Home page logo
/

snort logo Snort mailing list archives

Re: [Emerging-Sigs] Linux/CDorked sig
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Fri, 26 Apr 2013 14:12:32 -0500

Slight update

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command";
flow:established,to_server; content:"POST"; http_method; nocase;
content:"SECID="; nocase; fast_pattern:only; content:"SECID="; nocase;
http_cookie;
pcre:"/\/\?(?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))(&|$)/U";
classtype:attempted-user; sid:103; rev:1;)


On Fri, Apr 26, 2013 at 2:02 PM, Will Metcalf <
wmetcalf () emergingthreatspro com> wrote:

Going to add something like this as well...

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command";
flow:established,to_server; content:"SECID="; nocase; fast_pattern:only;
content:"SECID="; nocase; http_cookie;
pcre:"/\/\?(?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))/U";
classtype:attempted-user; sid:103; rev:1;)



On Fri, Apr 26, 2013 at 1:24 PM, Rodrigo Montoro(Sp0oKeR) <
spooker () gmail com> wrote:

Awesome info here too


http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

Regards,


On Fri, Apr 26, 2013 at 3:03 PM, Will Metcalf <
wmetcalf () emergingthreatspro com> wrote:

Thanks James, can probably limit to a-f0-9 on your char class and
probably want a \. match after to ensure it is exactly this and not
something like somethinglongerthan16charsaaaaaaaaa.foo.bar could also
anchor the match to a Location header. Nice sig... Will get something into
QA and out today based on this thanks!

Regards,

Will


On Fri, Apr 26, 2013 at 12:04 PM, James Lay <jlay () slave-tothe-box net>wrote:

Enjoy:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"INDICATOR-COMPROMISED Linux/CDorked redirect";
flow:from_server,established; file_data; content:"index.php?j=";
http_header; content:"302"; http_stat_code; pcre:"/http\x3a\x2f\x2f[0-9a-
**z]{16}/m"; metadata:policy balanced-ips drop, policy security-ips
drop, service http; reference:url,http://blog.**
sucuri.net/2013/04/apache-**binary-backdoors-on-cpanel-**
based-servers.html<http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html>;
classtype:trojan-activity; sid:10000049; rev:1;)

Ok Joel....how much cleanup is needed with this ;)

James
______________________________**_________________
Emerging-sigs mailing list
Emerging-sigs () lists **emergingthreats net<Emerging-sigs () lists emergingthreats net>
https://lists.emergingthreats.**net/mailman/listinfo/emerging-**sigs<https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs>

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreatspro.**com <http://www.emergingthreatspro.com>
The ONLY place to get complete premium rulesets for all versions of
Suricata and Snort 2.4.0 through Current!



_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for all versions of
Suricata and Snort 2.4.0 through Current!




--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker



------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]