# ET TROJAN Hiloti-style GET to PHP with terse MSIE headers — sid 2012612, rev 14 (Suricata `alert http`, any dest port).
# Fires on an outbound GET whose URI contains ".php?" and whose request headers are, in this order:
#   request line ending " HTTP/1.1", then "User-Agent: Mozilla/4.0 (compatible; MSIE <x>; Windows NT ...)" as the
#   first header, then "Host: ", then "Cache-Control: no-cache" as the last header (followed by the blank line),
#   with no header line starting with "Accept" anywhere in the request (content:!"|0d 0a|Accept" is absolute).
# The header-sequence contents carry no http_* modifier, so they are compared against the raw request bytes:
# header order, spacing and casing must match exactly (no nocase) — that rigidity is what separates this
# hand-rolled client from a real browser.
# content:!"8"; within:1 — the single byte after "MSIE " must not be '8', i.e. MSIE 8.x user agents are excluded.
# Compared with rev 13 below, this revision only adds the ".weather.hao.360.cn" exclusion.
# NOTE(review): the negated http_header exclusions (.taobao.com, .dict.cn, .avg.com, SlimBrowser, .weather.hao.360.cn)
# are unanchored substring matches over the whole header block, and Host/User-Agent are written by the client, so
# a malware author can silence this rule by placing any of those strings in any header. Treat them as FP tuning
# only, not as a boundary; if a specific benign source needs silencing, prefer a suppress entry keyed on address.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; content:!".taobao.com|0d 0a|"; http_header; content:!".dict.cn|0d 0a|"; http_header; content:!".avg.com|0d 0a|"; http_header; content:!"SlimBrowser"; http_header; content:!".weather.hao.360.cn"; http_header; classtype:trojan-activity; sid:2012612; rev:14;)

Added 2016-08-26 17:31:54 UTC


# sid 2012612, rev 13. Same detection logic as rev 12 below; the only change is the added
# content:!"SlimBrowser"; http_header exclusion (SlimBrowser advertises an MSIE-style UA, so it was
# presumably a reported false positive — not confirmed on this page).
# Detection: GET to ".php?" URI, raw-payload check that "User-Agent: Mozilla/4.0 (compatible; MSIE <not 8>; Windows NT ...)"
# is the first header, then "Host: ", then "Cache-Control: no-cache" closing the headers, and no "Accept*" header at all.
# The exclusions are unanchored substrings in the header buffer and are controlled by the sending client,
# so they reduce false positives but do not resist deliberate evasion.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; content:!".taobao.com|0d 0a|"; http_header; content:!".dict.cn|0d 0a|"; http_header; content:!".avg.com|0d 0a|"; http_header; content:!"SlimBrowser"; http_header; classtype:trojan-activity; sid:2012612; rev:13;)

Added 2016-04-05 17:59:29 UTC


# sid 2012612, rev 12. Changes relative to rev 10 below:
#   - protocol changed from "tcp ... $HTTP_PORTS" to "http ... any": the rule now relies on Suricata's
#     application-layer protocol detection, so HTTP on non-standard ports is covered as well.
#   - "fast_pattern:only" became plain "fast_pattern" (the :only form is Snort-specific).
#   - the negated http_header exclusions were moved after the positive matches and ".avg.com" was added.
# Core logic is unchanged: GET to a ".php?" URI whose raw headers begin with a
# "Mozilla/4.0 (compatible; MSIE <not 8>; Windows NT ...)" User-Agent, then "Host: ", then a terminating
# "Cache-Control: no-cache", and no "Accept*" header anywhere in the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; content:!".taobao.com|0d 0a|"; http_header; content:!".dict.cn|0d 0a|"; http_header; content:!".avg.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2012612; rev:12;)

Added 2014-08-12 18:24:35 UTC


# sid 2012612, rev 10 (Snort-compatible: tcp to $HTTP_PORTS). Only change from rev 9 below: the
# "client.dict.cn" exclusion was widened to ".dict.cn", so any host ending in .dict.cn is excluded.
# fast_pattern:only — the short "HTTP/1.1\r\nUser-Agent" content is used solely to select the rule in the
# fast-pattern matcher and is not re-evaluated; the longer content that follows contains the same bytes and
# re-checks them, so no match is lost.
# The negated http_header exclusions are placed before the positive matches here; they carry no relative
# modifier, so their position in the rule does not affect the result.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:!".taobao.com|0d 0a|"; http_header; content:!".dict.cn|0d 0a|"; http_header; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2012612; rev:10;)

Added 2013-10-22 23:39:07 UTC


# sid 2012612, rev 9. First revision to carry domain-based exclusions: ".taobao.com\r\n" and
# "client.dict.cn\r\n" negated in the normalized header buffer (the trailing CRLF anchors the string to the
# end of a header line, e.g. a Host value). Detection logic is otherwise identical to rev 6 below.
# NOTE(review): the Host header is written by the requesting program, so a domain exclusion can be
# satisfied by a malicious client at no cost; these entries trade a small blind spot for fewer false positives.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:!".taobao.com|0d 0a|"; http_header; content:!"client.dict.cn|0d 0a|"; http_header; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2012612; rev:9;)

Added 2012-04-02 21:11:33 UTC


# sid 2012612, rev 6. Changes from rev 4 below:
#   - "nocase" added to the GET method match.
#   - content:!"8"; within:1 added right after "MSIE ": the next byte must not be '8', which drops
#     MSIE 8.x user agents from the match.
# Everything else (first-header User-Agent, "; Windows NT ", ")\r\nHost: ", trailing "Cache-Control: no-cache",
# absence of any "Accept*" header) is unchanged from rev 4.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2012612; rev:6;)

Added 2012-03-16 17:41:01 UTC


# sid 2012612, rev 4 (2011-10-12). Only change from rev 3 below: a new relative content
# "; Windows NT " (distance:0) must appear after "MSIE ", before the ")\r\nHost: " match.
# This narrows the user-agent shape to "Mozilla/4.0 (compatible; MSIE <x>; Windows NT <y>)" and follows the
# Freecorder false-positive report dated 2011-09-25 at the bottom of this page — presumably the reason for the
# tightening, though the page does not say so explicitly.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2012612; rev:4;)

Added 2011-10-12 19:34:46 UTC


# sid 2012612, rev 3 (2011-03-31) — earliest revision shown on this page.
# Matches an outbound GET to a ".php?" URI where the raw request has "User-Agent: Mozilla/4.0 (compatible; MSIE "
# as the first header, then ")\r\nHost: " somewhere after it, then "Cache-Control: no-cache" as the final header,
# and no "Accept*" header anywhere. No Windows-NT token is required yet and there is no MSIE-version filter,
# so any MSIE-style UA in that position matches.
# The Freecorder update-check request recorded below (Sept 2011) is a known false positive against this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2012612; rev:3;)

Added 2011-03-31 20:32:18 UTC

False positive (FP) with Freecorder: the following update-check request triggered this rule (request line only shown):

GET /freecorder4/check_upgrade.php?version=1.00 HTTP/1.1

-- RussellFulton - 25 Sep 2011

