
List:       snort-sigs
Subject:    [Snort-sigs] Re: Snort-sigs digest, Vol 1 #977 - 7 msgs
From:       GMUarmyRES () aol ! com
Date:       2004-06-25 9:55:52
Message-ID: 3DEF2C32.486A2734.0A921E84 () aol ! com

Try these signatures:

alert tcp any 80 -> any any (msg:"IE ADODB Exploit Javascript Detected"; content:"var qxco7=document.cookie"; )

alert tcp any 80 -> any any (msg:"IE msits.exe Download Detected"; content:"|BA AC C7 AD C7 48 83 D1 CA 68 81 26 8B 6C F3 29 00 28 A3 2E 00 38 A3 36 02 6E 3F 25 8B 6C 87 E5 D8 3A D0 AD CF 48 97 76 E1 92 EF 26 9B 2C 87 42|"; )

Looks like almost all of these infections were from servers running IIS 5.0. 

Take a look:
http://www.pete.quallife.com/ Server: Microsoft-IIS/5.0
http://www.ci.citrus-heights.ca.us/ Server: Microsoft-IIS/5.0
MicrosoftOfficeWebServer: 5.0_Pub
http://www.baseballusa.com/ Server: Microsoft-IIS/5.0
MicrosoftOfficeWebServer: 5.0_Collab
http://www.armynavyshop.us/ Server: Microsoft-IIS/5.0
http://www.mda.org.au/ Server: Microsoft-IIS/5.0
http://www.gwinnettplacecid.com/ Server: Microsoft-IIS/5.0
http://www.armynavyshop.com/ Server: Microsoft-IIS/5.0
http://www.ntrl.com/ Server: Microsoft-IIS/5.0
http://www.co.madison.tn.us/ Server: Microsoft-IIS/5.0
http://a.as-us.falkag.net/ Server: Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a mod_fastcgi/2.2.10
http://red01.as-us.falkag.net/ Server: Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a mod_fastcgi/2.2.10 mod_ssl/2.8.16 OpenSSL/0.9.7c
http://www.starins.com/ Server: Microsoft-IIS/5.0
http://www.tourismecote-nord.com/ Server: Microsoft-IIS/5.0
http://www.commandline.co.uk/ Server: What_you_upto
http://www.portlucayaresort.com/ Server: Microsoft-IIS/5.0
http://www.virginiahomeloan.com/prequal.htm Server: Microsoft-IIS/5.0

"Challenges are what make life interesting, overcoming them is what makes life meaningful."
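
Added example, not part of the original message and not Snort's own code: a minimal Python matcher that decodes the `content` options of the two rules above (literal text and `|hex|` byte runs) and checks them against constructed payloads. It honours only the header's source port plus `msg` and `content`; the function names and sample payloads are assumptions made for illustration.

```python
import re

# The two rules from the message, with the archive's line wraps undone.
RULES = [
    'alert tcp any 80 -> any any (msg:"IE ADODB Exploit Javascript Detected"; '
    'content:"var qxco7=document.cookie"; )',
    'alert tcp any 80 -> any any (msg:"IE msits.exe Download Detected"; '
    'content:"|BA AC C7 AD C7 48 83 D1 CA 68 81 26 8B 6C F3 29 00 28 A3 2E 00 '
    '38 A3 36 02 6E 3F 25 8B 6C 87 E5 D8 3A D0 AD CF 48 97 76 E1 92 EF 26 9B '
    '2C 87 42|"; )',
]

HEADER = re.compile(r'^\w+ \w+ \S+ (\S+) -> \S+ \S+ \((.*)\)\s*$')
OPTION = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)";')

def decode_content(pattern):
    """Convert a Snort content string (text with |hex| runs) to raw bytes."""
    out = bytearray()
    for i, piece in enumerate(pattern.split("|")):
        if i % 2:  # odd pieces sit between pipes: space-separated hex bytes
            out += bytes.fromhex(piece)
        else:      # even pieces are literal text; drop backslash escapes
            out += re.sub(r"\\(.)", r"\1", piece).encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Extract the source port, msg and decoded content patterns from a rule."""
    sport, body = HEADER.match(rule).groups()
    opts = OPTION.findall(body)
    return {"sport": sport, "msg": dict(opts)["msg"],
            "contents": [decode_content(v) for k, v in opts if k == "content"]}

def alerts(rules, sport, payload):
    """Return the msg of each rule whose source port and every content match."""
    return [r["msg"] for r in map(parse_rule, rules)
            if r["sport"] in ("any", str(sport))
            and all(c in payload for c in r["contents"])]

# Constructed payloads (not captured traffic).
PAGE = b"HTTP/1.1 200 OK\r\n\r\n<script>var qxco7=document.cookie;</script>"
BINARY = b"HTTP/1.1 200 OK\r\n\r\n" + parse_rule(RULES[1])["contents"][0] + b"\x00"
BENIGN = b"HTTP/1.1 200 OK\r\n\r\n<script>var c=document.cookie;</script>"

if __name__ == "__main__":
    for name, port, data in [("page", 80, PAGE), ("binary", 80, BINARY),
                             ("benign", 80, BENIGN), ("page", 8080, PAGE)]:
        print(name, port, alerts(RULES, port, data))
```

Neither rule carries `nocase`, so both patterns are compared byte for byte, and the `any 80` source port means the same payload served from another port is not inspected by these rules.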

