Snort mailing list archives
please help ID payload info
From: "Randy Bey" <Randy.Bey () rivernorthsys com>
Date: Tue, 15 Oct 2002 09:46:43 -0600
I am getting a WEB-MISC /etc/passwd hit occasionally, and it has me worried. How the heck are they getting what looks like the contents of the /etc directory? I don't understand how it gets there. I have authentication set up on the server, so a plain old HEAD shouldn't work, but the payload looks like the output of an email that is routinely sent out with the 'ASET' job that I run daily. ASET is a Solaris thingie that does some HIDS stuff. I looked in access_log on the web server and all I see is 401's (authentication required) for all HEAD type requests. So why is this data here?

Here is the payload snippet:

000 : 48 45 41 44 20 2F 20 48 54 54 50 2F 31 2E 30 0D  HEAD / HTTP/1.0.
010 : 0A 0D 2A 2A 2A 0D 0A 0D 0A 2E 2E 2E 2E 20 73 65  ..***........ se
020 : 74 74 69 6E 67 20 61 74 74 72 69 62 75 74 65 73  tting attributes
030 : 20 6F 6E 20 74 68 65 20 73 79 73 74 65 6D 20 6F   on the system o
040 : 62 6A 65 63 74 73 20 64 65 66 69 6E 65 64 20 69  bjects defined i
050 : 6E 0D 0A 20 20 20 20 2F 75 73 72 2F 61 73 65 74  n..    /usr/aset
060 : 2F 6D 61 73 74 65 72 73 2F 74 75 6E 65 2E 6D 65  /masters/tune.me
070 : 64 0D 0A 0D 0A 2A 2A 2A 20 45 6E 64 20 54 75 6E  d....*** End Tun
080 : 65 20 54 61 73 6B 20 2A 2A 2A 0D 0A 0D 0A 2A 2A  e Task ***....**
090 : 2A 20 42 65 67 69 6E 20 55 73 65 72 20 41 6E 64  * Begin User And
0a0 : 20 47 72 6F 75 70 20 43 68 65 63 6B 69 6E 67 20   Group Checking
0b0 : 2A 2A 2A 0D 0A 0D 0A 43 68 65 63 6B 69 6E 67 20  ***....Checking
0c0 : 2F 65 74 63 2F 70 61 73 73 77 64 20 2E 2E 2E 0D  /etc/passwd ....
0d0 : 0A 0D 0A 43 68 65 63 6B 69 6E 67 20 2F 65 74 63  ...Checking /etc
0e0 : 2F 73 68 61 64 6F 77 20 2E 2E 2E 0D 0A 0D 0A 2E  /shadow ........
0f0 : 2E 2E 2E 20 65 6E 64 20 75 73 65 72 20 63 68 65  ... end user che
100 : 63 6B 2E 0D 0A 0D 0A 43 68 65 63 6B 69 6E 67 20  ck.....Checking
110 : 2F 65 74 63 2F 67 72 6F 75 70 20 2E 2E 2E 0D 0A  /etc/group .....
120 : 0D 0A 2E 2E 2E 2E 20 65 6E 64 20 67 72 6F 75 70  ...... end group
130 : 20 63 68 65 63 6B 2E 0D 0A 0D 0A 2A 2A 2A 20 45   check.....*** E
140 : 6E 64 20 55 73 65 72 20 41 6E 64 20 47 72 6F 75  nd User And Grou
150 : 70 20 43 68 65 63 6B 69 6E 67 20 2A 2A 2A 0D 0A  p Checking ***..

Randy Bey
RiverNorth Systems
7300 W 147th St Suite 300
Apple Valley, MN 55124
http://www.rivernorthsys.com
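The following is an added example, not part of the post or of Snort itself. It rebuilds the raw payload from the hex dump above and searches it for the literal strings a content-matching rule would look for (the WEB-MISC /etc/passwd rule is assumed here to match on the string "/etc/passwd"; the other two paths are included only to show they are in the same payload). The point it illustrates is that Snort matches on the packet payload as captured on the wire, so a 401 from the web server has no bearing on whether the signature fires: the ASET report text that follows the HEAD request line is what contains "Checking /etc/passwd", and that substring alone is enough for the rule. The hex below is copied from the post with the ASCII column dropped.

```python
"""Rebuild the payload from a Snort-style hex dump and locate the rule content."""
import re

# Hex dump copied from the post (offset : bytes). The ASCII column is omitted.
DUMP = """
000 : 48 45 41 44 20 2F 20 48 54 54 50 2F 31 2E 30 0D
010 : 0A 0D 2A 2A 2A 0D 0A 0D 0A 2E 2E 2E 2E 20 73 65
020 : 74 74 69 6E 67 20 61 74 74 72 69 62 75 74 65 73
030 : 20 6F 6E 20 74 68 65 20 73 79 73 74 65 6D 20 6F
040 : 62 6A 65 63 74 73 20 64 65 66 69 6E 65 64 20 69
050 : 6E 0D 0A 20 20 20 20 2F 75 73 72 2F 61 73 65 74
060 : 2F 6D 61 73 74 65 72 73 2F 74 75 6E 65 2E 6D 65
070 : 64 0D 0A 0D 0A 2A 2A 2A 20 45 6E 64 20 54 75 6E
080 : 65 20 54 61 73 6B 20 2A 2A 2A 0D 0A 0D 0A 2A 2A
090 : 2A 20 42 65 67 69 6E 20 55 73 65 72 20 41 6E 64
0a0 : 20 47 72 6F 75 70 20 43 68 65 63 6B 69 6E 67 20
0b0 : 2A 2A 2A 0D 0A 0D 0A 43 68 65 63 6B 69 6E 67 20
0c0 : 2F 65 74 63 2F 70 61 73 73 77 64 20 2E 2E 2E 0D
0d0 : 0A 0D 0A 43 68 65 63 6B 69 6E 67 20 2F 65 74 63
0e0 : 2F 73 68 61 64 6F 77 20 2E 2E 2E 0D 0A 0D 0A 2E
0f0 : 2E 2E 2E 20 65 6E 64 20 75 73 65 72 20 63 68 65
100 : 63 6B 2E 0D 0A 0D 0A 43 68 65 63 6B 69 6E 67 20
110 : 2F 65 74 63 2F 67 72 6F 75 70 20 2E 2E 2E 0D 0A
120 : 0D 0A 2E 2E 2E 2E 20 65 6E 64 20 67 72 6F 75 70
130 : 20 63 68 65 63 6B 2E 0D 0A 0D 0A 2A 2A 2A 20 45
140 : 6E 64 20 55 73 65 72 20 41 6E 64 20 47 72 6F 75
150 : 70 20 43 68 65 63 6B 69 6E 67 20 2A 2A 2A 0D 0A
"""

# Assumed content strings: "/etc/passwd" is what the WEB-MISC rule is taken to
# match on; the other two are in the same ASET report and are checked for context.
CONTENTS = [b"/etc/passwd", b"/etc/shadow", b"/etc/group"]

_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s*:\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def parse_snort_dump(dump: str) -> bytes:
    """Reassemble payload bytes from 'OFFSET : XX XX ...' lines.

    Offsets are checked against the running length so a skipped or duplicated
    line in a pasted dump is caught instead of silently shifting every match.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # tolerate blank or non-dump lines
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"dump gap or overlap at offset {offset:#x}")
        out.extend(bytes.fromhex(m.group(2)))
    return bytes(out)


def request_line(payload: bytes) -> str:
    """First CRLF-terminated line of the payload, i.e. the HTTP request line."""
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


def find_matches(payload: bytes, patterns=CONTENTS) -> dict:
    """Return {pattern: offset} for each content string present in the payload.

    This mirrors a plain Snort content match: a raw substring search over the
    whole payload, independent of HTTP semantics or the server's reply.
    """
    hits = {}
    for p in patterns:
        idx = payload.find(p)
        if idx >= 0:
            hits[p.decode()] = idx
    return hits


if __name__ == "__main__":
    payload = parse_snort_dump(DUMP)
    print(f"{len(payload)} bytes, request line: {request_line(payload)!r}")
    for name, off in find_matches(payload).items():
        ctx = payload[max(0, off - 9):off + len(name)].decode("ascii", "replace")
        print(f"  {name:12s} at {off:#05x}: {ctx!r}")
```

Running it shows "/etc/passwd" at offset 0xc0 inside "Checking /etc/passwd", with "/etc/shadow" and "/etc/group" a few lines further on, all inside the ASET "User And Group Checking" section. It also shows that the request line is followed by "\r***" rather than the "\r\n\r\n" that ends an HTTP header block, so whatever emitted this packet was not a well-formed HEAD request; the sensor does not care, since the content rule is a substring match over the payload.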
Current thread:
- please help ID payload info Randy Bey (Oct 15)
- Re: please help ID payload info Matt Kettler (Oct 15)
- Re: please help ID payload info Robby Desmond (Oct 17)
- Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- AW: Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- AW: Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- Help with content-list usage - Unable to open list file: Sven_da_duder Sean Wheeler (Oct 17)
- <Possible follow-ups>
- RE: please help ID payload info Randy Bey (Oct 15)
- RE: please help ID payload info twig les (Oct 15)
- RE: please help ID payload info matthew . keay (Oct 17)
- RE: please help ID payload info matthew . keay (Oct 17)