[Emerging-Sigs] Blackhole HCP sig

Matthew Jonkman jonkman at emergingthreatspro.com
Sun Oct 9 22:38:58 EDT 2011


Thanks! Will get it posted.

Matt



On Oct 9, 2011, at 8:07 PM, "harry.tuttle" <harry.tuttle at zoho.com> wrote:

> URI structure du jour.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2\.php\?c=\d+$/U"; classtype:bad-unknown; sid:nnnnnnn; rev:1;)
> 
> Currently live example:
> hxxp://signal.paycheckinaction.com/content/pch2.php?c=9
> 
> Serving up a Fake AV which in turn hits 2010382.
> 
> Regards,
> Harry
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
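The following is an added worked example, not code from the thread or from the Emerging Threats ruleset. It emulates the two-stage logic of the proposed rule (fast-pattern content match on the URI buffer, then the PCRE against the same buffer, as the `/U` modifier requests) over a few constructed URIs, and shows why the backslash escapes in the PCRE matter: the unescaped form that sometimes survives copy-and-paste, `pch2.php?c=d+$`, makes the `p` optional and looks for literal `d` characters, so it never fires on the live example. The sample URIs are constructed for illustration; only `/content/pch2.php?c=9` comes from the report itself.

```python
import re

# Content match from the rule; Snort requires this before evaluating the pcre.
CONTENT_MATCH = "/pch2.php?c="

# Intended PCRE: literal dot, literal '?', one or more digits, end of URI.
PCRE_ESCAPED = re.compile(r"pch2\.php\?c=\d+$")

# Unescaped variant (assumed copy-and-paste damage): '.' is any char,
# 'p?' is optional, 'd+' means one or more literal 'd's.
PCRE_UNESCAPED = re.compile(r"pch2.php?c=d+$")


def rule_matches(uri, pattern=PCRE_ESCAPED):
    """Emulate the rule against a normalized HTTP request URI.

    Both stages must hit: the content keyword is a plain substring test on
    the http_uri buffer, and the pcre with /U runs on that same buffer.
    """
    if CONTENT_MATCH not in uri:
        return False
    return pattern.search(uri) is not None


# Constructed sample URIs (not captured traffic), with expected outcome.
SAMPLE_URIS = [
    "/content/pch2.php?c=9",       # live example from the report: alert
    "/content/pch2.php?c=12",      # multi-digit counter: alert
    "/content/pch2.php?c=9&x=1",   # trailing parameter: '$' anchor rejects
    "/content/pch2.php?c=abc",     # non-numeric value: '\d+' rejects
    "/content/pch2.php",           # no parameter: content match fails
]


def evaluate(uris=SAMPLE_URIS, pattern=PCRE_ESCAPED):
    """Return {uri: alert?} for each sample URI under the given pcre."""
    return {u: rule_matches(u, pattern) for u in uris}


if __name__ == "__main__":
    for uri, hit in evaluate().items():
        print(f"{'ALERT' if hit else 'pass '} {uri}")
    # The unescaped pattern cannot match "c=9" at all, so the rule would
    # silently miss the very URI it was written for.
    print("unescaped pcre on live URI:",
          rule_matches("/content/pch2.php?c=9", PCRE_UNESCAPED))
```

When testing a rule like this, run the PCRE on its own against the known-good URI before deploying; a content match that fires while the pcre never does is the usual symptom of lost escapes.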

