Snort mailing list archives
Webshell SIGs
From: Peter Bates <peter.bates () ucl ac uk>
Date: Wed, 29 May 2013 13:06:11 +0100
Hello all (second try with spaces inserted)

There are a variety of different SIGs to spot Webshells - primarily PHP.

One example is 22932 - "INDICATOR-COMPROMISE c99 shell.php command request - phpinfo"

I've put up a copy of C99 and made requests towards it (primarily the rule above just hits on "act=php info") but get nothing - but I do get consistent hits on SID 1882 - id check returned userid.

URL logging (on the same box as Snort) shows the traffic:

2013-05-29 11:19:47 1.2.3.4 5.6.7.8 > GET www.x.x /99.php?act=php info ELinks/0.12~pre5-2+squeeze1 (textmode; Debian; Linux 3.2.0-0.bpo.4-amd64 x86_64; 80x24-2) http://www.x.x/99.php HTTP/1.1

HOME_NET is correctly configured, EXTERNAL_NET is 'any'.
Snort is 2.9.3.1 (yes I need to upgrade)

Is there something obvious at fault? I'm wondering if there's a whole bunch of incoming web evil I'm missing.

--
Peter Bates
Senior Information Security Officer
Information Services Division
University College London
London WC1E 6BT
Phone: +44(0)2076792049
Internal Ext: 32049
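A quick way to sanity-check a question like the one above is to take the request line the URL log actually recorded and test it against the content token you believe the rule is looking for, after the same kind of URI normalisation Snort's HTTP inspector applies. The script below is an added example written for this archive page; it is not Snort code, not the SID 22932 rule text (which is not quoted on the page), and the `act=phpinfo` token, the `normalize_uri` model and the sample request lines are all assumptions constructed here. It shows that a request whose query string carries a literal space (as in the logged line) does not contain the unbroken token, while percent-encoded, mixed-case and double-slash variants of the same request still match once decoded and normalised.

```python
from urllib.parse import unquote

# Constructed sample request lines (not taken from the original post),
# modelled on the URL-log entry quoted in the message. The first one keeps
# the literal space that appears in the logged "act=php info".
SAMPLE_REQUESTS = [
    "GET /99.php?act=php info HTTP/1.1",
    "GET /99.php?act=phpinfo HTTP/1.1",
    "GET /99.php?act=%70hp%69nfo HTTP/1.1",
    "GET //99.php?ACT=PHPINFO HTTP/1.1",
]

# Hypothetical content token; the real rule's text is not on the page.
ASSUMED_TOKEN = "act=phpinfo"


def normalize_uri(uri: str) -> str:
    """Simplified model of the normalisation applied before an http_uri
    content match: percent-decode and collapse repeated slashes.
    This is a teaching approximation, not Snort's own normaliser."""
    decoded = unquote(uri)
    while "//" in decoded:
        decoded = decoded.replace("//", "/")
    return decoded


def extract_uri(request_line: str) -> str:
    """Return the request-target from 'METHOD target HTTP/x.y'.
    A target containing a raw space splits into extra tokens; keep
    everything between method and version so the oddity stays visible."""
    parts = request_line.split(" ")
    if len(parts) < 3:
        raise ValueError("malformed request line")
    return " ".join(parts[1:-1])


def content_matches(request_line: str, content: str, nocase: bool = True) -> bool:
    """Emulate a single `content:"..."; http_uri; [nocase;]` clause."""
    uri = normalize_uri(extract_uri(request_line))
    if nocase:
        return content.lower() in uri.lower()
    return content in uri


def explain(request_line: str, content: str) -> str:
    """Human-readable verdict for one request line."""
    uri = normalize_uri(extract_uri(request_line))
    hit = content_matches(request_line, content)
    note = ""
    if not hit and " " in uri:
        note = " (URI contains a literal space; the token is split)"
    return f"{'HIT ' if hit else 'MISS'} {uri!r}{note}"


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(explain(line, ASSUMED_TOKEN))
```

If the logged request really carries the space, the rule has nothing to match and the silence is expected; if the space was only inserted for the mailing list and the live request is clean, the next things to check are whether the rule is enabled in the loaded ruleset and whether the HTTP inspector is configured for the port the webshell copy is served on.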
Current thread:
- Webshell SIGs Peter Bates (May 29)
- Re: Webshell SIGs waldo kitty (May 29)
- <Possible follow-ups>
- Webshell SIGs Peter Bates (May 29)
- Re: Webshell SIGs Joel Esler (May 29)