[Emerging-Sigs] StillSecure: 10 New Signatures - Oct 22nd, 2010

signatures signatures at stillsecure.com
Fri Oct 22 05:26:01 EDT 2010


Hi Matt,

Please find 10 New Signatures below:

1. WEB-PHP 724CMS section.php Module Parameter Local File inclusion Attempt
# Alerts on an established client-to-server flow whose payload starts with "GET ", whose URI
# contains /section.php? plus all of Module_Text=, ID=, Lang=, Nav= and Module= (any case, any
# order), and whose first 200 payload bytes contain a literal "../".
# Review notes: the rule depends on all five parameter names being present; consider whether
# Module= alone should be sufficient. The "../" test runs on the raw request bytes, is not bound
# to the Module value, and sees only the literal sequence within the first 200 bytes. Only GET
# is inspected. On engines that deprecate uricontent, the equivalent form is content with http_uri.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP 724CMS section.php Module Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/section.php?"; nocase; uricontent:"Module_Text="; nocase; uricontent:"ID="; nocase; uricontent:"Lang="; nocase; uricontent:"Nav="; nocase; uricontent:"Module="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,packetstormsecurity.org/1005-exploits/724cms459-lfi.txt; sid:20101082; rev:1;)

2. WEB-PHP MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)
# Alerts on a GET request (payload begins "GET ") on an established client-to-server flow whose
# URI contains /classes/flash_mp3_player/extras/external_feeds/getfeed.php? and file= (any case),
# with a literal "../" somewhere in the first 200 payload bytes.
# Review notes: the "../" match is a raw-payload test limited to 200 bytes and is not tied to the
# file= value, so it can fire on a traversal sequence elsewhere in the request line and will not
# see the sequence past that offset or in a non-literal form. Requests using other methods are
# outside this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classes/flash_mp3_player/extras/external_feeds/getfeed.php?"; nocase; uricontent:"file="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/12674; sid:20101080; rev:1;)

3. WEB-PHP MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)
# Same detection logic as sid 20101080, differing only in the directory name: the URI must contain
# /classes/flash_mp3_player.23/extras/external_feeds/getfeed.php? and file= (any case), the payload
# must begin with "GET ", and a literal "../" must appear within the first 200 payload bytes.
# Review notes: the directory name is matched as a fixed string, so any other versioned directory
# needs its own rule or a pcre. The "../" check is on raw bytes, limited to 200, and not bound to
# the file= value.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/classes/flash_mp3_player.23/extras/external_feeds/getfeed.php?"; nocase; uricontent:"file="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/12674; sid:20101081; rev:1;)

4. WEB-PHP CMS Board site_path Parameter Remote File Inclusion Attempt
# Alerts on a GET request on an established client-to-server flow whose URI contains
# /include/admin.lib.inc.php? and site_path= (any case), and where the URI buffer (pcre /U,
# case-insensitive) shows site_path= followed by optional whitespace and one of the schemes
# ftp, ftps, http, https or php, then ":/".
# Review notes: only the five listed schemes are covered, and only when the scheme directly
# follows the "=" (apart from whitespace). Only GET is inspected; a site_path value sent in a
# request body is not evaluated.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP CMS Board site_path Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/include/admin.lib.inc.php?"; nocase; uricontent:"site_path="; nocase; pcre:"/site_path=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/1010-exploits/cmsboard-rfi.txt; sid:20101079; rev:1;)

5. WEB-PHP OvBB admincp.php smilieid Parameter SELECT FROM SQL Injection Attempt
# Alerts on a GET request on an established client-to-server flow whose URI contains
# /admincp.php?, section=smilies, action=edit and smilieid= (any case, any order), plus the
# words SELECT and FROM, with SELECT followed by at least one character and then FROM
# (pcre /U, case-insensitive).
# Review notes: neither the keyword matches nor the pcre are anchored to the smilieid value, so
# SELECT ... FROM anywhere in the URI satisfies the rule. The keywords are plain substring
# matches without word boundaries. Only GET is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OvBB admincp.php smilieid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admincp.php?"; nocase; uricontent:"section=smilies"; nocase; uricontent:"action=edit"; nocase; uricontent:"smilieid="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/14205; sid:20101074; rev:1;)

6. WEB-PHP OvBB admincp.php smilieid Parameter DELETE FROM SQL Injection Attempt
# DELETE ... FROM variant for the OvBB admincp.php smilieid parameter. Requires a payload that
# begins "GET ", a URI containing /admincp.php?, section=smilies, action=edit and smilieid=
# (any case), the substrings DELETE and FROM, and a URI-buffer pcre match of DELETE followed by
# one or more characters and FROM (case-insensitive).
# Review notes: the DELETE/FROM checks apply to the whole URI, not specifically to the text after
# smilieid=. Matching is substring-based, so expect to tune against legitimate admin traffic if
# the application is in use. Only GET is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OvBB admincp.php smilieid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admincp.php?"; nocase; uricontent:"section=smilies"; nocase; uricontent:"action=edit"; nocase; uricontent:"smilieid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/14205; sid:20101075; rev:1;)

7. WEB-PHP OvBB admincp.php smilieid Parameter UNION SELECT SQL Injection Attempt
# UNION ... SELECT variant for the OvBB admincp.php smilieid parameter. Fires on an established
# client-to-server flow when the payload begins "GET ", the URI contains /admincp.php?,
# section=smilies, action=edit and smilieid= (any case), both UNION and SELECT are present, and
# the URI buffer matches UNION, at least one character, then SELECT (case-insensitive).
# Review notes: ".+" needs at least one character between the two keywords but places no limit
# on what or how much, and the match is not anchored to the smilieid value. Only GET is
# inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OvBB admincp.php smilieid Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admincp.php?"; nocase; uricontent:"section=smilies"; nocase; uricontent:"action=edit"; nocase; uricontent:"smilieid="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/14205; sid:20101076; rev:1;)
 
8. WEB-PHP OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt       
# UPDATE ... SET variant for the OvBB admincp.php smilieid parameter. Requires a "GET " payload
# prefix, a URI containing /admincp.php?, section=smilies, action=edit and smilieid= (any case),
# the substrings UPDATE and SET, and a URI-buffer pcre match of UPDATE, one or more characters,
# then SET (case-insensitive).
# Review notes: "SET" is a three-character substring match with no word boundary, so it also
# matches inside longer tokens; this rule is the most likely of the OvBB set to need tuning.
# The checks are not bound to the smilieid value. Only GET is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admincp.php?"; nocase; uricontent:"section=smilies"; nocase; uricontent:"action=edit"; nocase; uricontent:"smilieid="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/14205; sid:20101077; rev:1;)

9. WEB-PHP OvBB admincp.php smilieid Parameter INSERT INTO SQL Injection Attempt
# INSERT ... INTO variant for the OvBB admincp.php smilieid parameter. Fires when the payload
# begins "GET ", the URI contains /admincp.php?, section=smilies, action=edit and smilieid=
# (any case), the substrings INSERT and INTO are present, and the URI buffer matches INSERT,
# at least one character, then INTO (case-insensitive).
# Review notes: the keyword and pcre checks cover the whole URI rather than the smilieid value,
# and are substring matches without word boundaries. Only GET is inspected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OvBB admincp.php smilieid Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admincp.php?"; nocase; uricontent:"section=smilies"; nocase; uricontent:"action=edit"; nocase; uricontent:"smilieid="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,inj3ct0r.com/exploits/14205; sid:20101078; rev:1;)

10. WEB-PHP A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt
# Alerts on a GET request on an established client-to-server flow whose URI contains
# /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php? and
# mosConfig_live_site= (any case), and where the URI buffer shows mosConfig_live_site= followed
# by optional whitespace and a scheme of ftp, ftps, http, https or php, then ":/".
# References on the rule: Bugtraq 19198 and CVE-2006-3930.
# Review notes: coverage is limited to the five listed schemes appearing directly after the "=".
# Only GET is inspected; the same parameter supplied by another method is not evaluated.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?"; nocase; uricontent:"mosConfig_live_site="; nocase; pcre:"/mosConfig_live_site=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:bugtraq,19198; reference:cve,CVE-2006-3930; sid:20101070; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
