Use Cases

System Use Cases helping you to detect attacks against your infrastructures. These System Use Cases are classified by Attacker Classes (Opportunists, Targeting Opportunists, Professional or State Founded). This classification is inspired by Thierry Zoller work “Attacker Classes and Pyramid (Version 2)”.

SUC029 : WordPress TimThumb RFI Web Scanner/Robot

0
  • Use Case Reference : SUC029
  • Use Case Title : WordPress TimThumb RFI Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ByroeNet scanners variant
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

Source(s) :

ZATAZ SIG 1010050 triggers are :

  • URI should contain “wp-content” and “php?src=http
  • The source port could be any FROM EXTERNAL_NET in destination of an HTTP_SERVERS HTTP_PORTS.
  • Threshold is configured to count 1 occurrence in 30 seconds for the same IP source.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ZATAZ Timthumb.php - ACCESS - posssible WordPress-Attack"; flow:established,to_server; uricontent:"wp-content"; nocase; uricontent:"php?src=http"; nocase; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; sid:1010050; priority:3; rev:1;)
SIG 1010050 1 Week events activity

SIG 1010050 1 Week events activity

SIG 1010050 1 month events activity

SIG 1010050 1 month events activity

SIG 1010050 1 year events activity

SIG 1010050 1 year events activity

1 Month TOP 10 source IPs for SIG 1010050

1 Month TOP 10 source IPs for SIG 1010050

SUC028 : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)

0
  • Use Case Reference : SUC028
  • Use Case Title : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)
  • Use Case Detection : IDS / FTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Metasploit, Nessus, scripts, etc.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible(s) correlation(s) :

  • Pen-testing tools or home made scripts

Source(s) :

  • ProFTPD Backdoor demo

Emerging Threats SIG 2011994 triggers are :

  • The FTP content should contain “HELP ACIDBITCHEZ“, how is the backdoor command.
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET port 21/TCP.
SIG 2011994 1 year events activity

SIG 2011994 1 year events activity

SUC027 : Muieblackcat setup.php Web Scanner/Robot

3
  • Use Case Reference : SUC027
  • Use Case Title : Muieblackcat setup.php Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : N.D.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • Regarding the logs, this scanner is looking for “setup.php” files.

Source(s) :

Emerging Threats SIG 2013115 triggers are :

  • The HTTP header should contain “GET /muieblackcat HTTP/1.1“. A complete set of logs is available here.
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2013115 1 Week events activity

SIG 2013115 1 Week events activity

SIG 2013115 1 month events activity

SIG 2013115 1 month events activity

1 Month TOP 10 source IPs for SIG 2013115

1 Month TOP 10 source IPs for SIG 2013115

TOP 20 source countries for SIG 2013115

TOP 20 source countries for SIG 2013115

SUC026 : DataCha0s Web Scanner/Robot

0
  • Use Case Reference : SUC026
  • Use Case Title : DataCha0s Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Source IP(s) : Random
  • Source Countries : Most of US and Brasil
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • DataCha0s bot.

Source(s) :

Emerging Threats SIG 2003616 triggers are :

  • The HTTP header should contain “DataCha0s” User Agent string. Example : User-Agent: DataCha0s/2.0
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2003616 1 Week events activity

SIG 2003616 1 Week events activity

SIG 2003616 1 month events activity

SIG 2003616 1 month events activity

1 Month TOP 10 source IPs for SIG 2003616

1 Month TOP 10 source IPs for SIG 2003616

TOP 20 source countries for SIG 2003616

TOP 20 source countries for SIG 2003616

Go to Top