[Emerging-Sigs] StillSecure: 10 New Signatures - October 7th, 2011

signatures signatures at stillsecure.com
Fri Oct 7 05:00:48 EDT 2011


Hi Matt,

Please find the 10 signatures below,

1. WEB-PHP iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1"; flow:established,to_server; uricontent:"/ibrowser/scripts/random.php?"; nocase; uricontent:"dir="; nocase; pcre:"/dir\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/105196; sid:0510111; rev:1;)

2. WEB-PHP Wordpress Zingiri webshop plugin Remote File inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Wordpress Zingiri webshop plugin Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php?"; nocase; uricontent:"wpabspath="; nocase; pcre:"/wpabspath=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/105237/wpzingiri-rfi.txt; sid:0410111; rev:1;)

3. WEB-PHP Mambo AHS Shop component SELECT FROM SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo AHS Shop component SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_ahsshop"; nocase; uricontent:"flokkur="; nocase; uricontent:"SELECT"; nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; sid:0410112; rev:1;)

4. WEB-PHP Mambo AHS Shop component DELETE FROM SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo AHS Shop component DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_ahsshop"; nocase; uricontent:"flokkur="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; sid:0410113; rev:1;)

5. WEB-PHP Mambo AHS Shop component UNION SELECT SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo AHS Shop component UNION SELECT SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_ahsshop"; nocase; uricontent:"flokkur="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; sid:0410114; rev:1;)

6. WEB-PHP Mambo AHS Shop component INSERT INTO SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo AHS Shop component INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_ahsshop"; nocase; uricontent:"flokkur="; nocase; uricontent:"INSERT"; nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; sid:0410115; rev:1;)

7. WEB-PHP Mambo AHS Shop component UPDATE SET SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo AHS Shop component UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_ahsshop"; nocase; uricontent:"flokkur="; nocase; uricontent:"UPDATE"; nocase; uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt; sid:0410116; rev:1;)

8. VIRUS Trojan Win32.Swisyn Reporting
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"VIRUS Trojan Win32.Swisyn Reporting"; flow:to_server,established; content:"/Qvodav.exe"; nocase; content:"User-Agent|3a| Av_DVD"; nocase; classtype:trojan-activity; reference:url,precisesecurity.com/worms/trojan-win32-swisyn-algm; sid:05101113; rev:1;)

9. WEB-PHP Joomla Redirect Component view Parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla Redirect Component view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_redirect"; nocase; uricontent:"view="; nocase; content:"|2e 2e 2f|"; nocase; depth:200; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/96608/joomlaredirect-lfi.txt; sid:3009111; rev:1;)

10. WEB-PHP iBrowser Plugin dir Parameter Cross Site Scripting Attempt-2
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP iBrowser Plugin dir Parameter Cross Site Scripting Attempt-2"; flow:established,to_server; uricontent:"/phpThumb.demo.random.php?"; nocase; uricontent:"dir="; nocase; pcre:"/dir\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/105196; sid:0510112; rev:1;)

Looking forward to your comments if any,

Thanks & Regards,
StillSecure
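
Added example, not part of the original post and not StillSecure's code: a small Python regression check that replays the uricontent strings and PCREs of signatures 1, 2 and 3 against constructed request URIs, so hits on benign traffic show up before the rules are deployed. It assumes percent-decoding is a close enough stand-in for Snort's URI normalization; the sample URIs and the helper names are hypothetical.

```python
import re
from urllib.parse import unquote

ZINGIRI = "/wp-content/plugins/zingiri-web-shop/fws/ajax/init.inc.php?"
IBROWSER = "/ibrowser/scripts/random.php?"
AHSSHOP = "/index.php?option=com_ahsshop&flokkur="

# uricontent strings and PCRE bodies copied from signatures 1, 2 and 3.
# The "GET " content check and the flow options are not modelled here.
RULES = {
    "ibrowser-xss-1": (
        [IBROWSER, "dir="],
        r"dir\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload"
        r"|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset"
        r"|onselect|onchange|style\x3D)",
    ),
    "zingiri-rfi": (
        [ZINGIRI, "wpabspath="],
        r"wpabspath=\s*(ftps?|https?|php)\:\/",
    ),
    "ahsshop-select-from": (
        ["/index.php?", "option=com_ahsshop", "flokkur=", "SELECT", "FROM"],
        r"SELECT.+FROM",
    ),
}

# Constructed samples: (rule, raw request URI, request is hostile?)
SAMPLES = [
    ("ibrowser-xss-1", IBROWSER + "dir=%22%3E%3Cscript%3E", True),
    ("ibrowser-xss-1", IBROWSER + "dir=images/manuscripts", False),
    ("ibrowser-xss-1", IBROWSER + "dir=images/banners", False),
    ("zingiri-rfi", ZINGIRI + "wpabspath=http://host.invalid/", True),
    ("zingiri-rfi", ZINGIRI + "wpabspath=/var/www/wordpress/", False),
    ("ahsshop-select-from", AHSSHOP + "1%20select%20name%20from%20t", True),
    ("ahsshop-select-from", AHSSHOP + "selected-items-from-catalog", False),
]

def fires(rule, uri):
    """True if every uricontent (nocase) and the PCRE (/Ui) match the URI."""
    contents, pcre = RULES[rule]
    buf = unquote(uri)  # assumption: stands in for Snort's URI normalization
    low = buf.lower()
    return (all(c.lower() in low for c in contents)
            and re.search(pcre, buf, re.IGNORECASE) is not None)

def false_positives():
    """Benign samples on which a rule fires."""
    return [(r, u) for r, u, hostile in SAMPLES if not hostile and fires(r, u)]

def missed():
    """Hostile samples on which the rule stays silent."""
    return [(r, u) for r, u, hostile in SAMPLES if hostile and not fires(r, u)]
```

On these samples the two benign URIs containing "manuscripts" and "selected-items-from-catalog" fire, because the PCREs match the keywords as substrings anywhere after the parameter name.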
