<div dir="ltr"><div>Awesome info here too<br><br><a href="http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/">http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/</a><br>

<br></div>Regards,<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 26, 2013 at 3:03 PM, Will Metcalf <span dir="ltr"><<a href="mailto:wmetcalf@...3525..." target="_blank">wmetcalf@...3525...</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks James, can probably limit to a-f0-9 on your char class, and probably want a \. match after to ensure it is exactly this and not something like somethinglongerthan16charsaaaaaaaaa.foo.bar. Could also anchor the match to a Location header. Nice sig... Will get something into QA and out today based on this, thanks!<div>


<br></div><div>Regards,</div><div><br></div><div>Will</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Apr 26, 2013 at 12:04 PM, James Lay <span dir="ltr"><<a href="mailto:jlay@...3266..." target="_blank">jlay@...3797....</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Enjoy:<br>
<br>
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISED Linux/CDorked redirect"; flow:from_server,established; file_data; content:"index.php?j="; http_header; content:"302"; http_stat_code; pcre:"/http\x3a\x2f\x2f[0-9a-z]{16}/m"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,<a href="http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html" target="_blank">blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html</a>; classtype:trojan-activity; sid:10000049; rev:1;)<br>



<br>
Ok Joel....how much cleanup is needed with this ;)<br>
<br>
James<br>
_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@...3694..." target="_blank">Emerging-sigs@...2570...emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreatspro.com" target="_blank">http://www.emergingthreatspro.com</a><br>
The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Rodrigo Montoro (Sp0oKeR)<br><a href="http://spookerlabs.blogspot.com" target="_blank">http://spookerlabs.blogspot.com</a><br>

<a href="http://www.twitter.com/spookerlabs" target="_blank">http://www.twitter.com/spookerlabs</a><br><a href="http://www.linkedin.com/in/spooker" target="_blank">http://www.linkedin.com/in/spooker</a><br>
</div>
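<div>Added example, not part of the thread and not code from James, Will or Emerging Threats: the Python below applies Will's three suggestions (hex-only class, a literal <code>\.</code> after the 16 characters, anchoring to the Location header) to James's pattern and runs both versions over constructed HTTP responses, so the false positive he describes (a long lowercase label such as somethinglongerthan16charsaaaaaaaaa.foo.bar) and the effect of the trailing <code>\.</code> can be seen side by side. The sample responses, the placeholder hostname 0123456789abcdef.example.net and the Python regexes are assumptions; the code also searches the whole header block for both the content match and the regex, which only approximates how the rule's http_header, http_stat_code and file_data buffers behave in Snort.</div>

```python
import re

# Constructed sample responses (not captures from the thread). The hostname
# 0123456789abcdef.example.net stands in for a 16-hex-character label.
REDIRECT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://0123456789abcdef.example.net/index.php?j=1\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Will's false-positive case: 16+ lowercase letters, no hex restriction.
LONG_LABEL_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://somethinglongerthan16charsaaaaaaaaa.foo.bar/index.php?j=1\r\n"
    "Content-Length: 0\r\n\r\n"
)

# A hex label longer than 16 characters: only the trailing \. rejects it.
LONG_HEX_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://0123456789abcdef0123.example.net/index.php?j=1\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Not a redirect; index.php?j= appears only in the body.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><a href=\"index.php?j=1\">next</a></html>"
)

# James's posted pcre: any 16 lowercase alphanumerics after http://, unanchored.
ORIGINAL_PCRE = re.compile(r"http://[0-9a-z]{16}", re.M)

# Will's refinements: hex-only class, a literal dot immediately after the 16
# characters (so a longer label cannot match), anchored to a Location header.
REFINED_PCRE = re.compile(r"^Location:\s*http://[0-9a-f]{16}\.", re.M | re.I)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, header_block, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status_code = status_line.split(" ")[1]
    return status_code, header_block, body


def _matches(raw, pcre):
    status_code, header_block, _ = parse_response(raw)
    # Mirrors the rule's three checks: http_stat_code 302, the http_header
    # content "index.php?j=", then the pcre. The pcre is run over the header
    # block here, an approximation of the Snort buffer selection.
    return (
        status_code == "302"
        and "index.php?j=" in header_block
        and pcre.search(header_block) is not None
    )


def matches_original(raw):
    """Detection logic as James posted it."""
    return _matches(raw, ORIGINAL_PCRE)


def matches_refined(raw):
    """Detection logic with Will's suggested tightening applied."""
    return _matches(raw, REFINED_PCRE)


def compare(samples):
    """Return {name: (original_hit, refined_hit)} for a dict of raw responses."""
    return {name: (matches_original(r), matches_refined(r)) for name, r in samples.items()}


if __name__ == "__main__":
    samples = {
        "cdorked redirect": REDIRECT_RESPONSE,
        "long lowercase label": LONG_LABEL_RESPONSE,
        "long hex label": LONG_HEX_RESPONSE,
        "benign 200": BENIGN_RESPONSE,
    }
    for name, (orig, refined) in compare(samples).items():
        print(f"{name:22s} original={orig!s:5s} refined={refined}")
```

<div>Both detectors fire on the redirect sample; only the original fires on the two long-label samples, and neither fires on the 200 response. The regexes are Python re rather than Snort PCRE, but the character class and the dot carry over unchanged; in the rule itself, anchoring on <code>^Location:</code> would need the pcre to be pointed at the header buffer (the H modifier) together with the /m flag James already uses, so that <code>^</code> matches at the start of each header line.</div>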