Snort mailing list archives
Re: Possible FP on sid:26529 - Cdorked backdoor command attempt ?
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 3 May 2013 16:27:29 -0400
Thanks Andre, I'll get the analyst that wrote these on it.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On May 3, 2013, at 12:09 PM, Andre DiMino <adimino () sempersecurus org> wrote:
I'm seeing this alert fire quite a bit today, and I'm not seeing anything seemingly related to Linux-Cdorked commands. I'm wondering if it may be a FP? The sig is as follows:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked backdoor command attempt"; flow:to_server,established; content:"SECID="; fast_pattern:only; content:"SECID="; nocase; http_cookie; pcre:"/^\/[^?]*?\?[a-f0-9]{4}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26529; rev:1;)

Traffic I'm seeing looks like this:

GET /ba.html?1095 HTTP/1.1
Host: c.betrad. com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/536.29.13 (KHTML, like Gecko) Version/6.0.4 Safari/536.29.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: hxxp://ad.media6degrees. com/adserv/cs?adType=iframe|is_preview=0|cId=16057|ec=1|spId=91095|advId=1218|tpCId=4954476|exId=9|price=0.354173|vurlId=216248|srcUrlEnc=http://screenrant. com/captain-america-2-falcon-winter-soldier-costumes/|tpInvId=95|notifyServer=aeq311.eq.pl.pvt|notifyPort=8080|bdie=1c7o0s87z0jj8|bid=1.7799999713897705|tId=6892644925539300|pubId=7854|invId=12998|secId=56|tpSecId=1319854|foo=bar|cb=1367595784
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: keep-alive

Remote host is e5413.g.akamaiedge.net. A 184.26.51.231
e5413.g.akamaiedge.net.0.1.cn.akamaiedge.net. A 184.26.51.231

It doesn't *appear* that screenrant. com is infected with Cdork, so I thought I'd just throw this out here for consideration. Here are a few more:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
GET /ba.html?1095 HTTP/1.1
Host: c.betrad. com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ad.media6degrees. com/adserv/cs?tId=6809218409273906|cb=1367595163|adType=iframe|cId=15604|ec=1|spId=82885|advId=1065|exId=21|price=2.010000|pubId=127|secId=414|invId=1186|tpInvId=3|notifyServer=aeq194.eq.pl.pvt|notifyPort=8080|bdie=1jkm6wt1e2vod|bid=1.50|srcUrlEnc=http%3A%2F%2Fnation.foxnews. com%2Fstatic%2Fv%2Fall%2Fhtml%2Fad-ifr.html%3Fid%3Dframe2-300x100%26ns%3DfriendlyComm|bms=3
Connection: keep-alive
If-Modified-Since: Thu, 02 May 2013 22:08:34 GMT
If-None-Match: "5389a15bc989f3e0f559222cf19c0064:1367532514"
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
GET /reportV3/ft.stat?10476941-0-310-0-19070F3B686BBB-945671-0x0x0x123 HTTP/1.1
Host: stat.flashtalking. com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://servedby.flashtalking. com/imp/3/25598;543598;201;jsiframe;Media6Degrees;Media6degrees728x90/?ft_custom=&imageType=gif&ftDestID=3642763&ft_width=728&ft_height=90&click=http://ad.media6degrees. com/adserv/clk?tId=6676444134860084|cId=16511|cb=1367594173|notifyPort=8080|exId=25|tpAuctId=41b7d3ef371e05ead0634b808e1e96f5c4f3d910|tId=6676444134860084|tpInvId=2010722|ec=1|secId=460|price=883B0423C1C85454|pubId=5593|advId=1451|notifyServer=asd155.sd.pl.pvt|bdie=1pelg95qfwmya|spId=83223|adType=iframe|invId=10620|bms=2010722|bid=10.00|ctrack=&ftOBA=1&cachebuster=1367594174168
Cookie: flashtalkingad1="GUID=19070F3B686BBB|segment=(y8BWISEA-m:c400last,SEABWI-m:c400ret,ags,bi7-m:origdest)|tp=(244-1477-v-19421841)"

--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It's a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
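To see why the ad-tracking requests in the thread can satisfy sid:26529, here is an added Python emulation of the rule's two checks (not code from the thread or from Snort): it applies the rule's pcre to the URI and looks for SECID= (nocase) either in the Cookie header alone, or, as an assumption about the FP mechanism that the thread itself does not state, across the whole header block, where the Referer's secId= parameter sits. The requests below are constructed, modelled on the first sample with the Referer trimmed.

```python
import re

# Regex lifted from the rule's pcre option (/Ui: applied to the URI, case-insensitive).
URI_PCRE = re.compile(r"^/[^?]*?\?[a-f0-9]{4}", re.IGNORECASE)

def parse_request(raw: str):
    """Split a raw HTTP request into (uri, headers); header names are lower-cased."""
    lines = raw.strip().splitlines()
    _method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return uri, headers

def sid26529_matches(raw: str, cookie_isolated: bool) -> bool:
    """Emulate sid:26529: 'SECID=' (nocase) in the cookie buffer AND the URI pcre.
    cookie_isolated=True  -> http_cookie sees only the Cookie header.
    cookie_isolated=False -> http_cookie sees the whole header block (an assumption
    about how the Referer's 'secId=' could satisfy the rule; not stated in the thread)."""
    uri, headers = parse_request(raw)
    if cookie_isolated:
        haystack = headers.get("cookie", "")
    else:
        haystack = "\n".join(f"{name}: {value}" for name, value in headers.items())
    if "secid=" not in haystack.lower():
        return False
    return URI_PCRE.search(uri) is not None

# Constructed request modelled on the first sample in the thread (Referer trimmed).
AD_REQUEST = (
    "GET /ba.html?1095 HTTP/1.1\n"
    "Host: c.betrad.com\n"
    "Referer: http://ad.media6degrees.com/adserv/cs?adType=iframe|cId=16057|secId=56|cb=1367595784\n"
    "Connection: keep-alive\n"
)
# Constructed control request: no 'secid=' anywhere, query string is not four hex chars.
PLAIN_REQUEST = "GET /index.html?page=home HTTP/1.1\nHost: example.invalid\n"

def summarise() -> dict:
    """Return match results for each request under both cookie-buffer assumptions."""
    return {
        "ad_header_fallback": sid26529_matches(AD_REQUEST, cookie_isolated=False),
        "ad_cookie_only": sid26529_matches(AD_REQUEST, cookie_isolated=True),
        "plain_header_fallback": sid26529_matches(PLAIN_REQUEST, cookie_isolated=False),
    }
```

The ad request trips both checks only when the cookie buffer is not isolated, which is the condition a tuned revision of the rule would need to close; the four-hex-digit URI test alone is satisfied by an ordinary cache-buster like ?1095.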