[Emerging-Sigs] possible FPs for ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request : 2013666

Russell Fulton r.fulton at auckland.ac.nz
Mon Oct 17 18:52:38 EDT 2011


Just started seeing quite a few hits on this rule like this:

GET /main.php?page=d2baefb3a79c2f71 HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://tpnads.com/iframe/jscode.php?zoneid=115&size=760x120&source=nz-shop
Accept-Language: en-NZ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.3; .NET4.0E; Zune 4.7)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: wiekf533.info

All to the same IP:
bluebottle:test rful011$ host wiekf533.info
wiekf533.info has address 89.208.34.116


In the past when I have had hits on this rule and checked the source (local) IP I have invariably found alerts for java exploits -- there are none for this site.  I have no idea what the site is but in the last 24 hours I had just over a 100 IPs trigger this alert.

Russell
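As an added example that is not part of Russell's post or the ET rule set: a small triage helper that reproduces the check he describes, grouping hits on sid 2013666 by destination host and testing whether the same source IPs also raised a Java exploit alert, so uncorroborated clusters (many sources, no Java alerts) stand out as likely false positives. The alert lines, their pipe-separated layout, the placeholder Java sid 9990001 and the assumption that the `?page=` token is 16 hex characters are all constructed for this example.

```python
import re
from collections import defaultdict

BLACKHOLE_SID = 2013666          # sid from the post's subject line
JAVA_SIDS = {9990001}            # placeholder standing in for "java exploit" rule sids
# Assumed token shape, taken from the post's single sample URI (16 hex chars).
PAGE_TOKEN = re.compile(r"[?&]page=([0-9a-f]{16})(?:&|$)")

# Constructed sample alerts (not real log data), one per line:
# sid|src_ip|dst_host|uri -- a simplified shape of an IDS fast-log.
SAMPLE_ALERTS = """\
2013666|10.1.1.10|wiekf533.info|/main.php?page=d2baefb3a79c2f71
2013666|10.1.1.11|wiekf533.info|/main.php?page=0f1e2d3c4b5a6978
2013666|10.1.1.12|wiekf533.info|/main.php?page=abcdef0123456789
2013666|10.1.1.20|corroborated.invalid|/main.php?page=0011223344556677
2013666|10.1.1.21|corroborated.invalid|/main.php?page=8899aabbccddeeff
9990001|10.1.1.20|corroborated.invalid|/placeholder.jar
9990001|10.1.1.21|corroborated.invalid|/placeholder.jar
"""

def parse_alerts(text):
    """Turn the pipe-separated lines into (sid, src, host, uri) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, src, host, uri = line.split("|", 3)
        rows.append((int(sid), src, host, uri))
    return rows

def triage(rows, java_sids=JAVA_SIDS):
    """Per destination host: distinct sources hitting the Blackhole rule,
    and how many of those sources also raised a Java exploit alert."""
    blackhole = defaultdict(set)   # host -> set of source IPs
    java_sources = set()
    for sid, src, host, uri in rows:
        if sid == BLACKHOLE_SID and PAGE_TOKEN.search(uri):
            blackhole[host].add(src)
        elif sid in java_sids:
            java_sources.add(src)
    report = {}
    for host, sources in blackhole.items():
        corroborated = sources & java_sources
        report[host] = {
            "sources": len(sources),
            "with_java_alert": len(corroborated),
            "verdict": "corroborated" if corroborated else "uncorroborated",
        }
    return report
```

A host with many distinct sources and zero corroborating Java alerts is the pattern Russell describes; that is a cue to pull the served content for that host rather than a proof of a false positive.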