SUC023 : WebHack Control Center User-Agent Inbound (WHCC/)

  • Use Case Reference : SUC023
  • Use Case Title : WebHack Control Center User-Agent Inbound (WHCC/)
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists 
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : WebHack Control Center Web server vulnerability scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • WebHack Control Center Web server vulnerability scanner

Source(s) :

Emerging Threats SIG 2003924 triggers are :

  • The HTTP header should contain “WHCC” User-Agent string. Example : “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WHCC/0.6; GTB6.6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C)
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2003924 1 Week events activity
SIG 2003924 1 Week events activity
SIG 2003924 1 month events activity
SIG 2003924 1 month events activity
1 Month TOP 10 source IPs for SIG 2003924
1 Month TOP 10 source IPs for SIG 2003924