Security Incidents mailing list archives
Re: new iis worm: seeking signature
From: H C <keydet89 () yahoo com>
Date: Wed, 13 Jun 2001 22:51:47 -0700 (PDT)
Makes sense to me, due to its simplicity. Most admins running an IIS web server probably don't want cmd.exe accessed anyway. It would seem to me that if you check the snort rules databases at snort.org or whitehats.com, you'll see that this very signature was written quite some time ago...probably before Microsoft released their patch in Nov '00.

--- Jordan K Wiens <jwiens () nersp nerdc ufl edu> wrote:
Best signature we've found for catching any variety of these worms is keying on system32/cmd.exe to any web port. No matter what variation of the directory traversal bug the script or hacker uses, they invariably access cmd.exe for their first access. There are just too many variations of unicode for / and other characters and ways to combine them to try to catch them all with a simple IDS signature. An extremely intelligent IDS would have to either translate the unicode (even ones technically out of spec, which is the whole problem in the first place) to determine if a directory traversal is being attempted, and that's just not practical in an environment with as much data as many networks see. Generic unicode signatures work miserably for obvious reasons; false-positives until the sun comes up. In other words, a simple cmd.exe signature has been our most effective tool in catching these worms.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 13 Jun 2001, Jose Nazario wrote:

hi all, i found these in my apache logs after a quick check:

209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246

in a nutshell, plain old unicode directory traversal attempts. (failed, obviously.) normally i would have dismissed these as 'kids', but these reports on a new IIS worm have me wondering if anyone has a signature for the scans it does:

http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
http://www.security-informer.com/ic_620113_3494_1-3283.html

thanks.

____________________________
jose nazario jose () cwru edu
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
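The thread above contrasts two detection approaches: Jordan Wiens's simple signature keyed on the literal string system32/cmd.exe, and the harder option of decoding out-of-spec ("overlong") UTF-8 so a traversal like ..%c0%af.. can be recognised as ../... The script below is an added illustration, not code from any poster on this thread; it parses Apache common-log lines (the two quoted from Jose Nazario's post, plus one constructed benign request), applies the cmd.exe key to the raw request, and separately runs a lenient decoder that accepts overlong sequences so the traversal becomes visible in the normalised path. The helper names (parse_line, lenient_utf8_decode, normalize_target, classify) and the benign sample line are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Sample log lines. The first two are the ones quoted in Jose Nazario's post
# above; the third is a constructed benign request added for contrast.
SAMPLE_LOG = [
    '209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] '
    '"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231',
    '209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] '
    '"GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246',
    '192.0.2.10 - - [10/Jun/2001:17:51:02 -0400] '
    '"GET /docs/cmdline-reference.html HTTP/1.0" 200 5120',
]

# Apache common log format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 but ALSO accept overlong encodings (C0 AF, E0 80 AF -> '/').

    A strict decoder rejects overlong forms; this deliberately mirrors the
    permissive decoding that made the traversal work, so a detector can see
    the path the server would have seen.  Invalid bytes become U+FFFD.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                       # plain ASCII
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:   need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF: need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF4: need, cp = 3, b & 0x07
        else:                              # stray continuation or invalid lead
            out.append('\ufffd'); i += 1; continue
        conts = data[i + 1:i + 1 + need]
        if len(conts) < need or any(c & 0xC0 != 0x80 for c in conts):
            out.append('\ufffd'); i += 1; continue
        for c in conts:                    # no overlong/minimal-form check on purpose
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else '\ufffd')
        i += 1 + need
    return ''.join(out)


def normalize_target(target: str) -> str:
    """Strip the query string, percent-decode to bytes, then decode leniently."""
    path = target.split('?', 1)[0]
    return lenient_utf8_decode(unquote_to_bytes(path))


def classify(line):
    """Annotate a log line with the two detections discussed in the thread."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = normalize_target(rec['target'])
    rec['decoded_path'] = decoded
    # Jordan Wiens's approach: key on the literal string regardless of how the
    # traversal itself was encoded.
    rec['cmd_exe'] = 'system32/cmd.exe' in rec['target'].lower()
    # The "translate the unicode" approach: traversal is visible only after decoding.
    rec['traversal'] = '/../' in decoded.replace('\\', '/')
    return rec


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        r = classify(line)
        print(f"{r['client']:15} cmd_exe={r['cmd_exe']!s:5} traversal={r['traversal']!s:5} {r['decoded_path']}")
```

Both quoted requests trip the cmd.exe key on the raw, undecoded request line, which is the point made in the thread: the key works no matter which overlong sequence stands in for the slash. The traversal flag, by contrast, is only reliable because the decoder deliberately accepts forms a conforming decoder rejects; the constructed benign line shows that neither flag fires on an ordinary request.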
Current thread:
- new iis worm: seeking signature Jose Nazario (Jun 13)
- Re: new iis worm: seeking signature Jordan K Wiens (Jun 13)
- Re: new iis worm: seeking signature H C (Jun 14)
- <Possible follow-ups>
- RE: new iis worm: seeking signature Jordan K Wiens (Jun 14)
- Re: new iis worm: seeking signature Jordan K Wiens (Jun 13)