iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

Category: Cyber Attack

( 538 Alerts)

OS-OTHER Bash CGI environment variable injection attempt

These alerts are triggered when detecting an attempt to exploit the Bash Shellshock vulnerability via CGI scripts on a web server. The Bash Shellshock vulnerability is a severe security flaw in the Unix Bash shell that, when exploited, allows an attacker to execute arbitrary commands on a vulnerable system, potentially gaining unauthorized access or control.

OS-OTHER Bash CGI environment variable injection attempt

These alerts are triggered when detecting an attempt to exploit the Bash Shellshock vulnerability via CGI scripts on a web server. The Bash Shellshock vulnerability is a severe security flaw in the Unix Bash shell that, when exploited, allows an attacker to execute arbitrary commands on a vulnerable system, potentially gaining unauthorized access or control.

NF – SCAN Potential SSH Scan

This alert is triggered when detecting an SSH scan of an asset. SSH is a secure protocol to provide access to an asset in a network. This alert may be triggered when an adversary is attempting to scan a network and creat an initial connection.

NF – SCAN Potential VNC Scan 5800-5820

This alert is triggered when detecting communication on ports 5800-5820 from an external source. Ports 5800-5820 are used by the virtual network computing service (VNC), which creates a screen-sharing system opening the network to remote communication. This alert may be triggered when an adversary is attempting to scan the network or gain initial access.

OS-OTHER Bash CGI environment variable injection attempt

These alerts are triggered when detecting an attempt to exploit the Bash Shellshock vulnerability via CGI scripts on a web server. The Bash Shellshock vulnerability is a severe security flaw in the Unix Bash shell that, when exploited, allows an attacker to execute arbitrary commands on a vulnerable system, potentially gaining unauthorized access or control.

ET SCAN Suspicious inbound to mySQL port 3306

This alert is triggered when detecting inbound communication from an external network to the database (DB) on port 3306 (mySQL). This alert may be triggered when an adversary is attempting to gain initial access to the DB or is attempting to read or write data to the DB.

ET SCAN Suspicious inbound to PostgreSQL port 5432

This alert is triggered when detecting inbound communication from an external network to the database (DB) on port 5432 (PostgreSQL). This alert may be triggered when an adversary is attempting to gain initial access to the DB or is attempting to read or write data to the DB.

NF – SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration

This alert is triggered when detecting a NetBIOS status communication sent from an internal asset to an axternal destination.

ET SCAN Potential VNC Scan 5900-5920

This alert is triggered when detecting communication on ports 5900-5920 from an external source. Ports 5900-5920 are used by the virtual network computing service (VNC), which creates a screen-sharing system opening the network to remote communication. This alert may be triggered when an adversary is attempting to scan the network or gain initial access.

ET SCAN Suspicious inbound to mSQL port 4333

This alert is triggered when detecting inbound communication from an external network to the database (DB) on port 4333 (mSQL). This alert may be triggered when an adversary is attempting to gain initial access to the DB or is attempting to read or write data to the DB.