[Snort-sigs] Re: Snort-sigs digest, Vol 1 #977 - 7 msgs

GMUarmyRES at ...20... GMUarmyRES at ...20...
Fri Jun 25 02:57:00 EDT 2004


Try these signatures:

alert tcp any 80 -> any any (msg:"IE ADODB Exploit Javascript Detected"; content:"var qxco7=document.cookie"; ) 
alert tcp any 80 -> any any (msg:"IE msits.exe Download Detected"; content:"|BA AC C7 AD C7 48 83 D1 CA 68 81 26 8B 6C F3 29 00 28 A3 2E 00 38 A3 36 02 6E 3F 25 8B 6C 87 E5 D8 3A D0 AD CF 48 97 76 E1 92 EF 26 9B 2C 87 42|"; )

Looks like almost all of these infections were from servers running IIS 5.0. 

Take a look:
http://www.pete.quallife.com/ Server: Microsoft-IIS/5.0
http://www.ci.citrus-heights.ca.us/ Server: Microsoft-IIS/5.0
MicrosoftOfficeWebServer: 5.0_Pub
http://www.baseballusa.com/ Server: Microsoft-IIS/5.0
MicrosoftOfficeWebServer: 5.0_Collab
http://www.armynavyshop.us/ Server: Microsoft-IIS/5.0
http://www.mda.org.au/ Server: Microsoft-IIS/5.0
http://www.gwinnettplacecid.com/ Server: Microsoft-IIS/5.0
http://www.armynavyshop.com/ Server: Microsoft-IIS/5.0
http://www.ntrl.com/ Server: Microsoft-IIS/5.0
http://www.co.madison.tn.us/ Server: Microsoft-IIS/5.0
http://a.as-us.falkag.net/ Server: Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a mod_fastcgi/2.2.10
http://red01.as-us.falkag.net/ Server: Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a mod_fastcgi/2.2.10 mod_ssl/2.8.16 OpenSSL/0.9.7c
http://www.starins.com/ Server: Microsoft-IIS/5.0
http://www.tourismecote-nord.com/ Server: Microsoft-IIS/5.0
http://www.commandline.co.uk/ Server: What_you_upto
http://www.portlucayaresort.com/ Server: Microsoft-IIS/5.0
http://www.virginiahomeloan.com/prequal.htm Server: Microsoft-IIS/5.0

"Challenges are what make life interesting, overcoming them is what makes life meaningful."
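
Added example, not part of the original post: a Python sketch of how the two rules above match. It decodes Snort's `content` syntax (literal text, with `|..|` spans read as hex bytes) and applies the rules to constructed payloads. The helper names and sample payloads are assumptions made for this example; content escapes and other rule options are not handled.

```python
import re

# The two rules from the post, copied verbatim.
RULES = [
    'alert tcp any 80 -> any any (msg:"IE ADODB Exploit Javascript Detected"; '
    'content:"var qxco7=document.cookie"; )',
    'alert tcp any 80 -> any any (msg:"IE msits.exe Download Detected"; '
    'content:"|BA AC C7 AD C7 48 83 D1 CA 68 81 26 8B 6C F3 29 00 28 A3 2E 00 38 A3 36 02 6E 3F 25 8B 6C 87 E5 D8 3A D0 AD CF 48 97 76 E1 92 EF 26 9B 2C 87 42|"; )',
]

RULE_RE = re.compile(r'^alert tcp \S+ (\S+) -> \S+ \S+ \((.*)\)\s*$')
OPT_RE = re.compile(r'(\w+):"([^"]*)"\s*;')


def decode_content(spec):
    """Convert a Snort content string to bytes; odd segments of a split on '|' are hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Extract the source port, msg and decoded content from one simple rule."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    opts = dict(OPT_RE.findall(m.group(2)))
    return {"src_port": m.group(1), "msg": opts["msg"],
            "content": decode_content(opts["content"])}


def match(rules, src_port, payload):
    """Return the msg of every rule whose source port and content match (case-sensitive)."""
    return [r["msg"] for r in rules
            if r["src_port"] in ("any", str(src_port)) and r["content"] in payload]


PARSED = [parse_rule(r) for r in RULES]

# Constructed sample payloads (not captured traffic).
JS_PAGE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"
           b"<script>var qxco7=document.cookie;</script>")
BINARY = b"\x00" * 16 + PARSED[1]["content"] + b"\x00" * 16
BENIGN = b"HTTP/1.1 200 OK\r\n\r\n<script>var c=document.cookie;</script>"

if __name__ == "__main__":
    for name, port, data in [("js", 80, JS_PAGE), ("bin", 80, BINARY),
                             ("benign", 80, BENIGN), ("js on 8080", 8080, JS_PAGE)]:
        print(name, match(PARSED, port, data))
```

Both rules pin the source port to 80, so the same response served from another port produces no alert.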



