Also massive attack attempts to my Joomla sites, IPS output inside - Joomla! Forum - community, help and support
an intrusion has been detected. packet has been dropped automatically.
details of intrusion alert:
message........: shellcode x86 noop
details........: http://www.snort.org/pub-bin/sigs.cgi?sid=648
time...........: 2007:08:16-23:41:37
packet dropped.: yes
priority.......: 1 (high)
classification.: executable code detected
ip protocol....: 6 (tcp)
source ip address: 89.171.148.82 (kw6.zory.msk.pl)
This is going on at my Joomla sites, on port 443.
Just info... I don't know if it is relevant to the actual case, maybe it's useful...
Info:
SHELLCODE x86 NOOP

Summary
A series of NOP instructions for Intel's x86 architecture was detected.

Impact
As part of an attack on a remote service, an attacker may attempt to take advantage of insecure coding practices in hopes of executing arbitrary code. This procedure generally makes use of NOPs.

Detailed Information
The NOP allows an attacker to fill an address space with a large number of NOPs followed by his or her code of choice. This allows "sledding" into the attacker's shellcode.

Affected Systems
All x86 based systems

Attack Scenarios
If a particular service is written using unsafe functions without bounds checking (strcpy(), strcat(), sprintf() etc...), it is possible to write arbitrary data into the address space of the service. Normally, this may cause the program to die a horrible death. However, if one can make the return address point to the beginning of the newly written data, it is possible to execute code of your choice. This requires the newly written data to be actual executable data. Since calculating where the return address may point is no small task, a popular technique is to pad the space leading up to the shellcode with NOPs. This way, if the return address points anywhere in the series of NOPs, execution will slide down into the shellcode.

Ease of Attack
Not-so trivial. This particular technique requires knowledge of x86 assembly coding, memory, and an intimate understanding of the code one is attempting to exploit. Unfortunately, there are hundreds upon hundreds of canned exploits that anyone with the ability to point-and-click can use to wreak havoc with.

False Positives
The x86 NOP can be found in day-to-day traffic, particularly when transferring large files.
If you think this rule has false positives, please fill out.

False Negatives
There are other techniques to emulate a NOP. Additionally, if the attacker's NOP sled is small enough (< 15), this particular attack may slip by. Fortunately, NOP sleds are quite large.
If you think this rule has false negatives, please fill out.

Corrective Action
Determine if the NOP was part of an attack or part of an innocent stream of data.
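To make the false-positive and false-negative notes above concrete, here is a small detector that mirrors what the rule checks: a run of consecutive single-byte x86 NOPs (0x90) in a payload. This is an added example, not part of the forum post or the Snort rule documentation it quotes; the threshold of 15 is an assumption taken from the "< 15" remark in the False Negatives text, and all payloads are constructed, not captured traffic.

```python
"""Toy x86 NOP-sled detector (added example, not the Snort rule itself).

It flags a payload when it contains at least MIN_SLED consecutive 0x90
bytes. MIN_SLED = 15 is an assumption derived from the rule text, which
says sleds shorter than 15 may slip by; it is not the rule's exact signature.
"""

X86_NOP = 0x90
MIN_SLED = 15  # assumed threshold, see module docstring


def longest_nop_run(payload: bytes) -> int:
    """Return the length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in payload:
        run = run + 1 if b == X86_NOP else 0
        best = max(best, run)
    return best


def is_nop_sled(payload: bytes, min_sled: int = MIN_SLED) -> bool:
    """True when the payload carries a NOP run long enough to trip the rule."""
    return longest_nop_run(payload) >= min_sled


# Constructed sample payloads (not captured traffic):
# 1) a 40-byte run of 0x90 followed by filler: the kind of padding the
#    rule is meant to catch, regardless of what follows the run.
SLED_40 = bytes([X86_NOP]) * 40 + b"FILLER"
# 2) a 10-byte run: below the threshold, so the rule misses it
#    (the false negative the rule text warns about).
SLED_10 = bytes([X86_NOP]) * 10 + b"FILLER"
# 3) an innocent binary transfer whose contents happen to include a long
#    run of 0x90, e.g. padding inside an archive (the false positive case).
BENIGN_BLOB = b"PK\x03\x04" + bytes([X86_NOP]) * 20 + b"\x00" * 8
# 4) scattered 0x90 bytes with no run: nothing fires.
SCATTERED = bytes([X86_NOP, 0x41, X86_NOP, 0x42]) * 8

if __name__ == "__main__":
    samples = [("SLED_40", SLED_40), ("SLED_10", SLED_10),
               ("BENIGN_BLOB", BENIGN_BLOB), ("SCATTERED", SCATTERED)]
    for name, p in samples:
        print(f"{name:12s} longest run={longest_nop_run(p):3d} "
              f"alert={is_nop_sled(p)}")
```

The BENIGN_BLOB case is why the "Corrective Action" step matters: the detector alone cannot tell an archive's padding from a sled, so an alert on port 443 traffic still needs the payload's context checked before it is treated as an attack.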