2001095 < Main < EmergingThreats

EmergingThreats>

Main Web>2001095 (2009-02-08, TWikiGuest)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT IFRAME ExecCommand? vulnerability"; flow: from_server,established; content:"]SRC[\s]=[\s]["'][\x09\x0a\x0b\x0c\x0d]f[\x09\x0a\x0b\x0c\x0d]i[\x09\x0a\x0b\x0c\x0d]l[\x09\x0a\x0b\x0c\x0d]e[\x09\x0a\x0b\x0c\x0d]\:/Ri"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001095; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities; sid: 2001095; rev:8;) <p /> </h2> <p /> Added 2009-02-07 22:00:25 UTC <p /> <p /> <form method="post" action="https://doc.emergingthreats.net/bin/save/Main/2001095" enctype="multipart/form-data" name="threadmode0" id="threadmode0"><input type="hidden" name="crypttoken" value="97ee78410e2e6644a28367ccd8cd700b" /><div class="commentPlugin commentPluginPromptBox" style="margin: 5px 0;"> <div><textarea rows="5" cols="80" name="comment" class="twikiTextarea" wrap="soft" style="width: 100%" onfocus="if(this.value=='Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.')this.value=''" onblur="if(this.value=='')this.value='Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.'">Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.</textarea></div><div style="padding: 5px 0 0 0;"><input type="submit" value="Add to Documentation" class="twikiButton" /></div> </div> <input type="hidden" name="comment_action" value="save" /> <input type="hidden" name="comment_type" value="threadmode" /> <input type="hidden" name="comment_index" value="0" /></form> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT IFRAME <span class="twikiNewLink">ExecCommand<a href="/bin/edit/Main/ExecCommand?topicparent=Main.2001095" rel="nofollow" title="Create this topic">?</a></span> vulnerability"; flow: from_server,established; content:"<IFRAME "; nocase; pcre:"/^[^>]SRC[\s]=[\s]["'][\x09\x0a\x0b\x0c\x0d]f[\x09\x0a\x0b\x0c\x0d]i[\x09\x0a\x0b\x0c\x0d]l[\x09\x0a\x0b\x0c\x0d]e[\x09\x0a\x0b\x0c\x0d]\:/Ri"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001095; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_IE_Vulnerabilities; sid: 2001095; rev:8;) <p /> </h2> <p /> Added 2009-02-07 22:00:25 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT IFRAME <span class="twikiNewLink">ExecCommand<a href="/bin/edit/Main/ExecCommand?topicparent=Main.2001095" rel="nofollow" title="Create this topic">?</a></span> vulnerability"; flow: from_server,established; content:"<IFRAME "; nocase; pcre:"/^[^>]SRC[\s]=[\s]["'][\x09\x0a\x0b\x0c\x0d]f[\x09\x0a\x0b\x0c\x0d]i[\x09\x0a\x0b\x0c\x0d]l[\x09\x0a\x0b\x0c\x0d]e[\x09\x0a\x0b\x0c\x0d]\:/Ri"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001095; rev:7;) <p /> </h2> <p /> Added 2008-01-25 10:56:37 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET EXPLOIT IFRAME <span class="twikiNewLink">ExecCommand<a href="/bin/edit/Main/ExecCommand?topicparent=Main.2001095" rel="nofollow" title="Create this topic">?</a></span> vulnerability"; flow: from_server,established; content:"<IFRAME "; nocase; pcre:"/^[^>]SRC[\s]=[\s]["'][\x09\x0a\x0b\x0c\x0d]f[\x09\x0a\x0b\x0c\x0d]i[\x09\x0a\x0b\x0c\x0d]l[\x09\x0a\x0b\x0c\x0d]e[\x09\x0a\x0b\x0c\x0d]\:/Ri"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001095; rev:7;) <p /> </h2> <p /> Added 2008-01-25 10:56:37 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IFRAME <span class="twikiNewLink">ExecCommand<a href="/bin/edit/Main/ExecCommand?topicparent=Main.2001095" rel="nofollow" title="Create this topic">?</a></span> vulnerability"; flow: from_server,established; content:"<IFRAME "; nocase; pcre:"/^[^>]SRC[\s]=[\s]["'][\x09\x0a\x0b\x0c\x0d]f[\x09\x0a\x0b\x0c\x0d]i[\x09\x0a\x0b\x0c\x0d]l[\x09\x0a\x0b\x0c\x0d]e[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; reference:url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001095; rev:6; ) <p /> </h2> <hr> <p /> <p /> <hr> <p /> <p /> <p /> </div> <div class="twikiContentFooter"></div></div> <div class="clear"></div> <a name="topic-actions"></a><div class="patternTopicActions"><div class="patternTopicAction"><span class="patternActionButtons"><span><a href='https://doc.emergingthreats.net/bin/edit/Main/2001095?t=1548072280;nowysiwyg=1' rel='nofollow' title='Edit this topic text' accesskey='e'><img src='/pub/TWiki/TWikiDocGraphics/uweb-o14.gif' width='14' height='14' border='0' alt='' /> <span class='twikiAccessKey'>E</span>dit</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/attach/Main/2001095' rel='nofollow' title='Attach an image or document to this topic' accesskey='a'><span class='twikiAccessKey'>A</span>ttach</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/view/Main/2001095?cover=print' rel='nofollow' title='Printable version of this topic' accesskey='p'><span class='twikiAccessKey'>P</span>rint version</a></span><span class='twikiSeparator'> | </span><span><span><a href='/bin/rdiff/Main/2001095?type=history' rel='nofollow' title='View total topic history' accesskey='h'><span class='twikiAccessKey'>H</span>istory</a></span>: r1</span><span class='twikiSeparator'> | </span><span><a href='/bin/oops/Main/2001095?template=backlinksweb' rel='nofollow' title='Search the Main Web for topics that link to here' accesskey='b'><span class='twikiAccessKey'>B</span>acklinks</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/view/Main/2001095?raw=on' rel='nofollow' title='View raw text without formatting' accesskey='r'><span class='twikiAccessKey'>R</span>aw View</a></span><span class='twikiSeparator'> | </span><span><a href='https://doc.emergingthreats.net/bin/edit/Main/2001095?t=1548072280;nowysiwyg=0' rel='nofollow' title='WYSIWYG editor' accesskey='w'>WYSIWYG</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/oops/Main/2001095?template=oopsmore&param1=1&param2=1' rel='nofollow' title='Delete or rename this topic; set parent topic; view and compare revisions' accesskey='m'><span class='twikiAccessKey'>M</span>ore topic actions</a></span></span></div></div> <div class="patternInfo twikiGrayText"><div class="patternRevInfo">Topic revision: r1 - 2009-02-08 <a href="https://doc.emergingthreats.net/bin/edit/Main/2001095?nowysiwyg=1548072280" target="_top">-</a> <a href="/bin/view/Main/TWikiGuest" class="twikiLink">TWikiGuest</a></div></div> </div> </div><div id="patternLeftBar"><div id="patternClearHeaderLeft"></div> <div id="patternLeftBarContents"><div class="patternWebIndicator"> <ul> <li> <a class="twikiCurrentWebHomeLink twikiLink" href="/bin/view/Main/WebHome"><img src="/pub/TWiki/TWikiDocGraphics/web-bg-small.gif" width="13" height="13" alt="Web background" title="Web background" border="0" /> Main</a> </li></ul> </div> <div class="patternLeftBarPersonal"> <ul><li class="patternLogIn"><a href="/bin/login/Main/2001095?origurl=/bin/view/Main/2001095">Log In</a> or <a class="twikiLink" href="/bin/view/TWiki/TWikiRegistration">Register</a></li></ul> </div> <p /> <ul> <li> <b><a href="/bin/view/Main/WebHome" class="twikiCurrentWebHomeLink twikiLink"> <img src="/pub/TWiki/TWikiDocGraphics/home.gif" width="16" height="16" alt="Home" title="Home" border="0" /> Main Web</a></b> </li> <li> <a href="/bin/view/Main/WebTopicCreator?parent=2001095" target="_top"> <img src="/pub/TWiki/TWikiDocGraphics/newtopic.gif" width="16" height="16" alt="New topic" title="New topic" border="0" /> Create New Topic</a> </li> <li> <a href="/bin/view/Main/WebTopicList" class="twikiLink"> <img src="/pub/TWiki/TWikiDocGraphics/index.gif" width="16" height="16" alt="Index" title="Index" border="0" /> Index</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebSearch"> <img src="/pub/TWiki/TWikiDocGraphics/searchtopic.gif" width="16" height="16" alt="Search topic" title="Search topic" border="0" /> Search</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/RuleChanges"> <img src="/pub/TWiki/TWikiDocGraphics/changes.gif" width="16" height="16" alt="Changes" title="Changes" border="0" /> Changes</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebPreferences"> <img src="/pub/TWiki/TWikiDocGraphics/wrench.gif" width="16" height="16" alt="Wrench, tools" title="Wrench, tools" border="0" /> Preferences</a> </li></ul> <p /> <ul> <li> <b>User Reference</b> </li> <li> <a href="http://doc.emergingthreats.net/bin/view/TWiki/ATasteOfTWiki" target="_top">ATasteOfTWiki</a> </li> <li> <a href="http://doc.emergingthreats.net/bin/view/TWiki/TextFormattingRules" target="_top">TextFormattingRules</a> </li></ul> <p /> <p /> <ul> <li> <b>Signature Reference</b> </li> <li> <a href="/bin/view/Main/WebRss" class="twikiLink">WebRss</a> Feed </li> <li> <a href="/bin/view/Main/EmergingFAQ" class="twikiLink">EmergingFAQ</a> </li></ul> <p /> <p /> </div></div> </div> <div class="clear"> </div> </div></div><div id="patternTopBar"><div id="patternTopBarContents"><table border="0" cellpadding="0" cellspacing="0" style="width:100%; margin-top:12px;"> <tr><td valign="middle"><span id="twikiLogo" class="twikiImage"><a href="https://doc.emergingthreats.net"><img src="https://doc.emergingthreats.net/logo.png" border="0" alt="Emerging Threats" style="border:none;" /></a></span></td> <td align="right" valign="top" class="patternMetaMenu"> <ul> <li> <form name="jumpForm" action="/bin/view/Main/2001095"><input id="jumpFormField" type="text" class="twikiInputField" name="topic" value="" size="18" /><noscript> <input type="submit" class="twikiButton" size="5" name="submit" value="Jump" /> </noscript> </form> </li> <li> <form name="quickSearchForm" action="/bin/view/Main/WebSearch"><input type="text" class="twikiInputField" id="quickSearchBox" name="search" value="" size="18" /><input type="hidden" name="scope" value="all" /><input type="hidden" name="web" value="Main" /><noscript> <input type="submit" size="5" class="twikiButton" name="submit" value="Search" /> </noscript> </form> </li> <li> </li></ul> </td></tr></table></div></div><div id="patternBottomBar"><div id="patternBottomBarContents"><div id="patternWebBottomBar"><div class="twikiCopyright"><span class="twikiRight"> <a href="http://twiki.org/"><img src="/pub/TWiki/TWikiLogos/T-badge-88x31.gif" alt="This site is powered by the TWiki collaboration platform" width="88" height="31" title="This site is powered by the TWiki collaboration platform" border="0" /></a></span><span class="twikiRight" style="padding:0 10px 0 10px"> <a href="http://www.perl.org/"><img src="/pub/TWiki/TWikiLogos/perl-logo-88x31.gif" alt="Powered by Perl" width="88" height="31" title="Powered by Perl" border="0" /></a></span><span class="twikiRight"> <a href="http://twiki.org/"><img src="/pub/TWiki/TWikiLogos/T-logo-80x15.gif" alt="This site is powered by the TWiki collaboration platform" width="80" height="15" title="This site is powered by the TWiki collaboration platform" border="0" /></a></span>Copyright © Emerging Threats <br /></div></div></div> </div> </div> </div> </body></html>