# sid:2014042 rev:5, retired: the msg was renamed to "ET DELETED" and the whole
# line is commented out, so the signature no longer loads. Same content matches
# as the live rev 5 below (POST method, install path in the normalized URI),
# but written against the Suricata "http" app-layer keyword with port "any"
# instead of tcp/$HTTP_PORTS.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED AirOS? admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/etc/persistent/.skynet/install&action=cli"; http_uri; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014042; rev:5;)

Added 2014-08-28 18:33:52 UTC


# sid:2014042 rev:5: fires on an established client->server POST whose
# normalized URI contains "/etc/persistent/.skynet/install&action=cli".
# Compared with rev 4 this drops the admin.cgi / .css / multipart matches in
# favour of a single URI match on the install path. No fast_pattern is
# declared, so the engine chooses which content drives the pre-filter.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WORM AirOS? admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/etc/persistent/.skynet/install&action=cli"; http_uri; reference:url,seclists.org/fulldisclosure/2011/Dec/419; reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/; classtype:trojan-activity; sid:2014042; rev:5;)

Added 2012-01-06 16:36:22 UTC


# sid:2014042 rev:4: client->server POST with "/admin.cgi/" in the normalized
# URI (fast_pattern:only, so that string feeds the pre-filter and is not
# re-checked as a rule-option match), ".css HTTP/1." in the raw header buffer,
# and a multipart/form-data Content-Type header.
# NOTE(review): whether ".css HTTP/1." can ever be seen in http_raw_header
# depends on whether the engine includes the request line in that buffer -
# confirm on the engine in use.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WORM AirOS? admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/admin.cgi/"; http_uri; fast_pattern:only; content:".css HTTP/1."; http_raw_header; content:"Content-Type|3A| multipart/form-data"; http_header; reference:url,seclists.org/fulldisclosure/2011/Dec/419; classtype:trojan-activity; sid:2014042; rev:4;)

Added 2011-12-30 19:58:59 UTC


# sid:2014042 rev:4 (earlier save of the same text): client->server POST with
# "/admin.cgi/" in the normalized URI (fast_pattern:only, pre-filter only),
# ".css HTTP/1." in the raw header buffer, and a multipart/form-data
# Content-Type header.
# NOTE(review): the ".css HTTP/1." match only works if the engine places the
# request line inside http_raw_header - confirm on the engine in use.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WORM AirOS? admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/admin.cgi/"; http_uri; fast_pattern:only; content:".css HTTP/1."; http_raw_header; content:"Content-Type|3A| multipart/form-data"; http_header; reference:url,seclists.org/fulldisclosure/2011/Dec/419; classtype:trojan-activity; sid:2014042; rev:4;)

Added 2011-12-30 19:24:08 UTC


# sid:2014042 rev:4 (first save): same matches as rev 2 below, but $HTTP_PORTS
# is now on the destination pair ($EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS),
# which agrees with flow:established,to_server and the POST method match.
# NOTE(review): the ".css HTTP/1." match only works if the engine places the
# request line inside http_raw_header - confirm on the engine in use.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WORM AirOS? admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/admin.cgi/"; http_uri; fast_pattern:only; content:".css HTTP/1."; http_raw_header; content:"Content-Type|3A| multipart/form-data"; http_header; reference:url,seclists.org/fulldisclosure/2011/Dec/419; classtype:trojan-activity; sid:2014042; rev:4;)

Added 2011-12-30 18:03:29 UTC


# sid:2014042 rev:2: $HTTP_PORTS sits on the source pair
# ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any) while the rule asks for a
# to_server POST. A client's ephemeral source port is rarely in $HTTP_PORTS, so
# this revision would mostly miss the traffic it describes; rev 4 above moves
# $HTTP_PORTS to the destination pair. The thread below records that fix.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WORM AirOS? admin.cgi/css Exploit Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/admin.cgi/"; http_uri; fast_pattern:only; content:".css HTTP/1."; http_raw_header; content:"Content-Type|3A| multipart/form-data"; http_header; reference:url,seclists.org/fulldisclosure/2011/Dec/419; classtype:trojan-activity; sid:2014042; rev:2;)

Added 2011-12-28 10:16:49 UTC

shouldn't the flow keyword be set to "flow:established,to_client", since it's inbound to $HOME_NET?

-- BurnedSpy - 29 Dec 2011

It should, making that so, thanks!

-- MattJonkman - 29 Dec 2011

Actually I had the ports wrong, not direction. Moving $HTTP_PORTS to the leading pair.

-- MattJonkman - 29 Dec 2011

