2007828 (2011-08-01, RussellFulton)
<h2> #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;) </h2>
Added 2018-09-13 19:39:27 UTC
<hr>
<h2> </h2>
Added 2018-09-13 17:53:38 UTC
<hr>
<h2> #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;) </h2>
Added 2017-08-07 21:01:03 UTC
<hr>
<h2> ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; fast_pattern; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:13;) </h2>
Added 2014-01-09 18:09:55 UTC
<hr>
<h2> #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; fast_pattern; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:11;) </h2>
Added 2011-10-12 19:23:54 UTC
<hr>
<h2> #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; fast_pattern; http_client_body; nocase; content:".bin&c="; http_client_body; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007828; sid:2007828; rev:11;) </h2>
Added 2011-09-14 22:37:23 UTC
<hr>
<h2> #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; fast_pattern; http_client_body; nocase; content:".bin&c="; http_client_body; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007828; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PWS-LDPinch; sid:2007828; rev:11;) </h2>
Added 2011-08-03 19:39:44 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; uricontent:".php"; nocase; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; fast_pattern; http_client_body; nocase; content:"&c="; http_client_body; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007828; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PWS-LDPinch; sid:2007828; rev:9;) </h2>
Added 2011-02-04 17:26:55 UTC

I think this is an FP from the Arsenal iPhone app.

POST /iphonelogger/logaction.php HTTP/1.1
Host: www.arsenal.com
User-Agent: Arsenal/2.0.2 CFNetwork/485.12.7 Darwin/10.4.0

-- Main.RussellFulton - 01 Aug 2011
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|a="; content:"&b="; nocase; distance:0; content:"&d="; nocase; distance:0; content:"&c="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007828; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_PWS-LDPinch; sid:2007828; rev:6;) </h2>
Added 2009-02-13 19:30:23 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|a="; content:"&b="; nocase; distance:0; content:"&d="; nocase; distance:0; content:"&c="; distance:0; classtype:trojan-activity; sid:2007828; rev:5;) </h2>
Added 2008-05-23 15:47:44 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|a="; content:"&b=pinch"; nocase; distance:0; content:"_report&d="; nocase; distance:0; classtype:trojan-activity; sid:2007828; rev:4;) </h2>
Added 2008-03-19 11:20:58 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|a="; content:"@mail.ru"; content:"&b=pinch"; nocase; distance:0; content:"_report&d="; nocase; distance:0; classtype:trojan-activity; sid:2007828; rev:3;) </h2>
Added 2008-03-12 13:13:30 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/gate.php"; nocase; content:"|0d 0a 0d 0a|a="; content:"@mail.ru"; content:"&b=pinch"; nocase; distance:0; content:"_report&d="; nocase; distance:0; classtype:trojan-activity; sid:2007828; rev:2;) </h2>
Added 2008-03-09 19:38:37 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/gate.php"; nocase; content:"|0d 0a 0d 0a|a="; content:"@mail.ru&b=pinch"; nocase; distance:0; content:"_report&d="; nocase; distance:0; classtype:trojan-activity; sid:2007828; rev:1;) </h2>
Added 2008-02-08 14:51:00 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/gate.php"; nocase; content:"|0d 0a 0d 0a|a="; content:"@mail.ru&b=pinch"; nocase; distance:0; content:"_report&d="; nocase; distance:0; classtype:trojan-activity; sid:2007828; rev:1;) </h2>
Added 2008-02-08 14:48:59 UTC
<hr>
<h2> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/gate.php"; nocase; content:"|0d 0a 0d 0a|a="; content:"@mail.ru&b=pinch"; nocase; distance:0; content:"_report&d="; nocase; distance:0; classtype:trojan-activity; sid:2007828; rev:1;) </h2>
Added 2008-02-08 14:46:22 UTC
<hr>
Topic revision: r2 - 2011-08-01 - RussellFulton