alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:3;) Added 2008-05-19 10:47:59 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:3;) Added 2008-05-19 10:47:59 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:2;) Added 2008-03-18 00:12:47 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:2;) Added 2008-03-18 00:12:47 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET 9000: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:1;) Added 2008-03-17 17:46:41 UTC Like so, very high ports:
GET /g/D93400-406ED5-6200FD HTTP/1.1 Host: 208.72.168.13 X-Flags: 0 X-TM: 32 X-BI: D8CFC1C6CBC7D6C3C4D9DE X-PH: 0 return: HTTP/1.1 200 OK Content-Length: 37593 Content-Type: application/x-zip-compressed Accept-Ranges: bytes Server: Microsoft-IIS/6.0 Set-Cookie: static-71-119-18-3.lsanca.dsl-w.verizon.net 71.119.18.3 X-SGS: 1 1 X-Powered-By: ASP.NET X-NST: 6|10|1|60|4|40|3|100|7|300|5|5 10 3 1 1|Re 533edc69d1a58ce0187630d79f3600bf -- MattJonkman - 17 Mar 2008
Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actionsTopic revision: r2 - 2008-03-17 - MattJonkman
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats