alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3; metadata:created_at 2011_08_08, updated_at 2011_08_08;)

Added 2017-08-07 21:06:40 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013379; rev:3;)

Added 2011-10-12 19:36:43 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Downbot/Shady Rat Remote Shell Connection"; flow:established,from_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; flowbits:set,et.shadyratinit; classtype:trojan-activity; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; sid:2013379; rev:3;)

Added 2011-09-15 17:11:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Downbot/Shady Rat Remote Shell Connection"; flow:established,to_server; dsize:<90; content:"|2F 2A 0A 40 2A 2A 2A 40 2A 40 40 40 40 40 40 40 40 40 40 40|"; depth:20; classtype:trojan-activity; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; sid:2013379; rev:1;)

Added 2011-08-11 10:45:13 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart? orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/refund_request.php?"; nocase; uricontent:"orderid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:bugtraq,41377; reference:url,doc.emergingthreats.net/2013379; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_iScripts; sid:2013379; rev:2;)

Added 2010-08-20 14:16:26 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart? orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/refund_request.php?"; nocase; uricontent:"orderid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:bugtraq,41377; reference:url,doc.emergingthreats.net/2013379; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_iScripts; sid:2013379; rev:2;)

Added 2010-08-20 14:16:26 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iScripts MultiCart? orderid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/refund_request.php?"; nocase; uricontent:"orderid="; nocase; uricontent:"DELETE"; nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; classtype:web-application-attack; reference:bugtraq,41377; sid:2013379; rev:1;)

Added 2010-08-19 16:58:24 UTC


Topic revision: r1 - 2017-08-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats