Snort mailing list archives
Apache auto_prepend_file a.control.bin sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 14 Jun 2013 15:53:03 -0600
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMSED Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| SEX|2f|1"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:10000076; rev:1;) Not sure if sigging the ga.gif link would be worth it. James ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Apache auto_prepend_file a.control.bin sig James Lay (Jun 14)