alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Report to Controller"; flow:established,to_server; uricontent:"/controller.php?action="; uricontent:"&entity"; uricontent:"&rnd="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Peed; sid:2008501; rev:2;)

Added 2009-02-13 19:30:24 UTC

unconfirmed sample:

GET /fine/controller.php?action=bot&entity_list=&uid=5&first=1&guid=2757987615&rnd=758689

-- RussellFulton - 16 Feb 2009

I've also got the following URI patterns for newer versions of PEED.

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=819416896&rnd=981633

GET /ging/controller.php?action=bot&entity_list=&uid=&first=1&guid=2902206485&rnd=946862

GET /stats/controller.php?action=bot&entity_list=&uid=&first=1&guid=1745401954&rnd=94686

-- DanielClemens - 26 May 2009
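
The sample request lines above can be checked against the three uricontent matches of sid 2008501 offline. This is an added example, not code from Emerging Threats or from the commenters: it pulls the uricontent patterns out of the rule text and applies them to the request URI, requiring every pattern, in any order (the rule sets no distance/within) and case-sensitively (the rule sets no nocase). Assumptions: Snort's URI normalization, the flow option and the port variables are not modeled, and the two non-matching lines are constructed.

```python
import re

# Option section of the rule on this page (sid 2008501, rev 2; references omitted).
RULE_OPTIONS = (
    'msg:"ET TROJAN Peed Report to Controller"; flow:established,to_server; '
    'uricontent:"/controller.php?action="; uricontent:"&entity"; '
    'uricontent:"&rnd="; classtype:trojan-activity; sid:2008501; rev:2;'
)

# Request lines quoted in the comments on this page.
PAGE_SAMPLES = [
    "GET /fine/controller.php?action=bot&entity_list=&uid=5&first=1&guid=2757987615&rnd=758689",
    "GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=819416896&rnd=981633",
    "GET /ging/controller.php?action=bot&entity_list=&uid=&first=1&guid=2902206485&rnd=946862",
    "GET /stats/controller.php?action=bot&entity_list=&uid=&first=1&guid=1745401954&rnd=94686",
]

# Constructed request lines (not from the page) that must not alert.
CONSTRUCTED_NEGATIVES = [
    "GET /app/controller.php?action=view&id=7",                # one pattern only
    "GET /fine/CONTROLLER.PHP?ACTION=bot&ENTITY_list=&RND=1",  # wrong case, rule has no nocase
]


def uricontent_patterns(options):
    """Return every uricontent:"..." pattern in a rule's option string."""
    return re.findall(r'uricontent:"([^"]*)"', options)


def request_uri(request_line):
    """Return the URI field of a 'METHOD URI [HTTP/x.y]' request line."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError("not a request line: %r" % request_line)
    return parts[1]


def matches(request_line, patterns):
    """True if every pattern occurs in the URI, in any order, case-sensitively."""
    uri = request_uri(request_line)
    return all(p in uri for p in patterns)


def evaluate(lines, options=RULE_OPTIONS):
    """Map each request line to whether the rule's uricontent checks all hit."""
    patterns = uricontent_patterns(options)
    return {line: matches(line, patterns) for line in lines}


if __name__ == "__main__":
    for line, hit in evaluate(PAGE_SAMPLES + CONSTRUCTED_NEGATIVES).items():
        print("ALERT" if hit else "-----", line)
```

All four request lines quoted on this page satisfy the existing uricontent matches, including the /new/, /ging/ and /stats/ paths, because the rule does not anchor on the directory prefix.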


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Report to Controller"; flow:established,to_server; uricontent:"/controller.php?action="; uricontent:"&entity"; uricontent:"&rnd="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Peed; sid:2008501; rev:2;)

Added 2009-02-13 19:30:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Report to Controller"; flow:established,to_server; uricontent:"/controller.php?action="; uricontent:"&entity"; uricontent:"&rnd="; classtype:trojan-activity; sid:2008501; rev:1;)

Added 2008-08-12 10:39:57 UTC


Topic revision: r4 - 2009-05-26 - MattJonkman
 