[Snort-sigs] FPs for COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt, Sig ID, 100000446

Russell Fulton r.fulton at ...575...
Sun Jun 25 17:13:03 EDT 2006


I'm seeing over 10,000 hits a day for hundreds of different sources and
destinations.

R


META
--------
SID	CID	TimeStamp		Signature
6	10768281	2006-06-25 09:10:05	COMMUNITY WEB-PHP Particle Wiki PHP SQL Injection attempt
Sig ID
100000446

Sensor Hostname				Sensor Interface
hihi.insec.auckland.ac.nz	new dmz sensor

IP
--------
Source Address	Dest Address	Ver	Hdr Len
130.216.168.25	66.102.7.104	4	5
TOS	length	ID	flags	offset	TTL	chksum
0	725	40086	2	0	125	59852

Resolved Source
a.vesey.psoft.auckland.ac.nz

Resolved Dest
Could Not Resolve


TCP
--------
Source Port	Dest Port	Seq		Ack		
4137		80		4274711154	579578467
Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
5	0		24	65535	483		0

Options
--------
None


Flags
--------
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X	X				

DATA
--------
474554202F746F6F6C73	GET /tools
2F66697265666F782F75	/firefox/u
70646174653F67756964	pdate?guid
3D7B3331313263613963	={3112ca9c
2D646536642D34383834	-de6d-4884
2D613836392D39383535	-a869-9855
64653638303536637D26	de68056c}&
76657273696F6E3D322E	version=2.
302E3230303630353135	0.20060515
57266170706C69636174	W&applicat
696F6E3D7B6563383033	ion={ec803
3066372D633230612D34	0f7-c20a-4
3634662D396230652D31	64f-9b0e-1
33613361396539373338	3a3a9e9738
347D2661707076657273	4}&appvers
696F6E3D312E352E302E	ion=1.5.0.
3426646973743D676F6F	4&dist=goo
676C6520485454502F31	gle HTTP/1
2E310D0A486F73743A20	.1..Host:
7777772E676F6F676C65	www.google
2E636F6D0D0A55736572	.com..User
2D4167656E743A204D6F	-Agent: Mo
7A696C6C612F352E3020	zilla/5.0
2857696E646F77733B20	(Windows;
553B2057696E646F7773	U; Windows
204E5420352E313B2065	 NT 5.1; e
6E2D55533B2072763A31	n-US; rv:1
2E382E302E3429204765	.8.0.4) Ge
636B6F2F323030363035	cko/200605
30382046697265666F78	08 Firefox
2F312E352E302E340D0A	/1.5.0.4..
4163636570743A207465	Accept: te
78742F786D6C2C617070	xt/xml,app
6C69636174696F6E2F78	lication/x
6D6C2C6170706C696361	ml,applica
74696F6E2F7868746D6C	tion/xhtml
2B786D6C2C746578742F	+xml,text/
68746D6C3B713D302E39	html;q=0.9
2C746578742F706C6169	,text/plai
6E3B713D302E382C696D	n;q=0.8,im
6167652F706E672C2A2F	age/png,*/
2A3B713D302E350D0A41	*;q=0.5..A
63636570742D4C616E67	ccept-Lang
756167653A20656E2D75	uage: en-u
732C656E3B713D302E35	s,en;q=0.5
0D0A4163636570742D45	..Accept-E
6E636F64696E673A2067	ncoding: g
7A69702C6465666C6174	zip,deflat
650D0A4163636570742D	e..Accept-
436861727365743A2049	Charset: I
534F2D383835392D312C	SO-8859-1,
7574662D383B713D302E	utf-8;q=0.
372C2A3B713D302E370D	7,*;q=0.7.
0A4B6565702D416C6976	.Keep-Aliv
653A203330300D0A436F	e: 300..Co
6E6E656374696F6E3A20	nnection:
6B6565702D616C697665	keep-alive
0D0A43616368652D436F	..Cache-Co
6E74726F6C3A206E6F2D	ntrol: no-
63616368650D0A436F6F	cache..Coo
6B69653A20505245463D	kie: PREF=
49443D30333030663363	ID=0300f3c
3939363961656237363A	9969aeb76:
54423D323A544D3D3131	TB=2:TM=11
34373833303136303A4C	47830160:L
4D3D3131343738333031	M=11478301
36303A533D6873654E77	60:S=hseNw
616432593674594A7231	ad2Y6tYJr1
640D0A0D0A	d....

DATA
--------
GET /tools/firefox/update?guid={3112ca9c-de6d-4884-a869-9855
de68056c}&version=2.0.20060515W&application={ec8030f7-c20a-4
64f-9b0e-13a3a9e97384}&appversion=1.5.0.4&dist=google HTTP/1
.1..Host: www.google.com..User-Agent: Mozilla/5.0 (Windows;
U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox
/1.5.0.4..Accept: text/xml,application/xml,application/xhtml
+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5..A
ccept-Language: en-us,en;q=0.5..Accept-Encoding: gzip,deflat
e..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7..Keep-Aliv
e: 300..Connection: keep-alive..Cache-Control: no-cache..Coo
kie: PREF=ID=0300f3c9969aeb76:TB=2:TM=1147830160:LM=11478301
60:S=hseNwad2Y6tYJr1d....
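One way to triage an alert like this, as an added example that is not part of the original post or of the Snort rule set: decode the BASE-style hex dump back into the raw request, parse the request line and headers, and check the URL-decoded path and query values for the SQL keywords a broad content match would hit. The rule text for SID 100000446 is not quoted in the thread, so the keyword list is an assumption, not the rule's actual content; the dump lines embedded below are the first 21 from the DATA section above (the parser tolerates the truncation).

```python
"""Reconstruct the HTTP request from a BASE/ACID-style payload dump and triage
it for the tokens a loose SQL-injection content match would hit.

Added example for this thread, not code from the original post or from the
Snort project. The rule text for SID 100000446 is not quoted in the post, so
SQL_TOKENS below is an assumption, not the rule's actual content match.
"""
import binascii
from urllib.parse import parse_qsl, unquote, urlsplit

# Dump lines copied from the alert's DATA section (hex column, tab, ASCII
# column). Truncated after the Host header to keep the example short; the
# parser tolerates a dump that ends in the middle of a header line.
DUMP = """\
474554202F746F6F6C73\tGET /tools
2F66697265666F782F75\t/firefox/u
70646174653F67756964\tpdate?guid
3D7B3331313263613963\t={3112ca9c
2D646536642D34383834\t-de6d-4884
2D613836392D39383535\t-a869-9855
64653638303536637D26\tde68056c}&
76657273696F6E3D322E\tversion=2.
302E3230303630353135\t0.20060515
57266170706C69636174\tW&applicat
696F6E3D7B6563383033\tion={ec803
3066372D633230612D34\t0f7-c20a-4
3634662D396230652D31\t64f-9b0e-1
33613361396539373338\t3a3a9e9738
347D2661707076657273\t4}&appvers
696F6E3D312E352E302E\tion=1.5.0.
3426646973743D676F6F\t4&dist=goo
676C6520485454502F31\tgle HTTP/1
2E310D0A486F73743A20\t.1..Host:
7777772E676F6F676C65\twww.google
2E636F6D0D0A55736572\t.com..User
"""

# Assumed keyword list: the kind of tokens a broad SQL-injection signature
# matches on. 'update' is here because the Firefox update URI path contains
# it, which is exactly how a benign request can look like an attack.
SQL_TOKENS = ("select", "union", "insert", "update", "delete", "drop")


def decode_dump(dump: str) -> bytes:
    """Rebuild the raw payload from the hex column. The ASCII column is lossy
    ('.' stands in for CR, LF and other non-printables), so it is ignored."""
    hexdata = "".join(line.split("\t", 1)[0]
                      for line in dump.splitlines() if line.strip())
    return binascii.unhexlify(hexdata)


def parse_request(payload: bytes) -> dict:
    """Split an HTTP request into method, URI, version and the complete header
    lines present. The piece after the last CRLF is an unterminated fragment
    (or empty) and is dropped, since the dump may be truncated."""
    lines = payload.split(b"\r\n")[:-1]
    if not lines:
        raise ValueError("no complete request line in payload")
    method, uri, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for raw in lines[1:]:
        if not raw:
            break  # blank line ends the header block
        name, _, value = raw.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def sql_token_hits(uri: str, tokens=SQL_TOKENS) -> dict:
    """Report which tokens appear in the URL-decoded path ('path' key) and in
    each query parameter value (keyed by parameter name). Empty dict: no hit."""
    parts = urlsplit(uri)
    hits = {}
    path_hits = [t for t in tokens if t in unquote(parts.path).lower()]
    if path_hits:
        hits["path"] = path_hits
    # parse_qsl already URL-decodes the values
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        found = [t for t in tokens if t in value.lower()]
        if found:
            hits[name] = found
    return hits


def triage(dump: str = DUMP) -> dict:
    """Decode, parse and annotate one dumped request with its token hits."""
    req = parse_request(decode_dump(dump))
    req["hits"] = sql_token_hits(req["uri"])
    return req


if __name__ == "__main__":
    r = triage()
    print(r["method"], r["uri"], r["version"])
    print("Host:", r["headers"].get("host"))
    print("token hits:", r["hits"] or "none")
```

Run stand-alone, it prints the reconstructed request line, the Host header (www.google.com) and the token hits; the only hit is "update" in the path of a Firefox update check, with nothing in any query value. That split between path and parameter hits is the distinction a tighter rule needs to draw: anchoring on the vulnerable script's path and the injected parameter rather than on a bare keyword anywhere in the URI is what stops volume like 10,000 alerts a day.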