# sid 2011290, rev 7 ("alert http" form, with metadata).
# Alerts on an established, to_server HTTP GET sent from $HTTP_SERVERS to
# $EXTERNAL_NET whose URI contains "/ftp" (nocase) and whose headers carry the
# WinHttpRequest User-Agent below. The rule therefore watches outbound requests
# made by the protected web servers themselves, not inbound traffic to them.
# content:!"www.trendmicro.com" is tested against the whole http_header buffer,
# not only Host, so that string in any request header suppresses the alert.
# Presumably a false-positive exclusion; confirm it is still wanted.
# flowbits:set,ET.GOOTKIT tags the flow; there is no flowbits:noalert, so this
# rule alerts as well. Rules that test the bit are not shown on this page.
# NOTE(review): the "?" after WinHttpRequest looks like a TWiki unknown-WikiWord
# marker rather than pattern text. Verify the content string against the
# distributed rule file before reusing this line.
# NOTE(review): metadata says created_at 2010_09_28, yet this page lists entries
# for the same sid from 2010-08-01; do not rely on the metadata dates for history.
alert http $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; http_method; content:"/ftp"; nocase; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; http_header; content:!"www.trendmicro.com"; http_header; flowbits:set,ET.GOOTKIT; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

Added 2017-08-07 21:04:28 UTC


# sid 2011290, rev 7 without the metadata keyword. Protocol is "http"; the match
# is GET + "/ftp" in the URI (nocase) + the WinHttpRequest User-Agent header.
# The negated content:!"www.trendmicro.com" applies to the whole http_header
# buffer, so the string in any header (not just Host) suppresses the alert.
# The same sid and rev number also appear on this page with a metadata keyword
# appended (entry added 2017-08-07), so sid:rev alone does not identify the text.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert http $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; http_method; content:"/ftp"; nocase; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; http_header; content:!"www.trendmicro.com"; http_header; flowbits:set,ET.GOOTKIT; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:7;)

Added 2016-07-05 17:59:28 UTC


# sid 2011290, rev 7. Same rule text as the entry recorded at 2016-07-05
# 17:59:28 UTC; the page lists it twice, about a minute and a half apart.
# Compared with the rev 6 entries on this page, the protocol is "http" instead
# of "tcp", fast_pattern on "/ftp" is gone, and a negated
# content:!"www.trendmicro.com" (http_header) exclusion has been added.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert http $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; http_method; content:"/ftp"; nocase; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; http_header; content:!"www.trendmicro.com"; http_header; flowbits:set,ET.GOOTKIT; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:7;)

Added 2016-07-05 17:57:54 UTC


# sid 2011290, rev 6: protocol "tcp" with HTTP buffer modifiers
# (http_method, http_uri, http_header).
# fast_pattern is placed on the 4-byte "/ftp" URI content rather than on the much
# longer User-Agent string, so the prefilter keys on a short, common substring.
# NOTE(review): check the sensor cost and candidate-match volume if this
# revision is deployed.
# This revision has no www.trendmicro.com exclusion; that appears only in rev 7.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ftp"; http_uri; nocase; fast_pattern; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; http_header; nocase; flowbits:set,ET.GOOTKIT; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; classtype:web-application-attack; sid:2011290; rev:6;)

Added 2011-10-12 19:31:45 UTC


# sid 2011290, rev 6. Differs from the rev 6 entry added 2011-10-12 only in
# option order: classtype precedes the reference options here. Both are
# metadata options, so the detection options (flow, content, flowbits) and
# their order are unchanged.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ftp"; http_uri; nocase; fast_pattern; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; http_header; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; sid:2011290; rev:6;)

Added 2011-09-27 22:24:16 UTC


# sid 2011290, rev 5: the "/ftp" URI content carries fast_pattern:only, i.e. it
# is handed to the prefilter and not evaluated again as a rule option.
# The rev 6 entries on this page use plain fast_pattern instead.
# No rev 4 text is listed on this page; the history jumps from rev 3 to rev 5.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ftp"; http_uri; nocase; fast_pattern:only; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; http_header; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; sid:2011290; rev:5;)

Added 2011-09-20 19:24:25 UTC


# sid 2011290, rev 3 in the http_method / http_uri / http_header modifier style,
# with fast_pattern on the "/ftp" URI content.
# The same rev number is also carried by the older "uricontent" body listed
# under 2011-02-04 and 2010-08-21, so sid:rev does not uniquely identify the rule
# text in this history. Compare full text when auditing which version a sensor runs.
# This entry has no cvsweb reference; the 2011-09-14 entry has one.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ftp"; http_uri; fast_pattern; nocase; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; http_header; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; sid:2011290; rev:3;)

Added 2011-09-14 22:45:10 UTC


# sid 2011290, rev 3, HTTP-modifier style. Detection options match the rev 3
# entry added 2011-09-20; this one additionally carries the cvsweb reference URL.
# The doc.emergingthreats.net reference points at 2011286 while the sid is
# 2011290. Possibly a sibling rule's page; confirm before citing it.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ftp"; http_uri; fast_pattern; nocase; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; http_header; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:3;)

Added 2011-02-04 17:31:06 UTC


# sid 2011290, rev 3 in the older raw-payload style: "GET " must sit in the
# first 4 bytes (depth:4), the URI is matched with uricontent, and the
# User-Agent is matched in the raw stream, anchored by a leading CRLF
# (|0d 0a|), instead of through http_method / http_uri / http_header.
# The User-Agent content has no distance/within, so it may match anywhere in
# the inspected payload.
# This is the only body on the page whose doc.emergingthreats.net reference
# uses 2011290 (the sid); the other revisions reference 2011286.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/ftp"; nocase; content:"|0d 0a|User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:3;)

Added 2010-08-21 20:46:24 UTC


# sid 2011290, rev 3, raw-payload style (depth:4 "GET ", uricontent, CRLF-anchored
# User-Agent content). The page lists this text twice under the same
# 2010-08-21 20:46:24 UTC timestamp; the two listings are identical.
# Versus rev 2, the visible change is the doc.emergingthreats.net reference
# (2011286 -> 2011290); the detection options are the same.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/ftp"; nocase; content:"|0d 0a|User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:3;)

Added 2010-08-21 20:46:24 UTC


# sid 2011290, rev 2, raw-payload style: depth:4 "GET ", uricontent:"/ftp"
# (nocase) and a CRLF-anchored User-Agent content in the raw stream.
# Sets flowbit ET.GOOTKIT (dot form). The earliest rev 2 entry on this page
# (2010-08-01) sets ET_GOOTKIT instead, under the same rev number.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/ftp"; nocase; content:"|0d 0a|User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:2;)

Added 2010-08-02 15:15:59 UTC


# sid 2011290, rev 2. Second listing under the 2010-08-02 15:15:59 UTC
# timestamp; text is identical to the other listing with that timestamp.
# Direction is $HTTP_SERVERS -> $EXTERNAL_NET, so the variable definitions on
# the sensor decide which hosts' outbound requests are inspected.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/ftp"; nocase; content:"|0d 0a|User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:2;)

Added 2010-08-02 15:15:59 UTC


# sid 2011290, rev 2 (listed under 2010-08-02 15:14:57 UTC). Same text as the
# rev 2 listings stamped 15:15:59 UTC on this page.
# uricontent:"/ftp" is a 4-byte, case-insensitive substring of the URI; the
# User-Agent content is the more specific part of the match.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/ftp"; nocase; content:"|0d 0a|User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:2;)

Added 2010-08-02 15:14:57 UTC


# sid 2011290, rev 2. Second listing under the 2010-08-02 15:14:57 UTC
# timestamp; identical to the other listing with that timestamp.
# This is the first text on the page (chronologically) that sets the flowbit as
# ET.GOOTKIT; the 2010-08-01 entry sets ET_GOOTKIT.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/ftp"; nocase; content:"|0d 0a|User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; flowbits:set,ET.GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:2;)

Added 2010-08-02 15:14:57 UTC


# sid 2011290, rev 2, earliest text on this page (2010-08-01).
# Sets flowbit ET_GOOTKIT (underscore). Every later entry on the page sets
# ET.GOOTKIT (dot), and the rename happened without a rev bump.
# Flowbit names are matched literally, so a companion rule testing ET.GOOTKIT
# would not see the bit set by this version. Such companion rules are not shown
# here; check the setter and checker names together if this text is in use.
# NOTE(review): the "?" after WinHttpRequest is probably wiki markup residue;
# verify the pattern against the distributed rule file before reuse.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/ftp"; nocase; content:"|0d 0a|User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttpRequest?"; nocase; flowbits:set,ET_GOOTKIT; classtype:web-application-attack; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; reference:url,doc.emergingthreats.net/2011286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_Gootkit; sid:2011290; rev:2;)

Added 2010-08-01 20:38:14 UTC

