Snort mailing list archives
Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 22 Nov 2012 13:00:08 -0500
On 11/22/2012 05:31, babu dheen wrote:
Dear Waldo, Thanks for the update. I would surely run the pcap on the destination server and get to know what exactly is the http request?
if you have windows, you could use wireshark to look at the pcap manually which is what i was intending to say...
But would like to know what is the impact of this alert or if you can give me security advisory of this event, will be helpful to resolve the issue once identified.
the advisory is in the rule... i didn't post it so as to give you a chance to find it on your system and dig out the info you need/want to know... you recall that old saying about teaching a man to fish? ;)

C:\snort>grep -i -E "sid:\W*21416" 2931\rules\*.rules
2931\rules\malware-cnc.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.Bankpatch.C authentication string detected"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"MDAwMDAwMDAwMDAwMDAwMDAwMTA"; http_client_body; metadata:policy security-ips drop, service http; reference:url,www.threatexpert.com/threats/trojan-bankpatch-c.html; classtype:trojan-activity; sid:21416; rev:4;)
Regards
Babudheen

*From:* waldo kitty <wkitty42 () windstream net>
*To:* snort-users () lists sourceforge net
*Sent:* Wednesday, 21 November 2012 8:28 PM
*Subject:* Re: [Snort-users] Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication

On 11/21/2012 07:59, babu dheen wrote:
Dear Support,
We have enabled Snort IPS between two unix machines and once enabled, we are seeing the below events continuously. We would like to know what is meant by the below event and how we can solve the same.
Name : "BOTNET-CNC Trojan.Bankpatch.C authentication String detected"
Source IP : Solaris Server IP
Destination IP : Solaris Server IP
Destination Port : 80

as far as i can tell, that would be rule 1:21416 right? please always try to include the GID:SID in posts like this...

looking specifically for 1:21416 i see that VRT have it listed as disabled since at least 2012 Feb 21... that means that it should be available in the registered access rules set (latest is 2012 Oct 18) but i do not find it in the BOTNET-CNC rules as your message shows... instead, i find it in malware-cnc...

since this is a GID 1 rule, it is easy to look at the rule to see what it is looking for... in this particular case, it is a http POST to /index.php with the string "MDAw" repeated 6 times with one more "MDA" on the end...

you really should look at the pcaps for those alerts... you might want to use tcpdump to capture all the traffic so you can see what's really going on...

to find rules hint:

grep -i -E "sid:\W*21416;" /path/to/your/rules/*.rules

21416 is the rule's SID you are looking for...

i have the above as a bash shell script named lookuprule that you and others might find usable ;)

#! /bin/bash
# lookuprule bash script to find snort rules by sid
grep -i -E "sid:\W*$1;" /path/to/your/rules/*.rules
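As an added illustration of what rule 1:21416 keys on (this is not code from the thread or from the Snort project): a small Python model of the rule's three content matches and their HTTP buffers, run over constructed requests, plus a decode of the base64 client-body string. It is a simplified approximation of Snort's buffer logic (no http_inspect normalization, no flow state); the host 192.0.2.10 and the request bodies are constructed sample values.

```python
import base64
import re

# Rule 1:21416 as it appears in the thread (the rules file ships it commented out).
RULE_21416 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"MALWARE-CNC Trojan.Bankpatch.C authentication string detected"; '
    'flow:established,to_server; content:"POST"; http_method; '
    'content:"/index.php"; http_uri; '
    'content:"MDAwMDAwMDAwMDAwMDAwMDAwMTA"; http_client_body; '
    'classtype:trojan-activity; sid:21416; rev:4;)'
)

# A content option, optionally followed by the HTTP buffer it is restricted to.
CONTENT_RE = re.compile(
    r'content:"([^"]+)";\s*(http_method|http_uri|http_client_body)?')

def parse_contents(rule):
    """Return [(pattern, buffer)] for each content option; 'payload' = no modifier."""
    return [(pat, buf or 'payload') for pat, buf in CONTENT_RE.findall(rule)]

def split_http_request(raw):
    """Constructed minimal splitter (not http_inspect): method, URI and body buffers."""
    head, _, body = raw.partition('\r\n\r\n')
    method, uri = head.split('\r\n')[0].split(' ')[:2]
    return {'http_method': method, 'http_uri': uri,
            'http_client_body': body, 'payload': raw}

def rule_matches(rule, raw_request):
    """True when every content pattern is found in its designated buffer."""
    bufs = split_http_request(raw_request)
    return all(pat in bufs[buf] for pat, buf in parse_contents(rule))

def decode_auth_string(rule):
    """Decode the base64 client-body string the rule keys on (re-adding padding)."""
    s = next(p for p, b in parse_contents(rule) if b == 'http_client_body')
    return base64.b64decode(s + '=' * (-len(s) % 4)).decode()

# Constructed sample requests; 192.0.2.10 is a documentation address.
HIT = ('POST /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n'
       'id=MDAwMDAwMDAwMDAwMDAwMDAwMTA&x=1')
MISS = 'POST /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\nuser=alice&token=abc'
GET_MISS = 'GET /index.php?q=MDAwMDAwMDAwMDAwMDAwMDAwMTA HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n'

if __name__ == '__main__':
    for name, req in [('HIT', HIT), ('MISS', MISS), ('GET_MISS', GET_MISS)]:
        print(name, rule_matches(RULE_21416, req))
    print('decoded body string:', decode_auth_string(RULE_21416))
```

Only the POST whose body carries the exact base64 token matches; the same token in a GET query string does not, because the rule confines it to http_client_body.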