alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action=add&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:02:36 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action=add&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:8;)

Added 2012-05-23 22:04:27 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action=add&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:7;)

Added 2011-12-20 17:12:12 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"?action="; http_uri; content:"&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:5;)

Added 2011-10-12 19:27:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"?action="; http_uri; content:"&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009458; sid:2009458; rev:5;)

Added 2011-09-14 22:40:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET"; http_method; content:".php"; http_uri; content:"?action="; http_uri; content:"&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2009458; rev:5;)

Added 2011-02-04 17:28:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"?action="; uricontent:"&a="; uricontent:"&c="; uricontent:"&u="; uricontent:"&l="; uricontent:"&p="; content:!"Host|3a| whos.amung.us"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2009458; rev:4;)

Added 2010-10-01 17:16:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"?action="; uricontent:"&a="; uricontent:"&c="; uricontent:"&u="; uricontent:"&l="; uricontent:"&p="; content:!"Host|3a| whos.amung.us"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2009458; rev:4;)

Added 2010-10-01 17:16:20 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"?action="; uricontent:"&a="; uricontent:"&c="; uricontent:"&u="; uricontent:"&l="; uricontent:"&p="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2009458; rev:3;)

Added 2009-07-13 18:45:35 UTC

Got a hit on this but can't tell whether it's relevant or a false positive (FP):

GET /pjswidget/?k=d0t8&i=30b716e2&t=News%20%3A%3A%20JPopsuki%202.0&r=http%3A%2F%2Fjpopsuki.eu%2Fuser.php%3Faction%3Dinvite&s=&p=&o=w7&b=ch&u=f&v=0.50&a=t&l=f&f=f&rand=80352350&w=colored&c=e3f4fd000000 HTTP/1.1 Host: whos.amung.us Connection: keep-alive Referer: http://jpopsuki.eu/index.php

-- JeffKell - 22 Sep 2010

I would say FP, but suspicious.

-- MattJonkman - 22 Sep 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"?action="; uricontent:"&a="; uricontent:"&c="; uricontent:"&u="; uricontent:"&l="; uricontent:"&p="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2009458; rev:3;)

Added 2009-07-13 18:45:35 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"?action="; uricontent:"&a="; uricontent:"&c="; uricontent:"&u="; uricontent:"&l="; uricontent:"&p="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2009458; rev:2;)

Added 2009-06-29 18:45:37 UTC

This closely matches the description here: http://nemesis.te-home.net/Forum/3000_News/20090612_Rlslog_net_uses_trojans_to_steal_and_sell_rapidsha.html

sample: DATA

GET /Dont_Bother/index.php?action=add&a=11&u=%68%74%74%70%3A %2F%2F%77%77%77%2E%72%65%61%6C%65%73%74%61%74%65%2E%63%6F%2E %6E%7A%2F%31%30%36%39%38%36%36%2F%69%6D%61%67%65%73%32&l=3%68%69%65%6E%40%67%6D%61%69%6C%2E%63%6F%6D &p=&c=%4B%41%48%53%48%49%45%4E

which URL-decodes to: GET /Dont_Bother/index.php?action=add&a=11&u=http: //www.realestate.co.nz/1069866/images2&l=@gmail.com &p=&c=KAHSHIEN

-- RussellFulton - 13 Jul 2009

I cut the password and username from above...

-- RussellFulton - 13 Jul 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"?action="; uricontent:"&a="; uricontent:"&c="; uricontent:"&u="; uricontent:"&l="; uricontent:"&p="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2009458; rev:2;)

Added 2009-06-29 18:45:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"?action="; uricontent:"&a="; uricontent:"&c="; uricontent:"&u="; uricontent:"&l="; uricontent:"&p="; classtype:trojan-activity; sid:2009458; rev:1;)

Added 2009-06-29 13:23:17 UTC

