[Snort-sigs] Snort-sigs Digest, Vol 84, Issue 2

Kent E. Parkin kparkin at ...526...
Fri May 3 18:05:45 EDT 2013



Sent from my iPhone

On May 3, 2013, at 16:33, "snort-sigs-request at lists.sourceforge.net" <snort-sigs-request at lists.sourceforge.net> wrote:

> Send Snort-sigs mailing list submissions to
>    snort-sigs at lists.sourceforge.net
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>    https://lists.sourceforge.net/lists/listinfo/snort-sigs
> or, via email, send a message with subject or body 'help' to
>    snort-sigs-request at lists.sourceforge.net
> 
> You can reach the person managing the list at
>    snort-sigs-owner at lists.sourceforge.net
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Snort-sigs digest..."
> 
> 
> Today's Topics:
> 
>   1. Sourcefire VRT Certified Snort Rules Update 2013-05-02 (Research)
>   2. Possible FP on sid:26529 - Cdorked backdoor command attempt ?
>      (Andre DiMino)
>   3. Re: Possible FP on sid:26529 - Cdorked backdoor command
>      attempt ? (Nathan Benson)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu,  2 May 2013 11:53:48 -0400 (EDT)
> From: Research <research at ...435...>
> Subject: [Snort-sigs] Sourcefire VRT Certified Snort Rules Update
>    2013-05-02
> To: snort-sigs at lists.sourceforge.net
> Message-ID: <20130502155348.4D854D406F at ...435...>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Sourcefire VRT Certified Snort Rules Update
> 
> Synopsis:
> This release adds and modifies rules in several categories.
> 
> Details:
> The Sourcefire VRT has added and modified multiple rules in the
> blacklist, browser-ie, browser-other, browser-plugins, exploit-kit,
> file-identify, file-other, indicator-compromise, indicator-obfuscation,
> malware-cnc, malware-other, os-other, policy-other, protocol-ftp,
> pua-adware, server-mail, server-oracle and server-webapp rule sets to
> provide coverage for emerging threats from these technologies.
> 
> For a complete list of new and modified rules please see:
> 
> http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2013-05-02.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> 
> iD8DBQFRgowMQLjqI2QiHVMRAnNKAJsHKEzjIwtWx78IPIXZAFJ4ylTNQgCeM2+2
> eOuVVsoNHxe5hnJWxBRt8qA=
> =6LBW
> -----END PGP SIGNATURE-----
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Fri, 3 May 2013 12:09:54 -0400
> From: Andre DiMino <adimino at ...3810...>
> Subject: [Snort-sigs] Possible FP on sid:26529 - Cdorked backdoor
>    command attempt ?
> To: snort-sigs at lists.sourceforge.net
> Message-ID:
>    <CAGKRsZwkm+pWpeCx-YA0hKs4T5YXQNNePt8cfMv184+cAFPDOw at ...2421...>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> I'm seeing this alert fire quite a bit today, and I'm not seeing
> anything seemingly related to Linux-Cdorked commands. I'm wondering if
> it may be a FP?
> The sig is as follows:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked backdoor command
> attempt"; flow:to_server,established; content:"SECID=";
> fast_pattern:only; content:"SECID="; nocase; http_cookie;
> pcre:"/^\/[^?]*?\?[a-f0-9]{4}/Ui"; metadata:impact_flag red, policy
> balanced-ips drop, policy security-ips drop, service http;
> reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html;
> reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/;
> classtype:trojan-activity; sid:26529; rev:1; )
> 
> Traffic I'm seeing looks like this:
> 
> GET /ba.html?1095 HTTP/1.1
> Host: c.betrad. com
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3)
> AppleWebKit/536.29.13 (KHTML, like Gecko) Version/6.0.4
> Safari/536.29.13
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Referer: hxxp://ad.media6degrees.
> com/adserv/cs?adType=iframe|is_preview=0|cId=16057|ec=1|spId=91095|advId=1218|tpCId=4954476|exId=9|price=0.354173|vurlId=216248|srcUrlEnc=http://screenrant.
> com/captain-america-2-falcon-winter-soldier-costumes/|tpInvId=95|notifyServer=aeq311.eq.pl.pvt|notifyPort=8080|bdie=1c7o0s87z0jj8|bid=1.7799999713897705|tId=6892644925539300|pubId=7854|invId=12998|secId=56|tpSecId=1319854|foo=bar|cb=1367595784
> Accept-Language: en-us
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> 
> Remote host is
> e5413.g.akamaiedge.net. A 184.26.51.231
> e5413.g.akamaiedge.net.0.1.cn.akamaiedge.net. A 184.26.51.231
> 
> It doesn't *appear* that screenrant. com is infected with Cdork, so I
> thought I'd just throw this out here for consideration.
> 
> Here are a few more:
> 
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> GET /ba.html?1095 HTTP/1.1
> Host: c.betrad. com
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0)
> Gecko/20100101 Firefox/20.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://ad.media6degrees.
> com/adserv/cs?tId=6809218409273906|cb=1367595163|adType=iframe|cId=15604|ec=1|spId=82885|advId=1065|exId=21|price=2.010000|pubId=127|secId=414|invId=1186|tpInvId=3|notifyServer=aeq194.eq.pl.pvt|notifyPort=8080|bdie=1jkm6wt1e2vod|bid=1.50|srcUrlEnc=http%3A%2F%2Fnation.foxnews.
> com%2Fstatic%2Fv%2Fall%2Fhtml%2Fad-ifr.html%3Fid%3Dframe2-300x100%26ns%3DfriendlyComm|bms=3
> Connection: keep-alive
> If-Modified-Since: Thu, 02 May 2013 22:08:34 GMT
> If-None-Match: "5389a15bc989f3e0f559222cf19c0064:1367532514"
> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> GET /reportV3/ft.stat?10476941-0-310-0-19070F3B686BBB-945671-0x0x0x123 HTTP/1.1
> Host: stat.flashtalking. com
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0)
> Gecko/20100101 Firefox/17.0
> Accept: image/png,image/*;q=0.8,*/*;q=0.5
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> Referer: http://servedby.flashtalking.
> com/imp/3/25598;543598;201;jsiframe;Media6Degrees;Media6degrees728x90/?ft_custom=&imageType=gif&ftDestID=3642763&ft_width=728&ft_height=90&click=http://ad.media6degrees.
> com/adserv/clk?tId=6676444134860084|cId=16511|cb=1367594173|notifyPort=8080|exId=25|tpAuctId=41b7d3ef371e05ead0634b808e1e96f5c4f3d910|tId=6676444134860084|tpInvId=2010722|ec=1|secId=460|price=883B0423C1C85454|pubId=5593|advId=1451|notifyServer=asd155.sd.pl.pvt|bdie=1pelg95qfwmya|spId=83223|adType=iframe|invId=10620|bms=2010722|bid=10.00|ctrack=&ftOBA=1&cachebuster=1367594174168
> Cookie: flashtalkingad1="GUID=19070F3B686BBB|segment=(y8BWISEA-m:c400last,SEABWI-m:c400ret,ags,bi7-m:origdest)|tp=(244-1477-v-19421841)"
> 
> --
> 
> Andre' M. DiMino
> DeepEnd Research
> http://deependresearch.org
> http://sempersecurus.org
> 
> "Make sure that nobody pays back wrong for wrong, but always try to be
> kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Fri, 3 May 2013 16:25:24 -0400
> From: Nathan Benson <nathan at ...435...>
> Subject: Re: [Snort-sigs] Possible FP on sid:26529 - Cdorked backdoor
>    command attempt ?
> To: Andre DiMino <adimino at ...3810...>
> Cc: "snort-sigs at lists.sourceforge.net"
>    <snort-sigs at lists.sourceforge.net>
> Message-ID:
>    <CAKQBV1ZbYM=VKQKX5bHG-LOCSJrVERhFZQ=7-Uz7CkUtCyRCAg at ...2421...>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Hi Andre,
> 
> Thank you for the report, I'll take a look at it.  What version of Snort
> are you using with that rule?
> 
> nb
> 
> 
> 
> ------------------------------
> 
> ------------------------------
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
> 
> End of Snort-sigs Digest, Vol 84, Issue 2
> *****************************************
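The rule Andre posted in message 2 has three detection options: a raw-payload content "SECID=" used only by the fast-pattern matcher, a second "SECID=" restricted to the http_cookie buffer, and a PCRE on the normalized URI that wants four hex digits right after the first "?". The requests he quoted satisfy the first and third of those on their face: every Referer carries "secId=" (the fast-pattern matcher is case-insensitive, and a fast_pattern:only content is never re-evaluated as a rule option), and "/ba.html?1095" and "/reportV3/ft.stat?1047..." both match the PCRE. Whether the http_cookie option also matches depends on what that buffer holds on the sensor. The script below is an added example, not code from the thread or from the VRT rule set: it re-implements the three options in Python and runs them over abbreviated copies of the posted requests plus two constructed ones. Its handling of the cookie buffer is an assumption to check against the manual for the Snort version in use: with enable_cookie configured in http_inspect the buffer is the Cookie header value alone (empty when there is no Cookie header), and without it the cookie buffer falls back to the whole header buffer, where the Referer lives. The hostnames are un-defanged and the long Referer values are cut down to the segment that matters.

```python
import re

# Constructed samples, abbreviated from the requests posted in the thread
# (defanged hostnames restored; only the Referer segments that matter kept).
SAFARI_BETRAD = (
    "GET /ba.html?1095 HTTP/1.1\r\n"
    "Host: c.betrad.com\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) Safari/536.29.13\r\n"
    "Referer: http://ad.media6degrees.com/adserv/cs?adType=iframe|cId=16057"
    "|secId=56|tpSecId=1319854|cb=1367595784\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

FLASHTALKING = (
    "GET /reportV3/ft.stat?10476941-0-310-0-19070F3B686BBB-945671-0x0x0x123 HTTP/1.1\r\n"
    "Host: stat.flashtalking.com\r\n"
    "Referer: http://servedby.flashtalking.com/imp/3/25598;543598;201/?click="
    "http://ad.media6degrees.com/adserv/clk?tId=6676444134860084|secId=460|bid=10.00\r\n"
    "Cookie: flashtalkingad1=\"GUID=19070F3B686BBB|segment=(ags)|tp=(244-1477-v-19421841)\"\r\n"
    "\r\n"
)

# Constructed request shaped to satisfy every option of the rule. Not a real
# Cdorked capture, just the rule's own conditions turned into a request:
# SECID= inside the Cookie header and four hex digits after '?'.
SHAPED_LIKE_RULE = (
    "GET /index.php?a1b2c3 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: SECID=0123456789abcdef\r\n"
    "\r\n"
)

# Same Cookie, but no hex query string: the PCRE option should not match.
NO_HEX_QUERY = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: SECID=0123456789abcdef\r\n"
    "\r\n"
)

# pcre:"/^\/[^?]*?\?[a-f0-9]{4}/Ui" -- the 'i' makes the hex class case-insensitive
URI_PCRE = re.compile(r"^/[^?]*?\?[a-f0-9]{4}", re.IGNORECASE)


def parse_request(raw):
    """Split a raw request into (request-uri, {lowercased header: value}, header block)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers, "\r\n".join(lines[1:])


def cookie_buffer(headers, header_block, enable_cookie):
    """What http_cookie is searched against (assumption, see lead-in):
    the Cookie header value when enable_cookie is on (empty if absent),
    otherwise the whole header buffer."""
    if enable_cookie:
        return headers.get("cookie", "")
    return header_block


def evaluate_sid26529(raw, enable_cookie=True):
    """Return which of the rule's detection options match the request."""
    uri, headers, header_block = parse_request(raw)
    # content:"SECID="; fast_pattern:only;  -> fast-pattern matcher over the
    # payload, case-insensitive, never re-checked as a rule option
    fast_pattern = "secid=" in raw.lower()
    # content:"SECID="; nocase; http_cookie;
    cookie_hit = "secid=" in cookie_buffer(headers, header_block, enable_cookie).lower()
    # pcre with /U runs against the normalized URI; these samples need no
    # decoding, so the raw request-uri stands in for the normalized buffer
    uri_hit = URI_PCRE.search(uri) is not None
    return {
        "fast_pattern": fast_pattern,
        "cookie_content": cookie_hit,
        "uri_pcre": uri_hit,
        "alert": fast_pattern and cookie_hit and uri_hit,
    }


if __name__ == "__main__":
    samples = {"safari/betrad": SAFARI_BETRAD, "flashtalking": FLASHTALKING,
               "shaped-like-rule": SHAPED_LIKE_RULE, "no-hex-query": NO_HEX_QUERY}
    for name, raw in samples.items():
        for enable_cookie in (True, False):
            r = evaluate_sid26529(raw, enable_cookie)
            print(f"{name:17s} enable_cookie={str(enable_cookie):5s} "
                  f"fp={str(r['fast_pattern']):5s} cookie={str(r['cookie_content']):5s} "
                  f"uri={str(r['uri_pcre']):5s} -> alert={r['alert']}")
```

Under the strict cookie-only buffer, neither ad-network request alerts, because their Cookie headers (where present) carry no SECID=; under the fallback-to-headers behaviour both do, purely because of the Referer. So the first thing to check on a sensor that fires this rule on ad traffic is the http_inspect configuration and the Snort version, which is exactly what Nathan asks for in message 3.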
