[Snort-sigs] Anyone have signatures for apache/php attacks?

Jon Hart jhart at ...289...
Mon Aug 5 20:10:01 EDT 2002


> We have just had an Apache web server hacked, files were left with
> ownership of apache and the system was known to have a vulnerable version
> of PHP installed.  (They were in the process of building a new server
> with all the patches applied...)
> Snort did not pick up the attack so I'm wondering if anyone has any
> rules that detect these attacks.

Russell,

We also got swept, but I don't know of any machines that were actually
compromised.  

Here's what my snort caught:

[**] WEB-PHP content-disposition memchr overlfow [**]
08/02/02-15:45:43.206395 0:10:FF:E9:B8:80 -> 8:0:20:B8:F8:50 type:0x800 len:0x5EA
207.171.20.100:54498 -> a.b.c.d:80 TCP TTL:44 TOS:0x0 ID:6487 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8873D475  Ack: 0x9986326B  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 458738577 232686191
1.........t.3. at ...735...@..1...C...0..1.......`..j TR1.QY
AQ..j.[jfX....u.....=....u.[1.j?X.....?.....?.....Rhn/shh//bi..R
S..`j.X.h.0.._..Wh 220h/1.1hHTTP..1.....XXXXa..--h...Content-Dis
position: form-data; name=".....................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
......................................................."; filena
me="....................................^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-PHP content-disposition memchr overlfow [**]
08/02/02-15:45:43.918125 0:10:FF:E9:B8:80 -> 8:0:20:B8:F8:50 type:0x800 len:0x5EA
207.171.20.100:54498 -> a.b.c.d:80 TCP TTL:44 TOS:0x0 ID:6533 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8874D8A5  Ack: 0x9986326B  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 458738639 232686252
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
.......................................--h...Content-Disposition
: form-data; name=".............................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
........................................^@
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



The following two rules were triggered:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
content-disposition memchr overlfow"; flags:A+; 
content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|";
reference:bugtraq,4183; classtype:web-application-attack; sid:1423; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
content-disposition"; flags:A+; content:"Content-Disposition\:"; content:
"form-data\;"; classtype:web-application-attack; reference:bugtraq,4183;
sid:1425; rev:6;)

The Apache logs were slightly more revealing: an initial probe to get the
Apache/PHP versions (HEAD / HTTP/1.0), followed by 12 POSTs to index.php.
index.php does not exist on this machine, and the version of PHP it runs is
up to date.

If anyone has any more detail about what exactly was posted to index.php,
I'd love to see it.

-jon
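As an added illustration of why the two rules above behaved as they did (this is example code written for this page, not Jon's code and not part of the Snort distribution), the following Python reimplements the `content:` matching of sids 1423 and 1425 and runs it over three constructed multipart POSTs: a normal file upload, a request shaped like the captured one (a long `name=` value padded with 0xCC bytes, which is what the dotted run in the alert dump is), and the same request with a different filler byte. Snort's `|CC CC CC CC CC|` notation is raw hex, `\"`, `\:` and `\;` are escaped literals, and contents without `distance`/`within` are searched independently over the whole payload, which the matcher models. The `suspicious_field_length` check and its 256-byte threshold are my own addition for comparison, not a rule from the post.

```python
import re

# The two rules from the post, reduced to their content: strings.
# Snort content syntax: text outside |...| is literal (backslash escapes
# the next character), text inside |...| is a run of hex bytes.
RULES = {
    1423: ("WEB-PHP content-disposition memchr overlfow",
           ['Content-Disposition\\:', 'name=\\"|CC CC CC CC CC|']),
    1425: ("WEB-PHP content-disposition",
           ['Content-Disposition\\:', 'form-data\\;']),
}


def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content: string into the raw bytes it matches."""
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == '|':                      # |CC CC ...| hex run
            j = spec.index('|', i + 1)
            out += bytes.fromhex(spec[i + 1:j].replace(' ', ''))
            i = j + 1
        elif c == '\\':                   # \" \: \; -> literal character
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def matching_sids(payload: bytes) -> list:
    """Return the sids whose content: strings all occur in the payload.
    Without distance/within modifiers Snort searches each content
    independently, so a plain substring test per content is equivalent."""
    hits = []
    for sid, (_msg, contents) in RULES.items():
        if all(parse_snort_content(s) in payload for s in contents):
            hits.append(sid)
    return sorted(hits)


# Heuristic not in the post: a form field name should never be hundreds of
# bytes long, whatever filler byte the attacker chose.  The 256-byte limit
# is an assumption for this example, not a value from the page.
NAME_RE = re.compile(rb'name="([^"]*)"')


def suspicious_field_length(payload: bytes, limit: int = 256) -> bool:
    return any(len(m) > limit for m in NAME_RE.findall(payload))


def multipart_post(name_field: bytes, filename: bytes = b"x.txt") -> bytes:
    """Build a constructed multipart/form-data POST to index.php."""
    body = (b"--boundary\r\n"
            b'Content-Disposition: form-data; name="' + name_field +
            b'"; filename="' + filename + b'"\r\n'
            b"Content-Type: text/plain\r\n\r\nhello\r\n--boundary--\r\n")
    return (b"POST /index.php HTTP/1.1\r\nHost: target\r\n"
            b"Content-Type: multipart/form-data; boundary=boundary\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample traffic (not captured data).
BENIGN = multipart_post(b"userfile")              # ordinary upload
CAPTURED_STYLE = multipart_post(b"\xcc" * 1200)   # 0xCC filler, as in the alert
EVASION = multipart_post(b"\x90" * 1200)          # same attack, other filler

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("0xCC filler", CAPTURED_STYLE),
                       ("0x90 filler", EVASION)):
        print(f"{label:12s} sids={matching_sids(pkt)} "
              f"long_name={suspicious_field_length(pkt)}")
```

Two things fall out of running it. Sid 1425 fires on the benign upload as well as on both attack variants: `Content-Disposition:` plus `form-data;` is simply the signature of any multipart form post, so on a server that accepts file uploads that rule is an "activity" alert, not an attack indicator. Sid 1423 fires only on the 0xCC variant; it keys on the attacker's filler byte rather than on the oversized field, so swapping the filler evades it while the length heuristic still catches the request. When tuning for this class of bug, a length-based or anomaly-based check on the field name is more robust than matching a particular padding byte.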
