[Snort-users] sadmind rule
andrew at ...523...
Wed May 9 14:15:59 EDT 2001
We were just hit by the sadmind/IIS worm.
I've been trying to retroactively find what might have been actually
attacked buried in all the port 80 traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "sadmind"; flags: PA; content: "GET /scripts/root.exe"; )
seems to work.
The attack starts with
then proceeds with
GET /scripts/root.exe?/c+echo+^<your deface here>>.././index.asp
we see "f**k USA Government"
(I'd actually seen and reported the original scans with my auto reporter
script, but didn't realize an actual attack was involved till yesterday)
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
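One way to do the retroactive search described above over saved web-server access logs rather than live traffic, as an added example that is not part of the original post. It assumes Common Log Format lines; the sample log below is constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [09/May/2001:13:02:11 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [09/May/2001:13:05:40 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512
192.0.2.77 - - [09/May/2001:13:05:42 -0700] "GET /scripts/root.exe?/c+echo+^<html^>defaced^</html^>>.././index.asp HTTP/1.0" 200 0
192.0.2.33 - - [09/May/2001:13:07:03 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, url, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('ts'), m.group('method'), m.group('url'), int(m.group('status'))

def find_root_exe_hits(log_text):
    """Return one dict per request for /scripts/root.exe.

    'command' is the decoded query string (the request passes '/c <cmd>' to cmd.exe);
    'target_file' is the file an echo was redirected into, when the command contains '>';
    'succeeded' is True when the server answered 200, i.e. the request was actually served.
    """
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, ts, method, url, status = parsed
        path, _, query = url.partition('?')
        if path.lower() != '/scripts/root.exe':
            continue
        cmd = unquote_plus(query)
        target = None
        if '>' in cmd:
            # The last unescaped '>' is the output redirection; earlier '^>' are cmd.exe escapes.
            target = cmd.rsplit('>', 1)[1].strip()
        hits.append({'ip': ip, 'time': ts, 'command': cmd,
                     'target_file': target, 'succeeded': status == 200})
    return hits
```

Requests that were answered with 200 are the ones worth checking for a modified index page; 404s show the scan reached a host that did not expose the file.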