[unisog] Windows Command Prompt in the clear in the network?

Michael Grinnell grinnell at american.edu
Wed Oct 11 21:06:21 GMT 2006


On Oct 11, 2006, at 4:56 PM, Glenn Forbes Fleming Larratt wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Folks,
>
> Honeypot and honeynet issues aside:
>
>    - is the presence in the clear of a Windows Command Prompt, from a high
>      TCP source port to a high destination port, *ever*
>      legitimate/normal/to be expected in the Windows world?
>
>    - if not, is that presence *always* indicative of compromise, or at least
>      of a vulnerability having been exploited?
>
> We have noted a 1-to-1 correspondence so far between compromised machines
> in our network and a Command Prompt banner
>
>      Microsoft Windows {XP,2000}...
>
> or
>
>      Microsoft(R) Windows NT...
>
> appearing in the sample payload of our network flow recorder (QRadar).
>
> Please reply to me, I will summarize to the list.
>
> Thanks,
> - --
> Glenn Forbes Fleming Larratt
> Cornell University IT Security Office
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
>
> iD8DBQFFLVp2Lyw7nZwiKgQRAiGpAJ0bN59ES9Dbtr4BrR4zaaH/x17RDgCffmF7
> yhOlmTQEKSvRAWrPEtb0Bro=
> =vnyQ
> -----END PGP SIGNATURE-----
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> http://lists.dshield.org/mailman/listinfo/unisog

In my experience, always bad.

This is not quite the same, but TippingPoint, which is quite conservative
with their filters, lists cmd.exe over HTTP as a default block.

Michael Grinnell
Network Security Administrator
The American University
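As an added example (not code from the original thread or from QRadar or TippingPoint), the following Python applies the two heuristics discussed above to flow records: the cmd.exe startup banner seen in cleartext between two high TCP ports, and a request for cmd.exe over HTTP. The record layout, the 1024 "high port" threshold, the banner patterns (taken from the banner prefixes Glenn quotes) and the sample flows are all assumptions constructed for the example; a real flow recorder's payload sample and port fields would be mapped onto the Flow class.

```python
import re
from dataclasses import dataclass

# Banner prefixes quoted in the thread: cmd.exe prints one of these when it
# starts, so a bind or reverse shell leaks it in the first bytes of the flow.
# e.g. "Microsoft Windows XP [Version 5.1.2600]" or "Microsoft(R) Windows NT(TM)"
CMD_BANNER = re.compile(rb"Microsoft(?:\(R\))? Windows (?:XP|2000|NT)")

# cmd.exe named in an HTTP request line (the "cmd.exe over HTTP" filter case).
HTTP_CMD = re.compile(rb"^(?:GET|POST|HEAD) [^\r\n]*cmd\.exe",
                      re.IGNORECASE | re.MULTILINE)

HIGH_PORT = 1024  # assumption: ports >= 1024 are treated as "high"/ephemeral


@dataclass
class Flow:
    """Assumed record shape: one sampled payload per unidirectional flow."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # the sample payload bytes the flow recorder kept


def classify(flow):
    """Return the list of indicator names that fire on this flow."""
    hits = []
    # Banner from a high source port to a high destination port: the question
    # posed in the thread.  A banner from a low source port (e.g. a telnet
    # server on 23) is not covered by this rule and is left to other checks.
    if (CMD_BANNER.search(flow.payload)
            and flow.sport >= HIGH_PORT and flow.dport >= HIGH_PORT):
        hits.append("cmd-banner-high-ports")
    # Request for cmd.exe sent to a web server.
    if flow.dport == 80 and HTTP_CMD.search(flow.payload):
        hits.append("cmd.exe-over-http")
    return hits


def report(flows):
    """Map each implicated host to the sorted indicators seen on it.

    For the banner case the host *sending* the prompt is the one running the
    shell; for cmd.exe over HTTP the *destination* is the web server being
    probed, so the two indicators point at different ends of the flow.
    """
    out = {}
    for f in flows:
        for ind in classify(f):
            host = f.src if ind == "cmd-banner-high-ports" else f.dst
            out.setdefault(host, set()).add(ind)
    return {h: sorted(v) for h, v in out.items()}


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    # 1. XP bind shell: banner leaves a high port for a high port -> flagged
    Flow("10.0.0.5", 4444, "192.0.2.9", 3127,
         b"Microsoft Windows XP [Version 5.1.2600]\r\n"
         b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>"),
    # 2. Directory-traversal request for cmd.exe against a web server -> flagged
    Flow("10.0.0.7", 1040, "203.0.113.4", 80,
         b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
         b"Host: 203.0.113.4\r\n\r\n"),
    # 3. Ordinary browser traffic mentioning "Windows NT" in a User-Agent -> not flagged
    Flow("10.0.0.8", 1055, "198.51.100.2", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
         b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    # 4. NT4 banner between two high ports -> flagged
    Flow("10.0.0.11", 1028, "198.51.100.20", 31337,
         b"Microsoft(R) Windows NT(TM)\r\n"
         b"(C) Copyright 1985-1996 Microsoft Corp.\r\n\r\nC:\\>"),
]


if __name__ == "__main__":
    for host, indicators in sorted(report(SAMPLE_FLOWS).items()):
        print(host, ", ".join(indicators))
```

The third sample is the check a practitioner wants before turning this into an alert: a payload that merely contains a Windows version string (here a browser User-Agent) must not match, which is why the pattern anchors on the "Microsoft Windows" / "Microsoft(R) Windows" banner prefix rather than on "Windows NT" alone. The banner is only visible because the shell is unencrypted; an attacker who wraps the session in TLS or SSH defeats the check entirely, so it is a cheap, high-confidence indicator when it fires, not evidence of absence when it does not.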


