
Re: Web server response to attacks

From: Michael Katz <mike(at)procinct.com>
Date: Thu Feb 20 2003 - 16:44:54 EST


At 2/20/2003 10:48 AM, Terry Ziemniak wrote:

>I was reviewing some IIS logs with a co-worker. There were typical Nimda

For directory traversal attempts to access and execute cmd.exe (like Nimda), a successful attack will result in an HTTP status code of 200, indicating that it was successful. A 403 code, however, may reveal useful information, as well. It may indicate that ACLs have been applied to cmd.exe, but the directory traversal may have worked (it could also mean other things, as well). Note that if the server was subject to this vulnerability, the attacker could sanitize the logs, so it's important to have information from other sources, if possible (like IDS or previous vulnerability scans showing whether the server was vulnerable).

>Along those same lines, does this apply to the general class of exploits

For some successful attacks, you may never see a log entry. These buffer overflows interrupt the server before the log entry is written.

That said, if there is a log entry and that entry is 40x, then it is usually safe to assume that the attack was not successful.

Michael Katz
mike@procinct.com
Procinct Security
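As an added illustration of the status-code triage described in the message above (example code written for this archive page, not part of the original message and not anything Procinct published): a small Python script that walks IIS W3C extended log lines, normalizes the encodings seen in Nimda-style probes (%5c, double-encoded %255c, and the overlong UTF-8 %c0%af / %c1%9c forms), flags requests that reach cmd.exe through a traversal sequence (or root.exe directly), and assigns the verdict the message suggests for each status code. The log lines, IP addresses and timestamps are constructed for the example; the verdict strings are this example's own wording.

```python
"""Triage cmd.exe traversal probes in IIS W3C logs by HTTP status code.

Added example for this archive page; the sample log below is constructed,
not captured from a real server.
"""
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log, trimmed to the fields this script uses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-20 10:48:01 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2003-02-20 10:48:02 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 403
2003-02-20 10:48:03 192.0.2.10 GET /msadc/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2003-02-20 10:48:04 192.0.2.10 GET /scripts/root.exe /c+dir 200
2003-02-20 10:48:05 192.0.2.11 GET /default.htm - 200
2003-02-20 10:48:06 192.0.2.12 GET /index.asp - 500
"""

# Overlong UTF-8 encodings of '/' and '\' that the IIS Unicode traversal bug
# accepted; normalize them before percent-decoding the rest of the path.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\", "%c1%1c": "\\"}
TRAVERSAL = re.compile(r"\.\./")


def decode_uri(stem):
    """Lower-case, map overlong forms, percent-decode twice, unify slashes."""
    path = stem.lower()
    for enc, ch in OVERLONG.items():
        path = path.replace(enc, ch)
    # Two rounds so a double-encoded %255c becomes %5c and then '\'.
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def is_cmd_probe(stem):
    """True for cmd.exe reached via '../', or for root.exe (the cmd.exe copy
    left by Code Red II that Nimda also requests directly)."""
    path = decode_uri(stem)
    name = path.rsplit("/", 1)[-1]
    if name == "cmd.exe":
        return TRAVERSAL.search(path) is not None
    return name == "root.exe"


def assess(status):
    """Map the status code to the interpretation given in the message."""
    if status == 200:
        return "likely successful; corroborate with IDS or scan data, logs may be sanitized"
    if status == 403:
        return "ambiguous: traversal may have worked but cmd.exe was blocked (e.g. ACLs)"
    if 400 <= status < 500:
        return "probably unsuccessful"
    if status >= 500:
        return "inconclusive: server error"
    return "unexpected status"


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))


def triage(text):
    """Return the flagged requests with decoded path, status and verdict."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        if not is_cmd_probe(stem):
            continue
        status = int(rec["sc-status"])
        query = "" if rec["cs-uri-query"] == "-" else "?" + rec["cs-uri-query"]
        hits.append({
            "ip": rec["c-ip"],
            "uri": stem + query,
            "decoded": decode_uri(stem),
            "status": status,
            "verdict": assess(status),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["decoded"]} -> {hit["verdict"]}')
```

Running it on the constructed log flags four requests: the two 200s (cmd.exe via %5c, and root.exe) as likely successful pending corroboration, the %255c request as ambiguous because of its 403, and the %c0%af request as probably unsuccessful because of its 404. The 500 on /index.asp is deliberately not flagged by this script: a request that crashes the worker before the log entry is written, as the message describes for buffer overflows, leaves nothing here to match, which is exactly why IDS alerts or earlier scan results are needed alongside the log.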



Received on Thu Feb 20 16:50:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:10 EDT
