[Snort-sigs] Frontpage breakins

tomc at ...280... tomc at ...280...
Tue Jan 22 09:33:04 EST 2002


I derived these after cleaning up from a FrontPage break-in.  It may be
easier to replace the uricontent field with ".dll", since anyone POSTing to a
.dll is probably up to no good, but this is what the Brazilian hacking club is
using:


# Snort rules for HTTP POSTs to FrontPage / IIS ISAPI extensions, derived
# from a FrontPage break-in.  Each rule fires on an established TCP flow
# (flags: A+) from $EXTERNAL_NET to $HTTP_SERVERS port 80 whose payload
# contains "POST" and whose request URI contains the named .dll.
#
# NOTE(review): the rules below are line-wrapped by the mailing-list
# software; in a rules file each rule is one line (or continued with a
# trailing backslash).
# NOTE(review): content:"POST" has no offset/depth, so it matches anywhere
# in the payload, including request bodies that merely contain the word;
# adding `depth:4` after it pins the match to the start of the request.
# NOTE(review): nocase modifies only the immediately preceding match, i.e.
# the uricontent; the "POST" match stays case-sensitive, which is fine
# because HTTP method names are case-sensitive.
# NOTE(review): no sid/rev is given; add a local sid (sid:<LOCAL_SID>;
# rev:1;) before deploying so alerts can be tracked and the rule tuned.
# NOTE(review): author.dll, admin.dll and shtml.dll are also the normal
# endpoints used by legitimate FrontPage authoring clients, so expect
# alerts on authorised publishing traffic; tune $HTTP_SERVERS or exempt
# the authoring hosts rather than dropping the rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
idq.dll"; flags: A+; content:"POST"; uricontent:"/idq.dll"; nocase;
classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
httpext.dll"; flags: A+; content:"POST"; uricontent:"/httpext.dll"; nocase;
classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
httpodbc.dll"; flags: A+; content:"POST"; uricontent:"/httpodbc.dll";
nocase; classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
ssinc.dll"; flags: A+; content:"POST"; uricontent:"/ssinc.dll"; nocase;
classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
msw3prt.dll"; flags: A+; content:"POST"; uricontent:"/msw3prt.dll"; nocase;
classtype:web-application-activity;)
# FrontPage Server Extensions authoring/administration endpoints: the three
# rules below are the ones most likely to fire on legitimate publishing.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
author.dll"; flags: A+; content:"POST"; uricontent:"/author.dll"; nocase;
classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
admin.dll"; flags: A+; content:"POST"; uricontent:"/admin.dll"; nocase;
classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
shtml.dll"; flags: A+; content:"POST"; uricontent:"/shtml.dll"; nocase;
classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
sspifilt.dll"; flags: A+; content:"POST"; uricontent:"/sspifilt.dll";
nocase; classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
compfilt.dll"; flags: A+; content:"POST"; uricontent:"/compfilt.dll";
nocase; classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
pwsdata.dll"; flags: A+; content:"POST"; uricontent:"/pwsdata.dll"; nocase;
classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
md5filt.dll"; flags: A+; content:"POST"; uricontent:"/md5filt.dll"; nocase;
classtype:web-application-activity;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-FRONTPAGE posting
fpexedll.dll"; flags: A+; content:"POST"; uricontent:"/fpexedll.dll";
nocase; classtype:web-application-activity;)

tc




