[Emerging-Sigs] SEO Exploit Kit Sigs

Eoin Miller eoin.miller at trojanedbinaries.com
Fri Oct 1 11:48:25 EDT 2010


On 10/1/2010 3:00 PM, Eoin Miller wrote:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY SEO Exploit Kit - Landing Page"; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; classtype:bad-unknown; sid:5600164; rev:1;)
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by Java"; content:".php?exp=JavaROX"; http_uri; classtype:bad-unknown; sid:5600165; rev:1;)
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by SMB"; content:".php?exp=SMB"; http_uri; classtype:bad-unknown; sid:5600166; rev:1;)
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by Acrobat"; content:".php?exp=PDF"; http_uri; classtype:bad-unknown; sid:5600167; rev:1;)
Ok, so I screwed this up when posting. Last three sigs need to have the 
src/dst flipped so the bottom sigs are actually correct:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY SEO Exploit Kit - Landing Page"; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; classtype:bad-unknown; sid:5600164; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by Java"; content:".php?exp=JavaROX"; http_uri; classtype:bad-unknown; sid:5600165; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by SMB"; content:".php?exp=SMB"; http_uri; classtype:bad-unknown; sid:5600166; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by Acrobat"; content:".php?exp=PDF"; http_uri; classtype:bad-unknown; sid:5600167; rev:1;)

-- Eoin
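The correction above comes down to one rule: `http_uri` matches the request buffer, which only exists in client-to-server traffic, so a rule using it has to be written $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS, while the landing-page rule inspects the server's response and stays $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any. The following lint is an added example, not code from the post or from Emerging Threats; it parses Snort rule headers and flags request-buffer rules whose direction is reversed, using a constructed sample in which the corrected Java rule is given an assumed rev:2 to tell it apart from the mis-posted one.

```python
import re

# Constructed sample (not the post verbatim): the landing-page rule, the
# Java rule as first posted (direction reversed) and the corrected Java rule.
RULES = r"""
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY SEO Exploit Kit - Landing Page"; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; classtype:bad-unknown; sid:5600164; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by Java"; content:".php?exp=JavaROX"; http_uri; classtype:bad-unknown; sid:5600165; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID DRIVEBY SEO Exploit Kit - client exploited by Java"; content:".php?exp=JavaROX"; http_uri; classtype:bad-unknown; sid:5600165; rev:2;)
"""

HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Modifiers that select HTTP request buffers; they only exist client -> server.
REQUEST_MODIFIERS = {"http_uri", "http_raw_uri", "http_method", "http_client_body"}

def parse_rule(line):
    """Split one Snort rule into header fields and its option keywords."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    rule = m.groupdict()
    # Blank out quoted strings so a ';' inside content:"..." cannot split options.
    opts = re.sub(r'"(?:\\.|[^"\\])*"', '""', rule["opts"])
    rule["keywords"] = [o.split(":", 1)[0].strip() for o in opts.split(";") if o.strip()]
    for key in ("sid", "rev"):
        found = re.search(r"\b%s:(\d+)" % key, rule["opts"])
        rule[key] = int(found.group(1)) if found else None
    return rule

def direction_problems(rule):
    """Return findings for a rule whose header contradicts its buffers."""
    request_mods = REQUEST_MODIFIERS.intersection(rule["keywords"])
    if not request_mods or rule["dir"] != "->":
        return []
    if rule["src"] == "$HOME_NET" and rule["dport"] == "$HTTP_PORTS":
        return []
    return ["sid %s rev %s: %s used on %s %s -> %s %s; request buffers need "
            "$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"
            % (rule["sid"], rule["rev"], ",".join(sorted(request_mods)),
               rule["src"], rule["sport"], rule["dst"], rule["dport"])]

def lint(rules_text):
    findings = []
    for line in rules_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            findings.extend(direction_problems(parse_rule(line)))
    return findings
```

Running `lint(RULES)` reports only the rev:1 Java rule; the landing-page rule passes because it uses no request-buffer modifier.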
