On Fri, 2003-05-30 at 17:13, Jeff Adams wrote:
> > what is strange is that the cmd.exe / root.exe stuff is halfway
> > through with some other code before it. the IP it hit was not mapped to
> > anything ( I believe it is unused) so this can not have been part of
> > another TCP conversation. any ideas ?
>
> I have been seeing similar odd cmd.exe packets as well.
> It looks like part of a Code Red or a new variant.
> Anyone else seeing the same?

I reported this at the end of April, and VJay Larosa reported it the month before. These packets seem to be only the second packet from CodeRed attempts. They are completely stateless.

To test this and to capture more packets, I ran two Snort instances on the same segment/same box. One was configured to act only on established sessions (-z flag), the other on all traffic. The rules file only included a few IIS sigs; the snort.conf was identical. I had the stateful instance log into the /var/log/statefull directory, the stateless instance into /var/log/stateless.

After a while I compared the two and found that the stateless directory contained a few more entries. Removing the known stateful IPs from the stateless directory, I was left with those spurious second-packet-only CodeReds. This seemed to confirm that these are indeed stateless packets (no TCP 3-way handshake, no first data packet) and occur on the wire like that (no mistakes in IDS config/logging etc.). The majority seemed to be coming from China, but other sources were logged as well (i.e. USA, Turkey, etc.).

After capturing and staring at this for a couple of weeks, I got bored and released the packets back into the Ether. However, if you're interested in repeating the experiment with Snort, I can tar up the setup I used and mail it to you.

Regards,
Frank
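The post-processing step Frank describes (take the stateless instance's alerts, subtract every source IP the stateful instance also alerted on, keep what is left) can be scripted. The following is an added example, not Frank's setup or any code from the thread. It assumes both Snort instances wrote "fast" alert format (one alert per line, ending in `{PROTO} src:port -> dst:port`); the two sample logs are constructed and the IPs are documentation addresses. Frank compared per-IP log directories instead; the same set difference applies to `os.listdir()` of the two `-l` directories.

```python
"""Isolate Snort alerts that fire only without stream state.

Added example (not from the original post). Parses Snort "fast" alert
lines from a stateful (-z est) run and a stateless run of the same rules
and reports the source IPs that only the stateless instance saw: the
candidates for "second packet only" CodeRed hits with no 3-way handshake.
"""
import re
from collections import Counter

# Snort fast-alert line:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample data: two IPs appear in both logs (real sessions),
# one (203.0.113.77) appears only in the stateless log.
SAMPLE_STATEFUL = """\
05/30-17:13:02.412345  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3021 -> 198.51.100.5:80
05/30-17:14:40.002211  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:1088 -> 198.51.100.5:80
"""

SAMPLE_STATELESS = """\
05/30-17:13:02.412345  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3021 -> 198.51.100.5:80
05/30-17:13:59.777000  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.77:4455 -> 198.51.100.5:80
this line is not an alert and must be skipped by the parser
05/30-17:14:40.002211  [**] [1:1243:8] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.44:1088 -> 198.51.100.5:80
"""


def parse_alerts(text):
    """Return one dict per well-formed fast-alert line; other lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def source_ips(alerts):
    """Set of attacking source addresses in a parsed alert list."""
    return {a["src"] for a in alerts}


def hits_per_source(alerts):
    """How many alerts each source produced (useful to spot single-packet hits)."""
    return Counter(a["src"] for a in alerts)


def stateless_only(stateful_text, stateless_text):
    """Source IPs the stateless instance alerted on but the stateful one never did.

    Anything left here fired on a packet that was not part of an established
    TCP session as far as Snort's stream tracking could tell.
    """
    stateful = source_ips(parse_alerts(stateful_text))
    stateless = source_ips(parse_alerts(stateless_text))
    return sorted(stateless - stateful)


if __name__ == "__main__":
    for ip in stateless_only(SAMPLE_STATEFUL, SAMPLE_STATELESS):
        print("stateless-only source:", ip)
```

Feed it the real alert files with `stateless_only(open("/var/log/statefull/alert").read(), open("/var/log/stateless/alert").read())`; a source that shows up in the result with a single hit in `hits_per_source()` is exactly the one-packet pattern described above.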
This archive was generated by hypermail 2b30 : Sun Jun 01 2003 - 22:04:53 PDT