List: emerging-sigs
Subject: [Emerging-Sigs] anyone recognize this?
From: jonkman () emergingthreatspro ! com (Matthew Jonkman)
Date: 2011-04-28 15:04:00
Message-ID: 386A8384-0734-414F-A18A-DE2883B6ACE2 () emergingthreatspro ! com
Putting these up, thanks harry!
Matt
On Apr 28, 2011, at 10:42 AM, harry.tuttle wrote:
> > On Wed, Apr 27, 2011 at 10:16 PM, evilghost at packetmail.net
> > > Any query string after that like "/in/rdrct/rckt/?" and is the trailing slash
> > > there too?
>
> No and yes.
>
> The last two may not be as clean as the first one, but I'm going to load up all three locally, at least for a while. "people/?" by itself definitely falses. Happy to have your suggestions.
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown exploit redirect page /in/rdrct/rckt/"; flow:established,to_server; content:"/in/rdrct/rckt/"; http_uri; classtype:bad-unknown; sid:2xxxxxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown exploit redirect page in .ru"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2xxxxxx; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP POST to unknown exploit page in .ru"; flow:established,to_server; content:"people/?"; http_uri; content:"POST"; http_method; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2xxxxxx; rev:1;)
>
> ---- On Wed, 27 Apr 2011 20:24:25 -0700 Martin Holste wrote ----
>
> > April 6th: ntukjgozxy.ru|/in/rdrct/rckt/
> > April 7th: okfvuqmlh.ru|/in/rdrct/rckt/
> > April 8th: wnoayieqpz.ru|/in/rdrct/rckt/
> > April 14th: afepqbrylo.ru|/in/rdrct/rckt/
> > April 15th: buygoilkef.ru|/in/rdrct/rckt/
> > April 17th: cgfoyekuzj.ru|/in/rdrct/rckt/
> > April 21st: infoxkmdrg.ru|/in/rdrct/rckt/
> > April 25th: infoxkmdrg.ru|/in/rdrct/rckt/
> > April 26th: ojsfcpabwm.ru|/in/rdrct/rckt/
> >
> > No other hits for /in/rdrct/rckt/ so yeah, I think we'd be good with
> > that sig! Almost all referrers were search engines, so this is a
> > landing page promoted via SEO. Also have some referrers from the
> > infamous *.co.cc.
> >
> > On Wed, Apr 27, 2011 at 10:16 PM, evilghost at packetmail.net
> > wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > >
> > > On 04/27/11 22:11, harry.tuttle wrote:
> > > > The GET redirects to hxxp://ojsfcpabwm.ru/in/rdrct/rckt/
> > >
> > > Hey Harry, /in/rdrct/rckt/ looks pretty tasty for a URI match, I can't imagine this falsing often but it's untested here and you never know what those ad guys do.
> > > content:"/in/rdrct/rckt/"; http_uri;
> > >
> > > Any query string after that like "/in/rdrct/rckt/?" and is the trailing slash
> > > there too?
> > >
> > > - --
> > >
> > > - -evilghost
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.10 (GNU/Linux)
> > >
> > > iQIcBAEBAgAGBQJNuNwqAAoJENgimYXu6xOHADIP/RhSYvEano1cr3xl56vc5iQT
> > > fq+F/uYdJd7iy1+CFXWbTRA80Jgs3jrv3dgAXp3I7jsEg/lMWkJzfBlQMUQIYzwg
> > > on+D1kdJUN/EAy7jpRzwGx4u7c/e8CHms8THcPvb4BiFyx8HLVlGxhjatnKQf+FB
> > > nKpXRF+R/c1FEJyeT5ZF+A8gJFb5fkwGkzpMmeyuJnpyd+RTZp5y7c6Rg+7cI2VD
> > > fO46yGInh38o0GEFjnz3VawSzN770mDLE/PXgbRxXv6lenkeU+3AdDjukfEXjZSi
> > > QbK6dHO2HOyGKw+rIckX7WDFZxjT1u5Czv9x3tDV56+G1SCj7Fsh30p3wZCW9Kfn
> > > TAQC4oKqKI3UbTX+Sn9BfZeOC/ZFEl+JPqAlqR9Mr2B6mc7cbhnWsW/9TrV9AHXi
> > > iTEU5oI/D3NP/MURK7xvMW0wx1770mt2OGGzSfN/PdI7ANSu88ZsAbHBB5OGr/Hp
> > > IFyzRgmxkzEsr+tl/HuR8Z08dGZd+xzvm4ti4rY10twjmMHPA4Y2UnRCGjYuhL1R
> > > coVv3YB+q8/7+rUxAorXXZVaGNwQzvwiS+oNfOEwNOVG7yQAZ+QFGy9m2z/vw/eD
> > > A3CiB2Z0x1e0NmtjHtw9YNz510lmc/wqzENf83ZqdbC9ZDqwxCuPfyr6o+mwbLUZ
> > > fKPco61NL4nHjC7nZ+dP
> > > =KYSI
> > > -----END PGP SIGNATURE-----
> > > _______________________________________________
> > > Emerging-sigs mailing list
> > > Emerging-sigs at emergingthreats.net
> > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > >
> > > Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> >
>
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
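The three rule bodies Harry posted differ only in which extra constraints they stack on the weak "people/?" URI match. The following is an added example, not code from the thread or from Emerging Threats: a small Python emulation of those three rule bodies run over constructed HTTP requests, to show which requests each one fires on and why "people/?" alone is not enough. The only identifiers taken from the thread are the hostname ojsfcpabwm.ru and the path /in/rdrct/rckt/; every request, the other hostnames and the query strings are constructed here, and the matching is a plain substring emulation of Snort's http_uri / http_method / http_header buffers rather than Snort itself.

```python
"""Emulate the three Snort rule bodies from the emerging-sigs thread.

Added example (not from the list post). Requests below are constructed;
only ojsfcpabwm.ru and /in/rdrct/rckt/ appear in the original thread.
"""
from dataclasses import dataclass


@dataclass
class Request:
    method: str        # what Snort's http_method buffer would hold
    uri: str           # what Snort's http_uri buffer would hold (path + query)
    header_block: str  # header lines, each CRLF-terminated, like http_header


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into the three buffers the rules inspect."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.decode("ascii").split(" ", 2)
    # Re-append the CRLF that partition() stripped from the last header line,
    # so a content match on ".ru|0d 0a|" behaves as it would on the wire.
    return Request(method, uri, headers.decode("ascii") + "\r\n")


# Rule 1: content:"/in/rdrct/rckt/"; http_uri;
def rule_rdrct(req: Request) -> bool:
    return "/in/rdrct/rckt/" in req.uri


# Rule 2: content:"people/?"; http_uri; content:"&top="; http_uri;
#         content:".ru|0d 0a|"; http_header;
def rule_people_top_ru(req: Request) -> bool:
    return ("people/?" in req.uri
            and "&top=" in req.uri
            and ".ru\r\n" in req.header_block)


# Rule 3: content:"people/?"; http_uri; content:"POST"; http_method;
#         content:".ru|0d 0a|"; http_header;
def rule_people_post_ru(req: Request) -> bool:
    return ("people/?" in req.uri
            and "POST" in req.method
            and ".ru\r\n" in req.header_block)


RULES = {
    "rdrct": rule_rdrct,
    "people_top_ru": rule_people_top_ru,
    "people_post_ru": rule_people_post_ru,
}


def evaluate(raw: bytes) -> list:
    """Return the sorted names of the rules that fire on one raw request."""
    req = parse_request(raw)
    return sorted(name for name, fn in RULES.items() if fn(req))


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # the redirect target reported in the thread
    "redirect": (b"GET /in/rdrct/rckt/ HTTP/1.1\r\n"
                 b"Host: ojsfcpabwm.ru\r\n"
                 b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # GET with the &top= parameter to a .ru host (constructed host)
    "get_top_ru": (b"GET /people/?id=7&top=3 HTTP/1.1\r\n"
                   b"Host: example-landing.ru\r\n\r\n"),
    # POST to a people/? page on a .ru host (constructed host)
    "post_ru": (b"POST /people/?id=7 HTTP/1.1\r\n"
                b"Host: example-landing.ru\r\n"
                b"Content-Length: 0\r\n\r\n"),
    # the false positive Harry warns about: "people/?" alone on a .com site
    "benign_people": (b"GET /people/?q=smith HTTP/1.1\r\n"
                      b"Host: www.example.com\r\n\r\n"),
    # &top= present but no header line ending in .ru, so rule 2 stays quiet
    "benign_top": (b"GET /people/?q=smith&top=10 HTTP/1.1\r\n"
                   b"Host: www.example.com\r\n\r\n"),
}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} -> {evaluate(raw) or 'no alert'}")
```

Two things the emulation makes visible. First, the `.ru|0d 0a|` match in the `http_header` buffer fires on any header line that ends in `.ru` (normally `Host:`), so it is the host constraint that keeps the two "people/?" rules from alerting on ordinary `.com` search pages. Second, the `/in/rdrct/rckt/` rule needs no such anchor because the path itself is specific, which matches what the thread's search of referrer data found.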