Stevensan
Starting Member
38 Posts
Posted - 17 October 2007 : 20:41:27
Hi everyone,
I was informed by my network administrator that a shell command injection attempt was detected. The URL of the page involved was post_info.asp (I am using the latest version of Snitz Forum with a few mods).
What do I have to do on my end? Can anyone advise me?
Many thanks.
Snitz Forum 3.4 + PM + Poll + Avatar + Message Icon + Gender + Hover Color + CellBGImage + Additional Smilies + ActiveUser Mod
AnonJr
Moderator
United States
5768 Posts
Posted - 17 October 2007 : 21:29:45
First, what specific version are you using and which MODs (specifically) have you installed? It kinda makes a difference.
Also, more information from your network admin would help. What was specifically being done? "Shell command injection attempt" only helps so much.
Lastly, was it successful or was it just an attempt? People keep attempting to spam the church forum, but that doesn't mean they are getting very far or are all that likely to any time soon. People will attempt a lot of things, but it doesn't necessarily make it time to panic.
Stevensan
Starting Member
38 Posts
Posted - 17 October 2007 : 22:27:59
The Excel sheet of information provided by my network admin didn't say much, though. There is one entry in the verdict column that says "Attack_failed". The information below is in the data column.
"hmmmm+but+than+without+xplanation+who+knows+who+u+r..where+u+from‚like+to+know+tat....wakakakakak+skali+skali++JB+main+darah+lah‚wakakakakakka....jane+Posted+-+16/10/2007+:+11:06:36..------------------------------------------------------------------------"
The mods I have implemented so far...
- Active user 4.0
- Avatar mod 3.4
- @tomic's BG imagecell mod 3.4
- Private message mod
- Birthday mod
Hope this information is useful.
Edited by - Stevensan on 17 October 2007 22:30:33
ruirib
Snitz Forums Admin
Portugal
26364 Posts
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 18 October 2007 : 02:31:02
We would need a copy of your web site's log file (from IIS or Apache) for the time when the alleged attack occurred; without that we can't give you any help.
Stevensan
Starting Member
38 Posts
Posted - 18 October 2007 : 03:04:02
Hi ruirib, it's inserted by a user and not a deliberate attack, I guess. But does it pose a threat then? My network admin is paranoid about such things... So I guess I've got to find ways to justify whether this will cause any problem on the server in future.
HuwR - I will try to get a copy of the server log.
Thanks guys.
ruirib
Snitz Forums Admin
Portugal
26364 Posts
Shaggy
Support Moderator
Ireland
6780 Posts
Posted - 18 October 2007 : 09:51:18
And, if it was only an attempt, that implies that it was unsuccessful, so where's the concern? Anyone could "attempt" to upload all sorts of nasty files through a forum using one of the attachment mods, for example, but they wouldn't get through.
Search is your friend “I was having a mildly paranoid day, mostly due to the fact that the mad priest lady from over the river had taken to nailing weasels to my front door again.”
pdrg
Support Moderator
United Kingdom
2897 Posts
Posted - 19 October 2007 : 12:25:01
Looks like Jane may be illiterate, but other than that what you've provided above gives no cause for concern.
If you can request the IIS logs that correspond to the 30 mins or so around this attempted attack, that'd be interesting. Also the full post (I'm guessing the ....'s are snips) may give more clues - this could easily be a false positive.
Stevensan
Starting Member
38 Posts
Posted - 21 October 2007 : 22:22:07
Sure. I will try to get the IIS logs. Thanks for all the advice. Maybe I over-worried about all this...
Stevensan
Starting Member
38 Posts
Posted - 30 October 2007 : 00:51:04
This is all I got from the network administrator. This is the question I am being asked:
"Would appreciate if you can confirm whether the following data detected from the log comprises any intrusion command/programming"
Occurrence 1
Time: 2007-10-16 03:14:17 GMT
Tag Name: Shell_Command_Injection
Event Count: 1
Severity: High
Source IP: 10.xx.xx.aa
Target IP: 10.xx.xx.xx
Packet DestinationPort: 80
Packet DestinationPortName: HTTP
Packet SourceAddress: 10.xx.xx.aa
Server: intranet.xxx
accessed: nil
protocol: http
httpsvr: nil
verdict: nil
URL: /Forum/post_info.asp
data: hmmmm+but+than+without+xplanation+who+knows+who+u+r..where+u+from‚like+to+know+tat....wakakakakak+skali+skali++JB+main+darah+lah‚wakakakakakka....jane+Posted+-+16/10/2007+:+11:06:36..------------------------------------------------------------------------
Occurrence 2
Time: 2007-10-16 03:14:17 GMT
Tag Name: Shell_Command_Injection
Event Count: 1
Severity: High
Source IP: 10.xx.xx.aa
Target IP: 10.xx.xx.xx
Packet DestinationPort: 80
Packet DestinationPortName: HTTP
Packet SourceAddress: 10.xx.xx.aa
Server: intranet.xxx
accessed: no
protocol: nil
httpsvr: Microsoft-IIS/5.0
verdict: attack_failed
URL: nil
data: nil
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 30 October 2007 : 01:48:59
Simple answer: NO, that is a legitimate post; the /forum/post_info.asp gives it away. Not sure why they think it is an attack.
However, those are not the IIS logs; they are the result of running some tool which is obviously not very good.
Stevensan
Starting Member
38 Posts
Posted - 30 October 2007 : 02:05:06
Thanks HuwR! Now I can tell my network administrator a confident NO as an answer. Many thanks.
Edited by - Stevensan on 30 October 2007 02:31:54
pdrg
Support Moderator
United Kingdom
2897 Posts
Posted - 30 October 2007 : 12:53:47
I'm interested in the Source IP and Target IP addresses - they're not public IP addresses, but NATted ones - from within your own network somewhere, I expect. May be a weird one from the intrusion detection system, but may be worth mentioning.
Stevensan
Starting Member
38 Posts
Posted - 30 October 2007 : 19:37:32
Actually the forum is hosted within my intranet. I have no knowledge of the intrusion detection system, but if a forum member posts a reply and it appears as an intrusion, then won't there be a huge amount of intrusion data from this sort of post?
I am convinced that Snitz Forum would not have caused an intrusion in this case, as the data in the reply has shown (at the least it doesn't look like a deliberate attack). Therefore I felt it could be some third-party intrusion detection system which somehow determined this reply to be an intrusion.
pdrg
Support Moderator
United Kingdom
2897 Posts
Posted - 31 October 2007 : 13:46:14
Yep, I agree, looks like a false positive, but I'm interested in how this problem ever came to this if you're on the same intranet as the (supposedly attacking) poster!
How did the security dept not look at the post and, if they were concerned, talk to the 'attacking' user, or her boss, etc., or look at the profile of her usage of the web, look at the actual HTTP post itself, etc.? Weird.