vBulletin 4.x and 5.x exploit in the wild

[James Lay <jlay () slave-tothe-box net>]

Bummer:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"MALWARE-OTHER vBulletin upgrade.php exploit"; flow:to_server, 
established; content:"POST"; http_method; 
content:"install|2f|upgrade.php"; http_uri; fast_pattern:only; 
metadata:policy balanced-ips drop, policy security-ips drop, service 
http, ruleset community; 
reference:url,www.net-security.org/secworld.php?id=15743; 
classtype:trojan-activity; sid:10000101; rev:1;)

not adding the / at the front allows it to catch both 4.x and 5.x 
version.  Thanks all!

James

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!