[Emerging-Sigs] Emerging Threats Daily Signature Changes

emerging@emergingthreats.net
Sat Jan 3 16:00:10 EST 2009


[***] Results from Oinkmaster started Sat Jan  3 16:00:10 2009 [***]

[+++]          Added rules:          [+++]

 2008961 - ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion (emerging-web_sql_injection.rules)
 2008963 - ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow (emerging-web.rules)
 2008964 - ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2008965 - ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2008966 - ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2008967 - ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2008968 - ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2008969 - ET WEB_SPECIFIC ccTiddly include.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2008970 - ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion (emerging-web_sql_injection.rules)
 2008982 - ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion (emerging-web_sql_injection.rules)


[///]     Modified active rules:     [///]

 2007962 - ET TROJAN Vipdataend C&C Traffic - Checkin (emerging-virus.rules)
 2007963 - ET TROJAN Vipdataend C&C Traffic - Status OK (emerging-virus.rules)
 2007964 - ET TROJAN Vipdataend C&C Traffic - Server Status OK (emerging-virus.rules)
 2007970 - ET TROJAN Vipdataend C&C Traffic - Checkin (XY) (emerging-virus.rules)
 2008223 - ET TROJAN Vipdataend C&C Traffic - Checkin (FYWL) (emerging-virus.rules)
 2008224 - ET TROJAN Vipdataend C&C Traffic - Checkin (XYLL) (emerging-virus.rules)
 2008254 - ET TROJAN Vipdataend/Ceckno C&C Traffic - Checkin (emerging-virus.rules)
 2008334 - ET TROJAN Beizhu/Womble/Vipdataend Checking in with Controller (emerging-virus.rules)
 2008335 - ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive (emerging-virus.rules)


[+++]      Added non-rule lines:     [+++]

     -> Added to emerging-sid-msg.map (12):
        2008961 || ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
        2008963 || ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow || url,milw0rm.com/exploits/7402 || bugtraq,32722
        2008964 || ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
        2008965 || ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
        2008966 || ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008967 || ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008968 || ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008969 || ET WEB_SPECIFIC ccTiddly include.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008970 || ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
        2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

     -> Added to emerging-sid-msg.map.txt (12):
        2008961 || ET WEB_SPECIFIC PHPmyGallery lang parameter Local File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
        2008963 || ET WEB_ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow || url,milw0rm.com/exploits/7402 || bugtraq,32722
        2008964 || ET WEB_SPECIFIC lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
        2008965 || ET WEB_SPECIFIC lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion || bugtraq,32647 || url,milw0rm.com/exploits/7341
        2008966 || ET WEB_SPECIFIC ccTiddly index.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008967 || ET WEB_SPECIFIC ccTiddly proxy.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008968 || ET WEB_SPECIFIC ccTiddly header.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008969 || ET WEB_SPECIFIC ccTiddly include.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008970 || ET WEB_SPECIFIC ccTiddly workspace.php cct_base parameter Remote File Inclusion || url,secunia.com/Advisories/32995/ || url,www.milw0rm.com/exploits/7336
        2008982 || ET WEB_SPECIFIC PHPmyGallery confdir parameter Remote File Inclusion || bugtraq,32705 || url,milw0rm.com/exploits/7392
        2500064 || ET COMPROMISED Known Compromised or Hostile Host Traffic (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts
        2510064 || ET COMPROMISED Known Compromised or Hostile Host Traffic - BLOCKING (65) || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts

[---]     Removed non-rule lines:    [---]

     -> Removed from emerging-sid-msg.map (26):
        2404006 || ET DROP Known Bot C&C Server Traffic (group 7)  || url,www.shadowserver.org
        2404007 || ET DROP Known Bot C&C Server Traffic (group 8)  || url,www.shadowserver.org
        2404008 || ET DROP Known Bot C&C Server Traffic (group 9)  || url,www.shadowserver.org
        2404009 || ET DROP Known Bot C&C Server Traffic (group 10)  || url,www.shadowserver.org
        2404010 || ET DROP Known Bot C&C Server Traffic (group 11)  || url,www.shadowserver.org
        2404011 || ET DROP Known Bot C&C Server Traffic (group 12)  || url,www.shadowserver.org
        2404012 || ET DROP Known Bot C&C Server Traffic (group 13)  || url,www.shadowserver.org
        2404013 || ET DROP Known Bot C&C Server Traffic (group 14)  || url,www.shadowserver.org
        2404014 || ET DROP Known Bot C&C Server Traffic (group 15)  || url,www.shadowserver.org
        2404015 || ET DROP Known Bot C&C Server Traffic (group 16)  || url,www.shadowserver.org
        2404016 || ET DROP Known Bot C&C Server Traffic (group 17)  || url,www.shadowserver.org
        2404017 || ET DROP Known Bot C&C Server Traffic (group 18)  || url,www.shadowserver.org
        2404018 || ET DROP Known Bot C&C Server Traffic (group 19)  || url,www.shadowserver.org
        2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
        2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
        2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
        2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
        2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
        2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
        2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
        2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
        2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
        2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
        2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
        2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
        2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org

     -> Removed from emerging-sid-msg.map.txt (26):
        2404006 || ET DROP Known Bot C&C Server Traffic (group 7)  || url,www.shadowserver.org
        2404007 || ET DROP Known Bot C&C Server Traffic (group 8)  || url,www.shadowserver.org
        2404008 || ET DROP Known Bot C&C Server Traffic (group 9)  || url,www.shadowserver.org
        2404009 || ET DROP Known Bot C&C Server Traffic (group 10)  || url,www.shadowserver.org
        2404010 || ET DROP Known Bot C&C Server Traffic (group 11)  || url,www.shadowserver.org
        2404011 || ET DROP Known Bot C&C Server Traffic (group 12)  || url,www.shadowserver.org
        2404012 || ET DROP Known Bot C&C Server Traffic (group 13)  || url,www.shadowserver.org
        2404013 || ET DROP Known Bot C&C Server Traffic (group 14)  || url,www.shadowserver.org
        2404014 || ET DROP Known Bot C&C Server Traffic (group 15)  || url,www.shadowserver.org
        2404015 || ET DROP Known Bot C&C Server Traffic (group 16)  || url,www.shadowserver.org
        2404016 || ET DROP Known Bot C&C Server Traffic (group 17)  || url,www.shadowserver.org
        2404017 || ET DROP Known Bot C&C Server Traffic (group 18)  || url,www.shadowserver.org
        2404018 || ET DROP Known Bot C&C Server Traffic (group 19)  || url,www.shadowserver.org
        2405006 || ET DROP Known Bot C&C Traffic (group 7) - BLOCKING SOURCE || url,www.shadowserver.org
        2405007 || ET DROP Known Bot C&C Traffic (group 8) - BLOCKING SOURCE || url,www.shadowserver.org
        2405008 || ET DROP Known Bot C&C Traffic (group 9) - BLOCKING SOURCE || url,www.shadowserver.org
        2405009 || ET DROP Known Bot C&C Traffic (group 10) - BLOCKING SOURCE || url,www.shadowserver.org
        2405010 || ET DROP Known Bot C&C Traffic (group 11) - BLOCKING SOURCE || url,www.shadowserver.org
        2405011 || ET DROP Known Bot C&C Traffic (group 12) - BLOCKING SOURCE || url,www.shadowserver.org
        2405012 || ET DROP Known Bot C&C Traffic (group 13) - BLOCKING SOURCE || url,www.shadowserver.org
        2405013 || ET DROP Known Bot C&C Traffic (group 14) - BLOCKING SOURCE || url,www.shadowserver.org
        2405014 || ET DROP Known Bot C&C Traffic (group 15) - BLOCKING SOURCE || url,www.shadowserver.org
        2405015 || ET DROP Known Bot C&C Traffic (group 16) - BLOCKING SOURCE || url,www.shadowserver.org
        2405016 || ET DROP Known Bot C&C Traffic (group 17) - BLOCKING SOURCE || url,www.shadowserver.org
        2405017 || ET DROP Known Bot C&C Traffic (group 18) - BLOCKING SOURCE || url,www.shadowserver.org
        2405018 || ET DROP Known Bot C&C Traffic (group 19) - BLOCKING SOURCE || url,www.shadowserver.org


