Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:497 |
| Message | ATTACK-RESPONSES file copied ok |
| Summary | This event is generated when the string "1 file(s) copied" is observed in traffic, which is the message the Windows command shell prints after a successful copy. This may be indicative of post-compromise behavior, namely the use of a Windows command shell on the responding host to copy files. |
| Impact | Serious. An attacker may have the ability to execute commands on the victim host and copy files on it. |
| Detailed Information | This event indicates that a file was successfully copied using the Windows command-line shell (cmd.exe). The string "1 file(s) copied" is printed after the successful completion of a Windows "copy" command. Seeing this response in HTTP traffic from a web server indicates that an attacker may have been able to execute commands through the server, for example by spawning a shell bound to a web port, and has successfully run the copy command. Note that the source address of this event is the host that emitted the response, i.e. the victim, not the attacker. Because the rule matches only a literal string, it will also fire on legitimate content that happens to contain it, such as a web page quoting the output of a copy or xcopy command; confirm by reviewing the request that preceded the response. |
| Affected Systems | |
| Attack Scenarios | An attacker gains access to a Windows web server via an IIS vulnerability and then copies "cmd.exe" into a directory accessible by the web server, thus creating a backdoor to access the system. |
| Ease of Attack | Simple. This may be post-attack behavior and can be indicative of the successful exploitation of a vulnerable system. |
| Corrective Action | Investigate the web server for other signs of compromise. Look for other events generated by the same IP addresses. Review the web server logs for the request that preceded this response to identify the command the attacker executed, and check the web-accessible directories for copies of cmd.exe or other unexpected executables. |
| Additional References | |
| Rule References | bugtraq: 1806, cve: 2000-0884 (both describe the Microsoft IIS Unicode directory traversal, MS00-078, which allowed command execution through cmd.exe) |
--
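The detection described under Detailed Information, as an added example written for this page and not Snort's own code: it applies the rule's literal "1 file(s) copied" match (case-insensitive, as the rule's nocase modifier does) to constructed server-to-client payloads and reports the sending host as the victim and the receiving host as the attacker. The generalization to any file count and the restriction to traffic leaving an HTTP server port are assumptions added here to reduce noise; the sample flows and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# SID 1:497 matches the literal "1 file(s) copied" with nocase. The (\d+) group is an
# assumption that generalizes the match to "2 file(s) copied" etc.; the rule itself
# only looks for the count 1.
COPY_OK = re.compile(rb"(\d+) file\(s\) copied", re.IGNORECASE)

# Assumed set of HTTP server ports; the page only says the response is seen in HTTP traffic.
HTTP_PORTS = frozenset({80, 443, 8080})


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP conversation (constructed, packet-capture-like record)."""
    src: str
    src_port: int
    dst: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Alert:
    sid: str
    victim: str     # host that emitted the response (the flow's source)
    attacker: str   # host that received it (the flow's destination)
    files: int      # count parsed from the matched string
    evidence: str   # matched text, for the analyst


def inspect(flow: Flow, http_ports=HTTP_PORTS) -> Optional[Alert]:
    """Return an Alert if the flow looks like a web server echoing cmd.exe copy output."""
    # Only consider data leaving an HTTP server port (server -> client direction).
    if flow.src_port not in http_ports:
        return None
    m = COPY_OK.search(flow.payload)
    if m is None:
        return None
    # The source of the matching packet is the victim, as the rule documentation notes.
    return Alert(
        sid="1:497",
        victim=flow.src,
        attacker=flow.dst,
        files=int(m.group(1)),
        evidence=m.group(0).decode("ascii", "replace"),
    )


def scan(flows: Iterable[Flow]) -> List[Alert]:
    """Run inspect() over every flow and collect the alerts."""
    return [a for a in (inspect(f) for f in flows) if a is not None]


# Constructed sample traffic: one compromised web server response, one benign response,
# and one client request that happens to contain the string (ignored by the port filter).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 80, "198.51.100.7", 49152,
         b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n        1 file(s) copied.\r\n"),
    Flow("10.0.0.5", 80, "198.51.100.7", 49153,
         b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Welcome</body></html>"),
    Flow("198.51.100.7", 49154, "10.0.0.5", 80,
         b"POST /forum/post HTTP/1.0\r\n\r\nbody=Output+was:+1 file(s) copied"),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(f"[{alert.sid}] victim={alert.victim} attacker={alert.attacker} "
              f"files={alert.files} evidence={alert.evidence!r}")
```

Running the block prints a single alert naming 10.0.0.5 as the victim. Note that the third flow would still trigger a plain content match in an IDS that inspects both directions; the port filter here is a local choice, and an analyst should still treat the matched string as a lead to verify against the preceding request rather than as proof of compromise.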