alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009031; rev:3;)

Added 2009-02-12 18:21:13 UTC

likely FP ??

GET /flash/exe.php?x=flash HTTP/1.0 Host: diggstatistics.com

I've seen several of these from different machines.

This OTOH I suspect is the real thing:

GET /exe.php?c=4478204401&s=5331227034&i=1217625952&t=3&a=0&n=25&l=0&d=0&q=0&p=1&x=0&z=1&k=0&b=1 HTTP/1.1..Host: ads.clicmanager.fr

-- RussellFulton - 27 Sep 2009
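The comment above hinges on how little the rule actually checks: only that the payload starts with "GET " (content with depth:4) and that "/exe.php" appears somewhere in the request URI. The following is an added example, not Emerging Threats code, that emulates just those two checks in Python and runs them over the two requests quoted in the comment plus a constructed control request. It ignores flow tracking, port matching and Snort's URI normalization, and it assumes the second request line reads "ads.clicmanager.fr" once the extraction spacing is joined.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample payloads.  The first two reproduce the request lines
# quoted in the comment on this page (with CRLF in place of the ".." the
# paste used); the third is a control case that must not fire.
SAMPLE_REQUESTS: Dict[str, str] = {
    # Quoted on the page as a suspected false positive
    "digg": "GET /flash/exe.php?x=flash HTTP/1.0\r\n"
            "Host: diggstatistics.com\r\n\r\n",
    # Quoted on the page as the suspected real loader traffic
    "clicmanager": "GET /exe.php?c=4478204401&s=5331227034&i=1217625952"
                   "&t=3&a=0&n=25&l=0&d=0&q=0&p=1&x=0&z=1&k=0&b=1 HTTP/1.1\r\n"
                   "Host: ads.clicmanager.fr\r\n\r\n",
    # Constructed control: not a GET, no /exe.php
    "control": "POST /upload.php HTTP/1.1\r\n"
               "Host: example.test\r\n\r\n",
}


def parse_request_line(raw: str) -> Optional[Tuple[str, str, str]]:
    """Split the first line of an HTTP request into (method, uri, version)."""
    first_line = raw.split("\r\n", 1)[0]
    parts = first_line.split(" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def host_of(raw: str) -> Optional[str]:
    """Return the Host header value, if present (used for triage only)."""
    for line in raw.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip()
    return None


def sid_2009031_matches(raw: str) -> bool:
    """Emulate the two payload checks of sid 2009031.

    content:"GET "; depth:4;   -> the first four bytes must be 'GET '
    uricontent:"/exe.php";     -> '/exe.php' must occur in the request URI
                                  (path plus query string)
    """
    if raw[:4] != "GET ":
        return False
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    _, uri, _ = parsed
    return "/exe.php" in uri


def triage(raw: str) -> Dict[str, Optional[str]]:
    """Summarise what an analyst would look at when this rule fires."""
    parsed = parse_request_line(raw)
    uri = parsed[1] if parsed else None
    return {
        "matches": "yes" if sid_2009031_matches(raw) else "no",
        "uri": uri,
        "host": host_of(raw),
    }


def fired_samples() -> List[str]:
    """Names of the sample payloads on which the emulated rule fires."""
    return [name for name, raw in SAMPLE_REQUESTS.items()
            if sid_2009031_matches(raw)]


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, triage(raw))
```

Running it shows that both quoted requests fire while the control does not, which is exactly the situation the comment describes: the signature cannot tell the diggstatistics.com request from the ads.clicmanager.fr one, so the Host header and the shape of the query string are what an analyst has to look at after the alert.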




alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; classtype:trojan-activity; sid:2009031; rev:2;)

Added 2009-01-21 06:45:23 UTC




alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; sid:2009031; rev:1;)

Added 2009-01-20 00:30:24 UTC


Topic revision: r2 - 2009-09-27 - RussellFulton