alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:3;)

Added 2017-04-17 18:49:15 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO http string in hex Possible Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:2;)

Added 2017-04-17 08:51:40 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS http string in hex Likely Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:2;)

Added 2011-10-12 19:33:30 UTC

Likely false positive from 200.12.19.111:

SHTTP/1.1 200 OK Cache-Control: max-age=3600 Content-Type: application/x-javascript Last-Modified: Fri, 15 Apr 2016 19:26:23 GMT Accept-Ranges: bytes ETag: "127a77b24c97d11:0" Server: Microsoft-IIS/7.5 Access-Control-Allow-Origin: * Cache-Contol: public X-SrvID: 1-63 P3P?: CP="CAO PSA OUR" Connection: Keep-Alive Date: Mon, 02 May 2016 17:04:14 GMT Age: 5 Content-Length: 2584 Via: fCACHE var _0x5043=["\x68\x74\x74\x70\x3A\x2F\x2F\x72\x74\x72\x61\x63\x6B\x65\x72\x2E\x65\x6D\x6F\x6C\x2E\x63\x6F\x6D\x2F\x6E\x65\x77\x73","\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79\x63\x68\x61\x6E\x67\x65","\x77\x65\x62\x6B\x69\x74\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79\x63\x68\x61\x6E\x67\x65","\x6D\x6F\x7A\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79\x63\x68\x61\x6E\x67\x65","\x6D\x73\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79\x63\x68\x61\x6E\x67\x65","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x2F\x70\x69\x6E\x67","\x50\x4F\x53\x54","\x61\x6A\x61\x78","\x72\x65\x70\x65\x61\x74","\x69\x6E\x74\x65\x72\x76\x61\x6C","\x75\x75\x69\x64","\x6E\x65\x77\x73\x5F\x69\x64","\x75\x73\x65\x72\x5F\x74\x79\x70\x65","\x6F\x66\x62","\x72\x65\x66\x65\x72\x72\x65\x72","","\x6F\x72\x69\x67\x69\x6E","\x74\x65\x73\x74"];var url=_0x5043[0];var on_focus_behavior=true;var enabled=true;var repeat;var interval;var uuid;var news_id;var uuid_type;var vka;var

The hex de-obfuscates to: "http://rtracker.emol.com/news","visibilitychange","webkitvisibilitychange","mozvisibilitychange","msvisibilitychange","addEventListener","/ping","POST","ajax","repeat","interval","uuid","news_id","user_type","ofb","referrer","","origin","test"

Would love to know more about this, as I have done some searching and haven't found much.

-- JimMcKibben - 2016-05-02

This string "=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|" is looking for http://. The alert is just looking for hex obfuscation of an http link. This in and of itself is nothing particularly special or malicious, but may be obfuscating something for a reason...

-- HorseFaceKiller - 2016-09-01
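To triage a hit like the one above, the following is an added Python example (not Emerging Threats' code, nor the commenters') that expands the rule's content match into the raw bytes it looks for, runs it over a constructed response body, and decodes the hex-escaped string array to show what URL it actually spells; the sample body, its example.com URL and the array name are constructed, not taken from the capture above.

```python
import re

# Content match copied from SID 2012118 above; |..| sections are hex bytes.
SNORT_CONTENT = '=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|'

# Constructed samples (not from the capture above). The first mimics the
# hex-escaped string array in the post, the second is the same URL in plain text.
SAMPLE_HIT = (rb'var _0x5043=["\x68\x74\x74\x70\x3A\x2F\x2F\x65\x78\x61\x6D\x70\x6C'
              rb'\x65\x2E\x63\x6F\x6D\x2F\x6E\x65\x77\x73","\x50\x4F\x53\x54"];')
SAMPLE_MISS = rb'var url="http://example.com/news";'

JS_HEX_STRING = re.compile(r'"((?:\\x[0-9A-Fa-f]{2})+)"')
HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def snort_content_to_bytes(pattern: str) -> bytes:
    """Expand a Snort/Suricata content string into the raw bytes it matches."""
    out = bytearray()
    for i, part in enumerate(pattern.split('|')):
        if i % 2:                      # odd segments sit between | | and are hex
            out += bytes.fromhex(part)
        else:                          # even segments are literal text
            out += part.encode('latin-1')
    return bytes(out)


def decode_js_hex_strings(body: str) -> list:
    """Decode every double-quoted JS string literal made only of hex escapes."""
    return [HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
            for s in JS_HEX_STRING.findall(body)]


def triage(body: bytes) -> dict:
    """Apply the rule's content match, then show what the escaped strings spell."""
    needle = snort_content_to_bytes(SNORT_CONTENT)
    # The rule has no 'nocase', so the match is case-sensitive, and the expanded
    # needle ends in a backslash: the escaped "http://" must be the first array
    # element and must be followed by more escaped characters (a host part).
    hit = needle in body
    decoded = decode_js_hex_strings(body.decode('latin-1')) if hit else []
    return {'matched': hit, 'decoded': decoded}


if __name__ == '__main__':
    for sample in (SAMPLE_HIT, SAMPLE_MISS):
        print(triage(sample))
```

Running it shows the first sample matching and decoding to the plain URL plus "POST", while the un-obfuscated second sample does not trigger the content match at all.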

Thank you for the feedback, we will be changing the message of this signature slightly to reflect that it is not always an exploit redirect attempt but rather just an obfuscated redirect.

-- DarienH - 2016-09-01


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS http string in hex Likely Obfuscated Exploit Redirect"; flow:established,to_client; content:"=[|22 5c|x68|5c|x74|5c|x74|5c|x70|5c|x3A|5c|x2F|5c|x2F|5c|"; classtype:bad-unknown; sid:2012118; rev:2;)

Added 2011-02-04 17:31:59 UTC


Topic revision: r4 - 2016-09-01 - DarienH