File: 1039.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (80 lines) | stat: -rw-r--r-- 1,903 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
Rule:

--
Sid:
1039

--
Summary:
This event is generated when an attempt is made to exploit a potential 
weakness on a host running Microsoft Internet Information Server (IIS). 

--
Impact:
Information gathering possible administrator access.

--
Detailed Information:
This event indicates that an attempt has been made to exploit potential 
weaknesses in a host running Microsoft IIS.

The attacker may be trying to gain information on the IIS implementation
on the host, this may be the prelude to an attack against that host 
using that information.

This event is generated when an attempt is made to access a sample 
application on a Microsoft IIS server. In this case the sample search 
functionality. This application may present an attacker with the 
opportunity to gain valuable information regarding the implemenation of 
IIS on the affected host.

--
Affected Systems:
	Any host using IIS.

--
Attack Scenarios:
An attacker can retrieve a sensitive file containing information on the 
IIS implementation. The attacker might then gain administrator access to
the site, deface the content or gain access to a database.

--
Ease of Attack:
Simple.

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Check the IIS implementation on the host. Ensure all measures have been 
taken to deny access to sensitive files.

Ensure that the IIS implementation is fully patched.

Ensure that the underlying operating system is fully patched.

Employ strategies to harden the IIS implementation and operating system.

Check the host for signs of compromise.

Delete or disable access to any sample applications on the host.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

Microsoft:
http://support.microsoft.com/support/kb/articles/Q188/2/57.ASP&NoWebContent=1

--