##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011176; classtype:web-application-attack; sid:2011176; rev:4;)

Added 2011-10-12 19:31:29 UTC


##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; http_header; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; sid:2011176; rev:4;)

Added 2011-09-14 22:44:54 UTC


##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; http_header; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011176; rev:4;)

Added 2011-02-04 17:30:57 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Casper; sid:2011176; rev:4;)

Added 2010-07-29 19:30:58 UTC

All casper sigs at: http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Casper

-- MattJonkman - 20 Aug 2010


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SERVER_Casper; sid:2011176; rev:3;)

Added 2010-07-29 14:16:22 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Casper; sid:2011176; rev:2;)

Added 2010-07-26 11:52:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS MaMa CaSpEr RFI Scan"; flow:established,to_server; content:"|0D 0A|User-Agent|3a| MaMa CaSpEr|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011176; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENT_Casper_RFI_Bot; classtype:web-application-attack; sid:2011176; rev:1;)

Added 2010-07-08 19:31:10 UTC

Just to provide you with more information about these Casper user agents.

These user agents are hard-coded into the "ByroeNet" scanner, dated 17/06/2010.

Source code of the scanner: http://pastebin.com/zBUHC3d9

The scanner is an evolution of the BaMbY scanner, dated 28/05/2010: http://novie.fileave.com/rfi.txt

This new scanner was first seen on the Internet on 17 Jun 2010 at t7.fileave.com/e107.txt, and was directly exploited after its creation.

http://www.google.com/search?q=%22%24powered%3D%22ByroeNet%22%3B%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:fr:official&client=firefox-a

More precisely, this scanner integrates into its "normal functionalities" a new functionality: an e107 scanner.

The e107 (cmde107 - e107scan) scanner, with dork support, tries to exploit the RCE vulnerability disclosed on 24 May 2010: http://www.exploit-db.com/exploits/12715/

But besides its traditional RFI scanner and dorks, the scanner can also exploit the LFI vulnerability disclosed on 31 May 2010: http://www.exploit-db.com/exploits/12818/

The ByroeNet scanner defines different user agents by default, which are customisable:

For sub cmdxml: my $userAgent = LWP::UserAgent->new(agent => 'perl post');

For sub cmde107: $access->agent("Mozilla/5.0");

For sub e107scan: $ua->agent('Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)');

For sub xmlcek: my $userAgent = LWP::UserAgent->new(agent => 'perl post');

For sub xmlxspread: my $userAgent = LWP::UserAgent->new(agent => 'perl post');

For sub lfiexploit: normal for /proc/self/environ exploitation: my $agent = "";

For sub cmdlfi: normal for /proc/self/environ exploitation: my $hie = "j13mbut /dev/stdout"); ?>j13mbut"; $browser->agent("$hie");

After investigating my honeynet web logs for a period of one month, I got these different user agents targeting e107 exploits:

http://eromang.zataz.com/uploads/e107_user_agents.txt

You can find the default configured user agents: Mozilla/5.0, Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u), perl post

But also Casper user agents: Casper Bot Search, MaMa CaSpEr

And some new user agents: b3b4s Bot Search, dex Bot Search, Dex Bot Search, kmccrew Bot Search, plaNETWORK Bot Search, rk q kangen, sasqia Bot Search, sledink Bot Search

As you can see, the user agents only reflect the "Crew" or "Team" that is using the "ByroeNet" scanner.

Here are some stats for the user agents:

http://eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/

Casper Bot Search is really the most prolific user agent, but the other user agents must also be considered.

In conclusion, the mutation of the traditional RFI scanner is clearly demonstrated, and I don't think that such ET rules are really effective,

because each "Crew" or "Team" is dedicating their attacks by customising the user agents (same as a graffiti tagger).

Emerging Threats rules shouldn't focus on user agents but more on attack vectors, because user agents are too volatile.

Regards.

-- MattJonkman - 14 Jul 2010
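As an added example (this is not code from this page, from the poster above, or from the ET rule set), the Python below implements the matching that the content, nocase and http_header options of the rev 4 rule perform, and runs it over a handful of constructed HTTP requests carrying the user agents named in the discussion. The request builder, the sample names and the simplified http_header buffer (no HTTP normalisation) are my own assumptions. It shows what the rule fires on, the exact string and a case-varied copy because of nocase, with the trailing |0D 0A| requiring the header to end right after CaSpEr, and what it does not fire on: Casper Bot Search, b3b4s Bot Search and the scanner's default agents, which is the point the post makes about signatures keyed on a user agent.

```python
from typing import Dict

# Content option of SID 2011176 rev 4 as it appears in the rule above.
# (The "?" that TWiki appends after CamelCase words on this page is a
#  link marker, not part of the user agent string.)
SID_2011176_CONTENT = "User-Agent|3a| MaMa CaSpEr|0D 0A|"


def parse_snort_content(pattern: str) -> bytes:
    """Convert a Snort/Suricata content string to the raw bytes it matches.

    Text between a pair of pipes is hex (|0D 0A| is CRLF, |3a| is ':');
    everything else is literal.  A backslash escapes the characters that
    are special inside a content string (\\; \\" \\| \\\\).
    """
    out = bytearray()
    hex_buf = ""
    in_hex = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if in_hex:
            if c == "|":
                out += bytes.fromhex(hex_buf)   # fromhex tolerates the spaces
                hex_buf, in_hex = "", False
            else:
                hex_buf += c
        elif c == "|":
            in_hex = True
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            out += pattern[i].encode("latin-1")
        else:
            out += c.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| section in content string")
    return bytes(out)


def http_header_buffer(raw_request: bytes) -> bytes:
    """Approximate the http_header buffer: the header lines of the request
    without the request line and without the body.  Assumption: no
    normalisation is applied here, unlike a real HTTP preprocessor."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n"   # keep the CRLF that terminates the last header


def content_matches(needle: bytes, buf: bytes, nocase: bool = True) -> bool:
    """A content match is a substring search; nocase makes it case-insensitive."""
    if nocase:
        return needle.lower() in buf.lower()
    return needle in buf


def evaluate_rule(requests: Dict[str, bytes],
                  content: str = SID_2011176_CONTENT) -> Dict[str, bool]:
    """Return, per sample request, whether the rule's content option fires."""
    needle = parse_snort_content(content)
    return {name: content_matches(needle, http_header_buffer(raw))
            for name, raw in requests.items()}


def _request(user_agent: str) -> bytes:
    """Build a constructed, minimal GET request carrying the given User-Agent."""
    return (b"GET /index.php HTTP/1.1\r\nHost: www.example.com\r\n"
            b"User-Agent: " + user_agent.encode("latin-1") + b"\r\n"
            b"Accept: */*\r\n\r\n")


# Constructed samples; the user-agent strings are the ones listed in the
# discussion above.
SAMPLE_REQUESTS = {
    "casper_exact":    _request("MaMa CaSpEr"),
    "casper_lower":    _request("mama casper"),      # caught thanks to nocase
    "casper_suffix":   _request("MaMa CaSpEr v2"),   # trailing |0D 0A| anchors the end
    "casper_bot":      _request("Casper Bot Search"),
    "b3b4s_bot":       _request("b3b4s Bot Search"),
    "default_perl":    _request("perl post"),
    "default_mozilla": _request("Mozilla/5.0"),
}

if __name__ == "__main__":
    for name, fired in evaluate_rule(SAMPLE_REQUESTS).items():
        print(f"{name:16s} {'ALERT' if fired else '-'}")
```

Run it with python3 to get one line per sample; only casper_exact and casper_lower produce ALERT. The parser also handles the earlier revisions' content string with the leading |0D 0A|, so the same harness can be used to compare rule revisions against captured requests.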


Topic revision: r3 - 2010-08-20 - MattJonkman