iSID Analyst Knowledge Base

Definitions, and additional context on iSID alerts along with helpful recommendations

SERVER-WEBAPP JBoss JMX console access attempt

This alert is triggered when detecting an access attempt to the JBoss JMX console. The JBoss JMX (Java Management Extensions) console is a web-based interface used for managing and monitoring JBoss Application Server resources. The rule checks for access attempts to the /jmx-console/ URI, which indicates an effort to access this management console. This alert may be triggered when an adversary is attempting to exploit known vulnerabilities in the JBoss JMX, such as CVE-2007-1036 and CVE-2013-2185. These vulnerabilities can allow unauthorized remote code execution and administrative access.

SERVER-WEBAPP Worldweaver DX Studio Player shell.execute command execution attempt

This alert is triggered when detecting specific content indicative of an attempt to exploit CVE-2009-2011 a vulnerability in Worldweaver DX Studio Player. Worldweaver DX Studio Player is a multimedia application that's used for creating interactive 3D web applications. The rule is detecting an attempt to exploit a known vulnerability in the application that enables command execution via the shell.execute command.

SERVER-WEBAPP Oracle GlassFish Server authentication bypass attempt

This alert is triggered when an adversary is attempting to exploit CVE-2011-0807 and gain access to the Oracle GlassFish Server without providing a "JSESSIONID". Oracle GlassFish Server is an open-source application server provided by Oracle for the Java EE platform. The rule specifically detects attempts to bypass authentication by targeting the "/applications/upload" URI and looking for specific patterns in the request.

SERVER-WEBAPP Squid authentication headers handling denial of service attempt

This alert is triggered when an adversary is attempting to exploit CVE-2005-2917 a denial of service vulnerability in the Squid proxy server, specifically related to how it handles authentication headers. Squid is a widely-used proxy server that helps organizations increase their web performance by caching web content and also providing filtering capabilities. The vulnerability is linked to how Squid handles "Proxy-Authorization" headers with "NTLM" authentication.

SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt

This alert is triggered when an adversary is attempting to exploit CVE-2013-6810 a directory traversal vulnerability in the EMC Connectrix Manager via its FileUploadController. EMC Connectrix Manager is a web application for managing Connectrix switches. A directory traversal vulnerability would allow an attacker to access files on the server that are outside the intended directory. The specific point of interest here is the "FileUploadController," which the attacker is trying to exploit by sending specially crafted filenames in their request.