[Snort-sigs] phpBB remote code execution detection rule (final)
shirkdog_list at ...12...
Wed Dec 1 10:00:11 EST 2004
This link describes an attack that adds an admin user to any vulnerable
phpBB forum using some of the content you described.
The 2001457 rule is just hunting the /'.system(/ so no matter what command
is attempted it should trigger. I tested by sending an ls command to a
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
phpBB Highlighting Remote Code Execution Attempt HowDark.com";
flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase;
reference:url,www.howdark.com/poc/phpbb2010_hl.phps; sid:2001457; rev:4;)
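An offline check equivalent to what the post describes for sid 2001457, for triaging web server logs. This is an added example, not code from the original post or from the rule's authors. It assumes an Apache-style access log and treats the `'.system(` sequence as a literal substring, since the rule text as quoted above does not show the option that matches it; the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

URI_MARKER = "/viewtopic.php?t="   # uricontent from sid 2001457 (nocase)
TOKEN = "'.system("                # sequence the post says the rule hunts (literal, assumed)
MAX_DECODE_ROUNDS = 3              # assumption: bound on nested percent-encoding

# Assumed log layout: request field is "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

# Constructed sample lines (documentation address ranges), not real traffic
SAMPLE_LOG = """\
192.0.2.10 - - [01/Dec/2004:10:00:11 -0500] "GET /viewtopic.php?t=1 HTTP/1.0" 200 5120
198.51.100.7 - - [01/Dec/2004:10:00:12 -0500] "GET /viewtopic.php?t=1&q='.system(ls).' HTTP/1.0" 200 5300
198.51.100.8 - - [01/Dec/2004:10:00:13 -0500] "GET /phpBB2/VIEWTOPIC.PHP?t=1&q=%27.SyStEm(ls).%27 HTTP/1.0" 200 5300
192.0.2.11 - - [01/Dec/2004:10:00:14 -0500] "GET /search.php?q='.system(ls) HTTP/1.0" 200 812
""".splitlines()


def normalize(uri):
    """Percent-decode until the string stops changing (bounded), then lowercase."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    # Lowercasing covers nocase on the marker; PHP function names are
    # case-insensitive, so the token is matched case-insensitively too.
    return uri.lower()


def matches_rule(uri):
    """True when the URI contains the viewtopic marker followed by the token."""
    n = normalize(uri)
    pos = n.find(URI_MARKER)
    return pos != -1 and TOKEN in n[pos:]


def scan(log_lines):
    """Return (line number, client address) for each matching request."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if m and matches_rule(m.group(1)):
            hits.append((lineno, line.split()[0]))
    return hits


if __name__ == "__main__":
    for lineno, client in scan(SAMPLE_LOG):
        print(f"line {lineno}: possible sid 2001457 match from {client}")
```

Because the match is on the token rather than the command, any argument passed to `system(` is flagged, which is the behaviour the post describes for the rule.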