List: emerging-sigs
Subject: [Emerging-Sigs] signature for phoenix exploit kit - administrative page being accessed
From: eoin.miller () trojanedbinaries ! com (Eoin Miller)
Date: 2010-07-29 22:30:16
Message-ID: 4C5200F8.70306 () trojanedbinaries ! com
This would probably help out some managed hosting providers detect and
remove phoenix exploit kits from their nets if they are so inclined:
alert tcp any $HTTP_PORTS -> any any (msg:"EID DRIVEBY phoenix exploit kit - admin login page detected"; flow:established,to_client; content:"<title>Phoenix Exploit's Kit - Log In</title>"; classtype:bad-unknown; sid:99999999; rev:1;)
I know I used any for the source/destination addresses, but if you limit
them to $HOME_NET or $EXTERNAL_NET here, then the rule can only fire if you are
hosting it or if a client is accessing it on an external network. You may
want to know if either happens, or maybe create two signatures? One
for if you are hosting it and another for if your clients are accessing it.
Based on:
==========================================================================
0000 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 74 79 <html><h ead><sty
0010 6c 65 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 le type= 'text/cs
0020 73 27 3e 62 6f 64 79 2c 20 74 64 20 7b 66 6f 6e s'>body, td {fon
**** ***************************** SNIP *********************************
0250 30 30 30 7d 3c 2f 73 74 79 6c 65 3e 3c 74 69 74 000}</st yle><tit
0260 6c 65 3e 50 68 6f 65 6e 69 78 20 45 78 70 6c 6f le>Phoen ix Explo
0270 69 74 27 73 20 4b 69 74 20 2d 20 4c 6f 67 20 49 it's Kit - Log I
0280 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e n</title ></head>
==========================================================================
Bunch of examples here if anyone else is interested in doing a bit of
research:
http://www.malwaredomainlist.com/mdl.php?search=control+panel+of+Phoenix+exploit+kit&colsearch=All&quantity=50
-- Eoin
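As an added illustration (not part of Eoin's post or the Emerging Threats rule set), a small Python model of the rule variants discussed above, run over the title bytes recovered from the dump; HOME_NET, the sample addresses and the benign payload are constructed assumptions.

```python
import ipaddress

# Assumed values for this illustration only.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
HTTP_PORTS = {80, 8080}
CONTENT = b"<title>Phoenix Exploit's Kit - Log In</title>"

# The four dump lines from the post that carry the page title (offset, hex, ascii).
SAMPLE_DUMP = """
0250 30 30 30 7d 3c 2f 73 74 79 6c 65 3e 3c 74 69 74 000}</st yle><tit
0260 6c 65 3e 50 68 6f 65 6e 69 78 20 45 78 70 6c 6f le>Phoen ix Explo
0270 69 74 27 73 20 4b 69 74 20 2d 20 4c 6f 67 20 49 it's Kit - Log I
0280 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e n</title ></head>
"""

def parse_hexdump(dump: str) -> bytes:
    """Rebuild payload bytes from 'OFFSET 16-hex-bytes ascii' lines; skips SNIP lines."""
    out = bytearray()
    for line in dump.strip().splitlines():
        try:
            int(line[:4], 16)          # a real offset, not a '****' separator
        except ValueError:
            continue
        out += bytes.fromhex(line[5:53])  # columns 5..52 hold the 16 hex bytes
    return bytes(out)

# The three header variants the post weighs: any/any, "we host it", "our client hit it".
RULES = {
    "original_any":  {"src": "any",           "dst": "any"},
    "hosting":       {"src": "$HOME_NET",     "dst": "$EXTERNAL_NET"},
    "client_access": {"src": "$EXTERNAL_NET", "dst": "$HOME_NET"},
}

def in_scope(spec: str, ip: str) -> bool:
    """Resolve a Snort address variable against HOME_NET."""
    if spec == "any":
        return True
    home = ipaddress.ip_address(ip) in HOME_NET
    return home if spec == "$HOME_NET" else not home

def fired(src_ip: str, dst_ip: str, payload: bytes, src_port: int = 80) -> list:
    """Names of rule variants that would alert on this server->client response."""
    if src_port not in HTTP_PORTS or CONTENT not in payload:
        return []
    return sorted(n for n, r in RULES.items()
                  if in_scope(r["src"], src_ip) and in_scope(r["dst"], dst_ip))

if __name__ == "__main__":
    page = parse_hexdump(SAMPLE_DUMP)
    print(fired("10.1.2.3", "203.0.113.5", page))     # we host the panel
    print(fired("198.51.100.7", "10.9.8.7", page))    # our client reached one
```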