# rev 10 (2014-11-10): re-enabled after rev 9 was marked "ET DELETED"; category is now ET TROJAN.
# Uses the "http" app-layer protocol keyword instead of tcp/$HTTP_PORTS, so it is not tied to a
# port list. "/cgi-bin/r.cgi" is 14 bytes and carries depth:14 on the URI buffer, so the path
# must sit at the very start of the URI. The five parameter contents ("p=" .. "t=") are all
# http_uri/nocase but have no distance/within, so each may match anywhere in the URI, including
# inside unrelated parameter names (e.g. "path=" contains "h="); the anchored path is what gives
# the rule its specificity. Direction is $HOME_NET -> $EXTERNAL_NET, to_server: the alert fires
# on the internal client issuing the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; depth:14; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; http_uri; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:10;)

Added 2014-11-10 19:29:50 UTC


# rev 9 (2014-11-04): disabled with a leading "#", msg prefixed "ET DELETED". This is the first
# revision where the last content, "t=", carries http_uri and nocase; in rev 3-8 it had no
# buffer modifier at all. rev 10 re-enables the rule, adds depth:14 on the path content and
# restores an active (ET TROJAN) category; otherwise the two revisions are identical.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; http_uri; nocase; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:9;)

Added 2014-11-04 18:56:47 UTC


# rev 8, DELETED copy (2014-09-15): carries the same rev number as the active rev 8 below, but
# with "alert http" in place of tcp/$HTTP_PORTS and the message renamed to ET DELETED; disabled
# with a leading "#". The last content, "t=", has no http_uri (or nocase) modifier, so it is a
# case-sensitive match against the raw payload rather than the URI buffer — the modifiers on the
# preceding contents do not carry over to it.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:8;)

Added 2014-09-15 18:30:46 UTC


# rev 8 (2011-10-12): classtype changed from attempted-user (rev 7) to trojan-activity; the
# reference URL is unchanged. Detection logic is the same as rev 5-7, including the trailing
# content:"t=" that has no http_uri/nocase modifier and is therefore a raw-payload,
# case-sensitive match rather than a URI-buffer match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2013181; rev:8;)

Added 2011-10-12 19:36:17 UTC


# rev 7 (2011-08-02): message renamed from "Ponmocup C2 Post Infection Checkin" (rev 6) to
# "Redirection from infected Website to Trojan-Downloader"; contents, classtype
# (attempted-user) and reference are unchanged from rev 6.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup Redirection from infected Website to Trojan-Downloader"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; classtype:attempted-user; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; sid:2013181; rev:7;)

Added 2011-08-02 16:23:28 UTC


# rev 6 (2011-07-27): message renamed from the rev 5 "Possible Driveby Referral to FakeAV? or
# Ponmocup 1" to a C2 check-in name; contents, classtype and reference are unchanged from rev 5.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Post Infection Checkin"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; classtype:attempted-user; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; sid:2013181; rev:6;)

Added 2011-07-27 00:56:50 UTC


# rev 5, re-added 2011-07-12: byte-identical to the rev 5 entry added 2011-07-11 below; the
# revision counter was not bumped for this re-publication.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Driveby Referral to FakeAV? or Ponmocup 1"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; classtype:attempted-user; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; sid:2013181; rev:5;)

Added 2011-07-12 12:24:46 UTC


# rev 5 (2011-07-11): rev 4 plus a reference URL; message ("Possible Driveby Referral to FakeAV?
# or Ponmocup 1"), classtype and detection contents are otherwise unchanged from rev 4.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Driveby Referral to FakeAV? or Ponmocup 1"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; classtype:attempted-user; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; sid:2013181; rev:5;)

Added 2011-07-11 15:32:47 UTC


# rev 4 (2011-07-08): message changed from "Possible Ponmocup update 3" (rev 3) and classtype
# from trojan-activity to attempted-user; no reference yet. Contents are unchanged from rev 3.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Driveby Referral to FakeAV? or Ponmocup 1"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; classtype:attempted-user; sid:2013181; rev:4;)

Added 2011-07-08 18:36:54 UTC


# rev 3 (2011-07-04): earliest revision recorded on this page. Five contents ("/cgi-bin/r.cgi",
# "p=", "h=", "u=", "q=") are matched in the URI buffer with nocase; the trailing content:"t="
# has no http_uri/nocase modifier and is therefore a raw-payload, case-sensitive match. That
# unmodified "t=" persists through rev 8 and is only moved into the URI buffer in rev 9.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Ponmocup update 3"; flow:established,to_server; content:"/cgi-bin/r.cgi"; nocase; http_uri; content:"p="; nocase; http_uri; content:"h="; nocase; http_uri; content:"u="; nocase; http_uri; content:"q="; nocase; http_uri; content:"t="; classtype:trojan-activity; sid:2013181; rev:3;)

Added 2011-07-04 21:08:45 UTC

