Markwd 1 Posted September 28 Share Posted September 28 Hello, Just a quick (global) question: We have a webserver containing an instance of Apache Tomcat version 9 (not fully up-to-dat). The server also has ESET Server Security version 9 on it. Once in a while ESET Server Security detects an attempt to exploit HTTP/Exploit.CVE-2021-41773 on the Tomcat.exe process. The exploit is bound to a vulnerability in Apache HTTPD instead of Tomcat. Would that be an attempt of the attacker to try if the webserver accidentally has a vulnerable httpd version on it, what is triggering ESET to detect the exploit attempt? Could it be a FP, because Tomcat.exe is not vulnerable to this exploit, or could something else be the reason ESS is triggered? Thanks! Quote Link to comment Share on other sites More sharing options...
Solution Nevermind 5 Posted September 30 Solution Share Posted September 30 Hey Markwd, thats a network detection only (ie its neither a file nor memory detection). The way I see it someone tries whether your server is vulnerable to this exploit. If you have logging enabled you can check if there are any requests similar to this: hxxp://<your_server>/cgi-bin/.%2e/%2e%2e/%2e%2e.... (src: https://github.com/thehackersbrain/CVE-2021-41773/blob/main/exploit.py) ESET doesnt check whether you are actually running a vulnerable software or not. It sees an exploit attempt -> it displays a detection window. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.