[Snort-sigs] Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde

Alex Kirk akirk at ...435...
Fri Feb 17 17:55:13 EST 2012


Nope, that's fresh detection. We'll get that lined up for the next SEU.
Thanks for the contribution - they're always welcome!
On Feb 17, 2012 12:52 PM, "Community Proposed" <lists at ...3397...> wrote:

> Looking at the current change logs I do not see detection for this, if
> there
> is already detection I apologize for the duplication and list noise.
>  Below is
> a proposed community signature to detect on the Horde FTP compromise and
> resulting backdoor insertion into the code base affecting downloads between
> early/mid November 2011 and February 7 2012.
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Remote
> Execution Backdoor Attempt Against Horde"; flow:established,to_server;
> content:"/services/javascript.php"; http_uri; fast_pattern:only;
> content:"href="; http_cookie; content:"file=open_calendar.js";
> http_client_body; classtype:web-application-attack;
> reference:url,pastebin.com/U3ADiWrP;
> reference:url,
> eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/;
> reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155;
> reference:cve,2012-0209; sid:x; rev:1;)
>
> Thanks,
> Nathan
>
>
>
> ------------------------------------------------------------------------------
> Virtualization & Cloud Management Using Capacity Planning
> Cloud computing makes use of virtualization - but cloud computing
> also focuses on allowing computing to be delivered as a service.
> http://www.accelacomm.com/jaw/sfnl/114/51521223/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120217/f6c4baba/attachment.html>


More information about the Snort-sigs mailing list