
List:       snort-sigs
Subject:    Re: [Snort-sigs] [Emerging-Sigs] Linux/CDorked sig
From:       Will Metcalf <wmetcalf () emergingthreatspro ! com>
Date:       2013-04-26 19:12:32
Message-ID: CAKrkXrPB=NPF-uJtT1RFBo3Ze+5P2fv0=rYOGZD7TUQNVESu5w () mail ! gmail ! com


Slight update

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command";
flow:established,to_server; content:"POST"; http_method; nocase;
content:"SECID="; nocase; fast_pattern:only; content:"SECID="; nocase;
http_cookie;
pcre:"/\/\?(?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))(&|$)/U";
 classtype:attempted-user; sid:103; rev:1;)


On Fri, Apr 26, 2013 at 2:02 PM, Will Metcalf <wmetcalf@emergingthreatspro.com> wrote:

> Going to add something like this as well...
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command";
> flow:established,to_server; content:"SECID="; nocase; fast_pattern:only;
> content:"SECID="; nocase; http_cookie;
> pcre:"/\/\?(?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))/U";
> classtype:attempted-user; sid:103; rev:1;)
> 
> 
> 
> On Fri, Apr 26, 2013 at 1:24 PM, Rodrigo Montoro (Sp0oKeR) <spooker@gmail.com> wrote:
> 
> > Awesome info here too
> > 
> > 
> > http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
> >  
> > Regards,
> > 
> > 
> > On Fri, Apr 26, 2013 at 3:03 PM, Will Metcalf <wmetcalf@emergingthreatspro.com> wrote:
> > 
> > > Thanks James, can probably limit to a-f0-9 on your char class and
> > > probably want a \. match after to ensure it is exactly this and not
> > > something like somethinglongerthan16charsaaaaaaaaa.foo.bar could also
> > > anchor the match to a Location header. Nice sig... Will get something into
> > > QA and out today based on this thanks!
> > > 
> > > Regards,
> > > 
> > > Will
> > > 
> > > 
> > > On Fri, Apr 26, 2013 at 12:04 PM, James Lay <jlay@slave-tothe-box.net> wrote:
> > > 
> > > > Enjoy:
> > > > 
> > > > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> > > > (msg:"INDICATOR-COMPROMISED Linux/CDorked redirect";
> > > > flow:from_server,established; file_data; content:"index.php?j=";
> > > > http_header; content:"302"; http_stat_code; pcre:"/http\x3a\x2f\x2f[0-9a-
> > > > z]{16}/m"; metadata:policy balanced-ips drop, policy security-ips
> > > > drop, service http; reference:url,http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html;
> > > >  classtype:trojan-activity; sid:10000049; rev:1;)
> > > > 
> > > > Ok Joel....how much cleanup is needed with this ;)
> > > > 
> > > > James
> > > > _______________________________________________
> > > > Emerging-sigs mailing list
> > > > Emerging-sigs@lists.emergingthreats.net
> > > > https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > > >
> > > > Support Emerging Threats! Subscribe to Emerging Threats Pro
> > > > http://www.emergingthreatspro.com
> > > > The ONLY place to get complete premium rulesets for all versions of
> > > > Suricata and Snort 2.4.0 through Current!
> > > > 
> > > 
> > > 
> > > 
> > 
> > 
> > 
> > --
> > Rodrigo Montoro (Sp0oKeR)
> > http://spookerlabs.blogspot.com
> > http://www.twitter.com/spookerlabs
> > http://www.linkedin.com/in/spooker
> > 
> 
> 
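A worked check of the two regex tightenings discussed in this thread (Will's suggested narrowing of James's redirect pcre, and the `(&|$)` terminator that the update at the top adds to the SECID command pcre), as an added example that is not part of the original posts. It applies the patterns with Python's `re` module to constructed sample headers and URIs; the `0123456789abcdef.example.invalid` hostname, the sample URI list, and the case-insensitive `Location:` anchor are assumptions of the example, not indicators taken from the thread.

```python
import re

# Constructed sample HTTP responses (not real CDorked traffic). The first
# carries a 16-hex-character hostname label followed by a dot, the shape the
# thread describes; the second is the benign long-hostname case Will raised
# as a false positive for the original character class.
SAMPLE_HEADERS = [
    "HTTP/1.1 302 Found\r\n"
    "Location: http://0123456789abcdef.example.invalid/index.php?j=1\r\n\r\n",
    "HTTP/1.1 302 Found\r\n"
    "Location: http://somethinglongerthan16charsaaaaaaaaa.foo.bar/\r\n\r\n",
]

# James's original pcre body: any 16 [0-9a-z] characters after "http://",
# with nothing required after them.
LOOSE_REDIRECT = re.compile(r"http\x3a\x2f\x2f[0-9a-z]{16}", re.M)

# Will's suggested tightening: hex-only class, a literal dot right after the
# 16 characters, and the match anchored to a Location header line. Treating
# the header name case-insensitively is an assumption of this example.
TIGHT_REDIRECT = re.compile(r"^Location:\s*http://[0-9a-f]{16}\.", re.M | re.I)


def redirect_matches(pattern, headers=SAMPLE_HEADERS):
    """Indices of the sample responses the given pattern fires on."""
    return [i for i, hdr in enumerate(headers) if pattern.search(hdr)]


# Command-code alternation from the posted SECID rule. The rev at the top of
# the thread appends "(&|$)" so a code only matches as a whole query value
# rather than as a prefix of a longer one.
CODES = r"(?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))"
CMD_UNANCHORED = re.compile(r"/\?" + CODES)
CMD_ANCHORED = re.compile(r"/\?" + CODES + r"(&|$)")

# Constructed URIs: three that are exactly a listed code, one that merely
# starts with a listed code, one near miss, and an unrelated path.
SAMPLE_URIS = ["/?4431", "/?4c41&x=1", "/?5354", "/?44310", "/?4440", "/index.php"]


def command_uri_hits(pattern, uris=SAMPLE_URIS):
    """URIs from the sample list that the given pattern matches."""
    return [u for u in uris if pattern.search(u)]


if __name__ == "__main__":
    print("loose redirect fires on:", redirect_matches(LOOSE_REDIRECT))
    print("tight redirect fires on:", redirect_matches(TIGHT_REDIRECT))
    print("unanchored command hits:", command_uri_hits(CMD_UNANCHORED))
    print("anchored command hits:  ", command_uri_hits(CMD_ANCHORED))
```

The loose redirect pattern fires on both sample responses, including the benign long hostname, while the tightened pattern fires only on the 16-hex-character label. For the command rule, `/?44310` is caught by the unanchored alternation (it begins with `4431`) but not once the `(&|$)` terminator is present, which is the false-positive class the rev closes; `/?4440` is rejected by both because it is not one of the listed codes. In Snort the `/U` modifier applies the pcre to the normalized URI buffer, where `$` likewise means end of that buffer.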






_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
