SUC025 : ZmEu exploit scanner

  • Use Case Reference : SUC025
  • Use Case Title : ZmEu exploit scanner
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : ZmEu bot
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • phpMyAdmin scanner

Source(s) :

Emerging Threats SIG 2010715 triggers are :

  • The HTTP header should contain “Made by ZmEu” User-Agent string. Example : “User-Agent: Made by ZmEu @ WhiteHat Team – www.whitehat.ro
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2010715 1 Week events activity
SIG 2010715 1 Week events activity
SIG 2010715 1 month events activity
SIG 2010715 1 month events activity
1 Month TOP 10 source IPs for SIG 2010715
1 Month TOP 10 source IPs for SIG 2010715

SUC024 : ET WEB SQL Injection Attempt (Agent NV32ts)

  • Use Case Reference : SUC024
  • Use Case Title : ET WEB SQL Injection Attempt (Agent NV32ts)
  • Use Case Detection : IDS / HTTP /SQL logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • SQL injection tool or bot

Source(s) :

Emerging Threats SIG 2009029 triggers are :

  • The HTTP header should contain “NV32ts” User-Agent string. Example : “User-Agent: NV32ts
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2009029 1 Week events activity
SIG 2009029 1 Week events activity
SIG 2009029 1 month events activity
SIG 2009029 1 month events activity
1 Month TOP 10 source IPs for SIG 2009029
1 Month TOP 10 source IPs for SIG 2009029

SUC023 : WebHack Control Center User-Agent Inbound (WHCC/)

  • Use Case Reference : SUC023
  • Use Case Title : WebHack Control Center User-Agent Inbound (WHCC/)
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists / Targeting Opportunists 
  • Attack Sophistication : Unsophisticated / Low
  • Identified tool(s) : WebHack Control Center Web server vulnerability scanner
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • WebHack Control Center Web server vulnerability scanner

Source(s) :

Emerging Threats SIG 2003924 triggers are :

  • The HTTP header should contain “WHCC” User-Agent string. Example : “User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; WHCC/0.6; GTB6.6; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C)
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2003924 1 Week events activity
SIG 2003924 1 Week events activity
SIG 2003924 1 month events activity
SIG 2003924 1 month events activity
1 Month TOP 10 source IPs for SIG 2003924
1 Month TOP 10 source IPs for SIG 2003924

SUC022 : Sqlmap SQL Injection Scan User-Agent Inbound

  • Use Case Reference : SUC022
  • Use Case Title : Sqlmap SQL Injection Scan User-Agent Inbound
  • Use Case Detection : IDS / HTTP / SQL logs
  • Attacker Class : Opportunists / Targeting Opportunists / Professional
  • Attack Sophistication : Unsophisticated / Low / Mid-High
  • Identified tool(s) : sqlmap automatic SQL injection and database takeover tool
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

  • sqlmap automatic SQL injection and database takeover tool.

Source(s) :

Emerging Threats SIG 2008538 triggers are :

  • The HTTP header should contain “sqlmap” User-Agent string. Example : “User-Agent: sqlmap/1.0-dev (http://sqlmap.sourceforge.net)
  • The source port could be any FROM EXTERNAL_NET in destination of an HOME_NET HTTP_PORTS.
SIG 2008538 1 Week events activity
SIG 2008538 1 Week events activity
SIG 2008538 1 month events activity
SIG 2008538 1 month events activity
1 Month TOP 10 source IPs for SIG 2008538
1 Month TOP 10 source IPs for SIG 2008538