Computer security Question:
Download Job Interview Questions and Answers PDF
What does this log entry indicate? How could you identify what the contents are of the hacked.htm file that the attacker is trying to upload?
Answer:
One of your web servers is logging multiple requests similar to the following:
201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?
Note: Goal of question – Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT Method), as well as, the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL Request line. In order to identify this data, a network sniffing application would need to be utilized. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule –
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)
201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"
What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?
Note: Goal of question – Determine if the applicant can identify both the attack (a web defacement attempt using the HTTP PUT Method), as well as, the logging limitations of CLF. In this type of attack, the defacement text is sent in the request body and not on the URL Request line. In order to identify this data, a network sniffing application would need to be utilized. An application such as Snort could be used with a custom rule to identify this activity. Here is an example rule –
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)
Download Computer security Interview Questions And Answers
PDF