snort 1.9.0 logs CodeRed v2 root.exe access
fearx24
02-08-2003, 04:43 PM
#12-(2-59) url[snort] WEB-IIS CodeRed v2 root.exe access 2003-02-08 14:26:10
source ip: 64.239.185.199:4942
192.168.0.4:80 TCP
This info above is some of the activity Snort has been picking up, and I'm fairly new to Snort. I have about 4 of these from the same IP address in my logs. Is this person attempting to get in?
thanks Nick
Choozo
02-08-2003, 04:55 PM
It's a worm looking for IIS servers (on Windows machines) so I wouldn't worry too much. The owner of the IP where these requests come from may be totally unaware of it, and most likely innocent.
fearx24
02-09-2003, 02:11 AM
How would I know then if the person was really trying to do something? Couldn't just about any alert be unknown to the owner? I'm new to Network Intrusion and Snort, so doing lots of research. Know anything about these:
SNMP broadcast trap
WEB-IIS cmd.exe access
WEB-IIS unicode directory traversal attempt
These seem to be the most noticed ones. Only been running the system for 2 days now, so I don't really have too many yet.
Thanks Nick
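One way to start answering the question above (is a source actually probing the host, or is it just worm background noise?) is to count alerts per source IP and see how many different signatures each source triggers. The script below is an added example, not part of this thread; it parses the three-line alert records in the shape quoted at the top of the thread and applies a simple triage rule: a source that only triggers signatures tied to self-propagating worms is worm noise, a source that repeats a single signature is most likely automated scanning, and a source that hits several different signatures is the one worth pulling the full packets for. The log records are constructed samples using documentation IP addresses, and the triage rule is a heuristic for prioritising review, not a verdict.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample records in the same three-line shape as the post above.
# The source addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
#12-(2-59) url[snort] WEB-IIS CodeRed v2 root.exe access 2003-02-08 14:26:10
source ip: 203.0.113.7:4942
192.168.0.4:80 TCP
#13-(2-60) url[snort] WEB-IIS CodeRed v2 root.exe access 2003-02-08 15:02:31
source ip: 203.0.113.7:1120
192.168.0.4:80 TCP
#14-(2-61) url[snort] WEB-IIS CodeRed v2 root.exe access 2003-02-08 16:41:05
source ip: 203.0.113.7:2207
192.168.0.4:80 TCP
#15-(2-62) url[snort] WEB-IIS CodeRed v2 root.exe access 2003-02-08 18:09:52
source ip: 203.0.113.7:3318
192.168.0.4:80 TCP
#16-(2-63) url[snort] WEB-IIS unicode directory traversal attempt 2003-02-09 01:12:03
source ip: 198.51.100.23:3321
192.168.0.4:80 TCP
#17-(2-64) url[snort] WEB-IIS cmd.exe access 2003-02-09 01:12:09
source ip: 198.51.100.23:3322
192.168.0.4:80 TCP
#18-(2-65) url[snort] SNMP broadcast trap 2003-02-09 01:13:40
source ip: 198.51.100.23:1044
192.168.0.255:162 UDP
#19-(2-66) url[snort] WEB-IIS cmd.exe access 2003-02-09 03:30:00
source ip: 192.0.2.9:4001
192.168.0.4:80 TCP
#20-(2-67) url[snort] WEB-IIS cmd.exe access 2003-02-09 03:30:02
source ip: 192.0.2.9:4002
192.168.0.4:80 TCP
"""

# Line 1: "#<id>-(<sid>) url[snort] <signature> <YYYY-MM-DD HH:MM:SS>"
HEADER_RE = re.compile(
    r"^#\d+-\(\d+-\d+\) url\[snort\] (?P<sig>.+?) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)
# Line 2: "source ip: <ip>:<port>"
SRC_RE = re.compile(r"^source ip: (?P<ip>[\d.]+):(?P<port>\d+)$")
# Line 3: "<dst ip>:<port> <PROTO>"
DST_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+) (?P<proto>[A-Z]+)$")

# The two signatures this thread identifies as generated by self-propagating worms.
WORM_SIGS = {
    "WEB-IIS CodeRed v2 root.exe access",
    "MS-SQL Worm propagation attempt",
}


def parse_alerts(text: str) -> List[Dict]:
    """Turn the three-line-per-alert viewer output into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    alerts = []
    for i in range(0, len(lines) - 2, 3):
        h = HEADER_RE.match(lines[i])
        s = SRC_RE.match(lines[i + 1])
        d = DST_RE.match(lines[i + 2])
        if not (h and s and d):
            raise ValueError(f"unparseable record starting at line {i + 1}")
        alerts.append({
            "sig": h["sig"],
            "ts": datetime.strptime(h["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": s["ip"], "sport": int(s["port"]),
            "dst": d["ip"], "dport": int(d["port"]), "proto": d["proto"],
        })
    return alerts


def triage(alerts: List[Dict]) -> Dict[str, Dict]:
    """Group alerts by source IP and attach a review-priority verdict to each."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = {}
    for src, evs in by_src.items():
        sigs = {a["sig"] for a in evs}
        times = sorted(a["ts"] for a in evs)
        if sigs <= WORM_SIGS:
            verdict = "worm noise: only self-propagating worm signatures"
        elif len(sigs) == 1:
            verdict = "repeated single probe: most likely automated scanning"
        else:
            verdict = "mixed signatures: review the full packets for this source"
        report[src] = {
            "count": len(evs),
            "signatures": sorted(sigs),
            "dst_ports": sorted({a["dport"] for a in evs}),
            "span_minutes": round((times[-1] - times[0]).total_seconds() / 60, 1),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in triage(parse_alerts(SAMPLE_LOG)).items():
        print(f"{src}: {info['count']} alerts over {info['span_minutes']} min, "
              f"{len(info['signatures'])} signature(s) -> {info['verdict']}")
```

In the sample, the four CodeRed hits from one source spread over several hours come out as worm noise, which matches the reply above: the worm retries on its own schedule and the owner of that address is usually unaware. The source that runs a directory traversal, a cmd.exe request and an SNMP trap inside two minutes is the one that merits opening the captured packets, because that mix is not what a single worm does.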
Choozo
02-09-2003, 06:27 AM
Have you checked all the articles available over at www.snort.org yet?
Null_Logik
02-09-2003, 07:04 AM
I have a few sites to help you out:
www.dshield.com
www.packetstormsecurity.com
www.cert.org
www.securityfocus.com
www.securitywriters.org
www.cotse.com
www.sans.org
http://isc.incidents.org
This one is more advanced, written by NSA infosec professionals:
http://www.radium.ncsc.mil/tpep/library/rainbow/index.html
http://www.radium.ncsc.mil/tpep/library/protection_profiles/
Intrusion detection is a bit tricky, but it is a good idea to get a few books on it. Also get a good book on TCP/IP; that is a must.
Null_Logik
02-10-2003, 08:51 AM
I have more I just can't think of them. :)
fearx24
02-11-2003, 11:46 AM
MS-SQL Worm propagation attempt
Could this just be a person with the worm then also and doesn't know about it? It seems weird that I got an attempt from him every hour or so last night.
Thanks Nick
Choozo
02-11-2003, 01:28 PM
Yes, worms live their own life. Hence the usually rapid spread rate, where they start off infecting one system, then spread out to several new systems... that's propagating.
And the MS-SQL worm is what the name suggests - a worm attacking Microsoft SQL servers.