[Snort-sigs] vBulletin 4.x and 5.x exploit in the wild

Joel Esler jesler at ...435...
Wed Oct 9 20:30:26 EDT 2013


Thanks James. 

Sent from my iPhone

> On Oct 9, 2013, at 12:45 PM, James Lay <jlay at ...3266...> wrote:
> 
> Bummer:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"MALWARE-OTHER vBulletin upgrade.php exploit"; flow:to_server, 
> established; content:"POST"; http_method; 
> content:"install|2f|upgrade.php"; http_uri; fast_pattern:only; 
> metadata:policy balanced-ips drop, policy security-ips drop, service 
> http, ruleset community; 
> reference:url,www.net-security.org/secworld.php?id=15743; 
> classtype:trojan-activity; sid:10000101; rev:1;)
> 
> Not adding the / at the front allows it to catch both 4.x and 5.x 
> versions.  Thanks all!
> 
> James
> 
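A small Python model of the quoted rule's two content matches, run over constructed requests; it is an added example and not part of the original thread. The request paths, the host name and the use of percent-decoding as a stand-in for Snort's URI normalization are assumptions.

```python
from urllib.parse import unquote

# The two content matches from the rule quoted above.
RULE_METHOD = "POST"               # content:"POST"; http_method;
RULE_URI = "install/upgrade.php"   # content:"install|2f|upgrade.php"; http_uri; (|2f| is "/")

def parse_request(raw: bytes):
    """Return (method, normalized_uri) for a raw HTTP request, or None if malformed."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    # Assumption: percent-decoding approximates the normalization applied
    # before the http_uri buffer is searched.
    return method, unquote(target)

def rule_matches(raw: bytes) -> bool:
    """True when both content matches of the rule would hit this request."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri = parsed
    # Both contents are case-sensitive (no nocase) and unanchored substrings.
    return RULE_METHOD in method and RULE_URI in uri

# Constructed sample requests (hypothetical host and directory layouts).
HDR = b" HTTP/1.1\r\nHost: forum.example\r\n\r\n"
SAMPLES = {
    "post_root_install": b"POST /install/upgrade.php" + HDR,
    "post_nested_install": b"POST /core/install/upgrade.php" + HDR,
    "post_encoded_slash": b"POST /core/install%2Fupgrade.php" + HDR,
    "get_same_path": b"GET /install/upgrade.php" + HDR,
    "post_other_page": b"POST /forum/index.php" + HDR,
    "malformed": b"not an http request",
}

def evaluate_samples() -> dict:
    """Map each constructed sample's label to the rule verdict."""
    return {label: rule_matches(raw) for label, raw in SAMPLES.items()}

if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{label:22s} {'ALERT' if hit else 'no match'}")
```

The model covers only the `http_method` and `http_uri` contents; the rule header (networks, ports) and `flow` state are outside it.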