[Snort-sigs] Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde

Community Proposed lists at ...3397...
Fri Feb 17 11:44:25 EST 2012


Looking at the current change logs I do not see detection for this, if there
is already detection I apologize for the duplication and list noise.  Below is
a proposed community signature to detect on the Horde FTP compromise and
resulting backdoor insertion into the code base affecting downloads between
early/mid November 2011 and February 7 2012.

alert tcp any any -> $HOME_NET $HTTP_PORTS ( \
    msg:"COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde"; \
    flow:established,to_server; \
    content:"/services/javascript.php"; http_uri; fast_pattern:only; \
    content:"href="; http_cookie; \
    content:"file=open_calendar.js"; http_client_body; \
    classtype:web-application-attack; \
    reference:url,pastebin.com/U3ADiWrP; \
    reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; \
    reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; \
    reference:cve,2012-0209; \
    sid:x; rev:1; \
)

Thanks,
Nathan
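The rule above fires only when all three content checks line up on one request to the server: the URI contains /services/javascript.php, the Cookie header contains "href=", and the POST body contains "file=open_calendar.js". The following script is an added illustration (not part of Nathan's post or of the Snort project) that evaluates those three conditions against constructed HTTP requests, so a reviewer can see which traffic the signature would flag and why an ordinary request for the same script, without the cookie, stays quiet. Hostnames, cookie values and request bodies are all made up for the example.

```python
"""Evaluate the content conditions of the proposed Horde backdoor rule
against constructed HTTP requests (example code, not from the post).

Conditions mirrored from the rule:
  - http_uri         contains /services/javascript.php
  - http_cookie      contains href=
  - http_client_body contains file=open_calendar.js
"""

RULE_URI = b"/services/javascript.php"
RULE_COOKIE = b"href="
RULE_BODY = b"file=open_calendar.js"


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as a
    real HTTP inspector would treat them.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def rule_matches(raw: bytes) -> bool:
    """Return True only when all three rule conditions hold for the request."""
    request_line, headers, body = parse_request(raw)
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False  # malformed request line, nothing to inspect
    uri = parts[1]
    cookie = headers.get(b"cookie", b"")
    return RULE_URI in uri and RULE_COOKIE in cookie and RULE_BODY in body


# Constructed sample 1: all three conditions present -> the rule would fire.
SUSPECT = (b"POST /horde/services/javascript.php HTTP/1.1\r\n"
           b"Host: horde.example.test\r\n"
           b"Cookie: href=constructed-sample-value\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"\r\n"
           b"file=open_calendar.js&app=horde")

# Constructed sample 2: a normal fetch of the same script with only a
# session cookie -> no href= in the cookie, so the rule stays quiet.
BENIGN = (b"POST /horde/services/javascript.php HTTP/1.1\r\n"
          b"Host: horde.example.test\r\n"
          b"Cookie: Horde=constructed-session-id\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"\r\n"
          b"file=open_calendar.js&app=horde")

# Constructed sample 3: href= cookie and matching body, but a different
# script in the URI -> the http_uri check fails, no alert.
OTHER_URI = (b"POST /horde/index.php HTTP/1.1\r\n"
             b"Host: horde.example.test\r\n"
             b"Cookie: href=constructed-sample-value\r\n"
             b"\r\n"
             b"file=open_calendar.js")


if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("benign", BENIGN),
                       ("other_uri", OTHER_URI)):
        print(f"{label}: {'ALERT' if rule_matches(req) else 'no match'}")
```

Running it prints ALERT for the first sample and "no match" for the other two; the second sample is the one worth keeping in mind when tuning, since legitimate Horde clients do request javascript.php with file=open_calendar.js, and it is the href= cookie that separates the backdoor trigger from normal use.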