Snort mailing list archives
Re: Signatures detecting PHP backdoor traffic
From: Jason Taylor via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 3 Jan 2024 17:24:26 -0500
Hey Bart,

Thanks for the submission to the infosec community! We (Emerging Threats) happened across your post and we added your signatures to the Open (free) set for today's release! We added some flowbits to the logic you mentioned in your blog to reduce the chance of False Positives, so users will only see an alert if signatures #1 or #2 fire and signature #3 fires.

Today's release notes: https://community.emergingthreats.net/t/ruleset-update-summary-2024-01-03-v10498/1257

2049898 - ET MALWARE Suspected Generic PHP Backdoor Activity M1
2049899 - ET MALWARE Suspected Generic PHP Backdoor Activity M2
2049900 - ET MALWARE Generic PHP Backdoor CnC Response

If you have questions or want to get in touch, come check us out at https://community.emergingthreats.net/

This was great research and thanks for sharing!

JT and the ET Team

On Tue, Jan 2, 2024 at 7:59 AM Bart Broere <mail () bartbroere eu> wrote:
Hi fellow Snort Sigs subscribers,

This is my first submission here, so I hope this is the right place to contribute new signatures.

This week I analyzed a PHP malware sample that was installed on a WordPress host. It functioned as a backdoor, allowing attackers to execute code on the host. Some of the functionality of the malware is that it responds with the MD5 hash of 47712 (6a59bb58c6c03d5103d44f3b7e5ebf07) when the GET parameter 47712 or 673435 is supplied. That behaviour can be converted to Snort rules:

# Rules 1 and 2: inbound request carrying the numeric check parameter in the query string.
# The http_uri buffer holds only the normalized URI (path and query), never the request line,
# so the method is matched with http_method rather than as "GET /" inside http_uri.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP backdoor check of successful installation using GET parameter 47712"; flow:to_server,established; content:"GET"; http_method; content:"47712="; http_uri; classtype:web-application-activity; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP backdoor check of successful installation using GET parameter 673435"; flow:to_server,established; content:"GET"; http_method; content:"673435="; http_uri; classtype:web-application-activity; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000002;)

# Rule 3: outbound response body containing the hash. http_client_body only covers the
# client's request body; the server response body is inspected through the file_data buffer.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Indication of a successful PHP backdoor check, server responds with 6a59bb58c6c03d5103d44f3b7e5ebf07"; flow:to_client,established; file_data; content:"6a59bb58c6c03d5103d44f3b7e5ebf07"; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000003;)

There's some potential for false positives with these rules, but not a lot. Numeric GET keys and an MD5 hash of an integer are already slightly suspect. The detection could also benefit from dynamic rules probably, where hitting rule 1 or 2 would be a requirement for rule 3 to raise an alert. Unless I'm mistaken the community ruleset does not yet include any dynamic rules. Let me know if it's possible to use mechanisms like activates/activated_by, and I'll happily convert them.

I published a full write-up on the malware here: https://bartbroere.eu/2023/12/31/php-backdoor-malware/

This page also has references to earlier research. I'm especially thankful for all the samples collected by Bruce Ediger.

I don't have any packet captures of this happening, but I could generate them by running the malware in a sandbox.

Let me know if you have any questions or remarks, and whether these rules can be contributed to the Community Rules.

Best regards,
Bart Broere

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
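One way to express the flowbits coupling JT describes, as an added example and not the Emerging Threats rules themselves (the rule text behind SIDs 2049898-2049900 is not on this page): the two request rules set a flowbit on the TCP flow and suppress their own alert, and the response rule alerts only when that bit is already set, so a hash that happens to appear in an unrelated response never alerts on its own. The flowbit name and the rev numbers are assumptions; the rules otherwise reuse Bart's SIDs and content matches, in Snort 2.9 syntax (http_method for the verb, file_data for the response body).

```snort
# Added example: stateful version of the three rules from the post, tied together with flowbits.
# Flowbit name "php.backdoor.check" and rev numbers are assumptions, not taken from the ET release.

# Request rules: record on the flow that a check parameter was seen, but do not alert by themselves.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP backdoor check of successful installation using GET parameter 47712"; flow:to_server,established; content:"GET"; http_method; content:"47712="; http_uri; flowbits:set,php.backdoor.check; flowbits:noalert; classtype:web-application-activity; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000001; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP backdoor check of successful installation using GET parameter 673435"; flow:to_server,established; content:"GET"; http_method; content:"673435="; http_uri; flowbits:set,php.backdoor.check; flowbits:noalert; classtype:web-application-activity; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000002; rev:2;)

# Response rule: only fires when the same flow already carried one of the check requests.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-WEBAPP Indication of a successful PHP backdoor check, server responds with 6a59bb58c6c03d5103d44f3b7e5ebf07"; flow:to_client,established; flowbits:isset,php.backdoor.check; file_data; content:"6a59bb58c6c03d5103d44f3b7e5ebf07"; classtype:trojan-activity; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; sid:1000003; rev:2;)
```

Because flowbits are scoped to a single TCP session, the correlation works when the check request and its response travel on the same connection, which is how a plain HTTP GET behaves; if the request rules should still produce their own alerts (as a lower-confidence indicator), drop the flowbits:noalert option and keep only flowbits:set.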
Current thread:
- Signatures detecting PHP backdoor traffic Bart Broere (Jan 02)
- Re: Signatures detecting PHP backdoor traffic Jason Taylor via Snort-sigs (Jan 03)
- Re: Signatures detecting PHP backdoor traffic Joel Esler via Snort-sigs (Jan 06)
- Re: Signatures detecting PHP backdoor traffic Todor P. via Snort-sigs (Jan 08)
- Re: Signatures detecting PHP backdoor traffic Jason Taylor via Snort-sigs (Jan 03)