[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-sigs
Subject: [Snort-sigs] Linux/CDorked sig
From: James Lay <jlay () slave-tothe-box ! net>
Date: 2013-04-26 17:04:34
Message-ID: c76b8d44a7664d9453c63675f63c3dec () localhost
[Download RAW message or body]
Enjoy:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"INDICATOR-COMPROMISED Linux/CDorked redirect";
flow:from_server,established; file_data; content:"index.php?j=";
http_header; content:"302"; http_stat_code;
pcre:"/http\x3a\x2f\x2f[0-9a-z]{16}/m"; metadata:policy balanced-ips
drop, policy security-ips drop, service http;
reference:url,http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html;
classtype:trojan-activity; sid:10000049; rev:1;)
Ok Joel....how much cleanup is needed with this ;)
James
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic