#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; classtype:web-application-attack; sid:2003508; rev:6;)

Added 2017-04-19 17:17:06 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; classtype:web-application-attack; sid:2003508; rev:6;)

Added 2011-10-12 19:13:36 UTC

too many false positives as the redirect_to may also contain the valid URL of that specific WP website

-- JohnNaggets - 2016-04-02


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; sid:2003508; rev:6;)

Added 2011-09-14 22:26:35 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Wordpress; sid:2003508; rev:6;)

Added 2011-02-04 17:22:31 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Wordpress; sid:2003508; rev:6;)

Added 2009-10-06 14:39:53 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Wordpress; sid:2003508; rev:6;)

Added 2009-10-06 14:39:53 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Wordpress; sid:2003508; rev:6;)

Added 2009-10-06 14:20:25 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Wordpress; sid:2003508; rev:6;)

Added 2009-10-06 14:20:25 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Wordpress; sid:2003508; rev:6;)

Added 2009-10-06 14:17:02 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Wordpress; sid:2003508; rev:6;)

Added 2009-10-06 14:17:02 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress; sid:2003508; rev:5;)

Added 2009-02-27 18:01:30 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress; sid:2003508; rev:5;)

Added 2009-02-27 18:01:30 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress; sid:2003508; rev:5;)

Added 2009-02-27 18:00:28 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; reference:url,doc.emergingthreats.net/2003508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress; sid:2003508; rev:5;)

Added 2009-02-27 18:00:28 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; sid:2003508; rev:4;)

Added 2008-02-01 10:47:06 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; sid:2003508; rev:4;)

Added 2008-02-01 10:47:06 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; sid:2003508; rev:3;)

Added 2007-03-21 09:45:17 UTC

Removed the double slashes in the pcre, thanks for catching that Blake!

-- MattJonkman - 21 Mar 2007


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"/redirect_to=(ht|f)tps?\:\/\//iU"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; sid:2003508; rev:2;)

Added 2007-03-20 19:20:27 UTC

There needs to be a single '/' detection when using the uri buffers. http_inspect normalizes multiple '//' characters.

-- BlakeHartstein - 21 Mar 2007


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Wordpress wp-login.php redirect_to credentials stealing attempt"; flow:to_server,established; uricontent:"/wp-login.php"; nocase; uricontent:"redirect_to"; pcre:"redirect_to=(ht|f)tps?\://"; classtype:web-application-attack; reference:url,www.inliniac.net/blog/?p=71; sid:2003508; rev:1;)

Added 2007-03-20 16:06:59 UTC

For more info see this Bugtraq post: http://www.securityfocus.com/archive/1/463291

-- VictorJ? - 20 Mar 2007


Topic revision: r5 - 2016-04-02 - JohnNaggets
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats