[Snort-sigs] BrownOrifice

Esler, Joel EslerJ at ...785...
Tue Aug 27 09:22:05 EDT 2002


No, it is the word "file:" embedded into JavaScript which opens a back door
to allow an attacker to access local files through port 8080 on a computer
using an older version of Netscape.  All systems are vulnerable (Windows,
Linux, Unix... blah blah) if they use this web browser...

-----Original Message-----
From: Ian Macdonald [mailto:secsnortsigs at ...644...]
Sent: Tuesday, August 27, 2002 12:13 PM
To: Esler, Joel; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] BrownOrifice


Is it possible to be more specific? Searching for "<javascript>" and file
would generate a lot of false positives. Do you have any examples of traffic
that this backdoor generates? Does "file" always appear in the same location
in the message?

Ian
----- Original Message -----
From: "Esler, Joel" <EslerJ at ...785...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Tuesday, August 27, 2002 11:56 AM
Subject: [Snort-sigs] BrownOrifice


> Has anyone seen, or developed a signature for BrownOrifice?  It would need
> to look for the word "file" in a javascript webpage.  Any thoughts?
>
> Joel
>
>



