alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Proxy.Agent"; flow:to_server,established; content:"GET "; depth:4; uricontent:"tongji.do?unit|5f|id="; uricontent:"&uv|5f|id="; uricontent:"&uv|5f|new="; uricontent:"&cna=&cg=&mid=&mmland=&ade=&adtm=&sttm=&cpa=&ss|5f|id="; uricontent:"&ss|5f|no="; uricontent:"&ec="; uricontent:"&ref=&url="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2011237; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_ProxyAgent_General; sid:2011237; rev:2;)

Added 2010-07-26 11:52:24 UTC

Seeing hits from reference on legit web sites. Referring code is http://js.tongji.linezing.com/745431/tongji.js, which appears to be tracking/geolocation code.

-- RussellFulton - 25 Aug 2010
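
A triage helper for hits on this signature, added here as an example; it is not part of the Emerging Threats rule set or of the comment above. It evaluates the rev 2 rule's content and uricontent options against a request line, which shows that the match depends only on the URI parameter layout and never on the destination host. The request lines are constructed samples, and URI normalization is assumed to leave the URI unchanged.

```python
import re

# Option section of sid 2011237 rev 2, copied from the rule on this page.
RULE_OPTIONS = (
    'content:"GET "; depth:4; uricontent:"tongji.do?unit|5f|id="; '
    'uricontent:"&uv|5f|id="; uricontent:"&uv|5f|new="; '
    'uricontent:"&cna=&cg=&mid=&mmland=&ade=&adtm=&sttm=&cpa=&ss|5f|id="; '
    'uricontent:"&ss|5f|no="; uricontent:"&ec="; uricontent:"&ref=&url=";'
)

def decode_content(pattern):
    """Expand Snort |hex| escapes (|5f| is '_') into the raw bytes matched."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Odd-numbered segments sit between pipes and hold hex byte values.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_options(options):
    """Return (payload prefix, depth, list of URI patterns) for this rule."""
    pairs = re.findall(r'\b(uricontent|content):"([^"]*)"', options)
    prefix = next(decode_content(v) for k, v in pairs if k == "content")
    depth = int(re.search(r"\bdepth:(\d+)", options).group(1))
    uris = [decode_content(v) for k, v in pairs if k == "uricontent"]
    return prefix, depth, uris

def would_fire(request_line, options=RULE_OPTIONS):
    """True if a client request line satisfies every content option.

    Simplification (assumption): the URI is compared as sent, without the
    normalization Snort's HTTP preprocessor applies before uricontent."""
    prefix, depth, uris = parse_options(options)
    if prefix not in request_line[:depth]:
        return False
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) > 1 else b""
    return all(p in uri for p in uris)

# Constructed request lines (not captured traffic).
TRACKER_STYLE = (b"GET /tongji.do?unit_id=1&uv_id=2&uv_new=1&cna=&cg=&mid="
                 b"&mmland=&ade=&adtm=&sttm=&cpa=&ss_id=3&ss_no=0&ec=1"
                 b"&ref=&url=http%3A%2F%2Fsite.example%2F HTTP/1.1")
PARTIAL = b"GET /tongji.do?unit_id=1&uv_id=2 HTTP/1.1"
NOT_GET = b"POST" + TRACKER_STYLE[3:]

if __name__ == "__main__":
    for line in (TRACKER_STYLE, PARTIAL, NOT_GET):
        print(would_fire(line), line[:40])
```

Feeding request lines from proxy logs through `would_fire` separates requests that carry the full parameter layout from ones that only share the `tongji.do` path.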



alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Proxy.Agent"; flow:to_server,established; content:"GET "; depth:4; uricontent:"tongji.do?unit|5f|id="; uricontent:"&uv|5f|id="; uricontent:"&uv|5f|new="; uricontent:"&cna=&cg=&mid=&mmland=&ade=&adtm=&sttm=&cpa=&ss|5f|id="; uricontent:"&ss|5f|no="; uricontent:"&ec="; uricontent:"&ref=&url="; classtype:trojan-activity; sid:2011237; rev:1;)

Added 2010-07-26 11:01:01 UTC


Topic revision: r2 - 2010-08-25 - RussellFulton
Copyright © Emerging Threats