1339.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
1339

--
Summary:
Attempted chsh command access via web

--
Impact:
Attempt to change a users shell on a webserver.

--
Detailed Information:
This is an attempt to change a users shell on a machine. Using this
command an attackermay change the shell of a user to suit his own
needs. By changingthe shell an attacker may further compromise a
machine by specifyinga shell that could contain a Trojan Horse
component or that couldcontain embedded commands specially crafted by
anattacker.

--
Attack Scenarios:
The attacker can make a standard HTTP request that contains '/bin/chsh'
in the URIwhich can then change the shell of a user present on the
host.This commandmay also be requested on a command line should the
attacker gainaccess to the machine.

--
Ease of Attack:
Simple HTTP request.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:

Webservers should not be allowed to view or execute files and binaries
outside ofit's designated web root or cgi-bin.Whenever possible,
sensitive filesand certain areas of the filesystem should have the
system immutableflag set to negate the use of the chsh command. On BSD
derived systems,setting the systems runtime securelevel also prevents
the securelevelfrom being changed. (note: the securelevel can only be 
increased)

--
Contributors:
Sourcefire Research Team

-- 
Additional References:

man chsh

--