[Emerging-Sigs] StillSecure: 10 New Signatures - Oct 29th, 2010

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 29 15:59:26 EDT 2010


Posting, thanks!

Matt

On Oct 29, 2010, at 3:13 AM, signatures wrote:

> Hi Matt,
> 
> Please find the 10 signatures below,
> 
> 1. WEB-PHP DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"dbhcms_pid="; nocase; uricontent:"editmenu="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/15309/; sid:20101096; rev:1;)
> 
> 2. WEB-PHP DBHcms editmenu Parameter DELETE FROM SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DBHcms editmenu Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"dbhcms_pid="; nocase; uricontent:"editmenu="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/15309/; sid:20101097; rev:1;)
> 
> 3. WEB-PHP DBHcms editmenu Parameter UNION SELECT SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DBHcms editmenu Parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"dbhcms_pid="; nocase; uricontent:"editmenu="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/15309/; sid:20101098; rev:1;)
> 
> 4. WEB-PHP DBHcms editmenu Parameter INSERT INTO SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DBHcms editmenu Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"dbhcms_pid="; nocase; uricontent:"editmenu="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/15309/; sid:20101099; rev:1;)
> 
> 5. WEB-PHP DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"dbhcms_pid="; nocase; uricontent:"editmenu="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/15309/; sid:20101100; rev:1;)
> 
> 6. WEB-PHP phpBazar picturelib.php Remote File inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpBazar picturelib.php Remote File inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/bazar/picturelib.php?"; nocase; uricontent:"cat="; nocase; pcre:"/cat=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:cve,CVE-2010-2315; reference:url,exploit-db.com/exploits/12855/; sid:201110; rev:1;)
> 
> 7. WEB-PHP Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/mw_plugin.php?"; nocase; uricontent:"IP="; nocase; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/11903/; sid:20101101; rev:1;)
> 
> 8. WEB-PHP Open Web Analytics owa_action Parameter Local File inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Open Web Analytics owa_action Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"owa_action="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,exploit-db.com/exploits/11903/; sid:20101102; rev:1;)
> 
> 9. WEB-PHP Open Web Analytics owa_do Parameter Local File inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Open Web Analytics owa_do Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"owa_do="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,exploit-db.com/exploits/11903/; sid:20101103; rev:1;)
> 
> 10. WEB-PHP iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/admin/loadplugin.php?"; nocase; uricontent:"load="; nocase; content:"../"; depth:200; classtype:web-application-attack; reference:url,packetstormsecurity.org/1010-exploits/igamingcms-lfi.txt; sid:2010112; rev:1;)
> 
> 
> Looking forward to your comments, if any.
> 
> 
> Thanks & Regards,
> StillSecure
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
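
A pre-merge sanity check for a batch like the one quoted above, as an added example that is not part of the original thread: it parses rule options, flags sids whose length differs from the rest of the batch, and evaluates the URI-buffer options against a test URI. The helper names and the abridged rule strings are assumptions made for illustration; the sids, uricontent and pcre values are copied from the post.

```python
import re
from collections import Counter

# Abridged copies of rules 3 and 6 from the post: header, flow, content,
# classtype and reference options dropped, msg shortened (constructed input).
RULES = [
    '(msg:"DBHcms UNION SELECT"; uricontent:"/index.php?"; nocase; '
    'uricontent:"dbhcms_pid="; nocase; uricontent:"editmenu="; nocase; '
    'uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; '
    'pcre:"/UNION.+SELECT/Ui"; sid:20101098; rev:1;)',
    '(msg:"phpBazar RFI"; uricontent:"/bazar/picturelib.php?"; nocase; '
    'uricontent:"cat="; nocase; '
    r'pcre:"/cat=\s*(ftps?|https?|php)\:\//Ui"; sid:201110; rev:1;)',
]
# The ten sids exactly as posted, in order.
POSTED_SIDS = ["20101096", "20101097", "20101098", "20101099", "20101100",
               "201110", "20101101", "20101102", "20101103", "2010112"]

# keyword, then an optional quoted (backslash-escape aware) or bare value
OPT = re.compile(r'\s*(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;')

def parse_options(rule):
    """Return the rule's options as ordered (keyword, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(k, v[1:-1] if v.startswith('"') else v) for k, v in OPT.findall(body)]

def odd_sids(sids):
    """Flag sids whose digit count differs from the batch majority."""
    usual = Counter(len(s) for s in sids).most_common(1)[0][0]
    return [s for s in sids if len(s) != usual]

def uri_matches(rule, uri):
    """Evaluate only the uricontent and U-flagged pcre options against a URI."""
    opts = parse_options(rule)
    for i, (key, val) in enumerate(opts):
        if key == "uricontent":
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay, needle = (uri.lower(), val.lower()) if nocase else (uri, val)
            if needle not in hay:
                return False
        elif key == "pcre":
            expr, flags = val[1:].rsplit("/", 1)  # "/expr/flags" -> expr, flags
            if "U" in flags and not re.search(expr, uri, re.I if "i" in flags else 0):
                return False
    return True
```

`odd_sids(POSTED_SIDS)` returns the two sids that are shorter than the other eight, which is worth confirming with the submitter before the rules are committed.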
