# sid 2022505 rev 5 - "ET TROJAN W32/Gaudox Checkin": client-to-server HTTP on an established flow,
# from $HOME_NET to $EXTERNAL_NET. Every condition below must hold for the alert to fire:
#   - the URI contains ".php" and, per the /U pcre, the normalized URI ends in ".php"
#     (a trailing query string would therefore not match);
#   - the User-Agent value is exactly the 66-byte Firefox/31.0 "Linux i586" string: depth:66 pins the
#     match to the start of the http_user_agent buffer and isdataat:!1,relative requires that nothing follows;
#   - the headers carry "Content-Type: application/x-www-form-urlencoded";
#   - the headers contain no "Accept" substring (this also rules out Accept-Encoding / Accept-Language)
#     and no "Referer: " header;
#   - the /P pcre finds a byte outside printable ASCII, CR and LF within the first 16 bytes of the
#     request body, which a genuinely form-urlencoded body would not normally contain.
# No http_method keyword is present; the request-body pcre is what limits this to requests carrying a body.
# Change from the rev 4 entries on this page: the User-Agent is matched in http_user_agent instead of as a
# full "User-Agent: ...\r\n" line in http_header, and the whole pattern is the fast_pattern.
# Triage note: the alert's source address is the internal host to examine; reference:md5 names a sample
# hash, presumably the one the signature was written from.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:".php"; http_uri; content:"Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0"; fast_pattern; http_user_agent; depth:66; isdataat:!1,relative; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; pcre:"/\.php$/U"; metadata: former_category MALWARE; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:5; metadata:created_at 2016_02_11, updated_at 2019_10_23;)

Added 2019-10-23 19:39:27 UTC


# sid 2022505 rev 4 (entry carrying "metadata: former_category MALWARE").
# Detection logic: outbound request whose normalized URI ends in ".php", with the complete header line
# "User-Agent: Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0\r\n" present in
# http_header, a form-urlencoded Content-Type, no "Accept" substring and no "Referer: " in the headers,
# and a byte outside printable ASCII / CR / LF within the first 16 bytes of the request body (/P pcre).
# fast_pattern:25,20 hands the prefilter only the 20-byte slice at offset 25 of the User-Agent pattern
# (the "X11; Linux i586; rv:" portion), not the whole header line.
# Only the added former_category metadata distinguishes this from the other rev 4 entries on this page;
# rev and updated_at were left at their earlier values.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; fast_pattern:25,20; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; pcre:"/\.php$/U"; metadata: former_category MALWARE; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:4; metadata:created_at 2016_02_11, updated_at 2016_02_11;)

Added 2019-09-26 19:58:07 UTC


# sid 2022505 rev 4 with created_at / updated_at metadata and no former_category tag.
# Fires on an outbound request whose normalized URI ends in ".php" and whose headers hold the exact
# Firefox/31.0 "Linux i586" User-Agent line (prefix and CRLF included) plus a form-urlencoded Content-Type,
# while containing no "Accept" substring and no "Referer: ".
# The /P pcre additionally requires a byte outside printable ASCII / CR / LF in the first 16 body bytes.
# fast_pattern:25,20 selects a 20-byte slice of the User-Agent pattern for the prefilter.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; fast_pattern:25,20; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; pcre:"/\.php$/U"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:4; metadata:created_at 2016_02_11, updated_at 2016_02_11;)

Added 2018-09-13 19:52:17 UTC


Added 2018-09-13 18:00:44 UTC


# sid 2022505 rev 4, same rule text as the entry dated 2018-09-13 on this page.
# Conditions: normalized URI ends in ".php"; http_header holds the exact Firefox/31.0 "Linux i586"
# User-Agent line and "Content-Type: application/x-www-form-urlencoded"; the headers have no "Accept"
# substring and no "Referer: "; the first 16 bytes of the request body include a byte that is neither
# printable ASCII nor CR/LF.
# The negated "Accept" match is a bare substring test, so any Accept-* header also suppresses the alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; fast_pattern:25,20; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; pcre:"/\.php$/U"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:4; metadata:created_at 2016_02_11, updated_at 2016_02_11;)

Added 2017-08-07 21:17:24 UTC


# sid 2022505 rev 4 as first published (no metadata keyword yet).
# Changes relative to the rev 3 entry on this page:
#   - the explicit content:"POST"; http_method; test is gone;
#   - Content-Type is matched as the full "application/x-www-form-urlencoded\r\n" header anywhere in
#     http_header, instead of just the "Content-Type: " name anchored with depth:14;
#   - pcre /\.php$/U was added, so the normalized URI must end in ".php" rather than merely contain it.
# Unchanged: the exact User-Agent line, the absent "Accept" / "Referer: " headers, and the /Ps pcre
# requiring a byte outside printable ASCII / CR / LF within the first 16 bytes of the request body.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; fast_pattern:25,20; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; pcre:"/\.php$/U"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:4;)

Added 2016-04-22 19:06:51 UTC


# sid 2022505 rev 3.
# Requires an outbound POST whose URI contains ".php" (no end-of-URI anchor in this revision) and whose
# headers hold the exact Firefox/31.0 "Linux i586" User-Agent line.
# content:"Content-Type: " with depth:14 - the depth equals the pattern length, so the match is only
# accepted at the very start of the http_header buffer (presumably meaning Content-Type is the first
# header sent); the Content-Type value itself is not checked.
# The headers must contain no "Accept" substring and no "Referer: ".
# pcre /Ps: a byte outside printable ASCII / CR / LF within the first 16 bytes of the request body.
# The /s flag, new compared with rev 2 on this page, lets "." span newlines ahead of that byte.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; fast_pattern:25,20; http_header; content:"Content-Type|3a 20|"; http_header; depth:14; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/Ps"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:3;)

Added 2016-02-19 18:30:41 UTC


# sid 2022505 rev 2, the earliest revision listed on this page.
# Requires an outbound POST with ".php" somewhere in the URI, the exact Firefox/31.0 "Linux i586"
# User-Agent line in http_header, "Content-Type: " at the very start of the header buffer (depth:14
# equals the pattern length), and no "Accept" substring or "Referer: " in the headers.
# pcre /P (no /s): looks for a byte outside printable ASCII / CR / LF within the first 16 bytes of the
# request body. Without /s, "." does not match a newline, so a line feed ahead of that byte defeats
# the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Gaudox Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a 20|Mozilla/5.0 (X11|3b 20|Linux i586|3b 20|rv|3a|31.0) Gecko/20100101 Firefox/31.0|0d 0a|"; fast_pattern:25,20; http_header; content:"Content-Type|3a 20|"; http_header; depth:14; content:!"Accept"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^.{0,15}[^\x20-\x7e\r\n]/P"; reference:md5,5d662258fd506b87dc5d3f8fce1ff784; classtype:trojan-activity; sid:2022505; rev:2;)

Added 2016-02-11 17:38:30 UTC

