[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-sigs
Subject:    [Snort-sigs] Linux/CDorked sig
From:       James Lay <jlay () slave-tothe-box ! net>
Date:       2013-04-26 17:04:34
Message-ID: c76b8d44a7664d9453c63675f63c3dec () localhost
[Download RAW message or body]

Enjoy:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISED Linux/CDorked redirect"; 
flow:from_server,established; file_data; content:"index.php?j="; 
http_header; content:"302"; http_stat_code; 
pcre:"/http\x3a\x2f\x2f[0-9a-z]{16}/m"; metadata:policy balanced-ips 
drop, policy security-ips drop, service http; 
reference:url,http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; 
classtype:trojan-activity; sid:10000049; rev:1;)

Ok Joel....how much cleanup is needed with this ;)

James

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
[prev in list] [next in list] [prev in thread] [next in thread]