[Emerging-Sigs] [PHI] [Domain Keys] Blackhole served via Yahoo

Martin Holste mcholste at gmail.com
Mon Dec 17 09:20:17 HAST 2012


Sure, seeing the MZ from 042395.com /dl.exe and Java.jar from
blogsmithmedia.net.


On Mon, Dec 17, 2012 at 1:11 PM, Nathan <nathan at packetmail.net> wrote:

> On Mon, 17 Dec 2012 12:57:57 -0600 Martin Holste <mcholste at gmail.com> wrote:
>
> > ...  Is anyone else seeing hits for these?
>
> SELECT distinct url,dest_ip FROM webwasher_full
>   where day>='2012-12-01' and http_status <> '407'
>   and dest_ip rlike '98\\.139\\.135\\.2[1-2]' and url like '%.jar%'
>
> SELECT distinct url,dest_ip FROM webwasher_full
>   where day>='2012-12-01' and http_status <> '407'
>   and lower(url) like '%/java.jar%'
>
> Nada.  Can you share a specific URL?
>
> Also, sig has a "nocase;" on fast_pattern:only
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015487; rev:7;)
>
>
>
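Added example, not part of the thread or of the ET ruleset: a small Python evaluator that parses the content options of the quoted signature (including the nocase Nathan points at) and runs them against constructed HTTP requests, showing that the mixed-case /Java.jar fetch Martin describes fires the rule only when the request also carries a Java user agent. Host names and request samples are constructed.

```python
import re
# Constructed single-line copy of the signature quoted in the thread (sid:2015487 rev:7).
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS '
    'Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; '
    'content:"/java.jar"; http_uri; nocase; fast_pattern:only; '
    'content:" Java/1"; http_header; classtype:trojan-activity; sid:2015487; rev:7;)'
)

# One rule option: a name, an optional ":value" (quoted or bare), and the closing ';'.
OPT_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
MODIFIERS = {"http_uri", "http_header", "nocase", "fast_pattern"}
def parse_contents(rule):
    """Return each content: option together with the modifiers that follow it."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents = []
    for name, value in OPT_RE.findall(body):
        if name == "content":
            contents.append({"pattern": value.strip('"'), "buffer": "payload",
                             "nocase": False, "fast_pattern": None})
        elif name in MODIFIERS and contents:
            cur = contents[-1]
            if name == "nocase":
                cur["nocase"] = True          # case-insensitive compare for this content only
            elif name == "fast_pattern":
                cur["fast_pattern"] = value or "set"
            else:
                cur["buffer"] = name          # http_uri or http_header
    return contents

def rule_matches(rule, uri, headers):
    """True when every content: option matches its buffer of a to-server request.
    fast_pattern:only only steers matcher selection, so it is recorded, not evaluated."""
    buffers = {"http_uri": uri, "http_header": headers, "payload": uri + "\r\n" + headers}
    for c in parse_contents(rule):
        hay, needle = buffers[c["buffer"]], c["pattern"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

# Constructed requests: applet fetch from a Java UA, a browser fetching the same path, dl.exe.
JAVA_HDRS = "Host: example.invalid\r\nUser-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_07\r\n"
BROWSER_HDRS = "Host: example.invalid\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Firefox/17.0\r\n"
SAMPLES = [("/Java.jar", JAVA_HDRS), ("/java.jar", BROWSER_HDRS), ("/dl.exe", JAVA_HDRS)]
if __name__ == "__main__":
    for uri, hdrs in SAMPLES:
        print(uri, "->", "ALERT" if rule_matches(RULE, uri, hdrs) else "no match")
```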