SERVER-WEBAPP WebTester install2.php arbitrary command execution attempt

This alert triggers on an attempt to exploit a command execution vulnerability in the WebTester application through its install2.php script. WebTester is an online testing and quiz system. The rule looks for a POST to "install2.php" that drives the installation process (cpanel=yes and createdb=yes in the request body) and carries a database or control-panel parameter whose value contains a quote followed by a shell metacharacter, the pattern an adversary would use to inject commands during installation.

ID Number

28288

Signature

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebTester install2.php arbitrary command execution attempt"; flow:to_server,established; content:"/webtester5/install2.php"; fast_pattern:only; http_uri; content:"cpanel=yes"; nocase; http_client_body; content:"createdb=yes"; nocase; http_client_body; pcre:"/(^|&)(db(username|password|)|cp(username|password|domain))=[^&]*?(\x27|%27)[^&]*?([\x3b\x60]|\x24\x28|%3b|%60|%24%28)/Pmi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,sourceforge.net/p/webtesteronline/bugs/3/; classtype:attempted-admin; sid:28288; rev:2;)
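To make the signature's conditions concrete, the following Python check is an added example (it is not part of the Snort rule set or the WebTester project). It re-implements the rule's URI match, the two body content matches and the PCRE, then runs them over constructed sample requests so an analyst can see which bodies would fire sid 28288 and which would not. The request samples and the function names are assumptions made for the example; the regex is the rule's own pattern, with Snort's `P` flag (match against the HTTP client body) replaced by passing the body in directly.

```python
import re

# The rule's PCRE, copied verbatim; "m" and "i" map to MULTILINE and IGNORECASE.
# Snort's "P" flag scopes the match to the client body, which we pass in directly.
PARAM_PCRE = re.compile(
    r"(^|&)(db(username|password|)|cp(username|password|domain))="
    r"[^&]*?(\x27|%27)[^&]*?([\x3b\x60]|\x24\x28|%3b|%60|%24%28)",
    re.IGNORECASE | re.MULTILINE,
)

URI_CONTENT = "/webtester5/install2.php"          # content; http_uri (case-sensitive)
BODY_CONTENTS = ("cpanel=yes", "createdb=yes")    # content; nocase; http_client_body


def matches_sid_28288(uri: str, body: str) -> bool:
    """Return True when a request satisfies every condition of sid 28288."""
    # fast_pattern:only + http_uri: the literal must appear in the request URI.
    if URI_CONTENT not in uri:
        return False
    # Both body content matches are nocase, so compare on a lowered copy.
    lowered = body.lower()
    if not all(token in lowered for token in BODY_CONTENTS):
        return False
    # Finally the PCRE: a db*/cp* parameter whose value holds a quote followed,
    # within the same parameter, by ; ` or $( (raw or URL-encoded).
    return PARAM_PCRE.search(body) is not None


# Constructed sample requests (hypothetical, not captured traffic).
SAMPLES = {
    # Ordinary installer submission: no quote, no metacharacter -> no alert.
    "benign_install": (
        "/webtester5/install2.php",
        "cpanel=yes&createdb=yes&dbusername=webtester&dbpassword=S3cret",
    ),
    # Quote present but no shell metacharacter in that parameter -> no alert.
    "quote_only": (
        "/webtester5/install2.php",
        "cpanel=yes&createdb=yes&dbusername=o%27brien&dbpassword=x",
    ),
    # Quote followed by an encoded semicolon in dbusername -> alert.
    "injection_encoded": (
        "/webtester5/install2.php",
        "cpanel=yes&createdb=yes&dbusername=a%27%3b&dbpassword=x",
    ),
    # Same payload shape but the installer flags are absent -> no alert.
    "missing_flags": (
        "/webtester5/install2.php",
        "dbusername=a%27%3b&dbpassword=x",
    ),
    # Same body sent to a different script -> no alert (URI condition fails).
    "wrong_uri": (
        "/webtester5/index.php",
        "cpanel=yes&createdb=yes&cpdomain=a'%60",
    ),
}


def triage(samples: dict) -> dict:
    """Map each sample name to whether sid 28288 would fire on it."""
    return {name: matches_sid_28288(uri, body) for name, (uri, body) in samples.items()}


if __name__ == "__main__":
    for name, fired in triage(SAMPLES).items():
        print(f"{name:20s} -> {'ALERT' if fired else 'no alert'}")
```

The check mirrors the rule's order of evaluation: the URI literal is the fast pattern, so requests to any other path are discarded before the body is examined, and the PCRE only runs once both installer flags are present. When investigating a hit, the parameter that satisfied the PCRE (the `db*` or `cp*` value containing the quote and metacharacter) is the field to pull from the captured body.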

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Investigate the source of the request to determine whether it is an actual attack or a false positive. Patch the WebTester application to the latest version, or to one that has addressed this specific vulnerability. If WebTester is no longer needed, consider removing it from the server.