[Snort-sigs] Bleedingsnort.com Daily Update

John Hally JHally at ...1106...
Fri Jan 28 09:39:34 EST 2005


Anyone else having trouble getting to bleedingsnort.com?  I get a good
resolve for it, but get timeouts both in browser and ping from multiple
locations.

???
-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
bleeding at ...2727...
Sent: Thursday, January 27, 2005 8:00 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Bleedingsnort.com Daily Update


[***] Results from Oinkmaster started Thu Jan 27 20:00:03 2005 [***]

[+++]          Added rules:          [+++]

     -> Added to bleeding-virus.rules (4):
        alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE MySQL bot DNS lookup"; content:"|06|zmoker|06|dns2go|03|com"; nocase; classtype:trojan-activity; reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001688; rev:3;)
        alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"BLEEDING-EDGE Potential MySQL bot scanning for SQL server"; flags:S,12; classtype:trojan-activity; reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001689; rev:2;)
        alert tcp $HOME_NET any -> $EXTERNAL_NET 5002:5003 (msg:"BLEEDING-EDGE Potential MySQL bot connecting to IRC server"; flags:S,12; classtype:trojan-activity; reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001690; rev:2;)
        alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE MySQL bot DNS lookup"; content:"landingzone"; nocase; classtype:trojan-activity; reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001687; rev:3;)

[///]     Modified active rules:     [///]

     -> Modified active in bleeding-exploit.rules (1):
        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt"; flow:established,from_client; uricontent:"/awstats.pl?configdir="; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; classtype:web-application-attack;sid:2001686; rev:5;)
        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt"; flow:established,from_client; uricontent:"/awstats.pl?configdir="; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; classtype:web-application-attack;sid:2001686; rev:6;)

[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (4):
        2001687 || BLEEDING-EDGE MySQL bot DNS lookup || url,isc.sans.org/diary.php?date=2005-01-27
        2001688 || BLEEDING-EDGE MySQL bot DNS lookup || url,isc.sans.org/diary.php?date=2005-01-27
        2001689 || BLEEDING-EDGE Potential MySQL bot scanning for SQL server || url,isc.sans.org/diary.php?date=2005-01-27
        2001690 || BLEEDING-EDGE Potential MySQL bot connecting to IRC server || url,isc.sans.org/diary.php?date=2005-01-27

     -> Added to bleeding-virus.rules (1):
        # Very crude first draft of rule to detect MySQL worm

[*] Added files: [*]
    None.



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
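The two DNS rules (sid 2001688 and 2001687) and the AWStats rule (sid 2001686) in the quoted update are plain content matches, so the following added example re-implements just enough of that matching to show what each one actually fires on. It is illustrative code written for this page, not Snort's detection engine and not part of the Bleeding Snort rule set or the ISC diary; the DNS query packets, hostnames, HTTP request lines and the `HTTP_PORTS` value are constructed assumptions for the example.

```python
"""
Added example (not Snort, not the Bleeding Snort rules): emulate the
content-based rules from the 2005-01-27 update against constructed packets.
"""
import struct


# --- Snort content syntax ------------------------------------------------------

def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort 'content' string: text outside |..| is literal,
    text inside |..| is space-separated hex bytes (e.g. |06| -> 0x06)."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in part.split())
    return bytes(out)


def content_matches(payload: bytes, content: str, nocase: bool = False) -> bool:
    """Emulate a Snort 'content' match (optionally 'nocase') on a raw payload."""
    pattern = snort_content_to_bytes(content)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# --- DNS wire format -----------------------------------------------------------

def dns_wire_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels ending in the root label,
    e.g. zmoker.dns2go.com -> \\x06zmoker\\x06dns2go\\x03com\\x00."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dns_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Constructed UDP/53 query payload: 12-byte header + one A/IN question."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = dns_wire_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


# The two DNS rules from the update, as (content, nocase) pairs keyed by SID.
DNS_RULES = {
    2001688: ("|06|zmoker|06|dns2go|03|com", True),
    2001687: ("landingzone", True),
}


def dns_rule_hits(name: str) -> list:
    """Return the sorted SIDs whose content would fire on a query for `name`."""
    payload = dns_query(name)
    return sorted(sid for sid, (content, nocase) in DNS_RULES.items()
                  if content_matches(payload, content, nocase))


# --- AWStats rule ----------------------------------------------------------------

# Assumption for the example: a typical $HTTP_PORTS setting (not from the page).
HTTP_PORTS = {80, 8080}


def awstats_rule_hits(request_line: str, dst_port: int, ports=HTTP_PORTS) -> bool:
    """Emulate sid:2001686 (uricontent '/awstats.pl?configdir=', case-sensitive).
    rev:5 is the same check with ports={80}; rev:6 uses $HTTP_PORTS."""
    try:
        _method, uri, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    return dst_port in ports and "/awstats.pl?configdir=" in uri


if __name__ == "__main__":
    for host in ("zmoker.dns2go.com", "landingzone.example.com",
                 "mylandingzone.net", "www.example.com"):
        print(f"{host:28s} -> {dns_rule_hits(host)}")
    req = "GET /cgi-bin/awstats.pl?configdir=x HTTP/1.0"
    print("rev:5 on 8080:", awstats_rule_hits(req, 8080, ports={80}))
    print("rev:6 on 8080:", awstats_rule_hits(req, 8080))
```

Running it shows the difference between the two DNS rules: sid 2001688 matches the wire-encoded labels `\x06zmoker\x06dns2go\x03com`, so only a lookup of that hostname (or a subdomain of it) fires, while sid 2001687 is a bare `landingzone` substring and fires on any queried name containing it, which is the "very crude first draft" the update comments on. The AWStats change from port `80` to `$HTTP_PORTS` is likewise visible: the same request to 8080 is missed by the rev:5 port list and caught by rev:6 whenever 8080 is in the variable.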