Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"SERVER-WEBAPP SAP ConfigServlet command execution attempt"; flow:to_server,established; content:"/ctc/servlet/ConfigServlet"; http_uri; content:"param=com.sap.ctc.util.FileSystemConfig"; distance:0; http_uri; content:"EXECUTE_CMD"; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf; classtype:attempted-admin; sid:26929; rev:4;)
Recommendations/Investigative actions
It is recommended to immediately identify the server receiving this traffic and verify if it's running a vulnerable version of the SAP system. If so, patch or update the software to a non-vulnerable version.
Inspect server logs to determine if the attempted exploitation was successful. Look for signs of unauthorized access or further exploitation attempts.
If possible, block communication Attempts from external networks, or enable access from specific external devices only.
Relations to other alerts