Snort mailing list archives
Re: sadmind rule
From: Max Vision <vision () whitehats com>
Date: Wed, 9 May 2001 12:00:33 -0700 (PDT)
I don't have a copy of this worm yet, but from everything I've seen so far it appears that it is strictly a Solaris worm, using the rpc.sadmind exploit to propagate. Before looking for the next Solaris system to infect, the worm scans some large netblock looking for IIS web servers and sends two requests to each (first request sets up a shell that can accept redirection, second request causes the defacement).

The Solaris attack should cause an alert from IDS20:
http://whitehats.com/info/IDS20 (portmap-request-sadmind)

The NT/IIS attacks will be seen by IDS433:
http://whitehats.com/info/IDS433 (http-iis-unicode-traversal-optyx)

Also I think I saw mention of grabbb somewhere (teso banner grabber) - I don't recall it having a distinct signature.

Anyone else have more details?

Max

On Wed, 9 May 2001, Andrew Daviel wrote:
We were just hit by the sadmind/IIS worm
http://www.cert.org/advisories/CA-2001-11.html

I've been trying to retroactively find what might have been actually attacked, buried in all the port 80 traffic.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "sadmind"; flags: PA; content: "GET /scripts/root.exe"; )

seems to work.

The attack starts with

GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\winnt\system32\cmd.exe+root.exe HTTP/1.0

then proceeds with

GET /scripts/root.exe?/c+echo+^<your deface here>>.././index.asp

We see "f**k USA Government".

(I'd actually seen and reported the original scans with my auto reporter script, but didn't realize an actual attack was involved till yesterday)

--
Andrew Daviel, TRIUMF, Canada Tel. +1 (604) 222-7376
security () triumf ca

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
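The two-stage IIS request sequence described in this thread (Unicode traversal to copy cmd.exe, then invocation of the copied root.exe) can also be found after the fact in web server logs. The following is an added example, not code from either poster or from Snort; it runs over a handful of constructed log lines with hypothetical IP addresses and correlates both stages per source host so that a lone root.exe probe is reported separately from a completed defacement sequence.

```python
import re
from collections import defaultdict

# Constructed sample web-server log lines (combined-log style; hosts and times are hypothetical).
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2001:11:58:01 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe HTTP/1.0" 200 -
10.0.0.5 - - [09/May/2001:11:58:02 -0700] "GET /scripts/root.exe?/c+echo+^<html>defaced^</html>>.././index.asp HTTP/1.0" 200 -
10.0.0.9 - - [09/May/2001:12:01:10 -0700] "GET /index.html HTTP/1.0" 200 1024
10.0.0.7 - - [09/May/2001:12:03:44 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Stage 1: overlong-UTF-8 traversal into cmd.exe (the first request Andrew quoted; what IDS433 keys on).
STAGE1_RE = re.compile(r'/scripts/\.\.%c0%af.*cmd\.exe', re.IGNORECASE)
# Stage 2: the copied shell being invoked (the content string Andrew's Snort rule matches).
STAGE2_RE = re.compile(r'/scripts/root\.exe', re.IGNORECASE)

def classify(path):
    """Label a request path as one of the worm's two stages, or None."""
    if STAGE1_RE.search(path):
        return "traversal-copy"
    if STAGE2_RE.search(path):
        return "root.exe-exec"
    return None

def analyse(log_text):
    """Return {src_ip: [(stage, status), ...]} for hosts that hit either stage."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _method, path, status = m.groups()
        stage = classify(path)
        if stage:
            seen[src].append((stage, int(status)))
    return dict(seen)

def full_worm_sequence(stages):
    """True when stage 1 preceded stage 2 and both were answered 200 (defacement likely succeeded)."""
    names = [s for s, _ in stages]
    return ("traversal-copy" in names and "root.exe-exec" in names
            and names.index("traversal-copy") < names.index("root.exe-exec")
            and all(code == 200 for _, code in stages))

if __name__ == "__main__":
    for ip, stages in analyse(SAMPLE_LOG).items():
        print(ip, stages, "FULL SEQUENCE" if full_worm_sequence(stages) else "partial/probe")
```

A 404 on the root.exe request means the copy in stage 1 never happened on that server, so hosts showing only stage 2 are scans rather than successful defacements.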