GEN:SID | 1:1062 |
Message | WEB-MISC nc.exe attempt |
Summary | Netcat execution attempt - Netcat is a very flexible and powerfull tcp and udp port listener |
Impact | Serious. Full compromise of the host is possible. An attacker may have already compromised your system using another exploit and installed netcat to easily access a remote shell |
Detailed Information | This event is generated when an attempt is made to execute Netcat via a web session.
Netcat can be used for port forwarding, remote shell binding, file transfer etc. It is a security risk if someone can use the tool remotetly |
Affected Systems | |
Attack Scenarios | Usually nc.exe is uploaded after a successfull attack with another exploit. Netcat may then be executed via a web session to spawn a shell session the attacker can use for further system compromise. |
Ease of Attack | Simple
|
Corrective Action | Remove nc.exe.
Portscan your host and check your firewall log files for IP's accessing the suspect port where netcat listens to gain information about the attacker.
Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin.
This command may also be requested on a command line should the attacker gain access to the machine.
|
Additional References | |