[Snort-sigs] Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde

Community Proposed lists at ...3397...
Fri Feb 17 11:44:25 EST 2012

Looking at the current change logs I do not see detection for this; if there
is already detection, I apologize for the duplication and list noise. Below is
a proposed community signature to detect on the Horde FTP compromise and
resulting backdoor insertion into the code base affecting downloads between
early/mid November 2011 and February 7, 2012.

alert tcp any any -> $HOME_NET $HTTP_PORTS ( \
    msg:"COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde"; \
    flow:established,to_server; \
    content:"/services/javascript.php"; http_uri; fast_pattern:only; \
    content:"href="; http_cookie; \
    content:"file=open_calendar.js"; http_client_body; \
    classtype:web-application-attack; \
    reference:cve,2012-0209; sid:x; rev:1;)
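
The following is an added example, not part of the original post and not Snort code: a Python approximation of the rule's three content matches, run over constructed requests to show which combinations alert. The host name, cookie values and the simplified http_uri normalization are assumptions.

```python
# Added example: approximates the proposed rule's matches; all requests are constructed.
import posixpath
from urllib.parse import unquote, urlsplit

URI_PATTERN = "/services/javascript.php"   # content; http_uri
COOKIE_PATTERN = "href="                   # content; http_cookie
BODY_PATTERN = "file=open_calendar.js"     # content; http_client_body

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (uri, Cookie header value, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    cookie = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookie = value.strip()
    return uri, cookie, body.decode("latin-1")

def normalize_uri(uri: str) -> str:
    """Rough stand-in for http_uri normalization: decode %xx, collapse ./ and ../."""
    return posixpath.normpath(unquote(urlsplit(uri).path))

def rule_matches(raw: bytes) -> bool:
    """True only when all three patterns are present, each in its own buffer."""
    uri, cookie, body = parse_request(raw)
    return (URI_PATTERN in normalize_uri(uri)
            and COOKIE_PATTERN in cookie
            and BODY_PATTERN in body)

def build(uri: str, cookie: str, body: str) -> bytes:
    """Build a constructed POST request for the samples below."""
    return (f"POST {uri} HTTP/1.1\r\nHost: horde.example\r\n"
            f"Cookie: {cookie}\r\nContent-Length: {len(body)}\r\n\r\n{body}").encode()

SAMPLES = {  # all constructed; cookie values are placeholders
    "all three buffers": build("/horde/services/javascript.php", "href=PLACEHOLDER", "file=open_calendar.js"),
    "encoded path": build("/horde/services/%6aavascript.php", "href=PLACEHOLDER", "file=open_calendar.js"),
    "no href cookie": build("/horde/services/javascript.php", "Horde=abc123", "file=open_calendar.js"),
    "other file": build("/horde/services/javascript.php", "href=PLACEHOLDER", "file=prototype.js"),
    "substring cookie": build("/horde/services/javascript.php", "xhref=1", "file=open_calendar.js"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:20} -> {rule_matches(raw)}")
```

The last sample alerts because the cookie match is a plain substring test, so a cookie whose name merely ends in "href" also satisfies it; that is a false-positive source to weigh when tuning.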

