Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1289 |
Message | TFTP GET Admin.dll |
Summary | This event is generated when an exploited Internet Information Server (IIS) host attempts to perform a tftp download of the file admin.dll to infect the host with the nimda worm. |
Impact | Administrator access. A successful attack can allow remote execution of commands with administrator privleges. |
Detailed Information | The nimda worm uses multiple propagation methods. One method exploits a victim Internet Information Server (IIS) using a unicode directory traversal attack to execute commands on the target server. An attempt is made to execute a tftp download of the file admin.dll from the infected attacking host to the victim server. The admin.dll file is a copy of the nimda worm that is activated on the newly infected victim server. This event is triggered if the IIS server is exploitable and the tftp transfer is attempted. |
Affected Systems | Hosts running Microsoft IIS 4.0 and 5.0. |
Attack Scenarios | The worm will attempt to remotely exploit a unicode directory vulnerability to infect an IIS server by executing a tftp download of the nimda worm. |
Ease of Attack | Simple. |
Corrective Action | Apply the appropriate patch referenced in Microsoft Security Bulletin MS00-078. |
Additional References | CERT: http://www.cert.org/advisories/CA-2001-26.html Microsoft: http://www.microsoft.com/technet/Security/Bulletin/ms00-078.asp |
Rule References | url: www.cert.org/advisories/CA-2001-26.html |
--
DID:501994
--
http://www.aanval.com/