[Emerging-Sigs] 195.93.218.57 (fullspace.cc)
Philipp Bescht
philipp at bescht.de
Wed Jul 9 16:39:07 EDT 2008
Hi,
Requests to this host are hitting sids 2006387 2003585 (Suspicious
User-Agent) already, because:
User-Agent: Windows Updates Manager|3.19|5|1|2600|2|
The Request URIs look like this:
/config.php?ver=3&uid=4y56Htkqh41mak2&action=newuser&ras=0&verfull=3.19
/register.php?id=xDPnKtBWAWFdGKa&port=10639&connect=network&ver=19&intip=192.168.1.244&bid=4y56Htkqh41mak2
/cgi-bin/register.cgi?id=xDPnKtBWAWFdGKa&port=10639&connect=network&ver=19&country=DE&intip=192.168.1.244
Those are the only references I have (from one infection), but a Google
search revealed that this host is already known to emergingthreats
(sandnet):
http://www.malwaredomains.com/updates/200804
Updates/domains.20080401.txt
So far i have the following signatures, not knowing much about the
parameters/values:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"fullspace.cc checkin (1)"; flow:established,to_server; uricontent:"/config.php?ver="; nocase; uricontent:"&uid="; nocase; uricontent:"&action="; nocase; uricontent:"&ras="; nocase; uricontent:"&verfull="; nocase; classtype:trojan-activity; sid:2009960; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"fullspace.cc checkin (2)"; flow:established,to_server; uricontent:"/register."; nocase; uricontent:"?id="; nocase; uricontent:"&port="; nocase; uricontent:"&connect="; nocase; uricontent:"&ver="; nocase; uricontent:"ip="; nocase; classtype:trojan-activity; sid:2009961; rev:1;)
Is it ok to check for this specifically, or is it enough that the
user-agent triggers a rule already?
Are these signatures too weak (especially the second)?
Does anyone know more about the parameters and values (i.e. does $connect
always have the value 'network'? If there is $intip, does $extip also exist?
etc.)?
Regards,
Philipp
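Added example, not part of the original post and not Emerging Threats' own code: the Python below replays the two proposed uricontent signatures over the three request URIs quoted in the post plus two constructed negative controls, so the "are these too weak" question can be checked mechanically. Two things are assumptions: the User-Agent check approximates the behaviour the post reports for sids 2006387/2003585 (the real content of those rules is not on the page), and the tightened variant of signature (2) assumes, as the poster asks, that connect=network and intip are stable across infections.

```python
# Replay the proposed fullspace.cc checkin signatures over sample requests.
# Snort's `uricontent:"..."; nocase;` is a case-insensitive substring match on
# the request URI, and every uricontent in a rule must match for it to fire.

# The two signatures from the post, reduced to their uricontent tokens.
SIGNATURES = {
    2009960: ["/config.php?ver=", "&uid=", "&action=", "&ras=", "&verfull="],
    2009961: ["/register.", "?id=", "&port=", "&connect=", "&ver=", "ip="],
}

# Hypothetical tightening of sid 2009961, valid only if `connect=network` and
# the `intip` parameter turn out to be constant (the poster's open question).
TIGHTER_CHECKIN_2 = ["/register.", "?id=", "&port=", "&connect=network", "&ver=", "&intip="]

REPORTED_UA = "Windows Updates Manager|3.19|5|1|2600|2|"

# Constructed sample requests. 0-2 are the URIs quoted in the post; 3 and 4 are
# made-up negative controls. Request 4 is a plausible registration form that
# happens to carry every token sid 2009961 looks for ("ip=" via "&zip=").
SAMPLE_REQUESTS = [
    {"uri": "/config.php?ver=3&uid=4y56Htkqh41mak2&action=newuser&ras=0&verfull=3.19",
     "ua": REPORTED_UA},
    {"uri": "/register.php?id=xDPnKtBWAWFdGKa&port=10639&connect=network&ver=19"
            "&intip=192.168.1.244&bid=4y56Htkqh41mak2",
     "ua": REPORTED_UA},
    {"uri": "/cgi-bin/register.cgi?id=xDPnKtBWAWFdGKa&port=10639&connect=network&ver=19"
            "&country=DE&intip=192.168.1.244",
     "ua": REPORTED_UA},
    {"uri": "/index.php?page=news&id=7", "ua": "Mozilla/5.0 (constructed browser UA)"},
    {"uri": "/register.php?id=42&port=443&connect=tls&ver=2&zip=80331",
     "ua": "Mozilla/5.0 (constructed browser UA)"},
]


def uricontent_matches(uri, patterns):
    """True if every pattern occurs in the URI, case-insensitively (nocase)."""
    lowered = uri.lower()
    return all(p.lower() in lowered for p in patterns)


def suspicious_user_agent(ua):
    """Assumed approximation of the existing suspicious-UA rules firing on
    this agent string; the real rule content is not in the post."""
    return ua.lower().startswith("windows updates manager|")


def evaluate(request):
    """Return which proposed sids fire on a request and whether the UA is flagged."""
    sids = sorted(sid for sid, pats in SIGNATURES.items()
                  if uricontent_matches(request["uri"], pats))
    return {"uri": request["uri"],
            "sids": sids,
            "suspicious_ua": suspicious_user_agent(request["ua"]),
            "tighter_2": uricontent_matches(request["uri"], TIGHTER_CHECKIN_2)}


def run_all():
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for result in run_all():
        print(f"{result['uri'][:60]:<60} sids={result['sids']} "
              f"ua_flagged={result['suspicious_ua']} tighter_2={result['tighter_2']}")
```

Running it shows sid 2009960 firing only on the config.php checkin and sid 2009961 on both register URIs, but also on the constructed benign form (request 4): "/register." plus generic parameter names and a bare "ip=" are enough to over-match, which is the weakness the post suspects. The tightened token list keeps both real register checkins and drops the control, at the cost of depending on values whose stability is not yet known.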