2017073 < Main < EmergingThreats

EmergingThreats>

Main Web>2017073 (2020-08-05, TWikiGuest)

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:""; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017073; rev:3; metadata:created_at 2013_06_27, former_category EXPLOIT_KIT, updated_at 2013_06_27;) </h2> Added 2020-08-05 19:09:09 UTC <form method="post" action="https://doc.emergingthreats.net/bin/save/Main/2017073" enctype="multipart/form-data" id="threadmode0" name="threadmode0"><input type="hidden" name="crypttoken" value="1777814b8cd265b8dee490553b412e41" /><div class="commentPlugin commentPluginPromptBox" style="margin: 5px 0;"> <div><textarea rows="5" cols="80" name="comment" class="twikiTextarea" wrap="soft" style="width: 100%" onfocus="if(this.value=='Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.')this.value=''" onblur="if(this.value=='')this.value='Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.'">Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.

#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:""; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; metadata: former_category EXPLOIT_KIT; classtype:trojan-activity; sid:2017073; rev:3; metadata:created_at 2013_06_27, updated_at 2013_06_27;) <p /> </h2> <p /> Added 2019-09-26 19:57:25 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2017073; rev:3; metadata:created_at 2013_06_27, updated_at 2013_06_27;) <p /> </h2> <p /> Added 2019-06-03 18:23:57 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017073; rev:3; metadata:created_at 2013_06_27, updated_at 2013_06_27;) <p /> </h2> <p /> Added 2018-09-13 19:47:13 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> <p /> </h2> <p /> Added 2018-09-13 17:57:47 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017073; rev:3; metadata:created_at 2013_06_27, updated_at 2013_06_27;) <p /> </h2> <p /> Added 2017-08-07 21:10:56 UTC <p /> <p /> <p /> <hr> <p /> <p /> <p /> <h2> <p /> <p /> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017073; rev:2;) <p /> </h2> <p /> Added 2013-06-27 20:56:22 UTC <p /> <p /> <p /> <hr> <p /> </div> <div class="twikiContentFooter"></div></div> <div class="clear"></div> <a name="topic-actions"></a><div class="patternTopicActions"><div class="patternTopicAction"><span class="patternActionButtons"><span><a href='https://doc.emergingthreats.net/bin/edit/Main/2017073?t=1597309802;nowysiwyg=1' rel='nofollow' title='Edit this topic text' accesskey='e'><img src='/pub/TWiki/TWikiDocGraphics/uweb-o14.gif' width='14' height='14' border='0' alt='' /> <span class='twikiAccessKey'>E</span>dit</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/attach/Main/2017073' rel='nofollow' title='Attach an image or document to this topic' accesskey='a'><span class='twikiAccessKey'>A</span>ttach</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/view/Main/2017073?cover=print' rel='nofollow' title='Printable version of this topic' accesskey='p'><span class='twikiAccessKey'>P</span>rint version</a></span><span class='twikiSeparator'> | </span><span><span><a href='/bin/rdiff/Main/2017073?type=history' rel='nofollow' title='View total topic history' accesskey='h'><span class='twikiAccessKey'>H</span>istory</a></span>: r1</span><span class='twikiSeparator'> | </span><span><a href='/bin/oops/Main/2017073?template=backlinksweb' rel='nofollow' title='Search the Main Web for topics that link to here' accesskey='b'><span class='twikiAccessKey'>B</span>acklinks</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/view/Main/2017073?raw=on' rel='nofollow' title='View raw text without formatting' accesskey='r'><span class='twikiAccessKey'>R</span>aw View</a></span><span class='twikiSeparator'> | </span><span><a href='https://doc.emergingthreats.net/bin/edit/Main/2017073?t=1597309802;nowysiwyg=0' rel='nofollow' title='WYSIWYG editor' accesskey='w'>WYSIWYG</a></span><span class='twikiSeparator'> | </span><span><a href='/bin/oops/Main/2017073?template=oopsmore&param1=1&param2=1' rel='nofollow' title='Delete or rename this topic; set parent topic; view and compare revisions' accesskey='m'><span class='twikiAccessKey'>M</span>ore topic actions</a></span></span></div></div> <div class="patternInfo twikiGrayText"><div class="patternRevInfo">Topic revision: r1 - 2020-08-05 <a href="https://doc.emergingthreats.net/bin/edit/Main/2017073?nowysiwyg=1597309802" target="_top">-</a> <a class="twikiLink" href="/bin/view/Main/TWikiGuest">TWikiGuest</a></div></div> </div> </div><div id="patternLeftBar"><div id="patternClearHeaderLeft"></div> <div id="patternLeftBarContents"><div class="patternWebIndicator"> <ul> <li> <a class="twikiCurrentWebHomeLink twikiLink" href="/bin/view/Main/WebHome"><img src="/pub/TWiki/TWikiDocGraphics/web-bg-small.gif" width="13" height="13" alt="Web background" title="Web background" border="0" /> Main</a> </li></ul> </div> <div class="patternLeftBarPersonal"> <ul><li class="patternLogIn"><a href="/bin/login/Main/2017073?origurl=/bin/view/Main/2017073">Log In</a> </li></ul> </div> <p /> <ul> <li> <b><a class="twikiCurrentWebHomeLink twikiLink" href="/bin/view/Main/WebHome"> <img src="/pub/TWiki/TWikiDocGraphics/home.gif" width="16" height="16" alt="Home" title="Home" border="0" /> Main Web</a></b> </li> <li> <a href="/bin/view/Main/WebTopicCreator?parent=2017073" target="_top"> <img src="/pub/TWiki/TWikiDocGraphics/newtopic.gif" width="16" height="16" alt="New topic" title="New topic" border="0" /> Create New Topic</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebTopicList"> <img src="/pub/TWiki/TWikiDocGraphics/index.gif" width="16" height="16" alt="Index" title="Index" border="0" /> Index</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebSearch"> <img src="/pub/TWiki/TWikiDocGraphics/searchtopic.gif" width="16" height="16" alt="Search topic" title="Search topic" border="0" /> Search</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/RuleChanges"> <img src="/pub/TWiki/TWikiDocGraphics/changes.gif" width="16" height="16" alt="Changes" title="Changes" border="0" /> Changes</a> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebPreferences"> <img src="/pub/TWiki/TWikiDocGraphics/wrench.gif" width="16" height="16" alt="Wrench, tools" title="Wrench, tools" border="0" /> Preferences</a> </li></ul> <p /> <ul> <li> <b>User Reference</b> </li> <li> <a href="http://doc.emergingthreats.net/bin/view/TWiki/ATasteOfTWiki" target="_top">ATasteOfTWiki</a> </li> <li> <a href="http://doc.emergingthreats.net/bin/view/TWiki/TextFormattingRules" target="_top">TextFormattingRules</a> </li></ul> <p /> <p /> <ul> <li> <b>Signature Reference</b> </li> <li> <a class="twikiLink" href="/bin/view/Main/WebRss">WebRss</a> Feed </li> <li> <a class="twikiLink" href="/bin/view/Main/EmergingFAQ">EmergingFAQ</a> </li></ul> <p /> <p /> </div></div> </div> <div class="clear"> </div> </div></div><div id="patternTopBar"><div id="patternTopBarContents"><table border="0" cellpadding="0" cellspacing="0" style="width:100%; margin-top:12px;"> <tr><td valign="middle"><span id="twikiLogo" class="twikiImage"><a href="https://doc.emergingthreats.net"><img src="https://doc.emergingthreats.net/logo.png" border="0" alt="Emerging Threats" style="border:none;" /></a></span></td> <td align="right" valign="top" class="patternMetaMenu"> <ul> <li> <form name="jumpForm" action="/bin/view/Main/2017073"><input id="jumpFormField" type="text" class="twikiInputField" name="topic" value="" size="18" /><noscript> <input type="submit" class="twikiButton" size="5" name="submit" value="Jump" /> </noscript> </form> </li> <li> <form name="quickSearchForm" action="/bin/view/Main/WebSearch"><input type="text" class="twikiInputField" id="quickSearchBox" name="search" value="" size="18" /><input type="hidden" name="scope" value="all" /><input type="hidden" name="web" value="Main" /><noscript> <input type="submit" size="5" class="twikiButton" name="submit" value="Search" /> </noscript> </form> </li> <li> </li></ul> </td></tr></table></div></div><div id="patternBottomBar"><div id="patternBottomBarContents"><div id="patternWebBottomBar"><div class="twikiCopyright"><span class="twikiRight"> <a href="http://twiki.org/"><img src="/pub/TWiki/TWikiLogos/T-badge-88x31.gif" alt="This site is powered by the TWiki collaboration platform" width="88" height="31" title="This site is powered by the TWiki collaboration platform" border="0" /></a></span><span class="twikiRight" style="padding:0 10px 0 10px"> <a href="http://www.perl.org/"><img src="/pub/TWiki/TWikiLogos/perl-logo-88x31.gif" alt="Powered by Perl" width="88" height="31" title="Powered by Perl" border="0" /></a></span><span class="twikiRight"> <a href="http://twiki.org/"><img src="/pub/TWiki/TWikiLogos/T-logo-80x15.gif" alt="This site is powered by the TWiki collaboration platform" width="80" height="15" title="This site is powered by the TWiki collaboration platform" border="0" /></a></span>Copyright © Emerging Threats <br /></div></div></div> </div> </div> </div> </body></html>