Rule:

--
Sid:
1330

--
Summary:
Attempted wget command access via web

--
Impact:
Attempt to gain information using wget to access sensitive files on a webserver.

--
Detailed Information:
This is an attempt to gain intelligence from sensitive system files on a webserver. Wget is GNU software that allows for retrieval of files uing HTTP, HTTPS and FTP. The attacker could possibly gain information needed for other attacks on the system, including the retrieval of password files from a third party onto the target webserver.

Using "wget", the attacker may be able to upload an exploit, IRC daemon or DDoS agent onto the server. The rule looks for the "wget" command in the URL part of the client to web server connection and does not indicate whether the command was actually successful in uploading or downloading the files. The presence of the "wget" command in the URL indicates that an attacker attempted to trick the web server into executing system commands in non-interactive mode i.e. without a valid shell session. Another case when this rule might trigger is unencrypted HTTP tunneling connection to the server.

--
Attack Scenarios:
The attacker can make a standard HTTP request that contains the path to wget and commands for wget in the URI, which can then return requested files to an external destination or onto the target server.

--
Ease of Attack:
Simple HTTP request.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This command may also be requested on a command line should the attacker gain access to the machine. Non-essential binaries should be removed from a webserver once it is in production.

--
Contributors:
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Additional information from Anton Chuvakin <http://www.chuvakin.org>

-- 
Additional References:

--