Thursday, 31 October 2013

Ruleset-Update: misc Scanner (Struts, Apache-Exploits)

[+] new sigs:
42000326 :: scanner.rules :: DN SCAN MASSCAN - UA Detected
42000327 :: app_server.rules :: DN APP_SERVER possible UPNP-Port-Manipulation
42000328 :: scanner.rules :: DN SCAN GestioIP Remote Code Execution - Scan
42000329 :: web_server.rules :: DN WEB_SERVER SSH-Homedir-Access
42000330 :: web_server.rules :: DN WEB_SERVER CONNECT-Request Attempt
42000331 :: web_server.rules :: DN WEB_SERVER ApacheStruts - Exploit-Scan
42000332 :: app_server.rules :: DN APP_SERVER Java.io.File in Request-Parameters
42000333 :: web_server.rules :: DN WEB_SERVER PHP-Opener ( <? ) found
42000334 :: web_server.rules :: DN WEB_SERVER CGI-BIN - Scan


https://bitbucket.org/lazy_dogtown/doxi-rules/src



Thursday, 17 October 2013

Ruleset-Update: DLink Backdoor-Scan


[+] new sigs:
  42000325 :: web_server.rules     :: DN WEB_SERVER Dlink-Router Backdoor-Scan


#
# sid: 42000325 |  date: 2013-10-17 - 09:13:26 | maker: lazydog
#
# http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
# et: 2017590
# http://blog.erratasec.com/2013/10/that-dlink-bug-masscan.html

MainRule "str:xmlset_roodkcableoj28840ybtide" "msg:DN WEB_SERVER Dlink-Router Backdoor-Scan" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000325 ;


Friday, 11 October 2013

Rules-Update: vBulletin Exploit


[+] new sigs:
  42000321 :: scanner.rules        :: DN SCAN probably Malicious UA
  42000322 :: web_apps.rules       :: DN WEB_APPS Potential vBulletin Exploit (v5+)
  42000323 :: scanner.rules        :: DN SCAN vBulletinBoard-Scan
  42000324 :: web_apps.rules       :: DN WEB_APPS Potential vBulletin Exploit (v4+)

#
# sid: 42000321 |  date: 2013-10-12 - 00:30:51 | maker: lazydog
# 
# http://www.webmasterworld.com/search_engine_spiders/4058096.htm
# http://serverfault.com/questions/544523/apache-ddos-prevention/544531#544531

MainRule "str:mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1)" "msg:DN SCAN probably Malicious UA" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000321 ;
#
# sid: 42000322 |  date: 2013-10-12 - 00:31:23 | maker: lazydog
# 
# http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
# 
# http://www.vbulletin.org/forum/showthread.php?p=2443431
# 
# 
 
MainRule "str:/core/install/upgrade.php" "msg:DN WEB_APPS Potential vBulletin Exploit (v5+)" "mz:URL" "s:$UWA:8" id:42000322 ; 



#
# sid: 42000323 |  date: 2013-10-12 - 00:30:26 | maker: lazydog
# 
# http://www.vbulletin.org/forum/showthread.php?p=2443431
 
MainRule "str:/core/install/" "msg:DN SCAN vBulletinBoard-Scan " "mz:URL" "s:$UWA:8" id:42000323 ; 



#
# sid: 42000324 |  date: 2013-10-12 - 00:30:05 | maker: lazydog
# 
# http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5
# 
# http://www.vbulletin.org/forum/showthread.php?p=2443431
 
MainRule "str:/install/upgrade.php" "msg:DN WEB_APPS Potential vBulletin Exploit (v4+)" "mz:URL" "s:$ATTACK:8" id:42000324 ; 
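To see how the D-Link and vBulletin rules above combine against a single request, here is an added example (not part of doxi-rules or naxsi) that parses the MainRule lines in this page's format and scores a constructed request; it assumes that str: patterns match case-insensitively (as the lowercased UA patterns above suggest) and models only the zones used on this page.

```python
import re
from collections import namedtuple

# Three MainRule lines copied from this changelog (D-Link backdoor UA, vBulletin v5 rules).
RULES_TEXT = '''
MainRule "str:xmlset_roodkcableoj28840ybtide" "msg:DN WEB_SERVER Dlink-Router Backdoor-Scan" "mz:$HEADERS_VAR:User-Agent" "s:$ATTACK:8" id:42000325 ;
MainRule "str:/core/install/upgrade.php" "msg:DN WEB_APPS Potential vBulletin Exploit (v5+)" "mz:URL" "s:$UWA:8" id:42000322 ;
MainRule "str:/core/install/" "msg:DN SCAN vBulletinBoard-Scan" "mz:URL" "s:$UWA:8" id:42000323 ;
'''
Rule = namedtuple('Rule', 'sid pattern msg zones scores')

def parse_rule(line):
    # Only the str:/msg:/mz:/s: options used on this page are handled.
    sid = int(re.search(r'\bid:(\d+)', line).group(1))
    pattern, msg, zones, scores = '', '', [], {}
    for opt in re.findall(r'"([^"]*)"', line):
        key, _, val = opt.partition(':')
        if key == 'str':
            pattern = val.lower()        # assumption: str: matches are case-insensitive
        elif key == 'msg':
            msg = val.strip()
        elif key == 'mz':
            zones = val.split('|')       # e.g. BODY|ARGS, URL, $HEADERS_VAR:User-Agent
        elif key == 's':
            for part in val.split(','):  # e.g. $ATTACK:8 -> {'$ATTACK': 8}
                name, _, score = part.rpartition(':')
                scores[name] = int(score)
    return Rule(sid, pattern, msg, zones, scores)

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.startswith('MainRule')]

def zone_values(req, zone):
    # Strings a match zone inspects in a request dict (simplified naxsi zone model).
    if zone == 'URL': return [req['url']]
    if zone == 'ARGS': return list(req.get('args', {}).values())
    if zone == 'BODY': return [req.get('body', '')]
    if zone.startswith('$HEADERS_VAR:'):
        hname = zone.split(':', 1)[1].lower()
        return [v for k, v in req.get('headers', {}).items() if k.lower() == hname]
    return []

def evaluate(rules, req):
    # Returns ({score variable: total}, [(sid, msg) of rules that fired]) for one request.
    totals, hits = {}, []
    for r in rules:
        if any(r.pattern in v.lower() for z in r.zones for v in zone_values(req, z)):
            hits.append((r.sid, r.msg))
            for name, score in r.scores.items():
                totals[name] = totals.get(name, 0) + score
    return totals, hits

# Constructed request: a D-Link backdoor-style UA probing the vBulletin upgrade script.
REQUEST = {'url': '/forum/core/install/upgrade.php',
           'headers': {'User-Agent': 'xmlset_roodkcableoj28840ybtide'}}
```

Note that both vBulletin rules fire on the same URL, so $UWA reaches 16 from one request; that overlap is what lets a CheckRule on $UWA trip on a scan rather than on a single path hit.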


Monday, 7 October 2013

Ruleset-Update: WHMCS Exploit + JBoss/Tomcat


[+] new sigs:
  42000318 :: web_server.rules     :: DN WEB_SERVER Possible WHMCS Exploit
  42000319 :: scanner.rules        :: DN SCAN Possible WHMCS - Scan
  42000320 :: app_server.rules     :: DN APP_SERVER Possible JBoss/Tomcat JMX InvokerServlet Auth Bypass Attempt


------------------


#
# sid: 42000318 |  date: 2013-10-07 - 22:07:29 | maker: lazydog
# 
# http://localhost.re/p/whmcs-527-vulnerability
 
MainRule "str:aes_encrypt" "msg:DN WEB_SERVER Possible WHMCS Exploit" "mz:BODY|ARGS" "s:$ATTACK:8" id:42000318 ; 

#
# sid: 42000319 |  date: 2013-10-07 - 22:07:53 | maker: lazydog
# 
# http://localhost.re/p/whmcs-527-vulnerability
 
MainRule "str:/register.php" "msg:DN SCAN Possible WHMCS - Scan" "mz:URL" "s:$UWA:8" id:42000319 ; 
#
# sid: 42000320 |  date: 2013-10-07 - 22:08:40 | maker: lazydog
# 
# http://packetstormsecurity.com/files/123510/9sg_ejb.txt
# sid 42000057
 
MainRule "str:/invoker/ejbinvokerservlet" "msg:DN APP_SERVER Possible JBoss/Tomcat JMX InvokerServlet Auth Bypass Attempt" "mz:URL|BODY" "s:$UWA:8" id:42000320 ;