Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:496 |
Message | ATTACK RESPONSES directory listing |
Summary | This event is generated by the successful completion of a directory listing operation. This may indicate post-compromise behavior, namely the use of a Windows command shell to list directory contents. |
Impact | Serious. An attacker may have the ability to execute commands remotely. |
Detailed Information | This event is generated when a standard Windows command for listing directories is executed. The string "Directory of" is typically shown in front of the directory listing on Windows NT/2000/XP. Seeing this response in HTTP traffic indicates that an attacker may have been able to spawn a shell bound to a web port and has successfully executed at least one command to list the contents of a directory. Note that the source address of this event is actually the victim and not that of the attacker. |
Affected Systems | |
Attack Scenarios | An attacker gains access to a Windows web server via an IIS vulnerability and manages to start a cmd.exe shell. He then proceeds to look for interesting files on the compromised server via the "dir" command. |
Ease of Attack | Simple. This post-attack behavior can accompany different attacks. |
Corrective Action | Investigate the web server for signs of compromise. Look for other IDS events involving the same IP addresses. |
Additional References |
--
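The rule keys only on the string "Directory of", so an analyst following the corrective action above has to separate real `dir` output from ordinary web content that happens to contain the phrase. The following triage helper is an added example, not part of the rule documentation or of Snort or Aanval; the alert dict layout (`src`, `dst`, `payload`), the sample addresses and the sample payloads are constructed for illustration.

```python
import re

# The rule itself keys only on this string; the other patterns are markers
# of genuine cmd.exe "dir" output used here to corroborate the match.
RULE_CONTENT = b"Directory of"
PATH_LINE = re.compile(rb"^\s*Directory of\s+(\S[^\r\n]*)", re.M)
CORROBORATORS = {
    "volume_header": re.compile(rb"^\s*Volume in drive [A-Za-z]\b", re.M),
    "entry_line": re.compile(
        rb"^\d{2}[/.-]\d{2}[/.-]\d{2,4}\s+\d{1,2}:\d{2}.*?(?:<DIR>|[\d,.]+)\s+\S", re.M),
    "summary_line": re.compile(rb"^\s*\d+ (?:File|Dir)\(s\)", re.M),
}

def triage(alert):
    """alert: hypothetical dict with 'src', 'dst' and 'payload' (bytes)."""
    payload = alert["payload"]
    if RULE_CONTENT not in payload:
        return None  # the rule would not have fired on this payload
    path = PATH_LINE.search(payload)
    seen = sorted(name for name, rx in CORROBORATORS.items() if rx.search(payload))
    return {
        "victim": alert["src"],       # response traffic: the source is the server
        "remote_peer": alert["dst"],  # address to pivot on in other IDS events
        "listed_path": path.group(1).decode("ascii", "replace").rstrip() if path else None,
        "markers": seen,
        "verdict": "likely dir output" if path and len(seen) >= 2 else "string match only",
    }

# Constructed samples: shell output sent from a web port, and a benign page.
SHELL_OUTPUT = (
    b" Volume in drive C has no label.\r\n Volume Serial Number is 1234-ABCD\r\n\r\n"
    b" Directory of C:\\Inetpub\\scripts\r\n\r\n"
    b"01/15/2002  10:12 AM    <DIR>          .\r\n"
    b"01/15/2002  10:14 AM             1,024 default.asp\r\n"
    b"               1 File(s)          1,024 bytes\r\n")
WEB_PAGE = b"HTTP/1.1 200 OK\r\n\r\n<html><p>Directory of staff phone numbers</p></html>"
ALERTS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "payload": SHELL_OUTPUT},
    {"src": "192.0.2.10", "dst": "198.51.100.8", "payload": WEB_PAGE},
]

if __name__ == "__main__":
    for a in ALERTS:
        print(triage(a))
```

A "string match only" verdict does not clear the alert; it only ranks it below alerts whose payload has the structure of real `dir` output.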
DID:597693