Security Incidents mailing list archives
RE: strange cmd.exe access
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 31 May 2003 16:23:03 -0500
On Fri, 2003-05-30 at 17:13, Jeff Adams wrote:
What is strange is that the cmd.exe / root.exe stuff is halfway through, with some other code before it. The IP it hit was not mapped to anything (I believe it is unused), so this cannot have been part of another TCP conversation. Any ideas?

I have been seeing similar odd cmd.exe packets as well. It looks like part of a Code Red or a new variant. Anyone else seeing the same?
I reported this at the end of April, and VJay Larosa reported it the month before. These packets seem to be only the second packet from CodeRed attempts. They are completely stateless.

To test this and to capture more packets, I ran two Snort instances on the same segment/same box. One was configured to act only on established sessions (-z flag), the other on all traffic. The rules file only included a few IIS sigs; the snort.conf was identical. I had the stateful instance log into the /var/log/statefull directory, the stateless instance into /var/log/stateless. After a while I compared the two and found that the stateless directory contained a few more entries. Removing the known stateful IPs from the stateless directory, I was left with those spurious second-packet-only CodeReds.

This seemed to confirm that these are indeed stateless packets (no TCP 3-way handshake, no first data packet) and occur on the wire like that (no mistakes in IDS config/logging etc.). The majority seemed to be coming from China, but other sources were logged as well (i.e. USA, Turkey, etc.).

After capturing and staring at this for a couple of weeks, I got bored and released the packets back into the Ether. However, if you are interested in repeating the experiment with Snort, I can tar up the setup I used and mail it to you.

Regards,
Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
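The comparison step Frank describes (diff the stateless instance's alerts against the stateful one's and keep the sources that only the stateless instance saw) is easy to script. The following is an added example written for this archive page, not code posted by Frank or shipped with Snort. It assumes both instances wrote Snort "fast" alert lines; the alert lines, signature ids and RFC 5737 addresses below are constructed for illustration, not real captures. Per the message, the filter key is the source IP: any source that produced an alert on the stateful (established-sessions-only) instance is dropped from the stateless set, and whatever remains is traffic that never completed a 3-way handshake, which is what an orphaned second CodeRed packet looks like.

```python
import re
from collections import Counter

# Regex for the Snort "fast" alert format:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample alerts (not real captures). The stateful instance is the one
# started with Snort's assurance-mode flag (assumed here: "snort -z est ..."), so
# it only alerts inside established TCP sessions.
STATEFUL_ALERTS = """\
05/31-10:02:17.120034 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3421 -> 192.0.2.10:80
05/31-10:05:41.553110 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.42:1112 -> 192.0.2.10:80
"""

# The stateless instance saw everything the stateful one saw, plus two alerts
# aimed at addresses nothing is mapped to (192.0.2.250/251); those are the
# candidates for handshake-less "second packet only" probes.
STATELESS_ALERTS = """\
05/31-10:02:17.120034 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3421 -> 192.0.2.10:80
05/31-10:05:41.553110 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.42:1112 -> 192.0.2.10:80
05/31-10:09:03.007781 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.99:2048 -> 192.0.2.250:80
05/31-10:11:55.331900 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.200:4096 -> 192.0.2.251:80
"""


def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts; silently skip lines that do not match."""
    alerts = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def stateless_only(stateful_text, stateless_text):
    """Return alerts seen by the stateless instance whose source IP never produced
    an alert on the stateful instance, i.e. traffic with no established session."""
    known_stateful_sources = {a["src"] for a in parse_fast_alerts(stateful_text)}
    return [a for a in parse_fast_alerts(stateless_text)
            if a["src"] not in known_stateful_sources]


def sources_by_count(alerts):
    """Tally the handshake-less sources so the noisiest ones can be looked up (geo/ASN) first."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    orphans = stateless_only(STATEFUL_ALERTS, STATELESS_ALERTS)
    for a in orphans:
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]}:{a["dport"]} sid={a["sid"]} "{a["msg"]}"')
    print(sources_by_count(orphans))
```

If you want to be stricter than the IP-keyed filter, change the set to `(src, dst)` pairs: a source that had a real session with one host but also fired a sessionless probe at an unused address would then still show up in the stateless-only list instead of being discarded.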
Current thread:
- Re: strange cmd.exe access Valdis . Kletnieks (Jun 01)
- <Possible follow-ups>
- Re: strange cmd.exe access H Carvey (Jun 01)
- Re: strange cmd.exe access adam (Jun 01)
- RE: strange cmd.exe access Frank Knobbe (Jun 01)
- RE: strange cmd.exe access MacDougall, Shane (Jun 05)
