[Emerging-Sigs] Mass File Injection Attack From Russia With Zlob
Matt Jonkman
jonkman at jonkmans.com
Mon May 12 15:04:00 EDT 2008
Posted:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008206; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; sid:2008207; rev:1;)
Look good to all? Is looking for the .js in the client one safe?
Matt
Joel Esler wrote:
> You would be right.
>
>
> On May 12, 2008, at 2:23 PM, James McQuaid wrote:
>
>> Sounds good. ISC would probably note the availability of the Emerging
>> Sig. Also, these people may have their hands in exploits other than
>> this particular injection.
>>
>> Jim
>>
>> On Mon, May 12, 2008 at 12:15 PM, Matt Jonkman <jonkman at jonkmans.com>
>> wrote:
>>> Hmmm, interesting. Tempted to add a temporary sig for that string in
>>> current_events. About 91k hits in google.
>>>
>>> Anyone have thoughts there? Maybe one sig for inbound to
>>> http_servers, one
>>> for back to clients?
>>>
>>> Matt
>>>
>>>
>>> James McQuaid wrote:
>>>
>>>> Some of the sites containing the xprmn4u.info injection also include
>>>> "HaCKeD By BeLa & BodyguarD". If you do a corresponding Google
>>>> search, you will see that they have been very busy.
>>>>
>>>>
>>>
>>> --
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>>
>>
>>
>>
>> --
>> James McQuaid
>> http://www.jamesmcquaid.com
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>
>
> --
> Joel Esler joel.esler at sourcefire.com
> [m]
>
>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
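Added example, not code from the thread or from Emerging Threats: a small Python matcher that approximates the content-option semantics of the two rules posted above and runs them over constructed HTTP payloads, to show what each rule must see before it fires and why the `.js` match in the client-side rule adds little selectivity on its own. The payloads and the `.invalid` hostnames are constructed samples.

```python
# Added example, not from the thread: a toy matcher mimicking the "content"
# semantics of the two rules above. Payloads below are constructed samples.

# Each entry mirrors a rule from the post: sid, flow direction and its plain
# content strings. Without nocase or relative modifiers each string only has
# to occur somewhere in the payload, case-sensitively and in any order.
RULES = [
    {"sid": 2008206, "flow": "from_server",
     "contents": [b"HaCKeD By BeLa & BodyguarD", b".js"]},
    {"sid": 2008207, "flow": "to_server",
     "contents": [b"HaCKeD By BeLa & BodyguarD"]},
]

def rule_matches(rule, direction, payload):
    """True when the flow direction fits and every content string is present."""
    if direction != rule["flow"]:
        return False
    return all(pattern in payload for pattern in rule["contents"])

def fired_sids(direction, payload):
    """Return the sids of every rule that would fire on this payload."""
    return [r["sid"] for r in RULES if rule_matches(r, direction, payload)]

# Constructed samples; hostnames use the reserved .invalid TLD.
DEFACED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><!-- HaCKeD By BeLa & BodyguarD -->"
    b'<script src="http://cdn.example.invalid/tracker.js"></script></html>'
)
# A write-up that quotes the defacement string and loads its own script:
# the client-side rule fires here too, which is the false-positive risk
# behind the question of whether matching on ".js" is safe.
WRITEUP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<p>Defaced pages carry the text HaCKeD By BeLa & BodyguarD.</p>"
    b'<script src="/static/site.js"></script>'
)
INJECTED_REQUEST = (
    b"POST /upload.php HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
    b"body=<!-- HaCKeD By BeLa & BodyguarD -->"
)
CLEAN_RESPONSE = b'HTTP/1.1 200 OK\r\n\r\n<html><script src="/app.js"></script></html>'

if __name__ == "__main__":
    print(fired_sids("from_server", DEFACED_RESPONSE))   # [2008206]
    print(fired_sids("from_server", WRITEUP_RESPONSE))   # [2008206]
    print(fired_sids("to_server", INJECTED_REQUEST))     # [2008207]
    print(fired_sids("from_server", CLEAN_RESPONSE))     # []
```

Tightening the client-side rule would mean anchoring the `.js` match to the injected script tag itself (for instance with a distance/within relationship to the defacement string) rather than accepting any `.js` anywhere in the page.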