[Snort-sigs] new sig for detecting Apache / PHP RCE

Joel Esler joel.esler at ...3366...
Wed Oct 30 17:27:27 EDT 2013


rmkml,

This is CVE-2012-1823, covered by sids: 22063, 22064, and 22097.

Are you not seeing these rules fire?

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire

On Oct 30, 2013, at 5:30 PM, rmkml <rmkml at ...174...> wrote:

> Hi,
> 
> Created a new Community rule for detecting this exploit:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Apache / PHP 5.x Remote Code Execution Kingcope attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/cgi-bin/php"; nocase; http_uri; content:"-d"; nocase; http_uri; distance:0; content:!"|0A|Referer|3a|"; nocase; http_header; pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui"; pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi"; reference:url,www.exploit-db.com/exploits/29290; classtype:attempted-admin; sid:95417; rev:1;)
> 
> Please follow my new project http://etplc.org
> 
> Regards
> @Rmkml
> 
> PS: Thx @Kingcope
> 
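The matching logic of the quoted community rule, transcribed to Python and run over constructed HTTP requests so the individual conditions can be checked one by one. This is an added example, not code from rmkml's post, from the Snort project or from the Sourcefire VRT. Snort's http_uri buffer is the normalized URI; that normalization is approximated here with percent-decoding only (an assumption), and the sample requests below are constructed for this example, not captured traffic.

```python
import re
from urllib.parse import unquote

# Regexes transcribed from the rule's two pcre options.
# "U" (normalized URI) and "P" (HTTP client body) select the buffer;
# "i" is IGNORECASE and "s" is DOTALL.
URI_RE = re.compile(r"^/cgi-bin/php(?:|[45]|[-.]cgi)\?", re.IGNORECASE)
BODY_RE = re.compile(
    r"\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()",
    re.IGNORECASE | re.DOTALL,
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_block, body).

    Minimal parser, sufficient for the constructed samples below; a real
    sensor would reassemble the TCP stream and normalize the URI first.
    """
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    header_block = b"\r\n".join(lines[1:])
    return method.decode("latin-1"), uri.decode("latin-1"), header_block, body


def matches_rule(raw: bytes) -> bool:
    """Return True when the request satisfies every condition of sid 95417."""
    method, uri, headers, body = parse_request(raw)

    # content:"POST"; nocase; http_method;
    if method.upper() != "POST":
        return False

    # Approximation of Snort's URI normalization (assumption): percent-decode.
    norm_uri = unquote(uri)
    lowered = norm_uri.lower()

    # content:"/cgi-bin/php"; nocase; http_uri;
    idx = lowered.find("/cgi-bin/php")
    if idx < 0:
        return False

    # content:"-d"; nocase; http_uri; distance:0;  -> must follow the previous match
    if "-d" not in lowered[idx + len("/cgi-bin/php"):]:
        return False

    # content:!"|0A|Referer|3a|"; nocase; http_header;  -> negated: no Referer header.
    # A leading LF is prepended so a Referer on the first header line is seen too.
    if b"\nreferer:" in (b"\n" + headers).lower():
        return False

    # pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui"
    if not URI_RE.search(norm_uri):
        return False

    # pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi"
    return BODY_RE.search(body.decode("latin-1")) is not None


# Constructed sample requests (not captures). The first mirrors the
# CVE-2012-1823 argument-injection shape the rule targets: php-cgi options
# smuggled through the query string, PHP code delivered in the POST body.
EXPLOIT_REQUEST = (
    b"POST /cgi-bin/php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1\r\n"
    b"Host: victim.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 47\r\n"
    b"\r\n"
    b"<?php $p = proc_open('id', array(), $pipes); ?>"
)

# Same request but carrying a Referer header: the negated http_header
# content suppresses the alert, which is one way a real attacker evades this rule.
EXPLOIT_WITH_REFERER = EXPLOIT_REQUEST.replace(
    b"Host: victim.example\r\n",
    b"Host: victim.example\r\nReferer: http://victim.example/\r\n",
)

# Ordinary POST to the same script: no "-d" after /cgi-bin/php, no PHP in the body.
BENIGN_REQUEST = (
    b"POST /cgi-bin/php?page=1 HTTP/1.1\r\n"
    b"Host: victim.example\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"a=1&b=2"
)

if __name__ == "__main__":
    for name, req in (("exploit", EXPLOIT_REQUEST),
                      ("exploit+referer", EXPLOIT_WITH_REFERER),
                      ("benign", BENIGN_REQUEST)):
        print(f"{name:16s} -> {'ALERT' if matches_rule(req) else 'no match'}")
```

The negated Referer check is worth noticing when evaluating the rule: it narrows the signature to the published Kingcope script (which sends no Referer), so a copy of the exploit that adds one header will not trip sid 95417, whereas the VRT rules Joel lists key on the php-cgi option injection itself.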
