Snort mailing list archives

sadmind rule


From: Andrew Daviel <andrew () andrew triumf ca>
Date: Wed, 9 May 2001 11:15:59 -0700 (PDT)


We were just hit by the sadmind/IIS worm
http://www.cert.org/advisories/CA-2001-11.html

I've been trying to retroactively find what might have been actually
attacked buried in all the port 80 traffic

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "sadmind"; flags: PA;
content: "GET /scripts/root.exe"; )

seems to work

The attack starts with
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\winnt\system32\cmd.exe+root.exe HTTP/1.0
then proceeds with
GET /scripts/root.exe?/c+echo+^<your deface here>>.././index.asp
we see "f**k USA Government"


(I'd actually seen and reported the original scans with my auto reporter
script, but didn't realize an actual attack was involved till yesterday)


 --
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security () triumf ca
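Added example (not part of Andrew's post, and not Snort's or TRIUMF's code): the rule above keys on the second stage only, the literal "GET /scripts/root.exe", so the first request, the %c0%af directory traversal that creates root.exe, goes unnoticed unless the request is decoded first. The script below decodes a request line the way the vulnerable IIS did (percent-decode, then fold overlong two-byte UTF-8 such as %c0%af to "/" and %c1%9c to "\"), walks the path to see whether ".." climbs above the web root, and labels each stage of the sequence described in the post. The three request lines are constructed to match the post's description, not real captures; the function names are my own.

```python
import posixpath  # noqa: F401  (stdlib only; kept explicit for readers porting this to a log tool)
from urllib.parse import unquote_to_bytes

# Constructed sample request lines in the shape the post describes (not real captures).
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe HTTP/1.0",
    "GET /scripts/root.exe?/c+echo+^<defaced^>>.././index.asp HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

# The content: string from the post's Snort rule; Snort content matches are case-sensitive by default.
RULE_CONTENT = "GET /scripts/root.exe"


def iis_decode(path):
    """Percent-decode, then fold overlong two-byte UTF-8 sequences (0xC0/0xC1 lead byte)
    down to the single ASCII byte they encode, as the unpatched IIS did (MS00-078):
    %c0%af -> '/', %c1%9c -> '\\'."""
    raw = unquote_to_bytes(path)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")


def resolve(path):
    """Treat backslashes as '/', collapse '.' and '..', and report whether the path
    ever climbed above the web root (the actual traversal condition)."""
    escaped = False
    depth = 0
    segs = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                escaped = True
            if segs:
                segs.pop()
            continue
        depth += 1
        segs.append(seg)
    return "/" + "/".join(segs), escaped


def classify(request_line):
    """Return which stage of the post's attack sequence a request line belongs to, or None."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    path, _, _query = parts[1].partition("?")
    resolved, escaped = resolve(iis_decode(path))
    if escaped and resolved.lower().endswith("cmd.exe"):
        return "stage1-unicode-traversal"  # cmd.exe reached by escaping the /scripts directory
    if resolved.lower() == "/scripts/root.exe":
        return "stage2-root.exe"  # the copied shell being invoked (what the Snort rule sees)
    return None


def rule_matches(request_line):
    """Does the post's Snort rule (plain content match on the raw request) fire?"""
    return RULE_CONTENT in request_line


def scan(lines):
    return [(classify(line), rule_matches(line)) for line in lines]


if __name__ == "__main__":
    for line, (stage, hit) in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{stage or '-':26} rule_hit={hit!s:5}  {line[:60]}")
```

Run over the sample lines, the first request is labelled stage 1 with rule_hit False, the second stage 2 with rule_hit True, and the plain index.html request is left alone; to catch the first stage with Snort itself you need the decoded form of the path, not a literal content string.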


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net