[Snort-users] sadmind rule

Max Vision vision at ...4...
Wed May 9 15:00:33 EDT 2001


I don't have a copy of this worm yet, but from everything I've seen so far
it appears that it is strictly a Solaris worm, using the rpc.sadmind
exploit to propagate. Before looking for the next Solaris system to
infect, the worm scans some large netblock looking for IIS web servers and
sends two requests to each (the first request sets up a shell that can accept
redirection, the second request causes the defacement).

The Solaris attack should cause an alert from IDS20:
 http://whitehats.com/info/IDS20   (portmap-request-sadmind)

The NT/IIS attacks will be seen by IDS433:
 http://whitehats.com/info/IDS433  (http-iis-unicode-traversal-optyx)

Also I think I saw mention of grabbb somewhere (teso banner grabber) - I
don't recall it having a distinct signature.  Anyone else have more
details?

Max


On Wed, 9 May 2001, Andrew Daviel wrote:
>
> We were just hit by the sadmind/IIS worm
> http://www.cert.org/advisories/CA-2001-11.html
>
> I've been trying to retroactively find what might have been actually
> attacked buried in all the port 80 traffic
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "sadmind"; flags: PA;
> content: "GET /scripts/root.exe"; )
>
> seems to work
>
> The attack starts with
> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\winnt\system32\cmd.exe+root.exe HTTP/1.0
> then proceeds with
> GET /scripts/root.exe?/c+echo+^<your deface here>>.././index.asp
> we see "f**k USA Government"
>
>
> (I'd actually seen and reported the original scans with my auto reporter
> script, but didn't realize an actual attack was involved till yesterday)
>
>
>  --
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376
> security at ...524...
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
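The two-stage request sequence quoted above is easy to pick out of port 80 logs after the fact. The Snort rule in the quoted reply matches only the second stage (the literal `GET /scripts/root.exe`); the first stage is the overlong-UTF-8 traversal that IDS433 covers, where `%c0%af` is an invalid two-byte encoding of `/` that a strict decoder rejects but a permissive one maps to a slash. The following is an added example, not code from either poster: a small log classifier that decodes request paths permissively, flags any multi-byte sequence that decodes to a plain ASCII character, and labels each stage. The sample request lines are constructed from the strings on the page, not taken from a real capture; the function and label names are my own.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not from a real capture). The first two
# follow the request sequence quoted on the page; the third is ordinary traffic.
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+\\winnt\\system32\\cmd.exe+root.exe HTTP/1.0",
    "GET /scripts/root.exe?/c+echo+^<your deface here>>.././index.asp HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def decode_overlong_utf8(data: bytes) -> Tuple[str, bool]:
    """Decode bytes the way a permissive UTF-8 decoder would, accepting
    overlong two-byte forms. Returns (text, saw_overlong_ascii); the flag is
    True when a multi-byte sequence decoded to an ASCII code point
    (e.g. C0 AF -> '/'), which a strict decoder would reject outright."""
    out = []
    overlong = False
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                overlong = True
            out.append(chr(cp))
            i += 2
        else:
            # Longer forms and stray continuation bytes are not interpreted.
            out.append("\ufffd")
            i += 1
    return "".join(out), overlong


def classify_request(line: str) -> Optional[str]:
    """Label a request line by the worm stage it resembles, or None."""
    m = re.match(r"^GET\s+(\S+)", line)
    if not m:
        return None
    # Only the path is decoded; the query string carries the command text.
    path = m.group(1).split("?", 1)[0]
    decoded, overlong = decode_overlong_utf8(unquote_to_bytes(path))
    low = decoded.lower()
    if low.startswith("/scripts/root.exe"):
        # Equivalent to the content match in the quoted Snort rule.
        return "stage2-root.exe"
    if overlong and "/../" in low:
        # Traversal that only appears once the overlong slash is decoded.
        return "stage1-unicode-traversal"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, label) pairs for every request that matched a stage."""
    hits = []
    for line in lines:
        label = classify_request(line)
        if label:
            hits.append((line, label))
    return hits


if __name__ == "__main__":
    for line, label in scan(SAMPLE_REQUESTS):
        print(label, "<-", line[:60])
```

Pointing `scan()` at the request-line column of an access log gives the retroactive view Andrew was after: a stage-1 hit on a host tells you the traversal reached it, and a stage-2 hit on the same host within a short window means the copied `root.exe` was actually invoked.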




