[Snort-sigs] SID 1330

Anton Chuvakin anton at ...1177...
Tue Feb 18 19:59:15 EST 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-1328.txt,v 1.1 2003/02/18 20:39:03 anton Exp anton $

(msg:"WEB-ATTACKS wget command attempt"; flow:to_server,established;
content:"wget%20";nocase; sid:1330; classtype:web-application-attack;

Sid: 1330

Summary: A post-compromise behavior indicating the use of a UNIX "wget"

Impact: attacker might have gained an ability to execute commands
remotely on the system and an ability to download file onto the web

Detailed Information: This signature triggers when a UNIX "wget"
command is used over a plain-text (unencrypted) connection on one of
the specified web ports to the target web server. The "wget" command
is used to download a file via HTTP or FTP connection to a UNIX
machine. Using "wget", the attackers might be able to download a local
exploit, IRC daemon or DDoS agent onto the server. The signature looks
for the "wget" command in the URL part of the client to web server
connection and does not indicate whether the command was actually
successful in downloading the files. The presence of the "wget" command
in the URL indicates that an attacker attempted to trick the web
server into executing system in non-interactive mode i.e. without a
valid shell session. Another case when this signature might trigger is
unencrypted HTTP tunneling connection to the server.

Attack Scenarios: An attacker uses a "wget" command via a web
server connection to load a copy of ptrace exploit onto a Linux
machine. He then executes the exploit over the web and obtains root

Ease of Attack: very easy, no exploit software required

False Positives: the signature will trigger if the string "wget " is
present in the URL requested from the web server, such as a part of a long
URL string.

False Negatives: non known

Corrective Action: check the web server software for vulnerabilities
and possible upgrade the system to the latest version, also
investigate the server for signs of compromise

Contributors: Anton Chuvakin <http://www.chuvakin.org>

Additional References:

More information about the Snort-sigs mailing list