Snort mailing list archives

re: Message 13


From: "Joe Pampel" <joe () ardsley com>
Date: Wed, 02 Jan 2002 07:43:29 -0500


Hi Patric:

No one is hacking per se.. This is just a virus infected server somewhere trying to infect your IIS server (if you're 
running one!) 
One way to see if you're infected is to add a rule which checks this traffic either bound 
from your web server. You should see it coming neither in nor going out. If it's coming in, you need to adjust your 
firewall / edge router to stop it.. if you see these packets coming from your server, it's time to go to the backup 
tape! If you're running Apache, have a cup of coffee, put your feet up and take a nap. :-)  

If you don't want to write the snort rule(s), there are a number of detection programs offered for free 
to detect the NIMDA, Code Red, etc viruses (and vulnerability for same)  Do a google on it and you'll find a bunch. 

just as a general rule:
1. make sure your IIS servers are fully patched and hardened (duh, I know.. )
2. make sure your firewall is stopping this kind of rot. (Checkpoint can do it with URI resource rules, Cisco routers 
can do it with policy-based access lists available in more recent IOS versions). If you can't change your edge router 
or firewall, use a snort based HIDS system to protect your server. I think there's a Win32 based HIDS available but I 
can't think of the name offhand (sorry!) 

hth,

Joe


Message: 13
From: "Patric Svensson" <patric.svensson () nt se>
To: <snort-users () lists sourceforge net>
Date: Wed, 2 Jan 2002 11:44:28 +0100
Subject: [Snort-users] Is someone hacking?


Hello!
 
I get a lot of alerts like this: WEB-IIS cmd.exe access and like this
WEB-IIS CodeRed v2 root.exe access. How will I know if the server has
been hacked?
 
The payload look like this: "GET
/scripts/..%2f../winnt/system32/cmd.exe?/c+dir r HTTP/1.0..Host:
www..Connnection: close.." 
For the "WEB-IIS cmd.exe access" alert. If anyone could help me with
this I would be very happy.
 
Best
Patric Svensson
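The check Joe suggests in his reply (watch for the cmd.exe / root.exe requests Patric quotes above in both directions relative to the web server, and treat the outbound case as a sign the server itself is infected) can be worked through in a few lines. The code below is an added example written for this archive page, not code posted by either list member. It assumes a hypothetical web server address (10.0.0.5), constructs its own sample packets in the style of the quoted payload, and uses invented function names (classify_request, direction, analyze, snort_rule); the Snort rule it emits uses a sid in the local range, which is an assumption.

```python
import re
from urllib.parse import unquote

# Assumed address of the IIS server being monitored (placeholder, not from the post).
WEB_SERVER = "10.0.0.5"

# Constructed sample traffic: (src_ip, dst_ip, raw HTTP request).
# The first entry mirrors the payload quoted in the question; the rest are invented.
SAMPLE_PACKETS = [
    ("203.0.113.7", "10.0.0.5",
     "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\nConnection: close\r\n\r\n"),
    ("10.0.0.5", "198.51.100.22",
     "GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("203.0.113.9", "10.0.0.5",
     "GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("203.0.113.10", "10.0.0.5",
     "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
]

SUSPICIOUS_TARGETS = ("cmd.exe", "root.exe")
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")


def normalize_uri(uri):
    # Decode twice: Nimda-style requests used double encoding such as %255c (-> %5c -> \).
    return unquote(unquote(uri)).lower()


def classify_request(raw):
    """Return details if the request line names cmd.exe or root.exe, else None."""
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    uri = normalize_uri(parts[1])
    target = next((t for t in SUSPICIOUS_TARGETS if t in uri), None)
    if target is None:
        return None
    return {"target": target, "traversal": bool(TRAVERSAL.search(uri)), "uri": uri}


def direction(src, dst, web_server=WEB_SERVER):
    """Classify a packet relative to the monitored web server."""
    if dst == web_server:
        return "inbound"
    if src == web_server:
        return "outbound"
    return "transit"


def analyze(packets, web_server=WEB_SERVER):
    """Inbound hits are probes to block at the edge; outbound hits mean the server is infected."""
    findings = []
    for src, dst, raw in packets:
        match = classify_request(raw)
        if match is None:
            continue
        d = direction(src, dst, web_server)
        verdict = {"inbound": "probe", "outbound": "server_compromised"}.get(d, "other")
        findings.append({"src": src, "dst": dst, "direction": d, "verdict": verdict, **match})
    return findings


def snort_rule(target, outbound, sid):
    """Build the direction-bound rule Joe describes (sid in the local 1000000+ range is an assumption)."""
    if outbound:
        src, dst, label = "$HTTP_SERVERS any", "$EXTERNAL_NET $HTTP_PORTS", "outbound"
    else:
        src, dst, label = "$EXTERNAL_NET any", "$HTTP_SERVERS $HTTP_PORTS", "inbound"
    return ('alert tcp %s -> %s (msg:"WEB-IIS %s access %s"; content:"%s"; nocase; sid:%d; rev:1;)'
            % (src, dst, target, label, target, sid))


if __name__ == "__main__":
    for f in analyze(SAMPLE_PACKETS):
        print("%-8s %-18s %s -> %s  traversal=%s" % (f["direction"], f["verdict"], f["src"], f["dst"], f["traversal"]))
    print(snort_rule("cmd.exe", outbound=True, sid=1000001))
```

Running it over the constructed packets flags two inbound probes and one outbound request from the server address; the outbound one is the case that means restoring from backup rather than tuning the firewall. The double decode matters: a single unquote would leave the %255c variant looking like a plain path.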

