[Snort-sigs] SID 1332
anton at ...1177...
Tue Feb 18 20:00:07 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id: snort-sid-1328.txt,v 1.1 2003/02/18 20:39:03 anton Exp anton $
Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-ATTACKS /usr/bin/id command attempt";
flow:to_server,established; content:"/usr/bin/id";nocase; sid:1332;
Summary: A web command execution attack involving the use of a UNIX
Impact: attacker might have gained an ability to execute system commands
remotely on the system
Detailed Information: This signature triggers when a UNIX "id" command
is used over a plain-text (unencrypted) connection on one of the
specified web ports to the target web server. The "id" command is used
to confirm the user name of the currently logged in user. The
signature looks for the "id" command in the client to web server
network traffic and does not indicate whether the command was actually
successful in showing the user information. The presence of the "id"
command web traffic indicates that an attacker attempted to trick the
web server into executing system in non-interactive mode i.e. without
a valid shell session. Another case when this signature might trigger
is unencrypted HTTP tunneling connection to the server.
Attack Scenarios: An attacker uses a "id" command via a web server
connection to test what username the web server runs under. He then
looks for all the files writable by this user and find a web server
configuration file with wrong permissions.
Ease of Attack: very easy, no exploit software required
False Positives: none known
False Negatives: none known
Corrective Action: check the web server software for vulnerabilities
and possible upgrade the system to the latest version, also
investigate the server for signs of compromise
Contributors: Anton Chuvakin <http://www.chuvakin.org>
More information about the Snort-sigs