Home page logo
/

snort logo Snort mailing list archives

Linux/CDorked sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 26 Apr 2013 11:04:34 -0600

Enjoy:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"INDICATOR-COMPROMISED Linux/CDorked redirect"; 
flow:from_server,established; file_data; content:"index.php?j="; 
http_header; content:"302"; http_stat_code; 
pcre:"/http\x3a\x2f\x2f[0-9a-z]{16}/m"; metadata:policy balanced-ips 
drop, policy security-ips drop, service http; 
reference:url,http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; 
classtype:trojan-activity; sid:10000049; rev:1;)

Ok Joel....how much cleanup is needed with this ;)

James

------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]