[Snort-sigs] SID 835

Warchild warchild at ...288...
Thu Feb 7 18:51:02 EST 2002

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI test-cgi access"; flags: A+; uricontent:"/test-cgi"; nocase; reference:arachnids,218; classtype:attempted-recon; sid:835; rev:1;)


Potential access to the test-cgi cgi script was detected.

May reveal key information about the configuration of your listening
Apache webserver.

Detailed Information:
The test-cgi script is provided as part of the Apache web server to
test that cgi scripts are working.  It can provide vital information
about the configuration of your webserver that may be invaluable to a
potential attacker.

Attack Scenarios:
A web browser, or anything that can speak HTTP:

lynx http://victim/cgi-bin/test-cgi

warchild at ...351...
[~]$ telnet victim 80
Connected to haiti.
Escape character is '^]'.
GET /cgi-bin/test-cgi HTTP/1.0

Ease of Attack:
Trivial.  All that is needed is a web browser of sorts.

False Positives:
This may trigger on URLs that contain test-cgi but are not necessarily
indicative of an attack.  For example,
http://myhost.org/home/foobar/test-cgi.txt would trigger this rule.

False Negatives:
Few, if any.

Corrective Action:
Determine the need for this script, and remove it if there is no need.
Keep your eyes peeled for more potential probes from this host.

Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

Additional References:
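
Added example (not part of the original post or the Snort rule set): a Python sketch of the false-positive case described under "False Positives". It approximates the rule's uricontent/nocase match as a case-insensitive substring test on the percent-decoded request URI (an assumption about normalization), then separates requests whose path contains a test-cgi segment from substring-only hits. The request lines and function names are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

NEEDLE = "/test-cgi"  # uricontent value from sid 835

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/test-cgi HTTP/1.0",
    "GET /cgi-bin/TEST-CGI?x=1 HTTP/1.0",
    "GET /cgi-bin/%74est-cgi HTTP/1.0",
    "GET /home/foobar/test-cgi.txt HTTP/1.0",
    "GET /search?q=/test-cgi HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def request_target(request_line):
    """Return the request target (second token) of an HTTP request line."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def rule_matches(request_line):
    """Approximate the rule: case-insensitive substring match on the decoded URI."""
    return NEEDLE in unquote(request_target(request_line)).lower()


def triage(request_line):
    """Classify a request as no-alert, script-access or likely-false-positive."""
    if not rule_matches(request_line):
        return "no-alert"
    # Only the path decides whether the script itself was requested.
    path = unquote(urlsplit(request_target(request_line)).path).lower()
    segments = [seg for seg in path.split("/") if seg]
    if "test-cgi" in segments:
        return "script-access"
    return "likely-false-positive"


def triage_all(lines=SAMPLE_REQUESTS):
    """Return (request line, verdict) pairs for a list of request lines."""
    return [(line, triage(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in triage_all():
        print(f"{verdict:22} {line}")
```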
