Snort mailing list archives
Re: Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde
From: Alex Kirk <akirk () sourcefire com>
Date: Fri, 17 Feb 2012 17:55:13 -0500
Nope, that's fresh detection. We'll get that lined up for the next SEU. Thanks for the contribution - they're always welcome!

On Feb 17, 2012 12:52 PM, "Community Proposed" <lists () packetmail net> wrote:

> Looking at the current change logs I do not see detection for this, if there is already detection I apologize for the duplication and list noise.
>
> Below is a proposed community signature to detect on the Horde FTP compromise and resulting backdoor insertion into the code base affecting downloads between early/mid November 2011 and February 7 2012.
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde"; flow:established,to_server; content:"/services/javascript.php"; http_uri; fast_pattern:only; content:"href="; http_cookie; content:"file=open_calendar.js"; http_client_body; classtype:web-application-attack; reference:url,pastebin.com/U3ADiWrP; reference:url, eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; reference:cve,2012-0209; sid:x; rev:1;)
>
> Thanks,
> Nathan
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
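An offline re-check of the three buffer-bound matches in the proposed rule (URI, Cookie header, client body), as an added example that is not part of the original thread or of Snort. The function names, the placeholder host and the sample requests are constructed; percent-decoding and lower-casing the URI only approximate Snort's URI normalization and fast-pattern matching.

```python
# Added example: re-check captured HTTP requests against the three content
# matches of the proposed rule, each confined to its own buffer.
from urllib.parse import unquote

URI_MATCH = "/services/javascript.php"   # content ... http_uri
COOKIE_MATCH = "href="                   # content ... http_cookie
BODY_MATCH = "file=open_calendar.js"     # content ... http_client_body


def parse_request(raw: bytes):
    """Split a raw HTTP request into (uri, cookie header value, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    cookies = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            cookies.append(value.strip())
    return uri, "; ".join(cookies), body.decode("latin-1")


def rule_matches(raw: bytes) -> bool:
    """True only when all three contents appear, each in its own buffer."""
    uri, cookie, body = parse_request(raw)
    return (URI_MATCH in unquote(uri).lower()   # assumption: approximates normalization
            and COOKIE_MATCH in cookie
            and BODY_MATCH in body)


def build(uri: str, cookie: str, body: str) -> bytes:
    """Constructed sample POST request to a placeholder host."""
    hdrs = [f"POST {uri} HTTP/1.1", "Host: horde.example"]
    if cookie:
        hdrs.append(f"Cookie: {cookie}")
    hdrs.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(hdrs) + "\r\n\r\n" + body).encode("latin-1")


BODY = "app=demo&file=open_calendar.js"   # constructed, no payload
SAMPLES = {
    "all three buffers": build("/horde/services/javascript.php", "Horde=abc; href=x", BODY),
    "encoded dot in uri": build("/horde/services/javascript%2Ephp", "href=x", BODY),
    "no cookie header": build("/horde/services/javascript.php", "", BODY),
    "href only in body": build("/horde/services/javascript.php", "Horde=abc", "href=x&" + BODY),
    "other script": build("/horde/index.php", "href=x", BODY),
}
```

The "href only in body" sample shows why the rule pins `href=` to the cookie buffer: the same string elsewhere in the request does not satisfy it.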
Current thread:
- Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde Community Proposed (Feb 17)
- Re: Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde Alex Kirk (Feb 17)
- Re: Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde lists () packetmail net (Feb 17)
- Re: Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde Alex Kirk (Feb 17)