[Snort-sigs] SID 835
warchild at ...288...
Thu Feb 7 18:51:02 EST 2002
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI test-cgi
access"; flags: A+; uricontent:"/test-cgi"; nocase;
reference:arachnids,218;classtype:attempted-recon; sid:835; rev:1;)
Potential access to the test-cgi cgi script was detected.
May reveal key information about the configuration of your listening
The test-cgi script is provided as part of the Apache web server to
test that cgi scripts are working. It can provide vital information
about the configuration of your webserver that may be invaluable to a
A web browser, or anything that can speak http:
warchild at ...351...
[~]$ telnet victim 80
Connected to haiti.
Escape character is '^]'.
GET /cgi-bin/test-cgi HTTP/1.0
Ease of Attack:
Trivial. All that is needed is a web browser of sorts.
This may trigger on urls containing test-cgi, but are not necessarily
indicative of an attack. For example,
http://myhost.org/home/foobar/test-cgi.txt would trigger this rule.
Few, if any.
Determine the need for this script, and remove it if there is no need.
Keep your eyes peeled for more potential probes from this host.
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>
More information about the Snort-sigs