RE: New scanner?

From: Jason Frey (jmfrey@charter.net)
Date: 11/23/02

    Date: Fri, 22 Nov 2002 23:02:54 -0800
    To: <listserv@citadelconsulting.net>, "'Jeremy'" <prrthd25@yahoo.com>, <incidents@securityfocus.com>
    From: Jason Frey <jmfrey@charter.net>
    
    

    Just because Snort alerts on it doesn't necessarily mean there is a
    compromised box.

    With publicly accessible web servers, your Snort is likely to see hundreds
    of IIS-targeted attacks daily. These are not false alarms, but they may
    not be effective attacks either. If your IIS systems are patched and
    configured correctly, they may not be compromised.

    Still, I would examine the boxes as Jeremy suggests. Once you are sure
    they are patched and configured correctly, you can create pass rules for
    those boxes if you choose to not get alerted with these events for them.

    At 09:10 PM 11/21/2002 -0500, newsletters wrote:
    >Jeremy,
    >
    >I'm not sure if you're serious or not, but this is probably the most
    >common IIS exploit found. Wherever the destination address is located
    >you're going to find IIS and a compromised scripts directory. The
    >command (cmd.exe) interpreter has been renamed and copied to the
    >c:\inetpub\scripts\root.exe and the intruder is using it to gain command
    >line access to your system. This is basically the ultimate goal of a
    >hacker. You need to search the system for root.exe and delete it. In
    >addition you need to check and reset the permissions for C:\inetpub\*.
    >At a minimum change the scripts directory to read only. Do a search on
    >bugtraq for codered II. That should give you a more detailed action
    >plan. My opinion would be to rebuild the box with all current patches
    >and service packs.
    >
    >Good Luck!
    >
    >CB
    >
    >-----Original Message-----
    >From: Jeremy [mailto:prrthd25@yahoo.com]
    >Sent: Wednesday, November 20, 2002 10:30 AM
    >To: incidents@securityfocus.com
    >Subject: New scanner?
    >
    >Hello all,
    >
    > My snort box picked this up yesterday from two
    >different source IPs and I was wondering if anyone
    >had seen this pattern before. Both times snort logged
    >718 alerts consisting of the following:
    >
    >1 instances of WEB-IIS multiple decode attempt
    >1 instances of FTP invalid MODE
    >1 instances of WEB-MISC http directory traversal
    >2 instances of WEB-IIS scripts access
    >2 instances of (spp_portscan2) Portscan detected
    >3 instances of WEB-IIS Unicode2.pl script (File
    >permission canonicalization)
    >6 instances of POLICY FTP anonymous login attempt
    >17 instances of WEB-IIS CodeRed v2 root.exe access
    >685 instances of WEB-IIS cmd.exe access
    >
    >This may have been around a while but it's the first
    >time I've seen it, so I figured I would ask. If this
    >is something new I do have packet captures from all
    >the alerts.
    >
    >Thanks,
    > Jeremy
    >
    >__________________________________________________
    >Do you Yahoo!?
    >Yahoo! Web Hosting - Let the expert host your site
    >http://webhosting.yahoo.com
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com

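The triage Jason describes, as an added example that is not part of the original thread: a small Python script that reads IIS W3C extended log lines (the sample records below are constructed, not logs from the thread), flags the root.exe, cmd.exe and Unicode/double-decode traversal request shapes behind the Snort signatures Jeremy listed, and separates requests the server rejected (404) from ones it answered with a 200, which on IIS means the requested program was actually found and run, so that server needs the root.exe and permissions check CB describes. The field order and the meaning of the status codes are assumptions about a default IIS 5 W3C log; the addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed IIS W3C extended log records (not from the original thread).
# Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-11-21 02:10:01 192.0.2.10 GET /scripts/root.exe /c+dir 404
2002-11-21 02:10:02 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-11-21 02:10:03 192.0.2.10 GET /_vti_bin/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-11-21 02:11:07 198.51.100.7 GET /scripts/root.exe /c+dir 200
2002-11-21 02:11:08 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2002-11-21 02:12:00 203.0.113.5 GET /index.html - 200
"""

# Request shapes this triage looks for: the copied interpreter CodeRed II leaves
# as /scripts/root.exe, direct cmd.exe requests, and the Unicode (%c0%af, %c1%1c)
# and double-decode (%255c) traversal sequences used to reach cmd.exe.
SUSPICIOUS = [
    ("root.exe", re.compile(r"/root\.exe$", re.I)),
    ("cmd.exe", re.compile(r"/cmd\.exe$", re.I)),
    ("traversal", re.compile(r"(\.\./|%c0%af|%c1%1c|%255c)", re.I)),
]


def parse_line(line):
    """Return a dict for one W3C record, or None for directives/blank/short lines."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, c_ip, method, uri, query, status = fields[:7]
    return {"ip": c_ip, "method": method, "uri": uri, "query": query, "status": int(status)}


def classify(rec):
    """Tag a record by the patterns it matches and by whether IIS actually served it."""
    tags = [name for name, rx in SUSPICIOUS if rx.search(rec["uri"])]
    if not tags:
        return None
    # 200: IIS located and executed the requested program, so the box needs a
    # manual look (root.exe present? scripts directory writable?).
    # Anything else: the request was rejected, which is the expected noise on
    # a patched, correctly configured server.
    verdict = "INVESTIGATE" if rec["status"] == 200 else "rejected"
    return {"ip": rec["ip"], "uri": rec["uri"], "status": rec["status"],
            "tags": tags, "verdict": verdict}


def triage(log_text):
    """Return (findings, per-source count of suspicious requests) for a log."""
    findings = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append(hit)
            per_source[hit["ip"]] += 1
    return findings, per_source


def sources_with_success(findings):
    """Sources whose exploit-style request got a 200: evidence the server ran cmd.exe for them."""
    return sorted({f["ip"] for f in findings if f["verdict"] == "INVESTIGATE"})


if __name__ == "__main__":
    findings, per_source = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f['verdict']:11} {f['ip']:14} {f['status']} {'/'.join(f['tags'])} {f['uri']}")
    print("suspicious requests per source:", dict(per_source))
    print("sources that got a 200:", sources_with_success(findings))
```

The count of alerts per source mirrors what Snort reports; the status split is what Snort cannot see from the wire alone, and it is the first thing to check before deciding whether a box needs the rebuild CB recommends or just a pass rule.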
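The pass rules Jason mentions, as an added example and not from the original message: Snort 1.x/2.x rule syntax, with the made-up address 10.0.0.5 standing in for one web server that has already been examined and confirmed patched. Scope the destination to that single host so the rules do not hide the same probes against anything else, and note that Snort of this era evaluated alert rules before pass rules unless started with -o (or, in Snort 2.x, with config order: pass alert log in snort.conf), so without that setting the pass rules never fire.

```snort
# Assumed: 10.0.0.5 is a verified-patched IIS host; $EXTERNAL_NET and $HTTP_PORTS
# come from snort.conf. Start Snort with -o so these are evaluated before alerts.
pass tcp $EXTERNAL_NET any -> 10.0.0.5 $HTTP_PORTS (msg:"PASS CodeRed root.exe probe vs patched host"; flow:to_server,established; uricontent:"/root.exe"; nocase; sid:1000001; rev:1;)
pass tcp $EXTERNAL_NET any -> 10.0.0.5 $HTTP_PORTS (msg:"PASS cmd.exe probe vs patched host"; flow:to_server,established; uricontent:"cmd.exe"; nocase; sid:1000002; rev:1;)
```

Keep the web server logs as the record of what those probes actually returned; the pass rules only quiet the console, they do not change what reached the box.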