[Emerging-updates] Daily Update Summary 4/11/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Apr 11 15:56:01 EDT 2011


We're all caught up on open and pro signatures today, and now we're digging into the MS vulnerabilities for Patch Tuesday. There are 64 total, although not all are IDS-visible. We'll provide much more information at release time tomorrow, about 10:30am Eastern time.


[+++]          Added rules:          [+++]

 2012651 - ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012652 - ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012653 - ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012654 - ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012655 - ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012656 - ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012657 - ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012658 - ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt (web_specific_apps.rules)
 2012659 - ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt (web_specific_apps.rules)
 2012660 - ET WEB_SPECIFIC_APPS Portel patron Parameter Blind SQL Injection Attempt (web_specific_apps.rules)
 2012661 - ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012662 - ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012663 - ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012664 - ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012665 - ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012666 - ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt (web_specific_apps.rules)
 2012667 - ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt (web_specific_apps.rules)
 2012668 - ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012669 - ET WEB_SPECIFIC_APPS ClanSphere 'CKEditorFuncNum' parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012670 - ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012672 - ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT (web_specific_apps.rules)
 2012673 - ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UNION SELECT (web_specific_apps.rules)
 2012674 - ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa INSERT (web_specific_apps.rules)
 2012675 - ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa DELETE (web_specific_apps.rules)
 2012676 - ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa ASCII (web_specific_apps.rules)
 2012677 - ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE (web_specific_apps.rules)
 2012678 - ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt (web_specific_apps.rules)
 2012679 - ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt (web_specific_apps.rules)
 2012680 - ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012681 - ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt (web_specific_apps.rules)

These are moved over from the Pro rules, as Dave Richards provided a very similar sig.
 2012682 - ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1 (exploit.rules)
 2012683 - ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2 (exploit.rules)


 2012684 - ET WEB_CLIENT Office File With Embedded Executable (web_client.rules)


And the Pro rules, some very crafty backdoors to add detection for...

 2802015 - ETPRO TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive (trojan.rules)
 2802016 - ETPRO TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive Response (trojan.rules)
 2802017 - ETPRO TROJAN Fiskos/Fynloski/Gpigeon Backdoor Keepalive (trojan.rules)
 2802018 - ETPRO USER_AGENTS Win32.Phobiq Keylogger Checkin (user_agents.rules)
 2802019 - ETPRO TROJAN Virus Hunter FakeAV Checkin (trojan.rules)


[///]     Modified active rules:     [///]

 2011806 - ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit (web_server.rules)

Renamed to be more informative, and thresholding added.
 2012078 - ET POLICY Windows-Based OpenSSL Tunnel Outbound (policy.rules)
 2012079 - ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2 (policy.rules)
 2012080 - ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 3 (policy.rules)

Expanded the match to the full word Launcher to avoid some FPs with Sandisk products.
 2010645 - ET USER_AGENTS Suspicious User Agent (Launcher) (user_agents.rules)

Added more to the US to avoid FPs as well.
 2012612 - ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers (trojan.rules)

[---]         Removed rules:         [---]

Moved to Open. 
 2800565 - ETPRO EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1 (exploit.rules)
 2800566 - ETPRO EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2 (exploit.rules)

See you all on Tuesday, assuming we survive the night of research!


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
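Added example (my own Python, not ET rule content and not code from this post): a toy re-implementation of the three tuning ideas in the "Modified active rules" section above, namely a parameter-absence check (ScriptResource.axd requested without t=), a full-word User-Agent match in place of a partial one to cut false positives, and a Snort/ET-style "threshold: type limit, track by_src" applied per source. The regexes are assumptions about what a loose and a strict signature might look like, the sample traffic is constructed, and the SanDisk-like user agent is invented to show the partial-match false positive, not an actual product string.

```python
import re
from urllib.parse import parse_qs, urlsplit


def scriptresource_without_t(uri):
    """True for a request to ScriptResource.axd whose query has no t= parameter.

    URLs that ASP.NET itself emits for this handler carry t= (a timestamp), so a
    d=-only request is hand-built, the shape a padding-oracle client produces
    while it probes the d= blob.
    """
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("/scriptresource.axd"):
        return False
    return "t" not in parse_qs(parts.query, keep_blank_values=True)


# Assumed patterns, not the real ET signature content: a partial match that
# also hits unrelated product names, versus the full word anchored so that it
# cannot sit inside a longer alphanumeric token.
LOOSE_UA = re.compile(r"Launch")
STRICT_UA = re.compile(r"(?<![A-Za-z0-9])Launcher(?![A-Za-z0-9])")


def launcher_ua(user_agent, strict=True):
    """Flag the 'Launcher' User-Agent; strict=True requires the whole word."""
    pattern = STRICT_UA if strict else LOOSE_UA
    return pattern.search(user_agent) is not None


class LimitThreshold:
    """'threshold: type limit, track by_src, count 1, seconds N' semantics:
    the first match per (signature, source) in a window alerts, the rest of
    that window is suppressed."""

    def __init__(self, seconds):
        self.seconds = seconds
        self._last = {}  # (sig, src) -> timestamp of the last alert emitted

    def allow(self, sig, src, ts):
        key = (sig, src)
        last = self._last.get(key)
        if last is not None and ts - last < self.seconds:
            return False
        self._last[key] = ts
        return True


def run_rules(traffic, strict=True, threshold=None):
    """Run both checks over (ts, src, uri, user_agent) records.

    Returns a list of (signature name, src, ts) alerts; the signature names are
    abbreviations of the rule titles in the changelog, not the rules themselves.
    """
    alerts = []
    for ts, src, uri, ua in traffic:
        hits = []
        if scriptresource_without_t(uri):
            hits.append("WEB_SERVER ScriptResource.axd access without t")
        if launcher_ua(ua, strict):
            hits.append("USER_AGENTS Suspicious User Agent (Launcher)")
        for sig in hits:
            if threshold is None or threshold.allow(sig, src, ts):
                alerts.append((sig, src, ts))
    return alerts


# Constructed sample traffic, not real captures. 10.0.0.9 sends two d=-only
# probes in one window; 10.0.0.8 and 10.0.0.3 carry invented UAs that only a
# partial "Launch" match would flag.
SAMPLE_TRAFFIC = [
    (0.0, "10.0.0.5", "/ScriptResource.axd?d=Zm9v&t=633979239000000000", "Mozilla/5.0"),
    (1.0, "10.0.0.9", "/ScriptResource.axd?d=Zm9v", "Mozilla/5.0"),
    (2.0, "10.0.0.9", "/ScriptResource.axd?d=Zm9w", "Mozilla/5.0"),
    (3.0, "10.0.0.7", "/index.html", "Launcher"),
    (4.0, "10.0.0.8", "/update.xml", "SanDisk Launchpad/2.1"),
    (5.0, "10.0.0.3", "/check.php", "MyLauncher2"),
]

if __name__ == "__main__":
    print("strict, no threshold:", run_rules(SAMPLE_TRAFFIC))
    print("loose, no threshold: ", run_rules(SAMPLE_TRAFFIC, strict=False))
    print("strict, limit 60s:   ", run_rules(SAMPLE_TRAFFIC, threshold=LimitThreshold(60)))
```

With the strict pattern the run yields three alerts (two padding-oracle probes from 10.0.0.9 and the bare "Launcher" UA); the loose pattern adds the two constructed false positives; the limit threshold collapses the two probes from 10.0.0.9 into one alert, which is the trade you make when a policy rule is noisy per host.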