Security Incidents mailing list archives

Re: A small quandary


From: Mike Katz <mike () procinct com>
Date: Fri, 06 Dec 2002 10:41:35 -0800

At 12/4/2002 08:30 PM, Mahoney, Paul wrote:

/cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10
/perl/ 1 -
/cgi-bin/test-cgi.bat?|ver 1 -
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 -
/cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 -
/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\

My question to everyone out there is would anyone be able to tell me if
this kind of attack has the fingerprints of any known software/viruses
in the field or is it a deliberate attempt to gain access to my clients
site?

Paul,

I am not aware of a tool or virus that produces the above logs. However, it would be trivial to modify one of the many web vulnerability scanners (nikto, whisker, etc.) to create a scan that would produce the above logs.

It looks like the scan wasn't targeted at a specific operating system. The first log entry would only work on a Unix system and the last three log entries would only have worked on Windows systems.

The logs above are indicative of a scan, which often precedes an attack, but is not a direct attempt to gain access (although it does gain information). The first log entry was targeted at a vulnerability in the AHG Search Engine and, if successful, would have given the scanner the /etc/passwd file (or any other accessible file specified) for the system, which includes account names, home directories, user, and group IDs. In older systems not using shadow password, it may have given the scanner the password hashes. This information could be useful in gaining unauthorized access to the system.

The log entry with test-cgi.bat was targeted at a vulnerable version of Apache running on Windows. The vulnerability allowed remote execution of commands and could be exploited to gain control of the server.

The log entries with /scripts/ were targeted at vulnerabilities in Microsoft's IIS server and would have given the scanner the directory listing of the c drive. More importantly, it would have indicated that the scanner could execute commands on the server. Attacks have exploited this vulnerability to gain control of IIS servers.

The log entry with mrtg.cgi was targeted at a vulnerability in CGI scripts for Multi Router Traffic Grapher, on a Windows system (it can also be found on Unix systems). If successful, the scanner would have retrieved the contents of the win.ini file. More importantly, it would indicate that any file on the target system could be retrieved.

I would treat these as hostile and would be extremely concerned if the logs indicated that any of these scans were successful (a 200 status code in the logs). I see these types of scans everyday and tend to ignore them unless, as in your case, they seem targeted.

Hope that helps.

Michael Katz
Procinct Security
mike () procinct com
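An added example (not from the thread, and not Procinct's code) of the triage Mike describes, run over constructed access-log lines built from the requests Paul quoted: it percent-decodes each path until stable so that the %252e double-encoding and the %c1%9c overlong-UTF-8 traversal are recognised, tags each request with the scan signatures discussed above, and flags any scan request that drew a 2xx response, which is the case he says to be extremely concerned about. The hosts, timestamps and byte counts in the sample log are constructed and the signature names are my own.

```python
import re
from urllib.parse import unquote_to_bytes
# Constructed sample access log (Common Log Format) built from the request paths
# quoted in the thread; hosts, timestamps and byte counts are made up.
SAMPLE_LOG = r"""
10.0.0.5 - - [04/Dec/2002:20:01:11 -0800] "GET /cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10 HTTP/1.0" 404 1
10.0.0.5 - - [04/Dec/2002:20:01:12 -0800] "GET /cgi-bin/test-cgi.bat?|ver HTTP/1.0" 404 1
10.0.0.5 - - [04/Dec/2002:20:01:13 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 200 1
10.0.0.5 - - [04/Dec/2002:20:01:14 -0800] "GET /cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini HTTP/1.0" 404 1
10.0.0.5 - - [04/Dec/2002:20:01:15 -0800] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 1
10.0.0.9 - - [04/Dec/2002:20:02:00 -0800] "GET /index.html HTTP/1.0" 200 2048
"""
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})(?:\s|$)')
# Each signature is matched against the fully percent-decoded request path.
SIGNATURES = [
    ("shell-metachar-in-query", re.compile(rb"\?.*[;|`]")),       # ;cat ... |  and  ?|ver
    ("path-traversal", re.compile(rb"\.\.[/\\]")),                 # ../ or ..\ after decoding
    ("overlong-utf8-slash", re.compile(rb"\xc0\xaf|\xc1\x9c")),    # IIS "unicode" traversal bytes
    ("cmd.exe", re.compile(rb"cmd\.exe", re.I)),
    ("sensitive-file", re.compile(rb"/etc/passwd|win\.ini", re.I)),
    ("known-vuln-cgi", re.compile(rb"search\.cgi|test-cgi|mrtg\.cgi", re.I)),
]

def decode_path(path):
    """Percent-decode until stable -> (bytes, passes); more than one pass means double-encoding."""
    raw, passes = path.encode("latin-1", "replace"), 0
    while (nxt := unquote_to_bytes(raw)) != raw:
        raw, passes = nxt, passes + 1
    return raw, passes

def analyze(log_text):
    """Return (host, status, path, tags) for every request that trips a signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, passes = decode_path(m["path"])
        tags = [tag for tag, rx in SIGNATURES if rx.search(decoded)]
        if passes > 1:
            tags.append("double-encoded")
        if tags:
            findings.append((m["host"], int(m["status"]), m["path"], tags))
    return findings

def triage(log_text):
    """Scan requests are hostile; a 2xx on one may mean it worked and needs investigation."""
    findings = analyze(log_text)
    return {"scan_requests": len(findings), "scanning_hosts": sorted({f[0] for f in findings}),
            "possibly_successful": [(f[0], f[2]) for f in findings if 200 <= f[1] < 300]}
```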


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

