# rev 6 (retired): the rule is commented out and its msg carries the "ET DELETED" prefix, so it is kept as a record and does not alert.
# The header uses the Suricata-style `http` protocol keyword with `any` as the destination port, where rev 5 used tcp and $HTTP_PORTS.
# Only "POST" is bound to an HTTP buffer (http_method); the other contents have no buffer modifier.
# nocase and fast_pattern modify the preceding content "&prov=" only.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008784; classtype:trojan-activity; sid:2008784; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:55 UTC


# rev 5 (retired): commented out and renamed from "ET TROJAN" to "ET DELETED".
# The detection options are the same as in the active rev 5 entry that follows on this page.
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008784; classtype:trojan-activity; sid:2008784; rev:5;)

Added 2011-10-31 17:03:27 UTC


# rev 5: outbound, client-to-server HTTP request from $HOME_NET on an established flow.
# The method check is content:"POST"; http_method, replacing the raw content:"POST "; depth:5 used in rev 3.
# ".php", "gd=", "&affid=", "&subid=" and "&prov=" carry no HTTP buffer modifier and no distance/within, so each may match anywhere in the payload, in any order.
# nocase applies to "&prov=" only (the other strings are case-sensitive); fast_pattern selects "&prov=" for the prefilter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008784; classtype:trojan-activity; sid:2008784; rev:5;)

Added 2011-10-12 19:25:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008784; sid:2008784; rev:5;)

Added 2011-09-14 22:39:18 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_UltimateDefender; sid:2008784; rev:5;)

Added 2011-02-04 17:27:59 UTC


# rev 3: same detection options as rev 2, with two reference:url entries added.
# content:"POST "; depth:5 requires the literal "POST " in the first five bytes of the inspected payload, so the request line must start the payload.
# The parameter strings are unordered raw-payload matches; nocase applies to "&prov=" only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_UltimateDefender; sid:2008784; rev:3;)

Added 2009-02-13 19:47:26 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_UltimateDefender; sid:2008784; rev:3;)

Added 2009-02-13 19:47:26 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_UltimateDefender; sid:2008784; rev:3;)

Added 2009-02-13 19:46:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_UltimateDefender; sid:2008784; rev:3;)

Added 2009-02-13 19:46:39 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_UltimateDefender; sid:2008784; rev:3;)

Added 2009-02-13 19:45:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008784; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_UltimateDefender; sid:2008784; rev:3;)

Added 2009-02-13 19:45:24 UTC


# rev 2: differs from rev 1 only in the msg text (the stray ")" after "POST" is gone) and the rev number; detection options are unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; sid:2008784; rev:2;)

Added 2008-12-23 11:15:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; sid:2008784; rev:2;)

Added 2008-12-23 11:15:21 UTC


# rev 1: first version of the signature. The msg string ends in a stray ")" inside the quotes ("... POST)"), which only affects the alert text.
# Matches an outbound payload that begins with "POST " and contains ".php", "gd=", "&affid=", "&subid=" and "&prov=" (the last case-insensitively).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lighty Variant or UltimateDefender? POST)"; flow:established,to_server; content:"POST "; depth:5; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; classtype:trojan-activity; sid:2008784; rev:1;)

Added 2008-11-18 07:15:22 UTC

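72.233.114.12 seems to be popular for this one. (Note: the capture below is a GET request to /vcgi/new01/update.cgi, so the signature on this page, which requires a POST, would not fire on this request by itself.)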

 
    47 45 54 20 2F 76 63 67 69 2F 6E 65 77 30 31 2F  GET /vcgi/new01/
    75 70 64 61 74 65 2E 63 67 69 3F 6D 61 67 69 63  update.cgi?magic
    3D 35 32 34 30 39 38 32 35 30 30 30 30 26 6F 78  =524098250000&ox
    3D 32 2D 35 2D 31 2D 32 36 30 30 26 74 6D 3D 31  =2-5-1-2600&tm=1
    30 39 32 30 26 69 64 3D 32 31 35 34 36 38 34 31  0920&id=21546841
    26 63 61 63 68 65 3D 31 35 34 31 32 31 39 34 36  &cache=154121946
    36 20 48 54 54 50 2F 31 2E 31 0D 0A 48 6F 73 74  6 HTTP/1.1..Host
    3A 20 62 62 62 32 2E 6D 65 75 38 39 2E 6E 65 74  : bbb2.meu89.net
    0D 0A 0D 0A                                      ....
-- ChrisGreen - 01 Dec 2008


Topic revision: r2 - 2008-12-01 - ChrisGreen
 