[Emerging-updates] Daily Ruleset Update Summary 2/27/2011

Matthew Jonkman jonkman at emergingthreatspro.com
Sun Feb 27 01:21:13 EST 2011


A significant update today. Much of it is catching up on the Stillsecure signatures, but we do have a number of new vuln and trojan sigs both in the open and ET Pro rulesets as well.


[+++]          Added rules:          [+++]

 2012334 - ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
 2012335 - ET WEB_SPECIFIC_APPS Coupon Script bus parameter Blind SQL Injection Attempt (web_specific_apps.rules)
 2012336 - ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012337 - ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012338 - ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012339 - ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012340 - ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012341 - ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012342 - ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012343 - ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt (web_specific_apps.rules)
 2012344 - ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt (web_specific_apps.rules)
 2012345 - ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012346 - ET WEB_SPECIFIC_APPS PMB Services id Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012347 - ET WEB_SPECIFIC_APPS PMB Services id Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012348 - ET WEB_SPECIFIC_APPS Services id Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012349 - ET WEB_SPECIFIC_APPS PMB Services id Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012350 - ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012351 - ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt (web_specific_apps.rules)
 2012352 - ET WEB_SPECIFIC_APPS PHP Classified ads software cid parameter Blind SQL Injection Attempt (web_specific_apps.rules)
 2012353 - ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012354 - ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt (web_specific_apps.rules)
 2012355 - ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012356 - ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012357 - ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt (web_specific_apps.rules)
 2012358 - ET WEB_SPECIFIC_APPS PHPCMS modelid Parameter SQL Injection Attempt (web_specific_apps.rules)
 2012359 - ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012360 - ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012361 - ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012362 - ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012363 - ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012364 - ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012365 - ET WEB_SPECIFIC_APPS Bexfront sid Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012366 - ET WEB_SPECIFIC_APPS Bexfront sid Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012367 - ET WEB_SPECIFIC_APPS Bexfront sid Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012368 - ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012369 - ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt (web_specific_apps.rules)
 2012370 - ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012371 - ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
 2012372 - ET WEB_SPECIFIC_APPS ColdUserGroup LibraryID Parameter Blind SQL Injection Attempt (web_specific_apps.rules)
 2012373 - ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt (web_specific_apps.rules)
 2012374 - ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter SELECT FROM SQL Injection Attempt (web_specific_apps.rules)
 2012375 - ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter DELETE FROM SQL Injection Attempt (web_specific_apps.rules)
 2012376 - ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UNION SELECT SQL Injection Attempt (web_specific_apps.rules)
 2012377 - ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter INSERT INTO SQL Injection Attempt (web_specific_apps.rules)
 2012378 - ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt (web_specific_apps.rules)
 2012379 - ET WEB_SPECIFIC_APPS TelebidAuctionScript aid Parameter Blind SQL Injection Attempt (web_specific_apps.rules)
 2012380 - ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt (web_specific_apps.rules)
 2012381 - ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt (web_specific_apps.rules)
 2012382 - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt (web_specific_apps.rules)
 2012383 - ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt (web_specific_apps.rules)
 2012384 - ET TROJAN Purported MSIE 7 with terse HTTP Headers GET to PHP likely check-in to CnC (trojan.rules)
 2012385 - ET USER_AGENTS Likely Infected HTTP POST to PHP with User-Agent of HTTP Client (user_agents.rules)
 2012386 - ET USER_AGENTS Suspicious User-Agent VCTestClient (user_agents.rules)
 2012387 - ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate (user_agents.rules)
 2012388 - ET CURRENT_EVENTS USPS SPAM Inbound possible spyeye trojan (current_events.rules)
 2012389 - ET TROJAN Java Exploit Kit Success Check-in Executable Download Likely (trojan.rules)
 2012390 - ET P2P Libtorrent User-Agent (p2p.rules)

And the Pro sigs:
 2801379 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 1 (exploit.rules)
 2801380 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 2 (exploit.rules)
 2801381 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 3 (exploit.rules)
 2801382 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 4 (exploit.rules)
 2801383 - ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1 (worm.rules)
 2801384 - ETPRO WORM Worm.Win32.Imamihong.A Activity 1 (worm.rules)
 2801385 - ETPRO WORM Worm.Win32.Imamihong.A flowbits set 1 (worm.rules)
 2801386 - ETPRO WORM Worm.Win32.Imamihong.A Activity 2 (worm.rules)
 2801387 - ETPRO WEB_CLIENT Microsoft Windows Shell Graphics Thumbnail Image Integer Overflow 1 (web_client.rules)
 2801388 - ETPRO WEB_CLIENT Microsoft Windows Shell Graphics Thumbnail Image Integer Overflow 2 (web_client.rules)
 2801389 - ETPRO TROJAN Trojan-Downloader.Win32.Redonc.A Checkin (trojan.rules)
 2801390 - ETPRO TROJAN Malware Worm.Win32.Phorpiex.A Activity (trojan.rules)


[///]     Modified active rules:     [///]

 2003608 - ET USER_AGENTS Baidu.com Related Agent User-Agent (iexp) (user_agents.rules)
 2009752 - ET TROJAN Monkif/DlKroha Trojan Activity HTTP Outbound (trojan.rules)
 2010440 - ET CURRENT_EVENTS Potential Malware Download flash-HQ-plugin exe (current_events.rules)
 2801347 - ETPRO TROJAN Mariposa or Palevo Bot Checkin to Server (trojan.rules)



----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
