Snort mailing list archives
Linux/CDorked sig
From: James Lay <jlay () slave-tothe-box net>
Date: Fri, 26 Apr 2013 11:04:34 -0600
Enjoy:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"INDICATOR-COMPROMISED Linux/CDorked redirect";
flow:from_server,established; file_data; content:"index.php?j=";
http_header; content:"302"; http_stat_code;
pcre:"/http\x3a\x2f\x2f[0-9a-z]{16}/m"; metadata:policy balanced-ips
drop, policy security-ips drop, service http;
reference:url,http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html;
classtype:trojan-activity; sid:10000049; rev:1;)
Ok Joel....how much cleanup is needed with this ;)
James
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_apr
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Linux/CDorked sig James Lay (Apr 26)
- Re: [Emerging-Sigs] Linux/CDorked sig Will Metcalf (Apr 29)
- Re: [Emerging-Sigs] Linux/CDorked sig Rodrigo Montoro(Sp0oKeR) (Apr 26)
- Re: [Emerging-Sigs] Linux/CDorked sig Will Metcalf (Apr 29)
- Re: [Emerging-Sigs] Linux/CDorked sig Will Metcalf (Apr 29)
- Re: [Emerging-Sigs] Linux/CDorked sig Rodrigo Montoro(Sp0oKeR) (Apr 26)
- Re: [Emerging-Sigs] Linux/CDorked sig Will Metcalf (Apr 29)