[Snort-sigs] SID 497

Anton Chuvakin anton at ...1177...
Tue Jan 14 21:48:04 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id: snort-sid-template.txt,v 1.1 2002/10/09 13:06:31 cazz Exp $
#
#

Rule:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
RESPONSES file copied ok"; content:"1 file(s) copied"; nocase;
flow:from_server,established; classtype:bad-unknown; sid:497; rev:5;)

--
Sid: 497

-- 

Summary: A post-compromise behavior indicating the use of Windows
command shell for copying files.

-- 

Impact: attacker might have gained an ability to execute commands remotely

-- 

Detailed Information: Triggering of this signature indicates that a
file was successfully copied using Windows command line shell.  The
string "1 file(s) copied" is shown after a successful completion of a
Windows "copy" command. Seeing such a response in the HTTP traffic
indicates that somebody have managed to "convince" the web server to
spawn a shell bound to a web port and have successfully executed at
least one command to list the directory. Note that the source address
of this signature is actually the victim and not the attacker as for
the exploit signatures.

--

Attack Scenarios: an attacker gains an access to a Windows web server
via IIS vulnerability and then copies a "cmd.exe" file into the
directory accessible by a web server, thus creating a backdoor to
access the system.

-- 

Ease of Attack: this post-attack behavior can accompany different
attacks.

-- 

False Positives: not known

--
False Negatives: not known

-- 

Corrective Action: investigate the web server for signs of compromise,
run the integrity checking software, look for other IDS alerts
involving the same IP addresses.

--
Contributors: Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:





More information about the Snort-sigs mailing list