or from users on my network.  It all happens on
port 80, not 25, so it's not an SMTP thing.

See below for how I'm configured...

Thanks Marty, for this great tool.



Here is how I start Snort from /etc/init.d/snortd (start/stop):

/usr/local/snort/bin/snort -D -I -i eth1 -o -l /usr/local/snort/logs -c /usr/local/snort/bin/snort.conf

Here is my snort.conf:

var HOME_NET [net.209.128.0/24,net.209.129.0/24,net.209.160.0/24,net.184.244.0/24,net.168.11.0/24,net.94.207.66/32,net.15.7.5/32]
var EXTERNAL_NET !$HOME_NET
var SMTP any
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

output database: log, mysql, user=(obfuscated) password=(obfuscated) dbname=(obfuscated) host=(obfuscated)

include classification.config

(the only include that matters to this question:  include web-iis.rules)


Here is my rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-IIS outbound c m d.exe access"; flags: A+; content:"c m d.exe"; nocase;)
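To see exactly which packets the rule above will and will not fire on, here is an added example (not from the post or from Snort) that mirrors the rule's semantics in Python: source in HOME_NET, destination not in HOME_NET (EXTERNAL_NET is !$HOME_NET), destination port 80, ACK bit set (flags:A+), and a case-insensitive "cmd.exe" match anywhere in the payload. The HOME_NET ranges and the sample packets are constructed stand-ins, since the real addresses are obfuscated on the page.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the post's obfuscated HOME_NET list (the real
# "net.x.y.0/24" values are not on the page); documentation ranges are used.
HOME_NET = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
ACK = 0x10  # TCP ACK bit, the "A" in flags:A+


@dataclass
class Packet:          # hypothetical minimal packet record for the demo
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def outbound_cmd_exe_alert(pkt: Packet) -> bool:
    """Mirror of: alert tcp $HOME_NET any -> $EXTERNAL_NET 80
    (flags:A+; content:"cmd.exe"; nocase;) with EXTERNAL_NET = !$HOME_NET."""
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False                      # must be home -> non-home
    if pkt.dport != 80:
        return False
    if not pkt.flags & ACK:               # A+ : ACK set, other bits ignored
        return False
    return b"cmd.exe" in pkt.payload.lower()   # nocase content match, any offset


def alerts(packets):
    return [p for p in packets if outbound_cmd_exe_alert(p)]


# Constructed samples modelled on the three captures in the post.
SAMPLES = [
    Packet("192.0.2.247", 2049, "203.0.113.20", 80, ACK,
           b"GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0\r\n"
           b"Content-Type: message/rfc822\r\n"),                # fires
    Packet("192.0.2.247", 6777, "203.0.113.86", 80, ACK | 0x08,
           b"GET /scripts/..%c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),  # fires (nocase)
    Packet("203.0.113.20", 80, "192.0.2.247", 2049, ACK,
           b"GET /scripts/../winnt/system32/cmd.exe HTTP/1.0\r\n"),   # inbound: no alert
    Packet("192.0.2.247", 2366, "203.0.113.20", 80, 0x02,
           b"GET /winnt/system32/cmd.exe HTTP/1.0\r\n"),              # SYN only: no alert
]
```

Because the content match is on the raw payload at any offset, an HTTP body (including relayed mail text) that merely mentions cmd.exe will also fire; an inside sensor running the same rule should therefore see the same packet if it really traverses that segment.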



Gregory Noller
Senior IT Security Technologist
Technology Risk Services
Koch Business Solutions LP
Wichita, Kansas

(316) 828-7725
(316) 214-7057 (Cellular)
