RE: [Snort-sigs] Outbound string contains c m d.exe, but from where?

Mike
Thu Nov 23 16:36:19 EST 2017


Gregory,
Since the source of your packets is the same (209.128.247:%PORT%)... What is that IP? Is it one of your IPs? Also I have seen this rule triggered quite a lot with Exchange Web Mail. Do you have Web Mail Servers on your Net? My snort gets really pissed off whenever I read my snort mail over the web!

Mike

-----Original Message-----
From: Noller, Gregory [mailto:Noller2G at ...4290...]
Sent: Thursday, January 24, 2002 10:17 AM
To: snort-sigs at lists.sourceforge.net; 'snort-users at lists.sourceforge.net'
Subject: [Snort-sigs] Outbound string contains c m d.exe, but from where?


Oh great wizards of snort.... are any of you seeing outbound c m d . e x e
where it ought not to be?

I am seeing the following string in some infrequent packets exiting my NAT
router that sits in front of my outbound proxy array:

From Demarc:

WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2049 > 63.211.210.20:80

And the payload:

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0

pient


------_=_NextPart_000_01C1A4A9.A9555B3A
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Message-ID: <000028f11612$00006023$00001ac7@>
From: JJNSYMWLY at ...4663...
Subject: For The Price Of A Cup Of Coffee... 6855
Date: Mon, 21 Jan 2002 06:30:13 -0600
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-MS-Embedded-Report: 
Content-Type: text/plain; 
 charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

(remainder of the email message deleted for brevity)

The payload always contains the same first line, then an email message.

Another one (they are always different):

WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:2366 > 63.211.210.20:80

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0

r at ...4664...>
RCPT TO:<someone at my network>
DATA
Received: from lrkxf.msn.com (burton-2.net.excite.com [199.172.146.149]) by
adsl.pacbell.neet with SMTP (Microsoft Exchange Internet Mail Service
Version 5.5.2653.13)
.id DPA4KJQ6; Thu, 24 Jan 2002 01:46:50 -0800
From: 101054br at ...4664...
To: lke at ...131...
Reply-To: gwennduane3 at ...2975...
Subject: Don't suffer in debt any more, info inside.
[pv3qp]
Content-type: text/html; charset=ISO-8859-1

This one has no email with it, and goes to a different destination address:

WEB-IIS outbound c m d.exe access  TCP NET.209.128.247:6777 > 63.240.26.86:80

GET /scripts/..%c../winnt/system32/c m d.exe?/c+dir dir HTTP/1.0 1.0
HTTP/1.0
Via: 1.0 PROXY4, 1.0 PROXY1
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; 04162001; Q312461)
Host: 63.240.26.86
Accept: */*
Accept-Language: en-us

As these are outbound, outside my proxy and NAT router, I cannot determine
where they are coming from inside my network. So, being real smart like I
am, I set up another snort box inside my ProxyArray watching all traffic
passing through the proxy (proxies are configured for outbound only and
hardened) so as to catch the outbound string and see the real source
address.

Bingo, this morning I see outbound traffic (above three packets) and go
check my inside snort: nothing. I test it and the inside snort works fine
catching anything in any direction or network that contains c m d . e x e
(I've added spaces so as to not set off any alarms you may have in place).
These packets for all the world are not originating inside my proxies, but
contain mail destined to or from users on my network. It all happens on
port 80, not 25, so it's not an SMTP thing.

See below for how I'm configured...

Thanks Marty, for this great tool.


Here is how I start snort from /etc/init.d/snortd (start/stop):

/usr/local/snort/bin/snort -D -I -i eth1 -o -l /usr/local/snort/logs -c /usr/local/snort/bin/snort.conf

Here is my snort.conf:

var HOME_NET [net.209.128.0/24,net.209.129.0/24,net.209.160.0/24,net.184.244.0/24,net.168.11.0/24,net.94.207.66/32,net.15.7.5/32]
var EXTERNAL_NET !$HOME_NET
var SMTP any
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET

preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor portscan-ignorehosts: $DNS_SERVERS

output database: log, mysql, user=(obfuscated) password=(obfuscated) dbname=(obfuscated) host=(obfuscated)

include classification.config

(the only include that matters to this question: include web-iis.rules)


Here is my rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"WEB-IIS outbound c m d.exe access"; flags: A+; content:"c m d.exe"; nocase;)


Gregory Noller
Senior IT Security Technologist
Technology Risk Services
Koch Business Solutions LP
Wichita, Kansas

(316) 828-7725
(316) 214-7057 (Cellular)


_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs



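A triage script for alerts like the three above, added here as an example; it is not part of Gregory's or Mike's posts. It takes an alert line in the Demarc-style format quoted in the thread plus the packet payload, and reports whether cmd.exe sits in the request URI (which, after %-decoding, is the IIS directory-traversal pattern) or only in the body, whether the body is RFC 822 mail material, and which Via: proxy hops the request already carries. The sample inputs are constructed from the three posted packets (with the spaces Gregory inserted into cmd.exe removed, since the match needs the literal string) plus a fourth, made-up webmail request that illustrates Mike's point; the path, host and addresses in that fourth sample are invented.

```python
"""Triage Snort alerts that matched "cmd.exe" in outbound HTTP.

Added example, not code from the thread. For an alert line in the
Demarc-style format quoted in the post plus the packet payload, report
where the string sits (request URI or body), whether the body is
RFC 822 mail, and which Via: proxy hops the request already carries.
"""
import re
from urllib.parse import unquote

# "MSG  PROTO SRC:PORT > DST:PORT", as printed by the Demarc console.
ALERT_RE = re.compile(
    r"^(?P<msg>.+?)\s{2,}(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s*>\s*(?P<dst>\S+?):(?P<dport>\d+)$"
)
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)")
# Parent-directory traversal ending in the IIS command shell (after %-decoding).
TRAVERSAL_RE = re.compile(r"\.\..*?winnt/system32/cmd\.exe", re.I)
# Header names, SMTP verbs and MIME boundaries that mark mail material.
MAIL_RE = re.compile(
    r"^(?:Received|From|To|Subject|Message-ID|Reply-To|MIME-Version|X-Mailer):"
    r"|^(?:RCPT TO|MAIL FROM|DATA)\b|^------_=_NextPart",
    re.I | re.M,
)

# Constructed samples modelled on the three packets in the thread (with the
# spaces Gregory put into "cmd.exe" removed) plus an invented webmail request.
SAMPLES = [
    ("WEB-IIS outbound cmd.exe access  TCP NET.209.128.247:2049 > 63.211.210.20:80",
     "GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0\n\npient\n\n"
     "------_=_NextPart_000_01C1A4A9.A9555B3A\nContent-Type: message/rfc822\n\n"
     "From: JJNSYMWLY at ...4663...\nSubject: For The Price Of A Cup Of Coffee... 6855\n"),
    ("WEB-IIS outbound cmd.exe access  TCP NET.209.128.247:2366 > 63.211.210.20:80",
     "GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0\n\n"
     "RCPT TO:<someone at my network>\nDATA\n"
     "Received: from lrkxf.msn.com (burton-2.net.excite.com [199.172.146.149]) by\n"
     "From: 101054br at ...4664...\nSubject: Don't suffer in debt any more, info inside.\n"),
    ("WEB-IIS outbound cmd.exe access  TCP NET.209.128.247:6777 > 63.240.26.86:80",
     "GET /scripts/..%c../winnt/system32/cmd.exe?/c+dir dir HTTP/1.0\n"
     "Via: 1.0 PROXY4, 1.0 PROXY1\nConnection: Keep-Alive\n"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0; 04162001; Q312461)\n"
     "Host: 63.240.26.86\nAccept: */*\nAccept-Language: en-us\n\n"),
    # Invented webmail read (Mike's case): the string is only in the mail being viewed.
    ("WEB-IIS outbound cmd.exe access  TCP NET.209.128.247:1234 > 192.0.2.10:80",
     "POST /webmail/read HTTP/1.0\nHost: 192.0.2.10\n\n"
     "From: snort at sensor.example\nSubject: [Snort-sigs] cmd.exe alerts\n\n"
     "GET /scripts/../winnt/system32/cmd.exe?/c+dir seen at 01:46\n"),
]


def parse_alert_line(line):
    """Split 'MSG  PROTO SRC:PORT > DST:PORT' into its fields."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def triage(alert_line, payload):
    """Locate the cmd.exe match and classify what the payload really is."""
    info = parse_alert_line(alert_line)
    lines = payload.splitlines()
    request = REQUEST_RE.match(lines[0]) if lines else None
    uri = unquote(request.group("uri")) if request else ""
    # HTTP headers run from the second line to the first blank line.
    headers = {}
    for raw in lines[1:]:
        if not raw.strip():
            break
        name, sep, value = raw.partition(":")
        if sep and " " not in name:
            headers[name.lower()] = value.strip()
    rest = "\n".join(lines[1:])
    info.update(
        uri=uri,
        uri_hit="cmd.exe" in uri.lower(),
        traversal=bool(TRAVERSAL_RE.search(uri)),
        body_hit="cmd.exe" in rest.lower(),
        mail_body=bool(MAIL_RE.search(rest)),
        via=[h.strip() for h in headers.get("via", "").split(",") if h.strip()],
        host=headers.get("host"),
    )
    if info["traversal"] and info["mail_body"]:
        info["verdict"] = "traversal-line-then-mail"
    elif info["traversal"]:
        info["verdict"] = "iis-traversal-request"
    elif info["body_hit"] and info["mail_body"]:
        info["verdict"] = "string-only-in-mail-body"
    else:
        info["verdict"] = "other"
    return info


def summarize(samples=SAMPLES):
    """Return (src:port, dst:port, verdict, via-hops) for each sample."""
    out = []
    for alert_line, payload in samples:
        r = triage(alert_line, payload)
        out.append(("%s:%d" % (r["src"], r["sport"]),
                    "%s:%d" % (r["dst"], r["dport"]), r["verdict"], r["via"]))
    return out


if __name__ == "__main__":
    for row in summarize():
        print(*row)
```

Run stand-alone it prints one verdict per sample: the first two posted packets come out as a traversal request line followed by mail, the third as a plain traversal request that already carries two Via: hops, and the invented webmail request as a hit that lives only in the mail body. The reason the posted rule fires on mail text at all is that `content:"cmd.exe"; nocase;` matches anywhere in the packet payload; Snort's `uricontent` keyword, which matches only against the request URI normalised by the http_decode preprocessor the posted snort.conf already loads, is the way to confine that rule to the request line.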
