scans for root.exe

From: Kevin Holmquist (kevinhat_private)
Date: Wed Aug 15 2001 - 21:14:09 PDT

    I'm noticing in my Snort alerts an increasing number of 'WEB-MISC Attempt to
    execute cmd' alerts.  I looked at the packet data with Ethereal and it
    appears that they are trying to execute d:\inetpub\scripts\root.exe,
    d:\progra~1\common~1\system\\MS ADC\root.exe, and ./cmd.exe.  These scans
    are not showing up in syslog or httpd access and error logs.
    
    The scan per hour rate has increased dramatically.  It is also interesting
    that all of the scans I have received have been from hosts with the same
    first octet (64) as my IP address.
    
    Is anyone else seeing this kind of traffic?
    
    PS I run Apache so I can't capture any code.  I can provide logs and packet
    dumps if needed.
    
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 07:37:25 PDT