Re: scans for root.exe

From: David Pick (D.M.Pickat_private)
Date: Thu Aug 16 2001 - 08:00:50 PDT


> I'm noticing in my snort alerts an increasing number of 'WEB-MISC Attempt to
> execute cmd' alerts.  I looked at the packet data with ethereal and it
> appears that they are trying to execute d:\inetpub\scripts\root.exe,
> d:\progra~1\common~1\system\\MS ADC\root.exe, and ./cmd.exe.  These scans
> are not showing up in syslog or httpd access and error logs.
> 
> The scan per hour rate has increased dramatically.  It is also interesting
> that all of the scans I have received have been from hosts with the same
> first octet (64) as my IP address.
> 
> Is anyone else seeing this kind of traffic?
> 
> PS I run apache so I can't capture any code.  I can provide logs and packet
> dumps if needed.

These are attempts to use the "backdoor" left behind by the third
main variant of the CodeRed worm. What command are they trying to
execute? (should be passed as parameters to the query) or are they
just looking to see if it's there at all?

-- 
	David Pick


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
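The reply above asks what command the probes carry in the query string and whether they are bare existence checks. The following script is an added example, not code from the thread or from either poster, that answers that question from logs: it parses Apache combined-format access log lines, picks out requests for root.exe or cmd.exe (the Code Red II backdoor copies cmd.exe to root.exe under the scripts and MSADC directories and hands the query string to it as its arguments), recovers the command from the query, and tallies which commands and which source /8 blocks the probes come from, the way the original poster noticed the 64.x.x.x clustering. The log lines and source addresses are constructed for the example; the regular expression assumes the standard combined log format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format). They are not from the
# original thread; the source addresses are fabricated and placed in 64/8 to
# mirror what the poster observed.
SAMPLE_LOG = """\
64.12.34.56 - - [16/Aug/2001:07:55:01 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
64.200.1.9 - - [16/Aug/2001:07:55:03 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
64.77.5.5 - - [16/Aug/2001:07:56:10 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
64.12.34.56 - - [16/Aug/2001:07:57:11 -0700] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"
10.1.1.1 - - [16/Aug/2001:07:58:00 -0700] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) '
)

# Binaries that only make sense as probes for the Code Red II backdoor:
# root.exe is the renamed cmd.exe the worm drops, and a request for cmd.exe
# itself through the web server is equally suspect.
PROBE_BINARIES = ("root.exe", "cmd.exe")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"] = unquote(path)   # decode %xx so encoded variants are still recognised
    rec["query"] = query
    return rec


def probe_command(query):
    """Recover the command carried in the query string of a backdoor probe.

    The backdoor passes the query to cmd.exe, so '/c+dir' means 'cmd.exe /c dir'.
    Returns '' when the request carries no command, i.e. a bare existence check.
    """
    cmd = unquote(query.replace("+", " ")).strip()
    if cmd.lower().startswith("/c "):
        cmd = cmd[3:].strip()
    return cmd


def classify(rec):
    """Return the probed binary name if the request targets one, else None."""
    name = rec["path"].rsplit("/", 1)[-1].lower()
    return name if name in PROBE_BINARIES else None


def summarize(log_text):
    """Tally backdoor probes: commands sent, source addresses, and source /8 blocks."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        binary = classify(rec)
        if binary is None:
            continue
        probes.append({
            "src": rec["src"],
            "binary": binary,
            "path": rec["path"],
            "command": probe_command(rec["query"]),
            "status": int(rec["status"]),
        })
    return {
        "probes": probes,
        "commands": Counter(p["command"] or "<existence check>" for p in probes),
        "first_octets": Counter(p["src"].split(".")[0] for p in probes),
        "sources": Counter(p["src"] for p in probes),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for p in report["probes"]:
        print(f'{p["src"]:<15} {p["binary"]:<9} status={p["status"]} cmd={p["command"] or "-"}')
    print("commands:", dict(report["commands"]))
    print("first octets:", dict(report["first_octets"]))
```

On a non-IIS host every one of these requests should be a 404, so the status column doubles as a sanity check: any 200 against root.exe or cmd.exe would mean the file actually exists on the server and needs immediate attention. Feeding the script a real access log in place of SAMPLE_LOG (for example by reading the file and passing its contents to summarize) shows at a glance whether the probes carry a command or are only checking for the backdoor's presence.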
    



    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 08:13:41 PDT