[Emerging-Sigs] SIG: ET TROJAN Linux/Chapro.A Malicious Apache Module CnC Beacon

Kevin Ross kevross33 at googlemail.com
Tue Dec 18 12:17:59 HAST 2012


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Linux/Chapro.A Malicious Apache Module CnC Beacon";
flow:established,to_server; content:"POST"; http_method;
content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2;
content:"&version="; http_client_body; distance:0; content:"&uname=";
fast_pattern; http_client_body; distance:0; classtype:trojan-activity;
reference:url,
blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a;
sid:139991; rev:1;)

Regards,
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20121218/9a1d2114/attachment.html>


More information about the Emerging-sigs mailing list