alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:3;)

Added 2008-05-19 10:47:59 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 9000: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host\: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:2;)

Added 2008-03-18 00:12:47 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 9000: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update Detected High Ports"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|Host: "; distance:0; content:"|0d 0a|X-Flags\: "; distance:0; within:40; content:"|0d 0a|X-TM\:"; distance:0; content:"|0d 0a|X-BI\: "; distance:0; classtype:trojan-activity; sid:2008011; rev:1;)

Added 2008-03-17 17:46:41 UTC

Like so, very high ports:

GET /g/D93400-406ED5-6200FD HTTP/1.1
Host: 208.72.168.13
X-Flags: 0
X-TM: 32
X-BI: D8CFC1C6CBC7D6C3C4D9DE
X-PH: 0

return:

HTTP/1.1 200 OK
Content-Length: 37593
Content-Type: application/x-zip-compressed
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Set-Cookie: static-71-119-18-3.lsanca.dsl-w.verizon.net 71.119.18.3
X-SGS: 1 1
X-Powered-By: ASP.NET
X-NST: 6|10|1|60|4|40|3|100|7|300|5|5 10 3 1 1|

Re 533edc69d1a58ce0187630d79f3600bf

-- MattJonkman - 17 Mar 2008
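Added example, not part of this page or of the Emerging Threats rule set: a small Python emulation of the ordered content/depth/distance/within matching that sid:2008011 rev:3 performs, run over a constructed request modeled on the one quoted above. The names match_rule and port_in_range are the example's own, and the emulation is a simplification of Snort's matcher (no fast-pattern or nocase handling).

```python
# Constructed sample, modeled on the request quoted on the page (not captured traffic).
SAMPLE_REQUEST = (
    b"GET /g/D93400-406ED5-6200FD HTTP/1.1\r\n"
    b"Host: 208.72.168.13\r\n"
    b"X-Flags: 0\r\n"
    b"X-TM: 32\r\n"
    b"X-BI: D8CFC1C6CBC7D6C3C4D9DE\r\n"
    b"X-PH: 0\r\n\r\n"
)

# Content options of sid:2008011 rev:3, in rule order:
# (pattern, depth, distance, within); None means the modifier is absent.
# "|0d 0a|" in the rule is the CRLF that precedes each header name.
RULE_CONTENTS = [
    (b"GET ", 4, None, None),
    (b"\r\nHost: ", None, 0, None),
    (b"\r\nX-Flags: ", None, 0, 40),
    (b"\r\nX-TM:", None, 0, None),
    (b"\r\nX-BI: ", None, 0, None),
]


def match_rule(payload: bytes, contents=RULE_CONTENTS) -> bool:
    """True if every content matches in order, honouring depth (first N bytes),
    distance (skip N bytes after the previous match) and within (the match must
    end within N bytes of that point). Header order therefore matters."""
    cursor = 0  # byte just after the previous match (Snort's doe pointer)
    for pattern, depth, distance, within in contents:
        start = cursor + (distance or 0)
        if depth is not None:
            end = start + depth      # only used by the first content here
        elif within is not None:
            end = start + within
        else:
            end = len(payload)
        idx = payload.find(pattern, start, end)  # pattern must fit in [start, end)
        if idx == -1:
            return False
        cursor = idx + len(pattern)
    return True


def port_in_range(port: int, spec: str) -> bool:
    """Snort port spec as used in the rule header: 'N:' means N and above,
    so rev 2 ('9000:') is narrower than rev 3 ('1024:')."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= (int(hi) if hi else 65535)
```

A Host value of 40 or more bytes pushes X-Flags past the within:40 window, so such a request would not alert; likewise a request that sends X-Flags before Host fails the ordered match.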


Topic revision: r2 - 2008-03-17 - MattJonkman