[Snort-sigs] Apache auto_prepend_file a.control.bin sig

James Lay jlay at ...3266...
Fri Jun 14 17:53:03 EDT 2013


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISED Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| SEX|2f|1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:10000076; rev:1;)

Not sure if sigging the ga.gif link would be worth it.

James



