[Snort-sigs] SID845 update

Busch, Andreas Andreas.Busch at ...300...
Wed Jan 23 04:36:17 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI AT-admin.cgi access"; flags: A+; uricontent:"/AT-admin.cgi"; nocase; classtype:attempted-recon; sid:845; rev:1;)

--
Sid:
845

--
Summary:
Someone tried to access the administration page of your local website's Excite search engine.

--
Impact:
An attacker might be able to change your website's search engine indexing and/or may access non-public document trees; the search-index database could also be completely deleted.

--
Detailed Information:
Excite is a search engine which can be included on your own web server to index those local documents. Access to AT-admin.cgi therefore should be at least password- and/or location-restricted.

--
Attack Scenarios:
An attacker sends an HTTP request like:
http://your.site/AT-admin.cgi
http://your.site/excite/AT-admin.cgi

--
Ease of Attack:
Fairly simple hand-crafting of URLs by the attacker. 

--
False Positives:

--
False Negatives:

--
Corrective Action:
Examine the packet to determine what was accessed by the user. If you're running Excite and the access was successful (200 OK), investigate your search engine and server logs.

--
Contributors:

-- 
Additional References:

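The following script is an added example, not part of the original post and not Snort's own code: it re-implements the matching logic of SID 845 (a case-insensitive `uricontent` test for `/AT-admin.cgi`) over a constructed, hypothetical web-server access log, and then applies the post's corrective-action guidance by separating hits that received a 200 OK from those that were refused. The log format, host addresses and request lines are constructed for the example.

```python
"""Offline triage of SID 845 hits against a web-server access log.

Added example; the log format below is a hypothetical simplified format:
    client_ip "METHOD URI HTTP/x.y" status
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the rule in the post.
SID = 845
MSG = "WEB-CGI AT-admin.cgi access"
URICONTENT = "/AT-admin.cgi"   # matched with "nocase", i.e. case-insensitively

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.7 "GET /index.html HTTP/1.0" 200
203.0.113.7 "GET /AT-admin.cgi HTTP/1.0" 200
198.51.100.22 "GET /excite/at-ADMIN.cgi?foo=bar HTTP/1.1" 403
198.51.100.22 "GET /cgi-bin/search.cgi?q=admin HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>\S+) (?P<uri>\S+) (?P<version>\S+)" (?P<status>\d{3})$'
)


@dataclass
class Alert:
    sid: int
    msg: str
    client: str
    uri: str
    status: int

    @property
    def successful(self) -> bool:
        # The post's corrective action keys on a 200 OK response.
        return self.status == 200


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one hypothetical-format log line; return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def uri_matches(uri: str, pattern: str = URICONTENT) -> bool:
    """Case-insensitive substring test, mirroring uricontent + nocase."""
    return pattern.lower() in uri.lower()


def scan_log(text: str) -> List[Alert]:
    """Raise one Alert per request whose URI contains the rule's uricontent."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if uri_matches(rec["uri"]):
            alerts.append(Alert(SID, MSG, rec["client"], rec["uri"], rec["status"]))
    return alerts


def successful_accesses(alerts: List[Alert]) -> List[Alert]:
    """Hits that were served (200 OK) and therefore need log investigation."""
    return [a for a in alerts if a.successful]


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        flag = "INVESTIGATE" if a.successful else "refused/failed"
        print(f"sid:{a.sid} {a.client} {a.uri} -> {a.status} ({flag})")
```

Running the script on the constructed log reports two hits: the mixed-case `/excite/at-ADMIN.cgi` request is caught because of `nocase`, while only the request that returned 200 OK is flagged for follow-up, which is the triage split the post recommends.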