[Snort-sigs] Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde
lists at ...3397...
Fri Feb 17 11:44:25 EST 2012
Looking at the current change logs, I do not see detection for this; if there
is already detection, I apologize for the duplication and list noise. Below is
a proposed community signature to detect on the Horde FTP compromise and
resulting backdoor insertion into the code base, affecting downloads between
early/mid November 2011 and February 7, 2012.

alert tcp any any -> $HOME_NET $HTTP_PORTS ( \
    msg:"COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde"; \
    flow:established,to_server; \
    content:"href="; http_cookie; \
    content:"file=open_calendar.js"; \
    reference:cve,2012-0209; sid:x; rev:1;)
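
Added example, not part of the original post and not Snort code: a Python sketch that applies the rule's two content matches to raw HTTP requests so the logic can be checked offline. The request bytes, the `horde.example` host, the `/PLACEHOLDER.php` path and all function names are constructed for illustration; Snort's stream reassembly and HTTP normalization are not modelled.

```python
# Offline approximation of the two content matches in the proposed rule.
COOKIE_NEEDLE = b"href="                     # content:"href="; http_cookie;
PAYLOAD_NEEDLE = b"file=open_calendar.js"    # content with no buffer modifier


def cookie_buffer(raw: bytes) -> bytes:
    """Return the joined values of all Cookie headers in a raw request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    values = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            values.append(value.strip())
    return b"; ".join(values)


def matches_rule(raw: bytes) -> bool:
    """True when both contents match; like the rule, matching is case-sensitive."""
    return COOKIE_NEEDLE in cookie_buffer(raw) and PAYLOAD_NEEDLE in raw


def build(target: str, cookie: str = "") -> bytes:
    """Construct a sample GET request (test data, not captured traffic)."""
    lines = [f"GET {target} HTTP/1.1", "Host: horde.example"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed samples; the path and cookie values are placeholders.
SAMPLES = {
    "both_match": build("/PLACEHOLDER.php?file=open_calendar.js", "href=PLACEHOLDER"),
    "no_cookie": build("/PLACEHOLDER.php?file=open_calendar.js"),
    "other_cookie": build("/PLACEHOLDER.php?file=open_calendar.js", "sid=abc123"),
    "other_file": build("/PLACEHOLDER.php?file=other.js", "href=PLACEHOLDER"),
    "href_in_uri_only": build("/PLACEHOLDER.php?href=x&file=open_calendar.js"),
}


def scan(samples: dict) -> list:
    """Return the names of samples the rule logic would alert on."""
    return [name for name, raw in samples.items() if matches_rule(raw)]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:18} alert={matches_rule(SAMPLES[name])}")
```

Only the sample with `href=` inside the Cookie header and the file name in the request alerts; `href=` appearing only in the URI does not, because the first content is scoped to the cookie buffer.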