Web/HTTP signature series 5000

The 5000 series of signatures is the largest group. The signatures focus on different types of Web attacks. Buffer overflows, directory traversal, and illegal uploading and downloading of files are just a few examples.

  • 5034-WWW IIS newdsn attack: This signature fires when attempts are made to run the newdsn.exe command from the http server. This could be indicative of a remote denial of service attack attempt. This particular command could be used to fill up the target host's file system.

  • 5035-HTTP cgi HylaFAX Faxsurvey: This signature fires when an attempt is made to pass commands to the CGI program faxsurvey. A problem in the CGI program faxsurvey, included with the HylaFAX package from SGI, allows an attacker to execute commands on the host machine. These commands will execute at the privilege level of the HTTP server. There are no legitimate reasons to pass commands to the faxsurvey command. This signature indicates abuse and the source should be shunned.

  • 5036-WWW Windows Password File Access Attempt: This alarm is fired when an attempt is made to retrieve either the current or backup copy of the NT password file through a web server.

    • Sub ID: 1: Backup copy

    • Sub ID: 2: Current

  • 5037-WWW SGI MachineInfo Attack: This alarm is fired when an attempt is made to retrieve either the current or backup copy of the NT password file through a web server.

    • Sub ID: 1: Backup Copy

    • Sub ID: 2: Current

  • 5038-WWW wwwsql file read Bug: This signature fires when an attempt is made to read files in the cgi-bin directory by the www-sql script. This could indicate that a remote attacker is trying to download cgi-bin scripts and access otherwise protected directories under DocumentRoot.

  • 5039-WWW finger attempt: This signature fires when an attempt is made to run the finger program using the http server. It is recommended that all unnecessary programs be removed from the cgi-bin directory.

  • 5040-WWW Perl Interpreter Attack: This signature fires when someone attempts to pass and execute Perl commands on the server through a perl interpreter. These commands will execute with the privilege level of the Web Server. If successful, an attacker may gain unauthorized access and remotely execute commands. This can lead to further system access (including root access) and malicious activity. The source address for this signature should be shunned.

  • 5041-WWW anyform attack: This signature fires when an attacker attempts to execute arbitrary commands through the anyform cgi-bin script. The source address for this attack should be shunned.

  • 5042-WWW CGI Valid Shell Access: This signature fires when attempts are made to access a valid shell or interpreter on the targeted system. Shells include:

    • Sub ID: 1: bash

    • Sub ID: 2: tcsh

    • Sub ID: 3: ash, bsh, csh, ksh, jsh, or zsh

    • Sub ID: 4: sh

    • Sub ID: 5: Java interpreter

    • Sub ID: 6: Python interpreter

  • 5043-WWW Cold Fusion Attack: This signature fires when attempts are made to access example scripts that are shipped with the Cold Fusion Servers. The source address for this signature should be shunned.

    • Sub ID 1: indicates an attempt to access the openfile script. This script allows an attacker to upload files to the target host or server.

    • Sub ID 2: indicates an attempt to access displayopenedfile.cfm. This could indicate that a remote attacker is trying to access files on the target host or server.

    • Sub ID 3: indicates an attempt to upload files to a Cold Fusion server through the exprcalc.cfm script. This can be used to overwrite files on the target server or host.

  • 5044-WWW Webcom.se Guestbook attack: This signature fires when an attacker attempts to execute arbitrary commands through Webcom.se's rguest.exe or wguest.exe cgi-bin script. The source address for this attack should be shunned.

  • 5045-WWW xterm display attack: This signature fires when any cgi-bin script attempts to execute the command xterm -display. This is an indicator that someone is trying to log in to your network illegally. There is no legitimate use for someone to execute xterm -display. Any hosts attempting this command should be shunned.

  • 5046-WWW dumpenv.pl recon: This signature fires when an attempt is made to display information about the targeted host with the dumpenv.pl script. Some webservers include this script, which is intended to show environmental information about the server. External attempts should be scrutinized thoroughly. In most cases the source should be shunned.

  • 5047-WWW Server Side Include POST attack: This signature fires when attempts are made to embed a server side include (SSI) in an http POST command. This is an indicator someone is trying to access system resources without authorization.

  • 5048-WWW IIS BAT EXE attack: This signature fires when an attempt is made to execute remote commands on a Microsoft IIS 1.0-2.0b web server. This may indicate an attempt to illegally access system resources.

  • 5049-WWW IIS showcode.asp access: This signature fires whenever an attempt is made to access the showcode.asp Active Server Page. This script allows for arbitrary access to any file on the target's file system. Hosts that attempt to access this file, especially from outside your network, should be shunned.

  • 5050-WWW IIS .htr Overflow Attack: This signature fires when an .htr buffer overrun attack is detected, indicating a possible attempt to execute remote commands, or cause a denial of service against the targeted Windows NT IIS server. Hosts that attempt to cause this type of alarm, especially from outside your network, should be shunned.

  • 5051-IIS Double Byte Code Page: IIS contains a vulnerability that could allow a web site visitor to view the source code for selected files on the server. However, this is based on the server's default language. The vulnerability only applies to default languages set to Chinese, Japanese or Korean.

  • 5052-FrontPage Extensions PWD Open Attempt: This signature fires when attempts are made to open a configuration file on a Microsoft Personal Webserver (for Windows) or FrontPage extensions (for UNIX) web server.

  • 5053-FrontPage _vti_bin Directory List Attempt: This signature fires when attempts are made to list the directory of binaries from a Microsoft Personal Webserver (for Windows) or FrontPage extensions (for UNIX) web server.

  • 5054-WWWBoard Password: This signature fires when CGI scans are detected looking for WWWBoard services. WWWBoard has several vulnerabilities and should be used with great care.

  • 5055-HTTP Basic Authentication Overflow: This signature fires when extremely large usernames and passwords are detected during authentication. This can cause a buffer overflow.

  • 5056-WWW Cisco IOS %% DoS: This signature fires when an attempt to crash a Cisco IOS-based product using the HTTP management interface is detected. Certain versions of IOS incorrectly interpret the characters "%%" when sent to the HTTP management interface. This can result in a router crashing, causing the need for the power to be cycled to restore normal operation.

    The affected operating system versions are: Cisco IOS 11.3AA, 11.3DB, 12.0x, 11.3, 11.2SA, 12.0T, 12.0W5, 12.0XA, 12.0XE, 12.0XH, 12.0XJ, 12.1, 12.1AA, 12.1DA, 12.1DB, 12.1DC, 12.1E, 12.1EC, 12.1T, 12.1XA, 12.1XB, 12.1XC, 12.1XD, 12.1XE, 12.1XF, 12.1XG, 12.1XH, 12.1XI, 12.1XJ, 12.1XL, 12.1XP, 11.2P, 11.2, 11.1, 11.0, 11.1CC, and 12.0.

    The affected software versions are: Cisco IOS 11.2SA, 12.0T, 12.0W5, 12.0XA, 12.0XE, 12.0XH, 12.0XJ, 12.1, 12.1AA, 12.1DA, 12.1DB, 12.1DC, 12.1E, 12.1EC, 12.1T, 12.1XA, 12.1XB, 12.1XC, 12.1XD, 12.1XE, 12.1XF, 12.1XG, 12.1XH, 12.1XJ, 12.1XL, 12.1XP, 11.2P, 11.2, 11.1, 11.3(1.2), 11.3(1.2)T, 11.3, 11.2(10)P, 11.1(14)CA, and 11.1CC.

    The affected services are: HTTP Web on ports 80/TCP and 8080/TCP.

  • 5057-WWW Sambar Samples: This signature fires when an attempt has been made to access certain CGI programs that contain known vulnerabilities shipped with the Sambar web server. Those programs are echo.bat and hello.bat.

  • 5058-WWW info2www Attack: This signature fires when an attempt is made to execute commands with the info2www CGI program.

  • 5059-WWW Alibaba Attack: This signature fires when an attempt is made to execute commands using certain CGI programs shipped with the Alibaba web server. Those programs are get32.exe, alibaba.pl, and tst.bat.

  • 5060-WWW Excite AT-generate.cgi Access: This signature fires when an attempt is made to access the CGI program AT-generate.cgi. Administrator passwords for the Excite Web Server application could be changed. If you feel your system has been subject to this type of activity, have your system administrator verify the administrator passwords.

  • 5061-WWW catalog_type.asp Access: This signature fires when an attempt is made to access the vulnerable sample ASP file catalog_type.asp.

  • 5062-WWW classifieds.cgi Attack: This signature fires when an attempt has been made to execute commands with the CGI program classifieds.cgi.

  • 5063-WWW dmblparser.exe Access: This signature fires when an attempt is made to access the CGI program dmblparser.exe.

  • 5064-WWW imagemap.cgi Attack: This signature fires when an attempt is made to cause a buffer overflow in the CGI program imagemap.cgi.

  • 5065-WWW IRIX infosrch.cgi Attack: This signature fires when an attempt is made to execute commands using the IRIX CGI program infosrch.cgi.

  • 5066-WWW man.sh Access: An attempt has been made to access the CGI shell script man.sh.

  • 5067-WWW plusmail Attack: This signature fires when an attempt has been made to change the PlusMail administrator password. The attacker could possibly gain full control of the PlusMail program. If this is suspected, have the system administrator verify the password.

  • 5068-WWW formmail.pl Access: This signature fires when an attempt is made to access the CGI program formmail.pl.

  • 5069-WWW whois_raw.cgi Attack: This signature fires when an attempt is made to access, and possibly execute commands using, the CGI program Cdomain whois_raw.cgi.

  • 5070-WWW msadcs.dll Access: This signature fires when an attempt is made to access the CGI program msadcs.dll. This is an indicator that a reconnaissance session is occurring for a possible later attack to exploit the IIS RDS vulnerability. The affected operating system versions are Windows NT Server 4.0. The affected software and program versions are IIS 4.0 and 3.0. The affected services are: HTTP Web 80/TCP 8080/TCP, HTTPS Web 443/TCP.

  • 5071-WWW msadcs.dll Attack: This signature fires when an attempt is made to execute commands or view secured files with privileged access. This type of activity should be scrutinized closely, and administrators should audit and validate the system from which the activity has been detected. This is a very common attack used to deface websites.

  • 5072-WWW bizdb1-search.cgi Attack: An attempt has been made to execute commands or view files with the privileges of the web server using the CGI program bizdb1-search.cgi.

  • 5073-WWW EZshopper loadpage.cgi Attack: An attempt has been made to execute commands or view files with the privileges of the web server using the CGI program loadpage.cgi.

  • 5074-WWW EZshopper search.cgi Attack: An attempt has been made to execute commands or view files with the privileges of the web server using the CGI program EZshopper search.cgi.

  • 5075-WWW IIS Virtualized UNC Bug: An attempt has been made to view the source of an ASP file. A bug exists in certain versions of Microsoft's IIS web server that allows an attacker to view the source of ASP and other files if the IIS virtual directory they reside in has been mapped to a UNC share.

  • 5076-WWW webplus bug: An attempt was made to gain access to files outside the web server directories using the CGI program webplus.

  • 5077-WWW Excite AT-admin.cgi Access: An attempt has been made to access the CGI program AT-admin.cgi.

  • 5078-WWW Piranha passwd attack: An attempt has been made to access the vulnerable cgi script passwd.php3 with suspicious arguments. This is found in the piranha/secure/ directory.

  • 5079-WWW PCCS MySQL Admin Access: The PCCS PHP-based MySQL administration tool contains a file with the database administrator's username and password. This may not seem like much of a problem, except that it can be accessed remotely.

  • 5080-WWW IBM WebSphere Access: This signature fires when someone attempts to access a JSP file using a URL like http://server/servlet/file/login.jsp potentially revealing the JSP source code.

  • 5081-WWW WinNT cmd.exe Access: This signature fires when the use of the Windows NT cmd.exe is detected in a URL.

  • 5083-WWW Virtual Vision FTP Browser Access: This signature fires when an attempt to traverse directories in a URL like http://server/cgi-bin/ftp/ftp.pl?dir=../../etc is detected.

  • 5084-WWW Alibaba Attack 2: This signature fires when a pipe (|) character is detected in a URL like http://server/cgi-bin/|post32.exe or http://server/cgi-bin/|sindex2.bat.

  • 5085-WWW IIS Source Fragment Access: This signature fires when a URL ending in "+.htr" is detected.

  • 5086-WWW WEBactive Logfile Access: This signature fires when an attempt to access the WEBactive logfile is detected.

  • 5087-WWW Sun Java Server Access: This signature fires when an attempt to access URLs like http://server/pservlet.html or http://server/servlet/sunexamples.RealmDumpServlet is detected.

  • 5088-WWW Akopia MiniVend Access: This signature fires when an attempt to access a URL like http://server/view_page.html is detected.

  • 5089-WWW Big Brother Directory Access: This signature fires when an attempt to traverse directories with the Big Brother CGI program bb-hostsvc.sh has been detected.

  • 5090-WWW FrontPage htimage.exe Access: This signature fires when the FrontPage CGI program is accessed with a filename argument ending with "0,0".

  • 5091-WWW Cart32 Remote Admin Access: This signature fires when an attempt is made to access the vulnerable cart32.exe cgi script with suspicious arguments: /cart32.exe/cart32clientlist or /c32web.exe/changeadminpassword.

  • 5092-WWW CGI-World Poll It Access: This signature fires when an attempt is made to access the Poll-It CGI using an internal script variable name "data_dir" as an argument in the HTTP request.

  • 5093-WWW PHP-Nuke admin.php3 Access: An attempt has been made to access the vulnerable PHP-Nuke admin.php3 cgi script using suspicious arguments.

  • 5095-WWW CGI Script Center Account Manager Attack: This signature fires when an attempt to change the administrator password of the CGI Script Center Account Manager is detected.

  • 5096-WWW CGI Script Center Subscribe Me Attack: This signature fires when an attempt to change the administrative password of the CGI Script Center Subscribe package is detected.

  • 5097-WWW FrontPage MS-DOS Device Attack: This signature fires when a URL is requested using the shtml.exe component of FrontPage that includes an MS-DOS device name. A denial of service can result from this URL request.

  • 5099-WWW GWScripts News Publisher Access: This signature fires when an attempt to add an author to the GWScripts News Publisher interface is detected.

  • 5100-WWW CGI Center Auction Weaver File Access: This signature fires when an attempt to access normally inaccessible files using the CGI script auctionweaver.pl has been detected.

  • 5101-WWW CGI Center Auction Weaver Attack: This signature fires when an attempt to execute an unauthorized command using the auctionweaver.pl CGI script is detected.

  • 5102-WWW phpPhotoAlbum explorer.php Access: This signature fires when an unauthorized attempt to access files using the explorer.php CGI script is detected.

  • 5103-WWW SuSE Apache CGI Source Access: This signature fires when an attempt to access the /cgi-bin-sdb directory of a web server is detected.

  • 5104-WWW YaBB File Access: This signature fires when an attempt to read unauthorized files using the YaBB.pl CGI bulletin board program is detected.

  • 5105-WWW Ranson Johnson mailto.cgi Attack: This signature fires when an attempt to execute system commands using the mailto.cgi program is detected.

  • 5106-WWW Ranson Johnson mailform.pl Access: This signature fires when an attempt to access the "mailform.pl" has been detected.

  • 5107-WWW Mandrake Linux /perl Access: This signature fires when an attempt to access the URL path /perl directly has been detected.

  • 5108-WWW Netegrity Site Minder Access: This signature fires when an unauthorized attempt to access protected content on a website managed by Netegrity Site Minder using an authentication bypass method is detected. Looks for strings like "/$/somefile.ccc" in a URL.

  • 5109-WWW Sambar Beta search.dll Access: This signature fires when an unauthorized attempt to access files or directories using the Sambar Server search.dll CGI program is detected.

  • 5110-WWW SuSE Installed Packages Access: This signature fires when an attempt to access the URL /doc/packages is detected.

  • 5111-WWW Solaris Answerbook 2 Access: This signature fires when an attempt to add a user to the AnswerBook interface is detected.

  • 5112-WWW Solaris Answerbook 2 Attack: This signature fires when an attempt to execute an unauthorized command using the access / error rotation feature of the administrative interface of AnswerBook 2 is detected.

  • 5113-WWW CommuniGate Pro Access: This signature fires when an unauthorized attempt to access files using the Communigate Pro web interface is detected.

  • 5114-WWW IIS Unicode Attack: This signature fires when an attempt to exploit the Unicode ../ directory traversal vulnerability is detected. Looks for the commonly exploited combinations which are included in publicly available exploit scripts.

  • 5115-Netscape Enterprise Server with ?wp Tags: This signature fires when certain Netscape Enterprise Server 3.x HTML tags are detected in use. These tags allow remote users to view the contents of directories on the web servers. In most cases they should be disabled if not in use.

    The HTML tags are as follows:

    • SubSigId 0 - ?wp-cs-dump

    • SubSigId 1 - ?wp-ver-info

    • SubSigId 2 - ?wp-html-rend

    • SubSigId 3 - ?wp-usr-prop

    • SubSigId 4 - ?wp-ver-diff

    • SubSigId 5 - ?wp-verify-link

    • SubSigId 6 - ?wp-start-ver

  • 5116-Endymion MailMan Remote Command Execution: This signature fires when the perl function open() is used on Endymion MailMan. This allows user-supplied input containing shell metacharacters to be executed as shell commands with the privilege level of the CGI script.

  • 5117-phpGroupWare Remote Command Exec: phpGroupWare is a multi-user groupware suite that is freely distributed. A problem in the software could allow users to remotely execute malicious code by exploiting a vulnerable include() command.

  • 5118-eWave ServletExec 3.0C File Upload: UploadServlet is a servlet that ServletExec contains in its server side classes. UploadServlet, when invoked with a specially formed HTTP or GET request, allows an attacker to upload any file to any directory on the server. The uploaded file may have code that can later be executed on the server, leading to remote command execution.

  • 5119-CGI Script Center News Update Admin Passwd Change: Newsup, a cgi script from the CGI Script Center allows password changes to the administrator account without proper verification. Every time a person changes a news update administrator password this signature will trigger.

  • 5120-Netscape Server Suite Buffer Overflow: This signature will fire if the value of the "content" variable sent to the CGI program "search" is longer than 1000 bytes. The Netscape Server administrative interface is installed on TCP port 24326 by default.

  • 5121-iPlanet .shtml Buffer Overflow: This signature fires if a request with more than 180 characters between slashes (/ or \) is received with a .shtml suffix.

  • 5122-Nokia IP440 Denial of Service: This signature will fire if more than 6000 characters are sent with a specifically formed request on a web port.

  • 5123-WWW IIS Internet Printing Overflow: There are two subsignatures associated with this signature.

    • SubSig 0: This alarm will fire if web traffic is detected sending an abnormally large GET request with a large 'Host' field. Both are

    • SubSig 1: This signature fires upon detecting .printer in a URI argument field with a large argument field length.

  • 5124-IIS CGI Double Decode: This signature fires when a doubly obfuscated attempt to traverse the directory structure of a web server is detected. Certain versions of the IIS web server perform a second pass decode of the arguments sent to a CGI program. During this second pass decode, the IIS server erroneously reevaluates the already decoded path portion of the URL. An attacker can manipulate the path portion of a URL in such a way as to hide characters, such as ../, which would normally be filtered out during the first pass decode of the URL.

    This signature will alarm if the following characters are found in a deobfuscated HTTP request:

    • SubSig 0 - %2e (.)

    • SubSig 1 - %2f (/)

    • SubSig 2 - %5c (\)

  • 5125-PerlCal Directory Traversal: This alarm will fire if a '../' is present in an HTTP request to the CGI script 'make_cal.pl'.

  • 5126-WWW IIS .ida Indexing Service Overflow: This signature will alarm if web traffic is detected with the ISAPI extension of .ida? and a data size of greater than 200 characters.

  • 5127-WWW viewsrc.cgi Directory Traversal: This alarm will fire if a ../ is used while requesting viewsrc.cgi using the web.

  • 5128-WWW nph-maillist.pl Cmd Exec: This alarm will fire if the cgi script nph-maillist.pl is used with the parameter e-mailaddress having a semicolon (;) in its argument.

  • 5129-IOS HTTP Unauth Command Execution: This signature fires when an HTTP attempt to bypass router authentication to execute privileged (level 15) commands is detected. The HTTP request looks like: http:///level/XX/exec/... where XX is 16 - 99.

    There are two subsignature IDs:

    • SubSig 0 fires when XX is between 16 and 19 inclusive.

    • SubSig 1 fires when XX is between 20 and 99 inclusive.

  • 5130-Bugzilla globals.pl: This signature fires when an HTTP request for the file 'globals.pl' is detected.

  • 5131-talkback.cgi Directory Traversal: This signature fires when an HTTP access to talkback.cgi attempting to traverse outside the normal directory structure is detected.

  • 5132-VirusScan catinfo Buffer Overflow: This signature fires when an abnormally long request is made to the CGI script 'catinfo', which is part of the Interscan VirusWall management interface.

  • 5133-Net.Commerce Macro Path Disclosure: This signature fires when an HTTP request to 'macro.d2w', with NOEXISTINGHTMLBLOCK appended to the end of the path, is detected.

  • 5134-MacOS PWS DoS: This signature fires when an abnormally long HTTP request like "/?aaaa..." is detected.

  • 5138-Oracle Application Server Shared Library Overflow: Alarms when a URL containing more than 2050 characters is sent to an Oracle server.

  • 5140-Net.Commerce Macro Denial of Service: This signature fires when an abnormally long HTTP request has been made to the CGI script 'macro.d2w', which causes the server to crash.

  • 5141-NCM content.pl SQL Query Vulnerability: Alarms when content.pl is detected in the URL with '<' or '>' characters.

  • 5142-DCShop File Disclosure: This signature fires when an HTTP request to one of two files is detected.

    • SubSigId 0 - /DCShop/Orders/orders.txt

    • SubSigId 1 - /DCShop/Auth_data/auth_user_file.txt

  • 5143-Microsoft Media Player ASX Overflow: Alarms when a large string is detected in the BANNER.HREF field.

  • 5146-MS-DOS Device Name DoS: This is referred to as the "DOS Device in Path Name" vulnerability. Microsoft Windows 95, 98, and 98SE will allow an attacker to cause a DoS by using a pathname that includes file device names. The DOS device names are reserved words, and cannot be used as folder or file names.

    The following subsignature IDs correspond to the reserved DOS device names:

    • Subsig 0 alarms when /aux is detected in the URL.

    • Subsig 1 alarms when /CON is detected in the URL.

    • Subsig 2 alarms when /NUL is detected in the URL

    • Subsig 3 alarms when /PRN is detected in the URL

    • Subsig 4 alarms when /LPT1 through /LPT9 is detected in the URL

    • Subsig 5 alarms when /COM1 through /COM9 is detected in the URL

    • Subsig 6 alarms when /CLOCK$ is detected in the URL

    • Subsig 7 alarms when /CONFIG$ is detected in the URL

    • Subsig 8 alarms when /XMSXXXX0 is detected in the URL

    • Subsig 9 alarms when /$MMXXXX0 is detected in the URL

    • Subsig 10 alarms when /MSCD000 is detected in the URL

    • Subsig 11 alarms when /DBLBUFF$ is detected in the URL

    • Subsig 12 alarms when /EMMXXXX0 is detected in the URL

    • Subsig 13 alarms when /IFS$HLP$ is detected in the URL

    • Subsig 14 alarms when /SETVERXX is detected in the URL

    • Subsig 15 alarms when /SCSIMGR$ is detected in the URL

    • Subsig 16 alarms when /DBLSBIN$ is detected in the URL

    • Subsig 17 alarms when /MS$MOUSE is detected in the URL.

  • 5147-Arcadia Internet Store Directory Traversal Attempt: This signature fires when an attempt is made to pass ../.. as a template argument to the tradecli.dll for the Internet Directory Store program.

  • 5148-Perception LiteServe Web Server CGI Script Source Code Disclosu: Alarms when a MS-DOS style CGI directory name is contained in a web request.

  • 5149-Trend Micro Interscan Viruswall Configuration Modification: Alarms when interscan.dll is accessed.

  • 5150-InterScan VirusWall RegGo.dll Buffer Overflow: Alarms when RegGo.dll is sent a buffer greater than 820 bytes in length.

  • 5151-WebStore Admin Bypass: Detects when an attempt to bypass the administrative authentication of the WebStore application is made.

  • 5152-WebStore Command Exec: This signature fires when an attempt to execute unauthorized commands with WebStore application is detected.

  • 5154-WWW uDirectory Directory Traversal: Alarms when udirectory.pl is called with an argument that contains a '../.'.

  • 5155-WWW SiteWare Editor Directory Traversal: Alarms if SWEditServlet is called with a '../' as an argument.

  • 5156-WWW Microsoft fp30reg.dll Overflow: Alarms if fp30reg.dll is detected with an argument size that is greater than 258 bytes.

  • 5157-Tarantella TTAWebTop.CGI Directory Traversal Bug: This signature fires when an attempt is made to pass ../.. as a value for the pg argument to the ttawebtop.cgi program.

  • 5158-iPlanet Proprietary Method Overflow: This alarm will fire if a supported method is requested with arguments of greater than 2000 characters. Unless an iPlanet web server is being used on your network, this alarm should be disabled. Many web forms contain GET/POST methods that, when used with large sets of arguments, could cause this signature to fire.

    The following subsignature IDs correspond to the iPlanet proprietary methods:

    • Sub Sig 0 DELETE

    • Sub Sig 1 INDEX

    • Sub Sig 2 PUT

    • Sub Sig 3 MOVE

    • Sub Sig 4 MKDIR

    • Sub Sig 5 POST

    • Sub Sig 6 COPY

    • Sub Sig 7 EDIT

    • Sub Sig 8 UNEDIT

    • Sub Sig 9 SAVE

    • Sub Sig 10 LOCK

    • Sub Sig 11 UNLOCK

    • Sub Sig 12 REVLABEL

    • Sub Sig 13 REVLOG

    • Sub Sig 14 REVADD

    • Sub Sig 15 REVNUM

    • Sub Sig 16 SETATTRIBUTE

    • Sub Sig 17 GETATTRIBUTE

    • Sub Sig 18 GETATTRIBUTENAMES

    • Sub Sig 19 GETPROPERTIES

    • Sub Sig 20 STARTREV

    • Sub Sig 21 STOPREV

  • 5159-phpMyAdmin Cmd Exec: The trigger will fire upon detecting access to sql.php with the arguments 'goto' and 'btnDrop=No'.

  • 5160-Apache ? indexing file disclosure bug: This signature fires on attempts to view directories on web servers with certain strings in the URLs. The URL types are:

    • Sub Sig 0: /directory/?M=A

    • Sub Sig 1: /directory/?S=D

  • 5160:1-Apache ? indexing file disclosure bug: This signature fires on attempts to view directories on web servers with certain strings in the URLs. The URL types are:

    • Sub Sig 0: /directory/?M=A

    • Sub Sig 1: /directory/?S=D

  • 5161-SquirrelMail Command Exec: This signature fires when an attempt to insert malicious PHP code into the CGI script 'options_order.php' is detected in an HTTP request.

  • 5162-Active Classifieds Command Exec: This signature fires when an attempt is detected to insert arbitrary Perl code into an HTTP request to 'admin.cgi'.

  • 5163-Mambo SiteServer Administrative Password ByPass: Alarms when a request with index2.php is detected with a UID of administrator.

  • 5164-PHPBB Remote SQL Query Manipulation: Alarms when a user_level 4 is sent to prefs.php.

  • 5165-php-nuke article.php sql query: This signature will fire when it detects a web request to 'article.php' with the arguments of mainfile and prefix. Valid requests can cause false positives.

  • 5166-php-nuke modules.php DoS: This will fire when it detects access to modules.php with an argument's value of '../'.

  • 5167-phpMyAdmin Cmd Exec 2: This signature fires when an attempt to execute unauthorized PHP commands using phpMyAdmin is detected. The following subsignatures are associated with their PHP commands:

    • SubSig 0: illegitimate use of the CGI script 'tbl_copy.php'.

    • SubSig 1: illegitimate use of the CGI script 'tbl_rename.php'.

  • 5168-Snapstream PVS Directory Traversal Bug: Fires on an attempt to use '../' to traverse the directory tree on a webserver listening on port 8129.

  • 5169-SnapStream PVS Plaintext Password Vulnerability: This signature fires when an attempt to touch the ssd.ini file is detected on port 8129.

  • 5170-NULL byte in URI: This signature fires when a URL request ending in the character '' is detected.

  • 5171-NC-Book book.cgi Cmd Exec: This signature fires when 'book.cgi' is accessed with arguments that contain pipes (|). The CGI script is located in /ncbook/.

  • 5172-WinWrapper Admin Server Directory Traversal: Alarms when the classic directory traversal '../' is detected on port 4096.

  • 5173-Directory Manager Cmd Exec: This signature fires if edit_image.php is called with the parameter 'userfile_name' that contains a semicolon (;). The server does not filter these out. As long as the user is required to authenticate on the webserver this vulnerability is eliminated.

  • 5174-phpmyexplorer directory traversal: This signature fires when index.php is accessed with a parameter of 'chemin' whose value contains a '../'.

  • 5175-Hassan Shopping Cart Command Exec: This signature fires when an attempt to execute unauthorized commands using the CGI script 'shop.pl' is detected.

  • 5176-Exchange Address List Disclosure: This signature fires when an attempt to retrieve addresses from the Global Address Book using the Exchange Outlook Web Access interface is detected. False positives can occur because of legitimate queries to the Exchange server.

  • 5178-MS Index Server File/Path Recon: This signature fires when the 'SQLQHit.asp' file is accessed with a certain argument, 'CiColumns' containing a wildcard (*).

  • 5179-PHP-Nuke File Upload: This signature fires when an attempt to upload a file using the 'admin.php' CGI script is detected.

  • 5180-sgiMerchant Directory Traversal: This signature fires when the 'view_item' file is accessed with a certain value, '../', in the parameter html_file.

  • 5181-MacOS Apache File Disclosure: This signature fires when certain patterns are detected at the end of HTTP requests. The following is a list of subsignatures and their associated patterns:

    • SubSig 0 - '/.DS_Store'

    • SubSig 1 - '/.FBCIndex'

  • 5181:1-MacOS Apache File Disclosure: This signature fires when './FBCIndex' is detected in a URL.

  • 5182-WebDiscount's eShop Arbitrary Command Exec: This signature fires when certain shell meta-characters are detected as part of the input to the Perl script eShop.pl. The characters are (;) and (|).

  • 5183-PHP File Inclusion Remote Exec: This signature fires when there is an attempt made by a PHP script to retrieve a file using HTTP for execution. Legitimate use of PHP scripts can cause false positives.

  • 5184-Apache Authentication Module ByPass: This signature fires upon detecting a select statement on the Authorization line of an HTTP header.

  • 5188-HTTP Tunneling: This signature fires when HTTP tunneling tools are detected in use. These tunneling tools allow users inside your private network to bypass the firewall to access services such as FTP, chat, etc. This would be considered a violation of most security policies, poses a real threat to internal networks, and should not be allowed.

    • SubSig 0: This signature, GotomyPC, fires when a computer connects to the GotomyPC site.

    • SubSig 1: This signature, FireThru, fires when an attempt to use /cgi-bin/proxy is detected. The cgi-bin/proxy is used to tunnel connections to other ports using web ports.

    • SubSig 2: This signature, HTTP Port, fires when a connection is made to exectech-va.com. The site runs a server, which connects to a requested resource and returns the information using web ports.

    • SubSig 3: This signature, httptunnel, fires when '/index/html?crap' is detected in a POST request.

  • 5191-Active Perl PerlIS.dll Buffer Overflow: This signature fires when a filename greater than 300 characters is seen in a URL with the '.pl' extension.

  • 5194-Apache Server .ht File Access: This signature fires when an HTTP request to specific files is detected. The files are:

    • SubSig 0: .htaccess

    • SubSig 1: .htpasswd

    • SubSig 2: .htgroup

  • 5195-AS/400 '/' attack: This signature fires when a GET request with '.jsp/' on the end is detected. Unless you are running an IBM AS/400 web server you should disable this signature. This signature can cause false positives.

  • 5196-Red Hat Stronghold Recon attack: This signature fires when an HTTP request to specific files is detected. Those files are:

    • SubSig 0: stronghold-info

    • SubSig 1: stronghold-status

  • 5197-Network Query Tool command Exec: This signature fires when attempts are made to pass shell metacharacters to the 'nqt.php' or 'network_query.php' variables.

  • 5199-W3Mail Command Exec: This signature fires if an attempt to execute commands in an HTTP request to the CGI program 'sendmessage.cgi' is detected.

  • 5200-IIS Data Stream Source Disclosure: This signature fires when attempts are made to access a file using HTTP with the '::$DATA' extension. This extension looks peculiar in itself, and any sightings should be scrutinized thoroughly.

  • 5201-PHP-Nuke Cross Site Scripting: Cross site scripting occurs when web applications gather malicious data from a user. This data is gathered in the form of a hyperlink that contains the malicious content within it. The subsignatures associated with PHP-Nuke Cross Site Scripting are:

    • SubSig 0: This signature fires if 'user.php' is accessed and the parameter uname contains an HTML script directive.

    • SubSig 1: This signature fires when 'modules.php' is accessed and the parameter title contains an HTML script directive.

    • SubSig 2: This signature fires when 'phptonuke.php' is accessed and the parameter 'filenavn' contains an HTML script directive.

  • 5202-PHP-Nuke File Copy / Delete: This signature fires when attempts are made to either copy or delete files using the PHP-Nuke administrator filemanager. The subsignatures associated with this signature are:

    • SubSig 0: This signature fires when attempts are made to copy a file using the PHP-Nuke administrator filemanager module.

    • SubSig 1: This signature fires when attempts are made to delete a file using the PHP-Nuke administrator filemanager module.

  • 5203-Hosting Controller File Access and Upload: This signature fires when directory traversal attempts are made using the script 'filemanager.asp'. This is a good indicator that uploading or downloading from a web server is taking place.

  • 5204-AspUpload Sample Scripts: This signature fires when certain sample scripts are detected as being used. Sample scripts should be removed from all production servers.

    • SubSig 0: This signature fires if directory traversal attempts to use the sample script "UploadScript11.asp" are detected.

    • SubSig 1: This signature fires if attempts to use the sample script "DirectoryListing.asp" are detected.

  • 5205-Apache php.exe File Disclosure: This signature fires when an MS-DOS drive letter is detected as an argument to the script 'php.exe'. This is a good indicator that unauthorized attempts to retrieve files off the Apache web server are occurring.

  • 5206-Horde IMP Session Hijack: This signature fires if 'status.php3' is accessed and the message parameter includes a script HTML directive.

  • 5207-Entrust GetAccess directory traversal: This signature fires when a directory traversal '../' is sent as an argument value to the script 'aboutbox.gas.bat'.

  • 5208-Network Tools shell metacharacters: This signature fires when a shell metacharacter is sent as an argument to the Network_Tool.

  • 5209-Agora.cgi Cross Site Scripting: This signature fires when HTML tags are detected as arguments sent to the Agora shopping cart application.

  • 5210-FAQManager.cgi directory traversal: This signature fires when a web request to FAQManager.cgi with a hard-coded path to a file outside of the web directory is detected.

  • 5211-zml.cgi File Disclosure: This signature fires when the argument 'file', containing ../, is sent to the zml.cgi script.

  • 5212-Bugzilla Admin Authorization Bypass: This signature fires when an unauthorized attempt is made to add a user to the administrative group of Bugzilla.

  • 5213-Bugzilla Command Exec: This signature fires if an attempt is made to add an unauthorized command to Bugzilla.

  • 5214-FAQManager.cgi null bytes: This signature fires if a web request to FAQManager.cgi with a null byte appended to the request is detected.

  • 5215-lastlines.cgi cmd exec/traversal: This signature fires when an HTTP request for lastlines.cgi with arguments is detected. The subsignatures with the associated arguments are:

    • SubSig 0: ../

    • SubSig 1: Shell Metacharacters

  • 5216-PHP Rocket Directory Traversal: This signature fires when an HTTP request to 'PHProcketadmin.php' or 'index.php' with a value for the parameter page of '../' is detected.

  • 5217-Webmin Directory Traversal: This signature fires when an HTTP request to 'edit_action.cgi' with an argument of '../' is detected.

  • 5218-Boozt Buffer Overflow: This signature fires when 'Index.cgi' in the Boozt package is sent a name containing 1000+ characters.

  • 5219-Lotus Domino database DoS: This signature fires when '/./' is detected in the URL.

  • 5220-CSVForm Remote Command Exec: This signature fires when the script 'CSVForm.pl' is sent a file argument containing a pipe "|" character.

  • 5221-Hosting Controller Directory Traversal: This signature fires when an http request to a hosting controller file with certain arguments for the failpath is detected. False positives are possible if an administrator issues certain web requests. The subsignatures and the associated files are:

    • SubSig 0 - statsbrowse.asp

    • SubSig 1 - servubrowse.asp

    • SubSig 2 - browsedisk.asp

    • SubSig 3 - browsewebalizerexe.asp

    • SubSig 4 - sqlbrowse.asp

  • 5223-Pi3Web Buffer Overflow: This signature fires when a long HTTP request to the CGI program 'hello.exe' is detected.

  • 5224-SquirrelMail SquirrelSpell Command Exec: This signature fires when an attempt to execute commands using the SquirrelSpell feature of SquirrelMail is detected.

  • 5227-AHG Search Engine Command Exec: This signature fires when shell metacharacters ';|' are detected as input to the script 'search.cgi'.

  • 5229-DCP Portal Root Path Disclosure: This signature fires when a request to access add_user.php is detected.

  • 5230-Lotus Domino Authentication Bypass: The alarm fires when a .nsf file is accessed with a URL longer than 230 bytes.

  • 5231-MRTG Directory Traversal: This signature will fire if directory traversal attempts using MRTG CGI scripts are detected.

  • 5232-URL with XSS: This signature will alarm upon detecting a URL with script in it. This is a common way to execute XSS, also known as cross site scripting. Cross site scripting occurs when web applications gather malicious data from a user. This data is gathered in the form of a hyperlink that contains the malicious content within it.

  • 5233-PHP fileupload Buffer Overflow: This signature fires when abnormal and long file name arguments are sent to an HTTP form.

  • 5234-pforum sql-injection: This signature will fire when a sql-injection attempt to 'logincheck.php' is detected.

  • 5236-Xoops sql-injection: This signature will fire upon detecting a request to userinfo.php that contains a sql-injection attack in a parameter.

  • 5237-HTTP CONNECT Tunnel: The signature fires when the HTTP CONNECT method is detected. Attackers may try to exploit vulnerabilities in HTTP proxies to help hide their locations. Internal users accessing proxies can cause false positives.

  • 5238-EZNET Ezboard Buffer Overflow: The alarm fires when access to scripts 'Ezboard.cgi', 'Ezman.cgi', or 'Ezadmin.cgi' is detected. The HTTP header must be greater than 350 characters to make this signature fire.

  • 5239-Sambar cgitest.exe Buffer Overflow: This signature fires when an unusually long argument is detected being sent to the CGI program "/cgitest.exe".

  • 5240-Marcus Xenakis Shell Command Exec: The alarm fires when shell metacharacters are detected as an argument to the script 'directory.php'.

  • 5241-Avenger System Command Exec: The alarm fires when a directory traversal or shell metacharacters are input to the ans.pl script.

  • 5243-CS .cgi Script Cmd Exec: This signature will alarm upon detecting the use of a possible command exec statement in the argument list. The subsignatures and the associated scripts are:

    • SubSig 0: csSearch.cgi

    • SubSig 1: csMailto.cgi

    • SubSig 2: csGuestbook.cgi

    • SubSig 3: csLiveSupport.cgi

    • SubSig 4: csNewsPro.cgi

    • SubSig 5: csChatRBox.cgi

  • 5244-PhpSmsSend Command Exec: This signature fires when an attempt to execute unauthorized commands using the CGI program 'phpsmssend.php' is detected.

  • 5245-HTTP 1.1 Chunked Encoding Transfer: This signature fires when HTTP 1.1 chunked encoding transfer activity is detected. False positives are possible. Any detection should be scrutinized closely.

  • 5246-IIS ISAPI Filter Buffer Overflow: This signature fires when an unusually long argument sent to the CGI program 'shtml.exe' is detected.

  • 5247-IIS ASP SSI Buffer Overflow: This signature fires when an HTTP request for an Active Server Page (ASP) document has an unusually large 'Content-Length' value.

  • 5248-IIS HTR ISAPI Buffer Overflow: This signature fires when an unusually long HTTP request for an HTR document with an ASP file as an argument is detected.

  • 5249-IDS Evasive Encoding: This signature looks for special characters such as Null , New Line %0a, Carriage Return %0d, Period "." %2e, Forward Slash "/" %2f, and Back Slash "\" %5c in the URL of an HTTP request that have been encoded in hexadecimal instead of appearing as the actual character. This is a technique used to evade detection of an attack. This signature fires if any of the aforementioned characters are detected as being encoded as part of the URL.

  • 5250-IDS Evasive Double Encoding: This signature looks for special characters such as Null , New Line %0a, Carriage Return %0d, Period "." %2e, Forward Slash "/" %2f, and Back Slash "\" %5c in the URL of an HTTP request that have been "doubly" encoded in hexadecimal instead of appearing as the actual character. This is a technique used to evade detection of an attack. This signature fires if any of the aforementioned characters are detected as being doubly encoded as part of a URL.

  • 5251-Allaire JRun // Directory Disclosure: This signature will fire if an unauthorized attempt to display directory listings for the Allaire JRun web server is detected.

  • 5252-Allaire JRun Session ID Recon: This signature will fire if the system detects that a remote user tries to access the sample servlet files in Allaire JRun web server in order to get sensitive information.

  • 5253-Axis StorPoint CD Authentication Bypass: This signature will fire if the system detects that a remote user tries to use the "dot dot" (..) attack to access the server's administration pages without authentication.

  • 5254-Sambar Server CGI Dos Batch File: This signature will fire if the system detects that a remote user tries to run MS-DOS batch files that are in the server's cgi-bin directory.

  • 5255-Linux Directory traceroute / nslookup Command Exec: This signature fires when an unauthorized attempt to execute commands using the CGI script "nslookup.pl" or "traceroute.pl" is detected.

  • 5256-Dot Dot Slash in URI: This signature will fire when a "dot dot slash" (../) is detected in a URI.

  • 5257-PHPNetToolpack traceroute Command Exec: This signature fires when an unauthorized attempt to execute commands using the "nettools.php" CGI script is detected.

  • 5258-Script source disclosure with CodeBrws.asp: This signature fires upon detecting a request to the sample script CodeBrws.asp with arguments of '../'. You should never see a '../' request to this script.

  • 5259-Snitz Forums SQL injection: This signature will fire upon detecting an HTTP request to members.asp that includes the character ' as a value sent to the parameter M_NAME.

  • 5260-Xpede sprc.asp SQL Injection: This signature will alarm upon detecting an HTTP request to sprc.asp with an argument that contains an apostrophe ('). This would be indicative of a SQL insertion attack.

  • 5261-BackOffice Server Web Administration Access: This signature fires upon detecting access to Backoffice/Services.asp. This script has been known to be vulnerable to an authentication bypass attack.

  • 5262-Large number of Slashes URL: This signature will fire when a large number of slashes ("/") in a URL is detected.

  • 5263-ecware.exe Access: This signature fires when an HTTP request for 'ecware.exe' is detected.

  • 5265-RedHat cachemgr.cgi Access: This signature fires when unauthorized remote access to 'cachemgr.cgi' file is detected. False positives are possible with normal access to the 'cachemgr.cgi' file.

  • 5266-iCat Carbo Server File Disclosure: This signature will fire when an HTTP request containing carbo.dll in the URL and ../ in the icatcommand parameter is detected.

  • 5268-Cisco Catalyst Remote Command Execution: This signature will fire when an HTTP request containing /exec/ in the URL is detected. A vulnerability in the web server configuration interface of the Cisco Catalyst 3500 XL allows a remote attacker to execute arbitrary commands. Legitimate access to the GUI of the Catalyst switch can cause false positives.

  • 5269-ColdFusion CFDOCS Directory Access: This signature will fire when unauthorized remote access to the '/CFDOCS' directory is detected. Normal access to '/CFDOCS' can cause false positives.

  • 5270-EZ-Mall order.log File Access: This signature fires when an HTTP request for '/mall_log_files/order.log' is detected.

  • 5271-search.cgi Directory Traversal: This signature fires when '../' is found in the 'letter' argument to the CGI script 'search.cgi'.

  • 5272-count.cgi GIF File Disclosure: This signature fires when '../' is found in the 'image' argument to the CGI script 'count.cgi'.

  • 5273-Bannermatic Sensitive File Access: This signature fires upon detecting an HTTP request to certain Bannermatic files. Bannermatic allows a web master to build his own banner exchange service without having to purchase, install, or operate special software because it functions exclusively online. The subsignatures and associated files are:

    • SubSig 0 - ban.log

    • SubSig 1 - ban.bak

    • SubSig 2 - ban.dat

    • SubSig 3 - banmat.pwd

  • 5274-Netpad.cgi Directory Traversal/Cmd Exec: This signature fires upon detecting an attack to the known vulnerable script 'netpad.cgi'. The subsignatures associated with this signature are:

    • SubSig 0 - Command Exec Attempt

    • SubSig 1 - Directory Traversal Attempt.

  • 5275-Phorum Remote Cmd Exec: This signature fires upon detecting an attempted remote script execution on certain files that are part of the 'Phorum' package. These files and corresponding subsignatures are:

    • SubSig 0 - admin.php

    • SubSig 1 - plugin.php

  • 5276-cart.cgi Command Execution: This signature fires when argument '3fdj939jf' is used with the cart.cgi script, which is the backdoor remote-execution argument.

  • 5276:1-cart.cgi vars,env,db Recon: This signature fires when argument 'vars', 'env', or 'db' is used with the cart.cgi script, which reveals configuration settings of the application. False positives are possible if arguments ending in 'vars', 'env', or 'db' are used with the script 'cart.cgi'.

  • 5276:2-cart.cgi Backdoor: This signature fires when argument 'usmbu7777' is used with the cart.cgi script, which is the e-mail backdoor argument.

  • 5277-dfire.cgi Command Exec: This signature fires when dfire.cgi is executed with a pipe or semicolon in the 'ipinc' or 'ipone' argument.

  • 5278-VP-ASP shoptest.asp access: This signature will fire upon detecting access to a dangerous default script of VP-ASP /demo400/shopdbtest.asp.

  • 5279-JJ CGi Cmd Exec: This signature fires when an unauthorized attempt to execute commands using the 'jj' CGI script is detected.

  • 5280-IIS idq.dll Directory Traversal: This signature will fire if an unauthorized attempt to view files on web server using idq.dll is detected.

  • 5281-Carello add.exe Access: This signature will fire when unauthorized remote access to /carello/add.exe file is detected. Legitimate access to '/carello/add.exe' file can cause this signature to fire.

  • 5282-IIS ExAir advsearch.asp Access: This signature will fire if direct remote access to the '/ExAir/search/advsearch.asp' page is detected.

  • 5282:1-IIS ExAir search.asp Access: This signature will fire if direct remote access to the '/ExAir/search/search.asp' page is detected.

  • 5282:2-IIS ExAir query.asp Access: This signature will fire if direct remote access to the '/ExAir/search/query.asp' page is detected.

  • 5283-info2www CGI Directory Traversal: This signature will fire when unauthorized remote access to 'info2www' CGI script is detected.

  • 5284-IIS webhits.dll Directory Traversal: This signature will fire if an unauthorized attempt to view files on web server using 'webhits.dll' is detected.

  • 5285-PHPEventCalendar Cmd Exec: This signature will fire upon detecting a shell metacharacter in the argument value of 'userfile' inside an HTTP request for 'index.php'.

  • 5286-WebScripts WebBBS Cmd Exec: This signature will fire upon detecting a shell metacharacter in the argument value of 'followup' inside an HTTP request for 'webbbs_post.pl'.

  • 5287-SiteServer AdSamples SITE.CSC File Access: This signature will fire when unauthorized remote access to '/adsamples/config/site.csc' file is detected. Legitimate access to the 'site.csc' can cause false positives.

  • 5288-Verity search97 Directory Traversal: This signature will fire when an unauthorized attempt to access files on the server using search97 CGI script is detected.

  • 5289-SQLXML ISAPI Buffer Overflow: This signature will fire if an attempt to overflow the "contenttype" argument in a HTTP request is detected.

  • 5290-Apache Tomcat DefaultServlet File Disclosure: This signature fires when an attempt is made to access org.apache.catalina.servlets.DefaultServlet using an HTTP request.

  • 5291-WEB-INF Dot File Disclosure: This signature fires when an HTTP request includes a "." character appended to "WEB-INF". This may indicate an attempt to view the contents of directories and files under the "/WEB-INF" subdirectory on the web server.

  • 5292-SalesCart shop.mdb File Access: This signature will fire if an HTTP request for 'shop.mdb' is detected. This may indicate the possible disclosure of sensitive customer information.

  • 5293-robots.txt File Access: This signature fires when the file "robots.txt" is accessed on a web server.

  • 5294-BearShare File Disclosure: This signature fires on "\..\" appearing in an HTTP request on port 6346 after deobfuscation has been applied. Remember, deobfuscation is the process of clarifying or unobscuring the traffic.

  • 5295-finger CGI Recon: Fires on an HTTP request for a URI containing "/finger".

  • 5296-Netscape Server PageServices Directory Access: Fires on an HTTP request for a URI containing "?PageServices".

  • 5297-order_log.dat File Access: This signature fires when the file "/orders/order_log.dat" is accessed on a web server.

  • 5298-shopper.conf File Access: This signature fires when the file "/PDG_Cart/shopper.conf" is accessed on a web server.

  • 5299-quikstore.cfg File Access: This signature fires when the file "/quikstore.cfg" is accessed on a web server.

  • 5300-reg_echo.cgi Recon: Fires on any HTTP access to 'reg_echo.cgi'. False positives are possible from legitimate use of 'reg_echo.cgi'.

  • 5301-/consolehelp/ CGI File Access: Fires on any HTTP access to '/consolehelp/'.

  • 5302-/file/ WebLogic File Access: Fires on any HTTP request containing '/file/' in the URL. False positives are likely if any URL contains the '/file/' string.

  • 5303-pfdispaly.cgi Command Execution: Fires on an HTTP access containing 'pfdisplay.cgi' followed by an argument containing a pipe ('|') or a semicolon (';'). Legitimate use of 'pdfdisplay.cgi' can cause false positives.

  • 5304-files.pl File Access: Fires on any HTTP access to 'files.pl'. Verify the files in question.

  • 5305-.bash_history File Access: This signature will fire when unauthorized remote access to the '.bash_history' file is detected. False positives can be caused by legitimate use of the file.

  • 5305:1-.sh_history File Access: This signature will fire when unauthorized remote access to the '.sh_history' file is detected. False positives can be caused by legitimate use of the file.

  • 5305:2-.history File Access: This signature will fire when unauthorized remote access to the '.history' file is detected. False positives can be caused by legitimate use of the file.

  • 5305:3-.zhistory File Access: This signature will fire when unauthorized remote access to the '.zhistory' file is detected. False positives can be caused by legitimate use of the file.

  • 5306-SoftCart storemgr.pw File Access: This signature will fire when unauthorized remote access to the '/pw/storemgr.pw' file is detected. False positives can be caused by legitimate use of this file.

  • 5308-rpc-nlog.pl Command Execution: This signature fires when a URL containing the string "/*.jsp/" or "/*.jhtml/" is accessed on a web server. False positives can be caused by legitimate use of the 'rpc-nlog.pl' script.

  • 5309-handler CGI Command Execution: This signature fires when "/handler" is accessed on a web server with a pipe or semicolon as an argument. False positives can be caused by legitimate use of the 'handler' script.

  • 5310-INDEX / directory access: This signature fires when an INDEX request is made to a web server. False positives can be caused by legitimate INDEX requests.

  • 5311-8.3 file name access: This signature fires when an 8.3-style abbreviated file name (such as "MICROS~1") is accessed on a web server. False positives can be caused by legitimate access to files containing tildes.

  • 5312-*.jsp/*.jhtml Java Execution: This signature fires when a URL containing the string "/*.jsp/" or "/*.jhtml/" is accessed on a web server.

  • 5313-order.log File Access: This signature fires when the file "/admin_files/order.log" is accessed on a web server.

  • 5314-windmail.exe Command Execution: This signature fires when "/windmail.exe" is accessed on a web server.

  • 5315-changedisplay.pl WWWthreads Privilege Elevation: This signature fires when "/changedisplay.pl" is accessed on a web server with an argument of U_STATUS or U_SECURITY.

  • 5316-BadBlue Admin Command Exec: This signature fires when a request is made to the BadBlue web administration interface to map a directory on the web server's filesystem to a virtual directory on the web server. False positives can be caused by legitimate mapping of virtual directories.

  • 5317-Tivoli Endpoint Buffer Overflow: This signature fires when an excessively long request to the Tivoli Management Framework Endpoint web server on TCP port 9495 is detected.

  • 5318-Tivoli ManagedNode Buffer Overflow: This signature fires when an excessively long request to the Tivoli Management Framework ManagedNode web server on TCP port 94 is detected. This may indicate a buffer overflow attack.

  • 5319-SoftCart orders Directory Access: This signature will fire when unauthorized remote access to '/orders' directory is detected. False positives can be caused by legitimate access to the '/orders' directory.

  • 5320-ColdFusion administrator Directory Access: This signature will fire when unauthorized remote access to '/cfide/administrator' directory is detected. False positives can be caused by legitimate access to the '/cfide/administrator' directory.

  • 5321-Guest Book CGI access: This will trigger on any HTTP access to '/cgi-bin/guestbook'. False positives will be caused by any type of access to the '/cgi-bin/guestbook'.

  • 5322-Long HTTP Request: This signature fires when a long HTTP request using the GET, HEAD, or POST method is detected. This signature must be tuned to reduce the number of false positives generated.

  • 5323-Cisco Router http exec command: This alarm will fire upon detecting a /exec/ in the URI portion of an HTTP request. An /exec/ usually indicates a privileged command is being executed using the web interface on a Cisco router.

  • 5323-midicart.mdb File Access: This alarm will fire upon detecting a ?/ in a URI portion of an http request.

  • 5324-Cisco IOS Query (?/): This alarm will fire upon detecting a ?/ in a URI portion of an http request.

  • 5325-Contivity cgiproc DoS: This alarm will fire upon detecting a shell meta-character as an argument to an http request to /cgi/cgiproc.

  • 5326-Root.exe access: The signature alarms upon detecting an HTTP request for root.exe.

  • 5327-Tilde in URI: This signature fires upon detecting a tilde (~) in an HTTP request.

  • 5328-Cisco IP phone DoS: This signature will fire upon detecting a specially crafted HTTP request that will reboot a Cisco IP phone.

  • 5329-Apache/mod_ssl Worm Probe: This signature fires when a probe by the Apache/mod_ssl worm is detected.

  • 5330-Apache/mod_ssl Worm Buffer Overflow: This signature fires when a buffer overflow attack by the Apache/mod_ssl worm against the HTTPS port (TCP port 443) is detected.


    Note

    The Apache/mod_ssl worm attempts to execute a buffer overflow attack against vulnerable web servers using the HTTPS port, TCP 443. If the worm can infect the host, it will propagate and begin to scan for new hosts to attack. A backdoor on port UDP 2002 is also installed in order to perform distributed DoS attacks.

  • 5331-Image Javascript insertion: This signature fires upon detecting an HTML IMG tag that tries to inject JavaScript inside of it.

  • 5332-Wordtrans-web Command Exec: This signature fires when an attempt to execute unauthorized commands using the Wordtrans-web script 'webtrans.php' is detected.

  • 5333-FUDForum File Disclosure: This signature fires when an attempt to view files using FUDForum is detected. SubSig 0 looks for access to the file 'tmp_view.php'. SubSig 1 looks for access to the file 'admbrowse.php'.

  • 5334-DB4Web File Disclosure: This signature fires when an unauthorized attempt to view files using the DB4WEB webserver script 'db4web_c' or 'db4web_c.exe' is detected.

  • 5335-DB4WEB Proxy Scan: This signature fires when an attempt to connect to a remote host using the DB4WEB web server as a proxy to scan for open TCP ports is detected. This is a good indicator of a reconnaissance attack.

  • 5336-Abyss Web Server File Disclosure: This signature fires when an HTTP request ends in a '+' character. This may indicate an attempt to view the source of the requested file.

  • 5337-Dot Dot Slash in HTTP Arguments: This signature fires upon detecting a directory traversal attempt (../) in the argument field of an HTTP request.

  • 5338-Front Page Admin password retrieval: This signature fires upon detecting an attempt to access administrators.pwd using HTTP traffic.

  • 5339-SunONE Directory Traversal: This signature fires upon detecting a directory traversal attempt (../) sent to ports 6015-6018 TCP.

  • 5340-Killer Protection Credential File Access: This signature fires upon detecting an HTTP request that contains 'vars.inc'.

  • 5341-HP Procurve 4000M Switch DoS: This signature fires when an HTTP request for the URL '/sw2/cgi/device_reset' is detected. This may indicate a denial of service attack against an HP Procurve switch.

  • 5342-Invision Board phpinfo.php Recon: This signature fires when an HTTP request for the URL 'phpinfo.php' is detected. This may indicate an attempted reconnaissance probe.

  • 5343-Apache Host Header Cross Site Scripting: This signature fires when an HTTP Host: header is received containing a percent or less-than character. This signature is disabled by default. This signature is known to impact performance.

  • 5344-IIS MDAC RDS Buffer Overflow: This signature fires when a buffer overflow attempt using the Remote Data Services (RDS) component of Microsoft Data Access Components (MDAC) is detected.

  • 5345-HTTPBench Information Disclosure: This signature fires when ezhttpbench.php is requested with an AnalyseSite parameter starting with a slash ('/') character.

  • 5346-BadBlue Information Disclosure: This signature fires on an HTTP access to soinfo.php.

  • 5347-Xoops WebChat SQL Injection: This signature fires when an HTTP request is made for the script 'index.php' with the 'roomid' argument containing a single-quote or semicolon character.

  • 5348-Cobalt RaQ Server overflow.cgi Cmd Exec: This signature fires upon detecting an HTTP request on port 81 or 444 to overflow.cgi with a parameter name of 'e-mail'. False positives can be caused by legitimate activity.

  • 5349-Polycom ViewStation Admin Password: This signature fires when the file "a_security.htm" is accessed using HTML. This may indicate an attempt to retrieve sensitive information.

  • 5350-PHPnuke e-mail attachment access: This signature fires upon detecting direct access to PHPnuke e-mail attachments from a web browser.

  • 5351-MS IE Help Overflow: This signature fires when a buffer overflow attempt is detected in ActiveX instructions coming from a web server.

  • 5352-H-Sphere Webshell Buffer Overflow: This signature fires when an HTTP request for '/cgi-bin/webshell' is detected with an excessively long multi-part boundary header.

  • 5353-H-Sphere Webshell 'mode' URI exec: This signature fires when the CGI executable '/cgi-bin/webshell' is accessed with shell escape characters ( | ; $ ` ) in the 'mode' parameter.

  • 5354-H-Sphere Webshell 'zipfile' URI exec: This signature fires when the CGI executable '/cgi-bin/webshell' is accessed with shell escape characters ( | ; $ ` ) in the 'zipfile' parameter.

  • 5355-DotBr exec.php3 exec: This signature is fired by a URI which accesses the script '/admin/exec.php3' with a parameter of 'cmd='.

  • 5356-DotBr system.php3 exec: This signature is fired by a URI which accesses the script '/admin/system.php3' with a parameter of 'cmd='.

  • 5357-IMP SQL Injection: This signature will fire upon detecting a SQL injection attempt against mailbox.php.

  • 5358-Psunami.CGI Remote Command Execution: This signature will fire when an HTTP request containing psunami.cgi in the URL and a '|' character in the 'topic' parameter is detected.

  • 5359-Office Scan CGI Scripts Access: This signature will fire when an HTTP request containing /officescan/cgi/ in the URL is detected. False positives can be caused by normal access to '/officescan/cgi/'.

  • 5360-Frontpage htimage.exe Buffer Overflow: This signature will fire when an HTTP request containing htimage.exe in the URL and more than 700 characters in the argument field is detected.

  • 5362-FrontPage dvwssr.dll Buffer Overflow: This signature will fire when an HTTP request containing dvwssr.dll in the URL and more than 2000 characters in the argument field is detected.

  • 5363-Frontpage imagemap.exe Buffer Overflow: This signature will fire when an HTTP request containing imagemap.exe in the URL and more than 700 characters in the argument field is detected.

  • 5364-IIS WebDAV Overflow: This signature fires when a long HTTP request (65000+ chars) is detected with an HTTP header option of 'Translate:'. This indicates the use of an attack to exploit a weakness in the WebDAV component of the IIS web server.

  • 5365-Long WebDAV Request: This signature fires when a long WebDAV request (65000+ chars) is detected. This may indicate an attempted buffer overflow attack. For performance reasons, Cisco IDS 3.x only implements checks for the WebDAV methods SEARCH (SubSig 0) and LOCK (SubSig 1). Public exploits are available which utilize these methods.

  • 5366-Shell Code in HTTP URL / Args: This signature fires when a non-printable ASCII character (128-255) is detected in either the URL or arguments of the HTTP request. The URL and arguments of an HTTP request should not contain any non-printable characters, which may indicate the presence of shell code used in buffer overflow attacks. This signature is disabled in version 3.x of the sensor software. The subsignatures break this into two alarms:

    • SubSig 0: URL

    • SubSig 1: Arguments of the HTTP request.

  • 5367-Apache CR / LF DoS: This signature fires when a long sequence of consecutive carriage return / linefeed characters (\x0D\x0A) to web server ports is detected. This may indicate a denial of service attack.

  • 5368-Cisco ACS Windows CSAdmin Overflow: This signature fires when a long username is sent to the 'login.exe' CGI program on TCP port 2002. This may indicate a buffer overflow attack.

  • 5369-Win32 Apache Batch File CmdExec: This signature fires upon detecting a metacharacter used as an argument to a .bat file request. This indicates someone is trying to execute a command using a request to the .bat file.

  • 5370-HTDig File Disclosure: This signature fires upon detecting access to an htdig script with a back tick (`) in the argument field.

  • 5371-bdir.htr Access: This signature fires upon detecting access to the file bdir.htr. False positives can be caused by legitimate use of an IIS version 3.0 server.

  • 5372-ASP %20 source disclosure: This signature fires upon detecting .asp%20 sent to an argument named CiWebHitsFile.

  • 5373-IIS 5 Translate: f Source Disclosure: This signature fires upon detecting a field of Translate: F in the HTTP header request.

  • 5374-IIS Executable File Command Exec: This signature fires upon detecting a crafted web request sent to a .bat file.

  • 5375-Apache mod_dav Overflow: This signature fires upon detecting an XML document within an HTTP request that contains a WebDav method with a large argument.


    Note

    This signature is only available in Cisco IDS versions 4.0 and newer.

  • 5376-iisPROTECT Admin SQL Injection: This signature fires when an attempt to inject arbitrary SQL statements into the arguments of an HTTP request to the iisPROTECT administration interface is detected. This may be an unauthorized attempt to view or manipulate data or execute commands on the database server.

  • 5377-xp_cmdshell in HTTP args: This signature fires when an attempt to use the MSSQL 'xp_cmdshell' stored procedure is detected in the arguments of an HTTP request. This may represent a SQL insertion attack attempting to execute unauthorized commands on an MSSQL server.

  • 5378-Vignette TCL Injection Command Exec: This signature fires when an attempt to inject TCL scripting code into an HTTP request to a Vignette template is detected.

  • 5379-Windows Media Services Logging ISAPI Overflow: This signature fires when a long HTTP request is sent to the Windows Media Services DLL. This may indicate a buffer overflow attack.

  • 5380-phpBB SQL injection: This signature is fired when an HTTP request is made for the CGI script 'viewtopic.php' with argument 'topic_id' containing either the word 'union' or a semicolon.

  • 5381-VPASP SQL injection: This signature is fired when a request is made for the CGI script 'shopexd.asp' with the argument 'id' containing a semicolon.

  • 5382-Xpressions SQL Admin Bypass: This signature fires when an attempt to bypass authentication controls and gain administrative access to an Xpressions Interactive application by injecting specially crafted SQL commands into an HTTP request is detected.

  • 5383-Cyberstrong eShop SQL Injection: This signature fires when an attempt to insert unauthorized SQL queries into an HTTP request to a Cyberstrong eShop script is detected.
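The following added example (not Cisco's signature engine or code from this reference) shows how the conditions stated for signatures 5353, 5354, 5360, 5362, 5363, 5380 and 5381 can be evaluated against a request target, percent-decoding arguments before matching so that an encoded metacharacter is still seen. The function names, the sample request targets and the choice to measure argument length on the raw query string are assumptions.

```python
from urllib.parse import urlsplit, unquote, unquote_plus

SHELL_META = set("|;$`")                      # characters named by 5353/5354
LENGTH_SIGS = [(5360, "htimage.exe", 700),    # (sig id, file name, max argument length)
               (5362, "dvwssr.dll", 2000),
               (5363, "imagemap.exe", 700)]

def parse_args(query):
    """Split on '&' only, then percent-decode, so ';' and %3B both stay in the value."""
    args = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        args.setdefault(unquote_plus(name).lower(), []).append(unquote_plus(value))
    return args

def match(request_target):
    """Return the sorted signature IDs whose stated condition the request target meets."""
    parts = urlsplit(request_target)
    path = unquote(parts.path).lower()
    args = parse_args(parts.query)
    hits = set()

    def arg_has(name, predicate):
        return any(predicate(v) for v in args.get(name, []))

    if path.endswith("/cgi-bin/webshell"):
        if arg_has("mode", lambda v: SHELL_META & set(v)):
            hits.add(5353)
        if arg_has("zipfile", lambda v: SHELL_META & set(v)):
            hits.add(5354)
    for sig_id, filename, limit in LENGTH_SIGS:
        # Assumption: "argument field" length is measured on the raw query string.
        if filename in path and len(parts.query) > limit:
            hits.add(sig_id)
    if "viewtopic.php" in path and arg_has(
            "topic_id", lambda v: ";" in v or "union" in v.lower()):
        hits.add(5380)
    if "shopexd.asp" in path and arg_has("id", lambda v: ";" in v):
        hits.add(5381)
    return sorted(hits)

# Constructed request targets for illustration, not captured traffic.
SAMPLES = ["/cgi-bin/webshell?mode=a%7Cb", "/forum/viewtopic.php?topic_id=42",
           "/scripts/htimage.exe?" + "A" * 701, "/shop/shopexd.asp?id=5%3B"]

if __name__ == "__main__":
    for target in SAMPLES:
        print(match(target), target[:60])
```

Matching on the decoded value is what lets `%7C` and `%3B` trigger the same rule as a literal `|` or `;`; a comparison against the raw bytes would miss both.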