EmergingThreats> Main Web>2008358 (2008-12-04, RussellFulton) EditAttach

#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-09-13 19:39:51 UTC

Added 2018-09-13 17:53:51 UTC

#alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2018-02-07 18:13:53 UTC

alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; content:"/?bot_id=0&mode=1"; http_uri; fast_pattern:only; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:31 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; reference:url,doc.emergingthreats.net/2008358; classtype:trojan-activity; sid:2008358; rev:5;)

Added 2011-10-12 19:24:58 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; sid:2008358; rev:5;)

Added 2011-09-14 22:38:25 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"Host|3a| "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:5;)

Added 2011-02-04 17:27:31 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:3;)

Added 2009-07-12 17:00:36 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:3;)

Added 2009-07-12 17:00:36 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:2;)

Added 2009-02-13 19:30:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2008358; rev:2;)

Added 2009-02-13 19:30:23 UTC

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pakes/Cutwall/Kobcka Checkin Detected High Ports"; flow:established,to_server; dsize:<160; content:"GET /?bot_id=0&mode=1"; depth:21; content:"|0d 0a|Host\: "; distance:0; classtype:trojan-activity; sid:2008358; rev:1;)

Added 2008-06-30 10:28:32 UTC

sample (uncomfirmed but perfect match for sig):

GET /?bot_id=0&mode=1 HTTP/1.1..User-Agent: imrabot..Host: sys365.3fn.net:2084

-- RussellFulton - 04 Dec 2008

Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r2 - 2008-12-04 - RussellFulton
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats