SUC029 : WordPress TimThumb RFI Web Scanner/Robot

  • Use Case Reference : SUC029
  • Use Case Title : WordPress TimThumb RFI Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ByroeNet scanners variant
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

Source(s) :

ZATAZ SIG 1010050 triggers are :

  • URI should contain “wp-content” and “php?src=http
  • The source port could be any FROM EXTERNAL_NET in destination of an HTTP_SERVERS HTTP_PORTS.
  • Threshold is configured to count 1 occurrence in 30 seconds for the same IP source.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ZATAZ Timthumb.php - ACCESS - posssible WordPress-Attack"; flow:established,to_server; uricontent:"wp-content"; nocase; uricontent:"php?src=http"; nocase; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; sid:1010050; priority:3; rev:1;)
SIG 1010050 1 Week events activity
SIG 1010050 1 Week events activity
SIG 1010050 1 month events activity
SIG 1010050 1 month events activity
SIG 1010050 1 year events activity
SIG 1010050 1 year events activity
1 Month TOP 10 source IPs for SIG 1010050
1 Month TOP 10 source IPs for SIG 1010050