- Use Case Reference : SUC025
- Use Case Title : ZmEu exploit scanner
- Use Case Detection : IDS / HTTP logs
- Attacker Class : Opportunists
- Attack Sophistication : Unsophisticated
- Identified tool(s) : ZmEu bot
- Source IP(s) : Random
- Source Countries : Random
- Source Port(s) : Random
- Destination Port(s) : 80/TCP, 443/TCP
Possible correlation(s) :
- phpMyAdmin scanner
Source(s) :
Emerging Threats SIG 2010715 triggers when :
- The HTTP User-Agent header contains the string “Made by ZmEu”. Example : “User-Agent: Made by ZmEu @ WhiteHat Team – www.whitehat.ro”
- The traffic comes from any source port on EXTERNAL_NET and is destined to HTTP_PORTS on HOME_NET.
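
The same User-Agent check can be run over HTTP logs when no IDS is in place. The sketch below is an added example, not part of the original use case or of the Emerging Threats rule: it assumes Apache/nginx "combined" log format, the log lines are constructed samples, and the `PMA_HINT` path pattern used for the phpMyAdmin scanner correlation is an assumption.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)
ZMEU_MARKER = "made by zmeu"                      # string the signature keys on
PMA_HINT = re.compile(r"phpmyadmin|/pma", re.I)   # assumption: paths hinting at a phpMyAdmin scan

def find_zmeu(lines):
    """Return ({source_ip: summary}, unparsed_line_count) for ZmEu User-Agent hits."""
    hits = defaultdict(lambda: {"requests": 0, "paths": set(), "phpmyadmin": False})
    unparsed = 0
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            unparsed += 1          # keep a count so broken log lines are not silently lost
            continue
        if ZMEU_MARKER not in m["agent"].lower():
            continue
        parts = m["request"].split()
        path = parts[1] if len(parts) >= 2 else m["request"]
        entry = hits[m["ip"]]
        entry["requests"] += 1
        entry["paths"].add(path)
        if PMA_HINT.search(path):  # correlate with the phpMyAdmin scanner use case
            entry["phpmyadmin"] = True
    return dict(hits), unparsed

# Constructed sample lines (documentation IP ranges, not real traffic)
UA = "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
SAMPLE_LOG = [
    f'192.0.2.10 - - [12/Mar/2011:04:11:02 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 404 209 "-" "{UA}"',
    f'192.0.2.10 - - [12/Mar/2011:04:11:03 +0100] "GET /pma/index.php HTTP/1.1" 404 209 "-" "{UA}"',
    '198.51.100.7 - - [12/Mar/2011:04:12:40 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    found, skipped = find_zmeu(SAMPLE_LOG)
    for ip, info in found.items():
        print(ip, info["requests"], sorted(info["paths"]), "phpMyAdmin probe:", info["phpmyadmin"])
    print("unparsed lines:", skipped)
```
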