[Snort-sigs] Linux/CDorked sig

James Lay jlay at ...3266...
Fri Apr 26 13:04:34 EDT 2013


Enjoy:

# pcre carries the H (http_header) modifier so the redirect target is matched in the response headers
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISED Linux/CDorked redirect"; 
flow:from_server,established; content:"index.php?j="; 
http_header; content:"302"; http_stat_code; 
pcre:"/http\x3a\x2f\x2f[0-9a-z]{16}/H"; metadata:policy balanced-ips 
drop, policy security-ips drop, service http; 
reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; 
classtype:trojan-activity; sid:10000049; rev:1;)

Ok Joel... how much cleanup is needed with this ;)

James
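As an added illustration (not part of James's post or of any Snort code), the match logic the rule encodes, applied in Python to constructed HTTP responses: a 302 whose headers carry `index.php?j=` and an `http://` URL followed by 16 lowercase alphanumerics. The sample responses and hostnames are made up for the test and are not real indicators.

```python
import re

# Same pattern as the rule's pcre: "http://" then exactly 16 chars of [0-9a-z].
# No case-insensitive flag, mirroring the rule, which is why uppercase hosts miss.
REDIRECT_HOST_RE = re.compile(r"http://[0-9a-z]{16}")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, header_block_text)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.1 302 Found"
    status_code = parts[1] if len(parts) >= 2 else ""
    return status_code, "\r\n".join(lines[1:])


def matches_cdorked_redirect(raw: bytes) -> bool:
    """Mirror the rule: http_stat_code 302, 'index.php?j=' in the headers,
    and the 16-character host pattern in the headers (pcre with H modifier)."""
    status, headers = parse_response(raw)
    if status != "302":
        return False
    if "index.php?j=" not in headers:
        return False
    return REDIRECT_HOST_RE.search(headers) is not None


# Constructed sample responses (not real captures).
SUSPICIOUS = (b"HTTP/1.1 302 Found\r\n"
              b"Location: http://abcdefghij123456.example/index.php?j=AAAA\r\n"
              b"Content-Length: 0\r\n\r\n")
BENIGN_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: http://www.example.com/login\r\n\r\n")
# Same strings, but in a 200 body rather than 302 headers: the rule does not fire.
NOT_REDIRECT = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: text/html\r\n\r\n"
                b"<a href=\"http://abcdefghij123456.example/index.php?j=1\">x</a>")
# Uppercase host: the rule's pcre is case sensitive, so this is a known gap.
UPPERCASE_HOST = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: http://ABCDEFGHIJ123456.example/index.php?j=1\r\n\r\n")

if __name__ == "__main__":
    for name, resp in [("SUSPICIOUS", SUSPICIOUS), ("BENIGN_REDIRECT", BENIGN_REDIRECT),
                       ("NOT_REDIRECT", NOT_REDIRECT), ("UPPERCASE_HOST", UPPERCASE_HOST)]:
        print(f"{name}: {matches_cdorked_redirect(resp)}")
```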




More information about the Snort-sigs mailing list