Snort mailing list archives

Webshell SIGs


From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 29 May 2013 13:06:11 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hello all (second try with spaces inserted)

There are a variety of different SIGs to spot Webshells - primarily PHP.

One example is 22932 - "INDICATOR-COMPROMISE c99 shell.php command request - phpinfo"

I've put up a copy of C99 and made requests towards it
(primarily the rule above just hits on "act=php info")
but get nothing - but I do get consistent hits on
SID 1882 - id check returned userid.

URL logging (on the same box as Snort) shows the traffic:

2013-05-29 11:19:47  1.2.3.4  5.6.7.8  >  GET  www.x.x  /99.php?act=php info  ELinks/0.12~pre5-2+squeeze1 (textmode; Debian; Linux 3.2.0-0.bpo.4-amd64 x86_64; 80x24-2)  http://www.x.x/99.php  HTTP/1.1

HOME_NET is correctly configured, EXTERNAL_NET is 'any'.

Snort is 2.9.3.1 (yes I need to upgrade)

Is there something obvious at fault?
I'm wondering if there's a whole bunch of incoming web evil I'm missing.

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRpe8yAAoJELhVoVpEMS6Rp4EIALE8/Po/U/F0J94pUyY8SKs0
ecsb3ofUjCWx7ktnHJBJQKMsrTWZ8YAUcwtF1imzibNdqKeMVra53SnuqE9ncsDA
cyiDnA9xikIEqx4rsAzNlUEXi87u4t4PGLBzsx3EgLKkBIVkzXvAh/pcmy57g7ZN
W1t5P1cJAG4AjHoGrZeTf1/u5QysCgcFmzO9MzWDY3CKEQCmlbBbyenaJNjoToDd
kLN0V0lOb9ahAwkVJBynhkWTfVQC9KfdqnYoLDFrwA7EWU57CRX2T2yiOezFO5fT
8pTqcEcaV9EdNmwCTyhUgLcaNS3Hp91rQ2ClNkEi7ZnYuKLQ8f/4OaeEDrKheNQ=
=Qz7m
-----END PGP SIGNATURE-----
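The following is an added example, not part of the original post and not Snort's own code. It is a small offline model of the two things worth checking before concluding that a sensor is missing traffic: whether the test request's destination port falls inside the rule's port field (rules on $HTTP_PORTS are never evaluated for other ports), and whether the rule's content matches are actually satisfied by the URI as it appears on the wire and after percent-decoding. The rule text below is a stand-in written for this illustration and is not the text of SID 22932 (read that from your rules file); it assumes the rule keys on "act=phpinfo" in the URI, which is the post's "act=php info" with the spaces that were inserted to get past the list filter removed. The variable values, the request lines, and the normalization model (percent-decoding of %xx, "+" left alone, which is my understanding of http_inspect's defaults and should be verified against your configuration) are all assumptions.

```python
"""Offline model of Snort-style HTTP rule matching, for deciding whether a
test request *should* have produced an alert before blaming the sensor.

Constructed example. RULE is a stand-in written for this illustration and is
NOT the text of SID 22932 (read that from your rules file); the variable
values and request lines are made-up test inputs.
"""
import re
from urllib.parse import unquote

# Assumed variable values (edit to match snort.conf).
VARIABLES = {
    "$EXTERNAL_NET": "any",
    "$HTTP_SERVERS": "any",
    "$HTTP_PORTS": {80, 8080},
}

# Stand-in rule: assumes the real rule keys on "act=phpinfo" in the URI buffer.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ('
    'msg:"INDICATOR-COMPROMISE c99 shell.php command request - phpinfo"; '
    'flow:to_server,established; content:"act=phpinfo"; http_uri; nocase; '
    'classtype:trojan-activity; sid:9999999; rev:1;)'
)


def _decode_pipes(pattern):
    """Turn Snort |xx xx| hex escapes into latin-1 text so they compare as bytes."""
    return re.sub(r"\|([0-9A-Fa-f ]+)\|",
                  lambda m: bytes.fromhex(m.group(1)).decode("latin-1"),
                  pattern)


def parse_rule(rule):
    """Extract the destination port field and each content match with modifiers.

    Simplified parser: assumes no ';' inside quoted content and understands only
    the http_uri and nocase modifiers, which is enough for the stand-in rule.
    """
    header, opts = rule.split("(", 1)
    fields = header.split()  # action proto src sport dir dst dport
    contents = []
    for opt in opts.rstrip(")").split(";"):
        opt = opt.strip()
        if opt.startswith("content:"):
            contents.append({"pattern": _decode_pipes(opt[len("content:"):].strip('"')),
                             "http_uri": False, "nocase": False})
        elif opt in ("http_uri", "nocase") and contents:
            contents[-1][opt] = True
    return {"dport": fields[6], "contents": contents}


def port_in_spec(port, spec, variables=VARIABLES):
    """Does the destination port satisfy the rule's port field (variable, any, or number)?"""
    spec = variables.get(spec, spec)
    if spec == "any":
        return True
    if isinstance(spec, set):
        return port in spec
    return port == int(spec)


def normalize_uri(target):
    """Model of the normalized URI buffer: %xx decoded, '+' left as-is.

    Assumption about http_inspect defaults; verify against your own config.
    """
    return unquote(target)


def content_matches(c, raw_target):
    """Apply one content match against the raw target or the normalized URI."""
    buf = normalize_uri(raw_target) if c["http_uri"] else raw_target
    pat = c["pattern"]
    if c["nocase"]:
        buf, pat = buf.lower(), pat.lower()
    return pat in buf


def check(rule, request_line, dst_port, variables=VARIABLES):
    """Return (would_fire, reason) for one request line exactly as sent on the wire."""
    _method, target, _version = request_line.split(" ", 2)
    parsed = parse_rule(rule)
    if not port_in_spec(dst_port, parsed["dport"], variables):
        return False, f"port {dst_port} not in {parsed['dport']} (rule never evaluated)"
    for c in parsed["contents"]:
        if not content_matches(c, target):
            where = "normalized URI" if c["http_uri"] else "raw target"
            return False, f"content {c['pattern']!r} absent from {where}"
    return True, "all content matches satisfied"


if __name__ == "__main__":
    # Constructed wire-level request lines, not captured traffic.
    for line, port in [
        ("GET /99.php?act=phpinfo HTTP/1.1", 80),     # should fire
        ("GET /99.php?act=PHPINFO HTTP/1.1", 80),     # nocase: should fire
        ("GET /99.php?act=php%20info HTTP/1.1", 80),  # decodes to a space: no match
        ("GET /99.php?act=phpinfo HTTP/1.1", 8443),   # port outside $HTTP_PORTS
    ]:
        print(port, line, "->", check(RULE, line, port))
```

If this model says the rule should fire on the request you sent but the sensor stays silent, the remaining suspects are on the sensor side rather than in the packet: the SID is not enabled in the ruleset Snort actually loaded, the test web server listens on a port that is not in $HTTP_PORTS, or the request did not traverse the sensor in the EXTERNAL_NET to HTTP_SERVERS direction the rule header requires. Replaying a capture of the test request through Snort in pcap-read mode with a single local rule isolates those from one another.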


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users