[Snort-sigs] Emerging Threats Daily Signature Changes

emerging at ...3335...
Wed Jan 23 17:00:08 EST 2008


[***] Results from Oinkmaster started Wed Jan 23 17:00:08 2008 [***]

[+++]          Added rules:          [+++]

 2007775 - BLEEDING-EDGE TROJAN Krunchy/BZub HTTP Checkin/Update (bleeding-virus.rules)
 2007776 - BLEEDING-EDGE TROJAN Krunchy/BZub HTTP POST Update (bleeding-virus.rules)
 2007777 - ET TROJAN Browser HiJacker/Infostealer Stat file (bleeding-virus.rules)
 2007778 - ET TROJAN User-agent DownloadNetFile Win32.small.hsh downloader (bleeding-virus.rules)


[///]     Modified active rules:     [///]

 2000345 - ET ATTACK RESPONSE IRC - Nick change on non-std port (bleeding-attack_response.rules)
 2000346 - ET ATTACK RESPONSE IRC - Name response on non-std port (bleeding-attack_response.rules)
 2000347 - ET ATTACK RESPONSE IRC - Private message on non-std port (bleeding-attack_response.rules)
 2000348 - ET ATTACK RESPONSE IRC - Channel JOIN on non-std port (bleeding-attack_response.rules)
 2000349 - ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port (bleeding-attack_response.rules)
 2000350 - ET ATTACK RESPONSE IRC - DCC chat request on non-std port (bleeding-attack_response.rules)
 2000351 - ET ATTACK RESPONSE IRC - channel join on non-std port (bleeding-attack_response.rules)
 2000352 - ET ATTACK RESPONSE IRC - dns request on non-std port (bleeding-attack_response.rules)
 2000499 - ET ATTACK RESPONSE FTP inaccessible directory access COM1 (bleeding-attack_response.rules)
 2000500 - ET ATTACK RESPONSE FTP inaccessible directory access COM2 (bleeding-attack_response.rules)
 2000501 - ET ATTACK RESPONSE FTP inaccessible directory access COM3 (bleeding-attack_response.rules)
 2000502 - ET ATTACK RESPONSE FTP inaccessible directory access COM4 (bleeding-attack_response.rules)
 2000503 - ET ATTACK RESPONSE FTP inaccessible directory access LPT1 (bleeding-attack_response.rules)
 2000504 - ET ATTACK RESPONSE FTP inaccessible directory access LPT2 (bleeding-attack_response.rules)
 2000505 - ET ATTACK RESPONSE FTP inaccessible directory access LPT3 (bleeding-attack_response.rules)
 2000506 - ET ATTACK RESPONSE FTP inaccessible directory access LPT4 (bleeding-attack_response.rules)
 2000507 - ET ATTACK RESPONSE FTP inaccessible directory access AUX (bleeding-attack_response.rules)
 2000508 - ET ATTACK RESPONSE FTP inaccessible directory access NULL (bleeding-attack_response.rules)
 2001616 - ET ATTACK RESPONSE Zone-H.org defacement notification (bleeding-attack_response.rules)
 2001620 - ET ATTACK RESPONSE Likely Botnet Activity (bleeding-attack_response.rules)
 2001628 - ET ATTACK RESPONSE Outbound PHP Connection (bleeding-attack_response.rules)
 2002034 - ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style) (bleeding-attack_response.rules)
 2002809 - ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd) (bleeding-attack_response.rules)
 2002810 - ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile) (bleeding-attack_response.rules)
 2002811 - ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server) (bleeding-attack_response.rules)
 2003071 - ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style) (bleeding-attack_response.rules)
 2003149 - ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style) (bleeding-attack_response.rules)
 2003150 - ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style) (bleeding-attack_response.rules)
 2003464 - ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) (bleeding-attack_response.rules)
 2003465 - ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) (bleeding-attack_response.rules)
 2003535 - ET ATTACK RESPONSE r57 phpshell footer detected (bleeding-attack_response.rules)
 2003536 - ET ATTACK RESPONSE r57 phpshell source being uploaded (bleeding-attack_response.rules)
 2006417 - ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected (bleeding-attack_response.rules)
 2007651 - ET ATTACK RESPONSE x2300 phpshell detected (bleeding-attack_response.rules)
 2007652 - ET ATTACK RESPONSE c99shell phpshell detected (bleeding-attack_response.rules)
 2007653 - ET ATTACK RESPONSE RFI Scanner detected (bleeding-attack_response.rules)
 2007654 - ET ATTACK RESPONSE C99 Modified phpshell detected (bleeding-attack_response.rules)
 2007656 - ET ATTACK RESPONSE ALBANIA id.php detected (bleeding-attack_response.rules)
 2007715 - ET ATTACK_RESPONSE Off-Port FTP Without Banners - user (bleeding-attack_response.rules)
 2007717 - ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass (bleeding-attack_response.rules)
 2007723 - ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr (bleeding-attack_response.rules)
 2007725 - ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) (bleeding-attack_response.rules)
 2007726 - ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) (bleeding-attack_response.rules)


[///]    Modified inactive rules:    [///]

 2007655 - ET ATTACK RESPONSE lila.jpg phpshell detected (bleeding-attack_response.rules)
 2007657 - ET ATTACK RESPONSE Mic22 id.php detected (bleeding-attack_response.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to bleeding-sid-msg.map (49):
        2000345 || ET ATTACK RESPONSE IRC - Nick change on non-std port
        2000346 || ET ATTACK RESPONSE IRC - Name response on non-std port
        2000347 || ET ATTACK RESPONSE IRC - Private message on non-std port
        2000348 || ET ATTACK RESPONSE IRC - Channel JOIN on non-std port
        2000349 || ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port
        2000350 || ET ATTACK RESPONSE IRC - DCC chat request on non-std port
        2000351 || ET ATTACK RESPONSE IRC - channel join on non-std port
        2000352 || ET ATTACK RESPONSE IRC - dns request on non-std port
        2000499 || ET ATTACK RESPONSE FTP inaccessible directory access COM1
        2000500 || ET ATTACK RESPONSE FTP inaccessible directory access COM2
        2000501 || ET ATTACK RESPONSE FTP inaccessible directory access COM3
        2000502 || ET ATTACK RESPONSE FTP inaccessible directory access COM4
        2000503 || ET ATTACK RESPONSE FTP inaccessible directory access LPT1
        2000504 || ET ATTACK RESPONSE FTP inaccessible directory access LPT2
        2000505 || ET ATTACK RESPONSE FTP inaccessible directory access LPT3
        2000506 || ET ATTACK RESPONSE FTP inaccessible directory access LPT4
        2000507 || ET ATTACK RESPONSE FTP inaccessible directory access AUX
        2000508 || ET ATTACK RESPONSE FTP inaccessible directory access NULL
        2001616 || ET ATTACK RESPONSE Zone-H.org defacement notification
        2001620 || ET ATTACK RESPONSE Likely Botnet Activity
        2001628 || ET ATTACK RESPONSE Outbound PHP Connection
        2002034 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style)
        2002809 || ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd)
        2002810 || ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile)
        2002811 || ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server)
        2003071 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style)
        2003149 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style)
        2003150 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style)
        2003464 || ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org
        2003465 || ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com
        2003535 || ET ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2003536 || ET ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2006417 || ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected
        2007651 || ET ATTACK RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php
        2007652 || ET ATTACK RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php
        2007653 || ET ATTACK RESPONSE RFI Scanner detected || url,www.rfxn.com/vdb.php
        2007654 || ET ATTACK RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php
        2007655 || ET ATTACK RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php
        2007656 || ET ATTACK RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php
        2007657 || ET ATTACK RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php
        2007715 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - user
        2007717 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass
        2007723 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr
        2007725 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)
        2007726 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)
        2007775 || BLEEDING-EDGE TROJAN Krunchy/BZub HTTP Checkin/Update
        2007776 || BLEEDING-EDGE TROJAN Krunchy/BZub HTTP POST Update
        2007777 || ET TROJAN Browser HiJacker/Infostealer Stat file
        2007778 || ET TROJAN User-agent DownloadNetFile Win32.small.hsh downloader

     -> Added to bleeding-sid-msg.map.txt (49):
        2000345 || ET ATTACK RESPONSE IRC - Nick change on non-std port
        2000346 || ET ATTACK RESPONSE IRC - Name response on non-std port
        2000347 || ET ATTACK RESPONSE IRC - Private message on non-std port
        2000348 || ET ATTACK RESPONSE IRC - Channel JOIN on non-std port
        2000349 || ET ATTACK RESPONSE IRC - DCC file transfer request on non-std port
        2000350 || ET ATTACK RESPONSE IRC - DCC chat request on non-std port
        2000351 || ET ATTACK RESPONSE IRC - channel join on non-std port
        2000352 || ET ATTACK RESPONSE IRC - dns request on non-std port
        2000499 || ET ATTACK RESPONSE FTP inaccessible directory access COM1
        2000500 || ET ATTACK RESPONSE FTP inaccessible directory access COM2
        2000501 || ET ATTACK RESPONSE FTP inaccessible directory access COM3
        2000502 || ET ATTACK RESPONSE FTP inaccessible directory access COM4
        2000503 || ET ATTACK RESPONSE FTP inaccessible directory access LPT1
        2000504 || ET ATTACK RESPONSE FTP inaccessible directory access LPT2
        2000505 || ET ATTACK RESPONSE FTP inaccessible directory access LPT3
        2000506 || ET ATTACK RESPONSE FTP inaccessible directory access LPT4
        2000507 || ET ATTACK RESPONSE FTP inaccessible directory access AUX
        2000508 || ET ATTACK RESPONSE FTP inaccessible directory access NULL
        2001616 || ET ATTACK RESPONSE Zone-H.org defacement notification
        2001620 || ET ATTACK RESPONSE Likely Botnet Activity
        2001628 || ET ATTACK RESPONSE Outbound PHP Connection
        2002034 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style)
        2002809 || ET ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd)
        2002810 || ET ATTACK RESPONSE Hostile FTP Server Banner (Reptile)
        2002811 || ET ATTACK RESPONSE Hostile FTP Server Banner (Bot Server)
        2003071 || ET ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style)
        2003149 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style)
        2003150 || ET ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style)
        2003464 || ET ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org
        2003465 || ET ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com
        2003535 || ET ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2003536 || ET ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2006417 || ET ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected
        2007651 || ET ATTACK RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php
        2007652 || ET ATTACK RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php
        2007653 || ET ATTACK RESPONSE RFI Scanner detected || url,www.rfxn.com/vdb.php
        2007654 || ET ATTACK RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php
        2007655 || ET ATTACK RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php
        2007656 || ET ATTACK RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php
        2007657 || ET ATTACK RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php
        2007715 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - user
        2007717 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass
        2007723 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr
        2007725 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)
        2007726 || ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)
        2007775 || BLEEDING-EDGE TROJAN Krunchy/BZub HTTP Checkin/Update
        2007776 || BLEEDING-EDGE TROJAN Krunchy/BZub HTTP POST Update
        2007777 || ET TROJAN Browser HiJacker/Infostealer Stat file
        2007778 || ET TROJAN User-agent DownloadNetFile Win32.small.hsh downloader

     -> Added to bleeding-virus.rules (3):
        # By Jeremy Conway - Possible root kit user agent
        # By Jeremy Conway
        #by matt jonkman, from sandnet hits

[---]     Removed non-rule lines:    [---]

     -> Removed from bleeding-sid-msg.map (45):
        2000345 || BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port
        2000346 || BLEEDING-EDGE ATTACK RESPONSE IRC - Name response on non-std port
        2000347 || BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port
        2000348 || BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
        2000349 || BLEEDING-EDGE ATTACK RESPONSE IRC - DCC file transfer request on non-std port
        2000350 || BLEEDING-EDGE ATTACK RESPONSE IRC - DCC chat request on non-std port
        2000351 || BLEEDING-EDGE ATTACK RESPONSE IRC - channel join on non-std port
        2000352 || BLEEDING-EDGE ATTACK RESPONSE IRC - dns request on non-std port
        2000499 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM1
        2000500 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM2
        2000501 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM3
        2000502 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM4
        2000503 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT1
        2000504 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT2
        2000505 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT3
        2000506 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT4
        2000507 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access AUX
        2000508 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access NULL
        2001616 || BLEEDING-EDGE ATTACK RESPONSE Zone-H.org defacement notification
        2001620 || BLEEDING-EDGE ATTACK RESPONSE Likely Botnet Activity
        2001628 || BLEEDING-EDGE ATTACK RESPONSE Outbound PHP Connection
        2002034 || BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style)
        2002809 || BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd)
        2002810 || BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (Reptile)
        2002811 || BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (Bot Server)
        2003071 || BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style)
        2003149 || BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style)
        2003150 || BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style)
        2003464 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org
        2003465 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com
        2003535 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2003536 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2006417 || BLEEDING-EDGE ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected
        2007651 || BLEEDING-EDGE ATTACK RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php
        2007652 || BLEEDING-EDGE ATTACK RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php
        2007653 || BLEEDING-EDGE ATTACK RESPONSE RFI Scanner detected || url,www.rfxn.com/vdb.php
        2007654 || BLEEDING-EDGE ATTACK RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php
        2007655 || BLEEDING-EDGE ATTACK RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php
        2007656 || BLEEDING-EDGE ATTACK RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php
        2007657 || BLEEDING-EDGE ATTACK RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php
        2007715 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - user
        2007717 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - pass
        2007723 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - retr
        2007725 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)
        2007726 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)

     -> Removed from bleeding-sid-msg.map.txt (45):
        2000345 || BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port
        2000346 || BLEEDING-EDGE ATTACK RESPONSE IRC - Name response on non-std port
        2000347 || BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port
        2000348 || BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port
        2000349 || BLEEDING-EDGE ATTACK RESPONSE IRC - DCC file transfer request on non-std port
        2000350 || BLEEDING-EDGE ATTACK RESPONSE IRC - DCC chat request on non-std port
        2000351 || BLEEDING-EDGE ATTACK RESPONSE IRC - channel join on non-std port
        2000352 || BLEEDING-EDGE ATTACK RESPONSE IRC - dns request on non-std port
        2000499 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM1
        2000500 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM2
        2000501 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM3
        2000502 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM4
        2000503 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT1
        2000504 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT2
        2000505 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT3
        2000506 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT4
        2000507 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access AUX
        2000508 || BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access NULL
        2001616 || BLEEDING-EDGE ATTACK RESPONSE Zone-H.org defacement notification
        2001620 || BLEEDING-EDGE ATTACK RESPONSE Likely Botnet Activity
        2001628 || BLEEDING-EDGE ATTACK RESPONSE Outbound PHP Connection
        2002034 || BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via HTTP (linux style)
        2002809 || BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (StnyFtpd)
        2002810 || BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (Reptile)
        2002811 || BLEEDING-EDGE ATTACK RESPONSE Hostile FTP Server Banner (Bot Server)
        2003071 || BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via HTTP (BSD style)
        2003149 || BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via SMTP (linux style)
        2003150 || BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via SMTP (BSD style)
        2003464 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org
        2003465 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com
        2003535 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2003536 || BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755
        2006417 || BLEEDING-EDGE ATTACK RESPONSE Weak Netbios Lanman Auth Challenge Detected
        2007651 || BLEEDING-EDGE ATTACK RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php
        2007652 || BLEEDING-EDGE ATTACK RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php
        2007653 || BLEEDING-EDGE ATTACK RESPONSE RFI Scanner detected || url,www.rfxn.com/vdb.php
        2007654 || BLEEDING-EDGE ATTACK RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php
        2007655 || BLEEDING-EDGE ATTACK RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php
        2007656 || BLEEDING-EDGE ATTACK RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php
        2007657 || BLEEDING-EDGE ATTACK RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php
        2007715 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - user
        2007717 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - pass
        2007723 || BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - retr
        2007725 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)
        2007726 || BLEEDING-EDGE ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)




