[Snort-sigs] [Emerging-Sigs] Linux/CDorked sig

Will Metcalf wmetcalf at ...3525...
Fri Apr 26 15:12:32 EDT 2013


Slight update

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; content:"POST"; http_method; nocase; content:"SECID="; nocase; fast_pattern:only; content:"SECID="; nocase; http_cookie; pcre:"/\/\?(?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))(&|$)/U"; classtype:attempted-user; sid:103; rev:1;)


On Fri, Apr 26, 2013 at 2:02 PM, Will Metcalf <
wmetcalf at ...3525...> wrote:

> Going to add something like this as well...
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; content:"SECID="; nocase; fast_pattern:only; content:"SECID="; nocase; http_cookie; pcre:"/\/\?(?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))/U"; classtype:attempted-user; sid:103; rev:1;)
>
>
>
> On Fri, Apr 26, 2013 at 1:24 PM, Rodrigo Montoro(Sp0oKeR) <
> spooker at ...2420...> wrote:
>
>> Awesome info here too
>>
>>
>> http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
>>
>> Regards,
>>
>>
>> On Fri, Apr 26, 2013 at 3:03 PM, Will Metcalf <
>> wmetcalf at ...3525...> wrote:
>>
>>> Thanks James, can probably limit to a-f0-9 on your char class, and
>>> probably want a \. match after to ensure it is exactly this and not
>>> something like somethinglongerthan16charsaaaaaaaaa.foo.bar. Could also
>>> anchor the match to a Location header. Nice sig... Will get something into
>>> QA and out today based on this, thanks!
>>>
>>> Regards,
>>>
>>> Will
>>>
>>>
>>> On Fri, Apr 26, 2013 at 12:04 PM, James Lay <jlay at ...3266...>wrote:
>>>
>>>> Enjoy:
>>>>
>>>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISED Linux/CDorked redirect"; flow:from_server,established; file_data; content:"index.php?j="; http_header; content:"302"; http_stat_code; pcre:"/http\x3a\x2f\x2f[0-9a-z]{16}/m"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; classtype:trojan-activity; sid:10000049; rev:1;)
>>>>
>>>> Ok Joel....how much cleanup is needed with this ;)
>>>>
>>>> James
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at ...3694...
>>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>>
>>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>>> http://www.emergingthreatspro.com
>>>> The ONLY place to get complete premium rulesets for all versions of
>>>> Suricata and Snort 2.4.0 through Current!
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Rodrigo Montoro (Sp0oKeR)
>> http://spookerlabs.blogspot.com
>> http://www.twitter.com/spookerlabs
>> http://www.linkedin.com/in/spooker
>>
>
>
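The following is an added example, not code from the thread or from the Snort/ET rulesets: a small Python model of the detection logic in the two signatures above (Will's "Incoming Command" rule with its `(&|$)` tail, and James's redirect rule together with the tightening Will suggested: hex-only char class, a literal `.` after the 16 characters, anchored to the Location header), run over constructed HTTP messages. The parser, the sample messages and the helper names are assumptions made for the example; the two PCREs are copied from the rules as posted. It models Snort buffers as follows: the `/U` pcre runs against the URI alone, so `$` is the end of the URI; `http_cookie` is the Cookie header; the redirect check runs against the response header block.

```python
import re
from dataclasses import dataclass, field

# Will's updated command-rule PCRE, copied from the thread. Snort applies a /U
# pcre to the normalized URI buffer only, so "$" means end of the URI, which
# is what lets the "(&|$)" tail reject trailing digits such as /?44310.
CMD_URI_RE = re.compile(
    r"/\?(?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))(&|$)"
)

# James's redirect PCRE as posted, and the tighter form Will suggested in reply:
# hex-only label, a literal "." right after the 16 chars, anchored to Location.
REDIRECT_RE_LOOSE = re.compile(r"http\x3a\x2f\x2f[0-9a-z]{16}", re.M)
REDIRECT_RE_TIGHT = re.compile(r"^Location:\s*http\x3a\x2f\x2f[0-9a-f]{16}\.", re.M | re.I)


@dataclass
class HttpMessage:
    start_line: str
    header_lines: list = field(default_factory=list)  # raw "Name: value" lines
    headers: dict = field(default_factory=dict)       # lowercased name -> value


def parse_http(raw: str) -> HttpMessage:
    """Minimal HTTP/1.x head parser (an assumed helper, not Snort's preprocessor)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = HttpMessage(lines[0], lines[1:])
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def command_rule_matches(raw_request: str) -> bool:
    """Model of Will's rule: POST (nocase) + 'SECID=' in the Cookie buffer (nocase)
    + the command-code PCRE against the URI."""
    msg = parse_http(raw_request)
    parts = msg.start_line.split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return False
    if "secid=" not in msg.headers.get("cookie", "").lower():
        return False
    return CMD_URI_RE.search(parts[1]) is not None


def redirect_rule_matches(raw_response: str, tightened: bool = False) -> bool:
    """Model of James's rule: 302 status + 'index.php?j=' in the headers + the
    16-char hostname PCRE. tightened=True swaps in Will's suggested pattern."""
    msg = parse_http(raw_response)
    parts = msg.start_line.split()
    if len(parts) < 2 or parts[1] != "302":
        return False
    header_block = "\r\n".join(msg.header_lines)
    if "index.php?j=" not in header_block:
        return False
    pattern = REDIRECT_RE_TIGHT if tightened else REDIRECT_RE_LOOSE
    return pattern.search(header_block) is not None


# Constructed samples for illustration only; not captures from the write-ups
# linked in the thread.
def _request(uri: str, method: str = "POST", cookie: str = "SECID=0a1b2c3d") -> str:
    return (f"{method} {uri} HTTP/1.1\r\nHost: www.example.com\r\n"
            f"Cookie: {cookie}\r\nContent-Length: 0\r\n\r\n")


def _redirect(location: str, status: str = "302 Found") -> str:
    return (f"HTTP/1.1 {status}\r\nLocation: {location}\r\n"
            f"Content-Length: 0\r\n\r\n")


CMD_HIT = _request("/?4431")                       # one of the listed command codes
CMD_HIT_WITH_QS = _request("/?4431&x=1")           # "&" alternative of (&|$)
CMD_MISS_LONGER = _request("/?44310")              # rejected by the (&|$) tail
CMD_MISS_GET = _request("/?4431", method="GET")    # wrong method
CMD_MISS_NO_COOKIE = _request("/?4431", cookie="PHPSESSID=abc")

REDIR_HIT = _redirect("http://0123456789abcdef.example.net/index.php?j=1")
REDIR_FP = _redirect("http://somethinglongerthan16charsaaaaaaaaa.foo.bar/index.php?j=1")
REDIR_MISS_200 = _redirect("http://0123456789abcdef.example.net/index.php?j=1", status="200 OK")

if __name__ == "__main__":
    for name, raw in [("CMD_HIT", CMD_HIT), ("CMD_MISS_LONGER", CMD_MISS_LONGER)]:
        print(name, command_rule_matches(raw))
    for name, raw in [("REDIR_HIT", REDIR_HIT), ("REDIR_FP", REDIR_FP)]:
        print(name, "loose:", redirect_rule_matches(raw),
              "tight:", redirect_rule_matches(raw, tightened=True))
```

The `REDIR_FP` sample is the case Will raises in his reply: the posted pattern fires on any run of 16 lowercase letters or digits after `http://`, so a long ordinary hostname trips it, while the hex class plus the `\.` and Location anchoring only fires on a 16-hex-character label. The `CMD_MISS_LONGER` sample shows what the `(&|$)` tail in the "slight update" buys over the first draft of the command rule.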

