[Snort-sigs] SID 1256

Warchild warchild at ...288...
Wed Jan 30 08:30:09 EST 2002


Rule:  
lert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2
root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase;
classtype:web-application-attack; sid:1256; rev:2;) 

--
Sid:
1256

--
Summary:
A remote machine attempted to access the root.exe executable on your
webserver. 

--
Impact:
Only affects Windows machines with a listening webserver, primarily IIS.
If root.exe does not exist, there is no impact aside from minor iritation.
If root.exe _does_ exist, full system-level access at the priveledge level
of the user running the webserver is possible.

--
Detailed Information:
As part of the CodeRed infection process, cmd.exe (the windows command
interpreter) gets copied to a number of locations throughout the
filesystem and named root.exe.  Following a modification to the registry,
root.exe becomes available from the web, allowing remote machines to
execute arbitrary commands.

--
Attack Scenarios:
Normally, access to root.exe is detected as part of an attempted infection
by another machine already infected by CodeRed.  In other situations,
root.exe may be accessed by remote machines/users in an attempt to gain
access to your system.

--
Ease of Attack:
Anyone with access to a browser or a telnet/nc connection to port 80 on the
victim machine can test and/or exploit this vulnerability.


--
False Positives:
Unknown.

--
False Negatives:
None for CodeRed v2.  If cmd.exe gets renamed to something else (perhaps,
backdoor.exe), traffic will pass undetected.

--
Corrective Action:
If root.exe does exist on your filesystem, remove the machine from your
network and follow your vendor's recommend method for cleaning and
repairing the havok wreaked by this particular worm.


--
Contributors:
Jon Hart <jhart at ...289...>
Warchild <warchild at ...288...>

-- 
Additional References:
http://www.cert.org/advisories/CA-2001-19.html





More information about the Snort-sigs mailing list