[Snort-sigs] [Emerging-Sigs] Linux/CDorked sig

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Fri Apr 26 14:24:08 EDT 2013


Awesome info here too

http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

Regards,


On Fri, Apr 26, 2013 at 3:03 PM, Will Metcalf <wmetcalf at ...3525...> wrote:

> Thanks James, can probably limit to a-f0-9 on your char class and probably
> want a \. match after to ensure it is exactly this and not something like
> somethinglongerthan16charsaaaaaaaaa.foo.bar. Could also anchor the match to
> a Location header. Nice sig... Will get something into QA and out today
> based on this, thanks!
>
> Regards,
>
> Will
>
>
> On Fri, Apr 26, 2013 at 12:04 PM, James Lay <jlay at ...3266...> wrote:
>
>> Enjoy:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"INDICATOR-COMPROMISED Linux/CDorked redirect";
>> flow:from_server,established; file_data; content:"index.php?j=";
>> http_header; content:"302"; http_stat_code;
>> pcre:"/http\x3a\x2f\x2f[0-9a-z]{16}/m";
>> metadata:policy balanced-ips drop, policy security-ips drop, service http;
>> reference:url,http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html;
>> classtype:trojan-activity; sid:10000049; rev:1;)
>>
>> Ok Joel....how much cleanup is needed with this ;)
>>
>> James
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at ...3694...
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for all versions of
>> Suricata and Snort 2.4.0 through Current!
>>
>
>
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
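Will's suggested tightening next to James's original pcre, as an added example that is not part of this thread: both patterns are modelled as Python regexes applied to the header block of constructed 302 responses (placeholder hostnames, assumed response layout), so you can see which inputs only the tightened pattern rejects before touching the rule.

```python
import re

# Added example (not code from the thread): James's pcre and Will's suggested
# tightening expressed as Python regexes, checked against constructed responses.

# James's original pcre: 16 alphanumerics right after "http://", no anchor.
ORIGINAL_RE = re.compile(r"http://[0-9a-z]{16}")

# Will's tightening: hex only, a literal "." must follow the 16th character,
# and the match is anchored to the Location header line.
TIGHTENED_RE = re.compile(r"^Location:\s*http://[0-9a-f]{16}\.", re.MULTILINE)

def split_head(response: str):
    """Return (status line, header block) of a raw HTTP response."""
    head = response.split("\r\n\r\n", 1)[0]
    status, _, headers = head.partition("\r\n")
    return status, headers

def is_302(status_line: str) -> bool:
    parts = status_line.split()
    return len(parts) >= 2 and parts[1] == "302"

def original_match(response: str) -> bool:
    """302 + 'index.php?j=' in the headers + James's original pcre."""
    status, headers = split_head(response)
    return is_302(status) and "index.php?j=" in headers \
        and ORIGINAL_RE.search(headers) is not None

def tightened_match(response: str) -> bool:
    """Same preconditions, with Will's Location-anchored, hex-only pcre."""
    status, headers = split_head(response)
    return is_302(status) and "index.php?j=" in headers \
        and TIGHTENED_RE.search(headers) is not None

# Constructed responses; hostnames are placeholders, not real indicators.
CDORKED = ("HTTP/1.1 302 Found\r\n"
           "Location: http://0123456789abcdef.example.invalid/index.php?j=1\r\n"
           "Content-Length: 0\r\n\r\n")
# First label longer than 16 characters: Will's false-positive case.
LONG_LABEL = ("HTTP/1.1 302 Found\r\n"
              "Location: http://somethinglongerthan16charsaaaaaaaaa.foo.bar/index.php?j=1\r\n\r\n")
# 20 hex characters: passes the hex class but not the required "." after 16.
LONG_HEX = ("HTTP/1.1 302 Found\r\n"
            "Location: http://0123456789abcdef0123.example.invalid/index.php?j=1\r\n\r\n")

if __name__ == "__main__":
    for name, resp in [("CDORKED", CDORKED), ("LONG_LABEL", LONG_LABEL), ("LONG_HEX", LONG_HEX)]:
        print(name, original_match(resp), tightened_match(resp))
```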