Snort mailing list archives

Previous By Date Next
Previous By Thread Next

(no subject)

From: Thomas Nilsen <thomas.nilsen () kverneland com>
Date: Thu, 20 Sep 2001 13:40:00 +0200
I've set up monitoring of outoging cmd.exe/root.exe traffic on port 80. But
I'm note quite sure how to get interpet these logs.

The traffic is leaving our network and entering on port 80 on the
destinaton. What is so strange is that the traffic is leaving from out proxy
server. But I cannot find anything in the proxy log with reference to
root.exe or cmd.exe... Any ideas anyone??

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C   GET /scripts/..\
010 : 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33   ../winnt/system3
020 : 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72   2/cmd.exe?/c+dir
030 : 20 72 20 63 2B 64 69 72 20 48 54 54 50 2F 31 2E    r c+dir HTTP/1.
040 : 30 0D 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F   0..Host: www..Co
050 : 6E 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65   nnnection: close
060 : 0D 0A 0D 0A 65 63 74 69 6F 6E 3A 20 63 6C 6F 73   ....ection: clos
070 : 65 0D 0A 0D 0A 2B 30 32 30 30 0D 0A 52 65 63 65   e....+0200..Rece
080 : 69 76 65 64 3A 20 66 72 6F 6D 20 73 74 61 74 6F   ived: from stato
090 : 69 6C 2E 6E 6F 20 28 6D 61 69 6C 68 6F 73 74 2E   il.no (mailhost.
0a0 : 73 74 61 74 6F 69 6C 2E 6E 6F 20 5B 31 34 33 2E   statoil.no [143.
0b0 : 39 37 2E 32 30 2E 31 30 39 5D 29 0D 0A 09 62 79   97.20.109])...by
0c0 : 20 6D 61 69 6C 77 61 6C 6C 31 2E 73 74 61 74 6F    mailwall1.stato
0d0 : 69 6C 2E 63 6F 6D 20 28 38 2E 31 31 2E 31 2F 38   il.com (8.11.1/8
0e0 : 2E 31 31 2E 31 29 20 77 69 74 68 20 45 53 4D 54   .11.1) with ESMT
0f0 : 50 20 69 64 20 66 38 4B 42 50 48 51 32 31 36 30   P id f8KBPHQ2160
100 : 34 3B 0D 0A 09 54 68 75 2C 20 32 30 20 53 65 70   4;...Thu, 20 Sep
110 : 20 32 30 30 31 20 31 33 3A 32 35 3A 31 37 20 2B    2001 13:25:17 +
120 : 30 32 30 30 20 28 4D 45 54 20 44 53 54 29 0D 0A   0200 (MET DST)..
130 : 52 65 63 65 69 76 65 64 3A 20 66 72 6F 6D 20 73   Received: from s
140 : 74 66 6F 2D 6C 6E 73 6D 74 70 32 2E 73 74 61 74   tfo-lnsmtp2.stat
150 : 6F 69 6C 2E 6E 6F 20 28 73 74 66 6F 2D 6C 6E 73   oil.no (stfo-lns
160 : 6D 74 70 32 2E 73 74 2E 73 74 61 74 6F 69 6C 2E   mtp2.st.statoil.
170 : 6E 6F 20 5B 31 34 33 2E 39 37 2E 32 30 2E 31 34   no [143.97.20.14
180 : 39 5D 29 0D 0A 09 62 79 20 73 74 61 74 6F 69 6C   9])...by statoil
190 : 2E 6E 6F 20 28 38 2E 31 30 2E 30 2F 38 2E 31 30   .no (8.10.0/8.10
1a0 : 2E 30 29 20 77 69 74 68 20 53 4D 54 50 20 69 64   .0) with SMTP id
1b0 : 20 66 38 4B 42 50 46 78 30 35 39 31 32 3B 0D 0A    f8KBPFx05912;..
1c0 : 09 54 68 75 2C 20 32 30 20 53 65 70 20 32 30 30   .Thu, 20 Sep 200
1d0 : 31 20 31 33 3A 32 35 3A 31 35 20 2B 30 32 30 30   1 13:25:15 +0200
1e0 : 20 28 4D 45 54 20 44 53 54 29 0D 0A 52 65 63 65    (MET DST)..Rece
1f0 : 69 76 65 64 3A 20 62 79 20 73 74 66 6F 2D 6C 6E   ived: by stfo-ln
200 : 73 6D 74 70 32 2E 73 74 61 74 6F 69 6C 2E 6E 6F   smtp2.statoil.no
210 : 28 4C 6F 74 75 73                                 (Lotus

Best Regards,
Thomas Nilsen
Kverneland IT AS
Phone: +47 5142 9463 - Mobile: +47 991 55 001


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: