Network Security Snort-Signatures


Subject: [Snort-sigs] FPs for COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt, Sig ID, 100000446
Date: Mon, 26 Jun 2006 09:13:03 +1200
I'm seeing over 10,000 hits a day for hundreds of different sources and
destinations.

R


META
--------
SID     CID     TimeStamp               Signature
6       10768281        2006-06-25 09:10:05     COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt
Sig ID
100000446

Sensor Hostname                         Sensor Interface
hihi.insec.auckland.ac.nz       new dmz sensor

IP
--------
Source Address  Dest Address    Ver     Hdr Len
130.216.168.25  66.102.7.104    4       5
TOS     length  ID      flags   offset  TTL     chksum
0       725     40086   2       0       125     59852

Resolved Source
a.vesey.psoft.auckland.ac.nz

Resolved Dest
Could Not Resolve


TCP
--------
Source Port     Dest Port       Seq             Ack             
4137            80              4274711154      579578467
Offset  Reserved        Flags   Window  Checksum        Urgent Ptr
5       0               24      65535   483             0

Options
--------
None


Flags
--------
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                               

DATA
--------
GET /tools/firefox/update?guid={3112ca9c-de6d-4884-a869-9855
de68056c}&version=2.0.20060515W&application={ec8030f7-c20a-4
64f-9b0e-13a3a9e97384}&appversion=1.5.0.4&dist=google HTTP/1
.1..Host: www.google.com..User-Agent: Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox
/1.5.0.4..Accept: text/xml,application/xml,application/xhtml
+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5..A
ccept-Language: en-us,en;q=0.5..Accept-Encoding: gzip,deflat
e..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..Keep-Aliv
e: 300..Connection: keep-alive..Cache-Control: no-cache..Coo
kie: PREF=ID=0300f3c9969aeb76:TB=2:TM=1147830160:LM=11478301
60:S=hseNwad2Y6tYJr1d....

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

  • [Snort-sigs] FPs for COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt, Sig ID, 100000446, Russell Fulton <=