Re: A small quandary
From: Mike Katz (mike@procinct.com)
Date: 12/06/02
- Previous message: H C: "Re: A small quandary"
- In reply to: Mahoney, Paul: "A small quandary"
- Next in thread: gminick: "Re: A small quandary"
Date: Fri, 06 Dec 2002 10:41:35 -0800
To: <incidents@securityfocus.com>
From: Mike Katz <mike@procinct.com>
At 12/4/2002 08:30 PM, Mahoney, Paul wrote:
>/cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10
>/perl/ 1 -
>/cgi-bin/test-cgi.bat?|ver 1 -
>/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 -
>/cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 -
>/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\
>
>My question to everyone out there is would anyone be able to tell me if
>this kind of attack has the fingerprints of any known software/viruses
>in the field or is it a deliberate attempt to gain access to my clients
>site?
Paul,
I am not aware of a tool or virus that produces the above logs. However,
it would be trivial to modify one of the many web vulnerability scanners
(nikto, whisker, etc.) to create a scan that would produce the above logs.
It looks like the scan wasn't targeted at a specific operating system. The
first log entry would only work on a Unix system and the last three log
entries would only have worked on Windows systems.
The logs above are indicative of a scan, which often precedes an attack,
but is not a direct attempt to gain access (although it does gain
information). The first log entry was targeted at a vulnerability in the
AHG Search Engine and, if successful, would have given the scanner the
/etc/passwd file (or any other accessible file specified) for the system,
which includes account names, home directories, and user and group IDs. In
older systems not using shadow passwords, it may have given the scanner the
password hashes. This information could be useful in gaining unauthorized
access to the system.
The log entry with test-cgi.bat was targeted at a vulnerable version of
Apache running on Windows. The vulnerability allowed remote execution of
commands and could be exploited to gain control of the server.
The log entries with /scripts/ were targeted at vulnerabilities in
Microsoft's IIS server and would have given the scanner the directory
listing of the C: drive. More importantly, it would have indicated that the
scanner could execute commands on the server. Attacks have exploited this
vulnerability to gain control of IIS servers.
The log entry with mrtg.cgi was targeted at a vulnerability in CGI scripts
for Multi Router Traffic Grapher, on a Windows system (it can also be found
on Unix systems). If successful, the scanner would have retrieved the
contents of the win.ini file. More importantly, it would indicate that any
file on the target system could be retrieved.
I would treat these as hostile and would be extremely concerned if the logs
indicated that any of these scans were successful (a 200 status code in the
logs). I see these types of scans every day and tend to ignore them unless,
as in your case, they seem targeted.
Hope that helps.
Michael Katz
Procinct Security
mike@procinct.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
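As an added example (not part of the post or of any tool it mentions), the checks Mike describes can be automated over a web server access log: double URL decoding to catch `%252e`, the overlong UTF-8 form seen in `%c1%9c`, `../` traversal, shell metacharacters in query strings, and the 2xx status check that separates a probe from a probe that succeeded. The log lines, source addresses and tag names below are constructed.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines mirroring the quoted probes.
SAMPLE_LOG = [
    r'10.0.0.5 - - [04/Dec/2002:20:30:01 -0800] "GET /cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10 HTTP/1.0" 404 289',
    r'10.0.0.5 - - [04/Dec/2002:20:30:02 -0800] "GET /cgi-bin/test-cgi.bat?|ver HTTP/1.0" 404 289',
    r'10.0.0.5 - - [04/Dec/2002:20:30:03 -0800] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 200 1211',
    r'10.0.0.5 - - [04/Dec/2002:20:30:04 -0800] "GET /cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini HTTP/1.0" 404 289',
    r'10.0.0.5 - - [04/Dec/2002:20:30:05 -0800] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 289',
    r'10.0.0.9 - - [04/Dec/2002:20:31:00 -0800] "GET /index.html HTTP/1.0" 200 5120',
]

# Common log format: client, ident, user, [timestamp], "METHOD target ...", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# (tag, pattern, apply-to-decoded?). Overlong UTF-8 (lead byte C0/C1) is only
# visible in the raw string; the rest are checked after double decoding.
SIGNATURES = [
    ("overlong-utf8", re.compile(r"%c[01]%[0-9a-f]{2}", re.I), False),
    ("dir-traversal", re.compile(r"\.\.[/\\]"), True),
    ("cmd-exec", re.compile(r"cmd\.exe|[?&][^&]*[;|]", re.I), True),
    ("sensitive-file", re.compile(r"/etc/passwd|win\.ini", re.I), True),
]


def decode_twice(target):
    """Decode %XX twice so %252e (-> %2e -> .) is seen as the dot it becomes."""
    return unquote(unquote(target, errors="replace"), errors="replace")


def classify_request(target):
    """Return the signature tags that match one request target."""
    decoded = decode_twice(target)
    return [tag for tag, rx, use_decoded in SIGNATURES
            if rx.search(decoded if use_decoded else target)]


def triage(log_lines):
    """Flag scan-like requests; 'succeeded' is the 2xx check from the post."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        src, when, method, target, status = m.groups()
        tags = classify_request(target)
        if tags:
            hits.append({"src": src, "when": when, "target": target,
                         "status": int(status), "tags": tags,
                         "succeeded": status.startswith("2")})
    return hits
```

Anything with `succeeded` set is the case Mike says to be extremely concerned about; the rest is the routine scan noise he describes.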