[Snort-sigs] Bleedingsnort.com Daily Update

bleeding at ...2727...
Thu Feb 2 17:01:06 EST 2006


[***] Results from Oinkmaster started Thu Feb  2 20:00:13 2006 [***]

[+++]          Added rules:          [+++]

 2002795 - BLEEDING-EDGE VIRUS Nyxem attempting to copy WINZIP_TMP.exe to shares (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2000559 - BLEEDING-EDGE THCIISLame IIS SSL Exploit Attempt (bleeding-web.rules)
 2000917 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (offersdata) (bleeding-malware.rules)
 2000919 - BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (Searchdb) (bleeding-malware.rules)
 2001021 - BLEEDING-EDGE Suspicious Encrypted Webpage Content (bleeding-web.rules)
 2001079 - BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1 (bleeding-web.rules)
 2001080 - BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2 (bleeding-web.rules)
 2001082 - BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1 (bleeding-web.rules)
 2001083 - BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2 (bleeding-web.rules)
 2001085 - BLEEDING-EDGE WEB-MISC cross site scripting attempt executing hidden Javascript 1 (bleeding-web.rules)
 2001086 - BLEEDING-EDGE WEB-MISC cross site scripting attempt executing hidden Javascript 2 (bleeding-web.rules)
 2001488 - BLEEDING-EDGE Malware Tibsystems Spyware Download (bleeding-malware.rules)
 2001537 - BLEEDING-EDGE Malware Spyspotter.com Access (bleeding-malware.rules)
 2001621 - BLEEDING-EDGE Exploit Suspected PHP Injection Attack (bleeding-web.rules)
 2001738 - BLEEDING-EDGE WEB PHP vBulletin Remote Command Execution Attempt (bleeding-web.rules)
 2001762 - BLEEDING-EDGE WEB phpbb Session Cookie (bleeding-web.rules)
 2001810 - BLEEDING-EDGE EXPLOIT WEB PHP remote file include exploit attempt (bleeding-web.rules)
 2001928 - BLEEDING-EDGE WEB XSS Possible Arbitrary Scripting Code Attack in phpBB (private message) (bleeding-web.rules)
 2001929 - BLEEDING-EDGE WEB XSS Possible Arbitrary Scripting Code Attack in phpBB (signature) (bleeding-web.rules)
 2001945 - BLEEDING-EDGE WEB WebAPP Apage.CGI Remote Command Execution Attempt (bleeding-web.rules)
 2001949 - BLEEDING-EDGE WEB Athena Web Registration Remote Command Execution Attempt (bleeding-web.rules)
 2002066 - BLEEDING-EDGE WEB CSV-DB CSV_DB.CGI Remote Command Execution Attempt (bleeding-web.rules)
 2002067 - BLEEDING-EDGE WEB Community Link Pro Login.CGI Remote Command Execution Attempt (bleeding-web.rules)
 2002069 - BLEEDING-EDGE WEB Blog Spam Insert Attempt (bleeding-web.rules)
 2002070 - BLEEDING-EDGE WEB phpBB Remote Code Execution Attempt (bleeding-web.rules)
 2002100 - BLEEDING-EDGE WEB WPS wps_shop.cgi Remote Command Execution Attempt (bleeding-web.rules)
 2002129 - BLEEDING-EDGE Cacti Input Validation Attack (bleeding-web.rules)
 2002313 - BLEEDING-EDGE WEB Cacti graph_image.php Remote Command Execution Attempt (bleeding-web.rules)
 2002314 - BLEEDING-EDGE WEB PHPOutsourcing Zorum prod.php Remote Command Execution Attempt (bleeding-web.rules)
 2002355 - BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 198.173.4.9 (bleeding-virus.rules)
 2002356 - BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 66.160.138.149 (bleeding-virus.rules)
 2002357 - BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 66.225.221.197 (bleeding-virus.rules)
 2002358 - BLEEDING-EDGE TROJAN Backdoor.Graybird.O Calling Home 202.101.43.83 (bleeding-virus.rules)
 2002359 - BLEEDING-EDGE TROJAN Backdoor.Graybird.O Calling Home 61.152.93.13 (bleeding-virus.rules)
 2002361 - BLEEDING-EDGE WEB Netquery Remote Command Execution Attempt (bleeding-web.rules)
 2002371 - BLEEDING-EDGE WEB Miva Merchant Cross Site Scripting Attack (bleeding-web.rules)
 2002388 - BLEEDING-EDGE WEB vBulletin misc.php Template Name Arbitrary Code Execution (bleeding-web.rules)
 2002408 - BLEEDING-EDGE WEB phpMyAdmin Suspicious Activity (bleeding-web.rules)
 2002409 - BLEEDING-EDGE WEB phpMyAdmin Local File Inclusion (2.6.4-pl1) (bleeding-web.rules)
 2002660 - BLEEDING-EDGE WEB RSA Web Auth Exploit Attempt - Long URL (bleeding-web.rules)
 2002668 - BLEEDING-EDGE WEB CutePHP CuteNews directory traversal vulnerability (bleeding-web.rules)
 2002681 - BLEEDING-EDGE WEB Mambo Exploit (bleeding-web.rules)
 2002705 - BLEEDING-EDGE WORM W32.Magflag.A at ...110... 1 (bleeding-virus.rules)
 2002706 - BLEEDING-EDGE WORM W32.Magflag.A at ...110... 2 (bleeding-virus.rules)
 2002711 - BLEEDING-EDGE WEB includer.cgi Remote Command Execution Attempt (bleeding-web.rules)
 2002721 - BLEEDING-EDGE WEB Cisco IOS HTTP set enable password attack (bleeding-web.rules)
 2002727 - BLEEDING-EDGE VIRUS Bagle.gen SMTP Outbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) (bleeding-virus.rules)
 2002790 - BLEEDING-EDGE TROJAN Haxdoor Reporting User Activity (bleeding-virus.rules)
 2402000 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 222.149.192.0/24 (bleeding-dshield.rules)
 2402001 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.128.162.0/24 (bleeding-dshield.rules)
 2402002 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 221.202.78.0/24 (bleeding-dshield.rules)
 2402003 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 219.146.96.0/24 (bleeding-dshield.rules)
 2402004 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 219.146.78.0/24 (bleeding-dshield.rules)
 2402005 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 59.8.216.0/24 (bleeding-dshield.rules)
 2402006 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.128.161.0/24 (bleeding-dshield.rules)
 2402007 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 218.12.197.0/24 (bleeding-dshield.rules)
 2402008 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 218.25.253.0/24 (bleeding-dshield.rules)
 2402009 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.185.36.0/24 (bleeding-dshield.rules)
 2402010 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 218.31.79.0/24 (bleeding-dshield.rules)
 2402011 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 202.97.181.0/24 (bleeding-dshield.rules)
 2402012 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 220.163.113.0/24 (bleeding-dshield.rules)
 2402013 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 219.148.70.0/24 (bleeding-dshield.rules)
 2402014 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.139.44.0/24 (bleeding-dshield.rules)
 2402015 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 140.113.31.0/24 (bleeding-dshield.rules)
 2402016 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.136.152.0/24 (bleeding-dshield.rules)
 2402017 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 213.47.131.0/24 (bleeding-dshield.rules)
 2402018 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.175.218.0/24 (bleeding-dshield.rules)
 2402019 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 210.205.147.0/24 (bleeding-dshield.rules)
 2403000 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 222.149.192.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403001 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.128.162.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403002 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 221.202.78.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403003 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 219.146.96.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403004 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 219.146.78.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403005 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 59.8.216.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403006 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.128.161.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403007 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 218.12.197.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403008 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 218.25.253.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403009 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.185.36.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403010 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 218.31.79.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403011 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 202.97.181.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403012 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 220.163.113.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403013 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 219.148.70.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403014 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.139.44.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403015 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 140.113.31.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403016 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.136.152.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403017 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 213.47.131.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403018 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 61.175.218.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)
 2403019 - BLEEDING-EDGE DROP Dshield Block Listed Source IP - 210.205.147.0/24 BLOCKING (bleeding-dshield-BLOCK.rules)


[///]    Modified inactive rules:    [///]

 2002726 - BLEEDING-EDGE VIRUS Bagle.gen SMTP Inbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) (bleeding-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (20):
        2000917 || BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (offersdata) || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,www.whenusearch.com
        2000919 || BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval (Searchdb) || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,www.whenusearch.com
        2001079 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1
        2001080 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2
        2001082 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + EXPRESSION 1
        2001083 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + EXPRESSION 2
        2001085 || BLEEDING-EDGE WEB-MISC cross site scripting attempt executing hidden Javascript 1
        2001086 || BLEEDING-EDGE WEB-MISC cross site scripting attempt executing hidden Javascript 2
        2001488 || BLEEDING-EDGE Malware Tibsystems Spyware Download
        2001537 || BLEEDING-EDGE Malware Spyspotter.com Access
        2002355 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 198.173.4.9 || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
        2002356 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 66.160.138.149 || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
        2002357 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 66.225.221.197 || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
        2002358 || BLEEDING-EDGE TROJAN Backdoor.Graybird.O Calling Home 202.101.43.83 || url,securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.o.html
        2002359 || BLEEDING-EDGE TROJAN Backdoor.Graybird.O Calling Home 61.152.93.13 || url,securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.o.html
        2002705 || BLEEDING-EDGE WORM W32.Magflag.A at ...110... 1 || url,securityresponse.symantec.com/avcenter/venc/data/w32.magflag.a at ...1512...
        2002706 || BLEEDING-EDGE WORM W32.Magflag.A at ...110... 2 || url,securityresponse.symantec.com/avcenter/venc/data/w32.magflag.a at ...1512...
        2002726 || BLEEDING-EDGE VIRUS Bagle.gen SMTP Inbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) || url,isc.sans.org/diary.php?storyid=937
        2002727 || BLEEDING-EDGE VIRUS Bagle.gen SMTP Outbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) || url,isc.sans.org/diary.php?storyid=937
        2002795 || BLEEDING-EDGE VIRUS Nyxem attempting to copy WINZIP_TMP.exe to shares || url,www.incidents.org/diary.php?date=2006-02-02 || url,www.lurhq.com/blackworm.html

     -> Added to bleeding-virus.rules (3):
        #    Trojan HaxDoor
        #Submitted by Tom Fischer, 2006-01-24, modified 2/2/06 on info from chriss
        #from isc, by Per Kristian Johnsen of Telenor Security Center

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (19):
        2000917 || BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,www.whenusearch.com
        2000919 || BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,www.whenusearch.com
        2001079 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT
        2001080 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT
        2001082 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + EXPRESSION
        2001083 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + EXPRESSION
        2001085 || BLEEDING-EDGE WEB-MISC cross site scripting attempt executing hidden Javascript
        2001086 || BLEEDING-EDGE WEB-MISC cross site scripting attempt executing hidden Javascript
        2001488 || BLEEDING-EDGE Malware Tibsystems Spyware Activity
        2001537 || BLEEDING-EDGE Malware Spyspotter.com Access, Likely Spyware
        2002355 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
        2002356 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
        2002357 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
        2002358 || BLEEDING-EDGE TROJAN Backdoor.Graybird.O Calling Home || url,securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.o.html
        2002359 || BLEEDING-EDGE TROJAN Backdoor.Graybird.O Calling Home || url,securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.o.html
        2002705 || BLEEDING-EDGE WORM W32.Magflag.A at ...110... || url,securityresponse.symantec.com/avcenter/venc/data/w32.magflag.a at ...1512...
        2002706 || BLEEDING-EDGE WORM W32.Magflag.A at ...110... || url,securityresponse.symantec.com/avcenter/venc/data/w32.magflag.a at ...1512...
        2002726 || BLEEDING_EDGE VIRUS Bagle.gen SMTP Inbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) || url,isc.sans.org/diary.php?storyid=937
        2002727 || BLEEDING_EDGE VIRUS Bagle.gen SMTP Outbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) || url,isc.sans.org/diary.php?storyid=937

     -> Removed from bleeding-virus.rules (2):
        #     Trojan HaxDoor
        #Submitted by Tom Fischer, 2006-01-24
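The bleeding-sid-msg.map churn in this update is worth reading closely: the removed entries gave SIDs 2001079/2001080 and 2002355 through 2002357 word-for-word identical messages, and 2002726/2002727 carried the misspelled prefix BLEEDING_EDGE; the added entries make each message unique (a trailing 1/2 or the callback IP) and restore BLEEDING-EDGE. Tools such as barnyard and alert consoles key on the msg text from this map, so identical messages for different SIDs are indistinguishable to the analyst reading the alert. The Python below is an added example written for this page, not Bleeding Snort or Oinkmaster code; the two map fragments are constructed from the Removed and Added lines above, while the check logic, the function names and the assumption that every message starts with BLEEDING-EDGE are this example's own.

```python
"""Sanity-check a Snort sid-msg.map fragment before deploying it.

Added example for this update log, not Bleeding Snort or Oinkmaster code.
Checks: every line parses, no SID is listed twice, no two SIDs share the
same message text, and every message carries the rule set's prefix.
"""
from collections import defaultdict

# Constructed sample: entries this update removed from bleeding-sid-msg.map.
OLD_SID_MSG_MAP = """\
2001079 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT
2001080 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT
2002355 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
2002356 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
2002357 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
2002726 || BLEEDING_EDGE VIRUS Bagle.gen SMTP Inbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) || url,isc.sans.org/diary.php?storyid=937
2002727 || BLEEDING_EDGE VIRUS Bagle.gen SMTP Outbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) || url,isc.sans.org/diary.php?storyid=937
"""

# Constructed sample: the same SIDs as added back by this update.
NEW_SID_MSG_MAP = """\
2001079 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 1
2001080 || BLEEDING-EDGE WEB-MISC cross site scripting attempt STYLE + VBSCRIPT 2
2002355 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 198.173.4.9 || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
2002356 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 66.160.138.149 || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
2002357 || BLEEDING-EDGE TROJAN Trojan.Exphook Sending Info Home 66.225.221.197 || url,securityresponse.symantec.com/avcenter/venc/data/trojan.exphook.html
2002726 || BLEEDING-EDGE VIRUS Bagle.gen SMTP Inbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) || url,isc.sans.org/diary.php?storyid=937
2002727 || BLEEDING-EDGE VIRUS Bagle.gen SMTP Outbound (aka - .BK,.ET,.FT,.JH,Lodear.E,.gen,Mitglieder.GU) || url,isc.sans.org/diary.php?storyid=937
"""

RULESET_PREFIX = "BLEEDING-EDGE"  # assumption: every msg in this map starts with it


def parse_sid_msg_map(text):
    """Parse 'sid || msg [|| reftype,refvalue ...]' lines into {sid: (msg, refs)}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        sid = int(fields[0])
        if sid in entries:
            raise ValueError(f"line {lineno}: SID {sid} listed twice")
        refs = []
        for ref in fields[2:]:
            # References are 'type,value' (url, cve, bugtraq, ...); reject anything else.
            rtype, sep, value = ref.partition(",")
            if not sep or not rtype or not value:
                raise ValueError(f"line {lineno}: malformed reference {ref!r}")
            refs.append((rtype, value))
        entries[sid] = (fields[1], refs)
    return entries


def duplicate_messages(entries):
    """Messages used by more than one SID -> sorted list of those SIDs."""
    by_msg = defaultdict(list)
    for sid, (msg, _refs) in entries.items():
        by_msg[msg].append(sid)
    return {msg: sorted(sids) for msg, sids in by_msg.items() if len(sids) > 1}


def bad_prefix(entries, prefix=RULESET_PREFIX):
    """SIDs whose message does not start with the expected prefix and a space."""
    return sorted(sid for sid, (msg, _refs) in entries.items()
                  if not msg.startswith(prefix + " "))


def changed_messages(old, new):
    """SIDs in both maps whose msg differs: one Removed plus one Added line in Oinkmaster."""
    return sorted(sid for sid in old.keys() & new.keys() if old[sid][0] != new[sid][0])


def check(text):
    """Return human-readable problems for a map fragment; empty list means clean."""
    entries = parse_sid_msg_map(text)
    problems = [f"SIDs {sids} share the message {msg!r}"
                for msg, sids in duplicate_messages(entries).items()]
    problems += [f"SID {sid} message does not start with {RULESET_PREFIX!r}"
                 for sid in bad_prefix(entries)]
    return problems


if __name__ == "__main__":
    for name, text in (("old", OLD_SID_MSG_MAP), ("new", NEW_SID_MSG_MAP)):
        print(f"{name}: {check(text) or 'clean'}")
    print("changed:", changed_messages(parse_sid_msg_map(OLD_SID_MSG_MAP),
                                       parse_sid_msg_map(NEW_SID_MSG_MAP)))
```

Run against the old fragment it reports the two shared-message groups and the two BLEEDING_EDGE entries; the new fragment comes back clean, and changed_messages() lists exactly the seven SIDs that appear in both the Removed and Added blocks above. The same parse step is the place to catch a missing "||" or a reference without its type before the map reaches a sensor, where a bad line is silently ignored or breaks the whole file depending on the consumer.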
