1041.txt

来自「This is the snapshot of Snot Latest Rule」· 文本 代码 · 共 70 行

Rule:

--
Sid:
1041

--
Summary:
This event is generated when an attempt is made to upload a file to a host running Microsoft Internet Information Server (IIS) using Site Server. 

--
Impact:
Possible web site defacement or unauthorized site access.

--
Detailed Information:
This event is generated when an attempt is made to upload a file to a host running Microsoft Internet Information Server (IIS) using Site Server. 

The attacker may be trying to publish documents to the server in an attempt to deface the web site being hosted.

The attacker may also be trying to gain administrator access to the host, garner information on users of the system or retrieve sensitive customer information.

The Site Server application allows users to publish pages and upload files to a web server. This event indicates that an attempt was made to access the file uploadn.asp from a source outside the protected network. This script is used by the Site Server application to post items to the web site hosted on the server.

--
Affected Systems:
Any host using IIS with Site Server.

--
Attack Scenarios:
An attacker could post web pages of their choosing to the server without proper authentication or even post scripts to be run in the context of the user running the web server in an attempt to gain further access to the server.

An attacker might also use the script to place files on the server for later retrieval.

--
Ease of Attack:
Simple.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Check the IIS implementation on the host. Ensure all measures have been taken to deny access to sensitive files.

Ensure that the IIS implementation is fully patched.

Ensure that the underlying operating system is fully patched.

Employ strategies to harden the IIS implementation and operating system.

Check the host for signs of compromise.

--
Contributors:
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:


--