Snort mailing list archives

Proposed Signature - COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde


From: Community Proposed <lists () packetmail net>
Date: Fri, 17 Feb 2012 10:44:25 -0600

Looking at the current change logs I do not see detection for this; if there
is already detection I apologize for the duplication and list noise. Below is
a proposed community signature to detect on the Horde FTP compromise and
resulting backdoor insertion into the code base affecting downloads between
early/mid November 2011 and February 7, 2012.

alert tcp any any -> $HOME_NET $HTTP_PORTS ( \
    msg:"COMMUNITY WEB-PHP Remote Execution Backdoor Attempt Against Horde"; \
    flow:established,to_server; \
    content:"/services/javascript.php"; http_uri; fast_pattern:only; \
    content:"href="; http_cookie; \
    content:"file=open_calendar.js"; http_client_body; \
    classtype:web-application-attack; \
    reference:url,pastebin.com/U3ADiWrP; \
    reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; \
    reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; \
    reference:cve,2012-0209; \
    sid:x; rev:1;)

Thanks,
Nathan
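As an added example (not part of the original post, and not Snort's own matching engine), the following Python emulates the rule's three buffer-specific content checks over constructed raw HTTP requests, to show why the URI, Cookie and client-body matches must all hit. It assumes plain HTTP/1.x requests without Snort's normalization; the host name and cookie value are placeholders.

```python
# Added example: emulate the proposed rule's content checks against raw requests.
# Snort buffers mapped here: http_uri -> request-line path, http_cookie ->
# Cookie header value, http_client_body -> bytes after the header block.
RULE = {
    "uri": b"/services/javascript.php",    # content; http_uri
    "cookie": b"href=",                    # content; http_cookie
    "body": b"file=open_calendar.js",      # content; http_client_body
}

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into uri, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    uri, _, _version = rest.partition(b" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}

def matches_rule(raw: bytes) -> bool:
    """True only when all three content matches of the rule hit their buffers."""
    req = parse_request(raw)
    cookie = req["headers"].get(b"cookie", b"")
    return (RULE["uri"] in req["uri"]
            and RULE["cookie"] in cookie
            and RULE["body"] in req["body"])

# Constructed samples (placeholders, not captured traffic): one request with the
# shape the rule describes, one benign fetch of the same script where the
# file= parameter sits in the query string, not the client body.
SUSPECT = (b"POST /horde/services/javascript.php HTTP/1.1\r\n"
           b"Host: horde.example.test\r\n"
           b"Cookie: href=PLACEHOLDER_VALUE\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"\r\n"
           b"app=horde&file=open_calendar.js")
BENIGN = (b"GET /horde/services/javascript.php?app=horde&file=open_calendar.js HTTP/1.1\r\n"
          b"Host: horde.example.test\r\n"
          b"Cookie: Horde=session_placeholder\r\n"
          b"\r\n")

if __name__ == "__main__":
    print("SUSPECT matches:", matches_rule(SUSPECT))   # True
    print("BENIGN matches:", matches_rule(BENIGN))     # False
```

The benign request carries the same script name in the query string, which the rule ignores because the third match is bound to http_client_body.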

