#alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET DELETED Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; classtype:trojan-activity; sid:2008390; rev:2;)

Added 2011-10-12 19:25:02 UTC


#alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET DELETED Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; sid:2008390; rev:2;)

Added 2011-09-14 22:38:29 UTC


#alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET DELETED Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008390; rev:2;)

Added 2011-07-07 22:32:26 UTC


#alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET DELETED Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008390; rev:2;)

Added 2011-07-07 21:26:58 UTC


alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET TROJAN Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; reference:url,doc.emergingthreats.net/2008390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008390; rev:2;)

Added 2011-02-04 17:27:34 UTC


alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET TROJAN Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008390; rev:2;)

Added 2009-02-12 18:21:17 UTC


alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET TROJAN Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008390; rev:2;)

Added 2009-02-12 18:21:17 UTC


alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET TROJAN Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; sid:2008390; rev:1;)

Added 2008-07-09 15:35:40 UTC

To catch stuff like so, this on port 3128:

POST /+17131.html HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla
Host: 157.161.97.3

-----
HTTP/1.0 200 OK

YES
~~@@

-- MattJonkman - 09 Jul 2008


Topic revision: r2 - 2008-07-09 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats