Interview Questions

What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?



One of your web servers is logging multiple requests similar to the following:


201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 "Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"

What does this log entry indicate? How could you identify what the contents are of the "hacked.htm" file that the attacker is trying to upload?


Note: Goal of question: determine whether the applicant can identify both the attack (a web defacement attempt using the HTTP PUT method) and the logging limitation of the Common Log Format (CLF). In this type of attack the defacement text is sent in the request body, not on the URL request line, so the web server log records only the method, path and status and never the uploaded content. To recover that data a network sniffing application must be used. An application such as Snort could be used with a custom rule that matches the PUT request line and tags the rest of the session so the request body is captured. Here is an example rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"LOCAL Put attempt"; flow:to_server,established; tag:session,50,packets; pcre:"/^PUT /A"; sid:3000001; rev:1;)
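The two halves of the answer above (what the log can show, and what only a capture can show), as an added example that is not part of the original question; the log line is the one from the page, while the captured request bytes and the hostname are constructed:

```python
import re

# Combined Log Format: the CLF fields plus referer and user-agent (pattern written here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The log entry from the question: it names the method, path and 403 status but not the body.
SAMPLE_LOG = ('201.1.199.155 - - [26/Dec/2004:01:55:48 -0500] "PUT /hacked.htm HTTP/1.0" 403 769 '
              '"Microsoft Data Access Internet Publishing Provider DAV 1.1" "-"')

def parse_log_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_put_attempts(lines):
    """Return the parsed entries for PUT requests; the log alone cannot say what was uploaded."""
    out = []
    for line in lines:
        entry = parse_log_line(line)
        if entry and entry["method"].upper() == "PUT":
            out.append(entry)
    return out

# Constructed capture of the same request as it travels on the wire (what the Snort rule's
# tagged session would hand you). The body after the blank line is what CLF never records.
SAMPLE_REQUEST = (
    b"PUT /hacked.htm HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"          # hostname is a placeholder
    b"Content-Type: text/html\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"<h1>Defaced</h1>\n"
)

def extract_put_body(raw):
    """Split a captured HTTP request into (method, path, body), honouring Content-Length.

    Returns None when the capture ends before the header/body separator."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _ = request_line.split(b" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", len(rest)))
    return method.decode(), path.decode(), rest[:length]   # truncated capture yields a short body
```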
