Snort mailing list archives
Weevely PHP Backdoor - Rule Proposal
From: Anestis Bechtsoudis <bechtsoudis.a () gmail com>
Date: Sun, 20 Nov 2011 23:19:54 +0200
I work in the NOC team at a University Campus in Greece, and recently I have noticed a noticeable increase in web hacking incidents. In many of them the attackers used the Weevely*1 PHP backdoor to maintain access to the hacked system. I have searched around the net for some relevant Snort rules but I didn't find a match. So I decided to write my own. I thought these rules might be of interest to the community, so I decided to share them in this list (see the attachment). A detailed analysis of how I arrived at these content patterns can be found in my blog post*2. I admit that I'm not a Snort expert, so any propositions are welcome.

*1 http://code.google.com/p/weevely/
*2 http://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/

--
===============================================
* Anestis Bechtsoudis                         *
* Undergraduate Student                       *
*                                             *
* Network Operation Center (NOC Group)        *
* Dept. of Computer Engineering & Informatics *
* University of Patras, Greece                *
*                                             *
* Website: https://bechtsoudis.com            *
===============================================
Attachment: web-weevely.rules
Current thread:
- Weevely PHP Backdoor - Rule Proposal Anestis Bechtsoudis (Nov 20)
- Re: Weevely PHP Backdoor - Rule Proposal Martin Holste (Nov 20)
- Re: Weevely PHP Backdoor - Rule Proposal Anestis Bechtsoudis (Nov 20)
- Re: Weevely PHP Backdoor - Rule Proposal Martin Holste (Nov 20)
- Re: Weevely PHP Backdoor - Rule Proposal Joel Esler (Nov 20)
- Re: Weevely PHP Backdoor - Rule Proposal Anestis Bechtsoudis (Nov 20)
- Re: Weevely PHP Backdoor - Rule Proposal Martin Holste (Nov 20)