# sid 2007724 rev 12, Suricata form ("alert http", $EXTERNAL_NET any instead of tcp/$HTTP_PORTS).
# Fires on a client POST whose normalized URI contains ".php?1=<alnum>_<alnum|_>&i=", e.g. the
# third packet in the capture below: "POST /z/stat1.php?1=e0020mikemc_0209a988&i= HTTP/1.0"
# to itsyouronline.cn. The value after "&i=" may be empty (it is in that sample), which is why the
# pcre deliberately ends at "&i=" and requires nothing after it.
# Not covered by this sid: the "?2=...&n=1&v=...&i=&s=0&sp=0&lcp=0&pr=0" stats POST (packets 1 and 4
# of the capture, which carry "?2=" not "?1=") and the "GET /z/cfg.bin" config fetch (packet 2).
# The User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" in the samples is generic and
# not used here. The "?1=<x>_<y>&i=" shape is short, so expect to tune on networks whose web apps
# use numeric query-string keys.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; classtype:trojan-activity; sid:2007724; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:00:59 UTC


# sid 2007724 rev 11, Snort 2.9-style form: the method and URI tests use the http_method / http_uri
# content modifiers and the pcre runs on the normalized URI (U flag).
# Matches a client POST whose URI contains ".php?1=<alnum>_<alnum|_>&i="; the capture below shows a
# hit, "POST /z/stat1.php?1=e0020mikemc_0209a988&i= HTTP/1.0" (note the empty "i=" value, so the pcre
# must not require anything after "&i="). The "?2=" stats POST and "GET /z/cfg.bin" seen in the same
# capture are not matched by this sid.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; classtype:trojan-activity; sid:2007724; rev:11;)

Added 2011-10-12 19:23:44 UTC


# sid 2007724 rev 11 (earlier listing of the same revision; only option ordering differs).
# Detection logic: client POST (http_method) whose normalized URI contains ".php?1=" and "&i=" and
# satisfies ".php?1=<alnum>_<alnum|_>&i=" (pcre, U flag = normalized URI buffer). The "&i=" value may
# be empty, as in the "POST /z/stat1.php?1=e0020mikemc_0209a988&i=" sample captured below.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; classtype:trojan-activity; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; sid:2007724; rev:11;)

Added 2011-09-14 22:37:14 UTC


# sid 2007724 rev 11 (earliest listing of this revision; still carries the old cvsweb TROJAN_PRG
# reference that later listings drop). Detection logic is unchanged: client POST (http_method) with a
# normalized URI containing ".php?1=<alnum>_<alnum|_>&i=" (pcre with U flag); an empty "i=" value is
# accepted, matching the "POST /z/stat1.php?1=e0020mikemc_0209a988&i=" beacon in the capture below.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?1="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; classtype:trojan-activity; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2007724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2007724; rev:11;)

Added 2011-02-04 17:26:50 UTC


# sid 2007724 rev 7, older Snort 2.x syntax: content:"POST " with depth:5 pins the method to the first
# five bytes of the payload, and uricontent / pcre with the U flag test the normalized URI.
# Matches ".php?1=<alnum>_<alnum|_>&i=" with nothing required after "&i=", so the empty-"i=" beacon
# "POST /z/stat1.php?1=e0020mikemc_0209a988&i= HTTP/1.0" in the capture below is a hit. The "?2="
# stats POST and "GET /z/cfg.bin" from the same host are outside this sid's scope.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2007724; rev:7;)

Added 2009-02-13 19:30:23 UTC

16:15:51.343785 IP 192.168.3.24.2135 > 64.86.133.58.80: P 1958733971:1958734218(247) ack 923439852 win 65535
        0x0000:  4548 011f c591 4000 8006 aaae c0a8 0318  EH....@.........
        0x0010:  4056 853a 0857 0050 74bf e893 370a 92ec  @V.:.W.Pt...7...
        0x0020:  5018 ffff 2512 0000 504f 5354 202f 7a2f  P...%...POST./z/
        0x0030:  7374 6174 312e 7068 703f 323d 6530 3032  stat1.php?2=e002
        0x0040:  306d 696b 656d 635f 3032 3039 6139 3838  0mikemc_0209a988
        0x0050:  266e 3d31 2676 3d31 3637 3737 3939 3126  &n=1&v=16777991&
        0x0060:  693d 2673 3d30 2673 703d 3026 6c63 703d  i=&s=0&sp=0&lcp=
        0x0070:  3026 7072 3d30 2048 5454 502f 312e 310d  0&pr=0.HTTP/1.1.
        0x0080:  0a55 7365 722d 4167 656e 743a 204d 6f7a  .User-Agent:.Moz
        0x0090:  696c 6c61 2f34 2e30 2028 636f 6d70 6174  illa/4.0.(compat
        0x00a0:  6962 6c65 3b20 4d53 4945 2036 2e30 3b20  ible;.MSIE.6.0;.
        0x00b0:  5769 6e64 6f77 7320 4e54 2035 2e31 290d  Windows.NT.5.1).
        0x00c0:  0a48 6f73 743a 2069 7473 796f 7572 6f6e  .Host:.itsyouron
        0x00d0:  6c69 6e65 2e63 6e0d 0a43 6f6e 7465 6e74  line.cn..Content
        0x00e0:  2d4c 656e 6774 683a 2030 0d0a 436f 6e6e  -Length:.0..Conn
        0x00f0:  6563 7469 6f6e 3a20 4b65 6570 2d41 6c69  ection:.Keep-Ali
        0x0100:  7665 0d0a 4361 6368 652d 436f 6e74 726f  ve..Cache-Contro
        0x0110:  6c3a 206e 6f2d 6361 6368 650d 0a0d 0a    l:.no-cache....
16:18:57.753583 IP 192.168.3.24.1080 > 64.86.133.58.80: P 1395420373:1395420501(128) ack 4245287523 win 65535
        0x0000:  4548 00a8 0233 4000 8006 6e84 c0a8 0318  EH...3@...n.....
        0x0010:  4056 853a 0438 0050 532c 6cd5 fd09 f263  @V.:.8.PS,l....c
        0x0020:  5018 ffff a085 0000 4745 5420 2f7a 2f63  P.......GET./z/c
        0x0030:  6667 2e62 696e 2048 5454 502f 312e 300d  fg.bin.HTTP/1.0.
        0x0040:  0a55 7365 722d 4167 656e 743a 204d 6f7a  .User-Agent:.Moz
        0x0050:  696c 6c61 2f34 2e30 2028 636f 6d70 6174  illa/4.0.(compat
        0x0060:  6962 6c65 3b20 4d53 4945 2036 2e30 3b20  ible;.MSIE.6.0;.
        0x0070:  5769 6e64 6f77 7320 4e54 2035 2e31 290d  Windows.NT.5.1).
        0x0080:  0a48 6f73 743a 2064 6574 6775 6964 652e  .Host:.detguide.
        0x0090:  636e 0d0a 5072 6167 6d61 3a20 6e6f 2d63  cn..Pragma:.no-c
        0x00a0:  6163 6865 0d0a 0d0a                      ache....
16:21:18.941872 IP 192.168.3.24.1263 > 64.86.133.58.80: P 742374694:742375087(393) ack 383429994 win 65535
        0x0000:  4548 01b1 0c6d 4000 8006 6341 c0a8 0318  EH...m@...cA....
        0x0010:  4056 853a 04ef 0050 2c3f bd26 16da ad6a  @V.:...P,?.&...j
        0x0020:  5018 ffff eae5 0000 504f 5354 202f 7a2f  P.......POST./z/
        0x0030:  7374 6174 312e 7068 703f 313d 6530 3032  stat1.php?1=e002
        0x0040:  306d 696b 656d 635f 3032 3039 6139 3838  0mikemc_0209a988
        0x0050:  2669 3d20 4854 5450 2f31 2e30 0d0a 5573  &i=.HTTP/1.0..Us
        0x0060:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
        0x0070:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
        0x0080:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
        0x0090:  646f 7773 204e 5420 352e 3129 0d0a 486f  dows.NT.5.1)..Ho
        0x00a0:  7374 3a20 6974 7379 6f75 726f 6e6c 696e  st:.itsyouronlin
        0x00b0:  652e 636e 0d0a 436f 6e74 656e 742d 4c65  e.cn..Content-Le
        0x00c0:  6e67 7468 3a20 3138 360d 0a43 6f6e 6e65  ngth:.186..Conne
        0x00d0:  6374 696f 6e3a 204b 6565 702d 416c 6976  ction:.Keep-Aliv
        0x00e0:  650d 0a50 7261 676d 613a 206e 6f2d 6361  e..Pragma:.no-ca
        0x00f0:  6368 650d 0a0d 0a4c 4c41 48b2 0000 00fc  che....LLAH.....
        0x0100:  09f2 0d1a 1106 1ce9 83e2 1dde fae1 27d6  ..............'.
        0x0110:  2dd2 40ce 47ca 47c6 65c2 d7be 6dbb 4ab7  -.@.G.G.e...m.J.
        0x0120:  71bc 4dae 531e eaa7 59ab 61e1 9bf6 bcdf  q.M.S...Y.a.....
        0x0130:  b7d6 bce5 c4e6 e8ff ecf6 e2eb b4ac e1e4  ................
        0x0140:  fde1 009c f6e2 fab6 ec82 01bf 15bb df63  ...............c
        0x0150:  b35f b7b6 25be 25b9 f371 ecb5 38b1 f397  ._..%.%..q..8...
        0x0160:  3693 479d 3f58 3895 4651 448e 108d 4e7d  6.G.?X8.FQD...N}
        0x0170:  573f 567c 1f72 6973 6531 2e2e 3527 3e28  W?V|.rise1..5'>(
        0x0180:  3d2a 461e 4617 461e 4b1a 5411 55fa 62f6  =*F.F.F.K.T.U.b.
        0x0190:  6d41 9135 9637 9634 6bfa 6fee 71ea 850f  mA.5.7.4k.o.q...
        0x01a0:  aa1a bc1d 7f0d c413 d509 d111 95ce 95a3  ................
        0x01b0:  73                                       s

16:21:19.957925 IP 192.168.3.24.1264 > 64.86.133.58.80: P 2115566848:2115567088(240) ack 1548827247 win 65535
        0x0000:  4548 0118 0c7a 4000 8006 63cd c0a8 0318  EH...z@...c.....
        0x0010:  4056 853a 04f0 0050 7e18 fd00 5c51 3a6f  @V.:...P~...\Q:o
        0x0020:  5018 ffff d1e9 0000 504f 5354 202f 7a2f  P.......POST./z/
        0x0030:  7374 6174 312e 7068 703f 323d 6530 3032  stat1.php?2=e002
        0x0040:  306d 696b 656d 635f 3032 3039 6139 3838  0mikemc_0209a988
        0x0050:  266e 3d31 2676 3d31 3637 3737 3939 3126  &n=1&v=16777991&
        0x0060:  693d 2673 3d30 2673 703d 3026 6c63 703d  i=&s=0&sp=0&lcp=
        0x0070:  3026 7072 3d30 2048 5454 502f 312e 300d  0&pr=0.HTTP/1.0.
        0x0080:  0a55 7365 722d 4167 656e 743a 204d 6f7a  .User-Agent:.Moz
        0x0090:  696c 6c61 2f34 2e30 2028 636f 6d70 6174  illa/4.0.(compat
        0x00a0:  6962 6c65 3b20 4d53 4945 2036 2e30 3b20  ible;.MSIE.6.0;.
        0x00b0:  5769 6e64 6f77 7320 4e54 2035 2e31 290d  Windows.NT.5.1).
        0x00c0:  0a48 6f73 743a 2069 7473 796f 7572 6f6e  .Host:.itsyouron
        0x00d0:  6c69 6e65 2e63 6e0d 0a43 6f6e 7465 6e74  line.cn..Content
        0x00e0:  2d4c 656e 6774 683a 2030 0d0a 436f 6e6e  -Length:.0..Conn
        0x00f0:  6563 7469 6f6e 3a20 4b65 6570 2d41 6c69  ection:.Keep-Ali
        0x0100:  7665 0d0a 5072 6167 6d61 3a20 6e6f 2d63  ve..Pragma:.no-c
        0x0110:  6163 6865 0d0a 0d0a                      ache....

-- JackPepper - 20 Feb 2009


# sid 2007724 rev 7 (duplicate listing). content:"POST " with depth:5 anchors the method at the start
# of the payload; uricontent and the U-flag pcre run on the normalized URI and require
# ".php?1=<alnum>_<alnum|_>&i=" with no value after "&i=". The capture above shows a matching beacon
# ("POST /z/stat1.php?1=e0020mikemc_0209a988&i= HTTP/1.0"); the "?2=" stats POST in that capture does
# not contain ".php?1=" and is not matched.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007724; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PRG; sid:2007724; rev:7;)

Added 2009-02-13 19:30:23 UTC


# sid 2007724 rev 6. Same detection as rev 7 (POST at payload start, normalized-URI match on
# ".php?1=<alnum>_<alnum|_>&i=" with nothing required after "&i="); rev 7 only added references.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:6;)

Added 2008-07-07 10:21:57 UTC


# sid 2007724 rev 6 (duplicate listing). POST anchored at payload start (depth:5); normalized-URI
# pcre ".php?1=<alnum>_<alnum|_>&i=" with no value required after "&i=". Only the reference URL
# changed from rev 5.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:6;)

Added 2008-07-07 10:21:57 UTC


# sid 2007724 rev 5: the revision that fixed the pcre. Compared with rev 4 it (a) adds the U flag so
# the regex runs against the normalized URI instead of the raw payload, (b) allows "_" in the second
# token ("[a-z0-9_]+"), and (c) stops at "&i=" instead of demanding "&i=<alnum><digits><whitespace>".
# (c) matters: the sample in the capture above sends an empty "i=" ("...&i= HTTP/1.0"), which the
# rev 4 pattern could not match. Once the U flag is used a trailing "\s" would never match anyway,
# since the URI buffer ends before the space preceding "HTTP/1.x".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:5;)

Added 2008-02-15 23:23:04 UTC


# sid 2007724 rev 5 (duplicate listing). First revision whose pcre carries the U flag (normalized
# URI) and ends at "&i=", accepting an empty "i=" value such as the "&i= HTTP/1.0" beacon in the
# capture above; the second URI token also gains "_" ("[a-z0-9_]+").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9_]+&i=/Ui"; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:5;)

Added 2008-02-15 23:23:04 UTC


# sid 2007724 rev 4 (superseded). The pcre has only the i flag, so it is evaluated against the raw
# payload rather than the normalized URI, and it requires "&i=" to be followed by "[a-z0-9]\d+" and
# whitespace. An empty "i=" value, as in the "POST /z/stat1.php?1=e0020mikemc_0209a988&i= HTTP/1.0"
# sample captured above, does not satisfy this pattern, so this revision misses that beacon; the
# second token "[a-z0-9]+" also rejects underscores. Both were relaxed in rev 5.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9]+&i=[a-z0-9]\d+\s/i"; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:4;)

Added 2008-02-15 13:30:54 UTC


# sid 2007724 rev 4 (duplicate listing, superseded). Raw-payload pcre (no U flag) that demands a
# non-empty "i=" value ("&i=[a-z0-9]\d+\s"); the empty "&i= HTTP/1.0" form seen in the capture above
# is not matched by this revision. Relative to rev 3 it only widened "&i=[a-z]" to "&i=[a-z0-9]" and
# dropped the stray within:40 after the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9]+&i=[a-z0-9]\d+\s/i"; reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:4;)

Added 2008-02-15 13:30:54 UTC


# sid 2007724 rev 3 (superseded). Two problems visible here, both gone by rev 4:
#  - "within:40" is placed after the pcre. within is a content modifier and there is no content /
#    uricontent option immediately before it, so it is at best meaningless and likely rejected by the
#    rule parser (rev 4 removed it).
#  - "reference:url, ip.securescience..." has a space after the comma (rev 4 removed it).
# The raw-payload pcre (no U flag) also requires a non-empty "i=" value ("&i=[a-z0-9]\d+\s"), which
# the empty-"i=" beacon in the capture above would not satisfy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9]+&i=[a-z0-9]\d+\s/i"; within:40; reference:url, ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:3;)

Added 2008-02-15 11:52:27 UTC


# sid 2007724 rev 3 (duplicate listing, superseded). Carries a "within:40" directly after the pcre,
# where no preceding content option exists for it to modify (dropped in rev 4), and a stray space in
# "reference:url, ip...". The pcre runs on the raw payload (no U flag) and requires "&i=" to be
# followed by "[a-z0-9]\d+" plus whitespace, so the empty "i=" seen in the capture above is missed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9]+&i=[a-z0-9]\d+\s/i"; within:40; reference:url, ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:3;)

Added 2008-02-15 11:52:27 UTC


# sid 2007724 rev 2 (superseded), the narrowest form of this signature:
#  - "within:40" after uricontent:"&i=" requires "&i=" to occur within 40 bytes of the ".php?1="
#    match; a second "within:40" after the pcre has no content option to attach to (removed in rev 4).
#  - the raw-payload pcre (no U flag) requires "&i=" to be followed by a single letter, digits and
#    whitespace ("&i=[a-z]\d+\s"); rev 3 widened the letter to "[a-z0-9]", rev 5 dropped the value
#    requirement entirely because the beacon can send an empty "i=" (see "&i= HTTP/1.0" in the
#    capture above).
#  - "reference:url, ip.securescience..." has a stray space after the comma (fixed in rev 4).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; within:40; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9]+&i=[a-z]\d+\s/i"; within:40; reference:url, ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:2;)

Added 2008-01-31 10:12:23 UTC


# sid 2007724 rev 2 (duplicate listing, superseded). "within:40" after uricontent:"&i=" bounds the
# distance from the ".php?1=" match; the second "within:40" after the pcre has no preceding content
# option and was removed in rev 4. The raw-payload pcre (no U flag) demands "&i=<letter><digits><ws>",
# so it cannot match the empty "i=" value the capture above shows; rev 5 relaxed this.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Prg Trojan HTTP POST version 2"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?1="; uricontent:"&i="; within:40; pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9]+&i=[a-z]\d+\s/i"; within:40; reference:url, ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; classtype:trojan-activity; sid:2007724; rev:2;)

Added 2008-01-31 10:12:23 UTC

