  • Use Case Reference : SUC027
  • Use Case Title : Muieblackcat setup.php Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : N.D.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible correlation(s) :

  • According to the logs, this scanner looks for “setup.php” files.

Source(s) :

Emerging Threats SIG 2013115 triggers are :

  • The HTTP header should contain “GET /muieblackcat HTTP/1.1”. A complete set of logs is available here.
  • The source port can be any port, from EXTERNAL_NET to HOME_NET on HTTP_PORTS.
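
The trigger and the “setup.php” correlation above can also be checked directly in HTTP access logs. The following Python code is an added example, not part of the original page or of the Emerging Threats rule; the log lines, paths and the `correlate` function name are constructed for illustration, and the Apache combined log format is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format; IPs are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2012:04:11:02 +0100] "GET /muieblackcat HTTP/1.1" 404 209 "-" "-"
203.0.113.7 - - [12/Mar/2012:04:11:03 +0100] "GET //app/scripts/setup.php HTTP/1.1" 404 226 "-" "-"
203.0.113.7 - - [12/Mar/2012:04:11:03 +0100] "GET //old/setup.php HTTP/1.1" 200 1532 "-" "-"
198.51.100.20 - - [12/Mar/2012:04:12:40 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2012:04:12:41 +0100] "GET /docs/setup.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2012:05:01:09 +0100] "GET /muieblackcat HTTP/1.1" 404 209 "-" "-"
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
TRIGGER = "GET /muieblackcat HTTP/1.1"   # request line quoted on the page
SETUP_RE = re.compile(r"/setup\.php(?:\?|$)", re.IGNORECASE)


def correlate(log_text):
    """Return {source_ip: report} for every IP that sent the trigger request."""
    hits = defaultdict(lambda: {"trigger_count": 0, "setup_probes": [], "setup_found": []})
    seen_setup = defaultdict(list)   # setup.php requests per IP, scanner or not
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip lines that are not combined-format entries
        ip, request, status = m["ip"], m["request"], int(m["status"])
        if request == TRIGGER:
            hits[ip]["trigger_count"] += 1
            continue
        parts = request.split(" ")
        if len(parts) == 3 and SETUP_RE.search(parts[1]):
            seen_setup[ip].append((parts[1], status))
    for ip, report in hits.items():  # keep only setup.php requests from trigger sources
        for path, status in seen_setup[ip]:
            report["setup_probes"].append(path)
            if status == 200:        # the probed file exists and was served
                report["setup_found"].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, report in correlate(SAMPLE_LOG).items():
        print(ip, report)
```

Any path listed under `setup_found` was served with a 200 to a scanning source and is a candidate for removal or access restriction.
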
SIG 2013115 1 Week events activity

SIG 2013115 1 month events activity

1 Month TOP 10 source IPs for SIG 2013115

TOP 20 source countries for SIG 2013115
