Re: new iis worm: seeking signature

From: H C (keydet89at_private)
Date: Wed Jun 13 2001 - 22:51:47 PDT

  • Next message: Jordan K Wiens: "RE: new iis worm: seeking signature"

    Makes sense to me, due to its simplicity.  Most
    admins running an IIS web server probably don't want
    cmd.exe accessed anyway.
    
    It would seem to me that if you check the snort rules
    databases at snort.org or whitehats.com, you'll see
    that this very signature was written quite some time
    ago...probably before Microsoft released their patch
    in Nov '00.
    
    
    --- Jordan K Wiens <jwiensat_private> wrote:
    > Best signature we've found for catching any variety of these worms is
    > keying on system32/cmd.exe to any web port.  No matter what variation of
    > the directory traversal bug the script or hacker uses, they invariably
    > access cmd.exe for their first access.
    > 
    > There are just too many variations of unicode for / and other characters
    > and ways to combine them to try to catch them all with a simple IDS
    > signature.  An extremely intelligent IDS would have to either translate the
    > unicode (even ones technically out of spec - which is the whole problem in
    > the first place) to determine if a directory traversal is being attempted,
    > and that's just not practical in an environment with as much data as many
    > networks see.  Generic unicode signatures work miserably for obvious
    > reasons; false-positives until the sun comes up.
    > 
    > In other words, a simple cmd.exe signature has been our most effective tool
    > in catching these worms.
    > 
    > -- 
    > Jordan Wiens
    > UF Network Incident Response Team
    > (352)392-2061
    > 
    > On Wed, 13 Jun 2001, Jose Nazario wrote:
    > 
    > > hi all,
    > > 
    > > i found these in my apache logs after a quick check:
    > > 
    > > 209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
    > > 209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246
    > > 
    > > in a nutshell, plain old unicode directory traversal attempts. (failed, obviously.)
    > > 
    > > normally i would have dismissed these as 'kids', but these reports on a new IIS worm have me wondering if anyone has a signature for the scans it does:
    > > 
    > > http://www.symantec.com/avcenter/venc/data/dos.storm.worm.html
    > > http://www.security-informer.com/ic_620113_3494_1-3283.html
    > > 
    > > thanks.
    > > 
    > > ____________________________
    > > jose nazario                                 joseat_private
    > >               PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    > >                                PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    > > 
    > > 
    > 
    
    
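    An added example, not code from this thread, from Snort, or from any of the
    posters: it runs Jordan's "key on system32/cmd.exe" signature over Apache log
    lines, and next to it runs the decode-then-look-for-traversal check he says is
    impractical on the wire, so you can see both what the simple rule catches and
    what only decoding reveals. The first two log lines are the ones Jose posted;
    the other three, the function names, the URL-encoded "%63md.exe" variant and
    the normalisation scheme are this example's own assumptions, not anything the
    thread reports the worm doing.

```python
"""Added example (not from the thread, Snort, or any poster).

Two detections over Apache-style log lines:
  1. the simple signature Jordan Wiens describes: a raw, case-insensitive
     content match on "system32/cmd.exe", the way a Snort content rule
     sees the bytes before any decoding;
  2. the check he calls impractical on the wire: %xx-decode the URI,
     decode UTF-8 the lenient way IIS did (accepting overlong forms such
     as %c0%af and %e0%80%af for '/'), then look for a '..' segment.
Function names and the normalisation scheme are this example's own.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log. Lines 1-2 are the requests quoted in Jose Nazario's
# message. Lines 3-5 are made up for this example: a benign request, a request
# with "cmd.exe" in a filename outside system32, and a traversal with one
# URL-encoded letter in "cmd.exe" (hypothetical, not reported on the page).
SAMPLE_LOG = '''\
209.250.131.60 - - [10/Jun/2001:17:50:29 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 231
209.250.131.60 - - [10/Jun/2001:17:50:30 -0400] "GET /msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 404 246
10.0.0.5 - - [10/Jun/2001:17:51:02 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [10/Jun/2001:17:52:10 -0400] "GET /docs/cmd.exe-faq.html HTTP/1.0" 200 5120
10.0.0.9 - - [10/Jun/2001:17:53:44 -0400] "GET /scripts/..%c0%af../winnt/system32/%63md.exe?/c+dir+c: HTTP/1.0" 404 231
'''

# Apache common log format; the request URI carries no spaces (they arrive as '+').
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# 1. The simple signature, matched against the literal request bytes.
CMD_EXE_SIG = re.compile(r'system32/cmd\.exe', re.IGNORECASE)

def match_cmd_exe(uri: str) -> bool:
    return CMD_EXE_SIG.search(uri) is not None

# 2. The decoding an "extremely intelligent IDS" would have to do first.
def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 while ACCEPTING overlong sequences, which is what the
    IIS bug relied on: %c0%af and %e0%80%af both come out as '/'.
    A conforming decoder (Python's included) rejects them.  Bytes that do
    not form a sequence pass through as Latin-1 so nothing is lost."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF:
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            need, cp = 3, b & 0x07
        else:
            out.append(chr(b)); i += 1; continue
        cont = data[i + 1:i + 1 + need]
        if len(cont) == need and all(0x80 <= c <= 0xBF for c in cont):
            for c in cont:
                cp = (cp << 6) | (c & 0x3F)   # no minimum-length check: overlong accepted
            if cp <= 0x10FFFF:
                out.append(chr(cp)); i += 1 + need; continue
        out.append(chr(b)); i += 1            # malformed: pass the lead byte through
    return ''.join(out)

def strict_utf8_rejects(data: bytes) -> bool:
    """True if a spec-conforming decoder refuses the bytes."""
    try:
        data.decode('utf-8')
        return False
    except UnicodeDecodeError:
        return True

def normalize_uri(uri: str) -> str:
    """%xx-decode, decode overlong UTF-8, fold backslashes to '/'."""
    return lenient_utf8_decode(unquote_to_bytes(uri)).replace('\\', '/')

TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')

def match_traversal(uri: str) -> bool:
    return TRAVERSAL.search(normalize_uri(uri)) is not None

def scan_log(text: str):
    """Return (ip, uri, hits) for each parsable line.  hits names the checks
    that fired: 'cmd.exe' (raw signature), 'cmd.exe-decoded' (only visible
    after decoding), 'traversal' (a '..' segment after decoding)."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri, hits = m['uri'], []
        if match_cmd_exe(uri):
            hits.append('cmd.exe')
        elif match_cmd_exe(normalize_uri(uri)):
            hits.append('cmd.exe-decoded')
        if match_traversal(uri):
            hits.append('traversal')
        results.append((m['ip'], uri, hits))
    return results

if __name__ == '__main__':
    for ip, uri, hits in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {hits or '-'}  {uri}")
```

    Both of Jose's lines trip the raw signature as well as the decoded
    traversal check, and the "cmd.exe-faq.html" line trips neither because the
    rule keys on "system32/cmd.exe", not on "cmd.exe" alone.  The last line is
    the caveat: a single %xx-encoded letter in the filename defeats the raw
    content match, and only the decoding pass sees it.  Whether that decoding
    is worth its cost at line rate is exactly the trade-off Jordan describes.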
    



    This archive was generated by hypermail 2b30 : Thu Jun 14 2001 - 10:30:24 PDT