#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; classtype:web-application-activity; sid:2007657; rev:6;)

Added 2011-10-12 19:23:32 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; sid:2007657; rev:6;)

Added 2011-09-14 22:37:06 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:6;)

Added 2011-02-04 17:26:47 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:5;)

Added 2010-06-15 13:15:59 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:5;)

Added 2010-06-15 13:15:59 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:4;)

Added 2009-02-06 19:00:55 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:4;)

Added 2009-02-06 19:00:55 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:3;)

Added 2008-05-18 19:52:13 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:3;)

Added 2008-05-18 19:52:13 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:2;)

Added 2008-01-23 10:46:28 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:2;)

Added 2008-01-23 10:46:28 UTC


#alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:1;)

Added 2007-11-02 00:32:08 UTC

Commented out as it's likely ta false positive in a general environment.

if you've got this in just a web server farm only environment, this is more safe to run.

-- MattJonkman - 02 Nov 2007


Topic revision: r2 - 2007-11-02 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats