diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:43:34 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 17:43:34 +0000 |
| commit | 0fcce96a175531ec6042cde1b11a0052aa261dd5 (patch) | |
| tree | 898a1e161c4984b41e6a732866bd73b24f0f7b7a | |
| parent | Initial commit. (diff) | |
| download | suricata-update-0fcce96a175531ec6042cde1b11a0052aa261dd5.tar.xz suricata-update-0fcce96a175531ec6042cde1b11a0052aa261dd5.zip | |
Adding upstream version 1.3.2.upstream/1.3.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
97 files changed, 35909 insertions, 0 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..0a23353 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,12 @@ +# https://help.github.com/articles/about-codeowners/ +# +# last match wins, so put more specific matches towards the end +# +# only ppl with push rights in the repo can be owners +# https://github.com/isaacs/github/issues/989#issuecomment-320475904 +# +# additionally, it seems only the directoy syntax works. +# e.g. '/src/source-*.[ch] @regit' seems to have no effect. + +* @jasonish @OISF/core-team + diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md new file mode 100644 index 0000000..934a9d1 --- /dev/null +++ b/.github/CONTRIBUTING.md @@ -0,0 +1,53 @@ +Contributing to Suricata +======================== + +We're happily taking patches and other contributions. The process is +documented at +https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing +Please have a look at this document before submitting. + +Contribution Agreement +---------------------- + +Before accepting your pull requests we need you or your organization +to sign our contribution agreement. + +We do this to keep the ownership of Suricata in one hand: the Open +Information Security Foundation. See +https://suricata-ids.org/about/open-source/ and +https://suricata-ids.org/about/contribution-agreement/ + +Contribution Process +-------------------- + +Suricata is a complex piece of software dealing with mostly untrusted +input. Mishandling this input will have serious consequences: + +* in IPS mode a crash may knock a network offline; +* in passive mode a compromise of the IDS may lead to loss of critical + and confidential data; +* missed detection may lead to undetected compromise of the network. + +In other words, we think the stakes are pretty high, especially since +in many common cases the IDS/IPS will be directly reachable by an +attacker. + +For this reason, we have developed a QA process that is quite +extensive. A consequence is that contributing to Suricata can be a +somewhat lengthy process. + +On a high level, the steps are: + +1. Travis-CI based build & unit testing. This runs automatically when + a pull request is made. + +2. Review by devs from the team and community + +3. QA runs trigged by the team + +Questions +--------- + +If you have questions about contributing, please contact us via +https://suricata-ids.org/support/ + diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..5bf7005 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,16 @@ +Make sure these boxes are signed before submitting your Pull Request +-- thank you. + +- [ ] I have read the contributing guide lines at + https://docs.suricata.io/en/latest/devguide/codebase/contributing/contribution-process.html +- [ ] I have signed the Open Information Security Foundation + contribution agreement at https://suricata.io/about/contribution-agreement/ +- [ ] I have updated the user guide (in doc/userguide/) to reflect the + changes made (if applicable) + +Link to [redmine](https://redmine.openinfosecfoundation.org/projects/suricata/issues) ticket: + +Describe changes: +- +- +- diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml new file mode 100644 index 0000000..22a19f3 --- /dev/null +++ b/.github/workflows/tests.yml @@ -0,0 +1,242 @@ +name: Distribution Checks + +on: + - push + - pull_request + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: read-all + +jobs: + + alma-9: + # At the time of adding this test, tox and pytest don't install + # cleanly using system packages, so just run the integration tests + # for now. + name: AlmaLinux 9 + runs-on: ubuntu-latest + container: almalinux:9 + steps: + - run: | + dnf -y install \ + python3 \ + python3-pyyaml + - uses: actions/checkout@v1 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + alma-8: + name: AlmaLinux 8 + runs-on: ubuntu-latest + container: almalinux:8 + steps: + - run: | + yum -y install \ + python2-pytest \ + python2-pyyaml \ + python3 \ + python3-pytest \ + python3-pyyaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. pytest-2 + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + centos-7: + name: CentOS 7 + runs-on: ubuntu-latest + container: centos:7 + steps: + - run: yum -y install epel-release + - run: | + yum -y install \ + python2-pytest \ + python2-pyyaml \ + python36-pytest \ + python36-yaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. py.test-2.7 + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. py.test-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + fedora-39: + name: Fedora 39 + runs-on: ubuntu-latest + container: fedora:39 + steps: + - run: | + dnf -y install \ + python3 \ + python3-pytest \ + python3-pyyaml + - uses: actions/checkout@v4 + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + fedora-38: + name: Fedora 38 + runs-on: ubuntu-latest + container: fedora:38 + steps: + - run: | + dnf -y install \ + python3 \ + python3-pytest \ + python3-pyyaml + - uses: actions/checkout@v2 + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + ubuntu-2204: + name: Ubuntu 22.04 + runs-on: ubuntu-latest + container: ubuntu:22.04 + steps: + - run: apt update + - run: | + apt -y install \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + ubuntu-2004: + name: Ubuntu 20.04 + runs-on: ubuntu-latest + container: ubuntu:20.04 + steps: + - run: apt update + - run: | + apt -y install \ + python-pytest \ + python-yaml \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. pytest + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + ubuntu-1804: + name: Ubuntu 18.04 + runs-on: ubuntu-latest + container: ubuntu:18.04 + steps: + - run: apt update + - run: | + apt -y install \ + python-pytest \ + python-yaml \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. pytest + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + debian-12: + name: Debian 12 + runs-on: ubuntu-latest + container: debian:12 + steps: + - run: apt update + - run: | + apt -y install \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + debian-11: + name: Debian 11 + runs-on: ubuntu-latest + container: debian:11 + steps: + - run: apt update + - run: | + apt -y install \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + debian-10: + name: Debian 10 + runs-on: ubuntu-latest + container: debian:10 + steps: + - run: apt update + - run: | + apt -y install \ + python-pytest \ + python-yaml \ + python3-pytest \ + python3-yaml + - uses: actions/checkout@v1 + + - name: Python 2 unit tests + run: PYTHONPATH=. pytest + - name: Python 2 integration tests + run: PYTHONPATH=. python2 ./tests/integration_tests.py + + - name: Python 3 unit tests + run: PYTHONPATH=. pytest-3 + - name: Python 3 integration tests + run: PYTHONPATH=. python3 ./tests/integration_tests.py + + macos-latest: + name: MacOS Latest + runs-on: macos-latest + steps: + - run: brew install python + - run: pip3 install PyYAML + - run: pip3 install pytest + - uses: actions/checkout@v1 + - run: PYTHONPATH=. python3 -m pytest + - run: PYTHONPATH=. python3 ./tests/integration_tests.py diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4515679 --- /dev/null +++ b/.gitignore @@ -0,0 +1,15 @@ +*~ +*.pyc +_build +build +.DS_Store +_work + +# Development update.yaml +/update.yaml + +# The file containing the git revision. +/suricata/update/revision.py* + +# Working files for the tox testing framework. +/.tox diff --git a/.readthedocs.yaml b/.readthedocs.yaml new file mode 100644 index 0000000..635dca4 --- /dev/null +++ b/.readthedocs.yaml @@ -0,0 +1,17 @@ +version: 2 + +build: + os: ubuntu-22.04 + tools: + python: "3.11" + +python: + install: + - requirements: ./requirements.txt + +sphinx: + builder: html + configuration: doc/conf.py + fail_on_warning: false + +formats: all diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..03310ca --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,263 @@ +# Change Log + +## 1.3.2 - 2024-03-14 +- Fix copying of file hash lists which was broken in the dataset fix + as part of ticket #6833: + https://redmine.openinfosecfoundation.org/issues/6854 + +## 1.3.1 - 2024-03-11 +- Fix detecting dataset "load" when preceded by a space: + https://redmine.openinfosecfoundation.org/issues/6777 +- If no Suricata is found, Suricata-Update will assume version 6.0.0 + instead of 4.0.0. +- Handle URLs of bare files that don't end in .rules: + https://redmine.openinfosecfoundation.org/issues/3664 +- Don't base dataset filenames on the contents of the file, but + instead the filename path: + https://redmine.openinfosecfoundation.org/issues/6763 +- Give each file in a source a unique filename by prefixing the files + with a hash of the URL to prevent duplicate filenames from + cloberring each other, in particular dataset files: + https://redmine.openinfosecfoundation.org/issues/6833 + +## 1.3.0 - 2023-07-07 + +- Fix loading of configuration files specified in update.yaml: + https://redmine.openinfosecfoundation.org/issues/6172 + +## 1.3.0-rc1 - 2022-01-30 +- Be consistent about warning about old index. The index won't be + automatically updated now in some cases and not in others. Instead + opt to never auto-update: + https://redmine.openinfosecfoundation.org/issues/3249 +- Better flowbit resolution logging in verbose mode + https://redmine.openinfosecfoundation.org/issues/3205 +- Hide advanced command line options from help output: + https://redmine.openinfosecfoundation.org/issues/3974 +- Allow spaces in custom HTTP headers. Redmine issue + https://redmine.openinfosecfoundation.org/issues/4362 +- Better error message on invalid source specification: + https://redmine.openinfosecfoundation.org/issues/5141 + +## 1.2.7 - 2022-01-30 +- Embed an index that has been formatted so diffs are more readable. +- Documentation update with respect to how Suricata-Update is bundled + with all versions of Suricata now. + +## 1.2.6 - 2022-11-25 +- Allow checksum URL to be specified by the index: + https://redmine.openinfosecfoundation.org/issues/5684 +- Metadata rule matching for disable, enable and drop: + https://redmine.openinfosecfoundation.org/issues/5561 + +## 1.2.5 - 2022-09-22 +- Update entrypoint search path when not installed with distutils. This is + required for installation when bundled with Suricata 6.0.7 or newer: + https://redmine.openinfosecfoundation.org/issues/5313 + +## 1.2.4 - 2022-04-19 +- Fix multiple modifications to a rule: + https://redmine.openinfosecfoundation.org/issues/4259 +- Fix "check-versions" where the running Suricata is newer than what the index + knows about: https://redmine.openinfosecfoundation.org/issues/4373 +- Fix issue with dataset handling. Also adds file renaming to avoid conflicts: + https://redmine.openinfosecfoundation.org/issues/5010. +- New modify option to add metadata: + https://redmine.openinfosecfoundation.org/issues/5221. +- Respect Suricata's sysconfdir when loading configuration files: + https://redmine.openinfosecfoundation.org/issues/4374. +- Modify rule to add metadata: + https://redmine.openinfosecfoundation.org/issues/5221 +- Don't fail when source removed from index: + https://redmine.openinfosecfoundation.org/issues/5269 +- Option fail on download error: + https://redmine.openinfosecfoundation.org/issues/4579 + +## 1.2.3 - 2021-11-05 +- Allow more custom characters in custom http header to allow for more + of the base64 character set: + https://redmine.openinfosecfoundation.org/issues/4701 +- Send custom HTTP headers with check for remote checksum file: + https://redmine.openinfosecfoundation.org/issues/4001 + +## 1.2.2 - 2021-05-18 +- Fix "no-test" when set in configuration file: + https://redmine.openinfosecfoundation.org/issues/4493 + +## 1.2.1 - 2021-02-23 +- Fix --no-merge. Redmine issue + https://redmine.openinfosecfoundation.org/issues/4324. + +## 1.2.0 - 2020-10-05 +- Documentation updates. + +## 1.2.0rc2 - 2020-09-09 + +### Features +- Obsolete and deprecated source handling from the index: + https://redmine.openinfosecfoundation.org/issues/3918, + https://redmine.openinfosecfoundation.org/issues/3919. + +### Fixes +- Fix re-enabling a disabled source that was initially added with + "add-source": https://redmine.openinfosecfoundation.org/issues/3843 +- Handle duplicate filenames across multiple sources: + https://redmine.openinfosecfoundation.org/issues/3174 + +## 1.2.0rc1 - 2020-08-05 + +### Added +- Add summary for update-sources command: + https://redmine.openinfosecfoundation.org/issues/2472 +- Disable SMB rules if installed Suricata does not support them: + https://redmine.openinfosecfoundation.org/issues/3280 +- Better error on bad modify filter: + https://redmine.openinfosecfoundation.org/issues/3536 +- Missing documentation for list-sources, list-enabled-sources and + check-versions: + https://redmine.openinfosecfoundation.org/issues/3228 +- Optimization for modify filters: + https://redmine.openinfosecfoundation.org/issues/3620 +- Fix --http-header option. Header was not being sent: + https://redmine.openinfosecfoundation.org/issues/3696 +- Add classification.config management. Suricata-Update will now load + the Suricata installed classification.config and merge it with + classification.config's found in rule + files. https://redmine.openinfosecfoundation.org/issues/3203 +- Copy md5/sha1/sha256 file lists from rulesets into the rule output + directory: https://redmine.openinfosecfoundation.org/issues/2688 +- Copy dataset files from ruleset into the rule output directory: + https://redmine.openinfosecfoundation.org/issues/3528 + +## 1.1.0 - 2019-10-11 +- Disable ja3 rules if the Suricata build or runtime configuration + does not support + ja3. https://redmine.openinfosecfoundation.org/issues/3215 +- New command, check-versions to compare the version of Suricata on + the system to Suricata version information in the index. Can let you + know if Suricata is + outdated. https://redmine.openinfosecfoundation.org/issues/2341 + +## 1.1.0rc1 - 2019-09-09 +- Enable integration tests on + Travis-CI. https://redmine.openinfosecfoundation.org/issues/2760 +- Fix error on missing sid, or missing ';' in rule + parsing. https://redmine.openinfosecfoundation.org/issues/2867 +- Improve permission errors from tracebacks to more user friendly + error messages. https://redmine.openinfosecfoundation.org/issues/2875 +- Log warnings and errors to stderr, info and debug to stdout. + https://redmine.openinfosecfoundation.org/issues/2565 +- Cleaner exit on CTRL-C. + https://redmine.openinfosecfoundation.org/issues/2878 +- Run offline. + https://redmine.openinfosecfoundation.org/issues/2864 +- Log warning on duplicate SID. + https://redmine.openinfosecfoundation.org/issues/2879 +- Parse rule files alphabetically. + https://redmine.openinfosecfoundation.org/issues/2892 +- Set the noalert option on rules enabled for flowbit dependencies. + https://redmine.openinfosecfoundation.org/issues/2906 +- Allow sources to be specified without a checksum URL to prevent the + warning log message when this URL does not + exist. https://redmine.openinfosecfoundation.org/issues/3100 + +## 1.0.5 - 2019-04-26 +- Fix NULL pointer dereference (FORWARD_NULL) found by + Coverity. https://redmine.openinfosecfoundation.org/issues/2834 +- Add a download connection timeout of 30 + seconds. https://redmine.openinfosecfoundation.org/issues/2703 +- Fix issue with --no-merge command line + option. https://redmine.openinfosecfoundation.org/issues/2869 +- Fix handling of default ignore + files. https://redmine.openinfosecfoundation.org/issues/2851 +- Allow repeated calls to enable the same rule source without exiting + with an error. https://redmine.openinfosecfoundation.org/issues/2728 + +## 1.0.4 - 2019-03-07 +- Enable integration tests on + Travis-CI. https://redmine.openinfosecfoundation.org/issues/2760 +- Reduce memory usage. https://redmine.openinfosecfoundation.org/issues/2791 + +## 1.0.3 - 2018-12-21 +- Fix enable-source command. + https://redmine.openinfosecfoundation.org/issues/2753 + +## 1.0.2 - 2018-12-18 +- Fix installs on older versions of Python 2.7. + https://redmine.openinfosecfoundation.org/issues/2747 + +## 1.0.1 - 2018-12-16 +- Add --free argument to list-sources command to show only those + that are freely + available. https://redmine.openinfosecfoundation.org/issues/2641 +- If user-agent is configured to be empty, don't send the header at + all. This also fixes an issue where trying to set the user agent to + an empty string reset it back to the + default. https://redmine.openinfosecfoundation.org/issues/2665 +- Fix --dump-sample-configs. The data files were being + installed. https://redmine.openinfosecfoundation.org/issues/2683 +- When installing with pip, make pyyaml and a required dependency so + it will be installed automatically if needed. This does not apply + when installed bundled with + Suricata. https://redmine.openinfosecfoundation.org/issues/2667 +- Fix missing check for None, from + Coverity. https://redmine.openinfosecfoundation.org/issues/2676 +- Suppress download progress meter when not on a + tty. https://redmine.openinfosecfoundation.org/issues/2743 +- Hide git revision if not available in --version. +- Update list of engine provided rules to include. +- Allow a custom HTTP header to be set on a source when added with + add-source. https://redmine.openinfosecfoundation.org/issues/2577 + +## 1.0.0 - 2018-11-05 +- Fix failure to run custom test + command. https://redmine.openinfosecfoundation.org/issues/2652 + +## 1.0.0rc2 - 2018-10-12 +- Python 3 fix for enable-source. + https://redmine.openinfosecfoundation.org/issues/2549 +- Fix interactive input for add-source command. + https://redmine.openinfosecfoundation.org/issues/2550 +- Python fix for loading disable.conf (and other files). + https://redmine.openinfosecfoundation.org/issues/2551 + +## 1.0.0rc1 - 2018-07-17 +- Python 3 fixes. +- Bundle a copy of the index which can be used if download source for + the index is not available, and no index was previously + downloaded. Warnings will be issued. +- Fix for Python versions prior to 2.7.9 that don't have + ssl.create_default_context. For example, Ubuntu Trusty. +- Fix exception while referencing configuration + filename. https://redmine.openinfosecfoundation.org/issues/2526 + +## 1.0.0b1 - 2018-01-19 +- Various fixes for Python 3. +- Allow the default state directory of /var/lib/suricata to be changed + with the command line parameter -D (--data-dir). Fixes issue + https://redmine.openinfosecfoundation.org/issues/2334. +- Cache directory is now /var/lib/suricata/update/cache (or + update/cache under configured data directory). +- list-sources: If no index is found, automatically run + update-sources. Fixes issue + https://redmine.openinfosecfoundation.org/issues/2336. +- New testing framework, integration tests and a docker test with the + focus of testing on more versions of Python. +- Allow a custom HTTP User-Agent to be set + (https://redmine.openinfosecfoundation.org/issues/2344). +- Command line option and configuration parameter to set the + suricata.yaml configuration file used + (https://redmine.openinfosecfoundation.org/issues/2350). +- Allow the Suricata application to be set in the configuration file. +- Allow disabling of TLS certificate validation + (--no-check-certificate). +- Safe loading of YAML files + (https://redmine.openinfosecfoundation.org/issues/2359) + +## 1.0.0a1 - 2017-12-05 +- Initial alpha release of Suricata-Update. A Suricata rule update tool + based on idstools-rulecat, relicensed under the GPLv2 with copyright + assigned to the OISF. +- Features are derived from idstools-rulecat, but with more + opinionated defaults. +- Supports an index of rule sources to aid in discovery of rulesets. @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + <one line to give the program's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + <signature of Ty Coon>, 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/MANIFEST.in b/MANIFEST.in new file mode 100644 index 0000000..5d8c23a --- /dev/null +++ b/MANIFEST.in @@ -0,0 +1,4 @@ +include LICENSE +include suricata/update/configs/*.conf +include suricata/update/configs/*.in +include suricata/update/configs/*.yaml diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..577b562 --- /dev/null +++ b/Makefile @@ -0,0 +1,50 @@ +.PHONY: doc + +all: build + +build: + python setup.py build + +install: + python setup.py install + +tox: + @if ! which tox 2>&1 > /dev/null; then \ + echo "error: tox required to run tests"; \ + exit 1; \ + fi + +test: tox + @tox + +integration-test: tox + @tox -c tox-integration.ini + +docker-test: + @if ! which docker 2>&1 > /dev/null; then \ + echo "error: docker is required to run docker tests"; \ + exit 1; \ + fi + @for test in $(wildcard tests/docker*); do \ + (cd $$test && $(MAKE)); \ + done + +clean: + find . -name \*.pyc -print0 | xargs -0 rm -f + find . -name \*~ -print0 | xargs -0 rm -f + find . -name __pycache__ -type d -print0 | xargs -0 rm -rf + rm -rf suricata_update.egg* + rm -rf build dist MANIFEST + cd doc && $(MAKE) clean + +doc: + cd doc && $(MAKE) clean html + +sdist: + python setup.py sdist + +sdist-upload: + python setup.py sdist upload + +update-index: + python -m suricata.update.data.update diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..36503a6 --- /dev/null +++ b/README.rst @@ -0,0 +1,123 @@ +Suricata-Update +=============== + +The tool for updating your Suricata rules. + +Installation +------------ + + pip install --upgrade suricata-update + +Documentation +------------- + +https://suricata-update.readthedocs.io/en/latest/ + +Issues +------ + +https://redmine.openinfosecfoundation.org/projects/suricata-update + +Example Usage +------------- + + suricata-update + +The default invocation of ``suricata-update`` will perform the following: + +- Read the configuration, /etc/suricata/update.yaml, if it exists. +- Read in the rule filter configuration files: + + - /etc/suricata/disable.conf + - /etc/suricata/enable.conf + - /etc/suricata/drop.conf + - /etc/suricata/modify.conf + +- Download the best version of the Emerging Threats Open ruleset for + the version of Suricata found. +- Read in the rule files provided with the Suricata distribution from + /etc/suricata/rules. +- Apply disable, enable, drop and modify filters. +- Resolve flowbits. +- Write the rules to /var/lib/suricata/rules/suricata.rules. + +If you are not yet ready to use /var/lib/suricata/rules then you may +be interested in the `--output +<http://suricata-update.readthedocs.io/en/latest/#cmdoption-o>`_ and +`--no-merge +<http://suricata-update.readthedocs.io/en/latest/#cmdoption-o>`_ +command line options. + +Suricata Configuration +---------------------- + +The default Suricata configuration needs to be updated to find the rules +in the new location. + +Example suricata.yaml + +.. code-block:: yaml + + default-rule-path: /var/lib/suricata/rules + rule-files: + - suricata.rules + +Optionally ``-S /var/lib/suricata/rules/suricata.rules`` could be +provided on the Suricata command line. + +Notes +----- + +This ``suricata-update`` tool is based around the idea +``/etc/suricata`` should not be used for active rule management, but +instead as a location for more or less static configuration. Instead +``/var/lib/suricata`` is used for rule management and +``/etc/suricata/rules`` is used as a source for rule files provided by +the Suricata distribution. + +Files and Directories +--------------------- + +``/usr/share/suricata/rules`` + Used as a source of rules provided by the Suricata engine. If this + directory does not exist, ``etc/suricata/rules`` will be used. + +``/etc/suricata/update.yaml`` + The default location for the ``suricata-update`` configuration file. + +``/etc/suricata/disable.conf`` + Default location for disable rule filters if not provided in the + configuration file or command line. + +``/etc/suricata/enable.conf`` + Default location for enable rule filters if not provided in the + configuration file or command line. + +``/etc/suricata/drop.conf`` + Default location for drop rule filters if not provided in the + configuration file or command line. + +``/etc/suricata/modify.conf`` + Default location for modify rule filters if not provided in the + configuration file or command line. + +``/var/lib/suricata/rules`` + The output directory for rules processed by the ``suricata-update`` + tool. This directory is owned and managed by ``suricata-update`` and + should not be touched by the user. + +``/var/lib/suricata/rules/suricata.rules`` + The default output filename for the rules processed by ``suricata-update``. + + This is a single file that contains all the rules from all input + files and should be used by Suricata. + +``/var/lib/suricata/update/cache`` + Directory where downloaded rule files are cached here. + +``/var/lib/suricata/rules/cache/index.yaml`` + Cached copy of the rule source index. + +``/var/lib/suricata/update/sources`` + Configuration direction for sources enabled or added with + ``enable-source`` or ``add-source``. diff --git a/bin/suricata-update b/bin/suricata-update new file mode 100755 index 0000000..94ea2ba --- /dev/null +++ b/bin/suricata-update @@ -0,0 +1,36 @@ +#! /usr/bin/env python +# +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import sys +import os + +exec_dir = os.path.dirname(__file__) + +# Check if we were installed along with Suricata, and setup the path if so. +libpath = os.path.realpath( + os.path.join(exec_dir, os.pardir, "lib/suricata/python")) +if os.path.exists(os.path.join(libpath, "suricata", "update")): + sys.path.insert(0, libpath) + +# If running out of the source directory, make sure we pick up the +# library from the current directory. +sys.path.insert( + 0, os.path.dirname(os.path.dirname(os.path.abspath(sys.argv[0])))) + +from suricata.update import main +sys.exit(main.main()) diff --git a/doc/Makefile b/doc/Makefile new file mode 100644 index 0000000..bfa0803 --- /dev/null +++ b/doc/Makefile @@ -0,0 +1,156 @@ +# Makefile for Sphinx documentation +# + +# You can set these variables from the command line. +SPHINXOPTS = +SPHINXBUILD = sphinx-build +SPHINXAPIDOC = sphinx-apidoc +PAPER = +BUILDDIR = _build + +# Internal variables. +PAPEROPT_a4 = -D latex_paper_size=a4 +PAPEROPT_letter = -D latex_paper_size=letter +ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . +# the i18n builder cannot share the environment and doctrees with the others +I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) . + +.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext + +all: html + +help: + @echo "Please use \`make <target>' where <target> is one of" + @echo " html to make standalone HTML files" + @echo " dirhtml to make HTML files named index.html in directories" + @echo " singlehtml to make a single large HTML file" + @echo " pickle to make pickle files" + @echo " json to make JSON files" + @echo " htmlhelp to make HTML files and a HTML help project" + @echo " qthelp to make HTML files and a qthelp project" + @echo " devhelp to make HTML files and a Devhelp project" + @echo " epub to make an epub" + @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter" + @echo " latexpdf to make LaTeX files and run them through pdflatex" + @echo " text to make text files" + @echo " man to make manual pages" + @echo " texinfo to make Texinfo files" + @echo " info to make Texinfo files and run them through makeinfo" + @echo " gettext to make PO message catalogs" + @echo " changes to make an overview of all changed/added/deprecated items" + @echo " linkcheck to check all external links for integrity" + @echo " doctest to run all doctests embedded in the documentation (if enabled)" + +clean: + -rm -rf $(BUILDDIR)/* + +html: + $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/html." + +dirhtml: + $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml + @echo + @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml." + +singlehtml: + $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml + @echo + @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml." + +pickle: + $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle + @echo + @echo "Build finished; now you can process the pickle files." + +json: + $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json + @echo + @echo "Build finished; now you can process the JSON files." + +htmlhelp: + $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp + @echo + @echo "Build finished; now you can run HTML Help Workshop with the" \ + ".hhp project file in $(BUILDDIR)/htmlhelp." + +qthelp: + $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp + @echo + @echo "Build finished; now you can run "qcollectiongenerator" with the" \ + ".qhcp project file in $(BUILDDIR)/qthelp, like this:" + @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/suricataupdate.qhcp" + @echo "To view the help file:" + @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/suricataupdate.qhc" + +devhelp: + $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp + @echo + @echo "Build finished." + @echo "To view the help file:" + @echo "# mkdir -p $$HOME/.local/share/devhelp/suricataupdate" + @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/suricataupdate" + @echo "# devhelp" + +epub: + $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub + @echo + @echo "Build finished. The epub file is in $(BUILDDIR)/epub." + +latex: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo + @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex." + @echo "Run \`make' in that directory to run these through (pdf)latex" \ + "(use \`make latexpdf' here to do that automatically)." + +latexpdf: + $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex + @echo "Running LaTeX files through pdflatex..." + $(MAKE) -C $(BUILDDIR)/latex all-pdf + @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex." + +text: + $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text + @echo + @echo "Build finished. The text files are in $(BUILDDIR)/text." + +man: + $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man + @echo + @echo "Build finished. The manual pages are in $(BUILDDIR)/man." + +texinfo: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo + @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo." + @echo "Run \`make' in that directory to run these through makeinfo" \ + "(use \`make info' here to do that automatically)." + +info: + $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo + @echo "Running Texinfo files through makeinfo..." + make -C $(BUILDDIR)/texinfo info + @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo." + +gettext: + $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale + @echo + @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale." + +changes: + $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes + @echo + @echo "The overview file is in $(BUILDDIR)/changes." + +linkcheck: + $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck + @echo + @echo "Link check complete; look for any errors in the above output " \ + "or in $(BUILDDIR)/linkcheck/output.txt." + +doctest: + $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest + @echo "Testing of doctests in the sources finished, look at the " \ + "results in $(BUILDDIR)/doctest/output.txt." diff --git a/doc/_static/.gitignore b/doc/_static/.gitignore new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/doc/_static/.gitignore diff --git a/doc/add-source.rst b/doc/add-source.rst new file mode 100644 index 0000000..c49692c --- /dev/null +++ b/doc/add-source.rst @@ -0,0 +1,45 @@ +################################ +add-source - Add a source by URL +################################ + +Synopsis +======== + +:: + + suricata-update add-source <name> <url> + +Description +=========== + +The ``add-source`` adds a source to the set of enabled sources by +URL. It is useful to add a source that is not provided in the index. + +Options +======= + +.. option:: --http-header "Header: Value" + + Add an additional HTTP header to requests for this rule source such + as a custom API key. Example:: + + add-source --http-header "X-API-Key: 1234" + + HTTP basic authentication can be achieved by setting the HTTP Basic + Authentication header with ``base64(user1:password1)``. Example:: + + add-source --http-header "Authorization: Basic dXNlcjE6cGFzc3dvcmQx" + + HTTP Bearer authentication can be used by setting the HTTP Bearer Authentication header + with a OAuth2 token containing printable ASCII characters. Example:: + + add-source --http-header "Auhorization: Bearer NjA2MTUOTAx?D+wOm4U/vpXQy0xhl!hSaR7#ENVpK59" + +.. option:: --no-checksum + + Skips downloading the checksum URL for the rule source. + +Common Options +============== + +.. include:: ./common-options.rst diff --git a/doc/check-versions.rst b/doc/check-versions.rst new file mode 100644 index 0000000..8be2e0a --- /dev/null +++ b/doc/check-versions.rst @@ -0,0 +1,21 @@ +########################################## +check-versions - Check version of Suricata +########################################## + +Synopsis +======== + +:: + + suricata-update check-versions + +Description +=========== + +The ``check-versions`` command checks if the installed Suricata version is up +to date. + +Options +======= + +.. include:: common-options.rst diff --git a/doc/common-options.rst b/doc/common-options.rst new file mode 100644 index 0000000..d56df99 --- /dev/null +++ b/doc/common-options.rst @@ -0,0 +1,51 @@ +.. option:: -h, --help + + Show help. + +.. option:: -D <directory>, --data-dir <directory> + + Set an alternate data directory. + + Default: */var/lib/suricata* + +.. option:: -c <filename>, --config <filename> + + Path to the suricata-update config file. + + Default: */etc/suricata/update.yaml* + +.. option:: -q, --quiet + + Run quietly. Only warning and error messages will be displayed. + +.. option:: -v, --verbose + + Provide more verbose output. + +.. option:: --suricata-conf <path> + + Path to the suricata config file. + + Default: */etc/suricata/suricata.yaml* + +.. option:: --suricata <path> + + The path to the Suricata program. If not provided + ``suricata-update`` will attempt to find Suricata on your path. + + The Suricata program is used to determine the version of Suricata + as well as providing information about the Suricata configuration. + +.. option:: --suricata-version <version> + + Set the Suricata version to a specific version instead of checking + the version of Suricata on the path. + +.. option:: --user-agent <string> + + Set a custom user agent string for HTTP requests. + +.. option:: -s, --show-advanced + + Show advanced options. +
\ No newline at end of file diff --git a/doc/conf.py b/doc/conf.py new file mode 100644 index 0000000..b779bc9 --- /dev/null +++ b/doc/conf.py @@ -0,0 +1,247 @@ +# -*- coding: utf-8 -*- +# +# Suricata-Update documentation build configuration file, created by +# sphinx-quickstart on Wed Jul 17 23:14:56 2013. +# +# This file is execfile()d with the current directory set to its containing dir. +# +# Note that not all possible configuration values are present in this +# autogenerated file. +# +# All configuration values have a default; values that are commented out +# serve to show the default. + +import sys, os + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +sys.path.insert(0, os.path.abspath('..')) + +# -- General configuration ----------------------------------------------------- + +# If your documentation needs a minimal Sphinx version, state it here. +#needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be extensions +# coming with Sphinx (named 'sphinx.ext.*') or your custom ones. +extensions = ['sphinx.ext.autodoc', + 'sphinx.ext.ifconfig', + 'sphinx.ext.viewcode', + 'sphinxcontrib.programoutput'] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix of source filenames. +source_suffix = '.rst' + +# The encoding of source files. +#source_encoding = 'utf-8-sig' + +# The master toctree document. +master_doc = 'index' + +# General information about the project. +project = u'suricata-update' +copyright = u'2017, OISF' + +# The version info for the project you're documenting, acts as replacement for +# |version| and |release|, also used in various other places throughout the +# built documents. +# +# The short X.Y version. +import suricata.update.version + +version = suricata.update.version.version +release = version + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +#language = None + +# There are two options for replacing |today|: either, you set today to some +# non-false value, then it is used: +#today = '' +# Else, today_fmt is used as the format for a strftime call. +#today_fmt = '%B %d, %Y' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +exclude_patterns = ['_build'] + +# The reST default role (used for this markup: `text`) to use for all documents. +#default_role = None + +# If true, '()' will be appended to :func: etc. cross-reference text. +#add_function_parentheses = True + +# If true, the current module name will be prepended to all description +# unit titles (such as .. function::). +#add_module_names = True + +# If true, sectionauthor and moduleauthor directives will be shown in the +# output. They are ignored by default. +#show_authors = False + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'sphinx' + +# A list of ignored prefixes for module index sorting. +#modindex_common_prefix = [] + + +# -- Options for HTML output --------------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +html_theme = 'default' + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +#html_theme_options = {} + +# Add any paths that contain custom themes here, relative to this directory. +#html_theme_path = [] + +# The name for this set of Sphinx documents. If None, it defaults to +# "<project> v<release> documentation". +#html_title = None + +# A shorter title for the navigation bar. Default is the same as html_title. +#html_short_title = None + +# The name of an image file (relative to this directory) to place at the top +# of the sidebar. +#html_logo = None + +# The name of an image file (within the static path) to use as favicon of the +# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32 +# pixels large. +#html_favicon = None + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +html_static_path = ['_static'] + +# If not '', a 'Last updated on:' timestamp is inserted at every page bottom, +# using the given strftime format. +#html_last_updated_fmt = '%b %d, %Y' + +# If true, SmartyPants will be used to convert quotes and dashes to +# typographically correct entities. +#html_use_smartypants = True + +# Custom sidebar templates, maps document names to template names. +#html_sidebars = {} + +# Additional templates that should be rendered to pages, maps page names to +# template names. +#html_additional_pages = {} + +# If false, no module index is generated. +#html_domain_indices = True + +# If false, no index is generated. +#html_use_index = True + +# If true, the index is split into individual pages for each letter. +#html_split_index = False + +# If true, links to the reST sources are added to the pages. +#html_show_sourcelink = True + +# If true, "Created using Sphinx" is shown in the HTML footer. Default is True. +#html_show_sphinx = True + +# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True. +#html_show_copyright = True + +# If true, an OpenSearch description file will be output, and all pages will +# contain a <link> tag referring to it. The value of this option must be the +# base URL from which the finished HTML is served. +#html_use_opensearch = '' + +# This is the file name suffix for HTML files (e.g. ".xhtml"). +#html_file_suffix = None + +# Output file base name for HTML help builder. +htmlhelp_basename = 'suricataupdatedoc' + + +# -- Options for LaTeX output -------------------------------------------------- + +latex_elements = { +# The paper size ('letterpaper' or 'a4paper'). +#'papersize': 'letterpaper', + +# The font size ('10pt', '11pt' or '12pt'). +#'pointsize': '10pt', + +# Additional stuff for the LaTeX preamble. +#'preamble': '', +} + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, author, documentclass [howto/manual]). +latex_documents = [ + ('index', 'suricata-update.tex', u'Suricata Update Documentation', + u'OISF', 'manual'), +] + +# The name of an image file (relative to this directory) to place at the top of +# the title page. +#latex_logo = None + +# For "manual" documents, if this is true, then toplevel headings are parts, +# not chapters. +#latex_use_parts = False + +# If true, show page references after internal links. +#latex_show_pagerefs = False + +# If true, show URL addresses after external links. +#latex_show_urls = False + +# Documents to append as an appendix to all manuals. +#latex_appendices = [] + +# If false, no module index is generated. +#latex_domain_indices = True + + +# -- Options for manual page output -------------------------------------------- + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +man_pages = [ + ('index', 'suricata-update', u'Suricata Update', [], 1) +] + +# If true, show URL addresses after external links. +#man_show_urls = False + + +# -- Options for Texinfo output ------------------------------------------------ + +# Grouping the document tree into Texinfo files. List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + ('index', 'suricata-update', u'Suricata Update Documentation', + u'OISF', 'suricata-update', 'Suricata Update Documentation.', + 'Miscellaneous'), +] + +# Documents to append as an appendix to all manuals. +#texinfo_appendices = [] + +# If false, no module index is generated. +#texinfo_domain_indices = True + +# How to display URL addresses: 'footnote', 'no', or 'inline'. +#texinfo_show_urls = 'footnote' + +highlight_language = "none" diff --git a/doc/disable-source.rst b/doc/disable-source.rst new file mode 100644 index 0000000..b2c9ef0 --- /dev/null +++ b/doc/disable-source.rst @@ -0,0 +1,22 @@ +########################################## +disable-source - Disable an enabled source +########################################## + +Synopsis +======== + +:: + + suricata-update disable-source <name> + +Description +=========== + +The ``disable-source`` command disables a currently enabled +source. The configuration for the source is not removed, allowing it +to be re-enabled without having to re-enter any required parameters. + +Options +======= + +.. include:: ./common-options.rst diff --git a/doc/enable-source.rst b/doc/enable-source.rst new file mode 100644 index 0000000..476b87f --- /dev/null +++ b/doc/enable-source.rst @@ -0,0 +1,35 @@ +############################### +enable-source - Enable a source +############################### + +Synopsis +======== + +:: + + suricata-update enable-source <source-name> [param=val ...] + +Description +=========== + +Enable a source that is listed in the index. + +If the index requires user provided parameters the user will be +prompted for them. Alternatively they can be provided on command line +to avoid the prompt. + +For example:: + + suricata-update enable-source et/pro secret-code=xxxxxxxxxxxxxxxx + +This will prevent the prompt for the et/pro secret code using the +value provided on the command line instead. + +To update parameters for enabled sources, just re-run the ``enable-source`` +command above again with changed parameters. Changed parameters will be +updated in the stored configuration. + +Options +======= + +.. include:: ./common-options.rst diff --git a/doc/index.rst b/doc/index.rst new file mode 100644 index 0000000..a9268c9 --- /dev/null +++ b/doc/index.rst @@ -0,0 +1,16 @@ +############################################# +suricata-update - A Suricata Rule Update Tool +############################################# + +.. toctree:: + :maxdepth: 2 + + quickstart + update + update-sources + list-sources + enable-source + disable-source + remove-source + add-source + check-versions diff --git a/doc/list-sources.rst b/doc/list-sources.rst new file mode 100644 index 0000000..f4b36eb --- /dev/null +++ b/doc/list-sources.rst @@ -0,0 +1,28 @@ +######################################## +list-sources - List available sources +######################################## + +Synopsis +======== + +:: + + suricata-update list-sources + +Description +=========== + +The ``list-sources`` command lists all the available sources. + +Options +======= + +.. include:: common-options.rst + +.. option:: --free + + List all freely available sources. + +.. option:: --enabled + + Lists all the enabled sources. diff --git a/doc/quickstart.rst b/doc/quickstart.rst new file mode 100644 index 0000000..bf57de5 --- /dev/null +++ b/doc/quickstart.rst @@ -0,0 +1,209 @@ +Quick Start +########### + +Install Suricata Update +======================= + +Suricata-Update is bundled with all supported versions of Suricata and +should be installed when Suricata is installed. Please check if +``suricata-update`` is already installed before proceeding with these +installation directions, for example, the following command will tell +you the version:: + + suricata-update -V + +You should only need to install Suricata-Update manually if it is +required independently of a Suricata install. + +Suricata-Update is a tool written in Python and best installed with +the ``pip`` tool for installing Python packages. + +Pip can install ``suricata-update`` globally making it available to +all users or it can install ``suricata-update`` into your home +directory. + +To install ``suricata-update`` globally:: + + pip install --upgrade suricata-update + +or to install it to your own directory:: + + pip install --user --upgrade suricata-update + +Pip can also be used to install the latest development version of +Suricata-Update:: + + pip install --user --upgrade \ + https://github.com/oisf/suricata-update/archive/master.zip + +.. note:: When installing to your home directory the + ``suricata-update`` program will be installed to + $HOME/.local/bin, so make sure this directory is in your + path:: + + export PATH=$HOME/.local/bin:$PATH + +Directories and Permissions +=========================== + +In order for ``suricata-update`` to function, the following +permissions are required: + +* Directory /etc/suricata: read/write access +* Directory /var/lib/suricata/rules: read/write access +* Directory /var/lib/suricata/update: read/write access + +One option is to simply run ``suricata-update`` as root or with +``sudo``. + +.. note:: It is recommended to create a ``suricata`` group and setup + the above directories with the correct permissions for + the ``suricata`` group then add users to the ``suricata`` + group. + +Steps to setup the above directories with the correct permissions: + +First, create a group ``suricata``:: + + sudo groupadd suricata + +Next, change the group of the directories and its files recursively:: + + sudo chgrp -R suricata /etc/suricata + sudo chgrp -R suricata /var/lib/suricata/rules + sudo chgrp -R suricata /var/lib/suricata/update + +.. note:: The paths ``/etc/suricata`` and ``/var/lib`` above are used + in the default configuration and are dependent on paths set + during compilation. By default, these paths are set to + ``/usr/local``. + Please check your configuration for appropriate paths. + +Setup the directories with the correct permissions for the ``suricata`` +group:: + + sudo chmod -R g+r /etc/suricata/ + sudo chmod -R g+rw /var/lib/suricata/rules + sudo chmod -R g+rw /var/lib/suricata/update + +Now, add user to the group:: + + sudo usermod -a -G suricata username + +Verify whether group has been changed:: + + ls -al /etc/suricata + ls -al /var/lib/suricata/rules + ls -al /var/lib/suricata/update + +Reboot your system. Run ``suricata-update`` without a sudo to check +if suricata-update functions. + +Update Your Rules +================= + +Without doing any configuration the default operation of +``suricata-update`` is to use the Emerging Threats Open ruleset. + +Example:: + + suricata-update + +This command will: + +* Look for the ``suricata`` program on your path to determine its + version. + +* Look for /etc/suricata/enable.conf, /etc/suricata/disable.conf, + /etc/suricata/drop.conf, and /etc/suricata/modify.conf to look for + filters to apply to the downloaded rules. These files are optional + and do not need to exist. + +* Download the Emerging Threats Open ruleset for your version of + Suricata, defaulting to 6.0.0 if not found. + +* Apply enable, disable, drop and modify filters as loaded above. + +* Write out the rules to ``/var/lib/suricata/rules/suricata.rules``. + +* Run Suricata in test mode on + ``/var/lib/suricata/rules/suricata.rules``. + +.. note:: Suricata-Update is also capable of triggering a rule reload, + but doing so requires some extra configuration that will be + covered later. See the documentation of + :command:`--reload-command=<command>` for more details. + +Configure Suricata to Load Suricata-Update Managed Rules +======================================================== + +.. note:: If ``suricata-update`` was installed for you by Suricata, + then your Suricata configuration should already be setup to + work with Suricata-Update. + +If upgrading from an older version of Suricata, or running a +development version that may not be bundled with Suricata-Update, you +will have to check that your ``suricata.yaml`` is configured for +Suricata-Update. The main difference is the ``default-rule-path`` +which is ``/var/lib/suricata/rules`` when using Suricata-Update. + +You will want to update your ``suricata.yaml`` to have the following:: + + default-rule-path: /var/lib/suricata/rules + rule-files: + - suricata.rules + +If you have local rules you would like Suricata to load, these can be +listed here as well by using the full path name. + +Discover Other Available Rule Sources +===================================== + +First update the rule source index with the ``update-sources`` command, +for example:: + + suricata-update update-sources + +Then list the sources from the index. Example:: + + suricata-update list-sources + +Now enable the **ptresearch/attackdetection** ruleset:: + + suricata-update enable-source ptresearch/attackdetection + +And update your rules again:: + + suricata-update + +List Enabled Sources +==================== + +:: + + suricata-update list-sources --enabled + +Disable a Source +================ + +:: + + suricata-update disable-source et/pro + +Disabling a source keeps the source configuration but disables. This +is useful when a source requires parameters such as a code that you +don't want to lose, which would happen if you removed a source. + +Enabling a disabled source re-enables without prompting for user +inputs. + +Remove a Source +=============== + +:: + + suricata-update remove-source et/pro + +This removes the local configuration for this source. Re-enabling +**et/pro** will requiring re-entering your access code. + diff --git a/doc/remove-source.rst b/doc/remove-source.rst new file mode 100644 index 0000000..f8e3135 --- /dev/null +++ b/doc/remove-source.rst @@ -0,0 +1,21 @@ +########################################## +remove-source - Remove a configured source +########################################## + +Synopsis +======== + +:: + + suricata-update remove-source <name> + +Description +=========== + +Remove a source configuration. This removes the source file from +``/var/lib/suricata/update/sources``, even if its disabled. + +Options +======= + +.. include:: ./common-options.rst diff --git a/doc/update-sources.rst b/doc/update-sources.rst new file mode 100644 index 0000000..ade1246 --- /dev/null +++ b/doc/update-sources.rst @@ -0,0 +1,40 @@ +######################################## +update-sources - Update the source index +######################################## + +Synopsis +======== + +:: + + suricata-update update-sources + +Description +=========== + +The ``update-sources`` command downloads the latest index of available +sources. + +Options +======= + +.. include:: common-options.rst + +Files and Directories +===================== + +``/var/lib/suricata/rules/.cache/index.yaml`` + Where the downloaded source index is cached. + +Environment Variables +===================== + +**SOURCE_INDEX_URL** + This environment variable allows the specification of an alternate + URL to download the index from. + +URLs +==== + +``https://www.openinfosecfoundation.org/rules/index.yaml`` + The default URL used to download the index from. diff --git a/doc/update.rst b/doc/update.rst new file mode 100644 index 0000000..c3db62e --- /dev/null +++ b/doc/update.rst @@ -0,0 +1,324 @@ +######################## +suricata-update - Update +######################## + +Synopsis +======== + +``suricata-update`` [OPTIONS] + +Description +=========== + +``suricata-update`` aims to be a simple to use rule download and +management tool for Suricata. + +Options +======= + +.. include:: ./common-options.rst + +.. option:: -o, --output + + The directory to output the rules to. + + Default: */var/lib/suricata/rules* + +.. option:: --force + + Force remote rule files to be downloaded if they otherwise wouldn't + be due to just recently downloaded, or the remote checksum matching + the cached copy. + +.. option:: --no-merge + + Do not merge the rules into a single rule file. + + *Warning: No attempt is made to resolve conflicts if 2 input rule files have the same name.* + +.. option:: --yaml-fragment=<filename.yaml> + + Output a fragment of YAML containing the *rule-files* section will + all downloaded rule files listed for inclusion in your + *suricata.yaml*. + +.. option:: --url=<url> + + A URL to download rules from. This option can be used multiple + times. + +.. option:: --local=<filename or directory> + + A path to a filename or directory of local rule files to include. + + If the path is a directory all files ending in *.rules* will be + loaded. + + Wildcards are accepted but to avoid shell expansion the argument + must be quoted, for example:: + + --local '/etc/suricata/custom-*.rules' + + This option can be specified multiple times. + +.. option:: --sid-msg-map=<filename> + + Output a v1 style sid-msg.map file. + +.. option:: --sid-msg-map-2=<filename> + + Output a v2 style sid-msg.map file. + +.. option:: --disable-conf=<disable.conf> + + Specify the configuration file for disable filters. + + See :ref:`example-disable-conf` + +.. option:: --enable-conf=<enable.conf> + + Specify the configuration file for enable rules. + + See :ref:`example-enable-conf` + +.. option:: --modify-conf=<modify.conf> + + Specify the configuration file for rule modification filters. + + See :ref:`example-modify-conf` + +.. option:: --drop-conf=<drop.conf> + + Specify the configuration file for drop filters. + + See :ref:`example-drop-conf` + +.. option:: --ignore=<pattern> + + Filenames to ignore. This is a pattern that will be matched against + the basename of a rule files. + + This argument may be specified multiple times. + + Default: *\*deleted.rules* + + Example:: + + --ignore dnp3-events.rules --ignore deleted.rules --ignore "modbus*" + + .. note:: + + If specified the default value of *\*deleted.rules* will no longer + be used, so add it as an extra ignore if needed. + +.. option:: --no-ignore + + Disable the --ignore option. Most useful to disable the default + ignore pattern without adding others. + +.. option:: --etopen + + Download the ET/Open ruleset. + + This is the default action of no ``--url`` options are provided or + no sources are configured. + + Use this option to enable the ET/Open ruleset in addition to any + URLs provided on the command line or sources provided in the + configuration. + +.. option:: --dump-sample-configs + + Output sample configuration files for the ``--disable``, + ``--enable``, ``--modify`` and ``--threshold-in`` commands. + +.. option:: --threshold-in=<threshold.conf.in> + + Specify the threshold.conf input template. + +.. option:: --threshold-out=<threshold.conf> + + Specify the name of the processed threshold.conf to output. + +.. option:: -T <command>, --test-command <command> + + Specifies a custom test command to test the rules before reloading + Suricata. This overrides the default command and can also be + specified in the configuration file under ``test-command``. + +.. option:: --no-test + + Disables the test command and proceed as if it had passed. + +.. option:: --reload-command=<command> + + A command to run after the rules have been updated; will not run if + no change to the output files was made. For example:: + + --reload-command='sudo kill -USR2 $(pidof suricata)' + + will tell Suricata to reload its rules. + + Furthermore the reload can be triggered using the Unix socket of Suricata. + + Blocking reload (with Suricata waiting for the reload to finish):: + + --reload-command='sudo suricatasc -c reload-rules' + + Non blocking reload (without restarting Suricata):: + + --reload-command='sudo suricatasc -c ruleset-reload-nonblocking' + + See the Suricata documentation on `Rule Reloads + <https://suricata.readthedocs.io/en/latest/rule-management/rule-reload.html>`_ + for more information. + +.. option:: --no-reload + + Disable Suricata rule reload. + +.. option:: -V, --version + + Display the version of **suricata-update**. + +.. option:: --offline + + Run offline using most recent cached rules. + +Rule Matching +============= + +Matching rules for disabling, enabling, converting to drop or +modification can be done with the following: + +- signature ID +- regular expression +- rule group +- filename + +Signature ID Matching +--------------------- + +A signature ID can be matched by just its signature ID, for example:: + + 1034 + +The generator ID can also be used for compatibility with other tools:: + + 1:1034 + +Regular Expression Matching +--------------------------- + +Regular expression matching will match a regular expression over the +complete rule. Example:: + + re:heartbleed + re:MS(0[7-9]|10)-\d+ + +Group Matching +-------------- + +The group matcher matches against the group the rule was loaded +from. Basically this is the filename without the leading path or file +extension. Example:: + + group:emerging-icmp.rules + group:emerging-dos + +Wild card matching similar to wildcards used in a Unix shell can also +be used:: + + group:*deleted* + +Filename Matching +----------------- + +The filename matcher matches against the filename the rule was loaded +from taking into consideration the full path. Shell wildcard patterns +are allowed:: + + filename:rules/*deleted* + filename:*/emerging-dos.rules + +Metadata Matching +----------------- + +Rules can be enabled or disabled based on the metadata fields +contained in the rule, for example:: + + metadata: deployment perimeter + +Will match rules that have a metadata field of "deployment" with the +value of "perimeter" (case insensitive). This will match on a rule +with the provided metadata:: + + metadata:affected_product Any, attack_target Any, deployment Perimeter + +.. note:: Metadata matching can only be used to enable, disable or + convert rules to drop. It is not available for rule + modification. + +Modifying Rules +--------------- + +Rule modification can be done with regular expression search and +replace. The basic format for a rule modification specifier is:: + + <match> <from> <to> + +where <match> is one of the rule matchers from above, <from> is the +text to be replaced and <to> is the replacement text. + +Example converting all alert rules to drop:: + + re:. ^alert drop + +Example converting all drop rules with noalert back to alert:: + + re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2" + +Order of application of configuration files +=========================================== +1. disable.conf +2. enable.conf +3. drop.conf +4. modify.conf + +Example Configuration Files +=========================== + +.. _example_update_yaml: + +Example Configuration File (/etc/suricata/update.yaml) +------------------------------------------------------ + +.. literalinclude:: ../suricata/update/configs/update.yaml + +.. _example-enable-conf: + +Example Configuration to Enable Rules (--enable-conf) +----------------------------------------------------- + +.. literalinclude:: ../suricata/update/configs/enable.conf + +.. _example-disable-conf: + +Example Configuration to Disable Rules (--disable-conf) +-------------------------------------------------------- + +.. literalinclude:: ../suricata/update/configs/disable.conf + +.. _example-drop-conf: + +Example Configuration to convert Rules to Drop (--drop-conf) +------------------------------------------------------------ + +.. literalinclude:: ../suricata/update/configs/drop.conf + +.. _example-modify-conf: + +Example Configuration to modify Rules (--modify-conf) +----------------------------------------------------- + +.. literalinclude:: ../suricata/update/configs/modify.conf diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..410c758 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,4 @@ +sphinxcontrib-programoutput +Sphinx +python-dateutil +PyYAML diff --git a/setup.py b/setup.py new file mode 100644 index 0000000..a6acdf6 --- /dev/null +++ b/setup.py @@ -0,0 +1,60 @@ +import sys +import os.path +import subprocess +import distutils +from distutils.core import setup +from distutils.core import sys + +from suricata.update.version import version + + +version_major = sys.version_info[0] +version_minor = sys.version_info[1] + +if version_major < 3 and version_minor < 7: + print("Suricata-Update requires Python 2.7 or newer.") + sys.exit(0) + +def write_git_revision(): + if not os.path.exists(".git"): + return + try: + revision = subprocess.check_output( + ["git", "rev-parse", "--short", "HEAD"]) + with open("./suricata/update/revision.py", "w") as fileobj: + fileobj.write("revision = '%s'" % (revision.decode().strip())) + except Exception as err: + print("Failed to get current git revision: %s" % (err)) + +write_git_revision() + +args = { + "name": "suricata-update", + "version": version, + "description": "Suricata Update Tool", + "author": "Jason Ish", + "author_email": "ish@unx.ca", + "packages": [ + "suricata", + "suricata.update", + "suricata.update.commands", + "suricata.update.configs", + "suricata.update.compat", + "suricata.update.compat.argparse", + "suricata.update.data", + ], + "package_data": {"suricata.update.configs": ["*.conf", "*.yaml", "*.in"]}, + "url": "https://github.com/OISF/suricata-update", + "license": "GPLv2", + "classifiers": [ + 'License :: OSI Approved :: GNU General Public License v2 (GPLv2)', + ], + "scripts": [ + "bin/suricata-update", + ], +} + +if any("pip" in arg for arg in sys.argv): + args["install_requires"] = ["pyyaml", ] + +setup(**args) diff --git a/suricata/__init__.py b/suricata/__init__.py new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/suricata/__init__.py diff --git a/suricata/update/__init__.py b/suricata/update/__init__.py new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/suricata/update/__init__.py diff --git a/suricata/update/commands/__init__.py b/suricata/update/commands/__init__.py new file mode 100644 index 0000000..e75c80a --- /dev/null +++ b/suricata/update/commands/__init__.py @@ -0,0 +1,23 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from suricata.update.commands import addsource +from suricata.update.commands import listsources +from suricata.update.commands import updatesources +from suricata.update.commands import enablesource +from suricata.update.commands import disablesource +from suricata.update.commands import removesource +from suricata.update.commands import checkversions diff --git a/suricata/update/commands/addsource.py b/suricata/update/commands/addsource.py new file mode 100644 index 0000000..a87095c --- /dev/null +++ b/suricata/update/commands/addsource.py @@ -0,0 +1,72 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import logging + +from suricata.update import config +from suricata.update import sources + +try: + input = raw_input +except: + pass + +logger = logging.getLogger() + + +def register(parser): + parser.add_argument("name", metavar="<name>", nargs="?", + help="Name of source") + parser.add_argument("url", metavar="<url>", nargs="?", help="Source URL") + parser.add_argument("--http-header", metavar="<http-header>", + help="Additional HTTP header to add to requests") + parser.add_argument("--no-checksum", action="store_false", + help="Skips downloading the checksum URL") + parser.set_defaults(func=add_source) + + +def add_source(): + args = config.args() + + if args.name: + name = args.name + else: + while True: + name = input("Name of source: ").strip() + if name: + break + + if sources.source_name_exists(name): + logger.error("A source with name %s already exists.", name) + return 1 + + if args.url: + url = args.url + else: + while True: + url = input("URL: ").strip() + if url: + break + + checksum = args.no_checksum + + header = args.http_header if args.http_header else None + + source_config = sources.SourceConfiguration( + name, header=header, url=url, checksum=checksum) + sources.save_source_config(source_config) diff --git a/suricata/update/commands/checkversions.py b/suricata/update/commands/checkversions.py new file mode 100644 index 0000000..3492317 --- /dev/null +++ b/suricata/update/commands/checkversions.py @@ -0,0 +1,83 @@ +# Copyright (C) 2019 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import os.path +import logging +from suricata.update import sources, engine + +logger = logging.getLogger() + + +def is_gt(v1, v2): + if v1.full == v2.full: + return False + + if v1.major < v2.major: + return False + elif v1.major > v2.major: + return True + + if v1.minor < v2.minor: + return False + elif v1.minor > v2.minor: + return True + + if v1.patch < v2.patch: + return False + + return True + + +def register(parser): + parser.set_defaults(func=check_version) + + +def check_version(suricata_version): + if "dev" in suricata_version.full: + logger.warning("Development version of Suricata found: %s. " + "Skipping version check.", suricata_version.full) + return + + index_filename = sources.get_index_filename() + if not os.path.exists(index_filename): + logger.warning("No index exists, will use bundled index.") + logger.warning("Please run suricata-update update-sources.") + index = sources.Index(index_filename) + version = index.get_versions() + recommended = engine.parse_version(version["suricata"]["recommended"]) + if not recommended: + logger.error("Recommended version was not parsed properly") + sys.exit(1) + # In case index is out of date + if is_gt(suricata_version, recommended): + return + # Evaluate if the installed version is present in index + upgrade_version = version["suricata"].get(suricata_version.short) + if not upgrade_version: + logger.warning("Suricata version %s has reached EOL. Please upgrade to %s.", + suricata_version.full, recommended.full) + return + if suricata_version.full == upgrade_version: + logger.info("Suricata version %s is up to date", suricata_version.full) + elif upgrade_version == recommended.full: + logger.warning( + "Suricata version %s is outdated. Please upgrade to %s.", + suricata_version.full, recommended.full) + else: + logger.warning( + "Suricata version %s is outdated. Please upgrade to %s or %s.", + suricata_version.full, upgrade_version, recommended.full) + diff --git a/suricata/update/commands/disablesource.py b/suricata/update/commands/disablesource.py new file mode 100644 index 0000000..6a64a7b --- /dev/null +++ b/suricata/update/commands/disablesource.py @@ -0,0 +1,40 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import logging + +from suricata.update import config +from suricata.update import sources + +logger = logging.getLogger() + +def register(parser): + parser.add_argument("name") + parser.set_defaults(func=disable_source) + +def disable_source(): + name = config.args().name + filename = sources.get_enabled_source_filename(name) + if not os.path.exists(filename): + logger.debug("Filename %s does not exist.", filename) + logger.warning("Source %s is not enabled.", name) + return 0 + logger.debug("Renaming %s to %s.disabled.", filename, filename) + os.rename(filename, "%s.disabled" % (filename)) + logger.info("Source %s has been disabled", name) diff --git a/suricata/update/commands/enablesource.py b/suricata/update/commands/enablesource.py new file mode 100644 index 0000000..53bb68a --- /dev/null +++ b/suricata/update/commands/enablesource.py @@ -0,0 +1,162 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import logging + +import yaml + +from suricata.update import config +from suricata.update import sources + +try: + input = raw_input +except: + pass + +logger = logging.getLogger() + +default_source = "et/open" + +def register(parser): + parser.add_argument("name") + parser.add_argument("params", nargs="*", metavar="param=val") + parser.set_defaults(func=enable_source) + +def enable_source(): + name = config.args().name + update_params = False + + # Check if source is already enabled. + enabled_source_filename = sources.get_enabled_source_filename(name) + if os.path.exists(enabled_source_filename): + logger.warning("The source %s is already enabled.", name) + update_params = True + + # First check if this source was previous disabled and then just + # re-enable it. + disabled_source_filename = sources.get_disabled_source_filename(name) + if os.path.exists(disabled_source_filename): + logger.info("Re-enabling previously disabled source for %s.", name) + os.rename(disabled_source_filename, enabled_source_filename) + update_params = True + + if not os.path.exists(sources.get_index_filename()): + logger.warning("Source index does not exist, will use bundled one.") + logger.warning("Please run suricata-update update-sources.") + + source_index = sources.load_source_index(config) + + if not name in source_index.get_sources() and not name in sources.get_sources_from_dir(): + logger.error("Unknown source: %s", name) + return 1 + + # Parse key=val options. + opts = {} + for param in config.args().params: + key, val = param.split("=", 1) + opts[key] = val + + params = {} + if update_params: + source = yaml.safe_load(open(sources.get_enabled_source_filename(name), "rb")) + else: + source = source_index.get_sources()[name] + + if "params" in source: + params = source["params"] + for old_param in source["params"]: + if old_param in opts and source["params"][old_param] != opts[old_param]: + logger.info("Updating source parameter '%s': '%s' -> '%s'." % ( + old_param, source["params"][old_param], opts[old_param])) + params[old_param] = opts[old_param] + + if "subscribe-url" in source: + print("The source %s requires a subscription. Subscribe here:" % (name)) + print(" %s" % source["subscribe-url"]) + + if "parameters" in source: + for param in source["parameters"]: + if param in opts: + params[param] = opts[param] + else: + prompt = source["parameters"][param]["prompt"] + while True: + r = input("%s (%s): " % (prompt, param)) + r = r.strip() + if r: + break + params[param] = r.strip() + + if "checksum" in source: + checksum = source["checksum"] + else: + checksum = source.get("checksum", True) + + new_source = sources.SourceConfiguration( + name, params=params, checksum=checksum) + + # If the source directory does not exist, create it. Also create + # the default rule-source of et/open, unless the source being + # enabled replaces it. + source_directory = sources.get_source_directory() + if not os.path.exists(source_directory): + try: + logger.info("Creating directory %s", source_directory) + os.makedirs(source_directory) + except Exception as err: + logger.error( + "Failed to create directory %s: %s", source_directory, err) + return 1 + + if "replaces" in source and default_source in source["replaces"]: + logger.debug( + "Not enabling default source as selected source replaces it") + elif new_source.name == default_source: + logger.debug( + "Not enabling default source as selected source is the default") + else: + logger.info("Enabling default source %s", default_source) + if not source_index.get_source_by_name(default_source): + logger.error("Default source %s not in index", default_source) + else: + default_source_config = sources.SourceConfiguration( + default_source) + write_source_config(default_source_config, True) + + write_source_config(new_source, True) + logger.info("Source %s enabled", new_source.name) + + if "replaces" in source: + for replaces in source["replaces"]: + filename = sources.get_enabled_source_filename(replaces) + if os.path.exists(filename): + logger.info( + "Removing source %s as its replaced by %s", replaces, + new_source.name) + logger.debug("Deleting %s", filename) + os.unlink(filename) + +def write_source_config(config, enabled): + if enabled: + filename = sources.get_enabled_source_filename(config.name) + else: + filename = sources.get_disabled_source_filename(config.name) + with open(filename, "w") as fileobj: + logger.debug("Writing %s", filename) + fileobj.write(yaml.safe_dump(config.dict(), default_flow_style=False)) diff --git a/suricata/update/commands/listsources.py b/suricata/update/commands/listsources.py new file mode 100644 index 0000000..d35c3cd --- /dev/null +++ b/suricata/update/commands/listsources.py @@ -0,0 +1,116 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import logging + +from suricata.update import config +from suricata.update import sources +from suricata.update import util +from suricata.update import exceptions + +logger = logging.getLogger() + +def register(parser): + parser.add_argument("--free", action="store_true", + default=False, help="List all freely available sources") + parser.add_argument("--enabled", action="store_true", + help="List all enabled sources") + parser.add_argument("--all", action="store_true", + help="List all sources (including deprecated and obsolete)") + parser.set_defaults(func=list_sources) + +def list_sources(): + enabled = config.args().enabled or \ + config.args().subcommand == "list-enabled-sources" + + if enabled: + found = False + + # First list sources from the main config. + config_sources = config.get("sources") + if config_sources: + found = True + print("From %s:" % (config.filename)) + for source in config_sources: + print(" - %s" % (source)) + + # And local files. + local = config.get("local") + if local: + found = True + print("Local files/directories:") + for filename in local: + print(" - %s" % (filename)) + + enabled_sources = sources.get_enabled_sources() + if enabled_sources: + found = True + print("Enabled sources:") + for source in enabled_sources.values(): + print(" - %s" % (source["source"])) + + # If no enabled sources were found, log it. + if not found: + logger.warning("No enabled sources.") + return 0 + + free_only = config.args().free + if not sources.source_index_exists(config): + logger.warning("Source index does not exist, will use bundled one.") + logger.warning("Please run suricata-update update-sources.") + + index = sources.load_source_index(config) + for name, source in index.get_sources().items(): + is_not_free = source.get("subscribe-url") + if free_only and is_not_free: + continue + if not config.args().all: + if source.get("deprecated") is not None or \ + source.get("obsolete") is not None: + continue + print("%s: %s" % (util.bright_cyan("Name"), util.bright_magenta(name))) + print(" %s: %s" % ( + util.bright_cyan("Vendor"), util.bright_magenta(source["vendor"]))) + print(" %s: %s" % ( + util.bright_cyan("Summary"), util.bright_magenta(source["summary"]))) + print(" %s: %s" % ( + util.bright_cyan("License"), util.bright_magenta(source["license"]))) + if "tags" in source: + print(" %s: %s" % ( + util.bright_cyan("Tags"), + util.bright_magenta(", ".join(source["tags"])))) + if "replaces" in source: + print(" %s: %s" % ( + util.bright_cyan("Replaces"), + util.bright_magenta(", ".join(source["replaces"])))) + if "parameters" in source: + print(" %s: %s" % ( + util.bright_cyan("Parameters"), + util.bright_magenta(", ".join(source["parameters"])))) + if "subscribe-url" in source: + print(" %s: %s" % ( + util.bright_cyan("Subscription"), + util.bright_magenta(source["subscribe-url"]))) + if "deprecated" in source: + print(" %s: %s" % ( + util.orange("Deprecated"), + util.bright_magenta(source["deprecated"]))) + if "obsolete" in source: + print(" %s: %s" % ( + util.orange("Obsolete"), + util.bright_magenta(source["obsolete"]))) diff --git a/suricata/update/commands/removesource.py b/suricata/update/commands/removesource.py new file mode 100644 index 0000000..f75d5ca --- /dev/null +++ b/suricata/update/commands/removesource.py @@ -0,0 +1,49 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import logging + +from suricata.update import config +from suricata.update import sources + +logger = logging.getLogger() + +def register(parser): + parser.add_argument("name") + parser.set_defaults(func=remove_source) + +def remove_source(): + name = config.args().name + + enabled_source_filename = sources.get_enabled_source_filename(name) + if os.path.exists(enabled_source_filename): + logger.debug("Deleting file %s.", enabled_source_filename) + os.remove(enabled_source_filename) + logger.info("Source %s removed, previously enabled.", name) + return 0 + + disabled_source_filename = sources.get_disabled_source_filename(name) + if os.path.exists(disabled_source_filename): + logger.debug("Deleting file %s.", disabled_source_filename) + os.remove(disabled_source_filename) + logger.info("Source %s removed, previously disabled.", name) + return 0 + + logger.warning("Source %s does not exist.", name) + return 1 diff --git a/suricata/update/commands/updatesources.py b/suricata/update/commands/updatesources.py new file mode 100644 index 0000000..06a0d11 --- /dev/null +++ b/suricata/update/commands/updatesources.py @@ -0,0 +1,105 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import io +import logging +import os + +import yaml +from suricata.update import config, exceptions, net, sources + +logger = logging.getLogger() + + +def register(parser): + parser.set_defaults(func=update_sources) + + +def get_initial_content(): + initial_content = None + if os.path.exists(local_index_filename): + with open(local_index_filename, "r") as stream: + initial_content = yaml.safe_load(stream) + return initial_content + + +def get_sources(before, after): + all_sources = {source: after[source] + for source in after if source not in before} + return all_sources + + +def log_sources(sources_map): + for name, all_sources in sources_map.items(): + if not all_sources: + continue + for source in all_sources: + logger.info("Source %s was %s", source, name) + + +def compare_sources(initial_content, final_content): + if not initial_content: + logger.info("Adding all sources") + return + if initial_content == final_content: + logger.info("No change in sources") + return + initial_sources = initial_content.get("sources") + final_sources = final_content.get("sources") + added_sources = get_sources(before=initial_sources, after=final_sources) + removed_sources = get_sources(before=final_sources, after=initial_sources) + log_sources(sources_map={"added": added_sources, + "removed": removed_sources}) + for source in set(initial_sources) & set(final_sources): + if initial_sources[source] != final_sources[source]: + logger.info("Source %s was changed", source) + + +def write_and_compare(initial_content, fileobj): + try: + with open(local_index_filename, "wb") as outobj: + outobj.write(fileobj.getvalue()) + except IOError as ioe: + logger.error("Failed to open directory: %s", ioe) + return 1 + with open(local_index_filename, "rb") as stream: + final_content = yaml.safe_load(stream) + compare_sources(initial_content, final_content) + logger.info("Saved %s", local_index_filename) + + +def update_sources(): + global local_index_filename + local_index_filename = sources.get_index_filename() + initial_content = get_initial_content() + with io.BytesIO() as fileobj: + url = sources.get_source_index_url() + logger.info("Downloading %s", url) + try: + net.get(url, fileobj) + except Exception as err: + raise exceptions.ApplicationError( + "Failed to download index: %s: %s" % (url, err)) + if not os.path.exists(config.get_cache_dir()): + try: + os.makedirs(config.get_cache_dir()) + except Exception as err: + logger.error("Failed to create directory %s: %s", + config.get_cache_dir(), err) + return 1 + write_and_compare(initial_content=initial_content, fileobj=fileobj) diff --git a/suricata/update/compat/__init__.py b/suricata/update/compat/__init__.py new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/suricata/update/compat/__init__.py diff --git a/suricata/update/compat/argparse/LICENSE.txt b/suricata/update/compat/argparse/LICENSE.txt new file mode 100644 index 0000000..640bc78 --- /dev/null +++ b/suricata/update/compat/argparse/LICENSE.txt @@ -0,0 +1,20 @@ +argparse is (c) 2006-2009 Steven J. Bethard <steven.bethard@gmail.com>. + +The argparse module was contributed to Python as of Python 2.7 and thus +was licensed under the Python license. Same license applies to all files in +the argparse package project. + +For details about the Python License, please see doc/Python-License.txt. + +History +------- + +Before (and including) argparse 1.1, the argparse package was licensed under +Apache License v2.0. + +After argparse 1.1, all project files from the argparse project were deleted +due to license compatibility issues between Apache License 2.0 and GNU GPL v2. + +The project repository then had a clean start with some files taken from +Python 2.7.1, so definitely all files are under Python License now. + diff --git a/suricata/update/compat/argparse/__init__.py b/suricata/update/compat/argparse/__init__.py new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/suricata/update/compat/argparse/__init__.py diff --git a/suricata/update/compat/argparse/argparse.py b/suricata/update/compat/argparse/argparse.py new file mode 100644 index 0000000..5a68b70 --- /dev/null +++ b/suricata/update/compat/argparse/argparse.py @@ -0,0 +1,2378 @@ +# Author: Steven J. Bethard <steven.bethard@gmail.com>. + +"""Command-line parsing library + +This module is an optparse-inspired command-line parsing library that: + + - handles both optional and positional arguments + - produces highly informative usage messages + - supports parsers that dispatch to sub-parsers + +The following is a simple usage example that sums integers from the +command-line and writes the result to a file:: + + parser = argparse.ArgumentParser( + description='sum the integers at the command line') + parser.add_argument( + 'integers', metavar='int', nargs='+', type=int, + help='an integer to be summed') + parser.add_argument( + '--log', default=sys.stdout, type=argparse.FileType('w'), + help='the file where the sum should be written') + args = parser.parse_args() + args.log.write('%s' % sum(args.integers)) + args.log.close() + +The module contains the following public classes: + + - ArgumentParser -- The main entry point for command-line parsing. As the + example above shows, the add_argument() method is used to populate + the parser with actions for optional and positional arguments. Then + the parse_args() method is invoked to convert the args at the + command-line into an object with attributes. + + - ArgumentError -- The exception raised by ArgumentParser objects when + there are errors with the parser's actions. Errors raised while + parsing the command-line are caught by ArgumentParser and emitted + as command-line messages. + + - FileType -- A factory for defining types of files to be created. As the + example above shows, instances of FileType are typically passed as + the type= argument of add_argument() calls. + + - Action -- The base class for parser actions. Typically actions are + selected by passing strings like 'store_true' or 'append_const' to + the action= argument of add_argument(). However, for greater + customization of ArgumentParser actions, subclasses of Action may + be defined and passed as the action= argument. + + - HelpFormatter, RawDescriptionHelpFormatter, RawTextHelpFormatter, + ArgumentDefaultsHelpFormatter -- Formatter classes which + may be passed as the formatter_class= argument to the + ArgumentParser constructor. HelpFormatter is the default, + RawDescriptionHelpFormatter and RawTextHelpFormatter tell the parser + not to change the formatting for help text, and + ArgumentDefaultsHelpFormatter adds information about argument defaults + to the help. + +All other classes in this module are considered implementation details. +(Also note that HelpFormatter and RawDescriptionHelpFormatter are only +considered public as object names -- the API of the formatter objects is +still considered an implementation detail.) +""" + +__version__ = '1.3.0' # we use our own version number independant of the + # one in stdlib and we release this on pypi. + +__external_lib__ = True # to make sure the tests really test THIS lib, + # not the builtin one in Python stdlib + +__all__ = [ + 'ArgumentParser', + 'ArgumentError', + 'ArgumentTypeError', + 'FileType', + 'HelpFormatter', + 'ArgumentDefaultsHelpFormatter', + 'RawDescriptionHelpFormatter', + 'RawTextHelpFormatter', + 'Namespace', + 'Action', + 'ONE_OR_MORE', + 'OPTIONAL', + 'PARSER', + 'REMAINDER', + 'SUPPRESS', + 'ZERO_OR_MORE', +] + + +import copy as _copy +import os as _os +import re as _re +import sys as _sys +import textwrap as _textwrap + +from gettext import gettext as _ + +try: + set +except NameError: + # for python < 2.4 compatibility (sets module is there since 2.3): + from sets import Set as set + +try: + basestring +except NameError: + basestring = str + +try: + sorted +except NameError: + # for python < 2.4 compatibility: + def sorted(iterable, reverse=False): + result = list(iterable) + result.sort() + if reverse: + result.reverse() + return result + + +def _callable(obj): + return hasattr(obj, '__call__') or hasattr(obj, '__bases__') + + +SUPPRESS = '==SUPPRESS==' + +OPTIONAL = '?' +ZERO_OR_MORE = '*' +ONE_OR_MORE = '+' +PARSER = 'A...' +REMAINDER = '...' +_UNRECOGNIZED_ARGS_ATTR = '_unrecognized_args' + +# ============================= +# Utility functions and classes +# ============================= + +class _AttributeHolder(object): + """Abstract base class that provides __repr__. + + The __repr__ method returns a string in the format:: + ClassName(attr=name, attr=name, ...) + The attributes are determined either by a class-level attribute, + '_kwarg_names', or by inspecting the instance __dict__. + """ + + def __repr__(self): + type_name = type(self).__name__ + arg_strings = [] + for arg in self._get_args(): + arg_strings.append(repr(arg)) + for name, value in self._get_kwargs(): + arg_strings.append('%s=%r' % (name, value)) + return '%s(%s)' % (type_name, ', '.join(arg_strings)) + + def _get_kwargs(self): + return sorted(self.__dict__.items()) + + def _get_args(self): + return [] + + +def _ensure_value(namespace, name, value): + if getattr(namespace, name, None) is None: + setattr(namespace, name, value) + return getattr(namespace, name) + + +# =============== +# Formatting Help +# =============== + +class HelpFormatter(object): + """Formatter for generating usage messages and argument help strings. + + Only the name of this class is considered a public API. All the methods + provided by the class are considered an implementation detail. + """ + + def __init__(self, + prog, + indent_increment=2, + max_help_position=24, + width=None): + + # default setting for width + if width is None: + try: + width = int(_os.environ['COLUMNS']) + except (KeyError, ValueError): + width = 80 + width -= 2 + + self._prog = prog + self._indent_increment = indent_increment + self._max_help_position = max_help_position + self._width = width + + self._current_indent = 0 + self._level = 0 + self._action_max_length = 0 + + self._root_section = self._Section(self, None) + self._current_section = self._root_section + + self._whitespace_matcher = _re.compile(r'\s+') + self._long_break_matcher = _re.compile(r'\n\n\n+') + + # =============================== + # Section and indentation methods + # =============================== + def _indent(self): + self._current_indent += self._indent_increment + self._level += 1 + + def _dedent(self): + self._current_indent -= self._indent_increment + assert self._current_indent >= 0, 'Indent decreased below 0.' + self._level -= 1 + + class _Section(object): + + def __init__(self, formatter, parent, heading=None): + self.formatter = formatter + self.parent = parent + self.heading = heading + self.items = [] + + def format_help(self): + # format the indented section + if self.parent is not None: + self.formatter._indent() + join = self.formatter._join_parts + for func, args in self.items: + func(*args) + item_help = join([func(*args) for func, args in self.items]) + if self.parent is not None: + self.formatter._dedent() + + # return nothing if the section was empty + if not item_help: + return '' + + # add the heading if the section was non-empty + if self.heading is not SUPPRESS and self.heading is not None: + current_indent = self.formatter._current_indent + heading = '%*s%s:\n' % (current_indent, '', self.heading) + else: + heading = '' + + # join the section-initial newline, the heading and the help + return join(['\n', heading, item_help, '\n']) + + def _add_item(self, func, args): + self._current_section.items.append((func, args)) + + # ======================== + # Message building methods + # ======================== + def start_section(self, heading): + self._indent() + section = self._Section(self, self._current_section, heading) + self._add_item(section.format_help, []) + self._current_section = section + + def end_section(self): + self._current_section = self._current_section.parent + self._dedent() + + def add_text(self, text): + if text is not SUPPRESS and text is not None: + self._add_item(self._format_text, [text]) + + def add_usage(self, usage, actions, groups, prefix=None): + if usage is not SUPPRESS: + args = usage, actions, groups, prefix + self._add_item(self._format_usage, args) + + def add_argument(self, action): + if action.help is not SUPPRESS: + + # find all invocations + get_invocation = self._format_action_invocation + invocations = [get_invocation(action)] + for subaction in self._iter_indented_subactions(action): + invocations.append(get_invocation(subaction)) + + # update the maximum item length + invocation_length = max([len(s) for s in invocations]) + action_length = invocation_length + self._current_indent + self._action_max_length = max(self._action_max_length, + action_length) + + # add the item to the list + self._add_item(self._format_action, [action]) + + def add_arguments(self, actions): + for action in actions: + self.add_argument(action) + + # ======================= + # Help-formatting methods + # ======================= + def format_help(self): + help = self._root_section.format_help() + if help: + help = self._long_break_matcher.sub('\n\n', help) + help = help.strip('\n') + '\n' + return help + + def _join_parts(self, part_strings): + return ''.join([part + for part in part_strings + if part and part is not SUPPRESS]) + + def _format_usage(self, usage, actions, groups, prefix): + if prefix is None: + prefix = _('usage: ') + + # if usage is specified, use that + if usage is not None: + usage = usage % dict(prog=self._prog) + + # if no optionals or positionals are available, usage is just prog + elif usage is None and not actions: + usage = '%(prog)s' % dict(prog=self._prog) + + # if optionals and positionals are available, calculate usage + elif usage is None: + prog = '%(prog)s' % dict(prog=self._prog) + + # split optionals from positionals + optionals = [] + positionals = [] + for action in actions: + if action.option_strings: + optionals.append(action) + else: + positionals.append(action) + + # build full usage string + format = self._format_actions_usage + action_usage = format(optionals + positionals, groups) + usage = ' '.join([s for s in [prog, action_usage] if s]) + + # wrap the usage parts if it's too long + text_width = self._width - self._current_indent + if len(prefix) + len(usage) > text_width: + + # break usage into wrappable parts + part_regexp = r'\(.*?\)+|\[.*?\]+|\S+' + opt_usage = format(optionals, groups) + pos_usage = format(positionals, groups) + opt_parts = _re.findall(part_regexp, opt_usage) + pos_parts = _re.findall(part_regexp, pos_usage) + assert ' '.join(opt_parts) == opt_usage + assert ' '.join(pos_parts) == pos_usage + + # helper for wrapping lines + def get_lines(parts, indent, prefix=None): + lines = [] + line = [] + if prefix is not None: + line_len = len(prefix) - 1 + else: + line_len = len(indent) - 1 + for part in parts: + if line_len + 1 + len(part) > text_width: + lines.append(indent + ' '.join(line)) + line = [] + line_len = len(indent) - 1 + line.append(part) + line_len += len(part) + 1 + if line: + lines.append(indent + ' '.join(line)) + if prefix is not None: + lines[0] = lines[0][len(indent):] + return lines + + # if prog is short, follow it with optionals or positionals + if len(prefix) + len(prog) <= 0.75 * text_width: + indent = ' ' * (len(prefix) + len(prog) + 1) + if opt_parts: + lines = get_lines([prog] + opt_parts, indent, prefix) + lines.extend(get_lines(pos_parts, indent)) + elif pos_parts: + lines = get_lines([prog] + pos_parts, indent, prefix) + else: + lines = [prog] + + # if prog is long, put it on its own line + else: + indent = ' ' * len(prefix) + parts = opt_parts + pos_parts + lines = get_lines(parts, indent) + if len(lines) > 1: + lines = [] + lines.extend(get_lines(opt_parts, indent)) + lines.extend(get_lines(pos_parts, indent)) + lines = [prog] + lines + + # join lines into usage + usage = '\n'.join(lines) + + # prefix with 'usage:' + return '%s%s\n\n' % (prefix, usage) + + def _format_actions_usage(self, actions, groups): + # find group indices and identify actions in groups + group_actions = set() + inserts = {} + for group in groups: + try: + start = actions.index(group._group_actions[0]) + except ValueError: + continue + else: + end = start + len(group._group_actions) + if actions[start:end] == group._group_actions: + for action in group._group_actions: + group_actions.add(action) + if not group.required: + if start in inserts: + inserts[start] += ' [' + else: + inserts[start] = '[' + inserts[end] = ']' + else: + if start in inserts: + inserts[start] += ' (' + else: + inserts[start] = '(' + inserts[end] = ')' + for i in range(start + 1, end): + inserts[i] = '|' + + # collect all actions format strings + parts = [] + for i, action in enumerate(actions): + + # suppressed arguments are marked with None + # remove | separators for suppressed arguments + if action.help is SUPPRESS: + parts.append(None) + if inserts.get(i) == '|': + inserts.pop(i) + elif inserts.get(i + 1) == '|': + inserts.pop(i + 1) + + # produce all arg strings + elif not action.option_strings: + part = self._format_args(action, action.dest) + + # if it's in a group, strip the outer [] + if action in group_actions: + if part[0] == '[' and part[-1] == ']': + part = part[1:-1] + + # add the action string to the list + parts.append(part) + + # produce the first way to invoke the option in brackets + else: + option_string = action.option_strings[0] + + # if the Optional doesn't take a value, format is: + # -s or --long + if action.nargs == 0: + part = '%s' % option_string + + # if the Optional takes a value, format is: + # -s ARGS or --long ARGS + else: + default = action.dest.upper() + args_string = self._format_args(action, default) + part = '%s %s' % (option_string, args_string) + + # make it look optional if it's not required or in a group + if not action.required and action not in group_actions: + part = '[%s]' % part + + # add the action string to the list + parts.append(part) + + # insert things at the necessary indices + for i in sorted(inserts, reverse=True): + parts[i:i] = [inserts[i]] + + # join all the action items with spaces + text = ' '.join([item for item in parts if item is not None]) + + # clean up separators for mutually exclusive groups + open = r'[\[(]' + close = r'[\])]' + text = _re.sub(r'(%s) ' % open, r'\1', text) + text = _re.sub(r' (%s)' % close, r'\1', text) + text = _re.sub(r'%s *%s' % (open, close), r'', text) + text = _re.sub(r'\(([^|]*)\)', r'\1', text) + text = text.strip() + + # return the text + return text + + def _format_text(self, text): + if '%(prog)' in text: + text = text % dict(prog=self._prog) + text_width = self._width - self._current_indent + indent = ' ' * self._current_indent + return self._fill_text(text, text_width, indent) + '\n\n' + + def _format_action(self, action): + # determine the required width and the entry label + help_position = min(self._action_max_length + 2, + self._max_help_position) + help_width = self._width - help_position + action_width = help_position - self._current_indent - 2 + action_header = self._format_action_invocation(action) + + # ho nelp; start on same line and add a final newline + if not action.help: + tup = self._current_indent, '', action_header + action_header = '%*s%s\n' % tup + + # short action name; start on the same line and pad two spaces + elif len(action_header) <= action_width: + tup = self._current_indent, '', action_width, action_header + action_header = '%*s%-*s ' % tup + indent_first = 0 + + # long action name; start on the next line + else: + tup = self._current_indent, '', action_header + action_header = '%*s%s\n' % tup + indent_first = help_position + + # collect the pieces of the action help + parts = [action_header] + + # if there was help for the action, add lines of help text + if action.help: + help_text = self._expand_help(action) + help_lines = self._split_lines(help_text, help_width) + parts.append('%*s%s\n' % (indent_first, '', help_lines[0])) + for line in help_lines[1:]: + parts.append('%*s%s\n' % (help_position, '', line)) + + # or add a newline if the description doesn't end with one + elif not action_header.endswith('\n'): + parts.append('\n') + + # if there are any sub-actions, add their help as well + for subaction in self._iter_indented_subactions(action): + parts.append(self._format_action(subaction)) + + # return a single string + return self._join_parts(parts) + + def _format_action_invocation(self, action): + if not action.option_strings: + metavar, = self._metavar_formatter(action, action.dest)(1) + return metavar + + else: + parts = [] + + # if the Optional doesn't take a value, format is: + # -s, --long + if action.nargs == 0: + parts.extend(action.option_strings) + + # if the Optional takes a value, format is: + # -s ARGS, --long ARGS + else: + default = action.dest.upper() + args_string = self._format_args(action, default) + for option_string in action.option_strings: + parts.append('%s %s' % (option_string, args_string)) + + return ', '.join(parts) + + def _metavar_formatter(self, action, default_metavar): + if action.metavar is not None: + result = action.metavar + elif action.choices is not None: + choice_strs = [str(choice) for choice in action.choices] + result = '{%s}' % ','.join(choice_strs) + else: + result = default_metavar + + def format(tuple_size): + if isinstance(result, tuple): + return result + else: + return (result, ) * tuple_size + return format + + def _format_args(self, action, default_metavar): + get_metavar = self._metavar_formatter(action, default_metavar) + if action.nargs is None: + result = '%s' % get_metavar(1) + elif action.nargs == OPTIONAL: + result = '[%s]' % get_metavar(1) + elif action.nargs == ZERO_OR_MORE: + result = '[%s [%s ...]]' % get_metavar(2) + elif action.nargs == ONE_OR_MORE: + result = '%s [%s ...]' % get_metavar(2) + elif action.nargs == REMAINDER: + result = '...' + elif action.nargs == PARSER: + result = '%s ...' % get_metavar(1) + else: + formats = ['%s' for _ in range(action.nargs)] + result = ' '.join(formats) % get_metavar(action.nargs) + return result + + def _expand_help(self, action): + params = dict(vars(action), prog=self._prog) + for name in list(params): + if params[name] is SUPPRESS: + del params[name] + for name in list(params): + if hasattr(params[name], '__name__'): + params[name] = params[name].__name__ + if params.get('choices') is not None: + choices_str = ', '.join([str(c) for c in params['choices']]) + params['choices'] = choices_str + return self._get_help_string(action) % params + + def _iter_indented_subactions(self, action): + try: + get_subactions = action._get_subactions + except AttributeError: + pass + else: + self._indent() + for subaction in get_subactions(): + yield subaction + self._dedent() + + def _split_lines(self, text, width): + text = self._whitespace_matcher.sub(' ', text).strip() + return _textwrap.wrap(text, width) + + def _fill_text(self, text, width, indent): + text = self._whitespace_matcher.sub(' ', text).strip() + return _textwrap.fill(text, width, initial_indent=indent, + subsequent_indent=indent) + + def _get_help_string(self, action): + return action.help + + +class RawDescriptionHelpFormatter(HelpFormatter): + """Help message formatter which retains any formatting in descriptions. + + Only the name of this class is considered a public API. All the methods + provided by the class are considered an implementation detail. + """ + + def _fill_text(self, text, width, indent): + return ''.join([indent + line for line in text.splitlines(True)]) + + +class RawTextHelpFormatter(RawDescriptionHelpFormatter): + """Help message formatter which retains formatting of all help text. + + Only the name of this class is considered a public API. All the methods + provided by the class are considered an implementation detail. + """ + + def _split_lines(self, text, width): + return text.splitlines() + + +class ArgumentDefaultsHelpFormatter(HelpFormatter): + """Help message formatter which adds default values to argument help. + + Only the name of this class is considered a public API. All the methods + provided by the class are considered an implementation detail. + """ + + def _get_help_string(self, action): + help = action.help + if '%(default)' not in action.help: + if action.default is not SUPPRESS: + defaulting_nargs = [OPTIONAL, ZERO_OR_MORE] + if action.option_strings or action.nargs in defaulting_nargs: + help += ' (default: %(default)s)' + return help + + +# ===================== +# Options and Arguments +# ===================== + +def _get_action_name(argument): + if argument is None: + return None + elif argument.option_strings: + return '/'.join(argument.option_strings) + elif argument.metavar not in (None, SUPPRESS): + return argument.metavar + elif argument.dest not in (None, SUPPRESS): + return argument.dest + else: + return None + + +class ArgumentError(Exception): + """An error from creating or using an argument (optional or positional). + + The string value of this exception is the message, augmented with + information about the argument that caused it. + """ + + def __init__(self, argument, message): + self.argument_name = _get_action_name(argument) + self.message = message + + def __str__(self): + if self.argument_name is None: + format = '%(message)s' + else: + format = 'argument %(argument_name)s: %(message)s' + return format % dict(message=self.message, + argument_name=self.argument_name) + + +class ArgumentTypeError(Exception): + """An error from trying to convert a command line string to a type.""" + pass + + +# ============== +# Action classes +# ============== + +class Action(_AttributeHolder): + """Information about how to convert command line strings to Python objects. + + Action objects are used by an ArgumentParser to represent the information + needed to parse a single argument from one or more strings from the + command line. The keyword arguments to the Action constructor are also + all attributes of Action instances. + + Keyword Arguments: + + - option_strings -- A list of command-line option strings which + should be associated with this action. + + - dest -- The name of the attribute to hold the created object(s) + + - nargs -- The number of command-line arguments that should be + consumed. By default, one argument will be consumed and a single + value will be produced. Other values include: + - N (an integer) consumes N arguments (and produces a list) + - '?' consumes zero or one arguments + - '*' consumes zero or more arguments (and produces a list) + - '+' consumes one or more arguments (and produces a list) + Note that the difference between the default and nargs=1 is that + with the default, a single value will be produced, while with + nargs=1, a list containing a single value will be produced. + + - const -- The value to be produced if the option is specified and the + option uses an action that takes no values. + + - default -- The value to be produced if the option is not specified. + + - type -- The type which the command-line arguments should be converted + to, should be one of 'string', 'int', 'float', 'complex' or a + callable object that accepts a single string argument. If None, + 'string' is assumed. + + - choices -- A container of values that should be allowed. If not None, + after a command-line argument has been converted to the appropriate + type, an exception will be raised if it is not a member of this + collection. + + - required -- True if the action must always be specified at the + command line. This is only meaningful for optional command-line + arguments. + + - help -- The help string describing the argument. + + - metavar -- The name to be used for the option's argument with the + help string. If None, the 'dest' value will be used as the name. + """ + + def __init__(self, + option_strings, + dest, + nargs=None, + const=None, + default=None, + type=None, + choices=None, + required=False, + help=None, + metavar=None): + self.option_strings = option_strings + self.dest = dest + self.nargs = nargs + self.const = const + self.default = default + self.type = type + self.choices = choices + self.required = required + self.help = help + self.metavar = metavar + + def _get_kwargs(self): + names = [ + 'option_strings', + 'dest', + 'nargs', + 'const', + 'default', + 'type', + 'choices', + 'help', + 'metavar', + ] + return [(name, getattr(self, name)) for name in names] + + def __call__(self, parser, namespace, values, option_string=None): + raise NotImplementedError(_('.__call__() not defined')) + + +class _StoreAction(Action): + + def __init__(self, + option_strings, + dest, + nargs=None, + const=None, + default=None, + type=None, + choices=None, + required=False, + help=None, + metavar=None): + if nargs == 0: + raise ValueError('nargs for store actions must be > 0; if you ' + 'have nothing to store, actions such as store ' + 'true or store const may be more appropriate') + if const is not None and nargs != OPTIONAL: + raise ValueError('nargs must be %r to supply const' % OPTIONAL) + super(_StoreAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=nargs, + const=const, + default=default, + type=type, + choices=choices, + required=required, + help=help, + metavar=metavar) + + def __call__(self, parser, namespace, values, option_string=None): + setattr(namespace, self.dest, values) + + +class _StoreConstAction(Action): + + def __init__(self, + option_strings, + dest, + const, + default=None, + required=False, + help=None, + metavar=None): + super(_StoreConstAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=0, + const=const, + default=default, + required=required, + help=help) + + def __call__(self, parser, namespace, values, option_string=None): + setattr(namespace, self.dest, self.const) + + +class _StoreTrueAction(_StoreConstAction): + + def __init__(self, + option_strings, + dest, + default=False, + required=False, + help=None): + super(_StoreTrueAction, self).__init__( + option_strings=option_strings, + dest=dest, + const=True, + default=default, + required=required, + help=help) + + +class _StoreFalseAction(_StoreConstAction): + + def __init__(self, + option_strings, + dest, + default=True, + required=False, + help=None): + super(_StoreFalseAction, self).__init__( + option_strings=option_strings, + dest=dest, + const=False, + default=default, + required=required, + help=help) + + +class _AppendAction(Action): + + def __init__(self, + option_strings, + dest, + nargs=None, + const=None, + default=None, + type=None, + choices=None, + required=False, + help=None, + metavar=None): + if nargs == 0: + raise ValueError('nargs for append actions must be > 0; if arg ' + 'strings are not supplying the value to append, ' + 'the append const action may be more appropriate') + if const is not None and nargs != OPTIONAL: + raise ValueError('nargs must be %r to supply const' % OPTIONAL) + super(_AppendAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=nargs, + const=const, + default=default, + type=type, + choices=choices, + required=required, + help=help, + metavar=metavar) + + def __call__(self, parser, namespace, values, option_string=None): + items = _copy.copy(_ensure_value(namespace, self.dest, [])) + items.append(values) + setattr(namespace, self.dest, items) + + +class _AppendConstAction(Action): + + def __init__(self, + option_strings, + dest, + const, + default=None, + required=False, + help=None, + metavar=None): + super(_AppendConstAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=0, + const=const, + default=default, + required=required, + help=help, + metavar=metavar) + + def __call__(self, parser, namespace, values, option_string=None): + items = _copy.copy(_ensure_value(namespace, self.dest, [])) + items.append(self.const) + setattr(namespace, self.dest, items) + + +class _CountAction(Action): + + def __init__(self, + option_strings, + dest, + default=None, + required=False, + help=None): + super(_CountAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=0, + default=default, + required=required, + help=help) + + def __call__(self, parser, namespace, values, option_string=None): + new_count = _ensure_value(namespace, self.dest, 0) + 1 + setattr(namespace, self.dest, new_count) + + +class _HelpAction(Action): + + def __init__(self, + option_strings, + dest=SUPPRESS, + default=SUPPRESS, + help=None): + super(_HelpAction, self).__init__( + option_strings=option_strings, + dest=dest, + default=default, + nargs=0, + help=help) + + def __call__(self, parser, namespace, values, option_string=None): + parser.print_help() + parser.exit() + + +class _VersionAction(Action): + + def __init__(self, + option_strings, + version=None, + dest=SUPPRESS, + default=SUPPRESS, + help="show program's version number and exit"): + super(_VersionAction, self).__init__( + option_strings=option_strings, + dest=dest, + default=default, + nargs=0, + help=help) + self.version = version + + def __call__(self, parser, namespace, values, option_string=None): + version = self.version + if version is None: + version = parser.version + formatter = parser._get_formatter() + formatter.add_text(version) + parser.exit(message=formatter.format_help()) + + +class _SubParsersAction(Action): + + class _ChoicesPseudoAction(Action): + + def __init__(self, name, aliases, help): + metavar = dest = name + if aliases: + metavar += ' (%s)' % ', '.join(aliases) + sup = super(_SubParsersAction._ChoicesPseudoAction, self) + sup.__init__(option_strings=[], dest=dest, help=help, + metavar=metavar) + + def __init__(self, + option_strings, + prog, + parser_class, + dest=SUPPRESS, + help=None, + metavar=None): + + self._prog_prefix = prog + self._parser_class = parser_class + self._name_parser_map = {} + self._choices_actions = [] + + super(_SubParsersAction, self).__init__( + option_strings=option_strings, + dest=dest, + nargs=PARSER, + choices=self._name_parser_map, + help=help, + metavar=metavar) + + def add_parser(self, name, **kwargs): + # set prog from the existing prefix + if kwargs.get('prog') is None: + kwargs['prog'] = '%s %s' % (self._prog_prefix, name) + + aliases = kwargs.pop('aliases', ()) + + # create a pseudo-action to hold the choice help + if 'help' in kwargs: + help = kwargs.pop('help') + choice_action = self._ChoicesPseudoAction(name, aliases, help) + self._choices_actions.append(choice_action) + + # create the parser and add it to the map + parser = self._parser_class(**kwargs) + self._name_parser_map[name] = parser + + # make parser available under aliases also + for alias in aliases: + self._name_parser_map[alias] = parser + + return parser + + def _get_subactions(self): + return self._choices_actions + + def __call__(self, parser, namespace, values, option_string=None): + parser_name = values[0] + arg_strings = values[1:] + + # set the parser name if requested + if self.dest is not SUPPRESS: + setattr(namespace, self.dest, parser_name) + + # select the parser + try: + parser = self._name_parser_map[parser_name] + except KeyError: + tup = parser_name, ', '.join(self._name_parser_map) + msg = _('unknown parser %r (choices: %s)' % tup) + raise ArgumentError(self, msg) + + # parse all the remaining options into the namespace + # store any unrecognized options on the object, so that the top + # level parser can decide what to do with them + namespace, arg_strings = parser.parse_known_args(arg_strings, namespace) + if arg_strings: + vars(namespace).setdefault(_UNRECOGNIZED_ARGS_ATTR, []) + getattr(namespace, _UNRECOGNIZED_ARGS_ATTR).extend(arg_strings) + + +# ============== +# Type classes +# ============== + +class FileType(object): + """Factory for creating file object types + + Instances of FileType are typically passed as type= arguments to the + ArgumentParser add_argument() method. + + Keyword Arguments: + - mode -- A string indicating how the file is to be opened. Accepts the + same values as the builtin open() function. + - bufsize -- The file's desired buffer size. Accepts the same values as + the builtin open() function. + """ + + def __init__(self, mode='r', bufsize=None): + self._mode = mode + self._bufsize = bufsize + + def __call__(self, string): + # the special argument "-" means sys.std{in,out} + if string == '-': + if 'r' in self._mode: + return _sys.stdin + elif 'w' in self._mode: + return _sys.stdout + else: + msg = _('argument "-" with mode %r' % self._mode) + raise ValueError(msg) + + # all other arguments are used as file names + if self._bufsize: + return open(string, self._mode, self._bufsize) + else: + return open(string, self._mode) + + def __repr__(self): + args = [self._mode, self._bufsize] + args_str = ', '.join([repr(arg) for arg in args if arg is not None]) + return '%s(%s)' % (type(self).__name__, args_str) + +# =========================== +# Optional and Positional Parsing +# =========================== + +class Namespace(_AttributeHolder): + """Simple object for storing attributes. + + Implements equality by attribute names and values, and provides a simple + string representation. + """ + + def __init__(self, **kwargs): + for name in kwargs: + setattr(self, name, kwargs[name]) + + __hash__ = None + + def __eq__(self, other): + return vars(self) == vars(other) + + def __ne__(self, other): + return not (self == other) + + def __contains__(self, key): + return key in self.__dict__ + + +class _ActionsContainer(object): + + def __init__(self, + description, + prefix_chars, + argument_default, + conflict_handler): + super(_ActionsContainer, self).__init__() + + self.description = description + self.argument_default = argument_default + self.prefix_chars = prefix_chars + self.conflict_handler = conflict_handler + + # set up registries + self._registries = {} + + # register actions + self.register('action', None, _StoreAction) + self.register('action', 'store', _StoreAction) + self.register('action', 'store_const', _StoreConstAction) + self.register('action', 'store_true', _StoreTrueAction) + self.register('action', 'store_false', _StoreFalseAction) + self.register('action', 'append', _AppendAction) + self.register('action', 'append_const', _AppendConstAction) + self.register('action', 'count', _CountAction) + self.register('action', 'help', _HelpAction) + self.register('action', 'version', _VersionAction) + self.register('action', 'parsers', _SubParsersAction) + + # raise an exception if the conflict handler is invalid + self._get_handler() + + # action storage + self._actions = [] + self._option_string_actions = {} + + # groups + self._action_groups = [] + self._mutually_exclusive_groups = [] + + # defaults storage + self._defaults = {} + + # determines whether an "option" looks like a negative number + self._negative_number_matcher = _re.compile(r'^-\d+$|^-\d*\.\d+$') + + # whether or not there are any optionals that look like negative + # numbers -- uses a list so it can be shared and edited + self._has_negative_number_optionals = [] + + # ==================== + # Registration methods + # ==================== + def register(self, registry_name, value, object): + registry = self._registries.setdefault(registry_name, {}) + registry[value] = object + + def _registry_get(self, registry_name, value, default=None): + return self._registries[registry_name].get(value, default) + + # ================================== + # Namespace default accessor methods + # ================================== + def set_defaults(self, **kwargs): + self._defaults.update(kwargs) + + # if these defaults match any existing arguments, replace + # the previous default on the object with the new one + for action in self._actions: + if action.dest in kwargs: + action.default = kwargs[action.dest] + + def get_default(self, dest): + for action in self._actions: + if action.dest == dest and action.default is not None: + return action.default + return self._defaults.get(dest, None) + + + # ======================= + # Adding argument actions + # ======================= + def add_argument(self, *args, **kwargs): + """ + add_argument(dest, ..., name=value, ...) + add_argument(option_string, option_string, ..., name=value, ...) + """ + + # if no positional args are supplied or only one is supplied and + # it doesn't look like an option string, parse a positional + # argument + chars = self.prefix_chars + if not args or len(args) == 1 and args[0][0] not in chars: + if args and 'dest' in kwargs: + raise ValueError('dest supplied twice for positional argument') + kwargs = self._get_positional_kwargs(*args, **kwargs) + + # otherwise, we're adding an optional argument + else: + kwargs = self._get_optional_kwargs(*args, **kwargs) + + # if no default was supplied, use the parser-level default + if 'default' not in kwargs: + dest = kwargs['dest'] + if dest in self._defaults: + kwargs['default'] = self._defaults[dest] + elif self.argument_default is not None: + kwargs['default'] = self.argument_default + + # create the action object, and add it to the parser + action_class = self._pop_action_class(kwargs) + if not _callable(action_class): + raise ValueError('unknown action "%s"' % action_class) + action = action_class(**kwargs) + + # raise an error if the action type is not callable + type_func = self._registry_get('type', action.type, action.type) + if not _callable(type_func): + raise ValueError('%r is not callable' % type_func) + + return self._add_action(action) + + def add_argument_group(self, *args, **kwargs): + group = _ArgumentGroup(self, *args, **kwargs) + self._action_groups.append(group) + return group + + def add_mutually_exclusive_group(self, **kwargs): + group = _MutuallyExclusiveGroup(self, **kwargs) + self._mutually_exclusive_groups.append(group) + return group + + def _add_action(self, action): + # resolve any conflicts + self._check_conflict(action) + + # add to actions list + self._actions.append(action) + action.container = self + + # index the action by any option strings it has + for option_string in action.option_strings: + self._option_string_actions[option_string] = action + + # set the flag if any option strings look like negative numbers + for option_string in action.option_strings: + if self._negative_number_matcher.match(option_string): + if not self._has_negative_number_optionals: + self._has_negative_number_optionals.append(True) + + # return the created action + return action + + def _remove_action(self, action): + self._actions.remove(action) + + def _add_container_actions(self, container): + # collect groups by titles + title_group_map = {} + for group in self._action_groups: + if group.title in title_group_map: + msg = _('cannot merge actions - two groups are named %r') + raise ValueError(msg % (group.title)) + title_group_map[group.title] = group + + # map each action to its group + group_map = {} + for group in container._action_groups: + + # if a group with the title exists, use that, otherwise + # create a new group matching the container's group + if group.title not in title_group_map: + title_group_map[group.title] = self.add_argument_group( + title=group.title, + description=group.description, + conflict_handler=group.conflict_handler) + + # map the actions to their new group + for action in group._group_actions: + group_map[action] = title_group_map[group.title] + + # add container's mutually exclusive groups + # NOTE: if add_mutually_exclusive_group ever gains title= and + # description= then this code will need to be expanded as above + for group in container._mutually_exclusive_groups: + mutex_group = self.add_mutually_exclusive_group( + required=group.required) + + # map the actions to their new mutex group + for action in group._group_actions: + group_map[action] = mutex_group + + # add all actions to this container or their group + for action in container._actions: + group_map.get(action, self)._add_action(action) + + def _get_positional_kwargs(self, dest, **kwargs): + # make sure required is not specified + if 'required' in kwargs: + msg = _("'required' is an invalid argument for positionals") + raise TypeError(msg) + + # mark positional arguments as required if at least one is + # always required + if kwargs.get('nargs') not in [OPTIONAL, ZERO_OR_MORE]: + kwargs['required'] = True + if kwargs.get('nargs') == ZERO_OR_MORE and 'default' not in kwargs: + kwargs['required'] = True + + # return the keyword arguments with no option strings + return dict(kwargs, dest=dest, option_strings=[]) + + def _get_optional_kwargs(self, *args, **kwargs): + # determine short and long option strings + option_strings = [] + long_option_strings = [] + for option_string in args: + # error on strings that don't start with an appropriate prefix + if not option_string[0] in self.prefix_chars: + msg = _('invalid option string %r: ' + 'must start with a character %r') + tup = option_string, self.prefix_chars + raise ValueError(msg % tup) + + # strings starting with two prefix characters are long options + option_strings.append(option_string) + if option_string[0] in self.prefix_chars: + if len(option_string) > 1: + if option_string[1] in self.prefix_chars: + long_option_strings.append(option_string) + + # infer destination, '--foo-bar' -> 'foo_bar' and '-x' -> 'x' + dest = kwargs.pop('dest', None) + if dest is None: + if long_option_strings: + dest_option_string = long_option_strings[0] + else: + dest_option_string = option_strings[0] + dest = dest_option_string.lstrip(self.prefix_chars) + if not dest: + msg = _('dest= is required for options like %r') + raise ValueError(msg % option_string) + dest = dest.replace('-', '_') + + # return the updated keyword arguments + return dict(kwargs, dest=dest, option_strings=option_strings) + + def _pop_action_class(self, kwargs, default=None): + action = kwargs.pop('action', default) + return self._registry_get('action', action, action) + + def _get_handler(self): + # determine function from conflict handler string + handler_func_name = '_handle_conflict_%s' % self.conflict_handler + try: + return getattr(self, handler_func_name) + except AttributeError: + msg = _('invalid conflict_resolution value: %r') + raise ValueError(msg % self.conflict_handler) + + def _check_conflict(self, action): + + # find all options that conflict with this option + confl_optionals = [] + for option_string in action.option_strings: + if option_string in self._option_string_actions: + confl_optional = self._option_string_actions[option_string] + confl_optionals.append((option_string, confl_optional)) + + # resolve any conflicts + if confl_optionals: + conflict_handler = self._get_handler() + conflict_handler(action, confl_optionals) + + def _handle_conflict_error(self, action, conflicting_actions): + message = _('conflicting option string(s): %s') + conflict_string = ', '.join([option_string + for option_string, action + in conflicting_actions]) + raise ArgumentError(action, message % conflict_string) + + def _handle_conflict_resolve(self, action, conflicting_actions): + + # remove all conflicting options + for option_string, action in conflicting_actions: + + # remove the conflicting option + action.option_strings.remove(option_string) + self._option_string_actions.pop(option_string, None) + + # if the option now has no option string, remove it from the + # container holding it + if not action.option_strings: + action.container._remove_action(action) + + +class _ArgumentGroup(_ActionsContainer): + + def __init__(self, container, title=None, description=None, **kwargs): + # add any missing keyword arguments by checking the container + update = kwargs.setdefault + update('conflict_handler', container.conflict_handler) + update('prefix_chars', container.prefix_chars) + update('argument_default', container.argument_default) + super_init = super(_ArgumentGroup, self).__init__ + super_init(description=description, **kwargs) + + # group attributes + self.title = title + self._group_actions = [] + + # share most attributes with the container + self._registries = container._registries + self._actions = container._actions + self._option_string_actions = container._option_string_actions + self._defaults = container._defaults + self._has_negative_number_optionals = \ + container._has_negative_number_optionals + + def _add_action(self, action): + action = super(_ArgumentGroup, self)._add_action(action) + self._group_actions.append(action) + return action + + def _remove_action(self, action): + super(_ArgumentGroup, self)._remove_action(action) + self._group_actions.remove(action) + + +class _MutuallyExclusiveGroup(_ArgumentGroup): + + def __init__(self, container, required=False): + super(_MutuallyExclusiveGroup, self).__init__(container) + self.required = required + self._container = container + + def _add_action(self, action): + if action.required: + msg = _('mutually exclusive arguments must be optional') + raise ValueError(msg) + action = self._container._add_action(action) + self._group_actions.append(action) + return action + + def _remove_action(self, action): + self._container._remove_action(action) + self._group_actions.remove(action) + + +class ArgumentParser(_AttributeHolder, _ActionsContainer): + """Object for parsing command line strings into Python objects. + + Keyword Arguments: + - prog -- The name of the program (default: sys.argv[0]) + - usage -- A usage message (default: auto-generated from arguments) + - description -- A description of what the program does + - epilog -- Text following the argument descriptions + - parents -- Parsers whose arguments should be copied into this one + - formatter_class -- HelpFormatter class for printing help messages + - prefix_chars -- Characters that prefix optional arguments + - fromfile_prefix_chars -- Characters that prefix files containing + additional arguments + - argument_default -- The default value for all arguments + - conflict_handler -- String indicating how to handle conflicts + - add_help -- Add a -h/-help option + """ + + def __init__(self, + prog=None, + usage=None, + description=None, + epilog=None, + version=None, + parents=[], + formatter_class=HelpFormatter, + prefix_chars='-', + fromfile_prefix_chars=None, + argument_default=None, + conflict_handler='error', + add_help=True): + + if version is not None: + import warnings + warnings.warn( + """The "version" argument to ArgumentParser is deprecated. """ + """Please use """ + """"add_argument(..., action='version', version="N", ...)" """ + """instead""", DeprecationWarning) + + superinit = super(ArgumentParser, self).__init__ + superinit(description=description, + prefix_chars=prefix_chars, + argument_default=argument_default, + conflict_handler=conflict_handler) + + # default setting for prog + if prog is None: + prog = _os.path.basename(_sys.argv[0]) + + self.prog = prog + self.usage = usage + self.epilog = epilog + self.version = version + self.formatter_class = formatter_class + self.fromfile_prefix_chars = fromfile_prefix_chars + self.add_help = add_help + + add_group = self.add_argument_group + self._positionals = add_group(_('positional arguments')) + self._optionals = add_group(_('optional arguments')) + self._subparsers = None + + # register types + def identity(string): + return string + self.register('type', None, identity) + + # add help and version arguments if necessary + # (using explicit default to override global argument_default) + if '-' in prefix_chars: + default_prefix = '-' + else: + default_prefix = prefix_chars[0] + if self.add_help: + self.add_argument( + default_prefix+'h', default_prefix*2+'help', + action='help', default=SUPPRESS, + help=_('show this help message and exit')) + if self.version: + self.add_argument( + default_prefix+'v', default_prefix*2+'version', + action='version', default=SUPPRESS, + version=self.version, + help=_("show program's version number and exit")) + + # add parent arguments and defaults + for parent in parents: + self._add_container_actions(parent) + try: + defaults = parent._defaults + except AttributeError: + pass + else: + self._defaults.update(defaults) + + # ======================= + # Pretty __repr__ methods + # ======================= + def _get_kwargs(self): + names = [ + 'prog', + 'usage', + 'description', + 'version', + 'formatter_class', + 'conflict_handler', + 'add_help', + ] + return [(name, getattr(self, name)) for name in names] + + # ================================== + # Optional/Positional adding methods + # ================================== + def add_subparsers(self, **kwargs): + if self._subparsers is not None: + self.error(_('cannot have multiple subparser arguments')) + + # add the parser class to the arguments if it's not present + kwargs.setdefault('parser_class', type(self)) + + if 'title' in kwargs or 'description' in kwargs: + title = _(kwargs.pop('title', 'subcommands')) + description = _(kwargs.pop('description', None)) + self._subparsers = self.add_argument_group(title, description) + else: + self._subparsers = self._positionals + + # prog defaults to the usage message of this parser, skipping + # optional arguments and with no "usage:" prefix + if kwargs.get('prog') is None: + formatter = self._get_formatter() + positionals = self._get_positional_actions() + groups = self._mutually_exclusive_groups + formatter.add_usage(self.usage, positionals, groups, '') + kwargs['prog'] = formatter.format_help().strip() + + # create the parsers action and add it to the positionals list + parsers_class = self._pop_action_class(kwargs, 'parsers') + action = parsers_class(option_strings=[], **kwargs) + self._subparsers._add_action(action) + + # return the created parsers action + return action + + def _add_action(self, action): + if action.option_strings: + self._optionals._add_action(action) + else: + self._positionals._add_action(action) + return action + + def _get_optional_actions(self): + return [action + for action in self._actions + if action.option_strings] + + def _get_positional_actions(self): + return [action + for action in self._actions + if not action.option_strings] + + # ===================================== + # Command line argument parsing methods + # ===================================== + def parse_args(self, args=None, namespace=None): + args, argv = self.parse_known_args(args, namespace) + if argv: + msg = _('unrecognized arguments: %s') + self.error(msg % ' '.join(argv)) + return args + + def parse_known_args(self, args=None, namespace=None): + # args default to the system args + if args is None: + args = _sys.argv[1:] + + # default Namespace built from parser defaults + if namespace is None: + namespace = Namespace() + + # add any action defaults that aren't present + for action in self._actions: + if action.dest is not SUPPRESS: + if not hasattr(namespace, action.dest): + if action.default is not SUPPRESS: + default = action.default + if isinstance(action.default, basestring): + default = self._get_value(action, default) + setattr(namespace, action.dest, default) + + # add any parser defaults that aren't present + for dest in self._defaults: + if not hasattr(namespace, dest): + setattr(namespace, dest, self._defaults[dest]) + + # parse the arguments and exit if there are any errors + try: + namespace, args = self._parse_known_args(args, namespace) + if hasattr(namespace, _UNRECOGNIZED_ARGS_ATTR): + args.extend(getattr(namespace, _UNRECOGNIZED_ARGS_ATTR)) + delattr(namespace, _UNRECOGNIZED_ARGS_ATTR) + return namespace, args + except ArgumentError: + err = _sys.exc_info()[1] + self.error(str(err)) + + def _parse_known_args(self, arg_strings, namespace): + # replace arg strings that are file references + if self.fromfile_prefix_chars is not None: + arg_strings = self._read_args_from_files(arg_strings) + + # map all mutually exclusive arguments to the other arguments + # they can't occur with + action_conflicts = {} + for mutex_group in self._mutually_exclusive_groups: + group_actions = mutex_group._group_actions + for i, mutex_action in enumerate(mutex_group._group_actions): + conflicts = action_conflicts.setdefault(mutex_action, []) + conflicts.extend(group_actions[:i]) + conflicts.extend(group_actions[i + 1:]) + + # find all option indices, and determine the arg_string_pattern + # which has an 'O' if there is an option at an index, + # an 'A' if there is an argument, or a '-' if there is a '--' + option_string_indices = {} + arg_string_pattern_parts = [] + arg_strings_iter = iter(arg_strings) + for i, arg_string in enumerate(arg_strings_iter): + + # all args after -- are non-options + if arg_string == '--': + arg_string_pattern_parts.append('-') + for arg_string in arg_strings_iter: + arg_string_pattern_parts.append('A') + + # otherwise, add the arg to the arg strings + # and note the index if it was an option + else: + option_tuple = self._parse_optional(arg_string) + if option_tuple is None: + pattern = 'A' + else: + option_string_indices[i] = option_tuple + pattern = 'O' + arg_string_pattern_parts.append(pattern) + + # join the pieces together to form the pattern + arg_strings_pattern = ''.join(arg_string_pattern_parts) + + # converts arg strings to the appropriate and then takes the action + seen_actions = set() + seen_non_default_actions = set() + + def take_action(action, argument_strings, option_string=None): + seen_actions.add(action) + argument_values = self._get_values(action, argument_strings) + + # error if this argument is not allowed with other previously + # seen arguments, assuming that actions that use the default + # value don't really count as "present" + if argument_values is not action.default: + seen_non_default_actions.add(action) + for conflict_action in action_conflicts.get(action, []): + if conflict_action in seen_non_default_actions: + msg = _('not allowed with argument %s') + action_name = _get_action_name(conflict_action) + raise ArgumentError(action, msg % action_name) + + # take the action if we didn't receive a SUPPRESS value + # (e.g. from a default) + if argument_values is not SUPPRESS: + action(self, namespace, argument_values, option_string) + + # function to convert arg_strings into an optional action + def consume_optional(start_index): + + # get the optional identified at this index + option_tuple = option_string_indices[start_index] + action, option_string, explicit_arg = option_tuple + + # identify additional optionals in the same arg string + # (e.g. -xyz is the same as -x -y -z if no args are required) + match_argument = self._match_argument + action_tuples = [] + while True: + + # if we found no optional action, skip it + if action is None: + extras.append(arg_strings[start_index]) + return start_index + 1 + + # if there is an explicit argument, try to match the + # optional's string arguments to only this + if explicit_arg is not None: + arg_count = match_argument(action, 'A') + + # if the action is a single-dash option and takes no + # arguments, try to parse more single-dash options out + # of the tail of the option string + chars = self.prefix_chars + if arg_count == 0 and option_string[1] not in chars: + action_tuples.append((action, [], option_string)) + char = option_string[0] + option_string = char + explicit_arg[0] + new_explicit_arg = explicit_arg[1:] or None + optionals_map = self._option_string_actions + if option_string in optionals_map: + action = optionals_map[option_string] + explicit_arg = new_explicit_arg + else: + msg = _('ignored explicit argument %r') + raise ArgumentError(action, msg % explicit_arg) + + # if the action expect exactly one argument, we've + # successfully matched the option; exit the loop + elif arg_count == 1: + stop = start_index + 1 + args = [explicit_arg] + action_tuples.append((action, args, option_string)) + break + + # error if a double-dash option did not use the + # explicit argument + else: + msg = _('ignored explicit argument %r') + raise ArgumentError(action, msg % explicit_arg) + + # if there is no explicit argument, try to match the + # optional's string arguments with the following strings + # if successful, exit the loop + else: + start = start_index + 1 + selected_patterns = arg_strings_pattern[start:] + arg_count = match_argument(action, selected_patterns) + stop = start + arg_count + args = arg_strings[start:stop] + action_tuples.append((action, args, option_string)) + break + + # add the Optional to the list and return the index at which + # the Optional's string args stopped + assert action_tuples + for action, args, option_string in action_tuples: + take_action(action, args, option_string) + return stop + + # the list of Positionals left to be parsed; this is modified + # by consume_positionals() + positionals = self._get_positional_actions() + + # function to convert arg_strings into positional actions + def consume_positionals(start_index): + # match as many Positionals as possible + match_partial = self._match_arguments_partial + selected_pattern = arg_strings_pattern[start_index:] + arg_counts = match_partial(positionals, selected_pattern) + + # slice off the appropriate arg strings for each Positional + # and add the Positional and its args to the list + for action, arg_count in zip(positionals, arg_counts): + args = arg_strings[start_index: start_index + arg_count] + start_index += arg_count + take_action(action, args) + + # slice off the Positionals that we just parsed and return the + # index at which the Positionals' string args stopped + positionals[:] = positionals[len(arg_counts):] + return start_index + + # consume Positionals and Optionals alternately, until we have + # passed the last option string + extras = [] + start_index = 0 + if option_string_indices: + max_option_string_index = max(option_string_indices) + else: + max_option_string_index = -1 + while start_index <= max_option_string_index: + + # consume any Positionals preceding the next option + next_option_string_index = min([ + index + for index in option_string_indices + if index >= start_index]) + if start_index != next_option_string_index: + positionals_end_index = consume_positionals(start_index) + + # only try to parse the next optional if we didn't consume + # the option string during the positionals parsing + if positionals_end_index > start_index: + start_index = positionals_end_index + continue + else: + start_index = positionals_end_index + + # if we consumed all the positionals we could and we're not + # at the index of an option string, there were extra arguments + if start_index not in option_string_indices: + strings = arg_strings[start_index:next_option_string_index] + extras.extend(strings) + start_index = next_option_string_index + + # consume the next optional and any arguments for it + start_index = consume_optional(start_index) + + # consume any positionals following the last Optional + stop_index = consume_positionals(start_index) + + # if we didn't consume all the argument strings, there were extras + extras.extend(arg_strings[stop_index:]) + + # if we didn't use all the Positional objects, there were too few + # arg strings supplied. + if positionals: + self.error(_('too few arguments')) + + # make sure all required actions were present + for action in self._actions: + if action.required: + if action not in seen_actions: + name = _get_action_name(action) + self.error(_('argument %s is required') % name) + + # make sure all required groups had one option present + for group in self._mutually_exclusive_groups: + if group.required: + for action in group._group_actions: + if action in seen_non_default_actions: + break + + # if no actions were used, report the error + else: + names = [_get_action_name(action) + for action in group._group_actions + if action.help is not SUPPRESS] + msg = _('one of the arguments %s is required') + self.error(msg % ' '.join(names)) + + # return the updated namespace and the extra arguments + return namespace, extras + + def _read_args_from_files(self, arg_strings): + # expand arguments referencing files + new_arg_strings = [] + for arg_string in arg_strings: + + # for regular arguments, just add them back into the list + if arg_string[0] not in self.fromfile_prefix_chars: + new_arg_strings.append(arg_string) + + # replace arguments referencing files with the file content + else: + try: + args_file = open(arg_string[1:]) + try: + arg_strings = [] + for arg_line in args_file.read().splitlines(): + for arg in self.convert_arg_line_to_args(arg_line): + arg_strings.append(arg) + arg_strings = self._read_args_from_files(arg_strings) + new_arg_strings.extend(arg_strings) + finally: + args_file.close() + except IOError: + err = _sys.exc_info()[1] + self.error(str(err)) + + # return the modified argument list + return new_arg_strings + + def convert_arg_line_to_args(self, arg_line): + return [arg_line] + + def _match_argument(self, action, arg_strings_pattern): + # match the pattern for this action to the arg strings + nargs_pattern = self._get_nargs_pattern(action) + match = _re.match(nargs_pattern, arg_strings_pattern) + + # raise an exception if we weren't able to find a match + if match is None: + nargs_errors = { + None: _('expected one argument'), + OPTIONAL: _('expected at most one argument'), + ONE_OR_MORE: _('expected at least one argument'), + } + default = _('expected %s argument(s)') % action.nargs + msg = nargs_errors.get(action.nargs, default) + raise ArgumentError(action, msg) + + # return the number of arguments matched + return len(match.group(1)) + + def _match_arguments_partial(self, actions, arg_strings_pattern): + # progressively shorten the actions list by slicing off the + # final actions until we find a match + result = [] + for i in range(len(actions), 0, -1): + actions_slice = actions[:i] + pattern = ''.join([self._get_nargs_pattern(action) + for action in actions_slice]) + match = _re.match(pattern, arg_strings_pattern) + if match is not None: + result.extend([len(string) for string in match.groups()]) + break + + # return the list of arg string counts + return result + + def _parse_optional(self, arg_string): + # if it's an empty string, it was meant to be a positional + if not arg_string: + return None + + # if it doesn't start with a prefix, it was meant to be positional + if not arg_string[0] in self.prefix_chars: + return None + + # if the option string is present in the parser, return the action + if arg_string in self._option_string_actions: + action = self._option_string_actions[arg_string] + return action, arg_string, None + + # if it's just a single character, it was meant to be positional + if len(arg_string) == 1: + return None + + # if the option string before the "=" is present, return the action + if '=' in arg_string: + option_string, explicit_arg = arg_string.split('=', 1) + if option_string in self._option_string_actions: + action = self._option_string_actions[option_string] + return action, option_string, explicit_arg + + # search through all possible prefixes of the option string + # and all actions in the parser for possible interpretations + option_tuples = self._get_option_tuples(arg_string) + + # if multiple actions match, the option string was ambiguous + if len(option_tuples) > 1: + options = ', '.join([option_string + for action, option_string, explicit_arg in option_tuples]) + tup = arg_string, options + self.error(_('ambiguous option: %s could match %s') % tup) + + # if exactly one action matched, this segmentation is good, + # so return the parsed action + elif len(option_tuples) == 1: + option_tuple, = option_tuples + return option_tuple + + # if it was not found as an option, but it looks like a negative + # number, it was meant to be positional + # unless there are negative-number-like options + if self._negative_number_matcher.match(arg_string): + if not self._has_negative_number_optionals: + return None + + # if it contains a space, it was meant to be a positional + if ' ' in arg_string: + return None + + # it was meant to be an optional but there is no such option + # in this parser (though it might be a valid option in a subparser) + return None, arg_string, None + + def _get_option_tuples(self, option_string): + result = [] + + # option strings starting with two prefix characters are only + # split at the '=' + chars = self.prefix_chars + if option_string[0] in chars and option_string[1] in chars: + if '=' in option_string: + option_prefix, explicit_arg = option_string.split('=', 1) + else: + option_prefix = option_string + explicit_arg = None + for option_string in self._option_string_actions: + if option_string.startswith(option_prefix): + action = self._option_string_actions[option_string] + tup = action, option_string, explicit_arg + result.append(tup) + + # single character options can be concatenated with their arguments + # but multiple character options always have to have their argument + # separate + elif option_string[0] in chars and option_string[1] not in chars: + option_prefix = option_string + explicit_arg = None + short_option_prefix = option_string[:2] + short_explicit_arg = option_string[2:] + + for option_string in self._option_string_actions: + if option_string == short_option_prefix: + action = self._option_string_actions[option_string] + tup = action, option_string, short_explicit_arg + result.append(tup) + elif option_string.startswith(option_prefix): + action = self._option_string_actions[option_string] + tup = action, option_string, explicit_arg + result.append(tup) + + # shouldn't ever get here + else: + self.error(_('unexpected option string: %s') % option_string) + + # return the collected option tuples + return result + + def _get_nargs_pattern(self, action): + # in all examples below, we have to allow for '--' args + # which are represented as '-' in the pattern + nargs = action.nargs + + # the default (None) is assumed to be a single argument + if nargs is None: + nargs_pattern = '(-*A-*)' + + # allow zero or one arguments + elif nargs == OPTIONAL: + nargs_pattern = '(-*A?-*)' + + # allow zero or more arguments + elif nargs == ZERO_OR_MORE: + nargs_pattern = '(-*[A-]*)' + + # allow one or more arguments + elif nargs == ONE_OR_MORE: + nargs_pattern = '(-*A[A-]*)' + + # allow any number of options or arguments + elif nargs == REMAINDER: + nargs_pattern = '([-AO]*)' + + # allow one argument followed by any number of options or arguments + elif nargs == PARSER: + nargs_pattern = '(-*A[-AO]*)' + + # all others should be integers + else: + nargs_pattern = '(-*%s-*)' % '-*'.join('A' * nargs) + + # if this is an optional action, -- is not allowed + if action.option_strings: + nargs_pattern = nargs_pattern.replace('-*', '') + nargs_pattern = nargs_pattern.replace('-', '') + + # return the pattern + return nargs_pattern + + # ======================== + # Value conversion methods + # ======================== + def _get_values(self, action, arg_strings): + # for everything but PARSER args, strip out '--' + if action.nargs not in [PARSER, REMAINDER]: + arg_strings = [s for s in arg_strings if s != '--'] + + # optional argument produces a default when not present + if not arg_strings and action.nargs == OPTIONAL: + if action.option_strings: + value = action.const + else: + value = action.default + if isinstance(value, basestring): + value = self._get_value(action, value) + self._check_value(action, value) + + # when nargs='*' on a positional, if there were no command-line + # args, use the default if it is anything other than None + elif (not arg_strings and action.nargs == ZERO_OR_MORE and + not action.option_strings): + if action.default is not None: + value = action.default + else: + value = arg_strings + self._check_value(action, value) + + # single argument or optional argument produces a single value + elif len(arg_strings) == 1 and action.nargs in [None, OPTIONAL]: + arg_string, = arg_strings + value = self._get_value(action, arg_string) + self._check_value(action, value) + + # REMAINDER arguments convert all values, checking none + elif action.nargs == REMAINDER: + value = [self._get_value(action, v) for v in arg_strings] + + # PARSER arguments convert all values, but check only the first + elif action.nargs == PARSER: + value = [self._get_value(action, v) for v in arg_strings] + self._check_value(action, value[0]) + + # all other types of nargs produce a list + else: + value = [self._get_value(action, v) for v in arg_strings] + for v in value: + self._check_value(action, v) + + # return the converted value + return value + + def _get_value(self, action, arg_string): + type_func = self._registry_get('type', action.type, action.type) + if not _callable(type_func): + msg = _('%r is not callable') + raise ArgumentError(action, msg % type_func) + + # convert the value to the appropriate type + try: + result = type_func(arg_string) + + # ArgumentTypeErrors indicate errors + except ArgumentTypeError: + name = getattr(action.type, '__name__', repr(action.type)) + msg = str(_sys.exc_info()[1]) + raise ArgumentError(action, msg) + + # TypeErrors or ValueErrors also indicate errors + except (TypeError, ValueError): + name = getattr(action.type, '__name__', repr(action.type)) + msg = _('invalid %s value: %r') + raise ArgumentError(action, msg % (name, arg_string)) + + # return the converted value + return result + + def _check_value(self, action, value): + # converted value must be one of the choices (if specified) + if action.choices is not None and value not in action.choices: + tup = value, ', '.join(map(repr, action.choices)) + msg = _('invalid choice: %r (choose from %s)') % tup + raise ArgumentError(action, msg) + + # ======================= + # Help-formatting methods + # ======================= + def format_usage(self): + formatter = self._get_formatter() + formatter.add_usage(self.usage, self._actions, + self._mutually_exclusive_groups) + return formatter.format_help() + + def format_help(self): + formatter = self._get_formatter() + + # usage + formatter.add_usage(self.usage, self._actions, + self._mutually_exclusive_groups) + + # description + formatter.add_text(self.description) + + # positionals, optionals and user-defined groups + for action_group in self._action_groups: + formatter.start_section(action_group.title) + formatter.add_text(action_group.description) + formatter.add_arguments(action_group._group_actions) + formatter.end_section() + + # epilog + formatter.add_text(self.epilog) + + # determine help from format above + return formatter.format_help() + + def format_version(self): + import warnings + warnings.warn( + 'The format_version method is deprecated -- the "version" ' + 'argument to ArgumentParser is no longer supported.', + DeprecationWarning) + formatter = self._get_formatter() + formatter.add_text(self.version) + return formatter.format_help() + + def _get_formatter(self): + return self.formatter_class(prog=self.prog) + + # ===================== + # Help-printing methods + # ===================== + def print_usage(self, file=None): + if file is None: + file = _sys.stdout + self._print_message(self.format_usage(), file) + + def print_help(self, file=None): + if file is None: + file = _sys.stdout + self._print_message(self.format_help(), file) + + def print_version(self, file=None): + import warnings + warnings.warn( + 'The print_version method is deprecated -- the "version" ' + 'argument to ArgumentParser is no longer supported.', + DeprecationWarning) + self._print_message(self.format_version(), file) + + def _print_message(self, message, file=None): + if message: + if file is None: + file = _sys.stderr + file.write(message) + + # =============== + # Exiting methods + # =============== + def exit(self, status=0, message=None): + if message: + self._print_message(message, _sys.stderr) + _sys.exit(status) + + def error(self, message): + """error(message: string) + + Prints a usage message incorporating the message to stderr and + exits. + + If you override this in a subclass, it should not return -- it + should either exit or raise an exception. + """ + self.print_usage(_sys.stderr) + self.exit(2, _('%s: error: %s\n') % (self.prog, message)) diff --git a/suricata/update/compat/ordereddict.py b/suricata/update/compat/ordereddict.py new file mode 100644 index 0000000..5b0303f --- /dev/null +++ b/suricata/update/compat/ordereddict.py @@ -0,0 +1,127 @@ +# Copyright (c) 2009 Raymond Hettinger
+#
+# Permission is hereby granted, free of charge, to any person
+# obtaining a copy of this software and associated documentation files
+# (the "Software"), to deal in the Software without restriction,
+# including without limitation the rights to use, copy, modify, merge,
+# publish, distribute, sublicense, and/or sell copies of the Software,
+# and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+# OTHER DEALINGS IN THE SOFTWARE.
+
+from UserDict import DictMixin
+
+class OrderedDict(dict, DictMixin):
+
+ def __init__(self, *args, **kwds):
+ if len(args) > 1:
+ raise TypeError('expected at most 1 arguments, got %d' % len(args))
+ try:
+ self.__end
+ except AttributeError:
+ self.clear()
+ self.update(*args, **kwds)
+
+ def clear(self):
+ self.__end = end = []
+ end += [None, end, end] # sentinel node for doubly linked list
+ self.__map = {} # key --> [key, prev, next]
+ dict.clear(self)
+
+ def __setitem__(self, key, value):
+ if key not in self:
+ end = self.__end
+ curr = end[1]
+ curr[2] = end[1] = self.__map[key] = [key, curr, end]
+ dict.__setitem__(self, key, value)
+
+ def __delitem__(self, key):
+ dict.__delitem__(self, key)
+ key, prev, next = self.__map.pop(key)
+ prev[2] = next
+ next[1] = prev
+
+ def __iter__(self):
+ end = self.__end
+ curr = end[2]
+ while curr is not end:
+ yield curr[0]
+ curr = curr[2]
+
+ def __reversed__(self):
+ end = self.__end
+ curr = end[1]
+ while curr is not end:
+ yield curr[0]
+ curr = curr[1]
+
+ def popitem(self, last=True):
+ if not self:
+ raise KeyError('dictionary is empty')
+ if last:
+ key = reversed(self).next()
+ else:
+ key = iter(self).next()
+ value = self.pop(key)
+ return key, value
+
+ def __reduce__(self):
+ items = [[k, self[k]] for k in self]
+ tmp = self.__map, self.__end
+ del self.__map, self.__end
+ inst_dict = vars(self).copy()
+ self.__map, self.__end = tmp
+ if inst_dict:
+ return (self.__class__, (items,), inst_dict)
+ return self.__class__, (items,)
+
+ def keys(self):
+ return list(self)
+
+ setdefault = DictMixin.setdefault
+ update = DictMixin.update
+ pop = DictMixin.pop
+ values = DictMixin.values
+ items = DictMixin.items
+ iterkeys = DictMixin.iterkeys
+ itervalues = DictMixin.itervalues
+ iteritems = DictMixin.iteritems
+
+ def __repr__(self):
+ if not self:
+ return '%s()' % (self.__class__.__name__,)
+ return '%s(%r)' % (self.__class__.__name__, self.items())
+
+ def copy(self):
+ return self.__class__(self)
+
+ @classmethod
+ def fromkeys(cls, iterable, value=None):
+ d = cls()
+ for key in iterable:
+ d[key] = value
+ return d
+
+ def __eq__(self, other):
+ if isinstance(other, OrderedDict):
+ if len(self) != len(other):
+ return False
+ for p, q in zip(self.items(), other.items()):
+ if p != q:
+ return False
+ return True
+ return dict.__eq__(self, other)
+
+ def __ne__(self, other):
+ return not self == other
diff --git a/suricata/update/config.py b/suricata/update/config.py new file mode 100644 index 0000000..ad95996 --- /dev/null +++ b/suricata/update/config.py @@ -0,0 +1,266 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2015-2017 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import os.path +import logging + +import yaml + +import suricata.update.engine +from suricata.update.exceptions import ApplicationError + +try: + from suricata.config import defaults + has_defaults = True +except: + has_defaults = False + +logger = logging.getLogger() + +DEFAULT_DATA_DIRECTORY = "/var/lib/suricata" + +# Cache directory - relative to the data directory. +CACHE_DIRECTORY = os.path.join("update", "cache") + +# Source directory - relative to the data directory. +SOURCE_DIRECTORY = os.path.join("update", "sources") + +# Configuration keys. +DATA_DIRECTORY_KEY = "data-directory" +CACHE_DIRECTORY_KEY = "cache-directory" +IGNORE_KEY = "ignore" +DISABLE_CONF_KEY = "disable-conf" +ENABLE_CONF_KEY = "enable-conf" +MODIFY_CONF_KEY = "modify-conf" +DROP_CONF_KEY = "drop-conf" +LOCAL_CONF_KEY = "local" +OUTPUT_KEY = "output" +DIST_RULE_DIRECTORY_KEY = "dist-rule-directory" + +if has_defaults: + DEFAULT_UPDATE_YAML_PATH = os.path.join(defaults.sysconfdir, "update.yaml") +else: + DEFAULT_UPDATE_YAML_PATH = "/etc/suricata/update.yaml" + +DEFAULT_SURICATA_YAML_PATH = [ + "/etc/suricata/suricata.yaml", + "/usr/local/etc/suricata/suricata.yaml", + "/etc/suricata/suricata-debian.yaml" +] + +if has_defaults: + DEFAULT_DIST_RULE_PATH = [ + defaults.datarulesdir, + "/etc/suricata/rules", + ] +else: + DEFAULT_DIST_RULE_PATH = [ + "/etc/suricata/rules", + ] + +DEFAULT_CONFIG = { + "sources": [], + LOCAL_CONF_KEY: [], + + # The default file patterns to ignore. + "ignore": [ + "*deleted.rules", + ], +} + +_args = None +_config = {} + +# The filename the config was read from, if any. +filename = None + +def has(key): + """Return true if a configuration key exists.""" + return key in _config + +def set(key, value): + """Set a configuration value.""" + _config[key] = value + +def get(key): + """Get a configuration value.""" + if key in _config: + return _config[key] + return None + +def set_state_dir(directory): + _config[DATA_DIRECTORY_KEY] = directory + +def get_state_dir(): + """Get the data directory. This is more of the Suricata state + directory than a specific Suricata-Update directory, and is used + as the root directory for Suricata-Update data. + """ + if os.getenv("DATA_DIRECTORY"): + return os.getenv("DATA_DIRECTORY") + if DATA_DIRECTORY_KEY in _config: + return _config[DATA_DIRECTORY_KEY] + return DEFAULT_DATA_DIRECTORY + +def set_cache_dir(directory): + """Set an alternate cache directory.""" + _config[CACHE_DIRECTORY_KEY] = directory + +def get_cache_dir(): + """Get the cache directory.""" + if CACHE_DIRECTORY_KEY in _config: + return _config[CACHE_DIRECTORY_KEY] + return os.path.join(get_state_dir(), CACHE_DIRECTORY) + +def get_output_dir(): + """Get the rule output directory.""" + if OUTPUT_KEY in _config: + return _config[OUTPUT_KEY] + return os.path.join(get_state_dir(), "rules") + +def args(): + """Return sthe parsed argument object.""" + return _args + +def get_arg(key): + key = key.replace("-", "_") + if hasattr(_args, key): + val = getattr(_args, key) + if val not in [[], None]: + return val + return None + +def init(args): + global _args + global filename + + _args = args + _config.update(DEFAULT_CONFIG) + + if args.config: + logger.info("Loading %s", args.config) + with open(args.config, "rb") as fileobj: + config = yaml.safe_load(fileobj) + if config: + _config.update(config) + filename = args.config + elif os.path.exists(DEFAULT_UPDATE_YAML_PATH): + logger.info("Loading %s", DEFAULT_UPDATE_YAML_PATH) + with open(DEFAULT_UPDATE_YAML_PATH, "rb") as fileobj: + config = yaml.safe_load(fileobj) + if config: + _config.update(config) + filename = DEFAULT_UPDATE_YAML_PATH + + # Apply command line arguments to the config. + for arg in vars(args): + if arg == "local": + for local in args.local: + logger.debug("Adding local ruleset to config: %s", local) + _config[LOCAL_CONF_KEY].append(local) + elif arg == "data_dir" and args.data_dir: + logger.debug("Setting data directory to %s", args.data_dir) + _config[DATA_DIRECTORY_KEY] = args.data_dir + elif getattr(args, arg) is not None: + key = arg.replace("_", "-") + val = getattr(args, arg) + logger.debug("Setting configuration value %s -> %s", key, val) + _config[key] = val + + # Find and set the path to suricata if not provided. + if "suricata" in _config: + if not os.path.exists(_config["suricata"]): + raise ApplicationError( + "Configured path to suricata does not exist: %s" % ( + _config["suricata"])) + else: + suricata_path = suricata.update.engine.get_path() + if not suricata_path: + logger.warning("No suricata application binary found on path.") + else: + _config["suricata"] = suricata_path + + if "suricata" in _config: + build_info = suricata.update.engine.get_build_info(_config["suricata"]) + + # Set the first suricata.yaml to check for to the one in the + # --sysconfdir provided by build-info. + if not "suricata_conf" in _config and "sysconfdir" in build_info: + DEFAULT_SURICATA_YAML_PATH.insert( + 0, os.path.join( + build_info["sysconfdir"], "suricata/suricata.yaml")) + + # Amend the path to look for Suricata provided rules based on + # the build info. As we are inserting at the front, put the + # highest priority path last. + if "sysconfdir" in build_info: + DEFAULT_DIST_RULE_PATH.insert( + 0, os.path.join(build_info["sysconfdir"], "suricata/rules")) + if "datarootdir" in build_info: + DEFAULT_DIST_RULE_PATH.insert( + 0, os.path.join(build_info["datarootdir"], "suricata/rules")) + + # Set the data-directory prefix to that of the --localstatedir + # found in the build-info. + if not DATA_DIRECTORY_KEY in _config and "localstatedir" in build_info: + data_directory = os.path.join( + build_info["localstatedir"], "lib/suricata") + logger.info("Using data-directory %s.", data_directory) + _config[DATA_DIRECTORY_KEY] = data_directory + + # Fixup the default locations for Suricata-Update configuration files, but only if + # they exist, otherwise keep the defaults. + conf_search_path = ["/etc"] + if "sysconfdir" in build_info: + sysconfdir = build_info["sysconfdir"] + if not sysconfdir in conf_search_path: + conf_search_path.insert(0, sysconfdir) + configs = ( + ("disable-conf", "disable.conf"), + ("enable-conf", "enable.conf"), + ("drop-conf", "drop.conf"), + ("modify-conf", "modify.conf"), + ) + for key, filename in configs: + if getattr(args, key.replace("-", "_"), None) is not None: + continue + if _config.get(key) is not None: + continue + for conf_dir in conf_search_path: + config_path = os.path.join(conf_dir, "suricata", filename) + logger.debug("Looking for {}".format(config_path)) + if os.path.exists(config_path): + logger.debug("Found {}".format(config_path)) + logger.debug("Using {} for {}".format(config_path, key)) + _config[key] = config_path + break + + # If suricata-conf not provided on the command line or in the + # configuration file, look for it. + if not "suricata-conf" in _config: + for conf in DEFAULT_SURICATA_YAML_PATH: + if os.path.exists(conf): + logger.info("Using Suricata configuration %s" % (conf)) + _config["suricata-conf"] = conf + break + + if not DIST_RULE_DIRECTORY_KEY in _config: + for path in DEFAULT_DIST_RULE_PATH: + if os.path.exists(path): + logger.info("Using %s for Suricata provided rules.", path) + _config[DIST_RULE_DIRECTORY_KEY] = path + break diff --git a/suricata/update/configs/__init__.py b/suricata/update/configs/__init__.py new file mode 100644 index 0000000..e136c7a --- /dev/null +++ b/suricata/update/configs/__init__.py @@ -0,0 +1,31 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import os.path + +# The list of sample config files provided here, for use when asked to +# dump them. +filenames = [ + "update.yaml", + "enable.conf", + "disable.conf", + "modify.conf", + "drop.conf", + "threshold.in", +] + +directory = os.path.dirname(__file__) + diff --git a/suricata/update/configs/disable.conf b/suricata/update/configs/disable.conf new file mode 100644 index 0000000..59d0e18 --- /dev/null +++ b/suricata/update/configs/disable.conf @@ -0,0 +1,19 @@ +# suricata-update - disable.conf + +# Example of disabling a rule by signature ID (gid is optional). +# 1:2019401 +# 2019401 + +# Example of disabling a rule by regular expression. +# - All regular expression matches are case insensitive. +# re:heartbleed +# re:MS(0[7-9]|10)-\d+ + +# Examples of disabling a group of rules. +# group:emerging-icmp.rules +# group:emerging-dos +# group:emerging* + +# Disable all rules with a metadata of "deployment perimeter". Note that metadata +# matches are case insensitive. +# metadata: deployment perimeter
\ No newline at end of file diff --git a/suricata/update/configs/drop.conf b/suricata/update/configs/drop.conf new file mode 100644 index 0000000..a93268d --- /dev/null +++ b/suricata/update/configs/drop.conf @@ -0,0 +1,11 @@ +# suricata-update - drop.conf +# +# Rules matching specifiers in this file will be converted to drop rules. +# +# Examples: +# +# 1:2019401 +# 2019401 +# +# re:heartbleed +# re:MS(0[7-9]|10)-\d+ diff --git a/suricata/update/configs/enable.conf b/suricata/update/configs/enable.conf new file mode 100644 index 0000000..ad7b4e2 --- /dev/null +++ b/suricata/update/configs/enable.conf @@ -0,0 +1,19 @@ +# suricata-update - enable.conf + +# Example of enabling a rule by signature ID (gid is optional). +# 1:2019401 +# 2019401 + +# Example of enabling a rule by regular expression. +# - All regular expression matches are case insensitive. +# re:heartbleed +# re:MS(0[7-9]|10)-\d+ + +# Examples of enabling a group of rules. +# group:emerging-icmp.rules +# group:emerging-dos +# group:emerging* + +# Enable all rules with a metadata of "deployment perimeter". Note that metadata +# matches are case insensitive. +# metadata: deployment perimeter
\ No newline at end of file diff --git a/suricata/update/configs/modify.conf b/suricata/update/configs/modify.conf new file mode 100644 index 0000000..70bfb3e --- /dev/null +++ b/suricata/update/configs/modify.conf @@ -0,0 +1,24 @@ +# suricata-update - modify.conf + +# Format: <sid> "<from>" "<to>" + +# Example changing the seconds for rule 2019401 to 3600. +# 2019401 "seconds \d+" "seconds 3600" +# +# Example converting all alert rules to drop: +# re:. ^alert drop +# +# Example converting all drop rules with noalert back to alert: +# re:. "^drop(.*)noalert(.*)" "alert\\1noalert\\2" + +# Change all trojan-activity rules to drop. Its better to setup a +# drop.conf for this, but this does show the use of back references. +# re:classtype:trojan-activity "(alert)(.*)" "drop\\2" + +# For compatibility, most Oinkmaster modifysid lines should work as +# well. +# modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}" + +# Add metadata. +#metadata-add re:"SURICATA STREAM" "evebox-action" "archive" +#metadata-add 2010646 "evebox-action" "archive"
\ No newline at end of file diff --git a/suricata/update/configs/threshold.in b/suricata/update/configs/threshold.in new file mode 100644 index 0000000..377417d --- /dev/null +++ b/suricata/update/configs/threshold.in @@ -0,0 +1,22 @@ +# suricata-update - threshold.in + +# This file contains thresholding configurations that will be turned into +# a Suricata compatible threshold.conf file. + +# This file can contain standard threshold.conf configurations: +# +# suppress gen_id <gid>, sig_id <sid> +# suppress gen_id <gid>, sig_id <sid>, track <by_src|by_dst>, ip <ip|subnet> +# threshold gen_id 0, sig_id 0, type threshold, track by_src, count 10, seconds 10 +# suppress gen_id 1, sig_id 2009557, track by_src, ip 217.110.97.128/25 + +# Or ones that will be preprocessed... + +# Suppress all rules containing "java". +# +# suppress re:java +# suppress re:java, track by_src, ip 217.110.97.128/25 + +# Threshold all rules containing "java". +# +# threshold re:java, type threshold, track by_dst, count 1, seconds 10 diff --git a/suricata/update/configs/update.yaml b/suricata/update/configs/update.yaml new file mode 100644 index 0000000..358e869 --- /dev/null +++ b/suricata/update/configs/update.yaml @@ -0,0 +1,58 @@ +# Configuration with disable filters. +# - Overrided by --disable-conf +# - Default: /etc/suricata/disable.conf +disable-conf: /etc/suricata/disable.conf + +# Configuration with enable filters. +# - Overrided by --enable-conf +# - Default: /etc/suricata/enable.conf +enable-conf: /etc/suricata/enable.conf + +# Configuration with drop filters. +# - Overrided by --drop-conf +# - Default: /etc/suricata/drop.conf +drop-conf: /etc/suricata/drop.conf + +# Configuration with modify filters. +# - Overrided by --modify-conf +# - Default: /etc/suricata/modify.conf +modify-conf: /etc/suricata/modify.conf + +# List of files to ignore. Overrided by the --ignore command line option. +ignore: + - "*deleted.rules" + +# Override the user-agent string. +#user-agent: "Suricata-Update" + +# Provide an alternate command to the default test command. +# +# The following environment variables can be used. +# SURICATA_PATH - The path to the discovered suricata program. +# OUTPUT_DIR - The directory the rules are written to. +# OUTPUT_FILENAME - The name of the rule file. Will be empty if the rules +# were not merged. +#test-command: ${SURICATA_PATH} -T -S ${OUTPUT_FILENAME} -l /tmp + +# Provide a command to reload the Suricata rules. +# May be overrided by the --reload-command command line option. +# See the documentation of --reload-command for the different options +# to reload Suricata rules. +#reload-command: sudo systemctl reload suricata + +# Remote rule sources. Simply a list of URLs. +sources: + # Emerging Threats Open with the Suricata version dynamically replaced. + - https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz + # The SSL blacklist, which is just a standalone rule file. + - https://sslbl.abuse.ch/blacklist/sslblacklist.rules + +# A list of local rule sources. Each entry can be a rule file, a +# directory or a wild card specification. +local: + # A directory of rules. + - /etc/suricata/rules + # A single rule file. + - /etc/suricata/rules/app-layer-events.rules + # A wildcard. + - /etc/suricata/rules/*.rules diff --git a/suricata/update/data/__init__.py b/suricata/update/data/__init__.py new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/suricata/update/data/__init__.py diff --git a/suricata/update/data/index.py b/suricata/update/data/index.py new file mode 100644 index 0000000..02a9c4f --- /dev/null +++ b/suricata/update/data/index.py @@ -0,0 +1,476 @@ +index = { 'sources': { 'et/open': { 'description': 'Proofpoint ET Open is a ' + 'timely and accurate rule set ' + 'for detecting and blocking ' + 'advanced threats\n', + 'license': 'MIT', + 'summary': 'Emerging Threats Open Ruleset', + 'url': 'https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz', + 'vendor': 'Proofpoint'}, + 'et/pro': { 'checksum': False, + 'description': 'Proofpoint ET Pro is a timely ' + 'and accurate rule set for ' + 'detecting and blocking ' + 'advanced threats\n', + 'license': 'Commercial', + 'parameters': { 'secret-code': { 'prompt': 'Emerging ' + 'Threats ' + 'Pro ' + 'access ' + 'code'}}, + 'replaces': ['et/open'], + 'subscribe-url': 'https://www.proofpoint.com/us/threat-insight/et-pro-ruleset', + 'summary': 'Emerging Threats Pro Ruleset', + 'url': 'https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz', + 'vendor': 'Proofpoint'}, + 'etnetera/aggressive': { 'checksum': False, + 'license': 'MIT', + 'min-version': '4.0.0', + 'summary': 'Etnetera aggressive ' + 'IP blacklist', + 'url': 'https://security.etnetera.cz/feeds/etn_aggressive.rules', + 'vendor': 'Etnetera a.s.'}, + 'malsilo/win-malware': { 'checksum': True, + 'description': 'TCP/UDP, DNS and ' + 'HTTP Windows ' + 'threats ' + 'artifacts ' + 'observed at ' + 'runtime.\n', + 'homepage': 'https://raw-data.gitlab.io/post/malsilo_2.1/', + 'license': 'MIT', + 'min-version': '4.1.0', + 'summary': 'Commodity malware ' + 'rules', + 'url': 'https://malsilo.gitlab.io/feeds/dumps/malsilo.rules.tar.gz', + 'vendor': 'malsilo'}, + 'oisf/trafficid': { 'checksum': False, + 'license': 'MIT', + 'min-version': '4.0.0', + 'summary': 'Suricata Traffic ID ' + 'ruleset', + 'support-url': 'https://redmine.openinfosecfoundation.org/', + 'url': 'https://openinfosecfoundation.org/rules/trafficid/trafficid.rules', + 'vendor': 'OISF'}, + 'pawpatrules': { 'checksum': False, + 'description': 'PAW Patrules ruleset ' + 'permit to detect many ' + 'events on\n' + 'network. Suspicious ' + 'flow, malicious tool, ' + 'unsuported and\n' + 'vulnerable system, known ' + 'threat actors with ' + 'various IOCs,\n' + 'lateral movement, bad ' + 'practice, shadow IT... ' + 'Rules are\n' + 'frequently updated.\n', + 'homepage': 'https://pawpatrules.fr/', + 'license': 'CC-BY-SA-4.0', + 'min-version': '6.0.0', + 'summary': 'PAW Patrules is a collection ' + 'of rules for IDPS / NSM ' + 'Suricata engine', + 'url': 'https://rules.pawpatrules.fr/suricata/paw-patrules.tar.gz', + 'vendor': 'pawpatrules'}, + 'ptresearch/attackdetection': { 'description': 'The ' + 'Attack ' + 'Detection ' + 'Team ' + 'searches ' + 'for new ' + 'vulnerabilities ' + 'and ' + '0-days, ' + 'reproduces ' + 'it and ' + 'creates ' + 'PoC ' + 'exploits ' + 'to ' + 'understand ' + 'how these ' + 'security ' + 'flaws ' + 'work and ' + 'how ' + 'related ' + 'attacks ' + 'can be ' + 'detected ' + 'on the ' + 'network ' + 'layer. ' + 'Additionally, ' + 'we are ' + 'interested ' + 'in ' + 'malware ' + 'and ' + "hackers' " + 'TTPs, so ' + 'we ' + 'develop ' + 'Suricata ' + 'rules for ' + 'detecting ' + 'all sorts ' + 'of such ' + 'activities.\n', + 'license': 'Custom', + 'license-url': 'https://raw.githubusercontent.com/ptresearch/AttackDetection/master/LICENSE', + 'obsolete': 'no longer ' + 'exists', + 'summary': 'Positive ' + 'Technologies ' + 'Attack ' + 'Detection ' + 'Team ruleset', + 'url': 'https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz', + 'vendor': 'Positive ' + 'Technologies'}, + 'scwx/enhanced': { 'description': 'Broad ruleset composed ' + 'of malware rules and ' + 'other security-related ' + 'countermeasures, and ' + 'curated by the ' + 'Secureworks Counter ' + 'Threat Unit research ' + 'team. This ruleset ' + 'has been enhanced with ' + 'comprehensive and ' + 'fully ' + 'standard-compliant ' + 'BETTER metadata ' + '(https://better-schema.readthedocs.io/).\n', + 'license': 'Commercial', + 'min-version': '3.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Secureworks ' + 'Threat ' + 'Intelligence ' + 'Authentication ' + 'Token'}}, + 'subscribe-url': 'https://www.secureworks.com/contact/ ' + '(Please reference ' + 'CTU Countermeasures)', + 'summary': 'Secureworks ' + 'suricata-enhanced ruleset', + 'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-enhanced_latest.tgz', + 'vendor': 'Secureworks'}, + 'scwx/malware': { 'description': 'High-fidelity, ' + 'high-priority ruleset ' + 'composed mainly of ' + 'malware-related ' + 'countermeasures and ' + 'curated by the ' + 'Secureworks Counter ' + 'Threat Unit research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '3.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Secureworks ' + 'Threat ' + 'Intelligence ' + 'Authentication ' + 'Token'}}, + 'subscribe-url': 'https://www.secureworks.com/contact/ ' + '(Please reference CTU ' + 'Countermeasures)', + 'summary': 'Secureworks ' + 'suricata-malware ruleset', + 'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz', + 'vendor': 'Secureworks'}, + 'scwx/security': { 'description': 'Broad ruleset composed ' + 'of malware rules and ' + 'other security-related ' + 'countermeasures, and ' + 'curated by the ' + 'Secureworks Counter ' + 'Threat Unit research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '3.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Secureworks ' + 'Threat ' + 'Intelligence ' + 'Authentication ' + 'Token'}}, + 'subscribe-url': 'https://www.secureworks.com/contact/ ' + '(Please reference ' + 'CTU Countermeasures)', + 'summary': 'Secureworks ' + 'suricata-security ruleset', + 'url': 'https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-security_latest.tgz', + 'vendor': 'Secureworks'}, + 'sslbl/ja3-fingerprints': { 'checksum': False, + 'description': 'If you are ' + 'running ' + 'Suricata, you ' + 'can use the ' + "SSLBL's " + 'Suricata JA3 ' + 'FingerprintRuleset ' + 'to detect ' + 'and/or block ' + 'malicious SSL ' + 'connections ' + 'in your ' + 'network based ' + 'on the JA3 ' + 'fingerprint. ' + 'Please note ' + 'that your ' + 'need Suricata ' + '4.1.0 or ' + 'newer in ' + 'order to use ' + 'the JA3 ' + 'fingerprint ' + 'ruleset.\n', + 'license': 'Non-Commercial', + 'min-version': '4.1.0', + 'summary': 'Abuse.ch Suricata ' + 'JA3 Fingerprint ' + 'Ruleset', + 'url': 'https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules', + 'vendor': 'Abuse.ch'}, + 'sslbl/ssl-fp-blacklist': { 'checksum': False, + 'description': 'The SSL ' + 'Blacklist ' + '(SSLBL) is a ' + 'project of ' + 'abuse.ch with ' + 'the goal of ' + 'detecting ' + 'malicious SSL ' + 'connections, ' + 'by ' + 'identifying ' + 'and ' + 'blacklisting ' + 'SSL ' + 'certificates ' + 'used by ' + 'botnet C&C ' + 'servers. In ' + 'addition, ' + 'SSLBL ' + 'identifies ' + 'JA3 ' + 'fingerprints ' + 'that helps ' + 'you to detect ' + '& block ' + 'malware ' + 'botnet C&C ' + 'communication ' + 'on the TCP ' + 'layer.\n', + 'license': 'Non-Commercial', + 'summary': 'Abuse.ch SSL ' + 'Blacklist', + 'url': 'https://sslbl.abuse.ch/blacklist/sslblacklist.rules', + 'vendor': 'Abuse.ch'}, + 'stamus/lateral': { 'description': 'Suricata ruleset ' + 'specifically focused ' + 'on detecting lateral\n' + 'movement in Microsoft ' + 'Windows environments ' + 'by Stamus Networks\n', + 'license': 'GPL-3.0-only', + 'min-version': '6.0.6', + 'summary': 'Lateral movement rules', + 'support-url': 'https://discord.com/channels/911231224448712714/911238451842666546', + 'url': 'https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz', + 'vendor': 'Stamus Networks'}, + 'stamus/nrd-14-open': { 'description': 'Newly Registered ' + 'Domains list ' + '(last 14 days) to ' + 'match on DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced by ' + 'Stamus Labs ' + 'research team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly Registered ' + 'Domains Open only - ' + '14 day list, complete', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-14.tar.gz', + 'vendor': 'Stamus Networks'}, + 'stamus/nrd-30-open': { 'description': 'Newly Registered ' + 'Domains list ' + '(last 30 days) to ' + 'match on DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced by ' + 'Stamus Labs ' + 'research team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly Registered ' + 'Domains Open only - ' + '30 day list, complete', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-nrd-30.tar.gz', + 'vendor': 'Stamus Networks'}, + 'stamus/nrd-entropy-14-open': { 'description': 'Suspicious ' + 'Newly ' + 'Registered ' + 'Domains ' + 'list with ' + 'high ' + 'entropy ' + '(last 14 ' + 'days) to ' + 'match on ' + 'DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced ' + 'by Stamus ' + 'Labs ' + 'research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly ' + 'Registered ' + 'Domains Open ' + 'only - 14 day ' + 'list, high ' + 'entropy', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-14.tar.gz', + 'vendor': 'Stamus ' + 'Networks'}, + 'stamus/nrd-entropy-30-open': { 'description': 'Suspicious ' + 'Newly ' + 'Registered ' + 'Domains ' + 'list with ' + 'high ' + 'entropy ' + '(last 30 ' + 'days) to ' + 'match on ' + 'DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced ' + 'by Stamus ' + 'Labs ' + 'research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly ' + 'Registered ' + 'Domains Open ' + 'only - 30 day ' + 'list, high ' + 'entropy', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-entropy-30.tar.gz', + 'vendor': 'Stamus ' + 'Networks'}, + 'stamus/nrd-phishing-14-open': { 'description': 'Suspicious ' + 'Newly ' + 'Registered ' + 'Domains ' + 'Phishing ' + 'list ' + '(last 14 ' + 'days) to ' + 'match on ' + 'DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced ' + 'by ' + 'Stamus ' + 'Labs ' + 'research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly ' + 'Registered ' + 'Domains Open ' + 'only - 14 ' + 'day list, ' + 'phishing', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-14.tar.gz', + 'vendor': 'Stamus ' + 'Networks'}, + 'stamus/nrd-phishing-30-open': { 'description': 'Suspicious ' + 'Newly ' + 'Registered ' + 'Domains ' + 'Phishing ' + 'list ' + '(last 30 ' + 'days) to ' + 'match on ' + 'DNS, TLS ' + 'and HTTP ' + 'communication.\n' + 'Produced ' + 'by ' + 'Stamus ' + 'Labs ' + 'research ' + 'team.\n', + 'license': 'Commercial', + 'min-version': '6.0.0', + 'parameters': { 'secret-code': { 'prompt': 'Stamus ' + 'Networks ' + 'License ' + 'code'}}, + 'subscribe-url': 'https://www.stamus-networks.com/stamus-labs/subscribe-to-threat-intel-feed', + 'summary': 'Newly ' + 'Registered ' + 'Domains Open ' + 'only - 30 ' + 'day list, ' + 'phishing', + 'url': 'https://ti.stamus-networks.io/%(secret-code)s/sti-domains-phishing-30.tar.gz', + 'vendor': 'Stamus ' + 'Networks'}, + 'tgreen/hunting': { 'checksum': False, + 'description': 'Heuristic ruleset for ' + 'hunting. Focus on ' + 'anomaly detection and ' + 'showcasing latest ' + 'engine features, not ' + 'performance.\n', + 'license': 'GPLv3', + 'min-version': '4.1.0', + 'summary': 'Threat hunting rules', + 'url': 'https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules', + 'vendor': 'tgreen'}}, + 'version': 1}
\ No newline at end of file diff --git a/suricata/update/data/update.py b/suricata/update/data/update.py new file mode 100644 index 0000000..8b34c40 --- /dev/null +++ b/suricata/update/data/update.py @@ -0,0 +1,53 @@ +# Copyright (C) 2018-2022 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import os.path +import sys +import pprint + +try: + from urllib2 import urlopen +except: + from urllib.request import urlopen + +import yaml + +DEFAULT_URL = "https://raw.githubusercontent.com/oisf/suricata-intel-index/master/index.yaml" + +def embed_index(): + """Embed a copy of the index as a Python source file. We can't use a + datafile yet as there is no easy way to do with distutils.""" + if len(sys.argv) > 1: + url = sys.argv[1] + else: + url = DEFAULT_URL + dist_filename = os.path.join(os.path.dirname(__file__), "index.py") + response = urlopen(url) + index = yaml.safe_load(response.read()) + + # Delete the version info to prevent the issue of the version info being out of + # date around a new release of Suricata where the index has not been updated + # to the latest recommended version. The user will be asked to update their + # sources to run the version check. + del(index["versions"]) + + pp = pprint.PrettyPrinter(indent=4) + + with open(dist_filename, "w") as fileobj: + fileobj.write("index = {}".format(pp.pformat(index))) + +if __name__ == "__main__": + embed_index() diff --git a/suricata/update/engine.py b/suricata/update/engine.py new file mode 100644 index 0000000..22ad9b3 --- /dev/null +++ b/suricata/update/engine.py @@ -0,0 +1,196 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2015 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +# This module contains functions for interacting with the Suricata +# application (aka the engine). + +from __future__ import print_function + +import sys +import os +import os.path +import subprocess +import re +import logging +import shutil +import yaml +import tempfile +from collections import namedtuple + +logger = logging.getLogger() + +SuricataVersion = namedtuple( + "SuricataVersion", ["major", "minor", "patch", "full", "short", "raw"]) + +def get_build_info(suricata): + build_info = { + "features": [], + } + build_info_output = subprocess.check_output([suricata, "--build-info"]) + for line in build_info_output.decode("utf-8").split("\n"): + line = line.strip() + if line.startswith("--prefix"): + build_info["prefix"] = line.split()[-1].strip() + elif line.startswith("--sysconfdir"): + build_info["sysconfdir"] = line.split()[-1].strip() + elif line.startswith("--localstatedir"): + build_info["localstatedir"] = line.split()[-1].strip() + elif line.startswith("--datarootdir"): + build_info["datarootdir"] = line.split()[-1].strip() + elif line.startswith("Features:"): + build_info["features"] = line.split()[1:] + elif line.startswith("This is Suricata version"): + build_info["version"] = parse_version(line) + + if not "prefix" in build_info: + logger.warning("--prefix not found in build-info.") + if not "sysconfdir" in build_info: + logger.warning("--sysconfdir not found in build-info.") + if not "localstatedir" in build_info: + logger.warning("--localstatedir not found in build-info.") + + return build_info + +class Configuration: + """An abstraction over the Suricata configuration file.""" + + def __init__(self, conf, build_info = {}): + self.conf = conf + self.build_info = build_info + + def keys(self): + return self.conf.keys() + + def has_key(self, key): + return key in self.conf + + def get(self, key): + return self.conf.get(key, None) + + def is_true(self, key, truthy=[]): + if not key in self.conf: + logger.warning( + "Suricata configuration key does not exist: %s" % (key)) + return False + if key in self.conf: + val = self.conf[key] + if val.lower() in ["1", "yes", "true"] + truthy: + return True + return False + + @classmethod + def load(cls, config_filename, suricata_path=None): + env = build_env() + env["SC_LOG_LEVEL"] = "Error" + if not suricata_path: + suricata_path = get_path() + if not suricata_path: + raise Exception("Suricata program could not be found.") + if not os.path.exists(suricata_path): + raise Exception("Suricata program %s does not exist.", suricata_path) + configuration_dump = subprocess.check_output( + [suricata_path, "-c", config_filename, "--dump-config"], + env=env) + conf = {} + for line in configuration_dump.splitlines(): + try: + key, val = line.decode().split(" = ") + conf[key] = val + except: + logger.warning("Failed to parse: %s", line) + build_info = get_build_info(suricata_path) + return cls(conf, build_info) + +def get_path(program="suricata"): + """Find Suricata in the shell path.""" + # First look for Suricata relative to suricata-update. + relative_path = os.path.join(os.path.dirname(sys.argv[0]), "suricata") + if os.path.exists(relative_path): + logger.debug("Found suricata at %s" % (relative_path)) + return relative_path + + # Otherwise look for it in the path. + for path in os.environ["PATH"].split(os.pathsep): + if not path: + continue + suricata_path = os.path.join(path, program) + logger.debug("Looking for %s in %s" % (program, path)) + if os.path.exists(suricata_path): + logger.debug("Found %s." % (suricata_path)) + return suricata_path + return None + +def parse_version(buf): + m = re.search(r"((\d+)\.(\d+)(\.(\d+))?([\w\-]+)?)", str(buf).strip()) + if m: + full = m.group(1) + major = int(m.group(2)) + minor = int(m.group(3)) + if not m.group(5): + patch = 0 + else: + patch = int(m.group(5)) + short = "%s.%s" % (major, minor) + return SuricataVersion( + major=major, minor=minor, patch=patch, short=short, full=full, + raw=buf) + return None + +def get_version(path): + """Get a SuricataVersion named tuple describing the version. + + If no path argument is found, the envionment PATH will be + searched. + """ + if not path: + return None + output = subprocess.check_output([path, "-V"]) + if output: + return parse_version(output) + return None + +def test_configuration(suricata_path, suricata_conf=None, rule_filename=None): + """Test the Suricata configuration with -T.""" + tempdir = tempfile.mkdtemp() + test_command = [ + suricata_path, + "-T", + "-l", tempdir, + ] + if suricata_conf: + test_command += ["-c", suricata_conf] + if rule_filename: + test_command += ["-S", rule_filename] + + env = build_env() + env["SC_LOG_LEVEL"] = "Warning" + + logger.debug("Running %s; env=%s", " ".join(test_command), str(env)) + rc = subprocess.Popen(test_command, env=env).wait() + ret = True if rc == 0 else False + + # Cleanup the temp dir + shutil.rmtree(tempdir) + + return ret + +def build_env(): + env = os.environ.copy() + env["SC_LOG_FORMAT"] = "%t - <%d> -- " + env["SC_LOG_LEVEL"] = "Error" + env["ASAN_OPTIONS"] = "detect_leaks=0" + return env diff --git a/suricata/update/exceptions.py b/suricata/update/exceptions.py new file mode 100644 index 0000000..1f2c547 --- /dev/null +++ b/suricata/update/exceptions.py @@ -0,0 +1,21 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +class ApplicationError(Exception): + pass + +class InvalidConfigurationError(ApplicationError): + pass diff --git a/suricata/update/extract.py b/suricata/update/extract.py new file mode 100644 index 0000000..20e4156 --- /dev/null +++ b/suricata/update/extract.py @@ -0,0 +1,68 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2017 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import tarfile +from zipfile import ZipFile + +def extract_tar(filename): + files = {} + + tf = tarfile.open(filename, mode="r:*") + + try: + while True: + member = tf.next() + if member is None: + break + if not member.isfile(): + continue + fileobj = tf.extractfile(member) + if fileobj: + # Remove leading /. + member_name = member.name.lstrip("/") + files[member_name] = fileobj.read() + finally: + tf.close() + + return files + +def extract_zip(filename): + files = {} + + with ZipFile(filename) as reader: + for name in reader.namelist(): + if name.endswith("/"): + continue + fixed_name = name.lstrip("/") + files[fixed_name] = reader.read(name) + + return files + +def try_extract(filename): + try: + return extract_tar(filename) + except: + pass + + try: + return extract_zip(filename) + except: + pass + + return None diff --git a/suricata/update/loghandler.py b/suricata/update/loghandler.py new file mode 100644 index 0000000..dc10504 --- /dev/null +++ b/suricata/update/loghandler.py @@ -0,0 +1,115 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2016 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import sys +import os +import logging +import time + +# A list of secrets that will be replaced in the log output. +secrets = {} + + +def add_secret(secret, replacement): + """Register a secret to be masked. The secret will be replaced with: + <replacement> + """ + secrets[str(secret)] = str(replacement) + + +class SuriColourLogHandler(logging.StreamHandler): + """An alternative stream log handler that logs with Suricata inspired + log colours.""" + + GREEN = "\x1b[32m" + BLUE = "\x1b[34m" + REDB = "\x1b[1;31m" + YELLOW = "\x1b[33m" + RED = "\x1b[31m" + YELLOWB = "\x1b[1;33m" + ORANGE = "\x1b[38;5;208m" + RESET = "\x1b[0m" + + def formatTime(self, record): + lt = time.localtime(record.created) + t = "%d/%d/%d -- %02d:%02d:%02d" % (lt.tm_mday, + lt.tm_mon, + lt.tm_year, + lt.tm_hour, + lt.tm_min, + lt.tm_sec) + return "%s" % (t) + + def emit(self, record): + + if record.levelname == "ERROR": + level_prefix = self.REDB + message_prefix = self.REDB + elif record.levelname == "WARNING": + level_prefix = self.ORANGE + message_prefix = self.ORANGE + else: + level_prefix = self.YELLOW + message_prefix = "" + + if os.isatty(self.stream.fileno()): + self.stream.write("%s%s%s - <%s%s%s> -- %s%s%s\n" % ( + self.GREEN, + self.formatTime(record), + self.RESET, + level_prefix, + record.levelname.title(), + self.RESET, + message_prefix, + self.mask_secrets(record.getMessage()), + self.RESET)) + else: + self.stream.write("%s - <%s> -- %s\n" % ( + self.formatTime(record), + record.levelname.title(), + self.mask_secrets(record.getMessage()))) + + def mask_secrets(self, msg): + for secret in secrets: + msg = msg.replace(secret, "<%s>" % secrets[secret]) + return msg + + +class LessThanFilter(logging.Filter): + def __init__(self, exclusive_maximum, name=""): + super(LessThanFilter, self).__init__(name) + self.max_level = exclusive_maximum + + def filter(self, record): + return 1 if record.levelno < self.max_level else 0 + + +def configure_logging(): + if os.fstat(sys.stdout.fileno()) == os.fstat(sys.stderr.fileno()): + filter_stdout = True + else: + filter_stdout = False + logger = logging.getLogger() + logger.setLevel(logging.NOTSET) + logging_handler_out = SuriColourLogHandler(sys.stdout) + logging_handler_out.setLevel(logging.DEBUG) + if filter_stdout: + logging_handler_out.addFilter(LessThanFilter(logging.WARNING)) + logger.addHandler(logging_handler_out) + logging_handler_err = SuriColourLogHandler(sys.stderr) + logging_handler_err.setLevel(logging.WARNING) + logger.addHandler(logging_handler_err) diff --git a/suricata/update/main.py b/suricata/update/main.py new file mode 100644 index 0000000..18af7a8 --- /dev/null +++ b/suricata/update/main.py @@ -0,0 +1,1404 @@ +# Copyright (C) 2017-2022 Open Information Security Foundation +# Copyright (c) 2015-2017 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import sys +import re +import os.path +import logging +import argparse +import time +import hashlib +import fnmatch +import subprocess +import shutil +import glob +import io +import tempfile +import signal +import errno +from collections import namedtuple + +try: + # Python 3. + from urllib.error import URLError +except ImportError: + # Python 2.7. + from urllib2 import URLError + +try: + import yaml +except: + print("error: pyyaml is required") + sys.exit(1) + +from suricata.update import ( + commands, + config, + configs, + engine, + exceptions, + extract, + loghandler, + net, + notes, + parsers, + rule as rule_mod, + sources, + util, + matchers as matchers_mod +) + +from suricata.update.version import version +try: + from suricata.update.revision import revision +except: + revision = None + +SourceFile = namedtuple("SourceFile", ["filename", "content"]) + +if sys.argv[0] == __file__: + sys.path.insert( + 0, os.path.abspath(os.path.join(__file__, "..", "..", ".."))) + +# Initialize logging, use colour if on a tty. +if len(logging.root.handlers) == 0: + logger = logging.getLogger() + loghandler.configure_logging() + logger.setLevel(level=logging.INFO) +else: + logging.basicConfig( + level=logging.INFO, + format="%(asctime)s - <%(levelname)s> - %(message)s") + logger = logging.getLogger() + +# If Suricata is not found, default to this version. +DEFAULT_SURICATA_VERSION = "6.0.0" + +# The default filename to use for the output rule file. This is a +# single file concatenating all input rule files together. +DEFAULT_OUTPUT_RULE_FILENAME = "suricata.rules" + +INDEX_EXPIRATION_TIME = 60 * 60 * 24 * 14 + +# Rule keywords that come with files +file_kw = ["filemd5", "filesha1", "filesha256", "dataset"] + +def strict_error(msg): + logger.error(msg) + if config.args().fail: + sys.exit(1) + +class Fetch: + + def __init__(self): + self.istty = os.isatty(sys.stdout.fileno()) + + def check_checksum(self, tmp_filename, url, checksum_url=None): + try: + if not isinstance(checksum_url, str): + checksum_url = url[0] + ".md5" + net_arg=(checksum_url,url[1]) + local_checksum = hashlib.md5( + open(tmp_filename, "rb").read()).hexdigest().strip() + remote_checksum_buf = io.BytesIO() + logger.info("Checking %s." % (checksum_url)) + net.get(net_arg, remote_checksum_buf) + remote_checksum = remote_checksum_buf.getvalue().decode().strip() + logger.debug("Local checksum=|%s|; remote checksum=|%s|" % ( + local_checksum, remote_checksum)) + if local_checksum == remote_checksum: + os.utime(tmp_filename, None) + return True + except Exception as err: + logger.warning("Failed to check remote checksum: %s" % err) + return False + + def progress_hook(self, content_length, bytes_read): + if config.args().quiet or not self.istty: + return + if not content_length or content_length == 0: + percent = 0 + else: + percent = int((bytes_read / float(content_length)) * 100) + buf = " %3d%% - %-30s" % ( + percent, "%d/%d" % (bytes_read, content_length)) + sys.stdout.write(buf) + sys.stdout.flush() + sys.stdout.write("\b" * 38) + + def progress_hook_finish(self): + if config.args().quiet or not self.istty: + return + sys.stdout.write("\n") + sys.stdout.flush() + + def url_basename(self, url): + """ Return the base filename of the URL. """ + filename = os.path.basename(url).split("?", 1)[0] + return filename + + def get_tmp_filename(self, url): + url_hash = hashlib.md5(url.encode("utf-8")).hexdigest() + return os.path.join( + config.get_cache_dir(), + "%s-%s" % (url_hash, self.url_basename(url))) + + def fetch(self, url): + net_arg = url + checksum = url[2] + url = url[0] + tmp_filename = self.get_tmp_filename(url) + if config.args().offline: + if config.args().force: + logger.warning("Running offline, skipping download of %s", url) + logger.info("Using latest cached version of rule file: %s", url) + if not os.path.exists(tmp_filename): + logger.error("Can't proceed offline, " + "source {} has not yet been downloaded.".format(url)) + sys.exit(1) + return self.extract_files(tmp_filename) + if not config.args().force and os.path.exists(tmp_filename): + if not config.args().now and \ + time.time() - os.stat(tmp_filename).st_mtime < (60 * 15): + logger.info( + "Last download less than 15 minutes ago. Not downloading %s.", + url) + return self.extract_files(tmp_filename) + if checksum: + if self.check_checksum(tmp_filename, net_arg, checksum): + logger.info("Remote checksum has not changed. " + "Not fetching.") + return self.extract_files(tmp_filename) + if not os.path.exists(config.get_cache_dir()): + os.makedirs(config.get_cache_dir(), mode=0o770) + logger.info("Fetching %s." % (url)) + try: + tmp_fileobj = tempfile.NamedTemporaryFile() + net.get( + net_arg, + tmp_fileobj, + progress_hook=self.progress_hook) + shutil.copyfile(tmp_fileobj.name, tmp_filename) + tmp_fileobj.close() + except URLError as err: + if os.path.exists(tmp_filename): + if config.args().fail: + strict_error("Failed to fetch {}: {}".format(url, err)) + else: + logger.error("Failed to fetch {}, will use latest cached version: {}".format(url, err)) + return self.extract_files(tmp_filename) + raise err + except IOError as err: + self.progress_hook_finish() + logger.error("Failed to copy file: {}".format(err)) + sys.exit(1) + except Exception as err: + raise err + self.progress_hook_finish() + logger.info("Done.") + return self.extract_files(tmp_filename) + + def run(self, url=None): + files = {} + if url: + try: + fetched = self.fetch(url) + files.update(fetched) + except URLError as err: + url = url[0] if isinstance(url, tuple) else url + strict_error("Failed to fetch {}: {}".format(url, err)) + else: + for url in self.args.url: + files.update(self.fetch(url)) + return files + + def extract_files(self, filename): + files = extract.try_extract(filename) + if files: + return files + + # The file is not an archive, treat it as an individual file. + basename = os.path.basename(filename).split("-", 1)[1] + if not basename.endswith(".rules"): + basename = "{}.rules".format(basename) + files = {} + files[basename] = open(filename, "rb").read() + return files + +def load_filters(filename): + + filters = [] + + with open(filename) as fileobj: + for line in fileobj: + line = line.strip() + if not line or line.startswith("#"): + continue + line = line.rsplit(" #")[0].strip() + + try: + if line.startswith("metadata-add"): + rule_filter = matchers_mod.AddMetadataFilter.parse(line) + filters.append(rule_filter) + else: + line = re.sub(r'\\\$', '$', line) # needed to escape $ in pp + rule_filter = matchers_mod.ModifyRuleFilter.parse(line) + filters.append(rule_filter) + except Exception as err: + raise exceptions.ApplicationError( + "Failed to parse modify filter: {}".format(line)) + + return filters + +def load_drop_filters(filename): + matchers = load_matchers(filename) + filters = [] + + for matcher in matchers: + filters.append(matchers_mod.DropRuleFilter(matcher)) + + return filters + +def parse_matchers(fileobj): + matchers = [] + + for line in fileobj: + line = line.strip() + if not line or line.startswith("#"): + continue + line = line.rsplit(" #")[0] + matcher = matchers_mod.parse_rule_match(line) + if not matcher: + logger.warn("Failed to parse: \"%s\"" % (line)) + else: + matchers.append(matcher) + + return matchers + +def load_matchers(filename): + with open(filename) as fileobj: + return parse_matchers(fileobj) + +def load_local(local, files): + + """Load local files into the files dict.""" + if os.path.isdir(local): + for dirpath, dirnames, filenames in os.walk(local): + for filename in filenames: + if filename.endswith(".rules"): + path = os.path.join(local, filename) + load_local(path, files) + else: + local_files = glob.glob(local) + if len(local_files) == 0: + local_files.append(local) + for filename in local_files: + filename = os.path.realpath(filename) + logger.info("Loading local file %s" % (filename)) + if filename in files: + logger.warn( + "Local file %s overrides existing file of same name." % ( + filename)) + try: + with open(filename, "rb") as fileobj: + files.append(SourceFile(filename, fileobj.read())) + except Exception as err: + logger.error("Failed to open {}: {}".format(filename, err)) + +def load_dist_rules(files): + """Load the rule files provided by the Suricata distribution.""" + + # In the future hopefully we can just pull in all files from + # /usr/share/suricata/rules, but for now pull in the set of files + # known to have been provided by the Suricata source. + filenames = [ + "app-layer-events.rules", + "decoder-events.rules", + "dhcp-events.rules", + "dnp3-events.rules", + "dns-events.rules", + "files.rules", + "http-events.rules", + "ipsec-events.rules", + "kerberos-events.rules", + "modbus-events.rules", + "nfs-events.rules", + "ntp-events.rules", + "smb-events.rules", + "smtp-events.rules", + "stream-events.rules", + "tls-events.rules", + ] + + dist_rule_path = config.get(config.DIST_RULE_DIRECTORY_KEY) + if not dist_rule_path: + logger.warning("No distribution rule directory found.") + return + + if not os.path.exists(dist_rule_path): + logger.warning("Distribution rule directory not found: %s", + dist_rule_path) + return + + if os.path.exists(dist_rule_path): + if not os.access(dist_rule_path, os.R_OK): + logger.warning("Distribution rule path not readable: %s", + dist_rule_path) + return + for filename in filenames: + path = os.path.join(dist_rule_path, filename) + if not os.path.exists(path): + continue + if not os.access(path, os.R_OK): + logger.warning("Distribution rule file not readable: %s", + path) + continue + logger.info("Loading distribution rule file %s", path) + try: + with open(path, "rb") as fileobj: + files.append(SourceFile(path, fileobj.read())) + except Exception as err: + logger.error("Failed to open {}: {}".format(path, err)) + sys.exit(1) + +def load_classification(suriconf, files): + filename = os.path.join("suricata", "classification.config") + dirs = [] + classification_dict = {} + if "sysconfdir" in suriconf.build_info: + dirs.append(os.path.join(suriconf.build_info["sysconfdir"], filename)) + if "datarootdir" in suriconf.build_info: + dirs.append(os.path.join(suriconf.build_info["datarootdir"], filename)) + + for path in dirs: + if os.path.exists(path): + logger.debug("Loading {}".format(path)) + with open(path) as fp: + for line in fp: + if line.startswith("#") or not line.strip(): + continue + config_classification = line.split(":")[1].strip() + key, desc, priority = config_classification.split(",") + if key in classification_dict: + if classification_dict[key][1] >= priority: + continue + classification_dict[key] = [desc, priority, line.strip()] + + # Handle files from the sources + for filep in files: + logger.debug("Loading {}".format(filep[0])) + lines = filep[1].decode().split('\n') + for line in lines: + if line.startswith("#") or not line.strip(): + continue + config_classification = line.split(":")[1].strip() + key, desc, priority = config_classification.split(",") + if key in classification_dict: + if classification_dict[key][1] >= priority: + if classification_dict[key][1] > priority: + logger.warning("Found classification with same shortname \"{}\"," + " keeping the one with higher priority ({})".format( + key, classification_dict[key][1])) + continue + classification_dict[key] = [desc, priority, line.strip()] + + return classification_dict + +def manage_classification(suriconf, files): + if suriconf is None: + # Can't continue without a valid Suricata configuration + # object. + return + classification_dict = load_classification(suriconf, files) + path = os.path.join(config.get_output_dir(), "classification.config") + try: + logger.info("Writing {}".format(path)) + with open(path, "w+") as fp: + fp.writelines("{}\n".format(v[2]) for k, v in classification_dict.items()) + except (OSError, IOError) as err: + logger.error(err) + +def handle_dataset_files(rule, dep_files): + if not rule.enabled: + return + dataset_load = [el for el in (el.strip() for el in rule.dataset.split(",")) if el.startswith("load")] + if not dataset_load: + # No dataset load found. + return + dataset_filename = dataset_load[0].split(maxsplit=1)[1].strip() + + # Get the directory name the rule is from. + prefix = os.path.dirname(rule.group) + + # Construct the source filename. + source_filename = os.path.join(prefix, dataset_filename) + + # If a source filename starts with a "/", look for it on the filesystem. The archive + # unpackers will take care of removing a leading / so this shouldn't happen for + # downloaded rulesets. + if source_filename.startswith("/"): + if not os.path.exists(source_filename): + logger.warn("Local dataset file '{}' was not found for rule {}, rule will be disabled".format(source_filename, rule.idstr)) + rule.enabled = False + return + dataset_contents = open(source_filename, "rb").read() + else: + if not source_filename in dep_files: + logger.warn("Dataset file '{}' was not found for rule {}, rule will be disabled".format(dataset_filename, rule.idstr)) + rule.enabled = False + return + dataset_contents = dep_files[source_filename] + + source_filename_hash = hashlib.md5(source_filename.encode()).hexdigest() + new_rule = re.sub(r"(dataset.*?load\s+){}".format(dataset_filename), r"\g<1>datasets/{}".format(source_filename_hash), rule.format()) + dest_filename = os.path.join(config.get_output_dir(), "datasets", source_filename_hash) + dest_dir = os.path.dirname(dest_filename) + logger.debug("Copying dataset file {} to {}".format(dataset_filename, dest_filename)) + try: + os.makedirs(dest_dir, exist_ok=True) + except Exception as err: + logger.error("Failed to create directory {}: {}".format(dest_dir, err)) + return + with open(dest_filename, "w") as fp: + fp.write(dataset_contents.decode("utf-8")) + return new_rule + +def handle_filehash_files(rule, dep_files, fhash): + if not rule.enabled: + return + filehash_fname = rule.get(fhash) + + # Get the directory name the rule is from. + prefix = os.path.dirname(rule.group) + + source_filename = os.path.join(prefix, filehash_fname) + dest_filename = source_filename[len(prefix) + len(os.path.sep):] + logger.debug("dest_filename={}".format(dest_filename)) + + if source_filename not in dep_files: + logger.error("{} file {} was not found".format(fhash, filehash_fname)) + else: + logger.debug("Copying %s file %s to output directory" % (fhash, filehash_fname)) + filepath = os.path.join(config.get_output_dir(), os.path.dirname(dest_filename)) + logger.debug("filepath: %s" % filepath) + try: + os.makedirs(filepath) + except OSError as oserr: + if oserr.errno != errno.EEXIST: + logger.error(oserr) + sys.exit(1) + output_filename = os.path.join(filepath, os.path.basename(filehash_fname)) + logger.debug("output fname: %s" % output_filename) + with open(output_filename, "w") as fp: + fp.write(dep_files[source_filename].decode("utf-8")) + +def write_merged(filename, rulemap, dep_files): + + if not args.quiet: + # List of rule IDs that have been added. + added = [] + # List of rule objects that have been removed. + removed = [] + # List of rule IDs that have been modified. + modified = [] + + oldset = {} + if os.path.exists(filename): + for rule in rule_mod.parse_file(filename): + oldset[rule.id] = True + if not rule.id in rulemap: + removed.append(rule) + elif rule.format() != rulemap[rule.id].format(): + modified.append(rulemap[rule.id]) + + for key in rulemap: + if not key in oldset: + added.append(key) + + enabled = len([rule for rule in rulemap.values() if rule.enabled]) + logger.info("Writing rules to %s: total: %d; enabled: %d; " + "added: %d; removed %d; modified: %d" % ( + filename, + len(rulemap), + enabled, + len(added), + len(removed), + len(modified))) + tmp_filename = ".".join([filename, "tmp"]) + with io.open(tmp_filename, encoding="utf-8", mode="w") as fileobj: + for sid in rulemap: + rule = rulemap[sid] + reformatted = None + for kw in file_kw: + if kw in rule: + if "dataset" == kw: + reformatted = handle_dataset_files(rule, dep_files) + else: + handle_filehash_files(rule, dep_files, kw) + if reformatted: + print(reformatted, file=fileobj) + else: + print(rule.format(), file=fileobj) + os.rename(tmp_filename, filename) + +def write_to_directory(directory, files, rulemap, dep_files): + # List of rule IDs that have been added. + added = [] + # List of rule objects that have been removed. + removed = [] + # List of rule IDs that have been modified. + modified = [] + + oldset = {} + if not args.quiet: + for file in files: + outpath = os.path.join( + directory, os.path.basename(file.filename)) + + if os.path.exists(outpath): + for rule in rule_mod.parse_file(outpath): + oldset[rule.id] = True + if not rule.id in rulemap: + removed.append(rule) + elif rule.format() != rulemap[rule.id].format(): + modified.append(rule.id) + for key in rulemap: + if not key in oldset: + added.append(key) + + enabled = len([rule for rule in rulemap.values() if rule.enabled]) + logger.info("Writing rule files to directory %s: total: %d; " + "enabled: %d; added: %d; removed %d; modified: %d" % ( + directory, + len(rulemap), + enabled, + len(added), + len(removed), + len(modified))) + + for file in sorted(files): + outpath = os.path.join( + directory, os.path.basename(file.filename)) + logger.debug("Writing %s." % outpath) + if not file.filename.endswith(".rules"): + open(outpath, "wb").write(file.content) + else: + content = [] + for line in io.StringIO(file.content.decode("utf-8")): + rule = rule_mod.parse(line) + if not rule or rule.id not in rulemap: + content.append(line.strip()) + else: + reformatted = None + for kw in file_kw: + if kw in rule: + if "dataset" == kw: + reformatted = handle_dataset_files(rulemap[rule.id], dep_files) + else: + handle_filehash_files(rulemap[rule.id], dep_files, kw) + if reformatted: + content.append(reformatted) + else: + content.append(rulemap[rule.id].format()) + tmp_filename = ".".join([outpath, "tmp"]) + io.open(tmp_filename, encoding="utf-8", mode="w").write( + u"\n".join(content)) + os.rename(tmp_filename, outpath) + +def write_yaml_fragment(filename, files): + logger.info( + "Writing YAML configuration fragment: %s" % (filename)) + with open(filename, "w") as fileobj: + print("%YAML 1.1", file=fileobj) + print("---", file=fileobj) + print("rule-files:", file=fileobj) + for fn in sorted(files): + if fn.endswith(".rules"): + print(" - %s" % os.path.basename(fn), file=fileobj) + +def write_sid_msg_map(filename, rulemap, version=1): + logger.info("Writing %s." % (filename)) + with io.open(filename, encoding="utf-8", mode="w") as fileobj: + for key in rulemap: + rule = rulemap[key] + if version == 2: + formatted = rule_mod.format_sidmsgmap_v2(rule) + if formatted: + print(formatted, file=fileobj) + else: + formatted = rule_mod.format_sidmsgmap(rule) + if formatted: + print(formatted, file=fileobj) + +def build_rule_map(rules): + """Turn a list of rules into a mapping of rules. + + In case of gid:sid conflict, the rule with the higher revision + number will be used. + """ + rulemap = {} + + for rule in rules: + if rule.id not in rulemap: + rulemap[rule.id] = rule + else: + if rule["rev"] == rulemap[rule.id]["rev"]: + logger.warning( + "Found duplicate rule SID {} with same revision, " + "keeping the first rule seen.".format(rule.sid)) + if rule["rev"] > rulemap[rule.id]["rev"]: + logger.warning( + "Found duplicate rule SID {}, " + "keeping the rule with greater revision.".format(rule.sid)) + rulemap[rule.id] = rule + + return rulemap + +def dump_sample_configs(): + + for filename in configs.filenames: + if os.path.exists(filename): + logger.info("File already exists, not dumping %s." % (filename)) + else: + logger.info("Creating %s." % (filename)) + shutil.copy(os.path.join(configs.directory, filename), filename) + +def resolve_flowbits(rulemap, disabled_rules): + flowbit_resolver = rule_mod.FlowbitResolver() + flowbit_enabled = set() + pass_ = 1 + while True: + logger.debug("Checking flowbits for pass %d of rules.", pass_) + flowbits = flowbit_resolver.get_required_flowbits(rulemap) + logger.debug("Found %d required flowbits.", len(flowbits)) + required_rules = flowbit_resolver.get_required_rules(rulemap, flowbits) + logger.debug( + "Found %d rules to enable for flowbit requirements (pass %d)", + len(required_rules), pass_) + if not required_rules: + logger.debug("All required rules enabled.") + break + for rule in required_rules: + if not rule.enabled and rule in disabled_rules: + logger.debug( + "Enabling previously disabled rule for flowbits: %s" % ( + rule.brief())) + rule.enabled = True + rule.noalert = True + flowbit_enabled.add(rule) + pass_ = pass_ + 1 + logger.info("Enabled %d rules for flowbit dependencies." % ( + len(flowbit_enabled))) + +class ThresholdProcessor: + + patterns = [ + re.compile(r"\s+(re:\"(.*)\")"), + re.compile(r"\s+(re:(.*?)),.*"), + re.compile(r"\s+(re:(.*))"), + ] + + def extract_regex(self, buf): + for pattern in self.patterns: + m = pattern.search(buf) + if m: + return m.group(2) + + def extract_pattern(self, buf): + regex = self.extract_regex(buf) + if regex: + return re.compile(regex, re.I) + + def replace(self, threshold, rule): + for pattern in self.patterns: + m = pattern.search(threshold) + if m: + return threshold.replace( + m.group(1), "gen_id %d, sig_id %d" % (rule.gid, rule.sid)) + return threshold + + def process(self, filein, fileout, rulemap): + count = 0 + for line in filein: + line = line.rstrip() + if not line or line.startswith("#"): + print(line, file=fileout) + continue + pattern = self.extract_pattern(line) + if not pattern: + print(line, file=fileout) + else: + for rule in rulemap.values(): + if rule.enabled: + if pattern.search(rule.format()): + count += 1 + print("# %s" % (rule.brief()), file=fileout) + print(self.replace(line, rule), file=fileout) + print("", file=fileout) + logger.info("Generated %d thresholds to %s." % (count, fileout.name)) + +class FileTracker: + """Used to check if files are modified. + + Usage: Add files with add(filename) prior to modification. Test + with any_modified() which will return True if any of the checksums + have been modified. + + """ + + def __init__(self): + self.hashes = {} + + def add(self, filename): + checksum = self.md5(filename) + if not checksum: + logger.debug("Recording new file %s" % (filename)) + else: + logger.debug("Recording existing file %s with hash '%s'.", + filename, checksum) + self.hashes[filename] = checksum + + def md5(self, filename): + if not os.path.exists(filename): + return "" + else: + return hashlib.md5(open(filename, "rb").read()).hexdigest() + + def any_modified(self): + for filename in self.hashes: + if self.md5(filename) != self.hashes[filename]: + return True + return False + +def ignore_file(ignore_files, filename): + if not ignore_files: + return False + for pattern in ignore_files: + if fnmatch.fnmatch(os.path.basename(filename), pattern): + return True + return False + +def check_vars(suriconf, rulemap): + """Check that all vars referenced by a rule exist. If a var is not + found, disable the rule. + """ + if suriconf is None: + # Can't continue without a valid Suricata configuration + # object. + return + for rule_id in rulemap: + rule = rulemap[rule_id] + disable = False + for var in rule_mod.parse_var_names(rule["source_addr"]): + if not suriconf.has_key("vars.address-groups.%s" % (var)): + logger.warning( + "Rule has unknown source address var and will be disabled: %s: %s" % ( + var, rule.brief())) + notes.address_group_vars.add(var) + disable = True + for var in rule_mod.parse_var_names(rule["dest_addr"]): + if not suriconf.has_key("vars.address-groups.%s" % (var)): + logger.warning( + "Rule has unknown dest address var and will be disabled: %s: %s" % ( + var, rule.brief())) + notes.address_group_vars.add(var) + disable = True + for var in rule_mod.parse_var_names(rule["source_port"]): + if not suriconf.has_key("vars.port-groups.%s" % (var)): + logger.warning( + "Rule has unknown source port var and will be disabled: %s: %s" % ( + var, rule.brief())) + notes.port_group_vars.add(var) + disable = True + for var in rule_mod.parse_var_names(rule["dest_port"]): + if not suriconf.has_key("vars.port-groups.%s" % (var)): + logger.warning( + "Rule has unknown dest port var and will be disabled: %s: %s" % ( + var, rule.brief())) + notes.port_group_vars.add(var) + disable = True + + if disable: + rule.enabled = False + +def test_suricata(suricata_path): + if not suricata_path: + logger.info("No suricata application binary found, skipping test.") + return True + + if config.get("no-test"): + logger.info("Skipping test, disabled by configuration.") + return True + + if config.get("test-command"): + test_command = config.get("test-command") + logger.info("Testing Suricata configuration with: %s" % ( + test_command)) + env = { + "SURICATA_PATH": suricata_path, + "OUTPUT_DIR": config.get_output_dir(), + } + if not config.get("no-merge"): + env["OUTPUT_FILENAME"] = os.path.join( + config.get_output_dir(), DEFAULT_OUTPUT_RULE_FILENAME) + rc = subprocess.Popen(test_command, shell=True, env=env).wait() + if rc != 0: + return False + else: + logger.info("Testing with suricata -T.") + suricata_conf = config.get("suricata-conf") + if not config.get("no-merge"): + if not engine.test_configuration( + suricata_path, suricata_conf, + os.path.join( + config.get_output_dir(), + DEFAULT_OUTPUT_RULE_FILENAME)): + return False + else: + if not engine.test_configuration(suricata_path, suricata_conf): + return False + + return True + +def copytree(src, dst): + """A shutil.copytree like function that will copy the files from one + tree to another even if the path exists. + + """ + + for dirpath, dirnames, filenames in os.walk(src): + for filename in filenames: + src_path = os.path.join(dirpath, filename) + dst_path = os.path.join(dst, src_path[len(src) + 1:]) + if not os.path.exists(os.path.dirname(dst_path)): + os.makedirs(os.path.dirname(dst_path), mode=0o770) + shutil.copyfile(src_path, dst_path) + + # Also attempt to copy the stat bits, but this may fail + # if the owner of the file is not the same as the user + # running the program. + try: + shutil.copystat(src_path, dst_path) + except OSError as err: + logger.debug( + "Failed to copy stat info from %s to %s", src_path, + dst_path) + +def load_sources(suricata_version): + urls = [] + + http_header = None + checksum = True + + # Add any URLs added with the --url command line parameter. + if config.args().url: + for url in config.args().url: + urls.append((url, http_header, checksum)) + + # Get the new style sources. + enabled_sources = sources.get_enabled_sources() + + # Convert the Suricata version to a version string. + version_string = "%d.%d.%d" % ( + suricata_version.major, suricata_version.minor, + suricata_version.patch) + + # Construct the URL replacement parameters that are internal to + # suricata-update. + internal_params = {"__version__": version_string} + + # If we have new sources, we also need to load the index. + if enabled_sources: + index_filename = sources.get_index_filename() + if not os.path.exists(index_filename): + logger.warning("No index exists, will use bundled index.") + logger.warning("Please run suricata-update update-sources.") + if os.path.exists(index_filename) and time.time() - \ + os.stat(index_filename).st_mtime > INDEX_EXPIRATION_TIME: + logger.warning( + "Source index is older than 2 weeks. " + "Please update with suricata-update update-sources.") + index = sources.Index(index_filename) + + for (name, source) in enabled_sources.items(): + params = source["params"] if "params" in source else {} + params.update(internal_params) + if "url" in source: + # No need to go off to the index. + http_header = source.get("http-header") + checksum = source.get("checksum") + url = (source["url"] % params, http_header, checksum) + logger.debug("Resolved source %s to URL %s.", name, url[0]) + else: + if not index: + raise exceptions.ApplicationError( + "Source index is required for source %s; " + "run suricata-update update-sources" % (source["source"])) + source_config = index.get_source_by_name(name) + if source_config is None: + logger.warn("Source no longer exists in index and will not be fetched: {}".format(name)) + continue + try: + checksum = source_config["checksum"] + except: + checksum = True + url = (index.resolve_url(name, params), http_header, + checksum) + if "deprecated" in source_config: + logger.warn("Source has been deprecated: %s: %s" % ( + name, source_config["deprecated"])) + if "obsolete" in source_config: + logger.warn("Source is obsolete and will not be fetched: %s: %s" % ( + name, source_config["obsolete"])) + continue + logger.debug("Resolved source %s to URL %s.", name, url[0]) + urls.append(url) + + if config.get("sources"): + for url in config.get("sources"): + if not isinstance(url, str): + raise exceptions.InvalidConfigurationError( + "Invalid datatype for source URL: %s" % (str(url))) + url = (url % internal_params, http_header, checksum) + logger.debug("Adding source %s.", url) + urls.append(url) + + # If --etopen is on the command line, make sure its added. Or if + # there are no URLs, default to ET/Open. + if config.get("etopen") or not urls: + if not config.args().offline and not urls: + logger.info("No sources configured, will use Emerging Threats Open") + urls.append((sources.get_etopen_url(internal_params), http_header, + checksum)) + + # Converting the URLs to a set removed dupes. + urls = set(urls) + + # Now download each URL. + files = [] + for url in urls: + + # To de-duplicate filenames, add a prefix that is a hash of the URL. + prefix = hashlib.md5(url[0].encode()).hexdigest() + source_files = Fetch().run(url) + for key in source_files: + content = source_files[key] + key = os.path.join(prefix, key) + files.append(SourceFile(key, content)) + + # Now load local rules. + if config.get("local") is not None: + for local in config.get("local"): + load_local(local, files) + + return files + +def copytree_ignore_backup(src, names): + """ Returns files to ignore when doing a backup of the rules. """ + return [".cache"] + +def check_output_directory(output_dir): + """ Check that the output directory exists, creating it if it doesn't. """ + if not os.path.exists(output_dir): + logger.info("Creating directory %s." % (output_dir)) + try: + os.makedirs(output_dir, mode=0o770) + except Exception as err: + raise exceptions.ApplicationError( + "Failed to create directory %s: %s" % ( + output_dir, err)) + +# Check and disable ja3 rules if needed. +# +# Note: This is a bit of a quick fixup job for 5.0, but we should look +# at making feature handling more generic. +def disable_ja3(suriconf, rulemap, disabled_rules): + if suriconf and suriconf.build_info: + enabled = False + reason = None + logged = False + if "HAVE_NSS" not in suriconf.build_info["features"]: + reason = "Disabling ja3 rules as Suricata is built without libnss." + else: + # Check if disabled. Must be explicitly disabled, + # otherwise we'll keep ja3 rules enabled. + val = suriconf.get("app-layer.protocols.tls.ja3-fingerprints") + + # Prior to Suricata 5, leaving ja3-fingerprints undefined + # in the configuration disabled the feature. With 5.0, + # having it undefined will enable it as needed. + if not val: + if suriconf.build_info["version"].major < 5: + val = "no" + else: + val = "auto" + + if val and val.lower() not in ["1", "yes", "true", "auto"]: + reason = "Disabling ja3 rules as ja3 fingerprints are not enabled." + else: + enabled = True + + count = 0 + if not enabled: + for key, rule in rulemap.items(): + if "ja3" in rule["features"]: + if not logged: + logger.warn(reason) + logged = True + rule.enabled = False + disabled_rules.append(rule) + count += 1 + if count: + logger.info("%d ja3_hash rules disabled." % (count)) + +def _main(): + global args + args = parsers.parse_arg() + + # Go verbose or quiet sooner than later. + if args.verbose: + logger.setLevel(logging.DEBUG) + if args.quiet: + logger.setLevel(logging.WARNING) + + logger.debug("This is suricata-update version %s (rev: %s); Python: %s" % ( + version, revision, sys.version.replace("\n", "- "))) + + config.init(args) + + # Error out if any reserved/unimplemented arguments were set. + unimplemented_args = [ + "disable", + "enable", + "modify", + "drop", + ] + for arg in unimplemented_args: + if hasattr(args, arg) and getattr(args, arg): + logger.error("--{} not implemented".format(arg)) + return 1 + + suricata_path = config.get("suricata") + + # Now parse the Suricata version. If provided on the command line, + # use that, otherwise attempt to get it from Suricata. + if args.suricata_version: + # The Suricata version was passed on the command line, parse it. + suricata_version = engine.parse_version(args.suricata_version) + if not suricata_version: + logger.error("Failed to parse provided Suricata version: {}".format( + args.suricata_version)) + return 1 + logger.info("Forcing Suricata version to %s." % (suricata_version.full)) + elif suricata_path: + suricata_version = engine.get_version(suricata_path) + if suricata_version: + logger.info("Found Suricata version %s at %s." % ( + str(suricata_version.full), suricata_path)) + else: + logger.error("Failed to get Suricata version.") + return 1 + else: + logger.info( + "Using default Suricata version of %s", DEFAULT_SURICATA_VERSION) + suricata_version = engine.parse_version(DEFAULT_SURICATA_VERSION) + + # Provide the Suricata version to the net module to add to the + # User-Agent. + net.set_user_agent_suricata_version(suricata_version.full) + + if args.subcommand: + if args.subcommand == "check-versions" and hasattr(args, "func"): + return args.func(suricata_version) + elif hasattr(args, "func"): + return args.func() + elif args.subcommand != "update": + logger.error("Unknown command: {}".format(args.subcommand)) + return 1 + + if args.dump_sample_configs: + return dump_sample_configs() + + # If --no-ignore was provided, clear any ignores provided in the + # config. + if args.no_ignore: + config.set(config.IGNORE_KEY, []) + + file_tracker = FileTracker() + + disable_matchers = [] + enable_matchers = [] + modify_filters = [] + drop_filters = [] + + # Load user provided disable filters. + disable_conf_filename = config.get("disable-conf") + if disable_conf_filename: + if os.path.exists(disable_conf_filename): + logger.info("Loading %s.", disable_conf_filename) + disable_matchers += load_matchers(disable_conf_filename) + else: + logger.warn("disable-conf file does not exist: {}".format(disable_conf_filename)) + + # Load user provided enable filters. + enable_conf_filename = config.get("enable-conf") + if enable_conf_filename: + if os.path.exists(enable_conf_filename): + logger.info("Loading %s.", enable_conf_filename) + enable_matchers += load_matchers(enable_conf_filename) + else: + logger.warn("enable-conf file does not exist: {}".format(enable_conf_filename)) + + # Load user provided modify filters. + modify_conf_filename = config.get("modify-conf") + if modify_conf_filename: + if os.path.exists(modify_conf_filename): + logger.info("Loading %s.", modify_conf_filename) + modify_filters += load_filters(modify_conf_filename) + else: + logger.warn("modify-conf file does not exist: {}".format(modify_conf_filename)) + + # Load user provided drop filters. + drop_conf_filename = config.get("drop-conf") + if drop_conf_filename: + if os.path.exists(drop_conf_filename): + logger.info("Loading %s.", drop_conf_filename) + drop_filters += load_drop_filters(drop_conf_filename) + else: + logger.warn("drop-conf file does not exist: {}".format(drop_conf_filename)) + + # Load the Suricata configuration if we can. + suriconf = None + if config.get("suricata-conf") and \ + os.path.exists(config.get("suricata-conf")) and \ + suricata_path and os.path.exists(suricata_path): + logger.info("Loading %s",config.get("suricata-conf")) + try: + suriconf = engine.Configuration.load( + config.get("suricata-conf"), suricata_path=suricata_path) + except subprocess.CalledProcessError: + return 1 + + # Disable rule that are for app-layers that are not enabled. + if suriconf: + for key in suriconf.keys(): + m = re.match(r"app-layer\.protocols\.([^\.]+)\.enabled", key) + if m: + proto = m.group(1) + if not suriconf.is_true(key, ["detection-only"]): + logger.info("Disabling rules for protocol %s", proto) + disable_matchers.append(matchers_mod.ProtoRuleMatcher(proto)) + elif proto == "smb" and suriconf.build_info: + # Special case for SMB rules. For versions less + # than 5, disable smb rules if Rust is not + # available. + if suriconf.build_info["version"].major < 5: + if not "RUST" in suriconf.build_info["features"]: + logger.info("Disabling rules for protocol {}".format(proto)) + disable_matchers.append(matchers_mod.ProtoRuleMatcher(proto)) + + # Check that the cache directory exists and is writable. + if not os.path.exists(config.get_cache_dir()): + try: + os.makedirs(config.get_cache_dir(), mode=0o770) + except Exception as err: + logger.warning( + "Cache directory does not exist and could not be created. " + "/var/tmp will be used instead.") + config.set_cache_dir("/var/tmp") + + files = load_sources(suricata_version) + + load_dist_rules(files) + + rules = [] + classification_files = [] + dep_files = {} + for entry in sorted(files, key = lambda e: e.filename): + if "classification.config" in entry.filename: + classification_files.append((entry.filename, entry.content)) + continue + if not entry.filename.endswith(".rules"): + dep_files.update({entry.filename: entry.content}) + continue + if ignore_file(config.get("ignore"), entry.filename): + logger.info("Ignoring file {}".format(entry.filename)) + continue + logger.debug("Parsing {}".format(entry.filename)) + rules += rule_mod.parse_fileobj(io.BytesIO(entry.content), entry.filename) + + rulemap = build_rule_map(rules) + logger.info("Loaded %d rules." % (len(rules))) + + # Counts of user enabled and modified rules. + enable_count = 0 + modify_count = 0 + drop_count = 0 + + # List of rules disabled by user. Used for counting, and to log + # rules that are re-enabled to meet flowbit requirements. + disabled_rules = [] + + for key, rule in rulemap.items(): + + # To avoid duplicate counts when a rule has more than one modification + # to it, we track the actions here then update the counts at the end. + enabled = False + modified = False + dropped = False + + for matcher in disable_matchers: + if rule.enabled and matcher.match(rule): + logger.debug("Disabling: %s" % (rule.brief())) + rule.enabled = False + disabled_rules.append(rule) + + for matcher in enable_matchers: + if not rule.enabled and matcher.match(rule): + logger.debug("Enabling: %s" % (rule.brief())) + rule.enabled = True + enabled = True + + for fltr in drop_filters: + if fltr.match(rule): + rule = fltr.run(rule) + dropped = True + + for fltr in modify_filters: + if fltr.match(rule): + rule = fltr.run(rule) + modified = True + + if enabled: + enable_count += 1 + if modified: + modify_count += 1 + if dropped: + drop_count += 1 + + rulemap[key] = rule + + # Check if we should disable ja3 rules. + try: + disable_ja3(suriconf, rulemap, disabled_rules) + except Exception as err: + logger.error("Failed to dynamically disable ja3 rules: {}".format(err)) + + # Check rule vars, disabling rules that use unknown vars. + check_vars(suriconf, rulemap) + + logger.info("Disabled %d rules." % (len(disabled_rules))) + logger.info("Enabled %d rules." % (enable_count)) + logger.info("Modified %d rules." % (modify_count)) + logger.info("Dropped %d rules." % (drop_count)) + + # Fixup flowbits. + resolve_flowbits(rulemap, disabled_rules) + + # Check that output directory exists, creating it if needed. + check_output_directory(config.get_output_dir()) + + # Check that output directory is writable. + if not os.access(config.get_output_dir(), os.W_OK): + logger.error( + "Output directory is not writable: {}".format(config.get_output_dir())) + return 1 + + # Backup the output directory. + logger.info("Backing up current rules.") + backup_directory = util.mktempdir() + shutil.copytree(config.get_output_dir(), os.path.join( + backup_directory, "backup"), ignore=copytree_ignore_backup) + + if not args.no_merge: + # The default, write out a merged file. + output_filename = os.path.join( + config.get_output_dir(), DEFAULT_OUTPUT_RULE_FILENAME) + file_tracker.add(output_filename) + write_merged(os.path.join(output_filename), rulemap, dep_files) + else: + for file in files: + file_tracker.add( + os.path.join( + config.get_output_dir(), os.path.basename(file.filename))) + write_to_directory(config.get_output_dir(), files, rulemap, dep_files) + + manage_classification(suriconf, classification_files) + + if args.yaml_fragment: + file_tracker.add(args.yaml_fragment) + write_yaml_fragment(args.yaml_fragment, files) + + if args.sid_msg_map: + write_sid_msg_map(args.sid_msg_map, rulemap, version=1) + if args.sid_msg_map_2: + write_sid_msg_map(args.sid_msg_map_2, rulemap, version=2) + + if args.threshold_in and args.threshold_out: + file_tracker.add(args.threshold_out) + threshold_processor = ThresholdProcessor() + threshold_processor.process( + open(args.threshold_in), open(args.threshold_out, "w"), rulemap) + + if not args.force and not file_tracker.any_modified(): + logger.info("No changes detected, exiting.") + notes.dump_notes() + return 0 + + # Set these containers to None to fee the memory before testing Suricata which + # may consume a lot of memory by itself. Ideally we should refactor this large + # function into multiple methods so these go out of scope and get removed + # automatically. + rulemap = None + rules = None + files = None + + if not test_suricata(suricata_path): + logger.error("Suricata test failed, aborting.") + logger.error("Restoring previous rules.") + copytree( + os.path.join(backup_directory, "backup"), config.get_output_dir()) + return 1 + + if not config.args().no_reload and config.get("reload-command"): + logger.info("Running %s." % (config.get("reload-command"))) + rc = subprocess.Popen(config.get("reload-command"), shell=True).wait() + if rc != 0: + logger.error("Reload command exited with error: {}".format(rc)) + + logger.info("Done.") + + notes.dump_notes() + + return 0 + +def signal_handler(signal, frame): + print('Program interrupted. Aborting...') + sys.exit(1) + +def main(): + signal.signal(signal.SIGINT, signal_handler) + try: + sys.exit(_main()) + except exceptions.ApplicationError as err: + logger.error(err) + sys.exit(1) + +if __name__ == "__main__": + main() diff --git a/suricata/update/maps.py b/suricata/update/maps.py new file mode 100644 index 0000000..8a34f27 --- /dev/null +++ b/suricata/update/maps.py @@ -0,0 +1,215 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +"""Provide mappings from ID's to descriptions. + +Includes mapping classes for event ID messages and classification +information. +""" + +from __future__ import print_function + +import re + +class SignatureMap(object): + """SignatureMap maps signature IDs to a signature info dict. + + The signature map can be build up from classification.config, + gen-msg.map, and new and old-style sid-msg.map files. + + The dict's in the map will have at a minimum the following + fields: + + * gid *(int)* + * sid *(int)* + * msg *(string)* + * refs *(list of strings)* + + Signatures loaded from a new style sid-msg.map file will also have + *rev*, *classification* and *priority* fields. + + Example:: + + >>> from idstools import maps + >>> sigmap = maps.SignatureMap() + >>> sigmap.load_generator_map(open("tests/gen-msg.map")) + >>> sigmap.load_signature_map(open("tests/sid-msg-v2.map")) + >>> print(sigmap.get(1, 2495)) + {'classification': 'misc-attack', 'rev': 8, 'priority': 0, 'gid': 1, + 'sid': 2495, + 'msg': 'GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt', + 'ref': ['bugtraq,8811', 'cve,2003-0813', 'nessus,12206', + 'url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx']} + + """ + + def __init__(self): + self.map = {} + + def size(self): + return len(self.map) + + def get(self, generator_id, signature_id): + """Get signature info by generator_id and signature_id. + + :param generator_id: The generator id of the signature to lookup. + :param signature_id: The signature id of the signature to lookup. + + For convenience, if the generator_id is 3 and the signature is + not found, a second lookup will be done using a generator_id + of 1. + + """ + + key = (generator_id, signature_id) + sig = self.map.get(key) + if sig is None and generator_id == 3: + return self.get(1, signature_id) + return sig + + def load_generator_map(self, fileobj): + """Load the generator message map (gen-msg.map) from a + file-like object. + + """ + for line in fileobj: + line = line.strip() + if not line or line.startswith("#"): + continue + gid, sid, msg = [part.strip() for part in line.split("||")] + entry = { + "gid": int(gid), + "sid": int(sid), + "msg": msg, + "refs": [], + } + self.map[(entry["gid"], entry["sid"])] = entry + + def load_signature_map(self, fileobj, defaultgid=1): + """Load signature message map (sid-msg.map) from a file-like + object. + + """ + + for line in fileobj: + line = line.strip() + if not line or line.startswith("#"): + continue + parts = [p.strip() for p in line.split("||")] + + # If we have at least 6 parts, attempt to parse as a v2 + # signature map file. + try: + entry = { + "gid": int(parts[0]), + "sid": int(parts[1]), + "rev": int(parts[2]), + "classification": parts[3], + "priority": int(parts[4]), + "msg": parts[5], + "ref": parts[6:], + } + except: + entry = { + "gid": defaultgid, + "sid": int(parts[0]), + "msg": parts[1], + "ref": parts[2:], + } + self.map[(entry["gid"], entry["sid"])] = entry + +class ClassificationMap(object): + """ClassificationMap maps classification IDs and names to a dict + object describing a classification. + + :param fileobj: (Optional) A file like object to load + classifications from on initialization. + + The classification dicts stored in the map have the following + fields: + + * name *(string)* + * description *(string)* + * priority *(int)* + + Example:: + + >>> from idstools import maps + >>> classmap = maps.ClassificationMap() + >>> classmap.load_from_file(open("tests/classification.config")) + + >>> classmap.get(3) + {'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'} + >>> classmap.get_by_name("bad-unknown") + {'priority': 2, 'name': 'bad-unknown', 'description': 'Potentially Bad Traffic'} + + """ + + def __init__(self, fileobj=None): + self.id_map = [] + self.name_map = {} + + if fileobj: + self.load_from_file(fileobj) + + def size(self): + return len(self.id_map) + + def add(self, classification): + """Add a classification to the map.""" + self.id_map.append(classification) + self.name_map[classification["name"]] = classification + + def get(self, class_id): + """Get a classification by ID. + + :param class_id: The classification ID to get. + + :returns: A dict describing the classification or None. + + """ + if 0 < class_id <= len(self.id_map): + return self.id_map[class_id - 1] + else: + return None + + def get_by_name(self, name): + """Get a classification by name. + + :param name: The name of the classification + + :returns: A dict describing the classification or None. + + """ + if name in self.name_map: + return self.name_map[name] + else: + return None + + def load_from_file(self, fileobj): + """Load classifications from a Snort style + classification.config file object. + + """ + pattern = "config classification: ([^,]+),([^,]+),([^,]+)" + for line in fileobj: + m = re.match(pattern, line.strip()) + if m: + self.add({ + "name": m.group(1), + "description": m.group(2), + "priority": int(m.group(3))}) diff --git a/suricata/update/matchers.py b/suricata/update/matchers.py new file mode 100644 index 0000000..56a9e29 --- /dev/null +++ b/suricata/update/matchers.py @@ -0,0 +1,331 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +# This module contains functions for matching rules for disabling, +# enabling, converting to drop or modification. + +import re +import os.path +import logging +import shlex +import fnmatch +import suricata.update.rule + + +logger = logging.getLogger() + + +class AllRuleMatcher(object): + """Matcher object to match all rules. """ + + def match(self, rule): + return True + + @classmethod + def parse(cls, buf): + if buf.strip() == "*": + return cls() + return None + + +class ProtoRuleMatcher: + """A rule matcher that matches on the protocol of a rule.""" + + def __init__(self, proto): + self.proto = proto + + def match(self, rule): + return rule.proto == self.proto + + +class IdRuleMatcher(object): + """Matcher object to match an idstools rule object by its signature + ID.""" + + def __init__(self, generatorId=None, signatureId=None): + self.signatureIds = [] + if generatorId and signatureId: + self.signatureIds.append((generatorId, signatureId)) + + def match(self, rule): + for (generatorId, signatureId) in self.signatureIds: + if generatorId == rule.gid and signatureId == rule.sid: + return True + return False + + @classmethod + def parse(cls, buf): + matcher = cls() + + for entry in buf.split(","): + entry = entry.strip() + + parts = entry.split(":", 1) + if not parts: + return None + if len(parts) == 1: + try: + signatureId = int(parts[0]) + matcher.signatureIds.append((1, signatureId)) + except: + return None + else: + try: + generatorId = int(parts[0]) + signatureId = int(parts[1]) + matcher.signatureIds.append((generatorId, signatureId)) + except: + return None + + return matcher + + +class FilenameMatcher(object): + """Matcher object to match a rule by its filename. This is similar to + a group but has no specifier prefix. + """ + + def __init__(self, pattern): + self.pattern = pattern + + def match(self, rule): + if hasattr(rule, "group") and rule.group is not None: + return fnmatch.fnmatch(rule.group, self.pattern) + return False + + @classmethod + def parse(cls, buf): + if buf.startswith("filename:"): + try: + group = buf.split(":", 1)[1] + return cls(group.strip()) + except: + pass + return None + + +class GroupMatcher(object): + """Matcher object to match an idstools rule object by its group (ie: + filename). + + The group is just the basename of the rule file with or without + extension. + + Examples: + - emerging-shellcode + - emerging-trojan.rules + + """ + + def __init__(self, pattern): + self.pattern = pattern + + def match(self, rule): + if hasattr(rule, "group") and rule.group is not None: + if fnmatch.fnmatch(os.path.basename(rule.group), self.pattern): + return True + # Try matching against the rule group without the file + # extension. + if fnmatch.fnmatch( + os.path.splitext( + os.path.basename(rule.group))[0], self.pattern): + return True + return False + + @classmethod + def parse(cls, buf): + if buf.startswith("group:"): + try: + logger.debug("Parsing group matcher: %s" % (buf)) + group = buf.split(":", 1)[1] + return cls(group.strip()) + except: + pass + if buf.endswith(".rules"): + return cls(buf.strip()) + return None + + +class ReRuleMatcher(object): + """Matcher object to match an idstools rule object by regular + expression.""" + + def __init__(self, pattern): + self.pattern = pattern + + def match(self, rule): + if self.pattern.search(rule.raw): + return True + return False + + @classmethod + def parse(cls, buf): + if buf.startswith("re:"): + try: + logger.debug("Parsing regex matcher: %s" % (buf)) + patternstr = buf.split(":", 1)[1].strip() + pattern = re.compile(patternstr, re.I) + return cls(pattern) + except: + pass + return None + + +class MetadataRuleMatch(object): + """ Matcher that matches on key/value style metadata fields. Case insensitive. """ + + def __init__(self, key, value): + self.key = key + self.value = value + + def match(self, rule): + for entry in rule.metadata: + parts = entry.strip().split(" ", 1) + if parts[0].strip().lower() == self.key and parts[1].strip().lower() == self.value: + print(rule) + return True + return False + + @classmethod + def parse(cls, buf): + print(buf) + if buf.startswith("metadata:"): + buf = buf.split(":", 1)[1].strip() + parts = buf.split(" ", 1) + if len(parts) == 2: + key = parts[0].strip().lower() + val = parts[1].strip().lower() + return cls(key, val) + return None + + +class ModifyRuleFilter(object): + """Filter to modify an idstools rule object. + + Important note: This filter does not modify the rule inplace, but + instead returns a new rule object with the modification. + """ + + def __init__(self, matcher, pattern, repl): + self.matcher = matcher + self.pattern = pattern + self.repl = repl + + def match(self, rule): + return self.matcher.match(rule) + + def run(self, rule): + modified_rule = self.pattern.sub(self.repl, rule.format()) + parsed = suricata.update.rule.parse(modified_rule, rule.group) + if parsed is None: + logger.error("Modification of rule %s results in invalid rule: %s", + rule.idstr, modified_rule) + return rule + return parsed + + @classmethod + def parse(cls, buf): + tokens = shlex.split(buf) + if len(tokens) == 3: + matchstring, a, b = tokens + elif len(tokens) > 3 and tokens[0] == "modifysid": + matchstring, a, b = tokens[1], tokens[2], tokens[4] + else: + raise Exception("Bad number of arguments.") + matcher = parse_rule_match(matchstring) + if not matcher: + raise Exception("Bad match string: %s" % (matchstring)) + pattern = re.compile(a) + + # Convert Oinkmaster backticks to Python. + b = re.sub(r"\$\{(\d+)\}", "\\\\\\1", b) + + return cls(matcher, pattern, b) + + +class DropRuleFilter(object): + """ Filter to modify an idstools rule object to a drop rule. """ + + def __init__(self, matcher): + self.matcher = matcher + + def match(self, rule): + if rule["noalert"]: + return False + return self.matcher.match(rule) + + def run(self, rule): + drop_rule = suricata.update.rule.parse(re.sub( + r"^\w+", "drop", rule.raw)) + drop_rule.enabled = rule.enabled + return drop_rule + +class AddMetadataFilter(object): + + def __init__(self, matcher, key, val): + self.matcher = matcher + self.key = key + self.val = val + + def match(self, rule): + return self.matcher.match(rule) + + def run(self, rule): + new_rule_string = re.sub(r";\s*\)$", "; metadata: {} {};)".format(self.key, self.val), rule.format()) + new_rule = suricata.update.rule.parse(new_rule_string, rule.group) + if not new_rule: + logger.error("Rule is not valid after adding metadata: [{}]: {}".format(rule.idstr, new_rule_string)) + return rule + return new_rule + + @classmethod + def parse(cls, buf): + try: + command, match_string, key, val = shlex.split(buf) + except: + raise Exception("metadata-add: invalid number of arguments") + matcher = parse_rule_match(match_string) + if not matcher: + raise Exception("Bad match string: %s" % (matchstring)) + return cls(matcher, key, val) + + +def parse_rule_match(match): + matcher = AllRuleMatcher.parse(match) + if matcher: + return matcher + + matcher = IdRuleMatcher.parse(match) + if matcher: + return matcher + + matcher = ReRuleMatcher.parse(match) + if matcher: + return matcher + + matcher = FilenameMatcher.parse(match) + if matcher: + return matcher + + matcher = GroupMatcher.parse(match) + if matcher: + return matcher + + matcher = MetadataRuleMatch.parse(match) + if matcher: + return matcher + + return None diff --git a/suricata/update/net.py b/suricata/update/net.py new file mode 100644 index 0000000..eac060e --- /dev/null +++ b/suricata/update/net.py @@ -0,0 +1,175 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +""" Module for network related operations. """ + +import platform +import logging +import ssl +import re + +try: + # Python 3.3... + from urllib.request import urlopen, build_opener + from urllib.error import HTTPError + from urllib.request import HTTPSHandler +except ImportError: + # Python 2.6, 2.7. + from urllib2 import urlopen, build_opener + from urllib2 import HTTPError + from urllib2 import HTTPSHandler + +from suricata.update.version import version +from suricata.update import config +from suricata.update import osinfo + +logger = logging.getLogger() + +# Number of bytes to read at a time in a GET request. +GET_BLOCK_SIZE = 8192 + +user_agent_suricata_verison = "Unknown" +custom_user_agent = None + +def set_custom_user_agent(ua): + global custom_user_agent + custom_user_agent = ua + +def set_user_agent_suricata_version(version): + global user_agent_suricata_verison + user_agent_suricata_verison = version + +def build_user_agent(): + params = [] + has_custom_user_agent = config.has("user-agent") + if has_custom_user_agent: + user_agent = config.get("user-agent") + if user_agent is None or len(user_agent.strip()) == 0: + logger.debug("Suppressing HTTP User-Agent header") + return None + return user_agent + + params = [] + try: + params.append("OS: {}".format(platform.system())) + except Exception as err: + logger.error("Failed to set user-agent OS: {}".format(str(err))) + try: + params.append("CPU: {}".format(osinfo.arch())) + except Exception as err: + logger.error("Failed to set user-agent architecture: {}".format(str(err))) + try: + params.append("Python: {}".format(platform.python_version())) + except Exception as err: + logger.error("Failed to set user-agent python version: {}".format(str(err))) + try: + params.append("Dist: {}".format(osinfo.dist())) + except Exception as err: + logger.error("Failed to set user-agent distribution: {}".format(str(err))) + + params.append("Suricata: %s" % (user_agent_suricata_verison)) + + return "Suricata-Update/%s (%s)" % ( + version, "; ".join(params)) + + +def is_header_clean(header): + if len(header) != 2: + return False + name, val = header[0].strip(), header[1].strip() + if re.match( r"^[\w-]+$", name) and re.match(r"^[\w\s -~]+$", val): + return True + return False + + +def get(url, fileobj, progress_hook=None): + """ Perform a GET request against a URL writing the contents into + the provided file-like object. + + :param url: The URL to fetch + :param fileobj: The fileobj to write the content to + :param progress_hook: The function to call with progress updates + + :returns: Returns a tuple containing the number of bytes read and + the result of the info() function from urllib2.urlopen(). + + :raises: Exceptions from urllib2.urlopen() and writing to the + provided fileobj may occur. + """ + + user_agent = build_user_agent() + + try: + # Wrap in a try as Python versions prior to 2.7.9 don't have + # create_default_context, but some distros have backported it. + ssl_context = ssl.create_default_context() + if config.get("no-check-certificate"): + logger.debug("Disabling SSL/TLS certificate verification.") + ssl_context.check_hostname = False + ssl_context.verify_mode = ssl.CERT_NONE + opener = build_opener(HTTPSHandler(context=ssl_context)) + except: + opener = build_opener() + + if user_agent: + logger.debug("Setting HTTP User-Agent to %s", user_agent) + http_headers = [("User-Agent", user_agent)] + else: + http_headers = [(header, value) for header, + value in opener.addheaders if header.lower() != "user-agent"] + if isinstance(url, tuple): + header = url[1].split(":") if url[1] is not None else None + if header and is_header_clean(header=header): + name, val = header[0].strip(), header[1].strip() + logger.debug("Setting HTTP header %s to %s", name, val) + http_headers.append((name, val)) + elif header: + logger.error("Header not set as it does not meet the criteria") + url = url[0] + opener.addheaders = http_headers + + try: + remote = opener.open(url, timeout=30) + except ValueError as ve: + logger.error(ve) + else: + info = remote.info() + content_length = info.get("content-length") + content_length = int(content_length) if content_length else 0 + bytes_read = 0 + while True: + buf = remote.read(GET_BLOCK_SIZE) + if not buf: + # EOF + break + bytes_read += len(buf) + fileobj.write(buf) + if progress_hook: + progress_hook(content_length, bytes_read) + remote.close() + fileobj.flush() + return bytes_read, info + + +if __name__ == "__main__": + + import sys + + try: + get(sys.argv[1], sys.stdout) + except Exception as err: + print("ERROR: %s" % (err)) diff --git a/suricata/update/notes.py b/suricata/update/notes.py new file mode 100644 index 0000000..6288781 --- /dev/null +++ b/suricata/update/notes.py @@ -0,0 +1,60 @@ +# Copyright (C) 2018 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import textwrap + +# Address group notes. +address_group_vars = set() + +# Port group notes. +port_group_vars = set() + +# Template for missing address-group variable. +missing_address_group_var_template = """ +A rule has been disabled due to the unknown address-group variable +%(var)s being used. You may want to add this variable to your Suricata +configuration file. +""" + +# Template for missing port-group variable. +missing_port_group_var_template = """ +A rule has been disabled due to the unknown port-group variable +%(var)s being used. You may want to add this variable to your Suricata +configuration file. +""" + +def render_note(note): + lines = textwrap.wrap(note.strip().replace("\n", " ")) + print("* %s" % (lines[0])) + for line in lines[1:]: + print(" %s" % (line)) + +def dump_notes(): + notes = [] + + for var in address_group_vars: + notes.append(missing_address_group_var_template % {"var": var}) + + for var in port_group_vars: + notes.append(missing_port_group_var_template % {"var": var}) + + if notes: + print("\nNotes:\n") + for note in notes: + render_note(note) + print("") diff --git a/suricata/update/osinfo.py b/suricata/update/osinfo.py new file mode 100644 index 0000000..c3e417b --- /dev/null +++ b/suricata/update/osinfo.py @@ -0,0 +1,75 @@ +# Copyright (C) 2020 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import re +import os.path +import platform + +def parse_os_release(filename="/etc/os-release"): + os_release={} + + if not os.path.exists(filename): + return os_release + + with open(filename) as fileobj: + for line in fileobj: + line = line.strip() + m = re.match(r"^(\w+)=\"?(.*?)\"?$", line) + if m: + os_release[m.group(1)] = m.group(2) + return os_release + +def dist(): + os_release = parse_os_release() + if "NAME" in os_release: + version_fields = ["VERSION_ID", "BUILD_ID"] + for vf in version_fields: + if vf in os_release: + return "{}/{}".format(os_release["NAME"], os_release[vf]) + return os_release["NAME"] + + # Arch may or may not have /etc/os-release, but its easy to + # detect. + if os.path.exists("/etc/arch-release"): + return "Arch Linux" + + # Uname fallback. + uname = platform.uname() + return "{}/{}".format(uname[0], uname[2]) + +normalized_arch = { + "amd64": "x86_64", +} + +def arch(): + """Return the machine architecture. """ + machine = platform.machine() + return normalized_arch.get(machine, machine) + +if __name__ == "__main__": + # Build a user agent string. Something like: + # Suricata-Update/1.2.0dev0 (OS: Linux; \ + # CPU: x86_64; \ + # Python: 3.7.7; \ + # Dist: Fedora/31; \ + # Suricata: 4.0.0) + parts = [] + parts.append("OS: {}".format(platform.system())) + parts.append("CPU: {}".format(arch())) + parts.append("Python: {}".format(platform.python_version())) + parts.append("Dist: {}".format(dist())) + + print("Suricata-Update/1.2.0dev0 ({})".format("; ".join(parts))) diff --git a/suricata/update/parsers.py b/suricata/update/parsers.py new file mode 100644 index 0000000..185205c --- /dev/null +++ b/suricata/update/parsers.py @@ -0,0 +1,268 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2015-2017 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +# This module contains functions for command line parsers for +# suricata-update + +import argparse +import sys +from suricata.update import commands, config + +from suricata.update.version import version + +try: + from suricata.update.revision import revision +except: + revision = None + +default_update_yaml = config.DEFAULT_UPDATE_YAML_PATH + +show_advanced = False + +if "-s" in sys.argv or "--show-advanced" in sys.argv: + show_advanced = True + +# Global arguments - command line options for suricata-update +global_arg = [ + (("-v", "--verbose"), + {'action': 'store_true', 'default': None, + 'help': "Be more verbose"}), + (("-q", "--quiet"), + {'action': 'store_true', 'default': None, + 'help': "Be quiet, warning and error messages only"}), + (("-D", "--data-dir"), + {'metavar': '<directory>', 'dest': 'data_dir', + 'help': "Data directory (default: /var/lib/suricata)"}), + (("-c", "--config"), + {'metavar': '<filename>', + 'help': "configuration file (default: %s)" % (default_update_yaml)}), + (("--suricata-conf",), + {'metavar': '<filename>', + 'help': "configuration file (default: /etc/suricata/suricata.yaml)"}), + (("--suricata",), + {'metavar': '<path>', + 'help': "Path to Suricata program"}), + (("--suricata-version",), + {'metavar': '<version>', + 'help': "Override Suricata version"}), + (("--user-agent",), + {'metavar': '<user-agent>', + 'help': "Set custom user-agent string" + if show_advanced else argparse.SUPPRESS}), + (("--no-check-certificate",), + {'action': 'store_true', 'default': None, + 'help': "Disable server SSL/TLS certificate verification" + if show_advanced else argparse.SUPPRESS}), + (("-V", "--version"), + {'action': 'store_true', 'default': False, + 'help': "Display version"}), + (("-s","--show-advanced"), + {'action': 'store_true', + 'help': "Show advanced options"}), +] + +# Update arguments - command line options for suricata-update +update_arg = [ + (("-o", "--output"), + {'metavar': '<directory>', 'dest': 'output', + 'help': "Directory to write rules to"}), + (("-f", "--force"), + {'action': 'store_true', 'default': False, + 'help': "Force operations that might otherwise be skipped"}), + (("--yaml-fragment",), + {'metavar': '<filename>', + 'help': "Output YAML fragment for rule inclusion" + if show_advanced else argparse.SUPPRESS}), + (("--url",), + {'metavar': '<url>', 'action': 'append', 'default': [], + 'help': "URL to use instead of auto-generating one " + "(can be specified multiple times)" + if show_advanced else argparse.SUPPRESS}), + (("--local",), + {'metavar': '<path>', 'action': 'append', 'default': [], + 'help': "Local rule files or directories " + "(can be specified multiple times)" + if show_advanced else argparse.SUPPRESS}), + (("--sid-msg-map",), + {'metavar': '<filename>', + 'help': "Generate a sid-msg.map file" + if show_advanced else argparse.SUPPRESS}), + (("--sid-msg-map-2",), + {'metavar': '<filename>', + 'help': "Generate a v2 sid-msg.map file" + if show_advanced else argparse.SUPPRESS}), + + (("--disable-conf",), + {'metavar': '<filename>', + 'help': "Filename of rule disable filters"}), + (("--enable-conf",), + {'metavar': '<filename>', + 'help': "Filename of rule enable filters"}), + (("--modify-conf",), + {'metavar': '<filename>', + 'help': "Filename of rule modification filters"}), + (("--drop-conf",), + {'metavar': '<filename>', + 'help': "Filename of drop rule filters"}), + + (("--ignore",), + {'metavar': '<pattern>', 'action': 'append', 'default': None, + 'help': "Filenames to ignore " + "(can be specified multiple times; default: *deleted.rules)" + if show_advanced else argparse.SUPPRESS}), + (("--no-ignore",), + {'action': 'store_true', 'default': False, + 'help': "Disables the ignore option." + if show_advanced else argparse.SUPPRESS}), + (("--threshold-in",), + {'metavar': '<filename>', + 'help': "Filename of rule thresholding configuration" + if show_advanced else argparse.SUPPRESS}), + (("--threshold-out",), + {'metavar': '<filename>', + 'help': "Output of processed threshold configuration" + if show_advanced else argparse.SUPPRESS}), + (("--dump-sample-configs",), + {'action': 'store_true', 'default': False, + 'help': "Dump sample config files to current directory" + if show_advanced else argparse.SUPPRESS}), + (("--etopen",), + {'action': 'store_true', + 'help': "Use ET-Open rules (default)" + if show_advanced else argparse.SUPPRESS}), + (("--reload-command",), + {'metavar': '<command>', + 'help': "Command to run after update if modified" + if show_advanced else argparse.SUPPRESS}), + (("--no-reload",), + {'action': 'store_true', 'default': False, + 'help': "Disable reload"}), + (("-T", "--test-command"), + {'metavar': '<command>', + 'help': "Command to test Suricata configuration" + if show_advanced else argparse.SUPPRESS}), + (("--no-test",), + {'action': 'store_true', 'default': None, + 'help': "Disable testing rules with Suricata"}), + (("--no-merge",), + {'action': 'store_true', 'default': False, + 'help': "Do not merge the rules into a single file" + if show_advanced else argparse.SUPPRESS}), + (("--offline",), + {'action': 'store_true', + 'help': "Run offline using most recent cached rules"}), + (("--fail",), + {'action': 'store_true', + 'help': "Strictly fail and exit in case of an error"}), + + # Hidden argument, --now to bypass the timebased bypass of + # updating a ruleset. + (("--now",), + {'default': False, 'action': 'store_true', 'help': argparse.SUPPRESS}), + + # The Python 2.7 argparse module does prefix matching which can be + # undesirable. Reserve some names here that would match existing + # options to prevent prefix matching. + (("--disable",), + {'default': False, 'help': argparse.SUPPRESS}), + (("--enable",), + {'default': False, 'help': argparse.SUPPRESS}), + (("--modify",), + {'default': False, 'help': argparse.SUPPRESS}), + (("--drop",), + {'default': False, 'help': argparse.SUPPRESS}) +] + + +def parse_global(): + global_parser = argparse.ArgumentParser(add_help=False) + + for arg, opts in global_arg: + global_parser.add_argument(*arg, **opts) + + return global_parser + + +def parse_update(subparsers, global_parser): + # The "update" (default) sub-command parser. + update_parser = subparsers.add_parser( + "update", add_help=True, parents=[global_parser], + formatter_class=argparse.RawDescriptionHelpFormatter) + + for arg, opts in update_arg: + update_parser.add_argument(*arg, **opts) + + return update_parser + + +def parse_commands(subparsers, global_parser): + commands.listsources.register(subparsers.add_parser( + "list-sources", parents=[global_parser])) + commands.listsources.register(subparsers.add_parser( + "list-enabled-sources", parents=[global_parser])) + commands.addsource.register(subparsers.add_parser( + "add-source", parents=[global_parser])) + commands.updatesources.register(subparsers.add_parser( + "update-sources", parents=[global_parser])) + commands.enablesource.register(subparsers.add_parser( + "enable-source", parents=[global_parser])) + commands.disablesource.register(subparsers.add_parser( + "disable-source", parents=[global_parser])) + commands.removesource.register(subparsers.add_parser( + "remove-source", parents=[global_parser])) + commands.checkversions.register(subparsers.add_parser( + "check-versions", parents=[global_parser])) + + +def parse_arg(): + global_parser = parse_global() + global_args, rem = global_parser.parse_known_args() + + if global_args.version: + revision_string = " (rev: %s)" % (revision) if revision else "" + print("suricata-update version {}{}".format(version, revision_string)) + sys.exit(0) + + if not rem or rem[0].startswith("-"): + rem.insert(0, "update") + + parser = argparse.ArgumentParser() + subparsers = parser.add_subparsers(dest="subcommand", metavar="<command>") + update_parser = parse_update(subparsers, global_parser) + + update_parser.epilog = r"""other commands: + update-sources Update the source index + list-sources List available sources + enable-source Enable a source from the index + disable-source Disable an enabled source + remove-source Remove an enabled or disabled source + add-source Add a new source by URL + check-versions Check version of suricata-update +""" + + parse_commands(subparsers, global_parser) + + args = parser.parse_args(rem) + + # Merge global args into args. + for arg in vars(global_args): + if not hasattr(args, arg): + setattr(args, arg, getattr(global_args, arg)) + elif hasattr(args, arg) and getattr(args, arg) is None: + setattr(args, arg, getattr(global_args, arg)) + + return args diff --git a/suricata/update/rule.py b/suricata/update/rule.py new file mode 100644 index 0000000..169af6c --- /dev/null +++ b/suricata/update/rule.py @@ -0,0 +1,439 @@ +# Copyright (C) 2017-2019 Open Information Security Foundation +# Copyright (c) 2011 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +""" Module for parsing Snort-like rules. + +Parsing is done using regular expressions and the job of this module +is to do its best at parsing out fields of interest from the rule +rather than perform a sanity check. + +The methods that parse multiple rules for a provided input +(parse_file, parse_fileobj) return a list of rules instead of dict +keyed by ID as its not the job of this module to detect or deal with +duplicate signature IDs. +""" + +from __future__ import print_function + +import sys +import re +import logging +import io + +logger = logging.getLogger(__name__) + +# Compile an re pattern for basic rule matching. +rule_pattern = re.compile(r"^(?P<enabled>#)*[\s#]*" + r"(?P<raw>" + r"(?P<header>[^()]+)" + r"\((?P<options>.*)\)" + r"$)") + +# Rule actions we expect to see. +actions = ( + "alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop") + +class NoEndOfOptionError(Exception): + """Exception raised when the end of option terminator (semicolon) is + missing.""" + pass + +class Rule(dict): + """Class representing a rule. + + The Rule class is a class that also acts like a dictionary. + + Dictionary fields: + + - **group**: The group the rule belongs to, typically the filename. + - **enabled**: True if rule is enabled (uncommented), False is + disabled (commented) + - **action**: The action of the rule (alert, pass, etc) as a + string + - **proto**: The protocol of the rule. + - **direction**: The direction string of the rule. + - **gid**: The gid of the rule as an integer + - **sid**: The sid of the rule as an integer + - **rev**: The revision of the rule as an integer + - **msg**: The rule message as a string + - **flowbits**: List of flowbit options in the rule + - **metadata**: Metadata values as a list + - **references**: References as a list + - **classtype**: The classification type + - **priority**: The rule priority, 0 if not provided + - **noalert**: Is the rule a noalert rule + - **features**: Features required by this rule + - **raw**: The raw rule as read from the file or buffer + + :param enabled: Optional parameter to set the enabled state of the rule + :param action: Optional parameter to set the action of the rule + :param group: Optional parameter to set the group (filename) of the rule + + """ + + def __init__(self, enabled=None, action=None, group=None): + dict.__init__(self) + self["enabled"] = enabled + self["action"] = action + self["proto"] = None + self["source_addr"] = None + self["source_port"] = None + self["direction"] = None + self["dest_addr"] = None + self["dest_port"] = None + self["group"] = group + self["gid"] = 1 + self["sid"] = None + self["rev"] = 0 + self["msg"] = None + self["flowbits"] = [] + self["metadata"] = [] + self["references"] = [] + self["classtype"] = None + self["priority"] = 0 + self["noalert"] = False + + self["features"] = [] + + self["raw"] = None + + def __getattr__(self, name): + return self[name] + + @property + def id(self): + """ The ID of the rule. + + :returns: A tuple (gid, sid) representing the ID of the rule + :rtype: A tuple of 2 ints + """ + return (int(self.gid), int(self.sid)) + + @property + def idstr(self): + """Return the gid and sid of the rule as a string formatted like: + '[GID:SID]'""" + return "[%s:%s]" % (str(self.gid), str(self.sid)) + + def brief(self): + """ A brief description of the rule. + + :returns: A brief description of the rule + :rtype: string + """ + return "%s[%d:%d] %s" % ( + "" if self.enabled else "# ", self.gid, self.sid, self.msg) + + def __hash__(self): + return self["raw"].__hash__() + + def __str__(self): + """ The string representation of the rule. + + If the rule is disabled it will be returned as commented out. + """ + return self.format() + + def format(self): + if self.noalert and not "noalert;" in self.raw: + self.raw = re.sub(r'( *sid\: *[0-9]+\;)', r' noalert;\1', self.raw) + return u"%s%s" % (u"" if self.enabled else u"# ", self.raw) + +def find_opt_end(options): + """ Find the end of an option (;) handling escapes. """ + offset = 0 + + while True: + i = options[offset:].find(";") + if options[offset + i - 1] == "\\": + offset += 2 + else: + return offset + i + +class BadSidError(Exception): + """Raises exception when sid is of type null""" + +def parse(buf, group=None): + """ Parse a single rule for a string buffer. + + :param buf: A string buffer containing a single Snort-like rule + + :returns: An instance of of :py:class:`.Rule` representing the parsed rule + """ + + if type(buf) == type(b""): + buf = buf.decode("utf-8") + buf = buf.strip() + + m = rule_pattern.match(buf) + if not m: + return None + + if m.group("enabled") == "#": + enabled = False + else: + enabled = True + + header = m.group("header").strip() + + rule = Rule(enabled=enabled, group=group) + + # If a decoder rule, the header will be one word. + if len(header.split(" ")) == 1: + action = header + direction = None + else: + states = ["action", + "proto", + "source_addr", + "source_port", + "direction", + "dest_addr", + "dest_port", + ] + state = 0 + + rem = header + while state < len(states): + if not rem: + return None + if rem[0] == "[": + end = rem.find("]") + if end < 0: + return + end += 1 + token = rem[:end].strip() + rem = rem[end:].strip() + else: + end = rem.find(" ") + if end < 0: + token = rem + rem = "" + else: + token = rem[:end].strip() + rem = rem[end:].strip() + + if states[state] == "action": + action = token + elif states[state] == "proto": + rule["proto"] = token + elif states[state] == "source_addr": + rule["source_addr"] = token + elif states[state] == "source_port": + rule["source_port"] = token + elif states[state] == "direction": + direction = token + elif states[state] == "dest_addr": + rule["dest_addr"] = token + elif states[state] == "dest_port": + rule["dest_port"] = token + + state += 1 + + if action not in actions: + return None + + rule["action"] = action + rule["direction"] = direction + rule["header"] = header + + options = m.group("options") + + while True: + if not options: + break + index = find_opt_end(options) + if index < 0: + raise NoEndOfOptionError("no end of option") + option = options[:index].strip() + options = options[index + 1:].strip() + + if option.find(":") > -1: + name, val = [x.strip() for x in option.split(":", 1)] + else: + name = option + val = None + + if name in ["gid", "sid", "rev"]: + rule[name] = int(val) + elif name == "metadata": + if not name in rule: + rule[name] = [] + rule[name] += [v.strip() for v in val.split(",")] + elif name == "flowbits": + rule.flowbits.append(val) + if val and val.find("noalert") > -1: + rule["noalert"] = True + elif name == "noalert": + rule["noalert"] = True + elif name == "reference": + rule.references.append(val) + elif name == "msg": + if val and val.startswith('"') and val.endswith('"'): + val = val[1:-1] + rule[name] = val + else: + rule[name] = val + + if name.startswith("ja3"): + rule["features"].append("ja3") + + if rule["msg"] is None: + rule["msg"] = "" + + if not rule["sid"]: + raise BadSidError("Sid cannot be of type null") + + rule["raw"] = m.group("raw").strip() + + return rule + +def parse_fileobj(fileobj, group=None): + """ Parse multiple rules from a file like object. + + Note: At this time rules must exist on one line. + + :param fileobj: A file like object to parse rules from. + + :returns: A list of :py:class:`.Rule` instances, one for each rule parsed + """ + rules = [] + buf = "" + for line in fileobj: + try: + if type(line) == type(b""): + line = line.decode() + except: + pass + if line.rstrip().endswith("\\"): + buf = "%s%s " % (buf, line.rstrip()[0:-1]) + continue + buf = buf + line + try: + rule = parse(buf, group) + if rule: + rules.append(rule) + except Exception as err: + logger.error("Failed to parse rule: %s: %s", buf.rstrip(), err) + buf = "" + return rules + +def parse_file(filename, group=None): + """ Parse multiple rules from the provided filename. + + :param filename: Name of file to parse rules from + + :returns: A list of :py:class:`.Rule` instances, one for each rule parsed + """ + with io.open(filename, encoding="utf-8") as fileobj: + return parse_fileobj(fileobj, group) + +class FlowbitResolver(object): + + setters = ["set", "setx", "unset", "toggle"] + getters = ["isset", "isnotset"] + + def __init__(self): + self.enabled = [] + + def resolve(self, rules): + required = self.get_required_flowbits(rules) + enabled = self.set_required_flowbits(rules, required) + if enabled: + self.enabled += enabled + return self.resolve(rules) + return self.enabled + + def set_required_flowbits(self, rules, required): + enabled = [] + for rule in [rule for rule in rules.values() if not rule.enabled]: + for option, value in map(self.parse_flowbit, rule.flowbits): + if option in self.setters and value in required: + rule.enabled = True + enabled.append(rule) + return enabled + + def get_required_rules(self, rulemap, flowbits, include_enabled=False): + """Returns a list of rules that need to be enabled in order to satisfy + the list of required flowbits. + + """ + required = [] + + for rule in [rule for rule in rulemap.values()]: + if not rule: + continue + for option, value in map(self.parse_flowbit, rule.flowbits): + if option in self.setters and value in flowbits: + if rule.enabled and not include_enabled: + continue + required.append(rule) + + return required + + def get_required_flowbits(self, rules): + required_flowbits = set() + for rule in [rule for rule in rules.values() if rule and rule.enabled]: + for option, value in map(self.parse_flowbit, rule.flowbits): + if option in self.getters: + required_flowbits.add(value) + return required_flowbits + + def parse_flowbit(self, flowbit): + tokens = flowbit.split(",", 1) + if len(tokens) == 1: + return tokens[0], None + elif len(tokens) == 2: + return tokens[0], tokens[1] + else: + raise Exception("Flowbit parse error on %s" % (flowbit)) + +def enable_flowbit_dependencies(rulemap): + """Helper function to resolve flowbits, wrapping the FlowbitResolver + class. """ + resolver = FlowbitResolver() + return resolver.resolve(rulemap) + +def format_sidmsgmap(rule): + """ Format a rule as a sid-msg.map entry. """ + try: + return " || ".join([str(rule.sid), rule.msg] + rule.references) + except: + logger.error("Failed to format rule as sid-msg.map: %s" % (str(rule))) + return None + +def format_sidmsgmap_v2(rule): + """ Format a rule as a v2 sid-msg.map entry. + + eg: + gid || sid || rev || classification || priority || msg || ref0 || refN + """ + try: + return " || ".join([ + str(rule.gid), str(rule.sid), str(rule.rev), + "NOCLASS" if rule.classtype is None else rule.classtype, + str(rule.priority), rule.msg] + rule.references) + except: + logger.error("Failed to format rule as sid-msg-v2.map: %s" % ( + str(rule))) + return None + +def parse_var_names(var): + """ Parse out the variable names from a string. """ + if var is None: + return [] + return re.findall(r"\$([\w_]+)", var) diff --git a/suricata/update/sources.py b/suricata/update/sources.py new file mode 100644 index 0000000..a5bc673 --- /dev/null +++ b/suricata/update/sources.py @@ -0,0 +1,207 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import sys +import os +import logging +import io +import argparse + +import yaml + +from suricata.update import config +from suricata.update import net +from suricata.update import util +from suricata.update import loghandler +from suricata.update.data.index import index as bundled_index + +logger = logging.getLogger() + +DEFAULT_SOURCE_INDEX_URL = "https://www.openinfosecfoundation.org/rules/index.yaml" +SOURCE_INDEX_FILENAME = "index.yaml" + +DEFAULT_ETOPEN_URL = "https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz" + +def get_source_directory(): + """Return the directory where source configuration files are kept.""" + return os.path.join(config.get_state_dir(), config.SOURCE_DIRECTORY) + +def get_index_filename(): + return os.path.join(config.get_cache_dir(), SOURCE_INDEX_FILENAME) + +def get_sources_from_dir(): + """Return names of all files existing in the sources dir""" + source_dir = get_source_directory() + source_names = [] + (_, _, fnames) = next(os.walk(source_dir)) + source_names = [".".join(fname.split('.')[:-1]) for fname in fnames] + return source_names + +def get_enabled_source_filename(name): + return os.path.join(get_source_directory(), "%s.yaml" % ( + safe_filename(name))) + +def get_disabled_source_filename(name): + return os.path.join(get_source_directory(), "%s.yaml.disabled" % ( + safe_filename(name))) + +def source_name_exists(name): + """Return True if a source already exists with name.""" + if os.path.exists(get_enabled_source_filename(name)) or \ + os.path.exists(get_disabled_source_filename(name)): + return True + return False + +def source_index_exists(config): + """Return True if the source index file exists.""" + return os.path.exists(get_index_filename()) + +def get_source_index_url(): + if os.getenv("SOURCE_INDEX_URL"): + return os.getenv("SOURCE_INDEX_URL") + return DEFAULT_SOURCE_INDEX_URL + +def save_source_config(source_config): + if not os.path.exists(get_source_directory()): + logger.info("Creating directory %s", get_source_directory()) + os.makedirs(get_source_directory()) + with open(get_enabled_source_filename(source_config.name), "w") as fileobj: + fileobj.write(yaml.safe_dump( + source_config.dict(), default_flow_style=False)) + +class SourceConfiguration: + + def __init__(self, name, header=None, url=None, + params={}, checksum=True): + self.name = name + self.url = url + self.params = params + self.header = header + self.checksum = checksum + + def dict(self): + d = { + "source": self.name, + } + if self.url: + d["url"] = self.url + if self.params: + d["params"] = self.params + if self.header: + d["http-header"] = self.header + if self.checksum: + d["checksum"] = self.checksum + return d + +class Index: + + def __init__(self, filename): + self.filename = filename + self.index = {} + self.load() + + def load(self): + if os.path.exists(self.filename): + index = yaml.safe_load(open(self.filename, "rb")) + self.index = index + else: + self.index = bundled_index + + def resolve_url(self, name, params={}): + if not name in self.index["sources"]: + raise Exception("Source name not in index: %s" % (name)) + source = self.index["sources"][name] + try: + return source["url"] % params + except KeyError as err: + raise Exception("Missing URL parameter: %s" % (str(err.args[0]))) + + def get_sources(self): + return self.index["sources"] + + def get_source_by_name(self, name): + if name in self.index["sources"]: + return self.index["sources"][name] + return None + + def get_versions(self): + try: + return self.index["versions"] + except KeyError: + logger.error("Version information not in index. Please update with suricata-update update-sources.") + sys.exit(1) + +def load_source_index(config): + return Index(get_index_filename()) + +def get_enabled_sources(): + """Return a map of enabled sources, keyed by name.""" + if not os.path.exists(get_source_directory()): + return {} + sources = {} + for dirpath, dirnames, filenames in os.walk(get_source_directory()): + for filename in filenames: + if filename.endswith(".yaml"): + path = os.path.join(dirpath, filename) + logger.debug("Loading source specification file {}".format(path)) + source = yaml.safe_load(open(path, "rb")) + + if not "source" in source: + logger.error("Source specification file missing field \"source\": filename: {}".format( + path)) + continue + + sources[source["source"]] = source + + if "params" in source: + for param in source["params"]: + if param.startswith("secret"): + loghandler.add_secret(source["params"][param], param) + + return sources + +def remove_source(config): + name = config.args.name + + enabled_source_filename = get_enabled_source_filename(name) + if os.path.exists(enabled_source_filename): + logger.debug("Deleting file %s.", enabled_source_filename) + os.remove(enabled_source_filename) + logger.info("Source %s removed, previously enabled.", name) + return 0 + + disabled_source_filename = get_disabled_source_filename(name) + if os.path.exists(disabled_source_filename): + logger.debug("Deleting file %s.", disabled_source_filename) + os.remove(disabled_source_filename) + logger.info("Source %s removed, previously disabled.", name) + return 0 + + logger.warning("Source %s does not exist.", name) + return 1 + +def safe_filename(name): + """Utility function to make a source short-name safe as a + filename.""" + name = name.replace("/", "-") + return name + +def get_etopen_url(params): + if os.getenv("ETOPEN_URL"): + return os.getenv("ETOPEN_URL") % params + return DEFAULT_ETOPEN_URL % params diff --git a/suricata/update/util.py b/suricata/update/util.py new file mode 100644 index 0000000..50788d8 --- /dev/null +++ b/suricata/update/util.py @@ -0,0 +1,98 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +""" Module for utility functions that don't really fit anywhere else. """ + +import hashlib +import tempfile +import atexit +import shutil +import zipfile + +def md5_hexdigest(filename): + """ Compute the MD5 checksum for the contents of the provided filename. + + :param filename: Filename to computer MD5 checksum of. + + :returns: A string representing the hex value of the computed MD5. + """ + return hashlib.md5(open(filename).read().encode()).hexdigest() + +def mktempdir(delete_on_exit=True): + """ Create a temporary directory that is removed on exit. """ + tmpdir = tempfile.mkdtemp("suricata-update") + if delete_on_exit: + atexit.register(shutil.rmtree, tmpdir, ignore_errors=True) + return tmpdir + +class ZipArchiveReader: + + def __init__(self, zipfile): + self.zipfile = zipfile + self.names = self.zipfile.namelist() + + def __iter__(self): + return self + + def __enter__(self): + return self + + def __exit__(self, type, value, traceback): + self.zipfile.close() + + def next(self): + if self.names: + name = self.names.pop(0) + if name.endswith("/"): + # Is a directory, ignore + return self.next() + return name + raise StopIteration + + def open(self, name): + return self.zipfile.open(name) + + def read(self, name): + return self.zipfile.read(name) + + @classmethod + def from_fileobj(cls, fileobj): + zf = zipfile.ZipFile(fileobj) + return cls(zf) + +GREEN = "\x1b[32m" +BLUE = "\x1b[34m" +REDB = "\x1b[1;31m" +YELLOW = "\x1b[33m" +RED = "\x1b[31m" +YELLOWB = "\x1b[1;33m" +ORANGE = "\x1b[38;5;208m" +BRIGHT_MAGENTA = "\x1b[1;35m" +BRIGHT_CYAN = "\x1b[1;36m" +RESET = "\x1b[0m" + +def blue(msg): + return "%s%s%s" % (BLUE, msg, RESET) + +def bright_magenta(msg): + return "%s%s%s" % (BRIGHT_MAGENTA, msg, RESET) + +def bright_cyan(msg): + return "%s%s%s" % (BRIGHT_CYAN, msg, RESET) + +def orange(msg): + return "%s%s%s" % (ORANGE, msg, RESET) diff --git a/suricata/update/version.py b/suricata/update/version.py new file mode 100644 index 0000000..75d1205 --- /dev/null +++ b/suricata/update/version.py @@ -0,0 +1,7 @@ +# Version format: +# Release: 1.0.0 +# Beta: 1.0.0b1 +# Alpha: 1.0.0a1 +# Development: 1.0.0dev0 +# Release candidate: 1.0.0rc1 +version = "1.3.2" diff --git a/tests/classification1.config b/tests/classification1.config new file mode 100644 index 0000000..f00276f --- /dev/null +++ b/tests/classification1.config @@ -0,0 +1,51 @@ + +# +# config classification:shortname,short description,priority +# + +config classification: not-suspicious,Not Suspicious Traffic,3 +config classification: unknown,Unknown Traffic,3 +config classification: bad-unknown,Potentially Bad Traffic, 2 +config classification: attempted-recon,Attempted Information Leak,2 +config classification: successful-recon-limited,Information Leak,2 +config classification: successful-recon-largescale,Large Scale Information Leak,2 +config classification: attempted-dos,Attempted Denial of Service,2 +config classification: successful-dos,Denial of Service,2 +config classification: attempted-user,Attempted User Privilege Gain,1 +config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 +config classification: successful-user,Successful User Privilege Gain,1 +config classification: attempted-admin,Attempted Administrator Privilege Gain,1 +config classification: successful-admin,Successful Administrator Privilege Gain,1 + +# NEW CLASSIFICATIONS +config classification: rpc-portmap-decode,Decode of an RPC Query,2 +config classification: shellcode-detect,Executable code was detected,1 +config classification: string-detect,A suspicious string was detected,3 +config classification: suspicious-filename-detect,A suspicious filename was detected,2 +config classification: suspicious-login,An attempted login using a suspicious username was detected,2 +config classification: system-call-detect,A system call was detected,2 +config classification: tcp-connection,A TCP connection was detected,4 +config classification: trojan-activity,A Network Trojan was detected, 1 +config classification: unusual-client-port-connection,A client was using an unusual port,2 +config classification: network-scan,Detection of a Network Scan,3 +config classification: denial-of-service,Detection of a Denial of Service Attack,2 +config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 +config classification: protocol-command-decode,Generic Protocol Command Decode,3 +config classification: web-application-activity,access to a potentially vulnerable web application,2 +config classification: web-application-attack,Web Application Attack,1 +config classification: misc-activity,Misc activity,3 +config classification: misc-attack,Misc Attack,2 +config classification: icmp-event,Generic ICMP event,3 +config classification: kickass-porn,SCORE! Get the lotion!,1 +config classification: policy-violation,Potential Corporate Privacy Violation,1 +config classification: default-login-attempt,Attempt to login by a default username and password,2 + +# Update +config classification: targeted-activity,Targeted Malicious Activity was Detected,1 +config classification: exploit-kit,Exploit Kit Activity Detected,1 +config classification: external-ip-check,Device Retrieving External IP Address Detected,2 +config classification: domain-c2,Domain Observed Used for C2 Detected,1 +config classification: pup-activity,Possibly Unwanted Program Detected,2 +config classification: credential-theft,Successful Credential Theft Detected,1 +config classification: social-engineering,Possible Social Engineering Attempted,2 +config classification: coin-mining,Crypto Currency Mining Activity Detected,2 diff --git a/tests/classification2.config b/tests/classification2.config new file mode 100644 index 0000000..d470ab5 --- /dev/null +++ b/tests/classification2.config @@ -0,0 +1,54 @@ + +# +# config classification:shortname,short description,priority +# + +config classification: not-suspicious,Not Suspicious Traffic,3 +config classification: unknown,Unknown Traffic,3 +config classification: bad-unknown,Potentially Bad Traffic, 2 +config classification: attempted-recon,Attempted Information Leak,2 +config classification: successful-recon-limited,Information Leak,2 +config classification: successful-recon-largescale,Large Scale Information Leak,2 +config classification: attempted-dos,Attempted Denial of Service,2 +config classification: successful-dos,Denial of Service,2 +config classification: attempted-user,Attempted User Privilege Gain,1 +config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 +config classification: successful-user,Successful User Privilege Gain,1 +config classification: attempted-admin,Attempted Administrator Privilege Gain,1 +config classification: successful-admin,Successful Administrator Privilege Gain,1 + +# NEW CLASSIFICATIONS +config classification: rpc-portmap-decode,Decode of an RPC Query,2 +config classification: shellcode-detect,Executable code was detected,1 +config classification: string-detect,A suspicious string was detected,3 +config classification: suspicious-filename-detect,A suspicious filename was detected,2 +config classification: suspicious-login,An attempted login using a suspicious username was detected,2 +config classification: system-call-detect,A system call was detected,2 +config classification: tcp-connection,A TCP connection was detected,4 +config classification: trojan-activity,A Network Trojan was detected, 1 +config classification: unusual-client-port-connection,A client was using an unusual port,2 +config classification: network-scan,Detection of a Network Scan,3 +config classification: denial-of-service,Detection of a Denial of Service Attack,2 +config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 +config classification: protocol-command-decode,Generic Protocol Command Decode,3 +config classification: web-application-activity,access to a potentially vulnerable web application,2 +config classification: web-application-attack,Web Application Attack,1 +config classification: misc-activity,Misc activity,3 +config classification: misc-attack,Misc Attack,5 +config classification: icmp-event,Generic ICMP event,3 +config classification: kickass-porn,SCORE! Get the lotion!,1 +config classification: policy-violation,Potential Corporate Privacy Violation,1 +config classification: default-login-attempt,Attempt to login by a default username and password,2 + +# Update +config classification: targeted-activity,Targeted Malicious Activity was Detected,1 +config classification: exploit-kit,Exploit Kit Activity Detected,1 +config classification: external-ip-check,Device Retrieving External IP Address Detected,2 +config classification: domain-c2,Domain Observed Used for C2 Detected,1 +config classification: pup-activity,Possibly Unwanted Program Detected,2 +config classification: credential-theft,Successful Credential Theft Detected,1 +config classification: social-engineering,Possible Social Engineering Attempted,2 +config classification: coin-mining,Crypto Currency Mining Activity Detected,2 +config classification: coin-mining-test-1,Crypto Currency Mining Activity Detected Test 1,2 +config classification: coin-mining-test-2,Crypto Currency Mining Activity Detected Test 2,4 + diff --git a/tests/docker-centos-7/Dockerfile b/tests/docker-centos-7/Dockerfile new file mode 100644 index 0000000..fdf1814 --- /dev/null +++ b/tests/docker-centos-7/Dockerfile @@ -0,0 +1,25 @@ +FROM centos:7 + +RUN yum -y install epel-release +RUN yum -y install \ + git \ + python-yaml \ + python-pip \ + pytest \ + python34-yaml \ + python34-pytest \ + python34-pip \ + findutils + +COPY / /src +RUN find /src -name \*.pyc -delete + +ENV PYTEST2 py.test +ENV PYTEST3 py.test-3 + +ENV PIP2 pip2 +ENV PIP3 pip3 + +WORKDIR /src + +CMD ["./tests/docker-centos-7/run.sh"] diff --git a/tests/docker-centos-7/Makefile b/tests/docker-centos-7/Makefile new file mode 100644 index 0000000..619f3f2 --- /dev/null +++ b/tests/docker-centos-7/Makefile @@ -0,0 +1,6 @@ +TAG := suricata-update/tests/centos-7 + +all: + docker build -t $(TAG) -f Dockerfile ../.. + docker run --rm -it $(TAG) + diff --git a/tests/docker-centos-7/README.md b/tests/docker-centos-7/README.md new file mode 100644 index 0000000..c0b6664 --- /dev/null +++ b/tests/docker-centos-7/README.md @@ -0,0 +1,11 @@ +This is a live test of Suricata-Update in a CentOS 7 Docker image. + +The following tests are performed: +- Unit tests with Python 2 and Python 3. +- Installation with Python 2 pip. +- Various commands run as a user might with Python 2 install. +- Installation with Python 3 pip. +- Various commands run as a user might with Python 3 install. + +This test is "live" as the index and rule files will be downloaded +from the internet. diff --git a/tests/docker-centos-7/run.sh b/tests/docker-centos-7/run.sh new file mode 100755 index 0000000..23e52f0 --- /dev/null +++ b/tests/docker-centos-7/run.sh @@ -0,0 +1,54 @@ +#! /bin/sh + +set -e +set -x + +# Test the commands in a scenario a user might. +test_commands() { + # Cleanup. + rm -rf /var/lib/suricata + + suricata-update + test -e /var/lib/suricata/rules/suricata.rules + + suricata-update update-sources + test -e /var/lib/suricata/update/cache/index.yaml + + suricata-update enable-source oisf/trafficid + test -e /var/lib/suricata/update/sources/et-open.yaml + test -e /var/lib/suricata/update/sources/oisf-trafficid.yaml + suricata-update + + suricata-update disable-source oisf/trafficid + test ! -e /var/lib/suricata/update/sources/oisf-trafficid.yaml + test -e /var/lib/suricata/update/sources/oisf-trafficid.yaml.disabled + + suricata-update remove-source oisf/trafficid + test ! -e /var/lib/suricata/update/sources/oisf-trafficid.yaml.disabled +} + +# Python 2 unit tests. +PYTHONPATH=. ${PYTEST2} + +# Python 3 unit tests. +PYTHONPATH=. ${PYTEST3} + +# Install with Python 2. +${PIP2} install . +test -e /usr/bin/suricata-update + +test_commands + +# Uninstall Python 2 version. +${PIP2} uninstall --yes suricata-update +test ! -e /usr/bin/suricata-update + +# Install and run with Python 3. +${PIP3} install . +test -e /usr/bin/suricata-update +grep python3 -s /usr/bin/suricata-update + +test_commands + +${PIP3} uninstall --yes suricata-update +test ! -e /usr/local/bin/suricata-update diff --git a/tests/emerging-current_events.rules b/tests/emerging-current_events.rules new file mode 100644 index 0000000..8880195 --- /dev/null +++ b/tests/emerging-current_events.rules @@ -0,0 +1,5400 @@ +# Emerging Threats +# +# This distribution may contain rules under two different licenses. +# +# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. +# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html +# +# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License +# as follows: +# +#************************************************************* +# Copyright (c) 2003-2017, Emerging Threats +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the +# following conditions are met: +# +# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following +# disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the +# following disclaimer in the documentation and/or other materials provided with the distribution. +# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +#************************************************************* +# +# +# +# + +# This Ruleset is EmergingThreats Open optimized for suricata-1.3. + +#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"<html><head></head><body>Loading...<div id=|22|page|22| style=|22|display|3a| none|22|>"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011348; rev:4;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; http_client_body; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011349; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; distance:5; within:5; http_client_body; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011350; rev:8;) + +#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; file_data; content:"<div style=|22|visibility|3a| hidden|3b 22|><"; depth:120; classtype:bad-unknown; sid:2011355; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2;) + +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - Landing Page"; flow:established,to_client; content:"<div id=\"obj\"></div><div id=\"pdf\"></div><div id=\"hcp\">"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011812; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011813; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS exploit kit x/load/svchost.exe"; flow:established,to_server; content:"GET"; http_method; content:"load/svchost.exe"; nocase; http_uri; classtype:bad-unknown; sid:2011906; rev:3;) + +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/ "; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:bad-unknown; sid:2011972; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:bad-unknown; sid:2011973; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon JavaScript IFRAME Redirect"; flow:established,to_client; file_data; content:"marginwidth=|5c 22|0|22 5c| marginheight=|5c 22|0|22 5c| hspace=|5c 22|0|22 5c| vspace=|5c 22|0|22 5c| frameborder=|5c 22|0|22 5c| scrolling=|5c 22|0|22 5c| bordercolor=|5c 22 23|000000|5c 22|></IFRAME>|22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2011988; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2012401; rev:11;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:8;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:trojan-activity; sid:2012518; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012525; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012526; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012527; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012528; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"<title>MWL</title>"; classtype:bad-unknown; sid:2012530; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:6;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2;) + +#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"SWF"; fast_pattern:only; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012621; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; classtype:attempted-user; sid:2012624; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:5;) + +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:bad-unknown; sid:2012632; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:bad-unknown; sid:2012630; rev:3;) + +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2012635; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Newplayer.pdf"; flow:established,to_server; content:"/newplayer.pdf"; http_uri; reference:cve,2009-4324; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012941; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Printf.pdf"; flow:established,to_server; content:"/printf.pdf"; http_uri; reference:cve,2008-2992; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012942; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit Geticon.pdf"; flow:established,to_server; content:"/geticon.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012943; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix Exploit Kit All.pdf"; flow:established,to_server; content:"/tmp/all.pdf"; http_uri; reference:url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp; classtype:attempted-user; sid:2012944; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; fast_pattern; content:"Set-Cookie|3a| "; content:"avtor="; within:40; classtype:trojan-activity; sid:2013011; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:trojan-activity; sid:2013024; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4;) + +#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\"></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>400; classtype:bad-unknown; sid:2013093; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:bad-unknown; sid:2013094; rev:9;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:"<param name="; nocase; content:"value="; nocase; distance:0; content:"|2E|swf?info="; fast_pattern; nocase; distance:0; pcre:"/value\x22[^\x22]*\x2Eswf\x3finfo\x3D/smi"; reference:url,stopmalvertising.com/malware-reports/all-ur-swf-bel0ng-2-us-analysis-of-cve-2011-2110.html; reference:bid,48268; reference:cve,2011-2110; classtype:attempted-user; sid:2013137; rev:3;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4;) + +#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|></script>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body><div|20|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:2;) + +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:4;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2;) + +#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; content:!"|09|footprint|03|net|00|"; nocase; distance:0; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|></iframe>"; fast_pattern; content:"<html"; nocase; distance:0; classtype:bad-unknown; sid:2013380; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"<title>NACHA</title>"; classtype:bad-unknown; sid:2013474; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013548; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:3;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:6;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013652; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:"<html><body><script>|0d 0a|"; fast_pattern; nocase; content:"document.createElement"; within:50; content:"|28|String["; distance:0; pcre:"/,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,/iR"; classtype:bad-unknown; sid:2013660; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit kit worms.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/worms.jar"; http_uri; classtype:trojan-activity; sid:2013661; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013664; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013665; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013666; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013690; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013691; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013693; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013692; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013696; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo.class"; flow:established,to_server; content:"/lo.class"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013697; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo2.jar"; flow:established,to_server; content:"/lo2.jar"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013698; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>|0d 0a|<body>|0d 0a|<applet archive="; content:"width=|22|0|22| height=|22|0|22|></applet>|0d 0a|</body>|0d 0a|</body></html>"; distance:0; classtype:trojan-activity; sid:2013699; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; content:"code="; content:".jar"; content:"e00oMDD"; fast_pattern; content:"</applet>"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013746; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013775; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Saturn Exploit Kit probable Java exploit request"; flow:established,to_server; content:"/dl/apache.php"; depth:14; http_uri; classtype:trojan-activity; sid:2013776; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013777; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 2"; flow:established,to_server; content:"/2ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013786; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 2"; flow:established,to_server; content:"/1ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013787; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013788; rev:3;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:bad-unknown; sid:2013805; rev:4;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:bad-unknown; sid:2013806; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to showthread.php?t="; flow:established,to_server; content:"/showthread.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/showthread\.php\?t=\d+$/Ui"; reference:url,research.zscaler.com/2012/01/popularity-of-exploit-kits-leading-to.html; classtype:trojan-activity; sid:2013916; rev:6;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Javascript padded charcodes 25"; flow:established,from_server; content:"75"; depth:500; content:"86"; within:4; content:"74"; within:4; content:"92"; within:4; content:"84"; within:4; classtype:bad-unknown; sid:2013950; rev:1;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jupiter Exploit Kit Landing Page with Malicious Java Applets"; flow:established,from_server; content:"<applet"; content:"code="; content:".jar"; distance:0; content:"u//FCyy"; within:50; fast_pattern; content:"</applet>"; within:100; classtype:bad-unknown; sid:2013955; rev:3;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:attempted-user; sid:2013960; rev:6;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2013975; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013978; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013979; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; classtype:trojan-activity; sid:2013990; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013991; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013992; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Probable Scalaxy exploit kit secondary request"; flow:established,to_server; content:"=1.6.0_"; http_uri; pcre:"/^\/[a-z][0-9a-z_+=-]{10,30}\?\w=[0-9.]+\&\w=1.6.0_\d\d$/Ui"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014024; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:bad-unknown; sid:2014025; rev:1;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:bad-unknown; sid:2014027; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:trojan-activity; sid:2014031; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:trojan-activity; sid:2014032; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:trojan-activity; sid:2014033; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:trojan-activity; sid:2014034; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2014036; rev:6;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING OpenX BrowserDetect.init Download"; flow:established,to_client; content:"OAID="; http_cookie; file_data; content:"BrowserDetect.init"; classtype:bad-unknown; sid:2014038; rev:6;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\"></iframe>"; classtype:bad-unknown; sid:2014039; rev:5;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt"; flow:established,to_client; content:"document.createElement('applet'"; nocase; content:"setAttribute('code"; nocase; distance:0; content:"setAttribute('archive"; nocase; distance:0; content:".jar"; nocase; distance:0; content:"document.createElement('param"; nocase; distance:0; content:"setAttribute('name"; nocase; distance:0; content:"setAttribute('value"; nocase; distance:0; reference:url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye; reference:bid,50218; reference:cve,2011-3544; classtype:attempted-user; sid:2014048; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Likely Flash exploit download request score.swf"; flow:established,to_server; content:"/score.swf"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014053; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014094; rev:3;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:6;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole Likely Flash Exploit Request /field.swf"; flow:established,to_server; content:"/field.swf"; http_uri; classtype:trojan-activity; sid:2014126; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:trojan-activity; sid:2014136; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; depth:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Landing Page Request"; flow:established,to_server; content:".php?s="; http_uri; pcre:"/\.php\?s=[0-9a-fA-F]{25}$/U"; flowbits:set,et.exploitkitlanding; reference:url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html; classtype:bad-unknown; sid:2014147; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Binary Load Request"; flow:established,to_server; content:"/load.php?spl="; http_uri; pcre:"/\/load\.php\?spl=[-_\w]+$/U"; classtype:attempted-user; sid:2014148; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Known Malicious Link Leading to Exploit Kits (t.php?id=is1)"; flow:established,to_server; content:"/t.php?id=is1"; http_uri; classtype:bad-unknown; sid:2014151; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; reference:cve,2017-2962; classtype:attempted-user; sid:2014154; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 4"; flow:established,to_server; content:"/adfp2.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014157; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:"<applet code="; depth:35; content:".class"; distance:0; content:".jar"; distance:0; content:".pdf"; distance:0; classtype:attempted-user; sid:2014168; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected"; flow:established,to_client; content:"function booom"; nocase; pcre:"/function\x20booom[1-3]{1}\x28\x29/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014197; rev:2;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Exploiting IEPeers"; flow:established,to_client; content:"booom["; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; reference:url,www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/; reference:cve,2010-0806; classtype:trojan-activity; sid:2014199; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Landing Page Request"; flow:established,to_server; content:"/CUTE-IE.html"; nocase; http_uri; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014203; rev:3;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CutePack Exploit Kit JavaScript Variable Detected"; flow:established,to_client; content:"var Cute"; nocase; fast_pattern:only; pcre:"/var\x20Cute(Money|Power|Shine)/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014204; rev:1;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Iframe for Landing Page Detected"; flow:established,to_client; content:"/CUTE-IE.html"; nocase; fast_pattern:only; pcre:"/iframe[^\r\n]*\x2FCUTE-IE\x2Ehtml/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014205; rev:1;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CutePack Exploit Kit Landing Page Detected"; flow:established,to_client; content:"button id=|22|evilcute|22|"; nocase; fast_pattern:only; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014206; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014235; rev:12;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc."; http_header; distance:0; fast_pattern; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?calc\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014237; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about."; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?about\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014238; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:bad-unknown; sid:2014243; rev:5;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Tax Landing Page with JavaScript Attack"; flow:established,from_server; content:"Please wait, till tax confirmation is ready."; fast_pattern:only; content:"try{"; content:"catch("; classtype:attempted-admin; sid:2014274; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014279; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 6"; flow:established,to_server; content:"/ap1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014280; rev:1;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; file_data; content:"<applet"; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014281; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Download Secondary Request ?pagpag"; flow:established,to_server; content:".php?pagpag="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014282; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; distance:0; classtype:bad-unknown; sid:2014295; rev:6;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Javascript 171 charcodes >= 48"; flow:established,from_server; content:"G<H6>F=7.49B7F"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014298; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014301; rev:9;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script"; flow:established,to_client; content:"document.cookie=|22|dadong"; fast_pattern:17,6; nocase; reference:url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/; classtype:bad-unknown; sid:2014308; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; http_header; content:".exe"; http_header; content:"load/"; http_header; fast_pattern; file_data; content:"MZ"; depth:2; classtype:attempted-user; sid:2014314; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Requested"; flow:established,to_server; content:"/lib.php"; http_uri; content:".php?showtopic="; http_header; classtype:trojan-activity; sid:2014315; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"<</Filter/FlateDecode /Length"; within:64; classtype:trojan-activity; sid:2014316; rev:4;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"HTTP/1.1 30"; depth:11; content:"clickpayz.com/"; classtype:bad-unknown; sid:2014318; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Redirect"; flow:established,to_server; content:"GET"; http_method; content:"/mm.php?d=1"; http_uri; content:".rr.nu"; http_header; pcre:"/Host\x3A\x20[^\r\n]*.rr.nu/H"; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014334; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RogueAV Wordpress Injection Campaign Compromised Page Served to Local Client"; flow:established,to_client; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:attempted-user; sid:2014337; rev:2;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server"; flow:established,from_server; content:".rr.nu/mm.php?d=1|22|><|2F|script>"; nocase; reference:url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx; classtype:successful-admin; sid:2014338; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS INBOUND Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014346; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014362; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole qwe123 PDF"; flow:established,from_server; file_data; content:"%PDF-1.6"; depth:8; content:"|20 28|qwe123"; classtype:trojan-activity; sid:2014368; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cutwail Redirection Page 1"; flow:established,from_server; content:"document.location="; depth:200; content:".php?"; within:100; pcre:"/\.php\?[^&]{1,8}=[a-f0-9]{16}[\x22\x27\x3b\x20\x0a\x0d]/"; classtype:bad-unknown; sid:2014378; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; content:"Cookie|3a| visited=TRUE"; http_header; content:"Cookie|3a| mutex="; http_raw_header; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014407; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"visited=TRUE|3b| mutex="; http_cookie; depth:20; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014408; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; http_header; content:"client=done"; http_cookie; depth:11; classtype:bad-unknown; sid:2014413; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole Landing Page applet param window.document"; flow:established,from_server; content:"<applet"; content:"<param"; distance:0; content:"window.document"; distance:0; classtype:bad-unknown; sid:2014414; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit JavaScript dotted quad hostile applet"; flow:established,from_server; content:"<html><body><applet"; fast_pattern; content:"archive="; distance:0; content:"code="; pcre:"/archive=[^\x3e]+?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014415; rev:4;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Rhino Exploit Attempt - evilcode.class"; flow:established,to_client; content:"code=|22|evilcode.class|22|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:"Set-Cookie|3a| news=1"; http_raw_header; classtype:bad-unknown; sid:2014438; rev:9;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe|0d 0a|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014441; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U"; pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014442; rev:6;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; content:"|0d 0a 0d 0a|"; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; classtype:bad-unknown; sid:2014444; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; content:"/de/s"; http_uri; depth:5; urilen:6; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014446; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Dynamic Dns Exploit Pack Java exploit"; flow:established,to_server; content:"/de/"; http_uri; depth:4; content:".jar"; http_uri; distance:32; within:4; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014447; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole eval haha"; flow:established,from_server; content:"eval(haha"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2020604; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole PDF served from iframe"; flow:established,from_server; content:".pdf|27|/></iframe>"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014470; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:bad-unknown; sid:2014526; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing .prototype.q catch with split"; flow:established,from_server; content:".prototype.q}catch("; fast_pattern:only; content:".split("; classtype:trojan-activity; sid:2014537; rev:2;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious TDS /indigo?"; flow:to_server,established; content:"/indigo?"; http_uri; pcre:"/\/indigo\?\d+/U"; classtype:bad-unknown; sid:2014539; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing for Loading prototype catch"; flow:established,from_server; content:">Loading..."; fast_pattern:only; content:").prototype."; content:"}catch("; within:10; classtype:trojan-activity; sid:2014540; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - redirect received"; flow:established,to_client; content:"302"; http_stat_code; content:" SL_"; content:"_0000="; within:8; classtype:bad-unknown; sid:2014542; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - request in.cgi"; flow:to_server,established; content:"/in.cgi"; http_uri; classtype:bad-unknown; sid:2014543; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set"; flow:established,to_client; content:!"302"; http_stat_code; content:"Set-Cookie|3a| SL_"; content:"_0000="; within:8; classtype:bad-unknown; sid:2014544; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"/in.cgi?"; distance:0; flowbits:isnotset,ET.opera.adblock; classtype:bad-unknown; sid:2014545; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:established,to_client; content:"/in.cgi"; http_header; classtype:bad-unknown; sid:2014546; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - redirect received"; flow:established,to_client; content:"302"; http_stat_code; content:"=_"; content:"_\; domain="; distance:1; within:10; pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/C"; classtype:bad-unknown; sid:2014547; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set"; flow:established,to_client; content:!"302"; http_stat_code; content:"=_"; content:"_\; domain="; distance:1; within:10;pcre:"/^[a-z]{5}[0-9]{1,2}=_[0-9]{1,2}_/C"; classtype:bad-unknown; sid:2014548; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; distance:0; classtype:bad-unknown; sid:2014549; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; classtype:trojan-activity; sid:2014560; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File"; flow:established,to_client; file_data; content:"<script"; content:"navigator.userAgent.indexOf|28 27|Mac|27 29|"; distance:0; nocase; content:"setAttribute|28 27|code|27|"; distance:0; nocase; content:".class"; nocase; distance:0; content:"setAttribute|28 27|archive|27|"; distance:0; nocase; content:".jar"; nocase; distance:0; reference:url,blog.trendmicro.com/another-tibetan-themed-malware-email-campaign-targeting-windows-and-macs/; reference:cve,2011-3544; classtype:bad-unknown; sid:2014565; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unkown exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=MSIE"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; classtype:trojan-activity; sid:2014568; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unkown exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x="; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern; content:"&pdf="; http_uri; content:"&flash="; content:"&qt="; http_uri; classtype:trojan-activity; sid:2014569; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ET CURRENT_EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; file_data; content:"|50 4b 03 04|"; within:4; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10;) + +alert http $HOME_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:"</title><script src="; nocase; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; content:"/images.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/images\.php\?t=\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014609; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ"; flow:established,from_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014611; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - cookie is set RULEZ"; flow:established,to_server; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; classtype:trojan-activity; sid:2014612; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (file upload)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"jembot"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"empix="; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit PDF request to images.php?t=81118"; flow:established,to_server; content:"/images.php?t=81118"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014639; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:1;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:4;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unkown exploit kit pdf download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".pdf"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014657; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014658; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/=[0-9a-f]{8}\.jar/H"; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014664; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:trojan-activity; sid:2014665; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; distance:0; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; content:"/load_module.php?e="; http_uri; classtype:trojan-activity; sid:2014705; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; content:"/download_file.php?e="; http_uri; classtype:trojan-activity; sid:2014706; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; content:"filename=payload.exe.exe|0d 0a|"; http_header; classtype:trojan-activity; sid:2014707; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer!</"; fast_pattern; content:"images/alert.png"; classtype:bad-unknown; sid:2014729; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014749; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:"Java/1"; http_user_agent; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; classtype:trojan-activity; sid:2014773; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"><qwe qweqwe="; reference:url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47; classtype:trojan-activity; sid:2014774; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole PDF Payload Request"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014775; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; classtype:trojan-activity; sid:2014802; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; content:"/timthumb.php?"; http_uri; content:!"webshot=1"; http_uri; distance:0; content:"src="; http_uri; distance:0; content:"http"; distance:0; http_uri; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/Ui"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:2014846; rev:12;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; classtype:trojan-activity; sid:2014825; rev:5;) + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2;) + +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:6;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"|0d 0a 0d 0a|GIF89a|01 3f|"; content:"<?"; within:720; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014848; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/Ui"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014851; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:3;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern:only; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; classtype:bad-unknown; sid:2014854; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redirect to driveby sid=mix"; flow:to_server,established; content:"/go.php?sid=mix"; http_uri; classtype:bad-unknown; sid:2014866; rev:2;) + +alert http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern:only; content:" lonly="; http_cookie; classtype:bad-unknown; sid:2014884; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:trojan-activity; sid:2014891; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014892; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:trojan-activity; sid:2014895; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:"Java/1."; http_user_agent; fast_pattern; content:"Mozilla"; http_user_agent; depth:7; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:trojan-activity; sid:2014913; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:trojan-activity; sid:2014915; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; distance:0; within:12; classtype:trojan-activity; sid:2014921; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:trojan-activity; sid:2014922; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:attempted-user; sid:2014923; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; content:"/getfile.php?"; http_uri; content:"Java/1"; http_header; classtype:attempted-user; sid:2014924; rev:1;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; classtype:trojan-activity; sid:2014931; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; depth:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:".php"; http_uri; pcre:"/^\/[a-z]{15}[0-9]\.php$/U"; classtype:trojan-activity; sid:2014967; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:trojan-activity; sid:2014981; rev:7;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; content:"ev|22|+|22|a"; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ payload"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".php"; http_uri; content:"fid="; http_uri; content:"quote="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015011; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=|22|ev|22 3B|"; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:trojan-activity; sid:2015042; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"<html><body><script>"; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:trojan-activity; sid:2015056; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; classtype:trojan-activity; sid:2015057; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:9; content:"/top2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015478; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015479; rev:3;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; content:"/net/?u="; http_uri; fast_pattern:only; content:"Host|3a| net"; http_header; content:"net.net"; http_header; distance:2; within:7; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.0)"; http_header; pcre:"/^Host\x3a\snet[0-4]{2}net\.net\r?\n$/Hmi"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015487; rev:10;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:9;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; classtype:trojan-activity; sid:2015516; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".php"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015518; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:3;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR Some-State Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern:only; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015573; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:"<doswf version="; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015574; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; content:"/spl_data/"; http_uri; fast_pattern:only; content:" Java/"; http_header; classtype:trojan-activity; sid:2015603; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern:only; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:trojan-activity; sid:2015604; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015646; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:10;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:bad-unknown; sid:2015670; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET CURRENT_EVENTS Unknown Exploit Kit redirect"; flow:established,to_server; urilen:35; content:"GET"; http_method; content:"/t/"; depth:3; http_uri; pcre:"/^\/t\/[a-f0-9]{32}/Ui"; content:"|0d 0a|Host|3a| "; http_header; content:"|3a|1342|0d 0a|"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2015672; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:trojan-activity; sid:2015676; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern:only; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2015678; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; classtype:bad-unknown; sid:2015680; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; classtype:trojan-activity; sid:2015682; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; classtype:trojan-activity; sid:2015683; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:attempted-user; sid:2015689; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015690; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015691; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015693; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015694; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:attempted-user; sid:2015695; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015724; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; content:"/nano.php?x="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015734; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015758; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:trojan-activity; sid:2015783; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:trojan-activity; sid:2015789; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; distance:0; within:50; classtype:trojan-activity; sid:2015788; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:3;) + +alert http $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:trojan-activity; sid:2015792; rev:2;) + +alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015818; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015819; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:"Java/1."; http_user_agent; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:successful-user; sid:2015840; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user; sid:2015841; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}\.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015846; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Imposter USPS Domain"; flow:established,to_server; content:".usps.com."; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]\.usps\.com\./Hi"; classtype:trojan-activity; sid:2015848; rev:2;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:trojan-activity; sid:2015859; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:6;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:trojan-activity; sid:2015865; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015881; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015882; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:trojan-activity; sid:2015884; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; content:"/Dot.class"; http_uri; classtype:trojan-activity; sid:2015885; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:trojan-activity; sid:2015886; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru|0d 0a|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:attempted-user; sid:2015905; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - POST structure"; flow:established,to_server; content:"POST"; http_method; content:"&c="; http_client_body; content:"&p1="; http_client_body; content:"&p2="; http_client_body; content:"&p3="; http_client_body; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/P"; classtype:attempted-user; sid:2015906; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA -Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; classtype:bad-unknown; sid:2015907; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA - PII Phished"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; content:"&dob3="; http_client_body; classtype:bad-unknown; sid:2015908; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of America Phish Oct 1 M1"; flow:established,to_server; content:"POST"; http_method; content:"reason="; nocase; depth:7; fast_pattern; http_client_body; content:"Access_ID="; nocase; distance:0; http_client_body; content:"Current_Passcode="; nocase; distance:0; http_client_body; classtype:bad-unknown; sid:2015909; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; classtype:bad-unknown; sid:2015910; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; classtype:bad-unknown; sid:2015911; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Gmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; classtype:bad-unknown; sid:2015912; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; classtype:bad-unknown; sid:2015913; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; classtype:bad-unknown; sid:2015914; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:trojan-activity; sid:2015921; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_user_agent; urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015928; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015929; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; urilen:35; content:"/t/"; depth:3; http_uri; pcre:"/\/t\/[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2015936; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Banking PHISH - Login.php?LOB=RBG"; flow:established,to_server; content:"/Logon.php?LOB=RBG"; http_uri; content:"&_pageLabel=page_"; http_uri; classtype:trojan-activity; sid:2015938; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015939; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/amor\d{0,2}\.jar/U"; classtype:trojan-activity; sid:2015941; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2015942; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:trojan-activity; sid:2015943; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:trojan-activity; sid:2015944; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:trojan-activity; sid:2015945; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php\?setup=d&s=\d+&r=\d+$/U"; classtype:trojan-activity; sid:2015946; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:trojan-activity; sid:2015949; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; pcre:"/\.jar\?m=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:17;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; content:!"LabTech Agent"; http_user_agent; classtype:trojan-activity; sid:2015952; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015955; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2015960; rev:12;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern:only; content:"&token="; http_uri; classtype:trojan-activity; sid:2015962; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing URL"; flow:established,to_server; content:".php?dentesus=208779"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015964; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful PayPal Account Phish"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; classtype:bad-unknown; sid:2015972; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:trojan-activity; sid:2015974; rev:14;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:7;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:bad-unknown; sid:2015979; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Account Phish"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; classtype:bad-unknown; sid:2015980; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:trojan-activity; sid:2015981; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"/js/java.js"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; classtype:trojan-activity; sid:2015982; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:bad-unknown; sid:2015983; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:bad-unknown; sid:2015988; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:bad-unknown; sid:2015989; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]{2}\.html$/U"; classtype:bad-unknown; sid:2015990; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern:only; content:"|22|bhjwfffiorjwe|22|"; classtype:bad-unknown; sid:2015991; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; fast_pattern:only; nocase; pcre:"/\/i.php?token=[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2015998; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:bad-unknown; sid:2016024; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016026; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016027; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016052; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:trojan-activity; sid:2016053; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:trojan-activity; sid:2016054; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:trojan-activity; sid:2016056; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful PayPal Account Phish"; flow:established,to_server; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"browser_version="; http_client_body; content:"operating_system="; fast_pattern; http_client_body; classtype:bad-unknown; sid:2016063; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016065; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016070; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_user_agent; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016071; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016072; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016073; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:trojan-activity; sid:2016090; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; content:"KAhFXlx9"; http_uri; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/U"; classtype:trojan-activity; sid:2016091; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:2;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:trojan-activity; sid:2016106; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:"Java/1."; http_user_agent; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016107; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016108; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:trojan-activity; sid:2016128; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html "; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:trojan-activity; sid:2016129; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern:only; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:3;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|provide|08|yourtrap|03|com|00|"; fast_pattern; nocase; distance:0; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016135; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; content:"/%E0%AC%B0%E0%B0%8C"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1)"; flow:established,to_server; content:"/%E0%B4%8C%E1%88%92"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"CollectGarbage"; nocase; content:"try"; distance:0; nocase; content:".values"; distance:0; nocase; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016142; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:trojan-activity; sid:2016144; rev:3;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern:only; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; nocase; classtype:attempted-user; sid:2016166; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:bad-unknown; sid:2016169; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2)"; flow:established,to_server; content:"/%E0%B4%8C%E1%82%AB"; http_raw_uri; fast_pattern; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:trojan-activity; sid:2016174; rev:3;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])yaml\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:3;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"symbol"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])symbol\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:bad-unknown; sid:2016191; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:bad-unknown; sid:2016192; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:trojan-activity; sid:2016210; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern:only; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:"Java/1."; http_user_agent; classtype:bad-unknown; sid:2016249; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:"Java/1."; http_user_agent; classtype:bad-unknown; sid:2016250; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:bad-unknown; sid:2016299; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016306; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request"; flow:established,to_server; content:"/jdb/"; http_uri; nocase; content:".class"; http_uri; nocase; pcre:"/\/jdb\/[^\/]+\.class$/Ui"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016308; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit JAR Download"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016309; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; content:"/lib/adobe.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016310; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/ dir (Observed in Recent Pharma Spam)"; flow:established,to_server; content:"/components/com_content/"; http_uri; content:!"index.html"; nocase; within:10; http_uri; content:".html"; nocase; http_uri; distance:0; classtype:bad-unknown; sid:2016311; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern:only; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016319; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic - POST to myform.php"; flow:established,to_server; content:"POST"; http_method; content:"/myform.php"; http_uri; classtype:bad-unknown; sid:2016327; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:trojan-activity; sid:2016333; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; classtype:bad-unknown; sid:2016341; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; pcre:"/^[a-z]+\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern:only; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:trojan-activity; sid:2016348; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern:only; nocase; content:"Java/1."; http_user_agent; pcre:"/\.jar\?java=\d+$/Ui"; classtype:trojan-activity; sid:2016349; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; pcre:"/\/\?whole=\d+$/Ui"; classtype:trojan-activity; sid:2016350; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; content:"/jerk.cgi?"; fast_pattern:only; http_uri; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016352; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016353; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WSO WebShell Activity POST structure 2"; flow:established,to_server; content:"POST"; http_method; content:" name=|22|c|22|"; http_client_body; content:"name=|22|p1|22|"; http_client_body; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:trojan-activity; sid:2016373; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:"Java/"; http_user_agent; classtype:trojan-activity; sid:2016374; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016375; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:trojan-activity; sid:2016377; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016378; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016380; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:trojan-activity; sid:2016412; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload Download (5)"; flow:established,to_server; content:".txt?e="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?e=\d+(&[fh]=\d+)?$/U"; classtype:trojan-activity; sid:2016414; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016426; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:trojan-activity; sid:2016427; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern:10,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016490; rev:12;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern:11,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016491; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern:13,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016492; rev:12;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern:12,20; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2016493; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern:only; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; reference:md5,9a17d72f6234a1dc930ffe6b1681504c; classtype:trojan-activity; sid:2016498; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Payload Download"; flow:established,to_server; content:".exe"; http_uri; nocase; fast_pattern:only; content:"&h="; http_uri; pcre:"/\.exe(?:\?[a-zA-Z0-9]+=[a-zA-Z0-9]+)?&h=\d+$/Ui"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016499; rev:14;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Compromise svchost.jpg Beacon - Java Zeroday"; flow:established,to_server; content:"/svchost.jpg"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016514; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016520; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; content:"/Java-SPLOIT.jar"; http_uri; content:"Java/1."; fast_pattern:only; http_user_agent; classtype:bad-unknown; sid:2016521; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016522; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request"; flow:established,to_server; content:"/module.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016523; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific - 4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:trojan-activity; sid:2016524; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific - 4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:trojan-activity; sid:2016525; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch False Specific - 4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:trojan-activity; sid:2016526; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Download non Jar file"; flow:established,to_server; content:!".jar"; http_uri; nocase; content:!".jnlp"; http_uri; nocase; content:!".hpi"; http_uri; nocase; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,ET.JavaNotJar; flowbits:noalert; classtype:bad-unknown; sid:2016539; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016541; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016542; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016543; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016549; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2016551; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016560; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:trojan-activity; sid:2016562; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SNET EK Downloading Payload"; flow:to_server,established; content:"get"; http_uri; content:"?src="; http_uri; fast_pattern; distance:0;content:"snet"; http_uri; distance:0; pcre:"/\?src=[a-z]+snet$/U"; content:" WinHttp.WinHttpRequest"; http_user_agent; classtype:trojan-activity; sid:2016566; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DynDNS Pro Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:i(?:s(?:-(?:a(?:-(?:(?:(?:h(?:ard-work|unt)e|financialadviso)r|d(?:e(?:mocrat|signer)|octor)|t(?:e(?:acher|chie)|herapist)|r(?:epublican|ockstar)|n(?:ascarfan|urse)|anarchist|musician)\.com|c(?:(?:(?:ubicle-sla|onservati)ve|pa)\.com|a(?:ndidate\.org|terer\.com)|hef\.(?:com|net|org)|elticsfan\.org)|l(?:i(?:ber(?:tarian|al)\.com|nux-user\.org)|(?:a(?:ndscap|wy)er|lama)\.com)|p(?:(?:ersonaltrain|hotograph|lay)er\.com|a(?:inter\.com|tsfan\.org))|b(?:(?:(?:ookkeep|logg)er|ulls-fan)\.com|ruinsfan\.org)|s(?:o(?:cialist\.com|xfan\.org)|tudent\.com)|g(?:eek\.(?:com|net|org)|(?:reen|uru)\.com)|knight\.org)|n-(?:a(?:c(?:t(?:ress|or)|countant)|(?:narch|rt)ist)|en(?:tertain|gine)er)\.com)|(?:into-(?:(?:car(?:toon)?|game)s|anime)|(?:(?:not-)?certifie|with-theban)d|uberleet|gone)\.com|(?:very-(?:(?:goo|ba)d|sweet|evil|nice)|found)\.org|s(?:aved\.org|lick\.com)|l(?:eet\.com|ost\.org)|by\.us)|a-(?:geek\.(?:com|net|org)|hockeynut\.com)|t(?:eingeek|mein)\.de|smarterthanyou\.com)|n-the-band\.net|amallama\.com)|f(?:rom-(?:(?:i[adln]|w[aivy]|o[hkr]|[hr]i|d[ce]|k[sy]|p[ar]|s[cd]|t[nx]|v[at]|fl|ga|ut)\.com|m(?:[adinost]\.com|e\.org)|n(?:[cdehjmv]\.com|y\.net)|a(?:[klr]\.com|z\.net)|c(?:[at]\.com|o\.net)|la\.net)|or(?:-(?:(?:(?:mor|som|th)e|better)\.biz|our\.info)|got\.h(?:er|is)\.name)|uettertdasnetz\.de|tpaccess\.cc)|s(?:e(?:l(?:ls(?:-(?:for-(?:less|u)\.com|it\.net)|yourhome\.org)|fip\.(?:info|biz|com|net|org))|rve(?:bbs\.(?:com|net|org)|ftp\.(?:net|org)|game\.org))|(?:aves-the-whales|pace-to-rent|imple-url)\.com|crapp(?:er-site\.net|ing\.cc)|tuff-4-sale\.(?:org|us)|hacknet\.nu)|d(?:o(?:es(?:ntexist\.(?:com|org)|-it\.net)|ntexist\.(?:com|net|org)|omdns\.(?:com|org))|yn(?:a(?:lias\.(?:com|net|org)|thome\.net)|-o-saur\.com|dns\.ws)|ns(?:alias\.(?:com|net|org)|dojo\.(?:com|net|org))|vrdns\.org)|h(?:o(?:me(?:linux\.(?:com|net|org)|unix\.(?:com|net|org)|(?:\.dyn)?dns\.org|ftp\.(?:net|org)|ip\.net)|bby-site\.(?:com|org))|ere-for-more\.info|am-radio-op\.net)|b(?:log(?:dns\.(?:com|net|org)|site\.org)|(?:uyshouses|roke-it)\.net|arrel?l-of-knowledge\.info|oldlygoingnowhere\.org|etter-than\.tv)|g(?:o(?:tdns\.(?:com|org)|\.dyndns\.org)|ame-(?:server\.cc|host\.org)|et(?:myip\.com|s-it\.net)|roks-th(?:is|e)\.info)|e(?:st-(?:(?:a-la-ma(?:is|si)|le-patr)on|mon-blogueur)\.com|ndof(?:internet\.(?:net|org)|theinternet\.org))|l(?:e(?:btimnetz|itungsen)\.de|ikes(?:candy|-pie)\.com|and-4-sale\.us)|m(?:i(?:sconfused\.org|ne\.nu)|yp(?:hotos\.cc|ets\.ws)|erseine\.nu)|w(?:ebhop\.(?:info|biz|net|org)|ritesthisblog\.com|orse-than\.tv)|t(?:eaches-yoga\.com|raeumtgerade\.de|hruhere\.net)|k(?:icks-ass\.(?:net|org)|nowsitall\.info)|o(?:ffice-on-the\.net|n-the-web\.tv)|(?:neat-url|cechire)\.com|podzone\.(?:net|org)|at-band-camp\.net|readmyblog\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016580; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|(?:mom|z)\.info|www\.biz)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amicdns\.(?:(?:org|co|me)\.uk|biz)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|(?:undefineddynamic-dns|rebatesrule|3-a)\.net|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|p(?:canywhere\.net|roxydns\.com|ort25\.biz)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp)\.com|m(?:inecraft\.net|p3\.com)|b(?:eer\.com|log\.net))|curity(?:exploit|tactic)s\.com)|tufftoread\.com|ytes\.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx)\.net|securitycamera\.(?:com|net|org)|(?:activedirectory|vnc)\.com|ftp\.(?:biz|org))|lbfan\.org|mafan\.biz)|d(?:(?:itchyourip|amnserver|ynns)\.com|dns(?:\.(?:net|me)|king\.com)|ns(?:iskinky\.com|for\.me)|vrcam\.info)|n(?:o(?:-ip\.(?:c(?:o\.uk|a)|info|biz|net|org)|ip\.(?:me|us))|et-freaks\.com|flfan\.org|hlfan\.net)|h(?:o(?:mesecurity(?:ma|p)c\.com|pto\.(?:org|me))|ealth-carereform\.com)|p(?:(?:rivatizehealthinsurance|gafan)\.net|oint(?:2this\.com|to\.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem)\.org|iscofreak\.com)|g(?:o(?:lffan\.us|tdns\.ch)|eekgalaxy\.com)|b(?:logsyte\.com|ounceme\.net|rasilia\.me)|re(?:ad-books\.org|directme\.net)|u(?:nusualperson\.com|fcfan\.org)|w(?:orkisboring\.com|ebhop\.me)|(?:3utiliti|quicksyt)es\.com|eating-organic\.net|ilovecollege\.info|fantasyleague\.cc|loginto\.me|zapto\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016582; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016583; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:7;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opengw|03|net|00|"; nocase; fast_pattern:only; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/^\/search\/[0-9]{64}/U"; classtype:trojan-activity; sid:2016593; rev:8;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:"Java/1."; http_user_agent; content:!"hermesjms.com"; http_header; classtype:trojan-activity; sid:2016598; rev:5;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016614; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016620; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016621; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016626; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016628; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016635; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletHigh.jar"; flow:established,to_server; content:"/AppletHigh.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016639; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:"Java/1."; http_user_agent; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016640; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016663; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P<sep>([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; classtype:trojan-activity; sid:2016705; rev:19;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/svchost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/svchost\.exe$/Ui"; classtype:bad-unknown; sid:2016696; rev:13;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/winlogon.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlogon\.exe$/Ui"; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:13;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:13;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/lsass.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lsass\.exe$/Ui"; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:13;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/explorer.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/explorer\.exe$/Ui"; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:13;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/smss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/smss\.exe$/Ui"; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:12;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/csrss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/csrss\.exe$/Ui"; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:12;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/rundll32.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/rundll32\.exe$/Ui"; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:12;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016704; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/m1[1-6]\.jar$/U"; classtype:trojan-activity; sid:2016708; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016709; rev:8;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|android|06|uyghur|04|dnsd|02|me|00|"; nocase; fast_pattern; distance:0; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; content:"301"; http_stat_code; content:"Moved Permanently"; http_stat_msg; content:"/update/winword.pkg"; http_header; pcre:"/Location\x3A[^\r\n]*\x2Fupdate\x2Fwinword\x2Epkg/H"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016713; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016716; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016717; rev:4;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016718; rev:4;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016719; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern:22,20; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:trojan-activity; sid:2016721; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016733; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016735; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016736; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Citadel Infection or Config URL Request"; flow:established,to_server; content:"/file.php|7C|file="; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit/Sakura/CritX/SafePack/FlashPack applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*\x5c?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:trojan-activity; sid:2016751; rev:10;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016756; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016753; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO PDF Payload Download"; flow:established,to_server; content:"User-Agent|3a 20|http|3a|//"; http_header; fast_pattern:only; pcre:"/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP\/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016764; rev:15;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:3;) + +alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".html"; http_uri; pcre:"/\/[0-9]{4}\.html$/Ui"; classtype:trojan-activity; sid:2016786; rev:5;) + +alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern:only; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:trojan-activity; sid:2016787; rev:3;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mfunc"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/Pi"; classtype:attempted-user; sid:2016788; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mclude"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/Pi"; classtype:attempted-user; sid:2016789; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"dynamic-cached-content"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/Pi"; classtype:attempted-user; sid:2016790; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:6;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; content:"SECID="; http_cookie; pcre:"/\?[0-9a-f]{6}$/U"; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; reference:url,github.com/eset/malware-ioc; classtype:attempted-user; sid:2016794; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:"<jnlp "; nocase; content:"__applet_ssv_validated"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016797; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2016798; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; classtype:trojan-activity; sid:2016799; rev:3;) + +#alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; file_data; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; classtype:trojan-activity; sid:2016801; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016804; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern:only; classtype:trojan-activity; sid:2016805; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; content:!"|22|J0RVREFPTkUn|22|"; content:!"|22|J01PQklMRSc|3D 22|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:6;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2web."; nocase; distance:2; within:10; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:5;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; content:"|55 04 03|"; content:"*.onion."; nocase; distance:2; within:8; pcre:"/^(?:sh|lu|to)/Rsi"; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Possible Redkit 1-4 char JNLP request "; flow:established,to_server; urilen:<11; content:".jnlp"; nocase; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; classtype:trojan-activity; sid:2016811; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - Possible BlackHole request with decryption Base "; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016818; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016828; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:trojan-activity; sid:2016831; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016832; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016833; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/[a-f0-9]+\.zip$/U"; classtype:trojan-activity; sid:2016839; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern:only; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:trojan-activity; sid:2016840; rev:5;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:"Java/1."; http_user_agent; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:12;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi"; content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016853; rev:15;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016860; rev:18;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016859; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016868; rev:14;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; pcre:"/^\/[a-f0-9]{16}$/U"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016923; rev:14;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016924; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern:only; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016926; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern:only; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:trojan-activity; sid:2016928; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern:only; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:trojan-activity; sid:2016929; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016930; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2016931; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain May 28 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|(?:at(?:dv\.net|-dv)|vlen)\.ru(?:pacetechnology\.ne|oon\.i)t|hop\.tm|uka\.se)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|c\.st|f\.gs)|m(?:i(?:ne(?:craftn(?:ation\.net|oob\.com)|\.bz)|l\.nf)|ooo\.(?:info|com)|adhacker\.biz)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net)|a(?:(?:(?:vangardkennel|gropeople)\.r|buser\.e)u|ntongorbunov\.com|llowed\.org|x\.lt)|h(?:a(?:ck(?:quest\.com|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|(?:hoto-frame|irat3)\.com|unked\.us)|i(?:n(?:fo\.(?:gf|tm)|c\.gs)|gnorelist\.com|iiii\.info|z\.rs)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj)|d(?:earabba\.org|-n-s\.name|alnet\.ca|ynet\.com)|(?:w(?:ith-linux|hynotad)|3dxtras|ohbah)\.com|u(?:n(?:do\.it|i\.cx)|k\.(?:is|to)|s\.to)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|r(?:o(?:ot\.sx|\.lt)|-o-o-t\.net)|n(?:eon\.org|ow\.im|a\.tl|x\.tc)|j(?:umpingcrab\.com|avafaq\.nu)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:k(?:ir22\.r|\.v)|69\.m)u|l(?:inux[dx]\.org|eet\.la)|e(?:vils\.in|z\.lv)|(?:24-7\.r|qc\.t)o|(?:55|gw)\.lt|1337\.cx)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016933; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"<div id"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pkg"; http_uri; nocase; pcre:"/\/\d+\.pkg$/Ui"; classtype:trojan-activity; sid:2016943; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:trojan-activity; sid:2016945; rev:8;) + +#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html"; http_uri; content:"GET"; http_method; pcre:"/^\/[0-9a-f]{32}\.html$/U"; content:"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016952; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern:only; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:trojan-activity; sid:2016964; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016965; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016970; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:8;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:"Java/1."; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:9;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2016975; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload Download (9)"; flow:established,to_server; content:".txt?f="; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?f=\d+$/U"; classtype:trojan-activity; sid:2016976; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:trojan-activity; sid:2016984; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Glazunov EK Downloading Jar"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:trojan-activity; sid:2017011; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WeBDAV"; flow:established,to_server; content:"/jvm.dll"; http_uri; fast_pattern:only; pcre:"/\/jvm\.dll$/U"; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern:only; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:2;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern:only; classtype:trojan-activity; sid:2017014; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017016; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017017; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017018; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017019; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:trojan-activity; sid:2017020; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern:only; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017022; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern:only; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017023; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - In Referer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:trojan-activity; sid:2017031; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?//"; http_header; fast_pattern:only; pcre:"/^Referer\x3a\x20[^\r\n]+\/((index|toc)\.html?)?\?\/\//Hmi"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2017038; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern:only; content:"Java/1.7"; http_user_agent; classtype:trojan-activity; sid:2017041; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017042; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017043; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern:only; content:"Java/1.6"; http_user_agent; classtype:trojan-activity; sid:2017044; rev:4;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:trojan-activity; sid:2017055; rev:1;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:trojan-activity; sid:2017056; rev:1;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool/BHEK/Goon Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017064; rev:18;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Pony Loader default URI struct"; flow:to_server,established; content:"GET"; http_method; content:"/pony"; http_uri; fast_pattern:only; content:"/gate.php"; http_uri; nocase; classtype:trojan-activity; sid:2017065; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; content:"/?wps="; http_uri; fast_pattern:only; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017068; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern:only; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017069; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:trojan-activity; sid:2017071; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern:only; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:trojan-activity; sid:2017070; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017073; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet structure June 27 2013"; flow:established,from_server; file_data; content:"<applet"; content:"<param value=|22|1|22| name=|22|WindowSize|22|>"; fast_pattern:15,20; distance:0; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017075; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017076; rev:9;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redirect to DotkaChef EK Landing"; flow:established,from_server; content:".js?cp="; http_header; fast_pattern:only; content:"302"; http_stat_code; pcre:"/^Location\x3a[^\r\n]+\/[A-Fa-f0-9]+\.js\?cp=/Hmi"; classtype:trojan-activity; sid:2017077; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:trojan-activity; sid:2017079; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017092; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017093; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:trojan-activity; sid:2017095; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; content:"/app.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017096; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017097; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:trojan-activity; sid:2017098; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:attempted-user; sid:2017099; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS /Styx EK - /jlnp.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jlnp.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017100; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS /Styx EK - /jovf.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jovf.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017101; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS /Styx EK - /jorg.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jorg.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017102; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format July 04 2013"; flow:established,to_server; content:"GET"; http_method; content:"/s"; depth:2; http_uri; pcre:"/^\/s[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?d[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017104; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern:only; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:trojan-activity; sid:2017106; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe pull"; flow:established,to_server; content:"GET"; http_method; content:"FlashPlayerSetup.x86.exe"; http_uri; content:".swf|0d 0a|"; http_header; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017107; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe checkin UA"; flow:established,to_server; content:"GET"; http_method; content:"risp"; http_user_agent; depth:4; flowbits:set,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017108; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe checkin response 2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var begenilecek_sayfalar"; depth:28; flowbits:isset,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017109; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet structure Jul 05 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; fast_pattern; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017110; rev:7;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS VBulletin Backdoor CMD inbound"; flow:established,to_server; content:"HTTP_ECMDE|3a|"; http_header; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017111; rev:4;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBulletin Backdoor C2 URI Structure"; flow:established,to_server; content:"/ss?t=f&"; http_uri; depth:8; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017112; rev:4;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBulletin Backdoor C2 Domain "; flow:established,to_server; content:"adabeupdate.com|0d 0a|"; http_header; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017113; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<h"; within:6; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{12,16}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017114; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet July 08 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P<dot>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<p>(?!(?P=dot))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<h>(?!((?P=p)|(?P=dot)))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=p).+?value[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P=dot)([^a-f0-9]{2}){1,20}(?P<e>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<x>(?!(?P=e))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=e)(([^a-f0-9]{2}){1,20})?[\x22\x27]/Rs"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017115; rev:8;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet July 08 2013"; flow:established,from_server; file_data; content:" Passage to India "; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017116; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit Plugin-Detect July 08 2013"; flow:established,from_server; file_data; content:"cGRwZD17dmVyc2lvbjoiMC4"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017117; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"getVersion("; content:"<applet"; fast_pattern; distance:0; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]archive[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017118; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:"Java/1."; nocase; http_user_agent; content:".php?"; http_uri; nocase; fast_pattern:only; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:trojan-activity; sid:2017119; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; file_data; content:"WARNING|21| You should update your Flash Player Immediately"; classtype:trojan-activity; sid:2017122; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Player malware binary requested"; flow:established,to_server; content:"&filename=Flash Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017123; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Wordpress Injection"; flow:established,to_client; file_data; content:"15,15,155,152,44,54"; classtype:trojan-activity; sid:2017124; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; content:!"revolvermaps.com"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; classtype:trojan-activity; sid:2017125; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; classtype:trojan-activity; sid:2017126; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; content:!"Cookie|3a|"; content:"/vid.aspx?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/vid\.aspx\?id=[a-zA-Z0-9]+$/Ui"; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern:6,20; classtype:trojan-activity; sid:2017135; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2017138; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern:only; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:trojan-activity; sid:2017139; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:trojan-activity; sid:2017140; rev:10;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017141; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern:only; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:trojan-activity; sid:2017151; rev:12;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern:only; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:trojan-activity; sid:2017150; rev:12;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".jar"; http_uri; fast_pattern:only; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:trojan-activity; sid:2017152; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:trojan-activity; sid:2017153; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"jquery.js"; content:"archive"; fast_pattern; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017166; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS X20 EK Landing July 22 2013"; flow:established,from_server; file_data; content:"&7&.y|22|></param></applet></table></body></html>"; nocase; classtype:trojan-activity; sid:2017167; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"param"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017169; rev:4;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"jnlp_"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017170; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:".jar"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017171; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file_data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/R"; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri";content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:trojan-activity; sid:2017177; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017179; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download 2"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017180; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:!"smartsvn.com"; http_header; file_data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017181; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:trojan-activity; sid:2017182; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017184; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017185; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017186; rev:2;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017187; rev:2;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017188; rev:2;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017189; rev:2;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:3;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017198; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura)"; flow:established,to_server; content:!"/404."; http_uri; depth:5; content:"Java/1."; http_user_agent; pcre:"/^\/\d{2,}\.[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2017199; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:trojan-activity; sid:2017200; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017201; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017202; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017203; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017204; rev:5;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017248; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017249; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017250; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017251; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017252; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017253; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017254; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2"; flow:established,to_server; content:"/img/info.php?info="; http_uri; nocase; classtype:trojan-activity; sid:2017257; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"var "; content:" = |22|"; within:10; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; content:" & 15) << 4)"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017265; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format Sep 30 2013"; flow:established,to_server; content:"GET"; http_method; content:"/k"; depth:2; http_uri; content:"?e"; http_uri; pcre:"/^\/k[a-z]{4,13}\?e[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017266; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Exploit Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017267; rev:7;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/f"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017268; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2017270; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:trojan-activity; sid:2017271; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017272; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017273; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017295; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack Jar Download"; flow:established,from_server; content:"filename=j"; http_header; content:".jar"; distance:23; within:4; http_header; pcre:"/filename=j[a-f0-9]{23}\.jar/H"; classtype:trojan-activity; sid:2017296; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download"; flow:established,from_server; content:"filename=e"; http_header; content:".exe"; distance:23; within:4; http_header; pcre:"/filename=e[a-f0-9]{23}\.exe/H"; classtype:trojan-activity; sid:2017297; rev:6;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern:only; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017299; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version"; flow:established,to_server; content:"POST"; http_method; content:"&v="; http_client_body; depth:3; pcre:"/^&v=(null|(\d+\.)+?\d+)\x3b\d+\x3b\x3b\d{3,5}x\d{3,5}\x3b/P"; classtype:trojan-activity; sid:2017300; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from_server; content:"Unable to find |22|"; content:"|20|Please Click Here to install......"; distance:0; within:85; classtype:trojan-activity; sid:2017301; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader"; flow:established,to_server; content:"/findloader"; http_uri; pcre:"/findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$/U"; classtype:trojan-activity; sid:2017302; rev:2;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017306; rev:5;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017307; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php"; flow:established,to_client; file_data; content:"/wp-login.php|0d 0a|"; nocase; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017310; rev:3;) + +alert tcp any !80 -> any any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command"; flow:established,to_client; content:"PRIVMSG"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:2017318; rev:4;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista)/Ri"; content:!"|20|XP/7"; classtype:bad-unknown; sid:2017321; rev:8;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Win"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*win/Ri"; classtype:bad-unknown; sid:2017322; rev:4;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and -PC"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*-PC/Ri"; classtype:bad-unknown; sid:2017323; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017324; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:trojan-activity; sid:2017328; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx EK - /jvvn.html"; flow:established,to_server; content:"/jvvn.html"; http_uri; classtype:trojan-activity; sid:2017333; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; reference:cve,2011-3402; classtype:trojan-activity; sid:2017340; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; reference:cve,2011-3402; classtype:trojan-activity; sid:2017341; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013"; flow:established,from_server; file_data; content:"<div>"; content:!"<"; within:1000; pcre:"/^([0-9a-z]{8})?(?P<p>[0-9a-z]{2})(?P<d>(?!(?P=p))[0-9a-z]{2})(?P=p)(?P=d)([0-9a-z]{2}){10}(?P<q>[0-9a-z]{2})[0-9a-z]{2}(?P<dot>[0-9a-z]{2})[0-9a-z]{2}(?P=dot)[0-9a-z]{2}(?P=q)/R"; classtype:trojan-activity; sid:2017346; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL"; flow:established,to_server; content:"GET"; http_method; content:"/panel/panel.bin"; http_uri; reference:url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/; classtype:trojan-activity; sid:2017370; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern:only; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017372; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CookieBomb Generic JavaScript Format"; flow:from_server,established; file_data; content:"/*/"; fast_pattern; pcre:"/^[a-f0-9]{6}\*\//R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017373; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb Generic PHP Format"; flow:from_server,established; file_data; content:"echo "; fast_pattern; content:"#/"; distance:0; pcre:"/^[a-f0-9]{6}#/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017374; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb Generic HTML Format"; flow:from_server,established; file_data; content:"<!--/"; fast_pattern; pcre:"/^[a-f0-9]{6}\-\-\>/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017375; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:trojan-activity; sid:2017376; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible APT-12 Related C2"; flow:to_server,established; content:"/url.asp?"; http_uri; content:"-ShowNewsID-"; http_uri; fast_pattern; distance:0; pcre:"/=[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations; classtype:trojan-activity; sid:2017386; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Aug 27 2013"; flow:established,from_server; file_data; content:"base_decode("; nocase; fast_pattern:only; content:"decodeHex("; nocase; content:"<applet"; nocase; classtype:trojan-activity; sid:2017387; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange Payload Download Aug 28 2013"; flow:established,to_server; content:"=java.util.Random@"; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017388; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:"var pp100"; fast_pattern; content:"document.write("; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t/Ri"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017405; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2017406; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:".getVersion"; nocase; content:"|22|PGFwcGxld"; fast_pattern; content:"|22|PGFwcGxld"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017407; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GondadEK Landing Sept 03 2013"; flow:established,from_server; file_data; content:"expires=|22|+expires.toGMTString()"; fast_pattern:3,20; nocase; content:"51yes.com/click.aspx?"; nocase; content:"|22|gb2312|22|"; nocase; content:"delete "; nocase; content:"eval"; nocase; pcre:"/^[^A-Za-z0-9]/R"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit; classtype:trojan-activity; sid:2017408; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Variant PDF Download"; flow:established,from_server; content:".pdf"; http_header; fast_pattern:only; file_data; content:"%PDF-"; within:100; flowbits:isset,et.BHEK.PDF; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017416; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern:only; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017433; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern:only; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017434; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:trojan-activity; sid:2017435; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing Page"; flow:established,from_server; file_data; content:"|22|0x|22 3b|"; content:"="; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017451; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection"; flow:established,to_server; urilen:27<>33; content:".js?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2017453; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Payload Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){5}&[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017454; rev:12;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017456; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated base64 decoder Sep 12 2013"; flow:established,from_server; file_data; content:" & 15) << 4)"; content:" & 3) << (3+3))"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017461; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK Java Jar "; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:trojan-activity; sid:2017467; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern:only; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017468; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; http_uri; fast_pattern; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:trojan-activity; sid:2017469; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017470; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017471; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017472; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:trojan-activity; sid:2017473; rev:6;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:trojan-activity; sid:2017474; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:trojan-activity; sid:2017476; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole initial landing/gate"; flow:established,to_server; content:"/jquery/get.php?ver=jquery.latest.js"; http_uri; classtype:trojan-activity; sid:2017481; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Styx - TDS - Redirect To Landing Page"; flow:established,to_client; file_data; content:"<body onLoad="; content:"Redirect..."; fast_pattern; classtype:trojan-activity; sid:2017482; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:" DropPayload("; fast_pattern:only; classtype:trojan-activity; sid:2017483; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function Suck("; fast_pattern:only; classtype:trojan-activity; sid:2017484; rev:3;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function align_esp("; fast_pattern:only; classtype:trojan-activity; sid:2017485; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"eval(|27|unescape|27|)"; nocase; content:"|27|%u|27|"; classtype:trojan-activity; sid:2017486; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"unescape"; nocase; fast_pattern:only; content:"[|22|replace|22|]("; nocase; content:"/g"; distance:0; pcre:"/^[\r\n\s]*?\,[\r\n\s]*?[\x22\x27][\%\\]u"/Rsi"; classtype:trojan-activity; sid:2017487; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"(|22|ms-help|3a|//|22|)|3b|"; nocase; content:"(|22|ms-help|3a|//|22|)|3b|"; distance:0; content:"(|22|ms-help|3a 22|)|3b|"; nocase; content:"(|22|ms-help|3a 22|)|3b|"; nocase; distance:0; classtype:trojan-activity; sid:2017488; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format Sep 19 2013"; flow:established,to_server; content:"GET"; http_method; content:"/g"; depth:2; http_uri; content:"?t"; http_uri; distance:0; pcre:"/^\/g[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?t[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017491; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017492; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_user_agent; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017493; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin EK - Java Exploit - bona.jar"; flow:established,to_server; content:"/bona.jar"; http_uri; classtype:trojan-activity; sid:2017497; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heap"; nocase; content:"spray"; nocase; within:6; classtype:trojan-activity; sid:2017498; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 1"; flow:established,from_server; file_data; content:"unescape"; content:"|22|%u"; content:!"|22|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017499; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 2"; flow:established,from_server; file_data; content:"unescape"; content:"|27|%u"; nocase; content:!"|27|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017500; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|22 5f|u"; nocase; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017501; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|27 5f|u"; nocase; content:!"|27|"; within:100; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017502; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:trojan-activity; sid:2017503; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - *.com.exe HTTP Attachment"; flow:established,to_client; content:".com.exe"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2017504; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js"; flow:established,to_server; content:"/statistic.js?k="; http_uri; content:"&d="; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017512; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id="; http_uri; content:"&js="; http_uri; content:"&key="; http_uri; content:!"/utils/"; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017513; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS LightsOut EK Payload Download"; flow:to_server,established; content:".php?dwl="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?dwl=[a-z]+$/U"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017529; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK info3i.html"; flow:to_server,established; content:"/info3i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017530; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK info3i.php"; flow:to_server,established; content:"/info3i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017531; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK inden2i.html"; flow:to_server,established; content:"/inden2i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017532; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK sort.html"; flow:to_server,established; content:"/sort.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017533; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK leks.html"; flow:to_server,established; content:"/leks.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017534; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK negc.html"; flow:to_server,established; content:"/negc.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017535; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK negq.html"; flow:to_server,established; content:"/negq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017536; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK leks.jar"; flow:to_server,established; content:"/leks.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017537; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK start.jar"; flow:to_server,established; content:"/start.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017538; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK stoq.jar"; flow:to_server,established; content:"/stoq.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017539; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK erno_rfq.html"; flow:to_server,established; content:"/erno_rfq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017540; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK inden2i.php"; flow:to_server,established; content:"/inden2i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017541; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK gami.html"; flow:to_server,established; content:"/gami.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017542; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible LightsOut EK gami.jar"; flow:to_server,established; content:"/gami.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017543; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS LightsOut EK POST Compromise POST"; flow:to_server,established; content:"POST"; http_method; content:".php?id="; http_uri; nocase; content:"&v1="; http_uri; nocase; content:"&v2="; http_uri; nocase; fast_pattern:only; content:"&q="; http_uri; nocase; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Length|3a 20|0"; http_header; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017544; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern:only; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017545; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|PrototypeB|0d 0a|"; http_header; fast_pattern:12,10; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,538a4cedad8791e27088666a4a6bf9c5; reference:md5,87c21bc9c804cefba6bb4148dbe4c4de; reference:url,www.abuse.ch/?p=5813; classtype:trojan-activity; sid:2017546; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:trojan-activity; sid:2017547; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cushion Redirection"; flow:established,to_server; content:"/index.php?"; http_uri; content:"="; distance:1; within:1; http_uri; content:!"=aHR0"; http_uri; fast_pattern; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017552; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017549; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern:only; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017550; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017551; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:trojan-activity; sid:2017553; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK Payload Download (java only alternate method may overlap with 2017454)"; flow:established,to_server; urilen:>48; content:"Java/1."; http_user_agent; fast_pattern:only; content:".php?"; http_uri; pcre:"/\.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017554; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign"; flow:established,to_server; content:".js?cp="; http_uri; fast_pattern:only; pcre:"/\/[A-F0-9]{8}\.js\?cp=/U"; classtype:trojan-activity; sid:2017555; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/java.sql.Drivers"; fast_pattern:14,20; content:"META-INF/services/java.lang.Object"; reference:cve,2013-1488; reference:url,www.contextis.com/research/blog/java-pwn2own/; reference:url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager; classtype:attempted-user; sid:2017557; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Variant PDF Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?&/U"; flowbits:set,et.BHEK.PDF; flowbits:noalert; classtype:trojan-activity; sid:2017556; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017562; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:attempted-user; sid:2017563; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FiestaEK js-redirect"; flow:established,to_server; content:"/?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+[0-9][a-z0-9]+\/\?\d$/U"; classtype:trojan-activity; sid:2017567; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:".classPK"; content:"$"; distance:-21; within:1; content:".classPK"; distance:0; content:"$"; distance:-21; within:1; pcre:"/\b(?P<xps>[a-zA-Z]{7})\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK/s"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_storeimagearray.rb; classtype:attempted-user; sid:2017568; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; classtype:trojan-activity; sid:2017569; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Payload Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; classtype:trojan-activity; sid:2017571; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017576; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Oct 09 2013"; flow:established,from_server; file_data; content:"|27|urn|3a|schemas-microsoft-com|3a|vml|27|"; content:"=String.fromCharCode|3b|"; fast_pattern:1,20; content:"return parseInt"; content:"return |27 27|"; classtype:trojan-activity; sid:2017577; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017579; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:2017589; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_user_agent; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:3;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; pcre:"/^[\r\n\s]*?[\x22\x27]Java[\x22\x27]/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2017591; rev:2;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Related EK Redirect Oct 14 2013"; flow:established,to_server; content:".php?tnzppl="; fast_pattern; content:"&endovenafsl="; distance:0; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/mi"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:2017592; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format Oct 15 2013"; flow:established,to_server; content:"GET"; http_method; content:"/o"; depth:2; http_uri; content:"?h"; http_uri; pcre:"/^\/o[a-z]{4,13}\?h[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017593; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Exploit Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/b"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017594; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:"/v"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/v[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017595; rev:9;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK XORed pluginDetect 1"; flow:established,to_client; file_data; content:"M%01%06%00%18%02%11"; within:19; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017596; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK XORed pluginDetect 2"; flow:established,to_client; file_data; content:"_%11%11%16%0A%12%06"; within:19; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017597; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern:only; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017601; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013"; flow:established,to_client; file_data; content:"applet"; nocase; fast_pattern; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?\/(?:[\/_]*?[a-f0-9][\/_]*?){64}[\x22\x27]/R"; classtype:trojan-activity; sid:2017602; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013"; flow:established,to_server; urilen:>64; content:"Java/1."; http_user_agent; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){64}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017603; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a| http|3a|//"; http_header; pcre:"/^[^\/\r\n]+/HR"; content:"/?"; http_header; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/HR"; content:" MSIE "; http_user_agent; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017613; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Cutwail Redirect to Magnitude EK"; flow:established,to_server; urilen:15; content:"/messag_id.html"; http_uri; fast_pattern:only; reference:url,www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit/; classtype:trojan-activity; sid:2017621; rev:3;) + +alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 1"; content:"w302r_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017623; rev:3;) + +alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 2"; content:"rlink_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017624; rev:3;) + +alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017625; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017626; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http_uri; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pl|3a|"; http_header; pcre:"/^\/[a-z]+([_-][a-z]+)*\.[a-z]{1,3}$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.pl\x3a\d{2,5}\r$/Hm"; classtype:trojan-activity; sid:2017628; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Oct 23 2013"; flow:to_server,established; content:".php?cashe="; http_uri; fast_pattern:only; content:"Java/1."; http_user_agent; pcre:"/\.php\?cashe=\d+$/U"; classtype:trojan-activity; sid:2017629; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|7c 68 a3 34 36|"; within:5; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017630; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"domestic transit area.<br>"; fast_pattern:6,20; content:"display"; nocase; pcre:"/^[\r\n\s]*?\x3a[\r\n\s]*?none/Ri"; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017634; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"fromCharCode"; content:"+0+0+3-1-1"; fast_pattern; within:100; content:"substr"; content:"(3-1)"; within:100; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017635; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.pdf$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-z0-9A-Z\_\-]{26,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017636; rev:11;) + +alert http any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure"; flow:to_server,established; content:"/APIS/returnJSON.htm"; http_uri; reference:url,packetstorm.foofus.com/1208-exploits/asl26555_pass_disclosure.txt; classtype:attempted-admin; sid:2017638; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Host Domain .bit"; flow:established,to_server; content:".bit|0D 0A|"; fast_pattern:only; http_header; pcre:"/^Host\x3a [^\r\n]+?\.bit\r\n$/Hmi"; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017644; rev:2;) + +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query Domain .bit"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|bit|00|"; fast_pattern; nocase; distance:0; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,20}\.php\?(?:[a-z\_\-]{4,20}=\d+?&){3,}[a-z\_\-]{4,20}=-?\d+$/U"; content:"Java/1."; http_user_agent; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017648; rev:7;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; classtype:trojan-activity; sid:2017649; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/Grandsoft Plugin-Detect"; flow:established,to_client; file_data; content:"go2Page(|27|/|27|+PluginDetect.getVersion(|22|AdobeReader|22|)+|27|.pdf|27|)|3b|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017650; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1 2013"; flow:established,to_server; urilen:18<>37; content:"GET"; http_method; content:"?"; http_uri; offset:6; depth:11; content:"="; http_uri; distance:5; within:8; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017652; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Exploit/Payload Download Nov 1 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=[a-z]{6,11}$/U"; reference:url,pastebin.com/194D8UuK; classtype:trojan-activity; sid:2017653; rev:14;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|asg325we234=1|0d 0a|"; reference:md5,cce9dcad030c4cba605a8ee65572136a; classtype:trojan-activity; sid:2017660; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Redirect to Neutrino EK goi.php Nov 4 2013"; flow:established,to_server; urilen:8; content:"/goi.php"; http_uri; classtype:trojan-activity; sid:2017661; rev:3;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_user_agent; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2;) + +alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5;) + +alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017665; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; pcre:"/\/14\d{8}(?:\.jar)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017666; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013"; flow:established,to_server; content:"/f/"; http_uri; depth:3; pcre:"/^\/f(?:\/[^\x2f]+)?\/14\d{8}(?:\/\d{9,10})?(?:\/\d)+(?:\/x[a-f0-9]+(?:\x3b\d)+?)?$/U"; classtype:trojan-activity; sid:2017667; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Word DOCX with Many ActiveX Objects and Media"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"word/activeX/activeX40.xml"; nocase; content:"word/media/"; nocase; reference:url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2; classtype:trojan-activity; sid:2017670; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2013-3906 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"MyWebClient"; depth:11; http_user_agent; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017671; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/msctcd.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/msctcd\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017672; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/taskmgr.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/taskmgr\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017673; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/wsqmocn.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/wsqmocn\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017674; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/connhost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/connhost\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017675; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/lgfxsrvc.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lgfxsrvc\.exe$/Ui"; classtype:trojan-activity; sid:2017676; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS wimhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/wimhost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/wimhost\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017677; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/winlog.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlog\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017679; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS waulct.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/waulct.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/waulct\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017680; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS alg.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/alg.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/alg\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017681; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS mssrs.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/mssrs.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/mssrs\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017682; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS winhosts.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/winhosts.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winhosts\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017683; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017693; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_user_agent; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017694; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Angler EK Flash Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; pcre:"/^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:trojan-activity; sid:2017695; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FaceBook IM & Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4.php"; http_uri; content:".best.lt.ua|0d 0a|"; http_header; pcre:"/Host\x3a\x20[a-z]{6}\.best.lt\.ua\r$/Hm"; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017696; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:trojan-activity; sid:2017698; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017699; rev:3;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webr00t WebShell Access"; flow:established,to_server; content:"/?webr00t="; http_uri; reference:url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html; classtype:trojan-activity; sid:2017701; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017703; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017706; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>"; content:"soft apple."; fast_pattern; distance:0; content:"</title>"; distance:0; content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; classtype:trojan-activity; sid:2017729; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Styx EK SilverLight Payload"; flow:established,to_server; urilen:19; content:"/1"; depth:2; http_uri; fast_pattern; pcre:"/^\/1[a-z0-9]{13}\.[a-z]{3}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017731; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler EK SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; file_data; content:"makeid"; pcre:"/^[\r\n\s]*?\(/R"; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:trojan-activity; sid:2017735; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1"; flow:established,from_server; file_data; content:"a0dmblxmL5FmcyFmLlxWe0NHazFGZ"; classtype:trojan-activity; sid:2017736; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2"; flow:established,from_server; file_data; content:"gGdn5WZs5SehJnch5SZslHdzh2chR"; classtype:trojan-activity; sid:2017737; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3"; flow:established,from_server; file_data; content:"oR3ZuVGbukXYyJXYuUGb5R3coNXYk"; classtype:trojan-activity; sid:2017738; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus Java Payload"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$/U"; classtype:trojan-activity; sid:2017739; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017740; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_user_agent; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:trojan-activity; sid:2017744; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017750; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017751; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Gmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"/gmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017752; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"/hotmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017753; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017754; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Goon EK Java Payload"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".mp3"; http_uri; pcre:"/\/\d{6}\.mp3$/U"; classtype:trojan-activity; sid:2017755; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Goon EK Jar Download"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"Goon.class"; classtype:trojan-activity; sid:2017756; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 1"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"amF2YS9sYW5nL1J1bnRpbW"; classtype:trojan-activity; sid:2017757; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 2"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"phdmEvbGFuZy9SdW50aW1l"; classtype:trojan-activity; sid:2017758; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 3"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"qYXZhL2xhbmcvUnVudGltZ"; classtype:trojan-activity; sid:2017759; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"etSecurityManager"; classtype:bad-unknown; sid:2017760; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/security/ProtectionDomain"; classtype:bad-unknown; sid:2017761; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/gmbal"; classtype:bad-unknown; sid:2017762; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; classtype:bad-unknown; sid:2017763; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/\d{8,11}(\/\d)?\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017774; rev:9;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access takeCameraPicture"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:".takeCameraPicture"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017777; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:3;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"postToSocial"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017780; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendMail"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017781; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendSMS"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendSMS"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017782; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access registerMicListener"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"registerMicListener"; nocase; reference:url,fireeye.com/blog/threat-research/2014/01/js-binding-over-http-vulnerability-and-javascript-sidedoor.html; classtype:trojan-activity; sid:2017783; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:trojan-activity; sid:2017785; rev:2;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:trojan-activity; sid:2017786; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign"; flow:established,to_server; content:"/golden/index.php"; http_uri; content:" MSIE 7.0"; http_header; content:"q=0.1|0d 0a|"; http_header; classtype:trojan-activity; sid:2017791; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Hostile fake DHL mailing campaign"; flow:established,to_server; content:"but no one bell unresponsive"; content:"The best regard DHL.com."; content:"filename=Notice"; classtype:trojan-activity; sid:2017792; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:trojan-activity; sid:2017794; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:trojan-activity; sid:2017796; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:trojan-activity; sid:2017797; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XOR'd Payload"; flow:from_server,established; file_data; content:"|7c 68 a3 34 36 36 37 38|"; within:8; classtype:trojan-activity; sid:2017809; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Jar Download"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}$/U"; content:"_"; http_uri; content:"/"; http_uri; offset:1; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017811; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/\/load(?:fla(2001[34]|0515)|msie\d{0,2}|20132551|jimage|silver|0322|db|im|rh)\.php/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017813; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack URI Struct .php?id=Hex"; flow:established,to_server; content:".php?id="; http_uri; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=/U"; classtype:trojan-activity; sid:2017814; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect"; flow:established,to_client; file_data; content:"|7C|PluginDetect|7C|"; classtype:trojan-activity; sid:2017815; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"display|3a| none|3b 22|"; nocase; content:">"; within:500; content:!">"; nocase; within:500; content:"f"; within:200; pcre:"/^(?P<sep>.{1,50})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017817; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:trojan-activity; sid:2017819; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:trojan-activity; sid:2017823; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:trojan-activity; sid:2017824; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:trojan-activity; sid:2017826; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:trojan-activity; sid:2017827; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_user_agent; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:trojan-activity; sid:2017840; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:trojan-activity; sid:2017844; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS winhost(32|64).exe in URI"; flow:established,to_server; content:"GET"; http_method; content:"/winhost"; http_uri; nocase; fast_pattern:only; pcre:"/\/winhost(?:32|64)\.(exe|pack)$/Ui"; classtype:trojan-activity; sid:2017842; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS pony.exe in URI"; flow:established,to_server; content:"GET"; http_method; content:"/pony."; http_uri; nocase; fast_pattern:only; pcre:"/\/pony\.(exe|pack)$/Ui"; classtype:trojan-activity; sid:2017843; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FakeUpdate - URI - /styles/javaupdate.css"; flow:established,to_server; content:"/styles/javaupdate.css"; http_uri; classtype:trojan-activity; sid:2017845; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FakeUpdate - URI - Payload Requested"; flow:established,to_server; content:"DDL Java Installer.php?dv1="; http_uri; classtype:trojan-activity; sid:2017846; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow_id"; http_uri; content:"/case_id="; http_uri; fast_pattern:only; pcre:"/\/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$/U"; classtype:trojan-activity; sid:2017847; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK SilverLight"; flow:to_server,established; content:".html?sv="; http_uri; fast_pattern:only; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; classtype:trojan-activity; sid:2017848; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK"; flow:from_server,established; file_data; content:".dashstyle.array.length"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?:-[\r\n\s]*?\d|0[\r\n\s]*?-)/Ri"; classtype:trojan-activity; sid:2017849; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; pcre:"/GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; classtype:trojan-activity; sid:2017850; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HiMan EK Exploit URI Struct"; flow:to_server,established; content:"=687474703a2f2f"; http_uri; content:".php?"; http_uri; pcre:"/\/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f/U"; classtype:trojan-activity; sid:2017851; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK Secondary Landing"; flow:from_server,established; file_data; content:"<body onload=|27|Exploit()|3b 27|>"; fast_pattern:6,20; content:"|3a|stroke"; nocase; classtype:trojan-activity; sid:2017852; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS PHP script in OptimizePress Upload Directory Possible WebShell Access"; flow:to_server,established; content:"/wp-content/uploads/optpress/images_"; http_uri; fast_pattern:16,20; content:".php"; http_uri; pcre:"/\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php/Ui"; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017854; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Grandsoft/SofosFO EK Java Payload URI Struct"; flow:established,to_server; content:"Java/1."; http_header; pcre:"/^\/\d{4,5}\/\d{7}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017861; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern:only; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017862; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/java.php?eid="; http_uri; fast_pattern:only; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017863; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern:only; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017864; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/cp.jar"; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017865; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"/serial.jar"; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017866; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:trojan-activity; sid:2017874; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:trojan-activity; sid:2017893; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:trojan-activity; sid:2017894; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:trojan-activity; sid:2017900; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:trojan-activity; sid:2017901; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017902; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; classtype:trojan-activity; sid:2017904; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing with CVE-2013-2551 Dec 29 2013"; flow:established,from_server; file_data; content:"javafx_version"; fast_pattern:only; content:"fromCharCode"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*?\.charCodeAt[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*[\r\n\s]*?\)[\r\n\s]*?\^[\r\n\s]*?[a-zA-Z_$][^\r\n\s]*\.charCodeAt[\r\n\s]*?\(/Rsi"; content:"decodeURIComponent"; content:"applet"; classtype:trojan-activity; sid:2017907; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK encrypted binary (1)"; flow:established,to_client; file_data; content:"|20 69 c3 34 55 6d 33 53|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017908; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; classtype:trojan-activity; sid:2017953; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; classtype:trojan-activity; sid:2017954; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; classtype:trojan-activity; sid:2017955; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; classtype:trojan-activity; sid:2017956; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:trojan-activity; sid:2017957; rev:2;) + +alert tcp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK SilverLight Exploit Jan 11 2014"; flow:established,from_server; file_data; content:"AppManifest.xaml"; content:"dig.dll"; nocase; fast_pattern:only; pcre:"/\bdig\.dll\b/"; classtype:trojan-activity; sid:2017958; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:trojan-activity; sid:2017963; rev:3;) + +alert http any any -> any any (msg:"ET CURRENT_EVENTS Netgear passwordrecovered.cgi attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/passwordrecovered.cgi?id="; nocase; http_uri; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911; reference:cve,2017-5521; classtype:attempted-admin; sid:2017969; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET CURRENT_EVENTS Possible Neutrino EK IE/Silverlight Payload Download"; flow:established,to_server; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/^\/[a-z]+?\?[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017971; rev:10;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017973; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:trojan-activity; sid:2017975; rev:3;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:trojan-activity; sid:2017977; rev:2;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:2;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:2;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 36 f4 6f 6d 6a 66 67|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017984; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (2) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 3e f2 32 30 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017985; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (3) Jan 17 2013"; flow:established,to_client; file_data; content:"|7d 6b f8 64 76 74 6e 66|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017986; rev:2;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem.com"; nocase; classtype:trojan-activity; sid:2017987; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (4)"; flow:established,to_client; file_data; content:"|21 3b e3 70 65 6e 66 64|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017989; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBS.Dunihi Check-in UA"; flow:to_server,established; content:"POST"; nocase; http_method; content:"User-Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; http_header; fast_pattern; distance:0; content:"|3C 7C 3E|"; http_header; distance:0; pcre:"/^User-Agent\x3a\x20[^\r\n]+?\x3c\x7c\x3e[^\r\n]+?\x3c\x7c\x3e[^\r\n]+?\x3c\x7c\x3e/Hm"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24761/en_US/McAfee%20Labs%20Threat%20Advisory-VBSAutorun%20Worm.pdf; reference:url, www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?ThreatId=-2147283579&mstLocPickShow=False#tab=2; classtype:trojan-activity; sid:2017994; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 1"; flow:established,from_server; file_data; content:"Y21kLmV4ZSA"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017995; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 2"; flow:established,from_server; file_data; content:"NtZC5leGUg"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017996; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 3"; flow:established,from_server; file_data; content:"jbWQuZXhlI"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017997; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013"; flow:established,to_client; file_data; content:"0x3dcde1&&"; nocase; content:"0x4e207d"; nocase; within:50; classtype:attempted-user; sid:2018011; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; pcre:"/^\/[a-f0-9]{8}\.swf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:2;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern:only; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PHISH Apple - Landing Page"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; classtype:trojan-activity; sid:2018042; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PHISH Visa - Landing Page"; flow:established,to_client; file_data; content:"Enter your password Verified by Visa / MasterCard SecureCode"; classtype:trojan-activity; sid:2018043; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Visa - Creds Phished"; flow:established,to_server; content:"/vbv.php"; http_uri; fast_pattern; content:"password="; http_client_body; classtype:trojan-activity; sid:2018044; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Visa - URI - Landing Page"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; content:!"Referer|3a| http|3a 2f 2f|www.crdbbank.com"; http_header; nocase; classtype:trojan-activity; sid:2018045; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect 8x8 script tag"; flow:established,from_server; file_data; content:".php?id="; content:"/"; distance:-17; within:1; pcre:"/^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{6,9}[\x22\x27]/R"; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{6,9}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible malicious zipped-executable"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".xla"; nocase; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018086; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Flash Exploit CVE-2014-0497"; flow:established,from_server; file_data; content:"makePayloadWin"; reference:url,www.securelist.com/en/blog/8177/CVE_2014_0497_a_0_day_vulnerability; classtype:trojan-activity; sid:2018091; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TecSystems (Possible Mask) Signed PE EXE Download"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|55 04 0a|"; content:"|0e|TecSystem Ltd."; distance:1; within:15; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018103; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EXE Accessing Kaspersky System Driver (Possible Mask)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"|5c 5c 2e 5c|KLIF"; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:bad-unknown; sid:2018104; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious Jar name JavaUpdate.jar"; flow:established,to_server; content:"/JavaUpdate.jar"; http_uri; nocase; content:"Java/1."; http_user_agent; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:2018106; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS .PIF File Inside of Zip"; flow:established,from_server; file_data; content:"PK"; within:2; content:".pif"; nocase; fast_pattern; within:500; reference:md5,2e760350a5c692bd94c7c6d1233af72c; classtype:trojan-activity; sid:2018125; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS .CPL File Inside of Zip"; flow:established,from_server; file_data; content:"PK|01 02|"; within:4; content:".cpl"; nocase; fast_pattern; distance:42; within:500; content:"PK|05 06|"; within:52; content:"|01 00 01 00|"; distance:4; within:4; classtype:trojan-activity; sid:2018126; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Goon EK Java JNLP URI Struct Feb 12 2014"; flow:established,to_server; content:"Java/1."; http_user_agent; content:".xml"; http_uri; pcre:"/\/[A-Z]\.xml$/U"; classtype:trojan-activity; sid:2018127; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign 2"; flow:established,to_server; urilen:>60; content:"/handler.php?"; http_uri; fast_pattern:only; pcre:"/\/handler\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018135; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:"<GetDeviceSettingsResponse>"; content:"<GetDeviceSettingsResult>"; content:"<ModelName>"; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"var"; pcre:"/^\s+?(?P<vname>[^\s\x3d]+)\s*?=\s*?(?:0x(?:(6[4-9a-f]|[7-9a-f])|\d{3,})|\d{3,}).+?[\s\x3b]for\s*?\([^\x3b\)]*?\x3b[^\x3b\)]+?<=?\s*?(?P=vname)[^\)]+?\)\s*?(?:\{[^}]*?|[^\r\n]*?)document\s*\.\s*createElement/Rsi"; classtype:bad-unknown; sid:2018145; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic HeapSpray Construct"; flow:established,to_client; file_data; content:"<script"; nocase; content:"CollectGarbage"; distance:0; fast_pattern; content:"while"; pcre:"/^\s*?\([^\)]*?(?P<var>[^\.]+)\s*?\.\s*?length\s*<\s*(?:0?[0-9]{5,}|0x[a-z0-9]{3,})[^)]+\)\s*?\{\s*?(?P=var)\s*?=\s*?(?P=var)\s*?\+\s*?(?P=var)\s*?\}/Rsi"; content:"getElementsByClassName"; distance:0; content:"CollectGarbage"; distance:0; classtype:bad-unknown; sid:2018146; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible GoonEK Landing Feb 19 2014 1"; flow:from_server,established; file_data; content:"javafx_version"; nocase; fast_pattern:only; content:"jnlp_href"; nocase; content:"</applet><object"; nocase; content:"data|3a|application/x-silverlight-2"; nocase; within:100; classtype:trojan-activity; sid:2018161; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect Evernote Spam Campaign Feb 19 2014"; flow:to_server,established; content:"/1.txt"; http_uri; nocase; pcre:"/\/1\.txt$/Ui"; content:"/1.html"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]+?\/1\.html[\x3a\r]/Hi"; classtype:attempted-admin; sid:2018162; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Feb 19 2014 2"; flow:from_server,established; file_data; content:"stroke>"; fast_pattern:only; content:!"#default#VML"; content:"eval"; content:"35"; pcre:"/^(?P<sep>((?!100).){1,20})100(?P=sep)101(?P=sep)102(?P=sep)97(?P=sep)117(?P=sep)108(?P=sep)116(?P=sep)35(?P=sep)86(?P=sep)77(?P=sep)76(?P=sep)/Rsi"; classtype:trojan-activity; sid:2018163; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Page Feb 24 2014"; flow:from_server,established; file_data; content:"AgControl.AgControl"; nocase; fast_pattern:only; content:"parseInt"; nocase; content:"32"; pcre:"/^\W/R"; content:"63"; nocase; within:100; pcre:"/^\W/R"; content:"if"; distance:-200; within:200; nocase; pcre:"/^(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P<vname>[^\s>=]+)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?<(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?32\b.{0,200}(?P=vname)(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?\x3d(?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?63\b.{1,200}\+=.{0,200}\((?:\s*?|\/\*(?:(?!\*\/).)*?\*\/)*?(?P=vname)/Rsi"; classtype:trojan-activity; sid:2018171; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Lang Runtime in Response"; flow:from_server,established; file_data; content:!"|CA FE BA BE|"; within:4; content:"getClass"; nocase; content:"java.lang.Runtime"; nocase; fast_pattern:only; content:"getRuntime"; nocase; content:"exec"; nocase; content:"script"; nocase; classtype:bad-unknown; sid:2018172; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS XXTEA UTF-16 Encoded HTTP Response"; flow:from_server,established; content:"u|00|t|00|f|00|8|00|t|00|o|00|1|00|6|00|"; nocase; content:"x|00|x|00|t|00|e|00|a|00|_|00|d|00|e|00|c|00|r|00|y|00|p|00|t|00|"; nocase; fast_pattern; content:"b|00|a|00|s|00|e|00|6|00|4|00|d|00|e|00|c|00|o|00|d|00|e"; nocase; classtype:bad-unknown; sid:2018175; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS POST Feb 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/tds/"; http_uri; fast_pattern:only; nocase; pcre:"/\/tds\/[a-f0-9]{32}$/U"; content:"ua="; http_client_body; content:"ip="; http_client_body; classtype:trojan-activity; sid:2018177; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS OnClick Anti-BOT TDS Hidden Form Feb 25 2014"; flow:established,from_server; file_data; content:"<form"; nocase; content:"action"; nocase; distance:0; content:"/tds/"; fast_pattern; distance:0; pcre:"/^[a-f0-9]{32}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018178; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscation Technique Used in CVE-2014-0322 Attacks"; flow:established,from_server; file_data; content:"|2f|%u([0-9a-fA-F]{1,4}"; nocase; fast_pattern:only; content:"decode"; nocase; pcre:"/^\s*?\(\s*?key\s*?,\s*?js\s*?/Rsi"; content:"decode"; nocase; pcre:"/^\s*?\(\s*?[^,\s]*?\s*?,\s*?[\x22\x27][a-f0-9]{100}/Rsi"; classtype:trojan-activity; sid:2018179; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV .exe.vbe HTTP Content-Disposition"; flow:established,to_client; content:".exe.vbe"; http_header; nocase; fast_pattern:only; pcre:"/Content-Disposition\x3a[^\r\n]*?\.exe\.vbe/Hi"; reference:url,www.malwaresigs.com/2014/02/07/fakeav-is-still-alive/; classtype:trojan-activity; sid:2018190; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS .exe Downloaded from SVN/HTTP on GoogleCode"; flow:established,to_server; content:".googlecode.com"; nocase; http_header; content:"/svn/"; http_uri; nocase; content:".exe"; distance:0; http_uri; nocase; fast_pattern; pcre:"/^Host\x3a[^\r\n]+\.googlecode\.com[\x3a\r]/Hmi"; classtype:trojan-activity; sid:2018191; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Spam Redirection Feb 28 2014"; flow:established,from_server; file_data; content:"Connecting to server...</div></td></tr></table>"; within:500; classtype:trojan-activity; sid:2018196; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hello/LightsOut EK Secondary Landing"; flow:established,to_server; content:".php?a="; http_uri; fast_pattern:only; content:"&f="; http_uri; content:"&u="; http_uri; pcre:"/\.php\?a=[^&]+&f=[a-f0-9]{32}&u=[^&]+$/I"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; classtype:trojan-activity; sid:2018206; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS LightsOut EK Exploit/Payload Request"; flow:to_server,established; content:".php?a="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?a=(?:dw[a-z0-9]|[hr][2-7])$/U"; reference:url,vrt-blog.snort.org/2014/03/hello-new-exploit-kit.html; classtype:trojan-activity; sid:2018207; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin EK Java fakav.jar"; flow:established,to_server; content:"/fakav.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2018209; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SWF filename used in IE 2014-0322 Watering Hole Attacks"; flow:established,to_server; content:"/Tope.swf"; http_uri; classtype:trojan-activity; sid:2018223; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Fiesta Jar with four-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(PK\x01\x02.{24}\x0a\x00.{16}[a-z]{4}.class){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018225; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta EK SilverLight Exploit March 05 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|08 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{4}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018226; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Flash Landing URI Struct March 05 2014"; flow:established,to_server; content:".php?b="; http_uri; content:"&css="; http_uri; pcre:"/\.php\?b=[A-F0-9]{6}&css=[a-z]+$/"; classtype:trojan-activity; sid:2018227; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)"; flow:established,to_server; urilen:6; content:"/rom-0"; http_uri; nocase; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:attempted-admin; sid:2018232; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:trojan-activity; sid:2018235; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight Secondary Landing"; flow:established,from_server; file_data; content:"/x-silverlight-2"; content:"aHR0cDov"; distance:0; pcre:"/^[A-Za-z0-9\+\/]+(?:(?:LmVvdA=|5lb3Q)=|uZW90)[\x22\x27]/Rsi"; content:".eot"; classtype:trojan-activity; sid:2018236; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot"; flow:established,from_server; content:"Content-Type|3a 20|application/vnd.ms-fontobject|0d 0a|"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; distance:0; fast_pattern; classtype:trojan-activity; sid:2018237; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javadb.php"; flow:established,to_server; content:"/javadb.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018238; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javaim.php"; flow:established,to_server; content:"/javaim.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018239; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Common Filename javarh.php"; flow:established,to_server; content:"/javarh.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018240; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin"; flow:established,to_server; content:"file=SenderClient.conf"; http_uri; nocase; fast_pattern:only; pcre:"/file=SenderClient.conf$/Ui"; content:!"Referer|3a 20|"; flowbits:set,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018245; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin Response"; flow:established,from_server; file_data; content:"count_threads|09 09 09 3d 09|"; depth:18; fast_pattern; content:"|0a|efficiency_limit|09 09 3d 09|"; distance:1; within:22; flowbits:isset,ETGamut; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018246; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gamut Spambot Checkin 2"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/?8080"; http_uri; fast_pattern:only; content:"name=|22|action|22 0d 0a 0d 0a|"; http_client_body; pcre:"/^(?:Get(?:Subscription(?:EmailsBlock|Content)|PTR|IP)|Port25(?:Close|Open))\x0d\x0a/RP"; content:"name=|22|location|22 0d 0a 0d 0a|"; distance:0; http_client_body; pcre:"/^(?:winload(?:32)?|cmms)\x0d\x0a/RP"; content:!"Referer|3a 20|"; reference:url,blog.spiderlabs.com/2014/03/gamut-spambot-analysis-.html; reference:md5,f00f3f47062646f900aa327b1d5ca3a1; classtype:trojan-activity; sid:2018257; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF URI Struct March 12 2014"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/1[34]\d{8}\.pdf$/U"; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018258; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a\x20http\x3a\/\/[^\r\n\/]+\/(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018259; rev:10;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Styx Landing Page Mar 08 2014"; flow:established,from_server; file_data; content:"fromCharCode"; content:"substr"; within:200; content:",2,"; within:20; fast_pattern; content:"-"; distance:2; within:4; pcre:"/^\s*?\d/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018260; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Page Mar 12 2014"; flow:established,from_server; file_data; content:"/[a-zA-Z]/g|3b|"; fast_pattern; content:"/[0-9]/g|3b|"; content:"|22|f"; pcre:"/^\d+r\d+o\d+m\d/R"; content:"|22|p"; pcre:"/^\d+u\d+s\d+h\d/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018261; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK IE Exploit CVE-2013-2551 March 12 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"|22|f"; nocase; pcre:"/^\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?m\d+([\x22\x27]\s*?,\s*[\x22\x27])?C\d+([\x22\x27]\s*?,\s*[\x22\x27])?h\d+([\x22\x27]\s*?,\s*[\x22\x27])?a\d+([\x22\x27]\s*?,\s*[\x22\x27])?r\d+([\x22\x27]\s*?,\s*[\x22\x27])?c\d+([\x22\x27]\s*?,\s*[\x22\x27])?o\d+([\x22\x27]\s*?,\s*[\x22\x27])?d\d+([\x22\x27]\s*?,\s*[\x22\x27])?e\d+[\x22\x27]/Ri"; classtype:trojan-activity; sid:2018262; rev:3;) + +alert http any any -> any any (msg:"ET CURRENT_EVENTS Dell Kace backdoor"; flow:established,to_server; content:"POST"; http_method; content:"/kbot_upload.php"; nocase; http_uri; content:"filename=db.php"; nocase; distance:0; http_uri; content:"machineId="; nocase; pcre:"/(?:\.\.\/)+kboxwww\/tmp\//Ri"; content:"KSudoClient.class.php"; nocase; http_client_body; content:"KSudoClient|3a 3a|RunCommand"; distance:0; http_client_body; reference:url,console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html; classtype:attempted-admin; sid:2018263; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MtGox Leak wallet stealer UA"; flow:established,to_server; content:"MtGoxBackOffice"; depth:15; http_user_agent; reference:url,www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive; reference:md5,c4e99fdcd40bee6eb6ce85167969348d; classtype:trojan-activity; sid:2018279; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EMET.DLL in jjencode"; flow:established,from_server; file_data; content:"|22 5c 5c 5c 5c 5c 5c 5c 5c 5c 5c 22|+"; pcre:"/^(?P<var>.{1,10})\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\$\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\$\_\+(?P=var)\.\$\_\_\+\x22\.\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\_\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\_\_\$\+(?P=var)\.\$\_\_\+\x22/R"; classtype:trojan-activity; sid:2018286; rev:3;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Joomla 3.2.1 SQL injection attempt"; flow:established,to_server; content:"weblinks-categories?"; nocase; fast_pattern; http_uri; content:"id="; nocase; distance:0; http_uri; content:"select password"; nocase; http_uri; distance:0; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018288; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Joomla 3.2.1 SQL injection attempt 2"; flow:established,to_server; content:"weblinks-categories?"; nocase; fast_pattern; http_uri; content:"id="; nocase; distance:0; http_uri; pcre:"/id\=[^\r\n]*?(?:select|delete|union|update|insert)/Ui"; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018289; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK encrypted binary (3) "; flow:established,to_client; file_data; content:"|89 b4 f4 6a 24 1f 46 14|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018297; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Mar 20 2014"; flow:established,from_server; file_data; content:"jnlp_href"; nocase; fast_pattern:only; content:"application/x-silverlight-2"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-zA-z0-9\/\+]{10}/R"; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][^\x22\x27\x3d]{1,20}=[a-f0-9]{20}/R"; classtype:trojan-activity; sid:2018298; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PHISH iTunes - Landing Page - Title over non SSL"; flow:established,to_client; file_data; content:"<TITLE>iTunes Connect</TITLE>"; classtype:trojan-activity; sid:2018303; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH iTunes - Creds Phished"; flow:established,to_server; content:"theAccountName="; http_client_body; content:"theAccountPW="; http_client_body; classtype:trojan-activity; sid:2018304; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH iTunes - PII Phished"; flow:established,to_server; content:"fname="; http_client_body; content:"lname="; http_client_body; content:"hnum="; http_client_body; content:"snam="; http_client_body; classtype:trojan-activity; sid:2018305; rev:3;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 1"; flow:from_client,established; content:"XGxpc3RvdmVycmlkZWNvdW50"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"MQ"; within:2; content:!"MV"; within:2; content:!"MT"; within:2; content:!"MH"; within:2; content:!"MF"; within:2; content:!"ME"; within:2; content:!"OQ"; within:2; content:!"OX"; within:2; content:!"MA"; within:2; content:!"MS"; within:2; content:!"MX"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018314; rev:8;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 2"; flow:from_client,established; content:"xsaXN0b3ZlcnJpZGVjb3Vud"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"DE"; within:2; content:!"DF"; within:2; content:!"Dk"; within:2; content:!"Dl"; within:2; content:!"DA"; within:2; content:!"DB"; within:2; content:!"DV"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018308; rev:7;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 3"; flow:from_client,established; content:"cbGlzdG92ZXJyaWRlY291bn"; isdataat:2,relative; pcre:"/^\s*/Rs"; content:!"Qx"; within:2; content:!"Q5"; within:2; content:!"Qw"; within:2; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018309; rev:5;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 4"; flow:from_client,established; content:"x1LTU1N"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){5}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018310; rev:5;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 5"; flow:from_client,established; content:"XHUtNTU0"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018311; rev:4;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible CVE-2014-1761 Inbound SMTP 6"; flow:from_client,established; content:"cdS01NT"; fast_pattern; pcre:"/^(?:.*?(?:XHUtNTU0|cdS01NT|x1LTU1N)){7}/Rs"; reference:cve,2014-1761; reference:url,blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095-recommendation-to-stay-protected-and-for-detections.aspx; classtype:attempted-user; sid:2018312; rev:4;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site trudeausociety"; flow:established,to_client; content:"|12|trudeausociety.com"; fast_pattern:only; classtype:trojan-activity; sid:2018319; rev:1;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Captcha Malware C2 SSL Certificate"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|Mojolicious"; distance:1; within:17; content:"|55 04 0a|"; distance:0; content:"|0b|Mojolicious"; distance:1; within:17; reference:url,community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/03/25/captcha-protected-malware-downloader; classtype:trojan-activity; sid:2018322; rev:1;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible CritX/SafePack/FlashPack IE Exploit"; flow:established,from_server; file_data; content:"6f"; fast_pattern; nocase; content:"6c"; within:12; nocase; content:"43"; distance:-26; within:24; content:!"|22|"; within:14; content:!"|27|"; within:14; pcre:"/^(?P<sep>[^\x22\x27]{0,10})6f(?P=sep)6c(?P=sep)6c(?P=sep)65(?P=sep)63(?P=sep)74(?P=sep)47(?P=sep)61(?P=sep)72(?P=sep)62(?P=sep)61(?P=sep)67(?P=sep)65(?P=sep)/Rsi"; classtype:trojan-activity; sid:2018330; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Payload Filename Used in Various 2014-0322 Attacks"; flow:established,to_server; content:"/Erido.jpg"; nocase; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018329; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:".text+=String.fromCharCode"; content:"35"; pcre:"/^[^\d]{1,20}100[^\d]{1,20}101[^\d]{1,20}102[^\d]{1,20}97[^\d]{1,20}117[^\d]{1,20}108[^\d]{1,20}116[^\d]{1,20}35[^\d]{1,20}86[^\d]{1,20}77[^\d]{1,20}76/Rsi"; classtype:trojan-activity; sid:2018337; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing Mar 31 2014"; flow:established,to_client; file_data; content:"117"; fast_pattern; content:"108"; within:24; content:"116"; within:24; content:"35"; pcre:"/^[^\d](?:.{0,20}[^\d])?100[^\d](?:.{0,20}[^\d])?101[^\d](?:.{0,20}[^\d])?102[^\d](?:.{0,20}[^\d])?97[^\d](?:.{0,20}[^\d])?117[^\d](?:.{1,20}[^\d])?108[^\d](?:.{0,20}[^\d])?116[^\d](?:.{0,20}[^\d])?35[^\d](?:[^\d].{0,20}[^\d])?86[^\d](?:.{0,20}[^\d])?77[^\d](?:.{0,20}[^\d])?76[^\d]/Rsi"; classtype:trojan-activity; sid:2018342; rev:2;) + +alert http any any -> any 5000 (msg:"ET CURRENT_EVENTS Hikvision DVR attempted Synology Recon Scan"; flow:established,to_server; content:"GET"; http_method; content:"/webman/info.cgi?host="; fast_pattern:only; http_uri; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018343; rev:2;) + +alert http any any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/k.php?h="; http_uri; depth:9; content:"ballsack"; depth:8; http_user_agent; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Angler EK Landing Apr 01 2014"; flow:established,to_client; file_data; content:"|3a|stroke id="; content:"|3a|oval>"; content:"(function"; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"(function"; distance:0; pcre:"/^\s*?\(\s*?\)\s*?{\s*?return\s*?(?:[^\s]+\(\s*?)?[\x22\x27][a-f0-9]{10}/Rs"; content:"/*"; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; content:"/*"; distance:0; pcre:"/^[a-zA-Z0-9]+\*\//R"; classtype:trojan-activity; sid:2018346; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Deep Panda WateringHole Related URI Struct"; flow:established,to_server; content:".php?v=webhp"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018348; rev:3;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site potpourriflowers"; flow:established,to_client; content:"|55 04 03|"; content:"|1a|www.potpourriflowers.co.uk"; distance:1; within:27; nocase; classtype:trojan-activity; sid:2018350; rev:2;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site kionic"; flow:established,to_client; content:"|55 04 03|"; content:"|0a|kionic.com"; distance:1; within:11; nocase; reference:url,blog.malwaremustdie.org/2014/04/upatre-downloading-gmo-is-back-to-ssl.html; classtype:trojan-activity; sid:2018351; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FakeAV binary download (setup)"; content:"GET"; http_method; content:"index.php?key="; http_uri; content:"&key2=download"; http_uri; classtype:trojan-activity; sid:2018352; rev:2;) + +alert http $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; http_user_agent; depth:35; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018353; rev:4;) + +alert http $EXTERNAL_NET any -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute Scan (incoming)"; flow:to_server,established; urilen:1; content:"/"; http_uri; content:"Microsoft-WebDAV-MiniRedir/5.1.2600"; depth:35; http_user_agent; content:"Referer|3a 20|http|3a|//"; pcre:"/^Host\x3a (?P<ipaddr>\b([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\b).*Referer\x3a http\x3a\/\/(?P=ipaddr)\//Hs"; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:attempted-recon; sid:2018354; rev:4;) + +alert http any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; content:"BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831"; http_user_agent; fast_pattern:only; nocase; flowbits:set,ET.Rbrute.incoming; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:3;) + +alert http any 80 -> any any (msg:"ET CURRENT_EVENTS Win32.RBrute http response"; flow:to_client,established; file_data; content:"<html>kenji oke</html>|0d 0a|"; depth:24; flowbits:isset,ET.Rbrute.incoming; reference:md5,055a9be75e469f8817c9311390a449f6; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018356; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS EvilTDS Redirection"; flow:established,to_server; content:"/zyso.cgi?"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018357; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/13"; http_uri; fast_pattern:only; content:".swf"; http_uri; pcre:"/\/13[89]\d{7}.swf$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:trojan-activity; sid:2018360; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF Struct"; flow:established,to_server; content:"/14"; fast_pattern:only; http_uri; pcre:"/\/14\d{8}(?:\.swf)?$/U"; flowbits:set,et.Nuclear.SWF; flowbits:noalert; classtype:trojan-activity; sid:2018361; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"ZWS"; classtype:trojan-activity; sid:2018362; rev:12;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF"; flow:established,from_server; file_data; content:"13 0 obj"; pcre:"/^\s*?<<\s*?\/[A-Z0-9a-z]+\([A-Z0-9a-z]+\)\s*?/Rs"; content:"/XFA[(config)17 0 R] /Fields [14 0 R]|0d 0a|>>"; classtype:trojan-activity; sid:2018363; rev:2;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS OVH Shared Host SSL Certificate (Observed In Use by Some Trojans)"; flow:established,to_client; content:"|55 04 03|"; byte_test:1,>,11,1,relative; byte_test:1,<,14,1,relative; content:"ssl"; distance:2; within:3; pcre:"/^\d{1,2}/R"; content:".ovh.net"; within:8; reference:url,help.ovh.co.uk/SslOnHosting; reference:md5,63079a2471fc18323f355ec28f36303c; reference:md5,20b1c30ef1f5dae656529b277e5b73fb; classtype:bad-unknown; sid:2018364; rev:2;) + +alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:2;) + +alert tcp $HOME_NET !$HTTP_PORTS -> any any (msg:"ET CURRENT_EVENTS Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:3;) + +alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Malformed HeartBeat Request method 2"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018374; rev:2;) + +alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;) + +alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Server Initiated) fb set"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Request.SI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018375; rev:3;) + +alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018377; rev:3;) + +alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.SI; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Response.SI; flowbits:unset,ET.HB.Request.SI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018378; rev:5;) + +alert tcp $HOME_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_dst,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018382; rev:8;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)"; flow:established,from_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018383; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Apr 14 2014"; flow:established,from_server; file_data; content:"Cjw/eG1sIHZlcnNpb249"; content:"^="; content:"eval"; pcre:"/^\W/R"; content:"/*"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; pcre:"/[a-z0-9]+?\*\//Ri"; content:"/*"; distance:0; pcre:"/[a-z0-9]+?\*\//Ri"; classtype:bad-unknown; sid:2018387; rev:5;) + +alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:2;) + +alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET CURRENT_EVENTS Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:3;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS BrowseTor .onion Proxy Service SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|*.browsetor.com"; nocase; distance:1; within:16; classtype:bad-unknown; sid:2018396; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible Goon/Infinity/Magnitude EK SilverLight Exploit"; flow:established,to_server; content:".xap"; nocase; fast_pattern:only; http_uri; pcre:"/\/\d{2,}\.xap$/Ui"; classtype:trojan-activity; sid:2018402; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EL8 EK Landing"; flow:established,from_server; file_data; content:"lady8vhc"; nocase; fast_pattern:only; content:"eval(function("; classtype:trojan-activity; sid:2018405; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta URI Struct"; flow:established,to_server; urilen:>64; content:"|3b|"; http_uri; offset:63; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/^\/[^\x2f]+?\/\??[a-f0-9]{60,66}(?:\x3b\d+){1,4}$/U"; flowbits:set,ET.Fiesta.Exploit.URI; classtype:trojan-activity; sid:2018407; rev:9;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:trojan-activity; sid:2018408; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta SilverLight Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"AppManifest.xaml"; nocase; classtype:trojan-activity; sid:2018409; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:trojan-activity; sid:2018410; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"CWS"; within:3; classtype:trojan-activity; sid:2018411; rev:2;) + +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible W32/Zbot.InfoStealer SSL Cert Parallels.com"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:"|16 03 01|"; distance:0; content:"|52 14 cb 90|"; distance:0; content:"|12|info@parallels.com"; distance:0; reference:md5,19e17898e99af83e5fff9c3bad553bb2; classtype:trojan-activity; sid:2018418; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Crystalize Filter in Uncompressed Flash"; flow:from_server,established; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"Crystallize -filter"; content:"|41 41 41 41|"; distance:0; reference:url,www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks; classtype:trojan-activity; sid:2018428; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; pcre:"/^\s*?\(/Rs"; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Goon/Infinity EK Landing May 05 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"/*"; pcre:"/^\d+?\*\/\s*?(?P<vname>[^\s\(\x3b]{1,20})\s*?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)\s*?(?:\/\*\d+?\*\/\s*?)?\([^\)]+\)\s*?(?:\/\*\d+?\*\/\s*?)?\x3b\s*?(?:\/\*\d+?\*\/)?(?P=vname)/Rs"; classtype:trojan-activity; sid:2018440; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Goon/Infinity URI Struct EK Landing May 05 2014"; flow:established,to_server; content:".php?req="; nocase; http_uri; fast_pattern; content:"&PHPSSESID="; http_uri; pcre:"/\.php\?req=(?:swf(?:IE)?|x(?:ap|ml)|jar|mp3)&/Ui"; classtype:trojan-activity; sid:2018441; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 32-byte by 32-byte PHP EK Gate with HTTP POST"; flow:established,to_server; urilen:72; content:"POST"; http_method; content:".php?q="; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2018442; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 05 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf 3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}\r\n<script>(?:var [a-zA-Z0-9]{1,20}\x3b){1,20}[a-zA-Z0-9]{1,20}\s*?=/R"; classtype:trojan-activity; sid:2018451; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct"; flow:established,to_server; content:"/assets/js/jquery-"; depth:18; http_uri; fast_pattern; content:"min.js?ver="; http_uri; distance:0; pcre:"/^\/assets\/js\/jquery-[0-9]\.[0-9]\.[0-9]\.min\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018454; rev:4;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site iclasshd.net"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|iclasshd.net"; distance:1; within:14; nocase; reference:md5,abe131828ce5beae41ef341238016547; classtype:trojan-activity; sid:2018460; rev:1;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site sabzevarsez.com"; flow:established,to_client; content:"|55 04 03|"; content:"|13|www.sabzevarsez.com"; distance:1; within:21; nocase; reference:md5,36cf205b39bd27b6dc981dd0da8a311a; classtype:trojan-activity; sid:2018461; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack 2013-2551 May 13 2014"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"|3a|stroke"; nocase; content:"|3a|oval"; nocase; content:"66"; pcre:"/^(?P<sep>[^\x22\x27]{0,10})75(?P=sep)6e(?P=sep)63(?P=sep)74(?P=sep)69(?P=sep)6f(?P=sep)6e(?P=sep)20/Rsi"; classtype:trojan-activity; sid:2018469; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash2013.php"; flow:established,to_server; content:"/flash2013.php"; http_uri; nocase; classtype:trojan-activity; sid:2018470; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash2014.php"; flow:established,to_server; content:"/flash2014.php"; http_uri; nocase; classtype:trojan-activity; sid:2018471; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Plugin-Detect May 13 2014"; flow:from_server,established; file_data; content:"javarhino"; fast_pattern; nocase; pcre:"/^[\x22\x27]/R"; content:"javaimage"; pcre:"/^[\x22\x27]/R"; content:"javadb"; pcre:"/^[\x22\x27]/R"; content:"getVersion"; content:"SilverLight"; classtype:trojan-activity; sid:2018472; rev:2;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Compromised site dfsdirect.ca"; flow:established,to_client; content:"|55 04 03|"; content:"|0c|dfsdirect.ca"; distance:1; within:14; nocase; reference:md5,fe56b5a28eac390aa8cfb1402360958b; classtype:trojan-activity; sid:2018480; rev:1;) + +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET CURRENT_EVENTS .gadget Email Attachment - Possible Upatre"; flow:established,to_server; content:"Content-Type|3a| application/zip|3b|"; nocase; content:".gadget|22|"; distance:7; within:30; nocase; pcre:"/name=\x22[a-z0-9\-_\.\s]{0,25}\.gadget\x22/i"; reference:url,pastebin.com/5eNDazpL; classtype:trojan-activity; sid:2018490; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange WxH redirection"; flow:established,to_server; urilen:23<>50; content:"x"; http_uri; depth:4; offset:2; content:".php?"; fast_pattern; http_uri; content:"="; http_uri; within:3; pcre:"/^\/[0-9]{2,3}x[0-9]{2,3}\/[a-z]+\.php\?[a-z]{2}=[0-9a-z]+$/U"; classtype:trojan-activity; sid:2018493; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Malicious Plugin Detect URI struct"; flow:established,to_server; content:"v_ja="; http_uri; nocase; fast_pattern:only; content:"v_f="; http_uri; nocase; content:"v_m="; http_uri; nocase; content:"v_s="; http_uri; nocase; content:"v_a="; http_uri; nocase; content:"v_q="; http_uri; nocase; content:"js="; nocase; http_uri; content:"ref="; http_uri; nocase; pcre:"/[&?]v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=.+&v_(?:[sfamq]|ja)=/Ui"; classtype:trojan-activity; sid:2018920; rev:10;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler EK SilverLight Exploit 2"; flow:established,from_server; file_data; content:"PK"; within:2; content:"fotosaster.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2018498; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern:only; classtype:attempted-user; sid:2018500; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gongda EK Secondary Landing"; flow:established,from_server; file_data; content:"fdsaw[fwegg]"; nocase; pcre:"/^\s*?=\s*?window\.document\.createElement/Rsi"; classtype:trojan-activity; sid:2018501; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gongda EK Landing 1"; flow:established,from_server; file_data; content:"{var bmw=[263,275,275,271,217,206,206,262,256,274,269,260,274,205,258,270,268,217,215,207,210,206,207,207,208,205,260,279,159,260]"; classtype:trojan-activity; sid:2018502; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gongda EK Landing 2"; flow:established,from_server; file_data; content:"function(/*jsckvip*/p,/*jsckvip*/a,/*jsckvip*/c,k,/*jsckvip*/e,/*jsckvip*/d/*jsckvip*/)"; classtype:trojan-activity; sid:2018503; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (5)"; flow:established,to_client; file_data; content:"|3a 0e a6 51 77 79 53 59|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018509; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (6)"; flow:established,to_client; file_data; content:"|2c 3e c2 32 61 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018510; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Injected Redirect June 02 2014"; flow:established,to_client; file_data; content:"s.src"; content:"+Math.random()|3b|document.body.appendChild(s)|3b|"; distance:0; classtype:trojan-activity; sid:2018514; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK URI Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only; pcre:"/\/3\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(?:\.[^\x2f]+|\/\d+\.\d+\.\d+\.\d+\/?)?$/U"; classtype:trojan-activity; sid:2018534; rev:3;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014"; flow:established,from_server; content:"lrtCfdP.FDP,FDP.FDPorcA"; fast_pattern:only; content:"reverse"; classtype:trojan-activity; sid:2018535; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK Landing EK Struct"; flow:established,to_server; content:"/3/"; http_uri; fast_pattern:only; content:"/http|3a|/"; http_uri; pcre:"/\/3\/[a-f0-9]{32}\/http\x3a\x2f/U"; classtype:trojan-activity; sid:2018536; rev:2;) + +alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET CURRENT_EVENTS tor2www .onion Proxy SSL cert"; flow:established,from_server; content:"|55 04 03|"; content:"*.tor2www."; nocase; distance:2; within:10; classtype:trojan-activity; sid:2018538; rev:2;) + +alert tcp $EXTERNAL_NET [443,$HTTP_PORTS] -> $HOME_NET any (msg:"ET CURRENT_EVENTS TorExplorer Certificate - Potentially Linked To W32/Cryptowall.Ransomware"; flow:established,to_client; content:"|55 04 03|"; content:"torexplorer.com"; distance:0; reference:url,www.malware-traffic-analysis.net/2014/05/28/index.html; classtype:trojan-activity; sid:2018539; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FlashPack Flash Exploit flash0515.php"; flow:established,to_server; content:"/flash0515.php"; fast_pattern:only; http_uri; nocase; classtype:trojan-activity; sid:2018540; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PlugX/Destory HTTP traffic"; flow:established,to_server; content:"POST "; depth:5; content:"X-Sn|3a 20|"; http_header; fast_pattern; content:"X-Session|3a 20|"; http_header; content:"X-Status|3a 20|"; http_header; content:"X-Size|3a 20|"; http_header; reference:url,circl.lu/pub/tr-24/; classtype:trojan-activity; sid:2018541; rev:2;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert"; flow:established,to_client; content:"|55 04 03|"; content:"|1e|static-182-18-143-140.ctrls.in"; distance:1; within:31; reference:md5,b4d63a1178027f64c4c868181437284d; classtype:trojan-activity; sid:2018542; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neverquest/Wawtrak Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/viewforum.php?f="; http_uri; fast_pattern:only; pcre:"/\/viewforum\.php\?f=\d+&sid=[A-F0-9]{32}$/U"; content:!"Referer|3a|"; http_header; content:"Content-Type|3a 20|application/octet-stream"; http_header; reference:md5,0400671fd3804fbf3fd1d6cf707bced4; reference:md5,1dfaeb7b985d2ba039cd158f63b8ae54; classtype:trojan-activity; sid:2018543; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK Landing June 05 2014 2"; flow:established,from_server; file_data; content:"hsalFevawkcohS.hsalFevawkcohS"; content:"reverse"; classtype:trojan-activity; sid:2018544; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle EK Jar Download Method 2"; flow:established,from_server; content:"Content-Type|3a 20|application/octed-stream"; http_header; fast_pattern:18,20; flowbits:isset,ET.http.javaclient; classtype:trojan-activity; sid:2018545; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from Google Common Data Storage with no Referer"; flow:established,to_server; content:".exe"; fast_pattern:only; http_uri; content:"Host|3a| commondatastorage.googleapis.com|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,9fcbc6def809520e77dd7af984f82fd5; reference:md5,71e752dd4c4df15a910c17eadb8b15ba; classtype:trojan-activity; sid:2018556; rev:2;) + +alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS Pre 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 01 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018559; rev:2;) + +alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:2;) + +alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS DTLS 1.2 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe fd 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018561; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BleedingLife Exploit Kit Landing Page Requested"; flow:established,to_server; content:"/load_module.php?user="; http_uri; depth:22; pcre:"/^\x2Fload\x5Fmodule\x2Ephp\x3Fuser\x3D(n1|11?|2)$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; classtype:trojan-activity; sid:2018562; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BleedingLife Exploit Kit SWF Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".swf"; http_uri; distance:1; within:5; pcre:"/^\x2Fmodules\x2F(?:n[u3]|1|2)\x2Eswf$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2013-0634; reference:cve,2014-0515; classtype:trojan-activity; sid:2018563; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BleedingLife Exploit Kit JAR Exploit Request"; flow:established,to_server; content:"/modules/"; http_uri; depth:9; content:".jar"; http_uri; distance:1; within:4; pcre:"/^\x2Fmodules\x2F(1|2)\x2Ejar$/U"; reference:url,vrt-blog.snort.org/2014/06/the-never-ending-exploit-kit-shift.html; reference:cve,2011-3544; reference:cve,2012-1723; reference:cve,2013-2465; classtype:trojan-activity; sid:2018564; rev:2;) + +alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 02 00 02 01 01|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018568; rev:1;) + +alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding)"; byte_jump:1,6; content:"|a3|"; within:1; content:"|30 0d 06 08 2b 06 01 02 01 04 01 00 02 01 02|"; distance:9; threshold: type limit, track by_src, count 1, seconds 120; classtype:attempted-dos; sid:2018569; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing"; flow:established,to_client; file_data; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Java[\x22\x27]/Rsi"; content:"621"; distance:0; pcre:"/^\W.{0,50}<\s*?=\s*?645\W[^{]*?{[^\}]*?\(\s*?document\s*?\)\s*?\[\s*?[\x22\x27]body[\x22\x27]\s*?\]\[\s*?[\x22\x27]appendChild[\x22\x27]\s*?\]/Rsi"; content:"700"; pcre:"/^\W.{0,50}<\s*?725\W/Rsi"; content:".getVersion"; pcre:"/^\s*?\(\s*?[\x22\x27]Flash[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018573; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing 2"; flow:established,to_client; file_data; content:"/[a-z]/gi"; fast_pattern; content:"substring"; pcre:"/^(?:[\x22\x27]\s*?\])?\s*?\(\s*?(?P<num>\d+)\s*?\*\s*?(?P<cnt>\w+)\s*?,\s*?(?P=num)\s*?\*\s*?(?P=cnt)\s*?\+\s*?(?P=num)\s*?\)\s*?,\s*?\d+\s*?\)/Rsi"; content:"="; pcre:"/^\s*?[\x22\x27][A-Za-z0-9\s]{500}/Rsi"; classtype:trojan-activity; sid:2018577; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange EK Common Java Exploit"; flow:to_server,established; content:"/testi.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2018583; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Trojan-Banker.JS.Banker fraudulent redirect boleto payment code"; flow:to_server,established; content:"/boleto"; http_uri; fast_pattern:only; content:".php?"; http_uri; pcre:"/^Host\x3a\x20[^\r\n]+(\r\n)?\r\n$/Hi"; reference:url,brazil.kaspersky.com/sobre-a-kaspersky/centro-de-imprensa/blog-da-kaspersky/extensoes-maliciosas-boleto; reference:md5,de38bc962f92eb99d63eebecb3930906; classtype:trojan-activity; sid:2018591; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Multiple EKs CVE-2013-3918"; flow:established,from_server; file_data; content:"C|3a 5c|rock.png"; nocase; fast_pattern:only; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:trojan-activity; sid:2018592; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK CVE-2013-3918"; flow:established,to_server; content:"/m20133918.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018593; rev:2;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert webhostingpad.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|10 00 89 36 39 2c a7 4f ef 26 13 4f 11 2e d4 22 64|"; fast_pattern:only; content:"|55 04 03|"; content:"|13|*.webhostingpad.com"; distance:1; within:20; reference:md5,be7a7252865b3407498170f142efe471; classtype:trojan-activity; sid:2018594; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing May 23 2014"; flow:from_server,established; content:"|0d 0a|Vary|3a 20|Accept-Encoding,User-Agent"; http_header; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|ef bb bf|<html>|0d 0a|<body bgcolor|3d 22|#"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}<script>var/R"; classtype:trojan-activity; sid:2018595; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 25 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; fast_pattern:only; content:"<body>"; pcre:"/^[\r\n\s]*?<script>[\r\n\s]*?[A-Za-z]+[\r\n\s]*?=[\r\n\s]*?[\x22\x27][A-Za-z]{9}\x20[A-Za-z\x20]{300}/R"; classtype:trojan-activity; sid:2018606; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil EK Redirector Cookie June 27 2014"; flow:established,from_server; content:"lvqwg="; depth:6; http_cookie; nocase; classtype:trojan-activity; sid:2018613; rev:3;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert 999servers.com"; flow:established,to_client; content:"|55 04 03|"; content:"|10|*.999servers.com"; distance:1; within:17; reference:md5,b9ffad739bb47a0e4619b76af51d9a74; classtype:trojan-activity; sid:2018647; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing Jul 11 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"/[a-z]/gi"; content:"|5c|x66|5c|x72|5c|x6F|5c|x6D|5c|x43|5c|x68|5c|x61|5c|x72|5c|x43|5c|x6F|5c|x64|5c|x65"; fast_pattern; classtype:trojan-activity; sid:2018668; rev:5;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert acesecureshop.com"; flow:established,to_client; content:"|55 04 03|"; content:"|11|acesecureshop.com"; distance:1; within:18; reference:md5,c2e85512ceaacbf8306321f9cc2b1eaf; classtype:trojan-activity; sid:2018671; rev:1;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert new-install.privatedns.com"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; distance:0; content:"|1a|new-install.privatedns.com"; distance:1; within:27; fast_pattern; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|1e|ssl@new-install.privatedns.com"; distance:1; within:31; reference:md5,280a3a944878d57bc44ead271a0cc457; classtype:trojan-activity; sid:2018672; rev:1;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert July 14 2014"; flow:established,to_client; content:"|55 04 03|"; content:"|0f|groberts.com.au"; distance:1; within:16; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:"|13|info@dctreasure.com"; distance:1; within:20; reference:md5,9f48eb74687492978259edb8f79ac397; classtype:trojan-activity; sid:2018673; rev:1;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert faithmentoringandmore.com"; flow:established,to_client; content:"|55 04 03|"; content:"|1d|www.faithmentoringandmore.com"; distance:1; within:31; reference:md5,b5df3ba04c987692929f35d9c64e0c0d; classtype:trojan-activity; sid:2018674; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malvertising Redirect URI Struct Jul 16 2014"; flow:established,to_server; content:"/js/metrika/watch.js?ver="; depth:25; http_uri; fast_pattern; pcre:"/^\/js\/metrika\/watch\.js\?ver=[0-9]+\.[0-9]+\.[0-9]+$/U"; classtype:trojan-activity; sid:2018686; rev:5;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert karinejoncas.com"; flow:established,from_server; content:"|55 04 03|"; content:"|14|www.karinejoncas.com"; distance:1; within:21; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018690; rev:1;) + +#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert deslematin.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|deslematin.ca"; distance:1; within:14; reference:md5,87bbf4bc45ef30507b1d239edc727067; classtype:trojan-activity; sid:2018691; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake CDN Sweet Orange Gate July 17 2014"; flow:established,to_server; content:"GET"; http_method; urilen:>10; content:"?"; http_uri; offset:2; depth:1; content:"Host|3a 20|cdn"; http_header; fast_pattern:only; pcre:"/^\/[a-z]\?[a-z]=[0-9]{5,}$/U"; classtype:trojan-activity; sid:2018737; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta EK randomized javascript Gate Jul 18 2014"; flow:established,to_server; content:"GET"; http_method; urilen:23<>85; content:".js?"; http_uri; fast_pattern; content:"="; distance:7; within:26; http_uri; content:!"&"; http_uri; pcre:"/^Host\x3a\x20[^\.\r\n]+?\.[a-z]{2,4}\r\n/Hmi"; pcre:"/^\/[A-Za-z0-9]{6,16}\.js\?[a-zA-Z0-9]{7,32}=(?![0-9]+$)[a-f0-9]{5,30}$/U"; classtype:trojan-activity; sid:2018741; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection 21 July 2014"; flow:to_client,established; file_data; content:"jquery_datepicker=|27|"; pcre:"/[^0-9a-f]{1,3}68[^0-9a-f]{1,3}74[^0-9a-f]{1,3}74[^0-9a-f]{1,3}70[0-9a-f]{1,3}3a/Ri"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2018751; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XMLDOM Check for Presence Kaspersky AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|kl1.sys"; nocase; pcre:"/^[\x22\x27]/Rs"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:trojan-activity; sid:2018756; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XMLDOM Check for Presence TrendMicro AV Observed in RIG EK"; flow:from_server,established; file_data; content:"loadXML"; nocase; content:"parseError"; content:"-2147023083"; fast_pattern:only; content:"|5c|tm"; nocase; pcre:"/^(?:e(?:vtmgr|ext)|actmon|nciesc|EBC32|comm|tdi)\.sys[\x22\x27]/Rsi"; reference:url,research.zscaler.com/2014/07/de-obfuscating-dom-based-javascript.html; classtype:trojan-activity; sid:2018757; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert twitterbacklinks.com"; flow:established,from_server; content:"|55 04 03|"; content:"|18|www.twitterbacklinks.com"; distance:1; within:25; reference:md5,4cb5a748416b9f03d875245437344177; classtype:trojan-activity; sid:2018758; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert thelabelnashville.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|thelabelnashville.com"; distance:1; within:22; reference:md5,f75b9bffe33999339d189b1a3d8d8b4e; classtype:trojan-activity; sid:2018776; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert cactussports.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cactussports.com"; distance:1; within:17; reference:md5,fe557165290ae68b768591eb746fa1c5; classtype:trojan-activity; sid:2018777; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert yellowdevilgear.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.yellowdevilgear.com"; distance:1; within:24; reference:md5,2def687d8159d7859e86855b6c4a20c8; classtype:trojan-activity; sid:2018778; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert michaelswinecellar.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1a|www.michaelswinecellar.com"; distance:1; within:27; reference:md5,c9869431ad760912a553a63266173442; classtype:trojan-activity; sid:2018779; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert migsparkle.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|migsparkle.com"; distance:1; within:15; reference:md5,bc74dd7e0350ad7ad8f75ca0de6fb9dc; classtype:trojan-activity; sid:2018780; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil XMLDOM Detection of Local File"; flow:from_server,established; file_data; content:"-2147023083"; nocase; fast_pattern:only; content:"res|3a 2f|"; nocase; content:"<!DOCTYPE html PUBLIC"; nocase; reference:url,alienvault.com/open-threat-exchange/blog/attackers-abusing-internet-explorer-to-enumerate-software-and-detect-securi/; classtype:trojan-activity; sid:2018783; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible ShellCode Passed as Argument to FlashVars"; flow:from_server,established; file_data; content:",0x"; fast_pattern; content:",0x"; distance:8; within:3; content:",0x"; distance:8; within:3; content:"FlashVars"; nocase; content:"<param"; nocase; pcre:"/^(?=(?:(?!<\/>).)+?FlashVars)(?:(?!<\/>).)+?value\s*?=\s*?[\x22\x27][^=\x22\x27]+=(?:0x[a-f0-9]{8},){15}/Rsi"; classtype:trojan-activity; sid:2018785; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange EK CDN Landing Page"; flow:established,to_server; content:"GET"; http_method; content:"stargalaxy.php?nebula="; http_uri; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:trojan-activity; sid:2018786; rev:3;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert server.abaphome.net"; flow:established,from_server; content:"|55 04 03|"; content:"|13|server.abaphome.net"; distance:1; within:20; reference:md5,cfe7cade32e463f0ef7efd134c56b5c8; classtype:trojan-activity; sid:2018790; rev:3;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert 1stopmall.us"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.1stopmall.us"; distance:1; within:17; reference:md5,b833914b8171bc8f400b41449c3ef06b; classtype:trojan-activity; sid:2018791; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Secondary Landing June 28 2014"; flow:established,to_client; file_data; content:"t=|22|1|3b|url=about|3a|Tabs|22|"; content:"hex2bin"; fast_pattern:only; content:"eval"; pcre:"/^(?:[\x22\x27]\s*?\])?\(\s*?(?:\[[\x22\x27])?rc4(?:[\x22\x27]\s*?\])?\(\s*?[\x22\x27][^\x22\x27]+?[\x22\x27]\s*?,\s*?(?:\[[\x22\x27])?hex2bin(?:[\x22\x27]\s*?\])?\(/Rsi"; classtype:trojan-activity; sid:2018794; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect IE Exploit"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|"; content:"|7c|2551"; pcre:"/^[\x22\x27]/R"; distance:0; content:"|7c|3918"; pcre:"/^[\x22\x27]/R"; content:"|7c|0322"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018795; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Java Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Java"; distance:0; content:"3544"; pcre:"/^[\x22\x27]/R"; distance:0; content:"2471"; pcre:"/^[\x22\x27]/R"; content:"2460"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018796; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack EK Plugin Detect Flash Exploit"; flow:established,to_client; file_data; content:"getVersion"; nocase; content:"Flash"; distance:0; content:"0515"; pcre:"/^[\x22\x27]/R"; distance:0; content:"0634"; pcre:"/^[\x22\x27]/R"; content:"0497"; pcre:"/^[\x22\x27]/R"; classtype:trojan-activity; sid:2018797; rev:5;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert disenart.info"; flow:established,from_server; content:"|55 04 03|"; content:"|0c 0d|disenart.info"; distance:0; within:15; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018801; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert host-galaxy.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|host-galaxy.com"; distance:1; within:16; reference:md5,83c2eb9a2a5315e7fc15d85387886a19; classtype:trojan-activity; sid:2018802; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert fxbingpanel.fareexchange.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|1e|fxbingpanel.fareexchange.co.uk"; distance:1; within:31; reference:md5,3c4e0c0e4dbe2bf0e4d3ca825b95209c; classtype:trojan-activity; sid:2018803; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert 66h.66hosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|11|66h.66hosting.net"; distance:1; within:18; reference:md5,f9c0bc6e8c08acbe520df0ab6efcd962; classtype:trojan-activity; sid:2018804; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert businesswebstudios.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|businesswebstudios.com"; distance:1; within:23; reference:md5,b8ca6c78deeb448421073a65f708c34e; classtype:trojan-activity; sid:2018805; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.udderperfection.com"; distance:1; within:24; reference:md5,c8020934a53e888059e734b934043794; classtype:trojan-activity; sid:2018806; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.senorwooly.com"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.senorwooly.com"; distance:1; within:19; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018849; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ns2.sicher.in"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|ns2.sicher.in"; distance:1; within:14; reference:md5,c860eee9ca6a7c570b3b4cd7b8e2cd17; classtype:trojan-activity; sid:2018850; rev:2;) + +alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Phishing E-ZPass Email Toll Notification July 30 2014"; flow:to_server,established; content:"|0d 0a|Subject|3a|"; nocase; content:"toll road"; distance:2; within:75; nocase; content:"|0d 0a|From|3a|"; nocase; content:"E-ZPass"; distance:2; within:10; nocase; fast_pattern; reference:url,isc.sans.edu/forums/diary/E-ZPass+phishing+scam/18389; classtype:trojan-activity; sid:2018853; rev:3;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert chinasemservice.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|chinasemservice.com"; distance:1; within:20; reference:md5,c2ecc111018491cee3853e2c93472bb9; classtype:trojan-activity; sid:2018868; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ns7-777.777servers.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|ns7-777.777servers.com"; distance:1; within:23; reference:md5,b5b97b4da688aaa6ddbdb6a6e567ffba; classtype:trojan-activity; sid:2018870; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert adodis.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|adodis.com"; distance:1; within:11; reference:md5,cca48e10973344ccc4e995be8e151176; classtype:trojan-activity; sid:2018871; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert power2.mschosting.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|power2.mschosting.com"; distance:1; within:22; reference:md5,fb89ab865465d9bf38e24af73cdcd656; classtype:trojan-activity; sid:2018881; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|15 2a 2e|tradeledstore.co.uk"; distance:1; within:22; reference:md5,5b447247c8778b91650e0a9c2e36b1e6; classtype:trojan-activity; sid:2018898; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malvertising Redirection to Exploit Kit Aug 07 2014"; flow:established,to_server; content:".js?ver="; http_uri; fast_pattern:only; pcre:"/\.js\?ver=[0-9]\.[0-9]{2}\.[0-9]{4}$/U"; classtype:trojan-activity; sid:2018909; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit exe.exe Payload"; flow:established,to_client; content:"Content-disposition|3A| attachment|3B| filename=exe.exe"; http_header; fast_pattern:32,17; reference:url,www.malware-traffic-analysis.net/2014/08/06/index.html; classtype:trojan-activity; sid:2018914; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Applet"; flow:established,from_server; file_data; content:"/x-java-applet"; fast_pattern:only; content:"spl"; nocase; pcre:"/^[\x22\x27]/R"; content:"<object"; nocase; pcre:"/^(?=(?:(?!<\/object>).)+?codebase\s*?=\s*?[\x22\x27]spl[\x22\x27])(?=(?:(?!<\/object>).)+?\/x-java-applet)/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018922; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"fawa/"; nocase; pcre:"/^[\w.]*?\.class/Rsi"; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018923; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"a/hidden.class"; nocase; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018924; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Turla/SPL EK Java Exploit Requested - /spl/"; flow:established,to_server; content:"/spl/"; http_uri; fast_pattern:only; content:".jar"; http_uri; content:"Java/"; http_header; reference:url,securelist.com/analysis/publications/65545/the-epic-turla-operation/; classtype:trojan-activity; sid:2018925; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Archie.EK PluginDetect URI Struct"; flow:to_server,established; content:"/log.html?"; http_uri; content:"java="; http_uri; content:"gie="; http_uri; content:"header="; http_uri; classtype:trojan-activity; sid:2018930; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Archie.EK CVE-2013-2551 URI Struct"; flow:to_server,established; content:"/ie8910.html"; http_uri; classtype:trojan-activity; sid:2018931; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Archie.EK Landing"; flow:established,to_client; file_data; content:"|2f|Trident|5c 2f|(|5c|d)|2f|i"; content:"Exploit.class"; nocase; fast_pattern:only; reference:cve,2014-2820; classtype:trojan-activity; sid:2018933; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Angler EK Landing Aug 16 2014"; flow:established,to_client; file_data; content:"0|22 29 3b 0a 0d 0a|</script>"; pcre:"/^\s*?<script>\s*?(?P<func>[A-Za-z0-9]+)\s*?\(\s*?[\x22\x27](?P<var>[^1\x22\x27]+)1[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)2[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>\s*?(?P=func)\s*?\(\s*?[\x22\x27](?P=var)3[\x22\x27]\s*?\)\x3b\s*?<\/script>\s*?<script>/Rsi"; classtype:trojan-activity; sid:2018950; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Encoded Shellcode IE"; flow:established,from_server; file_data; content:"|f1 f4 c2 a2 8b 34 6e 68|"; within:8; classtype:trojan-activity; sid:2018954; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Encoded Shellcode Silverlight"; flow:established,from_server; file_data; content:"|f1 fc f4 ff 87 6a 66 67|"; within:8; classtype:trojan-activity; sid:2018955; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Encoded Shellcode Flash"; flow:established,from_server; file_data; content:"|e7 c4 a6 c1 9d 79 53 59|"; within:8; classtype:trojan-activity; sid:2018956; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Encoded Shellcode Java"; flow:established,from_server; file_data; content:"|d6 e2 ff c3 a1 75 39 68|"; within:8; classtype:trojan-activity; sid:2018957; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ZeroLocker EXE Download"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|5c 50 72 6f 6a 65 63 74 73 5c 5a 65 72 6f 4c 6f 63 6b 65 72 5c|"; reference:url,securelist.com/blog/incidents/66135/zerolocker-wont-come-to-your-rescue/; reference:url,webroot.com/blog/2014/08/14/zero-locker/; reference:url,symantec.com/security_response/writeup.jsp?docid=2014-081521-4509-9; classtype:trojan-activity; sid:2018963; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M3"; flow:established,from_server; file_data; content:"<script>function z("; content:"createElement|28 22|iframe|22 29|"; distance:0; content:".style.left = |22|-"; content:".style.top = |22|-"; content:"|3b|}z()|3b|</script></body></html>"; distance:0; fast_pattern; classtype:trojan-activity; sid:2018965; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M1"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie"; pcre:"/^\s*?=\s*?[\x22\x27](?P<var>[^\s\x3b]+)\s*?=\s*?readed\x3b.*?document.cookie.indexOf\s*?\(\s*?[\x22\x27](?P=var)[\x22\x27]/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:trojan-activity; sid:2018966; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M2"; flow:established,from_server; file_data; content:"readed|3b| max-age"; fast_pattern:only; content:"document.cookie.indexOf"; pcre:"/^\s*?\(\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27].+?document\.cookie\s*?=\s*?[\x22\x27][^\x22\x27]*?(?P=var)\s*?=\s*?readed\x3b/Rsi"; content:".top"; pcre:"/^\s*?=\s*?[\x22\x27]\-/Rsi"; classtype:trojan-activity; sid:2018967; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D1"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 89 aa ac b6 40 58 a5 8c|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,70bb2e450fe927ee32884cda6fe948b5; classtype:trojan-activity; sid:2018973; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 20 2014 D2"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|00 9c 96 01 9e 7e d5 38 fd|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2018974; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange EK Thread Specific Java Exploit"; flow:established,to_server; content:"GET"; http_method; content:"/Fqxzdh.jar"; http_uri; fast_pattern:only; content:" Java/1."; http_user_agent; pcre:"/\/Fqxzdh\.jar$/U"; reference:url,malware-traffic-analysis.net/2014/07/24/index.html; classtype:trojan-activity; sid:2018987; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Landing Aug 22 2014"; flow:established,from_server; file_data; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; content:"|5d 2f 67 2c 27 27 29 2e 73 75 62 73 74 72 28|"; within:500; content:"ActiveXObject"; pcre:"/^\s*?\(\s*?[\x22\x27](?!AgControl\.AgControl)[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?\.[^\x22\x27]*?A[^\x22\x27]*?g[^\x22\x27]*?C[^\x22\x27]*?o[^\x22\x27]*?n[^\x22\x27]*?t[^\x22\x27]*?r[^\x22\x27]*?o[^\x22\x27]*?l[^\x22\x27]*?[\x22\x27]\s*?\.\s*?replace\s*?\(/Rsi"; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018988; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Landing URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/eipm.php"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018989; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/yztl.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018990; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014"; flow:established,to_server; urilen:16; content:"/nhqdxa/vpclcy.x"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018991; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Flash URI Sruct Aug 22 2014"; flow:established,to_server; urilen:17; content:"/nhqdxa/oujyt.swf"; http_uri; fast_pattern:only; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018992; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising EK Payload URI Sruct Aug 22 2014"; flow:established,to_server; urilen:19; content:"/nhqdxa/gjtzssq.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; reference:url,malware-traffic-analysis.net/2014/08/22/index2.html; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2018993; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK CVE-2014-0515 Aug 24 2014"; flow:established,to_server; content:"GET"; http_method; content:"flashhigh.swf"; fast_pattern:only; http_uri; pcre:"/^\/(?:pruncd)?flashhigh\.swf$/U"; classtype:trojan-activity; sid:2018995; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK CVE-2014-0497 Aug 24 2014"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?flashlow\.swf$/U"; classtype:trojan-activity; sid:2018996; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Secondary Landing Aug 24 2014"; flow:established,to_server; content:"/ie8910b.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2018997; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing Aug 24 2014"; flow:established,from_server; file_data; content:"+payload"; fast_pattern; nocase; content:"flashLow"; nocase; classtype:trojan-activity; sid:2018998; rev:10;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack EK Exploit Flash Post Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"id="; http_client_body; depth:3; content:"&dom=687474703a2f2f"; http_client_body; fast_pattern:only; content:"2e706870"; http_client_body; pcre:"/^id=[^&]+&dom=687474703a2f2f[a-f0-9]+2e706870\s*?$/Ps"; classtype:trojan-activity; sid:2019004; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack EK Redirect Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"gate.php"; http_uri; fast_pattern:only; content:".swf/[[DYNAMIC]]/1"; http_header; classtype:trojan-activity; sid:2019005; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack EK Exploit Landing Aug 25 2014"; flow:established,to_server; content:"POST"; http_method; content:"/msie.php"; http_uri; pcre:"/[^=]+?=(?:(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+?2e)+(?:[46][1-9a-f]|[57][0-9a]|3[0-9]|2d)+\s*?/P"; classtype:trojan-activity; sid:2019006; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPack EK JS Include Aug 25 2014"; flow:established,from_server; file_data; content:"function hex2bin(hex)"; within:21; content:"function rc4"; distance:0; content:!"function "; distance:0; classtype:trojan-activity; sid:2019007; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload"; flow:established,to_server; content:"/load"; http_uri; fast_pattern:only; content:".php?id="; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2019008; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BleedingLife EK Variant Aug 26 2014"; flow:established,to_server; content:".php?spl="; http_uri; fast_pattern:only; pcre:"/\.php\?spl=[\w_]+$/Ui"; classtype:trojan-activity; sid:2019023; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Offensive Security EMET Bypass Observed in BleedingLife Variant Aug 26 2014"; flow:established,to_client; file_data; content:"|22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 31 2b 22 25 75 22 2b 67 65 74 6d 6f 64 75 6c 65 77 32 29|"; classtype:trojan-activity; sid:2019024; rev:3;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert freeb4u.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|freeb4u.com"; distance:1; within:12; reference:md5,3c140d775b33a5201089e8f8118b7fb5; classtype:trojan-activity; sid:2019025; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert developmentinn.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.developmentinn.com"; distance:1; within:23; reference:md5,2f17d82e939efe315a89f1aa42e93cf1; classtype:trojan-activity; sid:2019026; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert directory92.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|directory92.com"; distance:1; within:16; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019027; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert epr-co.ch"; flow:established,from_server; content:"|55 04 03|"; content:"|09|epr-co.ch"; distance:1; within:10; reference:md5,dc7939920cb93e58c990a8e0a0295bb7; classtype:trojan-activity; sid:2019028; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert pouyasazan.org"; flow:established,from_server; content:"|55 04 03|"; content:"|15|linux4.pouyasazan.org"; distance:1; within:22; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019029; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ara-photos.net"; flow:established,from_server; content:"|55 04 03|"; content:"|12|www.ara-photos.net"; distance:1; within:19; reference:md5,b978929f93fe8e10d8f7f6f52953cbba; classtype:trojan-activity; sid:2019030; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tecktalk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.tecktalk.com"; distance:1; within:17; reference:md5,0181d134ff73743e8dd5e23b9cf7ff51; classtype:trojan-activity; sid:2019031; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert cyclivate.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.cyclivate.com"; distance:1; within:18; reference:md5,b911327d0ba6ce016e8e33ba97e87e83; classtype:trojan-activity; sid:2019032; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mentoringgroup.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.mentoringgroup.com"; distance:1; within:23; reference:md5,444dd80b551ac28e43380c2ef0bc4df0; classtype:trojan-activity; sid:2019033; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert dineshuthayakumar.in"; flow:established,from_server; content:"|55 04 03|"; content:"|14|dineshuthayakumar.in"; distance:1; within:21; reference:md5,0c96fd25ec4139063ac7d83511835d20; classtype:trojan-activity; sid:2019034; rev:4;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert ssshosting.net"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|ssshosting.net"; distance:1; within:15; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019035; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert erotikturk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|15|server.erotikturk.com"; distance:1; within:22; reference:md5,8f13400f01f5ad3404bc6700279ac7aa; classtype:trojan-activity; sid:2019036; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mtnoutfitters.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|mtnoutfitters.com"; distance:1; within:18; reference:md5,ebca10e0a4eb99758f0fb3612fa970ba; classtype:trojan-activity; sid:2019037; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert jojik-international.com"; flow:established,from_server; content:"|55 04 03|"; content:"|17|jojik-international.com"; distance:1; within:24; reference:md5,ffa19cd3be6a89da96bcfb5a1a52b6ae; classtype:trojan-activity; sid:2019038; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert abarsolutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|abarsolutions.com"; distance:1; within:18; reference:md5,029e3713002bd3514b1f2493caea8294; classtype:trojan-activity; sid:2019039; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert eastwoodvalley.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|www.eastwoodvalley.com"; distance:1; within:23; reference:md5,450b394d88a69f6cb9722a5b56168ce6; classtype:trojan-activity; sid:2019040; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert pejlain.se"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|pejlain.se"; distance:1; within:11; reference:md5,1658e12bb1fe8a25127e8bd09b923acd; classtype:trojan-activity; sid:2019042; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert dominionthe.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|dominionthe.com"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019043; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert delanecanada.ca"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|delanecanada.ca"; distance:1; within:16; reference:md5,911bc6e1c581e9295d193bcdbcce1ddd; classtype:trojan-activity; sid:2019044; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert hebergement-solutions.com"; flow:established,from_server; content:"|55 04 03|"; content:"|19|hebergement-solutions.com"; distance:1; within:26; reference:md5,e5f8caba2b2832de5c13a16d5b4f6d6f; classtype:trojan-activity; sid:2019045; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert sportofteniq.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|sportofteniq.com"; distance:1; within:17; reference:md5,d06ec89944b566df8dcd959a2196b37c; classtype:trojan-activity; sid:2019046; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert adoraacc.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|adoraacc.com"; distance:1; within:13; reference:md5,a938c50d686663f97d62dff812fc575b; classtype:trojan-activity; sid:2019047; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tristacey.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|tristacey.com"; distance:1; within:14; reference:md5,e40ec448fd7cfea641a18fb6b38e4e92; classtype:trojan-activity; sid:2019048; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert nbc-mail.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|nbc-mail.com"; distance:1; within:13; reference:md5,348b8a9e693a6784a6cf26d9afe6fed9; classtype:trojan-activity; sid:2019049; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert tridayacipta.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|tridayacipta.com"; distance:1; within:17; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019050; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert trainthetrainerinternational.com"; flow:established,from_server; content:"|55 04 03|"; content:"|20|trainthetrainerinternational.com"; distance:1; within:33; reference:md5,010e6b78b6ec2fd6970b0c709e70acec; classtype:trojan-activity; sid:2019051; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert lingayasuniversity.edu.in"; flow:established,from_server; content:"|55 04 03|"; content:"|1d|www.lingayasuniversity.edu.in"; distance:1; within:30; reference:md5,b2c3bb2b56876e325d86731a693fd138; classtype:trojan-activity; sid:2019052; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert uleideargan.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|www.uleideargan.com"; distance:1; within:20; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019053; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert picklingtank.com"; flow:established,from_server; content:"|55 04 03|"; content:"|10|picklingtank.com"; distance:1; within:17; reference:md5,ba402e41e140af41d57788e24c4c56d4; classtype:trojan-activity; sid:2019054; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert vcomdesign.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|vcomdesign.com"; distance:1; within:15; reference:md5,9ad86fc9a57b620e96082cd61aa1b494; classtype:trojan-activity; sid:2019055; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert technosysuk.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|technosysuk.com"; distance:1; within:16; reference:md5,fc23d6cbe926a022cac003214679ec7a; classtype:trojan-activity; sid:2019056; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert slmp-550-105.slc.westdc.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|slmp-550-105.slc.westdc.net"; distance:1; within:28; reference:md5,f053b1aa875751944bae74fce67fe965; classtype:trojan-activity; sid:2019057; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert itiltrainingcertworkshop.com"; flow:established,from_server; content:"|55 04 03|"; content:"|23|server.itiltrainingcertworkshop.com"; distance:1; within:36; reference:md5,f7b715ad4235599ed21179a369279225; classtype:trojan-activity; sid:2019058; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert udderperfection.com"; flow:established,from_server; content:"|55 04 03|"; content:"|13|udderperfection.com"; distance:1; within:20; reference:md5,27938e57f7928e9559e71d384a8fffe6; classtype:trojan-activity; sid:2019059; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert efind.co.il"; flow:established,from_server; content:"|55 04 03|"; content:"|0b|efind.co.il"; distance:1; within:12; reference:md5,6d8a5b36f61e392aaa048b97b3d9e090; classtype:trojan-activity; sid:2019060; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert bloodsoft.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|bloodsoft.com"; distance:1; within:14; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019061; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert walletmix.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|www.walletmix.com"; distance:1; within:18; reference:md5,1b1626f65c4bac3af1220898f971f3ac; classtype:trojan-activity; sid:2019062; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert turnaliinsaat.com"; flow:established,from_server; content:"|55 04 03|"; content:"|11|turnaliinsaat.com"; distance:1; within:18; reference:md5,feb5304d966a0f1610e642984a64d54c; classtype:trojan-activity; sid:2019063; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mdus-pp-wb12.webhostbox.net"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|mdus-pp-wb12.webhostbox.net"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019064; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert plastics-technology.com"; flow:established,from_server; content:"|55 04 03|"; content:"|1b|www.plastics-technology.com"; distance:1; within:28; reference:md5,309efe8603c6db1218e8a95b6f4d2840; classtype:trojan-activity; sid:2019065; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert deserve.org.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|deserve.org.uk"; distance:1; within:15; reference:md5,9d16352f292d86f40236afc7e06bce08; classtype:trojan-activity; sid:2019067; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert worldbuy.biz"; flow:established,from_server; content:"|55 04 03|"; content:"|10|www.worldbuy.biz"; distance:1; within:17; reference:md5,57c73f511f3ed23df07e2c1b88e007ca; classtype:trojan-activity; sid:2019068; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole EK Landing Aug 27 2014"; flow:established,to_client; file_data; content:"|28 36 39 33 37 34 31 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 3b 77 69 6e 64 6f 77|"; classtype:trojan-activity; sid:2019071; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing URI Struct"; flow:established,to_server; content:"/?PHPSSESID=njr"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019072; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole EK Landing Redirect Aug 27 2014"; flow:established,to_client; content:"Server|3a 20|CppCMS-Embedded/1.0.4|0d 0a|"; http_header; content:"302"; http_stat_code; content:"nhweb="; http_cookie; depth:6; classtype:trojan-activity; sid:2019073; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert paydaypedro.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|11|paydaypedro.co.uk"; distance:1; within:18; reference:md5,39877be17bd3435f275fc54577beaa6e; classtype:trojan-activity; sid:2019075; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert chatso.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0a|chatso.com"; distance:1; within:11; reference:md5,ef88df67a0bcb872143543ebad0ba91d; classtype:trojan-activity; sid:2019076; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Aug 27 2014"; flow:from_server,established; content:"|0d 0a|X-Powered-By|3a 20|PHP"; http_header; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23|"; within:27; fast_pattern; pcre:"/^[a-f0-9]{6}\x22>\r\n(?:<(?P<tag>[^>]{1,10})>[A-Za-z0-9]+?<\/(?P=tag)>\r\n){0,10}(?:\r\n)*?<script>[^\r\n]+?\We[\x22\x27\+]*?v[\x22\x27\+]*?a[\x22\x27\+]*?l\W/R"; classtype:trojan-activity; sid:2019078; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks"; flow:from_server,established; file_data; content:"scanbox.crypt._utf8_encode"; classtype:trojan-activity; sid:2019093; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks Intial (POST)"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; fast_pattern:only; content:"seed="; http_client_body; content:"&referrer="; http_client_body; content:"&agent="; http_client_body; content:"&location="; http_client_body; content:"&toplocation="; http_client_body; pcre:"/\.php$/U"; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019094; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks (POST) PluginData"; flow:to_server,established; content:"POST"; http_method; content:"pluginid="; http_client_body; fast_pattern:only; content:"projectid="; http_client_body; content:"seed="; http_client_body; content:"data="; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019095; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS ScanBox Framework used in WateringHole Attacks KeepAlive"; flow:to_server,established; content:"GET"; http_method; content:".php?seed="; http_uri; fast_pattern:only; content:"&alivetime="; http_uri; content:"&r="; http_uri; reference:url,www.alienvault.com/open-threat-exchange/blog/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks; classtype:trojan-activity; sid:2019096; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK SilverLight URI Struct"; flow:to_server,established; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/(?:pruncd)?silverapp1\.xap$/U"; classtype:trojan-activity; sid:2019097; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Sending Plugin-Detect Data"; flow:to_server,established; content:"dump="; http_client_body; depth:5; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"%7C"; http_client_body; distance:0; content:"&ua="; http_client_body; distance:0; content:"&ref="; http_client_body; distance:0; classtype:trojan-activity; sid:2019098; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Archie/Metasploit SilverLight Exploit"; flow:from_server,established; file_data; content:"SilverApp1.dllPK"; classtype:trojan-activity; sid:2019099; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack EK Redirect Sept 01 2014"; flow:established,to_server; content:".php"; http_uri; pcre:"/\.php$/U"; content:".php/[[DYNAMIC]]/"; http_header; pcre:"/Referer\x3a[^\r\n]+\.php\/\[\[DYNAMIC\]\]\/\d/Hm"; classtype:trojan-activity; sid:2019100; rev:3;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9c c5 8b 5d c7 8a 96 b7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0d5ad9759753cb4639cd405eddbe2a16; classtype:trojan-activity; sid:2019104; rev:2;) + +#alert tls 66.147.244.132 any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert bluehost.com Aug 27 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e 2a 2e|bluehost.com"; distance:1; within:15; reference:md5,19bb8e0b16c14194862d0750916ce338; classtype:trojan-activity; sid:2019105; rev:3;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"Wy9GbCAvRmxd"; classtype:trojan-activity; sid:2019117; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"L0ZsIC9GbF0g"; classtype:trojan-activity; sid:2019118; rev:3;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET [25,587] (msg:"ET CURRENT_EVENTS Possible Double Flated Encoded Inbound Malicious PDF"; flow:to_server,established; content:"IFsvRmwgL0Zs"; classtype:trojan-activity; sid:2019119; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Astrum EK Landing"; flow:established,from_server; file_data; content:"|7b 72 65 74 75 72 6e 20 75 6e 65 73 63 61 70 65|"; content:"|3e 3e 38 26 32 35 35 29 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 32 3a|"; content:"|29 5e 32 35 35 26|"; classtype:trojan-activity; sid:2019130; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Astrum EK Landing"; flow:established,from_server; file_data; content:"%65%64%6f%43%72%61%68%43%6d%6f%72%66"; content:"%74%41%65%64%6f%43%72%61%68%63"; classtype:trojan-activity; sid:2019131; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Flashpack Redirect Method 2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/^Referer\x3a[^\r\n]+\.swf/Hmi"; content:"fvers="; fast_pattern; http_client_body; content:"osa="; http_client_body; classtype:trojan-activity; sid:2019134; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange CDN Gate Sept 09 2014 Method 2"; flow:established,to_server; content:"/k?t"; http_uri; fast_pattern:only; pcre:"/\/k\?t[a-z]*=\d{5,}$/U"; classtype:trojan-activity; sid:2019146; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange EK Java Exploit"; flow:established,to_server; content:"/view_policy_free.jnlp"; http_uri; content:"Java/1."; http_user_agent; classtype:trojan-activity; sid:2019154; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Silverlight URI Struct"; flow:established,to_server; content:".xap"; http_uri; fast_pattern:only; content:"/1"; http_uri; pcre:"/\/1(?:3[89]\d{7}|4\d{8})\.xap$/U"; classtype:trojan-activity; sid:2019167; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 95 9f e1 a6 33 7b d9|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,edefcbba2944872f31454fcb98802488; classtype:trojan-activity; sid:2019173; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Astrum EK URI Struct"; flow:established,to_server; urilen:60<>100; content:"|2e 20|HTTP/1."; fast_pattern:only; pcre:"/^\/(?=[A-Za-z_-]*?\d)(?=[a-z0-9_-]*?[A-Z])(?:[A-Za-z0-9_-]{4}){15,}(?:[[A-Za-z0-9_-]{2}\x2e?\x2e|[A-Za-z0-9_-]{3}\x2e)$/U"; classtype:trojan-activity; sid:2019176; rev:3;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 8c bf 77 7c 33 77 06|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5dd6e69b1e9049f295e314b523679d98; classtype:trojan-activity; sid:2019178; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising Leading to EK Aug 19 2014 M4"; flow:established,from_server; content:"Server|3a 20|nginx|0d 0a|"; http_header; content:"X-Powered-By|3a 20|PHP"; http_header; content:"text/javascript"; http_header; file_data; content:"if|28|[removed].indexOf|28|"; within:27; fast_pattern; pcre:"/^\s*?[\x22\x27](?P<var>[^\x22\x27]+)[\x22\x27]\s*?\x29\s*?==\s*?-1\x29\x7b[^\r\n]*?document\.cookie\s*?=\s*?[\x22\x27](?P=var)\s*?\x3d\s*?[^\r\n]+?[\r\n]*?$/Rsi"; content:"iframe"; content:"top"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; content:"left"; pcre:"/^\s*?[\x3a\x3d]\s*?[\x22\x27]?\-/Rsi"; classtype:trojan-activity; sid:2019180; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u000"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,1337day.com/exploit/22581; classtype:trojan-activity; sid:2019181; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Gate"; flow:established,from_server; file_data; content:"AgControl.AgControl"; content:"document.cookie.indexOf|28 22|xap|22 29|"; fast_pattern:10,20; content:"Math.random()|3b|"; classtype:trojan-activity; sid:2019183; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Silverlight Based Redirect"; flow:established,from_server; file_data; content:"AppManifest.xamlPK"; fast_pattern:only; content:"iframe.dllPK"; classtype:trojan-activity; sid:2019184; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Gate Sep 16 2014"; flow:established,from_server; file_data; content:"16.html"; fast_pattern:only; content:"etCookie"; content:"document.write(|27|<iframe"; pcre:"/^(?=(?:(?!<\/iframe>).)+?src\s*?=\s*?\x22http\x3a[^\x22]+16\.html\x22)(?=(?:(?!<\/iframe>).)+?left\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?=(?:(?!<\/iframe>).)+?top\s*?[\x3a\x3d]\s*?[\x22\x27]?\-)(?:(?!<\/iframe>).)+?<\/iframe>\x27\x29/Rsi"; classtype:trojan-activity; sid:2019185; rev:4;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e8 66 93 12 61 52 ba b4|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|Zatusim.com"; distance:1; within:12; reference:md5,2f52d3921613b2fe06c9eb9051d45e60; classtype:trojan-activity; sid:2019186; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 Sept 17 2014 "; flow:established,from_server; file_data; content:"|76 5c 3a 2a 7b 62 65 68 61 76 69 6f 72 3a 75 72 6c 28 23 64 65 66 61 75 6c 74 23 56 4d 4c 29 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d|"; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28|"; distance:0; content:"|3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 62 6c 61 63 6b|"; distance:0; classtype:trojan-activity; sid:2019188; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014"; flow:established,to_server; content:"/14"; http_uri; content:".htm"; http_uri; distance:8; within:4; pcre:"/^\/[a-z0-9]+?(?:\/\d)?\/14\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{14,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019189; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Page Sept 17 2014"; flow:established,from_server; file_data; content:"|41 63 74 69 76 65 58 4F 62 6A 65 63 74 28 22 4D 69 63 72 6F 73 22 2B 2F 2A|"; pcre:"/^[a-z0-9]+\x2A\x2F\x22\x6F\x66\x74\x2E/R"; classtype:trojan-activity; sid:2019193; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?ds="; http_uri; fast_pattern:only; content:"&dr="; http_uri; pcre:"/&dr=\d+$/U"; reference:url, blog.malwarebytes.org/exploits-2/2014/07/socialblade-com-compromised-starts-redirection-chain-to-nuclear-pack-exploit-kit/; classtype:trojan-activity; sid:2019194; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Redirect Sept 18 2014"; flow:established,to_server; content:".php?acc="; http_uri; fast_pattern:only; content:"&nrk="; http_uri; pcre:"/&nrk=\d+$/U"; classtype:trojan-activity; sid:2019195; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Androm SSL Cert Sept 18 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; distance:0; content:"|09 00 bf 91 db e3 f1 fb 7c cc|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,ca2f3e2568ac5c01ecf2747f778e13a1; classtype:trojan-activity; sid:2019196; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 19 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f8 69 16 89 bb bc f3 d7|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1da03b89c25c9f8999edb8c1abb0c4ed; classtype:trojan-activity; sid:2019200; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF Struct (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern:only; pcre:"/\/14\d{8}(?:\.pdf)?$/U"; flowbits:set,et.Nuclear.PDF; flowbits:noalert; classtype:trojan-activity; sid:2019209; rev:12;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK PDF"; flow:established,from_server; flowbits:isset,et.Nuclear.PDF; content:"Content-Disposition|3a|"; http_header; content:".pdf|0d 0a|"; http_header; fast_pattern:only; content:"X-Powered-By|3a|"; http_header; content:"nginx"; http_header; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]+(?<!\W14\d{8})\.pdf\r?$/Hm"; file_data; content:"|25|PDF-1.6"; within:8; classtype:trojan-activity; sid:2019210; rev:13;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 95 78 dc d3 77 1b bc 30|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bf019054fced52ff03ed8d371dfd371d; classtype:trojan-activity; sid:2019213; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Angler EK Apr 01 2014"; flow:established,to_client; content:"Expires|3a| Sat, 26 Jul 1997 05|3a|00|3a|00 GMT|0d 0a|Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00|3a|00 GMT|0d 0a|"; fast_pattern:55,20; http_header; classtype:trojan-activity; sid:2019224; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK 2013-3918"; flow:established,from_server; content:"X-Powered-By|3a|"; http_header; file_data; content:"C|3a 5c|Rock.png"; nocase; fast_pattern:only; content:"|7b|return"; pcre:"/^\s*?[A-Z0-9a-z\+]+?\s*?\x7d/R"; content:"|7d|function"; content:"|3b|function"; classtype:trojan-activity; sid:2019226; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Spy.Zbot.ACB SSL Cert Sept 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 99 56 02 06 27 f8 97 08|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,2ceda25b44378583dfb6df64b92ac654; classtype:trojan-activity; sid:2019227; rev:2;) + +alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fb c0 73 38 d6 b1 99 a5|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,0fa515ad9fd1031b7a7891a46f72f122; classtype:trojan-activity; sid:2019275; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c5 86 50 03 11 16 99 16|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,75a2e3c9f8783dfc953f6aeb8a9eda2f; classtype:trojan-activity; sid:2019276; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert santa.my"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|www.santa.my"; distance:1; within:13; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019277; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert glynwedasia.com"; flow:established,from_server; content:"|55 04 03|"; content:"|0f|glynwedasia.com"; distance:1; within:16; reference:md5,cfbfac0a9bf37b71e46ed43d95df4aec; classtype:trojan-activity; sid:2019278; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackEnergy Possible SSL Cert Sept 26 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 88 91 e8 ca 54 bb 7d 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|0b|5.79.80.166"; distance:1; within:12; reference:md5,1821351d67a3dce1045be09e88461fe9; classtype:trojan-activity; sid:2019282; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Job314 EK Landing"; flow:established,from_server; file_data; content:"|22|container|22|,|20 22|10|22|,"; fast_pattern:only; content:"swfobject.embedSWF"; nocase; pcre:"/^\s*?\x28\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?(?P=q)\s*?\,\s*?[\x22\x27]container[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27]\s*?,\s*?[\x22\x27]10[\x22\x27],\s*?[\x22\x27]9\.0\.0[\x22\x27]\s*?,\s*?false\s*?,\s*?flashvars,\s*?params\s*?,\s*?attributes\s*?\x29\s*?\x3b\s*?<\/script>\s*?<\/head>/Rs"; classtype:trojan-activity; sid:2019287; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible Job314 EK JAR URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".pack.gz"; http_uri; pcre:"/^(?=(?:\/[a-z]+?)*?\/\d+\/)(?=(?:\/\d+?)*?\/[a-z]+?\/)(?:\/(?:[a-z]+|\d+)){4,}\/[a-z]+\.pack\.gz$/U"; classtype:trojan-activity; sid:2019288; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre redirector GET Sept 29 2014"; flow:established,to_server; content:".php?h="; http_uri; fast_pattern; pcre:"/^\d+&w=\d+&ua=.+&e=1$/UR"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019311; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Sep 29 2014"; flow:from_server,established; file_data; content:"|28 2f 5b 40 5c 2a 5c 2d 5d 2f 67 2c 27 27 29|"; fast_pattern:only; content:"return"; pcre:"/^\s[^\r\n]*?[\x28\x5b]\s*?[\x22\x27][^\x22\x27]?s[^\x22\x27]?u[^\x22\x27]?b[^\x22\x27]?s[^\x22\x27]?t[^\x22\x27]?r[^\x22\x27]?[\x22\x27]\s*?[\x29\x5d]\s*?(?:\x5d\s*?)?\x28/R"; classtype:trojan-activity; sid:2019315; rev:7;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c3 04 eb 4f 91 0a 85 aa|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,a3dd0964ee346db49192836569b41203; classtype:trojan-activity; sid:2019319; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 30 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba c8 fb e2 d7 61 26 81|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27ec921595f9e05e7e8933e71d336fa7; classtype:trojan-activity; sid:2019320; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre redirector 29 Sept 2014 - POST"; flow:established,to_server; content:"POST"; http_method; content:"h="; http_client_body; depth:3; content:"w="; http_client_body; within:8; content:"ua="; http_client_body; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019321; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious embedded zip file in web page"; flow:established,to_client; file_data; content:"data|3a|"; nocase; content:"base64,UEsDB"; within:40; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019324; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert mypreschool.sg"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|mypreschool.sg"; distance:1; within:15; reference:md5,f186984320d0cf0a4fd501e50c7a40c5; classtype:trojan-activity; sid:2019337; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic CollectGarbage in Hex"; flow:established,from_server; file_data; content:"|5c|x43|5c|x6f|5c|x6c|5c|x6c|5c|x65|5c|x63|5c|x74|5c|x47|5c|x61|5c|x72|5c|x62|5c|x61|5c|x67|5c|x65"; nocase; classtype:trojan-activity; sid:2019338; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic URLENCODED CollectGarbage"; flow:established,from_server; file_data; content:"%43%6f%6c%6c%65%63%74%47%61%72%62%61%67%65"; classtype:trojan-activity; sid:2019339; rev:4;) + +alert smtp any any -> any any (msg:"ET CURRENT_EVENTS Possible ComputerCop Log Transmitted via SMTP"; flow:to_server,established; content:"Subject|3a 20|CCOP|20|"; nocase; fast_pattern:only; reference:url,www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies; classtype:trojan-activity; sid:2019340; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cryptowall 2.0 DL URI Struct Oct 2 2014"; flow:to_server,established; content:"GET"; http_method; content:"/blog/"; http_uri; depth:6; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^\/blog\/[a-z0-9]+$/U"; pcre:"/^User-Agent\x3a[^\r\n]+(?:MSIE|rv\x3a11\.0)[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019341; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 3 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 02 84 39 97 d9 ef df|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,27b8d15950022f53ca4ca7004932cf2b; classtype:trojan-activity; sid:2019342; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE 11.0 Minimal Headers (flowbit set)"; flow:to_server,established; content:" rv|3a|11.0"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+rv\x3a11\.0[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019343; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FAKEIE Minimal Headers (flowbit set)"; flow:to_server,established; content:"GET"; http_method; content:" MSIE "; http_user_agent; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+\sMSIE\s[^\r\n]+\r\nHost\x3a[^\r\n]+\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/H"; flowbits:set,FakeIEMinimal; flowbits:noalert; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019344; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CryptoLocker TorComponent DL"; flow:from_server,established; flowbits:isset,FakeIEMinimal; file_data; byte_extract:1,0,size,relative; content:"|00 00 00|"; within:3; content:!"|00|"; within:size; content:"|00|"; distance:size; within:1; pcre:"/^.\x00\x00\x00[a-z0-9]+?\x00/s"; reference:url,malware-traffic-analysis.net/2014/10/01/index.html; classtype:trojan-activity; sid:2019345; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection 19 September 2014"; flow:to_client,established; file_data; content:"var ajax_data_source"; within:20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/03/index.html; classtype:trojan-activity; sid:2019352; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Oct 5 2014 (no alert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern:only; pcre:"/\/14\d{8}(?:\/\d+)*?(?:\/x[a-f0-9]+[\x3b0-9]*)?$/U"; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:trojan-activity; sid:2019358; rev:11;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Oct 5 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".exe"; http_header; fast_pattern:only; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.exe/Hm"; classtype:trojan-activity; sid:2019359; rev:10;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK Landing"; flow:established,from_server; file_data; content:"DetectFlashForMSIE()"; content:"DetectPdfForMSIE()"; content:"http|3a 2f 2f|localhost"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019367; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M1"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"dword2data"; content:"localhost"; content:".swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019368; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M2"; flow:established,from_server; file_data; content:"|5c|x3c|5c|x64|5c|x69|5c|x76|5c|x20|5c|x69|5c|x64|5c|x3d|5c|x22|5c|x6c|5c|x6f|5c|x6c|5c|x22"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019369; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2014-1776 M3"; flow:established,from_server; file_data; content:"1776_concat.swf"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019370; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M1"; flow:established,from_server; file_data; content:"SharePoint.OpenDocuments.3"; nocase; content:"SharePoint.OpenDocuments.4"; nocase; content:"|3a|ANIMATECOLOR "; nocase; content:"ms-help|3a 2f 2f|"; fast_pattern:only; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019371; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2013-1347 M2"; flow:established,from_server; file_data; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 22 39 30 22 20 2b 20 22 39 30 22 29|"; nocase; distance:0; content:"|75 6e 65 73 63 61 70 65 28 22 25 75 22 2b 70 61 72 73 65 49 6e 74 28|"; content:"|2e 73 75 62 73 74 72 28 30 2c 32 29 2c 31 36 29 2e 74 6f 53 74 72 69 6e 67 28 31 36 29|"; distance:4; within:29; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019372; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic CollectGarbage in JJEncode (Observed in Sednit)"; flow:established,from_server; file_data; content:".__$+"; pcre:"/^(?P<sep>.{1,20})\.___\+(?P=sep)\._\$\$\+(?P=sep)\._\$\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+\(\!\[\]\+\x22\x22\)\[(?P=sep)\._\$_\]\+(?P=sep)\.\$\$\$_\+(?P=sep)\.\$\$__\+(?P=sep)\.__\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$\$_\+(?P=sep)\._\$_\+(?P=sep)\.\$_\$\$\+(?P=sep)\.\$_\$_\+\x22\x5c\x5c\x22\+(?P=sep)\.__\$\+(?P=sep)\.\$__\+(?P=sep)\.\$\$\$\+(?P=sep)\.\$\$\$_\+/R"; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019373; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Sednit EK IE Exploit CVE-2013-3897 M1"; flow:established,from_server; file_data; content:"|5c|x76|5c|x61|5c|x72|5c|x20|5c|x73|5c|x74|5c|x72|5c|x3d|5c|x75|5c|x6e|5c|x65|5c|x73|5c|x63|5c|x61|5c|x70|5c|x65|5c|x28|5c|x22|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x25|5c|x75|5c|x31|5c|x34|5c|x31|5c|x34|5c|x22|5c|x29|5c|x3b"; nocase; reference:url,www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/; classtype:trojan-activity; sid:2019374; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection Oct 8 2014"; flow:established,to_client; file_data; content:"String.fromCharCode(parseInt|28 28|"; pcre:"/^\s*?(?P<var1>[^\x29\x5b]+)\x5b\s*?(?P<cntr>[^\x5d]+)\s*?\x5d\s*?\+\s*?(?P=var1)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*?16\s*?\x29\s*?\^\s*?parseInt\x28\x28\s*?(?P<var2>[^\x29\x5b]+)\x5b\s*?(?P=cntr)\s*?\x5d\s*?\+\s*?(?P=var2)\x5b\s*?(?P=cntr)\s*?\+\s*?1\s*?\x5d\s*?\x29\s*?,\s*16\s*?\x29\x29\s*?\x3b\s*?(?P=cntr)\s*?\+=\s*?2\s*?\x3b/Rs"; reference:url,malware-traffic-analysis.net/2014/10/06/index2.html; classtype:trojan-activity; sid:2019375; rev:4;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Napolar SSL Cert Oct 9 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|19|secure.barrentomedear.com"; distance:1; within:26; reference:md5,958804a1191cb281a3a967de17763cf4; classtype:trojan-activity; sid:2019376; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 9 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be cf d6 29 b3 79 8f e2|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,3a9f4fc34e121fc2e5c0d7775091714c; classtype:trojan-activity; sid:2019382; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki RCE attempt"; flow:established,to_server; content:"debugenableplugins="; http_uri; pcre:"/debugenableplugins=[a-zA-Z0-9]+?\x3b/U"; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236; reference:cve,2014-7236; classtype:attempted-admin; sid:2019385; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt"; flow:established,to_server; content:"POST"; http_method; content:"filename=|22 00|.htaccess"; http_client_body; reference:url,twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237; reference:cve,2014-7237; classtype:attempted-admin; sid:2019386; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download"; flow:to_client,established; file_data; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019395; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (UNICODE)"; flow:to_client,established; file_data; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019397; rev:2;) + +alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (SMB)"; flow:to_client,established; content:"Software|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|Run"; nocase; content:"7EBEFBC0-3200-11d2-B4C2-00A0C9697D17"; fast_pattern; nocase; content:"ClassGuid"; nocase; content:"DefaultInstall"; nocase; classtype:attempted-user; sid:2019398; rev:2;) + +alert tcp $EXTERNAL_NET [445,139] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible SandWorm INF Download (SMB UNICODE)"; flow:to_client,established; content:"S|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00 5c 00|M|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 5c 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|C|00|u|00|r|00|r|00|e|00|n|00|t|00|V|00|e|00|r|00|s|00|i|00|o|00|n|00 5c 00|R|00|u|00|n|00|"; nocase; content:"7|00|E|00|B|00|E|00|F|00|B|00|C|00|0|00 2d 00|3|00|2|00|0|00|0|00 2d 00|1|00|1|00|d|00|2|00 2d 00|B|00|4|00|C|00|2|00 2d 00|0|00|0|00|A|00|0|00|C|00|9|00|6|00|9|00|7|00|D|00|1|00|7"; fast_pattern; nocase; content:"C|00|l|00|a|00|s|00|s|00|G|00|u|00|i|00|d|00|"; nocase; content:"D|00|e|00|f|00|a|00|u|00|l|00|t|00|I|00|n|00|s|00|t|00|a|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2019399; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS PPT Download with Embedded OLE Object"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"ppt/embeddings/oleObject"; classtype:misc-activity; sid:2019405; rev:6;) + +alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M1"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?B[\x0d\x0a]{0,2}w[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}C[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}d[\x0d\x0a]{0,2}z[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}s[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}U[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}j[\x0d\x0a]{0,2}d/R"; classtype:misc-activity; sid:2019406; rev:3;) + +alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M2"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}B[\x0d\x0a]{0,2}0[\x0d\x0a]{0,2}L[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}t[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}u[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}3[\x0d\x0a]{0,2}M[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}x[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}T[\x0d\x0a]{0,2}2[\x0d\x0a]{0,2}J[\x0d\x0a]{0,2}q[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}N[\x0d\x0a]{0,2}0/R"; classtype:misc-activity; sid:2019407; rev:2;) + +alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M3"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?c[\x0d\x0a]{0,2}H[\x0d\x0a]{0,2}Q[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}1[\x0d\x0a]{0,2}i[\x0d\x0a]{0,2}Z[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}R[\x0d\x0a]{0,2}k[\x0d\x0a]{0,2}a[\x0d\x0a]{0,2}W[\x0d\x0a]{0,2}5[\x0d\x0a]{0,2}n[\x0d\x0a]{0,2}c[\x0d\x0a]{0,2}y[\x0d\x0a]{0,2}9[\x0d\x0a]{0,2}v[\x0d\x0a]{0,2}b[\x0d\x0a]{0,2}G[\x0d\x0a]{0,2}V[\x0d\x0a]{0,2}P[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}m[\x0d\x0a]{0,2}p[\x0d\x0a]{0,2}l[\x0d\x0a]{0,2}Y[\x0d\x0a]{0,2}3/R"; classtype:misc-activity; sid:2019408; rev:2;) + +alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M4"; flow:established,to_server; content:"cHB0L2VtYmVkZGluZ3Mvb2xlT2JqZWN0"; classtype:misc-activity; sid:2019409; rev:2;) + +alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M5"; flow:established,to_server; content:"cHQvZW1iZWRkaW5ncy9vbGVPYmplY3"; classtype:misc-activity; sid:2019410; rev:2;) + +alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET CURRENT_EVENTS SUSPICIOUS SMTP Attachment Inbound PPT attachment with Embedded OLE Object M6"; flow:established,to_server; content:"BwdC9lbWJlZGRpbmdzL29sZU9iamVjd"; classtype:misc-activity; sid:2019411; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d5 2e c1 9c b6 e5 96 7d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,05823d6ec6d2a483f94ae1794a06c1a6; classtype:trojan-activity; sid:2019413; rev:2;) + +#alert tcp $EXTERNAL_NET [443,465,993,995,25] -> $HOME_NET any (msg:"ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_dst, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:policy-violation; sid:2019417; rev:4;) + +alert tcp $HOME_NET [443,465,993,995,25] -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SSL excessive fatal alerts (possible POODLE attack against server)"; flow:from_server,established; ssl_version:sslv3; content:"|15 03 00 00|"; depth:4; byte_jump:2,3,post_offset -1; isdataat:!2,relative; threshold:type both, track by_src, count 50, seconds 300; reference:url,blog.fox-it.com/2014/10/15/poodle/; reference:url,www.openssl.org/~bodo/ssl-poodle.pdf; reference:cve,2014-3566; reference:url,askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566; reference:url,www.imperialviolet.org/2014/10/14/poodle.html; classtype:attempted-recon; sid:2019418; rev:5;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 aa 29 c6 1c 85 a5 85 33|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,38f4f489bd7e59ed91dc6ff95f37999f; classtype:trojan-activity; sid:2019419; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 16 2014"; flow:established,to_server; content:"/loxotrap.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019456; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE1"; flow:established,to_server; content:"/YXJyYWtpczAy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019461; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE2"; flow:established,to_server; content:"/aG91c2VhdHJlaWRlczk0/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019462; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE3"; flow:established,to_server; content:"/QmFzaGFyb2Z0aGVTYXJkYXVrYXJz/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019463; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE4"; flow:established,to_server; content:"/U2FsdXNhU2VjdW5kdXMy/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019464; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BlackEnergy URI Struct Oct 17 2014 BE5"; flow:established,to_server; content:"/ZXBzaWxvbmVyaWRhbmkw/"; http_uri; reference:url,github.com/hosom/bro-sandworm/blob/master/sandworm.sig; classtype:trojan-activity; sid:2019465; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 f6 a0 9e 7c 8c 25 3a d0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,ae773f234152fb5df1ab35116dbb82bd; classtype:trojan-activity; sid:2019470; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Job314 EK URI Exploit/Payload Struct"; flow:established,to_server; content:"?action="; http_uri; content:"&exp="; http_uri; fast_pattern; pcre:"/\?action=(?:pld|exp)&exp=/U"; classtype:trojan-activity; sid:2019479; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Job314 EK URI Landing Struct"; flow:established,to_server; content:".html?action=lnd"; http_uri; pcre:"/\?action=lnd$/U"; classtype:trojan-activity; sid:2019480; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 1"; flow:established,to_server; content:"=1/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/(?: MSIE |rv\x3a11)/Vi"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019481; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 2"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:"Accept-Encoding|3a|"; http_header; content:"User-Agent|3a|"; http_header; distance:0; pcre:"/(?: MSIE |rv\x3a11)/Vi"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019482; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 3"; flow:established,to_server; content:"=1/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/(?: MSIE |rv\x3a11)/Vi"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019483; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Orca RAT URI Struct 4"; flow:established,to_server; content:"=2/"; http_uri; fast_pattern:only; pcre:"/^\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?\/[A-Za-z0-9+~]+(?:=[1-2])?$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; pcre:"/(?: MSIE |rv\x3a11)/Vi"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html; classtype:trojan-activity; sid:2019484; rev:3;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Oct 21 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca 38 a4 ec ec c1 f1 9a|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1fedcd44951c3dfb861fa83ddcec2b84; classtype:trojan-activity; sid:2019485; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload URI Struct Oct 22 2014"; flow:established,to_server; content:"/ldcigar.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019487; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Oct 22 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2040 05|3a|00"; http_header; fast_pattern:15,20; classtype:trojan-activity; sid:2019488; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Oct 22 2014"; flow:established,from_server; file_data; content:".join(|22 22|)|3b 3b|"; pcre:"/^\s*?\n\s*?(?P<func>[^\x28\r\n\s]+)\s*?\(\s*?(?P<var>[^\+\x29]+)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+[^\r\n]+\r?\n\s*?<\/script>\s+<script>\s+(?P=func)\s*?\x28\s*?(?P=var)\+/Rs"; classtype:trojan-activity; sid:2019489; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ca f1 2e 3e cb c1 4a c0|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f4c26252042b9d520cd832b8b4a66de0; classtype:trojan-activity; sid:2019493; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 8c 54 a8 06 20 b6 93 90|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,1754d4765a05e4637d2dcdbd1c28eaf1; classtype:trojan-activity; sid:2019494; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d6 cd df 4e c0 3c fc 13|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,5159780c47b8df01d5eb00d858b4d35a; classtype:trojan-activity; sid:2019495; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 22 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 be 1b e1 6a 4d bf 01|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,f66bf24aa5516e335873c758d007ed3c; classtype:trojan-activity; sid:2019496; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Gate Injected iframe Oct 22 2014"; flow:established,from_server; file_data; content:"|2f 2a 0a 43 6f 70 79 72 69 67 68 74 20 28 43 29 20 32 30 30 37 20 46 72 65 65 20 53 6f 66 74 77 61 72 65 20 46 6f 75 6e 64 61 74 69 6f 6e 2c 20 49 6e 63 2e 20 68 74 74 70 3a 2f 2f 66 73 66 2e 6f 72 67 2f 0a 2a 2f 0a 66 75 6e 63 74 69 6f 6e 20 67 65 74 43 6f 6f 6b 69 65 28 65 29|"; within:93; fast_pattern:73,20; classtype:trojan-activity; sid:2019497; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SSL SinkHole Cert Possible Infected Host"; flow:established,from_server; content:"|14|www.kitchensinks.n0t"; nocase; classtype:trojan-activity; sid:2019503; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert Oct 24 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 91 76 a5 11 ca 47 2d|"; within:35; fast_pattern; content:"|55 04 0b|"; distance:0; content:"|04|none"; distance:1; within:5; content:"|55 04 08|"; distance:0; content:"|0c|Someprovince"; distance:1; within:13; reference:md5,35f6b510f94bd96ed9bc44e1f7bf7f38; classtype:trojan-activity; sid:2019506; rev:2;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.tradeledstore.co.uk"; flow:established,from_server; content:"|55 04 03|"; content:"|17|www.tradeledstore.co.uk"; distance:1; within:24; reference:md5,b12730a51341a8bfaa5c7d7e4421fe6c; classtype:trojan-activity; sid:2019507; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Flash Exploit URI Struct"; flow:established,to_server; urilen:65; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:trojan-activity; sid:2019513; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Java Exploit URI Struct"; flow:established,to_server; urilen:65; content:"Java/1."; http_user_agent; fast_pattern:only; pcre:"/^\/[a-z0-9\x2d\x5f]{62}(?:(?:[a-z0-9\x2d\x5f]|=)=|[a-z0-9\x2d\x5f]{2})$/Ui"; classtype:trojan-activity; sid:2019514; rev:4;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 ba 53 8e c8 a2 a1 6c 17|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019520; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe d5 e3 3b b2 f8 4e f4|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,e5395918babb67b495a094040efff909; classtype:trojan-activity; sid:2019521; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 81 01 15 1a 78 7f e9 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,2841fb14060f579e46a301baf234a1e7; classtype:trojan-activity; sid:2019522; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Oct 27 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9e 10 4b 4c 47 43 e9 4b|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,bd3fd9f55900e2c63d5f4977053e8f68; classtype:trojan-activity; sid:2019523; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential Sofacy Phishing Redirect"; flow:established,to_client; file_data; content:"|22 5c|x6C|5c|x6F|5c|x63|5c|x61|5c|x74|5c|x69|5c|x6F|5c|x6E"; nocase; content:"window[_0x"; content:"[1]][_0x"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html; classtype:trojan-activity; sid:2019540; rev:5;) + +#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JAR)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jar"; http_uri; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,20}\.jar$/U"; classtype:trojan-activity; sid:2019542; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Likely SweetOrange EK Flash Exploit URI Struct"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/\/(?=[a-z0-9]{0,10}[A-Z])(?=[A-Z0-9]{0,10}[a-z])[A-Z-a-z0-9]{5,11}$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[^\r\n]*?[a-z]+?\.php\?[a-z]+?=\d/Hm"; classtype:trojan-activity; sid:2019543; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sweet Orange Flash/IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{0,10}=\d{1,3}&){3,}[a-z\_\-]{4,10}=-?\d+$/U"; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; flowbits:set,et.SweetOrangeURI; flowbits:noalert; classtype:trojan-activity; sid:2019544; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack EK Plugin-Detect Post"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"=0oPDPAP6Prooodj"; http_client_body; fast_pattern; classtype:trojan-activity; sid:2019594; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Payload Download Oct 29"; flow:established,to_server; content:"/lofla1.php"; http_uri; classtype:trojan-activity; sid:2019595; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPack Secondary Landing Oct 29"; flow:established,from_server; file_data; content:"Windows%20"; within:10; content:"<br>|0d 0a|"; within:10; pcre:"/^\d/R"; content:"FlashVars=|22|exec="; pcre:"/^(?!687474703a2f2f)(?P<h>[a-f0-9]{2})(?P<t>[a-f0-9]{2})(?P=t)(?P<p>[a-f0-9]{2})(?P<colon>[a-f0-9]{2})(?P<slash>[a-f0-9]{2})(?P=slash)/R"; classtype:trojan-activity; sid:2019596; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FakeSupport - Landing Page - Windows Firewall Warning"; flow:established,to_client; file_data; content:"<title>Windows Firewall warning!</title>"; nocase; classtype:trojan-activity; sid:2019597; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FakeSupport - URI - windows-firewall.png"; flow:established,to_server; content:"windows-firewall.png"; http_uri; classtype:trojan-activity; sid:2019598; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY FakeSupport - Landing Page - Operating System Check"; flow:established,to_client; file_data; content:"<title>Operating System Check</title>"; classtype:trojan-activity; sid:2019599; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Likely SweetOrange EK Java Exploit Struct (JNLP)"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern:only; content:".jnlp"; http_uri; pcre:"/\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Z-a-z]{18}\.jnlp$/U"; classtype:trojan-activity; sid:2019600; rev:3;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Trustezeb.J SSL Cert Oct 30 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|17|bestofthebestrussia.com"; distance:1; within:24; reference:md5,2d8211ad47b36893b6e1b3fdceb00012; classtype:trojan-activity; sid:2019605; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta Java Exploit/Payload URI Struct"; flow:established,to_server; urilen:68<>101; content:"Java/1."; http_user_agent; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}(?:\x3b\d+){1,4}$/U"; classtype:trojan-activity; sid:2019611; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta Flash Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|1"; http_uri; offset:60; content:"|3b|"; http_uri; distance:5; within:1; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}\x3b1\d{5}\x3b\d{1,3}$/U"; classtype:trojan-activity; sid:2019612; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta SilverLight 4.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|4"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b4[0-1]\d{5}$/U"; classtype:trojan-activity; sid:2019623; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta SilverLight 5.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|5"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b5[0-1]\d{5}$/U"; classtype:trojan-activity; sid:2019624; rev:2;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"|61 72 73 79 6d 5b 30 5d 3d 22 65 6e 74 22 3b|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019634; rev:6;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32.Zbot.umpz SSL Cert Nov 4 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|16|boogermanshoptools.net"; distance:1; within:33; reference:md5,c6796076a24f35119ebe441725ec9da7; classtype:trojan-activity; sid:2019639; rev:3;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil EK Redirector Cookie Nov 03 2014"; flow:established,from_server; content:"ruarc="; fast_pattern:only; content:"ruarc="; depth:6; http_cookie; classtype:trojan-activity; sid:2019638; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection Nov 4 2014"; flow:established,from_server; file_data; content:"var main_request_data_content"; within:29; fast_pattern:9,20; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; reference:url,malware-traffic-analysis.net/2014/10/27/index2.html; classtype:trojan-activity; sid:2019642; rev:2;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange Landing Nov 3 2014"; flow:established,to_client; file_data; content:"class=|22|green_class|22|"; pcre:"/^[^>\r\n<]+>[A-Za-z]{70}/R"; classtype:trojan-activity; sid:2019643; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Nov 04 2013"; flow:from_server,established; file_data; content:"|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3e|"; fast_pattern:only; content:"|20|id=|22|"; pcre:"/^(?=[a-z]{0,7}[A-Z])(?=[A-Z]{0,7}[a-z])[A-Za-z]{8}\x22[^>]+?>[A-Za-z]{70}/Rs"; classtype:trojan-activity; sid:2019647; rev:5;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 05 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e9 49 68 e1 31 97 48 3f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,c078788d86c653f428fc3a62dd030ede; classtype:trojan-activity; sid:2019651; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Trustezeb.E SSL Cert Nov 05 2014"; flow:established,from_server; content:"|55 04 03|"; content:"|0e|easy-access.me"; distance:1; within:15; reference:md5,b648562ee817b3635fa7725afe28577c; classtype:trojan-activity; sid:2019652; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Nov 05 2014"; flow:from_server,established; file_data; content:"=|27|c"; pcre:"/^(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?A(?:\x27\s*?\+\s*?\x27)?/R"; content:"t|27 3b|return"; within:9; fast_pattern; content:".indexOf"; pcre:"/^\s*?\x28\s*?[a-z0-9]{4,6}\s*?\x28\s*?[a-z0-9]{1,3}\s*?,\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x29\s*?\x3b\s*?(?P<var>[a-z0-9]{1,3})\s*?\x3d\s*?\x28\s*?(?P=var)\s*?\x2b\s*?[a-z0-9]{1,3}\s*?\x29\s*?\x25\s*?[a-z0-9]{1,3}\.length\x3b/R"; classtype:trojan-activity; sid:2019655; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashhigh.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashhigh\.swf$/U"; classtype:trojan-activity; sid:2019656; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"flashlow.swf"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?flashlow\.swf$/U"; classtype:trojan-activity; sid:2019657; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Exploit SilverLight URI Struct"; flow:established,to_server; content:"silverapp1.xap"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?silverapp1\.xap$/U"; classtype:trojan-activity; sid:2019658; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Exploit IE URI Struct"; flow:established,to_server; content:"iebasic.html"; http_uri; fast_pattern:only; pcre:"/^\/[^\x2f]*?iebasic\.html$/U"; classtype:trojan-activity; sid:2019659; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear SilverLight URI Struct (noalert)"; flow:established,to_server; content:"/14"; http_uri; fast_pattern:only; pcre:"/\/14\d{8}(?:\.xap)?$/U"; flowbits:set,et.Nuclear.SilverLight; flowbits:noalert; classtype:trojan-activity; sid:2019668; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.SilverLight; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2019669; rev:2;) + +alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET CURRENT_EVENTS Possible HanJuan EK Flash Payload DL"; flow:to_server,established; content:"/"; http_uri; content:".php"; http_uri; fast_pattern; within:11; pcre:"/\/[a-z]{3,7}\.php$/U"; content:!"User-Agent"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept"; http_header; content:"Cache-Control|3a|"; http_header; classtype:trojan-activity; sid:2019672; rev:2;) + +alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET CURRENT_EVENTS Possible HanJuan EK URI Struct Actor Specific"; flow:to_server,established; content:"?zho="; http_uri; fast_pattern:only; pcre:"/\/(?:[a-z0-9]{1,7}\.php)?\?zho=/U"; classtype:trojan-activity; sid:2019673; rev:2;) + +alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET CURRENT_EVENTS Possible HanJuan Flash Exploit"; flow:to_server,established; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]{3,7}\/)?[a-z]{3,7}\.swf$/U"; classtype:trojan-activity; sid:2019674; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible HanJuan EK Actor Specific Injected iframe"; flow:from_server,established; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; content:"|22 20 63 6c 61 73 73 3d 22 74 6f 6f 6c 74 69 70 22 20 74 69 74 6c 65 3d 22 22 3e|"; nocase; distance:0; content:"<iframe"; nocase; distance:0; content:" vspace="; nocase; content:"0"; within:3; content:" hspace="; content:"0"; within:3; content:" marginwidth="; content:"0"; within:3; content:"|3c 6c 69 20 63 6c 61 73 73 3d 22 69 73 2d 6e 65 77 22 3e|"; nocase; distance:0; classtype:trojan-activity; sid:2019675; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 07 2014"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:".dll"; http_header; fast_pattern:only; content:"Content-Disposition|3a|"; http_header; pcre:"/^Content-Disposition\x3a.+?filename\s*?=\s*?[\x22\x27]?\d\.dll/Hm"; classtype:trojan-activity; sid:2019676; rev:11;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Exploit Flash URI Struct"; flow:established,to_server; content:"prancerBlit15xa.swf"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019677; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil EK Redirector Cookie Nov 07 2014"; flow:established,from_server; content:"usid=sid|3a 7b 27|"; fast_pattern:only; reference:url,blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/; classtype:trojan-activity; sid:2019684; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Operation Huyao Landing Page Nov 07 2014"; flow:established,to_server; content:"/tslyphper"; fast_pattern:only; http_uri; pcre:"/\/tslyphper(?:[A-Za-z0-9+/-_]{4})*(?:[A-Za-z0-9+/-_]{2}==|[A-Za-z0-9+/-_]{3}=|[A-Za-z0-9+/-_]{4})\.html$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:trojan-activity; sid:2019681; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Operation Huyao Phishing Page Nov 07 2014"; flow:established,to_server; content:"/cart.php?site="; fast_pattern:only; http_uri; content:"&p="; http_uri; content:"&nm="; http_uri; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-phishing-technique-outfoxes-site-owners-operation-huyao/; classtype:trojan-activity; sid:2019682; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing URI Struct"; flow:established,to_server; urilen:15; content:"/abhgtnedg.html"; http_uri; classtype:trojan-activity; sid:2019685; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314 EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"embedSWF(|22|index.swf?action=swf|22|"; fast_pattern:11,20; content:"src=|22|index.js?action=swfobject|22|"; classtype:trojan-activity; sid:2019689; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing Nov 10 2014"; flow:established,to_client; file_data; content:"xmlhttp.open(|22|POST|22|, |22|/foo|22|, false)|3b|"; fast_pattern:16,20; content:"xmlhttp.send(sendstr)|3b|"; distance:0; classtype:trojan-activity; sid:2019690; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/bin.exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/bin\.exe$/U"; classtype:trojan-activity; sid:2019696; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014"; flow:established,to_server; content:"/get/get.php"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/get\/get\.php$/U"; classtype:trojan-activity; sid:2019697; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Zbot SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d1 9e 51 1d eb 97 c1 ea|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|08|Sometown"; distance:1; within:9; reference:md5,37f927437de627777c5b571fc46fb218; classtype:trojan-activity; sid:2019698; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a9 e0 8a 96 fb 4a 1b b6|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019699; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e6 65 21 19 a2 a2 9e 6e|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019700; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fa 3d b1 87 b3 12 ff 2f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019701; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 e4 e8 67 40 49 01 84 b1|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019702; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 11 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 9b c4 77 4f 2c d1 50 37|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; classtype:trojan-activity; sid:2019703; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 12 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b0 48 5c e9 94 c7 59 03|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,31536d977dfc0e158d8f7a365c0543ec; classtype:trojan-activity; sid:2019705; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile"; flow:established,to_server; content:"/"; http_uri; content:".exe"; distance:1; within:8; fast_pattern; http_uri; content:!"Referer|3a 20|"; nocase; http_header; content:!"download.bitdefender.com|0d 0a|"; http_header; content:!".appspot.com|0d 0a|"; http_header; nocase; pcre:"/\/[A-Z]?[a-z]{1,3}[0-9]?\.exe$/U"; content:!"kaspersky.com|0d 0a|"; http_header; content:!".sophosxl.net"; http_header; content:!"koggames"; http_header; classtype:bad-unknown; sid:2019714; rev:8;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Nov 17 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a6 9e 89 2a 06 f4 80 5f|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:md5,b7214b7ff246175e7b6bbe2db600f98e; classtype:trojan-activity; sid:2019719; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing Nov 17 2014"; flow:established,from_server; file_data; content:"flash_run2"; nocase; content:"silver_run"; nocase; content:"msie_run"; nocase; classtype:trojan-activity; sid:2019722; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing Nov 17 2014 M2"; flow:established,from_server; file_data; content:"|66 66 62 67 72 6e 74 68 35 77 65 28 61 29|"; classtype:trojan-activity; sid:2019723; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Flash Exploit URI Struct Nov 17 2014"; flow:established,to_server; content:"/5c5390116e606055c51b2c86340beb2bd1668f6e3bbf56240a01d43db5ac6b9d.swf"; http_uri; classtype:trojan-activity; sid:2019724; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Flash Exploit URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/6896a114d0047db5679d5da0be7eb87d77ef59ed49ef942e7b74f60fb3df2ce3.swf"; http_uri; classtype:trojan-activity; sid:2019725; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Archie EK Landing URI Struct 2 Nov 17 2014"; flow:established,to_server; content:"/9e675626486f3804603227533ab83b26f4a95a0c4f5eebbc00507558da27edc0.html"; http_uri; classtype:trojan-activity; sid:2019726; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NullHole EK Exploit URI Struct"; flow:established,to_server; urilen:>34; content:"/"; offset:33; depth:1; http_uri; content:"Cookie|3a 20|nhweb="; fast_pattern; pcre:"/^\/[a-f0-9]{32}\/(?=[a-z]*?[A-Z])(?=[A-Z]*?[a-z])[A-Za-z]+\.(?:html|jar|swf)$/U"; classtype:trojan-activity; sid:2019727; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Landing Nov 18 2014"; flow:established,from_server; file_data; content:"v|3a|stroke id=|27|beg|27|"; fast_pattern:only; content:"<h1>Forbidden</h1>"; classtype:trojan-activity; sid:2019742; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK PluginDetect Data Hash Nov 18 2014"; flow:to_server,established; content:".html?"; http_uri; fast_pattern:only; content:"-"; http_uri; pcre:"/\/[a-z]+?-[a-z]+?-[a-z]+?\.html\?[a-z]+\d*?=[a-f0-9]{32}$/U"; content:"GET "; pcre:"/^[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?[a-z]+?\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(?:\d{1,5})?\r\n/Rs"; classtype:trojan-activity; sid:2019743; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK JS HashLib Nov 18 2014"; flow:to_server,established; urilen:8; content:"/mdd5.js"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2019744; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Flash Exploit Nov 18 2014"; flow:to_server,established; content:"/Drop2"; http_uri; fast_pattern:only; pcre:"/^\/Drop2(?:-\d+)\.swf$/U"; classtype:trojan-activity; sid:2019745; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SweetOrange EK Landing Nov 19 2014"; flow:established,from_server; file_data; content:"|6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 76 61 72 70 72 6f 74 3d 5b|"; classtype:trojan-activity; sid:2019751; rev:6;) + +#alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$/U"; content:"WinHttp.WinHttpRequest"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2019752; rev:9;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible FlashPack (FlashOnly) Payload Struct Nov 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"/load.php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+\/load\.php$/U"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2019753; rev:2;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:trojan-activity; sid:2019761; rev:4;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Nov 20 2014"; flow:established,from_server; file_data; content:"swfobject.embedSWF"; fast_pattern; pcre:"/^\s*?\(\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:trojan-activity; sid:2019762; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Flash Exploit Nov 20 2014"; flow:established,to_server; content:"x-flash-version|3a|"; fast_pattern:only; http_header; pcre:"/^\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d+\/(?:[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,3}|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3})/Hm"; classtype:trojan-activity; sid:2019763; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.SWF; content:"Content-Disposition|3a|"; http_header; content:".swf"; http_header; content:"X-Powered-By|3a|"; http_header; pcre:"/^Content-Disposition\x3a[^\r\n]+\.swf/Hm"; content:"CWS"; classtype:trojan-activity; sid:2019765; rev:13;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; content:"/Main.swf"; http_uri; content:"/gate.php"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/gate.php\r$/Hm"; classtype:trojan-activity; sid:2019766; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 Landing Struct Nov 20 2014"; flow:established,to_server; urilen:70; content:".html"; http_uri; offset:65; depth:5; pcre:"/^\/[a-f0-9]{64}\.html$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:trojan-activity; sid:2019769; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 PD Struct Nov 20 2014"; flow:established,to_server; urilen:68; content:"|2f|"; http_uri; depth:1; content:".js"; http_uri; offset:65; depth:3; pcre:"/^\/[a-f0-9]{64}\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\x3a\d{1,5}\/[a-f0-9]{64}\.html\r$/Hm"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r?\n)/Hmi"; classtype:trojan-activity; sid:2019768; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 SWF Exploit Struct Nov 20 2014"; flow:established,to_server; urilen:69; content:".swf"; http_uri; offset:65; depth:4; pcre:"/^\/[a-f0-9]{64}\.swf$/U"; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a/Hmi"; classtype:trojan-activity; sid:2019770; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 1 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"Y2hydygwMSkmY2hydygyMTc2KSZjaHJ3KDAxKSZjaHJ3KDAwK"; reference:cve,2014-6332; classtype:attempted-user; sid:2019773; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 2 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"NocncoMDEpJmNocncoMjE3NikmY2hydygwMSkmY2hydygwMC"; reference:cve,2014-6332; classtype:attempted-user; sid:2019774; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK)"; flow:established,from_server; file_data; content:"jaHJ3KDAxKSZjaHJ3KDIxNzYpJmNocncoMDEpJmNocncoMDAp"; reference:cve,2014-6332; classtype:attempted-user; sid:2019775; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AOL PHISH PayPal - Creds Phished"; flow:established,to_server; content:"1="; http_client_body; content:"2="; http_client_body; content:"submit.x=Login"; http_client_body; classtype:bad-unknown; sid:2019781; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AOL PHISH PayPal - Name Address Phished"; flow:established,to_server; content:"_fn="; http_client_body; content:"_ln="; http_client_body; content:"_birthd="; http_client_body; fast_pattern:only; classtype:bad-unknown; sid:2019782; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AOL PHISH PayPal - Credit Card and SSN Phished"; flow:established,to_server; content:"_fulln="; http_client_body; fast_pattern:only; content:"_ccn="; http_client_body; content:"_ccv="; http_client_body; classtype:bad-unknown; sid:2019783; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AOL PHISH PayPal - Bank Account Phished"; flow:established,to_server; content:"_bkid="; http_client_body; content:"_bkpass="; http_client_body; fast_pattern:only; content:"_accn="; http_client_body; classtype:bad-unknown; sid:2019784; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PHISH PayPal - Landing Page"; flow:established,to_client; file_data; content:"<title>Login - PayPal</title>"; classtype:bad-unknown; sid:2019785; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct URLENCODE"; flow:established,from_server; file_data; content:"%63%68%72%77%28%30%31%29%26%63%68%72%77%28%32%31%37%36%29%26%63%68%72%77%28%30%31%29%26%63%68%72%77%28%30%30%29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019792; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEX"; flow:established,from_server; file_data; content:"63687277283031292663687277283231373629266368727728303129266368727728303029"; reference:cve,2014-6332; classtype:attempted-user; sid:2019793; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEXC"; flow:established,from_server; file_data; content:"63,68,72,77,28,30,31,29,26,63,68,72,77,28,32,31,37,36,29,26,63,68,72,77,28,30,31,29,26,63,68,72,77,28,30,30,29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019794; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct HEXCS"; flow:established,from_server; file_data; content:"63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 32, 31, 37, 36, 29, 26, 63, 68, 72, 77, 28, 30, 31, 29, 26, 63, 68, 72, 77, 28, 30, 30, 29"; reference:cve,2014-6332; classtype:attempted-user; sid:2019795; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct DECC"; flow:established,from_server; file_data; content:"99,104,114,119,40,48,49,41,38,99,104,114,119,40,50,49,55,54,41,38,99,104,114,119,40,48,49,41,38,99,104,114,119,40,48,48,41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019796; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct DECCS"; flow:established,from_server; file_data; content:"99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 50, 49, 55, 54, 41, 38, 99, 104, 114, 119, 40, 48, 49, 41, 38, 99, 104, 114, 119, 40, 48, 48, 41"; reference:cve,2014-6332; classtype:attempted-user; sid:2019797; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Iframe Leading to EK"; flow:established,from_server; file_data; content:"document.write((|22|<iframe src=|27|http|3a|"; within:35; pcre:"/^[^\x27]+[\x27]\s*/R"; content:"width=12 height=12 frameborder=0 marginheight=0 marginwidth=0 scrolling=no></|22| + |22|iframe>|22|))|3b|"; fast_pattern:73,20; within:93; isdataat:!3,relative; classtype:trojan-activity; sid:2019798; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Exploit (IE)"; flow:established,to_server; urilen:31<>69; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/\??[a-f0-9]{32}(?:\/[a-f0-9]{32})?\/?$/U"; pcre:"/Host\x3a\x20(?:\.*[a-f0-9]\.*){32}\./Hm"; classtype:trojan-activity; sid:2019799; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Payload"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; fast_pattern; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:trojan-activity; sid:2019800; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Internet Explorer CVE-2014-6332 Common Construct (Reversed)"; flow:established,from_server; file_data; content:"(wrhc&)6712(wrhc&)10"; reference:cve,2014-6332; classtype:attempted-user; sid:2019806; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing Page Nov 25 2014"; flow:established,from_server; file_data; content:"function ckl|28|"; content:"return bmw|3b|"; distance:0; classtype:trojan-activity; sid:2019807; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WinHttpRequest Downloading EXE"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019822; rev:7;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS WinHttpRequest Downloading EXE Non-Port 80 (Likely Exploit Kit)"; flow:established,from_server; flowbits:isset,et.WinHttpRequest; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2019823; rev:7;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct"; flow:established,to_server; urilen:>32; content:"/AwoVG"; http_uri; fast_pattern; depth:6; pcre:"/^\/AwoVG[A-Za-z0-9_]+$/U"; content:".html|0d 0a|"; http_header; flowbits:set,et.Nuclear.Exploit; flowbits:noalert; classtype:trojan-activity; sid:2019844; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2019845; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2019846; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload (flowbits set)"; flow:established,to_server; urilen:>32; content:"/ABs"; http_uri; fast_pattern; depth:4; pcre:"/^\/ABs[A-Za-z0-9_]+(?:\/x?[a-f0-9]+(?:\x3b\d+)+)?$/U"; content:!"Referer"; http_header; flowbits:set,et.Nuclear.Payload; flowbits:noalert; classtype:trojan-activity; sid:2019872; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Payload"; flow:established,from_server; flowbits:isset,et.Nuclear.Payload; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/filename=[a-z0-9]*\r\n/H"; classtype:trojan-activity; sid:2019873; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Dec 03 2014"; flow:established,from_server; file_data; content:"=|22|replace|22 3b 27 29 3b|"; content:"|7b 41 3d 5b 5b 61 5d 2c 5b 65 76 61 6c 5d 5d 3b 7d 41 5b 31 5d 5b 30 5d 28 41 5b 30 5d 5b 30 5d 29 3b|"; classtype:trojan-activity; sid:2019874; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Dec 4 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 b8 24 bd ca a0 48 b4 10|"; within:35; fast_pattern; content:"|55 04 03|"; distance:0; content:"|08|thfgtjyj"; distance:1; within:9; classtype:trojan-activity; sid:2019875; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Dec 5 2014"; flow:established,to_server; content:"GET"; http_method; urilen:13; content:"/stat/lld.php"; http_uri; fast_pattern:only; content:!"Referer|3A|"; http_header; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2019877; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Iframe Leading to EK Dec 08 2014"; flow:established,from_server; file_data; content:"document.write(|22|<iframe name=|27|"; within:30; pcre:"/^[A-Za-z0-9]+\x27\s*?src=\x27http\x3a[^\x27]+[\x27]\s*width=1\d\s+height=1\d\s+/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no"; content:"</|22| + |22|iframe>|22|)|3b|"; fast_pattern; isdataat:!3,relative; classtype:trojan-activity; sid:2019892; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (1)"; flow:established,to_client; file_data; content:"|0e c7 9d 28 8c cb ae 85|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019893; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Probable malicious download from e-mail link /1.php"; flow:established,to_server; content:"GET"; http_method; content:"/1.php?r"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; pcre:"/\/1\.php\?r$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2019894; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect Leading to EK Dec 08 2014"; flow:established,from_server; content:"Content-Type|3a 20 0d 0a|"; http_header; fast_pattern:only; pcre:"/^Last-Modified\x3a\x20[^A-Za-z]{2}/Hm"; file_data; content:"<meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; classtype:trojan-activity; sid:2019895; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS QNAP Shellshock CVE-2014-6271"; flow:established,to_server; content:"authLogin.cgi"; http_uri; content:"|28 29 20 7b|"; http_header; fast_pattern:only; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern:only; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Gootkit SSL Cert Dec 10 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 d2 a9 3c 29 28 ec b0 b1|"; distance:0; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0e|My Company Ltd"; distance:1; within:15; reference:md5,c05453a18b6dc45bc258a377d2161b1c; classtype:trojan-activity; sid:2019907; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Flash Redirector to Job314/Neutrino Reboot EK"; flow:established,to_server; content:"POST"; http_method; content:".php?item="; http_uri; content:"&sort="; http_uri; content:".swf?item="; http_header; fast_pattern:only; content:"photo="; http_client_body; depth:6; classtype:trojan-activity; sid:2019908; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan Landing Dec 10 2014"; flow:established,from_server; file_data; content:"|27|.replace(/["; pcre:"/^[A-Za-z]{10,}/R"; content:"]/g,|27 27|).substr|28|"; fast_pattern; content:"document.write("; content:"d"; content:!"27cdb6e-ae6d-11cf-96b8-444553540000"; within:35; pcre:"/^[^\x27]*?2[^\x27]*?7[^\x27]*?c[^\x27]*?d[^\x27]*?b[^\x27]*?6[^\x27]*?e[^\x27]*?-[^\x27]*?a[^\x27]*?e[^\x27]*?6[^\x27]*?d[^\x27]*?-[^\x27]*?1[^\x27]*?1[^\x27]*?c[^\x27]*?f[^\x27]*?-[^\x27]*?9[^\x27]*?6[^\x27]*?b[^\x27]*?8[^\x27]*?-[^\x27]*?4[^\x27]*?4[^\x27]*?4[^\x27]*?5[^\x27]*?5[^\x27]*?3[^\x27]*?5[^\x27]*?4[^\x27]*?0[^\x27]*?0[^\x27]*?0[^\x27]*?0/Rsi"; classtype:trojan-activity; sid:2019916; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK SilverLight Exploit"; flow:established,from_server; flowbits:isset,et.Nuclear.Exploit; content:"Content-Disposition|3a 20|inline|3b 20|filename="; http_header; pcre:"/^[a-z0-9]*\r\n/HR"; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2019917; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JS Leading to Fiesta EK"; flow:established,from_server; file_data; content:"xapLoad"; fast_pattern; content:"swfLoad"; content:"xapURL"; content:"swfURL"; content:"errURL"; content:"var id"; classtype:trojan-activity; sid:2019920; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Spy.Zbot.ACB SSL Cert Dec 15 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 fe 69 db 33 70 71 2c 70|"; distance:0; fast_pattern; content:"|55 04 06|"; distance:0; content:"|02|XX"; distance:1; within:3; content:"|55 04 07|"; distance:0; content:"|0c|Default City"; distance:1; within:13; content:"|55 04 0a|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,d271218da70d0bceb69c477e7d13dcc8; classtype:trojan-activity; sid:2019936; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:3;) + +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query SoakSoak Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|soaksoak|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019940; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Referer Bulk Traffic Sometimes Leading to EKs (Possible Bedep infection) Dec 16 2014"; flow:established,to_server; content:"rowedmedia.com/search.php"; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+?rowedmedia\.com\/search\.php\r?$/Hmi"; threshold: type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2019950; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Redirector Dec 16 2014 set"; flow:established,to_server; content:"GET"; http_method; urilen:27; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]{10}\/[a-z]{10}\.html$/U"; flowbits:set,Upatre.Redirector; flowbits:noalert; classtype:trojan-activity; sid:2019953; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre Redirector Dec 16 2014"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:isset,Upatre.Redirector; classtype:trojan-activity; sid:2019954; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Zbot SSL Cert Dec 16 2014"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 cc c9 0f 16 44 47 71 3d|"; within:35; fast_pattern; content:"|55 04 0A|"; distance:0; content:"|13|Default Company Ltd"; distance:1; within:20; reference:md5,417a42f5e244ce2f340f16fa2fed0412; classtype:trojan-activity; sid:2019955; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Flash Redirector to RIG EK Dec 17 2014"; flow:established,to_server; content:"GET"; http_method; content:".swf?myid="; http_uri; fast_pattern:only; pcre:"/\.swf\?myid=[a-zA-Z0-9]+$/U"; classtype:trojan-activity; sid:2019967; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (2)"; flow:established,to_client; file_data; content:"|69 b8 3c 09 08 6c b1 4c|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019968; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (3)"; flow:established,to_client; file_data; content:"|28 46 c5 83 df ef a3 2a|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019969; rev:2;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre Download Redirection Dec 18 2014"; flow:established,from_server; file_data; content:"<br><meta http-equiv=|22|refresh|22| content=|22|0|3b| url="; pcre:"/^[^\x2f\x22]+?\x22>/R"; classtype:trojan-activity; sid:2019970; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Archie EK T2 Activity Dec 18 2014"; flow:established,to_server; content:"/landing?action="; http_uri; fast_pattern:only; pcre:"/^Host\x3a\s*?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a|\r\n)/Hmi"; classtype:trojan-activity; sid:2019973; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Distribution Campaign Dec 19 2014"; flow:established,to_server; content:"GET"; http_method; content:"stat/lldv"; http_uri; fast_pattern:only; content:".php"; offset:10; http_uri; pcre:"/\/s?stat\/lldvs?\.php$/U"; pcre:"/^Host\x3A[^\r\n]+?\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; reference:url,blog.dynamoo.com/2014/12/pl-remittance-details-ref844127rh.html; classtype:trojan-activity; sid:2019977; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014 Video"; flow:established,to_server; content:"/video.php?id="; fast_pattern:only; http_uri; pcre:"/\/video.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2019989; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014 Player"; flow:established,to_server; content:"/player.php?pid="; fast_pattern:only; http_uri; pcre:"/\/player.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2019990; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 22 2014 Search"; flow:established,to_server; content:"/search.php?pid="; fast_pattern:only; http_uri; pcre:"/\/search.php\?pid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2019991; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (4)"; flow:established,to_client; file_data; content:"|41 ad 58 53 4c 7f 25 9e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019992; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (5)"; flow:established,to_client; file_data; content:"|b8 67 f0 44 43 1e fe 5b|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2019993; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 Arrays with Offset Dec 23"; flow:established,from_server; file_data; content:"For i=LBound("; pcre:"/^\s*?(?P<v1>[^\x29\s]+)\s*?\x29\s*?To Ubound\x28(?P=v1)\s*?\x29\s*?(?:dim\s*?)?(?P<v2>[^\s\x3d]+)\s*?\x3d\s*?(?P=v2)\+Cstr\x28\s*?Chr\x28(?P=v1)\x28i\x29[\+\-]\d+\x29\x29.+?Execute\s*?(?P=v2)/Rsi"; reference:md5,d2d3c212f430bff2b5f075fa083de047; reference:cve,2014-6332; classtype:trojan-activity; sid:2020067; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Dec 24 2014"; flow:established,from_server; content:"Expires|3a| Sat, 26 Jul"; http_header; content:"Last-Modified|3a| Sat, 26 Jul 2039 "; http_header; fast_pattern:12,20; classtype:trojan-activity; sid:2020068; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (6)"; flow:established,to_client; file_data; content:"|82 67 9f c3 f1 71 70 fc|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020071; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (7)"; flow:established,to_client; file_data; content:"|04 6e 76 82 2e 2c 2c 48|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020072; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern:only; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:trojan-activity; sid:2020082; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Cushion Redirection URI Struct Mon Jan 05 2015"; flow:established,to_server; urilen:13; content:"/get_gift.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2020091; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 06 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern:4,20; pcre:"/^(?=[A-Z0-9]*?[a-z])(?=[a-z0-9]*?[A-Z])[A-Za-z0-9]+\x2a\x2f[^\n]*?Function\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28\s*?(?P=var1)\s*[=!]{2}\s*?[\x27\x22][\x22\x27]\s*?\x29\s*?\{/Rs"; classtype:trojan-activity; sid:2020103; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MS Office Macro Dridex Download URI Jan 7 2015"; flow:to_server,established; content:"GET"; http_method; content:"/pops"; offset:1; fast_pattern; http_uri; content:".php"; within:5; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[^\x2f]+\/pops[a-z]?\.php$/U"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/; classtype:trojan-activity; sid:2020148; rev:4;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Redirector Jan 9 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?"; http_uri; fast_pattern; content:".js"; distance:30; http_uri; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/U"; content:".html"; http_header; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+\.html\r?$/RHmi"; flowbits:set,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020159; rev:6;) + +#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre IE Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|attachment|3b 20|"; http_header; content:".zip|20 3b 0d 0a|"; distance:0; http_header; content:"Content-Type|3a 20|$ctype|0d 0a|"; http_header; fast_pattern:2,20; file_data; content:"PK|03 04|"; within:4; classtype:trojan-activity; sid:2020160; rev:5;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre Firefox/Chrome Redirector Receiving Payload Jan 9 2015"; flow:established,from_server; file_data; content:"UEsDB"; content:"var"; pcre:"/^\s*?\w+\s*?=\s*?[\x22\x27]UEsDB/R"; flowbits:isset,ET.Upatre.Redirector; classtype:trojan-activity; sid:2020161; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 14 2014"; flow:established,from_server; file_data; content:"|3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 2f 2a|"; within:24; fast_pattern:4,20; content:"|24 2c|"; distance:0; pcre:"/^\s*?(?P<var1>[^\x29]+)\x29[^\n]*?=\s*?(?P=var1)\s*?\x7c{2}\s*?\d+?\s*?\x2c/R"; classtype:trojan-activity; sid:2020180; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (8)"; flow:established,to_client; file_data; content:"|31 90 49 ae c8 2b 73 75|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020204; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 19 2014"; flow:established,from_server; file_data; content:"|73 74 61 72 74 7C 7C 30|"; nocase; fast_pattern:only; content:"|24 2c|"; pcre:"/^\s*?\x73\x74\x61\x72\x74\s*?\x29\s*?\x7b\s*?for\s*?\x28\s*?var\s+?[^\s]+?\s*?=\s*?\x73\x74\x61\x72\x74\x7C\x7C\x30\s*\x2c/Rsi"; content:"|22 6c|"; distance:0; pcre:"/^[^a-z]?\x65[^a-z]?\x6e[^a-z]?\x67[^a-z]?\x74[^a-z]?\x68/Ri"; classtype:trojan-activity; sid:2020207; rev:3;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Redirector IE Requesting Payload Jan 19 2015"; flow:established,to_server; content:"GET"; http_method; content:".js?get_message"; http_uri; fast_pattern:only; pcre:"/\d\.js\?get_message(?:=-?\d+?)?$/U"; content:"Referer|3a|"; http_header; pcre:"/^[^\r\n]+?\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020212; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Phishing Attempt Jan 20 2015"; flow:established,to_server; content:"POST"; http_method; urilen:20; content:"/js/moontools-1.7.js"; http_uri; fast_pattern:only; content:"username="; depth:9; http_client_body; content:"&password="; distance:0; http_client_body; classtype:trojan-activity; sid:2020224; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (9)"; flow:established,to_client; file_data; content:"|0b c7 6a 1e 7c c2 43 ea|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020225; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Angler EK Flash Exploit URI Structure Jan 21 2015"; flow:established,to_server; urilen:>48; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^\/(?:[A-Za-z0-9-_]{4}){11,}(?:[A-Za-z0-9-_]{2}==|[A-Za-z0-9-_]{3}=)?$/U"; pcre:"/^Referer\x3a[^\r\n]+\/(?:[a-z0-9]+\.php|\d+)\r$/Hm"; classtype:trojan-activity; sid:2020234; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Jan 21 2014"; flow:established,from_server; file_data; content:"|3d 20 20 20 20 20 20 20 20 20 20|"; fast_pattern:only; content:".replace|28|"; content:"<script>"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; content:"|3d 20 20 20 20 20 20|"; distance:0; pcre:"/^\s*?[\x22\x27](?P<char>[^\x22\x27]+)[\x22\x27]\.replace\x28\s*?[\x22\x27](?P=char)[\x22\x27]\s*?,/R"; classtype:trojan-activity; sid:2020236; rev:2;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 a3 c1 47 06 dd 12 ae 21|"; within:35; fast_pattern; content:"|55 04 07|"; distance:0; content:"|0f|Dniepropetrovsk"; distance:1; within:16; classtype:trojan-activity; sid:2020288; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 87 8f 35 b4 aa 08 d1|"; within:35; fast_pattern; content:"|55 04 07|"; content:"|06|Taipei"; distance:1; within:7; classtype:trojan-activity; sid:2020289; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre or Dyre SSL Cert Jan 22 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02 43 4e|"; distance:0; content:"|06 03 55 04 08 0c 02|ST"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}(?P<var>[a-zA-Z0-9]{24}[01]).+?\x55\x04\x07.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2020290; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sweet Orange redirection Jan 22 2015"; flow:established,from_server; file_data; content:"var theme_customize"; within:19; pcre:"/^\s*?=\s*?[\x22\x27](?!687474703a2f)[^\x22\x27]{0,10}6[^\x22\x27]{0,10}8[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}4[^\x22\x27]{0,10}7[^\x22\x27]{0,10}0[^\x22\x27]{0,10}3[^\x22\x27]{0,10}a[^\x22\x27]{0,10}2[^\x22\x27]{0,10}f/Ri"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020291; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Exploit Struct Jan 23 2015"; flow:established,to_server; urilen:50<>151; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; pcre:"/^\/[A-Z](?=[A-Za-z]{0,148}\d)[A-Za-z0-9]{49,148}$/U"; content:".htm"; http_header; fast_pattern:only; content:"Referer|3a 20|"; http_header; pcre:"/^http\x3a\/\/[^\x2f]+\/[A-Z](?=[a-z0-9]+[A-Z])(?=[A-Z0-9]+[a-z])[A-Za-z0-9]{9,}\.html?\r?$/RHmi"; classtype:trojan-activity; sid:2020300; rev:11;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Redirector Jan 23 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/jquery-"; http_uri; fast_pattern:only; pcre:"/^\/js\/jquery-\d+\.\d{2}\.\d{2}\.js$/U"; content:"Referer|3a|"; pcre:"/^[^\r\n]+?\.html?\r?$/Rmi"; classtype:trojan-activity; sid:2020304; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2020311; rev:10;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"CWS"; within:3; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2020312; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SilverLight M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; content:"X-Powered-By|3a 20|"; http_header; content:"Server|3a 20|nginx"; http_header; file_data; content:"PK"; within:2; content:"AppManifest.xaml"; flowbits:set,et.Nuclear.Payload; classtype:trojan-activity; sid:2020317; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Jan 27 2015 M1"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:"|5b 2f 2a|"; fast_pattern; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f[a-zA-Z]{3,5}\W/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; content:"|2f 2a|"; distance:0; pcre:"/^[a-z]{7}(?:\s*?[a-z]+\s*?)*?[a-z]{7,}\x2a\x2f/Rs"; classtype:trojan-activity; sid:2020318; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Jan 27 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; distance:15; within:16; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22|>"; within:23; pcre:"/^[a-zA-Z0-9]{9}<\/[^>]+>\s+?<[^\s]+\sid=\x22[a-zA-Z]{3,5}\x22\sstyle=\x22display\x3anone\x22>[A-Za-z0-9]{500}/Rs"; classtype:trojan-activity; sid:2020319; rev:3;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/[a-z]+\.(?![Ss][Ww][Ff])[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+\x3d(?:[a-z]+|[0-9]+)[\x22\x27]/Rs"; classtype:trojan-activity; sid:2020320; rev:5;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Jan 27 2015"; flow:established,from_server; file_data; content:"name=|22|movie|22|"; fast_pattern; pcre:"/^\s*?value\s*?=\s*?[\x22\x27]\/(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?[\x22\x27]/Rs"; classtype:trojan-activity; sid:2020321; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Campaign Download Jan 28 2015"; flow:established,to_server; content:"GET"; http_method; content:"/js/bin.exe?="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\/js\/bin\.exe\?=\d+$/U"; classtype:trojan-activity; sid:2020328; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Dropbox - Landing Page - Title over non SSL"; flow:established,to_client; file_data; content:"<title>Dropbox - Sign in</title>"; classtype:bad-unknown; sid:2020332; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Feb 01 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|display|3a|none|22| title="; within:29; fast_pattern:9,20; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:trojan-activity; sid:2020342; rev:4;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Possible Dridex e-mail inbound"; flow:established,to_server; content:"<no-replay"; fast_pattern:only; content:"User-Agent|3a 20|Roundcube"; classtype:bad-unknown; sid:2020351; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"X-Powered-By|3a|"; http_header; file_data; content:" id=|22|"; pcre:"/^[A-Za-z]{3,5}/R"; content:"|22| style=|22|visibility|3a|hidden|22| title="; within:34; fast_pattern:14,20; pcre:"/^\s*?\x22[a-zA-Z0-9]{7}l[a-zA-Z0-9]\x22\s*?>(?:(?!<\/).){500}/Rs"; classtype:trojan-activity; sid:2020352; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Feb 04 2015"; flow:established,from_server; content:"26 Jul 2039"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2039/H"; classtype:trojan-activity; sid:2020355; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Feb 04 2015 M2"; flow:established,from_server; content:"26 Jul 2040"; http_header; fast_pattern:only; content:"Expires|3a| Sat, 26 Jul"; http_header; pcre:"/Last-Modified\x3a\x20[A-Z][a-z]+, 26 Jul 2040/H"; classtype:trojan-activity; sid:2020356; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK Landing Feb 03 2015 M2"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"</script></head>|0d 0a|<body>"; fast_pattern:2,20; content:" id="; pcre:"/^\s*?[\x22\x27][A-Za-z]{3,10}[\x22\x27]/R"; content:" title="; content:!"<"; within:100; pcre:"/^\s*?[\x22\x27](?=[A-Z]{0,19}[a-z]{1,19}[A-Z])[a-zA-Z]{14,20}[\x22\x27][^<>]*?>(?=[A-Za-z]{0,99}\d)[A-Za-z0-9\x20]{100}/R"; classtype:trojan-activity; sid:2020354; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Elinor"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:trojan-activity; sid:2020365; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Angler EK Landing Primer Feb 04 2014 (noalert)"; flow:established,from_server; file_data; content:"Dashwood"; pcre:"/^\W/R"; flowbits:set,ET.Angler.Primer; flowbits:noalert; classtype:trojan-activity; sid:2020366; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Angler EK Landing Feb 04 2014 T1"; flow:established,from_server; flowbits:isset,ET.Angler.Primer; file_data; content:"|76 61 72 20 6b 3d 30 3b 20 6b 3c 31 3b 6b 2b 2b 29 7b 3b 7d 7d|"; classtype:trojan-activity; sid:2020367; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (11)"; flow:established,to_client; file_data; content:"|c1 e4 07 2f 13 ad 23 2e|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020387; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Nov 20 2014"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]+\.[a-z]+\d?\?(?:[a-z]+\x3d(?:[a-z]+|[0-9]+)&){2,}[a-z]+=(?:[a-z]+|[0-9]+)|(?:[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f){3,}[a-z]+\x2f(?:[a-z]+|[0-9]+)\x2f?)$/U"; classtype:trojan-activity; sid:2020388; rev:8;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern:only; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:trojan-activity; sid:2020392; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u001"; fast_pattern; pcre:"/^[a-f0-9]/Ri"; content:"javascript|3a|"; nocase; within:11; reference:url,1337day.com/exploit/22581; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020397; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android CVE-2014-6041"; flow:from_server,established; file_data; content:"|5c|u0020javascript|3a|"; nocase; fast_pattern:only; reference:url,1337day.com/exploit/22581; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/same-origin-policy-bypass-vulnerability-has-wider-reach-than-thought/; classtype:attempted-user; sid:2020398; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing Page M2"; flow:from_server,established; file_data; content:"deconcept.SWFObjectUtil.getPlayerVersion"; fast_pattern; content:"navigator.userAgent.toLowerCase()|3b|"; content:"if|28|document.cookie"; content:"var "; pcre:"/^(?P<vname>[A-Za-z0-9]+)\s*?=\s*?navigator.userAgent.toLowerCase\x28\x29\x3b.+?if\(document.cookie[^\r\n]+\([^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]b[\x22\x27+\s]*o[\x22\x27+\s]*t[\x22\x27+\s]*[\x22\x27][^\r\n]+(?P=vname)[\x2e\x5b\x22\x27+\s]+i[\x22\x27+\s]*n[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*x[\x22\x27+\s]*O[\x22\x27+\s]*f[\x22\x27+\s]*\x5d?\(\s*?[\x22\x27]s[\x22\x27+\s]*p[\x22\x27+\s]*i[\x22\x27+\s]*d[\x22\x27+\s]*e[\x22\x27+\s]*r[\x22\x27+\s]*[\x22\x27]/Rs"; classtype:trojan-activity; sid:2020407; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 11 2015 Banner"; flow:established,to_server; content:"/banner.php?sid="; fast_pattern:only; http_uri; pcre:"/\/banner.php\?sid=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2020408; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 11 2015 Blog"; flow:established,to_server; content:"/blog.php?id="; fast_pattern:only; http_uri; pcre:"/\/blog.php\?id=(?=[0-9]*?[A-F])[A-F0-9]{10,}$/U"; classtype:trojan-activity; sid:2020409; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Upatre Common URI Struct Feb 12 2015"; flow:established,to_server; content:"GET"; http_method; content:"/0/"; http_uri; fast_pattern:only; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(?:5[12]|6[0-3])\/0\/[A-Z]*$/U"; pcre:"/^Host\x3a[^\r\n]+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:trojan-activity; sid:2020419; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1"; flow:established,from_server; file_data; content:"lRXdjVGeFxGblh2U"; classtype:trojan-activity; sid:2020423; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1"; flow:established,from_server; file_data; content:"Z0V3YlhXRsxWZoN"; classtype:trojan-activity; sid:2020424; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 3 M1"; flow:established,from_server; file_data; content:"Gd1NWZ4VEbsVGaT"; classtype:trojan-activity; sid:2020425; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Double-Encoded Reverse Base64/Dean Edwards Packed JavaScript Observed in Unknown EK Feb 16 2015 b64 1 M2"; flow:established,from_server; file_data; content:"CZsUGLrxyYsEGLwhibvlGdj5WdmhCbhZXZ"; classtype:trojan-activity; sid:2020426; rev:3;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M2"; flow:established,from_server; file_data; content:"pQGLlxyasMGLhxCco42bpR3YuVnZowWY2V"; classtype:trojan-activity; sid:2020427; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 3 M2"; flow:established,from_server; file_data; content:"KkxSZssGLjxSYsAHKu9Wa0Nmb1ZGKsFmdl"; classtype:trojan-activity; sid:2020428; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Uknown EK Java Exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"DFE42z.class"; classtype:trojan-activity; sid:2020429; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin EK Jar URI Struct"; flow:established,to_server; content:"Java/1."; http_user_agent; fast_pattern; content:".jar"; http_uri; pcre:"/(?:\/[A-Z][a-z][A-Z][a-z][A-Z][a-z]|(?:b(?:m(?:nw|wn)|n(?:mw|wm)|w(?:mn|nm))|m(?:b(?:nw|wn)|n(?:bw|wb)|w(?:bn|nb))|n(?:b(?:mw|wm)|m(?:bw|wb)|w(?:bm|mb))|w(?:b(?:mn|nm)|m(?:bn|nb)|n(?:bm|mb))))\.jar$/U"; classtype:trojan-activity; sid:2020476; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; content:"cck_lasttime="; http_cookie; content:"cck_count="; http_cookie; classtype:trojan-activity; sid:2020477; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin EK Possible Jar Download"; flow:established,to_server; content:"Java/1."; http_user_agent; content:"=Yes"; http_cookie; pcre:"/nb[\d+]=Yes/C"; classtype:trojan-activity; sid:2020478; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC CollectGarbage in Hex String No Seps"; flow:to_client,established; file_data; content:"436f6c6c6563744761726261676528"; nocase; classtype:trojan-activity; sid:2020481; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in Hex No Seps"; flow:to_client,established; file_data; content:"5368656c6c45786563757465"; nocase; classtype:trojan-activity; sid:2020482; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY GENERIC ShellExecute in URLENCODE"; flow:to_client,established; file_data; content:"%53%68%65%6c%6c%45%78%65%63%75%74%65"; nocase; classtype:trojan-activity; sid:2020483; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Comment in Body"; flow:to_client,established; file_data; content:"|3c 21 2d 2d 20 30 39 38 30 32 33 37 36 34 32 20 2d 2d 3e|"; classtype:trojan-activity; sid:2020484; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page M2"; flow:established,from_server; file_data; content:"function llll|28|"; content:"return bmw|3b|"; distance:0; classtype:trojan-activity; sid:2020494; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M3"; flow:established,from_server; file_data; content:"|2a|0xffffffff|2a|"; content:"|2a|str2long|2a|"; content:"|2a|long2str|2a|"; classtype:trojan-activity; sid:2020495; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Post-infection HTTP Request Feb 20 2015"; flow:established,to_server; urilen:13; content:"GET"; http_method; content:"?"; http_uri; content:"HTTP/1.1|0d 0a|Connection|3a 20|Keep-Alive|0d 0a|"; fast_pattern:2,20; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/[a-z]{3}\?[A-F0-9]{8}$/U"; classtype:trojan-activity; sid:2020496; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible Unknown EK HFS CVE-2014-6332"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; fast_pattern; file_data; content:"Wscript.Shell"; content:"Microsoft.XMLHTTP"; content:"ADODB.Stream"; content:"cmd.exe"; classtype:trojan-activity; sid:2020498; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)"; flow:established,from_server; flowbits:isset,exe.no.referer; content:"Server|3a 20|HFS"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2020500; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown EK Landing"; flow:established,from_server; content:"|64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 6c 65 6e 67 74 68 3e 30 29 7b|"; content:"|3d 22 31 22 2b 22 31 22 3b 64 65 6c 65 74 65|"; distance:0; content:"|2b 3d 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22 2b 22 30 22|"; distance:0; classtype:trojan-activity; sid:2020501; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes PDF"; flow:established,from_server; file_data; content:"plugin_pdf_ie()"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework-whos-affected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020558; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole iframe"; flow:established,from_server; file_data; content:".item(0).appendChild(iframe_tag)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020559; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes ActiveX Call"; flow:established,from_server; file_data; content:"var version|3b|var ax|3b|var e|3b|try{axo=new ActiveXObject"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020560; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole Content form tag appended to head"; flow:established,from_server; file_data; content:"document.getElementsByTagName('head').item(0).appendChild(form_tag)|3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020561; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - ScanBox Watering Hole function return value"; flow:established,from_server; file_data; content:"return ((!a) ? 'x-'|3a| a) + Math.floor(Math.random() * 99999|29 3b|"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020562; rev:5;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY [PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Deobfuscation function"; flow:established,from_server; file_data; content:"Chr(CInt(ns(i)) Xor n)"; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected-and-whos-using-it-1.html; classtype:trojan-activity; sid:2020563; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern:only; pcre:"/\/main\.html$/U"; content:"/connector.html|0d 0a|"; http_header; classtype:trojan-activity; sid:2020570; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS INFO .exe download with no referer (noalert)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; flowbits:set,exe.no.referer; flowbits:noalert; classtype:bad-unknown; sid:2020573; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Sweet Orange EK Flash Exploit IE March 03 2015"; flow:established,to_server; urilen:>12; content:!".swf"; nocase; http_uri; content:"x-flash-version|3a|"; http_header; fast_pattern; content:".php?"; http_header; pcre:"/\/(?=[a-z0-9]{0,20}[A-Z])(?=[A-Z0-9]{0,20}[a-z])(?=[A-Za-z]{0,20}[0-9])[A-Za-z0-9]{12,20}$/U"; pcre:"/^Referer\x3a[^\r\n]+?\x3a\d+[^\r\n]*?\/[a-z0-9]+\.php\?[a-z0-9]+=\d+(?:\r\n|&)/Hm"; classtype:trojan-activity; sid:2020584; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING! Your PC may not be protected!"; content:"remove malicious malware and adware"; distance:0; classtype:trojan-activity; sid:2020588; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Scam - FakeAV Alert Landing March 2 2015"; flow:established,from_server; file_data; content:"WARNING|3a| Your PC may have a serious virus!"; content:"assistance removing malicious viruses"; classtype:trojan-activity; sid:2020589; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (12)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020591; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (13)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020592; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (14)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020593; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (15)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020594; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (16)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020595; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (17)"; flow:established,to_client; file_data; content:"|71 37 53 d7 19 3c 44 ac|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020596; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (18)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020597; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (19)"; flow:established,to_client; file_data; content:"|ff be d1 79 e8 64 54 d1|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020598; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (20)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020599; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (21)"; flow:established,to_client; file_data; content:"|64 4e 63 0d 03 30 d6 a5|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020600; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowBase64.atob Function In Edwards Packed JavaScript - Possible iFrame Injection Detected"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|atob|7C|"; nocase; content:"|7C|iframe|7C|"; nocase; fast_pattern:only; reference:url,blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/; classtype:bad-unknown; sid:2020605; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS rechnung zip file download"; flow:established,to_server; content:"GET"; http_method; content:"rechnung"; fast_pattern; http_uri; nocase; content:"|2e|zip"; nocase; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; pcre:"/\.zip$/Ui"; classtype:trojan-activity; sid:2020622; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Tsukuba Banker Edwards Packed proxy.pac"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|FindProxyForURL|7C|"; nocase; content:"|7c|proxy|7c|"; nocase; content:"|7c|credicard|7c|"; nocase; reference:url,securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters; classtype:trojan-activity; sid:2020623; rev:3;) + +#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre SSL Cert www.eshaalfoundation.org"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 c2 06 49 5e 75 fb 3f 44|"; within:35; fast_pattern; content:"|55 04 03|"; content:"|18|www.eshaalfoundation.org"; distance:1; within:25; reference:md5,e36073ba13e2df22348cd624ab0a9fbc; classtype:trojan-activity; sid:2020624; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing URI Struct March 6 2015"; flow:established,to_server; urilen:>40; content:"GET"; http_method; content:"/tdstest/"; http_uri; fast_pattern:only; pcre:"/^\/tdstest\/[a-f0-9]{32,}\/?$/U"; classtype:trojan-activity; sid:2020626; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct M1 Feb 06 2015"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern:only; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{44,54}&rnd=[0-9]{3,7}$/U"; classtype:trojan-activity; sid:2020643; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct M2 Feb 06 2015"; flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern:only; content:"&id="; http_uri; pcre:"/\.php\?rnd=[0-9]{3,7}&id=[0-9A-F]{44,54}$/U"; classtype:trojan-activity; sid:2020644; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 16 2015"; flow:established,to_server; urilen:51<>61; content:"/a"; http_uri; depth:2; pcre:"/^\/a[a-z]{9,}\/[a-f0-9]{40}$/U"; pcre:"/^GET \/(?P<name>a[a-z]{9,})\/.+?\r\nHost\x3a\x20(?P=name)\./sm"; classtype:trojan-activity; sid:2020698; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Windows Security Warning - Alert"; flow:established,to_client; file_data; content:"<title>WARNING - SECURITY ALERT</title>"; classtype:trojan-activity; sid:2020710; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Windows Security Warning - png"; flow:established,to_server; content:"gp-warning-img.png"; http_uri; classtype:trojan-activity; sid:2020711; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"4c2H"; nocase; http_uri; pcre:"/\/\??4c2H(?:$|[&?]utm_source=)/U"; classtype:trojan-activity; sid:2020715; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!"<body>"; content:!"<html>"; content:"<script>"; depth:8; pcre:"/^\s*[a-z]+\s*?=\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr\(\s*?\d+\s*?,\s*?\d+\s*?\)\s*?\x3b\s*?[a-z]+\s*?=\s*?(?P<q2>[\x22\x27])(?:(?!(?P=q2)).)+?(?P=q2)\.replace\(\/\[[A-Za-z]{10,}\]\/g,\x27\x27\)\.substr/Rs"; content:"]/g,|27 27|).substr|28|"; fast_pattern:only; classtype:trojan-activity; sid:2020719; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG Payload URI Struct March 20 2015"; flow:established,to_server; urilen:>220; content:"/index.php?"; http_uri; depth:11; content:"=l3S"; fast_pattern; http_uri; offset:26; depth:4; content:!"Referer|3a|"; http_header; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; classtype:trojan-activity; sid:2020720; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG Exploit URI Struct March 20 2015"; flow:established,to_server; urilen:>220; content:"/index.php?"; http_uri; depth:11; content:"=l3S"; fast_pattern; http_uri; offset:26; depth:4; content:"/?"; http_header; content:"=l3S"; http_header; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2020721; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG Landing URI Struct March 20 2015"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"=l3S"; http_uri; fast_pattern; offset:17; depth:4; pcre:"/^\/\?[A-Za-z0-9_-]{15}=l3S/U"; classtype:trojan-activity; sid:2020722; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing March 20 2015"; flow:established,from_server; file_data; content:"function iu7("; content:"ji2"; within:100; pcre:"/^\W/R"; content:"hu2"; pcre:"/^\W/R"; classtype:trojan-activity; sid:2020725; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing March 20 2015 M2"; flow:established,from_server; file_data; content:"|22 29 3b 2f 2a|"; pcre:"/^[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P<arg>[a-z0-9]{3,})(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28[^\x29]+\x29\x3b\x2f\x2a[^\x2a]+\x2a\x2f(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?(?P=arg)(?:\x2f\x2a[^\x2a]+\x2a\x2f)*?\x28/R"; classtype:trojan-activity; sid:2020726; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (22)"; flow:established,to_client; file_data; content:"|c5 91 b0 40 ed d9 90 e2|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2020730; rev:3;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unauthorized SSL Cert for Google Domains"; flow:established,from_server; content:"|55 04 0a|"; content:"|0a|MCSHOLDING"; distance:1; within:11; reference:url,googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html; classtype:trojan-activity; sid:2020736; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Landing March 24 2015 M1"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|27 27|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:trojan-activity; sid:2020743; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Landing March 24 2015 M2"; flow:established,from_server; file_data; content:"document.createElement|28|"; pcre:"/^\s*?(?P<q1>[\x22\x27])(?:(?!(?P=q1)).)+?(?P=q1)\.replace\(\/\[[A-Za-z]{10,}\]/R"; content:"/g,|22 22|).substr|28|"; fast_pattern; within:14; pcre:"/^\s*?\d+,\s*?\d/R"; classtype:trojan-activity; sid:2020744; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent"; flow:established,to_server; content:"User-Agent|3A| KAII"; http_header; fast_pattern:only; reference:md5,cb2903c89d60947fa4badec41e065d71; classtype:trojan-activity; sid:2020758; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS GoogleFile - Creds Phished"; flow:established,to_server; content:"g2-choseyouremailprovider="; http_client_body; content:"g2-password="; http_client_body; classtype:bad-unknown; sid:2020803; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBA Office Document Dridex Binary Download User-Agent 2"; flow:established,to_server; content:"User-Agent|3A| MisterZALALU"; http_header; fast_pattern:4,20; reference:md5,2f53b7669482c2d9216a74050630fbb7; classtype:trojan-activity; sid:2020806; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBScript Driveby MAR 31 2015"; flow:established,to_server; content:"/content/dl.php?sl=vbs"; http_uri; fast_pattern:only; pcre:"/\/content\/dl\.php\?sl=vbs[a-z0-9]{32}$/U"; classtype:trojan-activity; sid:2020823; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBScript Driveby Related TDS MAR 31 2015"; flow:established,to_server; content:"/content/getvbslink.php?d="; http_uri; fast_pattern:only; pcre:"/\/content\/getvbslink\.php\?d=[a-z0-9]{32}$/U"; classtype:trojan-activity; sid:2020824; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<40; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"Mozilla/"; http_header; content:!"Referer|3A 20|"; http_header; content:!"Accept"; http_header; content:!"MstarUpdate"; http_header; content:"User-Agent|3a 20|"; depth:12; http_header; content:!".bitdefender.com|0d 0a|"; http_header; pcre:"/\/[a-z0-9]+\/[a-z0-9]+\.exe$/Ui"; pcre:"/^User-Agent\x3A\x20[a-z\x20]{2,30}\r\nHost\x3A[^\r\n]+\r\n(?:\r\n)?$/Hmi"; content:!".homestead.com|0d 0a|"; http_header; reference:md5,28208e19a528bfa95e5662e2d6f2e911; reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting; classtype:trojan-activity; sid:2020826; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 2 2015"; flow:established,to_server; content:"GET"; http_method; urilen:12; content:"/8u5_cb06/?"; depth:11; http_uri; classtype:trojan-activity; sid:2020832; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; content:"?id="; http_uri; content:"&act="; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/U"; flowbits:set,ETPRO.MalDocEXEPrimer; flowbits:noalert; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Doc Downloading EXE"; flow:established,from_server; flowbits:isset,ETPRO.MalDocEXEPrimer; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020838; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect Leading to EK Apr 03 2015"; flow:established,to_server; content:"/wordpress/?bf7N&utm_source="; http_uri; classtype:trojan-activity; sid:2020840; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"eval|3b|"; fast_pattern:only; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:trojan-activity; sid:2020841; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 03 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"return eval"; fast_pattern:only; content:"replace"; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:trojan-activity; sid:2020842; rev:2;) + +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS Possible Upatre DNS Query (jamco.com.pk)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|jamco|03|com|02|pk|00|"; fast_pattern:only; reference:md5,407cce4873bc8af9077dbb21a8762f37; classtype:bad-unknown; sid:2020846; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Form Data Theft April 06 2015"; flow:established,to_server; content:".php?type=form&site="; fast_pattern:only; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020847; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Cookie Data Theft April 06 2015"; flow:established,to_server; content:".php?type=cookie&site="; fast_pattern:only; http_uri; reference:url,ocelot.li/the-malware-campaign-that-went-unnoticed/; classtype:trojan-activity; sid:2020848; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015"; flow:established,from_server; file_data; content:"|69 66 28 75 72 6c 2e 69 6e 64 65 78 4f 66 28 27 3c 65 6f 70 6c 3e 27 29 3e 30 29 7b|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:trojan-activity; sid:2020854; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 08 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; file_data; content:"Q|22|"; fast_pattern; content:"length"; pcre:"/^\s*?\<\s*?10/Rs"; content:"replace"; within:500; pcre:"/^\s*?\x28\s*?\x22\s\x22\s*?,\s*?\x22(?:\!(?:\x22\s*?\+\s*?\x22)?)?Q(?:\x22\s*?\+\s*?\x22)?Q\x22/Rs"; classtype:trojan-activity; sid:2020865; rev:3;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com"; flow:established,from_server; content:"|55 04 03|"; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; content:"|55 04 03|"; distance:0; content:"|16|srv1.mainsftdomain.com"; distance:1; within:23; classtype:trojan-activity; sid:2020866; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|22|4D5A90"; fast_pattern; nocase; content:!"|22|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020893; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M2"; flow:established,from_server; file_data; content:"vbscript"; nocase; content:"|27|4D5A90"; fast_pattern; nocase; content:!"|27|"; within:500; pcre:"/^[a-f0-9]{500}/Rsi"; classtype:trojan-activity; sid:2020894; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; content:!".swf"; nocase; http_uri; content:"x-flash-version"; http_header; fast_pattern:only; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/Hsm"; classtype:trojan-activity; sid:2020895; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Router DNS Changer Apr 07 2015 M2"; flow:established,from_server; file_data; content:"|22 5c 78 35 32 5c 78 35 34 5c 78 34 33 5c 78 35 30 5c 78 36 35 5c 78 36 35 5c 78 37 32 5c 78 34 33 5c 78 36 46 5c 78 36 45 5c 78 36 45 5c 78 36 35 5c 78 36 33 5c 78 37 34 5c 78 36 39 5c 78 36 46 5c 78 36 45 22|"; content:!"vidzi.tv|0d 0a|"; reference:url,malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html; classtype:trojan-activity; sid:2020896; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Post-Compromise Data Dump M1"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"QWRtaW5SaWdodHMy"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:trojan-activity; sid:2020903; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Post-Compromise Data Dump M2"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"FkbWluUmlnaHRzM"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:trojan-activity; sid:2020904; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Post-Compromise Data Dump M3"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"BZG1pblJpZ2h0cz"; http_client_body; pcre:"/(?:Byb2NMaXN0|Qcm9jTGlzd|UHJvY0xpc3)/P"; classtype:trojan-activity; sid:2020905; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request"; flow:established,to_server; urilen:<15; content:"GET"; http_method; content:".exe"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; pcre:"/^\/\d+\/\d+\.exe$/U"; content:"Host|3a|"; depth:5; http_header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:(?:Cache-Control|Pragma)\x3a[^\r\n]+\r\n)?(?:\r\n)?$/Hmi"; reference:md5,2cea5182d71b768e8b669cacdea39825; classtype:trojan-activity; sid:2020941; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020943; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing Apr 20 2015"; flow:established,from_server; file_data; content:"|27 3b|d=unescape(m)|3b|document.write(d|29 3b|</script>"; content:".swf"; nocase; content:".swf"; nocase; content:"vbscript"; nocase; content:"System.Net.WebClient"; nocase; content:".exe"; nocase; classtype:trojan-activity; sid:2020950; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sundown EK Flash Exploit Apr 20 2015"; flow:established,to_server; content:"/bad/"; http_uri; fast_pattern:only; pcre:"/\/bad\/[A-Z0-9]+\.swf$/U"; classtype:trojan-activity; sid:2020951; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Landing Apr 22 2015"; flow:established,from_server; content:"nginx"; http_header; file_data; content:"|0d 0a|<textarea "; fast_pattern; content:!">"; within:21; content:!"</textarea>"; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:trojan-activity; sid:2020975; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern:only; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:trojan-activity; sid:2020979; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"<title>some"; fast_pattern:only; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:trojan-activity; sid:2020980; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK SilverLight Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".xap"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; classtype:trojan-activity; sid:2020982; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2020983; rev:3;) + +#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK PDF Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".pdf"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{7,8}\d{2,3}\.pdf\r\n/Hm"; file_data; content:"PDF-"; within:500; classtype:trojan-activity; sid:2020984; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing Apr 20 2015"; flow:established,from_server; file_data; content:"2147023083"; content:"BlackList"; nocase; content:"lenBadFiles"; nocase; fast_pattern:only; content:"ProgFilePath"; nocase; content:"lenProgFiles"; nocase; classtype:trojan-activity; sid:2020985; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 be ef 3b e8 9f 06 3c 8d|"; within:35; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0f|Global Security"; distance:1; within:16; content:"|55 04 03|"; distance:0; content:"|0b|example.com"; distance:1; within:12; classtype:trojan-activity; sid:2020986; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with Powershell via LNK file (observed in Sundown EK)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"c|00|m|00|d|00|.|00|e|00|x|00|e"; nocase; content:"P|00|o|00|w|00|e|00|r|00|S|00|h|00|e|00|l|00|l"; nocase; content:"D|00|o|00|w|00|n|00|l|00|o|00|a|00|d|00|F|00|i|00|l|00|e"; nocase; classtype:trojan-activity; sid:2020987; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK URI Struct T1 Apr 24 2015"; flow:established,to_server; content:"/street"; http_uri; fast_pattern:only; pcre:"/\/street[1-5]\.php$/U"; classtype:trojan-activity; sid:2020988; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; content:"/XV-"; fast_pattern:only; pcre:"/\/XV-\d+\.exe$/U"; classtype:trojan-activity; sid:2020989; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Secondary Landing T1 M2 Apr 24 2015"; flow:established,from_server; file_data; content:"System.Net.WebClient"; nocase; content:"Powershell"; nocase; content:"DownloadFile"; nocase; content:"|3b|d=unescape(m)|3b|document.write(d)|3b|"; classtype:trojan-activity; sid:2020990; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M1 Apr 24 2015"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:Flash[23]?|Ink|New|One|HQ).exe$/U"; classtype:trojan-activity; sid:2020991; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Payload Struct T2 M2 Apr 24 2015"; flow:established,to_server; content:"/BrowserUpdate.lnk"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2020992; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IonCube Encoded Page (no alert)"; flow:established,from_server; file_data; content:"javascript>c=|22|"; content:"|3b|eval(unescape("; flowbits:noalert; flowbits:set,ET.IonCube; classtype:trojan-activity; sid:2020993; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Sundown EK Flash Exploit Struct T2 Apr 24 2015"; flow:established,to_server; flowbits:isset,ET.IonCube; content:"/"; http_uri; content:".swf"; http_uri; distance:4; within:4; pcre:"/\/(?=[A-Za-z]{0,3}\d)(?=\d{0,3}[A-Za-z])[A-Za-z0-9]{4,5}\.swf$/U"; content:".php"; http_header; classtype:trojan-activity; sid:2020994; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:"/|20|http|3a|/"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x20http\x3a\x2f/U"; classtype:trojan-activity; sid:2021033; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:trojan-activity; sid:2021034; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Java Exploit URI Struct April 29 2015"; flow:established,to_server; content:"Java/"; http_user_agent; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?(?:\.[a-z]+)?$/U"; classtype:trojan-activity; sid:2021035; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK URI Struct April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern:only; pcre:"/\/5\/[A-Z]{3,}\/[a-f0-9]{32}(?:\.[^\x2f]+|\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?|\/\d+\/?)?$/U"; classtype:trojan-activity; sid:2021036; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload April 29 2015"; flow:established,to_server; content:"/5/"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/5\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^[^\r\n]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?/RH"; classtype:trojan-activity; sid:2021037; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK POST Beacon April 29 2015"; flow:established,to_server; content:"POST"; http_method; content:"0/"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; fast_pattern:21,20; content:"%"; http_client_body; pcre:"/^\/[a-z]+\/[a-z]+\//U"; pcre:"/^-?\d+=(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P<var1>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){6}(?P<var2>(?:[a-zA-Z0-9]|%[A-F0-9]{2}))(?:[a-zA-Z0-9]|%[A-F0-9]{2}){2}(?P=var2)(?:[a-zA-Z0-9]|%[A-F0-9]{2}){4}(?P=var1)/P"; classtype:trojan-activity; sid:2021038; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern:only; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021042; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern:only; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021045; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (23)"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; distance:1728; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021059; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Receiving Payload May 7 2015"; flow:established,from_server; content:"Content-Type|3a 20|application/postscript|0d 0a|"; http_header; fast_pattern:18,20; content:"Cache-Control|3a 20|no-cache,no-store,max-age=0,must-revalidate|0d 0a|"; http_header; content:"Content-Disposition|3a 20|inline|3b| filename="; http_header; pcre:"/^[a-z]{10}\.[a-z]{3}\r?$/RHm"; classtype:trojan-activity; sid:2021064; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"JnB3ZD"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"Zwd2Q9"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"mcHdkP"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WebRTC IP tracker Observed in DNSChanger EK May 12 2015"; flow:established,from_server; file_data; content:"function getIPs|28|callback|29|"; nocase; fast_pattern; content:"ip_dups"; nocase; content:"handleCandidate"; nocase; content:"RTCPeerConnection"; nocase; reference:url,github.com/diafygi/webrtc-ips; classtype:trojan-activity; sid:2021089; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (24)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:40; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021126; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (25)"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; distance:1424; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021127; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:trojan-activity; sid:2021136; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M2"; flow:from_server,established; file_data; content:"|5e 23 7e 40|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021137; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"/stat/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:trojan-activity; sid:2021141; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Exploit URI Struct May 28 2015 M1"; flow:to_server,established; urilen:>51; content:"."; http_uri; offset:49; depth:1; content:!"/"; http_uri; offset:1; pcre:"/^\/(?=[a-z0-9_-]{0,47}?[A-Z][a-z0-9_-]{0,46}?[A-Z])(?=[A-Z0-9_-]{0,47}?[a-z][A-Z0-9_-]{0,46}?[a-z])(?=[A-Za-z_-]{0,47}?[0-9][A-Za-z_-]{0,46}?[0-9])[A-Za-z0-9_-]{48}\.[a-z]{2,25}\d?\??/U"; pcre:"/^Referer\x3a\x20http\x3a\x2f\x2f?[^\x2f]+\/[a-z]{3,20}((?P<sep>[_-]?)[a-z]{3,20}(?P=sep)(?:[a-z]{3,20}(?P=sep))?)?[a-z]{3,20}\/\d{10,20}(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,AnglerEK.Struct; classtype:trojan-activity; sid:2021157; rev:8;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS suspicious VBE-encoded script (seen in Sundown EK)"; flow:established,from_server; file_data; content:"Script.Encode"; content:"<!--"; within:8; content:"#@~"; within:5; flowbits:set,et.exploitkitlanding; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2021169; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT</title>"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; classtype:trojan-activity; sid:2021177; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"<title>MICROSOFT WINDOWS SECURITY ALERT</title>"; nocase; fast_pattern; content:"<title>WARNING: VIRUS CHECK</title>"; nocase; distance:0; classtype:trojan-activity; sid:2021181; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M2"; flow:established,to_client; file_data; content:"<title>WARNING: VIRUS CHECK</title>"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; classtype:trojan-activity; sid:2021182; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"<title>Advised System Support!</title>"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:trojan-activity; sid:2021183; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"<title>INTERNET BROWSER PROCESS WARNING ERROR</title>"; nocase; fast_pattern:33,20; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:trojan-activity; sid:2021206; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"<title>Norton Firewall Warning</title>"; fast_pattern:18,20; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:trojan-activity; sid:2021207; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:trojan-activity; sid:2021217; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in Unknown EK Landing"; flow:established,from_server; file_data; content:"base64decode"; nocase; content:"xxtea_decrypt"; nocase; fast_pattern:only; content:"long2str"; nocase; content:"str2long"; nocase; classtype:trojan-activity; sid:2021218; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern:only; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:trojan-activity; sid:2021219; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 11"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021248; rev:7;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22|<iframe src=|27|"; pcre:"/^http\x3a\x2f[^\x27]+[\x27](?:\swidth=\d{1,2}\sheight=\d{1,2}\s|\sheight=\d{1,2}\swidth=\d{1,2}\s)/R"; content:"frameborder=0 marginheight=0 marginwidth=0 scrolling=no> </|22 20|+|20 22|iframe>|22 29 29 3b|"; fast_pattern:55,20; isdataat:!3,relative; classtype:trojan-activity; sid:2021249; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 11 2015 M2"; flow:established,to_client; file_data; content:"<title>Firewall Alert!</title>"; nocase; fast_pattern:10,20; content:"myFunction|28 29|"; nocase; distance:0; content:"warning_message.png"; nocase; distance:0; classtype:trojan-activity; sid:2021256; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 11 2015 M1"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>*** Security Error Code 0x80070424</title>"; fast_pattern:29,20; nocase; classtype:trojan-activity; sid:2021255; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 11 2015 M3"; flow:established,to_client; file_data; content:"<title>VIRUS WARNING!</title>"; nocase; fast_pattern:9,20; content:"myFunction|28 29|"; nocase; distance:0; content:"gp-msg.mp3"; nocase; distance:0; classtype:trojan-activity; sid:2021258; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 11 M2"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021266; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 11 M3"; flow:to_server,established; urilen:>22; content:"/?"; offset:12; depth:86; fast_pattern; pcre:"/^\/[a-z]{3,20}(?P<sep>[_-])[a-z]{3,20}(?P=sep)[a-z]{3,20}(?:(?P=sep)[a-z]{3,20}\/\?[a-z]{6,}=\d{15,20}|(?:(?P=sep)[a-z]{3,20})?\/\?[a-z]{6,}=\d{10,13})$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}\r$/Hmi"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021267; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+).*?\r\nHost\x3a\x20(?!(?:(?P=refhost)|www\.))/Hsi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021269; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15 M2"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; pcre:"/Host\x3a\x20(?!www\.)(?P<refhost>[^\x3a\r\n]+).*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?!(?P=refhost))/Hsi"; flowbits:set,AnglerEK; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"|2e 72 65 73 75 6c 74 73 70 61 67 65 2e 63 6f 6d 0d 0a|"; http_header; classtype:trojan-activity; sid:2021270; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing URI Struct Jun 15 M3"; flow:to_server,established; urilen:>26; content:"/search?"; http_uri; depth:8; content:!"."; http_uri; content:!"+"; http_uri; content:!"|20|"; http_uri; pcre:"/^\/search\?[a-z0-9]{1,5}=[a-z0-9]{1,5}(?:&[a-z0-9]{1,5}=[a-z0-9]{1,5}){4,}$/U"; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20(?!www\.)[^\x2e]+(?:\.[^\x2e\r\n]+){2,}(?:\x3a\d{1,5})?\r$/Hmi"; content:!"|2e 73 70 6f 72 74 73 61 75 74 68 6f 72 69 74 79 2e 63 6f 6d 0d 0a|"; http_header; content:!"Cookie|3a 20|"; flowbits:set,AnglerEK; classtype:trojan-activity; sid:2021271; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (16) M2"; flow:established,to_client; file_data; content:"|51 cb 7b fc 19 9b 77 fb|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021280; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (11) M2"; flow:established,to_client; file_data; content:"|08 fe 4a ac c6 d6 06 8d|"; within:2048; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021281; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 16 2015 M1"; flow:established,to_client; file_data; content:"<title>WINDOWS WARNING ERROR</title>"; nocase; fast_pattern:16,20; content:"myFunction|28 29|"; distance:0; classtype:trojan-activity; sid:2021285; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 16 2015 M2"; flow:established,to_client; file_data; content:"<title>Security Error</title>"; nocase; content:"myFunction|28 29|"; content:"setInterval"; content:"WARNING"; nocase; classtype:trojan-activity; sid:2021286; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 16 2015 M4"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; content:"onmouseover=|22|myFunction|28 29 3b 22|"; distance:1; content:"onclick=|22|myFunction|28 29 3b 22|"; distance:1; content:"onkeydown=|22|myFunction|28 29 3b 22|"; distance:1; content:"onunload=|22|myFunction|28 29 3b 22|"; distance:1; classtype:trojan-activity; sid:2021288; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M4"; flow:established,from_server; file_data; content:"|76 68 7a 32 7a 3d 27 27 3b 74 72 79 7b 77 69 6e 64 6f 77|"; classtype:trojan-activity; sid:2021291; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast_pattern:only; pcre:"/\/win\.html$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?[^\r\n]*?\/(?:index.html)?\r\n.*?\r\nHost\x3a\x20(?P=refhost)[\x3a\r]/Hsi"; classtype:trojan-activity; sid:2021292; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/win.html"; http_uri; fast_pattern:only; pcre:"/\/win\.html$/U"; pcre:"/Host\x3a\x20(?P<refhost>[^\x3a\r\n]+)(?:\x3a\d{1,5})?\r\n.*?\r\nReferer\x3a\x20https?\x3a\x2f\x2f(?P=refhost)(?:\x3a\d{1,5})?\/?/Hsi"; content:!"Host|3a 20|www.carrona.org"; classtype:trojan-activity; sid:2021293; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 17 2015 M1"; flow:established,to_client; file_data; content:"/Alert_files/"; nocase; fast_pattern; content:"Due to a third party application"; nocase; distance:0; content:"iOS is crashed"; nocase; distance:0; classtype:trojan-activity; sid:2021294; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 17 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"a=HT&u="; http_uri; fast_pattern; content:"&clickid="; http_uri; distance:0; content:"&browser="; http_uri; distance:0; content:"&country="; http_uri; distance:0; content:"&device="; http_uri; distance:0; content:"&model="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; classtype:trojan-activity; sid:2021295; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Fake Login Page Credential Theft June 17 2015 M1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"username="; depth:9; http_client_body; fast_pattern; content:"&password="; http_client_body; distance:0; content:"&remember_me="; distance:0; http_client_body; content:"&vi="; http_client_body; distance:0; classtype:trojan-activity; sid:2021296; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Fake Login Page Credential Theft June 17 2015 M2"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"email="; depth:6; http_client_body; fast_pattern; content:"&pswd="; http_client_body; distance:0; content:"&Button1="; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2021297; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Fake Login Page Credential Theft June 17 2015 M3"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; content:"server="; depth:7; http_client_body; fast_pattern; content:"&username="; http_client_body; distance:0; content:"&password="; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2021298; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:"/|3a|http|3a|/"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[a-f0-9]{32}(?:[a-f0-9]{8})?\/\x3ahttp\x3a\x2f/U"; classtype:trojan-activity; sid:2021305; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely CottonCastle/Niteris EK Response June 19 2015"; flow:established,from_server; content:"Refresh|3a 20|"; http_header; content:"|3b 20|url"; distance:0; http_header; content:"/999/00000/|0d 0a|"; distance:0; http_header; fast_pattern; pcre:"/^Refresh\x3a\x20\d+\x3b\x20url[^\r\n]+\/999\/00000\/\r?$/Hm"; classtype:trojan-activity; sid:2021306; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit URI Struct June 19 2015"; flow:established,to_server; content:"?time="; http_uri; fast_pattern; content:"&stamp="; distance:0; http_uri; content:"."; distance:0; http_uri; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.[a-z]+\?time=[^&]+&stamp=[a-z]*\d+(?:\.[a-z]*\d+)+$/U"; flowbits:set,ET.CottonCastle.Exploit; classtype:trojan-activity; sid:2021307; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Payload June 19 2015"; flow:established,to_server; content:"/4/"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]+\/[a-z]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?$/U"; content:"Referer|3a 20|"; http_header; pcre:"/^Referer\x3a[^\r\n]+\/4\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\r?$/Hm"; classtype:trojan-activity; sid:2021308; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015"; flow:established,to_server; content:"GET"; http_method; content:"/%"; http_header; content:"http%3A%2F%2F"; distance:2; within:13; nocase; http_header; fast_pattern; pcre:"/^\/[a-z]+\/[a-z]+\/\d\/[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\//U"; content:"Referer|3a 20|http"; http_header; pcre:"/^[^\r\n]+\/%(?:3A|20)http%3A%2F%2F/Hmi"; flowbits:set,ET.CottonCastle.Exploit; classtype:trojan-activity; sid:2021309; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing June 19 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; content:"javafx_version"; nocase; content:"ip"; pcre:"/^\s*?=\s*?[\x22\x27]8\.8\.8\.8[\x22\x27]/Rsi"; content:"8.8.8.8"; fast_pattern:only; classtype:trojan-activity; sid:2021310; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious wininet UA Downloading EXE"; flow:established,from_server; flowbits:isset,ET.wininet.UA; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2021312; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious JS Observed in Unknown EK Landing"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 58 4f 52 28 75 6e 65 73 63 61 70 65 28 73 74 72 48 54 4d 4c 29|"; nocase; classtype:trojan-activity; sid:2021313; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page June 22 2015"; flow:established,from_server; file_data; content:"return binary_to_base64|28|"; content:"return "; pcre:"/^\s*?[\x22\x27][^\x22\x27a-f0-9]68[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]74[^\x22\x27a-f0-9]70[^\x22\x27a-f0-9]3a[^\x22\x27a-f0-9]2f[^\x22\x27a-f0-9]2f[^\x22\x27]+?[^\x22\x27a-f0-9]00[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021320; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Remax - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"sitedomain="; depth:11; http_client_body; content:"&isSiteStateEncoded="; http_client_body; nocase; distance:0; classtype:bad-unknown; sid:2021322; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:".tries="; http_client_body; nocase; depth:7; content:"&.challenge="; http_client_body; nocase; distance:0; classtype:bad-unknown; sid:2021323; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"&_task=login&_action=login"; http_client_body; nocase; classtype:bad-unknown; sid:2021324; rev:4;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|aa|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021326; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns1.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns1|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021327; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns2.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns2|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021328; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns3.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns3|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021329; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (ns4.hostasa.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|ns4|07|hostasa|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021330; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (gh.dsaj2a1.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|gh|07|dsaj2a1|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021331; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (navert0p.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|navert0p|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021332; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (wangzongfacai.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wangzongfacai|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,3c49b5160b981f06bd5242662f8d0a54; classtype:trojan-activity; sid:2021333; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 10 2015"; flow:established,from_server; file_data; content:"60*60*24*7*1000|29 3b| document.cookie=|22|PHP_SESSION_PHP="; fast_pattern:31,20; pcre:"/^\d+\x3b/R"; classtype:trojan-activity; sid:2021338; rev:11;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 08|"; distance:0; content:"|06|hacked"; distance:1; within:7; content:"|01 09 01|"; distance:0; content:"|10|hackking@126.com"; distance:1; within:17; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".php?cid="; http_uri; fast_pattern; content:"-w"; distance:0; http_uri; pcre:"/\.php\?cid=[0-9]+?-w[A-Z0-9]{23}$/U"; classtype:trojan-activity; sid:2021357; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M2"; flow:established,to_client; file_data; content:"<title>SCANNING.."; fast_pattern; content:"myFunction|28 29|"; distance:0; content:"virus"; nocase; distance:0; classtype:trojan-activity; sid:2021358; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M3"; flow:established,to_client; file_data; content:"e.ctrlKey &&"; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"e.keyCode ==="; distance:0; content:"IP has been Registed"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2021359; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (26)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:40; within:8; classtype:trojan-activity; sid:2021360; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (27)"; flow:established,from_server; file_data; content:"|51 CB 7B FC 19 9B 77 FB|"; distance:1424; within:8; classtype:trojan-activity; sid:2021361; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Magnitude CVE-2015-3113 Jun 29 2015 M1"; flow:established,to_server; urilen:10; content:"/video.flv"; nocase; http_uri; fast_pattern:only; pcre:"/Referer\x3a\x20http\x3a\x2f+?(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\.[^\x2f\r\n]*?\x2f+\[\[DYNAMIC\]\]\x2f\d*?\r\n?/H"; pcre:"/Host\x3a\x20(?:[\x2eg-z]*[a-f0-9][\x2eg-z]*){32}\./H"; classtype:trojan-activity; sid:2021364; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M4"; flow:established,to_client; file_data; content:"div class=|22|what-to-do|22|"; content:"div class=|22|more-about-the-virus|22|"; fast_pattern:11,20; distance:0; content:"div class=|22|service|22|"; distance:0; content:"div class=|22|windows-logo|22|"; distance:0; classtype:trojan-activity; sid:2021365; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Stylesheet June 26 2015"; flow:established,to_client; content:"Content-Type|3a 20|text/css"; http_header; file_data; content:".header-warning"; content:".what-to-do"; distance:0; content:"more-about-the-virus"; distance:0; fast_pattern; classtype:trojan-activity; sid:2021366; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M5"; flow:established,to_server; content:"GET"; http_method; content:"isp="; http_uri; content:"&browser="; distance:0; http_uri; content:"&browserversion"; http_uri; distance:0; fast_pattern; content:"&ip="; http_uri; distance:0; content:"&os="; http_uri; distance:0; content:"&osversion="; http_uri; distance:0; classtype:trojan-activity; sid:2021367; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 26 2015 M6"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING|3a|"; nocase; fast_pattern; content:"onbeforeunload"; nocase; distance:0; content:"function|28 29|"; nocase; distance:0; content:"virus"; nocase; distance:0; classtype:trojan-activity; sid:2021368; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NullHole EK Landing URI struct"; flow:established,to_server; content:"/e.html"; http_uri; fast_pattern:only; pcre:"/\/e\.html$/U"; content:"nhweb="; http_cookie; classtype:trojan-activity; sid:2021373; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 02"; flow:established,from_server; file_data; content:"|2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 2e 73 70 6c 69 74 28 22 22 29 2e 72 65 76 65 72 73 65 28 29 2e 6a 6f 69 6e 28 22 22 29 5d 2e 62 6f 72 64 65 72 20 3d 20 22 6e 6f 6e 65 22 3b|"; fast_pattern:46,20; content:" +="; pcre:"/^\s+\d{1,2}\x3b\s+else\s+(?P<var>[a-z]+)\s+\-=\s+\d{1,2}\x3b\s+return\s+[a-z]+\.charAt\x28(?P=var)\/\d{1,2}\x29\x7d/R"; classtype:trojan-activity; sid:2021374; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 08"; flow:established,from_server; file_data; content:"></script><!--|2f|"; fast_pattern:only; content:"<!--"; pcre:"/^(?P<var>[a-f0-9]{6})-->\s*?<script\s*?type=[\x22\x27]text\/javascript[\x22\x27]\s*?src=[\x22\x27]http\x3a\x2f[^\x22\x27]*?\/[a-z\d]{8}\.php\?id=\d+[\x22\x27]\s*?><\/script><!--\/(?P=var)-->/Rs"; classtype:trojan-activity; sid:2021394; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible PHISH - Fake Login Landing Page"; flow:to_client,established; file_data; content:"openOffersDialog|28 29 3b|"; content:"dropboxmaincontent"; fast_pattern; distance:0; content:"Verification Required"; nocase; distance:0; classtype:policy-violation; sid:2021400; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern:only; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:trojan-activity; sid:2021405; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HanJuan EK Current Campaign Landing URI Struct Jul 10 2015"; flow:established,to_server; urilen:>13; content:!"/"; offset:1; http_uri; content:".asp"; http_uri; pcre:"/^\/[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\-[A-Za-z\d]+\.asp/U"; pcre:"/[a-z].*?[a-z]/U"; pcre:"/[A-Z].*?[A-Z]/U"; pcre:"/\d.*?\d/U"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\r$|\x3a)/Hm"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2021407; rev:4;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (gggatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gggatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021409; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos DDoS Attack Participation (xxxatat456.com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|xxxatat456|03|com"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; reference:md5,5a6bd6b5e00333b8d39ff6be13a346f6; classtype:trojan-activity; sid:2021410; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious SWF filename movie(dot)swf in doc root"; flow:established,to_server; urilen:10; content:"/movie.swf"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2021414; rev:2;) + +alert tls $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|10|mixticmotion.com"; distance:1; within:17; classtype:trojan-activity; sid:2021415; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local DLL (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern:only; content:".dll"; classtype:trojan-activity; sid:2021429; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible IE MSMXL Detection of Local SYS (Likely Malicious)"; flow:established,from_server; file_data; content:"res|3a|"; nocase; content:"loadXML"; nocase; content:"parseError"; nocase; content:"errorCode"; nocase; content:"-2147023083"; fast_pattern:only; content:".sys"; classtype:trojan-activity; sid:2021430; rev:3;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M1 (L O)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?P<var>[a-zA-Z0-9]{1,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021432; rev:2;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M2 (L CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; within:9; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 0a 0c|"; within:9; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; content:"|06 03 55 04 03 0c|"; distance:0; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021433; rev:2;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert M3 (O CN)"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/R"; content:"|06 03 55 04 07 0c|"; distance:0; content:"|06 03 55 04 0a 0c|"; distance:0; byte_extract:1,0,orglen,relative; content:!"|20|"; within:orglen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])[a-zA-Z0-9]{10,120}[01]/R"; content:"|06 03 55 04 03 0c|"; within:9; byte_extract:1,0,cnlen,relative; content:!"|2e|"; within:cnlen; content:!"|2a|"; within:cnlen; pcre:"/^(?=[a-z0-9]{0,119}[A-Z])(?=[A-Z0-9]{0,119}[a-z])(?P<var>[a-zA-Z0-9]{10,120}[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021434; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 17"; flow:to_server,established; content:"fare="; http_uri; nocase; content:".asp?"; http_uri; nocase; content:".pw|0d 0a|"; http_header; nocase; fast_pattern:only; pcre:"/[&?]fare=/Ui"; pcre:"/[&?]c=/Ui"; pcre:"/[&?]t=[a-f0-9]{32}(?:&|$)/Ui"; classtype:trojan-activity; sid:2021435; rev:4;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Xorddos.F DDoS Attack Participation (v8.f1122.org)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|v8|05|f1122|03|org"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; classtype:trojan-activity; sid:2021443; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/IptabLesX C2 Domain Lookup (GroUndHog.MapSnode.CoM)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|GroUndHog|08|MapSnode|03|CoM"; fast_pattern; nocase; distance:0; threshold:type both,track by_src,count 10,seconds 120; classtype:trojan-activity; sid:2021444; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M2"; flow:to_server,established; content:"GET"; http_method; content:"index.html?city="; http_uri; fast_pattern; content:"&ip="; http_uri; distance:0; content:"&isp="; http_uri; distance:0; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021447; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M4"; flow:to_client,established; file_data; content:"myFunction|28 29|"; content:"setInterval"; distance:0; content:"alert"; distance:0; content:"gp-msg.mp3"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021449; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing July 20 2015 M1"; flow:to_client,established; file_data; content:"us_win.mp3"; fast_pattern; content:"yourOS|28 29|"; distance:0; content:"myFunction|28 29|"; distance:0; content:"onload_fun|28 29|"; distance:0; classtype:trojan-activity; sid:2021500; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M2"; flow:established,to_server; urilen:40; content:"/e.html"; http_uri; offset:33; depth:7; pcre:"/^\/[a-f0-9]{32}\/e\.html$/U"; classtype:trojan-activity; sid:2021507; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3"; flow:established,from_server; content:"302"; http_stat_code; content:"/e.html"; http_header; fast_pattern:only; pcre:"/^Location\x3a\x20[a-f0-9]{32}\/e\.html\r$/Hm"; content:"Set-Cookie|3a|"; classtype:trojan-activity; sid:2021508; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (28)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:42; within:8; classtype:trojan-activity; sid:2021509; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XTEA encrypted binary (29)"; flow:established,from_server; file_data; content:"|EB BD 89 F5 C0 3B 7A 3E|"; distance:746; within:8; classtype:trojan-activity; sid:2021510; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phish - Landing Page July 24 M1"; flow:to_client,established; file_data; content:"<title>Document Shared</title>"; fast_pattern:10,20; content:"name=|22|GENERATOR|22 22|>"; distance:0; content:"name=|22|HOSTING|22 22|>"; distance:0; content:"Login with your email"; distance:0; content:"Choose your email provider"; distance:0; classtype:trojan-activity; sid:2021535; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive Phish - Landing Page July 24 M2"; flow:to_client,established; file_data; content:"invoicetoptables"; fast_pattern; content:"invoicecontent"; distance:0; content:"displayTextgmail"; distance:0; content:"displayTexthotmail"; distance:0; content:"displayTextaol"; distance:0; classtype:trojan-activity; sid:2021536; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormOther()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021537; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormHotmail()"; fast_pattern:10,20; classtype:trojan-activity; sid:2021538; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormGmail()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021539; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Successful PHISH - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormYahoo()"; fast_pattern:8,20; classtype:trojan-activity; sid:2021540; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M1 T1"; flow:established,from_server; file_data; content:"_=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021542; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M2 T1"; flow:established,from_server; file_data; content:"$=window|3b|"; nocase; fast_pattern:only; content:"var "; nocase; pcre:"/^\s*?[$_]+w[$_]+i[$_]+=window\x3b/Rsi"; content:"function "; pcre:"/^\s*?[_$]+\x28\x29/Rsi"; classtype:trojan-activity; sid:2021543; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ScanBox Jun 06 2015 M3 T1"; flow:established,from_server; file_data; content:"|5b 28 28 32 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 29 2e 74 6f 55 70 70 65 72 43 61 73 65 28 29 2b 28 34 39 39 39 32 37 34 38 29 2e 74 6f 53 74 72 69 6e 67 28 33 36 29 5d 3b|"; fast_pattern:25,20; classtype:trojan-activity; sid:2021544; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Redirect 8x8 script tag URI struct"; flow:established,to_server; content:".php?id="; http_uri; fast_pattern:only; pcre:"/\/(?=[a-zA-Z\d]{0,6}[a-z][A-Z])[A-Za-z\d]{8}\.php\?id=\d{6,9}$/U"; classtype:trojan-activity; sid:2021552; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 29"; flow:to_server,established; urilen:214; content:"Lzc1MTZmZDQzYWRhYTVl"; http_uri; fast_pattern; content:"=="; distance:54; http_uri; pcre:"/Host\x3a\x20a[a-z]{10}\.[a-z]{5}\./H"; classtype:trojan-activity; sid:2021559; rev:2;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert (non-ASCII) Jul 21 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|30 09 06 03 55 04 08 0c 02|"; distance:1; within:9; fast_pattern; pcre:"/^[A-Z]{2}[01]/Rs"; content:!"|06 03 55 04 0b|"; distance:0; content:"|06 03 55 04 07 0c|"; within:10; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 0a 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])/Rs"; content:"|06 03 55 04 03 0c|"; distance:0; byte_test:1,>,9,0,relative; byte_test:1,<,121,0,relative; pcre:"/^.{1}(?=[\x20-\x7e]{0,8}?[^\x20-\x7e])(?P<var>.{10,120}?[01]).+?\x55\x04\x03.{2}(?P=var)/Rs"; classtype:trojan-activity; sid:2021586; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Aug 02 2015"; flow:established,from_server; file_data; content:"value=|22|#ffffff|22|"; content:!".swf"; nocase; content:"<html>"; pcre:"/^\s*?<body>\s*?<script>(?:\s*var\s+[a-z]+\s*?=\s*?\d+\s*?\x3b\s*?)*?\s*?<\/script>/Rs"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"</object>"; distance:0; pcre:"/^\s*?<\/body>\s*?\s*?<\/html>\s*?$/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:trojan-activity; sid:2021587; rev:5;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino EK Flash Exploit M2 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"CWS"; fast_pattern; within:3; classtype:trojan-activity; sid:2021588; rev:3;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino EK Flash Exploit M3 Aug 02 2015"; flow:from_server,established; flowbits:isset,ET.Neutrino; content:"nginx"; http_header; nocase; file_data; content:"ZWS"; fast_pattern; within:3; classtype:trojan-activity; sid:2021589; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino EK Flash Exploit M1 Aug 02 2015 (IE)"; flow:to_server,established; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:!".swf"; http_uri; nocase; content:!".flv"; http_uri; nocase; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)(?:\x3a\d{1,5})?\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; content:!"Cookie|3a 20|"; classtype:trojan-activity; sid:2021590; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"getEnvInfo"; content:"getPlatform"; content:"<embed"; pcre:"/^(?=[^>]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021595; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; urilen:9<>47; content:"GET"; http_method; content:".exe"; http_uri; offset:6; fast_pattern; content:!"Referer|3A|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/(?=[a-z\d]{0,18}(?:[a-z]\d|\d[a-z]|~[a-z])[a-z\d]{0,18}(?:\/[a-z\d]{0,18}(?:[a-z]\d|\d[a-z])[a-z\d]{0,18}){1,2}\.exe$)(?=[a-f\d\x2f\x7e]{0,40}[g-z])[a-z0-9~]{2,20}(?:\/[a-z0-9]{2,20}){1,2}\.exe$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+?(?:MSIE|rv\x3a11\.0)/Hmi"; reference:md5,03c5bfb5c0c7a936ad62ebe03019edd0; classtype:trojan-activity; sid:2021607; rev:6;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Dridex Downloader SSL Certificate"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|09 00 92 14 63 ad 72 a8 8a 36|"; fast_pattern; content:"|55 04 0a|"; distance:0; content:"|0d|Casino Royale"; distance:1; within:14; classtype:trojan-activity; sid:2021615; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK Exploit URI Struct Aug 12"; flow:to_server,established; urilen:>100; content:!"|20|"; http_uri; content:!"+"; http_uri; content:!"_"; http_uri; content:!"-"; http_uri; content:"search?q="; http_header; fast_pattern:only; pcre:"/\/(?:[^?]+\?)(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f+(?!www\.)(?P<refhost>[^\x3a\x2f\r\n]+)[^\r\n]*?\/search\?q=(?=[A-Z&=\d]*?[a-z])(?=[a-zA-Z\d&=]*?[A-Za-z=&]\d[A-Za-z])(?=[a-zA-Z\d&=]*?[a-z\d][A-Z][A-Za-z\d])[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+&[A-Za-z0-9]+=[A-Za-z0-9]+[&=A-Za-z0-9]*?\r\n.*?Host\x3a\x20(?P=refhost)/Hsi"; pcre:!"/^Host\x3a\x20(?:[^\r\n]+\.)?(?:ya(?:ndex|hoo)|google|bing)\.(?:com?)?(?:\.[a-z]{2})?(:?\x3a\d{1,5})?\r$/Hmi"; content:!"Cookie|3a 20|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2021620; rev:2;) + +alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Secondary Landing Aug 17 2015"; flow:established,from_server; file_data; content:"fromCharCode"; nocase; content:"charCodeAt"; nocase; content:"fontFamily"; nocase; content:"style"; nocase; content:"language"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]vb[\x22\x27]/Rsi"; content:"^"; pcre:"/^\s*?\w+\s*?\.\s*?charCodeAt/Rsi"; content:"decodeURIComponent"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2021637; rev:2;) + +alert http $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing Aug 17 2015"; flow:established,from_server; file_data; content:"ScriptEngineMajorVersion"; nocase; content:"ScriptEngineMinorVersion"; nocase; content:"ScriptEngineBuildVersion"; nocase; fast_pattern; content:"d27cdb6e-ae6d-11cf-96b8-444553540000"; nocase; classtype:trojan-activity; sid:2021638; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Secondary Landing URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:".html&"; http_uri; fast_pattern; content:"/"; distance:-47; http_uri; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{32}(?:[a-f0-9]{8})?\.html&[a-z]+=[^&]+&[a-z]+=\d{3}\.\d{3}\.\d{3,}(?:\.\d{3,})?$/U"; classtype:trojan-activity; sid:2021639; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit URI Struct Aug 17 2015"; flow:established,to_server; content:"GET"; http_method; content:"Referer|3a|"; http_header; content:"|3a|443/"; distance:0; http_header; fast_pattern; pcre:"/\/\d\/?[A-Z]+\/[a-f0-9]{40}\/$/U"; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021640; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Likely Linux/Tsunami DDoS Attack Participation (s-p-o-o-f-e-d.h-o-s-t.name)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|s-p-o-o-f-e-d|07|h-o-s-t|04|name"; fast_pattern; nocase; distance:0; threshold:type limit,track by_src,count 3,seconds 60; reference:md5,c01991d55133d0057c9b721bb141a5d9; classtype:trojan-activity; sid:2021691; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic - Credit Card"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"&ccnumber="; http_client_body; fast_pattern; content:"&expmonth="; distance:0; http_client_body; content:"&expyear="; distance:0; http_client_body; content:"&cvv="; distance:0; http_client_body; content:"&ccpin="; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2021692; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PHISH Generic - Three Security Questions"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"&q1="; http_client_body; content:"&answer1="; distance:0; http_client_body; fast_pattern; content:"&q2="; http_client_body; distance:0; content:"&answer2="; distance:0; http_client_body; content:"&q3="; distance:0; http_client_body; content:"&answer3="; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2021693; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET ![80,8080,3128,3129] (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Payload Aug 19 2015"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Windows NT"; fast_pattern:only; http_header; content:"User-Agent|3a 20|Mozilla"; content:"GET"; http_method; pcre:"/^\/(?:[a-z]{3,20}\/(?:(?:[a-z\d+]*?[A-Z])(?:[A-Z\d+]*?[a-z])[A-Za-z\d]+|\d+\/(?:[a-z]{3,20}-)+[a-z]{3,20}|(?:[a-z]{3,20}-)+\d+|(?:[a-z\d]*?[A-Z]{2}[\d]))|\d+\/\d+\/\d+\/(?:[a-z]{3,20}\/)+(?:[a-z]{3,20}-)+[a-z]{3,20}\.html)$/U"; pcre:"/^Host\x3a[^\r\n]*?\x3a(?!(80(?:80)|312[89]))\d+\r$/Hm"; classtype:trojan-activity; sid:2021694; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TDS Redirecting to EK Aug 19 2015"; flow:established,from_server; file_data; content:"|27|ad|27|+|27|dEv|27|+|27|entListe|27|+|27|ner|27|"; content:"|27|att|27|+|27|achEve|27|+|27|nt|27|"; content:"|27|DOMCo|27|+|27|ntentL|27|+|27|oad|27|+|27|ed|27|"; classtype:trojan-activity; sid:2021696; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Magnitude EK Landing URI Struct Aug 21 2015"; flow:established,to_server; urilen:33<>67; content:"/?"; http_uri; depth:2; content:".pw|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/\?[a-f0-9]{32,64}$/U"; classtype:trojan-activity; sid:2021698; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing Aug 21 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern:only; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<div"; pcre:"/^[^>]*?id\s*?=[\x22\x27][a-z0-9]+[\x22\x27][^>]*?>\s*?[\x2a\d]{100}/R"; classtype:trojan-activity; sid:2021699; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude/Hunter EK IE Exploit Aug 23 2015"; flow:from_server,established; file_data; content:"|22 3a 22 4d 4f 56 20 5b 45 43 58 2b 30 43 5d 2c 45 41 58 22|"; fast_pattern; content:"|22 3a 22 76 69 72 74 75 61 6c 70 72 6f 74 65 63 74 22|"; classtype:trojan-activity; sid:2021707; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Nuclear EK IE Exploit Aug 23 2015"; flow:to_server,established; urilen:>50; content:"POST"; http_method; content:"application/json"; http_header; content:"|22 67 22 3a 22|"; http_client_body; fast_pattern; content:"|22 70 22 3a 22|"; http_client_body; content:"|22 41 22 3a 22|"; http_client_body; pcre:"/\?(?=[a-z\d\x3d&\x2e]*?[A-Z])(?=[A-Z\d=&\x2e]*?[a-z])(?=[A-Za-z=&\x2e]*?\d)[A-Za-z\d=&\x2e]{50,}$/U"; classtype:trojan-activity; sid:2021708; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:"<!-- saved from url=(0014)about|3a|internet -->"; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cryptowall docs campaign Aug 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|65 5d d1 c6 b0 88 68 62|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021725; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 1 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 08 47 4f 47 4f 47 4f 47 4f|"; content:"|01 00 0c 6a 61 76 61 2f 6e 65 74 2f 55 52 4c|"; content:"|01 00 0f 53 74 61 72 74 69 6e 67 20 41 70 70 6c 65 74|"; classtype:trojan-activity; sid:2021726; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 2 M1 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0e 4c 50 68 61 6e 74 6f 6d 53 75 70 65 72 3b|"; fast_pattern; content:"|01 00 32 4c 6a 61 76 61 2f 75 74 69 6c 2f 63 6f 6e 63 75 72 72 65 6e 74 2f 61 74 6f 6d 69 63 2f 41 74 6f 6d 69 63 52 65 66 65 72 65 6e 63 65 41 72 72 61 79 3b|"; classtype:trojan-activity; sid:2021727; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PawnStorm Java Class Stage 2 M2 Aug 28 2015"; flow:established,from_server; file_data; content:"|01 00 0a 63 6f 72 6d 61 63 2e 6d 63 72|"; classtype:trojan-activity; sid:2021728; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS PawnStorm Sednit DL Aug 28 2015"; flow:established,to_server; content:"/cormac.mcr"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021729; rev:2;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; pcre:"/^.{2}(?P<state>[A-Z][a-z]+).*?\x55\x04\x07.{2}(?P=state)\x0a/Rsi"; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; fast_pattern; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021735; rev:4;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Aug 31 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; byte_test:1,>,9,1,relative; byte_test:1,<,121,1,relative; pcre:"/^.{2}[A-Z]{10,120}/R"; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_extract:1,1,cnlength,relative; content:!"|2e|"; within:cnlength; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; reference:md5,26e83fa8b2f3eccfe975cd451933ae63; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021736; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug 31 2015 T2 (BizCN)"; flow:from_server,established; file_data; content:"|3d 27 44 4f 4d 43 6f 27 2b 27 6e 74 65 6e 74 4c 27 2b 27 6f 61 64 27 2b 27 65 64 27 3b 66 6b 3d 77 69 6e 64 6f 77 3b|"; classtype:trojan-activity; sid:2021740; rev:2;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dyre SSL Cert Sept 2 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}[01]/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK September 04 2015"; flow:established,from_server; content:"Set-Cookie|3a 20|_PHP_SESSION_PHP="; fast_pattern:9,20; pcre:"/^\d+\x3b/R"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:trojan-activity; sid:2021746; rev:3;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Sept 8 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 55 53|"; distance:0; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com0/R"; content:".com0"; fast_pattern:only; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021749; rev:6;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Likely Neutrino EK or other EK IE Flash request to DYNDNS set non-standard filename"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:yndns\.[a-z]{2,3}|esi)|c(?:ricket|a?fe?)|(?:lin|wor)k|s(?:u|pace)|accountant|t(?:k|op)|g[aq]|xyz|ml|pw)(?:\x3a\d{1,5})?\r$/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2021752; rev:13;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS possible Sofacy encrypted binary (1)"; flow:established,to_client; file_data; content:"|57 46 e8 67 27 3d 66 1a|"; within:8; flowbits:set,et.exploitkitlanding; reference:url,labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/; reference:url,www.isightpartners.com/2015/07/microsoft-office-zero-day-cve-2015-2424-leveraged-by-tsar-team/; classtype:trojan-activity; sid:2021755; rev:2;) + +alert http $EXTERNAL_NET !2095 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible PHISH - Generic Status Messages Sept 11"; flow:established,to_client; file_data; content:"|22|ajax_timeout|22 20 3A 20 22|"; content:"Authenticating|20 E2 80 A6 22 2C|"; fast_pattern; distance:0; content:"|22|expired_session|22 20 3A 20 22|Your"; distance:0; content:"|22|prevented_xfer|22 20 3A 20 22|The session"; distance:0; content:"successful. Redirecting|20 E2 80 A6 22 2C|"; distance:0; content:"|22|token_incorrect|22 20 3A 20 22|The security"; distance:0; classtype:trojan-activity; sid:2021761; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spartan EK Secondary Flash Exploit DL"; flow:established,from_server; content:"|43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 69 6e 6c 69 6e 65 3b 20 66 69 6c 65 6e 61 6d 65 3d 0d 0a|"; fast_pattern:18,20; http_header; file_data; content:"|3c 74 6f 70 70 69 6e 67 73 3e|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:trojan-activity; sid:2021762; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Grey Advertising Often Leading to EK"; flow:established,from_server; file_data; content:"|69 66 20 28 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 26 26 20 74 79 70 65 6f 66 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 20 3d 3d 3d 20 27 73 74 72 69 6e 67 27 29|"; content:"|66 75 6e 63 74 69 6f 6e 20 28 73 72 63 2c 20 61 73 79 6e 63 2c 20 62 65 66 6f 72 65 53 63 72 69 70 74 53 72 63 2c 20 63 61 6c 6c 62 61 63 6b 29|"; reference:url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=854; classtype:trojan-activity; sid:2021763; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Spartan EK Secondary Flash Exploit DL M2"; flow:established,to_server; urilen:>13; content:"GET /"; byte_test:1,>,64,0,relative; byte_test:1,<,91,0,relative; content:".xml"; http_uri; offset:11; pcre:"/^\/[A-Z](?=[a-z0-9]*?[A-Z][a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z][A-Z0-9]*?[a-z])[A-Za-z0-9]{9,}\.xml$/U"; content:"x-flash-version|3a|"; http_header; fast_pattern:only; content:".swf"; http_header; nocase; pcre:"/Referer\x3a\x20[^\r\n]*?\/[a-f0-9]{32,64}\.swf/H"; classtype:trojan-activity; sid:2021764; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload"; flow:established,from_server; content:"nginx"; http_header; content:"X-Powered-By|3a|"; http_header; content:"application/octet-stream"; http_header; content:"Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; http_header; fast_pattern:20,20; classtype:trojan-activity; sid:2021765; rev:3;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Sept 14 2015"; flow:established,from_server; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 03|"; pcre:"/^.{2}[A-Z]?[a-z]+ [A-Z]?[a-z]+/Rs"; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; pcre:"/^.{2}[A-Z]?[a-z]+\.[A-Z]?[a-z]+@gmail\.com[01]/Rs"; content:"@gmail.com"; fast_pattern:only; reference:md5,f22cad1a3985a5183a76324b448e06f2; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021773; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cryptowall docs campaign Sept 2015 encrypted binary (1)"; flow:established,to_client; file_data; content:"|23 31 f9 4f 62 57 73 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2021778; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?rnd="; http_uri; fast_pattern:only; content:"&id="; http_uri; pcre:"/\.php\?rnd=\d+&id=[0-9A-F]{32,}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021786; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malicious Second Stage Download URI Struct Sept 15 2015"; flow:established,to_server; urilen:>46; content:".php?id="; http_uri; fast_pattern:only; content:"&rnd="; http_uri; pcre:"/\.php\?id=[0-9A-F]{32,}&rnd=\d+$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021787; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Sept 21 2015"; flow:established,to_client; file_data; content:"malware error 895-system 32.exe"; nocase; fast_pattern; content:"RESOLVE THE ISSUE ON TOLL FREE - 1-855-"; nocase; content:"DO NOT SHUT DOWN OR RESTART"; nocase; classtype:trojan-activity; sid:2021811; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Angler EK Redirector Sept 25 2015"; flow:to_client,established; file_data; content:"<body>"; pcre:"/^(?:(?!<\/body).)+?Content\s*?loading.*?Please wait.*?<iframe/Rsi"; content:"Content loading"; nocase; content:"Please wait"; nocase; distance:0; content:"<iframe s1=|22|off|22|"; fast_pattern; distance:0; content:"mask=true"; distance:0; classtype:trojan-activity; sid:2021840; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sept 25 2015"; flow:to_client,established; content:"<div style="; pcre:"/^(?:(?!<\/div).)+?top\x3a\s*?\x2d[0-9]+px\x3b.+left\x3a\s*?\x2d[0-9]+px\x3b.+<iframe\x20.+?stack=\d+/Rsi"; content:"absolute|3b|"; content:"<iframe src="; distance:0; content:" stack="; fast_pattern:only; classtype:trojan-activity; sid:2021841; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JavaScript Injection Sep 29 2015"; flow:established,to_client; file_data; content:"|76 61 72 20 61 3d 22 27 31 41 71 61 70 6b 72 76 27|"; content:"|27 30 30 27 30 32 29 27 30 32 27 30 30|"; fast_pattern; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021846; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/snitch?default|5f|keyword="; depth:24; http_uri; fast_pattern; content:"&referrer="; http_uri; distance:0; content:"&se_referrer="; http_uri; distance:0; content:"&source="; http_uri; distance:0; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021847; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector from iframe Sep 29 2015"; flow:established,to_server; content:"GET"; http_method; content:"/in/?|5f|BC="; depth:9; http_uri; fast_pattern; pcre:"/^\/in\/\?_BC=\d+,\d+,\d+,[0-9,-]+,$/U"; content:"Referer|3a|"; http_header; content:"/snitch?default|5f|keyword="; distance:0; http_header; reference:url,research.zscaler.com/2015/09/compromised-wordpress-campaign-spyware.html; classtype:trojan-activity; sid:2021848; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Sep 30 2015"; flow:to_server,established; urilen:5; content:"/052F"; http_uri; classtype:trojan-activity; sid:2021870; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Phish Outlook Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"outlookuser="; depth:12; nocase; fast_pattern; http_client_body; content:"outlookpassword="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2021890; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Phish Yahoo Credentials Oct 1"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"yahoopassword="; depth:14; nocase; fast_pattern; http_client_body; content:"&Button"; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2021892; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential Data URI Phishing"; flow:established,to_client; file_data; content:"<script type=|22|text/javascript|22|>"; nocase; content:"window.location="; nocase; within:17; content:"PCFET0NUWVBFIGh0bWw+DQo"; fast_pattern; distance:0; reference:url,blog.malwarebytes.org/online-security/2015/10/this-pdf-version-is-not-supported-data-uri-phish; classtype:bad-unknown; sid:2021893; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 1 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern:only; content:"long2str"; content:"0xffffffff"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)str2long(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:trojan-activity; sid:2021905; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 2 Oct 05 2015"; flow:established,from_server; file_data; content:"str2long"; fast_pattern:only; content:"0xffffffff"; content:"long2str"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)str2long(?P=sep)/Rs"; classtype:trojan-activity; sid:2021906; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing M5 3 Oct 05 2015"; flow:established,from_server; file_data; content:"long2str"; fast_pattern:only; content:"0xffffffff"; content:"str2long"; pcre:"/^(?P<sep>[^\s\x3b\x22\x27])(?=.+?(?P=sep)0xffffffff(?P=sep)).+?(?P=sep)long2str(?P=sep)/Rs"; classtype:trojan-activity; sid:2021907; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Landing Page Oct 05 2015"; flow:established,from_server; file_data; content:"function ckl"; content:"VIP*/"; nocase; classtype:trojan-activity; sid:2021908; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Landing Oct 08 2015"; flow:established,from_server; file_data; content:"/x-silverlight-2"; nocase; fast_pattern:only; content:"value"; pcre:"/^\s*?=\s*?[\x22\x27][a-z\d]+\.xap[\x22\x27]/Rs"; content:"/x-shockwave-flash"; nocase; content:!".swf"; nocase; content:"<param"; nocase; pcre:"/^(?=[^>]*?\sname\s*?\x3d\s*?[\x22\x27]?movie[\x22\x27]?)[^>]*?\svalue\s*?\x3d\s*?[\x22\x27][^\x22\x27]+\/(?:\??[a-f0-9]+)?[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021939; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netgear Multiple Router Auth Bypass"; flow:to_server,established; content:"/BRS_netgear_success.html"; depth:25; nocase; http_uri; fast_pattern:5,20; reference:url,www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html; classtype:attempted-admin; sid:2021944; rev:2;) + +alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Upatre/Dyre/Kegotip SSL Cert Oct 12 2015"; flow:established,from_server; content:".com"; content:"|16|"; content:"|0b|"; within:8; content:"|02 09 00|"; distance:17; within:3; content:"|0b 30 09 06 03 55 04 06 13 02 43 41 31|"; distance:0; fast_pattern; content:"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; content:"|55 04 0a|"; distance:0; byte_extract:1,1,olength,relative; content:!"|2e|"; within:olength; content:!"|20|"; within:olength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; byte_test:1,>,0x40,2,relative; byte_test:1,<,0x5B,2,relative; content:"|55 04 0b|"; distance:0; byte_extract:1,1,oulength,relative; content:!"|2e|"; within:oulength; content:!"|20|"; within:oulength; pcre:"/^[a-zA-Z0-9]+[01]/R"; content:"|55 04 03|"; content:"|2a 86 48 86 f7 0d 01 09 01|"; distance:0; content:!"support@"; distance:0; pcre:"/^.{2}[A-Za-z][a-z]*?@[a-z]+\.com[01]/R"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021948; rev:2;) + +alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Magento Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/magmi-importer/web/"; fast_pattern; http_uri; content:"download_file.php?file="; http_uri; distance:0; content:"|2e 2e 2f|"; http_raw_uri; content:!"Referer|3a|"; http_header; reference:url,threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/; classtype:trojan-activity; sid:2021951; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:".html?a="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:trojan-activity; sid:2021963; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M2"; flow:established,from_server; file_data; content:"<!-- saved from url="; content:"<title>WARNING-ERROR</title>"; fast_pattern:8,20; distance:0; classtype:trojan-activity; sid:2021964; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M3"; flow:established,from_server; file_data; content:".net frame work file missing"; fast_pattern:8,20; nocase; content:"Debug malware error"; nocase; distance:0; content:"Please do not open"; nocase; distance:0; content:"avoid data corruption"; nocase; distance:0; content:"PLEASE DO NOT SHUT DOWN"; nocase; distance:0; content:"RESTART YOUR COMPUTER"; nocase; distance:0; classtype:trojan-activity; sid:2021965; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M4"; flow:established,to_server; content:"GET"; http_method; content:"WINDOWS HEALTH IS CRITICAL"; http_uri; fast_pattern:6,20; classtype:trojan-activity; sid:2021966; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Redirector Oct 19 M1"; flow:established,to_server; content:"GET"; http_method; content:"/scan"; depth:5; fast_pattern; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/scan[A-Z][a-z]?\/?$/U"; classtype:trojan-activity; sid:2021967; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Redirector Oct 19 M2"; flow:established,to_server; content:"GET"; http_method; content:".dill/"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^\/[a-z]+\.dill\/$/U"; classtype:trojan-activity; sid:2021968; rev:2;) + +alert http $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Job314/Neutrino Reboot EK Landing Oct 19 2015"; flow:established,from_server; file_data; content:!".swf"; content:"<html>"; pcre:"/^\s*?\r?\n\s*?<body>\s*?\r?\n\s*?<script>\s*\r?\n\s*?<\/script>/Rs"; content:"value=|22|#ffffff|22|"; content:"<object"; pcre:"/^(?=(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22bgcolor\x22)[^>]*?value\s*?=\s*?\x22#ffffff\x22)(?:(?!<\/object>).)*?<param(?=[^>]*?name\s*?=\s*?\x22movie\x22)[^>]*?value\s*?=\s*?\x22(?![^\x22]+\.[Ss][Ww][Ff])[^\x22]*?\x22/Rs"; content:"allowScriptAccess"; fast_pattern:only; flowbits:set,ET.Neutrino; classtype:trojan-activity; sid:2021969; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (1)"; flow:established,to_client; file_data; content:"|d8 57 45 e6 17 f8 ec bb|"; distance:4; within:8; classtype:trojan-activity; sid:2021970; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (2)"; flow:established,to_client; file_data; content:"|d5 88 7d dc 8a 95 4b be|"; distance:4; within:8; classtype:trojan-activity; sid:2021971; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (3)"; flow:established,to_client; file_data; content:"|08 42 7d|"; distance:4; within:3; pcre:"/^(?:\x4c|\x35)/R"; classtype:trojan-activity; sid:2021972; rev:4;) + +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (4)"; flow:established,to_client; file_data; content:"|05 9d 45|"; distance:4; within:4; pcre:"/^(?:\x76|\x0f)/R"; classtype:trojan-activity; sid:2021973; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Redirector Oct 19 M3"; flow:established,to_server; content:"GET"; http_method; content:"/eyJscCI6InRlc3Q"; depth:16; fast_pattern; http_uri; pcre:"/^\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\/$/U"; classtype:trojan-activity; sid:2021974; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 19 M5"; flow:established,from_server; file_data; content:"<title>SECURITY WARNING</title>"; nocase; content:"dontdisplaycheckbox()"; distance:0; nocase; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"Infection ID"; distance:0; nocase; classtype:trojan-activity; sid:2021975; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 as observed in PawnStorm"; flow:established,from_server; file_data; content:"javax.naming.InitialContext"; fast_pattern:only; content:"progress-class"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]javax.naming.InitialContext/Rsi"; content:"</jnlp>"; nocase; distance:0; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021985; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 2"; flow:established,from_server; file_data; content:"Byb2dyZXNzLWNsYXNz"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021987; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible click2play bypass Oct 19 2015 B64 3"; flow:established,from_server; file_data; content:"wcm9ncmVzcy1jbGFzc"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021988; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (5)"; flow:established,to_client; file_data; content:"|91 29 83 25 66 1e be fb|"; distance:4; within:8; classtype:trojan-activity; sid:2021989; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted payload Oct 19 (6)"; flow:established,to_client; file_data; content:"|57 05 11 53 6c d2 02 f9|"; distance:4; within:8; classtype:trojan-activity; sid:2021990; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Java Installer Landing Page Oct 21"; flow:established,to_server; content:"GET"; http_method; content:"/download.php?id="; http_uri; content:"&sid="; http_uri; distance:0; content:"&name=Java|20|Runtime|20|Environment|20|"; http_uri; distance:0; fast_pattern; pcre:"/^\/[0-9]+\/download\.php\?id=/U"; pcre:"/&name=[a-z0-9\x20]+$/Ui"; reference:url,heimdalsecurity.com/blog/security-alert-blackhat-seo-campaign-passes-around-malware-to-unsuspecting-users; classtype:trojan-activity; sid:2021991; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 26 2015"; flow:established,from_server; content:"|0d 0a|Set-Cookie|3a 20|qtaho="; classtype:trojan-activity; sid:2022001; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Redirect Leading to EK Oct 29"; flow:to_server,established; urilen:5; content:"/533L"; classtype:trojan-activity; sid:2022009; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Oct 29"; flow:established,to_client; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>WARNING! Windows Update Required"; nocase; fast_pattern; content:"Call US Toll Free|20 3a 20|1-877"; nocase; distance:0; content:"System connected with OVERSEAS IP Address"; nocase; distance:0; content:"YOUR COMPUTER HAS BEEN LOCKED!!"; nocase; distance:0; reference:url,threatglass.com/malicious_urls/funu-info; classtype:trojan-activity; sid:2022010; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Oct 30"; flow:established,from_server; file_data; content:"<title>*** Security Error Code"; fast_pattern:10,20; content:"Suspicious Connection Was Trying"; nocase; distance:0; content:"Your Accounts May be Suspended"; nocase; distance:0; classtype:trojan-activity; sid:2022011; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Audio Oct 30"; flow:established,from_server; file_data; content:"<audio"; content:"gp-msg.mp3"; distance:0; nocase; fast_pattern; content:"audio/mpeg"; distance:0; nocase; content:"</audio>"; distance:0; nocase; classtype:trojan-activity; sid:2022012; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Video Player Update Scam Oct 30"; flow:established,from_server; file_data; content:"<title>Please Update"; nocase; fast_pattern; content:"downloadUrl"; nocase; distance:0; content:"update your video player"; nocase; distance:0; content:"please send a message <a href=|22|#|22|>here</a>"; nocase; distance:0; classtype:trojan-activity; sid:2022013; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish Oct 30"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"1="; depth:2; http_client_body; content:"&2="; http_client_body; nocase; distance:0; content:"Log+In=Log+In"; http_client_body; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022017; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish Oct 30 2"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"name="; depth:5; http_client_body; content:"&adress1="; http_client_body; nocase; distance:0; content:"&phone="; http_client_body; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022018; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Account Phish Oct 30 3"; flow:to_server,established; content:"POST"; http_method; content:".php?Go=_"; http_uri; content:"chldr="; depth:7; http_client_body; content:"&ccnum="; http_client_body; nocase; distance:0; content:"&password="; http_client_body; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022019; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jimdo.com Phishing PDF via HTTP"; flow:established,from_server; file_data; content:"/Subtype/Link/Rect"; content:"/BS<</W 0>>/F 4/A<</Type/Action/S/URI/URI (http|3a|//"; distance:0; content:".jimdo.com/)>"; distance:0; fast_pattern; content:"www.Neevia.com"; distance:0; content:"Neevia Document Converter"; distance:0; reference:md5,70eaba2ab6410e3541a2e24a482ddddd; classtype:trojan-activity; sid:2022029; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 4 M2"; flow:established,from_server; file_data; content:"<title>SYSTEM ERROR WARNING"; nocase; fast_pattern:7,20; content:"Window's Defender"; nocase; distance:0; content:"right-click has been disabled"; nocase; distance:0; classtype:trojan-activity; sid:2022030; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam JS Landing Nov 4"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; content:"Content-Encoding|3a 20|gzip"; http_header; file_data; content:"tfnnumber"; content:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; distance:0; content:"msgencoded"; content:"returnmsgencoded"; distance:0; content:"Base64"; pcre:"/^\s*?\.\s*?decode\s*?\(\s*?msgencoded\s*?\)\s*?\.\s*?replace/Rsi"; classtype:trojan-activity; sid:2022031; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam GET Nov 4"; flow:to_server,established; content:"GET"; http_method; content:".html?cid="; nocase; http_uri; fast_pattern; content:"&caid="; http_uri; nocase; distance:0; content:"&oid="; http_uri; nocase; distance:0; content:"&zid="; http_uri; nocase; distance:0; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; content:!"www.google-analytics.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022032; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 4 M1"; flow:established,from_server; file_data; content:"<title>Microsoft Official Support</title>"; nocase; fast_pattern:21,20; content:"function myFunction()"; nocase; distance:0; content:"setInterval(function(){alert"; nocase; distance:0; classtype:trojan-activity; sid:2022033; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Google Drive (Remax) Phish Landing Nov 4"; flow:established,from_server; file_data; content:"#MyRemax_Password"; nocase; fast_pattern; content:"#MyRemax_Email"; nocase; distance:0; content:"<title>Meet Google Drive"; nocase; distance:0; classtype:trojan-activity; sid:2022035; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Drive (Remax) Phish Nov 4"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a 20|multipart/form-data|3b 20|boundary=---------"; http_header; content:"form-data|3b 20|name=|22|server|22|"; nocase; http_client_body; fast_pattern; content:"form-data|3b 20|name=|22|ipLists|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|ipEmpty|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Email|22|"; nocase; http_client_body; distance:0; content:"form-data|3b 20|name=|22|MyRemax_Password|22|"; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022036; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible vBulletin object injection vulnerability Attempt"; flow:established,to_server; content:"/api/hook/decodeArguments"; nocase; http_uri; content:"arguments="; nocase; http_uri; content:"|7b|"; distance:0; http_uri; content:"|3a|"; distance:0; http_uri; content:"|3b|"; distance:0; http_uri; content:"free_result"; nocase; distance:0; http_uri; reference:url,blog.sucuri.net/2015/11/vbulletin-exploits-in-the-wild.html; classtype:attempted-admin; sid:2022039; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leadking to EK Nov 2015"; flow:to_server,established; content:".pw|0d 0a|"; nocase; http_header; fast_pattern:only; content:"/?id="; http_uri; nocase; content:"&keyword="; nocase; http_uri; pcre:"/^Host\x3a[^\r\n]*?\.pw\r$/Hmi"; classtype:trojan-activity; sid:2022040; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022050; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.ip.request; classtype:trojan-activity; sid:2022051; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.XMLHTTP.no.exe.request; classtype:trojan-activity; sid:2022053; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M1"; flow:to_server,established; content:".php?sid="; http_uri; offset:4; depth:26; pcre:"/^\/[a-z]{3,20}\.php\?sid=[A-F0-9]{40,200}$/U"; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022070; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK Nov 09 2015 M2"; flow:to_server,established; content:".php?id=4"; http_uri; offset:4; depth:25; pcre:"/^\/[a-z]{3,20}\.php\?id=4[A-F0-9]{39,200}$/U"; content:!"|0d 0a|Cookie|3a|"; content:!".hostingcatalog.com|0d 0a|"; http_header; nocase; classtype:trojan-activity; sid:2022071; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Nov 11"; flow:established,to_client; file_data; content:"onload=|22|myFunction|28 29 22|"; fast_pattern; content:"onclick=|22|myFunction|28 29 22|"; distance:0; content:"onkeydown=|22|myFunction|28 29 22|"; distance:0; content:"onunload=|22|myFunction|28 29 22|"; distance:0; classtype:trojan-activity; sid:2022079; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Mailbox Renewal Phish Landing Nov 13"; flow:established,from_server; file_data; content:"<title>Mailbox renewal"; fast_pattern; nocase; content:"autorised email address"; nocase; distance:0; content:"To complete this autorization"; nocase; distance:0; content:"Online MailBox Renewal"; nocase; distance:0; classtype:trojan-activity; sid:2022083; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Revalidation Phish Nov 13 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"user="; depth:5; nocase; http_client_body; fast_pattern; content:"&email_address="; nocase; http_client_body; distance:0; content:"&pass"; nocase; http_client_body; distance:0; content:"&captcha="; nocase; http_client_body; distance:0; content:"&submitbutton="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022084; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Revalidation Phish Nov 13 M2"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"<META HTTP-EQUIV=|22|REFRESH|22|"; nocase; content:"Revalidation</title>"; fast_pattern; nocase; distance:0; content:"Account Revalidated"; nocase; distance:0; content:"you have sucessfully revalidated"; nocase; distance:0; classtype:trojan-activity; sid:2022085; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Revalidation Phish Landing Nov 13"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"Revalidation</title>"; fast_pattern; nocase; content:" |3b| |3b| |3b| |3b|Revalidating your"; nocase; distance:0; content:"Account information"; nocase; distance:0; content:"Password|3a|"; nocase; distance:0; content:"Word Verification|3a|"; nocase; distance:0; content:"Revalidate my account"; nocase; distance:0; classtype:trojan-activity; sid:2022086; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Nuclear EK Nov 13 2015 Landing URI struct"; flow:established,to_server; urilen:>25; content:"_id="; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}(?:&[a-z]{1,40}_id=\d{2,5})?&[^&\x3d]+=(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{15,}\x2e{0,2}?$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.(?:g[aq]|cf|ml|tk|xyz|info|space)(?:\x3a\d{1,5})?\r$/Hm"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022090; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 16"; flow:established,from_server; file_data; content:"Windows Browser"; fast_pattern; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]country[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]isp[\x22\x27]/Rsi"; content:"getElementById"; nocase; distance:0; pcre:"/^\s*?\(\s*?[\x22\x27]ip[\x22\x27]/Rsi"; content:"Hello China"; nocase; distance:0; classtype:trojan-activity; sid:2022092; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Jimdo Outlook Web App Phishing Landing Nov 16"; flow:established,from_server; file_data; content:"Outlook"; nocase; content:"jimdo.com"; nocase; distance:0; content:"Email"; nocase; distance:0; content:"Password"; nocase; distance:0; content:"Confirm Password"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022093; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Jimdo Outlook Web App Phishing Nov 16"; flow:to_server,established; content:"POST"; http_method; content:"|2f 66 6f 72 6d 2f 73 75 62 6d 69 74 2f|"; http_uri; content:"|6a 69 6d 64 6f 2e 63 6f 6d 0d 0a|"; http_header; fast_pattern; content:"|6d 6f 64 75 6c 65 49 64 3d|"; nocase; http_client_body; depth:9; content:"|26 64 61 74 61 3b 3d|"; nocase; distance:0; http_client_body; content:"|45 6d 61 69 6c|"; nocase; distance:0; http_client_body; content:"|50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; content:"|43 6f 6e 66 69 72 6d 2b 50 61 73 73 77 6f 72 64|"; nocase; distance:0; http_client_body; pcre:"/\/form\/submit\/$/U"; classtype:trojan-activity; sid:2022094; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Nov 16"; flow:established,to_server; content:"GET"; http_method; content:".html?os="; http_uri; fast_pattern; content:"&clickid=w"; distance:0; http_uri; pcre:"/&clickid=w[A-Z0-9]{23}$/U"; classtype:trojan-activity; sid:2022103; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Nuclear EK Landing Nov 17 2015"; urilen:>51; flow:to_server,established; content:"_id="; http_uri; content:"_id="; distance:0; http_uri; pcre:"/^\/(?:[a-z0-9]+\/)?[^\x2f]+\?[a-z]{1,40}_id=\d{2,5}?&[a-z]{1,40}_id=\d{2,5}&[^&\x3d]+(?<!_id)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022112; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Landing Nov 17 2015"; flow:from_server,established; file_data; content:"|2e 73 74 79 6c 65 2e 6c 65 66 74 3d 3d 3d 22 22 29 7b 67 67 3d 22 67 65 74 41 22 3b 7d 71 71 3d 22 71 22 3b 67 67 2b 3d 22 74 74 72 69 22 3b 66 75 6e 63 74 69 6f 6e 20 63 78 7a 28 29|"; fast_pattern:17,20; classtype:trojan-activity; sid:2022113; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Nov 20"; flow:established,from_server; file_data; content:"<title>VIRUS WARNING"; fast_pattern; nocase; content:"onload=|22|myFunction()|22|"; nocase; content:"YOUR COMPUTER HAS BEEN BLOCKED"; nocase; content:"CALL IMMEDIATLY"; nocase; content:"|5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e 5c 6e|"; nocase; classtype:trojan-activity; sid:2022125; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Spartan/Nuclear EK Payload"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; depth:13; content:"Content-Type|3a 20|application/octet-stream"; http_header; content:"Accept-Ranges|3a 20|bytes|0d 0a|Content-Disposition|3a 20|inline|3b 20|filename=|0d 0a|"; http_header; fast_pattern:42,20; pcre:"/\x20filename=\r\n(?:\r\n)?$/H"; classtype:trojan-activity; sid:2022135; rev:4;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Netsolhost SSL Proxying - Possible Phishing"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|secure|0a|netsolhost|03|com|00|"; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2022136; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Generic Phishing Landing Uri Nov 25"; flow:to_server,established; content:"GET"; http_method; content:".php?usernms="; http_uri; fast_pattern; pcre:"/\.php\?usernms=[^@]+@[^\r\n]+$/Ui"; classtype:trojan-activity; sid:2022187; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Nuclear EK Landing Nov 27 2015"; flow:to_server,established; urilen:>55; content:"&cat_no="; http_uri; content:"&no="; http_uri; distance:0; pcre:"/&cat_no=\d{2,5}?&no=\d{2,5}&[^&\x3d]+(?<!_no)=(?=[a-zA-Z0-9]+(?:[A-Z][a-z][A-Z]|\d[a-z][A-Z]|[A-Z]\d[A-Z]|[A-Z\d]{3}[a-z]))(?=[A-Fa-f0-9]*?[G-Zg-z])(?=[a-z0-9]*?[A-Z])(?=[A-Z0-9]*?[a-z])[A-Za-z0-9]{32}\x2e{0,2}$/U"; content:!"|0d 0a|Cookie|3a|"; flowbits:set,NuclearEK; classtype:trojan-activity; sid:2022193; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google Drive Phish Sept 1 M1"; flow:to_server,established; content:"POST"; http_method; content:"hidCflag="; nocase; depth:9; http_client_body; fast_pattern; content:"&Email="; nocase; http_client_body; distance:0; content:"&Pass"; http_client_body; distance:0; nocase; content:"sign"; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022217; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Facebook password stealing inject Jan 04"; flow:from_server,established; file_data; content:"facebook.com"; nocase; content:"localStorage"; fast_pattern:only; nocase; content:"email"; nocase; content:"pass"; nocase; content:"login_form"; nocase; content:"location"; nocase; pcre:"/^\s*\.\s*hostname\s*.indexOf\s*\([\x22\x27]facebook\.com[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/^\s*\(\s*[\x22\x27]login_form[\x22\x27]/Rsi"; content:"getElementById"; distance:0; pcre:"/\s*\(\s*[\x22\x27](email|pass)[\x22\x27]/Rsi"; content:"image"; nocase; pcre:"/[^.]*\.\s*src\s*\=[\x22\x27][^\x22\x27]*\.php\?[ -~]+?\=[\x22\x27]\s*\+localStorage\./Rsi"; classtype:web-application-attack; sid:2022221; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Dec 09"; flow:established,from_server; file_data; content:"<!--/"; fast_pattern:only; content:"<!--"; pcre:"/^(?P<ccode>[a-f0-9]{6})-->.*?<script.+?<\/script>.*?<!--/(?P=ccode)-->/Rsi"; classtype:trojan-activity; sid:2022242; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Macro Downloading Trojan Dec 16 2015 Post to EXE"; flow:established,to_server; content:"POST"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; pcre:"/^[\x2fa-z\d]+\.exe$/U"; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|0|0d 0a|Connection|3a 20|"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; classtype:trojan-activity; sid:2022270; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 21 2015 5"; flow:from_server,established; file_data; content:"|3f 22 5c 78|"; fast_pattern; byte_test:1,>,0x2f,-5,relative; byte_test:1,<,0x3a,-5,relative; content:"var "; pcre:"/^\s*?[a-z]+\s*?=\s*?\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b].*?(?<=[\x3d\x2b])\x28\d+[<>]\d+\?\s*?\x22[^\x22]+\x22\s*?\x3a\s*?\x22[^\x22]+\x22\s*?\x29\s*?[\x3b\x2b]/Rsi"; reference:url,blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html; classtype:trojan-activity; sid:2022290; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering)"; flow:established,to_server; content:"POST"; http_method; content:"content-types|3a|"; http_header; nocase; fast_pattern:only; content:"Referer|3a|"; http_header; content:"content-type|3a|"; http_header; nocase; classtype:trojan-activity; sid:2022304; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 26 2015"; flow:to_server,established; content:"/st1.phtml"; http_uri; classtype:trojan-activity; sid:2022312; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mon Dec 26 2015 2"; flow:to_server,established; content:"/lobo.phtml"; http_uri; classtype:trojan-activity; sid:2022313; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Dec 30 M1"; flow:to_client,established; file_data; content:"/windowslogo.jpg"; fast_pattern; nocase; content:"/winborder.html"; nocase; distance:0; content:"bug1.html"; nocase; distance:0; content:"infected your system"; nocase; distance:0; content:"TCP connection already exists"; nocase; distance:0; content:"TOLL FREE"; nocase; distance:0; classtype:trojan-activity; sid:2022319; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Dec 30 M2"; flow:to_client,established; file_data; content:"/sound.mp3"; fast_pattern; nocase; content:"function goodbye"; nocase; distance:0; content:"DetectMobile()"; nocase; distance:0; content:"stopPropagation"; nocase; distance:0; content:"preventDefault"; nocase; distance:0; classtype:trojan-activity; sid:2022320; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M1"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/switch/cookie.php"; depth:18; http_uri; fast_pattern; classtype:trojan-activity; sid:2022338; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex Download 6th Jan 2016 Flowbit"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; content:"Content-Length|3a 20|0|0d 0a|"; content:"MSIE 7.0"; http_header; fast_pattern:only; content:!"Referer|3A|"; http_header; pcre:"/Host\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; flowbits:set,et.dridexdoc; flowbits:noalert; classtype:trojan-activity; sid:2022339; rev:2;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download 6th Jan 2016"; flowbits:isset,et.dridexdoc; flow:established,to_client; content:"Content-Disposition|3A| attachment|3B| filename="; http_header; content:".exe"; http_header; fast_pattern; file_data; content:"MZ"; within:2; content:"This program"; within:100; classtype:trojan-activity; sid:2022340; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 6th 2016 M2"; flow:established,from_server; content:"Content-Type|3a 20|application/javascript|3b|"; http_header; file_data; content:"var iframe"; within:13; pcre:"/^\s*?=\s*?[\x22\x27]<iframe\s*?src\s*?=/R"; content:":-"; pcre:"/^\d{3,}/R"; content:"</iframe>"; pcre:"/^\s*?/Rs"; content:"document.write(iframe)|3b|"; isdataat:!2,relative; classtype:trojan-activity; sid:2022341; rev:2;) + +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoinMiner Malicious Authline Seen in JAR Backdoor"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3a 20 22|mining.authorize|22 2c|"; within:100; content:"|22|params|22|"; within:50; content:"|5b 22|CGX2U2oeocN3DTJhyPG2cPg7xpRRTzNZkz|22 2c 20 22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html; classtype:trojan-activity; sid:2022349; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SECURITY WARNING"; fast_pattern:3,20; content:"0x0000007E"; nocase; distance:0; content:"0xFFFFFFFFFC000000047"; nocase; distance:0; content:"Serious security threat"; nocase; distance:0; content:"msg.mp3"; nocase; classtype:trojan-activity; sid:2022364; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS"; content:"WINDOWS HEALTH IS CRITICAL"; fast_pattern:6,20; distance:0; content:"myFunction()|3b|"; classtype:trojan-activity; sid:2022365; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Jan 13 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"getURLParameter"; nocase; content:"PhoneNumber"; nocase; distance:0; content:"AlertMessage"; content:"Windows Certified Support"; fast_pattern:5,20; nocase; distance:0; content:"myFunction"; nocase; distance:0; content:"needToConfirm"; nocase; distance:0; content:"msg1.mp3"; nocase; distance:0; classtype:trojan-activity; sid:2022366; rev:2;) + +#alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Chrome Extension Phishing DNS Request"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"chrome-extension"; nocase; distance:0; fast_pattern; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022372; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Chrome Extension Phishing HTTP Request"; flow:to_server,established; content:"Host|3a| chrome-extension."; http_header; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022373; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious LastPass URI Structure - Possible Phishing"; flow:established,to_server; content:"GET"; http_method; content:"/tabDialog.html?dialog=login"; http_uri; fast_pattern:only; reference:url,www.seancassidy.me/lostpass.html; classtype:trojan-activity; sid:2022374; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Script Loaded from Pastebin"; flow:established,to_client; file_data; content:"pastebin.com/raw"; fast_pattern:only; content:"<script "; pcre:"/^(?:(?!<\/script>).)*?src\s*=\s*\x5c?[\x22\x27]https?\x3a\/\/(?:www\.)?pastebin\.com\/raw(?:\/|\.php\?i=)[A-Z-a-z0-9]{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2022376; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Critical Error"; nocase; content:"WINDOWS VIRUS"; nocase; content:".net framework file missing"; nocase; fast_pattern:7,20; content:"contact Microsoft Support"; nocase; distance:0; classtype:trojan-activity; sid:2022409; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Chrome Tech Support Scam Landing Jan 26 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function pop"; fast_pattern; nocase; content:"function progressUpdate"; nocase; content:"Operating System"; nocase; content:"Browser"; nocase; content:"Internet Provider"; nocase; content:"Location"; nocase; content:"Scan progress"; nocase; classtype:trojan-activity; sid:2022410; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jan 27 2016 (Evil Keitaro FB Set)"; flow:established,to_server; urilen:>5; content:"/?3b"; http_uri; depth:4; pcre:"/^\/\?3b[A-Z0-9a-z]{2}(&subid=[^&]*)?$/U"; flowbits:set,evil.Keitaro; flowbits:noalert; classtype:trojan-activity; sid:2022464; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (Known Evil Keitaro TDS)"; flow:established,from_server; flowbits:isset,evil.Keitaro; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; classtype:trojan-activity; sid:2022465; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Keitaro TDS Redirect"; flow:established,from_server; content:"302"; http_stat_code; content:"LOCATION|3a 20|http"; http_header; nocase; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; content:"Expires|3a 20|Thu, 21 Jul 1977 07|3a|30|3a|00 GMT|0d 0a|"; http_header; fast_pattern:5,20; pcre:"/Date\x3a\x20(?P<dstring>[^\r\n]+)\r\n.*?Last-Modified\x3a\x20(?P=dstring)\r\n/Hs"; content:"Cache-Control|3a 20|max-age=0|0d 0a|Pragma|3a 20|no-cache|0d 0a|"; classtype:bad-unknown; sid:2022466; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Evil Redirect Leading to EK Feb 01 2016"; flow:established,from_server; file_data; content:"|7a 2d 69 6e 64 65 78 3a 2d 31 3b|"; content:"|6f 70 61 63 69 74 79 3a 30 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 30 29 3b 20 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 30 3b 22 3e|"; fast_pattern:32,20; distance:0; content:"|63 6c 73 69 64 3a 64 32 37 63 64 62 36 65 2d 61 65 36 64 2d 31 31 63 66 2d 39 36 62 38 2d 34 34 34 35 35 33 35 34 30 30 30 30|"; nocase; within:500; reference:url,malware-traffic-analysis.net/2016/01/26/index.html; classtype:trojan-activity; sid:2022479; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Compromised WP Feb 01 2016"; flow:established,from_server; file_data; content:"|5c 22 5d 5d 2e 6a 6f 69 6e 28 5c 22 5c 22 29 3b 22 29 29 3b 2f 2a|"; fast_pattern:2,20; pcre:"/^\s*[a-f0-9]{32}\s*\x2a\x2f/R"; reference:url,blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html; classtype:trojan-activity; sid:2022481; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG encrypted payload Feb 02 (1)"; flow:established,to_client; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022484; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing via GetGoPhish Phishing Tool"; flow:to_server,established; content:"GET"; http_method; content:"?rid="; http_uri; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}$/Ui"; reference:url,getgophish.com; classtype:trojan-activity; sid:2022486; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Phishing Attempt via GetGoPhish Phishing Tool"; flow:to_server,established; content:"POST"; http_method; content:"?rid="; http_header; fast_pattern; pcre:"/\?rid=[a-f0-9]{64}\x0d\x0a/Hi"; reference:url,getgophish.com; classtype:trojan-activity; sid:2022487; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 05 2016"; flow:established,to_server; content:"/?keyword="; http_uri; fast_pattern:only; pcre:"/\/\?keyword=(?:(?=[a-f]{0,31}[0-9])(?=[0-9]{0,31}[a-f])[a-f0-9]{32}|\d{5})$/U"; classtype:trojan-activity; sid:2022493; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Feb 07 2016"; flow:established,to_server; content:"/QrQ8Gr"; http_uri; urilen:7; classtype:trojan-activity; sid:2022496; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M1"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"id="; depth:3; nocase; http_client_body; content:"&password="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022497; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M2"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"fName="; depth:6; nocase; http_client_body; content:"&lName="; nocase; http_client_body; distance:0; content:"&ZIPCode="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022498; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 6th M3"; flow:to_server,established; content:"POST"; http_method; content:".php?token|3b|"; fast_pattern; http_uri; content:"ccNum="; depth:6; nocase; http_client_body; content:"&NameOnCard="; nocase; http_client_body; distance:0; content:"&CVV="; nocase; http_client_body; distance:0; classtype:trojan-activity; sid:2022499; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9]+\.jpg\?(?=[a-z0-9]*[A-Z]+[a-z0-9])[A-Za-z0-9]+=\d{1,4}$/U"; classtype:trojan-activity; sid:2022500; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016"; flow:established,to_server; urilen:15<>50; content:"MSIE 7.0|3b| Windows NT"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; content:!"="; http_uri; content:!"&"; http_uri; content:!"?"; http_uri; pcre:"/\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}\/(?=[a-z]{0,7}[0-9])(?=[0-9]{0,7}[a-z])[a-z0-9]{7,8}$/U"; content:!"Cookie|3a|"; classtype:trojan-activity; sid:2022503; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M1"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<!-- get the phone number"; nocase; fast_pattern:5,20; content:"//Flag we have not run the script"; nocase; distance:0; content:"//This is the scripting used to replace"; nocase; distance:0; content:"// alert the visitor with a message"; nocase; distance:0; content:"// Setup whatever you want for an exit"; nocase; distance:0; classtype:trojan-activity; sid:2022525; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"background-color|3a| #FF1C1C|3b|"; fast_pattern:6,20; nocase; content:"color|3a| #FFFFFF|3b|"; nocase; distance:0; content:"function countdown"; nocase; distance:0; content:"function updateTimer"; nocase; distance:0; classtype:trojan-activity; sid:2022526; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M3"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; fast_pattern:3,20; nocase; content:"src=|22|a1.mp4|22|"; nocase; distance:0; content:"To STOP Deleting Hard Drive"; nocase; distance:0; classtype:trojan-activity; sid:2022527; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Hard Drive Delete Scam Landing Feb 16 M4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function main_alert"; nocase; fast_pattern; content:"WARNING"; nocase; distance:0; content:"Your hard drive will be DELETED"; nocase; distance:0; content:"To Stop This Process"; nocase; distance:0; classtype:trojan-activity; sid:2022528; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Feb 17"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"keyframes poplzatvci"; fast_pattern; content:"#lzatvciovlwmiiqxbwxywuerkhtunrlvherk"; nocase; distance:0; classtype:trojan-activity; sid:2022530; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dridex DL Pattern Feb 18 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe?."; http_uri; fast_pattern:only; pcre:"/\.exe\?\.\d+$/U"; content:"MSIE 7.0|3b| Windows NT"; http_user_agent; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022549; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|o(?:sts?\/[a-z0-9]+|ny[a-z]*)|rogcicicic|m\d{1,2})|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|vchost[^\x2f]*|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|in(?:voice(?:\/[^\x2f]+|[^\x2f]*)|st\d+|fos?)|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|[\x2f\s]order|keem)\.exe$)/Ui"; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!".bitdefender.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2022550; rev:15;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 23 2016"; flow:established,from_server; file_data; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; content:"|29 7b 72 65 74 75 72 6e 20 4d 61 74 68 2e 72 6f 75 6e 64 28 28 28 28 28|"; distance:0; content:"|3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e|"; pcre:"/^\s+\d+\x3b\s*\}/R"; content:"|5d 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65|"; fast_pattern; classtype:trojan-activity; sid:2022565; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro EXE DL AlphaNumL"; flow:established,to_server; urilen:10<>40; content:".exe"; fast_pattern; http_uri; offset:5; pcre:"/\/(?=[0-9]*?[a-z]*?[a-z0-9)(?=[a-z0-9]*[0-9][a-z]*[0-9][a-z0-9]*\.exe)(?!setup\d+\.exe)[a-z0-9]{5,15}\.exe/U"; content:"Accept|3a 20|*/*|0d 0a|"; depth:13; http_header; content:"Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; content:!"Referer|3a|"; http_header; content:!".bloomberg.com|0d 0a|"; http_header; nocase; content:!"leg1.state.va.us"; http_header; nocase; classtype:trojan-activity; sid:2022566; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Feb 25 2016"; flow:established,from_server; file_data; content:"|36 31 2c 39 31 2c 33 34 2c 31 31 34 2c 31 31 38 2c 35 38 2c 34 39 2c 34 39 2c 33 34 2c 34 34 2c 33 34 2c 37 37 2c 38 33 2c 37 33 2c 36 39 2c 33 34 2c 34 34 2c 39 33 2c 35 39|"; content:"|39 39 2c 31 30 34 2c 39 37 2c 31 31 34 2c 36 37 2c 31 31 31 2c 31 30 30 2c 31 30 31 2c 36 35 2c 31 31 36|"; classtype:trojan-activity; sid:2022567; rev:2;) + +#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Landing Feb 26"; flow:to_server,established; content:"GET"; http_method; content:".html"; http_uri; content:"rackcdn.com|0d 0a|"; http_header; fast_pattern; pcre:"/^\/[a-zA-Z0-9]+\.html$/U"; pcre:"/\x0d\x0aHost\x3a\x20[a-f0-9]{20}-[a-f0-9]{32}\.r[0-9]{1,2}\.cf[0-9]\.rackcdn\.com\x0d\x0a/H"; classtype:trojan-activity; sid:2022574; rev:3;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M1 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"helpdesk"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022575; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M2 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorcode"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022576; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phishing Landing Obfuscation Mar 1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"%75%6E%65%73%63%61%70%65%3D%66%75%6E%63%74%69%6F%6E"; fast_pattern:31,20; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%32%36%22%2C%20%22%67%22%29%2C%20%22%26%22%29%3B"; distance:0; content:"%72%65%70%6C%61%63%65%28%6E%65%77%20%52%65%67%45%78%70%28%22%25%33%42%22%2C%20%22%67%22%29%2C%20%22%3B%22%29%3B"; distance:0; content:"%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65"; distance:0; content:"%72%65%70%6C%61%63%65%28%27%3C%21%2D%2D%3F%2D%2D%3E%3C%3F%27%2C%27%3C%21%2D%2D%3F%2D%2D%3E%27%29%29%3B"; distance:0; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022578; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 1"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"GRANT ALTER, ALTER ROUTINE"; distance:0; nocase; within:30; content:"TO root@% WITH"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022579; rev:1;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 2"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"set global log_bin_trust_function_creators=1"; fast_pattern:only; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022580; rev:1;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL Malicious Scanning 3"; flow:to_server; content:"|00 03|"; offset:3; depth:2; content:"select unhex("; fast_pattern; distance:0; content:"into dumpfile|20 27|"; distance:0; reference:url,isc.sans.edu/diary/Quick+Analysis+of+a+Recent+MySQL+Exploit/20781; classtype:bad-unknown; sid:2022581; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M1 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorfound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022591; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M2 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unattendedfile"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022592; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Domain M3 Mar 3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"internetsituation"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022593; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Landing - Data URI Inline Javascript Mar 7"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"data|3a|text/html|3b|"; fast_pattern; content:"|3b|base64,"; distance:0; within:21; pcre:"/^[^\x22|\x27]+<\s*?script(?:(?!<\s*?\/\s*?script).)+?data\x3atext\/html\x3b(?:charset=UTF-8\x3b)?base64\x2c/si"; reference:url,proofpoint.com/us/threat-insight/post/Obfuscation-Techniques-In-Phishing-Attacks; classtype:trojan-activity; sid:2022597; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam Mar 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; nocase; content:"function myFunction()"; pcre:"/^\s*?\{\s*?setInterval\s*?\(\s*?function/Rsi"; content:"alert2.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022602; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 8"; flow:established,from_server; file_data; content:"onload=|22|myFunction|28 29 3b 22|"; fast_pattern; nocase; content:"onclick=|22|myFunction|28 29 3b 22|"; nocase; content:"onkeydown=|22|myFunction|28 29 3b 22|"; nocase; content:"onunload=|22|myFunction|28 29 3b 22|"; nocase; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022603; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Enom Phish Mar 8"; flow:to_server,established; content:"POST"; http_method; content:"enom"; http_header; nocase; content:"ctl00_ScriptManager"; depth:19; nocase; fast_pattern; http_client_body; content:"user="; nocase; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; content:"Login=Login"; nocase; distance:0; http_client_body; reference:url,welivesecurity.com/2016/03/07/beware-spear-phishers-hijack-website/; classtype:trojan-activity; sid:2022604; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M1"; flow:established,from_server; file_data; content:"Callpixels"; fast_pattern; nocase; pcre:"/^\s*?\.\s*?Campaign\s*?\(\s*?\{\s*?campaign_key/Rsi"; content:"<audio"; nocase; pcre:"/^[^\r\n]+autoplay=[\x22\x27]autoplay/Rsi"; content:"TOLL FREE"; nocase; classtype:trojan-activity; sid:2022605; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M2"; flow:established,from_server; file_data; content:"//Flag we have not"; fast_pattern; nocase; content:"//The location of the page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; content:"//allow for the traffic source to send in their own default number"; nocase; distance:0; content:"//if no unformatted number just use it"; nocase; distance:0; classtype:trojan-activity; sid:2022606; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic Fake Support Phone Scam Mar 9 M3"; flow:established,from_server; file_data; content:"<title>ALERT"; fast_pattern; content:"makeNewPosition"; nocase; distance:0; content:"animateDiv"; nocase; distance:0; content:"div.fakeCursor"; nocase; distance:0; content:"<audio autoplay"; nocase; distance:0; classtype:trojan-activity; sid:2022607; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 9 M2"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function myFunction"; nocase; fast_pattern; content:"MICROSOFT COMPUTER HAS BEEN BLOCKED"; nocase; distance:0; content:"Windows System Alert"; nocase; distance:0; content:"Contact Microsoft"; nocase; distance:0; classtype:trojan-activity; sid:2022608; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Chase Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022615; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Apple Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022616; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible USAA Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022617; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Paypal Phishing Domain Mar 14"; flow:to_server,established; content:"GET"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2022618; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Mar 15"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security"; fast_pattern; nocase; content:"function DetectMobile"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"Please call"; nocase; distance:0; classtype:trojan-activity; sid:2022619; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; isdataat:!10,relative; classtype:trojan-activity; sid:2022620; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 15 2016 M2"; flow:established,to_server; content:"/track/k.track?wd="; http_uri; depth:18; content:"fid="; http_uri; content:"rds="; http_uri; classtype:trojan-activity; sid:2022621; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 15 2016"; flow:established,to_server; content:"/image/"; http_uri; depth:13; content:".exe"; http_uri; fast_pattern:only; pcre:"/^\/image\/(?:data|flags)\/[^\x2f]+\.exe$/Ui"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022622; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"suspiciousactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022625; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 18 2016"; flow:from_server,established; file_data; content:"|52 65 67 45 78 70 28 27|"; content:"|27 2b 27 3d 28 5b 5e 3b 5d 29 7b 31 2c 7d 27 29 3b|"; distance:32; within:17; content:"|3b 64 2e 73 65 74 44 61 74 65 28 64 2e 67 65 74 44 61 74 65 28 29 2b 31 29 3b|"; content:"|3c 69 66 72 61 6d 65|"; distance:0; classtype:trojan-activity; sid:2022628; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M1"; flow:established,from_server; file_data; content:"|2f 2a 67 6c 6f 62 61 6c 20 4a 53 4f 4e 32 3a 74 72 75 65 20 2a 2f|"; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; distance:0; content:"|77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; distance:0; classtype:trojan-activity; sid:2022629; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Mar 19 2016 M2"; flow:established,to_server; content:"/imp/one.trk?wid="; http_uri; classtype:trojan-activity; sid:2022630; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"errorunauthorized"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022631; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"drivercrashed"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022632; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 21 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"computer-is-locked"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022633; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Mar 22 2016"; flow:established,from_server; file_data; content:"|6d 6f 64 75 6c 65 2e 65 78 70 6f 72 74 73 2e 55 41 20 3d 20 55 41|"; content:"|2e 73 70 6c 69 74 28 22 2c 22 29 2c 20 69 3d 30 2c 20 6b 3b 20 66 6f 72 20 28 3b 20 6b 20 3d 20 61 5b 69 5d 2c 20 69 20 3c 20 61 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 72 2e 70 75 73 68 28|"; content:"|2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 20 7b 20 74 72 79 20 7b 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28|"; classtype:trojan-activity; sid:2022635; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unauthorized-transaction"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022648; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:trojan-activity; sid:2022649; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Dridex Binary Download Mar 23 2016"; flow:to_server,established; content:"GET"; http_method; content:"/dana/home.php"; http_uri; fast_pattern; content:"Accept|3a 20|*/*|0d 0a|Accept-Encoding|3a 20|gzip, deflate|0d 0a|"; http_header; content:"MSIE 7.0"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\/home\.php$/U"; reference:md5,2f32bf996e093d5a4107d6daa6c51ec4; classtype:trojan-activity; sid:2022650; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Flash Update Mar 23"; flow:established,to_client; file_data; content:"<title>Flash"; nocase; fast_pattern; content:"#prozor"; nocase; distance:0; content:"#dugme"; nocase; distance:0; content:"Latest version of Adobe"; nocase; distance:0; classtype:trojan-activity; sid:2022651; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil EXE download from WinHttpRequest non-exe extension"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:isset,et.MS.WinHttpRequest.no.exe.request; classtype:trojan-activity; sid:2022653; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE Feb 2016 (WinHTTPRequest)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; classtype:trojan-activity; sid:2022658; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"Cookie|3a|"; content:!"[DYNAMIC]"; http_header; pcre:"/^\/(?=[a-z][a-z\x2f]*\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d[a-z\x2f]+\d)[a-z0-9\x2f]+\/$/U"; classtype:trojan-activity; sid:2022666; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Mar 27 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z][a-z\x2f]*-[a-z\x2f]+-)[a-z\x2f-]+\/$/U"; classtype:trojan-activity; sid:2022682; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Evil Macro EXE DL mar 28 2016"; flow:established,to_server; content:"HEAD"; http_method; content:"User-Agent|3a 20|Microsoft BITS/7.5|0d 0a|"; http_header; fast_pattern:12,20; content:".exe"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/^Host\x3a\x20[^\r\n]+(?:xyz|pw)\r?$/Hmi"; reference:md5,d599a63fac0640c21272099f39020fac; classtype:trojan-activity; sid:2022686; rev:4;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"diskissue"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022690; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Mar 30 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"avirus"; fast_pattern; distance:0; nocase; content:!"|07|spotify|03|com"; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022691; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 1"; flow:established,to_client; file_data; content:"<title>SYSTEM ERROR WARNING"; fast_pattern; nocase; content:"function loadNumber"; nocase; distance:0; content:"campaign_key:"; nocase; distance:0; classtype:trojan-activity; sid:2022695; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"callasap"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022696; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Apr 4"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"catchControlKeys"; fast_pattern; content:"// Ctrl+U"; nocase; distance:0; content:"// Ctrl+C"; nocase; distance:0; content:"// Ctrl+A"; nocase; distance:0; content:"//e.cancelBubble is supported by IE"; nocase; distance:0; content:"//e.stopPropagation works in Firefox"; nocase; distance:0; classtype:trojan-activity; sid:2022697; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M1"; flow:established,to_server; content:"/2016/less/ing/frame.html"; http_uri; classtype:trojan-activity; sid:2022724; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK April 12 2016 M2"; flow:established,from_server; file_data; content:"|3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 76 61 72 20 6c 3d 27 68 74 74 70 3a|"; content:"|3b 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 27 2b 27 73 63 72 69 70 74 20 74 79 70 65 3d 5c 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 5c 27 20 73 72 63 3d 5c 27 27 2b 6c 2b 27 5c 27 3e 3c 27 2b 27 2f 73 63 72 69 70 74 3e 27 29 3b 3c 2f 73 63 72 69 70 74 3e|"; distance:0; classtype:trojan-activity; sid:2022725; rev:2;) + +alert tcp any !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain M3 Feb 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yourcomputer"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022739; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M1"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"unusualactivity"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022740; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M2"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"yoursystem"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022741; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M3"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"howcanwehelp"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022742; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M4"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"bluescreen"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022743; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M5"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"cloud-on"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022744; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Apr 18 M6"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"call-now"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00\x00\x01\x00\x01$/Rsi"; classtype:trojan-activity; sid:2022745; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 20 2016"; flow:established,to_server; urilen:5; content:"/get2"; http_uri; content:"bc3ad="; http_cookie; classtype:trojan-activity; sid:2022751; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 21 2016 M2"; flow:established,to_server; content:"/idx.aspx?sid="; http_uri; content:"&bcOrigin="; http_uri; content:"&rnd="; http_uri; distance:0; classtype:trojan-activity; sid:2022752; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016 (fbset)"; flow:established,to_server; urilen:11<>57; content:".js"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{2,20}\/[a-z]{2,20}\/(?:(?:(?:featur|quot)e|ip)s|d(?:ropdown|etect)|co(?:mpiled|re)|header|jquery|lang|min|ga)\.js$/U"; flowbits:set,ET.WordJS; flowbits:noalert; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022770; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 27 2016"; flow:established,from_server; flowbits:isset,ET.WordJS; content:"Content-Type|3a 20|text/html|3b 20|charset=utf-8|0d 0a|"; http_header; file_data; content:"<iframe"; within:7; fast_pattern; reference:url,research.zscaler.com/2016/01/music-themed-malvertising-lead-to-angler.html; classtype:trojan-activity; sid:2022771; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 28 2016"; flow:established,from_server; file_data; content:"|3d 22 5c 78 32|"; content:"|3d 22 5c 78 36|"; content:"|3d 22 5c 78 37|"; fast_pattern:only; content:"</span>"; content:!"<span>"; distance:-500; within:500; pcre:"/^\s*?<script>\s*?(?:[A-Za-z][A-Za-z\d+]+\s*?\+?=\s*(?:[A-Za-z][A-Za-z\d]+|[\x22\x27]\\x[2-7][0-9a-fA-F](?:\\x[2-7][0-9a-fA-F]){0,4}[\x22\x27])\s*?\x3b){20}/Rs"; reference:url,researchcenter.paloaltonetworks.com/2016/03/unit42-campaign-evolution-darkleech-to-pseudo-darkleech-and-beyond/; classtype:trojan-activity; sid:2022772; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Apr 29 2016"; flow:established,from_server; file_data; content:"|69 32 33 33 36 20 3d 3d 20 6e 75 6c 6c|"; nocase; fast_pattern:only; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 44 49 56 20 69 64 3d 63 68 65 63 6b 35 32 34 20 73 74 79 6c 65 3d 22 44 49 53 50 4c 41 59 3a 20 6e 6f 6e 65 22 3e|"; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d 22|"; classtype:trojan-activity; sid:2022774; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (delivered via e-mail)"; flow:established,from_server; file_data; content:"|3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 69 6e 6b 2d 70 72 6f 64 75 63 74 73 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 70 6c 65 61 73 65 2d 77 61 69 74 2e 67 69 66 22|"; nocase; fast_pattern:17,20; content:"|61 6c 74 3d 22 50 6c 65 61 73 65 20 77 61 69 74 2e 2e 2e 22 2f 3e|"; nocase; content:"|3c 69 66 72 61 6d 65 20 73 72 63 3d|"; nocase; classtype:trojan-activity; sid:2022779; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Fake Support Phone Scam May 10"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive Safety"; nocase; content:"myFunction()"; content:"Warning|3a| Internet Security Damaged"; content:"err.mp3"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:2022802; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK May 13 2016"; flow:established,from_server; file_data; content:"|3c 74 69 74 6c 65 3e 53 65 61 72 63 68 3c 2f 74 69 74 6c 65 3e|"; content:"|23 6c 6c 6c 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d|"; fast_pattern; content:"|3c 64 69 76 20 69 64 3d 22 6c 6c 6c 22 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; classtype:trojan-activity; sid:2022805; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL EXE May 2016 (Mozilla compatible)"; flow:established,to_server; content:"GET"; http_method; content:".exe"; http_uri; nocase; fast_pattern:only; content:"Mozilla/4.0|20|(compatible|3b|)"; http_header; content:"Accept|3a 20|*/*|0d 0a|"; http_header; pcre:"/(?:\/(?:(?:p(?:lugins\/content\/vote\/\.ssl\/[a-z0-9]|a(?:nel\/includes\/[^\x2f]+|tric)|osts?\/[a-z0-9]+|rogcicicic)|s(?:ystem\/(?:logs|engine)\/[^\x2f]+?|e(?:rv(?:au|er)|ct)|gau\/.*?|alam|ucks|can|ke)|(?=[a-z]*[0-9])(?=[0-9]*[a-z])(?!setup\d+\.exe$)[a-z0-9]{5,10}|a(?:d(?:min\/images\/\w+|obe)|salam|live|us)|m(?:edia\/files\/\w+|a(?:cros?|rch)|soffice)|d(?:o(?:c(?:\/[a-z0-9]+)?|ne)|bust)|(?:~.+?\/\.[^\x2f]+|\.css)\/.+?|in(?:voice\/[^\x2f]+|fos?)|c(?:onfig|hris|alc)|u(?:swinz\w+|pdate)|xml\/load\/[^\x2f]+|(?:[Dd]ocumen|ve)t|Ozonecrytedserver|w(?:or[dk]|insys)|t(?:mp\/.+?|est)|fa(?:cture|soo)|n(?:otepad|ach)|k(?:be|ey|is)|ArfBtxz|office|yhaooo|[a-z]|etna|link|\d+)\.exe$|(?:(?=[a-z0-9]*?[3456789][a-z0-9]*?[3456789])(?=[a-z0-9]*?[h-z])[a-z0-9]{3,31}\+|PasswordRecovery|RemoveWAT|Dejdisc|Host\d+|Msword)\.exe)|(?:^\/(?:image\/.+?\/[^\x2f]+|x\/setup)|keem)\.exe$)/Ui"; reference:md5,f29a3564b386e7899f45ed5155d16a96; classtype:trojan-activity; sid:2022830; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN May 2016 (No UA)"; flow:established,to_server; content:"GET"; http_method; content:"/system/"; depth:8; http_uri; nocase; fast_pattern; pcre:"/^\/system\/(?:cache|logs)\/[^\x2f]+\.(?:exe|dll|doc|bin)$/Ui"; content:!"Referer|3a 20|"; http_header; reference:md5,c6747ca29d5c28f4349a5a8343d6b025; classtype:trojan-activity; sid:2022834; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ReactorBot .bin Download"; flow:established,to_server; content:"GET"; http_method; content:"/cgi/"; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/cgi\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:!"kankan.com|0d 0a|"; http_header; content:!"aocdn.net"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2022841; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M4 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Official"; nocase; fast_pattern:2,20; content:"function stopNavigate"; nocase; distance:0; content:"<audio autoplay="; nocase; content:"autoplay"; nocase; distance:1; classtype:trojan-activity; sid:2022853; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M5 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// escape function context"; nocase; content:"// necessary to prevent infinite loop"; nocase; distance:0; content:"// that kills your browser"; nocase; distance:0; fast_pattern:6,20; content:"// pressing leave will still leave, but the GET may be fired first anyway"; nocase; distance:0; classtype:trojan-activity; sid:2022854; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M3 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Error"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert\s*\([\x22\x27]\s*Warning/Rsi"; classtype:trojan-activity; sid:2022855; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script to pull the number yet"; nocase; content:"// alert the visitor"; fast_pattern; nocase; distance:0; content:"// repeat alert, whatever you want them to see"; nocase; distance:0; content:"// end function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022856; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jun 3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function countdown"; nocase; content:"function loadNumber"; nocase; distance:0; content:"function main_alert"; nocase; distance:0; fast_pattern; content:"function repeat_alert"; nocase; distance:0; content:"function goodbye"; nocase; distance:0; classtype:trojan-activity; sid:2022857; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious BITS EXE DL Dotted Quad as Observed in Recent Cerber Campaign"; flow:to_server,established; content:"User-Agent|3a 20|Microsoft BITS/"; http_header; fast_pattern:6,20; content:".exe"; http_uri; nocase; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/H"; classtype:misc-activity; sid:2022858; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 03 2016"; flow:established,to_server; content:"/wordpress/?"; http_uri; depth:12; pcre:"/^\/wordpress\/\?[A-Za-z0-9]{4}(?:&utm_source=le)?$/U"; classtype:trojan-activity; sid:2022859; rev:5;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 06 2016"; flow:established,from_server; file_data; content:"|28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70|"; fast_pattern:77,20; content:"name=|27|"; distance:0; content:"|27|"; distance:12; within:1; content:"|20 77 69 64 74 68 3d 27 32 35 30 27 20 68 65 69 67 68 74 3d 27 32 35 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 22 29 3b|"; within:44; classtype:trojan-activity; sid:2022869; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS EXE Download from specific file share site (used in recent maldoc campaign)"; flow:to_server,established; content:".exe"; http_uri; content:"Host|3a 20|a.pomf.cat|0d 0a|"; http_header; fast_pattern; content:!"Referer|3a|"; http_header; reference:md5,c321f38862a24dc8a72a251616b3afdf; classtype:trojan-activity; sid:2022884; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD IE Flash request to set non-standard filename (some overlap with 2021752)"; flow:established,to_server; content:"x-flash-version|3a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; content:!"sync-eu.exe.bid"; http_header; classtype:trojan-activity; sid:2022894; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Xbagger Macro Encrypted DL Jun 13 2016"; flow:established,to_server; content:".jpg?"; http_uri; fast_pattern:only; content:"MSIE 7.0|3b| Windows NT"; http_header; content:"Range"; http_header; pcre:"/^\/[a-z0-9_-]+\.jpg\?[A-Za-z0-9]{2,10}=\d{1,4}$/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2022895; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016"; flow:established,to_server; content:".exe"; nocase; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:(?:(?:cien|pa)c|it)e|tream)|c(?:l(?:ick|ub)|ountry|ricket)|m(?:(?:aiso|e)n|o(?:bi|m))|p(?:r(?:ess|o)|arty|ink|w)|r(?:e(?:[dn]|view)|acing)|w(?:eb(?:site|cam)|in)|b(?:(?:outiq|l)ue|id)|d(?:ownload|ate|esi)|(?:accountan|hos)t|l(?:o(?:an|l)|ink)|t(?:rade|ech|op)|v(?:oyage|ip)|g(?:dn|b)|online|faith|kim|xyz)(?:\x3a\d{1,5})?\r?\n/Hmi"; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2022896; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 14 2016"; flow:established,from_server; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 64 69 76|"; within:20; pcre:"/^(?:\x20id=\x22\d+\x22)?\x20style=\x22(?=[^\x22\r\n]*top\x3a\x20-\d{3}px\x3b)(?=[^\x22\r\n]*left\x3a-\d{3}px\x3b)(?=[^\x22\r\n]*position\x3a\x20absolute\x3b)[^\x22\r\n]*\x22>\x20<iframe[^\r\n>]*><\x2f/R";content:"|69 27 2b 27 66 72 61 6d 65 3e 3c 2f 64 69 76 3e 27 29 3b|"; within:19; fast_pattern; isdataat:!4,relative; classtype:trojan-activity; sid:2022898; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jun 15 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|bc3ad="; fast_pattern:only; content:"campaigns"; http_cookie; classtype:trojan-activity; sid:2022904; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|application/x-javascript"; http_header; file_data; content:"data_receiver_url"; fast_pattern; nocase; content:"redirect_url"; nocase; distance:0; content:"current_page"; nocase; distance:0; content:"cc_data"; nocase; distance:0; content:"document"; nocase; distance:0; pcre:"/^\s*\.\s*location\s*\.\s*href\s*=\s*redirect_url/Rsi"; reference:url,myonlinesecurity.co.uk/very-unusual-paypal-phishing-attack/; classtype:trojan-activity; sid:2022905; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M1"; flow:established,to_server; content:"/js/analytic.php?id="; http_uri; fast_pattern:only; pcre:"/^\/js\/analytic\.php\?id=\d+&tz=\-?\d+&rs=\d+x\d+$/Ui"; classtype:trojan-activity; sid:2022909; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jun 22 2016 M2"; flow:established,from_server; file_data; content:"&tz=|27|+tzSignature()+|27|&rs=|27|+rsSignature()+"; fast_pattern:only; content:"document.write("; pcre:"/^[\x22\x27](?!<script)[\x22\x27+\s]*<[\x22\x27+\s]*s[\x22\x27+\s]*c[\x22\x27+\s]*r[\x22\x27+\s]*i[\x22\x27+\s]*p[\x22\x27+\s]*t[^\r\n]+\.php\?id=\d+&tz=\x27\+tzSignature\x28\x29\+\x27&rs=/R"; classtype:trojan-activity; sid:2022910; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jun 26 2016"; flow:established,from_server; file_data; content:"|2c 2d dd 4b 40 44 77 41|"; within:9; classtype:trojan-activity; sid:2022916; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M1"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Alert!"; nocase; http_header; distance:0; fast_pattern; content:"has been blocked"; http_header; nocase; classtype:trojan-activity; sid:2022925; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx508"; fast_pattern; nocase; content:"Warning_0001"; nocase; distance:0; classtype:trojan-activity; sid:2022926; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M3"; flow:to_server,established; content:"GET"; http_method; content:"your-computer-is-locked-"; nocase; http_uri; fast_pattern; content:"your-computer-is-locked-"; http_uri; distance:0; nocase; classtype:trojan-activity; sid:2022927; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jun 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"Warning|3a 20|Internet Security"; nocase; distance:0; classtype:trojan-activity; sid:2022928; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Pony DLL Download"; flow:established,to_server; content:"/pm"; http_uri; content:".dll"; http_uri; fast_pattern:only; pcre:"/\/pm\d?\.dll$/U"; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022939; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"/~"; http_uri; depth:2; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/\~[a-z]+\/(?:[a-z]+\/)*[a-z]+\.exe$/Ui"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"; reference:md5,a27bb6ac49f890bbdb97d939ccaa5956; classtype:trojan-activity; sid:2022940; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (dll generic custom headers)"; flow:established,to_server; content:".dll"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022941; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers)"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"GET"; http_method; content:"|0d 0a|accept-Encoding|3a 20|none|0d 0a|accept-Language|3a 20|en-US.q=0.8|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|"; http_header; content:"MSIE 7"; http_header; content:!"Referer|3a|"; content:!"Cookie|3a|"; reference:md5,62e7a146079f99ded1a6b8f2db08ad18; classtype:trojan-activity; sid:2022942; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Payload Jul 05 2016"; flow:established,from_server; file_data; content:"|3b 2d dd 4b 40 77 77 41|"; within:8; classtype:trojan-activity; sid:2022949; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown/Xer EK Landing Jul 06 2016 M1"; flow:established,from_server; content:"X-Powered-By|3a 20|Yugoslavian Business Network"; http_header; fast_pattern:12,20; content:"Content-Type|3a 20|text/html|3b|"; http_header; content:"nginx"; http_header; flowbits:set,SunDown.EK; reference:url,blog.talosintel.com/2016/10/sundown-ek.html; classtype:trojan-activity; sid:2023480; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jul 7"; flow:to_server,established; content:"GET"; http_method; content:".dill/?ip="; fast_pattern; nocase; http_uri; content:"&os="; http_uri; nocase; distance:0; content:"&browser="; http_uri; nocase; distance:0; content:"&isp="; http_uri; nocase; distance:0; classtype:trojan-activity; sid:2022954; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jul 7"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"default_number|3b|"; nocase; distance:0; content:"default_plain_number|3b|"; fast_pattern; nocase; distance:0; content:"plain_number|3b|"; nocase; distance:0; content:"loco_params|3b|"; nocase; distance:0; content:"loco|3b|"; nocase; distance:0; classtype:trojan-activity; sid:2022955; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 10 M2"; flow:established,from_server; file_data; content:"|76 61 72 20 66 72 61 67 6d 65 6e 74 20 3d 20 63 72 65 61 74 65 28 22 3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 33 30 30 70 78 3b 20 68 65 69 67 68 74 3a 20 33 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 3c 69 66 72 61 6d 65 20 73 72 63 3d 27 68 74 74 70 3a|"; classtype:trojan-activity; sid:2022956; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 10 M1"; flow:established,to_server; content:".js?chebstr=0."; http_uri; pcre:"/\.js\?chebstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022957; rev:2;) + +alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 12 2016"; flow:established,from_server; file_data; content:"|3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 2d 31|"; pcre:"/^\d{3}px\x3b\swidth\x3a3\d{2}px\x3b\sheight\x3a3\d{2}px\x3b\x22>[^<>]*?<iframe src=[\x22\x27][^\x22\x27]+[\x22\x27]\swidth=[\x22\x27]2\d{2}[\x22\x27]\sheight=[\x22\x27]2\d{2}[\x22\x27]><\/iframe>[^<>]*?\n[^<>]*?<\/span>/Rsi"; classtype:trojan-activity; sid:2022962; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Jul 13 2016 2"; flow:established,to_server; content:"POST"; http_method; content:".swf"; nocase; http_header; content:"|4d 61 6e 75 66 75 63 6b|"; nocase; http_client_body; content:"|4d 61 63 72 6f 77 69 6e|"; nocase; http_client_body; classtype:trojan-activity; sid:2022964; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Dropbox Phish Nov 20"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"mailtype="; depth:9; nocase; http_client_body; fast_pattern; content:"&Email"; distance:0; nocase; http_client_body; content:"&Passwd"; distance:0; nocase; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022967; rev:2;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious SMTP Settings in XLS - Possible Phishing Document"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-type|3a 20|application/vnd.ms-excel"; http_header; file_data; content:"/configuration/sendusing"; nocase; fast_pattern; content:"/configuration/smtpserver"; nocase; distance:0; content:"/configuration/smtpauthenticate"; nocase; distance:0; content:"/configuration/sendusername"; nocase; distance:0; content:"/configuration/sendpassword"; nocase; distance:0; reference:md5,710ea2ed2c4aefe70bf082b06b82818a; reference:url,symantec.com/connect/blogs/malicious-macros-arrive-phishing-emails-steal-banking-information; classtype:trojan-activity; sid:2022974; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish Jul 21 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&forgotPassword="; nocase; distance:0; http_client_body; content:"&lat="; nocase; distance:0; http_client_body; content:"&userName="; nocase; distance:0; http_client_body; fast_pattern; content:"&password="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022978; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bank of Oklahoma Phish Jul 21 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"__RequestVerificationToken="; depth:27; http_client_body; content:"&bankId="; fast_pattern; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&q1="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2022979; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M1"; flow:to_server,established; content:"GET"; http_method; content:"/your-computer-is-locked-call-us-at-tollfreenow"; fast_pattern:27,20; nocase; http_uri; content:"your-computer-is-locked-call-us-at-tollfreenow"; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2022980; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 21 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern; content:"beep.mp3"; nocase; distance:0; content:"function alertCall"; nocase; distance:0; content:"function alertTimed"; nocase; distance:0; content:"function alertLoop"; nocase; distance:0; classtype:trojan-activity; sid:2022981; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows Settings Phishing Landing Jul 22"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Windows Settings"; fast_pattern; nocase; distance:0; content:"Enter account password"; nocase; distance:0; classtype:trojan-activity; sid:2024098; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Maldoc Downloading EXE Jul 26 2016"; flow:established,to_server;content:!".exe"; http_uri; nocase; pcre:"/\/(?:[a-z0-9]+_){4,}[a-z0-9]+(?:\/[a-f0-9]+)*?\/[a-f0-9]+\.(?![Ee][Xx][Ee])[a-z0-9]+$/U"; content:"|3a 20|Microsoft BITS"; http_header; fast_pattern:only; content:!".microsoft.com|0d 0a|"; http_header; nocase; reference:md5,82fb5101847e734dd9b36f51f1fc73e3; classtype:trojan-activity; sid:2022983; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Mar 30 M3"; flow:established,to_client; file_data; content:"try "; content:"= new ActiveXObject"; distance:0; content:"catch"; distance:0; content:"=|20 22|Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi|22|,"; content:"=|20 22|Kaspersky.IeVirtualKeyboardPluginSm.JavascriptApi|22|,"; content:".location="; distance:0; classtype:trojan-activity; sid:2022984; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Jul 28 2016"; flow:established,to_client; content:"Set-Cookie|3a 20|yatutuzebil=1|3b|"; fast_pattern; content:"yatutuzebil"; http_cookie; classtype:trojan-activity; sid:2022990; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M1"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>errorx"; nocase; fast_pattern; content:"<audio autoplay"; nocase; distance:0; content:"setInterval"; nocase; pcre:"/^\s*\(\s*function\s*\(\s*\)\s*\{\s*alert/Ri"; classtype:trojan-activity; sid:2022991; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Google Security"; nocase; fast_pattern:2,20; content:"alertCall"; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; classtype:trojan-activity; sid:2022992; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"// this script is so you can get fields our of the URL"; fast_pattern:34,20; nocase; content:"CHECKS FULL PARAMETER NAME BEGIN OF"; distance:0; content:"// Firefox NS_ERROR_NOT_AVAILABLE"; distance:0; content:"// if delta less than 50ms"; nocase; distance:0; content:"// thus we need redirect"; nocase; distance:0; classtype:trojan-activity; sid:2022993; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Jul 29 M4"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"function loadNumber"; nocase; fast_pattern; content:"function doRedirect"; nocase; distance:0; content:"function randomString"; nocase; distance:0; content:"function leavebehind"; nocase; distance:0; content:"function myFunction"; nocase; distance:0; content:"function confirmExit"; nocase; distance:0; classtype:trojan-activity; sid:2022994; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading To EK Jul 30 M1"; flow:established,to_server; content:".js?chbstr=0."; http_uri; pcre:"/\.js\?chbstr=0\.\d+$/U"; classtype:trojan-activity; sid:2022995; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Aug1 2016"; flow:established,from_server; file_data; content:"|76 61 72 20 68 65 61 64 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 27 62 6f 64 79 27 29 5b 30 5d 3b 20 76 61 72 20 73 63 72 69 70 74 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 73 63 72 69 70 74 2e 73 72 63 3d 20 22 2f 2f|"; pcre:"/^[^\r\n\x22\?]+[&?][^=\r\n\x22]+=[a-f0-9]+[^\r\n\x22\?]*[&?][^=\r\n\x22]+=[a-f0-9]+\x22\s*\x3b\s*head\.appendChild\(\s*script\s*\)\x3b/R"; classtype:trojan-activity; sid:2022998; rev:2;) + +alert tcp $HOME_NET any -> [85.93.0.0/24,194.165.16.0/24,31.184.192.0/24] 80 (msg:"ET CURRENT_EVENTS EITest Flash Redirect Aug 09 2016"; flow:established,to_server; urilen:>20; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023036; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M1"; flow:to_server,established; content:"GET"; http_method; content:"/please-fix-immediately-"; nocase; fast_pattern:4,20; http_uri; content:"/index.html"; nocase; distance:0; http_uri; pcre:"/[A-Za-z0-9]{10,20}_14[0-9]{8,}\/index\.html$/Ui"; classtype:trojan-activity; sid:2023037; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Mozila Error"; fast_pattern; nocase; content:"<audio autoplay"; nocase; distance:0; content:"data|3a|image/png|3b|base64,"; nocase; classtype:trojan-activity; sid:2023038; rev:2;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M3"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>SYSTEM ERROR"; fast_pattern; nocase; content:"getURLParameter"; distance:0; content:"decodeURI"; distance:0; content:"loadNumber"; distance:0; content:"confirmExit"; distance:0; classtype:trojan-activity; sid:2023039; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M4"; flow:to_server,established; content:"GET"; http_method; content:".php?num="; fast_pattern; nocase; http_uri; content:"&country="; nocase; distance:0; http_uri; content:"&city="; nocase; distance:0; http_uri; content:"&os="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; classtype:trojan-activity; sid:2023040; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 10 M5"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Hacking Attack"; nocase; fast_pattern; content:"mozfullscreenerror"; nocase; distance:0; content:"toggleFullScreen"; distance:0; content:"addEventListener"; distance:0; content:"countdown"; nocase; classtype:trojan-activity; sid:2023041; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish Aug 9 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"name-re="; nocase; depth:8; fast_pattern; http_client_body; content:"&dob"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; content:"&is_valid_email"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023042; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Suspended Account Phish Aug 9 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"holdername="; nocase; depth:11; fast_pattern; http_client_body; content:"&numcard"; nocase; distance:0; http_client_body; content:"&ccv"; nocase; distance:0; http_client_body; content:"&donnee"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023043; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Apple Suspended Account Phishing Landing Aug 9"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Log in to my account"; nocase; fast_pattern:7,20; content:"iCloud"; distance:0; nocase; content:"disabled for security reasons"; distance:0; nocase; content:"confirm your account information"; distance:0; nocase; content:"account has been frozen"; distance:0; nocase; classtype:trojan-activity; sid:2023044; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel Online Phishing Landing Aug 9"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Excel Online"; nocase; fast_pattern; content:"someone@example.com"; nocase; distance:0; content:"password"; nocase; distance:0; flowbits:set,ET.GenericPhish_Excel; classtype:trojan-activity; sid:2023045; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Excel Online Phish Aug 9"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Excel; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023046; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Shared Document Phishing Landing Nov 19 2015"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"pagename=|22|login|22|"; nocase; content:"<title>Sign in - Adobe"; nocase; distance:0; fast_pattern:2,20; content:"password-revealer"; nocase; distance:0; flowbits:set,ET.GenericPhish_Adobe; reference:md5,ba42e59213f10f5c1bd70ce4813f25d1; classtype:trojan-activity; sid:2023047; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Generic Adobe Shared Document Phish Aug 11 2016"; flow:to_server,established; flowbits:isset,ET.GenericPhish_Adobe; content:"POST"; http_method; content:".php"; http_uri; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023048; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M1"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"script is so you can get fields our of the URL"; fast_pattern:26,20; nocase; content:"//Flag we have not run the script"; nocase; distance:0; content:"//The page that we will load on a second pop"; nocase; distance:0; content:"//figure out what to use for default number"; nocase; distance:0; classtype:trojan-activity; sid:2023051; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Aug 12 M2"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"#foxboxmsg"; fast_pattern; nocase; content:"getURLParameter"; nocase; distance:0; content:"default_number"; nocase; distance:0; content:"default_plain_number"; nocase; distance:0; content:"loco_params"; nocase; distance:0; classtype:trojan-activity; sid:2023052; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (err.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"err.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023055; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing (msg.mp3) Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<audio autoplay="; content:"<source src="; distance:0; content:"msg.mp3|22|"; fast_pattern; distance:0; content:"audio/mpeg"; distance:0; classtype:trojan-activity; sid:2023056; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Infect"; nocase; fast_pattern; content:"toggleFullScreen"; distance:0; content:"countdown"; distance:0; content:"twoDigits"; distance:0; classtype:trojan-activity; sid:2023057; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Aug 12 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"vendorName"; nocase; content:"alertCall"; fast_pattern; nocase; distance:0; content:"alertTimed"; nocase; distance:0; content:"setInterval"; nocase; distance:0; content:"alertLoop"; nocase; distance:0; content:"onkeydown"; nocase; distance:0; content:"e.ctrlKey"; nocase; distance:0; content:"e.keyCode"; nocase; distance:0; content:"onbeforeunload"; nocase; distance:0; classtype:trojan-activity; sid:2023058; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Excel Phish Aug 15 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:".php?cmd=login_submit"; http_header; nocase; fast_pattern; content:"login="; depth:6; nocase; http_client_body; content:"&passwd="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023061; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Email Storage Upgrade Phishing Landing Aug 15 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<TITLE>Login Authorization"; fast_pattern; nocase; content:"STORAGE UPGRADE"; nocase; distance:0; content:"Global Internet Administration!"; nocase; distance:0; classtype:trojan-activity; sid:2023062; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M1"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"ident="; fast_pattern; depth:6; nocase; http_client_body; content:"&ReadOut="; nocase; distance:0; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&nuum="; nocase; distance:0; http_client_body; content:"&xrypt="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023063; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Credit Agricole Phish Aug 15 2016 M2"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"nom="; depth:4; nocase; http_client_body; content:"&prenom="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pemail="; fast_pattern; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023064; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Square Enix Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"square-enix.com"; http_header; fast_pattern; content:!"square-enix.com|0d 0a|"; http_header; pcre:!"/^Referer\x3a[^\r\n]+square-enix\.com/Hmi"; classtype:trojan-activity; sid:2023065; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Bank of America Phishing Domain Aug 15 2016"; flow:to_server,established; content:"GET"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023066; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious HTTP Refresh to SMS Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv="; nocase; content:"refresh"; distance:1; within:8; pcre:"/^[^>]+url=sms\x3a/Rsi"; content:"url=sms|3a|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2023068; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SMS Fake Mobile Virus Scam Aug 16 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Protect your Computer"; nocase; fast_pattern; content:"Your Computer"; nocase; distance:0; content:"INFECTED"; distance:0; content:"Enter Your Number"; nocase; distance:0; content:"SCAN NOW</button>"; nocase; distance:0; classtype:trojan-activity; sid:2023069; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Netflix Phish Aug 17 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"firstName="; depth:10; nocase; fast_pattern; http_client_body; content:"&lastName="; nocase; http_client_body; distance:0; content:"&cardNumber="; nocase; http_client_body; distance:0; content:"&authURL="; nocase; http_client_body; distance:0; content:"&encryptedOaepLen="; nocase; http_client_body; distance:0; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023072; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Netflix Phishing Landing Aug 17 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Netflix"; nocase; fast_pattern; content:"Update Your Payment Information"; nocase; distance:0; content:"Please update your payment information"; nocase; distance:0; content:"not be charged for the days you missed"; nocase; distance:0; classtype:trojan-activity; sid:2023073; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Aug 17 2016"; flow:established,to_client; file_data; content:"|64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 69 66 27 2b 27 72 61 27 2b 27 6d 65 27 29 3b|"; nocase; fast_pattern:19,20; content:"|2e 73 74 79 6c 65 2e 70 6f 73 69 74 69 6f 6e 20 3d 20 27 61 62 27 2b 27 73 6f 6c 27 2b 27 75 74 65 27 3b|"; distance:0; nocase; content:"setAttribute"; nocase; pcre:"/^\s*\(\s*[\x22\x27]id[\x22\x27]\s*,\s*?(?P<var>[^,\x29\s\x3b]+)\s*\x29.*?\.appendChild\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2023074; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M1 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Virus Detected"; nocase; fast_pattern; content:"#loading-bar"; nocase; distance:0; content:"navigator.vibrate"; nocase; distance:0; content:"Download Now"; nocase; distance:0; content:"Download Now"; nocase; distance:0; classtype:trojan-activity; sid:2023079; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Mobile Virus Scam M2 Aug 18 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"navigator.vibrate"; fast_pattern:only; content:"getURLParameter"; content:"gotooffer"; nocase; distance:0; content:"brandmodel"; nocase; distance:0; content:"countDown"; nocase; distance:0; content:"PreventExitPop"; nocase; distance:0; classtype:trojan-activity; sid:2023080; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Google Drive Phishing Domain Aug 25 2016"; flow:to_server,established; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023092; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Suspicious Proxifier DL (non-browser observed in maldoc campaigns)"; flow:established,to_server; content:"/distr/Proxifier"; http_uri; nocase; depth:16; fast_pattern; content:!"User-Agent|3a|"; http_header; nocase; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:!"Cookie|3a|"; content:"proxifier.com|0d 0a|"; http_header; nocase; reference:md5,2a0728a6edab6921520a93e10a86d4b2; classtype:trojan-activity; sid:2023138; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2014-6332 Sep 01 2016 (HFS Actor) M2"; flow:established,from_server; content:"Server|3a 20|HFS|20|"; http_header; file_data; content:"|6f 62 6a 57 73 68 2e 72 75 6e 20 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 5c 70 75 74 74 79 2e 65 78 65 22|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023146; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK EITest Sep 02 M2"; flow:established,to_server; urilen:60<>250; content:!"="; http_uri; content:!"."; http_uri; content:!"?"; http_uri; content:"x-flash-version|3a|"; fast_pattern; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!"Cookie|3a|"; pcre:"/^\/(?=[a-z\d]+[+-][a-z\d]+[+-][a-z\d]+[+-])[a-z\d+-]*\/$/U"; classtype:trojan-activity; sid:2023150; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS iCloud Phishing Landing Sept 2 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>iCloud"; fast_pattern; nocase; content:"apple.com"; nocase; distance:0; content:"iCloud Settings"; nocase; distance:0; content:"<form"; nocase; distance:0; content:"method=|22|post|22|"; nocase; distance:0; classtype:trojan-activity; sid:2024230; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M1"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 31 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 34 31 29|"; classtype:trojan-activity; sid:2023151; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M2"; flow:established,to_client; file_data; content:"|43 68 72 28 39 39 29 20 26 20 43 68 72 28 31 30 34 29 20 26 20 43 68 72 28 31 31 34 29 20 26 20 43 68 72 28 31 31 39 29 20 26 20 43 68 72 28 34 30 29 20 26 20 43 68 72 28 35 30 29 20 26 20 43 68 72 28 34 39 29 20 26 20 43 68 72 28 35 35 29 20 26 20 43 68 72 28 35 34 29|"; classtype:trojan-activity; sid:2023152; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Encoded CVE-2014-6332 (As Observed in SunDown EK) M3"; flow:established,to_client; file_data; content:"|43 68 72 28 33 32 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 30 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 31 36 29 20 26 20 43 68 72 28 31 31 35 29 20 26 20 43 68 72 28 39 37 29 20 26 20 43 68 72 28 31 30 32 29 20 26 20 43 68 72 28 31 30 31 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 43 68 72 28 31 31 31 29 20 26 20 43 68 72 28 31 30 30 29 20 26 20 43 68 72 28 31 30 31 29|"; classtype:trojan-activity; sid:2023153; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Ebay Phishing Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|107sbtd9cbhsbtd5d80"; fast_pattern; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; sid:2023180; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Ebay Phish Sept 8 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"Host|3a 20|107SbTd9CBhSbT"; http_header; nocase; fast_pattern; content:"Referer|3a 20|http|3a 2f 2f|107sbtd9cbhsbt"; http_header; distance:0; content:"email"; nocase; http_client_body; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023181; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016 (Flash)"; flow:established,to_server; content:"/promo"; http_uri; nocase; depth:6; content:"/promo.swf?t="; http_uri; nocase; fast_pattern:only; pcre:"/^\/promo\d+(?:x\d+)?\/promo\.swf\?t=\d+$/Ui"; classtype:trojan-activity; sid:2023186; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 12 2016"; flow:established,from_server; content:"Set-Cookie|3a 20|CAMPAIGNE.REFERER_COOKIE="; fast_pattern:12,20; content:"CAMPAIGNE.REFERER_COOKIE="; http_cookie; classtype:trojan-activity; sid:2023187; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|25 32 32 25 37 30 25 36 66 25 37 33 25 36 39 25 37 34 25 36 39 25 36 66 25 36 65 25 33 61 25 32 30 25 36 31 25 36 32 25 37 33 25 36 66 25 36 63 25 37 35 25 37 34 25 33 62|"; nocase; classtype:trojan-activity; sid:2023188; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) M2 Sep 12 2016"; flow:established,from_server; file_data; content:"|25 33 62 25 36 36 25 36 39 25 36 63 25 37 34 25 36 35 25 37 32 25 33 61 25 36 31 25 36 63 25 37 30 25 36 38 25 36 31 25 32 38 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 64 25 33 30 25 32 39 25 33 62 25 32 30 25 32 64 25 36 64 25 36 66 25 37 61 25 32 64 25 36 66 25 37 30 25 36 31 25 36 33 25 36 39 25 37 34 25 37 39 25 33 61 25 33 30 25 33 62 25 32 32 25 33 65|"; nocase; classtype:trojan-activity; sid:2023189; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b641)"; flow:established,from_server; file_data; content:"RnVuY3Rpb24gbGVha01lbS"; classtype:attempted-admin; sid:2023190; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b642)"; flow:established,from_server; file_data; content:"Z1bmN0aW9uIGxlYWtNZW0g"; classtype:attempted-admin; sid:2023191; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b643)"; flow:established,from_server; file_data; content:"GdW5jdGlvbiBsZWFrTWVtI"; classtype:attempted-admin; sid:2023192; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b644)"; flow:established,from_server; file_data; content:"cHJlZml4ICYgIiV1MDAxNiV1NDE0MSV1NDE0MSV1NDE0MSV1NDI0MiV1NDI0Mi"; classtype:attempted-admin; sid:2023193; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b645)"; flow:established,from_server; file_data; content:"ByZWZpeCAmICIldTAwMTYldTQxNDEldTQxNDEldTQxNDEldTQyNDIldTQyNDIi"; classtype:attempted-admin; sid:2023194; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2016-0189 Exploit as Observed in Sundown/RIG EK (b646)"; flow:established,from_server; file_data; content:"wcmVmaXggJiAiJXUwMDE2JXU0MTQxJXU0MTQxJXU0MTQxJXU0MjQyJXU0MjQyI"; classtype:attempted-admin; sid:2023195; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 12 2016 T2"; flow:established,from_server; file_data; content:".split"; nocase; pcre:"/^\s*\(\s*[\x22\x27][\x00-\x09\x80-\xff][\x22\x27]\s*\)\s*\x3b\s*[A-Za-z0-9]+\s*=\s*[\x22\x27]/Rsi"; content:"|01 2e 02 3c 03 3e 04 3d 05 5c 22 06 5c 27 07 29|"; fast_pattern; within:16; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023196; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b641)"; flow:established,from_server; file_data; content:"KyAnPHBhcmFtIG5hbWU9Rmxhc2hWYXJzIHZhbHVlPSJpZGRxZD"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023198; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b642)"; flow:established,from_server; file_data; content:"sgJzxwYXJhbSBuYW1lPUZsYXNoVmFycyB2YWx1ZT0iaWRkcWQ9"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023199; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Sep 13 2016 (b643)"; flow:established,from_server; file_data; content:"rICc8cGFyYW0gbmFtZT1GbGFzaFZhcnMgdmFsdWU9ImlkZHFkP"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023200; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M1 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"Download Security Essentials"; nocase; fast_pattern; content:"Malicious Software Removal"; nocase; distance:0; content:"<audio"; content:"autoplay="; nocase; distance:0; content:"autoplay"; distance:1; nocase; content:"audio/mpeg"; nocase; distance:0; content:"getURLParameter"; content:"setTimeout"; distance:0; classtype:trojan-activity; sid:2023235; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M2 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Security Error"; nocase; fast_pattern; content:"+screen.availHeight"; nocase; distance:0; content:"screen.availWidth"; nocase; distance:0; content:"<audio"; content:"autoplay="; content:"autoplay"; distance:1; within:9; classtype:trojan-activity; sid:2023236; rev:2;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Fake AV Phone Scam Long Domain Sept 15 2016"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"issuefound"; fast_pattern; distance:0; nocase; pcre:"/^[a-z0-9\x02-\x50]{100,}\x00/Rsi"; classtype:trojan-activity; sid:2023237; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS PC Support Tech Support Scam Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>PC Support"; nocase; fast_pattern; content:"getParameterByName"; nocase; distance:0; content:"decodeURIComponent"; nocase; distance:0; content:"FormattedNumber"; nocase; distance:0; content:"showRecurringPop"; nocase; distance:0; classtype:trojan-activity; sid:2023238; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Tech Support Scam M3 Sept 15 2016"; flow:to_client,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:".chrome-alert"; nocase; content:"<title>"; nocase; distance:0; content:"Microsoft Official Support"; fast_pattern; nocase; distance:0; within:40; classtype:trojan-activity; sid:2023239; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016"; flow:established,from_server; file_data; content:"|29 2b 22 2e 49 65 56 22 2b|"; fast_pattern; content:"|29 2b 22 58 4f 22 2b|"; content:"|6e 65 77 20 77 69 6e 64 6f 77 5b 22 41 22 2b|"; content:"|29 7b 72 65 74 75 72 6e|"; content:"|2e 74 6f 53 74 72 69 6e 67|"; classtype:trojan-activity; sid:2023248; rev:2;) + +alert http $HOME_NET any -> [31.184.192.0/19] 80 (msg:"ET CURRENT_EVENTS Possible EITest Flash Redirect Sep 19 2016"; flow:established,to_server; urilen:1; content:"x-flash-version|3a 20|"; http_header; content:!"/crossdomain.xml"; http_header; content:!".swf"; http_header; nocase; content:!".flv"; http_header; nocase; content:!"[DYNAMIC]"; http_header; content:!".swf"; nocase; http_uri; content:!".flv"; nocase; http_uri; content:!"/crossdomain.xml"; http_uri; content:!"|0d 0a|Cookie|3a|"; classtype:trojan-activity; sid:2023249; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject)"; flow:established,from_server; file_data; content:"3a-20-61-62-73-6f-6c-75-74-65-3b-7a-2d-69-6e-64-65-78-3a-2d-31-3b"; nocase; classtype:trojan-activity; sid:2023250; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 19 2016 (EItest Inject) M2"; flow:established,from_server; file_data; content:"|32 32 2d 36 66 2d 37 30 2d 36 31 2d 37 31 2d 37 35 2d 36 35 2d 32 32 2d 32 66 2d 33 65 2d 33 63 2d 32 66 2d 36 66 2d 36 32 2d 36 61 2d 36 35 2d 36 33 2d 37 34 2d 33 65 2d 30 64 2d 30 61 2d 33 63 2d 32 66 2d 36 34 2d 36 39 2d 37 36 2d 33 65 22 2e 72 65 70 6c 61 63 65 28 2f 2d 2f 67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65|"; nocase; classtype:trojan-activity; sid:2023251; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 20 2016"; flow:established,from_server; file_data; content:"Base64.encode(rc4("; nocase; fast_pattern; content:"+|22 3a|timeDelta|2c 22|+"; nocase; content:"cfg.key|29 29|"; nocase; distance:0; pcre:"/^[\x3b\x2c]postRequest\x28cfg\.urlSoftDetectorCallback/Ri"; classtype:trojan-activity; sid:2023252; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SunDown EK Flash Exploit Sep 22 2016"; flow:established,to_server; content:".swf"; http_uri; content:"/index.php?"; http_header; pcre:"/^\/\d+\/\d+\.swf$/U"; pcre:"/Referer\x3a\x20http\x3a\x2f\x2f[^\r\n\x2f]+\/index\.php\?[^\x3d&]+=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}==|[A-Za-z0-9_-]{3}=)?\r\n/H"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023270; rev:4;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"LGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdIF";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023271; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"pdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NVEX";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023272; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK NOP Sled Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGZ4NWpdLGYUJ";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023273; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"x7soyTdaNq94NWpdLGZ4NWpd";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023274; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"MlADchNaR0LGZ4NWpdLGZ4N";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023275; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Slight Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"azTEhyWNbKGpdLGZ4NWpdLG";flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023276; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"wSNfF6IsxmIHAD8ewTEVACMiwT0d"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023277; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"IaOoM9BCQ9FnEgy6IoITEaz6Iex"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023278; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2015-0016 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"9xb4GwTUbwUQoyD09AFIox7g9y6"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023279; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"yTEsz98oyHssxnxc"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023280; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"coBDgMAD9lBCQmN"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023281; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2016-0189 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"hADUiGDEgPTUbAa"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023282; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b641)"; flow:established,from_server; file_data; content:"ATUazSM9vDcoOnUbxnU4Oncoynw9z"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023283; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b642)"; flow:established,from_server; file_data; content:"Isx7sawSohAH4sxmQsvH4hAD4mwT"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023284; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK CVE-2013-2551 Sep 22 2016 (b643)"; flow:established,from_server; file_data; content:"pBCMlx6I4yTFfBCQbBCpfyTEfA6Il"; flowbits:set,SunDown.EK; classtype:trojan-activity; sid:2023285; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK Sep 26 2016"; flow:established,from_server; file_data; content:"document.write"; within:14; pcre:"/^\s*\x28\s*[\x22\x27]<div\s*style\s*=\s*[\x22\x27](?=[^\x22\x27\r\n]*position\x3aabsolute\x3b)(?=[^\x22\x27\r\n]*top\x3a\s\-\d+px\x3b)(?=[^\x22\x27\r\n]*left\x3a\s0px\x3b)[^\r\n]*?<iframe[^\r\n>]*\s><\/i[\x22\x27]\+[\x22\x27]frame>[^\r\n]*<\/div>[\x22\x27]\s*\x29\x3b$/R"; content:"|3c 2f 69 27 2b 27 66 72 61 6d 65 3e|"; fast_pattern:only; classtype:trojan-activity; sid:2023302; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Sep 26 2016 T2"; flow:established,from_server; file_data; content:"|6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; pcre:"/^\s*\x27[^\x27]+\x27width=\x27250\x27\sheight=\x27250\x27>\s*<\/iframe>\s*<\/div>/R"; classtype:trojan-activity; sid:2023303; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest Inject (compromised site) Sep 12 2016"; flow:established,from_server; file_data; content:"|67 2c 20 22 25 22 29 3b 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 64 65 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74|"; content:"3c"; nocase; distance:-242; within:200; pcre:"/^(?P<split>.{1,10})2f(?P=split)64(?P=split)69(?P=split)76(?P=split)3e(?P=split)?[^\x22\x27]*[\x22\x27]\.replace\s*\(\s*[\x22\x27]?\/(?P=split)\/g[\x22\x27]?\s*,\s*[\x22\x27]\x25[\x22\x27]\s*\x29\s*\x3b/Ri"; classtype:trojan-activity; sid:2023307; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK (EITest Inject) Oct 03 2016"; flow:established,from_server; file_data; content:"|25 75 30 30 33 64 25 75 30 30 36 63 25 75 30 30 33 33 25 75 30 30 35 33|"; content:"|73 72 63 20 3d 20 75 6e 65 73 63 61 70 65|"; classtype:trojan-activity; sid:2023312; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Exploit Likely SunDown EK"; flow:established,from_server; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"9090909090909090909090909090909090909090EB"; classtype:trojan-activity; sid:2023313; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SunDown EK Landing Oct 03 2016"; flow:from_server,established; file_data; content:"|28 65 78 70 6c 6f 69 74 29|"; content:"|2e 65 78 65 63 28 69 6e 70 75 74 29 29 7b 72 65 74 75 72 6e 2d 31 7d 69 6e 70 75 74 3d 69 6e 70 75 74 2e 72 65 70 6c 61 63 65|"; content:"|6b 65 79 53 74 72|"; classtype:trojan-activity; sid:2023314; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:to_server,established; urilen:5<>10; content:"GET"; http_method; pcre:"/^\/(?=[a-z]*[0-9][a-z-0-9]*$)(?=[0-9]*[a-z][a-z-0-9]*$)[a-z0-9]{5,8}$/U"; content:!"Cookie|3a 20|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_header; fast_pattern:37,20; content:"Accept|3a|"; http_header; content:"Accept-Encoding"; http_header; flowbits:set,ET.LockyDL; flowbits:noalert; classtype:trojan-activity; sid:2023315; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Locky AlphaNum Downloader Oct 3 2016"; flow:from_server,established; flowbits:isnotset,ET.http.binary; flowbits:isset,ET.LockyDL; content:"ETag|3a|"; http_header; content:!"Content-Disposition|3a|"; http_header; content:!"Cookie|3a|"; content:"Content-Length|3a 20|1"; http_header; fast_pattern:only; pcre:"/^Content-Length\x3a\x201[6-8]\d{4}\r?$/Hm"; file_data; content:!"MZ"; within:2; content:!"PK"; within:2; content:!"GIF"; within:3; content:!"|FF D8 FF|"; within:3; content:!"CWS"; within:3; content:!"ZWS"; within:3; pcre:"/^.{4}[\x0a-\x7f]{0,100}[\x00-x09\x80-\xff]/s"; classtype:trojan-activity; sid:2023316; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful WeTransfer Phish Oct 04 2016"; flow:to_server,established; content:"POST"; http_method; content:".php?cmd="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&session="; nocase; http_uri; content:"provider="; depth:9; nocase; http_client_body; fast_pattern; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&phone="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023964; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Oct 10 2016"; flow:to_server,established; content:"POST"; http_method; content:"/save.asp"; nocase; http_uri; fast_pattern; content:"apple"; http_header; content:"u="; depth:2; nocase; http_client_body; content:"&p="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023592; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016"; flow:established,from_server; file_data; content:"=l3S"; fast_pattern; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:"document.createElement|28 22|iframe|22 29 3b|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/\?[^=&\x22\x27]+=l3S/Ri"; classtype:trojan-activity; sid:2023343; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016"; flow:established,from_server; content:"nginx"; http_header; pcre:"/^Content-Length\x3a\x20\d{2,3}\r?$/Hmi"; file_data; content:"document.write|28|"; within:15; pcre:"/^(?=[^\n>]*position\x3aabsolute)(?=[^\n>]*top\x3a\x20-\d+px\x3b)[^\n]*<iframe(?=[^\n>]*width=\d{3})(?=[^\n>]*height=\d{3})[^\n>]*src=[\x22\x27]http[^\n>]+\s*>\s*/R"; content:"</|27|+|27|iframe>"; within:12; fast_pattern; pcre:"/^[^\n]*\x29\x3b$/R"; classtype:trojan-activity; sid:2023352; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Oct 19 2016 T2"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|"; http_header; content:"nginx"; http_header; file_data; content:"var"; within:3; pcre:"/^\s*(?P<var>[^\r\n\s\x3d\x2c\x3b]+)\s*=[^\n]*<iframe(?=[^\n>]*top\x3a-\d+px\x3b)[^\n>]+src\s*=\s*\x5c?[\x22\x27]http[^\n>]+>\s*<\/iframe>\x22\x3bdocument\.write\((?P=var)\)\x3b\s*$/R"; content:"</iframe>|22 3b|document.write"; fast_pattern; classtype:trojan-activity; sid:2023353; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI struct Oct 24 2016 (RIG-v)"; flow:established,to_server; content:"/?"; http_uri; depth:2; content:"q="; http_uri; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/(?=.*?[&?][a-z]{2}_[a-z]{2}=\d+(?:&|$))(?=.*?[&?]q=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$))(?=.*?[&?]oq=(?:[A-Za-z0-9_-]{4})*(?:[A-Za-z0-9_-]{2}|[A-Za-z0-9_-]{3})+(?:&|$)).*?[&?][a-z]{3}=[A-Za-z_]{3,20}(?=[a-z\d]*\x2e)(?=[a-z\x2e]*\d)[a-z\d\x2e]+(?:&|$)/U"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2023401; rev:5;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Tor Module Download"; flow:established,to_server; content:"/tor/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept"; http_header; content:"Content-Type|3a 20|application/x-www-form-urlencoded"; http_header; pcre:"/\/tor\/[^\x2f\x2e]+(?:32|64)\.dll$/Ui"; reference:md5,dacbf4c26c5642c29e69e336e0f111f7; classtype:trojan-activity; sid:2023471; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing Oct 31 2016"; flow:established,from_server; file_data; content:".controlurl"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".schematype"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".csrf"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:".port"; nocase; pcre:"/^[\s\x2c\x3b]/Rs"; content:"upnp"; nocase; content:" ip"; nocase; pcre:"/^\s*=\s*[\x22\x27]?(?:10|127|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\./R"; classtype:attempted-admin; sid:2023473; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 01 2016"; flow:established,from_server; file_data; content:"|5c 78 35 63 5c 78 36 62 5c 78 36 31 5c 78 37 33 5c 78 35 66 5c 78 36 35 5c 78 36 65 5c 78 36 37 5c 78 36 39 5c 78 36 65 5c 78 36 35 5c 78 32 65 5c 78 36 34 5c 78 36 63 5c 78 36 63 5c 78 32 66 5c 78 32 33 5c 78 33 32 5c 78 33 34 5c 78 32 66 5c 78 33 32 5c 78 32 32 5c 78 37 64|"; nocase; classtype:trojan-activity; sid:2023474; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M2"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text/javascript|22|>"; pcre:"/^\s*var\s*(?P<var>[^\s=]+)\s*=\s*document.createElement\(\s*[\x22\x27]iframe[\x22\x27](?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023482; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M1 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"username="; depth:9; nocase; http_client_body; content:"&login.x="; nocase; distance:0; http_client_body; content:"&login.y="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023487; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tesco Bank Phish M2 Nov 08 2016"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"1="; depth:2; nocase; http_client_body; content:"&password="; nocase; distance:0; http_client_body; content:"&cvv1="; nocase; distance:0; http_client_body; content:"&mobile1="; nocase; distance:0; http_client_body; content:"&next"; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023488; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Cartasi Phishing Domain Nov 8"; flow:to_server,established; content:"GET"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023495; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK Nov 15 2016"; flow:established,from_server; file_data; content:"<iframe src=|22|http|3a 2f 2f|"; pcre:"/^[a-z0-9_-]+\.(?=[0-9_-]*[A-Z])[A-Z0-9_-]+\.[^\x22]+\x22\s/R"; content:"|77 69 64 74 68 3d 22 31 22 20 68 65 69 67 68 74 3d 22 31 22 20 73 74 79 6c 65 3d 22 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 6c 65 66 74 3a 2d 31 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e|"; within:67; fast_pattern:47,20; classtype:trojan-activity; sid:2023513; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M3"; flow:established,from_server; file_data; content:"oq="; fast_pattern:only; content:"|22|frameBorder|22 2c 20 22|0|22|"; nocase; content:" document.body.appendChild"; nocase; content:"http|3a 2f 2f|"; nocase; pcre:"/^[^\x2f\x22\x27]+\/(?=[^\x22\x27]*?[?&]oq=[A-Za-z0-9+\x2f_-]+(?:[\x22\x27]|&))(?=[^\x22\x27]*?[&?][a-z]+_[a-z]+=\d+)(?=[^\x22\x27]*?[&?]q=)/Ri"; classtype:trojan-activity; sid:2023547; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious JS.Nemucod to PS Dropping PE Nov 14 M2"; flow:to_server,established; content:"GET"; http_method; content:".php?f="; http_uri; fast_pattern:only; content:!"Referer"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_header; pcre:"/^\/\w+\.php\?f=[a-z]?\d{1,3}(?:\.(?:dat|gif))?$/U"; reference:md5,551c440d76be5ab9932d8f3e8f65726e; classtype:trojan-activity; sid:2023754; rev:6;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS XBOOMBER Paypal Phishing Landing Nov 28 2016"; flow:established,from_server; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<form method=|22|post|22|"; nocase; content:"action=|22|websc"; nocase; within:150; content:".php?SessionID-xb="; fast_pattern; nocase; distance:0; within:50; classtype:trojan-activity; sid:2023557; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful XBOOMBER Paypal Phish Nov 28 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websc-"; nocase; http_uri; content:".php?SessionID-xb="; nocase; http_uri; fast_pattern; within:40; classtype:trojan-activity; sid:2023558; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M1 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#24/"; pcre:"/^#?\d+/R"; content:".exe"; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023586; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer Information Disclosure Vuln as Observed in RIG EK Prefilter M2 Dec 06"; flow:established,from_server; file_data; content:"res|3a 2f 2f|"; nocase; fast_pattern:only; content:"/#16/"; pcre:"/^#?\d+/R"; content:".exe"; nocase; content:"|5c 5c|Progra"; nocase; classtype:trojan-activity; sid:2023587; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Linkedin Phishing Domain Dec 09 2016"; flow:to_server,established; content:"GET"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023596; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Common Phishing Redirect Dec 13 2016"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Page Redirection"; nocase; fast_pattern:3,20; content:"don't tell people to `click` the link"; nocase; distance:0; content:"just tell them that it is a link"; nocase; distance:0; content:!"location.hostname"; nocase; classtype:trojan-activity; sid:2023638; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Edge SmartScreen Page Spoof Attempt Dec 16 2016"; flow:from_server,established; file_data; content:"ms-appx-web|3a|//"; fast_pattern; nocase; content:"microsoftedge"; nocase; distance:0; content:"/assets/errorpages/"; nocase; distance:0; content:"BlockedDomain="; nocase; distance:0; reference:url,www.brokenbrowser.com/spoof-addressbar-malware/; classtype:trojan-activity; sid:2023657; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M1 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"p="; depth:2; nocase; http_client_body; content:"&a2="; nocase; distance:0; http_client_body; content:"&agencia="; nocase; distance:0; http_client_body; content:"&a1="; nocase; distance:0; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; fast_pattern; content:"&aa="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&age="; nocase; distance:0; http_client_body; content:"&ir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023696; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Bradesco Bank Phish M2 Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?"; nocase; http_uri; content:"agencia="; depth:8; nocase; http_client_body; content:"&conta="; nocase; distance:0; http_client_body; content:"&digito="; nocase; distance:0; http_client_body; content:"&entrada_1="; nocase; distance:0; http_client_body; fast_pattern; content:"&entrada_2="; nocase; distance:0; http_client_body; content:"&entrada_3="; nocase; distance:0; http_client_body; content:"&entrada_4="; nocase; distance:0; http_client_body; content:"&looking1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023697; rev:4;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful National Bank Phish Jan 05 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"redirect="; depth:9; nocase; http_client_body; content:"&txtState="; nocase; distance:0; http_client_body; content:"&txtCount="; nocase; distance:0; http_client_body; content:"&txtOneTime="; nocase; distance:0; http_client_body; content:"&Account_ID="; nocase; distance:0; http_client_body; content:"&active_Password="; nocase; distance:0; http_client_body; fast_pattern; content:"&Submit="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023698; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Jan 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"<meta name=|22|description|22 20|content=|22 78 50 61 79 50 61 6c 5f 32 30 31 37|"; content:"|43 61 5a 61 4e 6f 56 61 31 36 33|"; within:50; fast_pattern; classtype:trojan-activity; sid:2023712; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]*type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]*name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]*value\s*=\s*[\x22\x27][A-Za-z0-9+/]+[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023742; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M1"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65 2e 77 65 62 73 74 6f 72 65|"; nocase; content:"|2e 6d 61 74 63 68 28 2f 3e 28 5c 77 3f 5c 73 3f 2e 2a 3f 29 3c 2f 67 29|"; nocase; fast_pattern:only; content:"|5b 69 5d 2e 72 65 70 6c 61 63 65 28 65 76 61 6c 28|"; content:"unescape"; nocase; pcre:"/^\s*\([^\x29]*(?:\%2F|\/)(?:\%5B|\[)(?:\%5E|^)(?=[^\x29]*(?:%3C|\<))(?=[^\x29]*(?:%3E|\>))(?=[^\x29]*(?:\%5C|\\)(?:\%6E|n))/Rsi"; classtype:trojan-activity; sid:2023743; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 M2"; flow:established,from_server; file_data; content:"|69 6e 66 6f 6c|"; fast_pattern:only; content:"|77 69 6e 64 6f 77 2e 63 68 72 6f 6d 65|"; nocase; content:"<input"; nocase; pcre:"/^(?=[^>]+type\s*=\s*[\x22\x27]hidden[\x22\x27])(?=[^>]+name\s*=\s*[\x22\x27]infol[\x22\x27])[^>]+value\s*=\s*[\x22\x27](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)[\x22\x27]/Rsi"; content:"<form"; nocase; pcre:"/^(?=[^>]+action\s*=\s*[\x22\x27]http\x3a\x2f)[^>]+method\s*=\s*[\x22\x27]post[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2023744; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Chrome_Font.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Chrome_Font\.exe/Hmi"; classtype:trojan-activity; sid:2023745; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK EITest Inject Oct 17 2016 M4"; flow:established,from_server; file_data; content:"|75 74 65 28 22 66 72 61 6d 65 42 6f 72 64 65 72 22 2c 20 22 30|"; fast_pattern:only; content:"<script type=|22|text|2f|"; pcre:"/^(?:rocket|java)script\x22>\s*var\s*(?P<ifr>[^\s=]+)\s*=\s*[\x22\x27]iframe[\x22\x27].*?\s*var\s*(?P<var>[^\s=]+)\s*=\s*document\.createElement\(\s*(?P=ifr)(?=.+?(?P=var)\.frameBorder\s*=\s*[\x22\x27]0[\x22\x27])(?=.+?document\.body\.appendChild\(\s*(?P=var)\s*\)).+?(?P=var)\.setAttribute\s*\(\s*[\x22\x27]frameBorder[\x22\x27]\s*,\s*[\x22\x27]0[\x22\x27]\s*\)\s*\x3b/Rsi"; classtype:trojan-activity; sid:2023748; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M1 Jan 20 2017"; flow:from_server,established; content:"401"; http_stat_code; content:"WWW-Authenticate|3a 20|Basic realm=|22|"; nocase; http_header; content:"Warning|3a|"; nocase; http_header; distance:0; fast_pattern; content:"Call Microsoft"; http_header; nocase; classtype:trojan-activity; sid:2023751; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing M2 Jan 20 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Error Hard Drive"; nocase; fast_pattern:3,20; content:"background-color|3a 20|#FF0000"; nocase; distance:0; classtype:trojan-activity; sid:2023752; rev:2;) + +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Jan 24"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Windows Official Support"; fast_pattern; nocase; content:"This Is A Critical Warning"; nocase; distance:0; classtype:trojan-activity; sid:2023757; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple iCloud Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"usuario="; depth:8; nocase; http_client_body; content:"&contrasena="; nocase; distance:0; http_client_body; content:"&hdtxt="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023758; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Generic Paypal Phish Jan 23 2016"; flow:to_server,established; content:"POST"; http_method; content:"/websrc"; http_uri; fast_pattern; content:"email"; nocase; http_client_body; content:"|25|40"; http_client_body; distance:0; content:"pass"; nocase; distance:0; http_client_body; pcre:"/\/websrc$/U"; classtype:trojan-activity; sid:2023759; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Jan 23 2017"; flow:to_server,established; content:"POST"; http_method; content:"locale.x="; depth:9; nocase; http_client_body; content:"&processSignin="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023760; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Broken/Filtered RIG EK Payload Download"; flow:established,from_server; content:"Content-Type|3a 20|application/x-msdownload|0d 0a|"; http_header; content:"Content-Length|3a 20|3|0d 0a|"; http_header; fast_pattern; file_data; content:"|3d 28 28|"; within:3; isdataat:!1,relative; classtype:trojan-activity; sid:2023768; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&ROLLOUT="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023770; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Wells Fargo Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"card_num="; depth:9; nocase; http_client_body; content:"&full_name="; nocase; distance:0; http_client_body; content:"&ssn_num="; nocase; distance:0; http_client_body; fast_pattern; content:"&j_password="; nocase; distance:0; http_client_body; content:"&userPrefs="; nocase; distance:0; http_client_body; content:"&jsenabled="; nocase; distance:0; http_client_body; content:"&origin="; nocase; distance:0; http_client_body; content:"&screenid="; nocase; distance:0; http_client_body; content:"&ndsid="; nocase; distance:0; http_client_body; pcre:"/\.php$/U"; classtype:trojan-activity; sid:2023771; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Find My iPhone Phish (SP) Jan 30 2017"; flow:from_server,established; file_data; content:"<title>Buscar iPhone"; fast_pattern; content:"<div class=|22|icloud"; nocase; distance:0; content:"Buscar iPhone"; nocase; distance:0; content:"<div class=|22|error"; nocase; distance:0; classtype:trojan-activity; sid:2023772; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"cusd="; depth:5; nocase; http_client_body; content:"&tbNickname="; nocase; distance:0; http_client_body; fast_pattern; content:"&ddCIF="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023773; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?SecureToken="; http_header; content:"&fill="; http_header; distance:0; content:"PIN="; depth:4; nocase; http_client_body; fast_pattern; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023774; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Ebay Phishing Domain Jan 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023775; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phish Jan 30 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023776; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Inject Jan 15 2017 EXE Download"; flow:established,from_server; content:"Font_Update.exe"; http_header; nocase; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+filename\s*=\s*[\x22\x27]?Font_Update\.exe/Hmi"; reference:url,www.proofpoint.com/us/threat-insight/post/EITest-Nabbing-Chrome-Users-Chrome-Font-Social-Engineering-Scheme; reference:url,blog.brillantit.com/exposing-eitest-campaign; classtype:trojan-activity; sid:2023817; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Discover Phishing Domain Feb 02 2017"; flow:to_server,established; content:"GET"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"Referer|3a 20|"; http_header; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; threshold: type limit, count 1, track by_src, seconds 30; classtype:trojan-activity; sid:2023819; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Chase Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"chase.com"; http_header; fast_pattern; content:!"chase.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+chase\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023820; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Apple Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"apple.com"; http_header; fast_pattern; content:!"apple.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+apple\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023821; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful USAA Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"usaa.com"; http_header; fast_pattern; content:!"usaa.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+usaa\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023822; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Paypal Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"paypal.com"; http_header; fast_pattern; content:!"paypal.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+paypal\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023823; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Bank of America Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"bankofamerica.com"; http_header; fast_pattern; content:!"bankofamerica.com|0d 0a|"; http_header; pcre:"/Host\x3a[^\r\n]+bankofamerica\.com[^\r\n]{10,}\r\n/Hmi"; classtype:trojan-activity; sid:2023824; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Google Drive Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"drive.google.com"; http_header; fast_pattern; content:!"drive.google.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+drive\.google\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023825; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Cartasi Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"cartasi"; http_header; fast_pattern; content:!"cartasi.it|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+cartasi[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023826; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Linkedin Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"linkedin.com"; http_header; fast_pattern; content:!"linkedin.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+linkedin\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023827; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Ebay Phishing Domain Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"ebay.com"; http_header; fast_pattern; content:!"ebay.com|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+ebay\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023828; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Discover Phish Feb 02 2017"; flow:to_server,established; content:"POST"; http_method; content:"discover.com"; http_header; fast_pattern; content:!"discover.com|0d 0a|"; http_header; content:!"autodiscover"; http_header; pcre:"/^Host\x3a[^\r\n]+discover\.com[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023829; rev:3;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 01"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|account-google|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023833; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 02"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|aramex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023834; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 03"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|device-activation|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023835; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 04"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dropbox-service|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023836; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 05"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|dropbox-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023837; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 06"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dropboxsupport|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023838; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 07"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-mail|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023839; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 08"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|fedex-shipping|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023840; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 09"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|fedex-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023841; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 10"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googledriver-sign|04|ddns|03|net|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023842; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 11"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|googledrive-sign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023843; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|google-maps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023844; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 13"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|googlesecure-serv|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023845; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 14"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|googlesignin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023846; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 15"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|googleverify-signin|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023847; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 16"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|mailgooglesign|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023848; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 17"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023849; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 18"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|secure-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023850; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 19"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|security-myaccount|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023851; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 20"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|verification-acc|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023852; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 21"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dropbox-verfy|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023853; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 22"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|fedex-s|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023854; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 23"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|watchyoutube|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023855; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 24"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|verification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023856; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 25"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|securityteam-notify|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023857; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 26"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|secure-alert|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023858; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 27"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|quota-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023859; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 28"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|notification-team|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023860; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 29"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|12|fedex-notification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023861; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 30"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|docs-mails|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023862; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 31"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|restricted-videos|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023863; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 32"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|dropboxnotification|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023864; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 33"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|moi-gov|08|serveftp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023865; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 34"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|activate-google|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023866; rev:1;) + +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Request to NilePhish Domain 35"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|googlemaps|09|servehttp|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,citizenlab.org/2017/02/nilephish-report; classtype:trojan-activity; sid:2023867; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing Feb 2"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title> Microsoft Official Support <"; fast_pattern; nocase; content:"var stroka"; nocase; distance:0; content:"wM/8AAEQgADQCgAwEiAAIRAQMRAf/dAAQACv/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIE"; distance:0; classtype:trojan-activity; sid:2023869; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M1"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^\s*=\s*[\x27\x22](?:sh(?:ell(?:32)?)?|exec)=6wLrBej5\x2f\x2f/Rsi"; content:"6wLrBej5"; fast_pattern:only; classtype:trojan-activity; sid:2023878; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Landing M1 Feb 07 2016 M2"; flow:established,from_server; file_data; content:"EB02EB05E8F9FFFFFF"; nocase; fast_pattern:only; pcre:"/(?:value=[\x22\x27](?:sh(?:ell(?:32)?)?|exec)=|unescape\(EscapeHexString\(.)EB02EB05E8F9FFFFFF/si"; classtype:trojan-activity; sid:2023879; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Successful Craigslist Phishing Domain Feb 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"craigslist.org"; http_header; fast_pattern; content:!"craigslist.org|0d 0a|"; http_header; pcre:"/^Host\x3a[^\r\n]+craigslist\.org[^\r\n]{20,}\r\n/Hmi"; classtype:trojan-activity; sid:2023880; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"login="; depth:6; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submit=Sign+In&curl_version="; nocase; distance:0; http_client_body; fast_pattern:9,20; classtype:trojan-activity; sid:2023888; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tech Support Phone Scam Landing Feb 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft Official Support"; nocase; fast_pattern:13,20; content:"<audio"; nocase; distance:0; content:"loop="; nocase; within:50; classtype:trojan-activity; sid:2023889; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M1 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"iden="; depth:5; nocase; http_client_body; content:"&AG="; nocase; distance:0; http_client_body; content:"&CC="; nocase; distance:0; http_client_body; content:"&CCDIG="; nocase; distance:0; http_client_body; content:"&PASSNET="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023890; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish M2 Feb 09 2017"; flow:to_server,established; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"DDD="; depth:4; nocase; http_client_body; content:"&CELLULAR="; nocase; distance:0; http_client_body; fast_pattern; content:"&SDESEIS="; nocase; distance:0; http_client_body; content:"&btnLogInT.x="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023891; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Account Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"locked.php"; nocase; http_uri; content:"Account-Unlock"; nocase; distance:0; http_uri; fast_pattern; content:"user="; depth:5; nocase; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2023999; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud (CN) Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"Host|3a 20 31 31 32 32 33 33 68 74 2e 70 77|"; fast_pattern:only; classtype:trojan-activity; sid:2024000; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful California Bank & Trust Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"AccountNo="; depth:10; nocase; http_client_body; fast_pattern; content:"&token="; nocase; distance:0; http_client_body; content:"&check=Login"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024001; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Banco Itau (BR) Mobile Phish Feb 17 2017"; flow:to_server,established; content:"POST"; http_method; content:"&txtCelular="; nocase; http_client_body; content:"&txtSenhaCartao="; nocase; distance:0; http_client_body; fast_pattern; content:"btnLogIn"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024002; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Verified by Visa title over non SSL Feb 17 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>"; content:"Verified by Visa"; nocase; within:50; fast_pattern; classtype:trojan-activity; sid:2024003; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious JS Refresh - Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"self.location.replace("; within:100; fast_pattern:2,20; pcre:"/\s*(?P<var>[^)]+)\s*\).+window\s*\.\s*location\s*=\s*\(\s*(?P=var)/Rsi"; classtype:trojan-activity; sid:2024007; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Phishing Redirect Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; content:"location|3a 20|"; http_header; fast_pattern; content:"|2f 3f|"; distance:32; within:2; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:trojan-activity; sid:2024008; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"step=confirmation"; depth:17; nocase; http_client_body; content:"&rt="; nocase; distance:0; http_client_body; content:"&rp="; nocase; distance:0; http_client_body; content:"&p="; nocase; distance:0; http_client_body; content:"&whichForm="; nocase; distance:0; http_client_body; content:"&Email="; nocase; distance:0; http_client_body; content:"&Parola="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024009; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Craigslist (RO) Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"NumarCard="; depth:10; nocase; http_client_body; fast_pattern; content:"&CVV="; nocase; distance:0; http_client_body; content:"&Luna="; nocase; distance:0; http_client_body; content:"&NumeCard="; nocase; distance:0; http_client_body; content:"&PrenumeCard="; nocase; distance:0; http_client_body; content:"&NumedeContact="; nocase; distance:0; http_client_body; content:"&NumardeTelefon="; nocase; distance:0; http_client_body; content:"&EmaildeContact="; nocase; distance:0; http_client_body; content:"&cryptedStepCheck="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024010; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M1 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&CHKCLICK="; nocase; distance:0; http_client_body; content:"&NNAME="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024011; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M2 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; content:"&cardSelected="; nocase; distance:0; http_client_body; content:"&rbcCardNumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&twoDigitIssueNumber="; nocase; distance:0; http_client_body; content:"&atmpin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024012; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M3 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&fullname="; nocase; distance:0; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&ssn="; nocase; distance:0; http_client_body; content:"&mmn="; nocase; distance:0; http_client_body; content:"&dl="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024013; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish M4 Feb 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"&rbcProductOrService="; nocase; http_client_body; fast_pattern; content:"&sq1="; nocase; distance:0; http_client_body; content:"&sq1a="; nocase; distance:0; http_client_body; content:"&sq2="; nocase; distance:0; http_client_body; content:"&sq2a="; nocase; distance:0; http_client_body; content:"&sq3="; nocase; distance:0; http_client_body; content:"&sq3a="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024014; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Orderlink (IN) Phish Feb 24 2017"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/signin"; content:"/signin|0d 0a|"; http_header; fast_pattern; content:"_token="; depth:7; nocase; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"|25|40"; nocase; distance:0; http_client_body; content:"&pass"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024015; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M1 Feb 24 2017"; flow:from_server,established; content:"302"; http_stat_code; content:"location|3a 20|"; nocase; http_header; content:".php?cmd=_update-information&account_bank="; nocase; http_header; fast_pattern:22,20; distance:0; content:"&dispatch="; distance:32; within:10; nocase; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; classtype:trojan-activity; sid:2024016; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Redirect M2 Feb 24 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; file_data; content:"<meta http-equiv="; nocase; within:50; content:"refresh"; nocase; distance:1; within:7; content:"/webapps/"; nocase; distance:0; content:"/websrc"; distance:5; within:7; fast_pattern; classtype:trojan-activity; sid:2024017; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Common Paypal Phishing URI Feb 24 2017"; flow:to_server,established; content:"GET"; http_method; content:"/webapps/"; http_uri; content:"/websrc"; distance:5; within:7; http_uri; fast_pattern; pcre:"/\/webapps\/[a-f0-9]{5}\/websrc/Ui"; classtype:trojan-activity; sid:2024018; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing Landing Feb 24 2017"; flow:from_server,established; file_data; content:"<title></title>"; nocase; fast_pattern; content:"<meta name=|22|application-name|22 20|content=|22|PayPal"; distance:0; classtype:trojan-activity; sid:2024019; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Feb 26 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/^\/\?o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&o?q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+$/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024020; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RIG EK Landing Feb 26 2016"; flow:established,from_server; file_data; content:"|3d 20 28 2f 2a 67 66 2a 2f 22 73 5c 78 37 35 62 73 22 29 2b 2f 2a 67 66 2a 2f 22 74 72 22 3b|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024021; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Vanguard Phish Mar 06 2017"; flow:to_server,established; content:"POST"; http_method; content:"dmform-0="; depth:9; nocase; http_client_body; content:"&label-dmform-0=User+name"; nocase; distance:0; http_client_body; content:"&label-dmform-1=Password"; nocase; distance:0; http_client_body; content:"&label-dmform-8=Account+Email"; nocase; distance:0; http_client_body; content:"&label-dmform-9=Password"; nocase; distance:0; http_client_body; content:"&dmformsubject=Vang"; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024032; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Android Fake AV Download Landing Mar 06 2017"; flow:to_server,established; content:"GET"; http_method; content:".php?model="; nocase; http_uri; content:"&brand="; nocase; distance:0; http_uri; content:"&osversion="; nocase; distance:0; http_uri; content:"&ip="; nocase; distance:0; http_uri; content:"&voluumdata=BASE64"; nocase; distance:0; http_uri; fast_pattern; classtype:trojan-activity; sid:2024033; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirect Leading to EK March 07 2017"; flow:established,from_server; file_data; content:"|3c 64 69 76 20 73 74 79 6c 65 3d 27 77 69 64 74 68 3a 20 31 70 78 3b 20 68 65 69 67 68 74 3a 20 31 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 20 6c 65 66 74 3a 2d 35 30 30 70 78 3b 20 74 6f 70 3a 20 2d 35 30 30 70 78 3b 27 3e 20 3c 69 66 72 61 6d 65 20 73 72 63 3d|"; fast_pattern:70,20; pcre:"/^\s*\x27[^\x27\x3b\r\n]+\x27width=\x27250\x27\sheight=\x27250\x27\>/Ri"; classtype:trojan-activity; sid:2024037; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocEng Fake Font DL March 09 2017"; flow:from_server,established; content:"Content-Disposition|3a|"; nocase; http_header; content:"|43 68 72 ce bf 6d 65|"; nocase; http_header; fast_pattern:only; content:"|66 ce bf 6e 74|"; nocase; http_header; content:"|2e 65 78 65|"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2024040; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Virus Phone Scam Landing Mar 09 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>System Virus Alert"; nocase; fast_pattern:5,20; content:"|3a|-webkit-full-screen"; nocase; distance:0; classtype:trojan-activity; sid:2024042; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"yass_email="; depth:11; nocase; http_client_body; content:"&yass_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024046; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful National Bank Phish Mar 13 2017"; flow:to_server,established; content:"POST"; http_method; content:"aliasDispatcher="; depth:16; nocase; http_client_body; content:"&indBNCFunds="; nocase; distance:0; http_client_body; content:"&accountNumber1="; nocase; distance:0; http_client_body; content:"&cardExpirDate="; nocase; distance:0; http_client_body; fast_pattern; content:"®istrationMode="; nocase; distance:0; http_client_body; content:"&cardActionTypeSelected="; nocase; distance:0; http_client_body; content:"&language="; nocase; distance:0; http_client_body; content:"&clientIpAdress="; nocase; distance:0; http_client_body; content:"&clientUserAgent="; nocase; distance:0; http_client_body; content:"&clientScreenResolution="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024047; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017"; flow:established,to_server; urilen:>90; content:"oq="; http_uri; fast_pattern:only; pcre:"/(?=.*?[?&]oq=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)).*?[?&]q=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024048; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2"; flow:established,to_server; urilen:>90; content:"QMvXcJ"; http_uri; pcre:"/(?=.*?=[^&]{3,4}QMvXcJ).*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+&.*?=(?=[A-Za-z_-]*[0-9])(?=[a-z0-9_-]*[A-Z][a-z0-9_-]*[A-Z])(?=[A-Z0-9_-]*[a-z][A-Z0-9_-]*[a-z])[A-Za-z0-9_-]+(?:&|$)/U"; content:!"Cookie|3a|"; flowbits:set,ET.RIGEKExploit; classtype:trojan-activity; sid:2024049; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful ANZ Internet Banking Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"typ="; depth:4; nocase; http_client_body; content:"&cid="; nocase; distance:0; http_client_body; content:"&cpass="; nocase; distance:0; http_client_body; content:"&homepn="; nocase; distance:0; http_client_body; content:"&workpn="; nocase; distance:0; http_client_body; content:"&mobilepn="; nocase; distance:0; http_client_body; content:"&telepass="; nocase; distance:0; http_client_body; content:"&ccnumber="; nocase; distance:0; http_client_body; fast_pattern; content:"&cvv="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024050; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Instagram Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"cek=login"; depth:9; nocase; http_client_body; fast_pattern; content:"&username="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024051; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 14 2017"; flow:to_server,established; content:"POST"; http_method; content:"login_cmd="; depth:10; nocase; http_client_body; content:"&login_params="; nocase; distance:0; http_client_body; content:"&login_email="; nocase; distance:0; http_client_body; content:"&login_password="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024052; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M1 Mar 14 2017"; flow:established,from_server; file_data; content:"|2e de 08 bb 99 8a 7b 6c|"; within:8; classtype:trojan-activity; sid:2024053; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download M2 Mar 14 2017"; flow:established,from_server; file_data; content:"|5e 5a a3 90 b9 31 7b 54|"; within:8; classtype:trojan-activity; sid:2024054; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload RC4 Key M1 Mar 14 2017"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"uylzJB3mWrFjellI9iDFGQjO"; fast_pattern:only; content:"("; pcre:"/^\s*[\x22\x27]\s*http[^\x22\x27]+\.php\s*[\x22\x27]\s*\x2c\s*[\x22\x27]\s*uylzJB3mWrFjellI9iDFGQjO/Rs"; classtype:trojan-activity; sid:2024055; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Mar 15 2017"; flow:from_server,established; flowbits:isset,ET.genericphish; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<meta http-equiv=|22|Content-Type|22|"; nocase; content:"alert"; content:"|41 70 70 6c 65 20 49 44|"; nocase; within:20; fast_pattern; content:"|68 69 73 74 6f 72 79 2e 62 61 63 6b|"; nocase; distance:0; classtype:trojan-activity; sid:2024059; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M1 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"appid="; depth:6; nocase; http_client_body; fast_pattern; content:"|25|40"; distance:0; http_client_body; content:"&pwd"; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024060; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Apple Phish M2 Mar 15 2017"; flow:to_server,established; content:"POST"; http_method; content:"fname="; depth:6; nocase; http_client_body; content:"&dob="; nocase; distance:0; http_client_body; content:"&cchn="; nocase; distance:0; http_client_body; content:"&ccnum="; nocase; distance:0; http_client_body; fast_pattern; content:"&expdate="; nocase; distance:0; http_client_body; content:"&cvv2="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024061; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017"; flow:established,from_server; file_data; content:"iframe"; nocase; content:"src"; nocase; pcre:"/^\s*=\s*[\x22\x27][Hh][Tt][Tt][Pp][Ss]?\x3a\x2f\x2f[^\x2f]+\x2f(?=[^\x2f\x22\x27]+=[^\x2f\x22\x27&]{0,5}QMvXcJ)[^\x2f\x22\x27]{90}/Rs"; content:"QMvXcJ"; fast_pattern:only; classtype:trojan-activity; sid:2024092; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil Redirector Leading to EK March 15 2017 M2"; flow:established,from_server; file_data; content:"<iframe"; within:7; pcre:"/^(?:\s+style=\x27hidden\x27)?\s+src=\x27https?\x3a[^>\x22\x27]+[\x22\x27]\s*width=\x270\x27\s+/Ri";content:"|68 65 69 67 68 74 3d 27 30 27 3e 3c 2f 69 66 72 61 6d 65 3e 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c|"; within:34; isdataat:100; classtype:trojan-activity; sid:2024093; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Paypal Phish Mar 22 2017"; flow:to_server,established; content:"POST"; http_method; content:"identif="; depth:8; nocase; http_client_body; content:"&elserr="; nocase; distance:0; http_client_body; fast_pattern; content:"&btnLogin="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024100; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful RBC Royal Bank Phish Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"FromPreSignIn_SIP="; depth:18; nocase; http_client_body; fast_pattern; content:"&LANGUAGE="; nocase; distance:0; http_client_body; content:"&RSA_DEVPRINT="; nocase; distance:0; http_client_body; content:"&K1="; nocase; distance:0; http_client_body; content:"&Q1="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024101; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M1 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"act="; depth:4; nocase; http_client_body; content:"&command="; nocase; distance:16; within:9; http_client_body; fast_pattern; content:"&PIN="; nocase; distance:0; http_client_body; content:"&Go="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024102; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Tangerine Bank Phish M2 Mar 27 2017"; flow:to_server,established; content:"POST"; http_method; content:"account="; depth:8; nocase; http_client_body; content:"&pin"; nocase; distance:16; within:4; http_client_body; content:"&command="; nocase; distance:0; http_client_body; content:"&PrimaryApplicant="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024103; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Malicious Macro DL BIN March 2017"; flow:established,to_server; content:"GET"; http_method; content:"?showforum="; http_uri; fast_pattern:only; pcre:"/\?showforum=$/Ui"; content:!".php"; http_uri; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; reference:md5,ad575f6795526f2ee5e730f76a3b5346; classtype:trojan-activity; sid:2024109; rev:3;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MalDoc Retrieving Payload March 30 2017"; flow:to_server,established; content:"GET"; http_method; content:"/mang.bbk"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/mang\.bbk$/Ui"; reference:md5,33018afc5ef9818eee0f3833d1f738b0; classtype:trojan-activity; sid:2024122; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M1"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|wide.singldays.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024124; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M2"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|wine.industrialzz.top"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024125; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M3"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|one.industrialzz.top"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024126; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M4"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|13|web.machinerysc.top"; distance:1; within:20; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024127; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M5"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|12|sub.contentedy.top"; distance:1; within:19; fast_pattern; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024128; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M6"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|check-work-18799.top"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024129; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M7"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|asp.refreshmentnu.top"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024130; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M8"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|15|get.resemblanceao.bid"; distance:1; within:22; fast_pattern:2,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024131; rev:2;) + +alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lets Encrypt Free SSL Cert Observed in Tech Support Scams M9"; flow:established,from_server; content:"|55 04 0a|"; content:"|0d|Let|27|s Encrypt"; distance:1; within:14; content:"|55 04 03|"; distance:0; content:"|14|sip.discoveredzp.bid"; distance:1; within:21; fast_pattern:1,20; reference:url,blog.sucuri.net/2017/02/javascript-injections-leads-to-tech-support-scam.html; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024132; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M1"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|0"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024133; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M2"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|1"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024134; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M3"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|2"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024135; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M4"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|3"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024136; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M5"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|4"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024137; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M6"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|5"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024138; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M7"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|6"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024139; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M8"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|7"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024140; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M9"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|8"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024141; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Decimal IP Redirect - Observed in RIG EK Redirects M10"; flow:from_server,established; content:"302"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern; content:"Location|3a 20|http|3a 2f 2f|9"; nocase; http_header; pcre:"/^\d+[\r\n\x2f]/Hmi"; reference:url,blog.malwarebytes.com/cybercrime/2017/03/websites-compromised-decimal-ip-campaign/; classtype:trojan-activity; sid:2024142; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Mail.ru Phish Apr 04 2017"; flow:to_server,established; content:"POST"; http_method; content:"new_auth_form="; depth:14; nocase; http_client_body; fast_pattern; content:"&page="; nocase; distance:0; http_client_body; content:"&back="; nocase; distance:0; http_client_body; content:"&FromAccount="; nocase; distance:0; http_client_body; content:"&Login="; nocase; distance:0; http_client_body; content:"&selector="; nocase; distance:0; http_client_body; content:"&Username="; nocase; distance:0; http_client_body; content:"&Password="; nocase; distance:0; http_client_body; content:"&saveauth="; nocase; distance:0; http_client_body; content:"&submit="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024167; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"dllcode"; nocase; fast_pattern:only; content:"|28 26 68 34 64 2c 26 68 35 61 2c 26 68 38 30 2c 30 2c 31 2c 30 2c 30 2c 30|"; nocase; content:"GetSpecialFolder"; nocase; reference:cve,2016-0189; classtype:trojan-activity; sid:2024168; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2016-0189 Exploit M2"; flow:established,from_server; file_data; content:"|73 74 72 54 6f 49 6e 74 28 4d 69 64 28 6d 65 6d 2c 20 31 2c 20 32 29 29|"; content:"|2b 20 26 48 31 37 34|"; reference:cve,2016-0189; classtype:trojan-activity; sid:2024169; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Terror EK CVE-2015-2419 Exploit"; flow:established,from_server; file_data; content:"EB125831C966B9"; nocase; content:"05498034088485C975F7FFE0E8E9FFFFFFD10D61074028D7D5D3B544E0"; distance:2; within:58; nocase; reference:cve,2016-0189; classtype:trojan-activity; sid:2024170; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Terror EK Payload Download"; flow:established,to_server; content:"e=cve"; http_uri; fast_pattern:only; pcre:"/[&?]e=cve\d{8}(?:&|$)/U"; pcre:"/=[a-f0-9]{32,}(?:&|$)/U"; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2024180; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"gender="; depth:7; nocase; http_client_body; fast_pattern; content:"&name1="; nocase; distance:0; http_client_body; content:"&name2="; nocase; distance:0; http_client_body; content:"&day="; nocase; distance:0; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024184; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful HM Revenue & Customs Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cnumber="; depth:8; nocase; http_client_body; fast_pattern; content:"&expm="; nocase; distance:0; http_client_body; content:"&expy="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&cname="; nocase; distance:0; http_client_body; content:"&submitForm="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024185; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M1 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"cpf="; depth:4; nocase; http_client_body; fast_pattern; content:"&next_pag="; nocase; distance:0; http_client_body; content:"&entrar="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024186; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M2 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_net="; depth:8; nocase; http_client_body; fast_pattern; content:"&cpf="; nocase; distance:0; http_client_body; content:"&continuar_acess="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024187; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Santander Phish M3 Apr 07 2017"; flow:to_server,established; content:"POST"; http_method; content:"psw_4="; depth:6; nocase; http_client_body; fast_pattern; content:"&psw_net="; nocase; distance:0; http_client_body; content:"&cpf="; nocase; distance:0; http_client_body; content:"&proseguir="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024188; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS MSXMLHTTP DL of HTA (Observed in RTF 0-day )"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; content:"Content-Type|3a 20|application/hta|0d 0a|"; http_header; fast_pattern:9,20; nocase; classtype:trojan-activity; sid:2024197; rev:2;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Payload DL"; flow:established,from_server; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; http_header; nocase; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2024198; rev:1;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M2"; flow:established,from_server; file_data; content:"|69 64 3d 22 70 70 68 68 22 20 3e 54 68 65 20 22 48 6f 65 66 6c 65 72 54 65 78 74 22 20 66 6f 6e 74 20 77 61 73 6e 27 74 20 66 6f 75 6e 64 2e|"; classtype:trojan-activity; sid:2024199; rev:1;) + +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS EITest SocENG Inject M3"; flow:established,from_server; file_data; content:"|69 64 3d 22 62 62 62 31 22 3e 43 6c 69 63 6b 20 6f 6e 20 74 68 65 20 43 68 72 6f 6d 65 5f 46 6f 6e 74 2e 65 78 65|"; classtype:trojan-activity; sid:2024200; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Malicious Expires Header Seen In Malicious JavaScript Downloader Campaign"; flow:established,to_client; content:"Expires|3A| Tue, 08 Jan 1935 00|3A|00|3A|00 GMT"; http_header; fast_pattern:9,20; classtype:trojan-activity; sid:2024229; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful iCloud Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"ip="; depth:3; nocase; http_client_body; content:"&city="; nocase; distance:0; http_client_body; content:"&country="; nocase; distance:0; http_client_body; content:"&email="; nocase; distance:0; http_client_body; content:"&password="; nocase; distance:0; http_client_body; fast_pattern; content:"&sbBtn="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024231; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Alitalia Airline Phish Apr 20 2017"; flow:to_server,established; content:"POST"; http_method; content:"carta="; depth:6; nocase; http_client_body; content:"&month="; nocase; distance:0; http_client_body; content:"&cvv="; nocase; distance:0; http_client_body; content:"&year="; nocase; distance:0; http_client_body; content:"&imageField"; nocase; distance:0; http_client_body; content:"&nome="; nocase; distance:0; http_client_body; content:"&VBV="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024232; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS ElTest Exploit Kit Redirection Script"; flow:established,to_client; file_data; content:"<script"; nocase; content:"text/javascript"; within:50; nocase; content:"|22|iframe|22|"; within:100; nocase; content:".style.border= |22|0px|22|"; within:200; fast_pattern; nocase; content:"frameborder"; within:100; nocase; content:".setAttribute("; within:50; nocase; content:"document.body.appendChild("; within:100; nocase; content:"= |22|http"; within:100; nocase; content:".src="; distance:0; nocase; content:"<|2F|script>"; within:50; nocase; reference:url,researchcenter.paloaltonetworks.com/2017/01/unit42-campaign-evolution-eitest-october-december-2016/; classtype:trojan-activity; sid:2024237; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HoeflerText Chrome Popup DriveBy Download Attempt"; flow:established,to_client; file_data; content:"The |22|HoeflerText|22| font wasn't found"; nocase; fast_pattern; content:"you have to update the |22|Chrome Font Pack|22|"; distance:0; nocase; content:"Click on the Chrome_Font.exe"; distance:0; nocase; content:"Latest version"; distance:0; nocase; content:"href=|22|http"; distance:0; nocase; content:"window.chrome"; distance:0; nocase; reference:url,www.bleepingcomputer.com/virus-removal/hoeflertext-font-wasnt-found-and-chrome-font-pack-guide; classtype:trojan-activity; sid:2024238; rev:2;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M1 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Chrome Alert</title>"; fast_pattern:7,20; nocase; content:"<script type=|22|text/javascript|22 20|src=|22|/alert.php?h="; nocase; distance:0; classtype:trojan-activity; sid:2024266; rev:1;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M2 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/alert.php?h="; depth:13; http_uri; fast_pattern; nocase; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:trojan-activity; sid:2024267; rev:3;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M3 Mar 3 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/javascript"; http_header; content:"alert="; http_cookie; file_data; content:"navigator.languages"; nocase; content:"Your computer is infected"; nocase; distance:0; fast_pattern:5,20; content:"navegador contiene malware"; nocase; distance:0; content:"navigateur contient MALWARE"; nocase; distance:0; content:"&subid=alertyes"; nocase; distance:0; classtype:trojan-activity; sid:2024268; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Google App Oauth Phish M4 Mar 3 2017"; flow:to_server,established; content:"GET"; http_method; content:"/tds.php?h="; depth:11; http_uri; fast_pattern; nocase; content:"&subid=alert"; nocase; distance:32; within:12; http_uri; content:"/r.php?h="; http_header; content:"|0d 0a|"; distance:32; within:2; http_header; classtype:trojan-activity; sid:2024269; rev:3;) + +alert tcp any any -> any 445 (msg:"ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:1;) + +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Multibrowser Resource Exhaustion observed in Tech Support Scam"; flow:from_server,established; file_data; content:"var|20|total|20|=|20 22 22 3b|"; nocase; content:"total|20|=|20|total"; nocase; distance:0; content:"history.pushState"; nocase; fast_pattern; distance:0; pcre:"/^\s*\(\s*0\s*,\s*0\s*,\s*total\s*\)/Ri"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1246773; classtype:trojan-activity; sid:2024305; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Scotiabank Phish M1 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:"signon_form="; depth:12; nocase; http_client_body; content:"trusteeCompatible="; nocase; distance:0; http_client_body; content:"&user="; nocase; distance:0; http_client_body; content:"&pass="; nocase; distance:0; http_client_body; content:"card-nickname="; nocase; distance:0; http_client_body; fast_pattern; content:"enter_sol="; nocase; distance:0; http_client_body; classtype:trojan-activity; sid:2024326; rev:2;) + +alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Successful Scotiabank Phish M2 May 24 2017"; flow:to_server,established; content:"POST"; http_method; content:".php?Step=Account"; nocase; http_uri; content:"mmn="; depth:4; nocase; http_client_body; content:"&seccode="; nocase; distance:0; http_client_body; fast_pattern; classtype:trojan-activity; sid:2024327; rev:2;) + diff --git a/tests/emerging.rules.tar.gz b/tests/emerging.rules.tar.gz Binary files differnew file mode 100644 index 0000000..01fc92b --- /dev/null +++ b/tests/emerging.rules.tar.gz diff --git a/tests/emerging.rules.tar.gz.md5 b/tests/emerging.rules.tar.gz.md5 new file mode 100644 index 0000000..b54d458 --- /dev/null +++ b/tests/emerging.rules.tar.gz.md5 @@ -0,0 +1 @@ +3ed507977921535c79d7d322803cdd34 diff --git a/tests/emerging.rules.zip b/tests/emerging.rules.zip Binary files differnew file mode 100644 index 0000000..a511ce6 --- /dev/null +++ b/tests/emerging.rules.zip diff --git a/tests/empty b/tests/empty new file mode 100644 index 0000000..3c0e2c9 --- /dev/null +++ b/tests/empty @@ -0,0 +1 @@ +# An empty configuration for test purposes. diff --git a/tests/gen-msg.map b/tests/gen-msg.map new file mode 100644 index 0000000..301a576 --- /dev/null +++ b/tests/gen-msg.map @@ -0,0 +1,318 @@ +# $Id: gen-msg.map,v 1.8 2010/04/15 19:55:13 mwatchinski Exp $ +# GENERATORS -> msg map +# Format: generatorid || alertid || MSG + +1 || 1 || snort general alert +2 || 1 || tag: Tagged Packet +3 || 1 || snort dynamic alert +100 || 1 || spp_portscan: Portscan Detected +100 || 2 || spp_portscan: Portscan Status +100 || 3 || spp_portscan: Portscan Ended +101 || 1 || spp_minfrag: minfrag alert +102 || 1 || http_decode: Unicode Attack +102 || 2 || http_decode: CGI NULL Byte Attack +102 || 3 || http_decode: large method attempted +102 || 4 || http_decode: missing uri +102 || 5 || http_decode: double encoding detected +102 || 6 || http_decode: illegal hex values detected +102 || 7 || http_decode: overlong character detected +103 || 1 || spp_defrag: Fragmentation Overflow Detected +103 || 2 || spp_defrag: Stale Fragments Discarded +104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded +104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted +105 || 1 || spp_bo: Back Orifice Traffic Detected +105 || 2 || spp_bo: Back Orifice Client Traffic Detected +105 || 3 || spp_bo: Back Orifice Server Traffic Detected +105 || 4 || spp_bo: Back Orifice Snort Buffer Attack +106 || 1 || spp_rpc_decode: Fragmented RPC Records +106 || 2 || spp_rpc_decode: Multiple Records in one packet +106 || 3 || spp_rpc_decode: Large RPC Record Fragment +106 || 4 || spp_rpc_decode: Incomplete RPC segment +106 || 5 || spp_rpc_decode: Zero-length RPC Fragment +110 || 1 || spp_unidecode: CGI NULL Attack +110 || 2 || spp_unidecode: Directory Traversal +110 || 3 || spp_unidecode: Unknown Mapping +110 || 4 || spp_unidecode: Invalid Mapping +111 || 1 || spp_stream4: Stealth Activity Detected +111 || 2 || spp_stream4: Evasive Reset Packet +111 || 3 || spp_stream4: Retransmission +111 || 4 || spp_stream4: Window Violation +111 || 5 || spp_stream4: Data on SYN Packet +111 || 6 || spp_stream4: Full XMAS Stealth Scan +111 || 7 || spp_stream4: SAPU Stealth Scan +111 || 8 || spp_stream4: FIN Stealth Scan +111 || 9 || spp_stream4: NULL Stealth Scan +111 || 10 || spp_stream4: NMAP XMAS Stealth Scan +111 || 11 || spp_stream4: VECNA Stealth Scan +111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection +111 || 13 || spp_stream4: SYN FIN Stealth Scan +111 || 14 || spp_stream4: TCP forward overlap detected +111 || 15 || spp_stream4: TTL Evasion attempt +111 || 16 || spp_stream4: Evasive retransmitted data attempt +111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt +111 || 18 || spp_stream4: Multiple acked +111 || 19 || spp_stream4: Shifting to Emergency Session Mode +111 || 20 || spp_stream4: Shifting to Suspend Mode +111 || 21 || spp_stream4: TCP Timestamp option has value of zero +111 || 22 || spp_stream4: Too many overlapping TCP packets +111 || 23 || spp_stream4: Packet in established TCP stream missing ACK +111 || 24 || spp_stream4: Evasive FIN Packet +111 || 25 || spp_stream4: SYN on established +112 || 1 || spp_arpspoof: Directed ARP Request +112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC +112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST +112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack +113 || 1 || spp_frag2: Oversized Frag +113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack +113 || 3 || spp_frag2: TTL evasion detected +113 || 4 || spp_frag2: overlap detected +113 || 5 || spp_frag2: Duplicate first fragments +113 || 6 || spp_frag2: memcap exceeded +113 || 7 || spp_frag2: Out of order fragments +113 || 8 || spp_frag2: IP Options on Fragmented Packet +113 || 9 || spp_frag2: Shifting to Emegency Session Mode +113 || 10 || spp_frag2: Shifting to Suspend Mode +114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected +114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected +114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected +114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected +115 || 1 || spp_asn1: Indefinite ASN.1 length encoding +115 || 2 || spp_asn1: Invalid ASN.1 length encoding +115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow +115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow +115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length +116 || 1 || snort_decoder: Not IPv4 datagram! +116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN! +116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len! +116 || 4 || snort_decoder: Bad IPv4 Options +116 || 5 || snort_decoder: Truncated IPv4 Options +116 || 6 || snort_decoder: WARNING: IP dgm len > captured len! +116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes! +116 || 46 || snort_decoder: TCP Data Offset is less than 5! +116 || 47 || snort_decoder: TCP Data Offset is longer than payload! +116 || 54 || snort_decoder: Tcp Options found with bad lengths +116 || 55 || snort_decoder: Truncated Tcp Options +116 || 56 || snort_decoder: T/TCP Detected +116 || 57 || snort_decoder: Obsolete TCP options +116 || 58 || snort_decoder: Experimental TCP options +116 || 59 || snort_decoder: TCP Window Scale Option Scale Invalid (> 14) +116 || 95 || snort_decoder: Truncated UDP Header! +116 || 96 || snort_decoder: Invalid UDP header, length field < 8 +116 || 97 || snort_decoder: Short UDP packet, length field > payload length +116 || 98 || snort_decoder: Long UDP packet, length field < payload length +116 || 105 || snort_decoder: ICMP Header Truncated! +116 || 106 || snort_decoder: ICMP Timestamp Header Truncated! +116 || 107 || snort_decoder: ICMP Address Header Truncated! +116 || 108 || snort_decoder: Unknown Datagram decoding problem! +116 || 109 || snort_decoder: Truncated ARP Packet! +116 || 110 || snort_decoder: Truncated EAP Header! +116 || 111 || snort_decoder: EAP Key Truncated! +116 || 112 || snort_decoder: EAP Header Truncated! +116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected! +116 || 130 || snort_decoder: WARNING: Bad VLAN Frame! +116 || 131 || snort_decoder: WARNING: Bad LLC header! +116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info! +116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header! +116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info! +116 || 140 || snort_decoder: WARNING: Bad Token Ring Header! +116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header! +116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header! +116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header! +116 || 150 || snort_decoder: Bad Traffic Loopback IP! +116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP! +116 || 160 || snort_decoder: WARNING: GRE header length > payload length +116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet +116 || 162 || snort_decoder: WARNING: Invalid GRE version +116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header +116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header +116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length +116 || 170 || snort_decoder: Bad MPLS Frame +116 || 171 || snort_decoder: MPLS Label 0 Appears in Nonbottom Header +116 || 172 || snort_decoder: MPLS Label 1 Appears in Bottom Header +116 || 173 || snort_decoder: MPLS Label 2 Appears in Nonbottom Header +116 || 174 || snort_decoder: Bad use of label 3 +116 || 175 || snort_decoder: MPLS Label 4, 5,.. or 15 Appears in Header +116 || 176 || snort_decoder: Too Many MPLS headers +116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated! +116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4! +116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length! +116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits! +116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes! +116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0! +116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit +116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6 +116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header +116 || 273 || snort_decoder: WARNING: IPV6 truncated header +116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len! +116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len! +116 || 291 || snort_decoder: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack +116 || 400 || snort_decoder: WARNING: XMAS Attack Detected! +116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected! +116 || 402 || snort_decoder: DOS NAPTHA Vulnerability Detected! +116 || 403 || snort_decoder: Bad Traffic SYN to multicast address +116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL +116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set) +116 || 406 || snort_decoder: Invalid IPv6 UDP packet, checksum zero +117 || 1 || spp_portscan2: Portscan detected! +118 || 1 || spp_conversation: Bad IP protocol! +119 || 1 || http_inspect: ASCII ENCODING +119 || 2 || http_inspect: DOUBLE DECODING ATTACK +119 || 3 || http_inspect: U ENCODING +119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING +119 || 5 || http_inspect: BASE36 ENCODING +119 || 6 || http_inspect: UTF-8 ENCODING +119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING +119 || 8 || http_inspect: MULTI_SLASH ENCODING +119 || 9 || http_inspect: IIS BACKSLASH EVASION +119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL +119 || 11 || http_inspect: DIRECTORY TRAVERSAL +119 || 12 || http_inspect: APACHE WHITESPACE (TAB) +119 || 13 || http_inspect: NON-RFC HTTP DELIMITER +119 || 14 || http_inspect: NON-RFC DEFINED CHAR +119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY +119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING +119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED +119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL +119 || 19 || http_inspect: LONG HEADER +119 || 20 || http_inspect: MAX HEADERS +119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS +119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED +120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT +121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded +121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded +121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded +121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded +122 || 1 || portscan: TCP Portscan +122 || 2 || portscan: TCP Decoy Portscan +122 || 3 || portscan: TCP Portsweep +122 || 4 || portscan: TCP Distributed Portscan +122 || 5 || portscan: TCP Filtered Portscan +122 || 6 || portscan: TCP Filtered Decoy Portscan +122 || 7 || portscan: TCP Filtered Portsweep +122 || 8 || portscan: TCP Filtered Distributed Portscan +122 || 9 || portscan: IP Protocol Scan +122 || 10 || portscan: IP Decoy Protocol Scan +122 || 11 || portscan: IP Protocol Sweep +122 || 12 || portscan: IP Distributed Protocol Scan +122 || 13 || portscan: IP Filtered Protocol Scan +122 || 14 || portscan: IP Filtered Decoy Protocol Scan +122 || 15 || portscan: IP Filtered Protocol Sweep +122 || 16 || portscan: IP Filtered Distributed Protocol Scan +122 || 17 || portscan: UDP Portscan +122 || 18 || portscan: UDP Decoy Portscan +122 || 19 || portscan: UDP Portsweep +122 || 20 || portscan: UDP Distributed Portscan +122 || 21 || portscan: UDP Filtered Portscan +122 || 22 || portscan: UDP Filtered Decoy Portscan +122 || 23 || portscan: UDP Filtered Portsweep +122 || 24 || portscan: UDP Filtered Distributed Portscan +122 || 25 || portscan: ICMP Sweep +122 || 26 || portscan: ICMP Filtered Sweep +122 || 27 || portscan: Open Port +123 || 1 || frag3: IP Options on fragmented packet +123 || 2 || frag3: Teardrop attack +123 || 3 || frag3: Short fragment, possible DoS attempt +123 || 4 || frag3: Fragment packet ends after defragmented packet +123 || 5 || frag3: Zero-byte fragment +123 || 6 || frag3: Bad fragment size, packet size is negative +123 || 7 || frag3: Bad fragment size, packet size is greater than 65536 +123 || 8 || frag3: Fragmentation overlap +123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow +123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack +123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly +123 || 12 || frag3: Number of overlapping fragments exceed configured limit +123 || 13 || frag3: Fragments smaller than configured min_fragment_length +124 || 1 || smtp: Attempted command buffer overflow +124 || 2 || smtp: Attempted data header buffer overflow +124 || 3 || smtp: Attempted response buffer overflow +124 || 4 || smtp: Attempted specific command buffer overflow +124 || 5 || smtp: Unknown command +124 || 6 || smtp: Illegal command +124 || 7 || smtp: Attempted header name buffer overflow +124 || 8 || smtp: Attempted X-Link2State command buffer overflow +125 || 1 || ftp_pp: Telnet command on FTP command channel +125 || 2 || ftp_pp: Invalid FTP command +125 || 3 || ftp_pp: FTP parameter length overflow +125 || 4 || ftp_pp: FTP malformed parameter +125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter +125 || 6 || ftp_pp: FTP response length overflow +125 || 7 || ftp_pp: FTP command channel encrypted +125 || 8 || ftp_pp: FTP bounce attack +125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel +126 || 1 || telnet_pp: Telnet consecutive AYT overflow +126 || 2 || telnet_pp: Telnet data encrypted +126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End +128 || 1 || ssh: Gobbles exploit +128 || 2 || ssh: SSH1 CRC32 exploit +128 || 3 || ssh: Server version string overflow +128 || 4 || ssh: Protocol mismatch +128 || 5 || ssh: Bad message direction +128 || 6 || ssh: Payload size incorrect for the given payload +128 || 7 || ssh: Failed to detect SSH version string +129 || 1 || stream5: SYN on established session +129 || 2 || stream5: Data on SYN packet +129 || 3 || stream5: Data sent on stream not accepting data +129 || 4 || stream5: TCP Timestamp is outside of PAWS window +129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0 +129 || 6 || stream5: Window size (after scaling) larger than policy allows +129 || 7 || stream5: Limit on number of overlapping TCP packets reached +129 || 8 || stream5: Data sent on stream after TCP Reset +129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address +129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address +129 || 11 || stream5: TCP Data with no TCP Flags set +129 || 12 || stream5: TCP Small Segment Threshold Exceeded +129 || 13 || stream5: TCP 4-way handshake detected +129 || 14 || stream5: TCP Timestamp is missing +130 || 1 || dcerpc: Maximum memory usage reached +131 || 1 || dns: Obsolete DNS RData Type +131 || 2 || dns: Experimental DNS RData Type +131 || 3 || dns: Client RData TXT Overflow +133 || 1 || dcerpc2: Memory cap exceeded +133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type +133 || 3 || dcerpc2: SMB - Bad SMB message type +133 || 4 || dcerpc2: SMB - Bad SMB Id (not \xffSMB) +133 || 5 || dcerpc2: SMB - Bad word count for command +133 || 6 || dcerpc2: SMB - Bad byte count for command +133 || 7 || dcerpc2: SMB - Bad format type for command +133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command +133 || 9 || dcerpc2: SMB - Zero total data count in command +133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length +133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length +133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count +133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size +133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size +133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected +133 || 16 || dcerpc2: SMB - Byte count less than command data size +133 || 17 || dcerpc2: SMB - Invalid command data size for byte count +133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses +133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses +133 || 20 || dcerpc2: SMB - Excessive command chaining +133 || 21 || dcerpc2: SMB - Multiple chained login requests +133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests +133 || 23 || dcerpc2: SMB - Chained login followed by logoff +133 || 24 || dcerpc2: SMB - Chained tree connect followed by tree disconnect +133 || 25 || dcerpc2: SMB - Chained open pipe followed by close pipe +133 || 26 || dcerpc2: SMB - Invalid share access +133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version +133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version +133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type +133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size +133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed +133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified +133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified +133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client +133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size +133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind +133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request +133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request +133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request +133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version +133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type +133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size +133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number +134 || 1 || ppm: rule tree disabled +134 || 2 || ppm: rule tree enabled +135 || 1 || internal: syn received +135 || 2 || internal: session established +135 || 3 || internal: session cleared +139 || 1 || sensitive_data: sensitive data global threshold exceeded diff --git a/tests/index.yaml b/tests/index.yaml new file mode 100644 index 0000000..05636e7 --- /dev/null +++ b/tests/index.yaml @@ -0,0 +1,106 @@ +# NOTE: Please do not add new sources to this file and submit a pull +# request. New sources should be added with a pull-request to +# the index repo: https://github.com/OISF/suricata-intel-index +# +# This is a version 1 formatted index. +version: 1 + +sources: + + et/open: + summary: Emerging Threats Open Ruleset + description: | + Proofpoint ET Open is a timely and accurate rule set for detecting and blocking advanced threats + vendor: Proofpoint + license: MIT + url: https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz + + et/pro: + summary: Emerging Threats Pro Ruleset + description: | + Proofpoint ET Pro is a timely and accurate rule set for detecting and blocking advanced threats + vendor: Proofpoint + license: Commercial + url: https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz + subscribe-url: https://www.proofpoint.com/us/threat-insight/et-pro-ruleset + parameters: + secret-code: + prompt: Emerging Threats Pro access code + replaces: + - et/open + + oisf/trafficid: + summary: Suricata Traffic ID ruleset + vendor: OISF + license: MIT + url: https://openinfosecfoundation.org/rules/trafficid/trafficid.rules + support-url: https://redmine.openinfosecfoundation.org/ + min-version: 4.0.0 + + ptresearch/attackdetection: + summary: Positive Technologies Attack Detection Team ruleset + description: | + The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers’ TTPs, so we develop Suricata rules for detecting all sorts of such activities. + vendor: Positive Technologies + license: Custom + license-url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/LICENSE + url: https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz + + scwx/malware: + summary: Secureworks suricata-malware ruleset + description: | + High-fidelity, high-priority ruleset composed mainly of malware-related countermeasures and curated by the Secureworks Counter Threat Unit research team. + vendor: Secureworks + license: Commercial + url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz + parameters: + secret-code: + prompt: Secureworks Threat Intelligence Authentication Token + subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) + min-version: 2.0.9 + + scwx/security: + summary: Secureworks suricata-security ruleset + description: | + Broad ruleset composed of malware rules and other security-related countermeasures, and curated by the Secureworks Counter Threat Unit research team. + vendor: Secureworks + license: Commercial + url: https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-security_latest.tgz + parameters: + secret-code: + prompt: Secureworks Threat Intelligence Authentication Token + subscribe-url: https://www.secureworks.com/contact/ (Please reference CTU Countermeasures) + min-version: 2.0.9 + + sslbl/ssl-fp-blacklist: + summary: Abuse.ch SSL Blacklist + description: | + The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that helps you to detect & block malware botnet C&C communication on the TCP layer. + vendor: Abuse.ch + license: Non-Commercial + url: https://sslbl.abuse.ch/blacklist/sslblacklist.rules + + sslbl/ja3-fingerprints: + summary: Abuse.ch Suricata JA3 Fingerprint Ruleset + description: | + If you are running Suricata, you can use the SSLBL's Suricata JA3 FingerprintRuleset to detect and/or block malicious SSL connections in your network based on the JA3 fingerprint. Please note that your need Suricata 4.1.0 or newer in order to use the JA3 fingerprint ruleset. + vendor: Abuse.ch + license: Non-Commercial + url: https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules + min-version: 4.1.0 + + etnetera/aggressive: + summary: Etnetera aggressive IP blacklist + vendor: Etnetera a.s. + license: MIT + url: https://security.etnetera.cz/feeds/etn_aggressive.rules + min-version: 4.0.0 + + tgreen/hunting: + summary: Threat hunting rules + description: | + Heuristic ruleset for hunting. Focus on anomaly detection and showcasing latest engine features, not performance. + vendor: tgreen + license: GPLv3 + url: https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules + min-version: 4.1.0 diff --git a/tests/integration_tests.py b/tests/integration_tests.py new file mode 100755 index 0000000..c4b119b --- /dev/null +++ b/tests/integration_tests.py @@ -0,0 +1,230 @@ +import sys +import os +import subprocess +import shutil +import tempfile +import suricata.update.rule + +DATA_DIR = "./tests/tmp" + + +def run(args): + subprocess.check_call(args) + + +def delete(path): + if os.path.isdir(path): + shutil.rmtree(path) + else: + os.unlink(path) + + +print("Python executable: %s" % sys.executable) +print("Python version: %s" % str(sys.version)) +print("Current directory: %s" % os.getcwd()) + +# Override the default source index URL to avoid hitting the network. +os.environ["SOURCE_INDEX_URL"] = "file://%s/tests/index.yaml" % (os.getcwd()) + +os.environ["ETOPEN_URL"] = "file://%s/tests/emerging.rules.tar.gz" % ( + os.getcwd()) + +if os.path.exists(DATA_DIR): + delete(DATA_DIR) + +common_args = [ + sys.executable, + "./bin/suricata-update", + "-D", + DATA_DIR, + "-c", + "./tests/empty", +] + +common_update_args = [ + "--no-test", + "--no-reload", + "--suricata-conf", + "./tests/suricata.yaml", + "--disable-conf", + "./tests/disable.conf", + "--enable-conf", + "./tests/empty", + "--drop-conf", + "./tests/empty", + "--modify-conf", + "./tests/empty", +] + +# Default run with data directory. +run(common_args + common_update_args) +assert (os.path.exists(DATA_DIR)) +assert (os.path.exists(os.path.join(DATA_DIR, "update", "cache"))) +assert (os.path.exists(os.path.join(DATA_DIR, "rules", "suricata.rules"))) + +# Default run with data directory and --no-merge +run(common_args + common_update_args + ["--no-merge"]) +assert (os.path.exists(DATA_DIR)) +assert (os.path.exists(os.path.join(DATA_DIR, "update", "cache"))) +assert (os.path.exists( + os.path.join(DATA_DIR, "rules", "emerging-deleted.rules"))) +assert (os.path.exists( + os.path.join(DATA_DIR, "rules", "emerging-current_events.rules"))) + +# Still a default run, but set --output to an alternate location." +run(common_args + common_update_args + ["--output", "./tests/tmp/_rules"]) +assert (os.path.exists(os.path.join(DATA_DIR, "_rules"))) + +# Update sources. +run(common_args + ["update-sources"]) +assert (os.path.exists(os.path.join(DATA_DIR, "update", "cache", + "index.yaml"))) + +# Now delete the index and run lists-sources to see if it downloads +# the index. +delete(os.path.join(DATA_DIR, "update", "cache", "index.yaml")) +run(common_args + ["list-sources"]) +assert(not os.path.exists(os.path.join(DATA_DIR, "update", "cache", "index.yaml"))) + +# Enable a source. +run(common_args + ["enable-source", "oisf/trafficid"]) +assert (os.path.exists( + os.path.join(DATA_DIR, "update", "sources", "oisf-trafficid.yaml"))) + +# Disable the source. +run(common_args + ["disable-source", "oisf/trafficid"]) +assert (not os.path.exists( + os.path.join(DATA_DIR, "update", "sources", "oisf-trafficid.yaml"))) +assert (os.path.exists( + os.path.join(DATA_DIR, "update", "sources", + "oisf-trafficid.yaml.disabled"))) + +# Remove the source. +run(common_args + ["remove-source", "oisf/trafficid"]) +assert (not os.path.exists( + os.path.join(DATA_DIR, "update", "sources", + "oisf-trafficid.yaml.disabled"))) + +# Add a source with a custom header. +run(common_args + [ + "add-source", "--http-header", "Header: NoSpaces", + "testing-header-nospaces", "file:///doesnotexist" +]) + +# Add a source with a custom header with spaces in the value +# (https://redmine.openinfosecfoundation.org/issues/4362) +run(common_args + [ + "add-source", "--http-header", "Authorization: Basic dXNlcjE6cGFzc3dvcmQx", + "testing-header-with-spaces", "file:///doesnotexist" +]) + +run(common_args + [ + "add-source", + "suricata-test-rules", + "file://{}/tests/suricata-test-rules.zip".format(os.getcwd()), +]) +run(common_args) +assert(os.path.exists(os.path.join(DATA_DIR, "rules/testmyids.md5"))) +assert(os.path.exists(os.path.join(DATA_DIR, "rules/testmyids.sha1"))) +assert(os.path.exists(os.path.join(DATA_DIR, "rules/testmyids.sha256"))) + +class IntegrationTest: + def __init__(self, configs={}): + self.directory = tempfile.mkdtemp(dir=DATA_DIR) + self.configs = configs + self.args = [] + self.write_configs() + + if not "update.yaml" in self.configs: + self.args += ["-c", "./tests/empty"] + + def write_configs(self): + for config in self.configs: + config_filename = "%s/%s" % (self.directory, config) + with open(config_filename, "w") as of: + of.write(self.configs[config]) + if config == "modify.conf": + self.args += ["--modify-conf", config_filename] + elif config == "drop.conf": + self.args += ["--drop-conf", config_filename] + elif config == "enable.conf": + self.args += ["--enable-conf", config_filename] + elif config == "disable.conf": + self.args += ["--disable-conf", config_filename] + + def run(self): + args = [ + sys.executable, + "./bin/suricata-update", + "-D", + self.directory, + "--no-test", + "--no-reload", + "--suricata-conf", + "./tests/suricata.yaml", + ] + self.args + subprocess.check_call(args) + self.check() + self.clean() + + def clean(self): + if self.directory.startswith(DATA_DIR): + shutil.rmtree(self.directory) + + def check(self): + pass + + def get_rule_by_sid(self, sid): + """ Return all rules where the provided substring is found. """ + with open("%s/rules/suricata.rules" % (self.directory)) as inf: + for line in inf: + rule = suricata.update.rule.parse(line) + if rule.sid == sid: + return rule + return None + + +class MultipleModifyTest(IntegrationTest): + + configs = { + "modify.conf": + """ +modifysid emerging-exploit.rules "^alert" | "drop" +modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}" + """ + } + + def __init__(self): + IntegrationTest.__init__(self, self.configs) + + def check(self): + # This rule should have been converted to drop. + rule1 = self.get_rule_by_sid(2103461) + assert(rule1.action == "drop") + + # This one should have been converted back to alert. + rule2 = self.get_rule_by_sid(2023184) + assert(rule2.action == "alert") + +class DropAndModifyTest(IntegrationTest): + + configs = { + "drop.conf": """ +2024029 + """, + "modify.conf": """ +2024029 "ET INFO" "TEST INFO" + """ + } + + def __init__(self): + IntegrationTest.__init__(self, self.configs) + + def check(self): + rule1 = self.get_rule_by_sid(2024029) + assert(rule1.action == "drop") + assert(rule1.msg.startswith("TEST INFO")) + + +MultipleModifyTest().run() +DropAndModifyTest().run() diff --git a/tests/rule-with-unicode.rules b/tests/rule-with-unicode.rules new file mode 100644 index 0000000..8377f33 --- /dev/null +++ b/tests/rule-with-unicode.rules @@ -0,0 +1,4 @@ +# This is a file where a rule has unicode in it - the second rule. +alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Mar 23"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:"<title>Microsoft"; fast_pattern; nocase; content:"function myFunction"; nocase; distance:0; content:"setInterval"; nocase; distance:0; pcre:"/^\s*?\(\s*?function\s*?\(\s*?\)\s*?\{\s*?alert\s*?\(/Rsi"; content:"<audio"; nocase; distance:0; classtype:trojan-activity; sid:2022649; rev:2;) +alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN KHRAT DragonOK DNS Lookup (inter-ctrip .com)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|inter-ctrip|03|com|00|"; nocase; distance:0; fast_pattern; reference:url,blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok’s-new-custom-backdoor; classtype:trojan-activity; sid:2024108; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RealtyListings detail.asp iPro Parameter SQL Injection"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/detail.asp?"; nocase; uricontent:"iPro="; nocase; uricontent:"UNION"; nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,secunia.com/advisories/33167/; reference:url,milw0rm.com/exploits/7464; reference:url,doc.emergingthreats.net/2009050; classtype:web-application-attack; sid:2009050; rev:3;) diff --git a/tests/sid-msg-v2.map b/tests/sid-msg-v2.map new file mode 100644 index 0000000..96b30fa --- /dev/null +++ b/tests/sid-msg-v2.map @@ -0,0 +1,18356 @@ +1 || 1 || 1 || NOCLASS || 0 || FILEEXT JPG file claimed +1 || 3 || 1 || NOCLASS || 0 || FILEEXT BMP file claimed +1 || 6 || 1 || NOCLASS || 0 || FILESTORE jpg +1 || 8 || 1 || NOCLASS || 0 || FILESTORE pdf +1 || 9 || 1 || NOCLASS || 0 || FILEMAGIC pdf +1 || 10 || 1 || NOCLASS || 0 || FILEMAGIC jpg(1) +1 || 11 || 1 || NOCLASS || 0 || FILEMAGIC jpg(2) +1 || 12 || 1 || NOCLASS || 0 || FILEMAGIC short +1 || 15 || 1 || NOCLASS || 0 || FILE store all +1 || 16 || 1 || NOCLASS || 0 || FILE magic +1 || 17 || 1 || NOCLASS || 0 || FILE magic +1 || 18 || 1 || NOCLASS || 0 || FILE magic -- windows +1 || 19 || 1 || NOCLASS || 0 || FILE tracking PNG (1x1 pixel) (1) +1 || 20 || 1 || NOCLASS || 0 || FILE tracking PNG (1x1 pixel) (2) +1 || 21 || 1 || NOCLASS || 0 || FILE tracking GIF (1x1 pixel) +1 || 22 || 1 || NOCLASS || 0 || FILE pdf claimed, but not pdf +1 || 23 || 2 || NOCLASS || 0 || FILE magic +1 || 648 || 7 || shellcode-detect || 0 || GPL SHELLCODE x86 NOOP || arachnids,181 +1 || 653 || 9 || shellcode-detect || 0 || GPL SHELLCODE x86 0x90 unicode NOOP +1 || 1266 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap mountd request TCP || arachnids,13 +1 || 1429 || 3 || misc-activity || 0 || GPL DELETED poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl +1 || 1877 || 9 || web-application-activity || 0 || GPL WEB_SERVER printenv access || bugtraq,1658 || cve,2000-0868 || nessus,10188 || nessus,10503 +1 || 2351 || 11 || attempted-admin || 0 || GPL NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2352 || 10 || attempted-admin || 0 || GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2492 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB DCERPC ISystemActivator bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2493 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2494 || 8 || misc-attack || 0 || GPL NETBIOS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2495 || 8 || misc-attack || 0 || GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2873 || 2 || attempted-user || 0 || GPL DELETED sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2952 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB IPC$ andx share access +1 || 2953 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB IPC$ unicode andx share access +1 || 2972 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB D$ andx share access +1 || 2973 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB D$ unicode andx share access +1 || 2976 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB C$ andx share access +1 || 2977 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB C$ unicode andx share access +1 || 2980 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB ADMIN$ andx share access +1 || 2981 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB ADMIN$ unicode andx share access +1 || 2000005 || 7 || attempted-dos || 0 || ET EXPLOIT Cisco Telnet Buffer Overflow || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml || url,doc.emergingthreats.net/bin/view/Main/2000005 +1 || 2000006 || 13 || attempted-dos || 0 || ET DOS Cisco Router HTTP DoS || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml +1 || 2000007 || 7 || attempted-dos || 0 || ET EXPLOIT Catalyst SSH protocol mismatch || url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml || url,doc.emergingthreats.net/bin/view/Main/2000007 +1 || 2000009 || 12 || attempted-dos || 0 || ET DELETED Cisco IOS HTTP DoS || url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml || url,doc.emergingthreats.net/bin/view/Main/2000009 +1 || 2000010 || 11 || attempted-dos || 0 || ET DOS Cisco 514 UDP flood DoS || url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml || url,doc.emergingthreats.net/bin/view/Main/2000010 +1 || 2000011 || 8 || attempted-dos || 0 || ET DOS Catalyst memory leak attack || url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml || url,doc.emergingthreats.net/bin/view/Main/2000011 +1 || 2000012 || 11 || attempted-dos || 0 || ET DELETED Cisco %u IDS evasion || url,doc.emergingthreats.net/bin/view/Main/2000012 +1 || 2000013 || 12 || attempted-dos || 0 || ET DELETED Cisco IOS HTTP server DoS || url,doc.emergingthreats.net/bin/view/Main/2000013 +1 || 2000015 || 6 || trojan-activity || 0 || ET P2P Phatbot Control Connection || url,www.lurhq.com/phatbot.html || url,doc.emergingthreats.net/bin/view/Main/2000015 +1 || 2000016 || 7 || attempted-dos || 0 || ET DOS SSL Bomb DoS Attempt || cve,CAN-2004-0120 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || url,doc.emergingthreats.net/bin/view/Main/2000016 +1 || 2000017 || 6 || bad-unknown || 0 || ET NETBIOS NII Microsoft ASN.1 Library Buffer Overflow Exploit || url,www.microsoft.com/technet/security/bulletin/ms04-007.asp || url,doc.emergingthreats.net/bin/view/Main/2000017 +1 || 2000024 || 9 || trojan-activity || 0 || ET DELETED rcprograms || url,sarc.com/avcenter/venc/data/adware.rcprograms.html || url,doc.emergingthreats.net/bin/view/Main/2000024 +1 || 2000025 || 11 || policy-violation || 0 || ET MALWARE Gator Cookie || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999 || url,doc.emergingthreats.net/bin/view/Main/2000025 +1 || 2000026 || 37 || policy-violation || 0 || ET USER_AGENTS Gator Agent Traffic || url,doc.emergingthreats.net/2000026 +1 || 2000031 || 5 || attempted-admin || 0 || ET EXPLOIT CVS server heap overflow attempt (target BSD) || url,doc.emergingthreats.net/bin/view/Main/2000031 +1 || 2000032 || 9 || misc-activity || 0 || ET NETBIOS LSA exploit || url,www.eeye.com/html/research/advisories/AD20040501.html || url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html || url,doc.emergingthreats.net/bin/view/Main/2000032 +1 || 2000033 || 9 || misc-activity || 0 || ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) || url,doc.emergingthreats.net/bin/view/Main/2000033 || cve,2003-0533 +1 || 2000035 || 13 || policy-violation || 0 || ET POLICY Hotmail Inbox Access || url,doc.emergingthreats.net/2000035 +1 || 2000036 || 15 || policy-violation || 0 || ET POLICY Hotmail Message Access || url,doc.emergingthreats.net/2000036 +1 || 2000037 || 14 || policy-violation || 0 || ET POLICY Hotmail Compose Message Access || url,doc.emergingthreats.net/2000037 +1 || 2000038 || 14 || policy-violation || 0 || ET POLICY Hotmail Compose Message Submit || url,doc.emergingthreats.net/2000038 +1 || 2000039 || 11 || policy-violation || 0 || ET POLICY Hotmail Compose Message Submit Data || url,doc.emergingthreats.net/2000039 +1 || 2000040 || 5 || misc-activity || 0 || ET WORM Sasser FTP Traffic || url,vil.mcafeesecurity.com/vil/content/Print125009.htm || url,doc.emergingthreats.net/2000040 +1 || 2000041 || 14 || policy-violation || 0 || ET POLICY Yahoo Mail Inbox View || url,doc.emergingthreats.net/2000041 +1 || 2000042 || 14 || policy-violation || 0 || ET POLICY Yahoo Mail Message View || url,doc.emergingthreats.net/2000042 +1 || 2000043 || 12 || policy-violation || 0 || ET POLICY Yahoo Mail Message Compose Open || url,doc.emergingthreats.net/2000043 +1 || 2000044 || 11 || policy-violation || 0 || ET POLICY Yahoo Mail Message Send || url,doc.emergingthreats.net/2000044 +1 || 2000045 || 12 || policy-violation || 0 || ET DELETED Yahoo Mail Message Send Info Capture || url,doc.emergingthreats.net/2000045 +1 || 2000046 || 9 || misc-activity || 0 || ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) || url,doc.emergingthreats.net/bin/view/Main/2000046 || cve,2003-0533 +1 || 2000047 || 5 || misc-activity || 0 || ET WORM Sasser Transfer _up.exe || url,vil.mcafeesecurity.com/vil/content/Print125009.htm || url,doc.emergingthreats.net/2000047 +1 || 2000048 || 5 || attempted-admin || 0 || ET EXPLOIT CVS server heap overflow attempt (target Linux) || url,doc.emergingthreats.net/bin/view/Main/2000048 +1 || 2000049 || 5 || attempted-admin || 0 || ET EXPLOIT CVS server heap overflow attempt (target Solaris) || url,doc.emergingthreats.net/bin/view/Main/2000049 +1 || 2000105 || 5 || attempted-user || 0 || ET WEB_SERVER SQL sp_password attempt || url,doc.emergingthreats.net/2000105 +1 || 2000106 || 5 || attempted-user || 0 || ET WEB_SERVER SQL sp_delete_alert attempt || url,doc.emergingthreats.net/2000106 +1 || 2000306 || 29 || trojan-activity || 0 || ET DELETED Virtumonde Spyware siae3123.exe GET || url,sarc.com/avcenter/venc/data/adware.virtumonde.html || url,doc.emergingthreats.net/bin/view/Main/2000306 +1 || 2000307 || 26 || trojan-activity || 0 || ET DELETED Virtumonde Spyware siae3123.exe GET (8081) || url,sarc.com/avcenter/venc/data/adware.virtumonde.html || url,doc.emergingthreats.net/bin/view/Main/2000307 +1 || 2000308 || 24 || trojan-activity || 0 || ET DELETED Virtumonde Spyware Information Post || url,sarc.com/avcenter/venc/data/adware.virtumonde.html || url,doc.emergingthreats.net/bin/view/Main/2000308 +1 || 2000309 || 8 || policy-violation || 0 || ET DELETED GotoMyPC Polling Client || url,doc.emergingthreats.net/2000309 +1 || 2000327 || 10 || trojan-activity || 0 || ET DELETED Spyware 2020 || url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html || url,doc.emergingthreats.net/bin/view/Main/2000327 +1 || 2000328 || 12 || misc-activity || 0 || ET POLICY Outbound Multiple Non-SMTP Server Emails || url,doc.emergingthreats.net/2000328 +1 || 2000330 || 13 || policy-violation || 0 || ET P2P ed2k connection to server || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf || url,doc.emergingthreats.net/bin/view/Main/2000330 +1 || 2000332 || 11 || policy-violation || 0 || ET P2P ed2k request part || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf || url,doc.emergingthreats.net/bin/view/Main/2000332 +1 || 2000333 || 11 || policy-violation || 0 || ET P2P ed2k file request answer || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf || url,doc.emergingthreats.net/bin/view/Main/2000333 +1 || 2000334 || 12 || policy-violation || 0 || ET P2P BitTorrent peer sync || url,bitconjurer.org/BitTorrent/protocol.html || url,doc.emergingthreats.net/bin/view/Main/2000334 +1 || 2000335 || 9 || policy-violation || 0 || ET P2P Overnet (Edonkey) Server Announce || url,www.overnet.com || url,doc.emergingthreats.net/bin/view/Main/2000335 +1 || 2000336 || 12 || trojan-activity || 0 || ET DELETED Yesadvertising Banking Spyware RETRIEVE || url,isc.sans.org/presentations/banking_malware.pdf || url,doc.emergingthreats.net/bin/view/Main/2000336 +1 || 2000337 || 12 || trojan-activity || 0 || ET DELETED Yesadvertising Banking Spyware INFORMATION SUBMIT || url,isc.sans.org/presentations/banking_malware.pdf || url,doc.emergingthreats.net/bin/view/Main/2000337 +1 || 2000338 || 5 || trojan-activity || 0 || ET P2P iroffer IRC Bot help message || url,iroffer.org || url,doc.emergingthreats.net/bin/view/Main/2000338 +1 || 2000339 || 5 || trojan-activity || 0 || ET P2P iroffer IRC Bot offered files advertisement || url,iroffer.org || url,doc.emergingthreats.net/bin/view/Main/2000339 +1 || 2000340 || 10 || policy-violation || 0 || ET P2P Kaaza Media desktop p2pnetworking.exe Activity || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf || url,doc.emergingthreats.net/bin/view/Main/2000340 +1 || 2000341 || 10 || policy-violation || 0 || ET POLICY Yahoo Mail General Page View || url,doc.emergingthreats.net/2000341 +1 || 2000342 || 6 || misc-attack || 0 || ET EXPLOIT Squid NTLM Auth Overflow Exploit || url,www.idefense.com/application/poi/display?id=107 || cve,CAN-2004-0541 || url,doc.emergingthreats.net/bin/view/Main/2000342 +1 || 2000345 || 15 || trojan-activity || 0 || ET TROJAN IRC Nick change on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000345 +1 || 2000346 || 12 || trojan-activity || 0 || ET DELETED IRC Name response on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000346 +1 || 2000347 || 13 || trojan-activity || 0 || ET TROJAN IRC Private message on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000347 +1 || 2000348 || 12 || trojan-activity || 0 || ET TROJAN IRC Channel JOIN on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000348 +1 || 2000349 || 11 || policy-violation || 0 || ET TROJAN IRC DCC file transfer request on non-std port || url,doc.emergingthreats.net/bin/view/Main/2000349 +1 || 2000350 || 11 || policy-violation || 0 || ET TROJAN IRC DCC chat request on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000350 +1 || 2000351 || 11 || policy-violation || 0 || ET TROJAN IRC Channel join on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000351 +1 || 2000352 || 10 || policy-violation || 0 || ET TROJAN IRC DNS request on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000352 +1 || 2000355 || 5 || misc-activity || 0 || ET CHAT IRC authorization message || url,doc.emergingthreats.net/2000355 +1 || 2000356 || 5 || misc-activity || 0 || ET POLICY IRC connection || url,doc.emergingthreats.net/2000356 +1 || 2000357 || 8 || policy-violation || 0 || ET P2P BitTorrent Traffic || url,bitconjurer.org/BitTorrent/protocol.html || url,doc.emergingthreats.net/bin/view/Main/2000357 +1 || 2000366 || 14 || trojan-activity || 0 || ET MALWARE Binet (download complete) || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html || url,doc.emergingthreats.net/bin/view/Main/2000366 +1 || 2000367 || 11 || trojan-activity || 0 || ET MALWARE Binet (set_pix) || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html || url,doc.emergingthreats.net/bin/view/Main/2000367 +1 || 2000369 || 6 || policy-violation || 0 || ET P2P BitTorrent Announce || url,bitconjurer.org/BitTorrent/protocol.html || url,doc.emergingthreats.net/bin/view/Main/2000369 +1 || 2000371 || 12 || trojan-activity || 0 || ET MALWARE Binet (randreco.exe) || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html || url,doc.emergingthreats.net/bin/view/Main/2000371 +1 || 2000372 || 8 || attempted-user || 0 || ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,doc.emergingthreats.net/bin/view/Main/2000372 +1 || 2000373 || 7 || attempted-user || 0 || ET EXPLOIT MS-SQL SQL Injection line comment || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,doc.emergingthreats.net/bin/view/Main/2000373 +1 || 2000377 || 7 || attempted-admin || 0 || ET EXPLOIT MS-SQL heap overflow attempt || url,www.nextgenss.com/papers/tp-SQL2000.pdf || url,doc.emergingthreats.net/bin/view/Main/2000377 +1 || 2000378 || 8 || attempted-dos || 0 || ET EXPLOIT MS-SQL DOS attempt (08) || url,www.nextgenss.com/papers/tp-SQL2000.pdf || url,doc.emergingthreats.net/bin/view/Main/2000378 +1 || 2000379 || 7 || attempted-dos || 0 || ET EXPLOIT MS-SQL DOS attempt (08) 1 byte || url,www.nextgenss.com/papers/tp-SQL2000.pdf || url,doc.emergingthreats.net/bin/view/Main/2000379 +1 || 2000380 || 9 || attempted-admin || 0 || ET EXPLOIT MS-SQL Spike buffer overflow || bugtraq,5411 || url,doc.emergingthreats.net/bin/view/Main/2000380 +1 || 2000381 || 8 || attempted-dos || 0 || ET EXPLOIT MS-SQL DOS bouncing packets || url,www.nextgenss.com/papers/tp-SQL2000.pdf || url,doc.emergingthreats.net/bin/view/Main/2000381 +1 || 2000418 || 11 || policy-violation || 0 || ET POLICY Executable and linking format (ELF) file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm || url,doc.emergingthreats.net/bin/view/Main/2000418 +1 || 2000419 || 22 || policy-violation || 0 || ET POLICY PE EXE or DLL Windows file download || url,doc.emergingthreats.net/bin/view/Main/2000419 +1 || 2000420 || 11 || misc-activity || 0 || ET POLICY REG files version 4 download || url,www.ss64.com/nt/regedit.html || url,doc.emergingthreats.net/bin/view/Main/2000420 +1 || 2000421 || 10 || misc-activity || 0 || ET POLICY REG files version 5 download || url,www.ss64.com/nt/regedit.html || url,doc.emergingthreats.net/bin/view/Main/2000421 +1 || 2000422 || 10 || misc-activity || 0 || ET POLICY REG files version 5 Unicode download || url,www.ss64.com/nt/regedit.html || url,doc.emergingthreats.net/bin/view/Main/2000422 +1 || 2000423 || 10 || misc-activity || 0 || ET DELETED NE EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm || url,doc.emergingthreats.net/bin/view/Main/2000423 +1 || 2000424 || 9 || misc-activity || 0 || ET DELETED LX EXE OS2 file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm || url,doc.emergingthreats.net/bin/view/Main/2000424 +1 || 2000425 || 9 || misc-activity || 0 || ET DELETED NE EXE Windows 3.x file download || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm || url,doc.emergingthreats.net/bin/view/Main/2000425 +1 || 2000426 || 9 || misc-activity || 0 || ET POLICY EXE compressed PKWARE Windows file download || url,www.program-transformation.org/Transform/PcExeFormat || url,doc.emergingthreats.net/bin/view/Main/2000426 +1 || 2000427 || 14 || policy-violation || 0 || ET DELETED PE EXE Install Windows file download || url,www.program-transformation.org/Transform/PcExeFormat || url,doc.emergingthreats.net/bin/view/Main/2000427 +1 || 2000428 || 10 || misc-activity || 0 || ET POLICY ZIP file download || url,zziplib.sourceforge.net/zzip-parse.print.html || url,doc.emergingthreats.net/bin/view/Main/2000428 +1 || 2000429 || 9 || misc-activity || 0 || ET POLICY Download Windows Help File CHM 2 || url,www.speakeasy.org/~russotto/chm/chmformat.html || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,doc.emergingthreats.net/bin/view/Main/2000429 +1 || 2000466 || 7 || attempted-recon || 0 || ET MALWARE User-Agent (iexplore) || url,doc.emergingthreats.net/2000466 +1 || 2000488 || 7 || attempted-user || 0 || ET EXPLOIT MS-SQL SQL Injection closing string plus line comment || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,doc.emergingthreats.net/bin/view/Main/2000488 +1 || 2000489 || 9 || misc-activity || 0 || ET POLICY Download Windows Help File CHM || url,www.speakeasy.org/~russotto/chm/chmformat.html || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,doc.emergingthreats.net/bin/view/Main/2000489 +1 || 2000499 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access COM1 || url,doc.emergingthreats.net/bin/view/Main/2000499 +1 || 2000500 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access COM2 || url,doc.emergingthreats.net/bin/view/Main/2000500 +1 || 2000501 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access COM3 || url,doc.emergingthreats.net/bin/view/Main/2000501 +1 || 2000502 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access COM4 || url,doc.emergingthreats.net/bin/view/Main/2000502 +1 || 2000503 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access LPT1 || url,doc.emergingthreats.net/bin/view/Main/2000503 +1 || 2000504 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access LPT2 || url,doc.emergingthreats.net/bin/view/Main/2000504 +1 || 2000505 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access LPT3 || url,doc.emergingthreats.net/bin/view/Main/2000505 +1 || 2000506 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access LPT4 || url,doc.emergingthreats.net/bin/view/Main/2000506 +1 || 2000507 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access AUX || url,doc.emergingthreats.net/bin/view/Main/2000507 +1 || 2000508 || 8 || string-detect || 0 || ET ATTACK_RESPONSE FTP inaccessible directory access NULL || url,doc.emergingthreats.net/bin/view/Main/2000508 +1 || 2000514 || 8 || misc-attack || 0 || ET MALWARE IE homepage hijacking || url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm || url,doc.emergingthreats.net/bin/view/Main/2000514 +1 || 2000519 || 11 || misc-attack || 0 || ET MALWARE shell browser vulnerability W9x/XP || url,www.packetfocus.com/shell_exploit.htm || url,doc.emergingthreats.net/bin/view/Main/2000519 +1 || 2000520 || 11 || misc-attack || 0 || ET MALWARE shell browser vulnerability NT/2K || url,www.packetfocus.com/shell_exploit.htm || url,doc.emergingthreats.net/bin/view/Main/2000520 +1 || 2000536 || 7 || attempted-recon || 0 || ET SCAN NMAP -sO || url,doc.emergingthreats.net/2000536 +1 || 2000537 || 8 || attempted-recon || 0 || ET SCAN NMAP -sS window 2048 || url,doc.emergingthreats.net/2000537 +1 || 2000538 || 8 || attempted-recon || 0 || ET SCAN NMAP -sA (1) || url,doc.emergingthreats.net/2000538 +1 || 2000540 || 8 || attempted-recon || 0 || ET SCAN NMAP -sA (2) || url,doc.emergingthreats.net/2000540 +1 || 2000543 || 7 || attempted-recon || 0 || ET SCAN NMAP -f -sF || url,doc.emergingthreats.net/2000543 +1 || 2000544 || 7 || attempted-recon || 0 || ET SCAN NMAP -f -sN || url,doc.emergingthreats.net/2000544 +1 || 2000545 || 7 || attempted-recon || 0 || ET SCAN NMAP -f -sS || url,doc.emergingthreats.net/2000545 +1 || 2000546 || 7 || attempted-recon || 0 || ET SCAN NMAP -f -sX || url,doc.emergingthreats.net/2000546 +1 || 2000559 || 14 || web-application-attack || 0 || ET WEB_SERVER THCIISLame IIS SSL Exploit Attempt || url,www.thc.org/exploits/THCIISSLame.c || url,isc.sans.org/diary.php?date=2004-07-17 || url,doc.emergingthreats.net/2000559 +1 || 2000560 || 10 || misc-activity || 0 || ET POLICY HTTP CONNECT Tunnel Attempt Inbound || url,doc.emergingthreats.net/2000560 +1 || 2000562 || 12 || suspicious-filename-detect || 0 || ET TROJAN OUTBOUND Suspicious Email Attachment || url,doc.emergingthreats.net/2000562 +1 || 2000563 || 11 || misc-attack || 0 || ET EXPLOIT Pwdump3e Password Hash Retrieval port 445 || url,doc.emergingthreats.net/bin/view/Main/2000563 +1 || 2000564 || 9 || misc-attack || 0 || ET EXPLOIT Pwdump3e pwservice.exe Access port 445 || url,doc.emergingthreats.net/bin/view/Main/2000564 +1 || 2000565 || 8 || suspicious-login || 0 || ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139 || url,doc.emergingthreats.net/bin/view/Main/2000565 +1 || 2000566 || 8 || suspicious-login || 0 || ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445 || url,doc.emergingthreats.net/bin/view/Main/2000566 +1 || 2000567 || 8 || misc-attack || 0 || ET EXPLOIT Pwdump3e pwservice.exe Access port 139 || url,doc.emergingthreats.net/bin/view/Main/2000567 +1 || 2000568 || 10 || misc-attack || 0 || ET EXPLOIT Pwdump3e Password Hash Retrieval port 139 || url,doc.emergingthreats.net/bin/view/Main/2000568 +1 || 2000569 || 6 || policy-violation || 0 || ET DELETED KitCo Kcast Ticker (agtray) || url,doc.emergingthreats.net/2000569 +1 || 2000570 || 6 || policy-violation || 0 || ET DELETED KitCo Kcast Ticker (autray) || url,doc.emergingthreats.net/2000570 +1 || 2000571 || 8 || policy-violation || 0 || ET POLICY AOL Webmail Message Send || url,doc.emergingthreats.net/bin/view/Main/2000571 +1 || 2000572 || 7 || policy-violation || 0 || ET POLICY AOL Webmail Login || url,doc.emergingthreats.net/bin/view/Main/2000572 +1 || 2000574 || 11 || trojan-activity || 0 || ET MALWARE Bargain Buddy || url,www.doxdesk.com/parasite/BargainBuddy.html || url,doc.emergingthreats.net/bin/view/Main/2000574 +1 || 2000575 || 7 || misc-activity || 0 || ET SCAN ICMP PING IPTools || url,www.ks-soft.net/ip-tools.eng || url,www.ks-soft.net/ip-tools.eng/index.htm || url,doc.emergingthreats.net/2000575 +1 || 2000577 || 10 || policy-violation || 0 || ET DELETED Popuptraffic.com Bot Reporting || url,popuptraffic.com || url,doc.emergingthreats.net/bin/view/Main/2000577 +1 || 2000580 || 9 || policy-violation || 0 || ET MALWARE Shop At Home Select.com Install Attempt || url,www.spywareguide.com/product_show.php?id=700 || url,www.shopathomeselect.com || url,doc.emergingthreats.net/bin/view/Main/2000580 +1 || 2000581 || 10 || policy-violation || 0 || ET MALWARE Shop At Home Select.com Install Download || url,www.spywareguide.com/product_show.php?id=700 || url,www.shopathomeselect.com || url,doc.emergingthreats.net/bin/view/Main/2000581 +1 || 2000582 || 9 || trojan-activity || 0 || ET MALWARE F1Organizer Reporting || url,doc.emergingthreats.net/bin/view/Main/2000582 +1 || 2000583 || 9 || trojan-activity || 0 || ET MALWARE Mindset Interactive Install (1) || url,www.mindsetinteractive.com || url,doc.emergingthreats.net/bin/view/Main/2000583 +1 || 2000584 || 9 || trojan-activity || 0 || ET MALWARE Mindset Interactive Install (2) || url,www.mindsetinteractive.com || url,doc.emergingthreats.net/bin/view/Main/2000584 +1 || 2000585 || 9 || trojan-activity || 0 || ET MALWARE F1Organizer Install Attempt || url,doc.emergingthreats.net/bin/view/Main/2000585 +1 || 2000586 || 32 || trojan-activity || 0 || ET MALWARE Ezula Related User-Agent (mez) || url,www.ezula.com || url,www.spyany.com/program/article_spw_rm_eZuLa.html || url,doc.emergingthreats.net/2000586 +1 || 2000587 || 12 || trojan-activity || 0 || ET MALWARE SpywareLabs VirtualBouncer Seeking Instructions || url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html || url,doc.emergingthreats.net/bin/view/Main/2000587 +1 || 2000588 || 11 || trojan-activity || 0 || ET MALWARE TopMoxie Reporting Data to External Host || url,www.topmoxie.com || url,doc.emergingthreats.net/bin/view/Main/2000588 +1 || 2000589 || 9 || trojan-activity || 0 || ET MALWARE TopMoxie Retrieving Data (downloads) || url,www.topmoxie.com || url,doc.emergingthreats.net/bin/view/Main/2000589 +1 || 2000590 || 9 || trojan-activity || 0 || ET MALWARE TopMoxie Retrieving Data (common) || url,www.topmoxie.com || url,doc.emergingthreats.net/bin/view/Main/2000590 +1 || 2000593 || 9 || trojan-activity || 0 || ET MALWARE Binet Ad Retrieval || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html || url,doc.emergingthreats.net/bin/view/Main/2000593 +1 || 2000594 || 7 || trojan-activity || 0 || ET MALWARE Mindset Interactive Ad Retrieval || url,www.mindsetinteractive.com || url,doc.emergingthreats.net/bin/view/Main/2000594 +1 || 2000595 || 11 || policy-violation || 0 || ET DELETED Gator Checkin || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999 || url,doc.emergingthreats.net/bin/view/Main/2000595 +1 || 2000596 || 14 || policy-violation || 0 || ET MALWARE Gator/Claria Data Submission || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999 || url,doc.emergingthreats.net/bin/view/Main/2000596 +1 || 2000597 || 9 || policy-violation || 0 || ET MALWARE Gator New Code Download || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999 || url,doc.emergingthreats.net/bin/view/Main/2000597 +1 || 2000598 || 9 || policy-violation || 0 || ET DELETED Altnet PeerPoints Manager Data Submission || url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html || url,doc.emergingthreats.net/bin/view/Main/2000598 +1 || 2000599 || 8 || policy-violation || 0 || ET MALWARE Fun Web Products Install || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2000599 +1 || 2000600 || 13 || trojan-activity || 0 || ET MALWARE MyWebSearch Toolbar Receiving Configuration || url,doc.emergingthreats.net/bin/view/Main/2000600 +1 || 2000601 || 7 || trojan-activity || 0 || ET MALWARE Salongas Infection || url,doc.emergingthreats.net/bin/view/Main/2000601 +1 || 2000900 || 8 || trojan-activity || 0 || ET MALWARE JoltID Agent Probing or Announcing UDP || url,www.joltid.com || url,forum.treweeke.com/lofiversion/index.php/t597.html || url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html || url,doc.emergingthreats.net/bin/view/Main/2000900 +1 || 2000901 || 9 || trojan-activity || 0 || ET MALWARE JoltID Agent Communicating TCP || url,www.joltid.com || url,forum.treweeke.com/lofiversion/index.php/t597.html || url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html || url,doc.emergingthreats.net/bin/view/Main/2000901 +1 || 2000902 || 9 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware Configuration Access || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2000902 +1 || 2000903 || 8 || trojan-activity || 0 || ET MALWARE Avres Agent Receiving Instructions || url,www.avres.net || url,ar.avres.net/ie/updatenew/ || url,doc.emergingthreats.net/bin/view/Main/2000903 +1 || 2000905 || 9 || trojan-activity || 0 || ET MALWARE FlashPoint Agent Retrieving New Code || url,www.flashpoint.bm || url,doc.emergingthreats.net/bin/view/Main/2000905 +1 || 2000906 || 9 || policy-violation || 0 || ET DELETED Altnet PeerPoints Manager Start || url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html || url,doc.emergingthreats.net/bin/view/Main/2000906 +1 || 2000907 || 10 || policy-violation || 0 || ET DELETED Altnet PeerPoints Manager Settings Download || url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html || url,doc.emergingthreats.net/bin/view/Main/2000907 +1 || 2000908 || 12 || policy-violation || 0 || ET MALWARE WhenUClick.com App and Search Bar Install (1) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000908 +1 || 2000909 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com App and Search Bar Install (2) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000909 +1 || 2000910 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com Clock Sync App Checkin || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000910 +1 || 2000911 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com Weather App Checkin || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000911 +1 || 2000912 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com Clock Sync App Checkin (1) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000912 +1 || 2000913 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com Clock Sync App Checkin (2) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000913 +1 || 2000914 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com Weather App Checkin (1) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000914 +1 || 2000915 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com Weather App Checkin (2) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000915 +1 || 2000916 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com WhenUSave App Checkin || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000916 +1 || 2000917 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com WhenUSave Data Retrieval (offersdata) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000917 +1 || 2000918 || 10 || policy-violation || 0 || ET MALWARE WhenUClick.com Desktop Bar Install || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000918 +1 || 2000919 || 11 || policy-violation || 0 || ET MALWARE WhenUClick.com WhenUSave Data Retrieval (Searchdb) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2000919 +1 || 2000920 || 11 || trojan-activity || 0 || ET MALWARE Hotbar Install (1) || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2000920 +1 || 2000921 || 10 || trojan-activity || 0 || ET MALWARE Hotbar Install (2) || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2000921 +1 || 2000922 || 10 || trojan-activity || 0 || ET MALWARE Hotbar Install (3) || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2000922 +1 || 2000923 || 11 || trojan-activity || 0 || ET MALWARE Hotbar Agent Reporting Information || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2000923 +1 || 2000924 || 10 || trojan-activity || 0 || ET MALWARE Hotbar Agent Upgrading || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2000924 +1 || 2000925 || 9 || trojan-activity || 0 || ET MALWARE Hotbar Agent Partner Checkin || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2000925 +1 || 2000927 || 9 || trojan-activity || 0 || ET MALWARE ISearchTech.com XXXPornToolbar Reporting || url,www.isearchtech.com || url,doc.emergingthreats.net/bin/view/Main/2000927 +1 || 2000928 || 10 || trojan-activity || 0 || ET MALWARE ISearchTech.com XXXPornToolbar Activity (1) || url,www.isearchtech.com || url,doc.emergingthreats.net/bin/view/Main/2000928 +1 || 2000929 || 10 || trojan-activity || 0 || ET MALWARE Hotbar Agent Activity || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2000929 +1 || 2000930 || 10 || trojan-activity || 0 || ET DELETED 180solutions Update Engine || url,www.safer-networking.org/index.php?page=threats&detail=212 || url,doc.emergingthreats.net/bin/view/Main/2000930 +1 || 2000931 || 10 || policy-violation || 0 || ET MALWARE Comet Systems Spyware Traffic || url,doc.emergingthreats.net/bin/view/Main/2000931 +1 || 2000932 || 8 || trojan-activity || 0 || ET MALWARE Keenvalue Update Engine || url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24 || url,doc.emergingthreats.net/bin/view/Main/2000932 +1 || 2000934 || 10 || trojan-activity || 0 || ET DELETED 2020search Update Engine || url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04 || url,doc.emergingthreats.net/bin/view/Main/2000934 +1 || 2000936 || 9 || trojan-activity || 0 || ET MALWARE FlashTrack Agent Retrieving New App Code || url,www.flashpoint.bm || url,doc.emergingthreats.net/bin/view/Main/2000936 +1 || 2001013 || 9 || policy-violation || 0 || ET MALWARE Fun Web Products SmileyCentral || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2001013 +1 || 2001015 || 9 || trojan-activity || 0 || ET MALWARE JoltID Agent Keep-Alive || url,www.joltid.com || url,forum.treweeke.com/lofiversion/index.php/t597.html || url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html || url,doc.emergingthreats.net/bin/view/Main/2001015 +1 || 2001016 || 10 || policy-violation || 0 || ET MALWARE SideStep Bar Install || url,www.sidestep.com || url,www.spyany.com/program/article_spw_rm_SideStep.html || url,doc.emergingthreats.net/bin/view/Main/2001016 +1 || 2001017 || 10 || policy-violation || 0 || ET MALWARE SideStep Bar Reporting Data || url,www.sidestep.com || url,www.spyany.com/program/article_spw_rm_SideStep.html || url,doc.emergingthreats.net/bin/view/Main/2001017 +1 || 2001022 || 5 || bad-unknown || 0 || ET EXPLOIT Invalid non-fragmented packet with fragment offset>0 || url,doc.emergingthreats.net/bin/view/Main/2001022 +1 || 2001023 || 5 || bad-unknown || 0 || ET EXPLOIT Invalid fragment - ACK reset || url,doc.emergingthreats.net/bin/view/Main/2001023 +1 || 2001024 || 5 || bad-unknown || 0 || ET EXPLOIT Invalid fragment - illegal flags || url,doc.emergingthreats.net/bin/view/Main/2001024 +1 || 2001031 || 9 || trojan-activity || 0 || ET MALWARE Casino on Net Reporting Data || url,www.888casino.net || url,doc.emergingthreats.net/bin/view/Main/2001031 +1 || 2001032 || 9 || trojan-activity || 0 || ET MALWARE Casino on Net Ping Hit || url,www.888casino.net || url,doc.emergingthreats.net/bin/view/Main/2001032 +1 || 2001033 || 9 || trojan-activity || 0 || ET MALWARE Casino on Net Data Download || url,www.888casino.net || url,doc.emergingthreats.net/bin/view/Main/2001033 +1 || 2001034 || 23 || policy-violation || 0 || ET DELETED Fun Web Products Adware Agent Traffic || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2001034 +1 || 2001035 || 8 || policy-violation || 0 || ET P2P Morpheus Install || url,www.morpheus.com || url,doc.emergingthreats.net/bin/view/Main/2001035 +1 || 2001036 || 8 || policy-violation || 0 || ET P2P Morpheus Install ini Download || url,www.morpheus.com || url,doc.emergingthreats.net/bin/view/Main/2001036 +1 || 2001037 || 8 || policy-violation || 0 || ET P2P Morpheus Update Request || url,www.morpheus.com || url,doc.emergingthreats.net/bin/view/Main/2001037 +1 || 2001038 || 9 || policy-violation || 0 || ET MALWARE Ebates Install || url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp || url,doc.emergingthreats.net/bin/view/Main/2001038 +1 || 2001040 || 10 || trojan-activity || 0 || ET MALWARE My Search Bar Install || url,www.2-spyware.com/parasite-my-search-bar.html || url,doc.emergingthreats.net/bin/view/Main/2001040 +1 || 2001041 || 9 || trojan-activity || 0 || ET MALWARE Casino on Net Install || url,www.888casino.net || url,doc.emergingthreats.net/bin/view/Main/2001041 +1 || 2001043 || 12 || policy-violation || 0 || ET DELETED Fun Web Products MyWay Agent Traffic || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2001043 +1 || 2001044 || 8 || policy-violation || 0 || ET POLICY Yahoo Briefcase Upload || url,doc.emergingthreats.net/2001044 +1 || 2001046 || 13 || misc-activity || 0 || ET TROJAN UPX compressed file download possible malware || url,doc.emergingthreats.net/2001046 +1 || 2001047 || 13 || misc-activity || 0 || ET MALWARE UPX encrypted file download possible malware || url,doc.emergingthreats.net/2001047 +1 || 2001048 || 9 || misc-activity || 0 || ET WEB_CLIENT IE process injection iexplore.exe executable download || url,doc.emergingthreats.net/bin/view/Main/2001048 +1 || 2001050 || 9 || policy-violation || 0 || ET MALWARE CometSystems Spyware || url,doc.emergingthreats.net/bin/view/Main/2001050 +1 || 2001052 || 8 || misc-activity || 0 || ET EXPLOIT NTDump Session Established Reg-Entry port 139 || url,doc.emergingthreats.net/bin/view/Main/2001052 +1 || 2001053 || 7 || misc-activity || 0 || ET EXPLOIT NTDump.exe Service Started port 139 || url,doc.emergingthreats.net/bin/view/Main/2001053 +1 || 2001055 || 6 || attempted-admin || 0 || ET MISC HP Web JetAdmin ExecuteFile admin access || bugtraq,10224 || url,doc.emergingthreats.net/2001055 +1 || 2001056 || 7 || misc-activity || 0 || ET WORM W32/Sasser.worm.b || url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html || url,doc.emergingthreats.net/2001056 +1 || 2001057 || 7 || misc-activity || 0 || ET WORM W32/Sasser.worm.a || url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html || url,doc.emergingthreats.net/2001057 +1 || 2001058 || 8 || attempted-admin || 0 || ET EXPLOIT libpng tRNS overflow attempt || cve,CAN-2004-0597 || url,doc.emergingthreats.net/bin/view/Main/2001058 +1 || 2001059 || 9 || policy-violation || 0 || ET P2P Ares traffic || url,www.aresgalaxy.org || url,doc.emergingthreats.net/bin/view/Main/2001059 +1 || 2001066 || 8 || misc-activity || 0 || ET TROJAN IE Ilookup Trojan || url,62.131.86.111/analysis.htm || url,doc.emergingthreats.net/2001066 +1 || 2001099 || 10 || misc-attack || 0 || ET WEB_CLIENT Attempt to execute VBScript code || url,doc.emergingthreats.net/bin/view/Main/2001099 +1 || 2001101 || 13 || misc-attack || 0 || ET WEB_CLIENT Stealth attempt to execute Javascript code || url,doc.emergingthreats.net/bin/view/Main/2001101 +1 || 2001102 || 13 || misc-attack || 0 || ET WEB_CLIENT Stealth attempt to execute VBScript code || url,doc.emergingthreats.net/bin/view/Main/2001102 +1 || 2001103 || 13 || misc-attack || 0 || ET WEB_CLIENT Stealth attempt to access SHELL#=#= || url,doc.emergingthreats.net/bin/view/Main/2001103 +1 || 2001105 || 11 || misc-activity || 0 || ET WEB_CLIENT Javascript execution with expression eval || url,www.securiteam.com/exploits/3D5Q4RFPPK.html || url,doc.emergingthreats.net/bin/view/Main/2001105 +1 || 2001106 || 10 || misc-activity || 0 || ET WEB_CLIENT Javascript execution with expression eval hex || url,www.securiteam.com/exploits/3D5Q4RFPPK.html || url,doc.emergingthreats.net/bin/view/Main/2001106 +1 || 2001114 || 9 || bad-unknown || 0 || ET POLICY Mozilla XPI install files download || url,doc.emergingthreats.net/2001114 +1 || 2001115 || 7 || bad-unknown || 0 || ET POLICY MSI (microsoft installer file) download || url,doc.emergingthreats.net/bin/view/Main/2001115 +1 || 2001116 || 6 || not-suspicious || 0 || ET DNS Standard query response, Format error || url,doc.emergingthreats.net/2001116 +1 || 2001117 || 6 || not-suspicious || 0 || ET DNS Standard query response, Name Error || url,doc.emergingthreats.net/2001117 +1 || 2001118 || 6 || not-suspicious || 0 || ET DNS Standard query response, Not Implemented || url,doc.emergingthreats.net/2001118 +1 || 2001119 || 6 || not-suspicious || 0 || ET DNS Standard query response, Refused || url,doc.emergingthreats.net/2001119 +1 || 2001181 || 12 || misc-attack || 0 || ET ACTIVEX Internet Explorer Plugin.ocx Heap Overflow || url,www.hnc3k.com/ievulnerabil.htm || url,doc.emergingthreats.net/bin/view/Main/2001181 +1 || 2001182 || 11 || misc-attack || 0 || ET WEB_CLIENT IE trojan Ants3set 1.exe - process injection || url,doc.emergingthreats.net/bin/view/Main/2001182 +1 || 2001185 || 8 || policy-violation || 0 || ET P2P Soulseek traffic (1) || url,www.slsknet.org || url,doc.emergingthreats.net/bin/view/Main/2001185 +1 || 2001186 || 8 || policy-violation || 0 || ET P2P Soulseek traffic (2) || url,www.slsknet.org || url,doc.emergingthreats.net/bin/view/Main/2001186 +1 || 2001187 || 6 || policy-violation || 0 || ET P2P Soulseek Filesearch Results || url,www.slsknet.org || url,doc.emergingthreats.net/bin/view/Main/2001187 +1 || 2001188 || 8 || policy-violation || 0 || ET P2P Soulseek || url,www.slsknet.org || url,doc.emergingthreats.net/bin/view/Main/2001188 +1 || 2001190 || 11 || misc-activity || 0 || ET DELETED libPNG - Possible NULL-pointer crash in png_handle_iCCP || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html || url,doc.emergingthreats.net/bin/view/Main/2001190 +1 || 2001191 || 11 || misc-activity || 0 || ET EXPLOIT libPNG - Width exceeds limit || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html || url,doc.emergingthreats.net/bin/view/Main/2001191 +1 || 2001192 || 11 || misc-activity || 0 || ET DELETED libPNG - Height exceeds limit || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html || url,doc.emergingthreats.net/bin/view/Main/2001192 +1 || 2001195 || 9 || misc-activity || 0 || ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT || url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html || url,doc.emergingthreats.net/bin/view/Main/2001195 +1 || 2001197 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPNuke SQL injection attempt || url,www.waraxe.us/index.php?modname=sa&id=35 || url,doc.emergingthreats.net/2001197 +1 || 2001198 || 8 || trojan-activity || 0 || ET MALWARE Twaintec Download Attempt || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp || url,doc.emergingthreats.net/bin/view/Main/2001198 +1 || 2001199 || 8 || trojan-activity || 0 || ET MALWARE Twaintec Ad Retrieval || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp || url,doc.emergingthreats.net/bin/view/Main/2001199 +1 || 2001202 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPNuke general SQL injection attempt || url,www.waraxe.us/?modname=sa&id=030 || url,www.waraxe.us/?modname=sa&id=036 || url,doc.emergingthreats.net/2001202 +1 || 2001216 || 8 || trojan-activity || 0 || ET MALWARE Twaintec Reporting Data || url,www.pestpatrol.com/PestInfo/t/twain-tech.asp || url,doc.emergingthreats.net/bin/view/Main/2001216 +1 || 2001217 || 11 || attempted-admin || 0 || ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte || url,idefense.com/application/poi/display?id=126&type=vulnerabilities || url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html || cve,2004-0629 || url,doc.emergingthreats.net/bin/view/Main/2001217 +1 || 2001218 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt || url,www.waraxe.us/?modname=sa&id=030 || url,doc.emergingthreats.net/2001218 +1 || 2001219 || 18 || attempted-recon || 0 || ET SCAN Potential SSH Scan || url,en.wikipedia.org/wiki/Brute_force_attack || url,doc.emergingthreats.net/2001219 +1 || 2001221 || 8 || trojan-activity || 0 || ET MALWARE F1Organizer Config Download || url,doc.emergingthreats.net/bin/view/Main/2001221 +1 || 2001222 || 9 || trojan-activity || 0 || ET DELETED Default-homepage-network.com Access || url,default-homepage-network.com/start.cgi?new-hkcu || url,doc.emergingthreats.net/bin/view/Main/2001222 +1 || 2001223 || 9 || trojan-activity || 0 || ET MALWARE Regnow.com Access || url,www.regnow.com || url,doc.emergingthreats.net/bin/view/Main/2001223 +1 || 2001224 || 9 || trojan-activity || 0 || ET MALWARE Regnow.com Gamehouse.com Access || url,www.gamehouse.com || url,doc.emergingthreats.net/bin/view/Main/2001224 +1 || 2001225 || 11 || policy-violation || 0 || ET DELETED Statblaster Receiving New configuration (update) || url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html || url,doc.emergingthreats.net/bin/view/Main/2001225 +1 || 2001228 || 10 || policy-violation || 0 || ET MALWARE Advertising.com Data Post (villains) || url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html || url,doc.emergingthreats.net/bin/view/Main/2001228 +1 || 2001230 || 10 || policy-violation || 0 || ET MALWARE Advertising.com Data Post (cakedeal) || url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html || url,doc.emergingthreats.net/bin/view/Main/2001230 +1 || 2001233 || 8 || trojan-activity || 0 || ET WORM Possible CIA Trojan download/upload attempt || url,doc.emergingthreats.net/2001233 +1 || 2001235 || 13 || misc-activity || 0 || ET DELETED Weatherbug || url,doc.emergingthreats.net/bin/view/Main/2001235 +1 || 2001238 || 9 || web-application-activity || 0 || ET WEB_SPECIFIC_APPS Possible Xedus Webserver Directory Traversal Attempt || url,www.gulftech.org/?node=research&article_id=00047-08302004 || url,doc.emergingthreats.net/2001238 +1 || 2001239 || 9 || not-suspicious || 0 || ET POLICY Cisco Device in Config Mode || url,doc.emergingthreats.net/bin/view/Main/2001239 +1 || 2001240 || 9 || not-suspicious || 0 || ET POLICY Cisco Device New Config Built || url,doc.emergingthreats.net/bin/view/Main/2001240 +1 || 2001241 || 5 || policy-violation || 0 || ET CHAT MSN file transfer request || url,doc.emergingthreats.net/2001241 +1 || 2001242 || 5 || policy-violation || 0 || ET CHAT MSN file transfer accept || url,doc.emergingthreats.net/2001242 +1 || 2001243 || 5 || policy-violation || 0 || ET CHAT MSN file transfer reject || url,doc.emergingthreats.net/2001243 +1 || 2001253 || 7 || policy-violation || 0 || ET DELETED Yahoo IM successful logon || url,doc.emergingthreats.net/2001253 +1 || 2001254 || 5 || policy-violation || 0 || ET CHAT Yahoo IM voicechat || url,doc.emergingthreats.net/2001254 +1 || 2001255 || 6 || policy-violation || 0 || ET CHAT Yahoo IM ping || url,doc.emergingthreats.net/2001255 +1 || 2001256 || 5 || policy-violation || 0 || ET CHAT Yahoo IM conference invitation || url,doc.emergingthreats.net/2001256 +1 || 2001257 || 5 || policy-violation || 0 || ET CHAT Yahoo IM conference logon success || url,doc.emergingthreats.net/2001257 +1 || 2001258 || 5 || policy-violation || 0 || ET CHAT Yahoo IM conference message || url,doc.emergingthreats.net/2001258 +1 || 2001259 || 6 || policy-violation || 0 || ET CHAT Yahoo IM file transfer request || url,doc.emergingthreats.net/2001259 +1 || 2001260 || 6 || policy-violation || 0 || ET CHAT Yahoo IM message || url,doc.emergingthreats.net/2001260 +1 || 2001261 || 6 || policy-violation || 0 || ET DELETED Yahoo IM successful chat join || url,doc.emergingthreats.net/2001261 +1 || 2001262 || 5 || policy-violation || 0 || ET CHAT Yahoo IM conference offer invitation || url,doc.emergingthreats.net/2001262 +1 || 2001263 || 5 || policy-violation || 0 || ET CHAT Yahoo IM conference request || url,doc.emergingthreats.net/2001263 +1 || 2001264 || 5 || policy-violation || 0 || ET CHAT Yahoo IM conference watch || url,doc.emergingthreats.net/2001264 +1 || 2001266 || 15 || trojan-activity || 0 || ET DELETED Browseraid.com Agent Reporting Data || url,www.browseraid.com || url,doc.emergingthreats.net/bin/view/Main/2001266 +1 || 2001267 || 18 || misc-activity || 0 || ET POLICY Weatherbug Activity || url,doc.emergingthreats.net/bin/view/Main/2001267 +1 || 2001269 || 16 || trojan-activity || 0 || ET WORM Beagle User Agent Detected || url,securityresponse.symantec.com/avcenter/venc/data/w32.beagle.i@mm.html || url,doc.emergingthreats.net/2001269 +1 || 2001273 || 13 || trojan-activity || 0 || ET WORM Outbound W32.Novarg.A worm || url,securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html || url,doc.emergingthreats.net/2001273 +1 || 2001293 || 13 || trojan-activity || 0 || ET DELETED Featured-Results.com Agent Reporting Data || url,www.featured-results.com || url,doc.emergingthreats.net/bin/view/Main/2001293 +1 || 2001294 || 5 || successful-admin || 0 || ET POLICY Dameware Remote Control Service Install || url,doc.emergingthreats.net/2001294 +1 || 2001295 || 24 || trojan-activity || 0 || ET DELETED Browseraid.com User-Agent (Browser Adv) || url,www.browseraid.com || url,doc.emergingthreats.net/2001295 +1 || 2001296 || 9 || policy-violation || 0 || ET P2P eDonkey File Status || url,www.edonkey.com || url,doc.emergingthreats.net/bin/view/Main/2001296 +1 || 2001297 || 10 || policy-violation || 0 || ET P2P eDonkey File Status Request || url,www.edonkey.com || url,doc.emergingthreats.net/bin/view/Main/2001297 +1 || 2001298 || 9 || policy-violation || 0 || ET P2P eDonkey Server Status Request || url,www.edonkey.com || url,doc.emergingthreats.net/bin/view/Main/2001298 +1 || 2001299 || 9 || policy-violation || 0 || ET P2P eDonkey Server Status || url,www.edonkey.com || url,doc.emergingthreats.net/bin/view/Main/2001299 +1 || 2001304 || 10 || trojan-activity || 0 || ET DELETED Browseraid.com Agent Updating || url,www.browseraid.com || url,doc.emergingthreats.net/bin/view/Main/2001304 +1 || 2001306 || 11 || policy-violation || 0 || ET MALWARE Gator/Clarian Agent || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999 || url,doc.emergingthreats.net/bin/view/Main/2001306 +1 || 2001307 || 8 || trojan-activity || 0 || ET MALWARE Wild Tangent Agent Installation || url,www.spyany.com/program/article_spw_rm_WildTangent.html || url,www.wildtangent.com || url,doc.emergingthreats.net/bin/view/Main/2001307 +1 || 2001308 || 11 || policy-violation || 0 || ET MALWARE Internet Optomizer Reporting Data || url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html || url,doc.emergingthreats.net/bin/view/Main/2001308 +1 || 2001309 || 8 || trojan-activity || 0 || ET MALWARE Wild Tangent Agent Checking In || url,www.spyany.com/program/article_spw_rm_WildTangent.html || url,www.wildtangent.com || url,doc.emergingthreats.net/bin/view/Main/2001309 +1 || 2001310 || 8 || trojan-activity || 0 || ET MALWARE Wild Tangent Agent Traffic || url,www.spyany.com/program/article_spw_rm_WildTangent.html || url,www.wildtangent.com || url,doc.emergingthreats.net/bin/view/Main/2001310 +1 || 2001311 || 7 || trojan-activity || 0 || ET MALWARE Rdxrp.com Traffic || url,doc.emergingthreats.net/bin/view/Main/2001311 +1 || 2001312 || 7 || trojan-activity || 0 || ET MALWARE Rdxrp.com Traffic (Generic) || url,doc.emergingthreats.net/bin/view/Main/2001312 +1 || 2001313 || 8 || policy-violation || 0 || ET MALWARE Traffic Syndicate Add/Remove || url,doc.emergingthreats.net/bin/view/Main/2001313 +1 || 2001314 || 8 || trojan-activity || 0 || ET MALWARE Wild Tangent Agent || url,www.spyany.com/program/article_spw_rm_WildTangent.html || url,www.wildtangent.com || url,doc.emergingthreats.net/bin/view/Main/2001314 +1 || 2001315 || 10 || policy-violation || 0 || ET MALWARE Traffic Syndicate Agent Updating (1) || url,doc.emergingthreats.net/bin/view/Main/2001315 +1 || 2001316 || 10 || policy-violation || 0 || ET MALWARE Traffic Syndicate Agent Updating (2) || url,doc.emergingthreats.net/bin/view/Main/2001316 +1 || 2001317 || 10 || trojan-activity || 0 || ET MALWARE Webhancer Data Upload || url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html || url,doc.emergingthreats.net/bin/view/Main/2001317 +1 || 2001318 || 8 || policy-violation || 0 || ET DELETED Adwave Agent Access || url,www.intermute.com/spyware/HuntBar.html || url,doc.emergingthreats.net/bin/view/Main/2001318 +1 || 2001320 || 7 || trojan-activity || 0 || ET DELETED Speedera Agent || url,doc.emergingthreats.net/bin/view/Main/2001320 +1 || 2001321 || 7 || trojan-activity || 0 || ET MALWARE Speedera Agent (Specific) || url,doc.emergingthreats.net/bin/view/Main/2001321 +1 || 2001322 || 8 || trojan-activity || 0 || ET MALWARE Wild Tangent New Install || url,www.spyany.com/program/article_spw_rm_WildTangent.html || url,www.wildtangent.com || url,doc.emergingthreats.net/bin/view/Main/2001322 +1 || 2001325 || 10 || trojan-activity || 0 || ET MALWARE Websearch.com Spyware || mcafee,131461 || url,doc.emergingthreats.net/bin/view/Main/2001325 +1 || 2001328 || 13 || policy-violation || 0 || ET POLICY SSN Detected in Clear Text (dashed) || url,doc.emergingthreats.net/2001328 +1 || 2001329 || 8 || misc-activity || 0 || ET POLICY RDP connection request || url,doc.emergingthreats.net/2001329 +1 || 2001330 || 8 || misc-activity || 0 || ET POLICY RDP connection confirm || url,doc.emergingthreats.net/2001330 +1 || 2001331 || 8 || misc-activity || 0 || ET POLICY RDP disconnect request || url,doc.emergingthreats.net/2001331 +1 || 2001334 || 8 || trojan-activity || 0 || ET MALWARE Ezula || url,www.ezula.com || url,www.spyany.com/program/article_spw_rm_eZuLa.html || url,doc.emergingthreats.net/bin/view/Main/2001334 +1 || 2001335 || 9 || trojan-activity || 0 || ET MALWARE Ezula Installer Download || url,www.ezula.com || url,www.spyany.com/program/article_spw_rm_eZuLa.html || url,doc.emergingthreats.net/bin/view/Main/2001335 +1 || 2001337 || 7 || trojan-activity || 0 || ET WORM Korgo.P offering executable || url,www.f-secure.com/v-descs/korgo_p.shtml || url,doc.emergingthreats.net/2001337 +1 || 2001338 || 8 || trojan-activity || 0 || ET WORM Korgo.P binary upload || url,www.f-secure.com/v-descs/korgo_p.shtml || url,doc.emergingthreats.net/2001338 +1 || 2001339 || 9 || trojan-activity || 0 || ET MALWARE BInet Information Upload || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html || url,doc.emergingthreats.net/bin/view/Main/2001339 +1 || 2001340 || 11 || trojan-activity || 0 || ET MALWARE LocalNRD Spyware Checkin || url,www.localnrd.com || url,doc.emergingthreats.net/bin/view/Main/2001340 +1 || 2001341 || 11 || policy-violation || 0 || ET MALWARE OfferOptimizer.com Spyware || url,www.offeroptimizer.com || url,doc.emergingthreats.net/bin/view/Main/2001341 +1 || 2001342 || 25 || web-application-attack || 0 || ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization || url,doc.emergingthreats.net/2001342 || cve,CVE-2004-0847 +1 || 2001343 || 22 || web-application-attack || 0 || ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C || url,doc.emergingthreats.net/2001343 +1 || 2001345 || 9 || trojan-activity || 0 || ET MALWARE Bonziportal Traffic || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256 || url,doc.emergingthreats.net/bin/view/Main/2001345 +1 || 2001346 || 9 || policy-violation || 0 || ET INAPPROPRIATE Kiddy Porn preteen || url,doc.emergingthreats.net/bin/view/Main/2001346 +1 || 2001347 || 9 || policy-violation || 0 || ET INAPPROPRIATE Kiddy Porn pre-teen || url,doc.emergingthreats.net/bin/view/Main/2001347 +1 || 2001348 || 9 || policy-violation || 0 || ET INAPPROPRIATE Kiddy Porn early teen || url,doc.emergingthreats.net/bin/view/Main/2001348 +1 || 2001349 || 9 || policy-violation || 0 || ET INAPPROPRIATE free XXX || url,doc.emergingthreats.net/bin/view/Main/2001349 +1 || 2001350 || 9 || policy-violation || 0 || ET INAPPROPRIATE hardcore anal || url,doc.emergingthreats.net/bin/view/Main/2001350 +1 || 2001351 || 9 || policy-violation || 0 || ET INAPPROPRIATE masturbation || url,doc.emergingthreats.net/bin/view/Main/2001351 +1 || 2001352 || 9 || policy-violation || 0 || ET INAPPROPRIATE ejaculation || url,doc.emergingthreats.net/bin/view/Main/2001352 +1 || 2001353 || 9 || policy-violation || 0 || ET INAPPROPRIATE BDSM || url,doc.emergingthreats.net/bin/view/Main/2001353 +1 || 2001359 || 9 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware Access || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2001359 +1 || 2001363 || 7 || shellcode-detect || 0 || ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt || url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx || url,doc.emergingthreats.net/bin/view/Main/2001363 +1 || 2001364 || 7 || shellcode-detect || 0 || ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt || url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx || url,doc.emergingthreats.net/bin/view/Main/2001364 +1 || 2001365 || 12 || web-application-activity || 0 || ET WEB_SERVER Alternate Data Stream source view attempt || url,support.microsoft.com/kb/q188806/ || cve,1999-0278 || url,doc.emergingthreats.net/2001365 +1 || 2001366 || 10 || attempted-dos || 0 || ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt || bugtraq,11265 || url,doc.emergingthreats.net/bin/view/Main/2001366 +1 || 2001369 || 7 || shellcode-detect || 0 || ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit || url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php || url,doc.emergingthreats.net/bin/view/Main/2001369 +1 || 2001374 || 8 || misc-activity || 0 || ET EXPLOIT MS04-032 Bad EMF file || url,www.sygate.com/alerts/SSR20041013-0001.htm || url,doc.emergingthreats.net/bin/view/Main/2001374 +1 || 2001375 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (16 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001375 +1 || 2001376 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (16 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001376 +1 || 2001377 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (16 digit) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001377 +1 || 2001378 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (15 digit) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001378 +1 || 2001379 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001379 +1 || 2001380 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001380 +1 || 2001381 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (14 digit) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001381 +1 || 2001382 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (14 digit spaced) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001382 +1 || 2001383 || 12 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (14 digit dashed) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2001383 +1 || 2001384 || 13 || policy-violation || 0 || ET POLICY SSN Detected in Clear Text (spaced) || url,doc.emergingthreats.net/2001384 +1 || 2001385 || 6 || shellcode-detect || 0 || ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt || url,aluigi.altervista.org/adv/shixxbof-adv.txt || url,doc.emergingthreats.net/bin/view/Main/2001385 +1 || 2001386 || 7 || policy-violation || 0 || ET INAPPROPRIATE Kiddy Porn pthc || url,doc.emergingthreats.net/bin/view/Main/2001386 +1 || 2001387 || 7 || policy-violation || 0 || ET INAPPROPRIATE Kiddy Porn zeps || url,doc.emergingthreats.net/bin/view/Main/2001387 +1 || 2001388 || 7 || policy-violation || 0 || ET INAPPROPRIATE Kiddy Porn r@ygold || url,doc.emergingthreats.net/bin/view/Main/2001388 +1 || 2001389 || 7 || policy-violation || 0 || ET INAPPROPRIATE Kiddy Porn childlover || url,doc.emergingthreats.net/bin/view/Main/2001389 +1 || 2001392 || 11 || policy-violation || 0 || ET INAPPROPRIATE Sextracker Tracking Code Detected (1) || url,doc.emergingthreats.net/bin/view/Main/2001392 +1 || 2001393 || 11 || policy-violation || 0 || ET INAPPROPRIATE Sextracker Tracking Code Detected (2) || url,doc.emergingthreats.net/bin/view/Main/2001393 +1 || 2001395 || 10 || trojan-activity || 0 || ET MALWARE ISearchTech.com XXXPornToolbar Activity (2) || url,www.isearchtech.com || url,doc.emergingthreats.net/bin/view/Main/2001395 +1 || 2001396 || 8 || policy-violation || 0 || ET MALWARE Internet Optimizer Spyware Install || url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html || url,doc.emergingthreats.net/bin/view/Main/2001396 +1 || 2001397 || 12 || trojan-activity || 0 || ET DELETED 180solutions Spyware (tracked event reported) || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2001397 +1 || 2001398 || 9 || policy-violation || 0 || ET MALWARE Bfast.com Spyware || url,doc.emergingthreats.net/bin/view/Main/2001398 +1 || 2001399 || 10 || trojan-activity || 0 || ET DELETED 180solutions Spyware (action url reported) || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2001399 +1 || 2001400 || 12 || trojan-activity || 0 || ET DELETED 180solutions Spyware Reporting || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2001400 +1 || 2001402 || 5 || not-suspicious || 0 || ET POLICY ZIPPED DOC in transit || url,doc.emergingthreats.net/2001402 +1 || 2001403 || 5 || not-suspicious || 0 || ET POLICY ZIPPED XLS in transit || url,doc.emergingthreats.net/2001403 +1 || 2001404 || 5 || not-suspicious || 0 || ET POLICY ZIPPED EXE in transit || url,doc.emergingthreats.net/2001404 +1 || 2001405 || 5 || not-suspicious || 0 || ET POLICY ZIPPED PPT in transit || url,doc.emergingthreats.net/2001405 +1 || 2001406 || 10 || suspicious-filename-detect || 0 || ET POLICY Possible hidden zip extension .cpl || url,doc.emergingthreats.net/2001406 +1 || 2001407 || 10 || suspicious-filename-detect || 0 || ET POLICY Possible hidden zip extension .pif || url,doc.emergingthreats.net/2001407 +1 || 2001408 || 10 || suspicious-filename-detect || 0 || ET POLICY Possible hidden zip extension .scr || url,doc.emergingthreats.net/2001408 +1 || 2001415 || 10 || trojan-activity || 0 || ET DELETED E2give Related Downloading IeBHOs.dll || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728 || url,doc.emergingthreats.net/bin/view/Main/2001415 +1 || 2001416 || 9 || trojan-activity || 0 || ET MALWARE E2give Related Reporting Install || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728 || url,doc.emergingthreats.net/bin/view/Main/2001416 +1 || 2001417 || 10 || trojan-activity || 0 || ET MALWARE E2give Related Receiving Config || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728 || url,doc.emergingthreats.net/bin/view/Main/2001417 +1 || 2001418 || 9 || trojan-activity || 0 || ET MALWARE E2give Related Downloading Code || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728 || url,doc.emergingthreats.net/bin/view/Main/2001418 +1 || 2001423 || 9 || trojan-activity || 0 || ET MALWARE E2give Related Reporting || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728 || url,doc.emergingthreats.net/bin/view/Main/2001423 +1 || 2001424 || 7 || policy-violation || 0 || ET POLICY Gmail Inbox Access || url,doc.emergingthreats.net/2001424 +1 || 2001425 || 16 || policy-violation || 0 || ET POLICY Gmail File Send || url,doc.emergingthreats.net/2001425 +1 || 2001426 || 9 || policy-violation || 0 || ET POLICY Gmail Message Send || url,doc.emergingthreats.net/2001426 +1 || 2001427 || 5 || policy-violation || 0 || ET CHAT Yahoo IM Unavailable Status || url,doc.emergingthreats.net/2001427 +1 || 2001430 || 10 || trojan-activity || 0 || ET DELETED Bofra Victim Accessing Reactor Page || url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html || url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631 || url,doc.emergingthreats.net/2001430 +1 || 2001440 || 7 || trojan-activity || 0 || ET MALWARE Abox Download || url,doc.emergingthreats.net/bin/view/Main/2001440 +1 || 2001441 || 13 || trojan-activity || 0 || ET MALWARE Abox Install Report || url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html || url,doc.emergingthreats.net/bin/view/Main/2001441 +1 || 2001442 || 11 || trojan-activity || 0 || ET MALWARE Statblaster.MemoryWatcher Download || url,www.memorywatcher.com/eula.aspx || url,doc.emergingthreats.net/bin/view/Main/2001442 +1 || 2001443 || 10 || policy-violation || 0 || ET MALWARE WhenUClick.com Desktop Bar App Checkin || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2001443 +1 || 2001444 || 13 || trojan-activity || 0 || ET MALWARE Overpro Spyware Bundle Install || url,www.wildarcade.com || url,doc.emergingthreats.net/bin/view/Main/2001444 +1 || 2001445 || 12 || policy-violation || 0 || ET MALWARE PeopleOnPage Install || url,www.peopleonpage.com || url,www.safer-networking.org/en/threats/602.html || url,doc.emergingthreats.net/bin/view/Main/2001445 +1 || 2001446 || 12 || policy-violation || 0 || ET DELETED PeopleOnPage Ping || url,www.peopleonpage.com || url,www.safer-networking.org/en/threats/602.html || url,doc.emergingthreats.net/bin/view/Main/2001446 +1 || 2001447 || 8 || trojan-activity || 0 || ET MALWARE 2nd-thought (W32.Daqa.C) Download || url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html || url,doc.emergingthreats.net/bin/view/Main/2001447 +1 || 2001448 || 12 || trojan-activity || 0 || ET MALWARE MediaTickets Download || url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html || url,doc.emergingthreats.net/bin/view/Main/2001448 +1 || 2001449 || 8 || attempted-user || 0 || ET POLICY Proxy Connection detected || url,doc.emergingthreats.net/2001449 +1 || 2001450 || 13 || trojan-activity || 0 || ET MALWARE Wintools Download/Configure || url,www.intermute.com/spyware/HuntBar.html || url,doc.emergingthreats.net/bin/view/Main/2001450 +1 || 2001451 || 8 || policy-violation || 0 || ET MALWARE Bundleware Spyware Download || url,doc.emergingthreats.net/bin/view/Main/2001451 +1 || 2001452 || 8 || trojan-activity || 0 || ET MALWARE Bundleware Spyware CHM Download || url,doc.emergingthreats.net/bin/view/Main/2001452 +1 || 2001453 || 8 || policy-violation || 0 || ET MALWARE Couponage Download || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725 || url,doc.emergingthreats.net/bin/view/Main/2001453 +1 || 2001454 || 8 || policy-violation || 0 || ET MALWARE Couponage Configure || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725 || url,doc.emergingthreats.net/bin/view/Main/2001454 +1 || 2001455 || 7 || policy-violation || 0 || ET MALWARE Couponage Reporting || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725 || url,doc.emergingthreats.net/bin/view/Main/2001455 +1 || 2001456 || 7 || policy-violation || 0 || ET MALWARE ContextPanel Reporting || url,doc.emergingthreats.net/bin/view/Main/2001456 +1 || 2001458 || 7 || trojan-activity || 0 || ET MALWARE Bundleware Spyware cab Download || url,doc.emergingthreats.net/bin/view/Main/2001458 +1 || 2001459 || 11 || trojan-activity || 0 || ET MALWARE Overpro Spyware Games || url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html || url,doc.emergingthreats.net/bin/view/Main/2001459 +1 || 2001460 || 10 || trojan-activity || 0 || ET MALWARE Sexmaniack Install Tracking || url,doc.emergingthreats.net/bin/view/Main/2001460 +1 || 2001461 || 10 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs (1) || url,doc.emergingthreats.net/bin/view/Main/2001461 +1 || 2001462 || 9 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs Occuring || url,doc.emergingthreats.net/bin/view/Main/2001462 +1 || 2001463 || 11 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs (2) || url,doc.emergingthreats.net/bin/view/Main/2001463 +1 || 2001464 || 10 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs (3) || url,doc.emergingthreats.net/bin/view/Main/2001464 +1 || 2001466 || 10 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs (4) || url,doc.emergingthreats.net/bin/view/Main/2001466 +1 || 2001467 || 10 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs (5) || url,doc.emergingthreats.net/bin/view/Main/2001467 +1 || 2001468 || 9 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs CHM Exploit || url,doc.emergingthreats.net/bin/view/Main/2001468 +1 || 2001469 || 10 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs (6) || url,doc.emergingthreats.net/bin/view/Main/2001469 +1 || 2001470 || 10 || trojan-activity || 0 || ET MALWARE Xpire.info Multiple Spyware Installs (7) || url,doc.emergingthreats.net/bin/view/Main/2001470 +1 || 2001471 || 9 || trojan-activity || 0 || ET MALWARE Xpire.info Spyware Exploit || url,doc.emergingthreats.net/bin/view/Main/2001471 +1 || 2001472 || 9 || trojan-activity || 0 || ET MALWARE Xpire.info Spyware Install Reporting || url,doc.emergingthreats.net/bin/view/Main/2001472 +1 || 2001473 || 9 || trojan-activity || 0 || ET DELETED Searchmeup Spyware Install (toolbar) || url,doc.emergingthreats.net/bin/view/Main/2001473 +1 || 2001474 || 9 || trojan-activity || 0 || ET MALWARE Searchmeup Spyware Install (prog) || url,doc.emergingthreats.net/bin/view/Main/2001474 +1 || 2001475 || 9 || trojan-activity || 0 || ET MALWARE Searchmeup Spyware Receiving Commands || url,doc.emergingthreats.net/bin/view/Main/2001475 +1 || 2001479 || 9 || trojan-activity || 0 || ET MALWARE Coolsearch Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2001479 +1 || 2001480 || 9 || trojan-activity || 0 || ET MALWARE Searchmeup Spyware Install (systime) || url,doc.emergingthreats.net/bin/view/Main/2001480 +1 || 2001481 || 8 || trojan-activity || 0 || ET MALWARE MediaTickets Spyware Install || url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html || url,doc.emergingthreats.net/bin/view/Main/2001481 +1 || 2001482 || 8 || trojan-activity || 0 || ET MALWARE thebestsoft4u.com Spyware Install (1) || url,doc.emergingthreats.net/bin/view/Main/2001482 +1 || 2001483 || 9 || trojan-activity || 0 || ET MALWARE Searchmeup Spyware Install (mstask) || url,doc.emergingthreats.net/bin/view/Main/2001483 +1 || 2001484 || 9 || trojan-activity || 0 || ET MALWARE Searchmeup Spyware Install (d.exe) || url,doc.emergingthreats.net/bin/view/Main/2001484 +1 || 2001485 || 8 || trojan-activity || 0 || ET MALWARE thebestsoft4u.com Spyware Install (2) || url,doc.emergingthreats.net/bin/view/Main/2001485 +1 || 2001486 || 9 || trojan-activity || 0 || ET DELETED thebestsoft4u.com Spyware Install (3) || url,doc.emergingthreats.net/bin/view/Main/2001486 +1 || 2001488 || 9 || trojan-activity || 0 || ET MALWARE Tibsystems Spyware Download || url,doc.emergingthreats.net/bin/view/Main/2001488 +1 || 2001489 || 9 || trojan-activity || 0 || ET MALWARE Spygalaxy.ws Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2001489 +1 || 2001490 || 10 || trojan-activity || 0 || ET MALWARE ICQ-Update.biz Reporting Install || url,doc.emergingthreats.net/bin/view/Main/2001490 +1 || 2001491 || 11 || trojan-activity || 0 || ET MALWARE Xpire.info Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2001491 +1 || 2001492 || 37 || trojan-activity || 0 || ET MALWARE ISearchTech.com XXXPornToolbar Activity (MyApp) || url,www.isearchtech.com || url,doc.emergingthreats.net/2001492 +1 || 2001493 || 35 || trojan-activity || 0 || ET USER_AGENTS ISearchTech.com XXXPornToolbar Activity (IST) || url,www.isearchtech.com || url,doc.emergingthreats.net/2001493 +1 || 2001494 || 8 || trojan-activity || 0 || ET MALWARE Clickspring.net Spyware Reporting Successful Install || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745 || url,doc.emergingthreats.net/bin/view/Main/2001494 +1 || 2001495 || 10 || trojan-activity || 0 || ET MALWARE Outerinfo.com Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2001495 +1 || 2001496 || 7 || trojan-activity || 0 || ET MALWARE Outerinfo.com Spyware Advertising Campaign Download || url,doc.emergingthreats.net/bin/view/Main/2001496 +1 || 2001497 || 8 || trojan-activity || 0 || ET MALWARE Outerinfo.com Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2001497 +1 || 2001498 || 30 || trojan-activity || 0 || ET MALWARE Internet Optimizer Activity User-Agent (IOKernel) || url,doc.emergingthreats.net/2001498 +1 || 2001499 || 10 || trojan-activity || 0 || ET MALWARE Look2me Spyware Activity (1) || url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html || url,doc.emergingthreats.net/bin/view/Main/2001499 +1 || 2001500 || 8 || trojan-activity || 0 || ET MALWARE Clickspring.net Spyware Reporting || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745 || url,doc.emergingthreats.net/bin/view/Main/2001500 +1 || 2001501 || 9 || trojan-activity || 0 || ET MALWARE Clickspring.net Spyware Reporting || url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html || url,doc.emergingthreats.net/bin/view/Main/2001501 +1 || 2001503 || 10 || trojan-activity || 0 || ET MALWARE Medialoads.com Spyware Config || url,doc.emergingthreats.net/bin/view/Main/2001503 +1 || 2001505 || 10 || trojan-activity || 0 || ET MALWARE Smartpops.com Spyware Install rh.exe || url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html || url,doc.emergingthreats.net/bin/view/Main/2001505 +1 || 2001507 || 12 || trojan-activity || 0 || ET MALWARE Medialoads.com Spyware Identifying Country of Origin || url,doc.emergingthreats.net/bin/view/Main/2001507 +1 || 2001508 || 12 || trojan-activity || 0 || ET DELETED Medialoads.com Spyware Reporting (download.cgi) || url,doc.emergingthreats.net/bin/view/Main/2001508 +1 || 2001509 || 11 || trojan-activity || 0 || ET MALWARE Medialoads.com Spyware Reporting (register.cgi) || url,doc.emergingthreats.net/bin/view/Main/2001509 +1 || 2001510 || 9 || trojan-activity || 0 || ET MALWARE SurfAssistant.com Spyware Install || url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html || url,doc.emergingthreats.net/bin/view/Main/2001510 +1 || 2001513 || 9 || trojan-activity || 0 || ET MALWARE Smartpops.com Spyware Update || url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html || url,doc.emergingthreats.net/bin/view/Main/2001513 +1 || 2001514 || 10 || trojan-activity || 0 || ET MALWARE SurfAssistant.com Spyware Reporting || url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html || url,doc.emergingthreats.net/bin/view/Main/2001514 +1 || 2001516 || 9 || trojan-activity || 0 || ET MALWARE Smartpops.com Spyware Install || url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html || url,doc.emergingthreats.net/bin/view/Main/2001516 +1 || 2001517 || 9 || trojan-activity || 0 || ET MALWARE Websearch.com Outbound Dialer Retrieval || mcafee,131461 || url,doc.emergingthreats.net/bin/view/Main/2001517 +1 || 2001520 || 10 || trojan-activity || 0 || ET MALWARE Spywaremover Activity || url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html || url,doc.emergingthreats.net/bin/view/Main/2001520 +1 || 2001521 || 12 || trojan-activity || 0 || ET MALWARE Spywaremover Activity || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903 || url,doc.emergingthreats.net/bin/view/Main/2001521 +1 || 2001522 || 14 || trojan-activity || 0 || ET MALWARE SpywareLabs Application Install || url,doc.emergingthreats.net/bin/view/Main/2001522 +1 || 2001523 || 9 || policy-violation || 0 || ET MALWARE Statblaster Receiving New configuration (allfiles) || url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html || url,doc.emergingthreats.net/bin/view/Main/2001523 +1 || 2001524 || 8 || policy-violation || 0 || ET MALWARE Statblaster Code Download || url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html || url,doc.emergingthreats.net/bin/view/Main/2001524 +1 || 2001525 || 9 || trojan-activity || 0 || ET MALWARE Virtumonde Spyware Code Download mmdom.exe || url,sarc.com/avcenter/venc/data/adware.virtumonde.html || url,doc.emergingthreats.net/bin/view/Main/2001525 +1 || 2001526 || 23 || trojan-activity || 0 || ET MALWARE Virtumonde Spyware Code Download bkinst.exe || url,www.lurhq.com/iframeads.html || url,doc.emergingthreats.net/bin/view/Main/2001526 +1 || 2001529 || 12 || trojan-activity || 0 || ET MALWARE Casalemedia Access, Likely Spyware || url,doc.emergingthreats.net/bin/view/Main/2001529 +1 || 2001530 || 10 || trojan-activity || 0 || ET MALWARE ak-networks.com Spyware Code Download || url,doc.emergingthreats.net/bin/view/Main/2001530 +1 || 2001531 || 14 || trojan-activity || 0 || ET DELETED C4tdownload.com Access, Likely Spyware || url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html || url,doc.emergingthreats.net/bin/view/Main/2001531 +1 || 2001532 || 13 || trojan-activity || 0 || ET DELETED Searchmiracle.com Access, Likely Spyware || url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html || url,doc.emergingthreats.net/bin/view/Main/2001532 +1 || 2001533 || 11 || trojan-activity || 0 || ET MALWARE Searchmiracle.com Spyware Installer silent.exe Download || url,www.searchmiracle.com/silent.exe || url,doc.emergingthreats.net/bin/view/Main/2001533 +1 || 2001534 || 13 || trojan-activity || 0 || ET MALWARE Searchmiracle.com Spyware Install (silent_install) || url,www.searchmiracle.com || url,doc.emergingthreats.net/bin/view/Main/2001534 +1 || 2001535 || 13 || trojan-activity || 0 || ET MALWARE Searchmiracle.com Spyware Install (protector.exe) || url,www.searchmiracle.com || url,doc.emergingthreats.net/bin/view/Main/2001535 +1 || 2001536 || 9 || trojan-activity || 0 || ET MALWARE Spyspotter.com Install || url,doc.emergingthreats.net/bin/view/Main/2001536 +1 || 2001537 || 15 || trojan-activity || 0 || ET MALWARE Spyspotter.com Access || url,doc.emergingthreats.net/bin/view/Main/2001537 +1 || 2001538 || 8 || trojan-activity || 0 || ET MALWARE Oenji.com Install || url,doc.emergingthreats.net/bin/view/Main/2001538 +1 || 2001539 || 11 || trojan-activity || 0 || ET MALWARE Spyspotter.com Access, Likely Spyware || url,doc.emergingthreats.net/bin/view/Main/2001539 +1 || 2001540 || 11 || trojan-activity || 0 || ET MALWARE Searchmiracle.com Spyware Install (v3cab) || url,www.searchmiracle.com || url,doc.emergingthreats.net/bin/view/Main/2001540 +1 || 2001541 || 12 || trojan-activity || 0 || ET MALWARE Xpire.info Install Report || url,doc.emergingthreats.net/bin/view/Main/2001541 +1 || 2001543 || 7 || misc-activity || 0 || ET EXPLOIT NTDump Session Established Reg-Entry port 445 || url,doc.emergingthreats.net/bin/view/Main/2001543 +1 || 2001544 || 7 || misc-activity || 0 || ET EXPLOIT NTDump.exe Service Started port 445 || url,doc.emergingthreats.net/bin/view/Main/2001544 +1 || 2001547 || 8 || trojan-activity || 0 || ET DELETED Sobig.E-F Trojan Site Download Request || url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html || url,doc.emergingthreats.net/2001547 +1 || 2001548 || 6 || attempted-admin || 0 || ET WORM Sasser FTP exploit attempt || url,www.lurhq.com/dabber.html || url,doc.emergingthreats.net/2001548 +1 || 2001553 || 7 || attempted-dos || 0 || ET SCAN Possible SSL Brute Force attack or Site Crawl || url,doc.emergingthreats.net/2001553 +1 || 2001562 || 32 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware User Configuration and Setup Access User-Agent (OSSProxy) || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/2001562 +1 || 2001563 || 7 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware SSL Access || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2001563 +1 || 2001564 || 10 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware Proxied Traffic || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2001564 +1 || 2001569 || 13 || misc-activity || 0 || ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection || url,doc.emergingthreats.net/2001569 +1 || 2001570 || 9 || trojan-activity || 0 || ET MALWARE Spyware Stormer Reporting Data || url,www.spywarestormer.com || url,doc.emergingthreats.net/bin/view/Main/2001570 +1 || 2001571 || 9 || trojan-activity || 0 || ET MALWARE Spyware Stormer/Error Guard Activity || url,www.spywarestormer.com || url,doc.emergingthreats.net/bin/view/Main/2001571 +1 || 2001576 || 8 || trojan-activity || 0 || ET MALWARE BInet Information Install Report || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html || url,doc.emergingthreats.net/bin/view/Main/2001576 +1 || 2001579 || 13 || misc-activity || 0 || ET SCAN Behavioral Unusual Port 139 traffic, Potential Scan or Infection || url,doc.emergingthreats.net/2001579 +1 || 2001580 || 13 || misc-activity || 0 || ET SCAN Behavioral Unusual Port 137 traffic, Potential Scan or Infection || url,doc.emergingthreats.net/2001580 +1 || 2001581 || 13 || misc-activity || 0 || ET SCAN Behavioral Unusual Port 135 traffic, Potential Scan or Infection || url,doc.emergingthreats.net/2001581 +1 || 2001582 || 13 || misc-activity || 0 || ET SCAN Behavioral Unusual Port 1434 traffic, Potential Scan or Infection || url,doc.emergingthreats.net/2001582 +1 || 2001583 || 14 || misc-activity || 0 || ET SCAN Behavioral Unusual Port 1433 traffic, Potential Scan or Infection || url,doc.emergingthreats.net/2001583 +1 || 2001586 || 9 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware Proxied Traffic (mitmproxy agent) || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2001586 +1 || 2001587 || 7 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware Upgrading || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2001587 +1 || 2001588 || 8 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware Activity (1) || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2001588 +1 || 2001589 || 8 || policy-violation || 0 || ET MALWARE MarketScore.com Spyware Activity (2) || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2001589 +1 || 2001595 || 10 || policy-violation || 0 || ET CHAT Skype VOIP Checking Version (Startup) || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf || url,doc.emergingthreats.net/2001595 +1 || 2001596 || 11 || policy-violation || 0 || ET DELETED Skype VOIP Reporting Install || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf || url,doc.emergingthreats.net/2001596 +1 || 2001597 || 5 || policy-violation || 0 || ET POLICY Netop Remote Control Usage || url,www.netop.com || url,doc.emergingthreats.net/2001597 +1 || 2001608 || 9 || policy-violation || 0 || ET INAPPROPRIATE Likely Porn || url,doc.emergingthreats.net/bin/view/Main/2001608 +1 || 2001609 || 12 || misc-activity || 0 || ET SCAN F5 BIG-IP 3DNS TCP Probe 1 || url,www.f5.com/f5products/v9intro/index.html || url,doc.emergingthreats.net/2001609 +1 || 2001610 || 12 || misc-activity || 0 || ET SCAN F5 BIG-IP 3DNS TCP Probe 2 || url,www.f5.com/f5products/v9intro/index.html || url,doc.emergingthreats.net/2001610 +1 || 2001611 || 12 || misc-activity || 0 || ET SCAN F5 BIG-IP 3DNS TCP Probe 3 || url,www.f5.com/f5products/v9intro/index.html || url,doc.emergingthreats.net/2001611 +1 || 2001616 || 13 || trojan-activity || 0 || ET ATTACK_RESPONSE Zone-H.org defacement notification || url,doc.emergingthreats.net/bin/view/Main/2001616 +1 || 2001620 || 10 || string-detect || 0 || ET DELETED Likely Botnet Activity || url,doc.emergingthreats.net/bin/view/Main/2001620 +1 || 2001621 || 35 || web-application-attack || 0 || ET DELETED Exploit Suspected PHP Injection Attack (name=) || cve,2002-0953 || url,doc.emergingthreats.net/2001621 +1 || 2001622 || 15 || web-application-attack || 0 || ET ACTIVEX winhlp32 ActiveX control attack, phase 1 || url,doc.emergingthreats.net/bin/view/Main/2001622 +1 || 2001623 || 14 || web-application-attack || 0 || ET ACTIVEX winhlp32 ActiveX control attack, phase 2 || url,doc.emergingthreats.net/bin/view/Main/2001623 +1 || 2001624 || 14 || web-application-attack || 0 || ET ACTIVEX winhlp32 ActiveX control attack, phase 3 || url,doc.emergingthreats.net/bin/view/Main/2001624 +1 || 2001628 || 9 || web-application-activity || 0 || ET ATTACK_RESPONSE Outbound PHP Connection || url,doc.emergingthreats.net/bin/view/Main/2001628 +1 || 2001639 || 30 || trojan-activity || 0 || ET DELETED Wild Tangent Agent User-Agent (WildTangent) || url,doc.emergingthreats.net/2001639 +1 || 2001640 || 23 || policy-violation || 0 || ET DELETED Altnet PeerPoints Manager Traffic User-Agent (Peer Points) || url,doc.emergingthreats.net/2001640 +1 || 2001641 || 8 || trojan-activity || 0 || ET MALWARE Microgaming.com Spyware Installation (dlhelper) || url,doc.emergingthreats.net/bin/view/Main/2001641 +1 || 2001643 || 9 || trojan-activity || 0 || ET MALWARE Microgaming.com Spyware Installation (2) || url,doc.emergingthreats.net/bin/view/Main/2001643 +1 || 2001644 || 8 || trojan-activity || 0 || ET MALWARE Microgaming.com Spyware Reporting Installation || url,doc.emergingthreats.net/bin/view/Main/2001644 +1 || 2001645 || 7 || trojan-activity || 0 || ET MALWARE Microgaming.com Spyware Casino App Install || url,doc.emergingthreats.net/bin/view/Main/2001645 +1 || 2001646 || 8 || trojan-activity || 0 || ET MALWARE Toprebates.com Install (1) || url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html || url,doc.emergingthreats.net/bin/view/Main/2001646 +1 || 2001647 || 8 || trojan-activity || 0 || ET MALWARE Toprebates.com Install (2) || url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html || url,doc.emergingthreats.net/bin/view/Main/2001647 +1 || 2001648 || 7 || trojan-activity || 0 || ET MALWARE Toprebates.com User Confirming Membership || url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html || url,doc.emergingthreats.net/bin/view/Main/2001648 +1 || 2001650 || 9 || policy-violation || 0 || ET MALWARE Search Scout Related Spyware (content) || url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html || url,doc.emergingthreats.net/bin/view/Main/2001650 +1 || 2001652 || 34 || trojan-activity || 0 || ET POLICY JoltID Agent New Code Download || url,www.joltid.com || url,forum.treweeke.com/lofiversion/index.php/t597.html || url,doc.emergingthreats.net/2001652 +1 || 2001653 || 9 || policy-violation || 0 || ET MALWARE Search Scout Related Spyware (results) || url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html || url,doc.emergingthreats.net/bin/view/Main/2001653 +1 || 2001654 || 11 || trojan-activity || 0 || ET MALWARE JoltID Agent Requesting File || url,www.joltid.com || url,forum.treweeke.com/lofiversion/index.php/t597.html || url,doc.emergingthreats.net/bin/view/Main/2001654 +1 || 2001655 || 8 || policy-violation || 0 || ET MALWARE Comet Systems Spyware Traffic (context.xml) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029 || url,doc.emergingthreats.net/bin/view/Main/2001655 +1 || 2001656 || 7 || trojan-activity || 0 || ET MALWARE GlobalPhon.com Dialer || url,doc.emergingthreats.net/bin/view/Main/2001656 +1 || 2001657 || 6 || trojan-activity || 0 || ET MALWARE GlobalPhon.com Dialer Download || url,doc.emergingthreats.net/bin/view/Main/2001657 +1 || 2001658 || 8 || policy-violation || 0 || ET MALWARE Comet Systems Spyware Reporting || url,doc.emergingthreats.net/bin/view/Main/2001658 +1 || 2001659 || 9 || trojan-activity || 0 || ET MALWARE GlobalPhon.com Dialer (no_pop) || url,doc.emergingthreats.net/bin/view/Main/2001659 +1 || 2001660 || 8 || trojan-activity || 0 || ET MALWARE GlobalPhon.com Dialer (add_ocx) || url,doc.emergingthreats.net/bin/view/Main/2001660 +1 || 2001664 || 7 || policy-violation || 0 || ET P2P Gnutella Connect || url,www.gnutella.com || url,doc.emergingthreats.net/bin/view/Main/2001664 +1 || 2001666 || 7 || policy-violation || 0 || ET MALWARE Metarewards Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2001666 +1 || 2001668 || 6 || misc-attack || 0 || ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack || url,doc.emergingthreats.net/bin/view/Main/2001668 +1 || 2001669 || 8 || bad-unknown || 0 || ET POLICY Proxy GET Request || url,doc.emergingthreats.net/2001669 +1 || 2001670 || 9 || bad-unknown || 0 || ET POLICY Proxy HEAD Request || url,doc.emergingthreats.net/2001670 +1 || 2001674 || 8 || bad-unknown || 0 || ET POLICY Proxy POST Request || url,doc.emergingthreats.net/2001674 +1 || 2001675 || 9 || bad-unknown || 0 || ET POLICY Proxy CONNECT Request || url,doc.emergingthreats.net/2001675 +1 || 2001677 || 13 || trojan-activity || 0 || ET MALWARE Webhancer Data Post || url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html || url,doc.emergingthreats.net/bin/view/Main/2001677 +1 || 2001678 || 13 || trojan-activity || 0 || ET MALWARE Webhancer Agent Activity || url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html || url,doc.emergingthreats.net/bin/view/Main/2001678 +1 || 2001679 || 13 || trojan-activity || 0 || ET MALWARE JoltID Agent P2P via Proxy Server || url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html || url,doc.emergingthreats.net/bin/view/Main/2001679 +1 || 2001682 || 10 || policy-violation || 0 || ET CHAT MSN IM Poll via HTTP || url,doc.emergingthreats.net/2001682 +1 || 2001683 || 17 || trojan-activity || 0 || ET MALWARE Windows executable sent when remote host claims to send an image || url,doc.emergingthreats.net/bin/view/Main/2001683 +1 || 2001684 || 14 || trojan-activity || 0 || ET DELETED Windows executable sent when remote host claims to send image, Win32 || url,doc.emergingthreats.net/bin/view/Main/2001684 +1 || 2001685 || 9 || trojan-activity || 0 || ET DELETED Possible Windows executable sent when remote host claims to send an image || url,doc.emergingthreats.net/bin/view/Main/2001685 +1 || 2001686 || 17 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt || url,www.k-otik.com/exploits/20050124.awexpl.c.php || url,www.k-otik.com/exploits/20050302.awstats_shell.c.php || url,awstats.sourceforge.net || url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false || bugtraq,12298 || cve,CAN-2005-0116 || url,doc.emergingthreats.net/2001686 +1 || 2001689 || 8 || trojan-activity || 0 || ET WORM Potential MySQL bot scanning for SQL server || url,isc.sans.org/diary.php?date=2005-01-27 || url,doc.emergingthreats.net/2001689 +1 || 2001696 || 10 || trojan-activity || 0 || ET MALWARE Search Relevancy Spyware || url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html || url,doc.emergingthreats.net/bin/view/Main/2001696 +1 || 2001697 || 9 || trojan-activity || 0 || ET MALWARE ISearchTech Toolbar Data Submission || url,www.isearchtech.com || url,doc.emergingthreats.net/bin/view/Main/2001697 +1 || 2001698 || 7 || trojan-activity || 0 || ET DELETED YourSiteBar Data Submision || url,www.ysbweb.com || url,doc.emergingthreats.net/bin/view/Main/2001698 +1 || 2001699 || 261 || trojan-activity || 0 || ET MALWARE YourSiteBar User-Agent (istsvc) || url,www.ysbweb.com || url,doc.emergingthreats.net/2001699 +1 || 2001700 || 9 || trojan-activity || 0 || ET MALWARE Windupdates.com Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2001700 +1 || 2001701 || 9 || trojan-activity || 0 || ET MALWARE Windupdates.com Spyware Loggin Data || url,doc.emergingthreats.net/bin/view/Main/2001701 +1 || 2001702 || 37 || policy-violation || 0 || ET MALWARE Shop at Home Select Spyware User-Agent (Bundle) || url,doc.emergingthreats.net/2001702 +1 || 2001703 || 34 || trojan-activity || 0 || ET MALWARE Context Plus Spyware User-Agent (Apropos) || url,doc.emergingthreats.net/2001703 +1 || 2001704 || 8 || trojan-activity || 0 || ET MALWARE Context Plus Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2001704 +1 || 2001705 || 10 || trojan-activity || 0 || ET MALWARE Flingstone Spyware Install (sportsinteraction) || url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html || url,doc.emergingthreats.net/bin/view/Main/2001705 +1 || 2001706 || 35 || trojan-activity || 0 || ET MALWARE Context Plus Spyware User-Agent (Envolo) || url,doc.emergingthreats.net/2001706 +1 || 2001707 || 33 || policy-violation || 0 || ET MALWARE Shop at Home Select Spyware User-Agent (SAH) || url,doc.emergingthreats.net/2001707 +1 || 2001708 || 10 || policy-violation || 0 || ET MALWARE Shop at Home Select Spyware Heartbeat || url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html || url,doc.emergingthreats.net/bin/view/Main/2001708 +1 || 2001710 || 10 || trojan-activity || 0 || ET MALWARE Flingstone Spyware Install (cxtpls) || url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html || url,doc.emergingthreats.net/bin/view/Main/2001710 +1 || 2001711 || 9 || trojan-activity || 0 || ET USER_AGENTS Likely Spambot Web-based Control Traffic || url,doc.emergingthreats.net/bin/view/Main/2001711 +1 || 2001712 || 6 || policy-violation || 0 || ET POLICY MyWebEx Server Traffic || url,www.mywebexpc.com || url,doc.emergingthreats.net/2001712 +1 || 2001713 || 6 || policy-violation || 0 || ET POLICY MyWebEx Installation || url,www.mywebexpc.com || url,doc.emergingthreats.net/2001713 +1 || 2001714 || 6 || policy-violation || 0 || ET POLICY MyWebEx Incoming Connection || url,www.mywebexpc.com || url,doc.emergingthreats.net/2001714 +1 || 2001726 || 10 || trojan-activity || 0 || ET DELETED Trojan-Spy.Win32.Bancos Download || url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html || url,doc.emergingthreats.net/2001726 +1 || 2001729 || 7 || trojan-activity || 0 || ET MALWARE Tibsystems Spyware Install (1) || url,doc.emergingthreats.net/bin/view/Main/2001729 +1 || 2001730 || 9 || trojan-activity || 0 || ET MALWARE A-d-w-a-r-e.com Activity (popup) || url,www.a-d-w-a-r-e.com || url,doc.emergingthreats.net/bin/view/Main/2001730 +1 || 2001731 || 8 || trojan-activity || 0 || ET MALWARE SurfSidekick Activity || url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html || url,doc.emergingthreats.net/bin/view/Main/2001731 +1 || 2001733 || 8 || trojan-activity || 0 || ET DELETED CrazyWinnings.com Activity || url,doc.emergingthreats.net/bin/view/Main/2001733 +1 || 2001734 || 7 || trojan-activity || 0 || ET MALWARE Tibsystems Spyware Install (2) || url,doc.emergingthreats.net/bin/view/Main/2001734 +1 || 2001735 || 9 || trojan-activity || 0 || ET MALWARE A-d-w-a-r-e.com Activity (cmd) || url,www.a-d-w-a-r-e.com || url,doc.emergingthreats.net/bin/view/Main/2001735 +1 || 2001736 || 271 || trojan-activity || 0 || ET MALWARE UCMore Spyware User-Agent (UCmore) || url,doc.emergingthreats.net/2001736 +1 || 2001737 || 8 || trojan-activity || 0 || ET MALWARE ak-networks.com Spyware Code Install || url,doc.emergingthreats.net/bin/view/Main/2001737 +1 || 2001742 || 9 || attempted-admin || 0 || ET EXPLOIT Arkeia full remote access without password or authentication || url,metasploit.com/research/vulns/arkeia_agent || url,doc.emergingthreats.net/bin/view/Main/2001742 +1 || 2001743 || 8 || trojan-activity || 0 || ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected || url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html || url,doc.emergingthreats.net/2001743 +1 || 2001744 || 13 || trojan-activity || 0 || ET MALWARE Searchmiracle.com Spyware Install (install) || url,www.searchmiracle.com || url,doc.emergingthreats.net/bin/view/Main/2001744 +1 || 2001746 || 35 || trojan-activity || 0 || ET MALWARE Enhance My Search Spyware User-Agent (HelperH) || url,doc.emergingthreats.net/2001746 +1 || 2001747 || 9 || misc-activity || 0 || ET MALWARE My-Stats.com Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2001747 +1 || 2001748 || 7 || trojan-activity || 0 || ET MALWARE Pynix.dll BHO Activity || url,www.pynix.com || url,doc.emergingthreats.net/bin/view/Main/2001748 +1 || 2001753 || 4 || suspicious-login || 0 || ET EXPLOIT Pwdump4 Session Established GetHash port 139 || url,doc.emergingthreats.net/bin/view/Main/2001753 +1 || 2001754 || 4 || suspicious-login || 0 || ET EXPLOIT Pwdump4 Session Established GetHash port 445 || url,doc.emergingthreats.net/bin/view/Main/2001754 +1 || 2001761 || 7 || trojan-activity || 0 || ET MALWARE ABX Toolbar ActiveX Install || url,isc.sans.org/diary.php?date=2005-03-04 || url,doc.emergingthreats.net/bin/view/Main/2001761 +1 || 2001762 || 10 || web-application-attack || 0 || ET DELETED phpbb Session Cookie || url,www.waraxe.us/ftopict-555.html || url,doc.emergingthreats.net/2001762 +1 || 2001764 || 6 || misc-activity || 0 || ET TROJAN Bugbear@MM virus via SMTP || url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html || url,doc.emergingthreats.net/2001764 +1 || 2001765 || 7 || misc-activity || 0 || ET DELETED BugBear@MM virus in Network share || url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html || url,doc.emergingthreats.net/2001765 +1 || 2001766 || 6 || misc-activity || 0 || ET DELETED BugBear@MM Worm Copied to Startup Folder || url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html || url,doc.emergingthreats.net/2001766 +1 || 2001768 || 11 || web-application-activity || 0 || ET WEB_SERVER MSSQL Server OLEDB asp error || url,www.wiretrip.net/rfp/p/doc.asp/i2/d42.htm || url,doc.emergingthreats.net/2001768 +1 || 2001780 || 6 || attempted-admin || 0 || ET EXPLOIT Solaris TTYPROMPT environment variable set || url,online.securityfocus.com/archive/1/293844 || url,doc.emergingthreats.net/bin/view/Main/2001780 +1 || 2001783 || 7 || policy-violation || 0 || ET MALWARE Media Pass ActiveX Install || url,www.benedelman.org/news/010205-1.html || url,static.windupdates.com/Release/v19/Info.txt || url,doc.emergingthreats.net/bin/view/Main/2001783 +1 || 2001793 || 8 || trojan-activity || 0 || ET MALWARE Incredisearch.com Spyware Ping || url,doc.emergingthreats.net/bin/view/Main/2001793 +1 || 2001794 || 9 || trojan-activity || 0 || ET MALWARE Incredisearch.com Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2001794 +1 || 2001795 || 9 || denial-of-service || 0 || ET DOS Excessive SMTP MAIL-FROM DDoS || url,doc.emergingthreats.net/bin/view/Main/2001795 +1 || 2001796 || 5 || policy-violation || 0 || ET P2P Kazaa over UDP || url,www.kazaa.com/us/index.htm || url,doc.emergingthreats.net/bin/view/Main/2001796 +1 || 2001801 || 5 || policy-violation || 0 || ET CHAT ICQ Status Invisible || url,doc.emergingthreats.net/2001801 +1 || 2001802 || 6 || policy-violation || 0 || ET CHAT ICQ Status Change (1) || url,doc.emergingthreats.net/2001802 +1 || 2001803 || 6 || policy-violation || 0 || ET CHAT ICQ Status Change (2) || url,doc.emergingthreats.net/2001803 +1 || 2001804 || 5 || policy-violation || 0 || ET CHAT ICQ Login || url,doc.emergingthreats.net/2001804 +1 || 2001805 || 5 || policy-violation || 0 || ET CHAT ICQ Message || url,doc.emergingthreats.net/2001805 +1 || 2001807 || 8 || attempted-admin || 0 || ET DELETED CAN-2005-0399 Gif Vuln via http || cve,2005-0399 || url,doc.emergingthreats.net/bin/view/Main/2001807 +1 || 2001808 || 8 || policy-violation || 0 || ET P2P LimeWire P2P Traffic || url,www.limewire.com || url,doc.emergingthreats.net/bin/view/Main/2001808 +1 || 2001809 || 8 || policy-violation || 0 || ET P2P Limewire P2P UDP Traffic || url,www.limewire.com || url,doc.emergingthreats.net/bin/view/Main/2001809 +1 || 2001810 || 28 || attempted-admin || 0 || ET DELETED PHP remote file include exploit attempt || url,doc.emergingthreats.net/2001810 +1 || 2001811 || 8 || misc-activity || 0 || ET WEB_CLIENT Encoded javascriptdocument.write - usually hostile || url,doc.emergingthreats.net/2001811 +1 || 2001812 || 8 || policy-violation || 0 || ET DELETED KazaaClient P2P Traffic || url,www.kazaa.com/us/index.htm || url,doc.emergingthreats.net/bin/view/Main/2001812 +1 || 2001815 || 8 || non-standard-protocol || 0 || ET MALWARE Spambot Suspicious 220 Banner on Local Port || url,doc.emergingthreats.net/bin/view/Main/2001815 +1 || 2001841 || 8 || policy-violation || 0 || ET DELETED UDP traffic - Likely Limewire || url,www.limewire.com || url,doc.emergingthreats.net/bin/view/Main/2001841 +1 || 2001848 || 7 || misc-activity || 0 || ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1) || cve,CAN-2005-0560 || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx || url,doc.emergingthreats.net/bin/view/Main/2001848 +1 || 2001849 || 7 || misc-activity || 0 || ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2) || cve,CAN-2005-0560 || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx || url,doc.emergingthreats.net/bin/view/Main/2001849 +1 || 2001850 || 11 || trojan-activity || 0 || ET MALWARE Likely Trojan/Spyware Installer Requested (1) || url,doc.emergingthreats.net/bin/view/Main/2001850 +1 || 2001852 || 28 || trojan-activity || 0 || ET MALWARE 404Search Spyware User-Agent (404search) || url,doc.emergingthreats.net/2001852 +1 || 2001853 || 26 || trojan-activity || 0 || ET MALWARE Easy Search Bar Spyware User-Agent (ESB) || url,doc.emergingthreats.net/2001853 +1 || 2001854 || 24 || trojan-activity || 0 || ET MALWARE EZULA Spyware User Agent || url,doc.emergingthreats.net/2001854 +1 || 2001855 || 28 || trojan-activity || 0 || ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts) || url,doc.emergingthreats.net/2001855 +1 || 2001858 || 26 || trojan-activity || 0 || ET MALWARE Hotbar Spyware User-Agent (Hotbar) || url,doc.emergingthreats.net/2001858 +1 || 2001864 || 8 || trojan-activity || 0 || ET MALWARE Fun Web Products Spyware User-Agent (MyWay) || url,doc.emergingthreats.net/2001864 +1 || 2001865 || 25 || trojan-activity || 0 || ET MALWARE MyWebSearch Spyware User-Agent (MyWebSearch) || url,doc.emergingthreats.net/2001865 +1 || 2001867 || 27 || trojan-activity || 0 || ET MALWARE Search Engine 2000 Spyware User-Agent (searchengine) || url,doc.emergingthreats.net/2001867 +1 || 2001868 || 26 || trojan-activity || 0 || ET MALWARE Spyware User-Agent (sureseeker) || url,doc.emergingthreats.net/2001868 +1 || 2001869 || 26 || trojan-activity || 0 || ET MALWARE Spyware User-Agent (Sidesearch) || url,doc.emergingthreats.net/2001869 +1 || 2001870 || 25 || trojan-activity || 0 || ET MALWARE Surfplayer Spyware User-Agent (SurferPlugin) || url,doc.emergingthreats.net/2001870 +1 || 2001871 || 23 || trojan-activity || 0 || ET MALWARE Target Saver Spyware User-Agent (TSA) || url,doc.emergingthreats.net/2001871 +1 || 2001872 || 29 || trojan-activity || 0 || ET MALWARE Visicom Spyware User-Agent (Visicom) || url,doc.emergingthreats.net/2001872 +1 || 2001873 || 9 || misc-activity || 0 || ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021) || cve,CAN-2005-0560 || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx || url,doc.emergingthreats.net/bin/view/Main/2001873 +1 || 2001874 || 8 || misc-activity || 0 || ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021) || cve,CAN-2005-0560 || url,isc.sans.org/diary.php?date=2005-04-12 || url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx || url,doc.emergingthreats.net/bin/view/Main/2001874 +1 || 2001882 || 10 || denial-of-service || 0 || ET DOS ICMP Path MTU lowered below acceptable threshold || cve,CAN-2004-1060 || url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx || url,isc.sans.org/diary.php?date=2005-04-12 || url,doc.emergingthreats.net/bin/view/Main/2001882 +1 || 2001884 || 5 || trojan-activity || 0 || ET MALWARE DesktopTraffic Toolbar Spyware || url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack || url,doc.emergingthreats.net/bin/view/Main/2001884 +1 || 2001885 || 8 || policy-violation || 0 || ET MALWARE Begin2Search.com Spyware || url,sarc.com/avcenter/venc/data/adware.begin2search.html || url,doc.emergingthreats.net/bin/view/Main/2001885 +1 || 2001890 || 9 || trojan-activity || 0 || ET MALWARE ToolbarPartner Spyware Agent Download (1) || url,toolbarpartner.com || url,doc.emergingthreats.net/bin/view/Main/2001890 +1 || 2001891 || 16 || trojan-activity || 0 || ET USER_AGENTS Suspicious User Agent (agent) || url,doc.emergingthreats.net/bin/view/Main/2001891 +1 || 2001895 || 8 || trojan-activity || 0 || ET MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails || url,toolbarpartner.com || url,doc.emergingthreats.net/bin/view/Main/2001895 +1 || 2001898 || 6 || policy-violation || 0 || ET POLICY eBay Bid Placed || url,doc.emergingthreats.net/2001898 +1 || 2001901 || 10 || trojan-activity || 0 || ET TROJAN Possible Bobax trojan infection || url,www.lurhq.com/bobax.html || url,doc.emergingthreats.net/2001901 +1 || 2001904 || 6 || misc-activity || 0 || ET SCAN Behavioral Unusually fast inbound Telnet Connections, Potential Scan or Brute Force || url,www.rapid7.com/nexpose-faq-answer2.htm || url,doc.emergingthreats.net/2001904 +1 || 2001906 || 6 || protocol-command-decode || 0 || ET SCAN MYSQL 4.0 brute force root login attempt || url,www.redferni.uklinux.net/mysql/MySQL-323.html || url,doc.emergingthreats.net/2001906 +1 || 2001907 || 5 || policy-violation || 0 || ET POLICY eBay Placing Item for sale || url,doc.emergingthreats.net/2001907 +1 || 2001908 || 7 || policy-violation || 0 || ET POLICY eBay View Item || url,doc.emergingthreats.net/2001908 +1 || 2001909 || 7 || policy-violation || 0 || ET POLICY eBay Watch This Item || url,doc.emergingthreats.net/2001909 +1 || 2001910 || 5 || trojan-activity || 0 || ET WORM AIM Bot Outbound Control Channel Open and Login || url,doc.emergingthreats.net/2001910 +1 || 2001919 || 6 || trojan-activity || 0 || ET DELETED Greeting card gif.exe email incoming SMTP || url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html || url,doc.emergingthreats.net/2001919 +1 || 2001920 || 6 || trojan-activity || 0 || ET DELETED Greeting card gif.exe email incoming POP3/IMAP || url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html || url,doc.emergingthreats.net/2001920 +1 || 2001921 || 6 || trojan-activity || 0 || ET DELETED Greeting card gif.exe email incoming HTTP || url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html || url,doc.emergingthreats.net/2001921 +1 || 2001928 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (private message) || url,www.securitytracker.com/alerts/2005/May/1013918.html || url,doc.emergingthreats.net/2001928 +1 || 2001929 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XSS Possible Arbitrary Scripting Code Attack in phpBB (signature) || url,www.securitytracker.com/alerts/2005/May/1013918.html || url,doc.emergingthreats.net/2001929 +1 || 2001933 || 10 || trojan-activity || 0 || ET TROJAN PWS Banker Trojan Sending Report of Infection || url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.banker.b.html || url,doc.emergingthreats.net/2001933 +1 || 2001944 || 7 || attempted-admin || 0 || ET NETBIOS MS04-007 Kill-Bill ASN1 exploit attempt || url,www.phreedom.org/solar/exploits/msasn1-bitstring/ || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx || cve,CAN-2003-0818 || url,doc.emergingthreats.net/bin/view/Main/2001944 +1 || 2001947 || 7 || policy-violation || 0 || ET MALWARE Zenotecnico Adware || url,www.zenotecnico.com || url,doc.emergingthreats.net/bin/view/Main/2001947 +1 || 2001949 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Athena Web Registration Remote Command Execution Attempt || cve,CAN-2004-1782 || bugtraq,9349 || url,doc.emergingthreats.net/2001949 +1 || 2001959 || 8 || trojan-activity || 0 || ET DELETED Hotword Trojan in Transit || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html || url,doc.emergingthreats.net/2001959 +1 || 2001960 || 7 || trojan-activity || 0 || ET DELETED Hotword Trojan inbound via http || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html || url,doc.emergingthreats.net/2001960 +1 || 2001961 || 10 || trojan-activity || 0 || ET DELETED Hotword Trojan - Possible File Upload CHJO || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html || url,doc.emergingthreats.net/2001961 +1 || 2001962 || 10 || trojan-activity || 0 || ET DELETED Hotword Trojan - Possible File Upload CFXP || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html || url,doc.emergingthreats.net/2001962 +1 || 2001963 || 10 || trojan-activity || 0 || ET DELETED Hotword Trojan - Possible FTP File Request pspv.exe || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html || url,doc.emergingthreats.net/2001963 +1 || 2001964 || 10 || trojan-activity || 0 || ET DELETED Hotword Trojan - Possible FTP File Request .tea || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html || url,doc.emergingthreats.net/2001964 +1 || 2001965 || 10 || trojan-activity || 0 || ET DELETED Hotword Trojan - Possible FTP File Status Upload ___ || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html || url,doc.emergingthreats.net/2001965 +1 || 2001966 || 10 || trojan-activity || 0 || ET DELETED Hotword Trojan - Possible FTP File Status Check ___ || url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html || url,doc.emergingthreats.net/2001966 +1 || 2001972 || 17 || misc-activity || 0 || ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound) || url,doc.emergingthreats.net/2001972 +1 || 2001973 || 7 || misc-activity || 0 || ET POLICY SSH Server Banner Detected on Expected Port || url,doc.emergingthreats.net/2001973 +1 || 2001974 || 7 || misc-activity || 0 || ET POLICY SSH Client Banner Detected on Expected Port || url,doc.emergingthreats.net/2001974 +1 || 2001975 || 7 || misc-activity || 0 || ET POLICY SSHv2 Server KEX Detected on Expected Port || url,doc.emergingthreats.net/2001975 +1 || 2001976 || 8 || misc-activity || 0 || ET POLICY SSHv2 Client KEX Detected on Expected Port || url,doc.emergingthreats.net/2001976 +1 || 2001977 || 8 || misc-activity || 0 || ET POLICY SSHv2 Client New Keys detected on Expected Port || url,doc.emergingthreats.net/2001977 +1 || 2001978 || 8 || misc-activity || 0 || ET POLICY SSH session in progress on Expected Port || url,doc.emergingthreats.net/2001978 +1 || 2001979 || 7 || misc-activity || 0 || ET POLICY SSH Server Banner Detected on Unusual Port || url,doc.emergingthreats.net/2001979 +1 || 2001980 || 9 || misc-activity || 0 || ET POLICY SSH Client Banner Detected on Unusual Port || url,doc.emergingthreats.net/2001980 +1 || 2001981 || 7 || misc-activity || 0 || ET POLICY SSHv2 Server KEX Detected on Unusual Port || url,doc.emergingthreats.net/2001981 +1 || 2001982 || 8 || misc-activity || 0 || ET POLICY SSHv2 Client KEX Detected on Unusual Port || url,doc.emergingthreats.net/2001982 +1 || 2001983 || 8 || misc-activity || 0 || ET POLICY SSHv2 Client New Keys Detected on Unusual Port || url,doc.emergingthreats.net/2001983 +1 || 2001984 || 9 || misc-activity || 0 || ET POLICY SSH session in progress on Unusual Port || url,doc.emergingthreats.net/2001984 +1 || 2001985 || 8 || trojan-activity || 0 || ET DELETED HTTP RBOT Challenge/Response Authentication || url,isc.sans.org/diary.php?date=2005-06-03 || url,www.phreedom.org/solar/exploits/msasn1-bitstring || url,doc.emergingthreats.net/2001985 +1 || 2001988 || 4 || attempted-admin || 0 || ET EXPLOIT MySQL MaxDB Buffer Overflow || url,doc.emergingthreats.net/bin/view/Main/2001988 +1 || 2001989 || 5 || policy-violation || 0 || ET DELETED Prospero Chat Session in Progress || url,www.prospero.com/technology.htm || url,doc.emergingthreats.net/2001989 +1 || 2001990 || 5 || web-application-attack || 0 || ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt || bugtraq,13937 || url,doc.emergingthreats.net/bin/view/Main/2001990 +1 || 2001992 || 7 || trojan-activity || 0 || ET MALWARE SurfSidekick Download || url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html || url,doc.emergingthreats.net/bin/view/Main/2001992 +1 || 2001994 || 8 || trojan-activity || 0 || ET MALWARE SurfSidekick Activity (ipixel) || url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html || url,doc.emergingthreats.net/bin/view/Main/2001994 +1 || 2001995 || 7 || trojan-activity || 0 || ET MALWARE UCMore Spyware Reporting || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660 || url,doc.emergingthreats.net/bin/view/Main/2001995 +1 || 2001996 || 15 || trojan-activity || 0 || ET MALWARE UCMore Spyware User-Agent (EI) || url,doc.emergingthreats.net/2001996 +1 || 2001997 || 8 || trojan-activity || 0 || ET MALWARE TargetNetworks.net Spyware Reporting (req) || url,www.targetnetworks.com || url,doc.emergingthreats.net/bin/view/Main/2001997 +1 || 2001998 || 7 || trojan-activity || 0 || ET MALWARE UCMore Spyware Downloading Ads || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660 || url,doc.emergingthreats.net/bin/view/Main/2001998 +1 || 2001999 || 9 || trojan-activity || 0 || ET MALWARE BTGrab.com Spyware Downloading Ads || url,www.btgrab.com || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726 || url,doc.emergingthreats.net/bin/view/Main/2001999 +1 || 2002000 || 7 || trojan-activity || 0 || ET MALWARE Shopnav Spyware Install || url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html || url,doc.emergingthreats.net/bin/view/Main/2002000 +1 || 2002001 || 7 || trojan-activity || 0 || ET MALWARE 180solutions Spyware Keywords Download || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002001 +1 || 2002002 || 30 || trojan-activity || 0 || ET MALWARE Better Internet Spyware User-Agent (thnall) || url,doc.emergingthreats.net/2002002 +1 || 2002003 || 7 || trojan-activity || 0 || ET MALWARE 180solutions Spyware Install || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002003 +1 || 2002004 || 8 || trojan-activity || 0 || ET MALWARE Topconverting Spyware Install || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002004 +1 || 2002005 || 35 || trojan-activity || 0 || ET USER_AGENTS Better Internet Spyware User-Agent (poller) || url,doc.emergingthreats.net/2002005 +1 || 2002008 || 10 || trojan-activity || 0 || ET MALWARE Wild Tangent Install || mcafee,122249 || url,doc.emergingthreats.net/bin/view/Main/2002008 +1 || 2002009 || 8 || trojan-activity || 0 || ET MALWARE ESyndicate Spyware Install (esyndicateinst.exe) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058 || url,doc.emergingthreats.net/bin/view/Main/2002009 +1 || 2002010 || 8 || trojan-activity || 0 || ET MALWARE ESyndicate Spyware Install (sepinst.exe) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058 || url,doc.emergingthreats.net/bin/view/Main/2002010 +1 || 2002012 || 6 || trojan-activity || 0 || ET MALWARE GrandstreetInteractive.com Install || url,doc.emergingthreats.net/bin/view/Main/2002012 +1 || 2002013 || 6 || trojan-activity || 0 || ET MALWARE GrandstreetInteractive.com Update || url,doc.emergingthreats.net/bin/view/Main/2002013 +1 || 2002015 || 6 || trojan-activity || 0 || ET MALWARE Internet Fuel.com Install || url,doc.emergingthreats.net/bin/view/Main/2002015 +1 || 2002016 || 10 || trojan-activity || 0 || ET MALWARE jmnad1.com Spyware Install (2) || url,doc.emergingthreats.net/bin/view/Main/2002016 +1 || 2002017 || 9 || trojan-activity || 0 || ET MALWARE Overpro Spyware Install Report || url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html || url,doc.emergingthreats.net/bin/view/Main/2002017 +1 || 2002019 || 11 || trojan-activity || 0 || ET MALWARE jmnad1.com Spyware Install (1) || url,doc.emergingthreats.net/bin/view/Main/2002019 +1 || 2002021 || 28 || trojan-activity || 0 || ET MALWARE Grandstreet Interactive Spyware User-Agent (IEP) || url,doc.emergingthreats.net/2002021 +1 || 2002022 || 4 || policy-violation || 0 || ET DELETED GotoMyPC poll.gotomypc.com Server Response to Polling Client OK || url,doc.emergingthreats.net/2002022 +1 || 2002023 || 16 || misc-activity || 0 || ET CHAT IRC USER command || url,doc.emergingthreats.net/2002023 +1 || 2002024 || 19 || misc-activity || 0 || ET CHAT IRC NICK command || url,doc.emergingthreats.net/2002024 +1 || 2002025 || 19 || misc-activity || 0 || ET CHAT IRC JOIN command || url,doc.emergingthreats.net/2002025 +1 || 2002026 || 21 || misc-activity || 0 || ET CHAT IRC PRIVMSG command || url,doc.emergingthreats.net/2002026 +1 || 2002027 || 16 || misc-activity || 0 || ET CHAT IRC PING command || url,doc.emergingthreats.net/2002027 +1 || 2002028 || 19 || misc-activity || 0 || ET CHAT IRC PONG response || url,doc.emergingthreats.net/2002028 +1 || 2002029 || 11 || trojan-activity || 0 || ET TROJAN IRC Channel topic scan/exploit command || url,doc.emergingthreats.net/2002029 +1 || 2002030 || 16 || trojan-activity || 0 || ET TROJAN IRC Potential bot scan/exploit command || url,doc.emergingthreats.net/2002030 +1 || 2002031 || 19 || trojan-activity || 0 || ET TROJAN IRC Potential bot update/download via http command || url,doc.emergingthreats.net/2002031 +1 || 2002032 || 22 || trojan-activity || 0 || ET TROJAN IRC Potential DDoS command 1 || url,doc.emergingthreats.net/2002032 +1 || 2002033 || 17 || trojan-activity || 0 || ET TROJAN IRC Potential bot command response || url,doc.emergingthreats.net/2002033 +1 || 2002034 || 10 || misc-activity || 0 || ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style) || url,doc.emergingthreats.net/bin/view/Main/2002034 +1 || 2002036 || 7 || trojan-activity || 0 || ET MALWARE Weird on the Web /180 Solutions Checkin || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002036 +1 || 2002037 || 7 || policy-violation || 0 || ET MALWARE Shop at Home Select Spyware Install || url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html || url,doc.emergingthreats.net/bin/view/Main/2002037 +1 || 2002038 || 249 || trojan-activity || 0 || ET MALWARE Shopathomeselect.com Spyware User-Agent (WebDownloader) || url,doc.emergingthreats.net/2002038 +1 || 2002040 || 7 || trojan-activity || 0 || ET MALWARE Topconverting Spyware Reporting || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002040 +1 || 2002041 || 8 || trojan-activity || 0 || ET DELETED Weird on the Web /180 Solutions Update || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002041 +1 || 2002044 || 6 || trojan-activity || 0 || ET MALWARE OutBlaze.com Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2002044 +1 || 2002046 || 8 || trojan-activity || 0 || ET MALWARE TargetNetworks.net Spyware Reporting (tn) || url,www.targetnetworks.com || url,doc.emergingthreats.net/bin/view/Main/2002046 +1 || 2002048 || 6 || trojan-activity || 0 || ET MALWARE 180solutions Spyware Defs Download || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002048 +1 || 2002061 || 4 || attempted-admin || 0 || ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound) || url,isc.sans.org/diary.php?date=2005-06-27 || url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm || url,doc.emergingthreats.net/bin/view/Main/2002061 +1 || 2002062 || 4 || attempted-admin || 0 || ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound) || url,isc.sans.org/diary.php?date=2005-06-27 || url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm || url,doc.emergingthreats.net/bin/view/Main/2002062 +1 || 2002064 || 7 || attempted-admin || 0 || ET NETBIOS ms05-011 exploit || bugtraq,12484 || url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php || url,doc.emergingthreats.net/bin/view/Main/2002064 +1 || 2002065 || 7 || misc-attack || 0 || ET EXPLOIT Veritas backupexec_agent exploit || url,isc.sans.org/diary.php?date=2005-06-27 || url,doc.emergingthreats.net/bin/view/Main/2002065 +1 || 2002066 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CSV-DB CSV_DB.CGI Remote Command Execution Attempt || bugtraq,14059 || url,doc.emergingthreats.net/2002066 +1 || 2002067 || 8 || web-application-attack || 0 || ET DELETED Community Link Pro Login.CGI Remote Command Execution Attempt || bugtraq,14097 || url,doc.emergingthreats.net/2002067 +1 || 2002068 || 8 || attempted-recon || 0 || ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon || url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt || url,doc.emergingthreats.net/bin/view/Main/2002068 +1 || 2002069 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Blog Spam Insert Attempt || url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/ || url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html || url,www.webmasterworld.com/forum92/3683.htm || url,doc.emergingthreats.net/2002069 +1 || 2002070 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB Remote Code Execution Attempt || url,secunia.com/advisories/15845/ || bugtraq,14086 || url,www.securiteam.com/unixfocus/6Z00R2ABPY.html || url,doc.emergingthreats.net/2002070 +1 || 2002071 || 16 || trojan-activity || 0 || ET MALWARE XupiterToolbar Spyware User-Agent (XupiterToolbar) || url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html || url,doc.emergingthreats.net/2002071 +1 || 2002078 || 29 || trojan-activity || 0 || ET MALWARE Spyware User-Agent (SideStep) || url,doc.emergingthreats.net/2002078 +1 || 2002079 || 18 || trojan-activity || 0 || ET USER_AGENTS MyWaySearch Products Spyware User Agent || url,doc.emergingthreats.net/2002079 || url,www.funwebproducts.com +1 || 2002080 || 22 || trojan-activity || 0 || ET MALWARE MySearch Products Spyware User-Agent (MySearch) || url,doc.emergingthreats.net/2002080 +1 || 2002083 || 6 || trojan-activity || 0 || ET MALWARE Pacimedia Spyware 1 || url,doc.emergingthreats.net/bin/view/Main/2002083 +1 || 2002087 || 10 || misc-activity || 0 || ET POLICY Inbound Frequent Emails - Possible Spambot Inbound || url,doc.emergingthreats.net/2002087 +1 || 2002088 || 7 || trojan-activity || 0 || ET MALWARE C4tdownload.com Spyware Activity || url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html || url,doc.emergingthreats.net/bin/view/Main/2002088 +1 || 2002089 || 9 || trojan-activity || 0 || ET MALWARE CWS qck.cc Spyware Installer (in.php) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035 || url,doc.emergingthreats.net/bin/view/Main/2002089 +1 || 2002090 || 7 || trojan-activity || 0 || ET MALWARE IEHelp.net Spyware Installer || url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html || url,doc.emergingthreats.net/bin/view/Main/2002090 +1 || 2002091 || 7 || trojan-activity || 0 || ET MALWARE Searchmiracle.com Spyware Install - silent.exe || url,www.searchmiracle.com || url,doc.emergingthreats.net/bin/view/Main/2002091 +1 || 2002092 || 8 || trojan-activity || 0 || ET MALWARE yupsearch.com Spyware Install - protector.exe || url,www.yupsearch.com || url,doc.emergingthreats.net/bin/view/Main/2002092 +1 || 2002093 || 8 || trojan-activity || 0 || ET MALWARE Likely Trojan/Spyware Installer Requested (2) || url,doc.emergingthreats.net/bin/view/Main/2002093 +1 || 2002094 || 5 || trojan-activity || 0 || ET DELETED MSUpdater.net Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2002094 +1 || 2002095 || 7 || trojan-activity || 0 || ET MALWARE CWS qck.cc Spyware Installer (web.php) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035 || url,doc.emergingthreats.net/bin/view/Main/2002095 +1 || 2002096 || 8 || trojan-activity || 0 || ET MALWARE IEHelp.net Spyware checkin || url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html || url,doc.emergingthreats.net/bin/view/Main/2002096 +1 || 2002098 || 8 || trojan-activity || 0 || ET MALWARE yupsearch.com Spyware Install - sideb.exe || url,www.yupsearch.com || url,doc.emergingthreats.net/bin/view/Main/2002098 +1 || 2002099 || 5 || trojan-activity || 0 || ET MALWARE 180solutions Spyware config Download || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002099 +1 || 2002100 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WPS wps_shop.cgi Remote Command Execution Attempt || bugtraq,14245 || url,doc.emergingthreats.net/2002100 +1 || 2002101 || 6 || policy-violation || 0 || ET GAMES Battle.net Starcraft login || url,doc.emergingthreats.net/bin/view/Main/2002101 +1 || 2002102 || 6 || policy-violation || 0 || ET GAMES Battle.net Brood War login || url,doc.emergingthreats.net/bin/view/Main/2002102 +1 || 2002103 || 6 || policy-violation || 0 || ET GAMES Battle.net Diablo login || url,doc.emergingthreats.net/bin/view/Main/2002103 +1 || 2002104 || 6 || policy-violation || 0 || ET GAMES Battle.net Diablo 2 login || url,doc.emergingthreats.net/bin/view/Main/2002104 +1 || 2002105 || 6 || policy-violation || 0 || ET GAMES Battle.net Diablo 2 Lord of Destruction login || url,doc.emergingthreats.net/bin/view/Main/2002105 +1 || 2002106 || 6 || policy-violation || 0 || ET GAMES Battle.net Warcraft 2 login || url,doc.emergingthreats.net/bin/view/Main/2002106 +1 || 2002107 || 6 || policy-violation || 0 || ET GAMES Battle.net Warcraft 3 login || url,doc.emergingthreats.net/bin/view/Main/2002107 +1 || 2002108 || 7 || policy-violation || 0 || ET GAMES Battle.net Warcraft 3 The Frozen throne login || url,doc.emergingthreats.net/bin/view/Main/2002108 +1 || 2002109 || 6 || policy-violation || 0 || ET GAMES Battle.net old game version || url,doc.emergingthreats.net/bin/view/Main/2002109 +1 || 2002110 || 5 || policy-violation || 0 || ET GAMES Battle.net invalid version || url,doc.emergingthreats.net/bin/view/Main/2002110 +1 || 2002111 || 5 || policy-violation || 0 || ET GAMES Battle.net invalid cdkey || url,doc.emergingthreats.net/bin/view/Main/2002111 +1 || 2002112 || 6 || policy-violation || 0 || ET GAMES Battle.net cdkey in use || url,doc.emergingthreats.net/bin/view/Main/2002112 +1 || 2002113 || 5 || policy-violation || 0 || ET GAMES Battle.net banned key || url,doc.emergingthreats.net/bin/view/Main/2002113 +1 || 2002114 || 5 || policy-violation || 0 || ET GAMES Battle.net wrong product || url,doc.emergingthreats.net/bin/view/Main/2002114 +1 || 2002115 || 6 || policy-violation || 0 || ET GAMES Battle.net failed account login (OLS) wrong password || url,doc.emergingthreats.net/bin/view/Main/2002115 +1 || 2002116 || 6 || policy-violation || 0 || ET GAMES Battle.net failed account login (NLS) wrong password || url,doc.emergingthreats.net/bin/view/Main/2002116 +1 || 2002117 || 6 || policy-violation || 0 || ET GAMES Battle.net connection reset (possible IP-Ban) || url,doc.emergingthreats.net/bin/view/Main/2002117 +1 || 2002118 || 6 || policy-violation || 0 || ET GAMES Battle.net user in channel || url,doc.emergingthreats.net/bin/view/Main/2002118 +1 || 2002119 || 6 || policy-violation || 0 || ET GAMES Battle.net outgoing chat message || url,doc.emergingthreats.net/bin/view/Main/2002119 +1 || 2002129 || 13 || web-application-activity || 0 || ET WEB_SPECIFIC_APPS Cacti Input Validation Attack || url,www.cacti.net || url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities || url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities || url,doc.emergingthreats.net/2002129 +1 || 2002131 || 10 || web-application-activity || 0 || ET WEB_SERVER Oracle Reports XML Information Disclosure || url,www.oracle.com/technology/products/reports/index.html || url,www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html || url,doc.emergingthreats.net/2002131 +1 || 2002132 || 10 || web-application-activity || 0 || ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure || url,www.oracle.com/technology/products/reports/index.html || url,www.red-database-security.com/advisory/oracle_reports_read_any_file.html || url,doc.emergingthreats.net/2002132 +1 || 2002133 || 10 || web-application-activity || 0 || ET WEB_SERVER Oracle Reports OS Command Injection Attempt || url,www.oracle.com/technology/products/reports/index.html || url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html || url,doc.emergingthreats.net/2002133 +1 || 2002138 || 9 || policy-violation || 0 || ET GAMES World of Warcraft connection || url,doc.emergingthreats.net/bin/view/Main/2002138 +1 || 2002139 || 5 || policy-violation || 0 || ET GAMES World of Warcraft failed logon || url,doc.emergingthreats.net/bin/view/Main/2002139 +1 || 2002140 || 5 || policy-violation || 0 || ET GAMES Battle.net user joined channel || url,doc.emergingthreats.net/bin/view/Main/2002140 +1 || 2002141 || 5 || policy-violation || 0 || ET GAMES Battle.net user left channel || url,doc.emergingthreats.net/bin/view/Main/2002141 +1 || 2002142 || 5 || policy-violation || 0 || ET GAMES Battle.net received whisper message || url,doc.emergingthreats.net/bin/view/Main/2002142 +1 || 2002143 || 5 || policy-violation || 0 || ET GAMES Battle.net received server broadcast || url,doc.emergingthreats.net/bin/view/Main/2002143 +1 || 2002144 || 5 || policy-violation || 0 || ET GAMES Battle.net joined channel || url,doc.emergingthreats.net/bin/view/Main/2002144 +1 || 2002145 || 5 || policy-violation || 0 || ET GAMES Battle.net user had a flags update || url,doc.emergingthreats.net/bin/view/Main/2002145 +1 || 2002146 || 5 || policy-violation || 0 || ET GAMES Battle.net sent a whisper || url,doc.emergingthreats.net/bin/view/Main/2002146 +1 || 2002147 || 5 || policy-violation || 0 || ET GAMES Battle.net channel full || url,doc.emergingthreats.net/bin/view/Main/2002147 +1 || 2002148 || 5 || policy-violation || 0 || ET GAMES Battle.net channel doesn't exist || url,doc.emergingthreats.net/bin/view/Main/2002148 +1 || 2002149 || 5 || policy-violation || 0 || ET GAMES Battle.net channel is restricted || url,doc.emergingthreats.net/bin/view/Main/2002149 +1 || 2002150 || 5 || policy-violation || 0 || ET GAMES Battle.net informational message || url,doc.emergingthreats.net/bin/view/Main/2002150 +1 || 2002151 || 5 || policy-violation || 0 || ET GAMES Battle.net error message || url,doc.emergingthreats.net/bin/view/Main/2002151 +1 || 2002152 || 5 || policy-violation || 0 || ET GAMES Battle.net 'emote' message || url,doc.emergingthreats.net/bin/view/Main/2002152 +1 || 2002154 || 5 || policy-violation || 0 || ET GAMES Guild Wars connection || url,doc.emergingthreats.net/bin/view/Main/2002154 +1 || 2002155 || 4 || policy-violation || 0 || ET GAMES Steam connection || url,doc.emergingthreats.net/bin/view/Main/2002155 +1 || 2002157 || 11 || policy-violation || 0 || ET CHAT Skype User-Agent detected || url,doc.emergingthreats.net/2002157 +1 || 2002158 || 14 || web-application-attack || 0 || ET WEB_SERVER XML-RPC for PHP Remote Code Injection || url,www.securityfocus.com/bid/14088/exploit || cve,2005-1921 || url,doc.emergingthreats.net/bin/view/Main/2002158 +1 || 2002160 || 17 || trojan-activity || 0 || ET MALWARE CoolWebSearch Spyware (Feat) || url,www.spywareguide.com/product_show.php?id=599 || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759 || url,www.doxdesk.com/parasite/CoolWebSearch.html || url,doc.emergingthreats.net/2002160 +1 || 2002164 || 13 || trojan-activity || 0 || ET MALWARE Hotbar Spyware User-Agent (host) || url,www.doxdesk.com/parasite/Hotbar.html || url,www.pchell.com/support/hotbar.shtml || url,doc.emergingthreats.net/2002164 +1 || 2002166 || 16 || trojan-activity || 0 || ET MALWARE Alexa Search Toolbar User-Agent (Alexa Toolbar) || url,www.spywareguide.com/product_show.php?id=418 || url,doc.emergingthreats.net/2002166 +1 || 2002167 || 18 || trojan-activity || 0 || ET POLICY Software Install Reporting via HTTP - Wise User Agent (Wise) Sometimes Malware Related || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076771 || url,doc.emergingthreats.net/2002167 +1 || 2002169 || 14 || trojan-activity || 0 || ET MALWARE iWon Spyware (iWonSearchAssistant) || url,www.spywareguide.com/product_show.php?id=461 || url,doc.emergingthreats.net/2002169 +1 || 2002170 || 5 || policy-violation || 0 || ET GAMES Battle.net incoming chat message || url,doc.emergingthreats.net/bin/view/Main/2002170 +1 || 2002171 || 11 || web-application-attack || 0 || ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 1) || cve,2005-1990 || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || url,doc.emergingthreats.net/2002171 +1 || 2002172 || 10 || web-application-attack || 0 || ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 2) || cve,2005-1990 || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || url,doc.emergingthreats.net/2002172 +1 || 2002173 || 13 || web-application-attack || 0 || ET DELETED COM Object Instantiation Memory Corruption Vulnerability (group 3) || cve,2005-1990 || url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx || url,doc.emergingthreats.net/2002173 +1 || 2002175 || 5 || trojan-activity || 0 || ET TROJAN Srv.SSA-KeyLogger Checkin Traffic || url,doc.emergingthreats.net/2002175 +1 || 2002181 || 5 || default-login-attempt || 0 || ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt || url,www.frsirt.com/english/advisories/2005/1387 || url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php || url,doc.emergingthreats.net/bin/view/Main/2002181 +1 || 2002182 || 5 || misc-attack || 0 || ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable || url,www.frsirt.com/english/advisories/2005/1387 || url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php || url,doc.emergingthreats.net/bin/view/Main/2002182 +1 || 2002186 || 4 || attempted-admin || 0 || ET NETBIOS SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability || url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx || url,isc.sans.org/diary.php?date=2005-08-14 || url,doc.emergingthreats.net/bin/view/Main/2002186 +1 || 2002187 || 6 || attempted-admin || 0 || ET DELETED NETBIOS SMB Microsoft Windows 2000 PNP Vuln || url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx || url,isc.sans.org/diary.php?date=2005-08-14 || url,doc.emergingthreats.net/bin/view/Main/2002187 +1 || 2002188 || 6 || attempted-admin || 0 || ET DELETED NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln || url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx || url,isc.sans.org/diary.php?date=2005-08-14 || url,doc.emergingthreats.net/bin/view/Main/2002188 +1 || 2002192 || 4 || policy-violation || 0 || ET CHAT MSN status change || url,doc.emergingthreats.net/2002192 +1 || 2002194 || 7 || policy-violation || 0 || ET DELETED Pacimedia Spyware 2 || url,doc.emergingthreats.net/bin/view/Main/2002194 +1 || 2002196 || 4 || trojan-activity || 0 || ET MALWARE Casalemedia Spyware Reporting URL Visited 2 || url,doc.emergingthreats.net/bin/view/Main/2002196 +1 || 2002199 || 4 || protocol-command-decode || 0 || ET NETBIOS SMB-DS DCERPC PnP HOD bind attempt || url,doc.emergingthreats.net/bin/view/Main/2002199 +1 || 2002200 || 4 || protocol-command-decode || 0 || ET NETBIOS SMB-DS DCERPC PnP bind attempt || url,doc.emergingthreats.net/bin/view/Main/2002200 +1 || 2002201 || 4 || attempted-admin || 0 || ET NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt || cve,CAN-2005-1983 || url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx || url,doc.emergingthreats.net/bin/view/Main/2002201 +1 || 2002202 || 4 || protocol-command-decode || 0 || ET NETBIOS SMB DCERPC PnP bind attempt || url,doc.emergingthreats.net/bin/view/Main/2002202 +1 || 2002203 || 4 || attempted-admin || 0 || ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt || cve,CAN-2005-1983 || url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx || url,doc.emergingthreats.net/bin/view/Main/2002203 +1 || 2002296 || 8 || trojan-activity || 0 || ET MALWARE Searchfeed.com Spyware 1 || url,www.searchfeed.com || url,doc.emergingthreats.net/bin/view/Main/2002296 +1 || 2002297 || 6 || trojan-activity || 0 || ET MALWARE Searchfeed.com Spyware 2 || url,www.searchfeed.com || url,doc.emergingthreats.net/bin/view/Main/2002297 +1 || 2002298 || 6 || trojan-activity || 0 || ET MALWARE Searchfeed.com Spyware 3 || url,www.searchfeed.com || url,doc.emergingthreats.net/bin/view/Main/2002298 +1 || 2002299 || 6 || trojan-activity || 0 || ET MALWARE Searchfeed.com Spyware 4 || url,www.searchfeed.com || url,doc.emergingthreats.net/bin/view/Main/2002299 +1 || 2002300 || 6 || trojan-activity || 0 || ET MALWARE Searchfeed.com Spyware 5 || url,www.searchfeed.com || url,doc.emergingthreats.net/bin/view/Main/2002300 +1 || 2002301 || 6 || trojan-activity || 0 || ET MALWARE Searchfeed.com Spyware 6 || url,www.searchfeed.com || url,doc.emergingthreats.net/bin/view/Main/2002301 +1 || 2002302 || 6 || trojan-activity || 0 || ET MALWARE Searchfeed.com Spyware 7 || url,www.searchfeed.com || url,doc.emergingthreats.net/bin/view/Main/2002302 +1 || 2002303 || 6 || trojan-activity || 0 || ET MALWARE Searchfeed.com Spyware 8 || url,www.searchfeed.com || url,doc.emergingthreats.net/bin/view/Main/2002303 +1 || 2002304 || 8 || policy-violation || 0 || ET DELETED Advertising.com Reporting Data || url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html || url,doc.emergingthreats.net/bin/view/Main/2002304 +1 || 2002305 || 8 || policy-violation || 0 || ET MALWARE Fun Web Products Smileychooser Spyware || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2002305 +1 || 2002306 || 6 || policy-violation || 0 || ET MALWARE Fun Web Products Cursorchooser Spyware || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2002306 +1 || 2002307 || 8 || policy-violation || 0 || ET DELETED Fun Web Products Stampchooser Spyware || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2002307 +1 || 2002308 || 49 || web-application-attack || 0 || ET DELETED Internet Explorer Vulnerable CLSID (Msdds.dll) || url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php || url,doc.emergingthreats.net/2002308 +1 || 2002309 || 7 || policy-violation || 0 || ET DELETED Metarewards Disclaimer Access || url,doc.emergingthreats.net/bin/view/Main/2002309 +1 || 2002310 || 8 || policy-violation || 0 || ET MALWARE Fun Web Products Smileychooser Spyware || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2002310 +1 || 2002312 || 4 || policy-violation || 0 || ET DELETED MSN Game Loading || url,doc.emergingthreats.net/2002312 +1 || 2002313 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti graph_image.php Remote Command Execution Attempt || cve,CAN-2005-1524 || bugtraq,14129 || bugtraq,14042 || url,doc.emergingthreats.net/2002313 +1 || 2002314 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPOutsourcing Zorum prod.php Remote Command Execution Attempt || bugtraq,14601 || url,doc.emergingthreats.net/2002314 +1 || 2002315 || 7 || misc-attack || 0 || ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit || url,www.frsirt.com/exploits/20050822.elmexploit.c.php || url,www.instinct.org/elm/ || url,doc.emergingthreats.net/bin/view/Main/2002315 +1 || 2002316 || 7 || misc-attack || 0 || ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit || url,www.frsirt.com/exploits/20050822.elmexploit.c.php || url,www.instinct.org/elm/ || url,doc.emergingthreats.net/bin/view/Main/2002316 +1 || 2002317 || 5 || trojan-activity || 0 || ET MALWARE EZSearch Spyware Reporting Search Strings || url,doc.emergingthreats.net/bin/view/Main/2002317 +1 || 2002318 || 5 || trojan-activity || 0 || ET MALWARE EZSearch Spyware Reporting Search Category || url,doc.emergingthreats.net/bin/view/Main/2002318 +1 || 2002319 || 5 || trojan-activity || 0 || ET MALWARE EZSearch Spyware Reporting 2 || url,doc.emergingthreats.net/bin/view/Main/2002319 +1 || 2002320 || 5 || trojan-activity || 0 || ET MALWARE Transponder Spyware Activity || url,www.doxdesk.com/parasite/Transponder.html || url,doc.emergingthreats.net/bin/view/Main/2002320 +1 || 2002322 || 3 || misc-activity || 0 || ET WORM Possible MSN Worm Exploit php || url,doc.emergingthreats.net/2002322 +1 || 2002323 || 3 || misc-activity || 0 || ET WORM Possible MSN Worm Exploit exe || url,doc.emergingthreats.net/2002323 +1 || 2002324 || 3 || misc-activity || 0 || ET WORM Possible MSN Worm Exploit pif || url,doc.emergingthreats.net/2002324 +1 || 2002325 || 3 || misc-activity || 0 || ET WORM W32.kelvir.HI || url,securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.hi.html || url,doc.emergingthreats.net/2002325 +1 || 2002327 || 4 || policy-violation || 0 || ET CHAT Google Talk (Jabber) Client Login || url,talk.google.com || url,www.xmpp.org || url,doc.emergingthreats.net/2002327 +1 || 2002330 || 4 || policy-violation || 0 || ET POLICY Google Talk TLS Client Traffic || url,talk.google.com || url,www.xmpp.org || url,doc.emergingthreats.net/2002330 +1 || 2002331 || 5 || attempted-recon || 0 || ET WEB_SPECIFIC_APPS Piranha default passwd attempt || bugtraq,1148 || cve,2000-0248 || nessus,10381 || url,doc.emergingthreats.net/2002331 +1 || 2002332 || 6 || policy-violation || 0 || ET POLICY Google IM traffic Windows client user sign-on || url,www.google.com/talk || url,doc.emergingthreats.net/2002332 +1 || 2002333 || 6 || policy-violation || 0 || ET POLICY Google IM traffic friend invited || url,www.google.com/talk || url,doc.emergingthreats.net/2002333 +1 || 2002334 || 5 || policy-violation || 0 || ET CHAT Google IM traffic Jabber client sign-on || url,www.google.com/talk || url,doc.emergingthreats.net/2002334 +1 || 2002348 || 5 || trojan-activity || 0 || ET MALWARE VPP Technologies Spyware || url,doc.emergingthreats.net/bin/view/Main/2002348 +1 || 2002349 || 7 || trojan-activity || 0 || ET MALWARE Alexa Spyware Reporting URL || url,doc.emergingthreats.net/bin/view/Main/2002349 +1 || 2002350 || 5 || trojan-activity || 0 || ET MALWARE VPP Technologies Spyware Reporting URL || url,doc.emergingthreats.net/bin/view/Main/2002350 +1 || 2002351 || 5 || policy-violation || 0 || ET MALWARE Comet Systems Spyware Update Download || url,doc.emergingthreats.net/bin/view/Main/2002351 +1 || 2002352 || 5 || policy-violation || 0 || ET MALWARE Comet Systems Spyware Context Report || url,doc.emergingthreats.net/bin/view/Main/2002352 +1 || 2002353 || 6 || trojan-activity || 0 || ET DELETED AdultfriendFinder.com Spyware Iframe Download || url,doc.emergingthreats.net/bin/view/Main/2002353 +1 || 2002354 || 5 || trojan-activity || 0 || ET MALWARE 180solutions Spyware versionconfig POST || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2002354 +1 || 2002362 || 6 || web-application-attack || 0 || ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Command Execution Attempt || bugtraq,14712 || url,doc.emergingthreats.net/2002362 +1 || 2002363 || 15 || trojan-activity || 0 || ET TROJAN IRC potential reptile commands || url,doc.emergingthreats.net/2002363 +1 || 2002364 || 7 || misc-activity || 0 || ET DELETED Weatherbug Wxbug Capture || url,doc.emergingthreats.net/bin/view/Main/2002364 +1 || 2002365 || 9 || web-application-attack || 0 || ET WEB_SERVER HP OpenView Network Node Manager Remote Command Execution Attempt || bugtraq,14662 || url,doc.emergingthreats.net/2002365 +1 || 2002371 || 6 || web-application-activity || 0 || ET WEB_SPECIFIC_APPS Miva Merchant Cross Site Scripting Attack || bugtraq,14828 || url,smallbusiness.miva.com/products/mia/ || url,www.frsirt.com/english/advisories/2005/1758 || url,doc.emergingthreats.net/2002371 +1 || 2002376 || 10 || web-application-attack || 0 || ET WEB_SERVER IBM Lotus Domino BaseTarget XSS attempt || bugtraq,14845 || url,doc.emergingthreats.net/2002376 +1 || 2002377 || 9 || web-application-attack || 0 || ET WEB_SERVER IBM Lotus Domino Src XSS attempt || bugtraq,14846 || url,doc.emergingthreats.net/2002377 +1 || 2002381 || 10 || web-application-attack || 0 || ET WEB_CLIENT RealPlayer/Helix Player Format String Exploit || url,milw0rm.com/id.php?id=1232 || bugtraq,14945 || cve,2005-2710 || url,doc.emergingthreats.net/bin/view/Main/2002381 +1 || 2002383 || 11 || unsuccessful-user || 0 || ET SCAN Potential FTP Brute-Force attempt || url,doc.emergingthreats.net/2002383 +1 || 2002384 || 17 || trojan-activity || 0 || ET TROJAN IRC potential bot commands || url,doc.emergingthreats.net/2002384 +1 || 2002385 || 14 || trojan-activity || 0 || ET TROJAN IRC channel topic reptile commands || url,doc.emergingthreats.net/2002385 +1 || 2002386 || 12 || trojan-activity || 0 || ET TROJAN IRC channel topic misc bot commands || url,doc.emergingthreats.net/2002386 +1 || 2002387 || 10 || trojan-activity || 0 || ET DELETED Mitglieder Proxy Bot Checking In || url,isc.sans.org/diary.php?storyid=722 || url,doc.emergingthreats.net/2002387 +1 || 2002389 || 4 || successful-recon-limited || 0 || ET EXPLOIT Vulnerable Mercury 4.01a IMAP Banner || url,www.pmail.com/whatsnew/m32401.htm || bugtraq,11775 || url,doc.emergingthreats.net/bin/view/Main/2002389 +1 || 2002390 || 4 || misc-attack || 0 || ET EXPLOIT Mercury v4.01a IMAP RENAME Buffer Overflow || url,www.pmail.com/whatsnew/m32401.htm || url,metasploit.com/projects/Framework/exploits.html#mercury_imap || bugtraq,11775 || url,doc.emergingthreats.net/bin/view/Main/2002390 +1 || 2002394 || 12 || trojan-activity || 0 || ET MALWARE Adwave/MarketScore User-Agent (WTA) || url,www.adwave.com/our_mission.aspx || url,www.marketscore.com || url,doc.emergingthreats.net/2002394 +1 || 2002395 || 13 || trojan-activity || 0 || ET MALWARE Miva User-Agent (TPSystem) || url,www.miva.com || url,www.findwhat.com || url,doc.emergingthreats.net/2002395 +1 || 2002396 || 12 || trojan-activity || 0 || ET MALWARE Miva Spyware User-Agent (Travel Update) || url,www.miva.com || url,doc.emergingthreats.net/2002396 +1 || 2002400 || 29 || trojan-activity || 0 || ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) || url,doc.emergingthreats.net/bin/view/Main/2002400 +1 || 2002402 || 17 || trojan-activity || 0 || ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet) || url,www.websearch.com || url,doc.emergingthreats.net/bin/view/Main/2002402 +1 || 2002403 || 12 || trojan-activity || 0 || ET MALWARE Context Plus User-Agent (PTS) || url,www.contextplus.net || url,doc.emergingthreats.net/2002403 +1 || 2002404 || 11 || trojan-activity || 0 || ET MALWARE Movies-etc User-Agent (IOInstall) || url,www.movies-etc.com || url,doc.emergingthreats.net/2002404 +1 || 2002405 || 11 || trojan-activity || 0 || ET MALWARE Internet Optimizer User-Agent (ROGUE) || url,www.internet-optimizer.com || url,doc.emergingthreats.net/2002405 +1 || 2002406 || 4 || attempted-recon || 0 || ET EXPLOIT TAC Attack Directory Traversal || cve,2005-3040 || url,secunia.com/advisories/16854 || url,cirt.dk/advisories/cirt-37-advisory.pdf || url,doc.emergingthreats.net/bin/view/Main/2002406 +1 || 2002407 || 8 || policy-violation || 0 || ET DELETED WebshotsNetClient || url,www.webshots.com || url,doc.emergingthreats.net/2002407 +1 || 2002410 || 4 || policy-violation || 0 || ET DELETED SMTP Non-US Restricted Outbound || url,doc.emergingthreats.net/bin/view/Main/2002410 +1 || 2002411 || 4 || policy-violation || 0 || ET DELETED SMTP Non-US Confidential Outbound || url,doc.emergingthreats.net/bin/view/Main/2002411 +1 || 2002412 || 4 || policy-violation || 0 || ET DELETED SMTP Non-US Top Secret Outbound || url,doc.emergingthreats.net/bin/view/Main/2002412 +1 || 2002413 || 4 || policy-violation || 0 || ET DELETED SMTP Non-US Secret || url,doc.emergingthreats.net/bin/view/Main/2002413 +1 || 2002414 || 5 || policy-violation || 0 || ET DELETED SMTP NATO Restricted || url,doc.emergingthreats.net/bin/view/Main/2002414 +1 || 2002415 || 4 || policy-violation || 0 || ET DELETED SMTP NATO Confidential Atomal || url,doc.emergingthreats.net/bin/view/Main/2002415 +1 || 2002416 || 4 || policy-violation || 0 || ET DELETED SMTP NATO Confidential || url,doc.emergingthreats.net/bin/view/Main/2002416 +1 || 2002417 || 4 || policy-violation || 0 || ET DELETED SMTP NATO COSMIC Top Secret Atomal || url,doc.emergingthreats.net/bin/view/Main/2002417 +1 || 2002418 || 4 || policy-violation || 0 || ET DELETED SMTP NATO Secret Atomal || url,doc.emergingthreats.net/bin/view/Main/2002418 +1 || 2002419 || 4 || policy-violation || 0 || ET DELETED SMTP NATO Secret || url,doc.emergingthreats.net/bin/view/Main/2002419 +1 || 2002420 || 4 || policy-violation || 0 || ET DELETED SMTP US Confidential, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002420 +1 || 2002421 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002421 +1 || 2002422 || 5 || policy-violation || 0 || ET DELETED SMTP US Secret, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002422 +1 || 2002423 || 4 || policy-violation || 0 || ET DELETED SMTP US Confidential REL TO || url,doc.emergingthreats.net/bin/view/Main/2002423 +1 || 2002424 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret REL TO || url,doc.emergingthreats.net/bin/view/Main/2002424 +1 || 2002425 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret REL TO || url,doc.emergingthreats.net/bin/view/Main/2002425 +1 || 2002426 || 3 || policy-violation || 0 || ET DELETED SMTP US Confidential COMINT || url,doc.emergingthreats.net/bin/view/Main/2002426 +1 || 2002427 || 3 || policy-violation || 0 || ET DELETED SMTP US Top Secret COMINT || url,doc.emergingthreats.net/bin/view/Main/2002427 +1 || 2002428 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret COMINT || url,doc.emergingthreats.net/bin/view/Main/2002428 +1 || 2002429 || 4 || policy-violation || 0 || ET DELETED SMTP US Unclassified COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002429 +1 || 2002430 || 4 || policy-violation || 0 || ET DELETED SMTP US Confidential COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002430 +1 || 2002431 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002431 +1 || 2002432 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002432 +1 || 2002433 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret IMCON || url,doc.emergingthreats.net/bin/view/Main/2002433 +1 || 2002434 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret CNWDI || url,doc.emergingthreats.net/bin/view/Main/2002434 +1 || 2002435 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret CNWDI || url,doc.emergingthreats.net/bin/view/Main/2002435 +1 || 2002436 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret TK || url,doc.emergingthreats.net/bin/view/Main/2002436 +1 || 2002437 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret TK || url,doc.emergingthreats.net/bin/view/Main/2002437 +1 || 2002438 || 4 || policy-violation || 0 || ET DELETED SMTP US FGI || url,doc.emergingthreats.net/bin/view/Main/2002438 +1 || 2002439 || 4 || policy-violation || 0 || ET DELETED SMTP US FOUO || url,doc.emergingthreats.net/bin/view/Main/2002439 +1 || 2002440 || 4 || policy-violation || 0 || ET DELETED SMTP US Confidential NOFORN || url,doc.emergingthreats.net/bin/view/Main/2002440 +1 || 2002441 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret NOFORN || url,doc.emergingthreats.net/bin/view/Main/2002441 +1 || 2002442 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret NOFORN || url,doc.emergingthreats.net/bin/view/Main/2002442 +1 || 2002443 || 4 || policy-violation || 0 || ET DELETED SMTP US Confidential ORCON || url,doc.emergingthreats.net/bin/view/Main/2002443 +1 || 2002444 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret ORCON || url,doc.emergingthreats.net/bin/view/Main/2002444 +1 || 2002445 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret ORCON || url,doc.emergingthreats.net/bin/view/Main/2002445 +1 || 2002446 || 4 || policy-violation || 0 || ET DELETED SMTP US Unclassified PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002446 +1 || 2002447 || 4 || policy-violation || 0 || ET DELETED SMTP US Confidential PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002447 +1 || 2002448 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002448 +1 || 2002449 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002449 +1 || 2002450 || 4 || policy-violation || 0 || ET DELETED SMTP US Confidential RD || url,doc.emergingthreats.net/bin/view/Main/2002450 +1 || 2002451 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret RD || url,doc.emergingthreats.net/bin/view/Main/2002451 +1 || 2002452 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret RD || url,doc.emergingthreats.net/bin/view/Main/2002452 +1 || 2002453 || 4 || policy-violation || 0 || ET DELETED SMTP US SAMI || url,doc.emergingthreats.net/bin/view/Main/2002453 +1 || 2002454 || 4 || policy-violation || 0 || ET DELETED SMTP US Confidential SPECAT || url,doc.emergingthreats.net/bin/view/Main/2002454 +1 || 2002455 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret SPECAT || url,doc.emergingthreats.net/bin/view/Main/2002455 +1 || 2002456 || 3 || policy-violation || 0 || ET DELETED SMTP US Secret SPECAT || url,doc.emergingthreats.net/bin/view/Main/2002456 +1 || 2002457 || 4 || policy-violation || 0 || ET DELETED SMTP US Top Secret STOP || url,doc.emergingthreats.net/bin/view/Main/2002457 +1 || 2002458 || 4 || policy-violation || 0 || ET DELETED SMTP Private || url,doc.emergingthreats.net/bin/view/Main/2002458 +1 || 2002459 || 4 || policy-violation || 0 || ET DELETED SMTP Restricted || url,doc.emergingthreats.net/bin/view/Main/2002459 +1 || 2002461 || 4 || policy-violation || 0 || ET DELETED SMTP Secret || url,doc.emergingthreats.net/bin/view/Main/2002461 +1 || 2002462 || 4 || policy-violation || 0 || ET DELETED SMTP Top Secret || url,doc.emergingthreats.net/bin/view/Main/2002462 +1 || 2002463 || 4 || policy-violation || 0 || ET DELETED SMTP Sealed || url,doc.emergingthreats.net/bin/view/Main/2002463 +1 || 2002464 || 4 || policy-violation || 0 || ET DELETED SMTP Sensitive || url,doc.emergingthreats.net/bin/view/Main/2002464 +1 || 2002465 || 5 || policy-violation || 0 || ET DELETED SMTP Proprietary || url,doc.emergingthreats.net/bin/view/Main/2002465 +1 || 2002466 || 4 || policy-violation || 0 || ET DELETED SMTP Protected || url,doc.emergingthreats.net/bin/view/Main/2002466 +1 || 2002467 || 4 || policy-violation || 0 || ET DELETED SMTP Law Enorcement Sensitive || url,doc.emergingthreats.net/bin/view/Main/2002467 +1 || 2002468 || 5 || policy-violation || 0 || ET DELETED SMTP Internal Use Only || url,doc.emergingthreats.net/bin/view/Main/2002468 +1 || 2002469 || 4 || policy-violation || 0 || ET DELETED SMTP Date of Birth || url,doc.emergingthreats.net/bin/view/Main/2002469 +1 || 2002470 || 4 || policy-violation || 0 || ET DELETED SMTP HCPCS Code || url,doc.emergingthreats.net/bin/view/Main/2002470 +1 || 2002471 || 4 || policy-violation || 0 || ET DELETED SMTP ICD-10 Code || url,doc.emergingthreats.net/bin/view/Main/2002471 +1 || 2002472 || 4 || policy-violation || 0 || ET DELETED SMTP FDA NDC Code || url,doc.emergingthreats.net/bin/view/Main/2002472 +1 || 2002473 || 4 || policy-violation || 0 || ET DELETED SMTP ADA Procedure Code || url,doc.emergingthreats.net/bin/view/Main/2002473 +1 || 2002474 || 6 || policy-violation || 0 || ET DELETED SMTP DSM-IV Code || url,doc.emergingthreats.net/bin/view/Main/2002474 +1 || 2002475 || 4 || policy-violation || 0 || ET DELETED SMTP AMA CPT Code || url,doc.emergingthreats.net/bin/view/Main/2002475 +1 || 2002477 || 4 || policy-violation || 0 || ET DELETED SMTP Credit Card, JCB || url,doc.emergingthreats.net/bin/view/Main/2002477 +1 || 2002483 || 4 || policy-violation || 0 || ET DELETED SMTP Password || url,doc.emergingthreats.net/bin/view/Main/2002483 +1 || 2002484 || 4 || policy-violation || 0 || ET DELETED SMTP Appraisal || url,doc.emergingthreats.net/bin/view/Main/2002484 +1 || 2002485 || 4 || policy-violation || 0 || ET DELETED SMTP Account Balance || url,doc.emergingthreats.net/bin/view/Main/2002485 +1 || 2002486 || 5 || policy-violation || 0 || ET DELETED SMTP Payment History || url,doc.emergingthreats.net/bin/view/Main/2002486 +1 || 2002487 || 5 || policy-violation || 0 || ET DELETED SMTP Annual Income || url,doc.emergingthreats.net/bin/view/Main/2002487 +1 || 2002488 || 4 || policy-violation || 0 || ET DELETED SMTP Credit History || url,doc.emergingthreats.net/bin/view/Main/2002488 +1 || 2002489 || 4 || policy-violation || 0 || ET DELETED SMTP Transaction History || url,doc.emergingthreats.net/bin/view/Main/2002489 +1 || 2002490 || 4 || policy-violation || 0 || ET DELETED SMTP Customer List || url,doc.emergingthreats.net/bin/view/Main/2002490 +1 || 2002491 || 12 || web-application-attack || 0 || ET DELETED COM Object MS05-052 (group 1) || cve,2005-2127 || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || url,doc.emergingthreats.net/2002491 +1 || 2002492 || 13 || web-application-attack || 0 || ET DELETED COM Object MS05-052 (group 2) || cve,2005-2127 || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || url,doc.emergingthreats.net/2002492 +1 || 2002493 || 81 || web-application-attack || 0 || ET DELETED COM Object MS05-052 (group 3) || cve,2005-2127 || url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx || url,doc.emergingthreats.net/2002493 +1 || 2002494 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Versatile Bulletin Board SQL Injection Attack || bugtraq,15068 || url,doc.emergingthreats.net/2002494 +1 || 2002495 || 5 || policy-violation || 0 || ET DELETED HTTP Non-US Restricted || url,doc.emergingthreats.net/bin/view/Main/2002495 +1 || 2002496 || 5 || policy-violation || 0 || ET DELETED HTTP - Non-US Confidential || url,doc.emergingthreats.net/bin/view/Main/2002496 +1 || 2002497 || 5 || policy-violation || 0 || ET DELETED HTTP - Non-US Top Secret || url,doc.emergingthreats.net/bin/view/Main/2002497 +1 || 2002498 || 5 || policy-violation || 0 || ET DELETED HTTP - Non-US Secret || url,doc.emergingthreats.net/bin/view/Main/2002498 +1 || 2002499 || 6 || policy-violation || 0 || ET DELETED HTTP - NATO Restricted || url,doc.emergingthreats.net/bin/view/Main/2002499 +1 || 2002500 || 5 || policy-violation || 0 || ET DELETED HTTP - NATO Confidential Atomal || url,doc.emergingthreats.net/bin/view/Main/2002500 +1 || 2002501 || 5 || policy-violation || 0 || ET DELETED HTTP - NATO Confidential || url,doc.emergingthreats.net/bin/view/Main/2002501 +1 || 2002502 || 5 || policy-violation || 0 || ET DELETED HTTP - NATO COSMIC Top Secret Atomal || url,doc.emergingthreats.net/bin/view/Main/2002502 +1 || 2002503 || 5 || policy-violation || 0 || ET DELETED HTTP - NATO Secret Atomal || url,doc.emergingthreats.net/bin/view/Main/2002503 +1 || 2002504 || 5 || policy-violation || 0 || ET DELETED HTTP - NATO Secret || url,doc.emergingthreats.net/bin/view/Main/2002504 +1 || 2002505 || 5 || policy-violation || 0 || ET DELETED HTTP - US Confidential, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002505 +1 || 2002506 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002506 +1 || 2002507 || 5 || policy-violation || 0 || ET DELETED HTTP - US Secret, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002507 +1 || 2002508 || 5 || policy-violation || 0 || ET DELETED HTTP - US Confidential REL TO || url,doc.emergingthreats.net/bin/view/Main/2002508 +1 || 2002509 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret REL TO || url,doc.emergingthreats.net/bin/view/Main/2002509 +1 || 2002510 || 4 || policy-violation || 0 || ET DELETED HTTP - US Secret REL TO || url,doc.emergingthreats.net/bin/view/Main/2002510 +1 || 2002511 || 4 || policy-violation || 0 || ET DELETED HTTP - US Confidential COMINT || url,doc.emergingthreats.net/bin/view/Main/2002511 +1 || 2002512 || 4 || policy-violation || 0 || ET DELETED HTTP - US Top Secret COMINT || url,doc.emergingthreats.net/bin/view/Main/2002512 +1 || 2002513 || 4 || policy-violation || 0 || ET DELETED HTTP - US Secret COMINT || url,doc.emergingthreats.net/bin/view/Main/2002513 +1 || 2002514 || 5 || policy-violation || 0 || ET DELETED HTTP - US Unclassified COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002514 +1 || 2002515 || 5 || policy-violation || 0 || ET DELETED HTTP - US Confidential COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002515 +1 || 2002516 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002516 +1 || 2002517 || 4 || policy-violation || 0 || ET DELETED HTTP - US Secret COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002517 +1 || 2002519 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret CNWDI || url,doc.emergingthreats.net/bin/view/Main/2002519 +1 || 2002521 || 6 || policy-violation || 0 || ET DELETED HTTP - US Top Secret TK || url,doc.emergingthreats.net/bin/view/Main/2002521 +1 || 2002523 || 5 || policy-violation || 0 || ET DELETED HTTP - US FGI || url,doc.emergingthreats.net/bin/view/Main/2002523 +1 || 2002524 || 7 || policy-violation || 0 || ET DELETED HTTP - US FOUO || url,doc.emergingthreats.net/bin/view/Main/2002524 +1 || 2002525 || 5 || policy-violation || 0 || ET DELETED HTTP - US Confidential NOFORN || url,doc.emergingthreats.net/bin/view/Main/2002525 +1 || 2002526 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret NOFORN || url,doc.emergingthreats.net/bin/view/Main/2002526 +1 || 2002528 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret ORCON || url,doc.emergingthreats.net/bin/view/Main/2002528 +1 || 2002530 || 5 || policy-violation || 0 || ET DELETED HTTP - US Unclassified PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002530 +1 || 2002531 || 5 || policy-violation || 0 || ET DELETED HTTP - US Confidential PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002531 +1 || 2002532 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002532 +1 || 2002534 || 5 || policy-violation || 0 || ET DELETED HTTP - US Confidential RD || url,doc.emergingthreats.net/bin/view/Main/2002534 +1 || 2002535 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret RD || url,doc.emergingthreats.net/bin/view/Main/2002535 +1 || 2002537 || 5 || policy-violation || 0 || ET DELETED HTTP - US SAMI || url,doc.emergingthreats.net/bin/view/Main/2002537 +1 || 2002538 || 5 || policy-violation || 0 || ET DELETED HTTP - US Confidential SPECAT || url,doc.emergingthreats.net/bin/view/Main/2002538 +1 || 2002539 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret SPECAT || url,doc.emergingthreats.net/bin/view/Main/2002539 +1 || 2002541 || 5 || policy-violation || 0 || ET DELETED HTTP - US Top Secret STOP || url,doc.emergingthreats.net/bin/view/Main/2002541 +1 || 2002542 || 5 || policy-violation || 0 || ET DELETED HTTP - Private || url,doc.emergingthreats.net/bin/view/Main/2002542 +1 || 2002543 || 5 || policy-violation || 0 || ET DELETED HTTP - Restricted || url,doc.emergingthreats.net/bin/view/Main/2002543 +1 || 2002544 || 5 || policy-violation || 0 || ET DELETED HTTP - Confidential || url,doc.emergingthreats.net/bin/view/Main/2002544 +1 || 2002546 || 5 || policy-violation || 0 || ET DELETED HTTP - Top Secret || url,doc.emergingthreats.net/bin/view/Main/2002546 +1 || 2002547 || 5 || policy-violation || 0 || ET DELETED HTTP - Sealed || url,doc.emergingthreats.net/bin/view/Main/2002547 +1 || 2002548 || 5 || policy-violation || 0 || ET DELETED HTTP - Sensitive || url,doc.emergingthreats.net/bin/view/Main/2002548 +1 || 2002549 || 5 || policy-violation || 0 || ET DELETED HTTP - Proprietary || url,doc.emergingthreats.net/bin/view/Main/2002549 +1 || 2002550 || 5 || policy-violation || 0 || ET DELETED HTTP - Protected || url,doc.emergingthreats.net/bin/view/Main/2002550 +1 || 2002551 || 5 || policy-violation || 0 || ET DELETED HTTP - Law Enorcement Sensitive || url,doc.emergingthreats.net/bin/view/Main/2002551 +1 || 2002552 || 5 || policy-violation || 0 || ET DELETED HTTP - Internal Use Only || url,doc.emergingthreats.net/bin/view/Main/2002552 +1 || 2002553 || 5 || policy-violation || 0 || ET DELETED HTTP - Date of Birth || url,doc.emergingthreats.net/bin/view/Main/2002553 +1 || 2002554 || 5 || policy-violation || 0 || ET DELETED HTTP - HCPCS Code || url,doc.emergingthreats.net/bin/view/Main/2002554 +1 || 2002555 || 5 || policy-violation || 0 || ET DELETED HTTP - ICD-10 Code || url,doc.emergingthreats.net/bin/view/Main/2002555 +1 || 2002556 || 5 || policy-violation || 0 || ET DELETED HTTP - FDA NDC Code || url,doc.emergingthreats.net/bin/view/Main/2002556 +1 || 2002557 || 5 || policy-violation || 0 || ET DELETED HTTP - ADA Procedure Code || url,doc.emergingthreats.net/bin/view/Main/2002557 +1 || 2002558 || 7 || policy-violation || 0 || ET DELETED HTTP - DSM-IV Code || url,doc.emergingthreats.net/bin/view/Main/2002558 +1 || 2002559 || 5 || policy-violation || 0 || ET DELETED HTTP - AMA CPT Code || url,doc.emergingthreats.net/bin/view/Main/2002559 +1 || 2002561 || 5 || policy-violation || 0 || ET DELETED HTTP - Credit Card, JCB || url,doc.emergingthreats.net/bin/view/Main/2002561 +1 || 2002567 || 5 || policy-violation || 0 || ET DELETED HTTP - Password || url,doc.emergingthreats.net/bin/view/Main/2002567 +1 || 2002568 || 5 || policy-violation || 0 || ET DELETED HTTP - Appraisal || url,doc.emergingthreats.net/bin/view/Main/2002568 +1 || 2002569 || 5 || policy-violation || 0 || ET DELETED HTTP - Account Balance || url,doc.emergingthreats.net/bin/view/Main/2002569 +1 || 2002570 || 5 || policy-violation || 0 || ET DELETED HTTP - Payment History || url,doc.emergingthreats.net/bin/view/Main/2002570 +1 || 2002571 || 5 || policy-violation || 0 || ET DELETED HTTP - Annual Income || url,doc.emergingthreats.net/bin/view/Main/2002571 +1 || 2002572 || 5 || policy-violation || 0 || ET DELETED HTTP - Credit History || url,doc.emergingthreats.net/bin/view/Main/2002572 +1 || 2002573 || 5 || policy-violation || 0 || ET DELETED HTTP - Transaction History || url,doc.emergingthreats.net/bin/view/Main/2002573 +1 || 2002574 || 5 || policy-violation || 0 || ET DELETED HTTP - Customer List || url,doc.emergingthreats.net/bin/view/Main/2002574 +1 || 2002575 || 5 || policy-violation || 0 || ET DELETED High Ports - Non-US Restricted || url,doc.emergingthreats.net/bin/view/Main/2002575 +1 || 2002576 || 5 || policy-violation || 0 || ET DELETED High Ports - Non-US Confidential || url,doc.emergingthreats.net/bin/view/Main/2002576 +1 || 2002577 || 5 || policy-violation || 0 || ET DELETED High Ports - Non-US Top Secret || url,doc.emergingthreats.net/bin/view/Main/2002577 +1 || 2002578 || 5 || policy-violation || 0 || ET DELETED High Ports - Non-US Secret || url,doc.emergingthreats.net/bin/view/Main/2002578 +1 || 2002579 || 5 || policy-violation || 0 || ET DELETED High Ports - NATO Restricted || url,doc.emergingthreats.net/bin/view/Main/2002579 +1 || 2002580 || 5 || policy-violation || 0 || ET DELETED High Ports - NATO Confidential Atomal || url,doc.emergingthreats.net/bin/view/Main/2002580 +1 || 2002581 || 5 || policy-violation || 0 || ET DELETED High Ports - NATO Confidential || url,doc.emergingthreats.net/bin/view/Main/2002581 +1 || 2002582 || 5 || policy-violation || 0 || ET DELETED High Ports - NATO COSMIC Top Secret Atomal || url,doc.emergingthreats.net/bin/view/Main/2002582 +1 || 2002583 || 5 || policy-violation || 0 || ET DELETED High Ports - NATO Secret Atomal || url,doc.emergingthreats.net/bin/view/Main/2002583 +1 || 2002584 || 5 || policy-violation || 0 || ET DELETED High Ports - NATO Secret || url,doc.emergingthreats.net/bin/view/Main/2002584 +1 || 2002585 || 5 || policy-violation || 0 || ET DELETED High Ports - US Confidential, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002585 +1 || 2002586 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002586 +1 || 2002587 || 5 || policy-violation || 0 || ET DELETED High Ports - US Secret, Electronic || url,doc.emergingthreats.net/bin/view/Main/2002587 +1 || 2002588 || 5 || policy-violation || 0 || ET DELETED High Ports - US Confidential REL TO || url,doc.emergingthreats.net/bin/view/Main/2002588 +1 || 2002589 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret REL TO || url,doc.emergingthreats.net/bin/view/Main/2002589 +1 || 2002591 || 4 || policy-violation || 0 || ET DELETED High Ports - US Confidential COMINT || url,doc.emergingthreats.net/bin/view/Main/2002591 +1 || 2002592 || 4 || policy-violation || 0 || ET DELETED High Ports - US Top Secret COMINT || url,doc.emergingthreats.net/bin/view/Main/2002592 +1 || 2002593 || 4 || policy-violation || 0 || ET DELETED High Ports - US Secret COMINT || url,doc.emergingthreats.net/bin/view/Main/2002593 +1 || 2002594 || 5 || policy-violation || 0 || ET DELETED High Ports - US Unclassified COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002594 +1 || 2002595 || 5 || policy-violation || 0 || ET DELETED High Ports - US Confidential COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002595 +1 || 2002596 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret COMSEC || url,doc.emergingthreats.net/bin/view/Main/2002596 +1 || 2002599 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret CNWDI || url,doc.emergingthreats.net/bin/view/Main/2002599 +1 || 2002601 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret TK || url,doc.emergingthreats.net/bin/view/Main/2002601 +1 || 2002602 || 4 || policy-violation || 0 || ET DELETED High Ports - US Secret TK || url,doc.emergingthreats.net/bin/view/Main/2002602 +1 || 2002603 || 5 || policy-violation || 0 || ET DELETED High Ports - US FGI || url,doc.emergingthreats.net/bin/view/Main/2002603 +1 || 2002604 || 5 || policy-violation || 0 || ET DELETED High Ports - US FOUO || url,doc.emergingthreats.net/bin/view/Main/2002604 +1 || 2002605 || 5 || policy-violation || 0 || ET DELETED High Ports - US Confidential NOFORN || url,doc.emergingthreats.net/bin/view/Main/2002605 +1 || 2002606 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret NOFORN || url,doc.emergingthreats.net/bin/view/Main/2002606 +1 || 2002607 || 4 || policy-violation || 0 || ET DELETED High Ports - US Secret NOFORN || url,doc.emergingthreats.net/bin/view/Main/2002607 +1 || 2002608 || 5 || policy-violation || 0 || ET DELETED High Ports - US Confidential ORCON || url,doc.emergingthreats.net/bin/view/Main/2002608 +1 || 2002609 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret ORCON || url,doc.emergingthreats.net/bin/view/Main/2002609 +1 || 2002610 || 4 || policy-violation || 0 || ET DELETED High Ports - US Secret ORCON || url,doc.emergingthreats.net/bin/view/Main/2002610 +1 || 2002611 || 5 || policy-violation || 0 || ET DELETED High Ports - US Unclassified PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002611 +1 || 2002612 || 5 || policy-violation || 0 || ET DELETED High Ports - US Confidential PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002612 +1 || 2002613 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret PROPIN || url,doc.emergingthreats.net/bin/view/Main/2002613 +1 || 2002615 || 5 || policy-violation || 0 || ET DELETED High Ports - US Confidential RD || url,doc.emergingthreats.net/bin/view/Main/2002615 +1 || 2002616 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret RD || url,doc.emergingthreats.net/bin/view/Main/2002616 +1 || 2002618 || 5 || policy-violation || 0 || ET DELETED High Ports - US SAMI || url,doc.emergingthreats.net/bin/view/Main/2002618 +1 || 2002619 || 5 || policy-violation || 0 || ET DELETED High Ports - US Confidential SPECAT || url,doc.emergingthreats.net/bin/view/Main/2002619 +1 || 2002620 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret SPECAT || url,doc.emergingthreats.net/bin/view/Main/2002620 +1 || 2002621 || 4 || policy-violation || 0 || ET DELETED High Ports - US Secret SPECAT || url,doc.emergingthreats.net/bin/view/Main/2002621 +1 || 2002622 || 5 || policy-violation || 0 || ET DELETED High Ports - US Top Secret STOP || url,doc.emergingthreats.net/2002622 +1 || 2002623 || 5 || policy-violation || 0 || ET DELETED High Ports - Private || url,doc.emergingthreats.net/2002623 +1 || 2002624 || 5 || policy-violation || 0 || ET DELETED High Ports - Restricted || url,doc.emergingthreats.net/2002624 +1 || 2002625 || 5 || policy-violation || 0 || ET DELETED High Ports - Confidential || url,doc.emergingthreats.net/2002625 +1 || 2002626 || 4 || policy-violation || 0 || ET DELETED High Ports - Secret || url,doc.emergingthreats.net/2002626 +1 || 2002627 || 5 || policy-violation || 0 || ET DELETED High Ports - Top Secret || url,doc.emergingthreats.net/2002627 +1 || 2002628 || 5 || policy-violation || 0 || ET DELETED High Ports - Sealed || url,doc.emergingthreats.net/2002628 +1 || 2002629 || 5 || policy-violation || 0 || ET DELETED High Ports - Sensitive || url,doc.emergingthreats.net/2002629 +1 || 2002630 || 6 || policy-violation || 0 || ET DELETED High Ports - Proprietary || url,doc.emergingthreats.net/2002630 +1 || 2002631 || 6 || policy-violation || 0 || ET DELETED High Ports - Protected || url,doc.emergingthreats.net/2002631 +1 || 2002632 || 6 || policy-violation || 0 || ET DELETED High Ports - Law Enorcement Sensitive || url,doc.emergingthreats.net/2002632 +1 || 2002633 || 6 || policy-violation || 0 || ET DELETED High Ports - Internal Use Only || url,doc.emergingthreats.net/2002633 +1 || 2002634 || 6 || policy-violation || 0 || ET DELETED High Ports - Date of Birth || url,doc.emergingthreats.net/2002634 +1 || 2002635 || 6 || policy-violation || 0 || ET DELETED High Ports - HCPCS Code || url,doc.emergingthreats.net/2002635 +1 || 2002636 || 6 || policy-violation || 0 || ET DELETED High Ports - ICD-10 Code || url,doc.emergingthreats.net/2002636 +1 || 2002637 || 6 || policy-violation || 0 || ET DELETED High Ports - FDA NDC Code || url,doc.emergingthreats.net/2002637 +1 || 2002638 || 6 || policy-violation || 0 || ET DELETED High Ports - ADA Procedure Code || url,doc.emergingthreats.net/2002638 +1 || 2002639 || 8 || policy-violation || 0 || ET DELETED High Ports - DSM-IV Code || url,doc.emergingthreats.net/2002639 +1 || 2002640 || 6 || policy-violation || 0 || ET DELETED High Ports - AMA CPT Code || url,doc.emergingthreats.net/2002640 +1 || 2002642 || 6 || policy-violation || 0 || ET DELETED High Ports - Credit Card, JCB || url,doc.emergingthreats.net/2002642 +1 || 2002648 || 6 || policy-violation || 0 || ET DELETED High Ports - Password || url,doc.emergingthreats.net/2002648 +1 || 2002649 || 6 || policy-violation || 0 || ET DELETED High Ports - Appraisal || url,doc.emergingthreats.net/2002649 +1 || 2002650 || 6 || policy-violation || 0 || ET DELETED High Ports - Account Balance || url,doc.emergingthreats.net/2002650 +1 || 2002651 || 6 || policy-violation || 0 || ET DELETED High Ports - Payment History || url,doc.emergingthreats.net/2002651 +1 || 2002652 || 7 || policy-violation || 0 || ET DELETED High Ports - Annual Income || url,doc.emergingthreats.net/2002652 +1 || 2002653 || 6 || policy-violation || 0 || ET DELETED High Ports - Credit History || url,doc.emergingthreats.net/2002653 +1 || 2002654 || 6 || policy-violation || 0 || ET DELETED High Ports - Transaction History || url,doc.emergingthreats.net/2002654 +1 || 2002655 || 6 || policy-violation || 0 || ET DELETED High Ports - Customer List || url,doc.emergingthreats.net/2002655 +1 || 2002656 || 4 || attempted-dos || 0 || ET EXPLOIT malformed Sack - Snort DoS-by-$um$id || url,doc.emergingthreats.net/bin/view/Main/2002656 +1 || 2002658 || 4 || policy-violation || 0 || ET POLICY EIN in the clear (US-IRS Employer ID Number) || url,policy.ssa.gov/poms.nsf/lnx/0101001004 || url,policy.ssa.gov/poms.nsf/lnx/0101001001?opendocument || url,doc.emergingthreats.net/2002658 +1 || 2002659 || 5 || policy-violation || 0 || ET CHAT Yahoo IM Client Install || url,doc.emergingthreats.net/2002659 +1 || 2002660 || 10 || web-application-activity || 0 || ET DELETED RSA Web Auth Exploit Attempt - Long URL || url,secunia.com/advisories/17281 || url,www.metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm || url,doc.emergingthreats.net/2002660 || url,doc.emergingthreats.net/2002660 +1 || 2002662 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TWiki INCLUDE remote command execution attempt || bugtraq,14960 || url,doc.emergingthreats.net/2002662 +1 || 2002663 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 resetcore.php SQL Injection attempt || bugtraq,15125 || url,doc.emergingthreats.net/2002663 +1 || 2002664 || 10 || attempted-recon || 0 || ET SCAN Nessus User Agent || url,www.nessus.org || url,doc.emergingthreats.net/2002664 +1 || 2002667 || 38 || attempted-recon || 0 || ET WEB_SERVER sumthin scan || url,www.webmasterworld.com/forum11/2100.htm || url,doc.emergingthreats.net/2002667 +1 || 2002668 || 10 || misc-activity || 0 || ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news || bugtraq,15295 || url,doc.emergingthreats.net/2002668 +1 || 2002671 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Galerie ShowGallery.php SQL Injection attempt || bugtraq,15313 || url,doc.emergingthreats.net/2002671 +1 || 2002673 || 9 || policy-violation || 0 || ET P2P MS Foldershare Login Detected || url,www.foldershare.com || url,doc.emergingthreats.net/bin/view/Main/2002673 +1 || 2002676 || 3 || bad-unknown || 0 || ET POLICY nstx DNS Tunnel Outbound || url,savannah.nongnu.org/projects/nstx/ || url,nstx.dereference.de/nstx || url,doc.emergingthreats.net/2002676 +1 || 2002677 || 12 || web-application-attack || 0 || ET SCAN Nikto Web App Scan in Progress || url,www.cirt.net/code/nikto.shtml || url,doc.emergingthreats.net/2002677 +1 || 2002678 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt || bugtraq,15418 || url,doc.emergingthreats.net/2002678 +1 || 2002681 || 12 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Exploit || url,seclists.org/lists/fulldisclosure/2005/Nov/0528.html || url,isc.sans.org/diary.php?storyid=869 || url,www.us-cert.gov/cas/bulletins/SB07-106.html || url,doc.emergingthreats.net/2002681 +1 || 2002683 || 6 || trojan-activity || 0 || ET WORM shell bot perl code download || url,doc.emergingthreats.net/2002683 +1 || 2002684 || 5 || trojan-activity || 0 || ET WORM Shell Bot Code Download || url,doc.emergingthreats.net/2002684 +1 || 2002685 || 6 || web-application-attack || 0 || ET WEB_SERVER Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt || bugtraq,14710 || url,doc.emergingthreats.net/2002685 +1 || 2002695 || 9 || trojan-activity || 0 || ET DELETED Generic Downloader Outbound HTTP connection - Downloading Code || url,doc.emergingthreats.net/2002695 +1 || 2002697 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution || bugtraq,10878 || cve,2004-1456 || url,doc.emergingthreats.net/bin/view/Main/2002697 +1 || 2002702 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSTicket Remote Code Execution Attempt || url,secunia.com/advisories/15216 || url,www.gulftech.org/?node=research&article_id=00071-05022005 || cve,CAN-2005-1438 || cve,CAN-2005-1439 || url,doc.emergingthreats.net/bin/view/Main/2002702 +1 || 2002703 || 4 || web-application-attack || 0 || ET EXPLOIT GuppY error.php Arbitrary Remote Code Execution || bugtraq,15609 || url,doc.emergingthreats.net/bin/view/Main/2002703 +1 || 2002704 || 5 || policy-violation || 0 || ET DELETED HTTP - US Confidential ORCON || url,doc.emergingthreats.net/bin/view/Main/2002704 +1 || 2002707 || 9 || trojan-activity || 0 || ET DELETED iframebiz - adv***.php || url,iframecash.biz || url,isc.sans.org/diary.php?storyid=868 || url,doc.emergingthreats.net/bin/view/Main/2002707 +1 || 2002708 || 8 || trojan-activity || 0 || ET MALWARE iframebiz - sploit.anr || url,iframecash.biz || url,isc.sans.org/diary.php?storyid=868 || url,doc.emergingthreats.net/bin/view/Main/2002708 +1 || 2002709 || 8 || trojan-activity || 0 || ET MALWARE iframebiz - loaderadv***.jar || url,iframecash.biz || url,isc.sans.org/diary.php?storyid=868 || url,doc.emergingthreats.net/bin/view/Main/2002709 +1 || 2002710 || 8 || trojan-activity || 0 || ET MALWARE iframebiz - loadadv***.exe || url,iframecash.biz || url,isc.sans.org/diary.php?storyid=868 || url,doc.emergingthreats.net/bin/view/Main/2002710 +1 || 2002721 || 6 || web-application-attack || 0 || ET WEB_SERVER Cisco IOS HTTP set enable password attack || cve,2005-3921 || bugtraq,15602 || url,www.infohacking.com/INFOHACKING_RESEARCH/Our_Advisories/cisco/index.html || url,doc.emergingthreats.net/2002721 +1 || 2002722 || 4 || policy-violation || 0 || ET POLICY MP3 File Transfer Outbound || url,filext.com/detaillist.php?extdetail=mp3&Search=Search || url,doc.emergingthreats.net/2002722 +1 || 2002723 || 4 || policy-violation || 0 || ET POLICY MP3 File Transfer Inbound || url,filext.com/detaillist.php?extdetail=mp3&Search=Search || url,doc.emergingthreats.net/2002723 +1 || 2002724 || 11 || web-application-attack || 0 || ET ACTIVEX MciWndx ActiveX Control || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,doc.emergingthreats.net/2002724 +1 || 2002725 || 13 || web-application-attack || 0 || ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054 || cve,2005-2831 || url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx || url,doc.emergingthreats.net/2002725 +1 || 2002728 || 6 || trojan-activity || 0 || ET DELETED Ranky or variant backdoor communication ping || url,www.sophos.com/virusinfo/analyses/trojranckcx.html || url,www.iss.net/threats/W32.Trojan.Ranky.FV.html +1 || 2002729 || 4 || policy-violation || 0 || ET POLICY Outbound Hamachi VPN Connection Attempt || url,www.hamachi.cc || url,doc.emergingthreats.net/2002729 +1 || 2002731 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Generic phpbb arbitrary command attempt || url,cve.mitre.org/cgi-bin/cvekey.cgi?keyword=phpbb_root_path || url,doc.emergingthreats.net/2002731 +1 || 2002734 || 5 || attempted-user || 0 || ET EXPLOIT WMF Exploit || url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php || url,doc.emergingthreats.net/bin/view/Main/2002734 +1 || 2002735 || 6 || policy-violation || 0 || ET MALWARE Zenotecnico Adware 2 || url,www.zenotecnico.com || url,doc.emergingthreats.net/bin/view/Main/2002735 +1 || 2002736 || 5 || policy-violation || 0 || ET MALWARE Trafficsector.com Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2002736 +1 || 2002737 || 6 || policy-violation || 0 || ET MALWARE Zenotecnico Spyware Install Report || url,www.zenotecnico.com || url,doc.emergingthreats.net/bin/view/Main/2002737 +1 || 2002738 || 5 || trojan-activity || 0 || ET MALWARE SurfSidekick Activity (rinfo) || url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html || url,doc.emergingthreats.net/bin/view/Main/2002738 +1 || 2002739 || 12 || trojan-activity || 0 || ET MALWARE iDownloadAgent Spyware User-Agent (iDownloadAgent) || url,doc.emergingthreats.net/2002739 +1 || 2002740 || 5 || policy-violation || 0 || ET MALWARE adservs.com Spyware || url,doc.emergingthreats.net/bin/view/Main/2002740 +1 || 2002741 || 11 || unknown || 0 || ET EXPLOIT WMF Escape Record Exploit - Web Only - version 3 || url,www.frsirt.com/english/advisories/2005/3086 || url,doc.emergingthreats.net/bin/view/Main/2002741 +1 || 2002742 || 9 || attempted-user || 0 || ET EXPLOIT WMF Escape Record Exploit - Version 3 || url,www.frsirt.com/english/advisories/2005/3086 || url,doc.emergingthreats.net/bin/view/Main/2002742 +1 || 2002743 || 8 || unknown || 0 || ET EXPLOIT WMF Escape Record Exploit - Web Only - all versions || url,www.frsirt.com/english/advisories/2005/3086 || url,doc.emergingthreats.net/bin/view/Main/2002743 +1 || 2002749 || 14 || bad-unknown || 0 || ET POLICY Unallocated IP Space Traffic - Bogon Nets || url,www.cymru.com/Documents/bogon-list.html || url,doc.emergingthreats.net/bin/view/Main/2002749 +1 || 2002750 || 27 || bad-unknown || 0 || ET DELETED Reserved IP Space Traffic - Bogon Nets 2 || url,www.cymru.com/Documents/bogon-list.html || url,doc.emergingthreats.net/bin/view/Main/2002750 +1 || 2002751 || 8 || bad-unknown || 0 || ET DELETED Reserved IP Space Traffic - Bogon Nets 3 || url,www.cymru.com/Documents/bogon-list.html || url,doc.emergingthreats.net/bin/view/Main/2002751 +1 || 2002752 || 4 || bad-unknown || 0 || ET POLICY Reserved Internal IP Traffic || url,www.cymru.com/Documents/bogon-list.html || url,doc.emergingthreats.net/bin/view/Main/2002752 +1 || 2002757 || 5 || unknown || 0 || ET EXPLOIT WMF Escape Record Exploit - Web Only - version 1 || url,www.frsirt.com/english/advisories/2005/3086 || url,doc.emergingthreats.net/bin/view/Main/2002757 +1 || 2002758 || 6 || attempted-user || 0 || ET EXPLOIT WMF Escape Record Exploit - Version 1 || url,www.frsirt.com/english/advisories/2005/3086 || url,doc.emergingthreats.net/bin/view/Main/2002758 +1 || 2002760 || 3 || policy-violation || 0 || ET P2P GnucDNA UDP Ultrapeer Traffic || url,doc.emergingthreats.net/bin/view/Main/2002760 +1 || 2002761 || 6 || policy-violation || 0 || ET P2P Gnutella TCP Ultrapeer Traffic || url,doc.emergingthreats.net/bin/view/Main/2002761 +1 || 2002762 || 6 || trojan-activity || 0 || ET TROJAN Torpig Reporting User Activity (x25) || url,www.sophos.com/virusinfo/analyses/trojtorpigr.html || url,doc.emergingthreats.net/2002762 +1 || 2002763 || 7 || trojan-activity || 0 || ET TROJAN Dumador Reporting User Activity || url,www.norman.com/Virus/Virus_descriptions/24279/ || url,doc.emergingthreats.net/2002763 +1 || 2002765 || 7 || trojan-activity || 0 || ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/bin/view/Main/2002765 +1 || 2002766 || 7 || trojan-activity || 0 || ET MALWARE Corpsespyware.net BlackList - pcpeek || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/bin/view/Main/2002766 +1 || 2002767 || 8 || trojan-activity || 0 || ET MALWARE Corpsespyware.net Distribution - bos.biz || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/bin/view/Main/2002767 +1 || 2002768 || 7 || trojan-activity || 0 || ET MALWARE Corpsespyware.net Distribution - fesexy || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/bin/view/Main/2002768 +1 || 2002769 || 8 || trojan-activity || 0 || ET MALWARE Corpsespyware.net Distribution - studiolacase || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/bin/view/Main/2002769 +1 || 2002770 || 5 || trojan-activity || 0 || ET MALWARE Corpsespyware.net - msits.exe access || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/bin/view/Main/2002770 +1 || 2002771 || 5 || trojan-activity || 0 || ET MALWARE Corpsespyware.net - msys.exe access || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/bin/view/Main/2002771 +1 || 2002773 || 8 || trojan-activity || 0 || ET TROJAN FSG Packed Binary via HTTP Inbound || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/2002773 +1 || 2002774 || 6 || trojan-activity || 0 || ET DELETED Corpsespyware.net Blind Data Upload || url,www.securityfocus.com/infocus/1745 || url,doc.emergingthreats.net/bin/view/Main/2002774 +1 || 2002775 || 8 || trojan-activity || 0 || ET TROJAN Goldun Reporting User Activity || url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html || url,doc.emergingthreats.net/2002775 +1 || 2002776 || 7 || trojan-activity || 0 || ET TROJAN SickleBot Reporting User Activity || url,doc.emergingthreats.net/2002776 +1 || 2002777 || 7 || web-application-attack || 0 || ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution || url,doc.emergingthreats.net/2002777 +1 || 2002780 || 7 || trojan-activity || 0 || ET TROJAN Goldun Reporting User Activity 2 || url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html || url,doc.emergingthreats.net/2002780 +1 || 2002781 || 6 || trojan-activity || 0 || ET TROJAN w32agent.dsi Posting Info || url,doc.emergingthreats.net/2002781 +1 || 2002782 || 6 || trojan-activity || 0 || ET TROJAN w32agent.dsi Domain Update || url,doc.emergingthreats.net/2002782 +1 || 2002783 || 4 || trojan-activity || 0 || ET EXPLOIT Java runtime.exec() call || url,www.mullingsecurity.com || url,doc.emergingthreats.net/bin/view/Main/2002783 +1 || 2002784 || 4 || trojan-activity || 0 || ET EXPLOIT Java private function call sun.misc.unsafe || url,www.mullingsecurity.com || url,doc.emergingthreats.net/bin/view/Main/2002784 +1 || 2002785 || 4 || trojan-activity || 0 || ET EXPLOIT Java field reflector call java.lang.reflect.field || url,www.mullingsecurity.com || url,doc.emergingthreats.net/bin/view/Main/2002785 +1 || 2002786 || 4 || trojan-activity || 0 || ET EXPLOIT Javascript unsafe applet call || url,www.mullingsecurity.com || url,doc.emergingthreats.net/bin/view/Main/2002786 +1 || 2002787 || 4 || trojan-activity || 0 || ET EXPLOIT Javascript Securitymanager class applet call || url,www.mullingsecurity.com || url,doc.emergingthreats.net/bin/view/Main/2002787 +1 || 2002790 || 9 || trojan-activity || 0 || ET TROJAN Haxdoor Reporting User Activity || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI || url,doc.emergingthreats.net/2002790 || url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2 || url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94 || url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954 || url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca +1 || 2002791 || 5 || web-application-attack || 0 || ET DELETED MISC Computer Associates Negative Content-Length Buffer Overflow || bugtraq,16354 || cve,2005-3653 || url,doc.emergingthreats.net/bin/view/Main/2002791 +1 || 2002796 || 4 || policy-violation || 0 || ET POLICY X-Box Live Connecting || url,www.microsoft.com/xbox/ || url,doc.emergingthreats.net/2002796 +1 || 2002800 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP PHPNuke Remote File Inclusion Attempt || url,www.zone-h.org/en/advisories/read/id=8694/ || url,doc.emergingthreats.net/2002800 +1 || 2002801 || 14 || policy-violation || 0 || ET POLICY Google Desktop User-Agent Detected || url,news.com.com/2100-1032_3-6038197.html || url,doc.emergingthreats.net/2002801 +1 || 2002802 || 8 || attempted-user || 0 || ET EXPLOIT Windows Media Player parsing BMP file with 0 size offset to start of image || url,www.milw0rm.com/id.php?id=1500 || url,www.microsoft.com/technet/security/Bulletin/MS06-005.mspx || cve,2006-0006 || bugtraq,16633 || url,doc.emergingthreats.net/bin/view/Main/2002802 +1 || 2002803 || 10 || attempted-user || 0 || ET EXPLOIT BMP with invalid bfOffBits || url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx || cve,2006-0006 || bugtraq,16633 || url,doc.emergingthreats.net/bin/view/Main/2002803 +1 || 2002804 || 6 || trojan-activity || 0 || ET MALWARE Spyaxe Spyware DB Update || url,doc.emergingthreats.net/bin/view/Main/2002804 +1 || 2002805 || 6 || trojan-activity || 0 || ET MALWARE Spyaxe Spyware DB Version Check || url,doc.emergingthreats.net/bin/view/Main/2002805 +1 || 2002806 || 6 || trojan-activity || 0 || ET MALWARE Spyaxe Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2002806 +1 || 2002807 || 11 || trojan-activity || 0 || ET DELETED Spyaxe Spyware User-Agent (spyaxe) || url,doc.emergingthreats.net/2002807 +1 || 2002808 || 12 || trojan-activity || 0 || ET MALWARE Spyaxe Spyware User-Agent (spywareaxe) || url,doc.emergingthreats.net/2002808 +1 || 2002809 || 5 || trojan-activity || 0 || ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd) || url,doc.emergingthreats.net/bin/view/Main/2002809 +1 || 2002810 || 4 || trojan-activity || 0 || ET ATTACK_RESPONSE Hostile FTP Server Banner (Reptile) || url,doc.emergingthreats.net/bin/view/Main/2002810 +1 || 2002811 || 5 || trojan-activity || 0 || ET ATTACK_RESPONSE Hostile FTP Server Banner (Bot Server) || url,doc.emergingthreats.net/bin/view/Main/2002811 +1 || 2002812 || 6 || trojan-activity || 0 || ET DELETED PWS-LDPinch Reporting User Activity || url,doc.emergingthreats.net/2002812 +1 || 2002814 || 5 || policy-violation || 0 || ET P2P Direct Connect Traffic (client-server) || url,en.wikipedia.org/wiki/Direct_connect_file-sharing_application || url,doc.emergingthreats.net/bin/view/Main/2002814 +1 || 2002815 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Plume CMS prepend.php Remote File Inclusion attempt || cve,CVE-2006-0725 || bugtraq,16662 || nessus,20972 || url,doc.emergingthreats.net/2002815 +1 || 2002816 || 5 || trojan-activity || 0 || ET MALWARE DelFin Project Spyware (payload) || url,doc.emergingthreats.net/bin/view/Main/2002816 +1 || 2002817 || 5 || trojan-activity || 0 || ET MALWARE DelFin Project Spyware (setup) || url,doc.emergingthreats.net/bin/view/Main/2002817 +1 || 2002820 || 5 || trojan-activity || 0 || ET MALWARE Hotbar Agent Subscription POST || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2002820 +1 || 2002821 || 7 || policy-violation || 0 || ET MALWARE SideStep Bar Reporting Data (sbstart) || url,www.sidestep.com || url,www.spyany.com/program/article_spw_rm_SideStep.html || url,doc.emergingthreats.net/bin/view/Main/2002821 +1 || 2002822 || 9 || attempted-recon || 0 || ET POLICY Wget User Agent || url,www.gnu.org/software/wget || url,doc.emergingthreats.net/2002822 +1 || 2002823 || 11 || attempted-recon || 0 || ET POLICY POSSIBLE Web Crawl using Wget || url,www.gnu.org/software/wget/ || url,doc.emergingthreats.net/2002823 +1 || 2002824 || 10 || attempted-recon || 0 || ET POLICY CURL User Agent || url,curl.haxx.se || url,doc.emergingthreats.net/2002824 +1 || 2002825 || 8 || attempted-recon || 0 || ET POLICY POSSIBLE Web Crawl using Curl || url,curl.haxx.se || url,doc.emergingthreats.net/2002825 +1 || 2002826 || 10 || attempted-recon || 0 || ET POLICY fetch User Agent || url,gobsd.com/code/freebsd/lib/libfetch || url,doc.emergingthreats.net/2002826 +1 || 2002827 || 11 || attempted-recon || 0 || ET POLICY POSSIBLE Crawl using Fetch || url,gobsd.com/code/freebsd/lib/libfetch || url,doc.emergingthreats.net/2002827 +1 || 2002828 || 9 || not-suspicious || 0 || ET POLICY Googlebot User Agent || url,www.google.com/webmasters/bot.html || url,doc.emergingthreats.net/2002828 +1 || 2002829 || 9 || attempted-recon || 0 || ET POLICY Googlebot Crawl || url,www.google.com/webmasters/bot.html || url,doc.emergingthreats.net/2002829 +1 || 2002830 || 8 || not-suspicious || 0 || ET POLICY Msnbot User Agent || url,search.msn.com/msnbot.htm || url,doc.emergingthreats.net/2002830 +1 || 2002831 || 9 || attempted-recon || 0 || ET POLICY Msnbot Crawl || url,search.msn.com/msnbot.htm || url,doc.emergingthreats.net/2002831 +1 || 2002832 || 9 || not-suspicious || 0 || ET POLICY Yahoo Crawler User Agent || url,mms-mmcrawler-support@yahoo-inc.com || url,doc.emergingthreats.net/2002832 +1 || 2002833 || 7 || attempted-recon || 0 || ET POLICY Yahoo Crawler Crawl || url,mms-mmcrawler-support@yahoo-inc.com || url,doc.emergingthreats.net/2002833 +1 || 2002836 || 8 || trojan-activity || 0 || ET MALWARE MyWebSearch Toolbar Traffic (bar config download) || url,doc.emergingthreats.net/bin/view/Main/2002836 +1 || 2002837 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PmWiki Globals Variables Overwrite Attempt || cve,CVE-2006-0479 || bugtraq,16421 || nessus,20891 || url,doc.emergingthreats.net/2002837 +1 || 2002838 || 9 || web-application-activity || 0 || ET POLICY Google Search Appliance browsing the Internet || url,www.google.com/enterprise/gsa/index.html || url,doc.emergingthreats.net/2002838 +1 || 2002839 || 6 || trojan-activity || 0 || ET MALWARE My Search Spyware Config Download || url,doc.emergingthreats.net/bin/view/Main/2002839 +1 || 2002840 || 6 || policy-violation || 0 || ET MALWARE Freeze.com Spyware/Adware (Install) || url,doc.emergingthreats.net/bin/view/Main/2002840 +1 || 2002841 || 7 || policy-violation || 0 || ET MALWARE Freeze.com Spyware/Adware (Install Registration) || url,doc.emergingthreats.net/bin/view/Main/2002841 +1 || 2002842 || 4 || protocol-command-decode || 0 || ET SCAN MYSQL 4.1 brute force root login attempt || url,www.redferni.uklinux.net/mysql/MySQL-Protocol.html || url,doc.emergingthreats.net/2002842 +1 || 2002843 || 4 || attempted-dos || 0 || ET DOS Microsoft Streaming Server Malformed Request || bugtraq,1282 || url,www.microsoft.com/technet/security/bulletin/ms00-038.mspx || url,doc.emergingthreats.net/bin/view/Main/2002843 +1 || 2002844 || 7 || web-application-attack || 0 || ET WEB_SERVER WebDAV search overflow || cve,2003-0109 || url,doc.emergingthreats.net/2002844 +1 || 2002845 || 5 || attempted-admin || 0 || ET EXPLOIT MSSQL Hello Overflow Attempt || cve,2002-1123 || bugtraq,5411 || url,doc.emergingthreats.net/bin/view/Main/2002845 +1 || 2002848 || 7 || attempted-user || 0 || ET VOIP SIP UDP Softphone INVITE overflow || bugtraq,16213 || cve,2006-0189 || url,doc.emergingthreats.net/bin/view/Main/2002848 +1 || 2002849 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Google Appliance External Proxy Stylesheet || bugtraq,15509 || cve,2005-3758 || url,doc.emergingthreats.net/2002849 +1 || 2002850 || 5 || not-suspicious || 0 || ET FTP USER login flowbit || url,doc.emergingthreats.net/bin/view/Main/2002850 +1 || 2002851 || 5 || attempted-recon || 0 || ET FTP HP-UX LIST command without login || cve,2005-3296 || bugtraq,15138 || url,doc.emergingthreats.net/bin/view/Main/2002851 +1 || 2002852 || 5 || attempted-user || 0 || ET EXPLOIT HP-UX Printer LPD Command Insertion || cve,2005-3277 || bugtraq,15136 || url,doc.emergingthreats.net/bin/view/Main/2002852 +1 || 2002853 || 5 || attempted-dos || 0 || ET DOS FreeBSD NFS RPC Kernel Panic || cve,2006-0900 || bugtraq,19017 || url,doc.emergingthreats.net/bin/view/Main/2002853 +1 || 2002855 || 7 || policy-violation || 0 || ET GAMES Blizzard Downloader || url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html || url,doc.emergingthreats.net/bin/view/Main/2002855 +1 || 2002856 || 9 || unknown || 0 || ET DELETED Suspicious POST to ROBOTS.TXT || url,doc.emergingthreats.net/bin/view/Main/2002856 +1 || 2002857 || 5 || trojan-activity || 0 || ET TROJAN Win32.VB.aie Reporting User Activity || url,doc.emergingthreats.net/2002857 +1 || 2002858 || 5 || policy-violation || 0 || ET MALWARE Fun Web Products StationaryChooser Spyware || url,www.funwebproducts.com || url,doc.emergingthreats.net/bin/view/Main/2002858 +1 || 2002859 || 7 || trojan-activity || 0 || ET TROJAN PassSickle Reporting User Activity || url,doc.emergingthreats.net/2002859 +1 || 2002861 || 11 || web-application-attack || 0 || ET ACTIVEX Danim.dll and Dxtmsft.dll COM Objects || cve,2006-1186 || url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx || url,doc.emergingthreats.net/2002861 +1 || 2002863 || 8 || attempted-recon || 0 || ET DELETED osCommerce vulnerable web application extras update.php exists || url,retrogod.altervista.org/oscommerce_22_adv.html || url,doc.emergingthreats.net/2002863 +1 || 2002864 || 6 || attempted-recon || 0 || ET WEB_SERVER osCommerce extras/update.php disclosure || url,retrogod.altervista.org/oscommerce_22_adv.html || url,doc.emergingthreats.net/2002864 +1 || 2002865 || 6 || attempted-user || 0 || ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow || cve,2006-0992 || bugtraq,17503 || url,doc.emergingthreats.net/2002865 +1 || 2002866 || 6 || policy-violation || 0 || ET POLICY Winpcap Installation in Progress || url,www.winpcap.org || url,doc.emergingthreats.net/2002866 +1 || 2002867 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit || url,www.milw0rm.com/exploits/1660 || cve,2006-1491 || bugtraq,17292 || url,doc.emergingthreats.net/2002867 +1 || 2002868 || 10 || web-application-activity || 0 || ET WEB_SPECIFIC_APPS Horde Web Mail Help Access || cve,2006-1491 || bugtraq,17292 || url,doc.emergingthreats.net/2002868 +1 || 2002869 || 8 || web-application-attack || 0 || ET WEB_SERVER WebAttacker kit (exploit1 ie0601) || url,doc.emergingthreats.net/2002869 +1 || 2002870 || 8 || web-application-attack || 0 || ET WEB_SERVER WebAttacker kit (exploit ie0604) || url,doc.emergingthreats.net/2002870 +1 || 2002871 || 7 || web-application-attack || 0 || ET WEB_SERVER WebAttacker kit (bug ie0604) || url,doc.emergingthreats.net/2002871 +1 || 2002872 || 6 || policy-violation || 0 || ET POLICY Myspace Login Attempt || url,doc.emergingthreats.net/2002872 +1 || 2002874 || 14 || trojan-activity || 0 || ET TROJAN Metafisher/Goldun User-Agent (z) || url,doc.emergingthreats.net/2002874 +1 || 2002877 || 14 || trojan-activity || 0 || ET TROJAN TROJAN BankSnif/Nethelper User-Agent (nethelper) || url,doc.emergingthreats.net/2002877 +1 || 2002878 || 8 || policy-violation || 0 || ET POLICY iTunes User Agent || url,hcsoftware.sourceforge.net/jason-rohrer/itms4all/ || url,doc.emergingthreats.net/2002878 +1 || 2002879 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP phpMyAgenda rootagenda Remote File Include Attempt || cve,2006-2009 || bugtraq,17670 || url,doc.emergingthreats.net/2002879 +1 || 2002880 || 8 || attempted-dos || 0 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 trap port || cve,2004-0714 || bugtraq,10186 || url,doc.emergingthreats.net/bin/view/Main/2002880 +1 || 2002881 || 8 || attempted-dos || 0 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 trap port || cve,2004-0714 || bugtraq,10186 || url,doc.emergingthreats.net/bin/view/Main/2002881 +1 || 2002882 || 7 || attempted-dos || 0 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 trap port || cve,2004-0714 || bugtraq,10186 || url,doc.emergingthreats.net/bin/view/Main/2002882 +1 || 2002886 || 3 || attempted-admin || 0 || ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt || bugtraq,17699 || url,doc.emergingthreats.net/bin/view/Main/2002886 +1 || 2002887 || 4 || attempted-admin || 0 || ET EXPLOIT SYS get_domain_index_tables Access || bugtraq,17699 || url,doc.emergingthreats.net/bin/view/Main/2002887 +1 || 2002888 || 4 || attempted-admin || 0 || ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt || bugtraq,17699 || url,doc.emergingthreats.net/bin/view/Main/2002888 +1 || 2002889 || 8 || attempted-user || 0 || ET ACTIVEX JuniperSetup Control Buffer Overflow || url,www.eeye.com/html/research/advisories/AD20060424.html || url,doc.emergingthreats.net/2002889 +1 || 2002892 || 4 || trojan-activity || 0 || ET DELETED Mytob.X clam SMTP Inbound || url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326 || url,doc.emergingthreats.net/2002892 +1 || 2002893 || 4 || trojan-activity || 0 || ET DELETED Mytob.X clam SMTP Outbound || url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326 || url,doc.emergingthreats.net/2002893 +1 || 2002894 || 4 || trojan-activity || 0 || ET DELETED W32.Nugache SMTP Inbound || url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html || url,doc.emergingthreats.net/2002894 +1 || 2002895 || 4 || trojan-activity || 0 || ET DELETED W32.Nugache SMTP Outbound || url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html || url,doc.emergingthreats.net/2002895 +1 || 2002896 || 6 || attempted-recon || 0 || ET EXPLOIT Symantec Scan Engine Request Password Hash || cve,2006-0230 || bugtraq,17637 || url,doc.emergingthreats.net/bin/view/Main/2002896 +1 || 2002897 || 10 || web-application-activity || 0 || ET WEB_SPECIFIC_APPS Horde README access probe || cve,CVE-2006-1491 || url,csirt.terradon.com/postarchive.php?month=4&year=2006#article28 || url,doc.emergingthreats.net/2002897 +1 || 2002898 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt || bugtraq,14651 || cve,2005-2717 || url,doc.emergingthreats.net/2002898 +1 || 2002899 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion get_header.php || url,www.milw0rm.com/exploits/1632 || cve,2006-1636 || bugtraq,17358 || url,doc.emergingthreats.net/2002899 +1 || 2002900 || 6 || web-application-attack || 0 || ET WEB_SERVER CGI AWstats Migrate Command Attempt || bugtraq,17844 || url,doc.emergingthreats.net/2002900 +1 || 2002901 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Aardvark Topsites PHP CONFIG PATH Remote File Include Attempt || cve,CVE-2006-2149 || url,www.osvdb.org/25158 || url,doc.emergingthreats.net/2002901 +1 || 2002902 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP VWar Remote File Inclusion functions_install.php || cve,2006-1503 || bugtraq,17290 || url,doc.emergingthreats.net/2002902 +1 || 2002903 || 5 || shellcode-detect || 0 || ET SHELLCODE x86 PexFnstenvMov/Sub Encoder || url,doc.emergingthreats.net/bin/view/Main/2002903 +1 || 2002904 || 5 || shellcode-detect || 0 || ET SHELLCODE x86 Alpha2 GetEIPs Encoder || url,doc.emergingthreats.net/bin/view/Main/2002904 +1 || 2002905 || 5 || shellcode-detect || 0 || ET SHELLCODE x86 Countdown Encoder || url,doc.emergingthreats.net/bin/view/Main/2002905 +1 || 2002906 || 5 || shellcode-detect || 0 || ET SHELLCODE x86 PexAlphaNum Encoder || url,doc.emergingthreats.net/bin/view/Main/2002906 +1 || 2002907 || 5 || shellcode-detect || 0 || ET SHELLCODE x86 PexCall Encoder || url,doc.emergingthreats.net/bin/view/Main/2002907 +1 || 2002908 || 5 || shellcode-detect || 0 || ET SHELLCODE x86 JmpCallAdditive Encoder || url,doc.emergingthreats.net/bin/view/Main/2002908 +1 || 2002910 || 4 || attempted-recon || 0 || ET SCAN Potential VNC Scan 5800-5820 || url,doc.emergingthreats.net/2002910 +1 || 2002911 || 4 || attempted-recon || 0 || ET SCAN Potential VNC Scan 5900-5920 || url,doc.emergingthreats.net/2002911 +1 || 2002912 || 7 || misc-activity || 0 || ET EXPLOIT VNC Possible Vulnerable Server Response || url,www.realvnc.com/docs/rfbproto.pdf || cve,2006-2369 || url,doc.emergingthreats.net/bin/view/Main/2002912 +1 || 2002913 || 7 || misc-activity || 0 || ET EXPLOIT VNC Client response || url,www.realvnc.com/docs/rfbproto.pdf || url,doc.emergingthreats.net/bin/view/Main/2002913 +1 || 2002914 || 6 || misc-activity || 0 || ET EXPLOIT VNC Server VNC Auth Offer || url,www.realvnc.com/docs/rfbproto.pdf || url,doc.emergingthreats.net/bin/view/Main/2002914 +1 || 2002915 || 6 || attempted-admin || 0 || ET EXPLOIT VNC Authentication Reply || url,www.realvnc.com/docs/rfbproto.pdf || url,doc.emergingthreats.net/bin/view/Main/2002915 +1 || 2002916 || 6 || attempted-admin || 0 || ET EXPLOIT RealVNC Authentication Bypass Attempt || url,secunia.com/advisories/20107/ || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || cve,2006-2369 || url,doc.emergingthreats.net/bin/view/Main/2002916 +1 || 2002917 || 6 || successful-admin || 0 || ET EXPLOIT RealVNC Server Authentication Bypass Successful || url,secunia.com/advisories/20107/ || url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html || cve,2006-2369 || url,doc.emergingthreats.net/bin/view/Main/2002917 +1 || 2002918 || 6 || misc-activity || 0 || ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string || url,www.realvnc.com/docs/rfbproto.pdf || url,doc.emergingthreats.net/bin/view/Main/2002918 +1 || 2002919 || 7 || attempted-admin || 0 || ET EXPLOIT VNC Good Authentication Reply || url,www.realvnc.com/docs/rfbproto.pdf || url,doc.emergingthreats.net/bin/view/Main/2002919 +1 || 2002920 || 5 || attempted-admin || 0 || ET POLICY VNC Authentication Failure || url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf || url,doc.emergingthreats.net/bin/view/Main/2002920 +1 || 2002921 || 6 || attempted-admin || 0 || ET EXPLOIT VNC Multiple Authentication Failures || url,www.realvnc.com/docs/rfbproto.pdf || url,doc.emergingthreats.net/bin/view/Main/2002921 +1 || 2002922 || 5 || not-suspicious || 0 || ET POLICY VNC Authentication Successful || url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf || url,doc.emergingthreats.net/bin/view/Main/2002922 +1 || 2002923 || 6 || misc-activity || 0 || ET EXPLOIT VNC Server Not Requiring Authentication (case 2) || url,www.realvnc.com/docs/rfbproto.pdf || cve,2006-2369 || url,doc.emergingthreats.net/bin/view/Main/2002923 +1 || 2002924 || 7 || misc-activity || 0 || ET EXPLOIT VNC Server Not Requiring Authentication || url,www.realvnc.com/docs/rfbproto.pdf || cve,2006-2369 || url,doc.emergingthreats.net/bin/view/Main/2002924 +1 || 2002925 || 5 || policy-violation || 0 || ET INAPPROPRIATE Google Image Search, Safe Mode Off || url,doc.emergingthreats.net/bin/view/Main/2002925 +1 || 2002926 || 7 || attempted-dos || 0 || ET SNMP Cisco Non-Trap PDU request on SNMPv1 random port || cve,2004-0714 || bugtraq,10186 || url,doc.emergingthreats.net/bin/view/Main/2002926 +1 || 2002927 || 7 || attempted-dos || 0 || ET SNMP Cisco Non-Trap PDU request on SNMPv2 random port || cve,2004-0714 || bugtraq,10186 || url,doc.emergingthreats.net/bin/view/Main/2002927 +1 || 2002928 || 7 || attempted-dos || 0 || ET SNMP Cisco Non-Trap PDU request on SNMPv3 random port || cve,2004-0714 || bugtraq,10186 || url,doc.emergingthreats.net/bin/view/Main/2002928 +1 || 2002929 || 7 || trojan-activity || 0 || ET TROJAN Haxdoor Reporting User Activity 2 || url,doc.emergingthreats.net/2002929 || url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2 || url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94 || url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954 || url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca || md5,0995ecb8bb78f510ae995a50be0c351a +1 || 2002931 || 5 || trojan-activity || 0 || ET MALWARE CWS Trafcool.biz Related Installer || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035 || url,doc.emergingthreats.net/bin/view/Main/2002931 +1 || 2002932 || 5 || trojan-activity || 0 || ET MALWARE CWS Related Installer || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035 || url,doc.emergingthreats.net/bin/view/Main/2002932 +1 || 2002933 || 5 || trojan-activity || 0 || ET MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035 || url,doc.emergingthreats.net/bin/view/Main/2002933 +1 || 2002934 || 9 || attempted-recon || 0 || ET POLICY libwww-perl User Agent || url,www.linpro.no/lwp/ || url,doc.emergingthreats.net/2002934 +1 || 2002935 || 9 || attempted-recon || 0 || ET POLICY Possible Web Crawl - libwww-perl User Agent || url,www.linpro.no/lwp/ || url,doc.emergingthreats.net/2002935 +1 || 2002937 || 7 || web-application-attack || 0 || ET WEB_SERVER WebAttacker kit (ie0606) || url,doc.emergingthreats.net/2002937 +1 || 2002938 || 5 || trojan-activity || 0 || ET TROJAN elitekeylogger v1.0 reporting - Inbound || url,doc.emergingthreats.net/2002938 +1 || 2002940 || 4 || trojan-activity || 0 || ET TROJAN XP keylogger v2.1 mail report - Inbound || url,doc.emergingthreats.net/2002940 +1 || 2002941 || 5 || trojan-activity || 0 || ET TROJAN elitekeylogger v1.0 reporting - Outbound || url,doc.emergingthreats.net/2002941 +1 || 2002942 || 4 || trojan-activity || 0 || ET TROJAN XP keylogger v2.1 mail report - Outbound || url,doc.emergingthreats.net/2002942 +1 || 2002943 || 9 || attempted-recon || 0 || ET POLICY python.urllib User Agent Web Crawl || url,docs.python.org/lib/module-urllib.html || url,doc.emergingthreats.net/2002943 +1 || 2002944 || 8 || attempted-recon || 0 || ET POLICY python.urllib User Agent || url,docs.python.org/lib/module-urllib.html || url,doc.emergingthreats.net/2002944 +1 || 2002945 || 12 || attempted-recon || 0 || ET POLICY Java Url Lib User Agent Web Crawl || url,www.mozilla.org/docs/netlib/seealso/netmods.html || url,doc.emergingthreats.net/2002945 +1 || 2002946 || 9 || attempted-recon || 0 || ET POLICY Java Url Lib User Agent || url,www.mozilla.org/docs/netlib/seealso/netmods.html || url,doc.emergingthreats.net/2002946 +1 || 2002947 || 7 || attempted-admin || 0 || ET GAMES PunkBuster Server webkey Buffer Overflow || url,aluigi.altervista.org/adv/pbwebbof-adv.txt || url,doc.emergingthreats.net/2002947 +1 || 2002948 || 10 || policy-violation || 0 || ET POLICY External Windows Update in Progress || url,windowsupdate.microsoft.com || url,doc.emergingthreats.net/2002948 +1 || 2002949 || 9 || policy-violation || 0 || ET POLICY Windows Update in Progress || url,windowsupdate.microsoft.com || url,doc.emergingthreats.net/2002949 +1 || 2002950 || 6 || policy-violation || 0 || ET P2P TOR 1.0 Server Key Retrieval || url,tor.eff.org || url,doc.emergingthreats.net/2002950 +1 || 2002951 || 5 || policy-violation || 0 || ET P2P TOR 1.0 Status Update || url,tor.eff.org || url,doc.emergingthreats.net/2002951 +1 || 2002952 || 5 || policy-violation || 0 || ET P2P TOR 1.0 Inbound Circuit Traffic || url,tor.eff.org || url,doc.emergingthreats.net/2002952 +1 || 2002953 || 5 || policy-violation || 0 || ET P2P TOR 1.0 Outbound Circuit Traffic || url,tor.eff.org || url,doc.emergingthreats.net/2002953 +1 || 2002954 || 6 || trojan-activity || 0 || ET MALWARE Bravesentry.com Fake Antispyware Download || url,www.bravesentry.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,doc.emergingthreats.net/bin/view/Main/2002954 +1 || 2002955 || 7 || trojan-activity || 0 || ET MALWARE Win32/Tibs Checkin || md5,65448c8678f03253ef380c375d6670ce +1 || 2002956 || 5 || trojan-activity || 0 || ET MALWARE Bestcount.net Spyware Downloading vxgame || url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain || url,doc.emergingthreats.net/bin/view/Main/2002956 +1 || 2002957 || 5 || trojan-activity || 0 || ET MALWARE Bestcount.net Spyware Initial Infection Download || url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain || url,doc.emergingthreats.net/bin/view/Main/2002957 +1 || 2002959 || 6 || trojan-activity || 0 || ET TROJAN Tibs Checkin || url,doc.emergingthreats.net/2002959 +1 || 2002960 || 7 || trojan-activity || 0 || ET DELETED Tibs Download || url,doc.emergingthreats.net/2002960 +1 || 2002961 || 5 || trojan-activity || 0 || ET TROJAN Tibs Checkin 2 || url,doc.emergingthreats.net/2002961 +1 || 2002962 || 7 || trojan-activity || 0 || ET DELETED Tibs Code Download || url,doc.emergingthreats.net/2002962 +1 || 2002963 || 8 || trojan-activity || 0 || ET TROJAN Generic Spambot-Spyware Access || url,doc.emergingthreats.net/2002963 +1 || 2002964 || 5 || trojan-activity || 0 || ET TROJAN Generic Spyware Update Download || url,doc.emergingthreats.net/2002964 +1 || 2002965 || 7 || trojan-activity || 0 || ET DELETED Generic Spambot Spam Download || url,doc.emergingthreats.net/2002965 +1 || 2002966 || 5 || trojan-activity || 0 || ET MALWARE Elitemediagroup.net Spyware Config Download || url,elitemediagroup.net || url,doc.emergingthreats.net/bin/view/Main/2002966 +1 || 2002967 || 5 || trojan-activity || 0 || ET MALWARE Dollarrevenue.com Spyware Code Download || url,dollarrevenue.com || url,doc.emergingthreats.net/bin/view/Main/2002967 +1 || 2002971 || 5 || attempted-user || 0 || ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt || cve,2006-1303 || bugtraq,18328 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || url,doc.emergingthreats.net/2002971 +1 || 2002973 || 4 || misc-activity || 0 || ET SCAN Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor || url,doc.emergingthreats.net/2002973 +1 || 2002974 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established || url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html || url,doc.emergingthreats.net/2002974 +1 || 2002975 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type || url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html || url,doc.emergingthreats.net/2002975 +1 || 2002976 || 8 || trojan-activity || 0 || ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2002976 +1 || 2002977 || 4 || trojan-activity || 0 || ET TROJAN Banload Downloader Infection - Sending initial email to owner || url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586 || url,doc.emergingthreats.net/2002977 +1 || 2002978 || 6 || trojan-activity || 0 || ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2002978 +1 || 2002979 || 4 || trojan-activity || 0 || ET TROJAN SC-KeyLog Keylogger Installed - Sending Initial Email Report || url,www.soft-central.net/keylog.php || url,doc.emergingthreats.net/2002979 +1 || 2002980 || 4 || trojan-activity || 0 || ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2002980 +1 || 2002981 || 4 || trojan-activity || 0 || ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2002981 +1 || 2002982 || 6 || trojan-activity || 0 || ET TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO || url,doc.emergingthreats.net/2002982 +1 || 2002983 || 3 || trojan-activity || 0 || ET TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO || url,doc.emergingthreats.net/2002983 +1 || 2002984 || 6 || trojan-activity || 0 || ET MALWARE SpySherriff Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2002984 +1 || 2002987 || 6 || trojan-activity || 0 || ET MALWARE Jupitersatellites.biz Spyware Download || url,doc.emergingthreats.net/bin/view/Main/2002987 +1 || 2002988 || 9 || trojan-activity || 0 || ET MALWARE Possible Spambot Checking in to Spam || url,doc.emergingthreats.net/bin/view/Main/2002988 +1 || 2002989 || 8 || trojan-activity || 0 || ET DELETED Possible Spambot getting new exe url || url,doc.emergingthreats.net/bin/view/Main/2002989 +1 || 2002990 || 9 || trojan-activity || 0 || ET MALWARE Possible Spambot Pulling IP List to Spam || url,doc.emergingthreats.net/bin/view/Main/2002990 +1 || 2002991 || 6 || trojan-activity || 0 || ET MALWARE Possible Spambot getting new exe || url,doc.emergingthreats.net/bin/view/Main/2002991 +1 || 2002992 || 6 || misc-activity || 0 || ET SCAN Rapid POP3 Connections - Possible Brute Force Attack || url,doc.emergingthreats.net/2002992 +1 || 2002993 || 6 || misc-activity || 0 || ET SCAN Rapid POP3S Connections - Possible Brute Force Attack || url,doc.emergingthreats.net/2002993 +1 || 2002994 || 6 || misc-activity || 0 || ET SCAN Rapid IMAP Connections - Possible Brute Force Attack || url,doc.emergingthreats.net/2002994 +1 || 2002995 || 9 || misc-activity || 0 || ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack || url,doc.emergingthreats.net/2002995 +1 || 2002996 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability || url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html || url,doc.emergingthreats.net/2002996 +1 || 2002997 || 11 || web-application-attack || 0 || ET WEB_SERVER PHP Remote File Inclusion (monster list http) || url,www.sans.org/top20/ || url,doc.emergingthreats.net/2002997 +1 || 2002998 || 7 || attempted-dos || 0 || ET DELETED HELO Non-Displayable Characters MailEnable Denial of Service || cve,2006-3277 || bugtraq,18630 || url,doc.emergingthreats.net/bin/view/Main/2002998 +1 || 2002999 || 5 || trojan-activity || 0 || ET MALWARE /jk/exp.wmf Exploit Code Load Attempt || url,doc.emergingthreats.net/bin/view/Main/2002999 +1 || 2003000 || 6 || trojan-activity || 0 || ET MALWARE PopupSh.ocx Access Attempt || url,doc.emergingthreats.net/bin/view/Main/2003000 +1 || 2003002 || 8 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Client Hello on Unusual Port TLS || url,doc.emergingthreats.net/2003002 +1 || 2003003 || 8 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003003 +1 || 2003004 || 8 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Client Hello on Unusual Port Case 2 || url,doc.emergingthreats.net/2003004 +1 || 2003005 || 9 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003005 +1 || 2003006 || 8 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Client Key Exchange on Unusual Port || url,doc.emergingthreats.net/2003006 +1 || 2003007 || 8 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003007 +1 || 2003008 || 7 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Client Cipher Set on Unusual Port || url,doc.emergingthreats.net/2003008 +1 || 2003009 || 7 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003009 +1 || 2003010 || 7 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Server Hello on Unusual Port || url,doc.emergingthreats.net/2003010 +1 || 2003011 || 7 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003011 +1 || 2003012 || 8 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port || url,doc.emergingthreats.net/2003012 +1 || 2003013 || 7 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003013 +1 || 2003014 || 7 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Server Key Exchange on Unusual Port || url,doc.emergingthreats.net/2003014 +1 || 2003015 || 6 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003015 +1 || 2003016 || 7 || unusual-client-port-connection || 0 || ET DELETED TLS/SSL Server Hello Done on Unusual Port || url,doc.emergingthreats.net/2003016 +1 || 2003017 || 6 || unusual-client-port-connection || 0 || ET DELETED TLS/SSL Server Hello Done on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003017 +1 || 2003018 || 7 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Server Cipher Set on Unusual Port || url,doc.emergingthreats.net/2003018 +1 || 2003019 || 7 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003019 +1 || 2003020 || 9 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Encrypted Application Data on Unusual Port || url,doc.emergingthreats.net/2003020 +1 || 2003021 || 8 || unusual-client-port-connection || 0 || ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3 || url,doc.emergingthreats.net/2003021 +1 || 2003022 || 4 || policy-violation || 0 || ET CHAT Skype Bootstrap Node (udp) || url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf || url,doc.emergingthreats.net/2003022 +1 || 2003023 || 9 || web-application-activity || 0 || ET WEB_CLIENT IE StructuredGraphicsControl SourceURL Bug MoBB#6 || url,browserfun.blogspot.com/2006/07/mobb-6-structuredgraphicscontrol.html || cve,2006-3427 || url,doc.emergingthreats.net/bin/view/Main/2003023 +1 || 2003025 || 6 || trojan-activity || 0 || ET DELETED Unknown Web Bot Controller Accessed || url,doc.emergingthreats.net/bin/view/Main/2003025 +1 || 2003026 || 5 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts || url,doc.emergingthreats.net/2003026 +1 || 2003027 || 5 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts || url,doc.emergingthreats.net/2003027 +1 || 2003028 || 5 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts || url,doc.emergingthreats.net/2003028 +1 || 2003029 || 5 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts || url,doc.emergingthreats.net/2003029 +1 || 2003030 || 5 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts || url,doc.emergingthreats.net/2003030 +1 || 2003031 || 5 || not-suspicious || 0 || ET CHAT Known SSL traffic on port 5222 (Jabber) being excluded from SSL Alerts || url,doc.emergingthreats.net/2003031 +1 || 2003032 || 5 || not-suspicious || 0 || ET CHAT Known SSL traffic on port 5223 (Jabber) being excluded from SSL Alerts || url,doc.emergingthreats.net/2003032 +1 || 2003033 || 4 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts || url,doc.emergingthreats.net/2003033 +1 || 2003034 || 4 || trojan-activity || 0 || ET DELETED Trojan.Downloader.Time2Pay.AQ || url,research.sunbelt-software.com || url,doc.emergingthreats.net/bin/view/Main/2003034 +1 || 2003035 || 4 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts || url,doc.emergingthreats.net/2003035 +1 || 2003036 || 4 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts || url,doc.emergingthreats.net/2003036 +1 || 2003037 || 4 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts || url,doc.emergingthreats.net/2003037 +1 || 2003038 || 4 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts || url,doc.emergingthreats.net/2003038 +1 || 2003039 || 4 || attempted-user || 0 || ET EXPLOIT UPnP DLink M-Search Overflow Attempt || url,www.eeye.com/html/research/advisories/AD20060714.html || url,doc.emergingthreats.net/bin/view/Main/2003039 +1 || 2003040 || 4 || policy-violation || 0 || ET DELETED PCMesh Anonymous Proxy client connect || url,doc.emergingthreats.net/2003040 +1 || 2003041 || 7 || trojan-activity || 0 || ET DELETED Win32.SMTP-Mailer SMTP Outbound || url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095 || url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1 || url,doc.emergingthreats.net/2003041 +1 || 2003045 || 4 || policy-violation || 0 || ET DELETED Real.com Game Arcade Install (User agent) || url,doc.emergingthreats.net/2003045 +1 || 2003046 || 3 || policy-violation || 0 || ET DELETED Real.com Game Arcade Install || url,doc.emergingthreats.net/2003046 +1 || 2003047 || 4 || policy-violation || 0 || ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi) || url,doc.emergingthreats.net/2003047 +1 || 2003048 || 4 || policy-violation || 0 || ET POLICY Proxy Judge Discovery/Evasion (proxyjudge.cgi) || url,doc.emergingthreats.net/2003048 +1 || 2003055 || 12 || non-standard-protocol || 0 || ET MALWARE Suspicious FTP 220 Banner on Local Port (-) || url,doc.emergingthreats.net/bin/view/Main/2003055 +1 || 2003056 || 5 || attempted-admin || 0 || ET WEB_SPECIFIC_APPS EiQNetworks Security Analyzer Buffer Overflow || cve,2006-3838 || url,secunia.com/advisories/21211/ || url,doc.emergingthreats.net/2003056 +1 || 2003057 || 5 || trojan-activity || 0 || ET MALWARE 180solutions Spyware Actionlibs Download || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003057 +1 || 2003058 || 5 || trojan-activity || 0 || ET MALWARE 180solutions (Zango) Spyware Installer Download || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003058 +1 || 2003059 || 5 || trojan-activity || 0 || ET MALWARE 180solutions (Zango) Spyware TB Installer Download || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003059 +1 || 2003060 || 5 || trojan-activity || 0 || ET MALWARE 180solutions (Zango) Spyware Local Stats Post || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003060 +1 || 2003061 || 4 || trojan-activity || 0 || ET MALWARE 180solutions (Zango) Spyware Event Activity Post || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003061 +1 || 2003062 || 11 || trojan-activity || 0 || ET USER_AGENTS 180 Solutions (Zango Installer) User Agent || url,doc.emergingthreats.net/2003062 +1 || 2003063 || 7 || web-application-attack || 0 || ET WEB_SERVER WebAttacker RootLauncher || url,doc.emergingthreats.net/2003063 +1 || 2003064 || 7 || attempted-admin || 0 || ET DELETED Cisco-MARS/JBoss jmx-console POST || bugtraq,19071 || url,doc.emergingthreats.net/bin/view/Main/2003064 +1 || 2003065 || 7 || attempted-admin || 0 || ET DELETED Cisco-MARS/JBoss Remote Command Execution || bugtraq,19071 || url,doc.emergingthreats.net/bin/view/Main/2003065 +1 || 2003066 || 4 || trojan-activity || 0 || ET TROJAN Torpig Reporting User Activity (wur8) || url,www.sophos.com/virusinfo/analyses/trojtorpigr.html || url,doc.emergingthreats.net/2003066 +1 || 2003067 || 5 || attempted-dos || 0 || ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT || url,www.milw0rm.com/exploits/2057 || url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx || url,doc.emergingthreats.net/bin/view/Main/2003067 +1 || 2003068 || 6 || attempted-recon || 0 || ET SCAN Potential SSH Scan OUTBOUND || url,en.wikipedia.org/wiki/Brute_force_attack || url,doc.emergingthreats.net/2003068 +1 || 2003069 || 4 || policy-violation || 0 || ET DELETED Anonymous Proxy Traffic from Inside || url,doc.emergingthreats.net/2003069 +1 || 2003070 || 6 || trojan-activity || 0 || ET WORM Korgo.U Reporting || url,www.f-secure.com/v-descs/korgo_u.shtml || url,doc.emergingthreats.net/2003070 +1 || 2003071 || 7 || misc-activity || 0 || ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style) || url,doc.emergingthreats.net/bin/view/Main/2003071 +1 || 2003072 || 5 || attempted-admin || 0 || ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt || url,secunia.com/advisories/21372/ || url,doc.emergingthreats.net/bin/view/Main/2003072 +1 || 2003073 || 4 || trojan-activity || 0 || ET DELETED ICMP Banking Trojan sending encrypted stolen data || url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570 || url,doc.emergingthreats.net/2003073 +1 || 2003074 || 5 || trojan-activity || 0 || ET MALWARE Content-loader.com Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2003074 +1 || 2003075 || 5 || trojan-activity || 0 || ET MALWARE Content-loader.com Spyware Install 2 || url,doc.emergingthreats.net/bin/view/Main/2003075 +1 || 2003076 || 5 || trojan-activity || 0 || ET MALWARE Content-loader.com (ownusa.info) Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2003076 +1 || 2003081 || 5 || misc-attack || 0 || ET NETBIOS NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040) || url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx || url,doc.emergingthreats.net/bin/view/Main/2003081 +1 || 2003082 || 5 || misc-attack || 0 || ET NETBIOS NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040) || url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx || url,doc.emergingthreats.net/bin/view/Main/2003082 +1 || 2003083 || 6 || trojan-activity || 0 || ET TROJAN Dialer || url,isc.sans.org/diary.php?storyid=1388 || url,doc.emergingthreats.net/2003083 +1 || 2003084 || 5 || trojan-activity || 0 || ET MALWARE TROJAN_VB Microjoin || url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW || url,doc.emergingthreats.net/bin/view/Main/2003084 +1 || 2003085 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TWiki Configure Script TYPEOF Remote Command Execution Attempt || cve,CVE-2006-3819 || bugtraq,19188 || url,doc.emergingthreats.net/2003085 +1 || 2003086 || 6 || web-application-attack || 0 || ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Command Execution || bugtraq,19276 || url,doc.emergingthreats.net/2003086 +1 || 2003087 || 7 || web-application-attack || 0 || ET WEB_SERVER Barracuda Spam Firewall preview_email.cgi Remote Directory Traversal Attempt || bugtraq,19276 || url,doc.emergingthreats.net/2003087 +1 || 2003089 || 4 || policy-violation || 0 || ET GAMES STEAM Connection (v2) || url,doc.emergingthreats.net/bin/view/Main/2003089 +1 || 2003092 || 3 || policy-violation || 0 || ET DELETED Gmail gtalk || url,doc.emergingthreats.net/2003092 +1 || 2003094 || 3 || trojan-activity || 0 || ET TROJAN VMM Detecting Torpig/Anserin/Sinowal Trojan || url,doc.emergingthreats.net/2003094 +1 || 2003095 || 3 || trojan-activity || 0 || ET TROJAN (UPX) VMM Detecting Torpig/Anserin/Sinowal Trojan || url,doc.emergingthreats.net/2003095 +1 || 2003096 || 4 || misc-activity || 0 || ET DELETED Possible Image Spam Inbound (simple rule) || url,doc.emergingthreats.net/2003096 +1 || 2003097 || 4 || misc-activity || 0 || ET DELETED Possible Image Spam Inbound (complex rule) || url,doc.emergingthreats.net/2003097 +1 || 2003099 || 7 || web-application-activity || 0 || ET WEB_SERVER Poison Null Byte || cve,2006-4542 || cve,2006-4458 || cve,2006-3602 || url,www.security-assessment.com/Whitepapers/0x00_vs_ASP_File_Uploads.pdf || url,doc.emergingthreats.net/2003099 +1 || 2003102 || 12 || attempted-user || 0 || ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID || url,www.osvdb.org/displayvuln.php?osvdb_id=28841 || cve,2006-4446 || url,doc.emergingthreats.net/2003102 +1 || 2003103 || 10 || attempted-user || 0 || ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object || url, www.osvdb.org/displayvuln.php?osvdb_id=28841 || cve,2006-4446 || url,doc.emergingthreats.net/2003103 +1 || 2003104 || 11 || attempted-user || 0 || ET DELETED Microsoft Multimedia Controls - ActiveX control's KeyFrame function call CSLID || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 || cve,2006-4777 || url,doc.emergingthreats.net/2003104 +1 || 2003105 || 10 || attempted-user || 0 || ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object || url,www.osvdb.org/displayvuln.php?osvdb_id=28842 || cve,2006-4777 || url,doc.emergingthreats.net/2003105 +1 || 2003110 || 7 || attempted-user || 0 || ET WEB_CLIENT MSIE WebViewFolderIcon setSlice invalid memory copy || url, riosec.com/msie-setslice-vuln || url,osvdb.org/27110 || cve,2006-3730 || url,doc.emergingthreats.net/bin/view/Main/2003110 +1 || 2003115 || 7 || trojan-activity || 0 || ET TROJAN - Trojan.Proxy.PPAgent.t (updatea) || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738 || url,doc.emergingthreats.net/2003115 +1 || 2003116 || 7 || trojan-activity || 0 || ET TROJAN - Trojan.Proxy.PPAgent.t (updateb) || url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738 || url,doc.emergingthreats.net/2003116 +1 || 2003117 || 4 || shellcode-detect || 0 || ET DELETED SHELLCODE CLET polymorphic payload || url,toorcon.org/2006/conference.html?id=29 || url,doc.emergingthreats.net/2003117 +1 || 2003118 || 4 || shellcode-detect || 0 || ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload || url,toorcon.org/2006/conference.html?id=29 || url,doc.emergingthreats.net/2003118 +1 || 2003119 || 4 || shellcode-detect || 0 || ET DELETED SHELLCODE ADMutate polymorphic payload || url,toorcon.org/2006/conference.html?id=29 || url,doc.emergingthreats.net/2003119 +1 || 2003120 || 4 || misc-activity || 0 || ET DELETED Possible Image Spam Inbound (3) || url,doc.emergingthreats.net/2003120 +1 || 2003121 || 6 || policy-violation || 0 || ET POLICY docs.google.com Activity || url,docs.google.com || url,doc.emergingthreats.net/2003121 +1 || 2003122 || 6 || policy-violation || 0 || ET DELETED Possible docs.google.com Activity || url,docs.google.com || url,doc.emergingthreats.net/2003122 +1 || 2003132 || 7 || trojan-activity || 0 || ET TROJAN BOT - potential DDoS command (2) || url,doc.emergingthreats.net/2003132 +1 || 2003138 || 3 || trojan-activity || 0 || ET TROJAN SpamThru trojan peer exchange || url,www.secureworks.com/analysis/spamthru/ || url,doc.emergingthreats.net/2003138 +1 || 2003139 || 3 || trojan-activity || 0 || ET TROJAN SpamThru trojan SMTP test successful || url,www.secureworks.com/analysis/spamthru/ || url,doc.emergingthreats.net/2003139 +1 || 2003140 || 3 || trojan-activity || 0 || ET TROJAN SpamThru trojan update request || url,www.secureworks.com/analysis/spamthru/ || url,doc.emergingthreats.net/2003140 +1 || 2003141 || 3 || trojan-activity || 0 || ET TROJAN SpamThru trojan AV DLL request || url,www.secureworks.com/analysis/spamthru/ || url,doc.emergingthreats.net/2003141 +1 || 2003142 || 3 || trojan-activity || 0 || ET TROJAN SpamThru trojan spam template request || url,www.secureworks.com/analysis/spamthru/ || url,doc.emergingthreats.net/2003142 +1 || 2003143 || 3 || trojan-activity || 0 || ET TROJAN SpamThru trojan spam run report || url,www.secureworks.com/analysis/spamthru/ || url,doc.emergingthreats.net/2003143 +1 || 2003144 || 3 || trojan-activity || 0 || ET TROJAN SpamThru trojan AV scan report || url,www.secureworks.com/analysis/spamthru/ || url,doc.emergingthreats.net/2003144 +1 || 2003145 || 5 || web-application-attack || 0 || ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds || url,doc.emergingthreats.net/bin/view/Main/2003145 +1 || 2003146 || 5 || web-application-attack || 0 || ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost || url,doc.emergingthreats.net/bin/view/Main/2003146 +1 || 2003147 || 5 || web-application-attack || 0 || ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap) || url,doc.emergingthreats.net/bin/view/Main/2003147 +1 || 2003148 || 5 || web-application-attack || 0 || ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap) || url,doc.emergingthreats.net/bin/view/Main/2003148 +1 || 2003149 || 5 || misc-activity || 0 || ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style) || url,doc.emergingthreats.net/bin/view/Main/2003149 +1 || 2003150 || 5 || misc-activity || 0 || ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style) || url,doc.emergingthreats.net/bin/view/Main/2003150 +1 || 2003151 || 5 || trojan-activity || 0 || ET MALWARE Fun Web Products SmileyCentral IEsp2 Install || url,www.myfuncards.com || url,doc.emergingthreats.net/bin/view/Main/2003151 +1 || 2003152 || 7 || misc-activity || 0 || ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives || bugtraq,15295 || url,doc.emergingthreats.net/2003152 +1 || 2003153 || 5 || trojan-activity || 0 || ET MALWARE Bestcount.net Spyware Exploit Download || url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain || url,doc.emergingthreats.net/bin/view/Main/2003153 +1 || 2003154 || 8 || trojan-activity || 0 || ET MALWARE Bestcount.net Spyware Data Upload || url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain || url,doc.emergingthreats.net/bin/view/Main/2003154 +1 || 2003155 || 4 || misc-activity || 0 || ET POLICY Microsoft TEREDO IPv6 tunneling || url,doc.emergingthreats.net/2003155 +1 || 2003156 || 6 || attempted-recon || 0 || ET DELETED Crewbox Proxy Scan || url,doc.emergingthreats.net/2003156 +1 || 2003157 || 10 || trojan-activity || 0 || ET TROJAN Agobot-SDBot Commands || url,doc.emergingthreats.net/2003157 +1 || 2003158 || 11 || attempted-user || 0 || ET ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID || url,www.securityfocus.com/bid/20843 || url,secunia.com/advisories/22603 || cve,2006-4704 || url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx || url,doc.emergingthreats.net/2003158 +1 || 2003159 || 10 || attempted-user || 0 || ET ACTIVEX Microsoft VsmIDE.DTE object call CSLID || url,doc.emergingthreats.net/2003159 +1 || 2003160 || 10 || attempted-user || 0 || ET ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID || url,doc.emergingthreats.net/2003160 +1 || 2003161 || 10 || attempted-user || 0 || ET ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID || url,doc.emergingthreats.net/2003161 +1 || 2003162 || 8 || attempted-user || 0 || ET ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID || url,doc.emergingthreats.net/2003162 +1 || 2003163 || 8 || attempted-user || 0 || ET ACTIVEX Microsoft VsaIDE.DTE object call CSLID || url,doc.emergingthreats.net/2003163 +1 || 2003164 || 8 || attempted-user || 0 || ET ACTIVEX Microsoft Business Object Factory object call CSLID || url,doc.emergingthreats.net/2003164 +1 || 2003165 || 8 || attempted-user || 0 || ET ACTIVEX Microsoft Outlook Data Object object call CSLID || url,doc.emergingthreats.net/2003165 +1 || 2003166 || 8 || attempted-user || 0 || ET ACTIVEX Microsoft Outlook.Application object call CSLID || url,doc.emergingthreats.net/2003166 +1 || 2003167 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS tikiwiki featured link XSS attempt || url,www.securityfocus.com/archive/1/450268/30/0 || url,doc.emergingthreats.net/2003167 +1 || 2003168 || 7 || policy-violation || 0 || ET POLICY Winamp Streaming User Agent || url,doc.emergingthreats.net/2003168 +1 || 2003170 || 4 || trojan-activity || 0 || ET DELETED Zango Spyware Activity || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003170 +1 || 2003171 || 7 || attempted-recon || 0 || ET SCAN IBM NSA User Agent || url,ftp.inf.utfsm.cl/pub/Docs/IBM/Tivoli/pdfs/sg246021.pdf || url,doc.emergingthreats.net/2003171 +1 || 2003173 || 7 || trojan-activity || 0 || ET SHELLCODE Possible UTF-8 encoded Shellcode Detected || url,doc.emergingthreats.net/bin/view/Main/2003173 +1 || 2003174 || 8 || trojan-activity || 0 || ET SHELLCODE Possible UTF-16 encoded Shellcode Detected || url,doc.emergingthreats.net/bin/view/Main/2003174 +1 || 2003175 || 5 || not-suspicious || 0 || ET TROJAN Warezov/Stration Challenge || url,www.sophos.com/security/analyses/w32strationbo.html || url,doc.emergingthreats.net/2003175 +1 || 2003176 || 5 || trojan-activity || 0 || ET TROJAN Warezov/Stration Challenge Response || url,www.sophos.com/security/analyses/w32strationbo.html || url,doc.emergingthreats.net/2003176 +1 || 2003179 || 10 || policy-violation || 0 || ET POLICY exe download without User Agent || url,doc.emergingthreats.net/2003179 +1 || 2003180 || 11 || trojan-activity || 0 || ET TROJAN Possible Warezov/Stration Data Post to Controller || url,www.sophos.com/security/analyses/w32strationbo.html || url,doc.emergingthreats.net/2003180 +1 || 2003182 || 11 || trojan-activity || 0 || ET DELETED Prg Trojan v0.1-v0.3 Data Upload || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf || url,doc.emergingthreats.net/2003182 +1 || 2003183 || 5 || trojan-activity || 0 || ET TROJAN Prg Trojan Server Reply || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf || url,doc.emergingthreats.net/2003183 +1 || 2003184 || 5 || trojan-activity || 0 || ET DELETED Prg Trojan v0.1 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf || url,doc.emergingthreats.net/2003184 +1 || 2003185 || 5 || trojan-activity || 0 || ET DELETED Prg Trojan v0.2 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf || url,doc.emergingthreats.net/2003185 +1 || 2003186 || 5 || trojan-activity || 0 || ET DELETED Prg Trojan v0.3 Binary In Transit || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf || url,doc.emergingthreats.net/2003186 +1 || 2003187 || 5 || trojan-activity || 0 || ET TROJAN Win32.Lager Trojan Initial Checkin || url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732 || url,doc.emergingthreats.net/2003187 +1 || 2003188 || 5 || trojan-activity || 0 || ET TROJAN Win32.Lager Trojan Reporting || url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732 || url,doc.emergingthreats.net/2003188 +1 || 2003189 || 6 || trojan-activity || 0 || ET TROJAN Win32.Lager Trojan Reporting (gcu) || url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732 || url,doc.emergingthreats.net/2003189 +1 || 2003190 || 9 || trojan-activity || 0 || ET TROJAN Win32.Lager Trojan Reporting Spam || url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732 || url,doc.emergingthreats.net/2003190 +1 || 2003192 || 4 || attempted-dos || 0 || ET VOIP INVITE Message Flood TCP || url,doc.emergingthreats.net/2003192 +1 || 2003193 || 5 || attempted-dos || 0 || ET VOIP REGISTER Message Flood TCP || url,doc.emergingthreats.net/2003193 +1 || 2003194 || 6 || attempted-dos || 0 || ET VOIP Multiple Unauthorized SIP Responses TCP || url,doc.emergingthreats.net/2003194 +1 || 2003195 || 5 || bad-unknown || 0 || ET POLICY Unusual number of DNS No Such Name Responses || url,doc.emergingthreats.net/2003195 +1 || 2003196 || 7 || misc-attack || 0 || ET EXPLOIT FTP .message file write || url,www.milw0rm.com/exploits/2856 || url,doc.emergingthreats.net/bin/view/Main/2003196 +1 || 2003197 || 6 || misc-attack || 0 || ET EXPLOIT ProFTPD .message file overflow attempt || url,www.milw0rm.com/exploits/2856 || url,doc.emergingthreats.net/bin/view/Main/2003197 +1 || 2003198 || 4 || non-standard-protocol || 0 || ET EXPLOIT TFTP Invalid Mode in file Get || url,doc.emergingthreats.net/bin/view/Main/2003198 +1 || 2003199 || 4 || non-standard-protocol || 0 || ET EXPLOIT TFTP Invalid Mode in file Put || url,doc.emergingthreats.net/bin/view/Main/2003199 +1 || 2003200 || 10 || trojan-activity || 0 || ET DELETED User-Agent (MSIE XPSP2) || url,doc.emergingthreats.net/2003200 +1 || 2003201 || 5 || trojan-activity || 0 || ET MALWARE Thespyguard.com Spyware Install || url,www.thespyguard.com || url,www.kliksoftware.com || url,doc.emergingthreats.net/bin/view/Main/2003201 +1 || 2003202 || 7 || trojan-activity || 0 || ET MALWARE Thespyguard.com Spyware Update Check || url,www.kliksoftware.com || url,www.thespyguard.com || url,doc.emergingthreats.net/bin/view/Main/2003202 +1 || 2003203 || 5 || trojan-activity || 0 || ET MALWARE Hitvirus Fake AV Install || url,www.kliksoftware.com || url,doc.emergingthreats.net/bin/view/Main/2003203 +1 || 2003204 || 6 || trojan-activity || 0 || ET MALWARE Thespyguard.com Spyware Updating || url,www.kliksoftware.com || url,www.thespyguard.com || url,doc.emergingthreats.net/bin/view/Main/2003204 +1 || 2003205 || 9 || trojan-activity || 0 || ET MALWARE User-Agent (Informer from RBC) || url,www.kliksoftware.com || url,doc.emergingthreats.net/bin/view/Main/2003205 +1 || 2003208 || 13 || trojan-activity || 0 || ET TROJAN IRC pBot PHP Bot Commands || url,doc.emergingthreats.net/2003208 +1 || 2003209 || 6 || trojan-activity || 0 || ET MALWARE Best-targeted-traffic.com Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2003209 +1 || 2003210 || 6 || trojan-activity || 0 || ET MALWARE Best-targeted-traffic.com Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2003210 +1 || 2003211 || 6 || trojan-activity || 0 || ET MALWARE Best-targeted-traffic.com Spyware Ping || url,doc.emergingthreats.net/bin/view/Main/2003211 +1 || 2003214 || 5 || attempted-recon || 0 || ET POLICY Pingdom.com Monitoring detected || url,royal.pingdom.com/?p=46 || url,doc.emergingthreats.net/2003214 +1 || 2003215 || 5 || attempted-recon || 0 || ET POLICY Pingdom.com Monitoring Node Active || url,royal.pingdom.com/?p=46 || url,doc.emergingthreats.net/2003215 +1 || 2003217 || 8 || trojan-activity || 0 || ET MALWARE 180solutions (Zango) Spyware Installer Config 2 || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003217 +1 || 2003218 || 6 || trojan-activity || 0 || ET MALWARE Conduit Connect Toolbar Message Download(Many report to be benign) || url,www.conduit.com || url,doc.emergingthreats.net/bin/view/Main/2003218 +1 || 2003219 || 5 || trojan-activity || 0 || ET MALWARE Alexa Spyware Reporting || url,doc.emergingthreats.net/bin/view/Main/2003219 +1 || 2003221 || 6 || trojan-activity || 0 || ET MALWARE MySearchNow.com Spyware || url,www.mysearchnow.com || url,doc.emergingthreats.net/bin/view/Main/2003221 +1 || 2003222 || 7 || trojan-activity || 0 || ET MALWARE MyWebSearch Toolbar Receiving Config 2 || url,doc.emergingthreats.net/bin/view/Main/2003222 +1 || 2003223 || 10 || trojan-activity || 0 || ET DELETED Zango-Hotbar User-Agent (zb-hb) || url,doc.emergingthreats.net/2003223 +1 || 2003224 || 10 || trojan-activity || 0 || ET MALWARE Megaupload Spyware User-Agent (Megaupload) || url,www.budsinc.com || url,doc.emergingthreats.net/2003224 +1 || 2003230 || 7 || attempted-user || 0 || ET WEB_CLIENT Microsoft IE FTP URL Arbitrary Command Injection || url,osvdb.org/12299 || cve,2004-1166 || url,doc.emergingthreats.net/bin/view/Main/2003230 +1 || 2003231 || 10 || attempted-user || 0 || ET ACTIVEX ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution || url, osvdb.org/10705 || cve,2004-0216 || url,doc.emergingthreats.net/2003231 +1 || 2003232 || 59 || attempted-user || 0 || ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2) || url, osvdb.org/10705 || cve,2004-0216 || url,doc.emergingthreats.net/2003232 +1 || 2003233 || 9 || attempted-user || 0 || ET ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution || url, osvdb.org/7913 || cve,2004-2291 || url,doc.emergingthreats.net/2003233 +1 || 2003234 || 9 || attempted-user || 0 || ET ACTIVEX ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2) || url, osvdb.org/7913 || cve,2004-2291 || url,doc.emergingthreats.net/2003234 +1 || 2003236 || 4 || attempted-dos || 0 || ET DOS NetrWkstaUserEnum Request with large Preferred Max Len || cve,2006-6723 || url,doc.emergingthreats.net/bin/view/Main/2003236 +1 || 2003237 || 8 || attempted-user || 0 || ET VOIP MultiTech SIP UDP Overflow || cve,2005-4050 || url,doc.emergingthreats.net/2003237 +1 || 2003238 || 8 || trojan-activity || 0 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C || url,doc.emergingthreats.net/2003238 +1 || 2003239 || 5 || trojan-activity || 0 || ET TROJAN W32.Downloader Tibs.jy Reporting to C&C (2) || url,doc.emergingthreats.net/2003239 +1 || 2003240 || 5 || trojan-activity || 0 || ET MALWARE New.net Spyware updating || url,www.new.net || url,doc.emergingthreats.net/bin/view/Main/2003240 +1 || 2003241 || 6 || trojan-activity || 0 || ET MALWARE New.net Spyware Checkin || url,www.new.net || url,doc.emergingthreats.net/bin/view/Main/2003241 +1 || 2003242 || 10 || trojan-activity || 0 || ET DELETED Websearch.com Cab Download || mcafee,131461 || url,doc.emergingthreats.net/bin/view/Main/2003242 +1 || 2003243 || 12 || trojan-activity || 0 || ET MALWARE User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com || url,doc.emergingthreats.net/bin/view/Main/2003243 +1 || 2003244 || 3 || trojan-activity || 0 || ET TROJAN HackerDefender.HE Root Kit Control Connection || url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html || url,doc.emergingthreats.net/2003244 +1 || 2003245 || 3 || trojan-activity || 0 || ET TROJAN HackerDefender.HE Root Kit Control Connection Reply || url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html || url,doc.emergingthreats.net/2003245 +1 || 2003250 || 4 || attempted-admin || 0 || ET EXPLOIT Symantec Remote Management RTVScan Exploit || cve,2006-3455 || url,research.eeye.com/html/advisories/published/AD20060612.html || url,doc.emergingthreats.net/bin/view/Main/2003250 +1 || 2003251 || 7 || trojan-activity || 0 || ET MALWARE SpySheriff Intial Phone Home || url,vil.nai.com/vil/content/v_135033.htm || url,doc.emergingthreats.net/bin/view/Main/2003251 +1 || 2003253 || 5 || policy-violation || 0 || ET MALWARE MarketScore Spyware Uploading Data || url,www.marketscore.com || url,www.spysweeper.com/remove-marketscore.html || url,doc.emergingthreats.net/bin/view/Main/2003253 +1 || 2003254 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 25 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003254 +1 || 2003255 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003255 +1 || 2003256 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Port 25 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003256 +1 || 2003257 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003257 +1 || 2003258 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 DNS Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003258 +1 || 2003259 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 DNS Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003259 +1 || 2003260 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003260 +1 || 2003261 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003261 +1 || 2003262 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003262 +1 || 2003263 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003263 +1 || 2003266 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 443 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003266 +1 || 2003267 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 443 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003267 +1 || 2003268 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Port 443 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003268 +1 || 2003269 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Port 443 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003269 +1 || 2003270 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 5190 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003270 +1 || 2003271 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003271 +1 || 2003272 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Port 5190 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003272 +1 || 2003273 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003273 +1 || 2003274 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 1863 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003274 +1 || 2003275 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 1863 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003275 +1 || 2003276 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Port 1863 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003276 +1 || 2003277 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Port 1863 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003277 +1 || 2003278 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 5050 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003278 +1 || 2003279 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Port 5050 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003279 +1 || 2003280 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Port 5050 Inbound Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003280 +1 || 2003281 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Port 5050 Inbound Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003281 +1 || 2003284 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 IPv6 Inbound Connect Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003284 +1 || 2003285 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 IPv6 Inbound Connect Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003285 +1 || 2003286 || 7 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003286 +1 || 2003287 || 6 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003287 +1 || 2003288 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Bind Inbound (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003288 +1 || 2003289 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv4 Bind Inbound (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003289 +1 || 2003290 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Bind Inbound (Linux Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003290 +1 || 2003291 || 5 || protocol-command-decode || 0 || ET MALWARE SOCKSv5 Bind Inbound (Windows Source) || url,handlers.sans.org/wsalusky/rants/ || url,en.wikipedia.org/wiki/SOCKS || url,ss5.sourceforge.net/socks4.protocol.txt || url,ss5.sourceforge.net/socks4A.protocol.txt || url,www.ietf.org/rfc/rfc1928.txt || url,www.ietf.org/rfc/rfc1929.txt || url,www.ietf.org/rfc/rfc1961.txt || url,www.ietf.org/rfc/rfc3089.txt || url,doc.emergingthreats.net/bin/view/Main/2003291 +1 || 2003292 || 7 || trojan-activity || 0 || ET WORM Allaple ICMP Sweep Ping Outbound || url,www.sophos.com/virusinfo/analyses/w32allapleb.html || url,isc.sans.org/diary.html?storyid=2451 || url,doc.emergingthreats.net/2003292 +1 || 2003293 || 9 || trojan-activity || 0 || ET WORM Allaple ICMP Sweep Reply Inbound || url,www.sophos.com/virusinfo/analyses/w32allapleb.html || url,isc.sans.org/diary.html?storyid=2451 || url,doc.emergingthreats.net/2003293 +1 || 2003294 || 6 || trojan-activity || 0 || ET WORM Allaple ICMP Sweep Ping Inbound || url,www.sophos.com/virusinfo/analyses/w32allapleb.html || url,isc.sans.org/diary.html?storyid=2451 || url,doc.emergingthreats.net/2003294 +1 || 2003295 || 8 || trojan-activity || 0 || ET WORM Allaple ICMP Sweep Reply Outbound || url,www.sophos.com/virusinfo/analyses/w32allapleb.html || url,isc.sans.org/diary.html?storyid=2451 || url,doc.emergingthreats.net/2003295 +1 || 2003296 || 6 || trojan-activity || 0 || ET TROJAN Possible Web-based DDoS-command being issued || url,doc.emergingthreats.net/2003296 +1 || 2003297 || 5 || trojan-activity || 0 || ET MALWARE Travel Update Spyware || url,doc.emergingthreats.net/bin/view/Main/2003297 +1 || 2003298 || 5 || trojan-activity || 0 || ET MALWARE KMIP.net Spyware || url,www.kmip.net || url,doc.emergingthreats.net/bin/view/Main/2003298 +1 || 2003302 || 8 || misc-activity || 0 || ET TROJAN psyBNC IRC Server Connection || url,en.wikipedia.org/wiki/PsyBNC || url,doc.emergingthreats.net/2003302 +1 || 2003303 || 3 || misc-activity || 0 || ET POLICY FTP Login Attempt (non-anonymous) || url,doc.emergingthreats.net/2003303 +1 || 2003304 || 5 || trojan-activity || 0 || ET MALWARE Effectivebrands.com Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2003304 +1 || 2003305 || 10 || trojan-activity || 0 || ET DELETED Zango-Hotbar User-Agent (zbu-hb-) || url,doc.emergingthreats.net/2003305 +1 || 2003306 || 8 || trojan-activity || 0 || ET MALWARE 180solutions Spyware (tracked event 2 reporting) || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003306 +1 || 2003307 || 5 || policy-violation || 0 || ET MALWARE Comet Systems Spyware Cursor DL || url,doc.emergingthreats.net/bin/view/Main/2003307 +1 || 2003308 || 4 || policy-violation || 0 || ET P2P Edonkey IP Request || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003308 +1 || 2003309 || 4 || policy-violation || 0 || ET P2P Edonkey IP Reply || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003309 +1 || 2003310 || 3 || policy-violation || 0 || ET P2P Edonkey Publicize File || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003310 +1 || 2003311 || 3 || policy-violation || 0 || ET P2P Edonkey Publicize File ACK || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003311 +1 || 2003312 || 3 || policy-violation || 0 || ET P2P Edonkey Connect Request || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003312 +1 || 2003313 || 3 || policy-violation || 0 || ET P2P Edonkey Connect Reply and Server List || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003313 +1 || 2003314 || 3 || policy-violation || 0 || ET P2P Edonkey Search Request (by file hash) || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003314 +1 || 2003315 || 3 || policy-violation || 0 || ET P2P Edonkey Search Reply || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003315 +1 || 2003316 || 3 || policy-violation || 0 || ET P2P Edonkey IP Query End || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003316 +1 || 2003317 || 3 || policy-violation || 0 || ET P2P Edonkey Search Request (any type file) || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003317 +1 || 2003318 || 3 || policy-violation || 0 || ET P2P Edonkey Get Sources Request (by hash) || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003318 +1 || 2003319 || 3 || policy-violation || 0 || ET P2P Edonkey Search Request (search by name) || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003319 +1 || 2003320 || 3 || policy-violation || 0 || ET P2P Edonkey Search Results || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003320 +1 || 2003321 || 5 || policy-violation || 0 || ET P2P Edonkey Server Message || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003321 +1 || 2003322 || 4 || policy-violation || 0 || ET P2P Edonkey Server List || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003322 +1 || 2003323 || 4 || policy-violation || 0 || ET P2P Edonkey Client to Server Hello || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003323 +1 || 2003324 || 3 || policy-violation || 0 || ET P2P Edonkey Server Status || url,www.giac.org/certified_professionals/practicals/gcih/0446.php || url,doc.emergingthreats.net/bin/view/Main/2003324 +1 || 2003325 || 4 || policy-violation || 0 || ET POLICY SMTP Executable attachment || url,doc.emergingthreats.net/2003325 +1 || 2003326 || 7 || attempted-admin || 0 || ET WEB_CLIENT Apple Quicktime RTSP Overflow (1) || cve,2007-0015 || bugtraq,21829 || url,doc.emergingthreats.net/2003326 +1 || 2003327 || 7 || attempted-admin || 0 || ET WEB_CLIENT Apple Quicktime RTSP Overflow (2) || cve,2007-0015 || bugtraq,21829 || url,doc.emergingthreats.net/2003327 +1 || 2003328 || 9 || web-application-attack || 0 || ET ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow || cve,2007-0018 || url,secunia.com/advisories/23475/ || url,doc.emergingthreats.net/2003328 +1 || 2003329 || 6 || attempted-user || 0 || ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking || url,www.milw0rm.com/exploits/3189 || url,doc.emergingthreats.net/bin/view/Main/2003329 || cve,2007-0528 +1 || 2003330 || 6 || bad-unknown || 0 || ET POLICY Possible Spambot Host DNS MX Query High Count || url,doc.emergingthreats.net/2003330 +1 || 2003331 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Generic membreManager.php remote file include || bugtraq,22287 || url,doc.emergingthreats.net/2003331 +1 || 2003332 || 5 || web-application-attack || 0 || ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution || bugtraq,15609 || url,doc.emergingthreats.net/bin/view/Main/2003332 +1 || 2003333 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Gnopaster Common.php remote file include || bugtraq,18180 || url,doc.emergingthreats.net/2003333 +1 || 2003334 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti cmd.php Remote Arbitrary SQL Command Execution Attempt || cve,CVE-2006-6799 || bugtraq,21799 || url,doc.emergingthreats.net/2003334 +1 || 2003335 || 10 || trojan-activity || 0 || ET USER_AGENTS 2search.org User Agent (2search) || url,doc.emergingthreats.net/2003335 +1 || 2003336 || 14 || trojan-activity || 0 || ET MALWARE AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser) || url,doc.emergingthreats.net/2003336 +1 || 2003337 || 14 || trojan-activity || 0 || ET MALWARE Suspicious User Agent (Autoupdate) || url,doc.emergingthreats.net/bin/view/Main/2003337 +1 || 2003340 || 5 || policy-violation || 0 || ET MALWARE Baidu.com Spyware Bar Reporting || url,www.pctools.com/mrc/infections/id/BaiDu/ || url,doc.emergingthreats.net/bin/view/Main/2003340 +1 || 2003341 || 5 || policy-violation || 0 || ET MALWARE Baidu.com Spyware Bar Pulling Content || url,www.pctools.com/mrc/infections/id/BaiDu/ || url,doc.emergingthreats.net/bin/view/Main/2003341 +1 || 2003344 || 5 || trojan-activity || 0 || ET MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2003344 +1 || 2003345 || 10 || trojan-activity || 0 || ET MALWARE User-Agent (Download UBAgent) - lop.com and other spyware || url,www.spywareinfo.com/articles/lop/ || url,doc.emergingthreats.net/2003345 +1 || 2003346 || 10 || trojan-activity || 0 || ET MALWARE Errorsafe.com Fake antispyware User-Agent (ErrorSafe Updater) || url,doc.emergingthreats.net/2003346 +1 || 2003347 || 10 || trojan-activity || 0 || ET MALWARE Gamehouse.com User-Agent (GAMEHOUSE.NET.URL) || url,doc.emergingthreats.net/2003347 +1 || 2003348 || 5 || trojan-activity || 0 || ET MALWARE Gamehouse.com Activity || url,www.gamehouse.com || url,doc.emergingthreats.net/bin/view/Main/2003348 +1 || 2003351 || 6 || trojan-activity || 0 || ET MALWARE MyGlobalSearch Spyware bar update || url,doc.emergingthreats.net/bin/view/Main/2003351 +1 || 2003352 || 6 || trojan-activity || 0 || ET MALWARE MyGlobalSearch Spyware bar update 2 || url,doc.emergingthreats.net/bin/view/Main/2003352 +1 || 2003353 || 5 || trojan-activity || 0 || ET MALWARE Winferno Registry Fix Spyware Download || url,doc.emergingthreats.net/bin/view/Main/2003353 +1 || 2003354 || 5 || trojan-activity || 0 || ET MALWARE Yourscreen.com Spyware Download || url,doc.emergingthreats.net/bin/view/Main/2003354 +1 || 2003355 || 10 || trojan-activity || 0 || ET MALWARE Yourscreen.com Spyware User-Agent (FreezeInet) || url,doc.emergingthreats.net/2003355 +1 || 2003356 || 5 || trojan-activity || 0 || ET MALWARE Freeze.com Spyware Download || url,doc.emergingthreats.net/bin/view/Main/2003356 +1 || 2003358 || 5 || trojan-activity || 0 || ET MALWARE Catchonlife.com Spyware || url,doc.emergingthreats.net/bin/view/Main/2003358 +1 || 2003360 || 5 || trojan-activity || 0 || ET MALWARE Effectivebrands.com Spyware Checkin 2 || url,doc.emergingthreats.net/bin/view/Main/2003360 +1 || 2003362 || 5 || policy-violation || 0 || ET MALWARE Freeze.com Spyware/Adware (Pulling Ads) || url,doc.emergingthreats.net/bin/view/Main/2003362 +1 || 2003363 || 10 || trojan-activity || 0 || ET DELETED Spamblockerutility.com-Hotbar User Agent (sbu-hb-) || url,doc.emergingthreats.net/2003363 +1 || 2003364 || 5 || trojan-activity || 0 || ET MALWARE Hotbar Agent Adopt/Zango || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2003364 +1 || 2003365 || 10 || trojan-activity || 0 || ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar ) || url,doc.emergingthreats.net/2003365 +1 || 2003369 || 3 || attempted-admin || 0 || ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption || cve,2007-0449 || url,doc.emergingthreats.net/bin/view/Main/2003369 +1 || 2003370 || 3 || attempted-dos || 0 || ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS || url,www.milw0rm.com/exploits/3248 || url,doc.emergingthreats.net/bin/view/Main/2003370 +1 || 2003371 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Portail Includes.php remote file include || bugtraq,22361 || url,doc.emergingthreats.net/2003371 +1 || 2003372 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPEventMan remote file include || bugtraq,22358 || url,doc.emergingthreats.net/2003372 +1 || 2003375 || 5 || trojan-activity || 0 || ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs || url,doc.emergingthreats.net/bin/view/Main/2003375 +1 || 2003376 || 5 || trojan-activity || 0 || ET MALWARE Instafinder.com spyware || url,doc.emergingthreats.net/bin/view/Main/2003376 +1 || 2003377 || 5 || trojan-activity || 0 || ET MALWARE Spy-Not.com Spyware Updating || url,doc.emergingthreats.net/bin/view/Main/2003377 +1 || 2003378 || 3 || attempted-admin || 0 || ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow || url,www.milw0rm.com/exploits/3244 || url,doc.emergingthreats.net/bin/view/Main/2003378 +1 || 2003379 || 3 || attempted-dos || 0 || ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS || url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded || url,doc.emergingthreats.net/bin/view/Main/2003379 +1 || 2003380 || 10 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc) || url,doc.emergingthreats.net/2003380 +1 || 2003381 || 6 || not-suspicious || 0 || ET POLICY McAfee Update User Agent (McAfee AutoUpdate) || url,doc.emergingthreats.net/2003381 +1 || 2003383 || 12 || trojan-activity || 0 || ET MALWARE Hotbar Tools Spyware User-Agent (hbtools) || url,doc.emergingthreats.net/2003383 +1 || 2003384 || 10 || trojan-activity || 0 || ET MALWARE SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x) || url,doc.emergingthreats.net/2003384 +1 || 2003385 || 11 || trojan-activity || 0 || ET USER_AGENTS sgrunt Dialer User Agent (sgrunt) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347 || url,doc.emergingthreats.net/2003385 +1 || 2003387 || 11 || trojan-activity || 0 || ET MALWARE dialno Dialer User-Agent (dialno) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347 || url,doc.emergingthreats.net/2003387 +1 || 2003388 || 5 || trojan-activity || 0 || ET MALWARE Hotbar Keywords Download || url,www.hotbar.com || url,doc.emergingthreats.net/bin/view/Main/2003388 +1 || 2003389 || 6 || policy-violation || 0 || ET MALWARE WhenUClick.com Application Version Check || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2003389 +1 || 2003390 || 5 || trojan-activity || 0 || ET MALWARE SurfAccuracy.com Spyware Updating || url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99 || url,doc.emergingthreats.net/bin/view/Main/2003390 +1 || 2003391 || 5 || trojan-activity || 0 || ET MALWARE SurfAccuracy.com Spyware Pulling Ads || url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99 || url,doc.emergingthreats.net/bin/view/Main/2003391 +1 || 2003394 || 8 || trojan-activity || 0 || ET USER_AGENTS User Agent Containing http Suspicious - Likely Spyware/Trojan || url,doc.emergingthreats.net/bin/view/Main/2003394 +1 || 2003396 || 12 || trojan-activity || 0 || ET MALWARE Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus) || url,doc.emergingthreats.net/2003396 +1 || 2003397 || 12 || trojan-activity || 0 || ET MALWARE Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar) +1 || 2003398 || 11 || trojan-activity || 0 || ET MALWARE Morpheus Spyware Install User-Agent (SmartInstaller) || url,doc.emergingthreats.net/2003398 +1 || 2003399 || 9 || trojan-activity || 0 || ET MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer) || url,doc.emergingthreats.net/2003399 +1 || 2003400 || 4 || web-application-attack || 0 || ET EXPLOIT US-ASCII Obfuscated script || url,www.internetdefence.net/2007/02/06/Javascript-payload || cve,2006-3227 || url,www.securityfocus.com/archive/1/437948/30/0/threaded || url,doc.emergingthreats.net/bin/view/Main/2003400 +1 || 2003401 || 5 || web-application-attack || 0 || ET EXPLOIT US-ASCII Obfuscated VBScript download file || url,www.internetdefence.net/2007/02/06/Javascript-payload || cve,2006-3227 || url,www.securityfocus.com/archive/1/437948/30/0/threaded || url,doc.emergingthreats.net/bin/view/Main/2003401 +1 || 2003402 || 5 || web-application-attack || 0 || ET EXPLOIT US-ASCII Obfuscated VBScript execute command || url,www.internetdefence.net/2007/02/06/Javascript-payload || cve,2006-3227 || url,www.securityfocus.com/archive/1/437948/30/0/threaded || url,doc.emergingthreats.net/bin/view/Main/2003402 +1 || 2003403 || 4 || web-application-attack || 0 || ET EXPLOIT US-ASCII Obfuscated VBScript || url,www.internetdefence.net/2007/02/06/Javascript-payload || cve,2006-3227 || url,www.securityfocus.com/archive/1/437948/30/0/threaded || url,doc.emergingthreats.net/bin/view/Main/2003403 +1 || 2003404 || 6 || policy-violation || 0 || ET MALWARE WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ) || url,www.whenusearch.com || url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml || url,doc.emergingthreats.net/bin/view/Main/2003404 +1 || 2003405 || 10 || trojan-activity || 0 || ET MALWARE Freeze.com Spyware User-Agent (YourScreen123) || url,doc.emergingthreats.net/2003405 +1 || 2003406 || 10 || trojan-activity || 0 || ET MALWARE Mysearch.com Spyware User-Agent (iMeshBar) || url,doc.emergingthreats.net/2003406 +1 || 2003407 || 9 || trojan-activity || 0 || ET MALWARE searchenginebar.com Spyware User-Agent (RX Bar) || url,doc.emergingthreats.net/2003407 +1 || 2003408 || 7 || trojan-activity || 0 || ET DELETED Zhelatin Variant Checkin || url,doc.emergingthreats.net/2003408 +1 || 2003409 || 5 || trojan-activity || 0 || ET DELETED Majestic-12 Spider Bot User-Agent (MJ12bot) || url,www.majestic12.co.uk/ || url,doc.emergingthreats.net/2003409 +1 || 2003410 || 9 || misc-activity || 0 || ET POLICY FTP Login Successful || url,doc.emergingthreats.net/2003410 +1 || 2003411 || 8 || attempted-user || 0 || ET EXPLOIT Solaris telnet USER environment vuln Attack inbound || url,riosec.com/solaris-telnet-0-day || url,isc.sans.org/diary.html?n&storyid=2220 || url,doc.emergingthreats.net/bin/view/Main/2003411 || cve,2007-0882 +1 || 2003412 || 4 || attempted-user || 0 || ET EXPLOIT Solaris telnet USER environment vuln Attack outbound || url,riosec.com/solaris-telnet-0-day || url,isc.sans.org/diary.html?n&storyid=2220 || url,doc.emergingthreats.net/bin/view/Main/2003412 || cve,2007-0882 +1 || 2003414 || 5 || trojan-activity || 0 || ET MALWARE Epilot.com Spyware Reporting || url,www.intermute.com/spysubtract/researchcenter/ClientMan.html || url,doc.emergingthreats.net/bin/view/Main/2003414 +1 || 2003416 || 5 || trojan-activity || 0 || ET MALWARE Epilot.com Spyware Reporting Clicks || url,www.intermute.com/spysubtract/researchcenter/ClientMan.html || url,doc.emergingthreats.net/bin/view/Main/2003416 +1 || 2003417 || 5 || trojan-activity || 0 || ET MALWARE CNSMIN (3721.com) Spyware Activity || url,www.spyany.com/program/article_spy_rm_CnsMin.html || url,doc.emergingthreats.net/bin/view/Main/2003417 +1 || 2003418 || 5 || trojan-activity || 0 || ET MALWARE CNSMIN (3721.com) Spyware Activity 2 || url,www.spyany.com/program/article_spy_rm_CnsMin.html || url,doc.emergingthreats.net/bin/view/Main/2003418 +1 || 2003419 || 5 || trojan-activity || 0 || ET MALWARE CNSMIN (3721.com) Spyware Activity 3 || url,www.spyany.com/program/article_spy_rm_CnsMin.html || url,doc.emergingthreats.net/bin/view/Main/2003419 +1 || 2003420 || 5 || trojan-activity || 0 || ET POLICY Weatherbug Activity || url,doc.emergingthreats.net/bin/view/Main/2003420 +1 || 2003421 || 5 || trojan-activity || 0 || ET DELETED Weatherbug Design60 Upload Activity || url,doc.emergingthreats.net/bin/view/Main/2003421 +1 || 2003422 || 5 || trojan-activity || 0 || ET POLICY Weatherbug Command Activity || url,doc.emergingthreats.net/bin/view/Main/2003422 +1 || 2003423 || 4 || trojan-activity || 0 || ET DELETED Weatherbug Design60 Upload Activity || url,doc.emergingthreats.net/bin/view/Main/2003423 +1 || 2003424 || 5 || trojan-activity || 0 || ET DELETED Sality Trojan Web Update || url,www.sophos.com/security/analyses/w32salityu.html || url,doc.emergingthreats.net/2003424 +1 || 2003425 || 11 || trojan-activity || 0 || ET MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module) || url,doc.emergingthreats.net/2003425 +1 || 2003426 || 5 || trojan-activity || 0 || ET MALWARE Outerinfo.com Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2003426 +1 || 2003428 || 11 || trojan-activity || 0 || ET MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installer) || url,doc.emergingthreats.net/2003428 +1 || 2003429 || 12 || trojan-activity || 0 || ET MALWARE xxxtoolbar.com Spyware Install User-Agent || url,doc.emergingthreats.net/2003429 +1 || 2003431 || 6 || trojan-activity || 0 || ET TROJAN Unnamed Generic.Malware http get || url,doc.emergingthreats.net/2003431 +1 || 2003432 || 5 || trojan-activity || 0 || ET DELETED Nukebot related infection - Unique HTTP get request || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743 || url,doc.emergingthreats.net/2003432 +1 || 2003433 || 5 || trojan-activity || 0 || ET DELETED Nukebot Checkin || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743 || url,doc.emergingthreats.net/2003433 +1 || 2003434 || 3 || attempted-admin || 0 || ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477 || url,www.trendmicro.com/download/product.asp?productid=20 || url,doc.emergingthreats.net/bin/view/Main/2003434 +1 || 2003435 || 4 || trojan-activity || 0 || ET TROJAN Stormy Variant HTTP Request || url,doc.emergingthreats.net/2003435 +1 || 2003436 || 5 || trojan-activity || 0 || ET TROJAN Warezov/Stration Communicating with Controller 2 || url,www.sophos.com/security/analyses/w32strationbo.html || url,www.avira.com/en/threats/section/fulldetails/id_vir/3242/tr_dldr.warezov.df.html || url,doc.emergingthreats.net/2003436 +1 || 2003437 || 7 || policy-violation || 0 || ET P2P Ares over UDP || url,doc.emergingthreats.net/bin/view/Main/2003437 +1 || 2003438 || 5 || trojan-activity || 0 || ET MALWARE Abcsearch.com Spyware Reporting || url,doc.emergingthreats.net/bin/view/Main/2003438 +1 || 2003439 || 10 || trojan-activity || 0 || ET MALWARE Dropspam.com Spyware Install User-Agent (DSInstall) || url,doc.emergingthreats.net/2003439 +1 || 2003440 || 5 || trojan-activity || 0 || ET MALWARE Dropspam.com Spyware Reporting || url,doc.emergingthreats.net/bin/view/Main/2003440 +1 || 2003441 || 10 || trojan-activity || 0 || ET MALWARE Webbuying.net Spyware Install User-Agent (wbi_v0.90) || url,doc.emergingthreats.net/2003441 +1 || 2003442 || 5 || trojan-activity || 0 || ET MALWARE Webbuying.net Spyware Installing || url,doc.emergingthreats.net/bin/view/Main/2003442 +1 || 2003444 || 5 || policy-violation || 0 || ET MALWARE Deskwizz.com Spyware Install Code Download || url,doc.emergingthreats.net/bin/view/Main/2003444 +1 || 2003445 || 5 || policy-violation || 0 || ET MALWARE Deskwizz.com Spyware Install INI Download || url,doc.emergingthreats.net/bin/view/Main/2003445 +1 || 2003446 || 8 || policy-violation || 0 || ET MALWARE Adware Command Client Checkin || url,www.nuker.com/container/details/adware_command.php || url,doc.emergingthreats.net/bin/view/Main/2003446 +1 || 2003449 || 10 || trojan-activity || 0 || ET USER_AGENTS Webbuying.net Spyware Install User-Agent 2 (wb v1.6.4) || url,doc.emergingthreats.net/2003449 +1 || 2003450 || 5 || policy-violation || 0 || ET MALWARE Specificclick.net Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2003450 +1 || 2003451 || 5 || policy-violation || 0 || ET MALWARE K8l.info Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2003451 +1 || 2003453 || 6 || policy-violation || 0 || ET DELETED Netvacy.com Anonymizing Proxy Access || url,doc.emergingthreats.net/2003453 +1 || 2003454 || 5 || policy-violation || 0 || ET POLICY Yahoo 360 Social Site Access || url,doc.emergingthreats.net/2003454 +1 || 2003455 || 4 || policy-violation || 0 || ET POLICY Hi5.com Social Site Access || url,doc.emergingthreats.net/2003455 +1 || 2003457 || 5 || policy-violation || 0 || ET POLICY Metacafe.com Social Site Access || url,doc.emergingthreats.net/2003457 +1 || 2003458 || 4 || policy-violation || 0 || ET POLICY Orkut.com Social Site Access || url,doc.emergingthreats.net/2003458 +1 || 2003462 || 5 || trojan-activity || 0 || ET MALWARE CoolDeskAlert Spyware Activity || url,cooldeskalert.com || url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html || url,doc.emergingthreats.net/bin/view/Main/2003462 +1 || 2003463 || 17 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (Toolbar) Possibly Malware/Spyware || url,doc.emergingthreats.net/bin/view/Main/2003463 +1 || 2003464 || 5 || trojan-activity || 0 || ET ATTACK_RESPONSE Unusual FTP Server Banner (warFTPd) || url,www.warftp.org || url,doc.emergingthreats.net/bin/view/Main/2003464 +1 || 2003465 || 5 || trojan-activity || 0 || ET ATTACK_RESPONSE Unusual FTP Server Banner (freeFTPd) || url,www.freeftp.com || url,doc.emergingthreats.net/bin/view/Main/2003465 +1 || 2003466 || 13 || web-application-attack || 0 || ET WEB_SERVER PHP Attack Tool Morfeus F Scanner || url,www.webmasterworld.com/search_engine_spiders/3227720.htm || url,doc.emergingthreats.net/2003466 +1 || 2003468 || 11 || trojan-activity || 0 || ET MALWARE Oemji Spyware User-Agent (Oemji) || url,doc.emergingthreats.net/2003468 +1 || 2003469 || 7 || policy-violation || 0 || ET POLICY AOL Toolbar User-Agent (AOLToolbar) || url,doc.emergingthreats.net/bin/view/Main/2003469 +1 || 2003470 || 10 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (Updater) || url,doc.emergingthreats.net/2003470 +1 || 2003471 || 7 || trojan-activity || 0 || ET DELETED Winsoftware.com Spyware Activity || url,doc.emergingthreats.net/bin/view/Main/2003471 +1 || 2003472 || 5 || trojan-activity || 0 || ET MALWARE DelFin Project Spyware (setup-alt) || url,doc.emergingthreats.net/bin/view/Main/2003472 +1 || 2003473 || 5 || trojan-activity || 0 || ET MALWARE DelFin Project Spyware (payload-alt) || url,doc.emergingthreats.net/bin/view/Main/2003473 +1 || 2003474 || 6 || attempted-dos || 0 || ET VOIP Asterisk Register with no URI or Version DOS Attempt || url,labs.musecurity.com/advisories/MU-200703-01.txt || url,tools.ietf.org/html/rfc3261 || url,doc.emergingthreats.net/2003474 +1 || 2003475 || 8 || trojan-activity || 0 || ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0) || url,pingpong-abc.sourceforge.net || url,doc.emergingthreats.net/bin/view/Main/2003475 +1 || 2003476 || 9 || trojan-activity || 0 || ET MALWARE Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect) || url,spywarewarrior.com/rogue_anti-spyware.htm || url,www.virusblast.com || url,doc.emergingthreats.net/2003476 +1 || 2003477 || 9 || trojan-activity || 0 || ET MALWARE Terminexor.com Spyware User-Agent (DInstaller2) || url,www.terminexor.com || url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor || url,doc.emergingthreats.net/2003477 +1 || 2003478 || 9 || trojan-activity || 0 || ET MALWARE Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER) || url,www.spywarewarrior.com/rogue_anti-spyware.htm || url,www.errornuker.com || url,doc.emergingthreats.net/2003478 +1 || 2003479 || 4 || not-suspicious || 0 || ET POLICY Radmin Remote Control Session Setup Initiate || url,www.radmin.com || url,doc.emergingthreats.net/2003479 +1 || 2003480 || 4 || not-suspicious || 0 || ET POLICY Radmin Remote Control Session Setup Response || url,www.radmin.com || url,doc.emergingthreats.net/2003480 +1 || 2003481 || 4 || not-suspicious || 0 || ET POLICY Radmin Remote Control Session Authentication Initiate || url,www.radmin.com || url,doc.emergingthreats.net/2003481 +1 || 2003482 || 4 || not-suspicious || 0 || ET POLICY Radmin Remote Control Session Authentication Response || url,www.radmin.com || url,doc.emergingthreats.net/2003482 +1 || 2003484 || 9 || trojan-activity || 0 || ET WORM Allaple Unique HTTP Request - Possibly part of DDOS || url,doc.emergingthreats.net/2003484 || url,isc.sans.org/diary.html?storyid=2451 +1 || 2003486 || 10 || trojan-activity || 0 || ET USER_AGENTS Drivecleaner.com Spyware User-Agent (DriveCleaner Updater) || url,www.drivecleaner.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=DriveCleaner&threatid=44533 || url,doc.emergingthreats.net/2003486 +1 || 2003489 || 11 || trojan-activity || 0 || ET MALWARE malwarewipeupdate.com Spyware User-Agent (MalwareWipe) || url,www.malwarewipeupdate.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086 || url,doc.emergingthreats.net/2003489 +1 || 2003490 || 8 || trojan-activity || 0 || ET MALWARE Mirar Spyware User-Agent (Mirar_KeywordContent) || url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818 || url,doc.emergingthreats.net/2003490 +1 || 2003492 || 14 || trojan-activity || 0 || ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) || url,doc.emergingthreats.net/2003492 +1 || 2003493 || 10 || trojan-activity || 0 || ET MALWARE AskSearch Spyware User-Agent (AskSearchAssistant) || url,doc.emergingthreats.net/2003493 +1 || 2003494 || 15 || policy-violation || 0 || ET DELETED AskSearch Toolbar Spyware User-Agent (AskTBar) || url,doc.emergingthreats.net/2003494 +1 || 2003495 || 11 || trojan-activity || 0 || ET DELETED HSN.com Toolbar Spyware User-Agent (HSN) || url,doc.emergingthreats.net/2003495 +1 || 2003496 || 12 || trojan-activity || 0 || ET MALWARE AskSearch Toolbar Spyware User-Agent (AskBar) || url,doc.emergingthreats.net/2003496 +1 || 2003497 || 13 || trojan-activity || 0 || ET MALWARE User-Agent (ms) || url,doc.emergingthreats.net/bin/view/Main/2003497 +1 || 2003498 || 9 || trojan-activity || 0 || ET MALWARE Gamehouse.com Related Spyware User-Agent (Sprout Game) || url,doc.emergingthreats.net/2003498 +1 || 2003499 || 9 || trojan-activity || 0 || ET MALWARE SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn) || url,www.spywareguide.com/spydet_3366_spydawn.html || url,doc.emergingthreats.net/2003499 +1 || 2003500 || 9 || trojan-activity || 0 || ET MALWARE Adwave.com Related Spyware User-Agent (STBHOGet) || url,doc.emergingthreats.net/2003500 +1 || 2003501 || 10 || trojan-activity || 0 || ET MALWARE Bestoffersnetwork.com Related Spyware User-Agent (TBONAS) || url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670 || url,doc.emergingthreats.net/2003501 +1 || 2003504 || 5 || trojan-activity || 0 || ET MALWARE E2give Spyware Reporting (check url) || url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728 || url,doc.emergingthreats.net/bin/view/Main/2003504 +1 || 2003505 || 10 || trojan-activity || 0 || ET MALWARE Toplist.cz Related Spyware Checkin +1 || 2003506 || 10 || trojan-activity || 0 || ET MALWARE Alawar Toolbar Spyware User-Agent (Alawar Toolbar) || url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html || url,doc.emergingthreats.net/2003506 +1 || 2003508 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt || url,www.inliniac.net/blog/?p=71 || url,doc.emergingthreats.net/2003508 +1 || 2003513 || 11 || trojan-activity || 0 || ET DELETED Suspicious Mozilla User-Agent typo (MOzilla/4.0) || url,doc.emergingthreats.net/2003513 +1 || 2003514 || 8 || attempted-user || 0 || ET ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009 || url,www.milw0rm.com/exploits/3577 || url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx || url,doc.emergingthreats.net/2003514 +1 || 2003515 || 6 || trojan-activity || 0 || ET TROJAN Snatch Reporting User Activity || url,doc.emergingthreats.net/2003515 +1 || 2003516 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops Articles modules print.php SQL injection attempt || bugtraq,23160 || url,doc.emergingthreats.net/2003516 +1 || 2003517 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iPhotoAlbum header.php remote file include || bugtraq,23189 || url,doc.emergingthreats.net/2003517 +1 || 2003518 || 5 || attempted-admin || 0 || ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit || url,www.milw0rm.com/exploits/3604 || url,doc.emergingthreats.net/bin/view/Main/2003518 +1 || 2003519 || 8 || attempted-admin || 0 || ET EXPLOIT MS ANI exploit || url,doc.emergingthreats.net/bin/view/Main/2003519 +1 || 2003520 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webCalendar Remote File include || url,www.securityfocus.com/archive/1/462957 || url,doc.emergingthreats.net/2003520 +1 || 2003525 || 5 || trojan-activity || 0 || ET MALWARE Supergames.aavalue.com Spyware || url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189 || url,doc.emergingthreats.net/bin/view/Main/2003525 +1 || 2003526 || 5 || trojan-activity || 0 || ET MALWARE KMIP.net Spyware 2 || url,www.kmip.net || url,doc.emergingthreats.net/bin/view/Main/2003526 +1 || 2003527 || 9 || trojan-activity || 0 || ET MALWARE WinSoftware.com Spyware User-Agent (WinSoftware) || url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037 || url,doc.emergingthreats.net/2003527 +1 || 2003528 || 8 || trojan-activity || 0 || ET MALWARE WinSoftware.com Spyware User-Agent (NetInstaller) || url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037 || url,doc.emergingthreats.net/2003528 +1 || 2003529 || 8 || trojan-activity || 0 || ET MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3) || url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931 || url,doc.emergingthreats.net/2003529 +1 || 2003530 || 13 || trojan-activity || 0 || ET MALWARE Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) || url,doc.emergingthreats.net/2003530 +1 || 2003531 || 8 || trojan-activity || 0 || ET MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans) || url,www.bleepingcomputer.com/forums/topic69886.htm || url,doc.emergingthreats.net/2003531 +1 || 2003532 || 9 || trojan-activity || 0 || ET MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent) || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618 || url,doc.emergingthreats.net/2003532 +1 || 2003533 || 6 || trojan-activity || 0 || ET MALWARE Sytes.net Related Spyware Reporting || url,www.sophos.com/security/analyses/w32forbotdv.html || url,doc.emergingthreats.net/bin/view/Main/2003533 +1 || 2003534 || 5 || trojan-activity || 0 || ET DELETED Weatherbug Vista Gadget Activity || url,doc.emergingthreats.net/bin/view/Main/2003534 +1 || 2003535 || 7 || web-application-activity || 0 || ET ATTACK_RESPONSE r57 phpshell footer detected || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 || url,doc.emergingthreats.net/bin/view/Main/2003535 +1 || 2003536 || 9 || web-application-activity || 0 || ET ATTACK_RESPONSE r57 phpshell source being uploaded || url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755 || url,doc.emergingthreats.net/bin/view/Main/2003536 +1 || 2003537 || 6 || trojan-activity || 0 || ET TROJAN Trojan.Duntek establishing remote connection || url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99 || url,doc.emergingthreats.net/2003537 +1 || 2003538 || 5 || trojan-activity || 0 || ET TROJAN Klom.A Connecting to Controller || url,www.bitdefender.com/VIRUS-1000126-en--Trojan.Klom.A.html || url,doc.emergingthreats.net/2003538 +1 || 2003541 || 6 || trojan-activity || 0 || ET MALWARE Bravesentry.com Fake Antispyware Updating || url,www.bravesentry.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,doc.emergingthreats.net/bin/view/Main/2003541 +1 || 2003542 || 6 || trojan-activity || 0 || ET MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting || url,www.bravesentry.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152 || url,doc.emergingthreats.net/bin/view/Main/2003542 +1 || 2003543 || 6 || trojan-activity || 0 || ET MALWARE Winfixmaster.com Fake Anti-Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2003543 +1 || 2003544 || 8 || trojan-activity || 0 || ET MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster) || url,doc.emergingthreats.net/2003544 +1 || 2003545 || 8 || trojan-activity || 0 || ET USER_AGENTS Winfixmaster.com Fake Anti-Spyware User-Agent 2 (WinFix Master) || url,doc.emergingthreats.net/2003545 +1 || 2003546 || 11 || trojan-activity || 0 || ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others || url,doc.emergingthreats.net/bin/view/Main/2003546 +1 || 2003547 || 5 || trojan-activity || 0 || ET MALWARE Privacyprotector.com Fake Anti-Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2003547 +1 || 2003548 || 5 || trojan-activity || 0 || ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2003548 +1 || 2003549 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.2 Initial Connection and Report || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003550 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.2 Get Processes || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003551 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.2 Kill Process Command || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003552 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.2 Reporting Socks Proxy Active || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003553 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.2 Reporting Socks Proxy Off || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003554 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.2 Client Ping Reply || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003555 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Initial Connection and Report || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003556 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Keepalive Send || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003557 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Keepalive Reply || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003558 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Create Registry Key Command Send || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003559 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Create Directory Command Send || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003560 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Window List Command Send || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003561 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Window List Reply || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003562 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Get Processes Command Send || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003563 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Start Socks5 Proxy Command Send || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003564 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003565 || 5 || trojan-activity || 0 || ET TROJAN Bandook v1.35 Get Processes Command Reply || url,www.nuclearwintercrew.com || url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408 || url,doc.emergingthreats.net/bin/view/Main/TrojanBandook +1 || 2003566 || 12 || trojan-activity || 0 || ET MALWARE User-Agent (DIALER) || url,doc.emergingthreats.net/2003566 +1 || 2003567 || 9 || trojan-activity || 0 || ET MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor) || url,doc.emergingthreats.net/2003567 +1 || 2003568 || 4 || trojan-activity || 0 || ET DELETED Evidencenuker.com Fake AV Updating || url,www.evidencenuker.com || url,doc.emergingthreats.net/bin/view/Main/2003568 +1 || 2003569 || 10 || trojan-activity || 0 || ET MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) || url,doc.emergingthreats.net/2003567 +1 || 2003570 || 9 || trojan-activity || 0 || ET MALWARE CoolWebSearch Spyware User-Agent (iefeatsl) || url,www.applicationsignatures.com/backend/index.php || url,doc.emergingthreats.net/2003570 +1 || 2003575 || 7 || trojan-activity || 0 || ET DELETED Gator/Clarian Spyware Posting Data || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999 || url,doc.emergingthreats.net/bin/view/Main/2003575 +1 || 2003576 || 5 || trojan-activity || 0 || ET MALWARE Security-updater.com Spyware Posting Data || url,doc.emergingthreats.net/bin/view/Main/2003576 +1 || 2003577 || 5 || trojan-activity || 0 || ET MALWARE Mirarsearch.com Spyware Posting Data || url,doc.emergingthreats.net/bin/view/Main/2003577 +1 || 2003578 || 8 || trojan-activity || 0 || ET MALWARE Baidu.com Spyware Bar Pulling Data || url,www.pctools.com/mrc/infections/id/BaiDu/ || url,doc.emergingthreats.net/bin/view/Main/2003578 +1 || 2003579 || 5 || trojan-activity || 0 || ET MALWARE Findwhat.com Spyware (clickthrough) || url,doc.emergingthreats.net/bin/view/Main/2003579 +1 || 2003580 || 6 || trojan-activity || 0 || ET DELETED Findwhat.com Spyware (sendtracker) || url,doc.emergingthreats.net/bin/view/Main/2003580 +1 || 2003581 || 5 || trojan-activity || 0 || ET MALWARE Findwhat.com Spyware (sendmedia) || url,doc.emergingthreats.net/bin/view/Main/2003581 +1 || 2003582 || 9 || trojan-activity || 0 || ET MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped) || url,doc.emergingthreats.net/2003582 +1 || 2003583 || 11 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (update) || url,doc.emergingthreats.net/2003583 +1 || 2003584 || 9 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent (Updater) || url,doc.emergingthreats.net/2003584 +1 || 2003585 || 12 || trojan-activity || 0 || ET MALWARE Trojan User-Agent (Windows Updates Manager) || url,doc.emergingthreats.net/2003585 +1 || 2003586 || 12 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (WinXP Pro Service Pack 2) || url,doc.emergingthreats.net/2003586 +1 || 2003588 || 10 || trojan-activity || 0 || ET MALWARE Worm.Pyks HTTP C&C Traffic User-Agent (skw00001) || url,doc.emergingthreats.net/2003588 +1 || 2003590 || 8 || trojan-activity || 0 || ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID) || url,doc.emergingthreats.net/2003590 +1 || 2003595 || 6 || policy-violation || 0 || ET POLICY exe download via HTTP - Informational || url,doc.emergingthreats.net/2003595 +1 || 2003597 || 4 || policy-violation || 0 || ET POLICY Google Calendar in Use || url,www.computerworld.com.au/index.php?id=1687889918&eid=-255 || url,doc.emergingthreats.net/2003597 +1 || 2003598 || 7 || trojan-activity || 0 || ET TROJAN Diazom Trojan User-Agent in Use (cv_v2.0.1) || url,ww.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-032316-0426-99&tabid=2 || url,doc.emergingthreats.net/2003598 +1 || 2003603 || 5 || trojan-activity || 0 || ET TROJAN W32.Virut.A joining an IRC Channel || url,www.bitcrank.net || url,doc.emergingthreats.net/2003603 +1 || 2003604 || 8 || trojan-activity || 0 || ET POLICY Baidu.com Agent User-Agent (Desktop Web System) || url,doc.emergingthreats.net/2003604 +1 || 2003605 || 5 || trojan-activity || 0 || ET MALWARE Baidu.com Spyware Bar Activity || url,www.pctools.com/mrc/infections/id/BaiDu/ || url,doc.emergingthreats.net/bin/view/Main/2003605 +1 || 2003606 || 5 || trojan-activity || 0 || ET MALWARE Alexa Spyware Reporting URL Visited || url,doc.emergingthreats.net/bin/view/Main/2003606 +1 || 2003607 || 10 || trojan-activity || 0 || ET DELETED Cnzz.com/Baidu Related Spyware Stat Reporting || url,vil.nai.com/vil/content/v_140364.htm || url,doc.emergingthreats.net/bin/view/Main/2003607 +1 || 2003608 || 12 || trojan-activity || 0 || ET POLICY Baidu.com Related Agent User-Agent (iexp) || url,doc.emergingthreats.net/2003608 +1 || 2003610 || 4 || trojan-activity || 0 || ET MALWARE Zango Spyware (tbrequest data post) || url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html || url,doc.emergingthreats.net/bin/view/Main/2003610 +1 || 2003611 || 7 || trojan-activity || 0 || ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating || url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html || url,doc.emergingthreats.net/bin/view/Main/2003611 +1 || 2003612 || 6 || trojan-activity || 0 || ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download || url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html || url,doc.emergingthreats.net/bin/view/Main/2003612 +1 || 2003613 || 10 || trojan-activity || 0 || ET MALWARE EELoader Malware Packages User-Agent (EELoader) || url,doc.emergingthreats.net/2003613 +1 || 2003614 || 5 || bad-unknown || 0 || ET INFO WinUpack Modified PE Header Inbound || url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders +1 || 2003615 || 6 || bad-unknown || 0 || ET INFO WinUpack Modified PE Header Outbound || url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders +1 || 2003616 || 38 || web-application-activity || 0 || ET WEB_SERVER DataCha0s Web Scanner/Robot || url,www.internetofficer.com/web-robot/datacha0s.html || url,doc.emergingthreats.net/2003616 +1 || 2003617 || 7 || trojan-activity || 0 || ET MALWARE MyWebSearch Toolbar Posting Activity Report || url,doc.emergingthreats.net/bin/view/Main/2003617 +1 || 2003619 || 6 || trojan-activity || 0 || ET MALWARE Alexa Spyware Redirecting User || url,doc.emergingthreats.net/bin/view/Main/2003619 +1 || 2003620 || 4 || trojan-activity || 0 || ET MALWARE 51yes.com Spyware Reporting User Activity || url,doc.emergingthreats.net/bin/view/Main/2003620 +1 || 2003621 || 7 || trojan-activity || 0 || ET MALWARE MyWay Spyware Posting Activity Report - Dell Related || url,doc.emergingthreats.net/bin/view/Main/2003621 +1 || 2003622 || 12 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent outbound (bot) || url,doc.emergingthreats.net/bin/view/Main/2003622 +1 || 2003623 || 5 || policy-violation || 0 || ET POLICY Centralops.net Domain Dossier Utility Probe || url,centralops.net || url,doc.emergingthreats.net/bin/view/Main/2003623 +1 || 2003625 || 9 || trojan-activity || 0 || ET MALWARE dns-look-up.com Spyware User-Agent (KRSystem) || url,doc.emergingthreats.net/2003625 +1 || 2003626 || 10 || trojan-activity || 0 || ET MALWARE Double User-Agent (User-Agent User-Agent) || url,doc.emergingthreats.net/bin/view/Main/2003626 +1 || 2003627 || 9 || trojan-activity || 0 || ET MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI) || url,doc.emergingthreats.net/2003627 +1 || 2003630 || 5 || trojan-activity || 0 || ET MALWARE Baidu.com Spyware Sobar Bar Activity || url,www.pctools.com/mrc/infections/id/BaiDu/ || url,doc.emergingthreats.net/bin/view/Main/2003630 +1 || 2003631 || 6 || policy-violation || 0 || ET POLICY Centralops.net Probe || url,centralops.net || url,doc.emergingthreats.net/bin/view/Main/2003631 +1 || 2003632 || 8 || trojan-activity || 0 || ET TROJAN Zlob User Agent - updating (internetsecurity) || url,secubox.aldria.com/topic-post1618.html#post1618 || url,doc.emergingthreats.net/2003632 +1 || 2003634 || 8 || attempted-admin || 0 || ET SCAN Suspicious User-Agent - get-minimal - Possible Vuln Scan || url,doc.emergingthreats.net/2003634 +1 || 2003635 || 6 || trojan-activity || 0 || ET TROJAN Generic Password Stealer User Agent Detected (RookIE) || url,doc.emergingthreats.net/2003635 +1 || 2003636 || 9 || trojan-activity || 0 || ET MALWARE Sality Virus User Agent Detected (KUKU) || url,doc.emergingthreats.net/2003636 +1 || 2003637 || 6 || trojan-activity || 0 || ET TROJAN Inject.BV Trojan User Agent Detected (faserx) || url,doc.emergingthreats.net/2003637 +1 || 2003638 || 6 || trojan-activity || 0 || ET DELETED AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J) || url,doc.emergingthreats.net/2003638 +1 || 2003639 || 8 || trojan-activity || 0 || ET MALWARE Adload.Generic Spyware User-Agent (ProxyDown) || url,doc.emergingthreats.net/2003639 +1 || 2003640 || 11 || trojan-activity || 0 || ET MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel) || url,doc.emergingthreats.net/2003640 +1 || 2003641 || 7 || trojan-activity || 0 || ET TROJAN Downloader.Small 5ser Agent Detected (NetScafe) || url,doc.emergingthreats.net/2003641 +1 || 2003644 || 9 || trojan-activity || 0 || ET MALWARE Generic.Malware.dld User-Agent (Sickloader) || url,doc.emergingthreats.net/2003644 +1 || 2003645 || 6 || trojan-activity || 0 || ET TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11) || url,doc.emergingthreats.net/2003645 +1 || 2003646 || 9 || trojan-activity || 0 || ET TROJAN Downloader.VB.TX/Backdoor.Win32.DSSdoor!IK Checkin || url,doc.emergingthreats.net/2003646 +1 || 2003647 || 7 || trojan-activity || 0 || ET TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U) || url,doc.emergingthreats.net/2003647 +1 || 2003648 || 8 || trojan-activity || 0 || ET TROJAN Clicker.BC User Agent Detected (linkrunner) || url,doc.emergingthreats.net/2003648 +1 || 2003649 || 8 || trojan-activity || 0 || ET TROJAN Hupigon User Agent Detected (SykO) || url,doc.emergingthreats.net/2003649 +1 || 2003650 || 6 || trojan-activity || 0 || ET TROJAN Dialer-715 Install Checkin || url,doc.emergingthreats.net/2003650 +1 || 2003651 || 6 || trojan-activity || 0 || ET DELETED Sality Virus User Agent Detected (SPM_ID=) || url,doc.emergingthreats.net/2003651 +1 || 2003652 || 9 || trojan-activity || 0 || ET MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar) || url,doc.emergingthreats.net/2003652 +1 || 2003653 || 7 || trojan-activity || 0 || ET POLICY Boitho.com Distributed Crawler in use - User-Agent (boitho.com-dc) || url,doc.emergingthreats.net/bin/view/Main/2003653 +1 || 2003654 || 9 || trojan-activity || 0 || ET MALWARE Effectivebrands.com Spyware User-Agent (GTBank) || url,doc.emergingthreats.net/2003654 +1 || 2003655 || 9 || trojan-activity || 0 || ET MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0) || url,doc.emergingthreats.net/2003655 +1 || 2003656 || 10 || trojan-activity || 0 || ET MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6) || url,www.f-secure.com/v-descs/rizo.shtml || url,doc.emergingthreats.net/2003656 +1 || 2003657 || 15 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (MSIE) || url,doc.emergingthreats.net/bin/view/Main/2003657 +1 || 2003658 || 8 || trojan-activity || 0 || ET MALWARE qq.com related Spyware User-Agent (QQGame) || url,doc.emergingthreats.net/2003658 +1 || 2003660 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt - Headerfile.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003660 +1 || 2003661 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_files.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003661 +1 || 2003662 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_posts.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003662 +1 || 2003663 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- groups_headerfile.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003663 +1 || 2003664 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- filters_headerfile.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003664 +1 || 2003665 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- links.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003665 +1 || 2003666 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- menu_headerfile.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003666 +1 || 2003667 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- latest_news.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003667 +1 || 2003668 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- settings_headerfile.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003668 +1 || 2003669 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TopTree Remote Inclusion Attempt -- tpl_message.php right_file || cve,CVE-2007-2544 || url,www.milw0rm.com/exploits/3854 || url,doc.emergingthreats.net/2003669 +1 || 2003670 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Workbench Survival Guide Remote Inclusion Attempt -- headerfile.php path || cve,CVE-2007-2542 || url,www.milw0rm.com/exploits/3848 || url,doc.emergingthreats.net/2003670 +1 || 2003671 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Versado CMS Remote Inclusion Attempt -- ajax_listado.php urlModulo || cve,CVE-2007-2541 || url,www.milw0rm.com/exploits/3847 || url,doc.emergingthreats.net/2003671 +1 || 2003672 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_image_index.php config pathMod || cve,CVE-2007-2540 || url,www.milw0rm.com/exploits/3852 || url,doc.emergingthreats.net/2003672 +1 || 2003673 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liens_index.php config pathMod || cve,CVE-2007-2540 || url,www.milw0rm.com/exploits/3852 || url,doc.emergingthreats.net/2003673 +1 || 2003674 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_liste_index.php config pathMod || cve,CVE-2007-2540 || url,www.milw0rm.com/exploits/3852 || url,doc.emergingthreats.net/2003674 +1 || 2003675 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod || cve,CVE-2007-2540 || url,www.milw0rm.com/exploits/3852 || url,doc.emergingthreats.net/2003675 +1 || 2003676 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_texte_index.php config pathMod || cve,CVE-2007-2540 || url,www.milw0rm.com/exploits/3852 || url,doc.emergingthreats.net/2003676 +1 || 2003677 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Berylium2 Remote Inclusion Attempt -- berylium-classes.php beryliumroot || cve,CVE-2007-2531 || url,www.milw0rm.com/exploits/3869 || url,doc.emergingthreats.net/2003677 +1 || 2003678 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt -- dosearch.php RESPATH || cve,CVE-2007-2530 || url,www.milw0rm.com/exploits/3865 || url,doc.emergingthreats.net/2003678 +1 || 2003679 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- dp_logs.php HomeDir || cve,CVE-2007-2527 || url,milw0rm.com/exploits/3868 || url,doc.emergingthreats.net/2003679 +1 || 2003680 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DynamicPAD Remote Inclusion Attempt -- index.php HomeDir || cve,CVE-2007-2527 || url,milw0rm.com/exploits/3868 || url,doc.emergingthreats.net/2003680 +1 || 2003681 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Persism CMS Remote Inclusion Attempt -- users_headerfile.php System || cve,CVE-2007-2545 || url,www.milw0rm.com/exploits/3853 || url,doc.emergingthreats.net/2003681 +1 || 2003682 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Gads Remote Inclusion Attempt -- common.php locale || cve,CVE-2007-2521 || url,www.milw0rm.com/exploits/3846 || url,doc.emergingthreats.net/2003682 +1 || 2003683 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Turbulence Remote Inclusion Attempt -- turbulence.php GLOBALS tcore || cve,CVE-2007-2504 || url,www.securityfocus.com/bid/23580 || url,doc.emergingthreats.net/2003683 +1 || 2003684 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path || cve,CVE-2007-2493 || url,www.milw0rm.com/exploits/3833 || url,doc.emergingthreats.net/2003684 +1 || 2003685 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wptable-button.php wpPATH || cve,CVE-2007-2484 || url,www.milw0rm.com/exploits/3824 || url,doc.emergingthreats.net/2003685 +1 || 2003686 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Remote Inclusion Attempt -- wordtube-button.php wpPATH || cve,CVE-2007-2481 || url,www.milw0rm.com/exploits/3825 || url,doc.emergingthreats.net/2003686 +1 || 2003687 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- payflow_pro.php abs_path || cve,CVE-2007-2474 || url,www.securityfocus.com/bid/23662 || url,doc.emergingthreats.net/2003687 +1 || 2003688 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- global.php abs_path || cve,CVE-2007-2474 || url,www.securityfocus.com/bid/23662 || url,doc.emergingthreats.net/2003688 +1 || 2003689 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt -- libsecure.php abs_path || cve,CVE-2007-2474 || url,www.securityfocus.com/bid/23662 || url,doc.emergingthreats.net/2003689 +1 || 2003690 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Firefly Remote Inclusion Attempt -- config.php DOCUMENT_ROOT || cve,CVE-2007-2460 || url,www.frsirt.com/english/advisories/2007/1554 || url,doc.emergingthreats.net/2003690 +1 || 2003691 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion Attempt -- psg.smarty.lib.php cfg sys base_path || cve,CVE-2007-2458 || url,www.frsirt.com/english/advisories/2007/1390 || url,doc.emergingthreats.net/2003691 +1 || 2003692 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VM Watermark Remote Inclusion Attempt -- watermark.php GALLERY_BASEDIR || cve,CVE-2007-2575 || url,www.milw0rm.com/exploits/3857 || url,doc.emergingthreats.net/2003692 +1 || 2003693 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir || cve,CVE-2007-2573 || url,www.milw0rm.com/exploits/3860 || url,doc.emergingthreats.net/2003693 +1 || 2003694 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt -- mfa_theme.php tpls || cve,CVE-2007-2572 || url,www.milw0rm.com/exploits/3861 || url,doc.emergingthreats.net/2003694 +1 || 2003696 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wikivi5 Remote Inclusion Attempt -- show.php sous_rep || cve,CVE-2007-2570 || url,www.milw0rm.com/exploits/3863 || url,doc.emergingthreats.net/2003696 +1 || 2003698 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php abs_path || cve,CVE-2007-2559 || url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded || url,doc.emergingthreats.net/2003698 +1 || 2003699 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion checkout.php abs_path || cve,CVE-2007-2559 || url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded || url,doc.emergingthreats.net/2003699 +1 || 2003700 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion libsecure.php abs_path || cve,CVE-2007-2559 || url,www.securityfocus.com/archive/1/archive/1/467840/100/0/threaded || url,doc.emergingthreats.net/2003700 +1 || 2003701 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfa CMS Remote Inclusion index.php repinc || cve,CVE-2007-2558 || url,www.securityfocus.com/archive/1/archive/1/467827/100/0/threaded || url,doc.emergingthreats.net/2003701 +1 || 2003702 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pixaria Gallery Remote Inclusion class.Smarty.php cfg sys base_path || cve,CVE-2007-2457 || url,www.milw0rm.com/exploits/3733 || url,doc.emergingthreats.net/2003702 +1 || 2003703 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpMyPortal Remote Inclusion Attempt -- articles.inc.php GLOBALS CHEMINMODULES || cve,CVE-2007-2594 || url,www.milw0rm.com/exploits/3879 || url,doc.emergingthreats.net/2003703 +1 || 2003704 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AForum Remote Inclusion func.php CommonAbsDir || cve,CVE-2007-2596 || url,www.milw0rm.com/exploits/3884 || url,doc.emergingthreats.net/2003704 +1 || 2003705 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion site_conf.php ordnertiefe || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003705 +1 || 2003706 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion class.csv.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003706 +1 || 2003707 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003707 +1 || 2003708 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003708 +1 || 2003709 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion hg_referenz_jobgalerie.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003709 +1 || 2003710 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_anmeldung_NWL.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003710 +1 || 2003711 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion produkte_nach_serie_alle.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003711 +1 || 2003712 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion surfer_aendern.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003712 +1 || 2003713 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion referenz.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003713 +1 || 2003714 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion lay.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003714 +1 || 2003715 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion ref_kd_rubrik.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003715 +1 || 2003716 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt -- printbar.php views_path || cve,CVE-2007-2607 || url,www.exploit-db.com/exploits/3870/ || url,doc.emergingthreats.net/2003716 +1 || 2003717 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS miplex2 Remote Inclusion SmartyFU.class.php system || cve,CVE-2007-2608 || url,www.milw0rm.com/exploits/3878 || url,doc.emergingthreats.net/2003717 +1 || 2003718 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003718 +1 || 2003719 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom_update.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003719 +1 || 2003720 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- check-lom.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003720 +1 || 2003721 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- weigh_keywords.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003721 +1 || 2003722 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- logout.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003722 +1 || 2003723 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- help.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003723 +1 || 2003724 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- index.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003724 +1 || 2003725 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- login.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003725 +1 || 2003726 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- mtdialogo.php pathCGX || cve,CVE-2007-2611 || url,www.milw0rm.com/exploits/3874 || url,doc.emergingthreats.net/2003726 +1 || 2003727 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- ltdialogo.php pathCGX || cve,CVE-2007-2611 || url,www.milw0rm.com/exploits/3874 || url,doc.emergingthreats.net/2003727 +1 || 2003728 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- logingecon.php pathCGX || cve,CVE-2007-2611 || url,www.milw0rm.com/exploits/3874 || url,doc.emergingthreats.net/2003728 +1 || 2003729 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt -- login.php pathCGX || cve,CVE-2007-2611 || url,www.milw0rm.com/exploits/3874 || url,doc.emergingthreats.net/2003729 +1 || 2003730 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPHtmlLib Remote Inclusion Attempt -- widget8.php phphtmllib || cve,CVE-2007-2614 || url,www.securityfocus.com/archive/1/archive/1/467837/100/0/threaded || url,doc.emergingthreats.net/2003730 +1 || 2003731 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- ftp.php path_local || cve,CVE-2007-2615 || url,www.milw0rm.com/exploits/3875 || url,doc.emergingthreats.net/2003731 +1 || 2003732 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- db.php path_local || cve,CVE-2007-2615 || url,www.milw0rm.com/exploits/3875 || url,doc.emergingthreats.net/2003732 +1 || 2003733 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPLojaFacil Remote Inclusion Attempt -- libs_ftp.php path_local || cve,CVE-2007-2615 || url,www.milw0rm.com/exploits/3875 || url,doc.emergingthreats.net/2003733 +1 || 2003735 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPSecurityAdmin Remote Inclusion Attempt -- logout.php PSA_PATH || cve,CVE-2007-2628 || url,www.securityfocus.com/bid/23801 || url,doc.emergingthreats.net/2003735 +1 || 2003736 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AForum Remote Inclusion Attempt -- errormsg.php header || cve,CVE-2007-2634 || url,secunia.com/advisories/25224 || url,doc.emergingthreats.net/2003736 +1 || 2003737 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CJG Explorer Remote Inclusion Attempt -- pcltrace.lib.php g_pcltar_lib_dir || cve,CVE-2007-2660 || url,www.milw0rm.com/exploits/3915 || url,doc.emergingthreats.net/2003737 +1 || 2003738 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Beacon Remote Inclusion Attempt -- splash.lang.php languagePath || cve,CVE-2007-2663 || url,www.milw0rm.com/exploits/3909 || url,doc.emergingthreats.net/2003738 +1 || 2003739 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt -- common.php root_path || cve,CVE-2007-2664 || url,www.milw0rm.com/exploits/3908 || url,doc.emergingthreats.net/2003739 +1 || 2003740 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPFirstPost Remote Inclusion Attempt block.php Include || cve,CVE-2007-2665 || url,www.milw0rm.com/exploits/3906 || url,doc.emergingthreats.net/2003740 +1 || 2003741 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Open Translation Engine Remote Inclusion Attempt -- header.php ote_home || cve,CVE-2007-2676 || url,www.milw0rm.com/exploits/3838 || url,doc.emergingthreats.net/2003741 +1 || 2003742 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- language.php config || cve,CVE-2007-2677 || url,www.milw0rm.com/exploits/3837 || url,doc.emergingthreats.net/2003742 +1 || 2003743 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_admin_cfg.php Root_Path || cve,CVE-2007-2677 || url,www.milw0rm.com/exploits/3837 || url,doc.emergingthreats.net/2003743 +1 || 2003744 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_cfg.php Root_Path || cve,CVE-2007-2677 || url,www.milw0rm.com/exploits/3837 || url,doc.emergingthreats.net/2003744 +1 || 2003745 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPChess Remote Inclusion Attempt -- layout_t_top.php Root_Path || cve,CVE-2007-2677 || url,www.milw0rm.com/exploits/3837 || url,doc.emergingthreats.net/2003745 +1 || 2003746 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery || cve,CVE-2007-2679 || url,www.securityfocus.com/bid/23534 || url,doc.emergingthreats.net/2003746 +1 || 2003747 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt -- lom.php ETCDIR || cve,CVE-2007-2609 || url,www.milw0rm.com/exploits/3876 || url,doc.emergingthreats.net/2003747 +1 || 2003749 || 8 || trojan-activity || 0 || ET USER_AGENTS QQHelper related Spyware User-Agent (H) || url,doc.emergingthreats.net/2003749 +1 || 2003750 || 4 || attempted-dos || 0 || ET EXPLOIT CA Brightstor ARCServe caloggerd DoS || url,www.milw0rm.com/exploits/3939 || url,doc.emergingthreats.net/bin/view/Main/2003750 +1 || 2003751 || 4 || attempted-dos || 0 || ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS || url, www.milw0rm.com/exploits/3940 || url,doc.emergingthreats.net/bin/view/Main/2003751 +1 || 2003752 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id SELECT || cve,CVE-2007-2342 || url,www.milw0rm.com/exploits/3767 || url,doc.emergingthreats.net/2003752 +1 || 2003753 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UNION SELECT || cve,CVE-2007-2342 || url,www.milw0rm.com/exploits/3767 || url,doc.emergingthreats.net/2003753 +1 || 2003754 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id INSERT || cve,CVE-2007-2342 || url,www.milw0rm.com/exploits/3767 || url,doc.emergingthreats.net/2003754 +1 || 2003755 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id DELETE || cve,CVE-2007-2342 || url,www.milw0rm.com/exploits/3767 || url,doc.emergingthreats.net/2003755 +1 || 2003756 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id ASCII || cve,CVE-2007-2342 || url,www.milw0rm.com/exploits/3767 || url,doc.emergingthreats.net/2003756 +1 || 2003757 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreaScripts CreaDirectory SQL Injection Attempt -- error.asp id UPDATE || cve,CVE-2007-2342 || url,www.milw0rm.com/exploits/3767 || url,doc.emergingthreats.net/2003757 +1 || 2003758 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid SELECT || cve,CVE-2007-2370 || url,www.milw0rm.com/exploits/3672 || url,doc.emergingthreats.net/2003758 +1 || 2003759 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UNION SELECT || cve,CVE-2007-2370 || url,www.milw0rm.com/exploits/3672 || url,doc.emergingthreats.net/2003759 +1 || 2003760 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid INSERT || cve,CVE-2007-2370 || url,www.milw0rm.com/exploits/3672 || url,doc.emergingthreats.net/2003760 +1 || 2003761 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid DELETE || cve,CVE-2007-2370 || url,www.milw0rm.com/exploits/3672 || url,doc.emergingthreats.net/2003761 +1 || 2003762 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid ASCII || cve,CVE-2007-2370 || url,www.milw0rm.com/exploits/3672 || url,doc.emergingthreats.net/2003762 +1 || 2003763 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS John Mordo Jobs SQL Injection Attempt -- index.php cid UPDATE || cve,CVE-2007-2370 || url,www.milw0rm.com/exploits/3672 || url,doc.emergingthreats.net/2003763 +1 || 2003764 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid SELECT || cve,CVE-2007-2373 || url,www.milw0rm.com/exploits/3670 || url,doc.emergingthreats.net/2003764 +1 || 2003765 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UNION SELECT || cve,CVE-2007-2373 || url,www.milw0rm.com/exploits/3670 || url,doc.emergingthreats.net/2003765 +1 || 2003766 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid INSERT || cve,CVE-2007-2373 || url,www.milw0rm.com/exploits/3670 || url,doc.emergingthreats.net/2003766 +1 || 2003767 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid DELETE || cve,CVE-2007-2373 || url,www.milw0rm.com/exploits/3670 || url,doc.emergingthreats.net/2003767 +1 || 2003768 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid ASCII || cve,CVE-2007-2373 || url,www.milw0rm.com/exploits/3670 || url,doc.emergingthreats.net/2003768 +1 || 2003769 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WF-Links (wflinks) SQL Injection Attempt -- viewcat.php cid UPDATE || cve,CVE-2007-2373 || url,www.milw0rm.com/exploits/3670 || url,doc.emergingthreats.net/2003769 +1 || 2003770 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a SELECT || cve,CVE-2007-2416 || url,www.securityfocus.com/bid/23727 || url,doc.emergingthreats.net/2003770 +1 || 2003771 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UNION SELECT || cve,CVE-2007-2416 || url,www.securityfocus.com/bid/23727 || url,doc.emergingthreats.net/2003771 +1 || 2003772 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a INSERT || cve,CVE-2007-2416 || url,www.securityfocus.com/bid/23727 || url,doc.emergingthreats.net/2003772 +1 || 2003773 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a DELETE || cve,CVE-2007-2416 || url,www.securityfocus.com/bid/23727 || url,doc.emergingthreats.net/2003773 +1 || 2003774 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a ASCII || cve,CVE-2007-2416 || url,www.securityfocus.com/bid/23727 || url,doc.emergingthreats.net/2003774 +1 || 2003775 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Annu SQL Injection Attempt -- home.php a UPDATE || cve,CVE-2007-2416 || url,www.securityfocus.com/bid/23727 || url,doc.emergingthreats.net/2003775 +1 || 2003776 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id SELECT || cve,CVE-2007-2420 || url,www.securityfocus.com/bid/23678 || url,doc.emergingthreats.net/2003776 +1 || 2003777 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UNION SELECT || cve,CVE-2007-2420 || url,www.securityfocus.com/bid/23678 || url,doc.emergingthreats.net/2003777 +1 || 2003778 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id INSERT || cve,CVE-2007-2420 || url,www.securityfocus.com/bid/23678 || url,doc.emergingthreats.net/2003778 +1 || 2003779 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id DELETE || cve,CVE-2007-2420 || url,www.securityfocus.com/bid/23678 || url,doc.emergingthreats.net/2003779 +1 || 2003780 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id ASCII || cve,CVE-2007-2420 || url,www.securityfocus.com/bid/23678 || url,doc.emergingthreats.net/2003780 +1 || 2003781 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yilmaz Blog SQL Injection Attempt -- bry.asp id UPDATE || cve,CVE-2007-2420 || url,www.securityfocus.com/bid/23678 || url,doc.emergingthreats.net/2003781 +1 || 2003782 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid SELECT || cve,CVE-2007-2427 || url,www.milw0rm.com/exploits/3813 || url,doc.emergingthreats.net/2003782 +1 || 2003783 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UNION SELECT || cve,CVE-2007-2427 || url,www.milw0rm.com/exploits/3813 || url,doc.emergingthreats.net/2003783 +1 || 2003784 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid INSERT || cve,CVE-2007-2427 || url,www.milw0rm.com/exploits/3813 || url,doc.emergingthreats.net/2003784 +1 || 2003785 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid DELETE || cve,CVE-2007-2427 || url,www.milw0rm.com/exploits/3813 || url,doc.emergingthreats.net/2003785 +1 || 2003786 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid ASCII || cve,CVE-2007-2427 || url,www.milw0rm.com/exploits/3813 || url,doc.emergingthreats.net/2003786 +1 || 2003787 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pnFlashGames SQL Injection Attempt -- index.php cid UPDATE || cve,CVE-2007-2427 || url,www.milw0rm.com/exploits/3813 || url,doc.emergingthreats.net/2003787 +1 || 2003788 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid SELECT || cve,CVE-2007-2469 || url,www.securityfocus.com/bid/23752 || url,doc.emergingthreats.net/2003788 +1 || 2003789 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UNION SELECT || cve,CVE-2007-2469 || url,www.securityfocus.com/bid/23752 || url,doc.emergingthreats.net/2003789 +1 || 2003790 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid INSERT || cve,CVE-2007-2469 || url,www.securityfocus.com/bid/23752 || url,doc.emergingthreats.net/2003790 +1 || 2003791 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid DELETE || cve,CVE-2007-2469 || url,www.securityfocus.com/bid/23752 || url,doc.emergingthreats.net/2003791 +1 || 2003792 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid ASCII || cve,CVE-2007-2469 || url,www.securityfocus.com/bid/23752 || url,doc.emergingthreats.net/2003792 +1 || 2003793 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FileRun SQL Injection Attempt -- index.php fid UPDATE || cve,CVE-2007-2469 || url,www.securityfocus.com/bid/23752 || url,doc.emergingthreats.net/2003793 +1 || 2003794 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid SELECT || cve,CVE-2007-2473 || url,www.securityfocus.com/bid/23753 || url,doc.emergingthreats.net/2003794 +1 || 2003795 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UNION SELECT || cve,CVE-2007-2473 || url,www.securityfocus.com/bid/23753 || url,doc.emergingthreats.net/2003795 +1 || 2003796 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid INSERT || cve,CVE-2007-2473 || url,www.securityfocus.com/bid/23753 || url,doc.emergingthreats.net/2003796 +1 || 2003797 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid ASCII || cve,CVE-2007-2473 || url,www.securityfocus.com/bid/23753 || url,doc.emergingthreats.net/2003797 +1 || 2003798 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid UPDATE || cve,CVE-2007-2473 || url,www.securityfocus.com/bid/23753 || url,doc.emergingthreats.net/2003798 +1 || 2003805 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER SELECT || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003805 +1 || 2003806 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UNION SELECT || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003806 +1 || 2003807 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER INSERT || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003807 +1 || 2003808 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER DELETE || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003808 +1 || 2003809 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER ASCII || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003809 +1 || 2003810 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_USER UPDATE || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003810 +1 || 2003811 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS SELECT || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003811 +1 || 2003812 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UNION SELECT || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003812 +1 || 2003813 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS INSERT || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003813 +1 || 2003814 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS DELETE || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003814 +1 || 2003815 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS ASCII || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003815 +1 || 2003816 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpHoo3 SQL Injection Attempt -- admin.php ADMIN_PASS UPDATE || cve,CVE-2007-2534 || url,www.securityfocus.com/bid/23854 || url,doc.emergingthreats.net/2003816 +1 || 2003817 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries SELECT || cve,CVE-2007-2538 || url,www.milw0rm.com/exploits/3850 || url,doc.emergingthreats.net/2003817 +1 || 2003818 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UNION SELECT || cve,CVE-2007-2538 || url,www.milw0rm.com/exploits/3850 || url,doc.emergingthreats.net/2003818 +1 || 2003819 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries INSERT || cve,CVE-2007-2538 || url,www.milw0rm.com/exploits/3850 || url,doc.emergingthreats.net/2003819 +1 || 2003820 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries DELETE || cve,CVE-2007-2538 || url,www.milw0rm.com/exploits/3850 || url,doc.emergingthreats.net/2003820 +1 || 2003821 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries ASCII || cve,CVE-2007-2538 || url,www.milw0rm.com/exploits/3850 || url,doc.emergingthreats.net/2003821 +1 || 2003822 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunCms SQL Injection Attempt -- debug_show.php executed_queries UPDATE || cve,CVE-2007-2538 || url,www.milw0rm.com/exploits/3850 || url,doc.emergingthreats.net/2003822 +1 || 2003823 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid SELECT || cve,CVE-2007-2543 || url,www.milw0rm.com/exploits/3849 || url,doc.emergingthreats.net/2003823 +1 || 2003824 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UNION SELECT || cve,CVE-2007-2543 || url,www.milw0rm.com/exploits/3849 || url,doc.emergingthreats.net/2003824 +1 || 2003825 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid INSERT || cve,CVE-2007-2543 || url,www.milw0rm.com/exploits/3849 || url,doc.emergingthreats.net/2003825 +1 || 2003826 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid DELETE || cve,CVE-2007-2543 || url,www.milw0rm.com/exploits/3849 || url,doc.emergingthreats.net/2003826 +1 || 2003827 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid ASCII || cve,CVE-2007-2543 || url,www.milw0rm.com/exploits/3849 || url,doc.emergingthreats.net/2003827 +1 || 2003828 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flashgames SQL Injection Attempt -- game.php lid UPDATE || cve,CVE-2007-2543 || url,www.milw0rm.com/exploits/3849 || url,doc.emergingthreats.net/2003828 +1 || 2003829 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv SELECT || cve,CVE-2007-2735 || url,www.milw0rm.com/exploits/3931 || url,doc.emergingthreats.net/2003829 +1 || 2003830 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UNION SELECT || cve,CVE-2007-2735 || url,www.milw0rm.com/exploits/3931 || url,doc.emergingthreats.net/2003830 +1 || 2003831 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv INSERT || cve,CVE-2007-2735 || url,www.milw0rm.com/exploits/3931 || url,doc.emergingthreats.net/2003831 +1 || 2003832 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv DELETE || cve,CVE-2007-2735 || url,www.milw0rm.com/exploits/3931 || url,doc.emergingthreats.net/2003832 +1 || 2003833 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv ASCII || cve,CVE-2007-2735 || url,www.milw0rm.com/exploits/3931 || url,doc.emergingthreats.net/2003833 +1 || 2003834 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ResManager SQL Injection Attempt -- edit_day.php id_reserv UPDATE || cve,CVE-2007-2735 || url,www.milw0rm.com/exploits/3931 || url,doc.emergingthreats.net/2003834 +1 || 2003835 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid SELECT || cve,CVE-2007-2737 || url,www.frsirt.com/english/advisories/2007/1830 || url,doc.emergingthreats.net/2003835 +1 || 2003836 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UNION SELECT || cve,CVE-2007-2737 || url,www.frsirt.com/english/advisories/2007/1830 || url,doc.emergingthreats.net/2003836 +1 || 2003837 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid INSERT || cve,CVE-2007-2737 || url,www.frsirt.com/english/advisories/2007/1830 || url,doc.emergingthreats.net/2003837 +1 || 2003838 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid DELETE || cve,CVE-2007-2737 || url,www.frsirt.com/english/advisories/2007/1830 || url,doc.emergingthreats.net/2003838 +1 || 2003839 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid ASCII || cve,CVE-2007-2737 || url,www.frsirt.com/english/advisories/2007/1830 || url,doc.emergingthreats.net/2003839 +1 || 2003840 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyConference SQL Injection Attempt -- index.php cid UPDATE || cve,CVE-2007-2737 || url,www.frsirt.com/english/advisories/2007/1830 || url,doc.emergingthreats.net/2003840 +1 || 2003841 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UNION SELECT || cve,CVE-2007-2738 || url,www.milw0rm.com/exploits/3932 || url,doc.emergingthreats.net/2003841 +1 || 2003842 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid INSERT || cve,CVE-2007-2738 || url,www.milw0rm.com/exploits/3932 || url,doc.emergingthreats.net/2003842 +1 || 2003843 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid DELETE || cve,CVE-2007-2738 || url,www.milw0rm.com/exploits/3932 || url,doc.emergingthreats.net/2003843 +1 || 2003844 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid ASCII || cve,CVE-2007-2738 || url,www.milw0rm.com/exploits/3932 || url,doc.emergingthreats.net/2003844 +1 || 2003845 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid UPDATE || cve,CVE-2007-2738 || url,www.milw0rm.com/exploits/3932 || url,doc.emergingthreats.net/2003845 +1 || 2003846 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref SELECT || cve,CVE-2007-2749 || url,www.milw0rm.com/exploits/3943 || url,doc.emergingthreats.net/2003846 +1 || 2003847 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UNION SELECT || cve,CVE-2007-2749 || url,www.milw0rm.com/exploits/3943 || url,doc.emergingthreats.net/2003847 +1 || 2003848 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref INSERT || cve,CVE-2007-2749 || url,www.milw0rm.com/exploits/3943 || url,doc.emergingthreats.net/2003848 +1 || 2003849 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref DELETE || cve,CVE-2007-2749 || url,www.milw0rm.com/exploits/3943 || url,doc.emergingthreats.net/2003849 +1 || 2003850 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref ASCII || cve,CVE-2007-2749 || url,www.milw0rm.com/exploits/3943 || url,doc.emergingthreats.net/2003850 +1 || 2003851 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FAQEngine SQL Injection Attempt -- question.php questionref UPDATE || cve,CVE-2007-2749 || url,www.milw0rm.com/exploits/3943 || url,doc.emergingthreats.net/2003851 +1 || 2003852 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr SELECT || cve,CVE-2007-2750 || url,www.milw0rm.com/exploits/3942 || url,doc.emergingthreats.net/2003852 +1 || 2003853 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UNION SELECT || cve,CVE-2007-2750 || url,www.milw0rm.com/exploits/3942 || url,doc.emergingthreats.net/2003853 +1 || 2003854 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr INSERT || cve,CVE-2007-2750 || url,www.milw0rm.com/exploits/3942 || url,doc.emergingthreats.net/2003854 +1 || 2003855 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr DELETE || cve,CVE-2007-2750 || url,www.milw0rm.com/exploits/3942 || url,doc.emergingthreats.net/2003855 +1 || 2003856 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr ASCII || cve,CVE-2007-2750 || url,www.milw0rm.com/exploits/3942 || url,doc.emergingthreats.net/2003856 +1 || 2003857 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SimpNews SQL Injection Attempt -- print.php newsnr UPDATE || cve,CVE-2007-2750 || url,www.milw0rm.com/exploits/3942 || url,doc.emergingthreats.net/2003857 +1 || 2003858 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id SELECT || cve,CVE-2007-2752 || url,www.milw0rm.com/exploits/3936 || url,doc.emergingthreats.net/2003858 +1 || 2003859 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UNION SELECT || cve,CVE-2007-2752 || url,www.milw0rm.com/exploits/3936 || url,doc.emergingthreats.net/2003859 +1 || 2003860 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id INSERT || cve,CVE-2007-2752 || url,www.milw0rm.com/exploits/3936 || url,doc.emergingthreats.net/2003860 +1 || 2003861 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id DELETE || cve,CVE-2007-2752 || url,www.milw0rm.com/exploits/3936 || url,doc.emergingthreats.net/2003861 +1 || 2003862 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id ASCII || cve,CVE-2007-2752 || url,www.milw0rm.com/exploits/3936 || url,doc.emergingthreats.net/2003862 +1 || 2003863 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RunawaySoft Haber portal 1.0 SQL Injection Attempt -- devami.asp id UPDATE || cve,CVE-2007-2752 || url,www.milw0rm.com/exploits/3936 || url,doc.emergingthreats.net/2003863 +1 || 2003864 || 4 || misc-activity || 0 || ET POLICY Outbound SMTP on port 587 || url,doc.emergingthreats.net/2003864 +1 || 2003865 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMS Made Simple SQL Injection Attempt -- stylesheet.php templateid DELETE || cve,CVE-2007-2473 || url,www.securityfocus.com/bid/23753 || url,doc.emergingthreats.net/2003865 +1 || 2003866 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Glossaire SQL Injection Attempt -- glossaire-p-f.php sid SELECT || cve,CVE-2007-2738 || url,www.milw0rm.com/exploits/3932 || url,doc.emergingthreats.net/2003866 +1 || 2003867 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TellTarget CMS Remote Inclusion 3_lay.php tt_docroot || cve,CVE-2007-2597 || url,www.milw0rm.com/exploits/3885 || url,doc.emergingthreats.net/2003867 +1 || 2003869 || 7 || misc-attack || 0 || ET SCAN ProxyReconBot CONNECT method to Mail || url,doc.emergingthreats.net/2003869 +1 || 2003870 || 7 || misc-attack || 0 || ET SCAN ProxyReconBot POST method to Mail || url,doc.emergingthreats.net/2003870 +1 || 2003871 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ripe Website Manager XSS Attempt -- index.php ripeformpost || cve,CVE-2007-2206 || url,www.securityfocus.com/bid/23597 || url,doc.emergingthreats.net/2003871 +1 || 2003872 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- searchloop.php s || cve,CVE-2007-2757 || url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded || url,doc.emergingthreats.net/2003872 +1 || 2003873 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Redoable XSS Attempt -- header.php s || cve,CVE-2007-2757 || url,www.securityfocus.com/archive/1/archive/1/468892/100/0/threaded || url,doc.emergingthreats.net/2003873 +1 || 2003874 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vDesk Webmail XSS Attempt -- printcal.pl || cve,CVE-2007-2745 || url,www.securityfocus.com/bid/24022 || url,doc.emergingthreats.net/2003874 +1 || 2003875 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fotolog XSS Attempt -- all_photos.html user || cve,CVE-2007-2724 || url,www.securityfocus.com/archive/1/archive/1/468316/100/0/threaded || url,doc.emergingthreats.net/2003875 +1 || 2003876 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- listmembers.php show || cve,CVE-2007-2716 || url,www.securityfocus.com/bid/23951 || url,doc.emergingthreats.net/2003876 +1 || 2003877 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EQdkp XSS Attempt -- stats.php show || cve,CVE-2007-2716 || url,www.securityfocus.com/bid/23951 || url,doc.emergingthreats.net/2003877 +1 || 2003878 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Open Translation Engine (OTE) XSS Attempt -- header.php ote_home || cve,CVE-2007-2676 || url,www.milw0rm.com/exploits/3838 || url,doc.emergingthreats.net/2003878 +1 || 2003879 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- settings.php catid || cve,CVE-2007-2670 || url,www.securityfocus.com/bid/23761 || url,doc.emergingthreats.net/2003879 +1 || 2003880 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPChain XSS Attempt -- cat.php catid || cve,CVE-2007-2670 || url,www.securityfocus.com/bid/23761 || url,doc.emergingthreats.net/2003880 +1 || 2003881 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SonicBB XSS Attempt -- search.php part || cve,CVE-2007-1903 || url,www.netvigilance.com/advisory0020 || url,doc.emergingthreats.net/2003881 +1 || 2003882 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- configure_plugin.tpl.php edit_plugin || cve,CVE-2007-2632 || url,www.securityfocus.com/bid/23917 || url,doc.emergingthreats.net/2003882 +1 || 2003883 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php 1 || cve,CVE-2007-2632 || url,www.securityfocus.com/bid/23917 || url,doc.emergingthreats.net/2003883 +1 || 2003884 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Multi User Randomizer (phpMUR) XSS Attempt -- phpinfo.php a || cve,CVE-2007-2632 || url,www.securityfocus.com/bid/23917 || url,doc.emergingthreats.net/2003884 +1 || 2003885 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress XSS Attempt -- sidebar.php || cve,CVE-2007-2627 || url,www.securityfocus.com/archive/1/archive/1/467360/100/0/threaded || url,doc.emergingthreats.net/2003885 +1 || 2003886 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_authorization.php || cve,CVE-2007-2625 || url,www.frsirt.com/english/advisories/2007/1637 || url,doc.emergingthreats.net/2003886 +1 || 2003887 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) XSS Attempt -- cp_config.php || cve,CVE-2007-2624 || url,www.securityfocus.com/bid/23790 || url,doc.emergingthreats.net/2003887 +1 || 2003888 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseCat.php catFile || cve,CVE-2007-2600 || url,www.milw0rm.com/exploits/3887 || url,doc.emergingthreats.net/2003888 +1 || 2003889 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- browseSubCat.php catFile || cve,CVE-2007-2600 || url,www.milw0rm.com/exploits/3887 || url,doc.emergingthreats.net/2003889 +1 || 2003890 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- openTutorial.php id || cve,CVE-2007-2600 || url,www.milw0rm.com/exploits/3887 || url,doc.emergingthreats.net/2003890 +1 || 2003891 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- topFrame.php id || cve,CVE-2007-2600 || url,www.milw0rm.com/exploits/3887 || url,doc.emergingthreats.net/2003891 +1 || 2003892 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- editListing.php id || cve,CVE-2007-2600 || url,www.milw0rm.com/exploits/3887 || url,doc.emergingthreats.net/2003892 +1 || 2003893 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt -- search.php search || cve,CVE-2007-2600 || url,www.milw0rm.com/exploits/3887 || url,doc.emergingthreats.net/2003893 +1 || 2003894 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- dev_logon.asp username || cve,CVE-2007-2592 || url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded || url,doc.emergingthreats.net/2003894 +1 || 2003895 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- registerAccount.asp || cve,CVE-2007-2592 || url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded || url,doc.emergingthreats.net/2003895 +1 || 2003896 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt -- create_account.asp || cve,CVE-2007-2592 || url,www.securityfocus.com/archive/1/archive/1/468048/100/0/threaded || url,doc.emergingthreats.net/2003896 +1 || 2003897 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whstart.js || cve,CVE-2007-1280 || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || url,doc.emergingthreats.net/2003897 +1 || 2003898 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whcsh_home.htm || cve,CVE-2007-1280 || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || url,doc.emergingthreats.net/2003898 +1 || 2003899 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startpage.js || cve,CVE-2007-1280 || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || url,doc.emergingthreats.net/2003899 +1 || 2003900 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt wf_startqs.htm || cve,CVE-2007-1280 || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || url,doc.emergingthreats.net/2003900 +1 || 2003901 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt WindowManager.dll || cve,CVE-2007-1280 || url,www.securityfocus.com/archive/1/archive/1/468360/100/0/threaded || url,doc.emergingthreats.net/2003901 +1 || 2003902 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Tomcat XSS Attempt -- implicit-objects.jsp || cve,CVE-2006-7195 || url,www.frsirt.com/english/advisories/2007/1729 || url,doc.emergingthreats.net/2003902 +1 || 2003903 || 8 || web-application-attack || 0 || ET WEB_SERVER Microsoft SharePoint XSS Attempt default.aspx || cve,CVE-2007-2581 || url,www.securityfocus.com/bid/23832 || url,doc.emergingthreats.net/2003903 +1 || 2003904 || 8 || web-application-attack || 0 || ET WEB_SERVER Microsoft SharePoint XSS Attempt index.php form mail || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003904 +1 || 2003905 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003905 +1 || 2003906 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003906 +1 || 2003907 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- download.php id || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003907 +1 || 2003908 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003908 +1 || 2003909 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form cat || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003909 +1 || 2003910 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003910 +1 || 2003911 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form message || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003911 +1 || 2003912 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mail || cve,CVE-2007-2579 || url,www.securityfocus.com/bid/23834 || url,doc.emergingthreats.net/2003912 +1 || 2003913 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt -- index.php _m || cve,CVE-2007-2562 || url,www.securityfocus.com/archive/1/archive/1/467832/100/0/threaded || url,doc.emergingthreats.net/2003913 +1 || 2003914 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Podium CMS XSS Attempt -- Default.aspx id || cve,CVE-2007-2555 || url,www.securityfocus.com/archive/1/archive/1/467823/100/0/threaded || url,doc.emergingthreats.net/2003914 +1 || 2003915 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Advanced Guestbook XSS Attempt -- picture.php picture || cve,CVE-2007-0605 || url,www.securityfocus.com/bid/23873 || url,doc.emergingthreats.net/2003915 +1 || 2003916 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WikkaWiki (Wikka Wiki) XSS Attempt -- usersettings.php name || cve,CVE-2007-2551 || url,www.securityfocus.com/bid/23894 || url,doc.emergingthreats.net/2003916 +1 || 2003917 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TurnkeyWebTools SunShop Shopping Cart XSS Attempt -- index.php l || cve,CVE-2007-2547 || url,www.securityfocus.com/bid/23856 || url,doc.emergingthreats.net/2003917 +1 || 2003918 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- sendmail.php || cve,CVE-2007-2532 || url,www.securityfocus.com/bid/23847 || url,doc.emergingthreats.net/2003918 +1 || 2003919 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Minh Nguyen Duong Obie Website Mini Web Shop XSS Attempt -- order_form.php || cve,CVE-2007-2532 || url,www.securityfocus.com/bid/23847 || url,doc.emergingthreats.net/2003919 +1 || 2003920 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- loan.php movieid || cve,CVE-2007-2499 || url,www.securityfocus.com/bid/23764 || url,doc.emergingthreats.net/2003920 +1 || 2003921 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DVDdb XSS Attempt -- listmovies.php s || cve,CVE-2007-2499 || url,www.securityfocus.com/bid/23764 || url,doc.emergingthreats.net/2003921 +1 || 2003922 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sendcard XSS Attempt -- sendcard.php form || cve,CVE-2007-2472 || url,www.secunia.com/advisories/25085 || url,doc.emergingthreats.net/2003922 +1 || 2003924 || 8 || trojan-activity || 0 || ET SCAN WebHack Control Center User-Agent Inbound (WHCC/) || url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start= || url,doc.emergingthreats.net/2003924 +1 || 2003925 || 7 || trojan-activity || 0 || ET USER_AGENTS WebHack Control Center User-Agent Outbound (WHCC/) || url,www.governmentsecurity.org/forum/index.php?showtopic=5112&pid=28561&mode=threaded&start= || url,doc.emergingthreats.net/2003925 +1 || 2003926 || 8 || trojan-activity || 0 || ET MALWARE Personalweb Spyware User-Agent (PWMI/1.0) || url,doc.emergingthreats.net/2003926 +1 || 2003927 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (HTTPTEST) - Seen used by downloaders || url,doc.emergingthreats.net/bin/view/Main/2003927 +1 || 2003928 || 9 || trojan-activity || 0 || ET MALWARE Mirar Bar Spyware User-Agent (Mbar) || url,doc.emergingthreats.net/2003928 +1 || 2003929 || 8 || trojan-activity || 0 || ET MALWARE Mirar Bar Spyware User-Agent (Mirar_Toolbar) || url,doc.emergingthreats.net/2003929 +1 || 2003930 || 11 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Snatch-System) || url,doc.emergingthreats.net/bin/view/Main/2003930 +1 || 2003931 || 7 || trojan-activity || 0 || ET TROJAN Banker.Delf User-Agent (Varlok_11000) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2003931 +1 || 2003932 || 8 || trojan-activity || 0 || ET TROJAN Hupigon User Agent Detected (IE_7.0) || url,doc.emergingthreats.net/2003932 +1 || 2003933 || 9 || trojan-activity || 0 || ET TROJAN Banker.Delf User-Agent (Ms) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2003933 +1 || 2003934 || 4 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts || url,doc.emergingthreats.net/2003934 +1 || 2003936 || 4 || trojan-activity || 0 || ET TROJAN Bandok phoning home (xor by 0xe9 to decode) || url,www.dshield.org/diary.html?date=2007-03-28 || url,www.secureworks.com/research/threats/bbbphish/?threat=bbbphish || url,doc.emergingthreats.net/2003936 +1 || 2003937 || 11 || trojan-activity || 0 || ET TROJAN Bandook iwebho/BBB-phish trojan leaking user data || url,www.secureworks.com/research/threats/bbbphish || url,doc.emergingthreats.net/2003937 +1 || 2003939 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003939 +1 || 2003940 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UNION SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003940 +1 || 2003941 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php INSERT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003941 +1 || 2003942 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php DELETE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003942 +1 || 2003943 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php ASCII || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003943 +1 || 2003944 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- main_page.php UPDATE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003944 +1 || 2003945 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003945 +1 || 2003946 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UNION SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003946 +1 || 2003947 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php INSERT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003947 +1 || 2003948 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php DELETE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003948 +1 || 2003949 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php ASCII || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003949 +1 || 2003950 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- open_tree.php UPDATE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003950 +1 || 2003951 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003951 +1 || 2003952 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UNION SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003952 +1 || 2003953 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php INSERT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003953 +1 || 2003954 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php DELETE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003954 +1 || 2003955 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php ASCII || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003955 +1 || 2003956 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- outputs.php UPDATE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003956 +1 || 2003957 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003957 +1 || 2003958 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UNION SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003958 +1 || 2003959 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view INSERT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003959 +1 || 2003960 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view DELETE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003960 +1 || 2003961 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view ASCII || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003961 +1 || 2003962 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php view UPDATE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003962 +1 || 2003963 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003963 +1 || 2003964 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UNION SELECT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003964 +1 || 2003965 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id INSERT || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003965 +1 || 2003966 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id DELETE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003966 +1 || 2003967 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id ASCII || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003967 +1 || 2003968 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- opentree.php id UPDATE || cve,CVE-2007-2684 || url,www.netvigilance.com/advisory0027 || url,doc.emergingthreats.net/2003968 +1 || 2003969 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login SELECT || cve,CVE-2007-2685 || url,www.netvigilance.com/advisory0028 || url,doc.emergingthreats.net/2003969 +1 || 2003970 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UNION SELECT || cve,CVE-2007-2685 || url,www.netvigilance.com/advisory0028 || url,doc.emergingthreats.net/2003970 +1 || 2003971 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login INSERT || cve,CVE-2007-2685 || url,www.netvigilance.com/advisory0028 || url,doc.emergingthreats.net/2003971 +1 || 2003972 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login DELETE || cve,CVE-2007-2685 || url,www.netvigilance.com/advisory0028 || url,doc.emergingthreats.net/2003972 +1 || 2003973 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login ASCII || cve,CVE-2007-2685 || url,www.netvigilance.com/advisory0028 || url,doc.emergingthreats.net/2003973 +1 || 2003974 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS SQL Injection Attempt -- index.php login UPDATE || cve,CVE-2007-2685 || url,www.netvigilance.com/advisory0028 || url,doc.emergingthreats.net/2003974 +1 || 2003981 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler SELECT || cve,CVE-2007-2773 || url,www.milw0rm.com/exploits/3955 || url,doc.emergingthreats.net/2003981 +1 || 2003982 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UNION SELECT || cve,CVE-2007-2773 || url,www.milw0rm.com/exploits/3955 || url,doc.emergingthreats.net/2003982 +1 || 2003983 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler INSERT || cve,CVE-2007-2773 || url,www.milw0rm.com/exploits/3955 || url,doc.emergingthreats.net/2003983 +1 || 2003984 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler DELETE || cve,CVE-2007-2773 || url,www.milw0rm.com/exploits/3955 || url,doc.emergingthreats.net/2003984 +1 || 2003985 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler ASCII || cve,CVE-2007-2773 || url,www.milw0rm.com/exploits/3955 || url,doc.emergingthreats.net/2003985 +1 || 2003986 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zomplog SQL Injection Attempt -- mp3playlist.php speler UPDATE || cve,CVE-2007-2773 || url,www.milw0rm.com/exploits/3955 || url,doc.emergingthreats.net/2003986 +1 || 2003987 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid SELECT || cve,CVE-2007-2792 || url,www.exploit-db.com/exploits/3944/ || url,doc.emergingthreats.net/2003987 +1 || 2003988 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UNION SELECT || cve,CVE-2007-2792 || url,www.exploit-db.com/exploits/3944/ || url,doc.emergingthreats.net/2003988 +1 || 2003989 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid INSERT || cve,CVE-2007-2792 || url,www.exploit-db.com/exploits/3944/ || url,doc.emergingthreats.net/2003989 +1 || 2003990 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid DELETE || cve,CVE-2007-2792 || url,www.exploit-db.com/exploits/3944/ || url,doc.emergingthreats.net/2003990 +1 || 2003991 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid ASCII || cve,CVE-2007-2792 || url,www.exploit-db.com/exploits/3944/ || url,doc.emergingthreats.net/2003991 +1 || 2003992 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- index.php listid UPDATE || cve,CVE-2007-2792 || url,www.exploit-db.com/exploits/3944/ || url,doc.emergingthreats.net/2003992 +1 || 2003993 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id SELECT || cve,CVE-2007-2803 || url,www.secunia.com/advisories/25348 || url,doc.emergingthreats.net/2003993 +1 || 2003994 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UNION SELECT || cve,CVE-2007-2803 || url,www.secunia.com/advisories/25348 || url,doc.emergingthreats.net/2003994 +1 || 2003995 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id INSERT || cve,CVE-2007-2803 || url,www.secunia.com/advisories/25348 || url,doc.emergingthreats.net/2003995 +1 || 2003996 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id DELETE || cve,CVE-2007-2803 || url,www.secunia.com/advisories/25348 || url,doc.emergingthreats.net/2003996 +1 || 2003997 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id ASCII || cve,CVE-2007-2803 || url,www.secunia.com/advisories/25348 || url,doc.emergingthreats.net/2003997 +1 || 2003998 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Urun Tanitim Sitesi SQL Injection Attempt -- default.asp id UPDATE || cve,CVE-2007-2803 || url,www.secunia.com/advisories/25348 || url,doc.emergingthreats.net/2003998 +1 || 2003999 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id SELECT || cve,CVE-2007-2810 || url,www.securityfocus.com/bid/23714 || url,doc.emergingthreats.net/2003999 +1 || 2004000 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT || cve,CVE-2007-2810 || url,www.securityfocus.com/bid/23714 || url,doc.emergingthreats.net/2004000 +1 || 2004001 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id INSERT || cve,CVE-2007-2810 || url,www.securityfocus.com/bid/23714 || url,doc.emergingthreats.net/2004001 +1 || 2004002 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id DELETE || cve,CVE-2007-2810 || url,www.securityfocus.com/bid/23714 || url,doc.emergingthreats.net/2004002 +1 || 2004003 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id ASCII || cve,CVE-2007-2810 || url,www.securityfocus.com/bid/23714 || url,doc.emergingthreats.net/2004003 +1 || 2004004 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gazi Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE || cve,CVE-2007-2810 || url,www.securityfocus.com/bid/23714 || url,doc.emergingthreats.net/2004004 +1 || 2004005 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id SELECT || cve,CVE-2007-2817 || url,www.milw0rm.com/exploits/3964 || url,doc.emergingthreats.net/2004005 +1 || 2004006 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UNION SELECT || cve,CVE-2007-2817 || url,www.milw0rm.com/exploits/3964 || url,doc.emergingthreats.net/2004006 +1 || 2004007 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id INSERT || cve,CVE-2007-2817 || url,www.milw0rm.com/exploits/3964 || url,doc.emergingthreats.net/2004007 +1 || 2004008 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id DELETE || cve,CVE-2007-2817 || url,www.milw0rm.com/exploits/3964 || url,doc.emergingthreats.net/2004008 +1 || 2004009 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id ASCII || cve,CVE-2007-2817 || url,www.milw0rm.com/exploits/3964 || url,doc.emergingthreats.net/2004009 +1 || 2004010 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ol bookmarks SQL Injection Attempt -- index.php id UPDATE || cve,CVE-2007-2817 || url,www.milw0rm.com/exploits/3964 || url,doc.emergingthreats.net/2004010 +1 || 2004011 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie SELECT || cve,CVE-2007-2821 || url,www.securityfocus.com/bid/24076 || url,doc.emergingthreats.net/2004011 +1 || 2004012 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UNION SELECT || cve,CVE-2007-2821 || url,www.securityfocus.com/bid/24076 || url,doc.emergingthreats.net/2004012 +1 || 2004013 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie INSERT || cve,CVE-2007-2821 || url,www.securityfocus.com/bid/24076 || url,doc.emergingthreats.net/2004013 +1 || 2004014 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie DELETE || cve,CVE-2007-2821 || url,www.securityfocus.com/bid/24076 || url,doc.emergingthreats.net/2004014 +1 || 2004015 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie ASCII || cve,CVE-2007-2821 || url,www.securityfocus.com/bid/24076 || url,doc.emergingthreats.net/2004015 +1 || 2004016 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-ajax.php cookie UPDATE || cve,CVE-2007-2821 || url,www.securityfocus.com/bid/24076 || url,doc.emergingthreats.net/2004016 +1 || 2004022 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AlstraSoft E-Friends SQL Injection Attempt -- index.php pack UPDATE || cve,CVE-2007-2824 || url,www.milw0rm.com/exploits/3956 || url,doc.emergingthreats.net/2004022 +1 || 2004023 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style SELECT || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004023 +1 || 2004024 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UNION SELECT || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004024 +1 || 2004025 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style INSERT || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004025 +1 || 2004026 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style DELETE || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004026 +1 || 2004027 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style ASCII || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004027 +1 || 2004028 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php style UPDATE || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004028 +1 || 2004029 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue SELECT || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004029 +1 || 2004030 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UNION SELECT || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004030 +1 || 2004031 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue INSERT || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004031 +1 || 2004032 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue DELETE || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004032 +1 || 2004033 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue ASCII || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004033 +1 || 2004034 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtiTracker SQL Injection Attempt -- account_change.php langue UPDATE || cve,CVE-2007-2854 || url,www.milw0rm.com/exploits/3970 || url,doc.emergingthreats.net/2004034 +1 || 2004035 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php SELECT || cve,CVE-2007-2862 || url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded || url,doc.emergingthreats.net/2004035 +1 || 2004036 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UNION SELECT || cve,CVE-2007-2862 || url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded || url,doc.emergingthreats.net/2004036 +1 || 2004037 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php INSERT || cve,CVE-2007-2862 || url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded || url,doc.emergingthreats.net/2004037 +1 || 2004038 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php DELETE || cve,CVE-2007-2862 || url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded || url,doc.emergingthreats.net/2004038 +1 || 2004039 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php ASCII || cve,CVE-2007-2862 || url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded || url,doc.emergingthreats.net/2004039 +1 || 2004040 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CubeCart SQL Injection Attempt -- cart.inc.php UPDATE || cve,CVE-2007-2862 || url,www.securityfocus.com/archive/1/archive/1/469301/100/0/threaded || url,doc.emergingthreats.net/2004040 +1 || 2004041 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id SELECT || cve,CVE-2007-2866 || url,www.frsirt.com/english/advisories/2007/1937 || url,doc.emergingthreats.net/2004041 +1 || 2004042 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UNION SELECT || cve,CVE-2007-2866 || url,www.frsirt.com/english/advisories/2007/1937 || url,doc.emergingthreats.net/2004042 +1 || 2004043 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id INSERT || cve,CVE-2007-2866 || url,www.frsirt.com/english/advisories/2007/1937 || url,doc.emergingthreats.net/2004043 +1 || 2004044 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id DELETE || cve,CVE-2007-2866 || url,www.frsirt.com/english/advisories/2007/1937 || url,doc.emergingthreats.net/2004044 +1 || 2004045 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id ASCII || cve,CVE-2007-2866 || url,www.frsirt.com/english/advisories/2007/1937 || url,doc.emergingthreats.net/2004045 +1 || 2004046 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPEcho CMS SQL Injection Attempt -- gallery.php id UPDATE || cve,CVE-2007-2866 || url,www.frsirt.com/english/advisories/2007/1937 || url,doc.emergingthreats.net/2004046 +1 || 2004047 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen SELECT || cve,CVE-2007-2889 || url,www.milw0rm.com/exploits/3980 || url,doc.emergingthreats.net/2004047 +1 || 2004048 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UNION SELECT || cve,CVE-2007-2889 || url,www.milw0rm.com/exploits/3980 || url,doc.emergingthreats.net/2004048 +1 || 2004049 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen INSERT || cve,CVE-2007-2889 || url,www.milw0rm.com/exploits/3980 || url,doc.emergingthreats.net/2004049 +1 || 2004050 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen DELETE || cve,CVE-2007-2889 || url,www.milw0rm.com/exploits/3980 || url,doc.emergingthreats.net/2004050 +1 || 2004051 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen ASCII || cve,CVE-2007-2889 || url,www.milw0rm.com/exploits/3980 || url,doc.emergingthreats.net/2004051 +1 || 2004052 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- courseLog.php scormcontopen UPDATE || cve,CVE-2007-2889 || url,www.milw0rm.com/exploits/3980 || url,doc.emergingthreats.net/2004052 +1 || 2004053 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category SELECT || cve,CVE-2007-2890 || url,www.milw0rm.com/exploits/3981 || url,doc.emergingthreats.net/2004053 +1 || 2004054 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UNION SELECT || cve,CVE-2007-2890 || url,www.milw0rm.com/exploits/3981 || url,doc.emergingthreats.net/2004054 +1 || 2004055 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category INSERT || cve,CVE-2007-2890 || url,www.milw0rm.com/exploits/3981 || url,doc.emergingthreats.net/2004055 +1 || 2004056 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category DELETE || cve,CVE-2007-2890 || url,www.milw0rm.com/exploits/3981 || url,doc.emergingthreats.net/2004056 +1 || 2004057 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category ASCII || cve,CVE-2007-2890 || url,www.milw0rm.com/exploits/3981 || url,doc.emergingthreats.net/2004057 +1 || 2004058 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- category.php id_category UPDATE || cve,CVE-2007-2890 || url,www.milw0rm.com/exploits/3981 || url,doc.emergingthreats.net/2004058 +1 || 2004059 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating SELECT || cve,CVE-2007-2898 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004059 +1 || 2004060 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UNION SELECT || cve,CVE-2007-2898 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004060 +1 || 2004061 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating INSERT || cve,CVE-2007-2898 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004061 +1 || 2004062 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating DELETE || cve,CVE-2007-2898 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004062 +1 || 2004063 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating ASCII || cve,CVE-2007-2898 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004063 +1 || 2004064 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php rating UPDATE || cve,CVE-2007-2898 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004064 +1 || 2004065 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course SELECT || cve,CVE-2007-2902 || url,www.milw0rm.com/exploits/3974 || url,doc.emergingthreats.net/2004065 +1 || 2004066 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UNION SELECT || cve,CVE-2007-2902 || url,www.milw0rm.com/exploits/3974 || url,doc.emergingthreats.net/2004066 +1 || 2004067 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course INSERT || cve,CVE-2007-2902 || url,www.milw0rm.com/exploits/3974 || url,doc.emergingthreats.net/2004067 +1 || 2004068 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course DELETE || cve,CVE-2007-2902 || url,www.milw0rm.com/exploits/3974 || url,doc.emergingthreats.net/2004068 +1 || 2004069 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course ASCII || cve,CVE-2007-2902 || url,www.milw0rm.com/exploits/3974 || url,doc.emergingthreats.net/2004069 +1 || 2004070 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos SQL Injection Attempt -- my_progress.php course UPDATE || cve,CVE-2007-2902 || url,www.milw0rm.com/exploits/3974 || url,doc.emergingthreats.net/2004070 +1 || 2004071 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id SELECT || cve,CVE-2007-2905 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004071 +1 || 2004072 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UNION SELECT || cve,CVE-2007-2905 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004072 +1 || 2004073 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id INSERT || cve,CVE-2007-2905 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004073 +1 || 2004074 || 12 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id DELETE || cve,CVE-2007-2905 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004074 +1 || 2004075 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id ASCII || cve,CVE-2007-2905 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004075 +1 || 2004076 || 11 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2z Project SQL Injection Attempt -- rating.php post_id UPDATE || cve,CVE-2007-2905 || url,www.securityfocus.com/archive/1/archive/1/469351/100/0/threaded || url,doc.emergingthreats.net/2004076 +1 || 2004077 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT || cve,CVE-2007-2911 || url,www.vbulletin.com/forum/project.php?issueid=21615 || url,doc.emergingthreats.net/2004077 +1 || 2004078 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT || cve,CVE-2007-2911 || url,www.vbulletin.com/forum/project.php?issueid=21615 || url,doc.emergingthreats.net/2004078 +1 || 2004079 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT || cve,CVE-2007-2911 || url,www.vbulletin.com/forum/project.php?issueid=21615 || url,doc.emergingthreats.net/2004079 +1 || 2004080 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE || cve,CVE-2007-2911 || url,www.vbulletin.com/forum/project.php?issueid=21615 || url,doc.emergingthreats.net/2004080 +1 || 2004081 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII || cve,CVE-2007-2911 || url,www.vbulletin.com/forum/project.php?issueid=21615 || url,doc.emergingthreats.net/2004081 +1 || 2004082 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE || cve,CVE-2007-2911 || url,www.vbulletin.com/forum/project.php?issueid=21615 || url,doc.emergingthreats.net/2004082 +1 || 2004083 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid SELECT || cve,CVE-2007-0693 || url,www.securityfocus.com/bid/24201 || url,doc.emergingthreats.net/2004083 +1 || 2004084 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UNION SELECT || cve,CVE-2007-0693 || url,www.securityfocus.com/bid/24201 || url,doc.emergingthreats.net/2004084 +1 || 2004085 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid INSERT || cve,CVE-2007-0693 || url,www.securityfocus.com/bid/24201 || url,doc.emergingthreats.net/2004085 +1 || 2004086 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid DELETE || cve,CVE-2007-0693 || url,www.securityfocus.com/bid/24201 || url,doc.emergingthreats.net/2004086 +1 || 2004087 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid ASCII || cve,CVE-2007-0693 || url,www.securityfocus.com/bid/24201 || url,doc.emergingthreats.net/2004087 +1 || 2004088 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php catid UPDATE || cve,CVE-2007-0693 || url,www.securityfocus.com/bid/24201 || url,doc.emergingthreats.net/2004088 +1 || 2004089 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id SELECT || cve,CVE-2007-2933 || url,www.milw0rm.com/exploits/4003 || url,doc.emergingthreats.net/2004089 +1 || 2004090 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UNION SELECT || cve,CVE-2007-2933 || url,www.milw0rm.com/exploits/4003 || url,doc.emergingthreats.net/2004090 +1 || 2004091 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id INSERT || cve,CVE-2007-2933 || url,www.milw0rm.com/exploits/4003 || url,doc.emergingthreats.net/2004091 +1 || 2004092 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id DELETE || cve,CVE-2007-2933 || url,www.milw0rm.com/exploits/4003 || url,doc.emergingthreats.net/2004092 +1 || 2004093 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id ASCII || cve,CVE-2007-2933 || url,www.milw0rm.com/exploits/4003 || url,doc.emergingthreats.net/2004093 +1 || 2004094 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phil-a-Form SQL Injection Attempt -- index.php form_id UPDATE || cve,CVE-2007-2933 || url,www.milw0rm.com/exploits/4003 || url,doc.emergingthreats.net/2004094 +1 || 2004095 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id SELECT || cve,CVE-2007-2942 || url,www.exploit-db.com/exploits/3989/ || url,doc.emergingthreats.net/2004095 +1 || 2004096 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UNION SELECT || cve,CVE-2007-2942 || url,www.exploit-db.com/exploits/3989/ || url,doc.emergingthreats.net/2004096 +1 || 2004097 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id INSERT || cve,CVE-2007-2942 || url,www.exploit-db.com/exploits/3989/ || url,doc.emergingthreats.net/2004097 +1 || 2004098 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id DELETE || cve,CVE-2007-2942 || url,www.exploit-db.com/exploits/3989/ || url,doc.emergingthreats.net/2004098 +1 || 2004099 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id ASCII || cve,CVE-2007-2942 || url,www.exploit-db.com/exploits/3989/ || url,doc.emergingthreats.net/2004099 +1 || 2004100 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Little Forum SQL Injection Attempt -- user.php id UPDATE || cve,CVE-2007-2942 || url,www.exploit-db.com/exploits/3989/ || url,doc.emergingthreats.net/2004100 +1 || 2004101 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer SELECT || cve,CVE-2007-2959 || url,www.securityfocus.com/bid/24223 || url,doc.emergingthreats.net/2004101 +1 || 2004102 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UNION SELECT || cve,CVE-2007-2959 || url,www.securityfocus.com/bid/24223 || url,doc.emergingthreats.net/2004102 +1 || 2004103 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer INSERT || cve,CVE-2007-2959 || url,www.securityfocus.com/bid/24223 || url,doc.emergingthreats.net/2004103 +1 || 2004104 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer DELETE || cve,CVE-2007-2959 || url,www.securityfocus.com/bid/24223 || url,doc.emergingthreats.net/2004104 +1 || 2004105 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer ASCII || cve,CVE-2007-2959 || url,www.securityfocus.com/bid/24223 || url,doc.emergingthreats.net/2004105 +1 || 2004106 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce SQL Injection Attempt -- manufacturer.php id_manufacturer UPDATE || cve,CVE-2007-2959 || url,www.securityfocus.com/bid/24223 || url,doc.emergingthreats.net/2004106 +1 || 2004108 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid SELECT || cve,CVE-2007-2971 || url,www.milw0rm.com/exploits/3988 || url,doc.emergingthreats.net/2004108 +1 || 2004109 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UNION SELECT || cve,CVE-2007-2971 || url,www.milw0rm.com/exploits/3988 || url,doc.emergingthreats.net/2004109 +1 || 2004110 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid INSERT || cve,CVE-2007-2971 || url,www.milw0rm.com/exploits/3988 || url,doc.emergingthreats.net/2004110 +1 || 2004111 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid DELETE || cve,CVE-2007-2971 || url,www.milw0rm.com/exploits/3988 || url,doc.emergingthreats.net/2004111 +1 || 2004112 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid ASCII || cve,CVE-2007-2971 || url,www.milw0rm.com/exploits/3988 || url,doc.emergingthreats.net/2004112 +1 || 2004113 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gCards SQL Injection Attempt -- getnewsitem.php newsid UPDATE || cve,CVE-2007-2971 || url,www.milw0rm.com/exploits/3988 || url,doc.emergingthreats.net/2004113 +1 || 2004114 || 7 || trojan-activity || 0 || ET USER_AGENTS Bancos User-Agent Detected vb wininet || url,doc.emergingthreats.net/2004114 +1 || 2004116 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid SELECT || cve,CVE-2007-1615 || url,www.milw0rm.com/exploits/3509 || url,doc.emergingthreats.net/2004116 +1 || 2004117 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UNION SELECT || cve,CVE-2007-1615 || url,www.milw0rm.com/exploits/3509 || url,doc.emergingthreats.net/2004117 +1 || 2004118 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid INSERT || cve,CVE-2007-1615 || url,www.milw0rm.com/exploits/3509 || url,doc.emergingthreats.net/2004118 +1 || 2004119 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid DELETE || cve,CVE-2007-1615 || url,www.milw0rm.com/exploits/3509 || url,doc.emergingthreats.net/2004119 +1 || 2004120 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid ASCII || cve,CVE-2007-1615 || url,www.milw0rm.com/exploits/3509 || url,doc.emergingthreats.net/2004120 +1 || 2004121 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMagix Jokes SQL Injection Attempt -- index.php catid UPDATE || cve,CVE-2007-1615 || url,www.milw0rm.com/exploits/3509 || url,doc.emergingthreats.net/2004121 +1 || 2004122 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna SELECT || cve,CVE-2007-1612 || url,www.exploit-db.com/exploits/3513/ || url,doc.emergingthreats.net/2004122 +1 || 2004123 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UNION SELECT || cve,CVE-2007-1612 || url,www.exploit-db.com/exploits/3513/ || url,doc.emergingthreats.net/2004123 +1 || 2004124 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna INSERT || cve,CVE-2007-1612 || url,www.exploit-db.com/exploits/3513/ || url,doc.emergingthreats.net/2004124 +1 || 2004125 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna DELETE || cve,CVE-2007-1612 || url,www.exploit-db.com/exploits/3513/ || url,doc.emergingthreats.net/2004125 +1 || 2004126 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna ASCII || cve,CVE-2007-1612 || url,www.exploit-db.com/exploits/3513/ || url,doc.emergingthreats.net/2004126 +1 || 2004127 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Katalog Plyt Audio SQL Injection Attempt -- index.php kolumna UPDATE || cve,CVE-2007-1612 || url,www.exploit-db.com/exploits/3513/ || url,doc.emergingthreats.net/2004127 +1 || 2004128 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum SELECT || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004128 +1 || 2004129 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UNION SELECT || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004129 +1 || 2004130 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum INSERT || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004130 +1 || 2004131 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum DELETE || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004131 +1 || 2004132 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum ASCII || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004132 +1 || 2004133 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_forum UPDATE || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004133 +1 || 2004134 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user SELECT || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004134 +1 || 2004135 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UNION SELECT || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004135 +1 || 2004136 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user INSERT || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004136 +1 || 2004137 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user DELETE || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004137 +1 || 2004138 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user ASCII || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004138 +1 || 2004139 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS w-Agora SQL Injection Attempt -- search.php search_user UPDATE || cve,CVE-2007-1607 || url,www.securityfocus.com/bid/23057 || url,doc.emergingthreats.net/2004139 +1 || 2004140 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order SELECT || cve,CVE-2007-1602 || url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded || url,doc.emergingthreats.net/2004140 +1 || 2004141 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UNION SELECT || cve,CVE-2007-1602 || url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded || url,doc.emergingthreats.net/2004141 +1 || 2004142 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order INSERT || cve,CVE-2007-1602 || url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded || url,doc.emergingthreats.net/2004142 +1 || 2004143 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order DELETE || cve,CVE-2007-1602 || url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded || url,doc.emergingthreats.net/2004143 +1 || 2004144 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order ASCII || cve,CVE-2007-1602 || url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded || url,doc.emergingthreats.net/2004144 +1 || 2004145 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Weekly Drawing Contest SQL Injection Attempt -- check_vote.php order UPDATE || cve,CVE-2007-1602 || url,www.securityfocus.com/archive/1/archive/1/462702/100/100/threaded || url,doc.emergingthreats.net/2004145 +1 || 2004146 || 8 || web-application-attack || 0 || ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT || cve,CVE-2007-1573 || url,www.secunia.com/advisories/24503 || url,doc.emergingthreats.net/2004146 +1 || 2004147 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UNION SELECT || cve,CVE-2007-1573 || url,www.secunia.com/advisories/24503 || url,doc.emergingthreats.net/2004147 +1 || 2004148 || 8 || web-application-attack || 0 || ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT || cve,CVE-2007-1573 || url,www.secunia.com/advisories/24503 || url,doc.emergingthreats.net/2004148 +1 || 2004149 || 8 || web-application-attack || 0 || ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE || cve,CVE-2007-1573 || url,www.secunia.com/advisories/24503 || url,doc.emergingthreats.net/2004149 +1 || 2004150 || 8 || web-application-attack || 0 || ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII || cve,CVE-2007-1573 || url,www.secunia.com/advisories/24503 || url,doc.emergingthreats.net/2004150 +1 || 2004151 || 8 || web-application-attack || 0 || ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE || cve,CVE-2007-1573 || url,www.secunia.com/advisories/24503 || url,doc.emergingthreats.net/2004151 +1 || 2004152 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title SELECT || cve,CVE-2007-1572 || url,www.frsirt.com/english/advisories/2007/0940 || url,doc.emergingthreats.net/2004152 +1 || 2004153 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UNION SELECT || cve,CVE-2007-1572 || url,www.frsirt.com/english/advisories/2007/0940 || url,doc.emergingthreats.net/2004153 +1 || 2004154 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title INSERT || cve,CVE-2007-1572 || url,www.frsirt.com/english/advisories/2007/0940 || url,doc.emergingthreats.net/2004154 +1 || 2004155 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title DELETE || cve,CVE-2007-1572 || url,www.frsirt.com/english/advisories/2007/0940 || url,doc.emergingthreats.net/2004155 +1 || 2004156 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title ASCII || cve,CVE-2007-1572 || url,www.frsirt.com/english/advisories/2007/0940 || url,doc.emergingthreats.net/2004156 +1 || 2004157 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp title UPDATE || cve,CVE-2007-1572 || url,www.frsirt.com/english/advisories/2007/0940 || url,doc.emergingthreats.net/2004157 +1 || 2004158 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID SELECT || cve,CVE-2007-1566 || url,www.exploit-db.com/exploits/3520/ || url,doc.emergingthreats.net/2004158 +1 || 2004159 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UNION SELECT || cve,CVE-2007-1566 || url,www.exploit-db.com/exploits/3520/ || url,doc.emergingthreats.net/2004159 +1 || 2004160 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID INSERT || cve,CVE-2007-1566 || url,www.exploit-db.com/exploits/3520/ || url,doc.emergingthreats.net/2004160 +1 || 2004161 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID DELETE || cve,CVE-2007-1566 || url,www.exploit-db.com/exploits/3520/ || url,doc.emergingthreats.net/2004161 +1 || 2004162 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID ASCII || cve,CVE-2007-1566 || url,www.exploit-db.com/exploits/3520/ || url,doc.emergingthreats.net/2004162 +1 || 2004163 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetVIOS Portal SQL Injection Attempt -- page.asp NewsID UPDATE || cve,CVE-2007-1566 || url,www.exploit-db.com/exploits/3520/ || url,doc.emergingthreats.net/2004163 +1 || 2004164 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c SELECT || cve,CVE-2007-1555 || url,www.milw0rm.com/exploits/3519 || url,doc.emergingthreats.net/2004164 +1 || 2004165 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UNION SELECT || cve,CVE-2007-1555 || url,www.milw0rm.com/exploits/3519 || url,doc.emergingthreats.net/2004165 +1 || 2004166 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c INSERT || cve,CVE-2007-1555 || url,www.milw0rm.com/exploits/3519 || url,doc.emergingthreats.net/2004166 +1 || 2004167 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c DELETE || cve,CVE-2007-1555 || url,www.milw0rm.com/exploits/3519 || url,doc.emergingthreats.net/2004167 +1 || 2004168 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c ASCII || cve,CVE-2007-1555 || url,www.milw0rm.com/exploits/3519 || url,doc.emergingthreats.net/2004168 +1 || 2004169 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Minerva mod SQL Injection Attempt -- forum.php c UPDATE || cve,CVE-2007-1555 || url,www.milw0rm.com/exploits/3519 || url,doc.emergingthreats.net/2004169 +1 || 2004170 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004170 +1 || 2004171 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004171 +1 || 2004172 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004172 +1 || 2004173 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004173 +1 || 2004174 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004174 +1 || 2004175 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php image_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004175 +1 || 2004176 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004176 +1 || 2004177 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004177 +1 || 2004178 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004178 +1 || 2004179 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004179 +1 || 2004180 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004180 +1 || 2004181 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- gallery.php cat_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004181 +1 || 2004182 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004182 +1 || 2004183 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004183 +1 || 2004184 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004184 +1 || 2004185 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004185 +1 || 2004186 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004186 +1 || 2004187 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004187 +1 || 2004188 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004188 +1 || 2004189 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004189 +1 || 2004190 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004190 +1 || 2004191 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004191 +1 || 2004192 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004192 +1 || 2004193 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- print.php news_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004193 +1 || 2004194 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004194 +1 || 2004195 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004195 +1 || 2004196 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004196 +1 || 2004197 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004197 +1 || 2004198 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004198 +1 || 2004199 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- news.php news_cat_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004199 +1 || 2004200 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004200 +1 || 2004201 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004201 +1 || 2004202 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004202 +1 || 2004203 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004203 +1 || 2004204 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004204 +1 || 2004205 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php cat_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004205 +1 || 2004206 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004206 +1 || 2004207 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004207 +1 || 2004208 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004208 +1 || 2004209 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004209 +1 || 2004210 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004210 +1 || 2004211 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php topic_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004211 +1 || 2004212 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004212 +1 || 2004213 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004213 +1 || 2004214 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004214 +1 || 2004215 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004215 +1 || 2004216 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004216 +1 || 2004217 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- forums.php post_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004217 +1 || 2004218 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004218 +1 || 2004219 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UNION SELECT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004219 +1 || 2004220 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id INSERT || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004220 +1 || 2004221 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id DELETE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004221 +1 || 2004222 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id ASCII || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004222 +1 || 2004223 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpx SQL Injection Attempt -- users.php user_id UPDATE || cve,CVE-2007-1550 || url,www.securityfocus.com/bid/23033 || url,doc.emergingthreats.net/2004223 +1 || 2004224 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp SELECT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004224 +1 || 2004225 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UNION SELECT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004225 +1 || 2004226 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp INSERT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004226 +1 || 2004227 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp DELETE || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004227 +1 || 2004228 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp ASCII || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004228 +1 || 2004229 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- functions_filters.asp UPDATE || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004229 +1 || 2004230 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name SELECT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004230 +1 || 2004231 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UNION SELECT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004231 +1 || 2004232 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name INSERT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004232 +1 || 2004233 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name DELETE || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004233 +1 || 2004234 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name UPDATE || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004234 +1 || 2004235 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID SELECT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004235 +1 || 2004236 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UNION SELECT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004236 +1 || 2004237 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID INSERT || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004237 +1 || 2004238 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID DELETE || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004238 +1 || 2004239 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID ASCII || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004239 +1 || 2004240 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- page.asp NewsID UPDATE || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004240 +1 || 2004241 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip SELECT || cve,CVE-2006-7172 || url,www.milw0rm.com/exploits/3497 || url,doc.emergingthreats.net/2004241 +1 || 2004242 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UNION SELECT || cve,CVE-2006-7172 || url,www.milw0rm.com/exploits/3497 || url,doc.emergingthreats.net/2004242 +1 || 2004243 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip INSERT || cve,CVE-2006-7172 || url,www.milw0rm.com/exploits/3497 || url,doc.emergingthreats.net/2004243 +1 || 2004244 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip DELETE || cve,CVE-2006-7172 || url,www.milw0rm.com/exploits/3497 || url,doc.emergingthreats.net/2004244 +1 || 2004245 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip ASCII || cve,CVE-2006-7172 || url,www.milw0rm.com/exploits/3497 || url,doc.emergingthreats.net/2004245 +1 || 2004246 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Stats SQL Injection Attempt -- php-stats.recphp.php ip UPDATE || cve,CVE-2006-7172 || url,www.milw0rm.com/exploits/3497 || url,doc.emergingthreats.net/2004246 +1 || 2004247 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php SELECT || cve,CVE-2007-1518 || url,www.securityfocus.com/bid/22970 || url,doc.emergingthreats.net/2004247 +1 || 2004248 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UNION SELECT || cve,CVE-2007-1518 || url,www.securityfocus.com/bid/22970 || url,doc.emergingthreats.net/2004248 +1 || 2004249 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php INSERT || cve,CVE-2007-1518 || url,www.securityfocus.com/bid/22970 || url,doc.emergingthreats.net/2004249 +1 || 2004250 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php DELETE || cve,CVE-2007-1518 || url,www.securityfocus.com/bid/22970 || url,doc.emergingthreats.net/2004250 +1 || 2004251 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php ASCII || cve,CVE-2007-1518 || url,www.securityfocus.com/bid/22970 || url,doc.emergingthreats.net/2004251 +1 || 2004252 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board SQL Injection Attempt -- usergroups.php UPDATE || cve,CVE-2007-1518 || url,www.securityfocus.com/bid/22970 || url,doc.emergingthreats.net/2004252 +1 || 2004253 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id SELECT || cve,CVE-2007-1517 || url,www.milw0rm.com/exploits/3477 || url,doc.emergingthreats.net/2004253 +1 || 2004254 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UNION SELECT || cve,CVE-2007-1517 || url,www.milw0rm.com/exploits/3477 || url,doc.emergingthreats.net/2004254 +1 || 2004255 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id INSERT || cve,CVE-2007-1517 || url,www.milw0rm.com/exploits/3477 || url,doc.emergingthreats.net/2004255 +1 || 2004256 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id DELETE || cve,CVE-2007-1517 || url,www.milw0rm.com/exploits/3477 || url,doc.emergingthreats.net/2004256 +1 || 2004257 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id ASCII || cve,CVE-2007-1517 || url,www.milw0rm.com/exploits/3477 || url,doc.emergingthreats.net/2004257 +1 || 2004258 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSN Guest SQL Injection Attempt -- comments.php id UPDATE || cve,CVE-2007-1517 || url,www.milw0rm.com/exploits/3477 || url,doc.emergingthreats.net/2004258 +1 || 2004259 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid SELECT || cve,CVE-2007-1510 || url,www.milw0rm.com/exploits/3500 || url,doc.emergingthreats.net/2004259 +1 || 2004260 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UNION SELECT || cve,CVE-2007-1510 || url,www.milw0rm.com/exploits/3500 || url,doc.emergingthreats.net/2004260 +1 || 2004261 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid INSERT || cve,CVE-2007-1510 || url,www.milw0rm.com/exploits/3500 || url,doc.emergingthreats.net/2004261 +1 || 2004262 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid DELETE || cve,CVE-2007-1510 || url,www.milw0rm.com/exploits/3500 || url,doc.emergingthreats.net/2004262 +1 || 2004263 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid ASCII || cve,CVE-2007-1510 || url,www.milw0rm.com/exploits/3500 || url,doc.emergingthreats.net/2004263 +1 || 2004264 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- post.php postid UPDATE || cve,CVE-2007-1510 || url,www.milw0rm.com/exploits/3500 || url,doc.emergingthreats.net/2004264 +1 || 2004265 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT || cve,CVE-2006-7171 || url,xforce.iss.net/xforce/xfdb/30215 || url,doc.emergingthreats.net/2004265 +1 || 2004266 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT || cve,CVE-2006-7171 || url,xforce.iss.net/xforce/xfdb/30215 || url,doc.emergingthreats.net/2004266 +1 || 2004267 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT || cve,CVE-2006-7171 || url,xforce.iss.net/xforce/xfdb/30215 || url,doc.emergingthreats.net/2004267 +1 || 2004268 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE || cve,CVE-2006-7171 || url,xforce.iss.net/xforce/xfdb/30215 || url,doc.emergingthreats.net/2004268 +1 || 2004269 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII || cve,CVE-2006-7171 || url,xforce.iss.net/xforce/xfdb/30215 || url,doc.emergingthreats.net/2004269 +1 || 2004270 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE || cve,CVE-2006-7171 || url,xforce.iss.net/xforce/xfdb/30215 || url,doc.emergingthreats.net/2004270 +1 || 2004271 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004271 +1 || 2004272 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UNION SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004272 +1 || 2004273 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t INSERT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004273 +1 || 2004274 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t DELETE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004274 +1 || 2004275 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t ASCII || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004275 +1 || 2004276 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php t UPDATE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004276 +1 || 2004277 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004277 +1 || 2004278 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UNION SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004278 +1 || 2004279 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId INSERT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004279 +1 || 2004280 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId DELETE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004280 +1 || 2004281 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId ASCII || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004281 +1 || 2004282 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php productId UPDATE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004282 +1 || 2004283 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004283 +1 || 2004284 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UNION SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004284 +1 || 2004285 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk INSERT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004285 +1 || 2004286 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk DELETE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004286 +1 || 2004287 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk ASCII || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004287 +1 || 2004288 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php sk UPDATE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004288 +1 || 2004289 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004289 +1 || 2004290 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UNION SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004290 +1 || 2004291 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x INSERT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004291 +1 || 2004292 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x DELETE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004292 +1 || 2004293 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x ASCII || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004293 +1 || 2004294 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php x UPDATE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004294 +1 || 2004295 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004295 +1 || 2004296 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UNION SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004296 +1 || 2004297 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so INSERT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004297 +1 || 2004298 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so DELETE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004298 +1 || 2004299 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so ASCII || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004299 +1 || 2004300 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- product_review.php so UPDATE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004300 +1 || 2004301 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004301 +1 || 2004302 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UNION SELECT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004302 +1 || 2004303 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo INSERT || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004303 +1 || 2004304 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo DELETE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004304 +1 || 2004305 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo ASCII || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004305 +1 || 2004306 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Koan Software Mega Mall SQL Injection Attempt -- order-track.php orderNo UPDATE || cve,CVE-2006-7170 || url,www.securityfocus.com/bid/21072 || url,doc.emergingthreats.net/2004306 +1 || 2004307 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT || cve,CVE-2007-1493 || url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded || url,doc.emergingthreats.net/2004307 +1 || 2004308 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT || cve,CVE-2007-1493 || url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded || url,doc.emergingthreats.net/2004308 +1 || 2004309 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT || cve,CVE-2007-1493 || url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded || url,doc.emergingthreats.net/2004309 +1 || 2004310 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE || cve,CVE-2007-1493 || url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded || url,doc.emergingthreats.net/2004310 +1 || 2004311 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII || cve,CVE-2007-1493 || url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded || url,doc.emergingthreats.net/2004311 +1 || 2004312 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE || cve,CVE-2007-1493 || url,www.securityfocus.com/archive/1/archive/1/462453/100/0/threaded || url,doc.emergingthreats.net/2004312 +1 || 2004313 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id SELECT || cve,CVE-2007-1481 || url,www.milw0rm.com/exploits/3490 || url,doc.emergingthreats.net/2004313 +1 || 2004314 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UNION SELECT || cve,CVE-2007-1481 || url,www.milw0rm.com/exploits/3490 || url,doc.emergingthreats.net/2004314 +1 || 2004315 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id INSERT || cve,CVE-2007-1481 || url,www.milw0rm.com/exploits/3490 || url,doc.emergingthreats.net/2004315 +1 || 2004316 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id DELETE || cve,CVE-2007-1481 || url,www.milw0rm.com/exploits/3490 || url,doc.emergingthreats.net/2004316 +1 || 2004317 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id UPDATE || cve,CVE-2007-1481 || url,www.milw0rm.com/exploits/3490 || url,doc.emergingthreats.net/2004317 +1 || 2004318 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WBBlog SQL Injection Attempt -- index.php e_id ASCII || cve,CVE-2007-1481 || url,www.milw0rm.com/exploits/3490 || url,doc.emergingthreats.net/2004318 +1 || 2004319 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid SELECT || cve,CVE-2007-1469 || url,www.securityfocus.com/bid/22988 || url,doc.emergingthreats.net/2004319 +1 || 2004320 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UNION SELECT || cve,CVE-2007-1469 || url,www.securityfocus.com/bid/22988 || url,doc.emergingthreats.net/2004320 +1 || 2004321 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid INSERT || cve,CVE-2007-1469 || url,www.securityfocus.com/bid/22988 || url,doc.emergingthreats.net/2004321 +1 || 2004322 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid DELETE || cve,CVE-2007-1469 || url,www.securityfocus.com/bid/22988 || url,doc.emergingthreats.net/2004322 +1 || 2004323 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid ASCII || cve,CVE-2007-1469 || url,www.securityfocus.com/bid/22988 || url,doc.emergingthreats.net/2004323 +1 || 2004324 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Absolute Image Gallery SQL Injection Attempt -- gallery.asp categoryid UPDATE || cve,CVE-2007-1469 || url,www.securityfocus.com/bid/22988 || url,doc.emergingthreats.net/2004324 +1 || 2004325 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang SELECT || cve,CVE-2007-1450 || url,www.securityfocus.com/bid/22909 || url,doc.emergingthreats.net/2004325 +1 || 2004326 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UNION SELECT || cve,CVE-2007-1450 || url,www.securityfocus.com/bid/22909 || url,doc.emergingthreats.net/2004326 +1 || 2004327 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang INSERT || cve,CVE-2007-1450 || url,www.securityfocus.com/bid/22909 || url,doc.emergingthreats.net/2004327 +1 || 2004328 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang DELETE || cve,CVE-2007-1450 || url,www.securityfocus.com/bid/22909 || url,doc.emergingthreats.net/2004328 +1 || 2004329 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang ASCII || cve,CVE-2007-1450 || url,www.securityfocus.com/bid/22909 || url,doc.emergingthreats.net/2004329 +1 || 2004330 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- mainfile.php lang UPDATE || cve,CVE-2007-1450 || url,www.securityfocus.com/bid/22909 || url,doc.emergingthreats.net/2004330 +1 || 2004331 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout SELECT || cve,CVE-2007-1445 || url,www.milw0rm.com/exploits/3466 || url,doc.emergingthreats.net/2004331 +1 || 2004332 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UNION SELECT || cve,CVE-2007-1445 || url,www.milw0rm.com/exploits/3466 || url,doc.emergingthreats.net/2004332 +1 || 2004333 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout INSERT || cve,CVE-2007-1445 || url,www.milw0rm.com/exploits/3466 || url,doc.emergingthreats.net/2004333 +1 || 2004334 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout DELETE || cve,CVE-2007-1445 || url,www.milw0rm.com/exploits/3466 || url,doc.emergingthreats.net/2004334 +1 || 2004335 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout ASCII || cve,CVE-2007-1445 || url,www.milw0rm.com/exploits/3466 || url,doc.emergingthreats.net/2004335 +1 || 2004336 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BP Blog SQL Injection Attempt -- default.asp layout UPDATE || cve,CVE-2007-1445 || url,www.milw0rm.com/exploits/3466 || url,doc.emergingthreats.net/2004336 +1 || 2004337 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author SELECT || cve,CVE-2007-1440 || url,www.milw0rm.com/exploits/3470 || url,doc.emergingthreats.net/2004337 +1 || 2004338 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UNION SELECT || cve,CVE-2007-1440 || url,www.milw0rm.com/exploits/3470 || url,doc.emergingthreats.net/2004338 +1 || 2004339 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author INSERT || cve,CVE-2007-1440 || url,www.milw0rm.com/exploits/3470 || url,doc.emergingthreats.net/2004339 +1 || 2004340 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author DELETE || cve,CVE-2007-1440 || url,www.milw0rm.com/exploits/3470 || url,doc.emergingthreats.net/2004340 +1 || 2004341 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author ASCII || cve,CVE-2007-1440 || url,www.milw0rm.com/exploits/3470 || url,doc.emergingthreats.net/2004341 +1 || 2004342 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JGBBS SQL Injection Attempt -- search.asp author UPDATE || cve,CVE-2007-1440 || url,www.milw0rm.com/exploits/3470 || url,doc.emergingthreats.net/2004342 +1 || 2004343 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id SELECT || cve,CVE-2007-1438 || url,www.milw0rm.com/exploits/3469 || url,doc.emergingthreats.net/2004343 +1 || 2004344 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UNION SELECT || cve,CVE-2007-1438 || url,www.milw0rm.com/exploits/3469 || url,doc.emergingthreats.net/2004344 +1 || 2004345 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id INSERT || cve,CVE-2007-1438 || url,www.milw0rm.com/exploits/3469 || url,doc.emergingthreats.net/2004345 +1 || 2004346 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id DELETE || cve,CVE-2007-1438 || url,www.milw0rm.com/exploits/3469 || url,doc.emergingthreats.net/2004346 +1 || 2004347 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id ASCII || cve,CVE-2007-1438 || url,www.milw0rm.com/exploits/3469 || url,doc.emergingthreats.net/2004347 +1 || 2004348 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-Ice News System SQL Injection Attempt -- devami.asp id UPDATE || cve,CVE-2007-1438 || url,www.milw0rm.com/exploits/3469 || url,doc.emergingthreats.net/2004348 +1 || 2004349 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id SELECT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004349 +1 || 2004350 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UNION SELECT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004350 +1 || 2004351 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id INSERT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004351 +1 || 2004352 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id DELETE || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004352 +1 || 2004353 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id ASCII || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004353 +1 || 2004354 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- userdetail.php id UPDATE || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004354 +1 || 2004355 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id SELECT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004355 +1 || 2004356 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UNION SELECT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004356 +1 || 2004357 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id INSERT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004357 +1 || 2004358 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id DELETE || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004358 +1 || 2004359 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id ASCII || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004359 +1 || 2004360 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php id UPDATE || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004360 +1 || 2004361 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id SELECT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004361 +1 || 2004362 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UNION SELECT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004362 +1 || 2004363 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id INSERT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004363 +1 || 2004364 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id DELETE || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004364 +1 || 2004365 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id ASCII || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004365 +1 || 2004366 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- detail.php id UPDATE || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004366 +1 || 2004367 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url SELECT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004367 +1 || 2004368 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UNION SELECT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004368 +1 || 2004369 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url INSERT || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004369 +1 || 2004370 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url DELETE || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004370 +1 || 2004371 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url ASCII || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004371 +1 || 2004372 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grayscale Blog SQL Injection Attempt -- jump.php url UPDATE || cve,CVE-2007-1434 || url,www.securityfocus.com/bid/22911 || url,doc.emergingthreats.net/2004372 +1 || 2004373 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary SELECT || cve,CVE-2007-1428 || url,www.exploit-db.com/exploits/3455/ || url,doc.emergingthreats.net/2004373 +1 || 2004374 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UNION SELECT || cve,CVE-2007-1428 || url,www.exploit-db.com/exploits/3455/ || url,doc.emergingthreats.net/2004374 +1 || 2004375 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary INSERT || cve,CVE-2007-1428 || url,www.exploit-db.com/exploits/3455/ || url,doc.emergingthreats.net/2004375 +1 || 2004376 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary DELETE || cve,CVE-2007-1428 || url,www.exploit-db.com/exploits/3455/ || url,doc.emergingthreats.net/2004376 +1 || 2004377 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary ASCII || cve,CVE-2007-1428 || url,www.exploit-db.com/exploits/3455/ || url,doc.emergingthreats.net/2004377 +1 || 2004378 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Labs JobSitePro SQL Injection Attempt -- search.php salary UPDATE || cve,CVE-2007-1428 || url,www.exploit-db.com/exploits/3455/ || url,doc.emergingthreats.net/2004378 +1 || 2004379 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list SELECT || cve,CVE-2007-1425 || url,www.milw0rm.com/exploits/3457 || url,doc.emergingthreats.net/2004379 +1 || 2004380 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UNION SELECT || cve,CVE-2007-1425 || url,www.milw0rm.com/exploits/3457 || url,doc.emergingthreats.net/2004380 +1 || 2004381 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list INSERT || cve,CVE-2007-1425 || url,www.milw0rm.com/exploits/3457 || url,doc.emergingthreats.net/2004381 +1 || 2004382 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list DELETE || cve,CVE-2007-1425 || url,www.milw0rm.com/exploits/3457 || url,doc.emergingthreats.net/2004382 +1 || 2004383 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list ASCII || cve,CVE-2007-1425 || url,www.milw0rm.com/exploits/3457 || url,doc.emergingthreats.net/2004383 +1 || 2004384 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Triexa SonicMailer Pro SQL Injection Attempt -- index.php list UPDATE || cve,CVE-2007-1425 || url,www.milw0rm.com/exploits/3457 || url,doc.emergingthreats.net/2004384 +1 || 2004385 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id SELECT || cve,CVE-2007-1422 || url,www.securityfocus.com/bid/22910 || url,doc.emergingthreats.net/2004385 +1 || 2004386 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UNION SELECT || cve,CVE-2007-1422 || url,www.securityfocus.com/bid/22910 || url,doc.emergingthreats.net/2004386 +1 || 2004387 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id INSERT || cve,CVE-2007-1422 || url,www.securityfocus.com/bid/22910 || url,doc.emergingthreats.net/2004387 +1 || 2004388 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id DELETE || cve,CVE-2007-1422 || url,www.securityfocus.com/bid/22910 || url,doc.emergingthreats.net/2004388 +1 || 2004389 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id ASCII || cve,CVE-2007-1422 || url,www.securityfocus.com/bid/22910 || url,doc.emergingthreats.net/2004389 +1 || 2004390 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fystyq Duyuru Scripti SQL Injection Attempt -- goster.asp id UPDATE || cve,CVE-2007-1422 || url,www.securityfocus.com/bid/22910 || url,doc.emergingthreats.net/2004390 +1 || 2004397 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori SELECT || cve,CVE-2007-1410 || url,www.milw0rm.com/exploits/3437 || url,doc.emergingthreats.net/2004397 +1 || 2004398 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UNION SELECT || cve,CVE-2007-1410 || url,www.milw0rm.com/exploits/3437 || url,doc.emergingthreats.net/2004398 +1 || 2004399 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori INSERT || cve,CVE-2007-1410 || url,www.milw0rm.com/exploits/3437 || url,doc.emergingthreats.net/2004399 +1 || 2004400 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori DELETE || cve,CVE-2007-1410 || url,www.milw0rm.com/exploits/3437 || url,doc.emergingthreats.net/2004400 +1 || 2004401 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori ASCII || cve,CVE-2007-1410 || url,www.milw0rm.com/exploits/3437 || url,doc.emergingthreats.net/2004401 +1 || 2004402 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaziYapBoz Game Portal SQL Injection Attempt -- kategori.asp kategori UPDATE || cve,CVE-2007-1410 || url,www.milw0rm.com/exploits/3437 || url,doc.emergingthreats.net/2004402 +1 || 2004403 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php SELECT || cve,CVE-2007-1409 || url,www.secunia.com/advisories/24566 || url,doc.emergingthreats.net/2004403 +1 || 2004404 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UNION SELECT || cve,CVE-2007-1409 || url,www.secunia.com/advisories/24566 || url,doc.emergingthreats.net/2004404 +1 || 2004405 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php INSERT || cve,CVE-2007-1409 || url,www.secunia.com/advisories/24566 || url,doc.emergingthreats.net/2004405 +1 || 2004406 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php DELETE || cve,CVE-2007-1409 || url,www.secunia.com/advisories/24566 || url,doc.emergingthreats.net/2004406 +1 || 2004407 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php ASCII || cve,CVE-2007-1409 || url,www.secunia.com/advisories/24566 || url,doc.emergingthreats.net/2004407 +1 || 2004408 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- admin-functions.php UPDATE || cve,CVE-2007-1409 || url,www.secunia.com/advisories/24566 || url,doc.emergingthreats.net/2004408 +1 || 2004409 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt SELECT || cve,CVE-2007-1339 || url,www.exploit-db.com/exploits/3416/ || url,doc.emergingthreats.net/2004409 +1 || 2004410 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UNION SELECT || cve,CVE-2007-1339 || url,www.exploit-db.com/exploits/3416/ || url,doc.emergingthreats.net/2004410 +1 || 2004411 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt INSERT || cve,CVE-2007-1339 || url,www.exploit-db.com/exploits/3416/ || url,doc.emergingthreats.net/2004411 +1 || 2004412 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt DELETE || cve,CVE-2007-1339 || url,www.exploit-db.com/exploits/3416/ || url,doc.emergingthreats.net/2004412 +1 || 2004413 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt ASCII || cve,CVE-2007-1339 || url,www.exploit-db.com/exploits/3416/ || url,doc.emergingthreats.net/2004413 +1 || 2004414 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Links Management Application SQL Injection Attempt -- index.php lcnt UPDATE || cve,CVE-2007-1339 || url,www.exploit-db.com/exploits/3416/ || url,doc.emergingthreats.net/2004414 +1 || 2004415 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity SELECT || cve,CVE-2007-1326 || url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded || url,doc.emergingthreats.net/2004415 +1 || 2004416 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UNION SELECT || cve,CVE-2007-1326 || url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded || url,doc.emergingthreats.net/2004416 +1 || 2004417 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity INSERT || cve,CVE-2007-1326 || url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded || url,doc.emergingthreats.net/2004417 +1 || 2004418 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity DELETE || cve,CVE-2007-1326 || url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded || url,doc.emergingthreats.net/2004418 +1 || 2004419 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity ASCII || cve,CVE-2007-1326 || url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded || url,doc.emergingthreats.net/2004419 +1 || 2004420 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Serendipity SQL Injection Attempt -- index.php serendipity UPDATE || cve,CVE-2007-1326 || url,www.securityfocus.com/archive/1/archive/1/461671/100/0/threaded || url,doc.emergingthreats.net/2004420 +1 || 2004421 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre SELECT || cve,CVE-2006-7161 || url,www.securityfocus.com/bid/20375 || url,doc.emergingthreats.net/2004421 +1 || 2004422 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UNION SELECT || cve,CVE-2006-7161 || url,www.securityfocus.com/bid/20375 || url,doc.emergingthreats.net/2004422 +1 || 2004423 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre INSERT || cve,CVE-2006-7161 || url,www.securityfocus.com/bid/20375 || url,doc.emergingthreats.net/2004423 +1 || 2004424 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre DELETE || cve,CVE-2006-7161 || url,www.securityfocus.com/bid/20375 || url,doc.emergingthreats.net/2004424 +1 || 2004425 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre ASCII || cve,CVE-2006-7161 || url,www.securityfocus.com/bid/20375 || url,doc.emergingthreats.net/2004425 +1 || 2004426 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hazir Site SQL Injection Attempt -- giris_yap.asp sifre UPDATE || cve,CVE-2006-7161 || url,www.securityfocus.com/bid/20375 || url,doc.emergingthreats.net/2004426 +1 || 2004427 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname SELECT || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004427 +1 || 2004428 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UNION SELECT || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004428 +1 || 2004429 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname INSERT || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004429 +1 || 2004430 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname DELETE || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004430 +1 || 2004431 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname ASCII || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004431 +1 || 2004432 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- moscomment.php mcname UPDATE || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004432 +1 || 2004433 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname SELECT || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004433 +1 || 2004434 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UNION SELECT || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004434 +1 || 2004435 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname INSERT || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004435 +1 || 2004436 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname DELETE || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004436 +1 || 2004437 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname ASCII || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004437 +1 || 2004438 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo SQL Injection Attempt -- com_comment.php mcname UPDATE || cve,CVE-2006-7150 || url,www.securityfocus.com/bid/20650 || url,doc.emergingthreats.net/2004438 +1 || 2004439 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Wiz Forums SQL Injection Attempt -- pop_up_member_search.asp name ASCII || cve,CVE-2007-1548 || url,www.securityfocus.com/bid/23051 || url,doc.emergingthreats.net/2004439 +1 || 2004440 || 7 || trojan-activity || 0 || ET TROJAN Banload User-Agent Detected (ExampleDL) || url,doc.emergingthreats.net/2004440 +1 || 2004442 || 8 || trojan-activity || 0 || ET TROJAN Banker.Delf User-Agent (hhh) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2004442 +1 || 2004443 || 9 || trojan-activity || 0 || ET TROJAN KKtone Suspicious User-Agent (KKTone) || url,doc.emergingthreats.net/bin/view/Main/2004443 +1 || 2004449 || 6 || denial-of-service || 0 || ET DELETED PacketShaper DoS attempt || url,doc.emergingthreats.net/2004449 +1 || 2004450 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp SELECT || cve,CVE-2007-2992 || url,www.securityfocus.com/bid/24275 || url,doc.emergingthreats.net/2004450 +1 || 2004451 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UNION SELECT || cve,CVE-2007-2992 || url,www.securityfocus.com/bid/24275 || url,doc.emergingthreats.net/2004451 +1 || 2004452 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp INSERT || cve,CVE-2007-2992 || url,www.securityfocus.com/bid/24275 || url,doc.emergingthreats.net/2004452 +1 || 2004453 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp DELETE || cve,CVE-2007-2992 || url,www.securityfocus.com/bid/24275 || url,doc.emergingthreats.net/2004453 +1 || 2004454 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp ASCII || cve,CVE-2007-2992 || url,www.securityfocus.com/bid/24275 || url,doc.emergingthreats.net/2004454 +1 || 2004455 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Omegasoft SQL Injection Attempt -- OmegaMw7.asp UPDATE || cve,CVE-2007-2992 || url,www.securityfocus.com/bid/24275 || url,doc.emergingthreats.net/2004455 +1 || 2004456 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid SELECT || cve,CVE-2007-2994 || url,www.securityfocus.com/bid/24212 || url,doc.emergingthreats.net/2004456 +1 || 2004457 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UNION SELECT || cve,CVE-2007-2994 || url,www.securityfocus.com/bid/24212 || url,doc.emergingthreats.net/2004457 +1 || 2004458 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid INSERT || cve,CVE-2007-2994 || url,www.securityfocus.com/bid/24212 || url,doc.emergingthreats.net/2004458 +1 || 2004459 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid DELETE || cve,CVE-2007-2994 || url,www.securityfocus.com/bid/24212 || url,doc.emergingthreats.net/2004459 +1 || 2004460 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid ASCII || cve,CVE-2007-2994 || url,www.securityfocus.com/bid/24212 || url,doc.emergingthreats.net/2004460 +1 || 2004461 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews SQL Injection Attempt -- news.php newsid UPDATE || cve,CVE-2007-2994 || url,www.securityfocus.com/bid/24212 || url,doc.emergingthreats.net/2004461 +1 || 2004463 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp SELECT || cve,CVE-2007-2997 || url,www.securityfocus.com/bid/24226 || url,doc.emergingthreats.net/2004463 +1 || 2004464 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UNION SELECT || cve,CVE-2007-2997 || url,www.securityfocus.com/bid/24226 || url,doc.emergingthreats.net/2004464 +1 || 2004465 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp INSERT || cve,CVE-2007-2997 || url,www.securityfocus.com/bid/24226 || url,doc.emergingthreats.net/2004465 +1 || 2004466 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp DELETE || cve,CVE-2007-2997 || url,www.securityfocus.com/bid/24226 || url,doc.emergingthreats.net/2004466 +1 || 2004467 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp ASCII || cve,CVE-2007-2997 || url,www.securityfocus.com/bid/24226 || url,doc.emergingthreats.net/2004467 +1 || 2004468 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SalesCart Shopping Cart SQL Injection Attempt -- reorder2.asp UPDATE || cve,CVE-2007-2997 || url,www.securityfocus.com/bid/24226 || url,doc.emergingthreats.net/2004468 +1 || 2004469 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UNION SELECT || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004469 +1 || 2004470 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id INSERT || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004470 +1 || 2004471 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id DELETE || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004471 +1 || 2004472 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id ASCII || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004472 +1 || 2004473 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id UPDATE || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004473 +1 || 2004474 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year SELECT || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004474 +1 || 2004475 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UNION SELECT || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004475 +1 || 2004476 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year INSERT || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004476 +1 || 2004477 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year DELETE || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004477 +1 || 2004478 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year ASCII || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004478 +1 || 2004479 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php year UPDATE || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004479 +1 || 2004480 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq SELECT || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004480 +1 || 2004481 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UNION SELECT || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004481 +1 || 2004482 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq INSERT || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004482 +1 || 2004483 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq DELETE || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004483 +1 || 2004484 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq ASCII || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004484 +1 || 2004485 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- G_Display.php iCategoryUnq UPDATE || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004485 +1 || 2004486 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID SELECT || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004486 +1 || 2004487 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UNION SELECT || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004487 +1 || 2004488 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID INSERT || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004488 +1 || 2004489 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID DELETE || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004489 +1 || 2004490 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID ASCII || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004490 +1 || 2004491 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP JackKnife SQL Injection Attempt -- DisplayResults.php iSearchID UPDATE || cve,CVE-2007-3000 || url,www.securityfocus.com/bid/24253 || url,doc.emergingthreats.net/2004491 +1 || 2004492 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT || cve,CVE-2007-3003 || url,www.securityfocus.com/bid/24249 || url,doc.emergingthreats.net/2004492 +1 || 2004493 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004493 +1 || 2004494 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UNION SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004494 +1 || 2004495 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name INSERT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004495 +1 || 2004496 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name DELETE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004496 +1 || 2004497 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name ASCII || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004497 +1 || 2004498 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php name UPDATE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004498 +1 || 2004499 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004499 +1 || 2004500 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UNION SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004500 +1 || 2004501 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country INSERT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004501 +1 || 2004502 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country DELETE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004502 +1 || 2004503 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country ASCII || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004503 +1 || 2004504 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php country UPDATE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004504 +1 || 2004505 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004505 +1 || 2004506 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UNION SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004506 +1 || 2004507 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email INSERT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004507 +1 || 2004508 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email DELETE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004508 +1 || 2004509 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email ASCII || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004509 +1 || 2004510 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php email UPDATE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004510 +1 || 2004511 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004511 +1 || 2004512 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UNION SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004512 +1 || 2004513 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website INSERT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004513 +1 || 2004514 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website DELETE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004514 +1 || 2004515 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website ASCII || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004515 +1 || 2004516 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php website UPDATE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004516 +1 || 2004517 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004517 +1 || 2004518 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UNION SELECT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004518 +1 || 2004519 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message INSERT || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004519 +1 || 2004520 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message DELETE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004520 +1 || 2004521 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message ASCII || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004521 +1 || 2004522 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Savas Guestbook SQL Injection Attempt -- add2.php message UPDATE || cve,CVE-2007-1304 || url,www.securityfocus.com/bid/22820 || url,doc.emergingthreats.net/2004522 +1 || 2004523 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country SELECT || cve,CVE-2007-1302 || url,www.securityfocus.com/bid/22821 || url,doc.emergingthreats.net/2004523 +1 || 2004524 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UNION SELECT || cve,CVE-2007-1302 || url,www.securityfocus.com/bid/22821 || url,doc.emergingthreats.net/2004524 +1 || 2004525 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country INSERT || cve,CVE-2007-1302 || url,www.securityfocus.com/bid/22821 || url,doc.emergingthreats.net/2004525 +1 || 2004526 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country DELETE || cve,CVE-2007-1302 || url,www.securityfocus.com/bid/22821 || url,doc.emergingthreats.net/2004526 +1 || 2004527 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country ASCII || cve,CVE-2007-1302 || url,www.securityfocus.com/bid/22821 || url,doc.emergingthreats.net/2004527 +1 || 2004528 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LI-Guestbook SQL Injection Attempt -- guestbook.php country UPDATE || cve,CVE-2007-1302 || url,www.securityfocus.com/bid/22821 || url,doc.emergingthreats.net/2004528 +1 || 2004529 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT || cve,CVE-2007-1298 || url,www.milw0rm.com/exploits/3408 || url,doc.emergingthreats.net/2004529 +1 || 2004530 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT || cve,CVE-2007-1298 || url,www.milw0rm.com/exploits/3408 || url,doc.emergingthreats.net/2004530 +1 || 2004531 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT || cve,CVE-2007-1298 || url,www.milw0rm.com/exploits/3408 || url,doc.emergingthreats.net/2004531 +1 || 2004532 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE || cve,CVE-2007-1298 || url,www.milw0rm.com/exploits/3408 || url,doc.emergingthreats.net/2004532 +1 || 2004533 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII || cve,CVE-2007-1298 || url,www.milw0rm.com/exploits/3408 || url,doc.emergingthreats.net/2004533 +1 || 2004534 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE || cve,CVE-2007-1298 || url,www.milw0rm.com/exploits/3408 || url,doc.emergingthreats.net/2004534 +1 || 2004535 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT || cve,CVE-2007-1297 || url,www.milw0rm.com/exploits/3409 || url,doc.emergingthreats.net/2004535 +1 || 2004536 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT || cve,CVE-2007-1297 || url,www.milw0rm.com/exploits/3409 || url,doc.emergingthreats.net/2004536 +1 || 2004537 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT || cve,CVE-2007-1297 || url,www.milw0rm.com/exploits/3409 || url,doc.emergingthreats.net/2004537 +1 || 2004538 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE || cve,CVE-2007-1297 || url,www.milw0rm.com/exploits/3409 || url,doc.emergingthreats.net/2004538 +1 || 2004539 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII || cve,CVE-2007-1297 || url,www.milw0rm.com/exploits/3409 || url,doc.emergingthreats.net/2004539 +1 || 2004540 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE || cve,CVE-2007-1297 || url,www.milw0rm.com/exploits/3409 || url,doc.emergingthreats.net/2004540 +1 || 2004541 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT || cve,CVE-2007-1296 || url,www.milw0rm.com/exploits/3410 || url,doc.emergingthreats.net/2004541 +1 || 2004542 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UNION SELECT || cve,CVE-2007-1296 || url,www.milw0rm.com/exploits/3410 || url,doc.emergingthreats.net/2004542 +1 || 2004543 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid INSERT || cve,CVE-2007-1296 || url,www.milw0rm.com/exploits/3410 || url,doc.emergingthreats.net/2004543 +1 || 2004544 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid DELETE || cve,CVE-2007-1296 || url,www.milw0rm.com/exploits/3410 || url,doc.emergingthreats.net/2004544 +1 || 2004545 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid ASCII || cve,CVE-2007-1296 || url,www.milw0rm.com/exploits/3410 || url,doc.emergingthreats.net/2004545 +1 || 2004546 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid UPDATE || cve,CVE-2007-1296 || url,www.milw0rm.com/exploits/3410 || url,doc.emergingthreats.net/2004546 +1 || 2004547 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id SELECT || cve,CVE-2007-1295 || url,www.milw0rm.com/exploits/3411 || url,doc.emergingthreats.net/2004547 +1 || 2004548 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id INSERT || cve,CVE-2007-1295 || url,www.milw0rm.com/exploits/3411 || url,doc.emergingthreats.net/2004548 +1 || 2004549 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id DELETE || cve,CVE-2007-1295 || url,www.milw0rm.com/exploits/3411 || url,doc.emergingthreats.net/2004549 +1 || 2004550 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id ASCII || cve,CVE-2007-1295 || url,www.milw0rm.com/exploits/3411 || url,doc.emergingthreats.net/2004550 +1 || 2004551 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UPDATE || cve,CVE-2007-1295 || url,www.milw0rm.com/exploits/3411 || url,doc.emergingthreats.net/2004551 +1 || 2004552 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpPgAdmin XSS Attempt -- sqledit.php server || cve,CVE-2007-2865 || url,www.securityfocus.com/bid/24115 || url,doc.emergingthreats.net/2004552 +1 || 2004554 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authusername || cve,CVE-2007-2847 || url,www.securityfocus.com/bid/24102 || url,doc.emergingthreats.net/2004554 +1 || 2004555 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php authpassword || cve,CVE-2007-2847 || url,www.securityfocus.com/bid/24102 || url,doc.emergingthreats.net/2004555 +1 || 2004556 || 8 || web-application-attack || 0 || ET WEB_SERVER Cisco CallManager XSS Attempt serverlist.asp pattern || cve,CVE-2007-2832 || url,www.secunia.com/advisories/25377 || url,doc.emergingthreats.net/2004556 +1 || 2004557 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS @Mail XSS Attempt -- ReadMsg.php || cve,CVE-2007-2825 || url,xforce.iss.net/xforce/xfdb/34376 || url,doc.emergingthreats.net/2004557 +1 || 2004558 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Track+ XSS Attempt -- reportItem.do projId || cve,CVE-2007-2819 || url,www.securityfocus.com/bid/24060 || url,doc.emergingthreats.net/2004558 +1 || 2004559 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CactuSoft Parodia XSS Attempt -- cand_login.asp strJobIDs || cve,CVE-2007-2818 || url,www.securityfocus.com/bid/24078 || url,doc.emergingthreats.net/2004559 +1 || 2004560 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php || cve,CVE-2007-2812 || url,www.securityfocus.com/bid/24063 || url,doc.emergingthreats.net/2004560 +1 || 2004561 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HLstats XSS Attempt -- hlstats.php action || cve,CVE-2007-2812 || url,www.securityfocus.com/bid/24063 || url,doc.emergingthreats.net/2004561 +1 || 2004562 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gnatsweb and Gnats XSS Attempt -- gnatsweb.pl database || cve,CVE-2007-2808 || url,www.secunia.com/advisories/25333 || url,doc.emergingthreats.net/2004562 +1 || 2004563 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail || cve,CVE-2007-2806 || url,www.securityfocus.com/bid/24066 || url,doc.emergingthreats.net/2004563 +1 || 2004564 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_gal_detail || cve,CVE-2007-2806 || url,www.securityfocus.com/bid/24066 || url,doc.emergingthreats.net/2004564 +1 || 2004565 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GaliX XSS Attempt -- index.php galix_cat_detail_sort || cve,CVE-2007-2806 || url,www.securityfocus.com/bid/24066 || url,doc.emergingthreats.net/2004565 +1 || 2004566 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php ticketID || cve,CVE-2007-2805 || url,www.securityfocus.com/bid/24061 || url,doc.emergingthreats.net/2004566 +1 || 2004567 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php view || cve,CVE-2007-2805 || url,www.securityfocus.com/bid/24061 || url,doc.emergingthreats.net/2004567 +1 || 2004568 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClientExec (CE) XSS Attempt -- index.php fuse || cve,CVE-2007-2805 || url,www.securityfocus.com/bid/24061 || url,doc.emergingthreats.net/2004568 +1 || 2004569 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp brand || cve,CVE-2007-2804 || url,www.secunia.com/advisories/25370 || url,doc.emergingthreats.net/2004569 +1 || 2004570 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store XSS Attempt -- prodList.asp Msg || cve,CVE-2007-2804 || url,www.secunia.com/advisories/25370 || url,doc.emergingthreats.net/2004570 +1 || 2004571 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RM EasyMail Plus XSS Attempt -- Login d || cve,CVE-2007-2802 || url,www.secunia.com/advisories/25326 || url,doc.emergingthreats.net/2004571 +1 || 2004572 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetbox CMS XSS Attempt -- index.php login || cve,CVE-2007-2686 || url,www.osvdb.org/34791 || url,doc.emergingthreats.net/2004572 +1 || 2004573 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart XSS Attempt -- shopcontent.asp type || cve,CVE-2007-2790 || url,www.securityfocus.com/archive/1/archive/1/468834/100/0/threaded || url,doc.emergingthreats.net/2004573 +1 || 2004574 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WikyBlog XSS Attempt sessionRegister.php || cve,CVE-2007-2781 || url,www.secunia.com/advisories/25308 || url,doc.emergingthreats.net/2004574 +1 || 2004575 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tomcat XSS Attempt -- hello.jsp test || cve,CVE-2007-1355 || url,www.securityfocus.com/bid/24058 || url,doc.emergingthreats.net/2004575 +1 || 2004576 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_bbcodeloader.php || cve,CVE-2007-2963 || url,www.securityfocus.com/bid/24244 || url,doc.emergingthreats.net/2004576 +1 || 2004577 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_div.php || cve,CVE-2007-2963 || url,www.securityfocus.com/bid/24244 || url,doc.emergingthreats.net/2004577 +1 || 2004578 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_email.php || cve,CVE-2007-2963 || url,www.securityfocus.com/bid/24244 || url,doc.emergingthreats.net/2004578 +1 || 2004579 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_image.php || cve,CVE-2007-2963 || url,www.securityfocus.com/bid/24244 || url,doc.emergingthreats.net/2004579 +1 || 2004580 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_link.php || cve,CVE-2007-2963 || url,www.securityfocus.com/bid/24244 || url,doc.emergingthreats.net/2004580 +1 || 2004581 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt -- module_table.php editorid || cve,CVE-2007-2963 || url,www.securityfocus.com/bid/24244 || url,doc.emergingthreats.net/2004581 +1 || 2004582 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Gallery XSS Attempt -- search.php order || cve,CVE-2007-2962 || url,www.securityfocus.com/archive/1/archive/1/469985/100/0/threaded || url,doc.emergingthreats.net/2004582 +1 || 2004583 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BoastMachine XSS Attempt -- index.php blog || cve,CVE-2007-2932 || url,www.securityfocus.com/bid/24156 || url,doc.emergingthreats.net/2004583 +1 || 2004584 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- footer.php copyright || cve,CVE-2007-0694 || url,www.securityfocus.com/bid/24200 || url,doc.emergingthreats.net/2004584 +1 || 2004585 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DGNews XSS Attempt -- news.php catid || cve,CVE-2007-0693 || url,www.securityfocus.com/bid/24201 || url,doc.emergingthreats.net/2004585 +1 || 2004586 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GMTT Music Distro XSS Attempt -- showown.php st || cve,CVE-2007-2916 || url,www.securityfocus.com/archive/1/archive/1/469269/100/0/threaded || url,doc.emergingthreats.net/2004586 +1 || 2004587 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- awards.php || cve,CVE-2007-2914 || url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded || url,doc.emergingthreats.net/2004587 +1 || 2004588 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- login.php || cve,CVE-2007-2914 || url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded || url,doc.emergingthreats.net/2004588 +1 || 2004589 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- register.php || cve,CVE-2007-2914 || url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded || url,doc.emergingthreats.net/2004589 +1 || 2004590 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PsychoStats XSS Attempt -- weapons.php || cve,CVE-2007-2914 || url,www.securityfocus.com/archive/1/archive/1/469260/100/0/threaded || url,doc.emergingthreats.net/2004590 +1 || 2004591 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClonusWiki XSS Attempt -- index.php query || cve,CVE-2007-2913 || url,www.securityfocus.com/archive/1/archive/1/469230/100/0/threaded || url,doc.emergingthreats.net/2004591 +1 || 2004592 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin XSS Attempt -- calendar.php || cve,CVE-2007-2909 || url,www.vbulletin.com/forum/showthread.php?postid=1355012 || url,doc.emergingthreats.net/2004592 +1 || 2004593 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos XSS Attempt -- editor.php img || cve,CVE-2007-2901 || url,www.milw0rm.com/exploits/3974 || url,doc.emergingthreats.net/2004593 +1 || 2004594 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP-Nuke XSS Attempt -- news.asp id || cve,CVE-2007-2892 || url,www.securityfocus.com/bid/24135 || url,doc.emergingthreats.net/2004594 +1 || 2004595 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- info_book.asp Room_name || cve,CVE-2007-2880 || url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded || url,doc.emergingthreats.net/2004595 +1 || 2004596 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digirez XSS Attempt -- week.asp curYear || cve,CVE-2007-2880 || url,www.securityfocus.com/archive/1/archive/1/469589/100/0/threaded || url,doc.emergingthreats.net/2004596 +1 || 2004598 || 4 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts || url,doc.emergingthreats.net/2004598 +1 || 2004600 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php SELECT || cve,CVE-2007-3051 || url,www.milw0rm.com/exploits/4020 || url,doc.emergingthreats.net/2004600 +1 || 2004601 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UNION SELECT || cve,CVE-2007-3051 || url,www.milw0rm.com/exploits/4020 || url,doc.emergingthreats.net/2004601 +1 || 2004602 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php INSERT || cve,CVE-2007-3051 || url,www.milw0rm.com/exploits/4020 || url,doc.emergingthreats.net/2004602 +1 || 2004603 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php DELETE || cve,CVE-2007-3051 || url,www.milw0rm.com/exploits/4020 || url,doc.emergingthreats.net/2004603 +1 || 2004604 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php ASCII || cve,CVE-2007-3051 || url,www.milw0rm.com/exploits/4020 || url,doc.emergingthreats.net/2004604 +1 || 2004605 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RevokeSoft RevokeBB SQL Injection Attempt -- class_users.php UPDATE || cve,CVE-2007-3051 || url,www.milw0rm.com/exploits/4020 || url,doc.emergingthreats.net/2004605 +1 || 2004606 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c SELECT || cve,CVE-2007-3052 || url,www.milw0rm.com/exploits/4026 || url,doc.emergingthreats.net/2004606 +1 || 2004607 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UNION SELECT || cve,CVE-2007-3052 || url,www.milw0rm.com/exploits/4026 || url,doc.emergingthreats.net/2004607 +1 || 2004608 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c INSERT || cve,CVE-2007-3052 || url,www.milw0rm.com/exploits/4026 || url,doc.emergingthreats.net/2004608 +1 || 2004609 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c DELETE || cve,CVE-2007-3052 || url,www.milw0rm.com/exploits/4026 || url,doc.emergingthreats.net/2004609 +1 || 2004610 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c ASCII || cve,CVE-2007-3052 || url,www.milw0rm.com/exploits/4026 || url,doc.emergingthreats.net/2004610 +1 || 2004611 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 SQL Injection Attempt -- index.php c UPDATE || cve,CVE-2007-3052 || url,www.milw0rm.com/exploits/4026 || url,doc.emergingthreats.net/2004611 +1 || 2004612 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete SELECT || cve,CVE-2007-3063 || url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded || url,doc.emergingthreats.net/2004612 +1 || 2004613 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UNION SELECT || cve,CVE-2007-3063 || url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded || url,doc.emergingthreats.net/2004613 +1 || 2004614 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete INSERT || cve,CVE-2007-3063 || url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded || url,doc.emergingthreats.net/2004614 +1 || 2004615 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete DELETE || cve,CVE-2007-3063 || url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded || url,doc.emergingthreats.net/2004615 +1 || 2004616 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete ASCII || cve,CVE-2007-3063 || url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded || url,doc.emergingthreats.net/2004616 +1 || 2004617 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My Datebook SQL Injection Attempt -- diary.php delete UPDATE || cve,CVE-2007-3063 || url,www.securityfocus.com/archive/1/archive/1/470483/100/0/threaded || url,doc.emergingthreats.net/2004617 +1 || 2004618 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment SELECT || cve,CVE-2007-3065 || url,www.milw0rm.com/exploits/4019 || url,doc.emergingthreats.net/2004618 +1 || 2004619 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UNION SELECT || cve,CVE-2007-3065 || url,www.milw0rm.com/exploits/4019 || url,doc.emergingthreats.net/2004619 +1 || 2004620 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment INSERT || cve,CVE-2007-3065 || url,www.milw0rm.com/exploits/4019 || url,doc.emergingthreats.net/2004620 +1 || 2004621 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment DELETE || cve,CVE-2007-3065 || url,www.milw0rm.com/exploits/4019 || url,doc.emergingthreats.net/2004621 +1 || 2004622 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment ASCII || cve,CVE-2007-3065 || url,www.milw0rm.com/exploits/4019 || url,doc.emergingthreats.net/2004622 +1 || 2004623 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Soft Particle Gallery SQL Injection Attempt -- viewimage.php editcomment UPDATE || cve,CVE-2007-3065 || url,www.milw0rm.com/exploits/4019 || url,doc.emergingthreats.net/2004623 +1 || 2004624 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank SELECT || cve,CVE-2007-3077 || url,www.milw0rm.com/exploits/4030 || url,doc.emergingthreats.net/2004624 +1 || 2004625 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UNION SELECT || cve,CVE-2007-3077 || url,www.milw0rm.com/exploits/4030 || url,doc.emergingthreats.net/2004625 +1 || 2004626 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank INSERT || cve,CVE-2007-3077 || url,www.milw0rm.com/exploits/4030 || url,doc.emergingthreats.net/2004626 +1 || 2004627 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank DELETE || cve,CVE-2007-3077 || url,www.milw0rm.com/exploits/4030 || url,doc.emergingthreats.net/2004627 +1 || 2004628 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank ASCII || cve,CVE-2007-3077 || url,www.milw0rm.com/exploits/4030 || url,doc.emergingthreats.net/2004628 +1 || 2004629 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EQdkp SQL Injection Attempt -- listmembers.php rank UPDATE || cve,CVE-2007-3077 || url,www.milw0rm.com/exploits/4030 || url,doc.emergingthreats.net/2004629 +1 || 2004630 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UNION SELECT || cve,CVE-2007-3080 || url,www.securityfocus.com/bid/24288 || url,doc.emergingthreats.net/2004630 +1 || 2004631 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id INSERT || cve,CVE-2007-3080 || url,www.securityfocus.com/bid/24288 || url,doc.emergingthreats.net/2004631 +1 || 2004632 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id DELETE || cve,CVE-2007-3080 || url,www.securityfocus.com/bid/24288 || url,doc.emergingthreats.net/2004632 +1 || 2004633 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id ASCII || cve,CVE-2007-3080 || url,www.securityfocus.com/bid/24288 || url,doc.emergingthreats.net/2004633 +1 || 2004634 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id UPDATE || cve,CVE-2007-3080 || url,www.securityfocus.com/bid/24288 || url,doc.emergingthreats.net/2004634 +1 || 2004635 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi SELECT || cve,CVE-2007-3088 || url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded || url,doc.emergingthreats.net/2004635 +1 || 2004636 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UNION SELECT || cve,CVE-2007-3088 || url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded || url,doc.emergingthreats.net/2004636 +1 || 2004637 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi INSERT || cve,CVE-2007-3088 || url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded || url,doc.emergingthreats.net/2004637 +1 || 2004638 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi DELETE || cve,CVE-2007-3088 || url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded || url,doc.emergingthreats.net/2004638 +1 || 2004639 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi ASCII || cve,CVE-2007-3088 || url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded || url,doc.emergingthreats.net/2004639 +1 || 2004640 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comicsense SQL Injection Attempt -- index.php epi UPDATE || cve,CVE-2007-3088 || url,www.securityfocus.com/archive/1/archive/1/470598/100/0/threaded || url,doc.emergingthreats.net/2004640 +1 || 2004641 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id SELECT || cve,CVE-2007-3119 || url,www.exploit-db.com/exploits/4040/ || url,doc.emergingthreats.net/2004641 +1 || 2004642 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UNION SELECT || cve,CVE-2007-3119 || url,www.exploit-db.com/exploits/4040/ || url,doc.emergingthreats.net/2004642 +1 || 2004643 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id INSERT || cve,CVE-2007-3119 || url,www.exploit-db.com/exploits/4040/ || url,doc.emergingthreats.net/2004643 +1 || 2004644 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id DELETE || cve,CVE-2007-3119 || url,www.exploit-db.com/exploits/4040/ || url,doc.emergingthreats.net/2004644 +1 || 2004645 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id ASCII || cve,CVE-2007-3119 || url,www.exploit-db.com/exploits/4040/ || url,doc.emergingthreats.net/2004645 +1 || 2004646 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kartli Alisveris Sistemi SQL Injection Attempt -- news.asp news_id UPDATE || cve,CVE-2007-3119 || url,www.exploit-db.com/exploits/4040/ || url,doc.emergingthreats.net/2004646 +1 || 2004647 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id SELECT || cve,CVE-2007-3133 || url,www.securityfocus.com/bid/24364 || url,doc.emergingthreats.net/2004647 +1 || 2004648 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UNION SELECT || cve,CVE-2007-3133 || url,www.securityfocus.com/bid/24364 || url,doc.emergingthreats.net/2004648 +1 || 2004649 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id INSERT || cve,CVE-2007-3133 || url,www.securityfocus.com/bid/24364 || url,doc.emergingthreats.net/2004649 +1 || 2004650 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id DELETE || cve,CVE-2007-3133 || url,www.securityfocus.com/bid/24364 || url,doc.emergingthreats.net/2004650 +1 || 2004651 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id ASCII || cve,CVE-2007-3133 || url,www.securityfocus.com/bid/24364 || url,doc.emergingthreats.net/2004651 +1 || 2004652 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W1L3D4 WEBmarket SQL Injection Attempt -- urunbak.asp id UPDATE || cve,CVE-2007-3133 || url,www.securityfocus.com/bid/24364 || url,doc.emergingthreats.net/2004652 +1 || 2004654 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php SELECT || cve,CVE-2007-3140 || url,www.milw0rm.com/exploits/4039 || url,doc.emergingthreats.net/2004654 +1 || 2004655 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UNION SELECT || cve,CVE-2007-3140 || url,www.milw0rm.com/exploits/4039 || url,doc.emergingthreats.net/2004655 +1 || 2004656 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php INSERT || cve,CVE-2007-3140 || url,www.milw0rm.com/exploits/4039 || url,doc.emergingthreats.net/2004656 +1 || 2004657 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php DELETE || cve,CVE-2007-3140 || url,www.milw0rm.com/exploits/4039 || url,doc.emergingthreats.net/2004657 +1 || 2004658 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php ASCII || cve,CVE-2007-3140 || url,www.milw0rm.com/exploits/4039 || url,doc.emergingthreats.net/2004658 +1 || 2004659 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress 2.2 SQL Injection Attempt -- xmlrpc.php UPDATE || cve,CVE-2007-3140 || url,www.milw0rm.com/exploits/4039 || url,doc.emergingthreats.net/2004659 +1 || 2004660 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria SELECT || cve,CVE-2007-1293 || url,www.milw0rm.com/exploits/3403 || url,doc.emergingthreats.net/2004660 +1 || 2004661 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UNION SELECT || cve,CVE-2007-1293 || url,www.milw0rm.com/exploits/3403 || url,doc.emergingthreats.net/2004661 +1 || 2004662 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria INSERT || cve,CVE-2007-1293 || url,www.milw0rm.com/exploits/3403 || url,doc.emergingthreats.net/2004662 +1 || 2004663 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria DELETE || cve,CVE-2007-1293 || url,www.milw0rm.com/exploits/3403 || url,doc.emergingthreats.net/2004663 +1 || 2004664 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria ASCII || cve,CVE-2007-1293 || url,www.milw0rm.com/exploits/3403 || url,doc.emergingthreats.net/2004664 +1 || 2004665 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rigter Portal System (RPS) SQL Injection Attempt -- index.php categoria UPDATE || cve,CVE-2007-1293 || url,www.milw0rm.com/exploits/3403 || url,doc.emergingthreats.net/2004665 +1 || 2004666 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids SELECT || cve,CVE-2007-1292 || url,www.milw0rm.com/exploits/3387 || url,doc.emergingthreats.net/2004666 +1 || 2004667 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UNION SELECT || cve,CVE-2007-1292 || url,www.milw0rm.com/exploits/3387 || url,doc.emergingthreats.net/2004667 +1 || 2004668 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids INSERT || cve,CVE-2007-1292 || url,www.milw0rm.com/exploits/3387 || url,doc.emergingthreats.net/2004668 +1 || 2004669 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids DELETE || cve,CVE-2007-1292 || url,www.milw0rm.com/exploits/3387 || url,doc.emergingthreats.net/2004669 +1 || 2004670 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids ASCII || cve,CVE-2007-1292 || url,www.milw0rm.com/exploits/3387 || url,doc.emergingthreats.net/2004670 +1 || 2004671 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- inlinemod.php postids UPDATE || cve,CVE-2007-1292 || url,www.milw0rm.com/exploits/3387 || url,doc.emergingthreats.net/2004671 +1 || 2004672 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug SELECT || cve,CVE-2007-1290 || url,www.secunia.com/advisories/24385 || url,doc.emergingthreats.net/2004672 +1 || 2004673 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UNION SELECT || cve,CVE-2007-1290 || url,www.secunia.com/advisories/24385 || url,doc.emergingthreats.net/2004673 +1 || 2004674 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug INSERT || cve,CVE-2007-1290 || url,www.secunia.com/advisories/24385 || url,doc.emergingthreats.net/2004674 +1 || 2004675 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug DELETE || cve,CVE-2007-1290 || url,www.secunia.com/advisories/24385 || url,doc.emergingthreats.net/2004675 +1 || 2004676 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug ASCII || cve,CVE-2007-1290 || url,www.secunia.com/advisories/24385 || url,doc.emergingthreats.net/2004676 +1 || 2004677 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewReport.php bug UPDATE || cve,CVE-2007-1290 || url,www.secunia.com/advisories/24385 || url,doc.emergingthreats.net/2004677 +1 || 2004678 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s SELECT || cve,CVE-2007-1289 || url,www.securityfocus.com/bid/22799 || url,doc.emergingthreats.net/2004678 +1 || 2004679 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s INSERT || cve,CVE-2007-1289 || url,www.securityfocus.com/bid/22799 || url,doc.emergingthreats.net/2004679 +1 || 2004680 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s DELETE || cve,CVE-2007-1289 || url,www.securityfocus.com/bid/22799 || url,doc.emergingthreats.net/2004680 +1 || 2004681 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s ASCII || cve,CVE-2007-1289 || url,www.securityfocus.com/bid/22799 || url,doc.emergingthreats.net/2004681 +1 || 2004682 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UPDATE || cve,CVE-2007-1289 || url,www.securityfocus.com/bid/22799 || url,doc.emergingthreats.net/2004682 +1 || 2004683 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid SELECT || cve,CVE-2006-7118 || url,www.securityfocus.com/bid/21064 || url,doc.emergingthreats.net/2004683 +1 || 2004684 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UNION SELECT || cve,CVE-2006-7118 || url,www.securityfocus.com/bid/21064 || url,doc.emergingthreats.net/2004684 +1 || 2004685 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid INSERT || cve,CVE-2006-7118 || url,www.securityfocus.com/bid/21064 || url,doc.emergingthreats.net/2004685 +1 || 2004686 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid DELETE || cve,CVE-2006-7118 || url,www.securityfocus.com/bid/21064 || url,doc.emergingthreats.net/2004686 +1 || 2004687 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid ASCII || cve,CVE-2006-7118 || url,www.securityfocus.com/bid/21064 || url,doc.emergingthreats.net/2004687 +1 || 2004688 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Site Engine Manager SQL Injection Attempt -- index.asp mid UPDATE || cve,CVE-2006-7118 || url,www.securityfocus.com/bid/21064 || url,doc.emergingthreats.net/2004688 +1 || 2004689 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id SELECT || cve,CVE-2006-7116 || url,www.exploit-db.com/exploits/2863/ || url,doc.emergingthreats.net/2004689 +1 || 2004690 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UNION SELECT || cve,CVE-2006-7116 || url,www.exploit-db.com/exploits/2863/ || url,doc.emergingthreats.net/2004690 +1 || 2004691 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id INSERT || cve,CVE-2006-7116 || url,www.exploit-db.com/exploits/2863/ || url,doc.emergingthreats.net/2004691 +1 || 2004692 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id DELETE || cve,CVE-2006-7116 || url,www.exploit-db.com/exploits/2863/ || url,doc.emergingthreats.net/2004692 +1 || 2004693 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id ASCII || cve,CVE-2006-7116 || url,www.exploit-db.com/exploits/2863/ || url,doc.emergingthreats.net/2004693 +1 || 2004694 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kubix SQL Injection Attempt -- index.php member_id UPDATE || cve,CVE-2006-7116 || url,www.exploit-db.com/exploits/2863/ || url,doc.emergingthreats.net/2004694 +1 || 2004695 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid SELECT || cve,CVE-2006-7115 || url,www.securityfocus.com/bid/21002 || url,doc.emergingthreats.net/2004695 +1 || 2004696 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UNION SELECT || cve,CVE-2006-7115 || url,www.securityfocus.com/bid/21002 || url,doc.emergingthreats.net/2004696 +1 || 2004697 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid INSERT || cve,CVE-2006-7115 || url,www.securityfocus.com/bid/21002 || url,doc.emergingthreats.net/2004697 +1 || 2004698 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid DELETE || cve,CVE-2006-7115 || url,www.securityfocus.com/bid/21002 || url,doc.emergingthreats.net/2004698 +1 || 2004699 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid ASCII || cve,CVE-2006-7115 || url,www.securityfocus.com/bid/21002 || url,doc.emergingthreats.net/2004699 +1 || 2004700 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKit SQL Injection Attempt -- include.php catid UPDATE || cve,CVE-2006-7115 || url,www.securityfocus.com/bid/21002 || url,doc.emergingthreats.net/2004700 +1 || 2004701 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php SELECT || cve,CVE-2006-7101 || url,www.milw0rm.com/exploits/2759 || url,doc.emergingthreats.net/2004701 +1 || 2004702 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UNION SELECT || cve,CVE-2006-7101 || url,www.milw0rm.com/exploits/2759 || url,doc.emergingthreats.net/2004702 +1 || 2004703 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php DELETE || cve,CVE-2006-7101 || url,www.milw0rm.com/exploits/2759 || url,doc.emergingthreats.net/2004703 +1 || 2004704 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php ASCII || cve,CVE-2006-7101 || url,www.milw0rm.com/exploits/2759 || url,doc.emergingthreats.net/2004704 +1 || 2004705 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage SELECT || cve,CVE-2007-1255 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004705 +1 || 2004706 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UNION SELECT || cve,CVE-2007-1255 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004706 +1 || 2004707 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage INSERT || cve,CVE-2007-1255 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004707 +1 || 2004708 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage DELETE || cve,CVE-2007-1255 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004708 +1 || 2004709 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage ASCII || cve,CVE-2007-1255 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004709 +1 || 2004710 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- admin.php uploadimage UPDATE || cve,CVE-2007-1255 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004710 +1 || 2004711 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin SELECT || cve,CVE-2007-1254 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004711 +1 || 2004712 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UNION SELECT || cve,CVE-2007-1254 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004712 +1 || 2004713 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin INSERT || cve,CVE-2007-1254 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004713 +1 || 2004714 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin DELETE || cve,CVE-2007-1254 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004714 +1 || 2004715 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin ASCII || cve,CVE-2007-1254 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004715 +1 || 2004716 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Connectix Boards SQL Injection Attempt -- index.php p_skin UPDATE || cve,CVE-2007-1254 || url,www.milw0rm.com/exploits/3352 || url,doc.emergingthreats.net/2004716 +1 || 2004717 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id SELECT || cve,CVE-2007-1250 || url,www.milw0rm.com/exploits/3390 || url,doc.emergingthreats.net/2004717 +1 || 2004718 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UNION SELECT || cve,CVE-2007-1250 || url,www.milw0rm.com/exploits/3390 || url,doc.emergingthreats.net/2004718 +1 || 2004719 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id INSERT || cve,CVE-2007-1250 || url,www.milw0rm.com/exploits/3390 || url,doc.emergingthreats.net/2004719 +1 || 2004720 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id DELETE || cve,CVE-2007-1250 || url,www.milw0rm.com/exploits/3390 || url,doc.emergingthreats.net/2004720 +1 || 2004721 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id ASCII || cve,CVE-2007-1250 || url,www.milw0rm.com/exploits/3390 || url,doc.emergingthreats.net/2004721 +1 || 2004723 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ANGEL Learning Management Suite (LMS) SQL Injection Attempt -- default.asp id UPDATE || cve,CVE-2007-1250 || url,www.milw0rm.com/exploits/3390 || url,doc.emergingthreats.net/2004723 +1 || 2004724 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID SELECT || cve,CVE-2007-1242 || url,www.securityfocus.com/bid/22728 || url,doc.emergingthreats.net/2004724 +1 || 2004725 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UNION SELECT || cve,CVE-2007-1242 || url,www.securityfocus.com/bid/22728 || url,doc.emergingthreats.net/2004725 +1 || 2004726 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID INSERT || cve,CVE-2007-1242 || url,www.securityfocus.com/bid/22728 || url,doc.emergingthreats.net/2004726 +1 || 2004727 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID DELETE || cve,CVE-2007-1242 || url,www.securityfocus.com/bid/22728 || url,doc.emergingthreats.net/2004727 +1 || 2004728 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID ASCII || cve,CVE-2007-1242 || url,www.securityfocus.com/bid/22728 || url,doc.emergingthreats.net/2004728 +1 || 2004729 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Audins Audiens SQL Injection Attempt -- index.php PHPSESSID UPDATE || cve,CVE-2007-1242 || url,www.securityfocus.com/bid/22728 || url,doc.emergingthreats.net/2004729 +1 || 2004730 || 6 || web-application-attack || 0 || ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT || cve,CVE-2007-1172 || url,www.milw0rm.com/exploits/3338 || url,doc.emergingthreats.net/2004730 +1 || 2004731 || 6 || web-application-attack || 0 || ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT || cve,CVE-2007-1172 || url,www.milw0rm.com/exploits/3338 || url,doc.emergingthreats.net/2004731 +1 || 2004732 || 6 || web-application-attack || 0 || ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT || cve,CVE-2007-1172 || url,www.milw0rm.com/exploits/3338 || url,doc.emergingthreats.net/2004732 +1 || 2004733 || 6 || web-application-attack || 0 || ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE || cve,CVE-2007-1172 || url,www.milw0rm.com/exploits/3338 || url,doc.emergingthreats.net/2004733 +1 || 2004734 || 6 || web-application-attack || 0 || ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII || cve,CVE-2007-1172 || url,www.milw0rm.com/exploits/3338 || url,doc.emergingthreats.net/2004734 +1 || 2004735 || 6 || web-application-attack || 0 || ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE || cve,CVE-2007-1172 || url,www.milw0rm.com/exploits/3338 || url,doc.emergingthreats.net/2004735 +1 || 2004736 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php SELECT || cve,CVE-2007-1171 || url,www.milw0rm.com/exploits/3337 || url,doc.emergingthreats.net/2004736 +1 || 2004737 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UNION SELECT || cve,CVE-2007-1171 || url,www.milw0rm.com/exploits/3337 || url,doc.emergingthreats.net/2004737 +1 || 2004738 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php INSERT || cve,CVE-2007-1171 || url,www.milw0rm.com/exploits/3337 || url,doc.emergingthreats.net/2004738 +1 || 2004739 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php DELETE || cve,CVE-2007-1171 || url,www.milw0rm.com/exploits/3337 || url,doc.emergingthreats.net/2004739 +1 || 2004740 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php ASCII || cve,CVE-2007-1171 || url,www.milw0rm.com/exploits/3337 || url,doc.emergingthreats.net/2004740 +1 || 2004741 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nsbypass.php UPDATE || cve,CVE-2007-1171 || url,www.milw0rm.com/exploits/3337 || url,doc.emergingthreats.net/2004741 +1 || 2004742 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv SELECT || cve,CVE-2007-1166 || url,www.exploit-db.com/exploits/3355/ || url,doc.emergingthreats.net/2004742 +1 || 2004743 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UNION SELECT || cve,CVE-2007-1166 || url,www.exploit-db.com/exploits/3355/ || url,doc.emergingthreats.net/2004743 +1 || 2004744 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv INSERT || cve,CVE-2007-1166 || url,www.exploit-db.com/exploits/3355/ || url,doc.emergingthreats.net/2004744 +1 || 2004745 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv DELETE || cve,CVE-2007-1166 || url,www.exploit-db.com/exploits/3355/ || url,doc.emergingthreats.net/2004745 +1 || 2004746 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv ASCII || cve,CVE-2007-1166 || url,www.exploit-db.com/exploits/3355/ || url,doc.emergingthreats.net/2004746 +1 || 2004747 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nabopoll SQL Injection Attempt -- result.php surv UPDATE || cve,CVE-2007-1166 || url,www.exploit-db.com/exploits/3355/ || url,doc.emergingthreats.net/2004747 +1 || 2004748 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic SELECT || cve,CVE-2007-1163 || url,www.milw0rm.com/exploits/3351 || url,doc.emergingthreats.net/2004748 +1 || 2004749 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UNION SELECT || cve,CVE-2007-1163 || url,www.milw0rm.com/exploits/3351 || url,doc.emergingthreats.net/2004749 +1 || 2004750 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic INSERT || cve,CVE-2007-1163 || url,www.milw0rm.com/exploits/3351 || url,doc.emergingthreats.net/2004750 +1 || 2004751 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic DELETE || cve,CVE-2007-1163 || url,www.milw0rm.com/exploits/3351 || url,doc.emergingthreats.net/2004751 +1 || 2004752 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic ASCII || cve,CVE-2007-1163 || url,www.milw0rm.com/exploits/3351 || url,doc.emergingthreats.net/2004752 +1 || 2004753 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- printview.php topic UPDATE || cve,CVE-2007-1163 || url,www.milw0rm.com/exploits/3351 || url,doc.emergingthreats.net/2004753 +1 || 2004754 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid SELECT || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004754 +1 || 2004755 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UNION SELECT || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004755 +1 || 2004756 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid INSERT || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004756 +1 || 2004757 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid DELETE || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004757 +1 || 2004758 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid ASCII || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004758 +1 || 2004759 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- index.php strid UPDATE || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004759 +1 || 2004760 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id SELECT || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004760 +1 || 2004761 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UNION SELECT || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004761 +1 || 2004762 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id INSERT || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004762 +1 || 2004763 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id DELETE || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004763 +1 || 2004764 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id ASCII || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004764 +1 || 2004765 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMplayer SQL Injection Attempt -- filecheck.php id UPDATE || cve,CVE-2007-1135 || url,www.securityfocus.com/bid/22726 || url,doc.emergingthreats.net/2004765 +1 || 2004766 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php SELECT || cve,CVE-2006-7092 || url,www.securityfocus.com/bid/20413 || url,doc.emergingthreats.net/2004766 +1 || 2004767 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UNION SELECT || cve,CVE-2006-7092 || url,www.securityfocus.com/bid/20413 || url,doc.emergingthreats.net/2004767 +1 || 2004768 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php INSERT || cve,CVE-2006-7092 || url,www.securityfocus.com/bid/20413 || url,doc.emergingthreats.net/2004768 +1 || 2004769 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php DELETE || cve,CVE-2006-7092 || url,www.securityfocus.com/bid/20413 || url,doc.emergingthreats.net/2004769 +1 || 2004770 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php ASCII || cve,CVE-2006-7092 || url,www.securityfocus.com/bid/20413 || url,doc.emergingthreats.net/2004770 +1 || 2004771 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo LaiThai SQL Injection Attempt -- mambo.php UPDATE || cve,CVE-2006-7092 || url,www.securityfocus.com/bid/20413 || url,doc.emergingthreats.net/2004771 +1 || 2004772 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id SELECT || cve,CVE-2006-7089 || url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2 || url,doc.emergingthreats.net/2004772 +1 || 2004773 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UNION SELECT || cve,CVE-2006-7089 || url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2 || url,doc.emergingthreats.net/2004773 +1 || 2004774 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id INSERT || cve,CVE-2006-7089 || url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2 || url,doc.emergingthreats.net/2004774 +1 || 2004775 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id DELETE || cve,CVE-2006-7089 || url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2 || url,doc.emergingthreats.net/2004775 +1 || 2004776 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id ASCII || cve,CVE-2006-7089 || url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2 || url,doc.emergingthreats.net/2004776 +1 || 2004778 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ban SQL Injection Attempt -- connexion.php id UPDATE || cve,CVE-2006-7089 || url,marc.theaimsgroup.com/?l=bugtraq&m=116205673106780&w=2 || url,doc.emergingthreats.net/2004778 +1 || 2004779 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username SELECT || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004779 +1 || 2004780 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UNION SELECT || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004780 +1 || 2004781 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username INSERT || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004781 +1 || 2004782 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username DELETE || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004782 +1 || 2004783 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username ASCII || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004783 +1 || 2004784 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- logon_user.php username UPDATE || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004784 +1 || 2004785 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username SELECT || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004785 +1 || 2004786 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UNION SELECT || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004786 +1 || 2004787 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username INSERT || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004787 +1 || 2004788 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username DELETE || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004788 +1 || 2004789 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username ASCII || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004789 +1 || 2004790 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple PHP Forum SQL Injection Attempt -- update_profile.php username UPDATE || cve,CVE-2006-7088 || url,xforce.iss.net/xforce/xfdb/30252 || url,doc.emergingthreats.net/2004790 +1 || 2004797 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP SELECT || cve,CVE-2006-7071 || url,www.milw0rm.com/exploits/2010 || url,doc.emergingthreats.net/2004797 +1 || 2004798 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UNION SELECT || cve,CVE-2006-7071 || url,www.milw0rm.com/exploits/2010 || url,doc.emergingthreats.net/2004798 +1 || 2004799 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP INSERT || cve,CVE-2006-7071 || url,www.milw0rm.com/exploits/2010 || url,doc.emergingthreats.net/2004799 +1 || 2004800 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP DELETE || cve,CVE-2006-7071 || url,www.milw0rm.com/exploits/2010 || url,doc.emergingthreats.net/2004800 +1 || 2004801 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP ASCII || cve,CVE-2006-7071 || url,www.milw0rm.com/exploits/2010 || url,doc.emergingthreats.net/2004801 +1 || 2004802 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Power Board (IPB) SQL Injection Attempt -- class_session.php CLIENT_IP UPDATE || cve,CVE-2006-7071 || url,www.milw0rm.com/exploits/2010 || url,doc.emergingthreats.net/2004802 +1 || 2004803 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id SELECT || cve,CVE-2007-1122 || url,www.securityfocus.com/bid/22685 || url,doc.emergingthreats.net/2004803 +1 || 2004804 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UNION SELECT || cve,CVE-2007-1122 || url,www.securityfocus.com/bid/22685 || url,doc.emergingthreats.net/2004804 +1 || 2004805 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id INSERT || cve,CVE-2007-1122 || url,www.securityfocus.com/bid/22685 || url,doc.emergingthreats.net/2004805 +1 || 2004806 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id DELETE || cve,CVE-2007-1122 || url,www.securityfocus.com/bid/22685 || url,doc.emergingthreats.net/2004806 +1 || 2004807 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id ASCII || cve,CVE-2007-1122 || url,www.securityfocus.com/bid/22685 || url,doc.emergingthreats.net/2004807 +1 || 2004808 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt -- functions.php id UPDATE || cve,CVE-2007-1122 || url,www.securityfocus.com/bid/22685 || url,doc.emergingthreats.net/2004808 +1 || 2004809 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav SELECT || cve,CVE-2007-1107 || url,www.milw0rm.com/exploits/3371 || url,doc.emergingthreats.net/2004809 +1 || 2004810 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UNION SELECT || cve,CVE-2007-1107 || url,www.milw0rm.com/exploits/3371 || url,doc.emergingthreats.net/2004810 +1 || 2004811 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav INSERT || cve,CVE-2007-1107 || url,www.milw0rm.com/exploits/3371 || url,doc.emergingthreats.net/2004811 +1 || 2004812 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav DELETE || cve,CVE-2007-1107 || url,www.milw0rm.com/exploits/3371 || url,doc.emergingthreats.net/2004812 +1 || 2004813 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav ASCII || cve,CVE-2007-1107 || url,www.milw0rm.com/exploits/3371 || url,doc.emergingthreats.net/2004813 +1 || 2004815 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery (CPG) SQL Injection Attempt -- thumbnails.php cpg131_fav UPDATE || cve,CVE-2007-1107 || url,www.milw0rm.com/exploits/3371 || url,doc.emergingthreats.net/2004815 +1 || 2004816 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category SELECT || cve,CVE-2006-7057 || url,www.secunia.com/advisories/20131 || url,doc.emergingthreats.net/2004816 +1 || 2004817 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UNION SELECT || cve,CVE-2006-7057 || url,www.secunia.com/advisories/20131 || url,doc.emergingthreats.net/2004817 +1 || 2004818 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category INSERT || cve,CVE-2006-7057 || url,www.secunia.com/advisories/20131 || url,doc.emergingthreats.net/2004818 +1 || 2004819 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category DELETE || cve,CVE-2006-7057 || url,www.secunia.com/advisories/20131 || url,doc.emergingthreats.net/2004819 +1 || 2004820 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category ASCII || cve,CVE-2006-7057 || url,www.secunia.com/advisories/20131 || url,doc.emergingthreats.net/2004820 +1 || 2004821 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sphider SQL Injection Attempt -- search.php category UPDATE || cve,CVE-2006-7057 || url,www.secunia.com/advisories/20131 || url,doc.emergingthreats.net/2004821 +1 || 2004822 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat SELECT || cve,CVE-2006-7034 || url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded || url,doc.emergingthreats.net/2004822 +1 || 2004823 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UNION SELECT || cve,CVE-2006-7034 || url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded || url,doc.emergingthreats.net/2004823 +1 || 2004824 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat INSERT || cve,CVE-2006-7034 || url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded || url,doc.emergingthreats.net/2004824 +1 || 2004825 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat DELETE || cve,CVE-2006-7034 || url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded || url,doc.emergingthreats.net/2004825 +1 || 2004826 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat ASCII || cve,CVE-2006-7034 || url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded || url,doc.emergingthreats.net/2004826 +1 || 2004827 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Super Link Exchange Script SQL Injection Attempt -- directory.php cat UPDATE || cve,CVE-2006-7034 || url,www.securityfocus.com/archive/1/archive/1/435166/30/4680/threaded || url,doc.emergingthreats.net/2004827 +1 || 2004828 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd SELECT || cve,CVE-2006-7025 || url,www.secunia.com/advisories/19758 || url,doc.emergingthreats.net/2004828 +1 || 2004829 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UNION SELECT || cve,CVE-2006-7025 || url,www.secunia.com/advisories/19758 || url,doc.emergingthreats.net/2004829 +1 || 2004830 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd INSERT || cve,CVE-2006-7025 || url,www.secunia.com/advisories/19758 || url,doc.emergingthreats.net/2004830 +1 || 2004831 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd DELETE || cve,CVE-2006-7025 || url,www.secunia.com/advisories/19758 || url,doc.emergingthreats.net/2004831 +1 || 2004832 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd ASCII || cve,CVE-2006-7025 || url,www.secunia.com/advisories/19758 || url,doc.emergingthreats.net/2004832 +1 || 2004833 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bookmark4U SQL Injection Attempt -- config.php sqlcmd UPDATE || cve,CVE-2006-7025 || url,www.secunia.com/advisories/19758 || url,doc.emergingthreats.net/2004833 +1 || 2004834 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id SELECT || cve,CVE-2007-1077 || url,www.securityfocus.com/bid/22636 || url,doc.emergingthreats.net/2004834 +1 || 2004835 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UNION SELECT || cve,CVE-2007-1077 || url,www.securityfocus.com/bid/22636 || url,doc.emergingthreats.net/2004835 +1 || 2004836 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id INSERT || cve,CVE-2007-1077 || url,www.securityfocus.com/bid/22636 || url,doc.emergingthreats.net/2004836 +1 || 2004837 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id DELETE || cve,CVE-2007-1077 || url,www.securityfocus.com/bid/22636 || url,doc.emergingthreats.net/2004837 +1 || 2004838 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id ASCII || cve,CVE-2007-1077 || url,www.securityfocus.com/bid/22636 || url,doc.emergingthreats.net/2004838 +1 || 2004839 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Design4Online UserPages2 SQL Injection Attempt -- page.asp art_id UPDATE || cve,CVE-2007-1077 || url,www.securityfocus.com/bid/22636 || url,doc.emergingthreats.net/2004839 +1 || 2004840 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor SELECT || cve,CVE-2007-1073 || url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded || url,doc.emergingthreats.net/2004840 +1 || 2004841 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UNION SELECT || cve,CVE-2007-1073 || url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded || url,doc.emergingthreats.net/2004841 +1 || 2004842 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor INSERT || cve,CVE-2007-1073 || url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded || url,doc.emergingthreats.net/2004842 +1 || 2004843 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor DELETE || cve,CVE-2007-1073 || url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded || url,doc.emergingthreats.net/2004843 +1 || 2004844 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor ASCII || cve,CVE-2007-1073 || url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded || url,doc.emergingthreats.net/2004844 +1 || 2004845 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mcRefer SQL Injection Attempt -- install.php bgcolor UPDATE || cve,CVE-2007-1073 || url,www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded || url,doc.emergingthreats.net/2004845 +1 || 2004846 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UNION SELECT || cve,CVE-2007-1058 || url,www.milw0rm.com/exploits/3339 || url,doc.emergingthreats.net/2004846 +1 || 2004847 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id INSERT || cve,CVE-2007-1058 || url,www.milw0rm.com/exploits/3339 || url,doc.emergingthreats.net/2004847 +1 || 2004848 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id DELETE || cve,CVE-2007-1058 || url,www.milw0rm.com/exploits/3339 || url,doc.emergingthreats.net/2004848 +1 || 2004849 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id ASCII || cve,CVE-2007-1058 || url,www.milw0rm.com/exploits/3339 || url,doc.emergingthreats.net/2004849 +1 || 2004850 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id UPDATE || cve,CVE-2007-1058 || url,www.milw0rm.com/exploits/3339 || url,doc.emergingthreats.net/2004850 +1 || 2004851 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id SELECT || cve,CVE-2007-1034 || url,www.milw0rm.com/exploits/3334 || url,doc.emergingthreats.net/2004851 +1 || 2004852 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UNION SELECT || cve,CVE-2007-1034 || url,www.milw0rm.com/exploits/3334 || url,doc.emergingthreats.net/2004852 +1 || 2004853 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id INSERT || cve,CVE-2007-1034 || url,www.milw0rm.com/exploits/3334 || url,doc.emergingthreats.net/2004853 +1 || 2004854 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id DELETE || cve,CVE-2007-1034 || url,www.milw0rm.com/exploits/3334 || url,doc.emergingthreats.net/2004854 +1 || 2004855 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id ASCII || cve,CVE-2007-1034 || url,www.milw0rm.com/exploits/3334 || url,doc.emergingthreats.net/2004855 +1 || 2004856 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php category_id UPDATE || cve,CVE-2007-1034 || url,www.milw0rm.com/exploits/3334 || url,doc.emergingthreats.net/2004856 +1 || 2004857 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album SELECT || cve,CVE-2007-1026 || url,www.milw0rm.com/exploits/3327 || url,doc.emergingthreats.net/2004857 +1 || 2004858 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UNION SELECT || cve,CVE-2007-1026 || url,www.milw0rm.com/exploits/3327 || url,doc.emergingthreats.net/2004858 +1 || 2004859 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album INSERT || cve,CVE-2007-1026 || url,www.milw0rm.com/exploits/3327 || url,doc.emergingthreats.net/2004859 +1 || 2004860 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album DELETE || cve,CVE-2007-1026 || url,www.milw0rm.com/exploits/3327 || url,doc.emergingthreats.net/2004860 +1 || 2004861 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album ASCII || cve,CVE-2007-1026 || url,www.milw0rm.com/exploits/3327 || url,doc.emergingthreats.net/2004861 +1 || 2004862 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XLAtunes SQL Injection Attempt -- view.php album UPDATE || cve,CVE-2007-1026 || url,www.milw0rm.com/exploits/3327 || url,doc.emergingthreats.net/2004862 +1 || 2004863 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id SELECT || cve,CVE-2007-1023 || url,www.milw0rm.com/exploits/3321 || url,doc.emergingthreats.net/2004863 +1 || 2004864 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UNION SELECT || cve,CVE-2007-1023 || url,www.milw0rm.com/exploits/3321 || url,doc.emergingthreats.net/2004864 +1 || 2004865 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id INSERT || cve,CVE-2007-1023 || url,www.milw0rm.com/exploits/3321 || url,doc.emergingthreats.net/2004865 +1 || 2004866 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id DELETE || cve,CVE-2007-1023 || url,www.milw0rm.com/exploits/3321 || url,doc.emergingthreats.net/2004866 +1 || 2004867 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id ASCII || cve,CVE-2007-1023 || url,www.milw0rm.com/exploits/3321 || url,doc.emergingthreats.net/2004867 +1 || 2004868 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Snitz Forums 2000 SQL Injection Attempt -- pop_profile.asp id UPDATE || cve,CVE-2007-1023 || url,www.milw0rm.com/exploits/3321 || url,doc.emergingthreats.net/2004868 +1 || 2004869 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id SELECT || cve,CVE-2007-1022 || url,www.securityfocus.com/bid/22591 || url,doc.emergingthreats.net/2004869 +1 || 2004870 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UNION SELECT || cve,CVE-2007-1022 || url,www.securityfocus.com/bid/22591 || url,doc.emergingthreats.net/2004870 +1 || 2004871 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id INSERT || cve,CVE-2007-1022 || url,www.securityfocus.com/bid/22591 || url,doc.emergingthreats.net/2004871 +1 || 2004872 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id DELETE || cve,CVE-2007-1022 || url,www.securityfocus.com/bid/22591 || url,doc.emergingthreats.net/2004872 +1 || 2004873 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id ASCII || cve,CVE-2007-1022 || url,www.securityfocus.com/bid/22591 || url,doc.emergingthreats.net/2004873 +1 || 2004874 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Turuncu Portal SQL Injection Attempt -- h_goster.asp id UPDATE || cve,CVE-2007-1022 || url,www.securityfocus.com/bid/22591 || url,doc.emergingthreats.net/2004874 +1 || 2004875 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID SELECT || cve,CVE-2007-1021 || url,www.milw0rm.com/exploits/3317 || url,doc.emergingthreats.net/2004875 +1 || 2004876 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UNION SELECT || cve,CVE-2007-1021 || url,www.milw0rm.com/exploits/3317 || url,doc.emergingthreats.net/2004876 +1 || 2004877 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID INSERT || cve,CVE-2007-1021 || url,www.milw0rm.com/exploits/3317 || url,doc.emergingthreats.net/2004877 +1 || 2004878 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID DELETE || cve,CVE-2007-1021 || url,www.milw0rm.com/exploits/3317 || url,doc.emergingthreats.net/2004878 +1 || 2004879 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID ASCII || cve,CVE-2007-1021 || url,www.milw0rm.com/exploits/3317 || url,doc.emergingthreats.net/2004879 +1 || 2004880 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CodeAvalanche News SQL Injection Attempt -- inc_listnews.asp CAT_ID UPDATE || cve,CVE-2007-1021 || url,www.milw0rm.com/exploits/3317 || url,doc.emergingthreats.net/2004880 +1 || 2004881 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly SELECT || cve,CVE-2007-1019 || url,www.milw0rm.com/exploits/3325 || url,doc.emergingthreats.net/2004881 +1 || 2004882 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UNION SELECT || cve,CVE-2007-1019 || url,www.milw0rm.com/exploits/3325 || url,doc.emergingthreats.net/2004882 +1 || 2004883 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly INSERT || cve,CVE-2007-1019 || url,www.milw0rm.com/exploits/3325 || url,doc.emergingthreats.net/2004883 +1 || 2004884 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly DELETE || cve,CVE-2007-1019 || url,www.milw0rm.com/exploits/3325 || url,doc.emergingthreats.net/2004884 +1 || 2004885 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly ASCII || cve,CVE-2007-1019 || url,www.milw0rm.com/exploits/3325 || url,doc.emergingthreats.net/2004885 +1 || 2004886 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- index.php showonly UPDATE || cve,CVE-2007-1019 || url,www.milw0rm.com/exploits/3325 || url,doc.emergingthreats.net/2004886 +1 || 2004887 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id SELECT || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004887 +1 || 2004888 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UNION SELECT || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004888 +1 || 2004889 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id INSERT || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004889 +1 || 2004890 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id DELETE || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004890 +1 || 2004891 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id ASCII || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004891 +1 || 2004892 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- HaberDetay.asp id UPDATE || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004892 +1 || 2004893 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid SELECT || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004893 +1 || 2004894 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UNION SELECT || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004894 +1 || 2004895 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid INSERT || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004895 +1 || 2004896 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid DELETE || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004896 +1 || 2004897 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid ASCII || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004897 +1 || 2004898 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aktueldownload Haber script SQL Injection Attempt -- rss.asp kid UPDATE || cve,CVE-2007-1016 || url,www.frsirt.com/english/advisories/2007/0620 || url,doc.emergingthreats.net/2004898 +1 || 2004899 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid SELECT || cve,CVE-2007-0985 || url,www.milw0rm.com/exploits/3299 || url,doc.emergingthreats.net/2004899 +1 || 2004900 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UNION SELECT || cve,CVE-2007-0985 || url,www.milw0rm.com/exploits/3299 || url,doc.emergingthreats.net/2004900 +1 || 2004901 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid INSERT || cve,CVE-2007-0985 || url,www.milw0rm.com/exploits/3299 || url,doc.emergingthreats.net/2004901 +1 || 2004902 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid DELETE || cve,CVE-2007-0985 || url,www.milw0rm.com/exploits/3299 || url,doc.emergingthreats.net/2004902 +1 || 2004903 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid ASCII || cve,CVE-2007-0985 || url,www.milw0rm.com/exploits/3299 || url,doc.emergingthreats.net/2004903 +1 || 2004904 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpCC SQL Injection Attempt -- nickpage.php npid UPDATE || cve,CVE-2007-0985 || url,www.milw0rm.com/exploits/3299 || url,doc.emergingthreats.net/2004904 +1 || 2004905 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id SELECT || cve,CVE-2007-0984 || url,www.milw0rm.com/exploits/3301 || url,doc.emergingthreats.net/2004905 +1 || 2004906 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UNION SELECT || cve,CVE-2007-0984 || url,www.milw0rm.com/exploits/3301 || url,doc.emergingthreats.net/2004906 +1 || 2004907 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id INSERT || cve,CVE-2007-0984 || url,www.milw0rm.com/exploits/3301 || url,doc.emergingthreats.net/2004907 +1 || 2004908 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id DELETE || cve,CVE-2007-0984 || url,www.milw0rm.com/exploits/3301 || url,doc.emergingthreats.net/2004908 +1 || 2004909 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id ASCII || cve,CVE-2007-0984 || url,www.milw0rm.com/exploits/3301 || url,doc.emergingthreats.net/2004909 +1 || 2004910 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PollMentor SQL Injection Attempt -- pollmentorres.asp id UPDATE || cve,CVE-2007-0984 || url,www.milw0rm.com/exploits/3301 || url,doc.emergingthreats.net/2004910 +1 || 2004911 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID SELECT || cve,CVE-2007-0970 || url,www.securityfocus.com/bid/22559 || url,doc.emergingthreats.net/2004911 +1 || 2004912 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UNION SELECT || cve,CVE-2007-0970 || url,www.securityfocus.com/bid/22559 || url,doc.emergingthreats.net/2004912 +1 || 2004913 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID INSERT || cve,CVE-2007-0970 || url,www.securityfocus.com/bid/22559 || url,doc.emergingthreats.net/2004913 +1 || 2004914 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID DELETE || cve,CVE-2007-0970 || url,www.securityfocus.com/bid/22559 || url,doc.emergingthreats.net/2004914 +1 || 2004915 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID ASCII || cve,CVE-2007-0970 || url,www.securityfocus.com/bid/22559 || url,doc.emergingthreats.net/2004915 +1 || 2004916 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebTester SQL Injection Attempt -- directions.php testID UPDATE || cve,CVE-2007-0970 || url,www.securityfocus.com/bid/22559 || url,doc.emergingthreats.net/2004916 +1 || 2004917 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat SELECT || cve,CVE-2007-0951 || url,www.securityfocus.com/bid/22545 || url,doc.emergingthreats.net/2004917 +1 || 2004918 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UNION SELECT || cve,CVE-2007-0951 || url,www.securityfocus.com/bid/22545 || url,doc.emergingthreats.net/2004918 +1 || 2004919 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat INSERT || cve,CVE-2007-0951 || url,www.securityfocus.com/bid/22545 || url,doc.emergingthreats.net/2004919 +1 || 2004920 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat DELETE || cve,CVE-2007-0951 || url,www.securityfocus.com/bid/22545 || url,doc.emergingthreats.net/2004920 +1 || 2004921 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat ASCII || cve,CVE-2007-0951 || url,www.securityfocus.com/bid/22545 || url,doc.emergingthreats.net/2004921 +1 || 2004923 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite ASP Hosting Site SQL Injection Attempt -- listmain.asp cat UPDATE || cve,CVE-2007-0951 || url,www.securityfocus.com/bid/22545 || url,doc.emergingthreats.net/2004923 +1 || 2004924 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid SELECT || cve,CVE-2007-0920 || url,www.milw0rm.com/exploits/3295 || url,doc.emergingthreats.net/2004924 +1 || 2004925 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UNION SELECT || cve,CVE-2007-0920 || url,www.milw0rm.com/exploits/3295 || url,doc.emergingthreats.net/2004925 +1 || 2004926 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid INSERT || cve,CVE-2007-0920 || url,www.milw0rm.com/exploits/3295 || url,doc.emergingthreats.net/2004926 +1 || 2004927 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid DELETE || cve,CVE-2007-0920 || url,www.milw0rm.com/exploits/3295 || url,doc.emergingthreats.net/2004927 +1 || 2004928 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid ASCII || cve,CVE-2007-0920 || url,www.milw0rm.com/exploits/3295 || url,doc.emergingthreats.net/2004928 +1 || 2004929 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Philboard SQL Injection Attempt -- philboard_forum.asp forumid UPDATE || cve,CVE-2007-0920 || url,www.milw0rm.com/exploits/3295 || url,doc.emergingthreats.net/2004929 +1 || 2004930 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id SELECT || cve,CVE-2006-7005 || url,www.securityfocus.com/bid/17974 || url,doc.emergingthreats.net/2004930 +1 || 2004931 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UNION SELECT || cve,CVE-2006-7005 || url,www.securityfocus.com/bid/17974 || url,doc.emergingthreats.net/2004931 +1 || 2004932 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id INSERT || cve,CVE-2006-7005 || url,www.securityfocus.com/bid/17974 || url,doc.emergingthreats.net/2004932 +1 || 2004933 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id DELETE || cve,CVE-2006-7005 || url,www.securityfocus.com/bid/17974 || url,doc.emergingthreats.net/2004933 +1 || 2004934 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id ASCII || cve,CVE-2006-7005 || url,www.securityfocus.com/bid/17974 || url,doc.emergingthreats.net/2004934 +1 || 2004935 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PSY Auction SQL Injection Attempt -- item.php id UPDATE || cve,CVE-2006-7005 || url,www.securityfocus.com/bid/17974 || url,doc.emergingthreats.net/2004935 +1 || 2004936 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname SELECT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004936 +1 || 2004937 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UNION SELECT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004937 +1 || 2004938 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname INSERT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004938 +1 || 2004939 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname DELETE || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004939 +1 || 2004940 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname ASCII || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004940 +1 || 2004941 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentname UPDATE || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004941 +1 || 2004942 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail SELECT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004942 +1 || 2004943 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UNION SELECT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004943 +1 || 2004945 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail INSERT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004945 +1 || 2004946 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail DELETE || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004946 +1 || 2004947 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail ASCII || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004947 +1 || 2004948 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentmail UPDATE || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004948 +1 || 2004949 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite SELECT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004949 +1 || 2004950 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UNION SELECT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004950 +1 || 2004951 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite INSERT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004951 +1 || 2004952 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite DELETE || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004952 +1 || 2004953 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite ASCII || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004953 +1 || 2004954 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php commentwebsite UPDATE || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004954 +1 || 2004955 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment SELECT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004955 +1 || 2004956 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UNION SELECT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004956 +1 || 2004957 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment INSERT || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004957 +1 || 2004958 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment DELETE || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004958 +1 || 2004959 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment ASCII || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004959 +1 || 2004960 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neuron Blog SQL Injection Attempt -- addcomment2.php comment UPDATE || cve,CVE-2006-6993 || url,www.secunia.com/advisories/19703 || url,doc.emergingthreats.net/2004960 +1 || 2004961 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id SELECT || cve,CVE-2007-0865 || url,www.exploit-db.com/exploits/3287/ || url,doc.emergingthreats.net/2004961 +1 || 2004962 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UNION SELECT || cve,CVE-2007-0865 || url,www.exploit-db.com/exploits/3287/ || url,doc.emergingthreats.net/2004962 +1 || 2004963 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id INSERT || cve,CVE-2007-0865 || url,www.exploit-db.com/exploits/3287/ || url,doc.emergingthreats.net/2004963 +1 || 2004964 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id DELETE || cve,CVE-2007-0865 || url,www.exploit-db.com/exploits/3287/ || url,doc.emergingthreats.net/2004964 +1 || 2004965 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id ASCII || cve,CVE-2007-0865 || url,www.exploit-db.com/exploits/3287/ || url,doc.emergingthreats.net/2004965 +1 || 2004966 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt -- comments.php id UPDATE || cve,CVE-2007-0865 || url,www.exploit-db.com/exploits/3287/ || url,doc.emergingthreats.net/2004966 +1 || 2004967 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id SELECT || cve,CVE-2007-0864 || url,www.exploit-db.com/exploits/3288/ || url,doc.emergingthreats.net/2004967 +1 || 2004968 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UNION SELECT || cve,CVE-2007-0864 || url,www.exploit-db.com/exploits/3288/ || url,doc.emergingthreats.net/2004968 +1 || 2004969 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id INSERT || cve,CVE-2007-0864 || url,www.exploit-db.com/exploits/3288/ || url,doc.emergingthreats.net/2004969 +1 || 2004970 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id DELETE || cve,CVE-2007-0864 || url,www.exploit-db.com/exploits/3288/ || url,doc.emergingthreats.net/2004970 +1 || 2004971 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id ASCII || cve,CVE-2007-0864 || url,www.exploit-db.com/exploits/3288/ || url,doc.emergingthreats.net/2004971 +1 || 2004972 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LushiWarPlaner SQL Injection Attempt -- register.php id UPDATE || cve,CVE-2007-0864 || url,www.exploit-db.com/exploits/3288/ || url,doc.emergingthreats.net/2004972 +1 || 2004979 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid SELECT || cve,CVE-2007-0826 || url,www.exploit-db.com/exploits/3278/ || url,doc.emergingthreats.net/2004979 +1 || 2004980 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UNION SELECT || cve,CVE-2007-0826 || url,www.exploit-db.com/exploits/3278/ || url,doc.emergingthreats.net/2004980 +1 || 2004981 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid INSERT || cve,CVE-2007-0826 || url,www.exploit-db.com/exploits/3278/ || url,doc.emergingthreats.net/2004981 +1 || 2004982 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid DELETE || cve,CVE-2007-0826 || url,www.exploit-db.com/exploits/3278/ || url,doc.emergingthreats.net/2004982 +1 || 2004983 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid ASCII || cve,CVE-2007-0826 || url,www.exploit-db.com/exploits/3278/ || url,doc.emergingthreats.net/2004983 +1 || 2004984 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kisisel Site 2007 SQL Injection Attempt -- forum.asp forumid UPDATE || cve,CVE-2007-0826 || url,www.exploit-db.com/exploits/3278/ || url,doc.emergingthreats.net/2004984 +1 || 2004985 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by SELECT || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004985 +1 || 2004986 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UNION SELECT || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004986 +1 || 2004987 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by INSERT || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004987 +1 || 2004988 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by DELETE || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004988 +1 || 2004989 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by ASCII || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004989 +1 || 2004990 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php by UPDATE || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004990 +1 || 2004991 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order SELECT || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004991 +1 || 2004992 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UNION SELECT || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004992 +1 || 2004993 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order INSERT || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004993 +1 || 2004994 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order DELETE || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004994 +1 || 2004995 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order ASCII || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004995 +1 || 2004996 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BtitTracker SQL Injection Attempt -- torrents.php order UPDATE || cve,CVE-2006-6972 || url,www.securityfocus.com/bid/18549 || url,doc.emergingthreats.net/2004996 +1 || 2004997 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid SELECT || cve,CVE-2007-0812 || url,www.milw0rm.com/exploits/3262 || url,doc.emergingthreats.net/2004997 +1 || 2004998 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UNION SELECT || cve,CVE-2007-0812 || url,www.milw0rm.com/exploits/3262 || url,doc.emergingthreats.net/2004998 +1 || 2004999 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid INSERT || cve,CVE-2007-0812 || url,www.milw0rm.com/exploits/3262 || url,doc.emergingthreats.net/2004999 +1 || 2005000 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid DELETE || cve,CVE-2007-0812 || url,www.milw0rm.com/exploits/3262 || url,doc.emergingthreats.net/2005000 +1 || 2005001 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid ASCII || cve,CVE-2007-0812 || url,www.milw0rm.com/exploits/3262 || url,doc.emergingthreats.net/2005001 +1 || 2005002 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) Lite SQL Injection Attempt -- pms.php pmid UPDATE || cve,CVE-2007-0812 || url,www.milw0rm.com/exploits/3262 || url,doc.emergingthreats.net/2005002 +1 || 2005003 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp SELECT || cve,CVE-2007-0799 || url,www.securityfocus.com/bid/22382 || url,doc.emergingthreats.net/2005003 +1 || 2005004 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UNION SELECT || cve,CVE-2007-0799 || url,www.securityfocus.com/bid/22382 || url,doc.emergingthreats.net/2005004 +1 || 2005005 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp INSERT || cve,CVE-2007-0799 || url,www.securityfocus.com/bid/22382 || url,doc.emergingthreats.net/2005005 +1 || 2005006 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp DELETE || cve,CVE-2007-0799 || url,www.securityfocus.com/bid/22382 || url,doc.emergingthreats.net/2005006 +1 || 2005007 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp ASCII || cve,CVE-2007-0799 || url,www.securityfocus.com/bid/22382 || url,doc.emergingthreats.net/2005007 +1 || 2005008 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ublog Reload SQL Injection Attempt -- badword.asp UPDATE || cve,CVE-2007-0799 || url,www.securityfocus.com/bid/22382 || url,doc.emergingthreats.net/2005008 +1 || 2005009 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user SELECT || cve,CVE-2007-0794 || url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded || url,doc.emergingthreats.net/2005009 +1 || 2005010 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UNION SELECT || cve,CVE-2007-0794 || url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded || url,doc.emergingthreats.net/2005010 +1 || 2005011 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user INSERT || cve,CVE-2007-0794 || url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded || url,doc.emergingthreats.net/2005011 +1 || 2005012 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user DELETE || cve,CVE-2007-0794 || url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded || url,doc.emergingthreats.net/2005012 +1 || 2005013 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user ASCII || cve,CVE-2007-0794 || url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded || url,doc.emergingthreats.net/2005013 +1 || 2005014 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GlobalMegaCorp dvddb SQL Injection Attempt -- common.php user UPDATE || cve,CVE-2007-0794 || url,www.securityfocus.com/archive/1/archive/1/459151/100/0/threaded || url,doc.emergingthreats.net/2005014 +1 || 2005015 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id SELECT || cve,CVE-2007-0786 || url,www.milw0rm.com/exploits/3261 || url,doc.emergingthreats.net/2005015 +1 || 2005016 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UNION SELECT || cve,CVE-2007-0786 || url,www.milw0rm.com/exploits/3261 || url,doc.emergingthreats.net/2005016 +1 || 2005017 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id INSERT || cve,CVE-2007-0786 || url,www.milw0rm.com/exploits/3261 || url,doc.emergingthreats.net/2005017 +1 || 2005018 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id DELETE || cve,CVE-2007-0786 || url,www.milw0rm.com/exploits/3261 || url,doc.emergingthreats.net/2005018 +1 || 2005019 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id ASCII || cve,CVE-2007-0786 || url,www.milw0rm.com/exploits/3261 || url,doc.emergingthreats.net/2005019 +1 || 2005020 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Noname Media Photo Galerie Standard SQL Injection Attempt -- view.php id UPDATE || cve,CVE-2007-0786 || url,www.milw0rm.com/exploits/3261 || url,doc.emergingthreats.net/2005020 +1 || 2005021 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user SELECT || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005021 +1 || 2005022 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UNION SELECT || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005022 +1 || 2005023 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user INSERT || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005023 +1 || 2005024 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user DELETE || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005024 +1 || 2005025 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user ASCII || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005025 +1 || 2005026 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp user UPDATE || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005026 +1 || 2005027 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password SELECT || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005027 +1 || 2005028 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UNION SELECT || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005028 +1 || 2005029 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password INSERT || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005029 +1 || 2005030 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password DELETE || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005030 +1 || 2005031 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password ASCII || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005031 +1 || 2005032 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- login.asp password UPDATE || cve,CVE-2007-0784 || url,www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded || url,doc.emergingthreats.net/2005032 +1 || 2005033 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id SELECT || cve,CVE-2007-0765 || url,www.milw0rm.com/exploits/3256 || url,doc.emergingthreats.net/2005033 +1 || 2005034 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UNION SELECT || cve,CVE-2007-0765 || url,www.milw0rm.com/exploits/3256 || url,doc.emergingthreats.net/2005034 +1 || 2005035 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id INSERT || cve,CVE-2007-0765 || url,www.milw0rm.com/exploits/3256 || url,doc.emergingthreats.net/2005035 +1 || 2005036 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id DELETE || cve,CVE-2007-0765 || url,www.milw0rm.com/exploits/3256 || url,doc.emergingthreats.net/2005036 +1 || 2005037 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id ASCII || cve,CVE-2007-0765 || url,www.milw0rm.com/exploits/3256 || url,doc.emergingthreats.net/2005037 +1 || 2005038 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dB Masters Curium CMS SQL Injection Attempt -- news.php c_id UPDATE || cve,CVE-2007-0765 || url,www.milw0rm.com/exploits/3256 || url,doc.emergingthreats.net/2005038 +1 || 2005039 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i SELECT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005039 +1 || 2005040 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UNION SELECT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005040 +1 || 2005041 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i INSERT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005041 +1 || 2005042 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i DELETE || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005042 +1 || 2005043 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i ASCII || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005043 +1 || 2005044 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id SELECT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005044 +1 || 2005045 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php i UPDATE || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005045 +1 || 2005046 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UNION SELECT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005046 +1 || 2005047 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id INSERT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005047 +1 || 2005048 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id DELETE || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005048 +1 || 2005049 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id ASCII || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005049 +1 || 2005050 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- add_comment.php post_id UPDATE || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005050 +1 || 2005051 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i SELECT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005051 +1 || 2005052 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UNION SELECT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005052 +1 || 2005053 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i INSERT || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005053 +1 || 2005054 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i DELETE || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005054 +1 || 2005055 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i ASCII || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005055 +1 || 2005056 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyMoblog SQL Injection Attempt -- list_comments.php i UPDATE || cve,CVE-2007-0759 || url,www.securityfocus.com/bid/22369 || url,doc.emergingthreats.net/2005056 +1 || 2005057 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod SELECT || cve,CVE-2007-0698 || url,www.frsirt.com/english/advisories/2007/0388 || url,doc.emergingthreats.net/2005057 +1 || 2005058 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UNION SELECT || cve,CVE-2007-0698 || url,www.frsirt.com/english/advisories/2007/0388 || url,doc.emergingthreats.net/2005058 +1 || 2005059 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod INSERT || cve,CVE-2007-0698 || url,www.frsirt.com/english/advisories/2007/0388 || url,doc.emergingthreats.net/2005059 +1 || 2005060 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod DELETE || cve,CVE-2007-0698 || url,www.frsirt.com/english/advisories/2007/0388 || url,doc.emergingthreats.net/2005060 +1 || 2005061 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod ASCII || cve,CVE-2007-0698 || url,www.frsirt.com/english/advisories/2007/0388 || url,doc.emergingthreats.net/2005061 +1 || 2005062 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ACGVannu SQL Injection Attempt -- modif.html id_mod UPDATE || cve,CVE-2007-0698 || url,www.frsirt.com/english/advisories/2007/0388 || url,doc.emergingthreats.net/2005062 +1 || 2005063 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id SELECT || cve,CVE-2007-0688 || url,www.milw0rm.com/exploits/3241 || url,doc.emergingthreats.net/2005063 +1 || 2005064 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UNION SELECT || cve,CVE-2007-0688 || url,www.milw0rm.com/exploits/3241 || url,doc.emergingthreats.net/2005064 +1 || 2005065 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id INSERT || cve,CVE-2007-0688 || url,www.milw0rm.com/exploits/3241 || url,doc.emergingthreats.net/2005065 +1 || 2005066 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id DELETE || cve,CVE-2007-0688 || url,www.milw0rm.com/exploits/3241 || url,doc.emergingthreats.net/2005066 +1 || 2005067 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id ASCII || cve,CVE-2007-0688 || url,www.milw0rm.com/exploits/3241 || url,doc.emergingthreats.net/2005067 +1 || 2005068 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Duyuru Scripti SQL Injection Attempt -- oku.asp id UPDATE || cve,CVE-2007-0688 || url,www.milw0rm.com/exploits/3241 || url,doc.emergingthreats.net/2005068 +1 || 2005069 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid SELECT || cve,CVE-2007-0687 || url,www.exploit-db.com/exploits/3232/ || url,doc.emergingthreats.net/2005069 +1 || 2005070 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UNION SELECT || cve,CVE-2007-0687 || url,www.exploit-db.com/exploits/3232/ || url,doc.emergingthreats.net/2005070 +1 || 2005071 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid INSERT || cve,CVE-2007-0687 || url,www.exploit-db.com/exploits/3232/ || url,doc.emergingthreats.net/2005071 +1 || 2005072 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid DELETE || cve,CVE-2007-0687 || url,www.exploit-db.com/exploits/3232/ || url,doc.emergingthreats.net/2005072 +1 || 2005073 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid ASCII || cve,CVE-2007-0687 || url,www.exploit-db.com/exploits/3232/ || url,doc.emergingthreats.net/2005073 +1 || 2005074 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Michelles L2J Dropcalc SQL Injection Attempt -- i-search.php itemid UPDATE || cve,CVE-2007-0687 || url,www.exploit-db.com/exploits/3232/ || url,doc.emergingthreats.net/2005074 +1 || 2005075 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id SELECT || cve,CVE-2007-0678 || url,www.milw0rm.com/exploits/3233 || url,doc.emergingthreats.net/2005075 +1 || 2005076 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UNION SELECT || cve,CVE-2007-0678 || url,www.milw0rm.com/exploits/3233 || url,doc.emergingthreats.net/2005076 +1 || 2005077 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id INSERT || cve,CVE-2007-0678 || url,www.milw0rm.com/exploits/3233 || url,doc.emergingthreats.net/2005077 +1 || 2005078 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id DELETE || cve,CVE-2007-0678 || url,www.milw0rm.com/exploits/3233 || url,doc.emergingthreats.net/2005078 +1 || 2005079 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id ASCII || cve,CVE-2007-0678 || url,www.milw0rm.com/exploits/3233 || url,doc.emergingthreats.net/2005079 +1 || 2005080 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite Asp Hosting Sitesi SQL Injection Attempt -- windows.asp kategori_id UPDATE || cve,CVE-2007-0678 || url,www.milw0rm.com/exploits/3233 || url,doc.emergingthreats.net/2005080 +1 || 2005081 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id SELECT || cve,CVE-2007-0676 || url,www.milw0rm.com/exploits/3234 || url,doc.emergingthreats.net/2005081 +1 || 2005082 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UNION SELECT || cve,CVE-2007-0676 || url,www.milw0rm.com/exploits/3234 || url,doc.emergingthreats.net/2005082 +1 || 2005083 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id INSERT || cve,CVE-2007-0676 || url,www.milw0rm.com/exploits/3234 || url,doc.emergingthreats.net/2005083 +1 || 2005084 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id DELETE || cve,CVE-2007-0676 || url,www.milw0rm.com/exploits/3234 || url,doc.emergingthreats.net/2005084 +1 || 2005085 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id ASCII || cve,CVE-2007-0676 || url,www.milw0rm.com/exploits/3234 || url,doc.emergingthreats.net/2005085 +1 || 2005086 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ExoPHPDesk SQL Injection Attempt -- faq.php id UPDATE || cve,CVE-2007-0676 || url,www.milw0rm.com/exploits/3234 || url,doc.emergingthreats.net/2005086 +1 || 2005087 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid SELECT || cve,CVE-2007-0663 || url,www.frsirt.com/english/advisories/2007/0424 || url,doc.emergingthreats.net/2005087 +1 || 2005088 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UNION SELECT || cve,CVE-2007-0663 || url,www.frsirt.com/english/advisories/2007/0424 || url,doc.emergingthreats.net/2005088 +1 || 2005089 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid INSERT || cve,CVE-2007-0663 || url,www.frsirt.com/english/advisories/2007/0424 || url,doc.emergingthreats.net/2005089 +1 || 2005090 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid DELETE || cve,CVE-2007-0663 || url,www.frsirt.com/english/advisories/2007/0424 || url,doc.emergingthreats.net/2005090 +1 || 2005091 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid ASCII || cve,CVE-2007-0663 || url,www.frsirt.com/english/advisories/2007/0424 || url,doc.emergingthreats.net/2005091 +1 || 2005092 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php qid UPDATE || cve,CVE-2007-0663 || url,www.frsirt.com/english/advisories/2007/0424 || url,doc.emergingthreats.net/2005092 +1 || 2005093 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id SELECT || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005093 +1 || 2005094 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UNION SELECT || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005094 +1 || 2005095 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id INSERT || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005095 +1 || 2005096 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id DELETE || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005096 +1 || 2005097 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id ASCII || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005097 +1 || 2005098 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp id UPDATE || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005098 +1 || 2005099 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass SELECT || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005099 +1 || 2005100 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UNION SELECT || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005100 +1 || 2005101 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass INSERT || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005101 +1 || 2005102 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass DELETE || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005102 +1 || 2005103 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass ASCII || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005103 +1 || 2005104 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Raymond BERTHOU script SQL Injection Attempt -- user_confirm.asp pass UPDATE || cve,CVE-2007-0642 || url,www.securityfocus.com/bid/22350 || url,doc.emergingthreats.net/2005104 +1 || 2005105 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username SELECT || cve,CVE-2007-0632 || url,www.frsirt.com/english/advisories/2007/0341 || url,doc.emergingthreats.net/2005105 +1 || 2005106 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UNION SELECT || cve,CVE-2007-0632 || url,www.frsirt.com/english/advisories/2007/0341 || url,doc.emergingthreats.net/2005106 +1 || 2005107 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username INSERT || cve,CVE-2007-0632 || url,www.frsirt.com/english/advisories/2007/0341 || url,doc.emergingthreats.net/2005107 +1 || 2005108 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username DELETE || cve,CVE-2007-0632 || url,www.frsirt.com/english/advisories/2007/0341 || url,doc.emergingthreats.net/2005108 +1 || 2005109 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username ASCII || cve,CVE-2007-0632 || url,www.frsirt.com/english/advisories/2007/0341 || url,doc.emergingthreats.net/2005109 +1 || 2005110 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- artreplydelete.asp username UPDATE || cve,CVE-2007-0632 || url,www.frsirt.com/english/advisories/2007/0341 || url,doc.emergingthreats.net/2005110 +1 || 2005111 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid SELECT || cve,CVE-2007-0631 || url,www.milw0rm.com/exploits/3227 || url,doc.emergingthreats.net/2005111 +1 || 2005112 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UNION SELECT || cve,CVE-2007-0631 || url,www.milw0rm.com/exploits/3227 || url,doc.emergingthreats.net/2005112 +1 || 2005113 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid INSERT || cve,CVE-2007-0631 || url,www.milw0rm.com/exploits/3227 || url,doc.emergingthreats.net/2005113 +1 || 2005114 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid DELETE || cve,CVE-2007-0631 || url,www.milw0rm.com/exploits/3227 || url,doc.emergingthreats.net/2005114 +1 || 2005115 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid ASCII || cve,CVE-2007-0631 || url,www.milw0rm.com/exploits/3227 || url,doc.emergingthreats.net/2005115 +1 || 2005116 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclectic Designs CascadianFAQ SQL Injection Attempt -- index.php catid UPDATE || cve,CVE-2007-0631 || url,www.milw0rm.com/exploits/3227 || url,doc.emergingthreats.net/2005116 +1 || 2005117 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id SELECT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005117 +1 || 2005118 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UNION SELECT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005118 +1 || 2005119 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id INSERT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005119 +1 || 2005120 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id DELETE || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005120 +1 || 2005121 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id ASCII || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005121 +1 || 2005122 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php id UPDATE || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005122 +1 || 2005123 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from SELECT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005123 +1 || 2005124 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UNION SELECT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005124 +1 || 2005125 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from INSERT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005125 +1 || 2005126 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from DELETE || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005126 +1 || 2005127 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from ASCII || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005127 +1 || 2005128 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php from UPDATE || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005128 +1 || 2005129 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q SELECT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005129 +1 || 2005130 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UNION SELECT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005130 +1 || 2005131 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q INSERT || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005131 +1 || 2005132 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q DELETE || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005132 +1 || 2005133 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q ASCII || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005133 +1 || 2005134 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-dev xNews SQL Injection Attempt -- class.news.php q UPDATE || cve,CVE-2007-0630 || url,www.frsirt.com/english/advisories/2007/0395 || url,doc.emergingthreats.net/2005134 +1 || 2005135 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow SELECT || cve,CVE-2007-0623 || url,www.securityfocus.com/bid/22293 || url,doc.emergingthreats.net/2005135 +1 || 2005136 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UNION SELECT || cve,CVE-2007-0623 || url,www.securityfocus.com/bid/22293 || url,doc.emergingthreats.net/2005136 +1 || 2005137 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow INSERT || cve,CVE-2007-0623 || url,www.securityfocus.com/bid/22293 || url,doc.emergingthreats.net/2005137 +1 || 2005138 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow DELETE || cve,CVE-2007-0623 || url,www.securityfocus.com/bid/22293 || url,doc.emergingthreats.net/2005138 +1 || 2005139 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow ASCII || cve,CVE-2007-0623 || url,www.securityfocus.com/bid/22293 || url,doc.emergingthreats.net/2005139 +1 || 2005140 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXdev MDPro SQL Injection Attempt -- index.php startrow UPDATE || cve,CVE-2007-0623 || url,www.securityfocus.com/bid/22293 || url,doc.emergingthreats.net/2005140 +1 || 2005141 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid SELECT || cve,CVE-2007-0600 || url,www.exploit-db.com/exploits/3194/ || url,doc.emergingthreats.net/2005141 +1 || 2005142 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UNION SELECT || cve,CVE-2007-0600 || url,www.exploit-db.com/exploits/3194/ || url,doc.emergingthreats.net/2005142 +1 || 2005143 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid INSERT || cve,CVE-2007-0600 || url,www.exploit-db.com/exploits/3194/ || url,doc.emergingthreats.net/2005143 +1 || 2005144 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid DELETE || cve,CVE-2007-0600 || url,www.exploit-db.com/exploits/3194/ || url,doc.emergingthreats.net/2005144 +1 || 2005145 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid ASCII || cve,CVE-2007-0600 || url,www.exploit-db.com/exploits/3194/ || url,doc.emergingthreats.net/2005145 +1 || 2005146 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Martyn Kilbryde Newsposter Script SQL Injection Attempt -- news_page.asp uid UPDATE || cve,CVE-2007-0600 || url,www.exploit-db.com/exploits/3194/ || url,doc.emergingthreats.net/2005146 +1 || 2005147 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UNION SELECT || cve,CVE-2007-0589 || url,www.milw0rm.com/exploits/3197 || url,doc.emergingthreats.net/2005147 +1 || 2005148 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user INSERT || cve,CVE-2007-0589 || url,www.milw0rm.com/exploits/3197 || url,doc.emergingthreats.net/2005148 +1 || 2005149 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user DELETE || cve,CVE-2007-0589 || url,www.milw0rm.com/exploits/3197 || url,doc.emergingthreats.net/2005149 +1 || 2005150 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user ASCII || cve,CVE-2007-0589 || url,www.milw0rm.com/exploits/3197 || url,doc.emergingthreats.net/2005150 +1 || 2005151 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user UPDATE || cve,CVE-2007-0589 || url,www.milw0rm.com/exploits/3197 || url,doc.emergingthreats.net/2005151 +1 || 2005152 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines SELECT || cve,CVE-2007-0574 || url,www.securityfocus.com/bid/22282 || url,doc.emergingthreats.net/2005152 +1 || 2005153 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UNION SELECT || cve,CVE-2007-0574 || url,www.securityfocus.com/bid/22282 || url,doc.emergingthreats.net/2005153 +1 || 2005154 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines DELETE || cve,CVE-2007-0574 || url,www.securityfocus.com/bid/22282 || url,doc.emergingthreats.net/2005154 +1 || 2005155 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines INSERT || cve,CVE-2007-0574 || url,www.securityfocus.com/bid/22282 || url,doc.emergingthreats.net/2005155 +1 || 2005156 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines ASCII || cve,CVE-2007-0574 || url,www.securityfocus.com/bid/22282 || url,doc.emergingthreats.net/2005156 +1 || 2005157 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SpoonLabs Vivvo Article Management CMS (phpWordPress) SQL Injection Attempt -- show_webfeed.php wcHeadlines UPDATE || cve,CVE-2007-0574 || url,www.securityfocus.com/bid/22282 || url,doc.emergingthreats.net/2005157 +1 || 2005158 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id SELECT || cve,CVE-2007-0569 || url,www.milw0rm.com/exploits/3216 || url,doc.emergingthreats.net/2005158 +1 || 2005159 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UNION SELECT || cve,CVE-2007-0569 || url,www.milw0rm.com/exploits/3216 || url,doc.emergingthreats.net/2005159 +1 || 2005160 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id INSERT || cve,CVE-2007-0569 || url,www.milw0rm.com/exploits/3216 || url,doc.emergingthreats.net/2005160 +1 || 2005161 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id DELETE || cve,CVE-2007-0569 || url,www.milw0rm.com/exploits/3216 || url,doc.emergingthreats.net/2005161 +1 || 2005162 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id ASCII || cve,CVE-2007-0569 || url,www.milw0rm.com/exploits/3216 || url,doc.emergingthreats.net/2005162 +1 || 2005163 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS xNews SQL Injection Attempt -- xNews.php id UPDATE || cve,CVE-2007-0569 || url,www.milw0rm.com/exploits/3216 || url,doc.emergingthreats.net/2005163 +1 || 2005164 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id SELECT || cve,CVE-2007-0566 || url,www.milw0rm.com/exploits/3187 || url,doc.emergingthreats.net/2005164 +1 || 2005165 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UNION SELECT || cve,CVE-2007-0566 || url,www.milw0rm.com/exploits/3187 || url,doc.emergingthreats.net/2005165 +1 || 2005166 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id INSERT || cve,CVE-2007-0566 || url,www.milw0rm.com/exploits/3187 || url,doc.emergingthreats.net/2005166 +1 || 2005167 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id DELETE || cve,CVE-2007-0566 || url,www.milw0rm.com/exploits/3187 || url,doc.emergingthreats.net/2005167 +1 || 2005168 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id ASCII || cve,CVE-2007-0566 || url,www.milw0rm.com/exploits/3187 || url,doc.emergingthreats.net/2005168 +1 || 2005169 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP NEWS SQL Injection Attempt -- news_detail.asp id UPDATE || cve,CVE-2007-0566 || url,www.milw0rm.com/exploits/3187 || url,doc.emergingthreats.net/2005169 +1 || 2005170 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user SELECT || cve,CVE-2007-0560 || url,www.milw0rm.com/exploits/3186 || url,doc.emergingthreats.net/2005170 +1 || 2005171 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UNION SELECT || cve,CVE-2007-0560 || url,www.milw0rm.com/exploits/3186 || url,doc.emergingthreats.net/2005171 +1 || 2005172 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user INSERT || cve,CVE-2007-0560 || url,www.milw0rm.com/exploits/3186 || url,doc.emergingthreats.net/2005172 +1 || 2005173 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user DELETE || cve,CVE-2007-0560 || url,www.milw0rm.com/exploits/3186 || url,doc.emergingthreats.net/2005173 +1 || 2005174 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user ASCII || cve,CVE-2007-0560 || url,www.milw0rm.com/exploits/3186 || url,doc.emergingthreats.net/2005174 +1 || 2005175 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP EDGE SQL Injection Attempt -- user.asp user UPDATE || cve,CVE-2007-0560 || url,www.milw0rm.com/exploits/3186 || url,doc.emergingthreats.net/2005175 +1 || 2005176 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Forum Livre SQL Injection Attempt -- info_user.asp user SELECT || cve,CVE-2007-0589 || url,www.milw0rm.com/exploits/3197 || url,doc.emergingthreats.net/2005176 +1 || 2005177 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AJ Forum SQL Injection Attempt -- topic_title.php td_id UNION SELECT || cve,CVE-2007-1295 || url,www.milw0rm.com/exploits/3411 || url,doc.emergingthreats.net/2005177 +1 || 2005179 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hunkaray Okul Portaly SQL Injection Attempt -- haberoku.asp id SELECT || cve,CVE-2007-3080 || url,www.securityfocus.com/bid/24288 || url,doc.emergingthreats.net/2005179 +1 || 2005180 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php INSERT || cve,CVE-2006-7101 || url,www.milw0rm.com/exploits/2759 || url,doc.emergingthreats.net/2005180 +1 || 2005181 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPWind SQL Injection Attempt -- admin.php UPDATE || cve,CVE-2006-7101 || url,www.milw0rm.com/exploits/2759 || url,doc.emergingthreats.net/2005181 +1 || 2005185 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tyger Bug Tracking System (TygerBT) SQL Injection Attempt -- ViewBugs.php s UNION SELECT || cve,CVE-2007-1289 || url,www.securityfocus.com/bid/22799 || url,doc.emergingthreats.net/2005185 +1 || 2005186 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Online Web Building SQL Injection Attempt -- page.asp art_id SELECT || cve,CVE-2007-1058 || url,www.milw0rm.com/exploits/3339 || url,doc.emergingthreats.net/2005186 +1 || 2005187 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UNION SELECT || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005187 +1 || 2005188 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay INSERT || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005188 +1 || 2005189 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay DELETE || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005189 +1 || 2005190 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay ASCII || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005190 +1 || 2005191 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay UPDATE || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005191 +1 || 2005192 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id SELECT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005192 +1 || 2005193 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UNION SELECT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005193 +1 || 2005194 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id INSERT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005194 +1 || 2005195 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id DELETE || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005195 +1 || 2005196 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id ASCII || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005196 +1 || 2005197 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp id UPDATE || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005197 +1 || 2005198 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass SELECT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005198 +1 || 2005199 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UNION SELECT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005199 +1 || 2005200 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass INSERT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005200 +1 || 2005201 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass DELETE || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005201 +1 || 2005202 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass ASCII || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005202 +1 || 2005203 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- mezungiris.asp pass UPDATE || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005203 +1 || 2005204 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass SELECT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005204 +1 || 2005205 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UNION SELECT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005205 +1 || 2005206 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass INSERT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005206 +1 || 2005207 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass DELETE || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005207 +1 || 2005208 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass ASCII || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005208 +1 || 2005209 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp pass UPDATE || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005209 +1 || 2005210 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id SELECT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005210 +1 || 2005211 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UNION SELECT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005211 +1 || 2005212 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id INSERT || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005212 +1 || 2005213 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id DELETE || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005213 +1 || 2005214 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id ASCII || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005214 +1 || 2005215 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zindizayn Okul Web Sistemi SQL Injection Attempt -- ogretmenkontrol.asp id UPDATE || cve,CVE-2007-3178 || url,www.securityfocus.com/archive/1/archive/1/469710/100/0/threaded || url,doc.emergingthreats.net/2005215 +1 || 2005216 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month SELECT || cve,CVE-2007-3179 || url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded || url,doc.emergingthreats.net/2005216 +1 || 2005217 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UNION SELECT || cve,CVE-2007-3179 || url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded || url,doc.emergingthreats.net/2005217 +1 || 2005218 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month INSERT || cve,CVE-2007-3179 || url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded || url,doc.emergingthreats.net/2005218 +1 || 2005219 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month DELETE || cve,CVE-2007-3179 || url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded || url,doc.emergingthreats.net/2005219 +1 || 2005220 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month ASCII || cve,CVE-2007-3179 || url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded || url,doc.emergingthreats.net/2005220 +1 || 2005221 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Particle Blogger SQL Injection Attempt -- archives.php month UPDATE || cve,CVE-2007-3179 || url,www.securityfocus.com/archive/1/archive/1/469984/100/0/threaded || url,doc.emergingthreats.net/2005221 +1 || 2005222 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id SELECT || cve,CVE-2007-0554 || url,www.milw0rm.com/exploits/3195 || url,doc.emergingthreats.net/2005222 +1 || 2005223 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UNION SELECT || cve,CVE-2007-0554 || url,www.milw0rm.com/exploits/3195 || url,doc.emergingthreats.net/2005223 +1 || 2005224 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id INSERT || cve,CVE-2007-0554 || url,www.milw0rm.com/exploits/3195 || url,doc.emergingthreats.net/2005224 +1 || 2005225 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id DELETE || cve,CVE-2007-0554 || url,www.milw0rm.com/exploits/3195 || url,doc.emergingthreats.net/2005225 +1 || 2005226 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id UPDATE || cve,CVE-2007-0554 || url,www.milw0rm.com/exploits/3195 || url,doc.emergingthreats.net/2005226 +1 || 2005227 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID SELECT || cve,CVE-2007-0527 || url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html || url,doc.emergingthreats.net/2005227 +1 || 2005228 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UNION SELECT || cve,CVE-2007-0527 || url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html || url,doc.emergingthreats.net/2005228 +1 || 2005229 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID INSERT || cve,CVE-2007-0527 || url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html || url,doc.emergingthreats.net/2005229 +1 || 2005230 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID DELETE || cve,CVE-2007-0527 || url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html || url,doc.emergingthreats.net/2005230 +1 || 2005231 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID ASCII || cve,CVE-2007-0527 || url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html || url,doc.emergingthreats.net/2005231 +1 || 2005232 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Baker SQL Injection Attempt -- eWebQuiz.asp QuizID UPDATE || cve,CVE-2007-0527 || url,downloads.securityfocus.com/vulnerabilities/exploits/22176.html || url,doc.emergingthreats.net/2005232 +1 || 2005233 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid SELECT || cve,CVE-2007-0520 || url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded || url,doc.emergingthreats.net/2005233 +1 || 2005234 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UNION SELECT || cve,CVE-2007-0520 || url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded || url,doc.emergingthreats.net/2005234 +1 || 2005235 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid INSERT || cve,CVE-2007-0520 || url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded || url,doc.emergingthreats.net/2005235 +1 || 2005236 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid DELETE || cve,CVE-2007-0520 || url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded || url,doc.emergingthreats.net/2005236 +1 || 2005237 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid ASCII || cve,CVE-2007-0520 || url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded || url,doc.emergingthreats.net/2005237 +1 || 2005238 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Unique Ads (UDS) SQL Injection Attempt -- banner.php bid UPDATE || cve,CVE-2007-0520 || url,www.securityfocus.com/archive/1/archive/1/457667/100/0/threaded || url,doc.emergingthreats.net/2005238 +1 || 2005239 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID SELECT || cve,CVE-2007-0520 || url,www.milw0rm.com/exploits/3172 || url,doc.emergingthreats.net/2005239 +1 || 2005240 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UNION SELECT || cve,CVE-2007-0520 || url,www.milw0rm.com/exploits/3172 || url,doc.emergingthreats.net/2005240 +1 || 2005241 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID INSERT || cve,CVE-2007-0520 || url,www.milw0rm.com/exploits/3172 || url,doc.emergingthreats.net/2005241 +1 || 2005242 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID DELETE || cve,CVE-2007-0520 || url,www.milw0rm.com/exploits/3172 || url,doc.emergingthreats.net/2005242 +1 || 2005243 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID ASCII || cve,CVE-2007-0520 || url,www.milw0rm.com/exploits/3172 || url,doc.emergingthreats.net/2005243 +1 || 2005244 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php picID UPDATE || cve,CVE-2007-0520 || url,www.milw0rm.com/exploits/3172 || url,doc.emergingthreats.net/2005244 +1 || 2005245 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id SELECT || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005245 +1 || 2005246 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UNION SELECT || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005246 +1 || 2005247 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id INSERT || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005247 +1 || 2005248 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id DELETE || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005248 +1 || 2005249 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id ASCII || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005249 +1 || 2005250 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php id UPDATE || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005250 +1 || 2005251 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID SELECT || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005251 +1 || 2005252 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID INSERT || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005252 +1 || 2005253 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID DELETE || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005253 +1 || 2005254 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID ASCII || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005254 +1 || 2005255 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UPDATE || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005255 +1 || 2005256 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat SELECT || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005256 +1 || 2005257 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UNION SELECT || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005257 +1 || 2005258 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat INSERT || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005258 +1 || 2005259 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat DELETE || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005259 +1 || 2005260 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat ASCII || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005260 +1 || 2005261 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_owned.php cat UPDATE || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005261 +1 || 2005262 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat SELECT || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005262 +1 || 2005263 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UNION SELECT || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005263 +1 || 2005264 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat INSERT || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005264 +1 || 2005265 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat DELETE || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005265 +1 || 2005266 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat ASCII || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005266 +1 || 2005267 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast SQL Injection Attempt -- show_joined.php cat UPDATE || cve,CVE-2007-0484 || url,www.securityfocus.com/bid/22180 || url,doc.emergingthreats.net/2005267 +1 || 2005268 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword SELECT || cve,CVE-2007-0403 || url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded || url,doc.emergingthreats.net/2005268 +1 || 2005269 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UNION SELECT || cve,CVE-2007-0403 || url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded || url,doc.emergingthreats.net/2005269 +1 || 2005270 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword INSERT || cve,CVE-2007-0403 || url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded || url,doc.emergingthreats.net/2005270 +1 || 2005271 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword DELETE || cve,CVE-2007-0403 || url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded || url,doc.emergingthreats.net/2005271 +1 || 2005272 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword ASCII || cve,CVE-2007-0403 || url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded || url,doc.emergingthreats.net/2005272 +1 || 2005273 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Paypal Subscription Manager SQL Injection Attempt -- memberlist.php keyword UPDATE || cve,CVE-2007-0403 || url,www.securityfocus.com/archive/1/archive/1/457506/100/0/threaded || url,doc.emergingthreats.net/2005273 +1 || 2005274 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row SELECT || cve,CVE-2007-0401 || url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded || url,doc.emergingthreats.net/2005274 +1 || 2005275 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UNION SELECT || cve,CVE-2007-0401 || url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded || url,doc.emergingthreats.net/2005275 +1 || 2005276 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row INSERT || cve,CVE-2007-0401 || url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded || url,doc.emergingthreats.net/2005276 +1 || 2005277 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row DELETE || cve,CVE-2007-0401 || url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded || url,doc.emergingthreats.net/2005277 +1 || 2005278 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row ASCII || cve,CVE-2007-0401 || url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded || url,doc.emergingthreats.net/2005278 +1 || 2005279 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easebay Resources Login Manager SQL Injection Attempt -- memberlist.php init_row UPDATE || cve,CVE-2007-0401 || url,www.securityfocus.com/archive/1/archive/1/457505/100/0/threaded || url,doc.emergingthreats.net/2005279 +1 || 2005280 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids SELECT || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005280 +1 || 2005281 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UNION SELECT || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005281 +1 || 2005282 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids INSERT || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005282 +1 || 2005283 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids DELETE || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005283 +1 || 2005284 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids ASCII || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005284 +1 || 2005285 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php boardids UPDATE || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005285 +1 || 2005286 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board SELECT || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005286 +1 || 2005287 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UNION SELECT || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005287 +1 || 2005288 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board INSERT || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005288 +1 || 2005289 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board DELETE || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005289 +1 || 2005290 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board ASCII || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005290 +1 || 2005291 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board (wBB) SQL Injection Attempt -- search.php board UPDATE || cve,CVE-2007-0388 || url,www.milw0rm.com/exploits/3144 || url,doc.emergingthreats.net/2005291 +1 || 2005292 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid SELECT || cve,CVE-2007-0387 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005292 +1 || 2005293 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UNION SELECT || cve,CVE-2007-0387 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005293 +1 || 2005294 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid INSERT || cve,CVE-2007-0387 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005294 +1 || 2005295 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid DELETE || cve,CVE-2007-0387 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005295 +1 || 2005296 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid ASCII || cve,CVE-2007-0387 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005296 +1 || 2005297 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- category.php catid UPDATE || cve,CVE-2007-0387 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005297 +1 || 2005298 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id SELECT || cve,CVE-2007-0382 || url,www.securityfocus.com/bid/22117 || url,doc.emergingthreats.net/2005298 +1 || 2005299 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UNION SELECT || cve,CVE-2007-0382 || url,www.securityfocus.com/bid/22117 || url,doc.emergingthreats.net/2005299 +1 || 2005300 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id INSERT || cve,CVE-2007-0382 || url,www.securityfocus.com/bid/22117 || url,doc.emergingthreats.net/2005300 +1 || 2005301 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id DELETE || cve,CVE-2007-0382 || url,www.securityfocus.com/bid/22117 || url,doc.emergingthreats.net/2005301 +1 || 2005302 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id ASCII || cve,CVE-2007-0382 || url,www.securityfocus.com/bid/22117 || url,doc.emergingthreats.net/2005302 +1 || 2005303 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- letterman.class.php id UPDATE || cve,CVE-2007-0382 || url,www.securityfocus.com/bid/22117 || url,doc.emergingthreats.net/2005303 +1 || 2005304 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft SELECT || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005304 +1 || 2005305 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UNION SELECT || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005305 +1 || 2005306 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft INSERT || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005306 +1 || 2005307 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft DELETE || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005307 +1 || 2005308 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft ASCII || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005308 +1 || 2005309 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- mailer.w2b draft UPDATE || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005309 +1 || 2005310 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W2B Online Banking SQL Injection Attempt -- DocPay.w2b listDocPay SELECT || cve,CVE-2007-3175 || url,xforce.iss.net/xforce/xfdb/34593 || url,doc.emergingthreats.net/2005310 +1 || 2005311 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Guo Xu Guos Posting System (GPS) SQL Injection Attempt -- print.asp id ASCII || cve,CVE-2007-0554 || url,www.milw0rm.com/exploits/3195 || url,doc.emergingthreats.net/2005311 +1 || 2005312 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webSPELL SQL Injection Attempt -- gallery.php galleryID UNION SELECT || cve,CVE-2007-0492 || url,www.frsirt.com/english/advisories/2007/0270 || url,doc.emergingthreats.net/2005312 +1 || 2005318 || 8 || trojan-activity || 0 || ET MALWARE Statblaster.com Spyware User-Agent (fetcher) || url,doc.emergingthreats.net/2005318 +1 || 2005319 || 5 || trojan-activity || 0 || ET MALWARE Bizconcept.info Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2005319 +1 || 2005320 || 10 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (MyAgent) || url,doc.emergingthreats.net/bin/view/Main/2005320 +1 || 2005321 || 8 || trojan-activity || 0 || ET MALWARE NavExcel Spyware User-Agent (NavHelper) || url,doc.emergingthreats.net/2005321 +1 || 2005322 || 9 || trojan-activity || 0 || ET MALWARE Spylocked Fake Anti-Spyware User-Agent (SpyLocked) +1 || 2005324 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php SELECT || cve,CVE-2007-3244 || url,trac.bbpress.org/ticket/592 || url,doc.emergingthreats.net/2005324 +1 || 2005325 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UNION SELECT || cve,CVE-2007-3244 || url,trac.bbpress.org/ticket/592 || url,doc.emergingthreats.net/2005325 +1 || 2005326 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php INSERT || cve,CVE-2007-3244 || url,trac.bbpress.org/ticket/592 || url,doc.emergingthreats.net/2005326 +1 || 2005327 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php DELETE || cve,CVE-2007-3244 || url,trac.bbpress.org/ticket/592 || url,doc.emergingthreats.net/2005327 +1 || 2005328 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php ASCII || cve,CVE-2007-3244 || url,trac.bbpress.org/ticket/592 || url,doc.emergingthreats.net/2005328 +1 || 2005329 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bbPress SQL Injection Attempt -- formatting-functions.php UPDATE || cve,CVE-2007-3244 || url,trac.bbpress.org/ticket/592 || url,doc.emergingthreats.net/2005329 +1 || 2005330 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic SELECT || cve,CVE-2007-3235 || url,www.milw0rm.com/exploits/4062 || url,doc.emergingthreats.net/2005330 +1 || 2005331 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UNION SELECT || cve,CVE-2007-3235 || url,www.milw0rm.com/exploits/4062 || url,doc.emergingthreats.net/2005331 +1 || 2005332 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic INSERT || cve,CVE-2007-3235 || url,www.milw0rm.com/exploits/4062 || url,doc.emergingthreats.net/2005332 +1 || 2005333 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic DELETE || cve,CVE-2007-3235 || url,www.milw0rm.com/exploits/4062 || url,doc.emergingthreats.net/2005333 +1 || 2005334 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic ASCII || cve,CVE-2007-3235 || url,www.milw0rm.com/exploits/4062 || url,doc.emergingthreats.net/2005334 +1 || 2005335 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fuzzylime Forum SQL Injection Attempt -- low.php topic UPDATE || cve,CVE-2007-3235 || url,www.milw0rm.com/exploits/4062 || url,doc.emergingthreats.net/2005335 +1 || 2005336 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template SELECT || cve,CVE-2007-3214 || url,www.milw0rm.com/exploits/4054 || url,doc.emergingthreats.net/2005336 +1 || 2005337 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UNION SELECT || cve,CVE-2007-3214 || url,www.milw0rm.com/exploits/4054 || url,doc.emergingthreats.net/2005337 +1 || 2005338 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template INSERT || cve,CVE-2007-3214 || url,www.milw0rm.com/exploits/4054 || url,doc.emergingthreats.net/2005338 +1 || 2005339 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template DELETE || cve,CVE-2007-3214 || url,www.milw0rm.com/exploits/4054 || url,doc.emergingthreats.net/2005339 +1 || 2005340 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template ASCII || cve,CVE-2007-3214 || url,www.milw0rm.com/exploits/4054 || url,doc.emergingthreats.net/2005340 +1 || 2005341 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e-Vision CMS SQL Injection Attempt -- style.php template UPDATE || cve,CVE-2007-3214 || url,www.milw0rm.com/exploits/4054 || url,doc.emergingthreats.net/2005341 +1 || 2005342 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT || cve,CVE-2007-3204 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005342 +1 || 2005343 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT || cve,CVE-2007-3204 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005343 +1 || 2005344 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT || cve,CVE-2007-3204 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005344 +1 || 2005345 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE || cve,CVE-2007-3204 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005345 +1 || 2005346 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII || cve,CVE-2007-3204 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005346 +1 || 2005347 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE || cve,CVE-2007-3204 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005347 +1 || 2005348 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php SELECT || cve,CVE-2007-3197 || url,www.vbulletin.org/forum/showthread.php?t=94023&page=38 || url,doc.emergingthreats.net/2005348 +1 || 2005349 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UNION SELECT || cve,CVE-2007-3197 || url,www.vbulletin.org/forum/showthread.php?t=94023&page=38 || url,doc.emergingthreats.net/2005349 +1 || 2005350 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php INSERT || cve,CVE-2007-3197 || url,www.vbulletin.org/forum/showthread.php?t=94023&page=38 || url,doc.emergingthreats.net/2005350 +1 || 2005351 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php DELETE || cve,CVE-2007-3197 || url,www.vbulletin.org/forum/showthread.php?t=94023&page=38 || url,doc.emergingthreats.net/2005351 +1 || 2005352 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php ASCII || cve,CVE-2007-3197 || url,www.vbulletin.org/forum/showthread.php?t=94023&page=38 || url,doc.emergingthreats.net/2005352 +1 || 2005353 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBSupport SQL Injection Attempt -- vBSupport.php UPDATE || cve,CVE-2007-3197 || url,www.vbulletin.org/forum/showthread.php?t=94023&page=38 || url,doc.emergingthreats.net/2005353 +1 || 2005354 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid SELECT || cve,CVE-2007-3196 || url,www.securityfocus.com/bid/24397 || url,doc.emergingthreats.net/2005354 +1 || 2005355 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UNION SELECT || cve,CVE-2007-3196 || url,www.securityfocus.com/bid/24397 || url,doc.emergingthreats.net/2005355 +1 || 2005356 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid INSERT || cve,CVE-2007-3196 || url,www.securityfocus.com/bid/24397 || url,doc.emergingthreats.net/2005356 +1 || 2005357 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid DELETE || cve,CVE-2007-3196 || url,www.securityfocus.com/bid/24397 || url,doc.emergingthreats.net/2005357 +1 || 2005358 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid ASCII || cve,CVE-2007-3196 || url,www.securityfocus.com/bid/24397 || url,doc.emergingthreats.net/2005358 +1 || 2005359 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSupport Integrated Ticket System SQL Injection Attempt -- vBSupport.php ticketid UPDATE || cve,CVE-2007-3196 || url,www.securityfocus.com/bid/24397 || url,doc.emergingthreats.net/2005359 +1 || 2005360 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user SELECT || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005360 +1 || 2005361 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UNION SELECT || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005361 +1 || 2005362 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user INSERT || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005362 +1 || 2005363 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user DELETE || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005363 +1 || 2005364 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user ASCII || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005364 +1 || 2005365 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php user UPDATE || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005365 +1 || 2005366 || 8 || web-application-attack || 0 || ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005366 +1 || 2005367 || 8 || web-application-attack || 0 || ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005367 +1 || 2005368 || 8 || web-application-attack || 0 || ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005368 +1 || 2005369 || 8 || web-application-attack || 0 || ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005369 +1 || 2005370 || 8 || web-application-attack || 0 || ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005370 +1 || 2005371 || 8 || web-application-attack || 0 || ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE || cve,CVE-2007-3190 || url,www.secunia.com/advisories/25587 || url,doc.emergingthreats.net/2005371 +1 || 2005372 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id SELECT || cve,CVE-2007-3188 || url,www.milw0rm.com/exploits/4057 || url,doc.emergingthreats.net/2005372 +1 || 2005373 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UNION SELECT || cve,CVE-2007-3188 || url,www.milw0rm.com/exploits/4057 || url,doc.emergingthreats.net/2005373 +1 || 2005374 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id INSERT || cve,CVE-2007-3188 || url,www.milw0rm.com/exploits/4057 || url,doc.emergingthreats.net/2005374 +1 || 2005375 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id DELETE || cve,CVE-2007-3188 || url,www.milw0rm.com/exploits/4057 || url,doc.emergingthreats.net/2005375 +1 || 2005376 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id ASCII || cve,CVE-2007-3188 || url,www.milw0rm.com/exploits/4057 || url,doc.emergingthreats.net/2005376 +1 || 2005377 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt -- down_indir.asp id UPDATE || cve,CVE-2007-3188 || url,www.milw0rm.com/exploits/4057 || url,doc.emergingthreats.net/2005377 +1 || 2005378 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id SELECT || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005378 +1 || 2005379 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UNION SELECT || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005379 +1 || 2005380 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id INSERT || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005380 +1 || 2005381 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id DELETE || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005381 +1 || 2005382 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id ASCII || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005382 +1 || 2005383 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- group.php id UPDATE || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005383 +1 || 2005384 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid SELECT || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005384 +1 || 2005385 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UNION SELECT || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005385 +1 || 2005386 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid INSERT || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005386 +1 || 2005387 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid DELETE || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005387 +1 || 2005388 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid ASCII || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005388 +1 || 2005389 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- table_broken.php lid UPDATE || cve,CVE-2007-0377 || url,www.securityfocus.com/bid/22399 || url,doc.emergingthreats.net/2005389 +1 || 2005390 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005390 +1 || 2005391 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005391 +1 || 2005392 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005392 +1 || 2005394 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005394 +1 || 2005395 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005395 +1 || 2005396 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005396 +1 || 2005397 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UNION SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005397 +1 || 2005398 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php INSERT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005398 +1 || 2005399 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php DELETE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005399 +1 || 2005400 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php ASCII || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005400 +1 || 2005401 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- gmail.php UPDATE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005401 +1 || 2005402 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005402 +1 || 2005403 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UNION SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005403 +1 || 2005404 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005404 +1 || 2005405 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php DELETE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005405 +1 || 2005406 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php ASCII || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005406 +1 || 2005407 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php UPDATE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005407 +1 || 2005408 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005408 +1 || 2005409 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UNION SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005409 +1 || 2005410 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php INSERT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005410 +1 || 2005411 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php DELETE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005411 +1 || 2005412 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php ASCII || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005412 +1 || 2005413 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- ldap.php UPDATE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005413 +1 || 2005414 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005414 +1 || 2005415 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UNION SELECT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005415 +1 || 2005416 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php INSERT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005416 +1 || 2005417 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php DELETE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005417 +1 || 2005418 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php ASCII || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005418 +1 || 2005419 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- menu.php UPDATE || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005419 +1 || 2005420 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005420 +1 || 2005421 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UNION SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005421 +1 || 2005422 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where INSERT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005422 +1 || 2005423 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where DELETE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005423 +1 || 2005424 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where ASCII || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005424 +1 || 2005425 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- content.php where UPDATE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005425 +1 || 2005426 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005426 +1 || 2005427 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UNION SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005427 +1 || 2005428 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where INSERT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005428 +1 || 2005429 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where DELETE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005429 +1 || 2005430 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where ASCII || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005430 +1 || 2005431 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- weblinks.php where UPDATE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005431 +1 || 2005432 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005432 +1 || 2005433 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UNION SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005433 +1 || 2005434 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text INSERT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005434 +1 || 2005435 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text DELETE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005435 +1 || 2005436 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text ASCII || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005436 +1 || 2005437 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- contacts.php text UPDATE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005437 +1 || 2005438 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005438 +1 || 2005439 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UNION SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005439 +1 || 2005440 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text INSERT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005440 +1 || 2005441 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text DELETE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005441 +1 || 2005442 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text ASCII || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005442 +1 || 2005443 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- categories.php text UPDATE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005443 +1 || 2005444 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005444 +1 || 2005445 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UNION SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005445 +1 || 2005446 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text INSERT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005446 +1 || 2005447 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text DELETE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005447 +1 || 2005448 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text ASCII || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005448 +1 || 2005449 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- sections.php text UPDATE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005449 +1 || 2005450 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005450 +1 || 2005451 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UNION SELECT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005451 +1 || 2005452 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email INSERT || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005452 +1 || 2005453 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email DELETE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005453 +1 || 2005454 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email ASCII || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005454 +1 || 2005455 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- user.php email UPDATE || cve,CVE-2007-0373 || url,www.securityfocus.com/bid/22122 || url,doc.emergingthreats.net/2005455 +1 || 2005456 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005456 +1 || 2005457 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UNION SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005457 +1 || 2005458 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active INSERT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005458 +1 || 2005459 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active DELETE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005459 +1 || 2005460 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active ASCII || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005460 +1 || 2005461 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- modules.php active UPDATE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005461 +1 || 2005462 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005462 +1 || 2005463 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UNION SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005463 +1 || 2005464 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class INSERT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005464 +1 || 2005465 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class DELETE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005465 +1 || 2005466 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class ASCII || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005466 +1 || 2005467 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_class UPDATE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005467 +1 || 2005468 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005468 +1 || 2005469 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UNION SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005469 +1 || 2005470 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl INSERT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005470 +1 || 2005471 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl DELETE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005471 +1 || 2005472 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl ASCII || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005472 +1 || 2005473 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php imageurl UPDATE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005473 +1 || 2005474 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005474 +1 || 2005475 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UNION SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005475 +1 || 2005476 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl INSERT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005476 +1 || 2005477 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl DELETE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005477 +1 || 2005478 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl ASCII || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005478 +1 || 2005479 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php clickurl UPDATE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005479 +1 || 2005480 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005480 +1 || 2005481 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UNION SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005481 +1 || 2005482 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code INSERT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005482 +1 || 2005483 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code DELETE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005483 +1 || 2005484 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code ASCII || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005484 +1 || 2005485 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php ad_code UPDATE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005485 +1 || 2005486 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005486 +1 || 2005487 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UNION SELECT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005487 +1 || 2005489 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position INSERT || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005489 +1 || 2005490 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position DELETE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005490 +1 || 2005491 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position ASCII || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005491 +1 || 2005492 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php position UPDATE || cve,CVE-2007-0372 || url,www.securityfocus.com/bid/22116 || url,doc.emergingthreats.net/2005492 +1 || 2005493 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid SELECT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005493 +1 || 2005494 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UNION SELECT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005494 +1 || 2005495 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid INSERT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005495 +1 || 2005496 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid DELETE || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005496 +1 || 2005497 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid ASCII || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005497 +1 || 2005498 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php Itemid UPDATE || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005498 +1 || 2005499 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id SELECT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005499 +1 || 2005500 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UNION SELECT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005500 +1 || 2005501 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id INSERT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005501 +1 || 2005502 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id DELETE || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005502 +1 || 2005503 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id ASCII || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005503 +1 || 2005504 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php product_id UPDATE || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005504 +1 || 2005505 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id SELECT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005505 +1 || 2005506 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UNION SELECT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005506 +1 || 2005507 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id INSERT || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005507 +1 || 2005508 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id DELETE || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005508 +1 || 2005509 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id ASCII || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005509 +1 || 2005510 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtuemart SQL Injection Attempt -- virtuemart_parser.php category_id UPDATE || cve,CVE-2006-6945 || url,www.securityfocus.com/bid/22123 || url,doc.emergingthreats.net/2005510 +1 || 2005511 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id SELECT || cve,CVE-2007-0354 || url,www.milw0rm.com/exploits/3141 || url,doc.emergingthreats.net/2005511 +1 || 2005512 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UNION SELECT || cve,CVE-2007-0354 || url,www.milw0rm.com/exploits/3141 || url,doc.emergingthreats.net/2005512 +1 || 2005514 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id INSERT || cve,CVE-2007-0354 || url,www.milw0rm.com/exploits/3141 || url,doc.emergingthreats.net/2005514 +1 || 2005515 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id DELETE || cve,CVE-2007-0354 || url,www.milw0rm.com/exploits/3141 || url,doc.emergingthreats.net/2005515 +1 || 2005516 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id ASCII || cve,CVE-2007-0354 || url,www.milw0rm.com/exploits/3141 || url,doc.emergingthreats.net/2005516 +1 || 2005517 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGB OpenSource Guestbook SQL Injection Attempt -- email.php id UPDATE || cve,CVE-2007-0354 || url,www.milw0rm.com/exploits/3141 || url,doc.emergingthreats.net/2005517 +1 || 2005518 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005518 +1 || 2005519 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UNION SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005519 +1 || 2005520 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps INSERT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005520 +1 || 2005521 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps DELETE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005521 +1 || 2005522 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps ASCII || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005522 +1 || 2005523 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php ps UPDATE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005523 +1 || 2005524 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005524 +1 || 2005525 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UNION SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005525 +1 || 2005526 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005526 +1 || 2005527 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us DELETE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005527 +1 || 2005528 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us ASCII || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005528 +1 || 2005529 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us UPDATE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005529 +1 || 2005530 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005530 +1 || 2005531 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UNION SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005531 +1 || 2005532 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f INSERT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005532 +1 || 2005533 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f DELETE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005533 +1 || 2005534 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f ASCII || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005534 +1 || 2005535 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php f UPDATE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005535 +1 || 2005536 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005536 +1 || 2005537 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UNION SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005537 +1 || 2005538 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code INSERT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005538 +1 || 2005539 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code DELETE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005539 +1 || 2005540 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code ASCII || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005540 +1 || 2005541 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php code UPDATE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005541 +1 || 2005542 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005542 +1 || 2005543 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UNION SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005543 +1 || 2005544 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code INSERT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005544 +1 || 2005545 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code DELETE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005545 +1 || 2005546 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code ASCII || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005546 +1 || 2005547 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php code UPDATE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005547 +1 || 2005548 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005548 +1 || 2005549 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UNION SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005549 +1 || 2005550 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f INSERT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005550 +1 || 2005551 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f DELETE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005551 +1 || 2005552 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f ASCII || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005552 +1 || 2005553 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php f UPDATE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005553 +1 || 2005554 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005554 +1 || 2005555 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UNION SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005555 +1 || 2005556 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us INSERT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005556 +1 || 2005557 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us DELETE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005557 +1 || 2005558 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us ASCII || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005558 +1 || 2005559 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php us UPDATE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005559 +1 || 2005560 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005560 +1 || 2005561 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UNION SELECT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005561 +1 || 2005562 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps INSERT || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005562 +1 || 2005563 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps DELETE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005563 +1 || 2005564 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps ASCII || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005564 +1 || 2005566 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- dl.php ps UPDATE || cve,CVE-2007-0350 || url,www.frsirt.com/english/advisories/2007/0221 || url,doc.emergingthreats.net/2005566 +1 || 2005567 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board SELECT || cve,CVE-2007-0340 || url,www.milw0rm.com/exploits/3124 || url,doc.emergingthreats.net/2005567 +1 || 2005568 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UNION SELECT || cve,CVE-2007-0340 || url,www.milw0rm.com/exploits/3124 || url,doc.emergingthreats.net/2005568 +1 || 2005569 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board INSERT || cve,CVE-2007-0340 || url,www.milw0rm.com/exploits/3124 || url,doc.emergingthreats.net/2005569 +1 || 2005570 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE || cve,CVE-2007-0340 || url,www.milw0rm.com/exploits/3124 || url,doc.emergingthreats.net/2005570 +1 || 2005571 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board ASCII || cve,CVE-2007-0340 || url,www.milw0rm.com/exploits/3124 || url,doc.emergingthreats.net/2005571 +1 || 2005572 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board UPDATE || cve,CVE-2007-0340 || url,www.milw0rm.com/exploits/3124 || url,doc.emergingthreats.net/2005572 +1 || 2005573 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name SELECT || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005573 +1 || 2005574 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UNION SELECT || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005574 +1 || 2005575 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name INSERT || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005575 +1 || 2005576 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name DELETE || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005576 +1 || 2005577 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name ASCII || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005577 +1 || 2005578 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_authorization.php xuser_name UPDATE || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005578 +1 || 2005579 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did SELECT || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005579 +1 || 2005580 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UNION SELECT || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005580 +1 || 2005581 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did INSERT || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005581 +1 || 2005582 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did DELETE || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005582 +1 || 2005583 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did ASCII || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005583 +1 || 2005584 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_downloads.php did UPDATE || cve,CVE-2007-0316 || url,www.securityfocus.com/bid/22032 || url,doc.emergingthreats.net/2005584 +1 || 2005585 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat SELECT || cve,CVE-2007-0309 || url,www.securityfocus.com/bid/22037 || url,doc.emergingthreats.net/2005585 +1 || 2005586 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UNION SELECT || cve,CVE-2007-0309 || url,www.securityfocus.com/bid/22037 || url,doc.emergingthreats.net/2005586 +1 || 2005587 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat INSERT || cve,CVE-2007-0309 || url,www.securityfocus.com/bid/22037 || url,doc.emergingthreats.net/2005587 +1 || 2005588 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat DELETE || cve,CVE-2007-0309 || url,www.securityfocus.com/bid/22037 || url,doc.emergingthreats.net/2005588 +1 || 2005589 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat ASCII || cve,CVE-2007-0309 || url,www.securityfocus.com/bid/22037 || url,doc.emergingthreats.net/2005589 +1 || 2005590 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- block-Old_Articles.php cat UPDATE || cve,CVE-2007-0309 || url,www.securityfocus.com/bid/22037 || url,doc.emergingthreats.net/2005590 +1 || 2005591 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id SELECT || cve,CVE-2007-0306 || url,www.milw0rm.com/exploits/3122 || url,doc.emergingthreats.net/2005591 +1 || 2005592 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UNION SELECT || cve,CVE-2007-0306 || url,www.milw0rm.com/exploits/3122 || url,doc.emergingthreats.net/2005592 +1 || 2005593 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id INSERT || cve,CVE-2007-0306 || url,www.milw0rm.com/exploits/3122 || url,doc.emergingthreats.net/2005593 +1 || 2005594 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id DELETE || cve,CVE-2007-0306 || url,www.milw0rm.com/exploits/3122 || url,doc.emergingthreats.net/2005594 +1 || 2005595 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id ASCII || cve,CVE-2007-0306 || url,www.milw0rm.com/exploits/3122 || url,doc.emergingthreats.net/2005595 +1 || 2005596 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digiappz DigiAffiliate SQL Injection Attempt -- visu_user.asp id UPDATE || cve,CVE-2007-0306 || url,www.milw0rm.com/exploits/3122 || url,doc.emergingthreats.net/2005596 +1 || 2005597 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id SELECT || cve,CVE-2007-0305 || url,www.milw0rm.com/exploits/3135 || url,doc.emergingthreats.net/2005597 +1 || 2005598 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UNION SELECT || cve,CVE-2007-0305 || url,www.milw0rm.com/exploits/3135 || url,doc.emergingthreats.net/2005598 +1 || 2005599 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id INSERT || cve,CVE-2007-0305 || url,www.milw0rm.com/exploits/3135 || url,doc.emergingthreats.net/2005599 +1 || 2005600 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id DELETE || cve,CVE-2007-0305 || url,www.milw0rm.com/exploits/3135 || url,doc.emergingthreats.net/2005600 +1 || 2005601 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id ASCII || cve,CVE-2007-0305 || url,www.milw0rm.com/exploits/3135 || url,doc.emergingthreats.net/2005601 +1 || 2005602 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Okul Web Otomasyon Sistemi SQL Injection Attempt -- etkinlikbak.asp id UPDATE || cve,CVE-2007-0305 || url,www.milw0rm.com/exploits/3135 || url,doc.emergingthreats.net/2005602 +1 || 2005603 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id SELECT || cve,CVE-2007-0304 || url,www.milw0rm.com/exploits/3120 || url,doc.emergingthreats.net/2005603 +1 || 2005604 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UNION SELECT || cve,CVE-2007-0304 || url,www.milw0rm.com/exploits/3120 || url,doc.emergingthreats.net/2005604 +1 || 2005605 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id INSERT || cve,CVE-2007-0304 || url,www.milw0rm.com/exploits/3120 || url,doc.emergingthreats.net/2005605 +1 || 2005606 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id DELETE || cve,CVE-2007-0304 || url,www.milw0rm.com/exploits/3120 || url,doc.emergingthreats.net/2005606 +1 || 2005607 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id ASCII || cve,CVE-2007-0304 || url,www.milw0rm.com/exploits/3120 || url,doc.emergingthreats.net/2005607 +1 || 2005608 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MiNT Haber Sistemi SQL Injection Attempt -- duyuru.asp id UPDATE || cve,CVE-2007-0304 || url,www.milw0rm.com/exploits/3120 || url,doc.emergingthreats.net/2005608 +1 || 2005609 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder SELECT || cve,CVE-2006-6937 || url,www.securityfocus.com/bid/21138 || url,doc.emergingthreats.net/2005609 +1 || 2005610 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UNION SELECT || cve,CVE-2006-6937 || url,www.securityfocus.com/bid/21138 || url,doc.emergingthreats.net/2005610 +1 || 2005611 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder INSERT || cve,CVE-2006-6937 || url,www.securityfocus.com/bid/21138 || url,doc.emergingthreats.net/2005611 +1 || 2005612 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder DELETE || cve,CVE-2006-6937 || url,www.securityfocus.com/bid/21138 || url,doc.emergingthreats.net/2005612 +1 || 2005613 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder ASCII || cve,CVE-2006-6937 || url,www.securityfocus.com/bid/21138 || url,doc.emergingthreats.net/2005613 +1 || 2005614 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xtreme ASP Photo Gallery SQL Injection Attempt -- displaypic.asp sortorder UPDATE || cve,CVE-2006-6937 || url,www.securityfocus.com/bid/21138 || url,doc.emergingthreats.net/2005614 +1 || 2005615 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid SELECT || cve,CVE-2007-0266 || url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded || url,doc.emergingthreats.net/2005615 +1 || 2005616 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UNION SELECT || cve,CVE-2007-0266 || url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded || url,doc.emergingthreats.net/2005616 +1 || 2005617 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid INSERT || cve,CVE-2007-0266 || url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded || url,doc.emergingthreats.net/2005617 +1 || 2005618 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid DELETE || cve,CVE-2007-0266 || url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded || url,doc.emergingthreats.net/2005618 +1 || 2005619 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid ASCII || cve,CVE-2007-0266 || url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded || url,doc.emergingthreats.net/2005619 +1 || 2005620 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ezboxx Portal System Beta SQL Injection Attempt -- ShowAppendix.asp iid UPDATE || cve,CVE-2007-0266 || url,www.securityfocus.com/archive/1/archive/1/456699/100/0/threaded || url,doc.emergingthreats.net/2005620 +1 || 2005621 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid SELECT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005621 +1 || 2005622 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UNION SELECT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005622 +1 || 2005623 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid INSERT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005623 +1 || 2005624 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid DELETE || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005624 +1 || 2005625 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid ASCII || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005625 +1 || 2005626 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php blogid UPDATE || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005626 +1 || 2005627 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid SELECT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005627 +1 || 2005628 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UNION SELECT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005628 +1 || 2005629 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid INSERT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005629 +1 || 2005630 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid DELETE || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005630 +1 || 2005631 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid ASCII || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005631 +1 || 2005632 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- archive.php pid UPDATE || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005632 +1 || 2005633 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid SELECT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005633 +1 || 2005634 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UNION SELECT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005634 +1 || 2005635 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid INSERT || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005635 +1 || 2005636 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid DELETE || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005636 +1 || 2005637 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid ASCII || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005637 +1 || 2005638 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portix-PHP SQL Injection Attempt -- index.php blogid UPDATE || cve,CVE-2006-6935 || url,www.securityfocus.com/bid/20974/exploit || url,doc.emergingthreats.net/2005638 +1 || 2005639 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id SELECT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005639 +1 || 2005640 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UNION SELECT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005640 +1 || 2005641 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id INSERT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005641 +1 || 2005642 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id DELETE || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005642 +1 || 2005643 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id ASCII || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005643 +1 || 2005644 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- dispimage.asp id UPDATE || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005644 +1 || 2005645 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order SELECT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005645 +1 || 2005646 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UNION SELECT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005646 +1 || 2005647 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order INSERT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005647 +1 || 2005648 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order DELETE || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005648 +1 || 2005649 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order ASCII || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005649 +1 || 2005650 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp order UPDATE || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005650 +1 || 2005651 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page SELECT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005651 +1 || 2005652 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UNION SELECT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005652 +1 || 2005653 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page INSERT || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005653 +1 || 2005654 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page DELETE || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005654 +1 || 2005655 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page ASCII || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005655 +1 || 2005656 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Image Gallery with Access Database SQL Injection Attempt -- default.asp page UPDATE || cve,CVE-2006-6932 || url,www.securityfocus.com/bid/21131 || url,doc.emergingthreats.net/2005656 +1 || 2005657 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT || cve,CVE-2007-0233 || url,www.milw0rm.com/exploits/3109 || url,doc.emergingthreats.net/2005657 +1 || 2005658 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT || cve,CVE-2007-0233 || url,www.milw0rm.com/exploits/3109 || url,doc.emergingthreats.net/2005658 +1 || 2005659 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT || cve,CVE-2007-0233 || url,www.milw0rm.com/exploits/3109 || url,doc.emergingthreats.net/2005659 +1 || 2005660 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE || cve,CVE-2007-0233 || url,www.milw0rm.com/exploits/3109 || url,doc.emergingthreats.net/2005660 +1 || 2005661 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII || cve,CVE-2007-0233 || url,www.milw0rm.com/exploits/3109 || url,doc.emergingthreats.net/2005661 +1 || 2005662 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE || cve,CVE-2007-0233 || url,www.milw0rm.com/exploits/3109 || url,doc.emergingthreats.net/2005662 +1 || 2005663 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx SELECT || cve,CVE-2007-0226 || url,www.milw0rm.com/exploits/3106 || url,doc.emergingthreats.net/2005663 +1 || 2005664 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UNION SELECT || cve,CVE-2007-0226 || url,www.milw0rm.com/exploits/3106 || url,doc.emergingthreats.net/2005664 +1 || 2005665 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx INSERT || cve,CVE-2007-0226 || url,www.milw0rm.com/exploits/3106 || url,doc.emergingthreats.net/2005665 +1 || 2005666 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx DELETE || cve,CVE-2007-0226 || url,www.milw0rm.com/exploits/3106 || url,doc.emergingthreats.net/2005666 +1 || 2005667 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx ASCII || cve,CVE-2007-0226 || url,www.milw0rm.com/exploits/3106 || url,doc.emergingthreats.net/2005667 +1 || 2005668 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS uniForum SQL Injection Attempt -- wbsearch.aspx UPDATE || cve,CVE-2007-0226 || url,www.milw0rm.com/exploits/3106 || url,doc.emergingthreats.net/2005668 +1 || 2005669 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname SELECT || cve,CVE-2007-0224 || url,www.milw0rm.com/exploits/3115 || url,doc.emergingthreats.net/2005669 +1 || 2005670 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UNION SELECT || cve,CVE-2007-0224 || url,www.milw0rm.com/exploits/3115 || url,doc.emergingthreats.net/2005670 +1 || 2005671 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname INSERT || cve,CVE-2007-0224 || url,www.milw0rm.com/exploits/3115 || url,doc.emergingthreats.net/2005671 +1 || 2005672 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname DELETE || cve,CVE-2007-0224 || url,www.milw0rm.com/exploits/3115 || url,doc.emergingthreats.net/2005672 +1 || 2005673 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname ASCII || cve,CVE-2007-0224 || url,www.milw0rm.com/exploits/3115 || url,doc.emergingthreats.net/2005673 +1 || 2005674 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VP-ASP Shopping Cart SQL Injection Attempt -- shopgiftregsearch.asp LoginLastname UPDATE || cve,CVE-2007-0224 || url,www.milw0rm.com/exploits/3115 || url,doc.emergingthreats.net/2005674 +1 || 2005675 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category SELECT || cve,CVE-2007-0223 || url,www.secunia.com/advisories/23726 || url,doc.emergingthreats.net/2005675 +1 || 2005676 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UNION SELECT || cve,CVE-2007-0223 || url,www.secunia.com/advisories/23726 || url,doc.emergingthreats.net/2005676 +1 || 2005677 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category INSERT || cve,CVE-2007-0223 || url,www.secunia.com/advisories/23726 || url,doc.emergingthreats.net/2005677 +1 || 2005678 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category DELETE || cve,CVE-2007-0223 || url,www.secunia.com/advisories/23726 || url,doc.emergingthreats.net/2005678 +1 || 2005679 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category ASCII || cve,CVE-2007-0223 || url,www.secunia.com/advisories/23726 || url,doc.emergingthreats.net/2005679 +1 || 2005680 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nicola Asuni All In One Control Panel (AIOCP) SQL Injection Attempt -- cp_functions_downloads.php download_category UPDATE || cve,CVE-2007-0223 || url,www.secunia.com/advisories/23726 || url,doc.emergingthreats.net/2005680 +1 || 2005681 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id SELECT || cve,CVE-2006-6930 || url,www.securityfocus.com/bid/21197 || url,doc.emergingthreats.net/2005681 +1 || 2005682 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UNION SELECT || cve,CVE-2006-6930 || url,www.securityfocus.com/bid/21197 || url,doc.emergingthreats.net/2005682 +1 || 2005683 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id INSERT || cve,CVE-2006-6930 || url,www.securityfocus.com/bid/21197 || url,doc.emergingthreats.net/2005683 +1 || 2005684 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id DELETE || cve,CVE-2006-6930 || url,www.securityfocus.com/bid/21197 || url,doc.emergingthreats.net/2005684 +1 || 2005685 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id ASCII || cve,CVE-2006-6930 || url,www.securityfocus.com/bid/21197 || url,doc.emergingthreats.net/2005685 +1 || 2005686 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rapid Classified SQL Injection Attempt -- viewad.asp id UPDATE || cve,CVE-2006-6930 || url,www.securityfocus.com/bid/21197 || url,doc.emergingthreats.net/2005686 +1 || 2005687 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005687 +1 || 2005688 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005688 +1 || 2005689 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005689 +1 || 2005690 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005690 +1 || 2005691 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005691 +1 || 2005692 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listfull.asp ID UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005692 +1 || 2005693 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005693 +1 || 2005694 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005694 +1 || 2005695 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005695 +1 || 2005696 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005696 +1 || 2005697 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005697 +1 || 2005698 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- printmain.asp ID UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005698 +1 || 2005699 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005699 +1 || 2005700 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005700 +1 || 2005701 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005701 +1 || 2005702 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005702 +1 || 2005703 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005703 +1 || 2005704 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- listmain.asp cat UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005704 +1 || 2005705 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005705 +1 || 2005706 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005706 +1 || 2005707 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005707 +1 || 2005708 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005708 +1 || 2005709 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005709 +1 || 2005710 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cat UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005710 +1 || 2005711 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005711 +1 || 2005712 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005712 +1 || 2005713 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005713 +1 || 2005714 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005714 +1 || 2005715 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005715 +1 || 2005716 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp cat UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005716 +1 || 2005717 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005717 +1 || 2005718 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005718 +1 || 2005719 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005719 +1 || 2005720 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005720 +1 || 2005721 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005721 +1 || 2005722 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp Keyword UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005722 +1 || 2005723 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005723 +1 || 2005724 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005724 +1 || 2005725 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005725 +1 || 2005726 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005726 +1 || 2005727 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005727 +1 || 2005728 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchmain.asp area UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005728 +1 || 2005729 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005729 +1 || 2005730 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005730 +1 || 2005731 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005731 +1 || 2005732 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005732 +1 || 2005733 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005733 +1 || 2005734 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp area UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005734 +1 || 2005735 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005735 +1 || 2005736 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005736 +1 || 2005738 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005738 +1 || 2005739 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005739 +1 || 2005740 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005740 +1 || 2005741 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchkey.asp searchin UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005741 +1 || 2005742 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005742 +1 || 2005743 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005743 +1 || 2005744 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005744 +1 || 2005745 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005745 +1 || 2005746 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005746 +1 || 2005747 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost1 UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005747 +1 || 2005748 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005748 +1 || 2005749 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005749 +1 || 2005750 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005750 +1 || 2005751 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005751 +1 || 2005752 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005752 +1 || 2005753 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp cost2 UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005753 +1 || 2005754 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005754 +1 || 2005755 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005755 +1 || 2005756 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005756 +1 || 2005757 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005757 +1 || 2005758 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005758 +1 || 2005759 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp acreage1 UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005759 +1 || 2005760 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005760 +1 || 2005761 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UNION SELECT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005761 +1 || 2005762 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 INSERT || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005762 +1 || 2005763 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 DELETE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005763 +1 || 2005764 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 ASCII || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005764 +1 || 2005765 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rialto SQL Injection Attempt -- searchoption.asp squarefeet1 UPDATE || cve,CVE-2006-6927 || url,www.securityfocus.com/bid/21191 || url,doc.emergingthreats.net/2005765 +1 || 2005766 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk SELECT || cve,CVE-2006-6923 || url,www.securityfocus.com/bid/20996 || url,doc.emergingthreats.net/2005766 +1 || 2005767 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UNION SELECT || cve,CVE-2006-6923 || url,www.securityfocus.com/bid/20996 || url,doc.emergingthreats.net/2005767 +1 || 2005768 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk INSERT || cve,CVE-2006-6923 || url,www.securityfocus.com/bid/20996 || url,doc.emergingthreats.net/2005768 +1 || 2005769 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk DELETE || cve,CVE-2006-6923 || url,www.securityfocus.com/bid/20996 || url,doc.emergingthreats.net/2005769 +1 || 2005770 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk ASCII || cve,CVE-2006-6923 || url,www.securityfocus.com/bid/20996 || url,doc.emergingthreats.net/2005770 +1 || 2005771 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bitweaver SQL Injection Attempt -- edition.php tk UPDATE || cve,CVE-2006-6923 || url,www.securityfocus.com/bid/20996 || url,doc.emergingthreats.net/2005771 +1 || 2005772 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang SELECT || cve,CVE-2007-0202 || url,www.milw0rm.com/exploits/3103 || url,doc.emergingthreats.net/2005772 +1 || 2005773 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UNION SELECT || cve,CVE-2007-0202 || url,www.milw0rm.com/exploits/3103 || url,doc.emergingthreats.net/2005773 +1 || 2005774 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang INSERT || cve,CVE-2007-0202 || url,www.milw0rm.com/exploits/3103 || url,doc.emergingthreats.net/2005774 +1 || 2005775 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang DELETE || cve,CVE-2007-0202 || url,www.milw0rm.com/exploits/3103 || url,doc.emergingthreats.net/2005775 +1 || 2005776 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang ASCII || cve,CVE-2007-0202 || url,www.milw0rm.com/exploits/3103 || url,doc.emergingthreats.net/2005776 +1 || 2005777 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS @lex Guestbook SQL Injection Attempt -- index.php lang UPDATE || cve,CVE-2007-0202 || url,www.milw0rm.com/exploits/3103 || url,doc.emergingthreats.net/2005777 +1 || 2005778 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName SELECT || cve,CVE-2007-0196 || url,www.milw0rm.com/exploits/3105 || url,doc.emergingthreats.net/2005778 +1 || 2005779 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UNION SELECT || cve,CVE-2007-0196 || url,www.milw0rm.com/exploits/3105 || url,doc.emergingthreats.net/2005779 +1 || 2005780 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName INSERT || cve,CVE-2007-0196 || url,www.milw0rm.com/exploits/3105 || url,doc.emergingthreats.net/2005780 +1 || 2005781 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName DELETE || cve,CVE-2007-0196 || url,www.milw0rm.com/exploits/3105 || url,doc.emergingthreats.net/2005781 +1 || 2005782 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName ASCII || cve,CVE-2007-0196 || url,www.milw0rm.com/exploits/3105 || url,doc.emergingthreats.net/2005782 +1 || 2005783 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Motionborg Web Real Estate SQL Injection Attempt -- admin_check_user.asp txtUserName UPDATE || cve,CVE-2007-0196 || url,www.milw0rm.com/exploits/3105 || url,doc.emergingthreats.net/2005783 +1 || 2005784 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid SELECT || cve,CVE-2007-0179 || url,www.securityfocus.com/bid/21962 || url,doc.emergingthreats.net/2005784 +1 || 2005785 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UNION SELECT || cve,CVE-2007-0179 || url,www.securityfocus.com/bid/21962 || url,doc.emergingthreats.net/2005785 +1 || 2005786 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid INSERT || cve,CVE-2007-0179 || url,www.securityfocus.com/bid/21962 || url,doc.emergingthreats.net/2005786 +1 || 2005787 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid DELETE || cve,CVE-2007-0179 || url,www.securityfocus.com/bid/21962 || url,doc.emergingthreats.net/2005787 +1 || 2005788 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid ASCII || cve,CVE-2007-0179 || url,www.securityfocus.com/bid/21962 || url,doc.emergingthreats.net/2005788 +1 || 2005789 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPKIT SQL Injection Attempt -- comment.php subid UPDATE || cve,CVE-2007-0179 || url,www.securityfocus.com/bid/21962 || url,doc.emergingthreats.net/2005789 +1 || 2005790 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID SELECT || cve,CVE-2007-0142 || url,www.securityfocus.com/bid/21905 || url,doc.emergingthreats.net/2005790 +1 || 2005791 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UNION SELECT || cve,CVE-2007-0142 || url,www.securityfocus.com/bid/21905 || url,doc.emergingthreats.net/2005791 +1 || 2005792 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID INSERT || cve,CVE-2007-0142 || url,www.securityfocus.com/bid/21905 || url,doc.emergingthreats.net/2005792 +1 || 2005793 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID DELETE || cve,CVE-2007-0142 || url,www.securityfocus.com/bid/21905 || url,doc.emergingthreats.net/2005793 +1 || 2005794 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID ASCII || cve,CVE-2007-0142 || url,www.securityfocus.com/bid/21905 || url,doc.emergingthreats.net/2005794 +1 || 2005795 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ShopStoreNow E-commerce Shopping Cart SQL Injection Attempt -- orange.asp CatID UPDATE || cve,CVE-2007-0142 || url,www.securityfocus.com/bid/21905 || url,doc.emergingthreats.net/2005795 +1 || 2005796 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id SELECT || cve,CVE-2007-0140 || url,www.securityfocus.com/bid/21889 || url,doc.emergingthreats.net/2005796 +1 || 2005797 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UNION SELECT || cve,CVE-2007-0140 || url,www.securityfocus.com/bid/21889 || url,doc.emergingthreats.net/2005797 +1 || 2005798 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id INSERT || cve,CVE-2007-0140 || url,www.securityfocus.com/bid/21889 || url,doc.emergingthreats.net/2005798 +1 || 2005799 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id DELETE || cve,CVE-2007-0140 || url,www.securityfocus.com/bid/21889 || url,doc.emergingthreats.net/2005799 +1 || 2005800 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id ASCII || cve,CVE-2007-0140 || url,www.securityfocus.com/bid/21889 || url,doc.emergingthreats.net/2005800 +1 || 2005801 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kolayindir Download (Yenionline) SQL Injection Attempt -- down.asp id UPDATE || cve,CVE-2007-0140 || url,www.securityfocus.com/bid/21889 || url,doc.emergingthreats.net/2005801 +1 || 2005802 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SQL Injection Attempt -- example.php INSERT || cve,CVE-2007-0375 || url,www.securityfocus.com/archive/1/archive/1/459203/100/0/threaded || url,doc.emergingthreats.net/2005802 +1 || 2005804 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id INSERT || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005804 +1 || 2005806 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id DELETE || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005806 +1 || 2005807 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id SELECT || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005807 +1 || 2005808 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UNION SELECT || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005808 +1 || 2005809 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id ASCII || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005809 +1 || 2005810 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php id UPDATE || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005810 +1 || 2005811 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie SELECT || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005811 +1 || 2005812 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UNION SELECT || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005812 +1 || 2005813 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie INSERT || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005813 +1 || 2005814 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie DELETE || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005814 +1 || 2005815 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie ASCII || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005815 +1 || 2005816 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- display_review.php user_login_cookie UPDATE || cve,CVE-2007-0133 || url,www.frsirt.com/english/advisories/2007/0056 || url,doc.emergingthreats.net/2005816 +1 || 2005817 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id SELECT || cve,CVE-2007-0132 || url,www.milw0rm.com/exploits/3083 || url,doc.emergingthreats.net/2005817 +1 || 2005818 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UNION SELECT || cve,CVE-2007-0132 || url,www.milw0rm.com/exploits/3083 || url,doc.emergingthreats.net/2005818 +1 || 2005819 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id INSERT || cve,CVE-2007-0132 || url,www.milw0rm.com/exploits/3083 || url,doc.emergingthreats.net/2005819 +1 || 2005820 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id DELETE || cve,CVE-2007-0132 || url,www.milw0rm.com/exploits/3083 || url,doc.emergingthreats.net/2005820 +1 || 2005821 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id ASCII || cve,CVE-2007-0132 || url,www.milw0rm.com/exploits/3083 || url,doc.emergingthreats.net/2005821 +1 || 2005822 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Shop SQL Injection Attempt -- compare_product.php id UPDATE || cve,CVE-2007-0132 || url,www.milw0rm.com/exploits/3083 || url,doc.emergingthreats.net/2005822 +1 || 2005823 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id SELECT || cve,CVE-2007-0130 || url,www.milw0rm.com/exploits/3082 || url,doc.emergingthreats.net/2005823 +1 || 2005824 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UNION SELECT || cve,CVE-2007-0130 || url,www.milw0rm.com/exploits/3082 || url,doc.emergingthreats.net/2005824 +1 || 2005825 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id INSERT || cve,CVE-2007-0130 || url,www.milw0rm.com/exploits/3082 || url,doc.emergingthreats.net/2005825 +1 || 2005826 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id DELETE || cve,CVE-2007-0130 || url,www.milw0rm.com/exploits/3082 || url,doc.emergingthreats.net/2005826 +1 || 2005827 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id ASCII || cve,CVE-2007-0130 || url,www.milw0rm.com/exploits/3082 || url,doc.emergingthreats.net/2005827 +1 || 2005828 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt -- user.php id UPDATE || cve,CVE-2007-0130 || url,www.milw0rm.com/exploits/3082 || url,doc.emergingthreats.net/2005828 +1 || 2005829 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID SELECT || cve,CVE-2007-0129 || url,www.exploit-db.com/exploits/3073/ || url,doc.emergingthreats.net/2005829 +1 || 2005830 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UNION SELECT || cve,CVE-2007-0129 || url,www.exploit-db.com/exploits/3073/ || url,doc.emergingthreats.net/2005830 +1 || 2005831 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID INSERT || cve,CVE-2007-0129 || url,www.exploit-db.com/exploits/3073/ || url,doc.emergingthreats.net/2005831 +1 || 2005832 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID DELETE || cve,CVE-2007-0129 || url,www.exploit-db.com/exploits/3073/ || url,doc.emergingthreats.net/2005832 +1 || 2005833 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID ASCII || cve,CVE-2007-0129 || url,www.exploit-db.com/exploits/3073/ || url,doc.emergingthreats.net/2005833 +1 || 2005834 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LocazoList SQL Injection Attempt -- main.asp subcatID UPDATE || cve,CVE-2007-0129 || url,www.exploit-db.com/exploits/3073/ || url,doc.emergingthreats.net/2005834 +1 || 2005835 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id SELECT || cve,CVE-2007-0128 || url,www.milw0rm.com/exploits/3081 || url,doc.emergingthreats.net/2005835 +1 || 2005836 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UNION SELECT || cve,CVE-2007-0128 || url,www.milw0rm.com/exploits/3081 || url,doc.emergingthreats.net/2005836 +1 || 2005837 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id INSERT || cve,CVE-2007-0128 || url,www.milw0rm.com/exploits/3081 || url,doc.emergingthreats.net/2005837 +1 || 2005838 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id DELETE || cve,CVE-2007-0128 || url,www.milw0rm.com/exploits/3081 || url,doc.emergingthreats.net/2005838 +1 || 2005839 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id ASCII || cve,CVE-2007-0128 || url,www.milw0rm.com/exploits/3081 || url,doc.emergingthreats.net/2005839 +1 || 2005840 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digirez SQL Injection Attempt -- info_book.asp book_id UPDATE || cve,CVE-2007-0128 || url,www.milw0rm.com/exploits/3081 || url,doc.emergingthreats.net/2005840 +1 || 2005841 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat SELECT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005841 +1 || 2005842 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UNION SELECT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005842 +1 || 2005843 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat INSERT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005843 +1 || 2005844 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat DELETE || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005844 +1 || 2005845 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat ASCII || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005845 +1 || 2005846 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- albmgr.php cat UPDATE || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005846 +1 || 2005847 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid SELECT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005847 +1 || 2005848 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UNION SELECT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005848 +1 || 2005849 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid INSERT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005849 +1 || 2005850 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid DELETE || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005850 +1 || 2005851 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid ASCII || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005851 +1 || 2005852 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- usermgr.php gid UPDATE || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005852 +1 || 2005853 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start SELECT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005853 +1 || 2005854 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UNION SELECT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005854 +1 || 2005855 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start INSERT || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005855 +1 || 2005856 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start DELETE || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005856 +1 || 2005857 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start ASCII || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005857 +1 || 2005858 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery SQL Injection Attempt -- db_ecard.php start UPDATE || cve,CVE-2007-0122 || url,www.securityfocus.com/bid/21894 || url,doc.emergingthreats.net/2005858 +1 || 2005859 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid SELECT || cve,CVE-2007-0112 || url,www.securityfocus.com/bid/21929 || url,doc.emergingthreats.net/2005859 +1 || 2005860 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UNION SELECT || cve,CVE-2007-0112 || url,www.securityfocus.com/bid/21929 || url,doc.emergingthreats.net/2005860 +1 || 2005861 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid INSERT || cve,CVE-2007-0112 || url,www.securityfocus.com/bid/21929 || url,doc.emergingthreats.net/2005861 +1 || 2005862 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid DELETE || cve,CVE-2007-0112 || url,www.securityfocus.com/bid/21929 || url,doc.emergingthreats.net/2005862 +1 || 2005863 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid ASCII || cve,CVE-2007-0112 || url,www.securityfocus.com/bid/21929 || url,doc.emergingthreats.net/2005863 +1 || 2005864 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CreateAuction SQL Injection Attempt -- cats.asp catid UPDATE || cve,CVE-2007-0112 || url,www.securityfocus.com/bid/21929 || url,doc.emergingthreats.net/2005864 +1 || 2005865 || 6 || web-application-attack || 0 || ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php SELECT || cve,CVE-2007-0107 || url,www.securityfocus.com/bid/21907 || url,doc.emergingthreats.net/2005865 +1 || 2005866 || 6 || web-application-attack || 0 || ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT || cve,CVE-2007-0107 || url,www.securityfocus.com/bid/21907 || url,doc.emergingthreats.net/2005866 +1 || 2005867 || 6 || web-application-attack || 0 || ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php INSERT || cve,CVE-2007-0107 || url,www.securityfocus.com/bid/21907 || url,doc.emergingthreats.net/2005867 +1 || 2005868 || 6 || web-application-attack || 0 || ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php DELETE || cve,CVE-2007-0107 || url,www.securityfocus.com/bid/21907 || url,doc.emergingthreats.net/2005868 +1 || 2005869 || 6 || web-application-attack || 0 || ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php ASCII || cve,CVE-2007-0107 || url,www.securityfocus.com/bid/21907 || url,doc.emergingthreats.net/2005869 +1 || 2005870 || 6 || web-application-attack || 0 || ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UPDATE || cve,CVE-2007-0107 || url,www.securityfocus.com/bid/21907 || url,doc.emergingthreats.net/2005870 +1 || 2005871 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id SELECT || cve,CVE-2007-0093 || url,www.milw0rm.com/exploits/3076 || url,doc.emergingthreats.net/2005871 +1 || 2005872 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UNION SELECT || cve,CVE-2007-0093 || url,www.milw0rm.com/exploits/3076 || url,doc.emergingthreats.net/2005872 +1 || 2005873 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id INSERT || cve,CVE-2007-0093 || url,www.milw0rm.com/exploits/3076 || url,doc.emergingthreats.net/2005873 +1 || 2005874 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id DELETE || cve,CVE-2007-0093 || url,www.milw0rm.com/exploits/3076 || url,doc.emergingthreats.net/2005874 +1 || 2005875 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id ASCII || cve,CVE-2007-0093 || url,www.milw0rm.com/exploits/3076 || url,doc.emergingthreats.net/2005875 +1 || 2005876 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Web Content Management System SQL Injection Attempt -- page.php id UPDATE || cve,CVE-2007-0093 || url,www.milw0rm.com/exploits/3076 || url,doc.emergingthreats.net/2005876 +1 || 2005877 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id SELECT || cve,CVE-2007-0092 || url,www.milw0rm.com/exploits/3074 || url,doc.emergingthreats.net/2005877 +1 || 2005878 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UNION SELECT || cve,CVE-2007-0092 || url,www.milw0rm.com/exploits/3074 || url,doc.emergingthreats.net/2005878 +1 || 2005879 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id INSERT || cve,CVE-2007-0092 || url,www.milw0rm.com/exploits/3074 || url,doc.emergingthreats.net/2005879 +1 || 2005880 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id DELETE || cve,CVE-2007-0092 || url,www.milw0rm.com/exploits/3074 || url,doc.emergingthreats.net/2005880 +1 || 2005881 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id ASCII || cve,CVE-2007-0092 || url,www.milw0rm.com/exploits/3074 || url,doc.emergingthreats.net/2005881 +1 || 2005882 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-SMARTCART SQL Injection Attempt -- productdetail.asp product_id UPDATE || cve,CVE-2007-0092 || url,www.milw0rm.com/exploits/3074 || url,doc.emergingthreats.net/2005882 +1 || 2005883 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro SELECT || cve,CVE-2007-0053 || url,www.milw0rm.com/exploits/3062 || url,doc.emergingthreats.net/2005883 +1 || 2005884 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UNION SELECT || cve,CVE-2007-0053 || url,www.milw0rm.com/exploits/3062 || url,doc.emergingthreats.net/2005884 +1 || 2005885 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro INSERT || cve,CVE-2007-0053 || url,www.milw0rm.com/exploits/3062 || url,doc.emergingthreats.net/2005885 +1 || 2005886 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro DELETE || cve,CVE-2007-0053 || url,www.milw0rm.com/exploits/3062 || url,doc.emergingthreats.net/2005886 +1 || 2005887 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro ASCII || cve,CVE-2007-0053 || url,www.milw0rm.com/exploits/3062 || url,doc.emergingthreats.net/2005887 +1 || 2005888 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP SiteWare autoDealer SQL Injection Attempt -- detail.asp iPro UPDATE || cve,CVE-2007-0053 || url,www.milw0rm.com/exploits/3062 || url,doc.emergingthreats.net/2005888 +1 || 2005889 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id SELECT || cve,CVE-2007-0052 || url,www.milw0rm.com/exploits/3061 || url,doc.emergingthreats.net/2005889 +1 || 2005890 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UNION SELECT || cve,CVE-2007-0052 || url,www.milw0rm.com/exploits/3061 || url,doc.emergingthreats.net/2005890 +1 || 2005891 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id INSERT || cve,CVE-2007-0052 || url,www.milw0rm.com/exploits/3061 || url,doc.emergingthreats.net/2005891 +1 || 2005892 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id DELETE || cve,CVE-2007-0052 || url,www.milw0rm.com/exploits/3061 || url,doc.emergingthreats.net/2005892 +1 || 2005893 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id ASCII || cve,CVE-2007-0052 || url,www.milw0rm.com/exploits/3061 || url,doc.emergingthreats.net/2005893 +1 || 2005894 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vizayn Haber SQL Injection Attempt -- haberdetay.asp id UPDATE || cve,CVE-2007-0052 || url,www.milw0rm.com/exploits/3061 || url,doc.emergingthreats.net/2005894 +1 || 2005895 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum SELECT || cve,CVE-2006-6911 || url,www.milw0rm.com/exploits/3089 || url,doc.emergingthreats.net/2005895 +1 || 2005896 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UNION SELECT || cve,CVE-2006-6911 || url,www.milw0rm.com/exploits/3089 || url,doc.emergingthreats.net/2005896 +1 || 2005897 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum INSERT || cve,CVE-2006-6911 || url,www.milw0rm.com/exploits/3089 || url,doc.emergingthreats.net/2005897 +1 || 2005898 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum DELETE || cve,CVE-2006-6911 || url,www.milw0rm.com/exploits/3089 || url,doc.emergingthreats.net/2005898 +1 || 2005899 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum ASCII || cve,CVE-2006-6911 || url,www.milw0rm.com/exploits/3089 || url,doc.emergingthreats.net/2005899 +1 || 2005900 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Digitizing Quote And Ordering System SQL Injection Attempt -- search.asp ordernum UPDATE || cve,CVE-2006-6911 || url,www.milw0rm.com/exploits/3089 || url,doc.emergingthreats.net/2005900 +1 || 2005901 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage SELECT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005901 +1 || 2005902 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UNION SELECT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005902 +1 || 2005903 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage INSERT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005903 +1 || 2005904 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage DELETE || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005904 +1 || 2005905 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage ASCII || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005905 +1 || 2005906 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newmessage UPDATE || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005906 +1 || 2005907 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname SELECT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005907 +1 || 2005908 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UNION SELECT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005908 +1 || 2005909 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname INSERT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005909 +1 || 2005910 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname DELETE || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005910 +1 || 2005911 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname ASCII || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005911 +1 || 2005912 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newname UPDATE || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005912 +1 || 2005913 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite SELECT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005913 +1 || 2005914 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UNION SELECT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005914 +1 || 2005915 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite INSERT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005915 +1 || 2005916 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite DELETE || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005916 +1 || 2005917 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite ASCII || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005917 +1 || 2005918 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newwebsite UPDATE || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005918 +1 || 2005919 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail SELECT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005919 +1 || 2005920 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UNION SELECT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005920 +1 || 2005921 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail INSERT || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005921 +1 || 2005922 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail DELETE || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005922 +1 || 2005923 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail ASCII || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005923 +1 || 2005924 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Update SQL Injection Attempt -- guestadd.php newemail UPDATE || cve,CVE-2006-6880 || url,www.milw0rm.com/exploits/3017 || url,doc.emergingthreats.net/2005924 +1 || 2005925 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did SELECT || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005925 +1 || 2005926 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UNION SELECT || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005926 +1 || 2005927 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did INSERT || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005927 +1 || 2005928 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did DELETE || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005928 +1 || 2005929 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did ASCII || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005929 +1 || 2005930 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php did UPDATE || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005930 +1 || 2005931 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid SELECT || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005931 +1 || 2005932 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UNION SELECT || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005932 +1 || 2005933 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid INSERT || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005933 +1 || 2005934 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid DELETE || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005934 +1 || 2005935 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid ASCII || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005935 +1 || 2005936 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia SQL Injection Attempt -- mod.php cid UPDATE || cve,CVE-2006-6873 || url,www.milw0rm.com/exploits/3004 || url,doc.emergingthreats.net/2005936 +1 || 2005937 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate SELECT || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005937 +1 || 2005938 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UNION SELECT || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005938 +1 || 2005939 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate INSERT || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005939 +1 || 2005940 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate DELETE || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005940 +1 || 2005941 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate ASCII || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005941 +1 || 2005942 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- register.asp UserUpdate UPDATE || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005942 +1 || 2005943 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp SELECT || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005943 +1 || 2005944 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UNION SELECT || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005944 +1 || 2005945 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp INSERT || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005945 +1 || 2005946 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp DELETE || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005946 +1 || 2005947 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp ASCII || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005947 +1 || 2005948 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Outfront Spooky Login SQL Injection Attempt -- a_register.asp UPDATE || cve,CVE-2006-6861 || url,www.securityfocus.com/bid/21822 || url,doc.emergingthreats.net/2005948 +1 || 2005949 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key SELECT || cve,CVE-2006-6859 || url,www.securityfocus.com/bid/21824 || url,doc.emergingthreats.net/2005949 +1 || 2005950 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UNION SELECT || cve,CVE-2006-6859 || url,www.securityfocus.com/bid/21824 || url,doc.emergingthreats.net/2005950 +1 || 2005951 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key INSERT || cve,CVE-2006-6859 || url,www.securityfocus.com/bid/21824 || url,doc.emergingthreats.net/2005951 +1 || 2005952 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key DELETE || cve,CVE-2006-6859 || url,www.securityfocus.com/bid/21824 || url,doc.emergingthreats.net/2005952 +1 || 2005953 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key ASCII || cve,CVE-2006-6859 || url,www.securityfocus.com/bid/21824 || url,doc.emergingthreats.net/2005953 +1 || 2005954 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Website Designs For Less Click N Print Coupons SQL Injection Attempt -- coupon_detail.asp key UPDATE || cve,CVE-2006-6859 || url,www.securityfocus.com/bid/21824 || url,doc.emergingthreats.net/2005954 +1 || 2005955 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num SELECT || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005955 +1 || 2005956 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UNION SELECT || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005956 +1 || 2005957 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num INSERT || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005957 +1 || 2005958 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num DELETE || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005958 +1 || 2005959 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num ASCII || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005959 +1 || 2005960 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- phonemessage.asp num UPDATE || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005960 +1 || 2005961 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode SELECT || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005961 +1 || 2005962 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005962 +1 || 2005963 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode INSERT || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005963 +1 || 2005964 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode DELETE || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005964 +1 || 2005965 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode ASCII || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005965 +1 || 2005966 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS While You Were Out (WYWO) InOut Board SQL Injection Attempt -- faqDsp.asp catcode UPDATE || cve,CVE-2006-6846 || url,www.milw0rm.com/exploits/3032 || url,doc.emergingthreats.net/2005966 +1 || 2005967 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id SELECT || cve,CVE-2006-6842 || url,www.milw0rm.com/exploits/3033 || url,doc.emergingthreats.net/2005967 +1 || 2005968 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UNION SELECT || cve,CVE-2006-6842 || url,www.milw0rm.com/exploits/3033 || url,doc.emergingthreats.net/2005968 +1 || 2005969 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id INSERT || cve,CVE-2006-6842 || url,www.milw0rm.com/exploits/3033 || url,doc.emergingthreats.net/2005969 +1 || 2005970 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id DELETE || cve,CVE-2006-6842 || url,www.milw0rm.com/exploits/3033 || url,doc.emergingthreats.net/2005970 +1 || 2005971 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id ASCII || cve,CVE-2006-6842 || url,www.milw0rm.com/exploits/3033 || url,doc.emergingthreats.net/2005971 +1 || 2005972 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB2 Plus SQL Injection Attempt -- admin_acronyms.php id UPDATE || cve,CVE-2006-6842 || url,www.milw0rm.com/exploits/3033 || url,doc.emergingthreats.net/2005972 +1 || 2005973 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w SELECT || cve,CVE-2006-6835 || url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded || url,doc.emergingthreats.net/2005973 +1 || 2005974 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UNION SELECT || cve,CVE-2006-6835 || url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded || url,doc.emergingthreats.net/2005974 +1 || 2005975 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w INSERT || cve,CVE-2006-6835 || url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded || url,doc.emergingthreats.net/2005975 +1 || 2005976 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w DELETE || cve,CVE-2006-6835 || url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded || url,doc.emergingthreats.net/2005976 +1 || 2005977 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w ASCII || cve,CVE-2006-6835 || url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded || url,doc.emergingthreats.net/2005977 +1 || 2005978 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- journal.php w UPDATE || cve,CVE-2006-6835 || url,www.securityfocus.com/archive/1/archive/1/455495/100/0/threaded || url,doc.emergingthreats.net/2005978 +1 || 2005979 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode SELECT || cve,CVE-2006-6831 || url,www.milw0rm.com/exploits/3031 || url,doc.emergingthreats.net/2005979 +1 || 2005980 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UNION SELECT || cve,CVE-2006-6831 || url,www.milw0rm.com/exploits/3031 || url,doc.emergingthreats.net/2005980 +1 || 2005981 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode INSERT || cve,CVE-2006-6831 || url,www.milw0rm.com/exploits/3031 || url,doc.emergingthreats.net/2005981 +1 || 2005982 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode DELETE || cve,CVE-2006-6831 || url,www.milw0rm.com/exploits/3031 || url,doc.emergingthreats.net/2005982 +1 || 2005983 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode ASCII || cve,CVE-2006-6831 || url,www.milw0rm.com/exploits/3031 || url,doc.emergingthreats.net/2005983 +1 || 2005984 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt -- faqDsp.asp catcode UPDATE || cve,CVE-2006-6831 || url,www.milw0rm.com/exploits/3031 || url,doc.emergingthreats.net/2005984 +1 || 2005985 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup SELECT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005985 +1 || 2005986 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UNION SELECT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005986 +1 || 2005987 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup INSERT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005987 +1 || 2005988 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup DELETE || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005988 +1 || 2005989 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup ASCII || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005989 +1 || 2005990 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp grup UPDATE || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005990 +1 || 2005991 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id SELECT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005991 +1 || 2005992 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UNION SELECT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005992 +1 || 2005993 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id INSERT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005993 +1 || 2005994 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id DELETE || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005994 +1 || 2005995 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id ASCII || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005995 +1 || 2005996 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp id UPDATE || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005996 +1 || 2005997 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id SELECT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005997 +1 || 2005998 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UNION SELECT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005998 +1 || 2005999 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id INSERT || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2005999 +1 || 2006000 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id DELETE || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2006000 +1 || 2006001 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id ASCII || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2006001 +1 || 2006002 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- admin.asp id UPDATE || cve,CVE-2006-6828 || url,www.frsirt.com/english/advisories/2006/5150 || url,doc.emergingthreats.net/2006002 +1 || 2006003 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006003 +1 || 2006004 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006004 +1 || 2006005 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006005 +1 || 2006006 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006006 +1 || 2006007 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006007 +1 || 2006008 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php lastname UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006008 +1 || 2006009 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006009 +1 || 2006010 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006010 +1 || 2006011 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006011 +1 || 2006012 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006012 +1 || 2006013 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006013 +1 || 2006014 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php firstname UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006014 +1 || 2006015 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006015 +1 || 2006016 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006016 +1 || 2006017 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006017 +1 || 2006018 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006018 +1 || 2006019 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006019 +1 || 2006020 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordOld UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006020 +1 || 2006021 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006021 +1 || 2006022 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006022 +1 || 2006023 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006023 +1 || 2006024 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006024 +1 || 2006025 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006025 +1 || 2006026 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php passwordNew UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006026 +1 || 2006027 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006027 +1 || 2006028 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006028 +1 || 2006029 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006029 +1 || 2006030 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006030 +1 || 2006031 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006031 +1 || 2006032 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php id UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006032 +1 || 2006033 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006033 +1 || 2006034 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006034 +1 || 2006035 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006035 +1 || 2006036 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006036 +1 || 2006037 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006037 +1 || 2006038 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php language UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006038 +1 || 2006039 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006039 +1 || 2006040 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006040 +1 || 2006041 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006041 +1 || 2006042 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006042 +1 || 2006043 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006043 +1 || 2006044 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php defaultLetter UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006044 +1 || 2006045 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006045 +1 || 2006046 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006046 +1 || 2006047 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006047 +1 || 2006048 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006048 +1 || 2006049 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006049 +1 || 2006050 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserPass UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006050 +1 || 2006051 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006051 +1 || 2006052 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006052 +1 || 2006053 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006053 +1 || 2006054 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006054 +1 || 2006055 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006055 +1 || 2006056 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserType UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006056 +1 || 2006057 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006057 +1 || 2006058 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006058 +1 || 2006059 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006059 +1 || 2006060 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006060 +1 || 2006061 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006061 +1 || 2006062 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- user.php newuserEmail UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006062 +1 || 2006063 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006063 +1 || 2006064 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006064 +1 || 2006065 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006065 +1 || 2006066 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006066 +1 || 2006067 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006067 +1 || 2006068 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php goTo UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006068 +1 || 2006069 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006069 +1 || 2006070 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006070 +1 || 2006071 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006071 +1 || 2006072 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006072 +1 || 2006073 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006073 +1 || 2006074 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- search.php search UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006074 +1 || 2006075 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006075 +1 || 2006076 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UNION SELECT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006076 +1 || 2006077 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName INSERT || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006077 +1 || 2006078 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName DELETE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006078 +1 || 2006079 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName ASCII || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006079 +1 || 2006080 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Address Book SQL Injection Attempt -- save.php groupAddName UPDATE || cve,CVE-2006-4575 || url,www.securityfocus.com/bid/21870 || url,doc.emergingthreats.net/2006080 +1 || 2006081 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006081 +1 || 2006082 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UNION SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006082 +1 || 2006083 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp INSERT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006083 +1 || 2006084 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp DELETE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006084 +1 || 2006085 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp ASCII || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006085 +1 || 2006086 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- set_preferences.asp UPDATE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006086 +1 || 2006087 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006087 +1 || 2006088 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UNION SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006088 +1 || 2006089 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp INSERT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006089 +1 || 2006090 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp DELETE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006090 +1 || 2006091 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp ASCII || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006091 +1 || 2006092 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- send_password_preferences.asp UPDATE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006092 +1 || 2006093 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006093 +1 || 2006094 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UNION SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006094 +1 || 2006095 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp INSERT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006095 +1 || 2006096 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp DELETE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006096 +1 || 2006097 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp ASCII || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006097 +1 || 2006098 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- list.asp UPDATE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006098 +1 || 2006099 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006099 +1 || 2006100 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UNION SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006100 +1 || 2006101 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent INSERT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006101 +1 || 2006102 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent DELETE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006102 +1 || 2006103 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent ASCII || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006103 +1 || 2006104 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- login.asp sent UPDATE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006104 +1 || 2006105 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006105 +1 || 2006106 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UNION SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006106 +1 || 2006107 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent INSERT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006107 +1 || 2006108 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent DELETE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006108 +1 || 2006109 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent ASCII || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006109 +1 || 2006110 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- content.asp sent UPDATE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006110 +1 || 2006111 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006111 +1 || 2006112 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UNION SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006112 +1 || 2006113 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent INSERT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006113 +1 || 2006114 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent DELETE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006114 +1 || 2006115 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent ASCII || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006115 +1 || 2006116 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- members.asp sent UPDATE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006116 +1 || 2006117 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006117 +1 || 2006118 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UNION SELECT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006118 +1 || 2006119 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent INSERT || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006119 +1 || 2006120 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent DELETE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006120 +1 || 2006121 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent ASCII || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006121 +1 || 2006122 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Secure Login Manager SQL Injection Attempt -- inc_secureloginmanager.asp sent UPDATE || cve,CVE-2006-6816 || url,www.securityfocus.com/bid/21788 || url,doc.emergingthreats.net/2006122 +1 || 2006123 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID SELECT || cve,CVE-2006-6813 || url,www.milw0rm.com/exploits/2997 || url,doc.emergingthreats.net/2006123 +1 || 2006124 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UNION SELECT || cve,CVE-2006-6813 || url,www.milw0rm.com/exploits/2997 || url,doc.emergingthreats.net/2006124 +1 || 2006125 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID INSERT || cve,CVE-2006-6813 || url,www.milw0rm.com/exploits/2997 || url,doc.emergingthreats.net/2006125 +1 || 2006126 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID DELETE || cve,CVE-2006-6813 || url,www.milw0rm.com/exploits/2997 || url,doc.emergingthreats.net/2006126 +1 || 2006127 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID ASCII || cve,CVE-2006-6813 || url,www.milw0rm.com/exploits/2997 || url,doc.emergingthreats.net/2006127 +1 || 2006128 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mxmania File Upload Manager (FUM) SQL Injection Attempt -- detail.asp ID UPDATE || cve,CVE-2006-6813 || url,www.milw0rm.com/exploits/2997 || url,doc.emergingthreats.net/2006128 +1 || 2006129 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent SELECT || cve,CVE-2006-6807 || url,www.milw0rm.com/exploits/3001 || url,doc.emergingthreats.net/2006129 +1 || 2006130 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UNION SELECT || cve,CVE-2006-6807 || url,www.milw0rm.com/exploits/3001 || url,doc.emergingthreats.net/2006130 +1 || 2006131 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent INSERT || cve,CVE-2006-6807 || url,www.milw0rm.com/exploits/3001 || url,doc.emergingthreats.net/2006131 +1 || 2006132 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent DELETE || cve,CVE-2006-6807 || url,www.milw0rm.com/exploits/3001 || url,doc.emergingthreats.net/2006132 +1 || 2006133 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent ASCII || cve,CVE-2006-6807 || url,www.milw0rm.com/exploits/3001 || url,doc.emergingthreats.net/2006133 +1 || 2006134 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softwebs Nepal Ananda Real Estate SQL Injection Attempt -- list.asp agent UPDATE || cve,CVE-2006-6807 || url,www.milw0rm.com/exploits/3001 || url,doc.emergingthreats.net/2006134 +1 || 2006135 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID SELECT || cve,CVE-2006-6806 || url,www.milw0rm.com/exploits/2990 || url,doc.emergingthreats.net/2006135 +1 || 2006136 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UNION SELECT || cve,CVE-2006-6806 || url,www.milw0rm.com/exploits/2990 || url,doc.emergingthreats.net/2006136 +1 || 2006137 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID INSERT || cve,CVE-2006-6806 || url,www.milw0rm.com/exploits/2990 || url,doc.emergingthreats.net/2006137 +1 || 2006138 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID DELETE || cve,CVE-2006-6806 || url,www.milw0rm.com/exploits/2990 || url,doc.emergingthreats.net/2006138 +1 || 2006139 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID ASCII || cve,CVE-2006-6806 || url,www.milw0rm.com/exploits/2990 || url,doc.emergingthreats.net/2006139 +1 || 2006140 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eMates SQL Injection Attempt -- newsdetail.asp ID UPDATE || cve,CVE-2006-6806 || url,www.milw0rm.com/exploits/2990 || url,doc.emergingthreats.net/2006140 +1 || 2006141 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID SELECT || cve,CVE-2006-6804 || url,www.milw0rm.com/exploits/2992 || url,doc.emergingthreats.net/2006141 +1 || 2006142 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UNION SELECT || cve,CVE-2006-6804 || url,www.milw0rm.com/exploits/2992 || url,doc.emergingthreats.net/2006142 +1 || 2006143 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID INSERT || cve,CVE-2006-6804 || url,www.milw0rm.com/exploits/2992 || url,doc.emergingthreats.net/2006143 +1 || 2006144 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID DELETE || cve,CVE-2006-6804 || url,www.milw0rm.com/exploits/2992 || url,doc.emergingthreats.net/2006144 +1 || 2006145 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID ASCII || cve,CVE-2006-6804 || url,www.milw0rm.com/exploits/2992 || url,doc.emergingthreats.net/2006145 +1 || 2006146 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dragon Business Directory SQL Injection Attempt -- bus_details.asp ID UPDATE || cve,CVE-2006-6804 || url,www.milw0rm.com/exploits/2992 || url,doc.emergingthreats.net/2006146 +1 || 2006147 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id SELECT || cve,CVE-2006-6803 || url,www.milw0rm.com/exploits/2989 || url,doc.emergingthreats.net/2006147 +1 || 2006148 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UNION SELECT || cve,CVE-2006-6803 || url,www.milw0rm.com/exploits/2989 || url,doc.emergingthreats.net/2006148 +1 || 2006149 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id INSERT || cve,CVE-2006-6803 || url,www.milw0rm.com/exploits/2989 || url,doc.emergingthreats.net/2006149 +1 || 2006150 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id DELETE || cve,CVE-2006-6803 || url,www.milw0rm.com/exploits/2989 || url,doc.emergingthreats.net/2006150 +1 || 2006151 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id ASCII || cve,CVE-2006-6803 || url,www.milw0rm.com/exploits/2989 || url,doc.emergingthreats.net/2006151 +1 || 2006152 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eCars SQL Injection Attempt -- Types.asp Type_id UPDATE || cve,CVE-2006-6803 || url,www.milw0rm.com/exploits/2989 || url,doc.emergingthreats.net/2006152 +1 || 2006153 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID SELECT || cve,CVE-2006-6802 || url,www.milw0rm.com/exploits/2991 || url,doc.emergingthreats.net/2006153 +1 || 2006154 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UNION SELECT || cve,CVE-2006-6802 || url,www.milw0rm.com/exploits/2991 || url,doc.emergingthreats.net/2006154 +1 || 2006155 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID INSERT || cve,CVE-2006-6802 || url,www.milw0rm.com/exploits/2991 || url,doc.emergingthreats.net/2006155 +1 || 2006156 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID DELETE || cve,CVE-2006-6802 || url,www.milw0rm.com/exploits/2991 || url,doc.emergingthreats.net/2006156 +1 || 2006157 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID ASCII || cve,CVE-2006-6802 || url,www.milw0rm.com/exploits/2991 || url,doc.emergingthreats.net/2006157 +1 || 2006158 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb ePages SQL Injection Attempt -- actualpic.asp Biz_ID UPDATE || cve,CVE-2006-6802 || url,www.milw0rm.com/exploits/2991 || url,doc.emergingthreats.net/2006158 +1 || 2006159 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup SELECT || cve,CVE-2006-6794 || url,www.securityfocus.com/bid/21726 || url,doc.emergingthreats.net/2006159 +1 || 2006160 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UNION SELECT || cve,CVE-2006-6794 || url,www.securityfocus.com/bid/21726 || url,doc.emergingthreats.net/2006160 +1 || 2006161 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup INSERT || cve,CVE-2006-6794 || url,www.securityfocus.com/bid/21726 || url,doc.emergingthreats.net/2006161 +1 || 2006162 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup DELETE || cve,CVE-2006-6794 || url,www.securityfocus.com/bid/21726 || url,doc.emergingthreats.net/2006162 +1 || 2006163 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup ASCII || cve,CVE-2006-6794 || url,www.securityfocus.com/bid/21726 || url,doc.emergingthreats.net/2006163 +1 || 2006164 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Efkan Forum SQL Injection Attempt -- default.asp grup UPDATE || cve,CVE-2006-6794 || url,www.securityfocus.com/bid/21726 || url,doc.emergingthreats.net/2006164 +1 || 2006165 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID SELECT || cve,CVE-2006-6792 || url,www.milw0rm.com/exploits/2993 || url,doc.emergingthreats.net/2006165 +1 || 2006166 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UNION SELECT || cve,CVE-2006-6792 || url,www.milw0rm.com/exploits/2993 || url,doc.emergingthreats.net/2006166 +1 || 2006167 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID INSERT || cve,CVE-2006-6792 || url,www.milw0rm.com/exploits/2993 || url,doc.emergingthreats.net/2006167 +1 || 2006168 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID DELETE || cve,CVE-2006-6792 || url,www.milw0rm.com/exploits/2993 || url,doc.emergingthreats.net/2006168 +1 || 2006169 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID ASCII || cve,CVE-2006-6792 || url,www.milw0rm.com/exploits/2993 || url,doc.emergingthreats.net/2006169 +1 || 2006170 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Calendar MX BASIC SQL Injection Attempt -- calendar_detail.asp ID UPDATE || cve,CVE-2006-6792 || url,www.milw0rm.com/exploits/2993 || url,doc.emergingthreats.net/2006170 +1 || 2006171 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse SELECT || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006171 +1 || 2006172 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UNION SELECT || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006172 +1 || 2006173 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse INSERT || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006173 +1 || 2006174 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse DELETE || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006174 +1 || 2006175 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse ASCII || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006175 +1 || 2006176 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtUse UPDATE || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006176 +1 || 2006177 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas SELECT || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006177 +1 || 2006178 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UNION SELECT || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006178 +1 || 2006179 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas INSERT || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006179 +1 || 2006180 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas DELETE || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006180 +1 || 2006181 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas ASCII || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006181 +1 || 2006182 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS chatwm SQL Injection Attempt -- SelGruFra.asp txtPas UPDATE || cve,CVE-2006-6791 || url,www.securityfocus.com/bid/21732 || url,doc.emergingthreats.net/2006182 +1 || 2006183 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID SELECT || cve,CVE-2006-6787 || url,www.milw0rm.com/exploits/2998 || url,doc.emergingthreats.net/2006183 +1 || 2006184 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UNION SELECT || cve,CVE-2006-6787 || url,www.milw0rm.com/exploits/2998 || url,doc.emergingthreats.net/2006184 +1 || 2006185 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID INSERT || cve,CVE-2006-6787 || url,www.milw0rm.com/exploits/2998 || url,doc.emergingthreats.net/2006185 +1 || 2006186 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID DELETE || cve,CVE-2006-6787 || url,www.milw0rm.com/exploits/2998 || url,doc.emergingthreats.net/2006186 +1 || 2006187 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID ASCII || cve,CVE-2006-6787 || url,www.milw0rm.com/exploits/2998 || url,doc.emergingthreats.net/2006187 +1 || 2006188 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Newsletter MX SQL Injection Attempt -- admin_mail_adressee.asp ID UPDATE || cve,CVE-2006-6787 || url,www.milw0rm.com/exploits/2998 || url,doc.emergingthreats.net/2006188 +1 || 2006189 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId SELECT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006189 +1 || 2006190 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UNION SELECT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006190 +1 || 2006191 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId INSERT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006191 +1 || 2006192 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId DELETE || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006192 +1 || 2006193 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId ASCII || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006193 +1 || 2006194 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm newsId UPDATE || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006194 +1 || 2006195 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid SELECT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006195 +1 || 2006196 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UNION SELECT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006196 +1 || 2006197 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid INSERT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006197 +1 || 2006198 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid DELETE || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006198 +1 || 2006199 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid ASCII || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006199 +1 || 2006200 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm categoryid UPDATE || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006200 +1 || 2006201 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId SELECT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006201 +1 || 2006202 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UNION SELECT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006202 +1 || 2006203 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId INSERT || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006203 +1 || 2006204 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId DELETE || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006204 +1 || 2006205 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId ASCII || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006205 +1 || 2006206 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Future Internet SQL Injection Attempt -- index.cfm langId UPDATE || cve,CVE-2006-6776 || url,www.securityfocus.com/bid/21727 || url,doc.emergingthreats.net/2006206 +1 || 2006207 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id SELECT || cve,CVE-2006-6754 || url,www.securityfocus.com/bid/21710 || url,doc.emergingthreats.net/2006207 +1 || 2006208 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UNION SELECT || cve,CVE-2006-6754 || url,www.securityfocus.com/bid/21710 || url,doc.emergingthreats.net/2006208 +1 || 2006209 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id INSERT || cve,CVE-2006-6754 || url,www.securityfocus.com/bid/21710 || url,doc.emergingthreats.net/2006209 +1 || 2006210 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id DELETE || cve,CVE-2006-6754 || url,www.securityfocus.com/bid/21710 || url,doc.emergingthreats.net/2006210 +1 || 2006211 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id ASCII || cve,CVE-2006-6754 || url,www.securityfocus.com/bid/21710 || url,doc.emergingthreats.net/2006211 +1 || 2006212 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ixprim SQL Injection Attempt -- ixm_ixpnews.php story_id UPDATE || cve,CVE-2006-6754 || url,www.securityfocus.com/bid/21710 || url,doc.emergingthreats.net/2006212 +1 || 2006213 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news SELECT || cve,CVE-2006-6747 || url,www.securityfocus.com/bid/21719 || url,doc.emergingthreats.net/2006213 +1 || 2006214 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UNION SELECT || cve,CVE-2006-6747 || url,www.securityfocus.com/bid/21719 || url,doc.emergingthreats.net/2006214 +1 || 2006215 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news INSERT || cve,CVE-2006-6747 || url,www.securityfocus.com/bid/21719 || url,doc.emergingthreats.net/2006215 +1 || 2006216 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news DELETE || cve,CVE-2006-6747 || url,www.securityfocus.com/bid/21719 || url,doc.emergingthreats.net/2006216 +1 || 2006217 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news ASCII || cve,CVE-2006-6747 || url,www.securityfocus.com/bid/21719 || url,doc.emergingthreats.net/2006217 +1 || 2006218 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xt-News SQL Injection Attempt -- show_news.php id_news UPDATE || cve,CVE-2006-6747 || url,www.securityfocus.com/bid/21719 || url,doc.emergingthreats.net/2006218 +1 || 2006219 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user SELECT || cve,CVE-2006-6716 || url,www.milw0rm.com/exploits/2945 || url,doc.emergingthreats.net/2006219 +1 || 2006220 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UNION SELECT || cve,CVE-2006-6716 || url,www.milw0rm.com/exploits/2945 || url,doc.emergingthreats.net/2006220 +1 || 2006221 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user INSERT || cve,CVE-2006-6716 || url,www.milw0rm.com/exploits/2945 || url,doc.emergingthreats.net/2006221 +1 || 2006222 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user DELETE || cve,CVE-2006-6716 || url,www.milw0rm.com/exploits/2945 || url,doc.emergingthreats.net/2006222 +1 || 2006223 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user ASCII || cve,CVE-2006-6716 || url,www.milw0rm.com/exploits/2945 || url,doc.emergingthreats.net/2006223 +1 || 2006224 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eric GUILLAUME uploader&downloader SQL Injection Attempt -- administre2.php id_user UPDATE || cve,CVE-2006-6716 || url,www.milw0rm.com/exploits/2945 || url,doc.emergingthreats.net/2006224 +1 || 2006225 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p SELECT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006225 +1 || 2006226 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UNION SELECT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006226 +1 || 2006227 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p INSERT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006227 +1 || 2006228 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p DELETE || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006228 +1 || 2006229 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p ASCII || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006229 +1 || 2006230 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- detail.asp p UPDATE || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006230 +1 || 2006231 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l SELECT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006231 +1 || 2006232 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UNION SELECT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006232 +1 || 2006233 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l INSERT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006233 +1 || 2006234 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l DELETE || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006234 +1 || 2006235 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l ASCII || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006235 +1 || 2006236 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp l UPDATE || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006236 +1 || 2006237 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ SELECT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006237 +1 || 2006238 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UNION SELECT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006238 +1 || 2006239 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ INSERT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006239 +1 || 2006240 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ DELETE || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006240 +1 || 2006241 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ ASCII || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006241 +1 || 2006242 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp typ UPDATE || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006242 +1 || 2006243 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc SELECT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006243 +1 || 2006244 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UNION SELECT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006244 +1 || 2006245 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc INSERT || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006245 +1 || 2006246 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc DELETE || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006246 +1 || 2006247 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc ASCII || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006247 +1 || 2006248 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MGinternet Property Site Manager SQL Injection Attempt -- listings.asp loc UPDATE || cve,CVE-2006-6709 || url,www.securityfocus.com/bid/21073 || url,doc.emergingthreats.net/2006248 +1 || 2006249 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid SELECT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006249 +1 || 2006250 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UNION SELECT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006250 +1 || 2006251 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid INSERT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006251 +1 || 2006252 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid DELETE || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006252 +1 || 2006253 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid ASCII || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006253 +1 || 2006254 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP kid UPDATE || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006254 +1 || 2006255 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id SELECT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006255 +1 || 2006256 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UNION SELECT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006256 +1 || 2006257 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id INSERT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006257 +1 || 2006258 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id DELETE || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006258 +1 || 2006259 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id ASCII || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006259 +1 || 2006260 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- HABERLER.ASP id UPDATE || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006260 +1 || 2006261 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id SELECT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006261 +1 || 2006262 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UNION SELECT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006262 +1 || 2006263 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id INSERT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006263 +1 || 2006264 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id DELETE || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006264 +1 || 2006265 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id ASCII || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006265 +1 || 2006266 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP id UPDATE || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006266 +1 || 2006267 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid SELECT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006267 +1 || 2006268 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UNION SELECT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006268 +1 || 2006269 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid INSERT || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006269 +1 || 2006270 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid DELETE || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006270 +1 || 2006271 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid ASCII || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006271 +1 || 2006272 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- ASPKAT.ASP kid UPDATE || cve,CVE-2006-6672 || url,www.frsirt.com/english/advisories/2006/5085 || url,doc.emergingthreats.net/2006272 +1 || 2006273 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id SELECT || cve,CVE-2006-6671 || url,www.securityfocus.com/bid/21676 || url,doc.emergingthreats.net/2006273 +1 || 2006274 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UNION SELECT || cve,CVE-2006-6671 || url,www.securityfocus.com/bid/21676 || url,doc.emergingthreats.net/2006274 +1 || 2006275 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id INSERT || cve,CVE-2006-6671 || url,www.securityfocus.com/bid/21676 || url,doc.emergingthreats.net/2006275 +1 || 2006276 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id DELETE || cve,CVE-2006-6671 || url,www.securityfocus.com/bid/21676 || url,doc.emergingthreats.net/2006276 +1 || 2006277 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id ASCII || cve,CVE-2006-6671 || url,www.securityfocus.com/bid/21676 || url,doc.emergingthreats.net/2006277 +1 || 2006278 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt -- down.asp id UPDATE || cve,CVE-2006-6671 || url,www.securityfocus.com/bid/21676 || url,doc.emergingthreats.net/2006278 +1 || 2006279 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod SELECT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006279 +1 || 2006280 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UNION SELECT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006280 +1 || 2006281 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod INSERT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006281 +1 || 2006282 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod DELETE || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006282 +1 || 2006283 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod ASCII || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006283 +1 || 2006284 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick_mod UPDATE || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006284 +1 || 2006285 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick SELECT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006285 +1 || 2006286 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UNION SELECT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006286 +1 || 2006287 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick INSERT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006287 +1 || 2006288 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick DELETE || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006288 +1 || 2006289 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick ASCII || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006289 +1 || 2006290 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- repass.php nick UPDATE || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006290 +1 || 2006291 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick SELECT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006291 +1 || 2006292 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UNION SELECT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006292 +1 || 2006293 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick INSERT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006293 +1 || 2006294 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick DELETE || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006294 +1 || 2006295 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick ASCII || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006295 +1 || 2006296 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick UPDATE || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006296 +1 || 2006297 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod SELECT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006297 +1 || 2006298 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UNION SELECT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006298 +1 || 2006299 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod INSERT || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006299 +1 || 2006300 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod DELETE || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006300 +1 || 2006301 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod ASCII || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006301 +1 || 2006302 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VerliAdmin SQL Injection Attempt -- verify.php nick_mod UPDATE || cve,CVE-2006-6667 || url,www.frsirt.com/english/advisories/2006/5059 || url,doc.emergingthreats.net/2006302 +1 || 2006303 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id SELECT || cve,CVE-2006-6642 || url,www.securityfocus.com/bid/21626 || url,doc.emergingthreats.net/2006303 +1 || 2006304 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UNION SELECT || cve,CVE-2006-6642 || url,www.securityfocus.com/bid/21626 || url,doc.emergingthreats.net/2006304 +1 || 2006305 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id INSERT || cve,CVE-2006-6642 || url,www.securityfocus.com/bid/21626 || url,doc.emergingthreats.net/2006305 +1 || 2006306 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id DELETE || cve,CVE-2006-6642 || url,www.securityfocus.com/bid/21626 || url,doc.emergingthreats.net/2006306 +1 || 2006307 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id ASCII || cve,CVE-2006-6642 || url,www.securityfocus.com/bid/21626 || url,doc.emergingthreats.net/2006307 +1 || 2006308 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Contra Haber Sistemi SQL Injection Attempt -- haber.asp id UPDATE || cve,CVE-2006-6642 || url,www.securityfocus.com/bid/21626 || url,doc.emergingthreats.net/2006308 +1 || 2006309 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid SELECT || cve,CVE-2006-6594 || url,www.secunia.com/advisories/23372 || url,doc.emergingthreats.net/2006309 +1 || 2006310 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UNION SELECT || cve,CVE-2006-6594 || url,www.secunia.com/advisories/23372 || url,doc.emergingthreats.net/2006310 +1 || 2006311 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid INSERT || cve,CVE-2006-6594 || url,www.secunia.com/advisories/23372 || url,doc.emergingthreats.net/2006311 +1 || 2006312 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid DELETE || cve,CVE-2006-6594 || url,www.secunia.com/advisories/23372 || url,doc.emergingthreats.net/2006312 +1 || 2006313 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid ASCII || cve,CVE-2006-6594 || url,www.secunia.com/advisories/23372 || url,doc.emergingthreats.net/2006313 +1 || 2006314 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptMate User Manager SQL Injection Attempt -- usermessages.asp mesid UPDATE || cve,CVE-2006-6594 || url,www.secunia.com/advisories/23372 || url,doc.emergingthreats.net/2006314 +1 || 2006315 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id SELECT || cve,CVE-2006-6577 || url,www.securityfocus.com/bid/21366 || url,doc.emergingthreats.net/2006315 +1 || 2006316 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UNION SELECT || cve,CVE-2006-6577 || url,www.securityfocus.com/bid/21366 || url,doc.emergingthreats.net/2006316 +1 || 2006317 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id INSERT || cve,CVE-2006-6577 || url,www.securityfocus.com/bid/21366 || url,doc.emergingthreats.net/2006317 +1 || 2006318 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id DELETE || cve,CVE-2006-6577 || url,www.securityfocus.com/bid/21366 || url,doc.emergingthreats.net/2006318 +1 || 2006319 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id ASCII || cve,CVE-2006-6577 || url,www.securityfocus.com/bid/21366 || url,doc.emergingthreats.net/2006319 +1 || 2006320 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- polls.php id UPDATE || cve,CVE-2006-6577 || url,www.securityfocus.com/bid/21366 || url,doc.emergingthreats.net/2006320 +1 || 2006321 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID SELECT || cve,CVE-2006-6559 || url,www.exploit-db.com/exploits/2908/ || url,doc.emergingthreats.net/2006321 +1 || 2006322 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UNION SELECT || cve,CVE-2006-6559 || url,www.exploit-db.com/exploits/2908/ || url,doc.emergingthreats.net/2006322 +1 || 2006323 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID INSERT || cve,CVE-2006-6559 || url,www.exploit-db.com/exploits/2908/ || url,doc.emergingthreats.net/2006323 +1 || 2006324 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID DELETE || cve,CVE-2006-6559 || url,www.exploit-db.com/exploits/2908/ || url,doc.emergingthreats.net/2006324 +1 || 2006325 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID ASCII || cve,CVE-2006-6559 || url,www.exploit-db.com/exploits/2908/ || url,doc.emergingthreats.net/2006325 +1 || 2006326 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Lotfian Request For Travel SQL Injection Attempt -- ProductDetails.asp PID UPDATE || cve,CVE-2006-6559 || url,www.exploit-db.com/exploits/2908/ || url,doc.emergingthreats.net/2006326 +1 || 2006327 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id SELECT || cve,CVE-2006-6542 || url,www.milw0rm.com/exploits/2906 || url,doc.emergingthreats.net/2006327 +1 || 2006328 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UNION SELECT || cve,CVE-2006-6542 || url,www.milw0rm.com/exploits/2906 || url,doc.emergingthreats.net/2006328 +1 || 2006329 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id INSERT || cve,CVE-2006-6542 || url,www.milw0rm.com/exploits/2906 || url,doc.emergingthreats.net/2006329 +1 || 2006330 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id DELETE || cve,CVE-2006-6542 || url,www.milw0rm.com/exploits/2906 || url,doc.emergingthreats.net/2006330 +1 || 2006331 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id ASCII || cve,CVE-2006-6542 || url,www.milw0rm.com/exploits/2906 || url,doc.emergingthreats.net/2006331 +1 || 2006332 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fantastic News SQL Injection Attempt -- news.php id UPDATE || cve,CVE-2006-6542 || url,www.milw0rm.com/exploits/2906 || url,doc.emergingthreats.net/2006332 +1 || 2006333 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php SELECT || cve,CVE-2006-6540 || url,www.secunia.com/advisories/23316 || url,doc.emergingthreats.net/2006333 +1 || 2006334 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UNION SELECT || cve,CVE-2006-6540 || url,www.secunia.com/advisories/23316 || url,doc.emergingthreats.net/2006334 +1 || 2006335 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php INSERT || cve,CVE-2006-6540 || url,www.secunia.com/advisories/23316 || url,doc.emergingthreats.net/2006335 +1 || 2006336 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php DELETE || cve,CVE-2006-6540 || url,www.secunia.com/advisories/23316 || url,doc.emergingthreats.net/2006336 +1 || 2006337 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php ASCII || cve,CVE-2006-6540 || url,www.secunia.com/advisories/23316 || url,doc.emergingthreats.net/2006337 +1 || 2006338 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bluetrait SQL Injection Attempt -- bt-trackback.php UPDATE || cve,CVE-2006-6540 || url,www.secunia.com/advisories/23316 || url,doc.emergingthreats.net/2006338 +1 || 2006339 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp SELECT || cve,CVE-2006-6525 || url,www.secunia.com/advisories/23304 || url,doc.emergingthreats.net/2006339 +1 || 2006340 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UNION SELECT || cve,CVE-2006-6525 || url,www.secunia.com/advisories/23304 || url,doc.emergingthreats.net/2006340 +1 || 2006341 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp INSERT || cve,CVE-2006-6525 || url,www.secunia.com/advisories/23304 || url,doc.emergingthreats.net/2006341 +1 || 2006342 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp DELETE || cve,CVE-2006-6525 || url,www.secunia.com/advisories/23304 || url,doc.emergingthreats.net/2006342 +1 || 2006343 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp ASCII || cve,CVE-2006-6525 || url,www.secunia.com/advisories/23304 || url,doc.emergingthreats.net/2006343 +1 || 2006344 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EzHRS HR Assist SQL Injection Attempt -- vdateUsr.asp UPDATE || cve,CVE-2006-6525 || url,www.secunia.com/advisories/23304 || url,doc.emergingthreats.net/2006344 +1 || 2006345 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa SELECT || cve,CVE-2006-6521 || url,www.securityfocus.com/bid/21513 || url,doc.emergingthreats.net/2006345 +1 || 2006346 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UNION SELECT || cve,CVE-2006-6521 || url,www.securityfocus.com/bid/21513 || url,doc.emergingthreats.net/2006346 +1 || 2006347 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa INSERT || cve,CVE-2006-6521 || url,www.securityfocus.com/bid/21513 || url,doc.emergingthreats.net/2006347 +1 || 2006348 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa DELETE || cve,CVE-2006-6521 || url,www.securityfocus.com/bid/21513 || url,doc.emergingthreats.net/2006348 +1 || 2006349 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa ASCII || cve,CVE-2006-6521 || url,www.securityfocus.com/bid/21513 || url,doc.emergingthreats.net/2006349 +1 || 2006350 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Messageriescripthp SQL Injection Attempt -- lire-avis.php aa UPDATE || cve,CVE-2006-6521 || url,www.securityfocus.com/bid/21513 || url,doc.emergingthreats.net/2006350 +1 || 2006351 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa SELECT || cve,CVE-2006-6519 || url,www.securityfocus.com/bid/21516 || url,doc.emergingthreats.net/2006351 +1 || 2006352 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UNION SELECT || cve,CVE-2006-6519 || url,www.securityfocus.com/bid/21516 || url,doc.emergingthreats.net/2006352 +1 || 2006353 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa INSERT || cve,CVE-2006-6519 || url,www.securityfocus.com/bid/21516 || url,doc.emergingthreats.net/2006353 +1 || 2006354 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa DELETE || cve,CVE-2006-6519 || url,www.securityfocus.com/bid/21516 || url,doc.emergingthreats.net/2006354 +1 || 2006355 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa ASCII || cve,CVE-2006-6519 || url,www.securityfocus.com/bid/21516 || url,doc.emergingthreats.net/2006355 +1 || 2006356 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt -- lire-avis.php aa UPDATE || cve,CVE-2006-6519 || url,www.securityfocus.com/bid/21516 || url,doc.emergingthreats.net/2006356 +1 || 2006357 || 9 || trojan-activity || 0 || ET MALWARE User Agent (TEST) - Likely Webhancer Related Spyware || url,doc.emergingthreats.net/bin/view/Main/2006357 +1 || 2006361 || 9 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (Huai_Huai) || md5,ee600bdcc45989750dee846b5049f935 || md5,91b9aa25563ae524d3ca4582630eb8eb || md5,1051f7176fe0a50414649d369e752e98 +1 || 2006362 || 9 || trojan-activity || 0 || ET MALWARE Qcbar/Adultlinks Spyware User-Agent (IBSBand) || url,doc.emergingthreats.net/2006362 +1 || 2006364 || 7 || trojan-activity || 0 || ET TROJAN Dialer-967 User-Agent || url,doc.emergingthreats.net/2006364 +1 || 2006365 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (MYURL) || url,doc.emergingthreats.net/bin/view/Main/2006365 +1 || 2006366 || 7 || trojan-activity || 0 || ET TROJAN Bot Backdoor Checkin/registration Request || url,doc.emergingthreats.net/2006366 +1 || 2006367 || 7 || policy-violation || 0 || ET DELETED Metacafe.com family filter off || url,doc.emergingthreats.net/2006367 +1 || 2006368 || 7 || policy-violation || 0 || ET DELETED Rapidshare download unauthd image post || url,en.wikipedia.org/wiki/RapidShare || url,doc.emergingthreats.net/2006368 +1 || 2006369 || 6 || policy-violation || 0 || ET POLICY Rapidshare auth cookie download || url,en.wikipedia.org/wiki/RapidShare || url,doc.emergingthreats.net/2006369 +1 || 2006370 || 9 || trojan-activity || 0 || ET MALWARE Effectivebrands.com Spyware User-Agent (atsu) || url,doc.emergingthreats.net/2006370 +1 || 2006371 || 7 || trojan-activity || 0 || ET P2P BearShare P2P Gnutella Client User-Agent (BearShare 6.x.x.x) || url,doc.emergingthreats.net/bin/view/Main/2006371 +1 || 2006372 || 7 || trojan-activity || 0 || ET P2P Bittorrent P2P Client User-Agent (Bittorrent/5.x.x) || url,doc.emergingthreats.net/bin/view/Main/2006372 +1 || 2006375 || 5 || trojan-activity || 0 || ET P2P Bittorrent P2P Client HTTP Request || url,doc.emergingthreats.net/bin/view/Main/2006375 +1 || 2006377 || 6 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Agent.bwr || url,doc.emergingthreats.net/2006377 +1 || 2006379 || 6 || trojan-activity || 0 || ET P2P BearShare P2P Gnutella Client HTTP Request || url,doc.emergingthreats.net/bin/view/Main/2006379 +1 || 2006380 || 12 || policy-violation || 0 || ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted || url,doc.emergingthreats.net/bin/view/Main/2006380 +1 || 2006381 || 11 || trojan-activity || 0 || ET MALWARE Ask.com Toolbar/Spyware User-Agent (AskPBar) || url,doc.emergingthreats.net/2006381 +1 || 2006382 || 9 || trojan-activity || 0 || ET TROJAN Matcash or related downloader User-Agent Detected || url,doc.emergingthreats.net/2006382 +1 || 2006384 || 7 || trojan-activity || 0 || ET TROJAN Generic Password Stealer Checkin URL Detected || url,doc.emergingthreats.net/2006384 +1 || 2006385 || 10 || trojan-activity || 0 || ET DELETED PWS-LDPinch posting data || url,doc.emergingthreats.net/2006385 +1 || 2006386 || 9 || trojan-activity || 0 || ET MALWARE Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate) || url,doc.emergingthreats.net/2006386 +1 || 2006387 || 8 || trojan-activity || 0 || ET TROJAN Downloader User-Agent Detected (Windows Updates Manager|3.12|...) || url,doc.emergingthreats.net/2006387 +1 || 2006388 || 8 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (006) || url,doc.emergingthreats.net/bin/view/Main/2006388 +1 || 2006391 || 5 || trojan-activity || 0 || ET TROJAN Poebot Related User Agent (SPM_ID=) || url,doc.emergingthreats.net/2006391 +1 || 2006392 || 10 || trojan-activity || 0 || ET MALWARE Win-touch.com Spyware User-Agent (WTRecover) || url,doc.emergingthreats.net/2006392 +1 || 2006393 || 10 || trojan-activity || 0 || ET MALWARE Win-touch.com Spyware User-Agent (WTInstaller) || url,doc.emergingthreats.net/2006393 +1 || 2006394 || 7 || trojan-activity || 0 || ET TROJAN Downloader User-Agent Detected (ld) || url,doc.emergingthreats.net/2006394 +1 || 2006395 || 5 || trojan-activity || 0 || ET TROJAN Socks666 Connection Initial Packet || url,doc.emergingthreats.net/2006396 +1 || 2006396 || 5 || trojan-activity || 0 || ET TROJAN Socks666 Connect Command Packet || url,doc.emergingthreats.net/2006396 +1 || 2006397 || 6 || trojan-activity || 0 || ET TROJAN Socks666 Successful Connect Packet Packet || url,doc.emergingthreats.net/2006396 +1 || 2006398 || 6 || trojan-activity || 0 || ET TROJAN Socks666 Checkin Packet || url,doc.emergingthreats.net/2006396 +1 || 2006399 || 5 || trojan-activity || 0 || ET TROJAN Socks666 Checkin Success Packet || url,doc.emergingthreats.net/2006396 +1 || 2006400 || 6 || trojan-activity || 0 || ET TROJAN Downloader.26001 Url Pattern Detected || url,doc.emergingthreats.net/2006400 +1 || 2006401 || 6 || trojan-activity || 0 || ET TROJAN Downloader.26001 Url Pattern Detected (lunch_id) || url,doc.emergingthreats.net/2006401 +1 || 2006402 || 10 || policy-violation || 0 || ET POLICY Incoming Basic Auth Base64 HTTP Password detected unencrypted || url,doc.emergingthreats.net/bin/view/Main/2006402 +1 || 2006403 || 6 || trojan-activity || 0 || ET TROJAN General Trojan Checkin by MAC chkmac.php +1 || 2006404 || 5 || trojan-activity || 0 || ET TROJAN DownLoader.30525 Checkin || url,doc.emergingthreats.net/bin/view/Main/2006404 +1 || 2006405 || 4 || trojan-activity || 0 || ET TROJAN Proxy.Win32.Agent.mx || url,doc.emergingthreats.net/2006405 +1 || 2006406 || 5 || trojan-activity || 0 || ET TROJAN Proxy.Win32.Agent.mx (2) || url,doc.emergingthreats.net/2006406 +1 || 2006408 || 14 || policy-violation || 0 || ET POLICY HTTP Request on Unusual Port Possibly Hostile || url,doc.emergingthreats.net/2006408 +1 || 2006409 || 10 || policy-violation || 0 || ET POLICY HTTP POST on unusual Port Possibly Hostile || url,doc.emergingthreats.net/2006409 +1 || 2006410 || 6 || policy-violation || 0 || ET DELETED PHP Anonymizing/Evasion Proxy In Use || url,sourceforge.net/projects/php-proxy/ || url,doc.emergingthreats.net/2006410 +1 || 2006411 || 9 || trojan-activity || 0 || ET TROJAN Storm Worm HTTP Request || url,doc.emergingthreats.net/2006411 +1 || 2006413 || 8 || trojan-activity || 0 || ET MALWARE Mycashbank.co.kr Spyware User-Agent (pint_agency) || url,doc.emergingthreats.net/2006413 +1 || 2006414 || 5 || trojan-activity || 0 || ET TROJAN Possible Warezov/Stration Data Post to Controller (pr2.cgi) || url,doc.emergingthreats.net/2006414 +1 || 2006417 || 8 || policy-violation || 0 || ET ATTACK_RESPONSE Weak Netbios Lanman Auth Challenge Detected || url,doc.emergingthreats.net/bin/view/Main/2006417 +1 || 2006418 || 8 || trojan-activity || 0 || ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User-Agent (Museon) || url,doc.emergingthreats.net/2006418 +1 || 2006419 || 8 || trojan-activity || 0 || ET MALWARE Vaccineprogram.co.kr Related Spyware User-Agent (anycleaner) || url,doc.emergingthreats.net/2006419 +1 || 2006420 || 7 || trojan-activity || 0 || ET USER_AGENTS Vaccineprogram.co.kr Related Spyware User Agent (pcsafe) || url,doc.emergingthreats.net/2006420 +1 || 2006421 || 8 || trojan-activity || 0 || ET MALWARE Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine) || url,doc.emergingthreats.net/2006421 +1 || 2006422 || 8 || trojan-activity || 0 || ET MALWARE Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM) || url,doc.emergingthreats.net/2006422 +1 || 2006423 || 8 || trojan-activity || 0 || ET MALWARE Doctorpro.co.kr Related Spyware User-Agent (doctorpro1) || url,doc.emergingthreats.net/2006423 +1 || 2006425 || 6 || trojan-activity || 0 || ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin || url,doc.emergingthreats.net/bin/view/Main/2006425 +1 || 2006426 || 6 || trojan-activity || 0 || ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2006426 +1 || 2006427 || 6 || trojan-activity || 0 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check || url,doc.emergingthreats.net/bin/view/Main/2006427 +1 || 2006428 || 6 || trojan-activity || 0 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open) || url,doc.emergingthreats.net/bin/view/Main/2006428 +1 || 2006429 || 9 || trojan-activity || 0 || ET MALWARE Karine.co.kr Related Spyware User Agent (chk Profile) || url,doc.emergingthreats.net/2006429 +1 || 2006430 || 9 || trojan-activity || 0 || ET MALWARE Karine.co.kr Related Spyware User-Agent (Access down) || url,doc.emergingthreats.net/2006430 +1 || 2006431 || 6 || trojan-activity || 0 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post || url,doc.emergingthreats.net/bin/view/Main/2006431 +1 || 2006432 || 6 || trojan-activity || 0 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret) || url,doc.emergingthreats.net/bin/view/Main/2006432 +1 || 2006433 || 6 || trojan-activity || 0 || ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result) || url,doc.emergingthreats.net/bin/view/Main/2006433 +1 || 2006434 || 8 || trojan-activity || 0 || ET POLICY Possible Ecard Trojan download || url,doc.emergingthreats.net/2006434 +1 || 2006435 || 8 || misc-activity || 0 || ET SCAN LibSSH Based SSH Connection - Often used as a BruteForce Tool || url,doc.emergingthreats.net/2006435 +1 || 2006441 || 7 || trojan-activity || 0 || ET TROJAN Zlob User Agent - updating (Winlogon) || url,doc.emergingthreats.net/2006441 +1 || 2006443 || 10 || web-application-attack || 0 || ET WEB_SERVER Possible SQL Injection Attempt DELETE FROM || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2006443 +1 || 2006444 || 10 || web-application-attack || 0 || ET WEB_SERVER Possible SQL Injection Attempt INSERT INTO || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2006444 +1 || 2006445 || 10 || web-application-attack || 0 || ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2006445 +1 || 2006446 || 11 || web-application-attack || 0 || ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2006446 +1 || 2006447 || 12 || web-application-attack || 0 || ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2006447 +1 || 2006448 || 4 || trojan-activity || 0 || ET TROJAN Win32.Agent.ajx Trojan Reporting to Server || url,doc.emergingthreats.net/2006448 +1 || 2006449 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php SELECT || cve,CVE-2007-3250 || url,www.securityfocus.com/bid/24478 || url,doc.emergingthreats.net/2006449 +1 || 2006450 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UNION SELECT || cve,CVE-2007-3250 || url,www.securityfocus.com/bid/24478 || url,doc.emergingthreats.net/2006450 +1 || 2006451 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php INSERT || cve,CVE-2007-3250 || url,www.securityfocus.com/bid/24478 || url,doc.emergingthreats.net/2006451 +1 || 2006452 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php DELETE || cve,CVE-2007-3250 || url,www.securityfocus.com/bid/24478 || url,doc.emergingthreats.net/2006452 +1 || 2006453 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php ASCII || cve,CVE-2007-3250 || url,www.securityfocus.com/bid/24478 || url,doc.emergingthreats.net/2006453 +1 || 2006454 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Elxis CMS SQL Injection Attempt -- mod_banners.php UPDATE || cve,CVE-2007-3250 || url,www.securityfocus.com/bid/24478 || url,doc.emergingthreats.net/2006454 +1 || 2006455 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page SELECT || cve,CVE-2007-3128 || url,www.osvdb.org/34164 || url,doc.emergingthreats.net/2006455 +1 || 2006456 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UNION SELECT || cve,CVE-2007-3128 || url,www.osvdb.org/34164 || url,doc.emergingthreats.net/2006456 +1 || 2006457 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page INSERT || cve,CVE-2007-3128 || url,www.osvdb.org/34164 || url,doc.emergingthreats.net/2006457 +1 || 2006458 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page DELETE || cve,CVE-2007-3128 || url,www.osvdb.org/34164 || url,doc.emergingthreats.net/2006458 +1 || 2006459 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page ASCII || cve,CVE-2007-3128 || url,www.osvdb.org/34164 || url,doc.emergingthreats.net/2006459 +1 || 2006460 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSPortal SQL Injection Attempt -- content.php page UPDATE || cve,CVE-2007-3128 || url,www.osvdb.org/34164 || url,doc.emergingthreats.net/2006460 +1 || 2006461 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm SELECT || cve,CVE-2007-3273 || url,www.securityfocus.com/bid/24498 || url,doc.emergingthreats.net/2006461 +1 || 2006462 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UNION SELECT || cve,CVE-2007-3273 || url,www.securityfocus.com/bid/24498 || url,doc.emergingthreats.net/2006462 +1 || 2006463 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm INSERT || cve,CVE-2007-3273 || url,www.securityfocus.com/bid/24498 || url,doc.emergingthreats.net/2006463 +1 || 2006464 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm DELETE || cve,CVE-2007-3273 || url,www.securityfocus.com/bid/24498 || url,doc.emergingthreats.net/2006464 +1 || 2006465 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm ASCII || cve,CVE-2007-3273 || url,www.securityfocus.com/bid/24498 || url,doc.emergingthreats.net/2006465 +1 || 2006466 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- index.cfm UPDATE || cve,CVE-2007-3273 || url,www.securityfocus.com/bid/24498 || url,doc.emergingthreats.net/2006466 +1 || 2006467 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode SELECT || cve,CVE-2007-3301 || url,www.securityfocus.com/bid/24528 || url,doc.emergingthreats.net/2006467 +1 || 2006468 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UNION SELECT || cve,CVE-2007-3301 || url,www.securityfocus.com/bid/24528 || url,doc.emergingthreats.net/2006468 +1 || 2006469 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode INSERT || cve,CVE-2007-3301 || url,www.securityfocus.com/bid/24528 || url,doc.emergingthreats.net/2006469 +1 || 2006470 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode DELETE || cve,CVE-2007-3301 || url,www.securityfocus.com/bid/24528 || url,doc.emergingthreats.net/2006470 +1 || 2006471 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode ASCII || cve,CVE-2007-3301 || url,www.securityfocus.com/bid/24528 || url,doc.emergingthreats.net/2006471 +1 || 2006472 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FuseTalk SQL Injection Attempt -- autherror.cfm errorcode UPDATE || cve,CVE-2007-3301 || url,www.securityfocus.com/bid/24528 || url,doc.emergingthreats.net/2006472 +1 || 2006473 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid SELECT || cve,CVE-2007-3293 || url,www.exploit-db.com/exploits/4082/ || url,doc.emergingthreats.net/2006473 +1 || 2006474 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UNION SELECT || cve,CVE-2007-3293 || url,www.exploit-db.com/exploits/4082/ || url,doc.emergingthreats.net/2006474 +1 || 2006475 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid INSERT || cve,CVE-2007-3293 || url,www.exploit-db.com/exploits/4082/ || url,doc.emergingthreats.net/2006475 +1 || 2006476 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid DELETE || cve,CVE-2007-3293 || url,www.exploit-db.com/exploits/4082/ || url,doc.emergingthreats.net/2006476 +1 || 2006477 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid ASCII || cve,CVE-2007-3293 || url,www.exploit-db.com/exploits/4082/ || url,doc.emergingthreats.net/2006477 +1 || 2006478 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LiveCMS SQL Injection Attempt -- categoria.php cid UPDATE || cve,CVE-2007-3293 || url,www.exploit-db.com/exploits/4082/ || url,doc.emergingthreats.net/2006478 +1 || 2006479 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php SELECT || cve,CVE-2007-3307 || url,www.milw0rm.com/exploits/4078 || url,doc.emergingthreats.net/2006479 +1 || 2006480 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UNION SELECT || cve,CVE-2007-3307 || url,www.milw0rm.com/exploits/4078 || url,doc.emergingthreats.net/2006480 +1 || 2006481 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php INSERT || cve,CVE-2007-3307 || url,www.milw0rm.com/exploits/4078 || url,doc.emergingthreats.net/2006481 +1 || 2006482 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php DELETE || cve,CVE-2007-3307 || url,www.milw0rm.com/exploits/4078 || url,doc.emergingthreats.net/2006482 +1 || 2006484 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php ASCII || cve,CVE-2007-3307 || url,www.milw0rm.com/exploits/4078 || url,doc.emergingthreats.net/2006484 +1 || 2006485 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Solar Empire SQL Injection Attempt -- game_listing.php UPDATE || cve,CVE-2007-3307 || url,www.milw0rm.com/exploits/4078 || url,doc.emergingthreats.net/2006485 +1 || 2006486 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id SELECT || cve,CVE-2007-3311 || url,www.milw0rm.com/exploits/3588 || url,doc.emergingthreats.net/2006486 +1 || 2006487 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UNION SELECT || cve,CVE-2007-3311 || url,www.milw0rm.com/exploits/3588 || url,doc.emergingthreats.net/2006487 +1 || 2006488 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id INSERT || cve,CVE-2007-3311 || url,www.milw0rm.com/exploits/3588 || url,doc.emergingthreats.net/2006488 +1 || 2006489 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id DELETE || cve,CVE-2007-3311 || url,www.milw0rm.com/exploits/3588 || url,doc.emergingthreats.net/2006489 +1 || 2006490 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id ASCII || cve,CVE-2007-3311 || url,www.milw0rm.com/exploits/3588 || url,doc.emergingthreats.net/2006490 +1 || 2006491 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Xoops SQL Injection Attempt -- print.php id UPDATE || cve,CVE-2007-3311 || url,www.milw0rm.com/exploits/3588 || url,doc.emergingthreats.net/2006491 +1 || 2006492 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username SELECT || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006492 +1 || 2006493 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UNION SELECT || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006493 +1 || 2006494 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username INSERT || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006494 +1 || 2006495 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username DELETE || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006495 +1 || 2006496 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username ASCII || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006496 +1 || 2006497 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- login.php login_username UPDATE || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006497 +1 || 2006498 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item SELECT || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006498 +1 || 2006499 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UNION SELECT || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006499 +1 || 2006500 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item INSERT || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006500 +1 || 2006501 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item DELETE || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006501 +1 || 2006502 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item ASCII || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006502 +1 || 2006503 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jasmine CMS SQL Injection Attempt -- news.php item UPDATE || cve,CVE-2007-3313 || url,www.milw0rm.com/exploits/4081 || url,doc.emergingthreats.net/2006503 +1 || 2006504 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct SELECT || cve,CVE-2007-3323 || url,www.securityfocus.com/bid/24562 || url,doc.emergingthreats.net/2006504 +1 || 2006505 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UNION SELECT || cve,CVE-2007-3323 || url,www.securityfocus.com/bid/24562 || url,doc.emergingthreats.net/2006505 +1 || 2006506 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct INSERT || cve,CVE-2007-3323 || url,www.securityfocus.com/bid/24562 || url,doc.emergingthreats.net/2006506 +1 || 2006507 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct DELETE || cve,CVE-2007-3323 || url,www.securityfocus.com/bid/24562 || url,doc.emergingthreats.net/2006507 +1 || 2006508 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct ASCII || cve,CVE-2007-3323 || url,www.securityfocus.com/bid/24562 || url,doc.emergingthreats.net/2006508 +1 || 2006509 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comersus Shop Cart SQL Injection Attempt -- comersus_optReviewReadExec.asp idProduct UPDATE || cve,CVE-2007-3323 || url,www.securityfocus.com/bid/24562 || url,doc.emergingthreats.net/2006509 +1 || 2006510 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006510 +1 || 2006511 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UNION SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006511 +1 || 2006512 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID INSERT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006512 +1 || 2006513 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID DELETE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006513 +1 || 2006514 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID ASCII || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006514 +1 || 2006515 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_Type_ID UPDATE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006515 +1 || 2006516 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006516 +1 || 2006517 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UNION SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006517 +1 || 2006518 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID INSERT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006518 +1 || 2006519 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID DELETE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006519 +1 || 2006520 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID ASCII || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006520 +1 || 2006521 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Outgoing_ID UPDATE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006521 +1 || 2006522 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006522 +1 || 2006523 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UNION SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006523 +1 || 2006524 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID INSERT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006524 +1 || 2006525 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID DELETE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006525 +1 || 2006526 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID ASCII || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006526 +1 || 2006527 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Project_ID UPDATE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006527 +1 || 2006528 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006528 +1 || 2006529 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UNION SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006529 +1 || 2006530 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID INSERT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006530 +1 || 2006531 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID DELETE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006531 +1 || 2006532 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID ASCII || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006532 +1 || 2006533 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Client_ID UPDATE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006533 +1 || 2006534 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006534 +1 || 2006535 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UNION SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006535 +1 || 2006536 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID INSERT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006536 +1 || 2006537 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID DELETE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006537 +1 || 2006538 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID ASCII || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006538 +1 || 2006539 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Invoice_ID UPDATE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006539 +1 || 2006540 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006540 +1 || 2006541 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UNION SELECT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006541 +1 || 2006542 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID INSERT || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006542 +1 || 2006543 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID DELETE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006543 +1 || 2006544 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID ASCII || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006544 +1 || 2006545 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPAccounts SQL Injection Attempt -- index.php Vendor_ID UPDATE || cve,CVE-2007-3345 || url,pridels-team.blogspot.com/2007/06/phpaccounts-vuln.html || url,doc.emergingthreats.net/2006545 +1 || 2006546 || 7 || attempted-admin || 0 || ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack! || url,doc.emergingthreats.net/2006546 +1 || 2006547 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id SELECT || cve,CVE-2007-3354 || url,www.securityfocus.com/bid/24584 || url,doc.emergingthreats.net/2006547 +1 || 2006548 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UNION SELECT || cve,CVE-2007-3354 || url,www.securityfocus.com/bid/24584 || url,doc.emergingthreats.net/2006548 +1 || 2006549 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id INSERT || cve,CVE-2007-3354 || url,www.securityfocus.com/bid/24584 || url,doc.emergingthreats.net/2006549 +1 || 2006550 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id DELETE || cve,CVE-2007-3354 || url,www.securityfocus.com/bid/24584 || url,doc.emergingthreats.net/2006550 +1 || 2006551 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id ASCII || cve,CVE-2007-3354 || url,www.securityfocus.com/bid/24584 || url,doc.emergingthreats.net/2006551 +1 || 2006552 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NetClassifieds Premium Edition SQL Injection Attempt -- ViewCat.php s_user_id UPDATE || cve,CVE-2007-3354 || url,www.securityfocus.com/bid/24584 || url,doc.emergingthreats.net/2006552 +1 || 2006553 || 9 || trojan-activity || 0 || ET MALWARE Cpushpop.com Spyware User-Agent (CPUSH_UPDATER) || url,doc.emergingthreats.net/2006553 +1 || 2006554 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId SELECT || cve,CVE-2006-6486 || url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded || url,doc.emergingthreats.net/2006554 +1 || 2006555 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UNION SELECT || cve,CVE-2006-6486 || url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded || url,doc.emergingthreats.net/2006555 +1 || 2006556 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId INSERT || cve,CVE-2006-6486 || url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded || url,doc.emergingthreats.net/2006556 +1 || 2006557 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId DELETE || cve,CVE-2006-6486 || url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded || url,doc.emergingthreats.net/2006557 +1 || 2006558 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId ASCII || cve,CVE-2006-6486 || url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded || url,doc.emergingthreats.net/2006558 +1 || 2006559 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasyPage SQL Injection Attempt -- default.aspx docId UPDATE || cve,CVE-2006-6486 || url,www.securityfocus.com/archive/1/archive/1/453586/100/100/threaded || url,doc.emergingthreats.net/2006559 +1 || 2006560 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006560 +1 || 2006561 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UNION SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006561 +1 || 2006562 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id INSERT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006562 +1 || 2006564 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id DELETE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006564 +1 || 2006565 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id ASCII || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006565 +1 || 2006566 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- email.php id UPDATE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006566 +1 || 2006567 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006567 +1 || 2006568 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UNION SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006568 +1 || 2006569 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no INSERT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006569 +1 || 2006570 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no DELETE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006570 +1 || 2006571 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no ASCII || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006571 +1 || 2006572 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- voirannonce.php no UPDATE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006572 +1 || 2006573 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006573 +1 || 2006574 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UNION SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006574 +1 || 2006575 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre INSERT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006575 +1 || 2006576 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre DELETE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006576 +1 || 2006577 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre ASCII || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006577 +1 || 2006578 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- fiche_membre.php idmembre UPDATE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006578 +1 || 2006579 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006579 +1 || 2006580 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UNION SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006580 +1 || 2006581 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce INSERT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006581 +1 || 2006582 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce DELETE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006582 +1 || 2006583 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce ASCII || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006583 +1 || 2006584 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- okvalannonce.php idannonce UPDATE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006584 +1 || 2006585 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006585 +1 || 2006586 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UNION SELECT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006586 +1 || 2006587 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce INSERT || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006587 +1 || 2006588 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce DELETE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006588 +1 || 2006589 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce ASCII || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006589 +1 || 2006590 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt -- changeannonce.php idannonce UPDATE || cve,CVE-2006-6478 || url,www.securityfocus.com/bid/21514/exploit || url,doc.emergingthreats.net/2006590 +1 || 2006591 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid SELECT || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006591 +1 || 2006592 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UNION SELECT || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006592 +1 || 2006593 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid INSERT || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006593 +1 || 2006594 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid DELETE || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006594 +1 || 2006595 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid ASCII || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006595 +1 || 2006596 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp agentid UPDATE || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006596 +1 || 2006597 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass SELECT || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006597 +1 || 2006598 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UNION SELECT || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006598 +1 || 2006599 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass INSERT || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006599 +1 || 2006600 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass DELETE || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006600 +1 || 2006601 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass ASCII || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006601 +1 || 2006602 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Novell ZENworks Patch Management (ZPM) SQL Injection Attempt -- downloadreport.asp pass UPDATE || cve,CVE-2006-6450 || url,www.securityfocus.com/bid/21473 || url,doc.emergingthreats.net/2006602 +1 || 2006603 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user SELECT || cve,CVE-2006-6448 || url,www.frsirt.com/english/advisories/2006/4850 || url,doc.emergingthreats.net/2006603 +1 || 2006604 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UNION SELECT || cve,CVE-2006-6448 || url,www.frsirt.com/english/advisories/2006/4850 || url,doc.emergingthreats.net/2006604 +1 || 2006605 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user INSERT || cve,CVE-2006-6448 || url,www.frsirt.com/english/advisories/2006/4850 || url,doc.emergingthreats.net/2006605 +1 || 2006606 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user DELETE || cve,CVE-2006-6448 || url,www.frsirt.com/english/advisories/2006/4850 || url,doc.emergingthreats.net/2006606 +1 || 2006607 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user ASCII || cve,CVE-2006-6448 || url,www.frsirt.com/english/advisories/2006/4850 || url,doc.emergingthreats.net/2006607 +1 || 2006608 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vt-Forum Lite SQL Injection Attempt -- vf_memberdetail.asp user UPDATE || cve,CVE-2006-6448 || url,www.frsirt.com/english/advisories/2006/4850 || url,doc.emergingthreats.net/2006608 +1 || 2006609 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D SELECT || cve,CVE-2006-6446 || url,www.securityfocus.com/bid/21467 || url,doc.emergingthreats.net/2006609 +1 || 2006610 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UNION SELECT || cve,CVE-2006-6446 || url,www.securityfocus.com/bid/21467 || url,doc.emergingthreats.net/2006610 +1 || 2006611 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D INSERT || cve,CVE-2006-6446 || url,www.securityfocus.com/bid/21467 || url,doc.emergingthreats.net/2006611 +1 || 2006612 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D DELETE || cve,CVE-2006-6446 || url,www.securityfocus.com/bid/21467 || url,doc.emergingthreats.net/2006612 +1 || 2006613 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D ASCII || cve,CVE-2006-6446 || url,www.securityfocus.com/bid/21467 || url,doc.emergingthreats.net/2006613 +1 || 2006614 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iWare Professional SQL Injection Attempt -- index.php D UPDATE || cve,CVE-2006-6446 || url,www.securityfocus.com/bid/21467 || url,doc.emergingthreats.net/2006614 +1 || 2006615 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc SELECT || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006615 +1 || 2006616 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UNION SELECT || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006616 +1 || 2006617 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc INSERT || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006617 +1 || 2006618 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc DELETE || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006618 +1 || 2006619 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc ASCII || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006619 +1 || 2006620 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_doc UPDATE || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006620 +1 || 2006621 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut SELECT || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006621 +1 || 2006622 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UNION SELECT || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006622 +1 || 2006623 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut INSERT || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006623 +1 || 2006624 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut DELETE || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006624 +1 || 2006625 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut ASCII || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006625 +1 || 2006626 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dol storye SQL Injection Attempt -- dettaglio.asp id_aut UPDATE || cve,CVE-2006-6414 || url,www.securityfocus.com/bid/21463 || url,doc.emergingthreats.net/2006626 +1 || 2006627 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details SELECT || cve,CVE-2006-6403 || url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2 || url,doc.emergingthreats.net/2006627 +1 || 2006628 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UNION SELECT || cve,CVE-2006-6403 || url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2 || url,doc.emergingthreats.net/2006628 +1 || 2006629 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details INSERT || cve,CVE-2006-6403 || url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2 || url,doc.emergingthreats.net/2006629 +1 || 2006630 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details DELETE || cve,CVE-2006-6403 || url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2 || url,doc.emergingthreats.net/2006630 +1 || 2006631 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details ASCII || cve,CVE-2006-6403 || url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2 || url,doc.emergingthreats.net/2006631 +1 || 2006632 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyStats SQL Injection Attempt -- mystats.php details UPDATE || cve,CVE-2006-6403 || url,marc.theaimsgroup.com/?l=bugtraq&m=116344068502988&w=2 || url,doc.emergingthreats.net/2006632 +1 || 2006633 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp SELECT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006633 +1 || 2006634 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UNION SELECT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006634 +1 || 2006635 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp INSERT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006635 +1 || 2006636 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp DELETE || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006636 +1 || 2006637 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp ASCII || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006637 +1 || 2006638 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- sendarticle.asp UPDATE || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006638 +1 || 2006639 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp SELECT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006639 +1 || 2006640 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UNION SELECT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006640 +1 || 2006641 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp INSERT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006641 +1 || 2006642 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp DELETE || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006642 +1 || 2006643 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp ASCII || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006643 +1 || 2006644 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- printarticle.asp UPDATE || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006644 +1 || 2006645 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID SELECT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006645 +1 || 2006646 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UNION SELECT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006646 +1 || 2006647 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID INSERT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006647 +1 || 2006648 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID DELETE || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006648 +1 || 2006649 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID ASCII || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006649 +1 || 2006650 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- index.asp ID UPDATE || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006650 +1 || 2006651 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID SELECT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006651 +1 || 2006652 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UNION SELECT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006652 +1 || 2006653 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID INSERT || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006653 +1 || 2006654 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID DELETE || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006654 +1 || 2006655 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID ASCII || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006655 +1 || 2006656 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Superfreaker Studios UPublisher SQL Injection Attempt -- preferences.asp ID UPDATE || cve,CVE-2006-6398 || url,www.securityfocus.com/archive/1/archive/1/453462/100/0/threaded || url,doc.emergingthreats.net/2006656 +1 || 2006657 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni SELECT || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006657 +1 || 2006658 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UNION SELECT || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006658 +1 || 2006659 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni INSERT || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006659 +1 || 2006660 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni DELETE || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006660 +1 || 2006661 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni ASCII || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006661 +1 || 2006662 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- navigacija.php IDMeniGlavni UPDATE || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006662 +1 || 2006663 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci SELECT || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006663 +1 || 2006664 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UNION SELECT || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006664 +1 || 2006665 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci INSERT || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006665 +1 || 2006666 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci DELETE || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006666 +1 || 2006667 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci ASCII || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006667 +1 || 2006668 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LINK Content Management Server (CMS) SQL Injection Attempt -- prikazInformacije.php IDStranicaPodaci UPDATE || cve,CVE-2006-6387 || url,www.securityfocus.com/bid/21464 || url,doc.emergingthreats.net/2006668 +1 || 2006669 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img SELECT || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006669 +1 || 2006670 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UNION SELECT || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006670 +1 || 2006671 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img INSERT || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006671 +1 || 2006672 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img DELETE || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006672 +1 || 2006673 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img ASCII || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006673 +1 || 2006674 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- post.php img UPDATE || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006674 +1 || 2006675 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img SELECT || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006675 +1 || 2006676 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UNION SELECT || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006676 +1 || 2006677 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img INSERT || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006677 +1 || 2006678 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img DELETE || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006678 +1 || 2006679 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img ASCII || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006679 +1 || 2006680 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Gallery SQL Injection Attempt -- index.php img UPDATE || cve,CVE-2006-6370 || url,www.securityfocus.com/archive/1/archive/1/453468/100/0/threaded || url,doc.emergingthreats.net/2006680 +1 || 2006681 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid SELECT || cve,CVE-2006-6369 || url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded || url,doc.emergingthreats.net/2006681 +1 || 2006682 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UNION SELECT || cve,CVE-2006-6369 || url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded || url,doc.emergingthreats.net/2006682 +1 || 2006683 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid INSERT || cve,CVE-2006-6369 || url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded || url,doc.emergingthreats.net/2006683 +1 || 2006684 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid DELETE || cve,CVE-2006-6369 || url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded || url,doc.emergingthreats.net/2006684 +1 || 2006685 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid ASCII || cve,CVE-2006-6369 || url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded || url,doc.emergingthreats.net/2006685 +1 || 2006686 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Invision Community Blog Mod SQL Injection Attempt -- entry_reply_entry.php eid UPDATE || cve,CVE-2006-6369 || url,www.securityfocus.com/archive/1/archive/1/453159/100/100/threaded || url,doc.emergingthreats.net/2006686 +1 || 2006687 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile SELECT || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006687 +1 || 2006688 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UNION SELECT || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006688 +1 || 2006689 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile INSERT || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006689 +1 || 2006690 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile DELETE || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006690 +1 || 2006691 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile ASCII || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006691 +1 || 2006692 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp iFile UPDATE || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006692 +1 || 2006694 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action SELECT || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006694 +1 || 2006695 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UNION SELECT || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006695 +1 || 2006696 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action INSERT || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006696 +1 || 2006697 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action DELETE || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006697 +1 || 2006698 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action ASCII || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006698 +1 || 2006699 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action UPDATE || cve,CVE-2006-6367 || url,www.securityfocus.com/bid/21405 || url,doc.emergingthreats.net/2006699 +1 || 2006700 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType SELECT || cve,CVE-2006-6365 || url,www.securityfocus.com/bid/14034 || url,doc.emergingthreats.net/2006700 +1 || 2006701 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UNION SELECT || cve,CVE-2006-6365 || url,www.securityfocus.com/bid/14034 || url,doc.emergingthreats.net/2006701 +1 || 2006702 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType INSERT || cve,CVE-2006-6365 || url,www.securityfocus.com/bid/14034 || url,doc.emergingthreats.net/2006702 +1 || 2006703 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType DELETE || cve,CVE-2006-6365 || url,www.securityfocus.com/bid/14034 || url,doc.emergingthreats.net/2006703 +1 || 2006704 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType ASCII || cve,CVE-2006-6365 || url,www.securityfocus.com/bid/14034 || url,doc.emergingthreats.net/2006704 +1 || 2006705 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DUware DUpaypal SQL Injection Attempt -- detail.asp iType UPDATE || cve,CVE-2006-6365 || url,www.securityfocus.com/bid/14034 || url,doc.emergingthreats.net/2006705 +1 || 2006706 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity SELECT || cve,CVE-2006-6355 || url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded || url,doc.emergingthreats.net/2006706 +1 || 2006707 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UNION SELECT || cve,CVE-2006-6355 || url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded || url,doc.emergingthreats.net/2006707 +1 || 2006708 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity INSERT || cve,CVE-2006-6355 || url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded || url,doc.emergingthreats.net/2006708 +1 || 2006709 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity DELETE || cve,CVE-2006-6355 || url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded || url,doc.emergingthreats.net/2006709 +1 || 2006710 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity ASCII || cve,CVE-2006-6355 || url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded || url,doc.emergingthreats.net/2006710 +1 || 2006711 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuClassmate SQL Injection Attempt -- default.asp iCity UPDATE || cve,CVE-2006-6355 || url,www.securityfocus.com/archive/1/archive/1/453318/100/0/threaded || url,doc.emergingthreats.net/2006711 +1 || 2006712 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews SELECT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006712 +1 || 2006713 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UNION SELECT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006713 +1 || 2006714 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews INSERT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006714 +1 || 2006715 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews DELETE || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006715 +1 || 2006716 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews ASCII || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006716 +1 || 2006717 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DuWare DuNews SQL Injection Attempt -- detail.asp iNews UPDATE || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006717 +1 || 2006718 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType SELECT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006718 +1 || 2006719 || 7 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType UNION SELECT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006719 +1 || 2006720 || 7 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType INSERT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006720 +1 || 2006721 || 7 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType DELETE || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006721 +1 || 2006722 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType ASCII || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006722 +1 || 2006723 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp iType UPDATE || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006723 +1 || 2006724 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action SELECT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006724 +1 || 2006725 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action UNION SELECT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006725 +1 || 2006726 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action INSERT || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006726 +1 || 2006727 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action DELETE || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006727 +1 || 2006728 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action ASCII || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006728 +1 || 2006729 || 8 || web-application-attack || 0 || ET DELETED DuWare DuNews SQL Injection Attempt -- detail.asp Action UPDATE || cve,CVE-2006-6354 || url,www.securityfocus.com/bid/15681 || url,doc.emergingthreats.net/2006729 +1 || 2006730 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main SELECT || cve,CVE-2006-6349 || url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl || url,doc.emergingthreats.net/2006730 +1 || 2006731 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UNION SELECT || cve,CVE-2006-6349 || url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl || url,doc.emergingthreats.net/2006731 +1 || 2006732 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main INSERT || cve,CVE-2006-6349 || url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl || url,doc.emergingthreats.net/2006732 +1 || 2006733 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main DELETE || cve,CVE-2006-6349 || url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl || url,doc.emergingthreats.net/2006733 +1 || 2006734 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main ASCII || cve,CVE-2006-6349 || url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl || url,doc.emergingthreats.net/2006734 +1 || 2006735 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PWP Technologies The Classified Ad System SQL Injection Attempt -- default.asp main UPDATE || cve,CVE-2006-6349 || url,downloads.securityfocus.com/vulnerabilities/exploits/21758.pl || url,doc.emergingthreats.net/2006735 +1 || 2006736 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php SELECT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006736 +1 || 2006737 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UNION SELECT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006737 +1 || 2006738 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php INSERT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006738 +1 || 2006739 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php DELETE || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006739 +1 || 2006740 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php ASCII || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006740 +1 || 2006741 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- ipsearch.admin.php UPDATE || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006741 +1 || 2006742 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php SELECT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006742 +1 || 2006743 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UNION SELECT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006743 +1 || 2006744 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php INSERT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006744 +1 || 2006745 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php DELETE || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006745 +1 || 2006746 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php ASCII || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006746 +1 || 2006747 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- pfs.edit.inc.php UPDATE || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006747 +1 || 2006748 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php SELECT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006748 +1 || 2006749 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UNION SELECT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006749 +1 || 2006750 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php INSERT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006750 +1 || 2006751 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php DELETE || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006751 +1 || 2006752 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php ASCII || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006752 +1 || 2006753 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.register.inc.php UPDATE || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006753 +1 || 2006754 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id SELECT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006754 +1 || 2006755 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UNION SELECT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006755 +1 || 2006756 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id INSERT || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006756 +1 || 2006757 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id DELETE || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006757 +1 || 2006758 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id ASCII || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006758 +1 || 2006759 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- polls.php id UPDATE || cve,CVE-2006-6344 || url,www.secunia.com/advisories/23180 || url,doc.emergingthreats.net/2006759 +1 || 2006760 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category SELECT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006760 +1 || 2006761 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UNION SELECT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006761 +1 || 2006762 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category INSERT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006762 +1 || 2006763 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category DELETE || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006763 +1 || 2006764 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category ASCII || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006764 +1 || 2006765 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp category UPDATE || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006765 +1 || 2006766 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent SELECT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006766 +1 || 2006767 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UNION SELECT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006767 +1 || 2006768 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent INSERT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006768 +1 || 2006769 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent DELETE || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006769 +1 || 2006770 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent ASCII || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006770 +1 || 2006771 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- search_listing.asp agent UPDATE || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006771 +1 || 2006772 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id SELECT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006772 +1 || 2006773 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UNION SELECT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006773 +1 || 2006774 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id INSERT || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006774 +1 || 2006775 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id DELETE || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006775 +1 || 2006776 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id ASCII || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006776 +1 || 2006777 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLF-DESIGN (aka Kim L. Fraser) KLF-REALTY SQL Injection Attempt -- detail.asp property_id UPDATE || cve,CVE-2006-6342 || url,www.securityfocus.com/bid/21199 || url,doc.emergingthreats.net/2006777 +1 || 2006778 || 9 || trojan-activity || 0 || ET MALWARE Debelizombi.com Spyware User-Agent (blahrx) || url,doc.emergingthreats.net/2006778 +1 || 2006779 || 7 || not-suspicious || 0 || ET POLICY Nagios HTTP Monitoring Connection || url,doc.emergingthreats.net/2006779 +1 || 2006780 || 8 || trojan-activity || 0 || ET MALWARE Zango Cash Spyware User-Agent (ZC-Bridgev26) || url,doc.emergingthreats.net/2006780 +1 || 2006781 || 39 || trojan-activity || 0 || ET MALWARE Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client) || url,doc.emergingthreats.net/2006781 +1 || 2006782 || 9 || trojan-activity || 0 || ET MALWARE Mirage.ru Related Spyware User-Agent (szNotifyIdent) || url,doc.emergingthreats.net/2006782 +1 || 2006783 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici SELECT || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006783 +1 || 2006784 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UNION SELECT || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006784 +1 || 2006785 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici INSERT || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006785 +1 || 2006786 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici DELETE || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006786 +1 || 2006787 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici ASCII || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006787 +1 || 2006788 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp kullanici UPDATE || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006788 +1 || 2006789 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola SELECT || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006789 +1 || 2006790 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UNION SELECT || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006790 +1 || 2006791 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola INSERT || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006791 +1 || 2006792 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola DELETE || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006792 +1 || 2006793 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola ASCII || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006793 +1 || 2006794 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aspee and Dogantepe Ziyaretci Defteri SQL Injection Attempt -- giris.asp parola UPDATE || cve,CVE-2006-6337 || url,www.securityfocus.com/bid/21398 || url,doc.emergingthreats.net/2006794 +1 || 2006795 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi SELECT || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006795 +1 || 2006796 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UNION SELECT || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006796 +1 || 2006797 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi INSERT || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006797 +1 || 2006798 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi DELETE || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006798 +1 || 2006799 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi ASCII || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006799 +1 || 2006800 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp kullanici_ismi UPDATE || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006800 +1 || 2006801 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre SELECT || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006801 +1 || 2006802 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UNION SELECT || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006802 +1 || 2006803 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre INSERT || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006803 +1 || 2006804 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre DELETE || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006804 +1 || 2006805 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre ASCII || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006805 +1 || 2006806 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Metyus Okul Yonetim Sistemi SQL Injection Attempt -- uye_giris_islem.asp sifre UPDATE || cve,CVE-2006-6298 || url,www.securityfocus.com/bid/21418 || url,doc.emergingthreats.net/2006806 +1 || 2006807 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid SELECT || cve,CVE-2006-6280 || url,www.securityfocus.com/bid/21172 || url,doc.emergingthreats.net/2006807 +1 || 2006808 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UNION SELECT || cve,CVE-2006-6280 || url,www.securityfocus.com/bid/21172 || url,doc.emergingthreats.net/2006808 +1 || 2006809 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid INSERT || cve,CVE-2006-6280 || url,www.securityfocus.com/bid/21172 || url,doc.emergingthreats.net/2006809 +1 || 2006810 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid DELETE || cve,CVE-2006-6280 || url,www.securityfocus.com/bid/21172 || url,doc.emergingthreats.net/2006810 +1 || 2006811 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid ASCII || cve,CVE-2006-6280 || url,www.securityfocus.com/bid/21172 || url,doc.emergingthreats.net/2006811 +1 || 2006812 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oxygen (O2PHP Bulletin Board) SQL Injection Attempt -- viewthread.php pid UPDATE || cve,CVE-2006-6280 || url,www.securityfocus.com/bid/21172 || url,doc.emergingthreats.net/2006812 +1 || 2006813 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex SELECT || cve,CVE-2006-6274 || url,www.securityfocus.com/bid/21296 || url,doc.emergingthreats.net/2006813 +1 || 2006814 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UNION SELECT || cve,CVE-2006-6274 || url,www.securityfocus.com/bid/21296 || url,doc.emergingthreats.net/2006814 +1 || 2006815 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex INSERT || cve,CVE-2006-6274 || url,www.securityfocus.com/bid/21296 || url,doc.emergingthreats.net/2006815 +1 || 2006816 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex DELETE || cve,CVE-2006-6274 || url,www.securityfocus.com/bid/21296 || url,doc.emergingthreats.net/2006816 +1 || 2006817 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex ASCII || cve,CVE-2006-6274 || url,www.securityfocus.com/bid/21296 || url,doc.emergingthreats.net/2006817 +1 || 2006818 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Expinion.net iNews SQL Injection Attempt -- articles.asp ex UPDATE || cve,CVE-2006-6274 || url,www.securityfocus.com/bid/21296 || url,doc.emergingthreats.net/2006818 +1 || 2006819 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006819 +1 || 2006820 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UNION SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006820 +1 || 2006821 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid INSERT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006821 +1 || 2006822 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid DELETE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006822 +1 || 2006823 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid ASCII || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006823 +1 || 2006824 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum2.asp soruid UPDATE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006824 +1 || 2006825 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006825 +1 || 2006826 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UNION SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006826 +1 || 2006827 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak INSERT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006827 +1 || 2006828 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak DELETE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006828 +1 || 2006829 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak ASCII || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006829 +1 || 2006830 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp ak UPDATE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006830 +1 || 2006831 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006831 +1 || 2006832 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UNION SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006832 +1 || 2006833 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler INSERT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006833 +1 || 2006834 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler DELETE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006834 +1 || 2006835 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler ASCII || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006835 +1 || 2006836 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- aramayap.asp kelimeler UPDATE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006836 +1 || 2006837 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006837 +1 || 2006838 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UNION SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006838 +1 || 2006839 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi INSERT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006839 +1 || 2006840 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi DELETE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006840 +1 || 2006841 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi ASCII || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006841 +1 || 2006842 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- giris.asp kullaniciadi UPDATE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006842 +1 || 2006843 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006843 +1 || 2006844 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UNION SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006844 +1 || 2006845 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno INSERT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006845 +1 || 2006846 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno DELETE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006846 +1 || 2006847 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno ASCII || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006847 +1 || 2006848 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- mesajkutum.asp mesajno UPDATE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006848 +1 || 2006849 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006849 +1 || 2006850 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UNION SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006850 +1 || 2006851 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf INSERT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006851 +1 || 2006852 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf DELETE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006852 +1 || 2006853 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf ASCII || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006853 +1 || 2006854 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- kullanicilistesi.asp harf UPDATE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006854 +1 || 2006855 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006855 +1 || 2006856 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UNION SELECT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006856 +1 || 2006857 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik INSERT || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006857 +1 || 2006858 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik DELETE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006858 +1 || 2006859 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik ASCII || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006859 +1 || 2006860 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPMForum SQL Injection Attempt -- forum.asp baslik UPDATE || cve,CVE-2006-6270 || url,www.securityfocus.com/archive/1/archive/1/451958/100/200/threaded || url,doc.emergingthreats.net/2006860 +1 || 2006862 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id SELECT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006862 +1 || 2006863 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UNION SELECT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006863 +1 || 2006864 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id INSERT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006864 +1 || 2006865 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id DELETE || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006865 +1 || 2006866 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id ASCII || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006866 +1 || 2006867 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- rating.asp id UPDATE || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006867 +1 || 2006868 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid SELECT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006868 +1 || 2006869 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UNION SELECT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006869 +1 || 2006870 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid INSERT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006870 +1 || 2006871 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid DELETE || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006871 +1 || 2006872 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid ASCII || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006872 +1 || 2006873 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- meal_rest.asp mealid UPDATE || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006873 +1 || 2006874 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid SELECT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006874 +1 || 2006875 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UNION SELECT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006875 +1 || 2006876 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid INSERT || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006876 +1 || 2006877 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid DELETE || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006877 +1 || 2006878 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid ASCII || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006878 +1 || 2006879 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Infinitytechs Restaurants CM SQL Injection Attempt -- res_details.asp resid UPDATE || cve,CVE-2006-6269 || url,www.securityfocus.com/archive/1/archive/1/451970/100/200/threaded || url,doc.emergingthreats.net/2006879 +1 || 2006880 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id SELECT || cve,CVE-2006-6268 || url,www.securityfocus.com/bid/21227 || url,doc.emergingthreats.net/2006880 +1 || 2006881 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UNION SELECT || cve,CVE-2006-6268 || url,www.securityfocus.com/bid/21227 || url,doc.emergingthreats.net/2006881 +1 || 2006882 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id INSERT || cve,CVE-2006-6268 || url,www.securityfocus.com/bid/21227 || url,doc.emergingthreats.net/2006882 +1 || 2006883 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id DELETE || cve,CVE-2006-6268 || url,www.securityfocus.com/bid/21227 || url,doc.emergingthreats.net/2006883 +1 || 2006884 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id ASCII || cve,CVE-2006-6268 || url,www.securityfocus.com/bid/21227 || url,doc.emergingthreats.net/2006884 +1 || 2006885 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Land Down Under (LDU) SQL Injection Attempt -- users.php id UPDATE || cve,CVE-2006-6268 || url,www.securityfocus.com/bid/21227 || url,doc.emergingthreats.net/2006885 +1 || 2006886 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci SELECT || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006886 +1 || 2006887 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UNION SELECT || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006887 +1 || 2006888 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci INSERT || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006888 +1 || 2006889 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci DELETE || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006889 +1 || 2006890 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci ASCII || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006890 +1 || 2006891 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- slideshow.asp ci UPDATE || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006891 +1 || 2006892 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci SELECT || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006892 +1 || 2006893 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UNION SELECT || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006893 +1 || 2006894 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci INSERT || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006894 +1 || 2006895 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci DELETE || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006895 +1 || 2006896 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci ASCII || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006896 +1 || 2006897 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Uapplication UPhotoGallery SQL Injection Attempt -- thumbnails.asp ci UPDATE || cve,CVE-2006-6247 || url,www.securityfocus.com/bid/21319 || url,doc.emergingthreats.net/2006897 +1 || 2006898 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat SELECT || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006898 +1 || 2006899 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UNION SELECT || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006899 +1 || 2006900 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat INSERT || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006900 +1 || 2006901 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat DELETE || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006901 +1 || 2006902 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat ASCII || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006902 +1 || 2006903 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp cat UPDATE || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006903 +1 || 2006904 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did SELECT || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006904 +1 || 2006905 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UNION SELECT || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006905 +1 || 2006906 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did INSERT || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006906 +1 || 2006907 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did DELETE || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006907 +1 || 2006908 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did ASCII || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006908 +1 || 2006909 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FipsSHOP SQL Injection Attempt -- index.asp did UPDATE || cve,CVE-2006-6243 || url,www.securityfocus.com/bid/21289 || url,doc.emergingthreats.net/2006909 +1 || 2006910 || 7 || trojan-activity || 0 || ET DELETED perlb0t/w0rmb0t Response (Case 1) || url,doc.emergingthreats.net/2006910 +1 || 2006911 || 8 || trojan-activity || 0 || ET TROJAN perlb0t/w0rmb0t Response 2 || url,doc.emergingthreats.net/2006911 +1 || 2006912 || 10 || trojan-activity || 0 || ET DELETED perlb0t/w0rmb0t Response (Case 3) || url,doc.emergingthreats.net/2006912 +1 || 2006921 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit SELECT || cve,CVE-2006-6237 || url,www.milw0rm.com/exploits/2841 || url,doc.emergingthreats.net/2006921 +1 || 2006922 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UNION SELECT || cve,CVE-2006-6237 || url,www.milw0rm.com/exploits/2841 || url,doc.emergingthreats.net/2006922 +1 || 2006923 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit INSERT || cve,CVE-2006-6237 || url,www.milw0rm.com/exploits/2841 || url,doc.emergingthreats.net/2006923 +1 || 2006924 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit DELETE || cve,CVE-2006-6237 || url,www.milw0rm.com/exploits/2841 || url,doc.emergingthreats.net/2006924 +1 || 2006925 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit ASCII || cve,CVE-2006-6237 || url,www.milw0rm.com/exploits/2841 || url,doc.emergingthreats.net/2006925 +1 || 2006926 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board Lite SQL Injection Attempt -- thread.php threadvisit UPDATE || cve,CVE-2006-6237 || url,www.milw0rm.com/exploits/2841 || url,doc.emergingthreats.net/2006926 +1 || 2006927 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid SELECT || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006927 +1 || 2006928 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UNION SELECT || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006928 +1 || 2006929 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid INSERT || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006929 +1 || 2006930 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid DELETE || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006930 +1 || 2006931 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid ASCII || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006931 +1 || 2006932 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php cid UPDATE || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006932 +1 || 2006933 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid SELECT || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006933 +1 || 2006934 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UNION SELECT || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006934 +1 || 2006935 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid INSERT || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006935 +1 || 2006936 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid DELETE || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006936 +1 || 2006937 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid ASCII || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006937 +1 || 2006938 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke SQL Injection Attempt -- modules.php pid UPDATE || cve,CVE-2006-6234 || url,www.securityfocus.com/archive/1/archive/1/437835/100/200/threaded || url,doc.emergingthreats.net/2006938 +1 || 2006939 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid SELECT || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006939 +1 || 2006940 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UNION SELECT || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006940 +1 || 2006941 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid INSERT || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006941 +1 || 2006942 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid DELETE || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006942 +1 || 2006943 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid ASCII || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006943 +1 || 2006944 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- recipe.php recipeid UPDATE || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006944 +1 || 2006945 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid SELECT || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006945 +1 || 2006946 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UNION SELECT || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006946 +1 || 2006947 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid INSERT || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006947 +1 || 2006948 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid DELETE || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006948 +1 || 2006949 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid ASCII || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006949 +1 || 2006950 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recipes Complete Website SQL Injection Attempt -- list.php categoryid UPDATE || cve,CVE-2006-6220 || url,www.milw0rm.com/exploits/2834 || url,doc.emergingthreats.net/2006950 +1 || 2006951 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id SELECT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006951 +1 || 2006952 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UNION SELECT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006952 +1 || 2006953 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id INSERT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006953 +1 || 2006954 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id DELETE || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006954 +1 || 2006955 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id ASCII || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006955 +1 || 2006956 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php seite_id UPDATE || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006956 +1 || 2006957 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id SELECT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006957 +1 || 2006958 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UNION SELECT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006958 +1 || 2006959 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006959 +1 || 2006960 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id DELETE || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006960 +1 || 2006961 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id ASCII || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006961 +1 || 2006962 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id UPDATE || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006962 +1 || 2006963 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target SELECT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006963 +1 || 2006964 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UNION SELECT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006964 +1 || 2006965 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target INSERT || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006965 +1 || 2006966 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target DELETE || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006966 +1 || 2006967 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target ASCII || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006967 +1 || 2006968 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php go_target UPDATE || cve,CVE-2006-6218 || url,www.securityfocus.com/bid/21170 || url,doc.emergingthreats.net/2006968 +1 || 2006969 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id SELECT || cve,CVE-2006-6216 || url,www.milw0rm.com/exploits/2851 || url,doc.emergingthreats.net/2006969 +1 || 2006970 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UNION SELECT || cve,CVE-2006-6216 || url,www.milw0rm.com/exploits/2851 || url,doc.emergingthreats.net/2006970 +1 || 2006971 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id INSERT || cve,CVE-2006-6216 || url,www.milw0rm.com/exploits/2851 || url,doc.emergingthreats.net/2006971 +1 || 2006972 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id DELETE || cve,CVE-2006-6216 || url,www.milw0rm.com/exploits/2851 || url,doc.emergingthreats.net/2006972 +1 || 2006973 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id ASCII || cve,CVE-2006-6216 || url,www.milw0rm.com/exploits/2851 || url,doc.emergingthreats.net/2006973 +1 || 2006974 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB SQL Injection Attempt -- admin_hacks_list.php hack_id UPDATE || cve,CVE-2006-6216 || url,www.milw0rm.com/exploits/2851 || url,doc.emergingthreats.net/2006974 +1 || 2006975 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login SELECT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006975 +1 || 2006976 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UNION SELECT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006976 +1 || 2006977 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login INSERT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006977 +1 || 2006978 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login DELETE || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006978 +1 || 2006979 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login ASCII || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006979 +1 || 2006980 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php login UPDATE || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006980 +1 || 2006981 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password SELECT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006981 +1 || 2006982 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UNION SELECT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006982 +1 || 2006983 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password INSERT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006983 +1 || 2006984 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password DELETE || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006984 +1 || 2006985 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password ASCII || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006985 +1 || 2006986 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- process.php password UPDATE || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006986 +1 || 2006987 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid SELECT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006987 +1 || 2006988 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UNION SELECT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006988 +1 || 2006989 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid INSERT || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006989 +1 || 2006990 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid DELETE || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006990 +1 || 2006991 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid ASCII || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006991 +1 || 2006992 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- dlwallpaper.php wallpaperid UPDATE || cve,CVE-2006-6215 || url,www.frsirt.com/english/advisories/2006/4687 || url,doc.emergingthreats.net/2006992 +1 || 2006993 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid SELECT || cve,CVE-2006-6214 || url,www.milw0rm.com/exploits/2835 || url,doc.emergingthreats.net/2006993 +1 || 2006994 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UNION SELECT || cve,CVE-2006-6214 || url,www.milw0rm.com/exploits/2835 || url,doc.emergingthreats.net/2006994 +1 || 2006995 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid INSERT || cve,CVE-2006-6214 || url,www.milw0rm.com/exploits/2835 || url,doc.emergingthreats.net/2006995 +1 || 2006996 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid DELETE || cve,CVE-2006-6214 || url,www.milw0rm.com/exploits/2835 || url,doc.emergingthreats.net/2006996 +1 || 2006997 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid ASCII || cve,CVE-2006-6214 || url,www.milw0rm.com/exploits/2835 || url,doc.emergingthreats.net/2006997 +1 || 2006998 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wallpaper Complete Website SQL Injection Attempt -- wallpaper.php wallpaperid UPDATE || cve,CVE-2006-6214 || url,www.milw0rm.com/exploits/2835 || url,doc.emergingthreats.net/2006998 +1 || 2006999 || 8 || trojan-activity || 0 || ET TROJAN Brontok User-Agent Detected (Brontok.A3 Browser) || url,doc.emergingthreats.net/2006999 +1 || 2007000 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID SELECT || cve,CVE-2006-6210 || url,www.securityfocus.com/bid/21279 || url,doc.emergingthreats.net/2007000 +1 || 2007001 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UNION SELECT || cve,CVE-2006-6210 || url,www.securityfocus.com/bid/21279 || url,doc.emergingthreats.net/2007001 +1 || 2007002 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID INSERT || cve,CVE-2006-6210 || url,www.securityfocus.com/bid/21279 || url,doc.emergingthreats.net/2007002 +1 || 2007003 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID DELETE || cve,CVE-2006-6210 || url,www.securityfocus.com/bid/21279 || url,doc.emergingthreats.net/2007003 +1 || 2007004 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID ASCII || cve,CVE-2006-6210 || url,www.securityfocus.com/bid/21279 || url,doc.emergingthreats.net/2007004 +1 || 2007005 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASP ListPics SQL Injection Attempt -- listpics.asp ID UPDATE || cve,CVE-2006-6210 || url,www.securityfocus.com/bid/21279 || url,doc.emergingthreats.net/2007005 +1 || 2007006 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant SELECT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007006 +1 || 2007007 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UNION SELECT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007007 +1 || 2007008 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant INSERT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007008 +1 || 2007009 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant DELETE || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007009 +1 || 2007010 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant ASCII || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007010 +1 || 2007011 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_show.asp id2006quant UPDATE || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007011 +1 || 2007012 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup SELECT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007012 +1 || 2007013 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UNION SELECT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007013 +1 || 2007014 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup INSERT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007014 +1 || 2007015 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup DELETE || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007015 +1 || 2007016 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup ASCII || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007016 +1 || 2007017 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp maingroup UPDATE || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007017 +1 || 2007018 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup SELECT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007018 +1 || 2007019 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UNION SELECT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007019 +1 || 2007020 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup INSERT || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007020 +1 || 2007021 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup DELETE || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007021 +1 || 2007022 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup ASCII || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007022 +1 || 2007023 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MidiCart ASP Shopping Cart and ASP Plus Shopping Cart SQL Injection Attempt -- item_list.asp secondgroup UPDATE || cve,CVE-2006-6209 || url,www.securityfocus.com/bid/21273 || url,doc.emergingthreats.net/2007023 +1 || 2007024 || 8 || web-application-attack || 0 || ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007024 +1 || 2007025 || 8 || web-application-attack || 0 || ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id UNION SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007025 +1 || 2007026 || 8 || web-application-attack || 0 || ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id INSERT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007026 +1 || 2007027 || 8 || web-application-attack || 0 || ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id DELETE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007027 +1 || 2007028 || 8 || web-application-attack || 0 || ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id ASCII || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007028 +1 || 2007029 || 8 || web-application-attack || 0 || ET DELETED Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp ad_id UPDATE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007029 +1 || 2007030 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007030 +1 || 2007031 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UNION SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007031 +1 || 2007032 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid INSERT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007032 +1 || 2007033 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid DELETE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007033 +1 || 2007034 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid ASCII || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007034 +1 || 2007035 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dircat.asp cid UPDATE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007035 +1 || 2007036 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007036 +1 || 2007037 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UNION SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007037 +1 || 2007038 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid INSERT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007038 +1 || 2007039 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid DELETE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007039 +1 || 2007040 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid ASCII || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007040 +1 || 2007041 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- dirSub.asp sid UPDATE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007041 +1 || 2007042 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007042 +1 || 2007043 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UNION SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007043 +1 || 2007044 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID INSERT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007044 +1 || 2007045 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID DELETE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007045 +1 || 2007046 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID ASCII || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007046 +1 || 2007047 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp AD_ID UPDATE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007047 +1 || 2007048 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007048 +1 || 2007049 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UPDATE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007049 +1 || 2007050 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id INSERT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007050 +1 || 2007051 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id DELETE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007051 +1 || 2007052 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id ASCII || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007052 +1 || 2007053 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UPDATE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007053 +1 || 2007054 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007054 +1 || 2007055 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id UNION SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007055 +1 || 2007056 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id INSERT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007056 +1 || 2007057 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id DELETE || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007057 +1 || 2007058 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp sub_id ASCII || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007058 +1 || 2007059 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eClassifieds SQL Injection Attempt -- ad.asp cat_id UNION SELECT || cve,CVE-2006-6208 || url,www.securityfocus.com/bid/21192 || url,doc.emergingthreats.net/2007059 +1 || 2007060 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno SELECT || cve,CVE-2006-6207 || url,www.securityfocus.com/bid/21323 || url,doc.emergingthreats.net/2007060 +1 || 2007061 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UNION SELECT || cve,CVE-2006-6207 || url,www.securityfocus.com/bid/21323 || url,doc.emergingthreats.net/2007061 +1 || 2007062 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno INSERT || cve,CVE-2006-6207 || url,www.securityfocus.com/bid/21323 || url,doc.emergingthreats.net/2007062 +1 || 2007063 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno DELETE || cve,CVE-2006-6207 || url,www.securityfocus.com/bid/21323 || url,doc.emergingthreats.net/2007063 +1 || 2007064 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno ASCII || cve,CVE-2006-6207 || url,www.securityfocus.com/bid/21323 || url,doc.emergingthreats.net/2007064 +1 || 2007065 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Evolve shopping cart SQL Injection Attempt -- products.asp partno UPDATE || cve,CVE-2006-6207 || url,www.securityfocus.com/bid/21323 || url,doc.emergingthreats.net/2007065 +1 || 2007066 || 4 || policy-violation || 0 || ET DELETED Yahoo Chat Signin Inside Webmail || url,yahoo.com || url,doc.emergingthreats.net/2007066 +1 || 2007067 || 4 || policy-violation || 0 || ET DELETED Yahoo Chat Signin Success Inside Webmail || url,yahoo.com || url,doc.emergingthreats.net/2007067 +1 || 2007068 || 4 || policy-violation || 0 || ET DELETED Yahoo Chat Activity Inside Webmail || url,yahoo.com || url,doc.emergingthreats.net/2007068 +1 || 2007069 || 3 || policy-violation || 0 || ET DELETED Yahoo Chat Activity Inside Webmail (2) || url,yahoo.com || url,doc.emergingthreats.net/2007069 +1 || 2007070 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID SELECT || cve,CVE-2006-6206 || url,www.securityfocus.com/bid/21324 || url,doc.emergingthreats.net/2007070 +1 || 2007071 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UNION SELECT || cve,CVE-2006-6206 || url,www.securityfocus.com/bid/21324 || url,doc.emergingthreats.net/2007071 +1 || 2007072 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID INSERT || cve,CVE-2006-6206 || url,www.securityfocus.com/bid/21324 || url,doc.emergingthreats.net/2007072 +1 || 2007073 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID DELETE || cve,CVE-2006-6206 || url,www.securityfocus.com/bid/21324 || url,doc.emergingthreats.net/2007073 +1 || 2007074 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID ASCII || cve,CVE-2006-6206 || url,www.securityfocus.com/bid/21324 || url,doc.emergingthreats.net/2007074 +1 || 2007075 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WarHound General Shopping Cart SQL Injection Attempt -- item.asp ItemID UPDATE || cve,CVE-2006-6206 || url,www.securityfocus.com/bid/21324 || url,doc.emergingthreats.net/2007075 +1 || 2007076 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007076 +1 || 2007077 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007077 +1 || 2007078 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007078 +1 || 2007079 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007079 +1 || 2007080 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007080 +1 || 2007081 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dircat.asp cid UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007081 +1 || 2007082 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007082 +1 || 2007083 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007083 +1 || 2007084 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007084 +1 || 2007085 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007085 +1 || 2007086 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007086 +1 || 2007087 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- dirSub.asp sid UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007087 +1 || 2007088 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007088 +1 || 2007089 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007089 +1 || 2007090 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007090 +1 || 2007091 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007091 +1 || 2007092 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007092 +1 || 2007093 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- types.asp TYPE_ID UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007093 +1 || 2007094 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007094 +1 || 2007095 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007095 +1 || 2007096 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007096 +1 || 2007097 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007097 +1 || 2007098 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007098 +1 || 2007099 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- homeDetail.asp AD_ID UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007099 +1 || 2007100 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007100 +1 || 2007101 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007101 +1 || 2007102 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007102 +1 || 2007103 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007103 +1 || 2007104 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007104 +1 || 2007105 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp cat UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007105 +1 || 2007106 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007106 +1 || 2007107 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007107 +1 || 2007108 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007108 +1 || 2007109 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007109 +1 || 2007110 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007110 +1 || 2007111 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp compare UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007111 +1 || 2007112 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007112 +1 || 2007113 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007113 +1 || 2007114 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007114 +1 || 2007115 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007115 +1 || 2007116 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007116 +1 || 2007117 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp clear UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007117 +1 || 2007118 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007118 +1 || 2007119 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007119 +1 || 2007120 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007120 +1 || 2007121 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007121 +1 || 2007122 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007122 +1 || 2007123 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- compareHomes.asp adID UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007123 +1 || 2007124 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007124 +1 || 2007125 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007125 +1 || 2007126 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007126 +1 || 2007127 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007127 +1 || 2007128 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007128 +1 || 2007129 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp aminprice UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007129 +1 || 2007130 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007130 +1 || 2007131 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007131 +1 || 2007132 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007132 +1 || 2007133 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007133 +1 || 2007134 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007134 +1 || 2007135 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp amaxprice UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007135 +1 || 2007136 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007136 +1 || 2007137 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UNION SELECT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007137 +1 || 2007138 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms INSERT || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007138 +1 || 2007139 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms DELETE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007139 +1 || 2007140 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms ASCII || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007140 +1 || 2007141 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt -- result.asp abedrooms UPDATE || cve,CVE-2006-6204 || url,www.securityfocus.com/bid/21193 || url,doc.emergingthreats.net/2007141 +1 || 2007142 || 4 || trojan-activity || 0 || ET TROJAN Virtumonde Variant Reporting to Controller via HTTP || url,doc.emergingthreats.net/2007142 +1 || 2007176 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid SELECT || cve,CVE-2006-6200 || url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded || url,doc.emergingthreats.net/2007176 +1 || 2007177 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UNION SELECT || cve,CVE-2006-6200 || url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded || url,doc.emergingthreats.net/2007177 +1 || 2007178 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid INSERT || cve,CVE-2006-6200 || url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded || url,doc.emergingthreats.net/2007178 +1 || 2007179 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid DELETE || cve,CVE-2006-6200 || url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded || url,doc.emergingthreats.net/2007179 +1 || 2007180 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid ASCII || cve,CVE-2006-6200 || url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded || url,doc.emergingthreats.net/2007180 +1 || 2007181 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Francisco Burzi PHP-Nuke SQL Injection Attempt -- index.php sid UPDATE || cve,CVE-2006-6200 || url,www.securityfocus.com/archive/1/archive/1/452553/100/0/threaded || url,doc.emergingthreats.net/2007181 +1 || 2007182 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id SELECT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007182 +1 || 2007183 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UNION SELECT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007183 +1 || 2007184 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id INSERT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007184 +1 || 2007185 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id DELETE || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007185 +1 || 2007186 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id ASCII || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007186 +1 || 2007187 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp show_id UPDATE || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007187 +1 || 2007188 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid SELECT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007188 +1 || 2007189 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UNION SELECT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007189 +1 || 2007190 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid INSERT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007190 +1 || 2007191 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid DELETE || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007191 +1 || 2007192 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid ASCII || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007192 +1 || 2007193 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- filelist.asp parentid UPDATE || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007193 +1 || 2007194 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid SELECT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007194 +1 || 2007195 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UNION SELECT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007195 +1 || 2007196 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid INSERT || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007196 +1 || 2007197 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid DELETE || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007197 +1 || 2007198 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid ASCII || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007198 +1 || 2007199 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fixit iDMS Pro Image Gallery SQL Injection Attempt -- showfile.asp fid UPDATE || cve,CVE-2006-6195 || url,www.securityfocus.com/bid/21282 || url,doc.emergingthreats.net/2007199 +1 || 2007200 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UNION SELECT || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007200 +1 || 2007201 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat INSERT || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007201 +1 || 2007202 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat DELETE || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007202 +1 || 2007203 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat ASCII || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007203 +1 || 2007204 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat UPDATE || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007204 +1 || 2007205 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did SELECT || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007205 +1 || 2007206 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UNION SELECT || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007206 +1 || 2007207 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did INSERT || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007207 +1 || 2007208 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did DELETE || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007208 +1 || 2007209 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did ASCII || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007209 +1 || 2007210 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp did UPDATE || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007210 +1 || 2007211 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id SELECT || cve,CVE-2006-6193 || url,www.milw0rm.com/exploits/2848 || url,doc.emergingthreats.net/2007211 +1 || 2007212 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UNION SELECT || cve,CVE-2006-6193 || url,www.milw0rm.com/exploits/2848 || url,doc.emergingthreats.net/2007212 +1 || 2007213 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id INSERT || cve,CVE-2006-6193 || url,www.milw0rm.com/exploits/2848 || url,doc.emergingthreats.net/2007213 +1 || 2007214 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id DELETE || cve,CVE-2006-6193 || url,www.milw0rm.com/exploits/2848 || url,doc.emergingthreats.net/2007214 +1 || 2007215 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id ASCII || cve,CVE-2006-6193 || url,www.milw0rm.com/exploits/2848 || url,doc.emergingthreats.net/2007215 +1 || 2007216 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BasicForum SQL Injection Attempt -- edit.asp id UPDATE || cve,CVE-2006-6193 || url,www.milw0rm.com/exploits/2848 || url,doc.emergingthreats.net/2007216 +1 || 2007217 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id SELECT || cve,CVE-2006-6191 || url,www.milw0rm.com/exploits/2853 || url,doc.emergingthreats.net/2007217 +1 || 2007218 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UNION SELECT || cve,CVE-2006-6191 || url,www.milw0rm.com/exploits/2853 || url,doc.emergingthreats.net/2007218 +1 || 2007219 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id INSERT || cve,CVE-2006-6191 || url,www.milw0rm.com/exploits/2853 || url,doc.emergingthreats.net/2007219 +1 || 2007220 || 12 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id DELETE || cve,CVE-2006-6191 || url,www.milw0rm.com/exploits/2853 || url,doc.emergingthreats.net/2007220 +1 || 2007221 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id ASCII || cve,CVE-2006-6191 || url,www.milw0rm.com/exploits/2853 || url,doc.emergingthreats.net/2007221 +1 || 2007222 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 8pixel.net simpleblog SQL Injection Attempt -- edit.asp id UPDATE || cve,CVE-2006-6191 || url,www.milw0rm.com/exploits/2853 || url,doc.emergingthreats.net/2007222 +1 || 2007223 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date SELECT || cve,CVE-2006-6189 || url,www.securityfocus.com/bid/21310 || url,doc.emergingthreats.net/2007223 +1 || 2007224 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UNION SELECT || cve,CVE-2006-6189 || url,www.securityfocus.com/bid/21310 || url,doc.emergingthreats.net/2007224 +1 || 2007225 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date INSERT || cve,CVE-2006-6189 || url,www.securityfocus.com/bid/21310 || url,doc.emergingthreats.net/2007225 +1 || 2007226 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date DELETE || cve,CVE-2006-6189 || url,www.securityfocus.com/bid/21310 || url,doc.emergingthreats.net/2007226 +1 || 2007227 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date ASCII || cve,CVE-2006-6189 || url,www.securityfocus.com/bid/21310 || url,doc.emergingthreats.net/2007227 +1 || 2007228 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Blog SQL Injection Attempt -- displayCalendar.asp date UPDATE || cve,CVE-2006-6189 || url,www.securityfocus.com/bid/21310 || url,doc.emergingthreats.net/2007228 +1 || 2007229 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007229 +1 || 2007230 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UNION SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007230 +1 || 2007231 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage INSERT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007231 +1 || 2007232 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage DELETE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007232 +1 || 2007233 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage ASCII || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007233 +1 || 2007234 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp currentpage UPDATE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007234 +1 || 2007235 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007235 +1 || 2007236 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UNION SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007236 +1 || 2007237 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id INSERT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007237 +1 || 2007238 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id DELETE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007238 +1 || 2007239 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id ASCII || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007239 +1 || 2007240 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_gallery.asp gallery_id UPDATE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007240 +1 || 2007241 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007241 +1 || 2007242 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UNION SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007242 +1 || 2007243 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id INSERT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007243 +1 || 2007244 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id DELETE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007244 +1 || 2007245 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id ASCII || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007245 +1 || 2007246 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- download_image.asp image_id UPDATE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007246 +1 || 2007247 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007247 +1 || 2007248 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UNION SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007248 +1 || 2007249 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage INSERT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007249 +1 || 2007250 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage DELETE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007250 +1 || 2007251 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage ASCII || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007251 +1 || 2007252 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp currentpage UPDATE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007252 +1 || 2007253 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007253 +1 || 2007254 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UNION SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007254 +1 || 2007255 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby INSERT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007255 +1 || 2007256 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby DELETE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007256 +1 || 2007257 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby ASCII || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007257 +1 || 2007258 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- gallery.asp orderby UPDATE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007258 +1 || 2007259 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007259 +1 || 2007260 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UNION SELECT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007260 +1 || 2007261 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage INSERT || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007261 +1 || 2007262 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage DELETE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007262 +1 || 2007263 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage ASCII || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007263 +1 || 2007264 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech Click Gallery SQL Injection Attempt -- view_recent.asp currentpage UPDATE || cve,CVE-2006-6187 || url,www.securityfocus.com/archive/1/archive/1/452733/100/0/threaded || url,doc.emergingthreats.net/2007264 +1 || 2007265 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort SELECT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007265 +1 || 2007266 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007266 +1 || 2007267 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort INSERT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007267 +1 || 2007268 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort DELETE || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007268 +1 || 2007269 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort ASCII || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007269 +1 || 2007270 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UPDATE || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007270 +1 || 2007271 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In SELECT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007271 +1 || 2007272 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UNION SELECT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007272 +1 || 2007273 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In INSERT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007273 +1 || 2007274 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In DELETE || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007274 +1 || 2007275 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In ASCII || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007275 +1 || 2007276 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp In UPDATE || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007276 +1 || 2007277 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby SELECT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007277 +1 || 2007278 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UNION SELECT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007278 +1 || 2007279 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby INSERT || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007279 +1 || 2007280 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby DELETE || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007280 +1 || 2007281 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby ASCII || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007281 +1 || 2007282 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp orderby UPDATE || cve,CVE-2006-6181 || url,www.securityfocus.com/bid/21302 || url,doc.emergingthreats.net/2007282 +1 || 2007283 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultimate Survey Pro SQL Injection Attempt -- index.asp cat SELECT || cve,CVE-2006-6194 || url,www.securityfocus.com/archive/1/archive/1/452554/100/0/threaded || url,doc.emergingthreats.net/2007283 +1 || 2007284 || 6 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping) || url,doc.emergingthreats.net/2007284 +1 || 2007285 || 4 || trojan-activity || 0 || ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (2) || url,doc.emergingthreats.net/2007285 +1 || 2007286 || 6 || trojan-activity || 0 || ET TROJAN Feral Checkin via HTTP || url,doc.emergingthreats.net/2007286 +1 || 2007288 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id SELECT || cve,CVE-2006-6177 || url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded || url,doc.emergingthreats.net/2007288 +1 || 2007289 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UNION SELECT || cve,CVE-2006-6177 || url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded || url,doc.emergingthreats.net/2007289 +1 || 2007290 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id INSERT || cve,CVE-2006-6177 || url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded || url,doc.emergingthreats.net/2007290 +1 || 2007291 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id DELETE || cve,CVE-2006-6177 || url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded || url,doc.emergingthreats.net/2007291 +1 || 2007292 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id ASCII || cve,CVE-2006-6177 || url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded || url,doc.emergingthreats.net/2007292 +1 || 2007293 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt -- users.php id UPDATE || cve,CVE-2006-6177 || url,www.securityfocus.com/archive/1/archive/1/452269/100/100/threaded || url,doc.emergingthreats.net/2007293 +1 || 2007294 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007294 +1 || 2007295 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UNION SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007295 +1 || 2007296 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id INSERT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007296 +1 || 2007297 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id DELETE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007297 +1 || 2007298 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id ASCII || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007298 +1 || 2007299 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp id UPDATE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007299 +1 || 2007300 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007300 +1 || 2007301 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UNION SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007301 +1 || 2007302 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id INSERT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007302 +1 || 2007303 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id DELETE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007303 +1 || 2007304 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id ASCII || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007304 +1 || 2007305 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp id UPDATE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007305 +1 || 2007306 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007306 +1 || 2007307 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UNION SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007307 +1 || 2007308 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id INSERT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007308 +1 || 2007309 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id DELETE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007309 +1 || 2007310 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id ASCII || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007310 +1 || 2007311 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp id UPDATE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007311 +1 || 2007312 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007312 +1 || 2007313 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UNION SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007313 +1 || 2007314 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid INSERT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007314 +1 || 2007315 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid DELETE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007315 +1 || 2007316 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid ASCII || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007316 +1 || 2007317 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- forgotpass.asp uid UPDATE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007317 +1 || 2007318 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007318 +1 || 2007319 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UNION SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007319 +1 || 2007320 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid INSERT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007320 +1 || 2007321 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid DELETE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007321 +1 || 2007322 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid ASCII || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007322 +1 || 2007323 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- update.asp uid UPDATE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007323 +1 || 2007324 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007324 +1 || 2007325 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UNION SELECT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007325 +1 || 2007326 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid INSERT || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007326 +1 || 2007327 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid DELETE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007327 +1 || 2007328 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid ASCII || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007328 +1 || 2007329 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- status.asp uid UPDATE || cve,CVE-2006-6161 || url,www.frsirt.com/english/advisories/2006/4704 || url,doc.emergingthreats.net/2007329 +1 || 2007330 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id SELECT || cve,CVE-2006-6160 || url,www.milw0rm.com/exploits/2846 || url,doc.emergingthreats.net/2007330 +1 || 2007331 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UNION SELECT || cve,CVE-2006-6160 || url,www.milw0rm.com/exploits/2846 || url,doc.emergingthreats.net/2007331 +1 || 2007332 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id INSERT || cve,CVE-2006-6160 || url,www.milw0rm.com/exploits/2846 || url,doc.emergingthreats.net/2007332 +1 || 2007333 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id DELETE || cve,CVE-2006-6160 || url,www.milw0rm.com/exploits/2846 || url,doc.emergingthreats.net/2007333 +1 || 2007334 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id ASCII || cve,CVE-2006-6160 || url,www.milw0rm.com/exploits/2846 || url,doc.emergingthreats.net/2007334 +1 || 2007335 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Doug Luxem Liberum Help Desk SQL Injection Attempt -- details.asp id UPDATE || cve,CVE-2006-6160 || url,www.milw0rm.com/exploits/2846 || url,doc.emergingthreats.net/2007335 +1 || 2007336 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid SELECT || cve,CVE-2006-6157 || url,www.milw0rm.com/exploits/2822 || url,doc.emergingthreats.net/2007336 +1 || 2007337 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UNION SELECT || cve,CVE-2006-6157 || url,www.milw0rm.com/exploits/2822 || url,doc.emergingthreats.net/2007337 +1 || 2007338 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid INSERT || cve,CVE-2006-6157 || url,www.milw0rm.com/exploits/2822 || url,doc.emergingthreats.net/2007338 +1 || 2007339 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid DELETE || cve,CVE-2006-6157 || url,www.milw0rm.com/exploits/2822 || url,doc.emergingthreats.net/2007339 +1 || 2007340 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid ASCII || cve,CVE-2006-6157 || url,www.milw0rm.com/exploits/2822 || url,doc.emergingthreats.net/2007340 +1 || 2007341 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ContentNow SQL Injection Attempt -- index.php pageid UPDATE || cve,CVE-2006-6157 || url,www.milw0rm.com/exploits/2822 || url,doc.emergingthreats.net/2007341 +1 || 2007344 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID SELECT || cve,CVE-2006-6149 || url,www.milw0rm.com/exploits/2836 || url,doc.emergingthreats.net/2007344 +1 || 2007345 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UNION SELECT || cve,CVE-2006-6149 || url,www.milw0rm.com/exploits/2836 || url,doc.emergingthreats.net/2007345 +1 || 2007346 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID INSERT || cve,CVE-2006-6149 || url,www.milw0rm.com/exploits/2836 || url,doc.emergingthreats.net/2007346 +1 || 2007347 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID DELETE || cve,CVE-2006-6149 || url,www.milw0rm.com/exploits/2836 || url,doc.emergingthreats.net/2007347 +1 || 2007348 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID ASCII || cve,CVE-2006-6149 || url,www.milw0rm.com/exploits/2836 || url,doc.emergingthreats.net/2007348 +1 || 2007349 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos FAQ Manager SQL Injection Attempt -- index.asp tID UPDATE || cve,CVE-2006-6149 || url,www.milw0rm.com/exploits/2836 || url,doc.emergingthreats.net/2007349 +1 || 2007350 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID SELECT || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007350 +1 || 2007351 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UNION SELECT || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007351 +1 || 2007352 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID INSERT || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007352 +1 || 2007353 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID DELETE || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007353 +1 || 2007354 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID ASCII || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007354 +1 || 2007355 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- openlink.asp LinkID UPDATE || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007355 +1 || 2007356 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID SELECT || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007356 +1 || 2007357 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UNION SELECT || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007357 +1 || 2007358 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID INSERT || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007358 +1 || 2007359 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID DELETE || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007359 +1 || 2007360 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID ASCII || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007360 +1 || 2007361 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JiRos Links Manager SQL Injection Attempt -- viewlinks.asp CategoryID UPDATE || cve,CVE-2006-6147 || url,www.securityfocus.com/bid/21226 || url,doc.emergingthreats.net/2007361 +1 || 2007362 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch SELECT || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007362 +1 || 2007363 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch INSERT || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007363 +1 || 2007364 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UNION SELECT || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007364 +1 || 2007365 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch DELETE || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007365 +1 || 2007366 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch ASCII || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007366 +1 || 2007367 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- linkslist.asp psearch UPDATE || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007367 +1 || 2007368 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp SELECT || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007368 +1 || 2007369 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UNION SELECT || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007369 +1 || 2007370 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp INSERT || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007370 +1 || 2007371 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp DELETE || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007371 +1 || 2007372 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp ASCII || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007372 +1 || 2007373 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Link Exchange Lite SQL Injection Attempt -- search.asp UPDATE || cve,CVE-2006-6132 || url,www.securityfocus.com/archive/1/archive/1/452256/100/0/threaded || url,doc.emergingthreats.net/2007373 +1 || 2007374 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which SELECT || cve,CVE-2006-6117 || url,www.milw0rm.com/exploits/2829 || url,doc.emergingthreats.net/2007374 +1 || 2007375 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UNION SELECT || cve,CVE-2006-6117 || url,www.milw0rm.com/exploits/2829 || url,doc.emergingthreats.net/2007375 +1 || 2007376 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which INSERT || cve,CVE-2006-6117 || url,www.milw0rm.com/exploits/2829 || url,doc.emergingthreats.net/2007376 +1 || 2007377 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which DELETE || cve,CVE-2006-6117 || url,www.milw0rm.com/exploits/2829 || url,doc.emergingthreats.net/2007377 +1 || 2007378 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which ASCII || cve,CVE-2006-6117 || url,www.milw0rm.com/exploits/2829 || url,doc.emergingthreats.net/2007378 +1 || 2007379 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsGallery SQL Injection Attempt -- index1.asp which UPDATE || cve,CVE-2006-6117 || url,www.milw0rm.com/exploits/2829 || url,doc.emergingthreats.net/2007379 +1 || 2007380 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat SELECT || cve,CVE-2006-6116 || url,www.milw0rm.com/exploits/2830 || url,doc.emergingthreats.net/2007380 +1 || 2007381 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UNION SELECT || cve,CVE-2006-6116 || url,www.milw0rm.com/exploits/2830 || url,doc.emergingthreats.net/2007381 +1 || 2007382 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat INSERT || cve,CVE-2006-6116 || url,www.milw0rm.com/exploits/2830 || url,doc.emergingthreats.net/2007382 +1 || 2007383 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat DELETE || cve,CVE-2006-6116 || url,www.milw0rm.com/exploits/2830 || url,doc.emergingthreats.net/2007383 +1 || 2007384 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat ASCII || cve,CVE-2006-6116 || url,www.milw0rm.com/exploits/2830 || url,doc.emergingthreats.net/2007384 +1 || 2007385 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsForum SQL Injection Attempt -- default2.asp kat UPDATE || cve,CVE-2006-6116 || url,www.milw0rm.com/exploits/2830 || url,doc.emergingthreats.net/2007385 +1 || 2007386 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid SELECT || cve,CVE-2006-6115 || url,www.milw0rm.com/exploits/2828 || url,doc.emergingthreats.net/2007386 +1 || 2007387 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UNION SELECT || cve,CVE-2006-6115 || url,www.milw0rm.com/exploits/2828 || url,doc.emergingthreats.net/2007387 +1 || 2007388 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid INSERT || cve,CVE-2006-6115 || url,www.milw0rm.com/exploits/2828 || url,doc.emergingthreats.net/2007388 +1 || 2007389 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid DELETE || cve,CVE-2006-6115 || url,www.milw0rm.com/exploits/2828 || url,doc.emergingthreats.net/2007389 +1 || 2007390 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid ASCII || cve,CVE-2006-6115 || url,www.milw0rm.com/exploits/2828 || url,doc.emergingthreats.net/2007390 +1 || 2007391 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS fipsCMS SQL Injection Attempt -- index.asp fid UPDATE || cve,CVE-2006-6115 || url,www.milw0rm.com/exploits/2828 || url,doc.emergingthreats.net/2007391 +1 || 2007392 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid SELECT || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007392 +1 || 2007393 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UNION SELECT || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007393 +1 || 2007394 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid INSERT || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007394 +1 || 2007395 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid DELETE || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007395 +1 || 2007396 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid ASCII || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007396 +1 || 2007397 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- product.asp productid UPDATE || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007397 +1 || 2007398 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search SELECT || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007398 +1 || 2007399 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UNION SELECT || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007399 +1 || 2007400 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search INSERT || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007400 +1 || 2007401 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search DELETE || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007401 +1 || 2007402 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search ASCII || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007402 +1 || 2007403 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Alan Ward A-Cart Pro SQL Injection Attempt -- search.asp search UPDATE || cve,CVE-2006-6111 || url,www.securityfocus.com/bid/21166 || url,doc.emergingthreats.net/2007403 +1 || 2007404 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd SELECT || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007404 +1 || 2007405 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UNION SELECT || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007405 +1 || 2007406 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd INSERT || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007406 +1 || 2007407 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd DELETE || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007407 +1 || 2007408 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd ASCII || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007408 +1 || 2007409 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php ipadd UPDATE || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007409 +1 || 2007410 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url SELECT || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007410 +1 || 2007411 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UNION SELECT || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007411 +1 || 2007412 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url INSERT || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007412 +1 || 2007413 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url DELETE || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007413 +1 || 2007414 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url ASCII || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007414 +1 || 2007415 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HIOX Star Rating System Script (HSRS) SQL Injection Attempt -- addrating.php url UPDATE || cve,CVE-2006-6155 || url,www.frsirt.com/english/advisories/2006/4689 || url,doc.emergingthreats.net/2007415 +1 || 2007416 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007416 +1 || 2007417 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UNION SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007417 +1 || 2007418 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat INSERT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007418 +1 || 2007419 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat DELETE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007419 +1 || 2007420 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat ASCII || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007420 +1 || 2007421 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- cat.asp cat UPDATE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007421 +1 || 2007422 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007422 +1 || 2007423 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UNION SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007423 +1 || 2007424 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword INSERT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007424 +1 || 2007425 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword DELETE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007425 +1 || 2007426 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword ASCII || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007426 +1 || 2007427 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp keyword UPDATE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007427 +1 || 2007428 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007428 +1 || 2007429 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UNION SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007429 +1 || 2007430 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order INSERT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007430 +1 || 2007431 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order DELETE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007431 +1 || 2007432 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order ASCII || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007432 +1 || 2007433 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp order UPDATE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007433 +1 || 2007434 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007434 +1 || 2007435 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UNION SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007435 +1 || 2007436 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort INSERT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007436 +1 || 2007437 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort DELETE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007437 +1 || 2007438 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort ASCII || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007438 +1 || 2007439 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp sort UPDATE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007439 +1 || 2007440 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007440 +1 || 2007441 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UNION SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007441 +1 || 2007442 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect INSERT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007442 +1 || 2007443 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect DELETE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007443 +1 || 2007444 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect ASCII || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007444 +1 || 2007445 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp menuSelect UPDATE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007445 +1 || 2007446 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007446 +1 || 2007447 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UNION SELECT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007447 +1 || 2007448 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state INSERT || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007448 +1 || 2007449 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state DELETE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007449 +1 || 2007450 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state ASCII || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007450 +1 || 2007451 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vSpin.net Classified System SQL Injection Attempt -- search.asp state UPDATE || cve,CVE-2006-6152 || url,www.securityfocus.com/bid/21190 || url,doc.emergingthreats.net/2007451 +1 || 2007452 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob SELECT || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007452 +1 || 2007453 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UNION SELECT || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007453 +1 || 2007454 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob INSERT || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007454 +1 || 2007455 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob DELETE || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007455 +1 || 2007456 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob ASCII || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007456 +1 || 2007457 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publications_list.asp vjob UPDATE || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007457 +1 || 2007458 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID SELECT || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007458 +1 || 2007459 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UNION SELECT || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007459 +1 || 2007460 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID INSERT || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007460 +1 || 2007461 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID DELETE || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007461 +1 || 2007462 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID ASCII || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007462 +1 || 2007463 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BPG-InfoTech Content Management System SQL Injection Attempt -- publication_view.asp InfoID UPDATE || cve,CVE-2006-6110 || url,www.securityfocus.com/archive/1/archive/1/451537/100/100/threaded || url,doc.emergingthreats.net/2007463 +1 || 2007464 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy SELECT || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007464 +1 || 2007465 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UNION SELECT || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007465 +1 || 2007466 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy INSERT || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007466 +1 || 2007467 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy DELETE || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007467 +1 || 2007468 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy ASCII || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007468 +1 || 2007469 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- openPolicy.asp policy UPDATE || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007469 +1 || 2007470 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand SELECT || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007470 +1 || 2007471 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UNION SELECT || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007471 +1 || 2007472 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand INSERT || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007472 +1 || 2007473 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand DELETE || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007473 +1 || 2007474 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand ASCII || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007474 +1 || 2007475 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CandyPress Store SQL Injection Attempt -- prodList.asp brand UPDATE || cve,CVE-2006-6109 || url,www.securityfocus.com/bid/21090/info || url,doc.emergingthreats.net/2007475 +1 || 2007476 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID SELECT || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007476 +1 || 2007477 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UNION SELECT || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007477 +1 || 2007478 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID INSERT || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007478 +1 || 2007479 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID DELETE || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007479 +1 || 2007480 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID ASCII || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007480 +1 || 2007481 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_view.asp articleID UPDATE || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007481 +1 || 2007482 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page SELECT || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007482 +1 || 2007483 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UNION SELECT || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007483 +1 || 2007484 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page DELETE || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007484 +1 || 2007485 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page ASCII || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007485 +1 || 2007486 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page UPDATE || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007486 +1 || 2007487 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID SELECT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007487 +1 || 2007488 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UNION SELECT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007488 +1 || 2007489 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID INSERT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007489 +1 || 2007490 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID DELETE || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007490 +1 || 2007491 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID ASCII || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007491 +1 || 2007492 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_categories.asp catID UPDATE || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007492 +1 || 2007493 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID SELECT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007493 +1 || 2007494 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UNION SELECT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007494 +1 || 2007495 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID INSERT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007495 +1 || 2007496 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID DELETE || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007496 +1 || 2007497 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID ASCII || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007497 +1 || 2007498 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activeNews_comments.asp articleID UPDATE || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007498 +1 || 2007499 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query SELECT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007499 +1 || 2007500 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UNION SELECT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007500 +1 || 2007501 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query INSERT || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007501 +1 || 2007502 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query DELETE || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007502 +1 || 2007503 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query ASCII || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007503 +1 || 2007504 || 9 || web-application-attack || 0 || ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007504 +1 || 2007505 || 9 || web-application-attack || 0 || ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007505 +1 || 2007506 || 9 || web-application-attack || 0 || ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007506 +1 || 2007507 || 9 || web-application-attack || 0 || ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007507 +1 || 2007508 || 9 || web-application-attack || 0 || ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007508 +1 || 2007509 || 9 || web-application-attack || 0 || ET DELETED 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007509 +1 || 2007510 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007510 +1 || 2007511 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007511 +1 || 2007512 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007512 +1 || 2007513 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007513 +1 || 2007514 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007514 +1 || 2007515 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp categoryID_list UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007515 +1 || 2007516 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007516 +1 || 2007517 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007517 +1 || 2007518 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007518 +1 || 2007519 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007519 +1 || 2007520 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007520 +1 || 2007521 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp sale_type UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007521 +1 || 2007522 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007522 +1 || 2007523 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007523 +1 || 2007524 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007524 +1 || 2007525 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007525 +1 || 2007526 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007526 +1 || 2007527 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp stock_number UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007527 +1 || 2007528 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007528 +1 || 2007529 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007529 +1 || 2007530 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007530 +1 || 2007531 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007531 +1 || 2007532 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007532 +1 || 2007533 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp manufacturer UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007533 +1 || 2007534 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007534 +1 || 2007535 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007535 +1 || 2007536 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007536 +1 || 2007537 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007537 +1 || 2007538 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007538 +1 || 2007539 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp model UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007539 +1 || 2007540 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007540 +1 || 2007541 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007541 +1 || 2007542 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007542 +1 || 2007543 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007543 +1 || 2007544 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007544 +1 || 2007545 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vehicleID UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007545 +1 || 2007546 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007546 +1 || 2007547 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007547 +1 || 2007548 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007548 +1 || 2007549 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007549 +1 || 2007550 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007550 +1 || 2007551 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp year UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007551 +1 || 2007552 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007552 +1 || 2007553 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007553 +1 || 2007554 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007554 +1 || 2007555 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007555 +1 || 2007556 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007556 +1 || 2007557 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp vin UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007557 +1 || 2007558 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007558 +1 || 2007559 || 10 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UNION SELECT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007559 +1 || 2007560 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price INSERT || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007560 +1 || 2007561 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price DELETE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007561 +1 || 2007562 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price ASCII || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007562 +1 || 2007563 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 20/20 Auto Gallery SQL Injection Attempt -- vehiclelistings.asp listing_price UPDATE || cve,CVE-2006-6092 || url,www.securityfocus.com/bid/21154 || url,doc.emergingthreats.net/2007563 +1 || 2007564 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- default.asp page INSERT || cve,CVE-2006-6095 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007564 +1 || 2007565 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt -- activenews_search.asp query UPDATE || cve,CVE-2006-6094 || url,www.securityfocus.com/bid/21167 || url,doc.emergingthreats.net/2007565 +1 || 2007566 || 8 || trojan-activity || 0 || ET TROJAN Downloader.MisleadApp Fake Security Product Install || url,doc.emergingthreats.net/2007566 +1 || 2007567 || 10 || trojan-activity || 0 || ET TROJAN Zlob User Agent - updating (unknown) || url,doc.emergingthreats.net/2007567 +1 || 2007568 || 5 || trojan-activity || 0 || ET TROJAN Zlob Updating via HTTP || url,doc.emergingthreats.net/2007568 +1 || 2007569 || 11 || trojan-activity || 0 || ET DELETED QQPass Related User-Agent Infection Checkin (App4) || url,doc.emergingthreats.net/2007569 +1 || 2007570 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (Dummy) || url,doc.emergingthreats.net/bin/view/Main/2007570 +1 || 2007571 || 6 || policy-violation || 0 || ET POLICY Remote Desktop Connection via non RDP Port || url,doc.emergingthreats.net/2007571 +1 || 2007572 || 5 || trojan-activity || 0 || ET DELETED Vundo.dam http Checkin after infection || url,doc.emergingthreats.net/2007572 +1 || 2007573 || 4 || trojan-activity || 0 || ET TROJAN Vundo.dam http Update || url,doc.emergingthreats.net/2007573 +1 || 2007575 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (AntiSpyware) - Likely 2squared.com related || url,doc.emergingthreats.net/bin/view/Main/2007575 +1 || 2007576 || 4 || trojan-activity || 0 || ET POLICY CCProxy in use remotely - Possibly Hostile/Malware || url,www.youngzsoft.net || url,doc.emergingthreats.net/bin/view/Main/2007576 +1 || 2007577 || 6 || trojan-activity || 0 || ET TROJAN General Downloader Checkin URL (GUID+) || url,doc.emergingthreats.net/2007577 +1 || 2007578 || 4 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case1) || url,/www.viruslist.com/en/viruses/encyclopedia?virusid=142254 || url,doc.emergingthreats.net/2007578 +1 || 2007579 || 4 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case2) || url,/www.viruslist.com/en/viruses/encyclopedia?virusid=142254 || url,doc.emergingthreats.net/2007579 +1 || 2007580 || 4 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Qhost C&C Traffic Inbound (case1) || url,/www.viruslist.com/en/viruses/encyclopedia?virusid=142254 || url,doc.emergingthreats.net/2007580 +1 || 2007581 || 4 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Qhost C&C Traffic Inbound (case2) || url,/www.viruslist.com/en/viruses/encyclopedia?virusid=142254 || url,doc.emergingthreats.net/2007581 +1 || 2007582 || 9 || trojan-activity || 0 || ET MALWARE Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...) || url,doc.emergingthreats.net/2007582 +1 || 2007583 || 10 || trojan-activity || 0 || ET TROJAN iebar Spyware User Agent (iebar) || url,doc.emergingthreats.net/2007583 +1 || 2007584 || 7 || misc-attack || 0 || ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request) || url,isc.sans.org/diary.html?storyid=3310 || url,doc.emergingthreats.net/bin/view/Main/2007584 +1 || 2007585 || 4 || trojan-activity || 0 || ET TROJAN Win32.SkSocket C&C Connection || url,doc.emergingthreats.net/2007585 +1 || 2007587 || 6 || trojan-activity || 0 || ET TROJAN General Downloader or Virut C&C Ack || url,doc.emergingthreats.net/2007587 +1 || 2007592 || 7 || trojan-activity || 0 || ET TROJAN Hupigon URL Infection Checkin Detected || url,doc.emergingthreats.net/2007592 +1 || 2007593 || 5 || trojan-activity || 0 || ET MALWARE SpyShredder Fake Anti-Spyware Install Download || url,doc.emergingthreats.net/bin/view/Main/2007593 +1 || 2007594 || 9 || trojan-activity || 0 || ET TROJAN Banker.Delf User-Agent (Mz) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2007594 +1 || 2007595 || 6 || trojan-activity || 0 || ET TROJAN Downloader.Dluca HTTP Checkin || url,doc.emergingthreats.net/2007595 +1 || 2007597 || 8 || trojan-activity || 0 || ET MALWARE NewWeb/Sudui.com Spyware User-Agent (B Register) || url,doc.emergingthreats.net/2007597 +1 || 2007598 || 8 || trojan-activity || 0 || ET MALWARE NewWeb/Sudui.com Spyware User-Agent (updatesodui) || url,doc.emergingthreats.net/2007598 +1 || 2007599 || 8 || trojan-activity || 0 || ET MALWARE NewWeb/Sudui.com Spyware User-Agent (aaaabbb) || url,doc.emergingthreats.net/2007599 +1 || 2007600 || 8 || trojan-activity || 0 || ET MALWARE TryMedia Spyware User-Agent (TryMedia_DM_2.0.0) || url,doc.emergingthreats.net/2007600 +1 || 2007601 || 6 || trojan-activity || 0 || ET MALWARE Advertisementserver.com Spyware Initial Checkin || url,doc.emergingthreats.net/bin/view/Main/2007601 +1 || 2007602 || 8 || trojan-activity || 0 || ET MALWARE Advertisementserver.com Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2007602 +1 || 2007603 || 4 || trojan-activity || 0 || ET TROJAN Proxy.Win32.Wopla.ag Check-In || url,doc.emergingthreats.net/2007603 +1 || 2007604 || 5 || trojan-activity || 0 || ET TROJAN Proxy.Win32.Wopla.ag Server Reply || url,doc.emergingthreats.net/2007604 +1 || 2007605 || 3 || trojan-activity || 0 || ET DELETED Singworm MSN message Outbound || url,doc.emergingthreats.net/2007605 +1 || 2007606 || 3 || trojan-activity || 0 || ET DELETED Singworm MSN message Inbound || url,doc.emergingthreats.net/2007606 +1 || 2007607 || 5 || trojan-activity || 0 || ET MALWARE Zango Spyware Post || url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045 || url,doc.emergingthreats.net/bin/view/Main/2007607 +1 || 2007608 || 3 || trojan-activity || 0 || ET TROJAN Win32.Agent.bea C&C connection || url,doc.emergingthreats.net/2007608 +1 || 2007609 || 4 || trojan-activity || 0 || ET TROJAN Win32.Small.qh/xSock User-Agent Detected || url,doc.emergingthreats.net/2007609 +1 || 2007610 || 6 || trojan-activity || 0 || ET TROJAN Win32.Small.qh/xSock Checkin URL Detected || url,doc.emergingthreats.net/2007610 +1 || 2007611 || 8 || trojan-activity || 0 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1 || url,doc.emergingthreats.net/2007611 +1 || 2007612 || 8 || trojan-activity || 0 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 3 || url,doc.emergingthreats.net/2007612 +1 || 2007613 || 7 || trojan-activity || 0 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 || url,doc.emergingthreats.net/2007613 +1 || 2007614 || 7 || trojan-activity || 0 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 || url,doc.emergingthreats.net/2007614 +1 || 2007615 || 8 || trojan-activity || 0 || ET DELETED Unidentified Spyware User Agent (0 0 + 128 chars) || url,doc.emergingthreats.net/2007615 +1 || 2007616 || 11 || trojan-activity || 0 || ET USER_AGENTS klm123.com Spyware User Agent || url,doc.emergingthreats.net/2007616 +1 || 2007617 || 9 || trojan-activity || 0 || ET MALWARE VirusProtectPro Spyware User-Agent (VirusProtectPro) || url,doc.emergingthreats.net/2007617 +1 || 2007618 || 6 || trojan-activity || 0 || ET TROJAN Storm Worm ICMP DDOS Traffic || url,doc.emergingthreats.net/2007618 +1 || 2007620 || 6 || trojan-activity || 0 || ET TROJAN Zlob Updating via HTTP (v2) || url,doc.emergingthreats.net/2007620 +1 || 2007621 || 5 || trojan-activity || 0 || ET DELETED Kaiten IRCbotnet login || url,en.wikipedia.org/wiki/IRC_bot || url,doc.emergingthreats.net/2007621 +1 || 2007622 || 4 || trojan-activity || 0 || ET DELETED Kaiten IRCbotnet Response || url,en.wikipedia.org/wiki/IRC_bot || url,doc.emergingthreats.net/2007622 +1 || 2007623 || 5 || trojan-activity || 0 || ET DELETED Kaiten IRCbotnet Commands || url,en.wikipedia.org/wiki/IRC_bot || url,doc.emergingthreats.net/2007623 +1 || 2007624 || 5 || trojan-activity || 0 || ET DELETED Pitbull IRCbotnet Response || url,en.wikipedia.org/wiki/IRC_bot || url,doc.emergingthreats.net/2007624 +1 || 2007625 || 6 || trojan-activity || 0 || ET DELETED Pitbull IRCbotnet Commands || url,en.wikipedia.org/wiki/IRC_bot || url,doc.emergingthreats.net/2007625 +1 || 2007626 || 6 || trojan-activity || 0 || ET DELETED Pitbull IRCbotnet Fetch || url,en.wikipedia.org/wiki/IRC_bot || url,doc.emergingthreats.net/2007626 +1 || 2007627 || 5 || policy-violation || 0 || ET POLICY Hyves Login Attempt || url,doc.emergingthreats.net/2007627 +1 || 2007628 || 5 || policy-violation || 0 || ET POLICY Hyves Inbox Access || url,doc.emergingthreats.net/2007628 +1 || 2007629 || 5 || policy-violation || 0 || ET POLICY Hyves Message Access || url,doc.emergingthreats.net/2007629 +1 || 2007630 || 6 || policy-violation || 0 || ET POLICY Hyves Compose Message || url,doc.emergingthreats.net/2007630 +1 || 2007631 || 6 || policy-violation || 0 || ET POLICY Hyves Message Submit || url,doc.emergingthreats.net/2007631 +1 || 2007633 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader) || url,doc.emergingthreats.net/2007633 +1 || 2007634 || 3 || trojan-activity || 0 || ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5 || url,doc.emergingthreats.net/2007634 +1 || 2007635 || 3 || trojan-activity || 0 || ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Connect Ack || url,doc.emergingthreats.net/2007635 +1 || 2007636 || 3 || trojan-activity || 0 || ET TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5 || url,doc.emergingthreats.net/2007636 +1 || 2007637 || 3 || trojan-activity || 0 || ET TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack || url,doc.emergingthreats.net/2007637 +1 || 2007638 || 4 || policy-violation || 0 || ET POLICY Netflix On-demand User-Agent || url,doc.emergingthreats.net/2007638 +1 || 2007639 || 5 || policy-violation || 0 || ET POLICY FOX,ABC On-demand UA || url,doc.emergingthreats.net/2007639 +1 || 2007640 || 6 || trojan-activity || 0 || ET DELETED Storm Making initial outbound connection || url,doc.emergingthreats.net/bin/view/Main/StormWorm +1 || 2007641 || 6 || trojan-activity || 0 || ET DELETED Storm Controller Response to Drone via tcp || url,doc.emergingthreats.net/bin/view/Main/StormWorm +1 || 2007642 || 6 || trojan-activity || 0 || ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs) || url,doc.emergingthreats.net/bin/view/Main/2007642 +1 || 2007643 || 10 || trojan-activity || 0 || ET MALWARE Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck) || url,doc.emergingthreats.net/2007643 +1 || 2007644 || 7 || trojan-activity || 0 || ET TROJAN Win32.Agent.cah Checkin Request || url,doc.emergingthreats.net/2007644 +1 || 2007645 || 10 || trojan-activity || 0 || ET MALWARE Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer) || url,doc.emergingthreats.net/2007645 +1 || 2007646 || 9 || trojan-activity || 0 || ET TROJAN Farfli User Agent Detected || url,doc.emergingthreats.net/2007646 +1 || 2007647 || 9 || trojan-activity || 0 || ET DELETED Casalemedia.com Related User Agent (0 0 ...) || url,doc.emergingthreats.net/2007647 +1 || 2007648 || 8 || trojan-activity || 0 || ET MALWARE Spyware User-Agent (XXX) || url,doc.emergingthreats.net/bin/view/Main/2007648 +1 || 2007649 || 5 || trojan-activity || 0 || ET MALWARE Spylog.ru Related Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2007649 +1 || 2007650 || 4 || trojan-activity || 0 || ET TROJAN Mac Trojan HTTP Checkin (accept-language violation) || url,doc.emergingthreats.net/2007650 +1 || 2007651 || 6 || web-application-activity || 0 || ET ATTACK_RESPONSE x2300 phpshell detected || url,www.rfxn.com/vdb.php || url,doc.emergingthreats.net/bin/view/Main/2007651 +1 || 2007652 || 5 || web-application-activity || 0 || ET ATTACK_RESPONSE c99shell phpshell detected || url,www.rfxn.com/vdb.php || url,doc.emergingthreats.net/bin/view/Main/2007652 +1 || 2007653 || 6 || web-application-activity || 0 || ET ATTACK_RESPONSE RFI Scanner detected || url,www.rfxn.com/vdb.php || url,doc.emergingthreats.net/bin/view/Main/2007653 +1 || 2007654 || 6 || web-application-activity || 0 || ET ATTACK_RESPONSE C99 Modified phpshell detected || url,www.rfxn.com/vdb.php || url,doc.emergingthreats.net/bin/view/Main/2007654 +1 || 2007655 || 6 || web-application-activity || 0 || ET ATTACK_RESPONSE lila.jpg phpshell detected || url,www.rfxn.com/vdb.php || url,doc.emergingthreats.net/bin/view/Main/2007655 +1 || 2007656 || 6 || web-application-activity || 0 || ET ATTACK_RESPONSE ALBANIA id.php detected || url,www.rfxn.com/vdb.php || url,doc.emergingthreats.net/bin/view/Main/2007656 +1 || 2007657 || 6 || web-application-activity || 0 || ET ATTACK_RESPONSE Mic22 id.php detected || url,www.rfxn.com/vdb.php || url,doc.emergingthreats.net/bin/view/Main/2007657 +1 || 2007659 || 9 || trojan-activity || 0 || ET MALWARE Spyware User-Agent (QdrBi Starter) || url,doc.emergingthreats.net/bin/view/Main/2007659 +1 || 2007660 || 11 || trojan-activity || 0 || ET MALWARE Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser) || url,doc.emergingthreats.net/2007660 +1 || 2007661 || 6 || trojan-activity || 0 || ET TROJAN Hupigon User Agent Detected (RAV1.23) || url,doc.emergingthreats.net/2007661 +1 || 2007663 || 4 || trojan-activity || 0 || ET TROJAN Win32.Agent.pt User-Agent Detected || url,doc.emergingthreats.net/2007663 +1 || 2007664 || 5 || trojan-activity || 0 || ET MALWARE AVSystemcare.com.com Fake Anti-Virus Product || url,doc.emergingthreats.net/bin/view/Main/2007664 +1 || 2007666 || 8 || trojan-activity || 0 || ET MALWARE Spyware User-Agent (install_s) || url,doc.emergingthreats.net/bin/view/Main/2007666 +1 || 2007667 || 8 || trojan-activity || 0 || ET MALWARE Spyware User-Agent (count) || url,doc.emergingthreats.net/bin/view/Main/2007667 +1 || 2007668 || 17 || trojan-activity || 0 || ET TROJAN Blackenergy Bot Checkin to C&C || url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available || url,doc.emergingthreats.net/2007668 +1 || 2007669 || 11 || trojan-activity || 0 || ET DELETED Nulprot Checkin Response || url,doc.emergingthreats.net/2007669 +1 || 2007670 || 9 || not-suspicious || 0 || ET DELETED Likely Binary in HTTP by Type Flowbit || url,doc.emergingthreats.net/2007670 +1 || 2007671 || 15 || policy-violation || 0 || ET POLICY Binary Download Smaller than 1 MB Likely Hostile || url,doc.emergingthreats.net/2007671 +1 || 2007672 || 7 || misc-activity || 0 || ET DELETED B0tN3t IRCbotnet || url,en.wikipedia.org/wiki/Botnet || url,doc.emergingthreats.net/2007672 +1 || 2007673 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity TCP (1) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007674 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity TCP (2) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007675 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity TCP (3) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007676 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity TCP (4) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007677 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity TCP (5) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007678 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity UDP (1) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007679 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity UDP (2) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007680 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity UDP (3) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007681 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity UDP (4) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007682 || 6 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 DNS Activity UDP (5) || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007683 || 12 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 HTTP Activity 1 || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007684 || 12 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 HTTP Activity 2 || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007685 || 12 || trojan-activity || 0 || ET TROJAN E-Jihad 3.0 HTTP Activity 3 || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007686 || 10 || denial-of-service || 0 || ET TROJAN E-Jihad 3.0 DDoS HTTP Activity OUTBOUND || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007687 || 10 || denial-of-service || 0 || ET TROJAN E-Jihad 3.0 DDoS HTTP Activity INBOUND || url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool +1 || 2007688 || 10 || trojan-activity || 0 || ET TROJAN Prg Trojan HTTP POST v1 || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf || url,doc.emergingthreats.net/2007688 +1 || 2007689 || 5 || trojan-activity || 0 || ET TROJAN Hupigon User Agent Detected (??) || url,doc.emergingthreats.net/2007689 +1 || 2007690 || 9 || trojan-activity || 0 || ET MALWARE IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1) || url,doc.emergingthreats.net/2007690 +1 || 2007692 || 7 || trojan-activity || 0 || ET TROJAN Basine Trojan Checkin || url,doc.emergingthreats.net/2007692 +1 || 2007693 || 10 || trojan-activity || 0 || ET MALWARE Zredirector.com Related Spyware User-Agent (BndDriveLoader) || url,doc.emergingthreats.net/2007693 +1 || 2007694 || 9 || trojan-activity || 0 || ET MALWARE Popads123.com Related Spyware User-Agent (LmaokaazLdr) || url,doc.emergingthreats.net/2007694 +1 || 2007695 || 19 || policy-violation || 0 || ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System || url,doc.emergingthreats.net/bin/view/Main/Windows98UA +1 || 2007696 || 5 || trojan-activity || 0 || ET MALWARE Softwarereferral.com Adware Checkin || url,doc.emergingthreats.net/bin/view/Main/2007696 +1 || 2007697 || 10 || trojan-activity || 0 || ET MALWARE Antivirgear.com Fake Anti-Spyware User-Agent (AntiVirGear) || url,doc.emergingthreats.net/2007697 +1 || 2007698 || 4 || trojan-activity || 0 || ET TROJAN Vanquish Trojan HTTP Checkin || url,doc.emergingthreats.net/2007698 +1 || 2007699 || 7 || trojan-activity || 0 || ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS) || url,doc.emergingthreats.net/2007699 +1 || 2007700 || 6 || trojan-activity || 0 || ET TROJAN ExplorerHijack Trojan HTTP Checkin || url,doc.emergingthreats.net/2007700 +1 || 2007701 || 5 || trojan-activity || 0 || ET DELETED Storm Worm Encrypted Variant 1 Traffic (1) || url,doc.emergingthreats.net/2007701 +1 || 2007702 || 5 || trojan-activity || 0 || ET DELETED Storm Worm Encrypted Variant 1 Traffic (2) || url,doc.emergingthreats.net/2007702 +1 || 2007703 || 11 || attempted-user || 0 || ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt || url,www.kb.cert.org/vuls/id/659761 || url,www.milw0rm.com/exploits/4657 || url,doc.emergingthreats.net/2007703 +1 || 2007704 || 6 || attempted-user || 0 || ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt || url,www.kb.cert.org/vuls/id/659761 || url,www.milw0rm.com/exploits/4657 || url,doc.emergingthreats.net/2007704 +1 || 2007711 || 11 || trojan-activity || 0 || ET DELETED Srizbi registering with controller || url,www.secureworks.com/research/threats/ronpaul/ || url,doc.emergingthreats.net/2007711 +1 || 2007712 || 8 || trojan-activity || 0 || ET TROJAN Srizbi requesting template || url,www.secureworks.com/research/threats/ronpaul/ || url,doc.emergingthreats.net/2007712 +1 || 2007715 || 9 || trojan-activity || 0 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - user || url,doc.emergingthreats.net/bin/view/Main/2007715 +1 || 2007717 || 7 || trojan-activity || 0 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass || url,doc.emergingthreats.net/bin/view/Main/2007717 +1 || 2007723 || 8 || trojan-activity || 0 || ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr || url,doc.emergingthreats.net/bin/view/Main/2007723 +1 || 2007724 || 12 || trojan-activity || 0 || ET TROJAN Prg Trojan HTTP POST version 2 || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf || url,doc.emergingthreats.net/2007724 +1 || 2007725 || 6 || trojan-activity || 0 || ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (WinFtpd) || url,doc.emergingthreats.net/bin/view/Main/2007725 +1 || 2007726 || 6 || trojan-activity || 0 || ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd) || url,doc.emergingthreats.net/bin/view/Main/2007726 +1 || 2007727 || 5 || policy-violation || 0 || ET P2P possible torrent download || url,doc.emergingthreats.net/bin/view/Main/2007727 +1 || 2007728 || 10 || trojan-activity || 0 || ET TROJAN TROJ_PROX.AFV POST || url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T || url,doc.emergingthreats.net/2007728 +1 || 2007742 || 7 || trojan-activity || 0 || ET TROJAN Storm C&C with typo'd User-Agent (Windoss) || url,doc.emergingthreats.net/2007742 +1 || 2007743 || 10 || trojan-activity || 0 || ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin || url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2 || url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D || url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d || url,doc.emergingthreats.net/2007743 +1 || 2007744 || 8 || trojan-activity || 0 || ET MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin || url,doc.emergingthreats.net/bin/view/Main/2007744 +1 || 2007746 || 5 || policy-violation || 0 || ET GAMES Gold VIP Club Casino Client in Use || url,doc.emergingthreats.net/2007746 +1 || 2007747 || 7 || trojan-activity || 0 || ET DELETED MBR Trojan (Sinowal/Mebroot/) Phoning Home || url,doc.emergingthreats.net/2007747 +1 || 2007748 || 8 || trojan-activity || 0 || ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware || url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835 || url,doc.emergingthreats.net/2007748 +1 || 2007749 || 6 || trojan-activity || 0 || ET MALWARE host-domain-lookup.com spyware related Checkin || url,doc.emergingthreats.net/bin/view/Main/2007749 +1 || 2007750 || 6 || trojan-activity || 0 || ET MALWARE host-domain-lookup.com spyware related Start Report || url,doc.emergingthreats.net/bin/view/Main/2007750 +1 || 2007751 || 3 || trojan-activity || 0 || ET TROJAN Saturn Proxy Initial Outbound Checkin (404.txt) || url,doc.emergingthreats.net/2007751 +1 || 2007752 || 5 || trojan-activity || 0 || ET TROJAN Saturn Proxy Checkin Response || url,doc.emergingthreats.net/2007752 +1 || 2007753 || 3 || trojan-activity || 0 || ET TROJAN Saturn Proxy C&C Activity || url,doc.emergingthreats.net/2007753 +1 || 2007754 || 4 || policy-violation || 0 || ET POLICY Club World Casino Client in Use || url,doc.emergingthreats.net/2007754 +1 || 2007755 || 5 || trojan-activity || 0 || ET DELETED Trojan-Downloader.Win32.Small.hkp Checkin via HTTP || url,doc.emergingthreats.net/2007755 +1 || 2007756 || 11 || trojan-activity || 0 || ET DELETED PWS-LDPinch posting data (2) || url,doc.emergingthreats.net/2007756 +1 || 2007757 || 10 || attempted-recon || 0 || ET SCAN w3af User Agent || url,w3af.sourceforge.net || url,doc.emergingthreats.net/2007757 +1 || 2007758 || 8 || trojan-activity || 0 || ET TROJAN Eldorado.BHO User-Agent Detected (netcfg) || url,doc.emergingthreats.net/2007758 +1 || 2007759 || 7 || trojan-activity || 0 || ET MALWARE Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download) || url,doc.emergingthreats.net/2007759 +1 || 2007762 || 5 || trojan-activity || 0 || ET DELETED Majestic-12 Spider Bot User-Agent Inbound (MJ12bot) || url,www.majestic12.co.uk/ || url,doc.emergingthreats.net/2007762 +1 || 2007763 || 6 || policy-violation || 0 || ET POLICY CBS Streaming Video || url,doc.emergingthreats.net/2007763 +1 || 2007764 || 5 || policy-violation || 0 || ET POLICY NBC Streaming Video || url,doc.emergingthreats.net/2007764 +1 || 2007765 || 9 || policy-violation || 0 || ET POLICY Logmein.com Host List Download || url,doc.emergingthreats.net/2007765 +1 || 2007766 || 6 || policy-violation || 0 || ET POLICY Logmein.com Update Activity || url,doc.emergingthreats.net/2007766 +1 || 2007767 || 6 || trojan-activity || 0 || ET TROJAN Pakes User-Agent Detected || url,doc.emergingthreats.net/2007767 +1 || 2007768 || 6 || trojan-activity || 0 || ET TROJAN Pakes Update Detected || url,doc.emergingthreats.net/2007768 +1 || 2007769 || 4 || trojan-activity || 0 || ET TROJAN Zhelatin Update Detected || url,doc.emergingthreats.net/2007769 +1 || 2007770 || 6 || trojan-activity || 0 || ET TROJAN Tear Application User-Agent Detected || url,doc.emergingthreats.net/2007770 +1 || 2007771 || 10 || trojan-activity || 0 || ET TROJAN Pushdo Update URL Detected || url,doc.emergingthreats.net/2007771 +1 || 2007772 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (Internet Explorer (compatible)) || url,doc.emergingthreats.net/bin/view/Main/2007772 +1 || 2007774 || 9 || trojan-activity || 0 || ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin || url,doc.emergingthreats.net/2007774 +1 || 2007775 || 10 || trojan-activity || 0 || ET DELETED Krunchy/BZub HTTP Checkin/Update || url,doc.emergingthreats.net/2007775 +1 || 2007776 || 9 || trojan-activity || 0 || ET TROJAN Krunchy/BZub HTTP POST Update || url,doc.emergingthreats.net/2007776 +1 || 2007777 || 4 || trojan-activity || 0 || ET DELETED Browser HiJacker/Infostealer Stat file || url,doc.emergingthreats.net/2007777 +1 || 2007778 || 13 || trojan-activity || 0 || ET TROJAN User-agent DownloadNetFile Win32.small.hsh downloader || url,doc.emergingthreats.net/2007778 +1 || 2007779 || 5 || trojan-activity || 0 || ET TROJAN Kpang.com Related Trojan User-Agent (kpangupdate) || url,doc.emergingthreats.net/2007779 +1 || 2007780 || 3 || trojan-activity || 0 || ET TROJAN Ssppyy.com Surveillance Agent Reporting via Email || url,doc.emergingthreats.net/2007780 +1 || 2007781 || 6 || trojan-activity || 0 || ET DELETED Zapchast Bot User-Agent || url,www.majestic12.co.uk/bot.php || url,doc.emergingthreats.net/2007781 +1 || 2007786 || 7 || trojan-activity || 0 || ET MALWARE PCDoc.co.kr Fake AV User-Agent (PCDoc11) || url,doc.emergingthreats.net/bin/view/Main/2007786 +1 || 2007787 || 4 || trojan-activity || 0 || ET TROJAN Zhelatin npopup Update Detected || url,doc.emergingthreats.net/2007787 +1 || 2007788 || 5 || trojan-activity || 0 || ET MALWARE Theinstalls.com Initial Checkin || url,www.theinstalls.com || url,doc.emergingthreats.net/bin/view/Main/2007788 +1 || 2007798 || 7 || trojan-activity || 0 || ET DELETED Theinstalls.com Trojan Download || url,www.theinstalls.com || url,doc.emergingthreats.net/bin/view/Main/2007798 +1 || 2007799 || 4 || policy-violation || 0 || ET P2P Azureus P2P Client User-Agent || url,doc.emergingthreats.net/bin/view/Main/2007799 +1 || 2007800 || 4 || policy-violation || 0 || ET P2P LimeWire P2P Traffic || url,www.limewire.com || url,doc.emergingthreats.net/bin/view/Main/2007800 +1 || 2007801 || 4 || policy-violation || 0 || ET P2P Gnutella TCP Traffic || url,doc.emergingthreats.net/bin/view/Main/2007801 +1 || 2007802 || 4 || network-scan || 0 || ET SCAN Grim's Ping ftp scanning tool || url,archives.neohapsis.com/archives/snort/2002-04/0448.html || url,grimsping.cjb.net || url,doc.emergingthreats.net/2007802 +1 || 2007803 || 4 || trojan-activity || 0 || ET TROJAN Win32.Inject.ql Checkin Post || url,doc.emergingthreats.net/2007803 +1 || 2007804 || 6 || trojan-activity || 0 || ET MALWARE PCDoc.co.kr Fake AV User-Agent (mypcdoctor) || url,doc.emergingthreats.net/bin/view/Main/2007804 +1 || 2007805 || 4 || trojan-activity || 0 || ET DELETED Blink.com related Backdoor Checkin || url,doc.emergingthreats.net/2007805 +1 || 2007806 || 5 || trojan-activity || 0 || ET DELETED Blink.com related Upgrade Command Given || url,doc.emergingthreats.net/2007806 +1 || 2007807 || 4 || trojan-activity || 0 || ET TROJAN Rcash.co.kr Bootup Checkin via HTTP || url,doc.emergingthreats.net/2007807 +1 || 2007808 || 6 || trojan-activity || 0 || ET TROJAN Cashpoint.com Related checkin User-Agent (inetinst) || url,doc.emergingthreats.net/2007808 +1 || 2007809 || 7 || trojan-activity || 0 || ET MALWARE Doctorvaccine.co.kr Related Spyware-User Agent (ers) || url,doc.emergingthreats.net/2007809 +1 || 2007810 || 6 || trojan-activity || 0 || ET TROJAN Cashpoint.com Related checkin User-Agent (okcpmgr) || url,doc.emergingthreats.net/2007810 +1 || 2007811 || 5 || trojan-activity || 0 || ET TROJAN Metajuan trojan checkin || url,www.symantec.com/security_response/writeup.jsp?docid=2007-030112-0714-99 || url,doc.emergingthreats.net/2007811 +1 || 2007820 || 6 || trojan-activity || 0 || ET MALWARE Rabio Spyware/Adware Initial Registration || url,www.spywareguide.com/product_show.php?id=3770 || url,www.rabio.com || url,doc.emergingthreats.net/bin/view/Main/2007820 +1 || 2007821 || 6 || trojan-activity || 0 || ET MALWARE Rabio.com Related Adware/Spyware User-Agent (HTTP_CONNECT_2) || url,doc.emergingthreats.net/bin/view/Main/2007821 +1 || 2007822 || 5 || trojan-activity || 0 || ET TROJAN Densmail.com Related Trojan Checkin || url,doc.emergingthreats.net/2007822 +1 || 2007823 || 8 || trojan-activity || 0 || ET DELETED Banker.OT Checkin || url,doc.emergingthreats.net/2007823 +1 || 2007824 || 7 || trojan-activity || 0 || ET TROJAN Banker.anv Generally Suspicious User-Agent (CustomExchangeBrowser) || url,doc.emergingthreats.net/2007824 +1 || 2007825 || 4 || trojan-activity || 0 || ET TROJAN Neonaby.com Related Trojan User-Agent (neonabyupdate) || url,doc.emergingthreats.net/2007825 +1 || 2007826 || 5 || trojan-activity || 0 || ET TROJAN Suspicious Useragent Used by Several trojans (API-Guide test program) || url,doc.emergingthreats.net/2007826 +1 || 2007827 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (ie) - Possible Trojan Downloader || url,doc.emergingthreats.net/2007827 +1 || 2007828 || 14 || trojan-activity || 0 || ET DELETED LDPinch Checkin (2) || url,doc.emergingthreats.net/2007828 +1 || 2007829 || 9 || trojan-activity || 0 || ET TROJAN Illusion Bot (Lussilon) Checkin || url,doc.emergingthreats.net/2007829 +1 || 2007831 || 5 || trojan-activity || 0 || ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id push) || url,doc.emergingthreats.net/2007831 +1 || 2007832 || 3 || trojan-activity || 0 || ET TROJAN Theoreon.com Related Trojan Checkin || url,doc.emergingthreats.net/2007832 +1 || 2007833 || 5 || trojan-activity || 0 || ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5) || url,doc.emergingthreats.net/2007833 +1 || 2007834 || 4 || trojan-activity || 0 || ET TROJAN Renos/ssd.com HTTP Checkin || url,doc.emergingthreats.net/2007834 +1 || 2007836 || 6 || trojan-activity || 0 || ET TROJAN Downloader General Bot Checking In - Possible Win32.Small.htz related || url,doc.emergingthreats.net/2007836 +1 || 2007837 || 5 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (WinInet) || url,doc.emergingthreats.net/2007837 +1 || 2007838 || 5 || trojan-activity || 0 || ET TROJAN Delf HTTP Checkin (1) || url,doc.emergingthreats.net/2007838 +1 || 2007839 || 7 || trojan-activity || 0 || ET MALWARE Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit) || url,doc.emergingthreats.net/2007839 +1 || 2007840 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent Possible Trojan Downloader Shell || url,doc.emergingthreats.net/2007840 || url,www.securelist.com/en/blog/434/The_Chinese_bootkit +1 || 2007842 || 6 || trojan-activity || 0 || ET DELETED Softspydelete.com Fake Anti-Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2007842 +1 || 2007843 || 6 || trojan-activity || 0 || ET TROJAN Bzub2 Related RPC/Http Checkin || url,doc.emergingthreats.net/2007843 +1 || 2007845 || 9 || trojan-activity || 0 || ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller) || url,doc.emergingthreats.net/2007845 +1 || 2007847 || 3 || web-application-attack || 0 || ET ACTIVEX Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit || url,www.milw0rm.com/exploits/5086 || url,www.milw0rm.com/exploits/5100 || url,doc.emergingthreats.net/bin/view/Main/2007847 +1 || 2007849 || 4 || trojan-activity || 0 || ET TROJAN Kpang.com Related Trojan User-Agent (alertup) || url,doc.emergingthreats.net/2007849 +1 || 2007851 || 9 || web-application-attack || 0 || ET ACTIVEX Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit || url,www.milw0rm.com/exploits/5106 || bugtraq,21458 || cve,CVE-2006-6334 || url,doc.emergingthreats.net/bin/view/Main/2007851 +1 || 2007852 || 9 || web-application-attack || 0 || ET ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit || url,www.milw0rm.com/exploits/4982 || bugtraq,27193 || url,doc.emergingthreats.net/2007852 +1 || 2007853 || 7 || web-application-attack || 0 || ET ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability || url,www.milw0rm.com/exploits/4981 || bugtraq,27439 || url,doc.emergingthreats.net/2007853 +1 || 2007854 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (Mozilla) - Possible Spyware Related || url,doc.emergingthreats.net/bin/view/Main/2007854 +1 || 2007855 || 5 || trojan-activity || 0 || ET MALWARE OneStepSearch Host Activity || url,doc.emergingthreats.net/bin/view/Main/2007855 +1 || 2007856 || 4 || trojan-activity || 0 || ET MALWARE System-defender.com Fake AV Install Checkin || url,www.system-defender.com || url,doc.emergingthreats.net/bin/view/Main/2007856 +1 || 2007858 || 2 || trojan-activity || 0 || ET TROJAN Delf Keylog FTP Upload || url,doc.emergingthreats.net/2007858 +1 || 2007859 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (microsoft) - Possible Trojan Downloader || url,doc.emergingthreats.net/bin/view/Main/2007859 +1 || 2007860 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader || url,doc.emergingthreats.net/bin/view/Main/2007860 +1 || 2007861 || 4 || trojan-activity || 0 || ET MALWARE Softcashier.com Spyware Install Checkin || url,doc.emergingthreats.net/bin/view/Main/2007861 +1 || 2007862 || 11 || trojan-activity || 0 || ET TROJAN LDPinch Checkin (3) || url,doc.emergingthreats.net/2007862 +1 || 2007863 || 9 || trojan-activity || 0 || ET TROJAN Banload HTTP Checkin || url,doc.emergingthreats.net/2007863 +1 || 2007864 || 8 || trojan-activity || 0 || ET TROJAN Banload HTTP Checkin Detected || url,doc.emergingthreats.net/2007864 +1 || 2007865 || 4 || trojan-activity || 0 || ET MALWARE Winreanimator.com Fake AV Install Attempt || url,www.winreanimator.com || url,doc.emergingthreats.net/bin/view/Main/2007865 +1 || 2007866 || 8 || trojan-activity || 0 || ET CHAT Gadu-Gadu Chat Client Checkin via HTTP || url,doc.emergingthreats.net/2007866 +1 || 2007867 || 10 || trojan-activity || 0 || ET DELETED Delf HTTP Post Checkin (1) || url,doc.emergingthreats.net/2007867 +1 || 2007868 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (Firefox) - Possible Trojan Downloader || url,doc.emergingthreats.net/bin/view/Main/2007868 +1 || 2007869 || 7 || trojan-activity || 0 || ET MALWARE Vombanetwork Spyware User-Agent (VombaProductsInstaller) || url,doc.emergingthreats.net/2007869 +1 || 2007870 || 4 || trojan-activity || 0 || ET MALWARE Vombanetworks.com Spyware Installer Checkin || url,doc.emergingthreats.net/bin/view/Main/2007870 +1 || 2007874 || 6 || web-application-attack || 0 || ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability || bugtraq,27896 || url,aluigi.altervista.org/adv/nowsmsz-adv.txt || url,doc.emergingthreats.net/bin/view/Main/2007874 +1 || 2007875 || 4 || web-application-attack || 0 || ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability || bugtraq,27896 || url,aluigi.altervista.org/adv/nowsmsz-adv.txt || url,doc.emergingthreats.net/bin/view/Main/2007875 +1 || 2007876 || 2 || successful-dos || 0 || ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp || bugtraq,27718 || url,aluigi.altervista.org/adv/ezipirla-adv.txt || cve,CVE-2008-0767 || url,doc.emergingthreats.net/bin/view/Main/2007876 +1 || 2007877 || 4 || successful-dos || 0 || ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp || bugtraq,27718 || url,aluigi.altervista.org/adv/ezipirla-adv.txt || cve,CVE-2008-0759 || url,doc.emergingthreats.net/bin/view/Main/2007877 +1 || 2007878 || 11 || web-application-attack || 0 || ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow || bugtraq,27769 || cve,CVE-2008-0778 || url,www.milw0rm.com/exploits/5110 || url,doc.emergingthreats.net/2007878 +1 || 2007880 || 6 || trojan-activity || 0 || ET MALWARE User-Agent (single dash) || url,doc.emergingthreats.net/bin/view/Main/2007880 +1 || 2007881 || 7 || trojan-activity || 0 || ET MALWARE Mycomclean.com Spyware User-Agent (HTTP_GET_COMM) || url,doc.emergingthreats.net/2007881 +1 || 2007882 || 7 || trojan-activity || 0 || ET MALWARE Mycomclean.com Spyware User-Agent (SHINI) || url,doc.emergingthreats.net/2007882 +1 || 2007883 || 7 || trojan-activity || 0 || ET MALWARE Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3) || url,doc.emergingthreats.net/2007883 +1 || 2007884 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (Example) || url,doc.emergingthreats.net/bin/view/Main/2007884 +1 || 2007885 || 8 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (downloader) || url,doc.emergingthreats.net/bin/view/Main/2007885 +1 || 2007886 || 5 || trojan-activity || 0 || ET DELETED Anti-virus-pro.com Fake AV Checkin || url,doc.emergingthreats.net/bin/view/Main/2007886 +1 || 2007889 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UNION SELECT || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007889 +1 || 2007890 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list INSERT || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007890 +1 || 2007891 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list DELETE || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007891 +1 || 2007892 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability graph_view graph_list UPDATE || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007892 +1 || 2007893 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id SELECT || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007893 +1 || 2007894 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UNION SELECT || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007894 +1 || 2007895 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id INSERT || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007895 +1 || 2007896 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id DELETE || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007896 +1 || 2007897 || 9 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti SQL Injection Vulnerability tree.php leaf_id UPDATE || cve,CVE-2008-0785 || bugtraq,27749 || url,doc.emergingthreats.net/2007897 +1 || 2007898 || 5 || trojan-activity || 0 || ET TROJAN Sohanad Checkin via HTTP || url,doc.emergingthreats.net/2007898 +1 || 2007899 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (HTTP_CONNECT) || url,doc.emergingthreats.net/bin/view/Main/2007899 +1 || 2007900 || 7 || trojan-activity || 0 || ET MALWARE Kpang.com Spyware User-Agent (auctionplusup) || url,doc.emergingthreats.net/2007900 +1 || 2007901 || 7 || trojan-activity || 0 || ET TROJAN Banker.OPX HTTP Checkin || url,doc.emergingthreats.net/2007901 +1 || 2007903 || 8 || web-application-attack || 0 || ET ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability || bugtraq,28010 || url,www.milw0rm.com/exploits/5193 || url,doc.emergingthreats.net/2007903 +1 || 2007904 || 8 || web-application-attack || 0 || ET ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability || bugtraq,28010 || url,www.milw0rm.com/exploits/5193 || url,doc.emergingthreats.net/2007904 +1 || 2007905 || 48 || web-application-attack || 0 || ET ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability || bugtraq,28010 || url,www.milw0rm.com/exploits/5193 || url,doc.emergingthreats.net/2007905 +1 || 2007908 || 7 || trojan-activity || 0 || ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPGETDATA) || url,doc.emergingthreats.net/2007908 +1 || 2007909 || 7 || trojan-activity || 0 || ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN) || url,doc.emergingthreats.net/2007909 +1 || 2007910 || 8 || trojan-activity || 0 || ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN) || url,doc.emergingthreats.net/2007910 +1 || 2007911 || 7 || trojan-activity || 0 || ET TROJAN Delf Download via HTTP || url,doc.emergingthreats.net/2007911 +1 || 2007912 || 5 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg) || url,doc.emergingthreats.net/2007912 +1 || 2007913 || 7 || trojan-activity || 0 || ET TROJAN Dialer.MC(vf) HTTP Request - Checkin || url,doc.emergingthreats.net/2007913 +1 || 2007914 || 4 || trojan-activity || 0 || ET WORM SDBot HTTP Checkin || url,doc.emergingthreats.net/2007914 +1 || 2007917 || 2 || trojan-activity || 0 || ET TROJAN Dropper-497 (Yumato) Initial Checkin || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497 +1 || 2007918 || 2 || trojan-activity || 0 || ET TROJAN Dropper-497 (Yumato) System Stats Report || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497 +1 || 2007919 || 2 || trojan-activity || 0 || ET TROJAN Dropper-497 Yumato Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497 +1 || 2007920 || 3 || trojan-activity || 0 || ET TROJAN Dropper-497 (Yumato) Status Reply from server || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497 +1 || 2007921 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (Explorer) || url,doc.emergingthreats.net/bin/view/Main/2007921 +1 || 2007922 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.VB.brg C&C Checkin || url,doc.emergingthreats.net/2007922 +1 || 2007923 || 5 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital) || url,doc.emergingthreats.net/2007923 +1 || 2007924 || 5 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded) || url,doc.emergingthreats.net/2007924 +1 || 2007925 || 5 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames) || url,doc.emergingthreats.net/2007925 +1 || 2007926 || 6 || trojan-activity || 0 || ET DELETED Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0) || url,doc.emergingthreats.net/2007926 +1 || 2007927 || 7 || trojan-activity || 0 || ET MALWARE Donkeyhote.co.kr Spyware User-Agent (UDonkey) || url,doc.emergingthreats.net/2007927 +1 || 2007928 || 7 || trojan-activity || 0 || ET MALWARE Gcashback.co.kr Spyware User-Agent (InvokeAd) || url,doc.emergingthreats.net/2007928 +1 || 2007929 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible )) || url,doc.emergingthreats.net/bin/view/Main/2007929 +1 || 2007930 || 4 || trojan-activity || 0 || ET TROJAN Delf/Hupigon C&C Channel Version Report || url,doc.emergingthreats.net/2007930 +1 || 2007931 || 7 || web-application-attack || 0 || ET ACTIVEX ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability || url,www.milw0rm.com/exploits/3877 || bugtraq,23674 || cve,CVE-2007-1683 || url,doc.emergingthreats.net/2007931 +1 || 2007932 || 8 || web-application-attack || 0 || ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability || url,www.milw0rm.com/exploits/5205 || cve,CVE-2007-6017 || bugtraq,28008 || url,doc.emergingthreats.net/2007932 +1 || 2007933 || 8 || misc-attack || 0 || ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt || bugtraq,27940 || url,doc.emergingthreats.net/bin/view/Main/2007933 +1 || 2007934 || 7 || misc-attack || 0 || ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability || url,aluigi.altervista.org/adv/zilabzcsx-adv.txt || bugtraq,27940 || url,doc.emergingthreats.net/bin/view/Main/2007934 +1 || 2007935 || 7 || trojan-activity || 0 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update) || url,doc.emergingthreats.net/2007935 +1 || 2007937 || 4 || successful-dos || 0 || ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow || bugtraq,28084 || url,aluigi.altervista.org/adv/visibroken-adv.txt || url,doc.emergingthreats.net/bin/view/Main/2007937 +1 || 2007938 || 7 || trojan-activity || 0 || ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager) || url,doc.emergingthreats.net/2007938 +1 || 2007939 || 5 || trojan-activity || 0 || ET TROJAN Delf Checkin via HTTP (up) || url,doc.emergingthreats.net/2007939 +1 || 2007940 || 5 || trojan-activity || 0 || ET TROJAN Banker.ili HTTP Checkin || url,doc.emergingthreats.net/2007940 +1 || 2007942 || 7 || trojan-activity || 0 || ET USER_AGENTS Suspicious User Agent (_) || url,doc.emergingthreats.net/bin/view/Main/2007942 +1 || 2007943 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (HTTP) || url,doc.emergingthreats.net/bin/view/Main/2007943 +1 || 2007944 || 6 || trojan-activity || 0 || ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008) || url,doc.emergingthreats.net/bin/view/Main/2007944 +1 || 2007945 || 4 || trojan-activity || 0 || ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php) || url,doc.emergingthreats.net/bin/view/Main/2007945 +1 || 2007946 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (popup) || url,doc.emergingthreats.net/bin/view/Main/2007946 +1 || 2007947 || 7 || trojan-activity || 0 || ET MALWARE Nguide.co.kr Fake Security Tool User-Agent (nguideup) || url,doc.emergingthreats.net/2007947 +1 || 2007948 || 9 || trojan-activity || 0 || ET MALWARE User-Agent (double dashes) || url,doc.emergingthreats.net/bin/view/Main/2007948 +1 || 2007949 || 6 || trojan-activity || 0 || ET TROJAN Medbod UDP Phone Home Packet || url,doc.emergingthreats.net/2007949 +1 || 2007950 || 4 || trojan-activity || 0 || ET TROJAN Possible Infection Report Mail - Indy Mail lib and Nome do Computador in Body || url,doc.emergingthreats.net/2007950 +1 || 2007951 || 5 || trojan-activity || 0 || ET MALWARE Hex Encoded IP HTTP Request - Likely Malware || url,doc.emergingthreats.net/bin/view/Main/2007951 +1 || 2007952 || 5 || trojan-activity || 0 || ET TROJAN Downloader.49651 Checkin || url,doc.emergingthreats.net/2007952 +1 || 2007953 || 5 || trojan-activity || 0 || ET TROJAN Downloader.49651 Install Report || url,doc.emergingthreats.net/2007953 +1 || 2007954 || 5 || trojan-activity || 0 || ET TROJAN Downloader.49651 Online Report || url,doc.emergingthreats.net/2007954 +1 || 2007955 || 5 || trojan-activity || 0 || ET TROJAN Cygo Checkin || url,doc.emergingthreats.net/2007955 +1 || 2007956 || 7 || trojan-activity || 0 || ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater) || url,doc.emergingthreats.net/bin/view/Main/2007956 +1 || 2007957 || 2 || trojan-activity || 0 || ET TROJAN Banker.ike UDP C&C || url,doc.emergingthreats.net/2007957 +1 || 2007958 || 7 || trojan-activity || 0 || ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN) || url,doc.emergingthreats.net/2007958 +1 || 2007959 || 7 || trojan-activity || 0 || ET MALWARE Msconfig.co.kr Related User-Agent (GLOBALx) || url,doc.emergingthreats.net/2007959 +1 || 2007961 || 9 || trojan-activity || 0 || ET MALWARE Fake Wget User-Agent (wget 3.0) - Likely Hostile || url,doc.emergingthreats.net/2007961 +1 || 2007962 || 7 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic Checkin || url,doc.emergingthreats.net/2007962 +1 || 2007963 || 4 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic - Status OK || url,doc.emergingthreats.net/2007963 +1 || 2007964 || 4 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic - Server Status OK || url,doc.emergingthreats.net/2007964 +1 || 2007965 || 5 || trojan-activity || 0 || ET TROJAN Goldun Reporting Install || url,doc.emergingthreats.net/2007965 +1 || 2007966 || 2 || trojan-activity || 0 || ET TROJAN Win32.Inject.zy Checkin Post || url,doc.emergingthreats.net/2007966 +1 || 2007967 || 6 || trojan-activity || 0 || ET TROJAN Universal1337 FTP Upload of Compromised Data || url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337 || url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html +1 || 2007968 || 5 || trojan-activity || 0 || ET TROJAN Universal1337 Email Upload of Compromised Data || url,doc.emergingthreats.net/bin/view/Main/TrojanUniversal1337 || url,www.megasecurity.org/trojans/u/universal1337/Universal1337v2.html +1 || 2007970 || 7 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic - Checkin (XY) || url,doc.emergingthreats.net/2007970 +1 || 2007971 || 3 || policy-violation || 0 || ET POLICY SSN Detected in Clear Text (SSN ) || url,doc.emergingthreats.net/2007971 +1 || 2007972 || 3 || policy-violation || 0 || ET POLICY SSN Detected in Clear Text (SSN# ) || url,doc.emergingthreats.net/2007972 +1 || 2007973 || 3 || trojan-activity || 0 || ET TROJAN Perfect Keylogger FTP Initial Install Log Upload || url,doc.emergingthreats.net/2007973 +1 || 2007974 || 4 || trojan-activity || 0 || ET TROJAN Perfect Keylogger FTP Log Upload || url,doc.emergingthreats.net/2007974 +1 || 2007975 || 5 || trojan-activity || 0 || ET TROJAN Common Downloader Trojan Checkin || url,doc.emergingthreats.net/2007975 +1 || 2007977 || 7 || trojan-activity || 0 || ET MALWARE Dokterfix.com Fake AV User-Agent (Magic NetInstaller) || url,doc.emergingthreats.net/2007977 +1 || 2007978 || 5 || trojan-activity || 0 || ET MALWARE Direct-web.co.kr Related Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2007978 +1 || 2007979 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version || url,doc.emergingthreats.net/2007979 +1 || 2007980 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send || url,doc.emergingthreats.net/2007980 +1 || 2007981 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Acknowledge || url,doc.emergingthreats.net/2007981 +1 || 2007982 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.VB.brg C&C DDoS Outbound || url,doc.emergingthreats.net/2007982 +1 || 2007984 || 6 || trojan-activity || 0 || ET TROJAN Banker Trojan (General) HTTP Checkin || url,doc.emergingthreats.net/2007984 +1 || 2007986 || 6 || trojan-activity || 0 || ET TROJAN Emogen Reporting via HTTP || url,doc.emergingthreats.net/2007986 +1 || 2007987 || 5 || trojan-activity || 0 || ET TROJAN Dropper.Win32.VB.on Keylog/System Info Report via HTTP || url,doc.emergingthreats.net +1 || 2007989 || 3 || trojan-activity || 0 || ET TROJAN Vundo HTTP Pre-Install Checkin || url,doc.emergingthreats.net/2007989 +1 || 2007990 || 3 || trojan-activity || 0 || ET TROJAN Vundo HTTP Post-Install Checkin || url,doc.emergingthreats.net/2007990 +1 || 2007991 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (Unknown) || url,doc.emergingthreats.net/bin/view/Main/2007991 +1 || 2007992 || 3 || trojan-activity || 0 || ET TROJAN Shark Pass Stealer Email Report || url,doc.emergingthreats.net/2007992 +1 || 2007993 || 12 || trojan-activity || 0 || ET MALWARE User-Agent (2 spaces) || url,doc.emergingthreats.net/bin/view/Main/2007993 +1 || 2007994 || 8 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (1 space) || url,doc.emergingthreats.net/bin/view/Main/2007994 +1 || 2007995 || 6 || trojan-activity || 0 || ET MALWARE Vaccine-program.co.kr Related Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2007995 +1 || 2007996 || 4 || trojan-activity || 0 || ET MALWARE Sears.com/Kmart.com My SHC Community spyware download || url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx || url,www.benedelman.org/news/010108-1.html || url,doc.emergingthreats.net/bin/view/Main/2007996 +1 || 2007998 || 9 || web-application-attack || 0 || ET ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution || cve,CVE-2006-6838 || bugtraq,21831 || url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html || url,doc.emergingthreats.net/2007998 +1 || 2007999 || 7 || trojan-activity || 0 || ET TROJAN Banker Trojan (General) HTTP Checkin (vit) || url,doc.emergingthreats.net/2007999 +1 || 2008000 || 7 || trojan-activity || 0 || ET MALWARE Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader) || url,doc.emergingthreats.net/2008000 +1 || 2008003 || 4 || trojan-activity || 0 || ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin || url,doc.emergingthreats.net/2008003 +1 || 2008004 || 4 || trojan-activity || 0 || ET TROJAN Win32.Agent.cyt (Or variant) HTTP POST Checkin (2) || url,doc.emergingthreats.net/2008004 +1 || 2008005 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload via FTP || url,doc.emergingthreats.net/2008005 +1 || 2008006 || 6 || trojan-activity || 0 || ET TROJAN Delf CnC Channel Packet 1 || url,doc.emergingthreats.net/2008006 +1 || 2008007 || 5 || trojan-activity || 0 || ET TROJAN Delf CnC Channel Packet 1 reply || url,doc.emergingthreats.net/2008007 +1 || 2008008 || 5 || trojan-activity || 0 || ET TROJAN Delf CnC Channel Checkin Replies || url,doc.emergingthreats.net/2008008 +1 || 2008009 || 5 || trojan-activity || 0 || ET TROJAN Delf CnC Channel Keepalive Pong || url,doc.emergingthreats.net/2008009 +1 || 2008010 || 6 || trojan-activity || 0 || ET TROJAN Delf CnC Channel Keepalive Ping || url,doc.emergingthreats.net/2008010 +1 || 2008012 || 6 || trojan-activity || 0 || ET TROJAN Winquickupdates.com/Mycashloads.com Related Trojan Install Report || url,doc.emergingthreats.net/bin/view/Main/2008012 +1 || 2008013 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (Internet) || url,doc.emergingthreats.net/bin/view/Main/2008013 +1 || 2008015 || 10 || trojan-activity || 0 || ET MALWARE User-Agent (Win95) || url,doc.emergingthreats.net/bin/view/Main/2008015 +1 || 2008016 || 4 || trojan-activity || 0 || ET MALWARE Servicepack.kr Fake Patch Software Checkin || url,doc.emergingthreats.net/bin/view/Main/2008016 +1 || 2008017 || 3 || trojan-activity || 0 || ET TROJAN Philis.J ICMP Sweep (Payload Hello,World) || url,vil.nai.com/vil/content/v_141203.htm || url,doc.emergingthreats.net/2008017 +1 || 2008019 || 6 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https) || url,doc.emergingthreats.net/2008019 +1 || 2008020 || 4 || trojan-activity || 0 || ET WORM Win32.Socks.s HTTP Post Checkin || url,doc.emergingthreats.net/2008020 +1 || 2008021 || 3 || trojan-activity || 0 || ET TROJAN Turkojan C&C Initial Checkin (ams) || url,doc.emergingthreats.net/2008021 +1 || 2008022 || 4 || trojan-activity || 0 || ET TROJAN Turkojan C&C Info Command (MINFO) || url,doc.emergingthreats.net/2008022 +1 || 2008023 || 5 || trojan-activity || 0 || ET TROJAN Turkojan C&C Info Command Response (MINFO) || url,doc.emergingthreats.net/2008023 +1 || 2008024 || 4 || trojan-activity || 0 || ET TROJAN Turkojan C&C Logs Parse Command (LOGS1) || url,doc.emergingthreats.net/2008024 +1 || 2008025 || 3 || trojan-activity || 0 || ET TROJAN Turkojan C&C Logs Parse Response Response (LOGS1) || url,doc.emergingthreats.net/2008025 +1 || 2008026 || 3 || trojan-activity || 0 || ET TROJAN Turkojan C&C Keepalive (BAGLANTI) || url,doc.emergingthreats.net/2008026 +1 || 2008027 || 3 || trojan-activity || 0 || ET TROJAN Turkojan C&C Browse Drive Command (BROWSC) || url,doc.emergingthreats.net/2008027 +1 || 2008028 || 3 || trojan-activity || 0 || ET TROJAN Turkojan C&C Browse Drive Command Response (metin) || url,doc.emergingthreats.net/2008028 +1 || 2008029 || 3 || trojan-activity || 0 || ET TROJAN Turkojan C&C nxt Command (nxt) || url,doc.emergingthreats.net/2008029 +1 || 2008030 || 3 || trojan-activity || 0 || ET TROJAN Turkojan C&C nxt Command Response (nxt) || url,doc.emergingthreats.net/2008030 +1 || 2008031 || 3 || trojan-activity || 0 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound || url,doc.emergingthreats.net/2008031 +1 || 2008032 || 3 || trojan-activity || 0 || ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound || url,doc.emergingthreats.net/2008032 +1 || 2008033 || 5 || trojan-activity || 0 || ET TROJAN Banker.maf SMTP Checkin (Not in the Control...) || url,doc.emergingthreats.net/2008033 +1 || 2008034 || 6 || trojan-activity || 0 || ET TROJAN LDPinch SMTP Password Report || url,doc.emergingthreats.net/2008034 +1 || 2008035 || 6 || trojan-activity || 0 || ET TROJAN System.Poser HTTP Checkin || url,doc.emergingthreats.net/2008035 +1 || 2008036 || 9 || trojan-activity || 0 || ET MALWARE 360safe.com related Fake Security Product Update || url,doc.emergingthreats.net/bin/view/Main/2008036 +1 || 2008037 || 8 || policy-violation || 0 || ET POLICY Gteko User-Agent Detected - Dell Remote Access || url,doc.emergingthreats.net/bin/view/Main/Windows98UA +1 || 2008038 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (Mozilla/4.0 (compatible ICS)) || url,doc.emergingthreats.net/bin/view/Main/2008038 +1 || 2008039 || 3 || trojan-activity || 0 || ET TROJAN Egspy Infection Report Email || url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410 || url,doc.emergingthreats.net/2008039 +1 || 2008040 || 7 || trojan-activity || 0 || ET MALWARE Privacyprotector Related Spyware User-Agent (Ssol NetInstaller) || url,doc.emergingthreats.net/2008040 +1 || 2008041 || 4 || trojan-activity || 0 || ET TROJAN Hupigon CnC init (variant abb) || url,doc.emergingthreats.net/2008041 +1 || 2008042 || 3 || trojan-activity || 0 || ET TROJAN Hupigon CnC Data Post (variant abb) || url,doc.emergingthreats.net/2008042 +1 || 2008043 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (c \windows) || url,doc.emergingthreats.net/bin/view/Main/2008043 +1 || 2008044 || 8 || trojan-activity || 0 || ET TROJAN Delf Checkin via HTTP (5) || url,doc.emergingthreats.net/2008044 +1 || 2008046 || 7 || trojan-activity || 0 || ET TROJAN Rf-cheats.ru Trojan Related User-Agent (RFRudokop v.1.1 account verification) || url,doc.emergingthreats.net/2008046 +1 || 2008047 || 7 || trojan-activity || 0 || ET TROJAN Egspy Infection Report via HTTP || url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410 || url,doc.emergingthreats.net/2008047 +1 || 2008048 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Version 1.23) || url,doc.emergingthreats.net/bin/view/Main/2008048 +1 || 2008049 || 5 || trojan-activity || 0 || ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin || url,doc.emergingthreats.net/2008049 +1 || 2008051 || 4 || not-suspicious || 0 || ET POLICY Dell MyWay Remote control agent || url,doc.emergingthreats.net/2008051 +1 || 2008052 || 10 || trojan-activity || 0 || ET MALWARE User-Agent (Internet Explorer) || url,doc.emergingthreats.net/bin/view/Main/2008052 +1 || 2008054 || 7 || bad-unknown || 0 || ET DELETED Nginx Server in use - Often Hostile Traffic || url,doc.emergingthreats.net/2008054 +1 || 2008055 || 3 || trojan-activity || 0 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC || url,doc.emergingthreats.net/2008055 +1 || 2008056 || 4 || trojan-activity || 0 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC packet 2 || url,doc.emergingthreats.net/2008056 +1 || 2008057 || 2 || trojan-activity || 0 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response || url,doc.emergingthreats.net/2008057 +1 || 2008058 || 6 || trojan-activity || 0 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443 || url,doc.emergingthreats.net/2008058 +1 || 2008059 || 4 || trojan-activity || 0 || ET DELETED Win32.Inject.ajq Initial Checkin to CnC packet 2 port 443 || url,doc.emergingthreats.net/2008059 +1 || 2008060 || 2 || trojan-activity || 0 || ET TROJAN Win32.Inject.ajq Initial Checkin to CnC Response port 443 || url,doc.emergingthreats.net/2008060 +1 || 2008061 || 5 || trojan-activity || 0 || ET DELETED LDPinch Checkin (4) || url,doc.emergingthreats.net/2008061 +1 || 2008062 || 9 || web-application-attack || 0 || ET ACTIVEX Universal HTTP File Upload Remote File Deletetion || url,www.milw0rm.com/exploits/5272 || url,doc.emergingthreats.net/2008062 +1 || 2008063 || 3 || successful-user || 0 || ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit || url,www.milw0rm.com/exploits/5248 || bugtraq,28245 || url,doc.emergingthreats.net/bin/view/Main/2008063 || cve,2008-1358 +1 || 2008064 || 6 || bad-unknown || 0 || ET DELETED Nginx Server with no version string - Often Hostile Traffic || url,doc.emergingthreats.net/2008064 +1 || 2008065 || 5 || bad-unknown || 0 || ET POLICY Nginx Server with modified version string - Often Hostile Traffic || url,doc.emergingthreats.net/2008065 +1 || 2008066 || 7 || trojan-activity || 0 || ET MALWARE Blank User-Agent (descriptor but no string) || url,doc.emergingthreats.net/bin/view/Main/2008066 +1 || 2008067 || 4 || trojan-activity || 0 || ET MALWARE Kwsearchguide.com Related Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2008067 +1 || 2008069 || 4 || trojan-activity || 0 || ET MALWARE Kwsearchguide.com Related Spyware Keepalive || url,doc.emergingthreats.net/bin/view/Main/2008069 +1 || 2008070 || 8 || policy-violation || 0 || ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (Win98) || url,doc.emergingthreats.net/bin/view/Main/Windows98UA +1 || 2008071 || 6 || trojan-activity || 0 || ET TROJAN Delf Checkin via HTTP (6) || url,doc.emergingthreats.net/2008071 +1 || 2008073 || 13 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (App4) || url,doc.emergingthreats.net/bin/view/Main/2008073 +1 || 2008074 || 8 || trojan-activity || 0 || ET TROJAN Banload User-Agent Detected (WebUpdate) || url,doc.emergingthreats.net/2008074 +1 || 2008076 || 5 || trojan-activity || 0 || ET TROJAN General Downloader URL Pattern (/loader/setup.php) || url,doc.emergingthreats.net/2008076 +1 || 2008081 || 3 || trojan-activity || 0 || ET TROJAN Xorer.ez HTTP Checkin to CnC || url,doc.emergingthreats.net/2008081 +1 || 2008082 || 3 || trojan-activity || 0 || ET TROJAN Vundo HTTP Post-Install Checkin (2) || url,doc.emergingthreats.net/2008082 +1 || 2008083 || 13 || trojan-activity || 0 || ET DELETED Suspicious User Agent (Zlob Related) (UA00000) || url,doc.emergingthreats.net/2008083 +1 || 2008084 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Mozilla-web) || url,doc.emergingthreats.net/bin/view/Main/2008084 +1 || 2008085 || 10 || trojan-activity || 0 || ET MALWARE Alexa Search Toolbar User-Agent 2 (Alexa Toolbar) || url,doc.emergingthreats.net/2008085 +1 || 2008086 || 5 || trojan-activity || 0 || ET TROJAN Daemonize.ft HTTP Checkin || url,doc.emergingthreats.net/2008086 +1 || 2008087 || 5 || trojan-activity || 0 || ET TROJAN Downloader.VB.CEJ HTTP Checkin || url,doc.emergingthreats.net/2008087 +1 || 2008090 || 6 || trojan-activity || 0 || ET TROJAN Delf Checkin via HTTP (7) || url,doc.emergingthreats.net/2008090 +1 || 2008091 || 5 || trojan-activity || 0 || ET DELETED LDPinch Checkin (8) || url,doc.emergingthreats.net/2008091 +1 || 2008092 || 3 || attempted-recon || 0 || ET SCAN Internal to Internal UPnP Request tcp port 2555 || url,www.upnp-hacks.org/upnp.html || url,doc.emergingthreats.net/2008092 +1 || 2008093 || 5 || attempted-recon || 0 || ET SCAN External to Internal UPnP Request tcp port 2555 || url,www.upnp-hacks.org/upnp.html || url,doc.emergingthreats.net/2008093 +1 || 2008094 || 4 || attempted-recon || 0 || ET SCAN External to Internal UPnP Request udp port 1900 || url,www.upnp-hacks.org/upnp.html || url,doc.emergingthreats.net/2008094 +1 || 2008096 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (INSTALLER) || url,doc.emergingthreats.net/bin/view/Main/2008096 +1 || 2008097 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (IEMGR) || url,doc.emergingthreats.net/bin/view/Main/2008097 +1 || 2008098 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (GOOGLE) || url,doc.emergingthreats.net/bin/view/Main/2008098 +1 || 2008099 || 8 || web-application-attack || 0 || ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite || bugtraq,28546 || url,www.milw0rm.com/exploits/5338 || url,doc.emergingthreats.net/2008099 +1 || 2008100 || 11 || trojan-activity || 0 || ET TROJAN PRG/wnspoem/Zeus InfoStealer Trojan Config Download || url,doc.emergingthreats.net/2008100 +1 || 2008103 || 4 || trojan-activity || 0 || ET DELETED Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor +1 || 2008104 || 3 || trojan-activity || 0 || ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor +1 || 2008105 || 3 || trojan-activity || 0 || ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor +1 || 2008106 || 3 || trojan-activity || 0 || ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor +1 || 2008107 || 4 || trojan-activity || 0 || ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor +1 || 2008108 || 4 || trojan-activity || 0 || ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor +1 || 2008109 || 3 || trojan-activity || 0 || ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor +1 || 2008110 || 4 || trojan-activity || 0 || ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound || url,doc.emergingthreats.net/bin/view/Main/OdeRoor +1 || 2008113 || 3 || policy-violation || 0 || ET P2P Tor Get Server Request || url,tor.eff.org || url,doc.emergingthreats.net/2008113 +1 || 2008115 || 3 || policy-violation || 0 || ET P2P Tor Get Status Request || url,tor.eff.org || url,doc.emergingthreats.net/2008115 +1 || 2008116 || 3 || policy-violation || 0 || ET TFTP Outbound TFTP Write Request || url,doc.emergingthreats.net/2008116 +1 || 2008117 || 3 || policy-violation || 0 || ET TFTP Outbound TFTP Data Transfer || url,doc.emergingthreats.net/2008117 +1 || 2008118 || 3 || policy-violation || 0 || ET TFTP Outbound TFTP ACK || url,doc.emergingthreats.net/2008118 +1 || 2008119 || 3 || policy-violation || 0 || ET TFTP Outbound TFTP Error Message || url,doc.emergingthreats.net/2008119 +1 || 2008120 || 3 || policy-violation || 0 || ET TFTP Outbound TFTP Read Request || url,doc.emergingthreats.net/2008120 +1 || 2008123 || 7 || trojan-activity || 0 || ET TROJAN Likely Bot Username in IRC (XP-..) || url,doc.emergingthreats.net/2008123 +1 || 2008124 || 5 || trojan-activity || 0 || ET TROJAN Likely Bot Nick in IRC (USA +..) || url,doc.emergingthreats.net/2008124 +1 || 2008126 || 8 || web-application-attack || 0 || ET ACTIVEX IBiz E-Banking Integrator V2 ActiveX Edition Insecure Method || url,www.milw0rm.com/exploits/5416 || url,doc.emergingthreats.net/2008126 +1 || 2008127 || 10 || web-application-attack || 0 || ET ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods || bugtraq,24959 || cve,CVE-2007-3883 || url,www.exploit-db.com/exploits/5395/ || url,doc.emergingthreats.net/2008127 +1 || 2008128 || 9 || web-application-attack || 0 || ET ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit || bugtraq,28662 || url,www.milw0rm.com/exploits/5398 || url,doc.emergingthreats.net/2008128 +1 || 2008129 || 7 || web-application-attack || 0 || ET ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite || url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html || bugtraq,28442 || cve,CVE-2008-1605 || url,doc.emergingthreats.net/2008129 +1 || 2008130 || 5 || trojan-activity || 0 || ET TROJAN Win32.Lydra.hj HTTP Checkin || url,doc.emergingthreats.net/2008130 +1 || 2008132 || 5 || trojan-activity || 0 || ET TROJAN Common Downloader Access Count Tracking URL || url,doc.emergingthreats.net/2008132 +1 || 2008133 || 5 || trojan-activity || 0 || ET TROJAN Common Downloader Install Count Tracking URL || url,doc.emergingthreats.net/2008133 +1 || 2008134 || 8 || trojan-activity || 0 || ET TROJAN Common Downloader Install Count Tracking URL (partner) || url,doc.emergingthreats.net/2008134 || url,www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403 +1 || 2008135 || 4 || trojan-activity || 0 || ET MALWARE Soft-Show.cn Related Fake AV Install || url,doc.emergingthreats.net/bin/view/Main/2008135 +1 || 2008136 || 5 || trojan-activity || 0 || ET TROJAN Egspy Install Report via HTTP || url,doc.emergingthreats.net/2008136 +1 || 2008139 || 7 || trojan-activity || 0 || ET TROJAN RhiFrem Trojan Activity - cmd || url,www.castlecops.com/U_S_Courts_phish792683.html || url,doc.emergingthreats.net/2008139 +1 || 2008140 || 8 || trojan-activity || 0 || ET TROJAN RhiFrem Trojan Activity - log || url,www.castlecops.com/U_S_Courts_phish792683.html || url,doc.emergingthreats.net/2008140 +1 || 2008141 || 8 || trojan-activity || 0 || ET MALWARE Win-touch.com Spyware User-Agent (WinTouch) || url,doc.emergingthreats.net/2008141 +1 || 2008142 || 4 || trojan-activity || 0 || ET TROJAN Vapsup User-Agent (doshowmeanad loader v2.1) || url,doc.emergingthreats.net/2008142 +1 || 2008143 || 5 || trojan-activity || 0 || ET DELETED Downloader Checkin Pattern Used by Several Trojans || url,doc.emergingthreats.net/2008143 +1 || 2008144 || 6 || trojan-activity || 0 || ET TROJAN Proxy.Corpes.j Infection Report || url,doc.emergingthreats.net/2008144 +1 || 2008145 || 7 || trojan-activity || 0 || ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRInstaller) || url,doc.emergingthreats.net/2008145 +1 || 2008146 || 7 || trojan-activity || 0 || ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SpeedRunner) || url,doc.emergingthreats.net/2008146 +1 || 2008147 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (RBR) || url,doc.emergingthreats.net/bin/view/Main/2008147 +1 || 2008148 || 4 || trojan-activity || 0 || ET MALWARE Soft-Show.cn Related Fake AV Install Ad Pull || url,doc.emergingthreats.net/bin/view/Main/2008148 +1 || 2008149 || 8 || trojan-activity || 0 || ET MALWARE 360safe.com related Fake Security Product Update (KillerSet) || url,doc.emergingthreats.net/bin/view/Main/2008149 +1 || 2008150 || 7 || trojan-activity || 0 || ET MALWARE Avsystemcare.com Fake AV User-Agent (LocusSoftware, NetInstaller) || url,doc.emergingthreats.net/2008150 +1 || 2008151 || 7 || trojan-activity || 0 || ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRRecover) || url,doc.emergingthreats.net/2008151 +1 || 2008152 || 6 || trojan-activity || 0 || ET TROJAN Pakes/Cutwail/Kobcka Checkin URL || url,doc.emergingthreats.net/2008152 +1 || 2008153 || 5 || trojan-activity || 0 || ET TROJAN Citi-bank.ru Related Trojan Checkin || url,doc.emergingthreats.net/2008153 +1 || 2008155 || 4 || trojan-activity || 0 || ET TROJAN Trats.a Post-Infection Checkin || url,doc.emergingthreats.net/2008155 +1 || 2008156 || 4 || trojan-activity || 0 || ET TROJAN Hupigon User Agent Detected (VIP2007) || url,doc.emergingthreats.net/2008156 +1 || 2008157 || 6 || trojan-activity || 0 || ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin || url,doc.emergingthreats.net/bin/view/Main/2008157 +1 || 2008158 || 5 || trojan-activity || 0 || ET MALWARE Sidelinker.com-Upspider.com Spyware Count || url,doc.emergingthreats.net/bin/view/Main/2008158 +1 || 2008159 || 4 || trojan-activity || 0 || ET TROJAN Otwycal User-Agent (Downing) || url,doc.emergingthreats.net/2008159 +1 || 2008170 || 8 || web-application-attack || 0 || ET WEB_CLIENT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability || bugtraq,28581 || url,doc.emergingthreats.net/bin/view/Main/2008170 +1 || 2008171 || 7 || web-application-attack || 0 || ET WEB_SERVER HP OpenView Network Node Manager CGI Directory Traversal || bugtraq,28745 || cve,CVE-2008-0068 || url,aluigi.altervista.org/adv/closedviewx-adv.txt || url,doc.emergingthreats.net/2008171 +1 || 2008173 || 8 || web-application-attack || 0 || ET ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability || bugtraq,25502 || url,doc.emergingthreats.net/2008173 +1 || 2008174 || 8 || trojan-activity || 0 || ET DELETED Generic Spambot (often Tibs) Post-Infection Checkin || url,doc.emergingthreats.net/2008174 +1 || 2008175 || 5 || attempted-admin || 0 || ET WEB_SERVER Possible SQL Injection (varchar) || url,doc.emergingthreats.net/2008175 +1 || 2008176 || 6 || attempted-admin || 0 || ET WEB_SERVER Possible SQL Injection (exec) || url,doc.emergingthreats.net/2008176 +1 || 2008177 || 5 || trojan-activity || 0 || ET TROJAN Ceckno Reporting to Controller || url,doc.emergingthreats.net/2008177 +1 || 2008178 || 3 || trojan-activity || 0 || ET TROJAN Ceckno Keepalive from Controller || url,doc.emergingthreats.net/2008178 +1 || 2008179 || 3 || not-suspicious || 0 || ET SCAN PRO Search Crawler Probe || url,sourceforge.net/project/showfiles.php?group_id=149797 || url,doc.emergingthreats.net/2008179 +1 || 2008180 || 6 || trojan-activity || 0 || ET MALWARE V-Clean.com Fake AV Checkin || url,doc.emergingthreats.net/bin/view/Main/2008180 +1 || 2008181 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (MS Internet Explorer) || url,doc.emergingthreats.net/bin/view/Main/2008181 +1 || 2008182 || 8 || trojan-activity || 0 || ET TROJAN Common Downloader Install Report URL || url,doc.emergingthreats.net/2008182 +1 || 2008183 || 7 || trojan-activity || 0 || ET TROJAN Common Downloader Install Report URL (pid - mac) || url,doc.emergingthreats.net/2008183 +1 || 2008184 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Installer) || url,doc.emergingthreats.net/bin/view/Main/2008184 +1 || 2008185 || 4 || trojan-activity || 0 || ET TROJAN Win32 Cloaker Related Post Infection Checkin || url,doc.emergingthreats.net/2008185 +1 || 2008186 || 4 || web-application-attack || 0 || ET SCAN DirBuster Web App Scan in Progress || url,owasp.org || url,doc.emergingthreats.net/2008186 +1 || 2008187 || 8 || attempted-recon || 0 || ET SCAN Paros Proxy Scanner Detected || url,www.parosproxy.org || url,doc.emergingthreats.net/2008187 +1 || 2008189 || 5 || trojan-activity || 0 || ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin || url,doc.emergingthreats.net/2008189 || url,www.secureworks.com/research/threats/botnets2009/ || url,securitylabs.websense.com/content/Blogs/2721.aspx +1 || 2008190 || 7 || trojan-activity || 0 || ET MALWARE WinButler User-Agent (WinButler) || url,www.winbutler.com || url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html || url,doc.emergingthreats.net/2008190 +1 || 2008192 || 3 || trojan-activity || 0 || ET WORM Korgo.P Reporting || url,www.f-secure.com/v-descs/korgo_p.shtml || url,doc.emergingthreats.net/2008192 +1 || 2008194 || 6 || trojan-activity || 0 || ET TROJAN Common Downloader Install Report URL (wmid - ucid) || url,doc.emergingthreats.net/2008194 +1 || 2008195 || 5 || trojan-activity || 0 || ET TROJAN Dropper mdodo.com Related Trojan || url,doc.emergingthreats.net/2008195 +1 || 2008196 || 5 || trojan-activity || 0 || ET TROJAN Dropper 6dzone.com Related Trojan || url,doc.emergingthreats.net/2008196 +1 || 2008197 || 5 || trojan-activity || 0 || ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin || url,doc.emergingthreats.net/bin/view/Main/2008197 +1 || 2008198 || 7 || trojan-activity || 0 || ET MALWARE Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus) || url,www.pcclear.com || url,www.pcclear.co.kr || url,doc.emergingthreats.net/2008198 +1 || 2008199 || 17 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (QQ) || url,doc.emergingthreats.net/bin/view/Main/2008199 +1 || 2008200 || 8 || trojan-activity || 0 || ET MALWARE vaccine-program.co.kr Related Spyware User-Agent (vaccine) || url,doc.emergingthreats.net/2008200 +1 || 2008201 || 7 || trojan-activity || 0 || ET MALWARE Sidebar Related Spyware User-Agent (Sidebar Client) || url,doc.emergingthreats.net/2008201 +1 || 2008202 || 7 || trojan-activity || 0 || ET MALWARE UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044) || url,doc.emergingthreats.net/2008202 +1 || 2008203 || 8 || trojan-activity || 0 || ET MALWARE BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr) || url,doc.emergingthreats.net/2008203 +1 || 2008204 || 7 || trojan-activity || 0 || ET MALWARE yeps.co.kr Related User-Agent (ISecu) || url,doc.emergingthreats.net/2008204 +1 || 2008205 || 8 || trojan-activity || 0 || ET MALWARE yeps.co.kr Related User-Agent (ISUpd) || url,doc.emergingthreats.net/2008205 +1 || 2008206 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 || url,doc.emergingthreats.net/bin/view/Main/2008206 +1 || 2008207 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) || url,www.incidents.org/diary.html?storyid=4405 || url,doc.emergingthreats.net/bin/view/Main/2008207 +1 || 2008208 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (TestAgent) || url,doc.emergingthreats.net/bin/view/Main/2008208 +1 || 2008209 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (SERVER2_03) || url,doc.emergingthreats.net/bin/view/Main/2008209 +1 || 2008210 || 8 || trojan-activity || 0 || ET MALWARE Misspelled Mozilla User-Agent (Mozila) || url,doc.emergingthreats.net/bin/view/Main/2008210 +1 || 2008211 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (WinProxy) || url,doc.emergingthreats.net/bin/view/Main/2008211 +1 || 2008212 || 5 || trojan-activity || 0 || ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via Email || url,en.wikipedia.org/wiki/Optix_Pro +1 || 2008213 || 8 || trojan-activity || 0 || ET DELETED LDPinch Checkin (9) || url,doc.emergingthreats.net/2008213 +1 || 2008214 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (sickness29a/0.1) || url,doc.emergingthreats.net/bin/view/Main/2008214 +1 || 2008215 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (up2dash updater) || url,doc.emergingthreats.net/bin/view/Main/2008215 +1 || 2008216 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (NSIS_DOWNLOAD) || url,doc.emergingthreats.net/bin/view/Main/2008216 +1 || 2008218 || 7 || trojan-activity || 0 || ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via HTTP-Email Post || url,en.wikipedia.org/wiki/Optix_Pro || url,doc.emergingthreats.net/2008218 +1 || 2008219 || 6 || trojan-activity || 0 || ET TROJAN Looked.P/Gamania/Delf #108/! Style CnC Checkin || url,doc.emergingthreats.net/bin/view/Main/Win32Looked +1 || 2008220 || 5 || trojan-activity || 0 || ET TROJAN Looked.P/Gamania/Delf #109/! Style CnC Checkin Response from Server || url,doc.emergingthreats.net/bin/view/Main/Win32Looked +1 || 2008221 || 4 || trojan-activity || 0 || ET TROJAN Asprox-style Message ID || url,www.secureworks.com/research/threats/danmecasprox || url,doc.emergingthreats.net/2008221 +1 || 2008222 || 4 || trojan-activity || 0 || ET TROJAN Asprox phishing email detected || url,www.secureworks.com/research/threats/danmecasprox || url,doc.emergingthreats.net/2008222 +1 || 2008223 || 4 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic - Checkin (FYWL) || url,doc.emergingthreats.net/2008223 +1 || 2008224 || 4 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic - Checkin (XYLL) || url,doc.emergingthreats.net/2008224 +1 || 2008225 || 8 || web-application-attack || 0 || ET ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit || url,www.milw0rm.com/exploits/5569 || url,doc.emergingthreats.net/2008225 +1 || 2008226 || 8 || web-application-attack || 0 || ET ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit || bugtraq,28820 || url,www.milw0rm.com/exploits/5460 || url,www.milw0rm.com/exploits/5530 || url,doc.emergingthreats.net/2008226 +1 || 2008228 || 10 || trojan-activity || 0 || ET SCAN Suspicious User-Agent inbound (bot) || url,doc.emergingthreats.net/bin/view/Main/2008228 +1 || 2008230 || 2 || misc-activity || 0 || ET SCAN Behavioral Unusually fast outbound Telnet Connections, Potential Scan or Brute Force || url,www.rapid7.com/nexpose-faq-answer2.htm || url,doc.emergingthreats.net/2008230 +1 || 2008231 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Mozilla 1.02.45 biz) || url,doc.emergingthreats.net/bin/view/Main/2008231 +1 || 2008232 || 5 || trojan-activity || 0 || ET TROJAN Generic Spambot (often Tibs) Post-Infection Checkin (justcount.net likely) || url,doc.emergingthreats.net/2008232 +1 || 2008233 || 12 || trojan-activity || 0 || ET TROJAN Common Downloader Install Report URL (farfly checkin) || url,doc.emergingthreats.net/2008233 +1 || 2008236 || 3 || trojan-activity || 0 || ET TROJAN Fake.Googlebar or Softcash.org Related Post-Infection Checkin || url,doc.emergingthreats.net/2008236 +1 || 2008237 || 3 || trojan-activity || 0 || ET TROJAN Pass Stealer FTP Upload || url,doc.emergingthreats.net/2008237 +1 || 2008238 || 4 || policy-violation || 0 || ET POLICY Hotmail Inbox Access || url,doc.emergingthreats.net/2008238 +1 || 2008239 || 4 || policy-violation || 0 || ET POLICY Hotmail Message Access || url,doc.emergingthreats.net/2008239 +1 || 2008240 || 4 || policy-violation || 0 || ET POLICY Hotmail Compose Message Access || url,doc.emergingthreats.net/2008240 +1 || 2008241 || 5 || policy-violation || 0 || ET DELETED Hotmail Compose Message Submit || url,doc.emergingthreats.net/2008241 +1 || 2008242 || 4 || policy-violation || 0 || ET POLICY Hotmail Access Full Mode || url,doc.emergingthreats.net/2008242 +1 || 2008243 || 5 || trojan-activity || 0 || ET TROJAN my247eshop.com User-Agent || url,doc.emergingthreats.net/2008243 +1 || 2008244 || 5 || trojan-activity || 0 || ET TROJAN ProxyBot Phone Home Traffic || url,doc.emergingthreats.net/2008244 +1 || 2008245 || 5 || trojan-activity || 0 || ET DELETED Juicopotomous to Controller || url,doc.emergingthreats.net/2008245 +1 || 2008246 || 4 || trojan-activity || 0 || ET DELETED Juicopotomous ack from Controller || url,doc.emergingthreats.net/2008246 +1 || 2008247 || 5 || trojan-activity || 0 || ET DELETED Juicopotomous ack to Controller || url,doc.emergingthreats.net/2008247 +1 || 2008248 || 5 || trojan-activity || 0 || ET TROJAN Cashout Proxy Bot reg_DST || url,doc.emergingthreats.net/2008248 +1 || 2008249 || 4 || trojan-activity || 0 || ET TROJAN Knockbot Proxy Checkin || url,doc.emergingthreats.net/2008249 +1 || 2008250 || 3 || trojan-activity || 0 || ET TROJAN Winspywareprotect.com Fake AV/Anti-Spyware Install Checkin || url,doc.emergingthreats.net/2008250 +1 || 2008251 || 3 || trojan-activity || 0 || ET TROJAN Winspywareprotect.com Fake AV/Anti-Spyware Secondary Checkin || url,doc.emergingthreats.net/2008251 +1 || 2008253 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (chek) || url,doc.emergingthreats.net/bin/view/Main/2008253 +1 || 2008254 || 4 || trojan-activity || 0 || ET TROJAN Vipdataend/Ceckno C&C Traffic - Checkin || url,doc.emergingthreats.net/2008254 +1 || 2008255 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (IE) || url,doc.emergingthreats.net/bin/view/Main/2008255 +1 || 2008256 || 7 || trojan-activity || 0 || ET TROJAN Banload HTTP Checkin Detected (envia.php) || url,doc.emergingthreats.net/2008256 +1 || 2008257 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Nimo Software HTTP Retriever 1.0) || url,doc.emergingthreats.net/bin/view/Main/2008257 +1 || 2008258 || 3 || trojan-activity || 0 || ET TROJAN Hupigon CnC Communication (variant bysj) || url,doc.emergingthreats.net/2008258 +1 || 2008259 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (AutoHotkey) || url,doc.emergingthreats.net/bin/view/Main/2008259 +1 || 2008260 || 5 || trojan-activity || 0 || ET TROJAN Pointpack.kr Related Trojan Checkin || url,doc.emergingthreats.net/2008260 +1 || 2008261 || 4 || trojan-activity || 0 || ET TROJAN Common Spambot HTTP Checkin || url,doc.emergingthreats.net/2008261 +1 || 2008262 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (WebForm 1) || url,doc.emergingthreats.net/bin/view/Main/2008262 +1 || 2008263 || 13 || trojan-activity || 0 || ET TROJAN DNS Changer HTTP Post Checkin || url,doc.emergingthreats.net/2008263 +1 || 2008264 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (opera) || url,doc.emergingthreats.net/bin/view/Main/2008264 +1 || 2008266 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Zilla) || url,doc.emergingthreats.net/bin/view/Main/2008266 +1 || 2008267 || 8 || trojan-activity || 0 || ET TROJAN Banker.JU Related HTTP Post-infection Checkin || url,doc.emergingthreats.net/2008267 +1 || 2008268 || 9 || trojan-activity || 0 || ET DELETED Delf Checkin via HTTP (8) || url,doc.emergingthreats.net/2008268 +1 || 2008269 || 3 || trojan-activity || 0 || ET TROJAN Emogen Infection Checkin Initial Packet || url,doc.emergingthreats.net/2008269 +1 || 2008270 || 3 || trojan-activity || 0 || ET TROJAN Emogen Infection Checkin CnC Keepalive || url,doc.emergingthreats.net/2008270 +1 || 2008271 || 9 || trojan-activity || 0 || ET TROJAN DMSpammer HTTP Post Checkin || url,doc.emergingthreats.net/2008271 +1 || 2008273 || 4 || trojan-activity || 0 || ET TROJAN Bifrose Connect to Controller || url,doc.emergingthreats.net/2008273 +1 || 2008274 || 4 || trojan-activity || 0 || ET TROJAN Bifrose Response from Controller || url,doc.emergingthreats.net/2008274 +1 || 2008275 || 5 || trojan-activity || 0 || ET TROJAN Hitpop Checkin || url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf || url,doc.emergingthreats.net/2008275 +1 || 2008276 || 14 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (contains loader) || url,doc.emergingthreats.net/bin/view/Main/2008276 +1 || 2008277 || 7 || trojan-activity || 0 || ET TROJAN Pakes Winifixer.com Related Checkin URL || url,doc.emergingthreats.net/2008277 +1 || 2008278 || 3 || trojan-activity || 0 || ET DELETED Generic Raider Obfuscated VBScript || url,bbs.duba.net/viewthread.php?tid=21892104&page=1&extra=page=1 || url,doc.emergingthreats.net/2008278 +1 || 2008279 || 9 || trojan-activity || 0 || ET MALWARE ZenoSearch Spyware User-Agent || url,doc.emergingthreats.net/2008279 +1 || 2008280 || 6 || trojan-activity || 0 || ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL || url,doc.emergingthreats.net/2008280 +1 || 2008282 || 5 || trojan-activity || 0 || ET TROJAN Antispywaremaster.com Fake AV Checkin || url,doc.emergingthreats.net/2008282 +1 || 2008283 || 9 || trojan-activity || 0 || ET TROJAN Banload HTTP Checkin Detected (quem=) || url,doc.emergingthreats.net/2008283 +1 || 2008284 || 3 || misc-activity || 0 || ET POLICY Inbound HTTP CONNECT Attempt on Off-Port || url,doc.emergingthreats.net/2008284 +1 || 2008285 || 2 || trojan-activity || 0 || ET TROJAN RLPacked Binary - Likely Hostile || url,rlpack.jezgra.net || url,www.teamfurry.com/wordpress/2007/04/01/unpacking-rlpack/ || url,doc.emergingthreats.net/2008285 +1 || 2008289 || 5 || policy-violation || 0 || ET CHAT Possible MSN Messenger File Transfer || url,www.hypothetic.org/docs/msn/client/file_transfer.php || url,doc.emergingthreats.net/2008289 +1 || 2008291 || 3 || trojan-activity || 0 || ET TROJAN Win32.Onlinegames.ajok CnC Packet to Server || url,doc.emergingthreats.net/2008291 +1 || 2008292 || 3 || trojan-activity || 0 || ET TROJAN Win32.Onlinegames.ajok CnC Packet from Server || url,doc.emergingthreats.net/2008292 +1 || 2008294 || 7 || trojan-activity || 0 || ET MALWARE AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater) || url,doc.emergingthreats.net/2008294 +1 || 2008295 || 6 || policy-violation || 0 || ET CHAT Gadu-Gadu IM Login Server Request || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008295 +1 || 2008297 || 4 || policy-violation || 0 || ET CHAT GaduGadu Chat Server Welcome Packet || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008297 +1 || 2008298 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat Client Login Packet || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008298 +1 || 2008299 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat Server Login OK Packet || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008299 +1 || 2008300 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat Server Login Failed Packet || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008300 +1 || 2008301 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat Server Available Status Packet || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008301 +1 || 2008302 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat Send Message || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008302 +1 || 2008303 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat Receive Message || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008303 +1 || 2008304 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat Keepalive PING || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008304 +1 || 2008305 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat Keepalive PONG || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008305 +1 || 2008306 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat File Send Request || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008306 +1 || 2008307 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat File Send Details || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008307 +1 || 2008308 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat File Send Accept || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008308 +1 || 2008309 || 3 || policy-violation || 0 || ET CHAT GaduGadu Chat File Send Begin || url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html || url,doc.emergingthreats.net/2008309 +1 || 2008310 || 2 || trojan-activity || 0 || ET TROJAN Codesoft PW Stealer Email Report Outbound || url,doc.emergingthreats.net/2008310 +1 || 2008311 || 5 || attempted-recon || 0 || ET SCAN Watchfire AppScan Web App Vulnerability Scanner || url,www.watchfire.com/products/appscan/default.aspx || url,doc.emergingthreats.net/2008311 +1 || 2008312 || 4 || attempted-recon || 0 || ET SCAN DEBUG Method Request with Command || url,doc.emergingthreats.net/2008312 +1 || 2008313 || 7 || web-application-attack || 0 || ET WEB_CLIENT Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related || url,doc.emergingthreats.net/bin/view/Main/2008313 +1 || 2008314 || 7 || web-application-attack || 0 || ET WEB_CLIENT Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related || url,doc.emergingthreats.net/bin/view/Main/2008314 +1 || 2008315 || 6 || web-application-attack || 0 || ET DELETED Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related || url,doc.emergingthreats.net/bin/view/Main/2008315 +1 || 2008317 || 9 || trojan-activity || 0 || ET TROJAN Hitpop.AG/Pophot.az HTTP Checkin || url,doc.emergingthreats.net/2008317 +1 || 2008318 || 5 || trojan-activity || 0 || ET MALWARE Adaware.BarACE Checkin and Update || url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2 || url,doc.emergingthreats.net/bin/view/Main/2008318 +1 || 2008319 || 6 || trojan-activity || 0 || ET TROJAN Win32.Small.wpx or Related Downloader Posting Data || url,doc.emergingthreats.net/2008319 +1 || 2008320 || 2 || trojan-activity || 0 || ET TROJAN Banload Gadu-Gadu CnC Message Detected || url,doc.emergingthreats.net/2008320 +1 || 2008321 || 3 || trojan-activity || 0 || ET TROJAN Win32.Small.AB or related Post-infection checkin || url,doc.emergingthreats.net/2008321 +1 || 2008322 || 10 || trojan-activity || 0 || ET TROJAN FraudLoad.aww HTTP CnC Post || url,doc.emergingthreats.net/2008322 +1 || 2008324 || 6 || trojan-activity || 0 || ET TROJAN Zalupko/Koceg/Mandaph manda.php Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,doc.emergingthreats.net/2008324 +1 || 2008326 || 7 || trojan-activity || 0 || ET TROJAN Banker Infostealer/PRG POST on High Port || url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf || url,doc.emergingthreats.net/2008326 +1 || 2008327 || 2 || trojan-activity || 0 || ET TROJAN Perfect Keylogger FTP Initial Install Log Upload (Null obfuscated) || url,doc.emergingthreats.net/2008327 +1 || 2008328 || 7 || trojan-activity || 0 || ET DELETED Banload iLLBrain Trojan Activity || url,doc.emergingthreats.net/2008328 +1 || 2008329 || 5 || trojan-activity || 0 || ET TROJAN xpsecuritycenter.com Fake AntiVirus GET-Install Checkin || url,www.symantec.com/security_response/writeup.jsp?docid=2008-051910-0118-99&tabid=1 || url,doc.emergingthreats.net/2008329 +1 || 2008330 || 11 || misc-activity || 0 || ET POLICY HTTP CONNECT Tunnel Attempt Outbound || url,doc.emergingthreats.net/2008330 +1 || 2008331 || 8 || trojan-activity || 0 || ET TROJAN Banker/Banbra Variant POST via x-www-form-urlencoded || url,doc.emergingthreats.net/2008331 +1 || 2008332 || 2 || trojan-activity || 0 || ET TROJAN Steam Pass Stealer FTP Upload || url,doc.emergingthreats.net/2008332 +1 || 2008333 || 4 || trojan-activity || 0 || ET TROJAN Lop.gfr/Swizzor HTTP Update/Checkin (usually host-domain-lookup.com related) || url,doc.emergingthreats.net/2008333 +1 || 2008334 || 9 || trojan-activity || 0 || ET TROJAN Beizhu/Womble/Vipdataend Checking in with Controller || url,doc.emergingthreats.net/2008334 +1 || 2008335 || 7 || trojan-activity || 0 || ET TROJAN Beizhu/Womble/Vipdataend Controller Keepalive || url,doc.emergingthreats.net/2008335 +1 || 2008336 || 6 || policy-violation || 0 || ET POLICY Eurobarre.us Setup User-Agent || url,doc.emergingthreats.net/2008336 +1 || 2008338 || 9 || trojan-activity || 0 || ET TROJAN KLog Nick Keylogger Checkin || url,doc.emergingthreats.net/2008338 +1 || 2008339 || 4 || trojan-activity || 0 || ET TROJAN Keypack.co.kr Related Trojan User-Agent Detected || url,doc.emergingthreats.net/2008339 +1 || 2008340 || 10 || trojan-activity || 0 || ET TROJAN Lost Door Checkin || url,doc.emergingthreats.net/2008340 +1 || 2008341 || 4 || trojan-activity || 0 || ET TROJAN Themida Packed Binary - Likely Hostile || url,www.oreans.com/themida.php || url,cwsandbox.org/?page=samdet&id=164533&password=wnnpi || url,doc.emergingthreats.net/2008341 +1 || 2008342 || 11 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (ld) || url,doc.emergingthreats.net/bin/view/Main/2008342 +1 || 2008343 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (123) || url,doc.emergingthreats.net/bin/view/Main/2008343 +1 || 2008344 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (DownloadNetFile) || url,doc.emergingthreats.net/bin/view/Main/2008344 +1 || 2008345 || 5 || trojan-activity || 0 || ET TROJAN Dialer.Trojan Activity || url,doc.emergingthreats.net/2008345 +1 || 2008346 || 6 || trojan-activity || 0 || ET DELETED Mitglieder Checkin || url,doc.emergingthreats.net/2008346 +1 || 2008347 || 8 || successful-recon-limited || 0 || ET TROJAN Swizzor Checkin || url,doc.emergingthreats.net/2008347 +1 || 2008348 || 2 || trojan-activity || 0 || ET TROJAN SC-KeyLog Keylogger Installed - Sending Log Email Report || url,www.soft-central.net/keylog.php || url,doc.emergingthreats.net/2008348 +1 || 2008349 || 9 || trojan-activity || 0 || ET DELETED Injecter Checkin || url,doc.emergingthreats.net/2008349 +1 || 2008350 || 7 || policy-violation || 0 || ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile || url,doc.emergingthreats.net/bin/view/Main/2008350 +1 || 2008351 || 4 || policy-violation || 0 || ET POLICY ICP Email Send via HTTP - Often Trojan Install Reports || url,doc.emergingthreats.net/2008351 +1 || 2008352 || 9 || trojan-activity || 0 || ET TROJAN CoreFlooder.Q Data Posting || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ || url,doc.emergingthreats.net/2008352 +1 || 2008353 || 8 || trojan-activity || 0 || ET TROJAN CoreFlooder.Q C&C Checkin || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ || url,doc.emergingthreats.net/2008353 +1 || 2008354 || 4 || trojan-activity || 0 || ET DELETED LDPinch Checkin on Port 82 || url,doc.emergingthreats.net/2008354 +1 || 2008355 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (angel) || url,doc.emergingthreats.net/bin/view/Main/2008355 +1 || 2008356 || 4 || trojan-activity || 0 || ET MALWARE Seekmo.com Spyware Data Upload || url,doc.emergingthreats.net/bin/view/Main/2008356 +1 || 2008358 || 5 || trojan-activity || 0 || ET TROJAN Pakes/Cutwail/Kobcka Checkin Detected High Ports || url,doc.emergingthreats.net/2008358 +1 || 2008359 || 8 || trojan-activity || 0 || ET TROJAN Unnamed - kuaiche.com related || url,doc.emergingthreats.net/bin/view/Main/2008359 +1 || 2008360 || 4 || trojan-activity || 0 || ET TROJAN Steam Steal0r || url,doc.emergingthreats.net/2008360 +1 || 2008361 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Accessing) || url,doc.emergingthreats.net/bin/view/Main/2008361 +1 || 2008362 || 4 || web-application-activity || 0 || ET SCAN bsqlbf Brute Force SQL Injection || url,code.google.com/p/bsqlbf-v2/ || url,doc.emergingthreats.net/2008362 +1 || 2008363 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (ISMYIE) || url,doc.emergingthreats.net/bin/view/Main/2008363 +1 || 2008364 || 6 || trojan-activity || 0 || ET TROJAN Donkeyp2p Update Detected || url,doc.emergingthreats.net/2008364 +1 || 2008365 || 8 || trojan-activity || 0 || ET TROJAN Playtech Downloader Online Gaming Checkin || md5,00740d7d15862efb30629ab1fd7b8242 +1 || 2008366 || 4 || trojan-activity || 0 || ET TROJAN LD Pinch Checkin (HTTP POST on port 82) || url,doc.emergingthreats.net/2008366 +1 || 2008367 || 8 || trojan-activity || 0 || ET DELETED Possible Windows executable sent when remote host claims to send Javascript || url,doc.emergingthreats.net/bin/view/Main/2008367 +1 || 2008368 || 7 || trojan-activity || 0 || ET TROJAN Unknown Keylogger checkin || url,doc.emergingthreats.net/bin/view/Main/2008368 +1 || 2008369 || 8 || trojan-activity || 0 || ET TROJAN Keylogger Crack by bahman || url,doc.emergingthreats.net/2008369 +1 || 2008370 || 4 || trojan-activity || 0 || ET MALWARE Shopcenter.co.kr Spyware Install Report || url,doc.emergingthreats.net/bin/view/Main/2008370 +1 || 2008372 || 10 || trojan-activity || 0 || ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2) || url,doc.emergingthreats.net/2008372 +1 || 2008374 || 15 || trojan-activity || 0 || ET POLICY Suspicious User-Agent (InetURL) || url,doc.emergingthreats.net/bin/view/Main/2008374 +1 || 2008375 || 7 || trojan-activity || 0 || ET MALWARE Gooochi Related Spyware Ad pull || url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz || url,doc.emergingthreats.net/bin/view/Main/2008375 +1 || 2008376 || 5 || trojan-activity || 0 || ET TROJAN RegHelper Installation || url,doc.emergingthreats.net/2008376 +1 || 2008377 || 5 || trojan-activity || 0 || ET TROJAN Virtumod/Agent.ufv/Virtumonde Get Request || url,doc.emergingthreats.net/2008377 +1 || 2008378 || 11 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (ErrCode) || url,doc.emergingthreats.net/bin/view/Main/2008378 +1 || 2008379 || 5 || trojan-activity || 0 || ET TROJAN Swizzor Checkin (kgen_up) || url,doc.emergingthreats.net/2008379 +1 || 2008380 || 2 || trojan-activity || 0 || ET TROJAN Poison Ivy Key Exchange with CnC Init || url,doc.emergingthreats.net/2008380 +1 || 2008381 || 2 || trojan-activity || 0 || ET TROJAN Poison Ivy Key Exchange with CnC Response || url,doc.emergingthreats.net/2008381 +1 || 2008382 || 6 || trojan-activity || 0 || ET TROJAN Piptea.a Related Trojan Checkin (1) || url,doc.emergingthreats.net/2008382 +1 || 2008383 || 6 || trojan-activity || 0 || ET TROJAN Piptea.a Related Trojan Checkin (2) || url,doc.emergingthreats.net/2008383 +1 || 2008384 || 6 || trojan-activity || 0 || ET TROJAN Piptea.a Related Trojan Checkin (3) || url,doc.emergingthreats.net/2008384 +1 || 2008386 || 4 || trojan-activity || 0 || ET TROJAN Zlob HTTP Checkin || url,doc.emergingthreats.net/2008386 +1 || 2008387 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js) || url,doc.emergingthreats.net/bin/view/Main/2008387 || url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html +1 || 2008388 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js) || url,doc.emergingthreats.net/bin/view/Main/2008388 +1 || 2008389 || 2 || trojan-activity || 0 || ET DELETED Likely Hupigon Post to Controller || url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml || url,doc.emergingthreats.net/2008389 +1 || 2008390 || 2 || trojan-activity || 0 || ET DELETED Hupigon Response from Controller (YES - ~~@@) || url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml || url,doc.emergingthreats.net/2008390 +1 || 2008391 || 11 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (svchost) || url,doc.emergingthreats.net/bin/view/Main/2008391 +1 || 2008393 || 3 || trojan-activity || 0 || ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (2) || url,doc.emergingthreats.net/2008393 +1 || 2008395 || 4 || trojan-activity || 0 || ET TROJAN 3alupKo/Win32.Socks.n Related Checkin URL (3) || url,doc.emergingthreats.net/2008395 +1 || 2008396 || 4 || trojan-activity || 0 || ET TROJAN Zlob Initial Check-in Version 2 (confirm.php?sid=) || url,doc.emergingthreats.net/2008396 +1 || 2008397 || 5 || trojan-activity || 0 || ET TROJAN Fullspace.cc or Related Checkin (1) || url,doc.emergingthreats.net/2008397 +1 || 2008398 || 5 || trojan-activity || 0 || ET TROJAN Fullspace.cc or Related Checkin (2) || url,doc.emergingthreats.net/2008398 +1 || 2008399 || 6 || trojan-activity || 0 || ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid) || url,doc.emergingthreats.net/2008399 +1 || 2008400 || 10 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (ReadFileURL) || url,doc.emergingthreats.net/bin/view/Main/2008400 +1 || 2008402 || 3 || trojan-activity || 0 || ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin || url,doc.emergingthreats.net/bin/view/Main/2008402 +1 || 2008405 || 5 || trojan-activity || 0 || ET TROJAN Obitel trojan calling home || url,www.abuse.ch/?p=143 || url,doc.emergingthreats.net/2008405 +1 || 2008406 || 8 || trojan-activity || 0 || ET POLICY RemoteSpy.com Upload Detect || url,doc.emergingthreats.net/2008406 +1 || 2008407 || 5 || web-application-attack || 0 || ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1) || bugtraq,30114 || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,doc.emergingthreats.net/bin/view/Main/2008407 +1 || 2008408 || 5 || web-application-attack || 0 || ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2) || bugtraq,30114 || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,doc.emergingthreats.net/bin/view/Main/2008408 +1 || 2008409 || 4 || web-application-attack || 0 || ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3) || bugtraq,30114 || url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html || url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html || url,doc.emergingthreats.net/bin/view/Main/2008409 +1 || 2008411 || 5 || trojan-activity || 0 || ET TROJAN LDPinch SMTP Password Report with mail client The Bat! || url,doc.emergingthreats.net/2008411 +1 || 2008412 || 5 || trojan-activity || 0 || ET TROJAN Trojan-Dropper.Win32.Small.avu HTTP Checkin || url,doc.emergingthreats.net/2008412 +1 || 2008413 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (PcPcUpdater) || url,doc.emergingthreats.net/bin/view/Main/2008413 +1 || 2008414 || 2 || attempted-recon || 0 || ET SCAN Cisco Torch TFTP Scan || url,www.hackingexposedcisco.com/?link=tools || url,www.securiteam.com/tools/5EP0F1FEUA.html || url,doc.emergingthreats.net/2008414 +1 || 2008415 || 9 || attempted-recon || 0 || ET SCAN Cisco Torch IOS HTTP Scan || url,www.hackingexposedcisco.com/?link=tools || url,www.securiteam.com/tools/5EP0F1FEUA.html || url,doc.emergingthreats.net/2008415 +1 || 2008416 || 6 || attempted-recon || 0 || ET SCAN Httprint Web Server Fingerprint Scan || url,www.net-square.com/httprint/ || url,www.net-square.com/httprint/httprint_paper.html || url,doc.emergingthreats.net/2008416 +1 || 2008417 || 8 || attempted-recon || 0 || ET SCAN Wapiti Web Server Vulnerability Scan || url,wapiti.sourceforge.net/ || url,doc.emergingthreats.net/2008417 +1 || 2008418 || 5 || misc-activity || 0 || ET POLICY Metasploit Framework Update || url,www.metasploit.com/framework/ || url,www.ethicalhacker.net/content/view/29/24/ || url,doc.emergingthreats.net/2008418 +1 || 2008419 || 4 || trojan-activity || 0 || ET MALWARE Advert-network.com Related Spyware Updating || url,doc.emergingthreats.net/bin/view/Main/2008419 +1 || 2008420 || 3 || trojan-activity || 0 || ET TROJAN HTTP GET Request on port 53 - Very Likely Hostile || url,doc.emergingthreats.net/2008420 +1 || 2008422 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Inet_read) || url,doc.emergingthreats.net/bin/view/Main/2008422 +1 || 2008423 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (CFS Agent) || url,doc.emergingthreats.net/bin/view/Main/2008423 +1 || 2008424 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (CFS_DOWNLOAD) || url,doc.emergingthreats.net/bin/view/Main/2008424 +1 || 2008425 || 6 || trojan-activity || 0 || ET MALWARE Advert-network.com Related Spyware Checking for Updates || url,doc.emergingthreats.net/bin/view/Main/2008425 +1 || 2008426 || 4 || misc-attack || 0 || ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer Overflow || url,frsirt.com/english/advisories/2008/1717 || url,milw0rm.com/exploits/5718 || url,doc.emergingthreats.net/bin/view/Main/2008426 || cve,2008-4193 +1 || 2008427 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (AdiseExplorer) || url,doc.emergingthreats.net/bin/view/Main/2008427 +1 || 2008428 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (HTTP Downloader) || url,doc.emergingthreats.net/bin/view/Main/2008428 +1 || 2008429 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (HttpDownload) || url,doc.emergingthreats.net/bin/view/Main/2008429 +1 || 2008430 || 5 || trojan-activity || 0 || ET TROJAN Win32.Dialer.buv Sending Information Home || url,doc.emergingthreats.net/2008430 +1 || 2008431 || 5 || trojan-activity || 0 || ET TROJAN PWS.Gamania Checkin || url,doc.emergingthreats.net/2008431 +1 || 2008433 || 8 || trojan-activity || 0 || ET TROJAN Pandex checkin detected || url,doc.emergingthreats.net/2008433 +1 || 2008434 || 8 || trojan-activity || 0 || ET TROJAN Coreflood/AFcore Trojan Infection || url,www.secureworks.com/research/threats/coreflood || url,doc.emergingthreats.net/2008434 +1 || 2008435 || 2 || trojan-activity || 0 || ET TROJAN Win32.Testlink Trojan Speed Test Start port 8888 || url,doc.emergingthreats.net/2008435 +1 || 2008436 || 3 || trojan-activity || 0 || ET TROJAN Win32.Testlink Trojan Speed Test port 8888 || url,doc.emergingthreats.net/2008436 +1 || 2008437 || 2 || trojan-activity || 0 || ET TROJAN Win32.Testlink Trojan Checkin port 8888 || url,doc.emergingthreats.net/2008437 +1 || 2008438 || 13 || trojan-activity || 0 || ET MALWARE Possible Windows executable sent when remote host claims to send a Text File || url,doc.emergingthreats.net/bin/view/Main/2008438 +1 || 2008439 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AlstraSoft Affiliate Network Pro (pgm) Parameter SQL Injection || bugtraq,30259 || url,milw0rm.com/exploits/6087 || url,doc.emergingthreats.net/2008439 +1 || 2008440 || 11 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Download App) || url,doc.emergingthreats.net/bin/view/Main/2008440 +1 || 2008441 || 8 || trojan-activity || 0 || ET TROJAN Win32 Dialer Variant || url,doc.emergingthreats.net/2008441 +1 || 2008442 || 8 || trojan-activity || 0 || ET TROJAN Rootkit.Win32.Clbd.cz Checkin || url,doc.emergingthreats.net/2008442 +1 || 2008443 || 9 || trojan-activity || 0 || ET TROJAN Coreflood/AFcore Trojan Infection (2) || url,www.secureworks.com/research/threats/coreflood || url,doc.emergingthreats.net/2008443 +1 || 2008444 || 3 || suspicious-filename-detect || 0 || ET EXPLOIT PWDump4 Password dumping exe copied to victim || url,xinn.org/Snort-pwdump4.html || url,doc.emergingthreats.net/bin/view/Main/2008444 +1 || 2008445 || 3 || suspicious-filename-detect || 0 || ET EXPLOIT Pwdump6 Session Established test file created on victim || url,xinn.org/Snort-pwdump6.html || url,doc.emergingthreats.net/bin/view/Main/2008445 +1 || 2008446 || 9 || bad-unknown || 0 || ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt || url,doc.emergingthreats.net/bin/view/Main/2008446 +1 || 2008447 || 7 || bad-unknown || 0 || ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html || url,doc.emergingthreats.net/bin/view/Main/2008447 +1 || 2008449 || 2 || trojan-activity || 0 || ET TROJAN Keylogger.ane Checkin || url,doc.emergingthreats.net/2008449 +1 || 2008450 || 5 || trojan-activity || 0 || ET TROJAN Donbot Connect to CnC || url,doc.emergingthreats.net/2008450 || url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html || url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/ +1 || 2008451 || 3 || trojan-activity || 0 || ET TROJAN Donbot Report to CnC || url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html || url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/ || url,doc.emergingthreats.net/2008451 +1 || 2008452 || 10 || trojan-activity || 0 || ET DELETED Emo/Downloader.uxk checkin || url,doc.emergingthreats.net/2008452 +1 || 2008453 || 7 || web-application-attack || 0 || ET SCAN Tomcat Auth Brute Force attempt (admin) || url,doc.emergingthreats.net/2008453 +1 || 2008454 || 7 || web-application-attack || 0 || ET SCAN Tomcat Auth Brute Force attempt (tomcat) || url,doc.emergingthreats.net/2008454 +1 || 2008455 || 6 || web-application-attack || 0 || ET SCAN Tomcat Auth Brute Force attempt (manager) || url,doc.emergingthreats.net/2008455 +1 || 2008456 || 5 || trojan-activity || 0 || ET MALWARE EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin || url,www.spywaresignatures.com/details/pcprivacycleaner.pdf || url,doc.emergingthreats.net/bin/view/Main/2008456 +1 || 2008457 || 9 || trojan-activity || 0 || ET MALWARE Deepdo Toolbar User-Agent (FavUpdate) || url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378 || url,doc.emergingthreats.net/2008457 +1 || 2008458 || 8 || trojan-activity || 0 || ET TROJAN Downloader UserAgent(AutoDL\/1.0) || url,doc.emergingthreats.net/2008458 +1 || 2008460 || 10 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (hacker) || url,doc.emergingthreats.net/bin/view/Main/2008460 +1 || 2008461 || 6 || trojan-activity || 0 || ET TROJAN Rouge Security Software Win32.BHO.egw || url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.BHO.egw&threatid=313636 || url,doc.emergingthreats.net/2008461 +1 || 2008463 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (ieguideupdate) || url,doc.emergingthreats.net/bin/view/Main/2008463 +1 || 2008464 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (adsntD) || url,doc.emergingthreats.net/bin/view/Main/2008464 +1 || 2008465 || 2 || trojan-activity || 0 || ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic || url,doc.emergingthreats.net/2008465 +1 || 2008467 || 5 || attempted-admin || 0 || ET WEB_SERVER Possible SQL Injection Attempt Danmec related (declare) || url,doc.emergingthreats.net/2008467 +1 || 2008468 || 4 || trojan-activity || 0 || ET DELETED LDPinch Checkin Flowbit set || url,doc.emergingthreats.net/2008468 +1 || 2008469 || 7 || trojan-activity || 0 || ET DELETED LDPinch Checkin v2 || url,doc.emergingthreats.net/2008469 +1 || 2008470 || 6 || bad-unknown || 0 || ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups || url,doc.emergingthreats.net/bin/view/Main/2008470 +1 || 2008471 || 4 || trojan-activity || 0 || ET TROJAN HotLan.C Spambot C&C download command || url,doc.emergingthreats.net/2008471 +1 || 2008472 || 4 || policy-violation || 0 || ET POLICY Netviewer.com Remote Control Proxy Test || url,doc.emergingthreats.net/2008472 +1 || 2008473 || 9 || trojan-activity || 0 || ET TROJAN HotLan.C Spambot Trojan Activity || url,doc.emergingthreats.net/2008473 +1 || 2008474 || 4 || trojan-activity || 0 || ET MALWARE Adware.Look2Me Activity || url,doc.emergingthreats.net/bin/view/Main/2008474 +1 || 2008475 || 4 || bad-unknown || 0 || ET DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt || url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html || url,doc.emergingthreats.net/bin/view/Main/2008475 +1 || 2008476 || 3 || suspicious-filename-detect || 0 || ET EXPLOIT Foofus.net Password dumping, dll injection || url,xinn.org/Snort-fgdump.html || url,doc.emergingthreats.net/bin/view/Main/2008476 +1 || 2008477 || 6 || trojan-activity || 0 || ET TROJAN Banload POST Checkin (dados) || url,doc.emergingthreats.net/2008477 +1 || 2008481 || 3 || trojan-activity || 0 || ET TROJAN Trojan-PSW.Win32.Nilage.crg Checkin || url,doc.emergingthreats.net/2008481 +1 || 2008482 || 4 || trojan-activity || 0 || ET TROJAN thespybot.com installation download detected || url,doc.emergingthreats.net/2008482 +1 || 2008483 || 8 || trojan-activity || 0 || ET TROJAN Win32/Antivirus2008 || url,doc.emergingthreats.net/2008483 +1 || 2008484 || 7 || trojan-activity || 0 || ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate) || url,doc.emergingthreats.net/2008484 +1 || 2008485 || 7 || trojan-activity || 0 || ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup) || url,doc.emergingthreats.net/2008485 +1 || 2008488 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (NULL) || url,doc.emergingthreats.net/bin/view/Main/2008488 +1 || 2008489 || 9 || policy-violation || 0 || ET POLICY Suspicious User-Agent (dwplayer) || url,doc.emergingthreats.net/bin/view/Main/2008489 +1 || 2008490 || 7 || trojan-activity || 0 || ET TROJAN Dialer.Win32.E-Group.n Checkin || url,doc.emergingthreats.net/2008490 +1 || 2008491 || 3 || trojan-activity || 0 || ET DELETED Banker.OT Checkin (2 packet) || url,doc.emergingthreats.net/2008491 +1 || 2008492 || 5 || trojan-activity || 0 || ET TROJAN Win32.Downloader.pgp Checkin || url,doc.emergingthreats.net/2008492 +1 || 2008493 || 6 || trojan-activity || 0 || ET TROJAN Pushdo Checkin || url,doc.emergingthreats.net/2008493 +1 || 2008494 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (ieagent) || url,doc.emergingthreats.net/bin/view/Main/2008494 +1 || 2008495 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (antispyprogram) || url,doc.emergingthreats.net/bin/view/Main/2008495 +1 || 2008500 || 7 || trojan-activity || 0 || ET MALWARE Sogoul.com Spyware User-Agent (SogouIMEMiniSetup) || url,doc.emergingthreats.net/2008500 +1 || 2008502 || 5 || trojan-activity || 0 || ET TROJAN Antispywareexpert.com Fake AS Install Checkin || url,doc.emergingthreats.net/2008502 +1 || 2008503 || 8 || policy-violation || 0 || ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software) +1 || 2008504 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (SUiCiDE/1.5) || url,doc.emergingthreats.net/bin/view/Main/2008504 +1 || 2008506 || 9 || trojan-activity || 0 || ET TROJAN Trojan-PWS.Win32.VB.tr Checkin Detected || url,doc.emergingthreats.net/2008506 +1 || 2008507 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller || url,doc.emergingthreats.net/2008507 +1 || 2008509 || 3 || trojan-activity || 0 || ET TROJAN VirtualProtect Packed Binary - Likely Hostile || url,bits.packetninjas.org/eblog/?p=3 || url,doc.emergingthreats.net/2008509 +1 || 2008510 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (\xa2\xa2HttpClient) || url,doc.emergingthreats.net/bin/view/Main/2008510 +1 || 2008511 || 5 || trojan-activity || 0 || ET TROJAN Win32/Antivirus2008 Fake AV Install Report || url,doc.emergingthreats.net/2008511 +1 || 2008512 || 13 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (C slash) +1 || 2008513 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (msIE 7.0) || url,doc.emergingthreats.net/bin/view/Main/2008513 +1 || 2008514 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (AVP2006IE) || url,doc.emergingthreats.net/bin/view/Main/2008514 +1 || 2008515 || 8 || trojan-activity || 0 || ET TROJAN Hupigon.AZG Checkin || url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0 || url,vil.nai.com/vil/content/v_145056.htm || url,doc.emergingthreats.net/2008515 +1 || 2008516 || 5 || trojan-activity || 0 || ET TROJAN XPantivirus2008 Download || url,www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/page4.html || url,seo.mhvt.net/blog/?p=390 || url,virscan.org/report/a61cd44fc387188da2ee3fbdeda10782.html || url,doc.emergingthreats.net/2008516 +1 || 2008517 || 2 || attempted-user || 0 || ET EXPLOIT SQL sp_configure - configuration change || url,msdn.microsoft.com/en-us/library/ms190693.aspx || url,doc.emergingthreats.net/bin/view/Main/2008517 +1 || 2008518 || 2 || attempted-user || 0 || ET EXPLOIT SQL sp_configure attempt || url,msdn.microsoft.com/en-us/library/ms190693.aspx || url,doc.emergingthreats.net/bin/view/Main/2008518 +1 || 2008519 || 6 || trojan-activity || 0 || ET TROJAN Win32.Agent.zrm/Infostealer.Bancos Checkin || url,doc.emergingthreats.net/2008519 +1 || 2008520 || 5 || trojan-activity || 0 || ET DELETED Sinowal/Mebroot/Torpig Client POST || url,doc.emergingthreats.net/2008520 +1 || 2008521 || 3 || trojan-activity || 0 || ET TROJAN Keylogger Infection Report via POST || url,doc.emergingthreats.net/2008521 +1 || 2008522 || 3 || trojan-activity || 0 || ET TROJAN Stpage Checkin (nomodem) || url,doc.emergingthreats.net/2008522 +1 || 2008523 || 8 || trojan-activity || 0 || ET TROJAN Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin || md5,29457bd7a95e11bfd0e614a6e237a344 || md5,173a060ed791e620c2ec84d7b360ed60 || url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o +1 || 2008524 || 2 || misc-activity || 0 || ET DELETED Milw0rm Exploit Archive Download || url,www.milw0rm.com || url,doc.emergingthreats.net/2008524 +1 || 2008525 || 2 || misc-activity || 0 || ET DELETED Packetstormsecurity Exploits Of The Month Download || url,www.packetstormsecurity.org || url,doc.emergingthreats.net/2008525 +1 || 2008526 || 5 || attempted-recon || 0 || ET SCAN Smap VOIP Device Scan || url,www.go2linux.org/smap-find-voip-enabled-devices || url,doc.emergingthreats.net/2008526 +1 || 2008527 || 5 || trojan-activity || 0 || ET TROJAN Virusremover2008.com Checkin || url,doc.emergingthreats.net/2008527 +1 || 2008529 || 6 || web-application-activity || 0 || ET SCAN Core-Project Scanning Bot UA Detected +1 || 2008531 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server || url,doc.emergingthreats.net/bin/view/Main/2008531 +1 || 2008532 || 3 || trojan-activity || 0 || ET TROJAN Bifrose Connect to Controller (variant 2) || url,doc.emergingthreats.net/2008532 +1 || 2008533 || 3 || policy-violation || 0 || ET POLICY Possible External Ultrasurf Anonymizer DNS Query || url,doc.emergingthreats.net/2008533 +1 || 2008536 || 6 || attempted-recon || 0 || ET DELETED Halberd Load Balanced Webserver Detection Scan || url,www.halberd.superadditive.com || url,doc.emergingthreats.net/2008536 +1 || 2008537 || 6 || attempted-recon || 0 || ET SCAN Hmap Webserver Fingerprint Scan || url,www.ujeni.murkyroc.com/hmap/ || url,doc.emergingthreats.net/2008537 +1 || 2008538 || 6 || attempted-recon || 0 || ET SCAN Sqlmap SQL Injection Scan || url,sqlmap.sourceforge.net || url,doc.emergingthreats.net/2008538 +1 || 2008540 || 4 || trojan-activity || 0 || ET TROJAN Hupigon.dkxh Checkin to CnC || url,doc.emergingthreats.net/2008540 +1 || 2008541 || 7 || trojan-activity || 0 || ET TROJAN Bravix Checkin || url,doc.emergingthreats.net/2008541 +1 || 2008542 || 7 || attempted-user || 0 || ET SCADA CitectSCADA ODBC Overflowflow Attempt || cve,2008-2639 || url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/ || url,digitalbond.com/tools/quickdraw/vulnerability-rules +1 || 2008543 || 2 || not-suspicious || 0 || ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts || url,doc.emergingthreats.net/2008543 +1 || 2008544 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (winlogon) || url,doc.emergingthreats.net/bin/view/Main/2008544 +1 || 2008545 || 3 || trojan-activity || 0 || ET TROJAN Social-bos.biz related trojan checkin (trackid=hex) || url,doc.emergingthreats.net/2008545 +1 || 2008546 || 6 || trojan-activity || 0 || ET DELETED Emo/Downloader.vr Checkin || url,doc.emergingthreats.net/2008546 || url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50 +1 || 2008547 || 3 || trojan-activity || 0 || ET TROJAN PECompact2 Packed Binary - Likely Hostile || url,www.bitsum.com/pecompact.shtml || url,bits.packetninjas.org/eblog/?p=306 || url,doc.emergingthreats.net/2008547 +1 || 2008549 || 13 || trojan-activity || 0 || ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP) || url,www.wiki-security.com/wiki/Parasite/Antivirus2008 || url,doc.emergingthreats.net/2008549 +1 || 2008550 || 5 || trojan-activity || 0 || ET TROJAN General Bot HTTP CnC Pattern || url,doc.emergingthreats.net/2008550 +1 || 2008551 || 3 || trojan-activity || 0 || ET TROJAN Banito/Agent.pb Pass Stealer Email Report Outbound || url,doc.emergingthreats.net/2008551 +1 || 2008556 || 6 || trojan-activity || 0 || ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious || url,doc.emergingthreats.net/bin/view/Main/2008556 +1 || 2008557 || 2 || trojan-activity || 0 || ET DELETED Likely EXE Cryptor Packed Binary - Likely Malware || url,bits.packetninjas.org || url,doc.emergingthreats.net/2008557 +1 || 2008558 || 7 || trojan-activity || 0 || ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper) || url,doc.emergingthreats.net/2008558 +1 || 2008559 || 7 || trojan-activity || 0 || ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection || url,doc.emergingthreats.net/bin/view/Main/2008559 +1 || 2008560 || 2 || misc-activity || 0 || ET SCAN NNG MS02-039 Exploit False Positive Generator - May Conceal A Genuine Attack || url,packetstormsecurity.nl/filedesc/nng-4.13r-public.rar.html || url,doc.emergingthreats.net/2008560 +1 || 2008561 || 3 || misc-activity || 0 || ET POLICY External Unencrypted Connection To Aanval Console || url,www.aanval.com || url,doc.emergingthreats.net/bin/view/Main/2008561 +1 || 2008562 || 3 || unknown || 0 || ET TROJAN Suspicious SMTP handshake outbound || url,doc.emergingthreats.net/bin/view/Main/2008562 +1 || 2008563 || 3 || unknown || 0 || ET TROJAN Suspicious SMTP handshake reply || url,doc.emergingthreats.net/bin/view/Main/2008563 +1 || 2008564 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Internet HTTP Request) || url,doc.emergingthreats.net/bin/view/Main/2008564 +1 || 2008567 || 5 || trojan-activity || 0 || ET TROJAN Win32.Crypt.nc Checkin || url,doc.emergingthreats.net/2008567 +1 || 2008568 || 3 || attempted-recon || 0 || ET SCAN Voiper Toolkit Torturer Scan || url,sourceforge.net/projects/voiper || url,doc.emergingthreats.net/2008568 +1 || 2008569 || 3 || misc-activity || 0 || ET POLICY External Unencrypted Connection to Ossec WUI || url,www.ossec.net || url,doc.emergingthreats.net/2008569 +1 || 2008570 || 3 || misc-activity || 0 || ET POLICY External Unencrypted Connection to BASE Console || url,base.secureideas.net || url,doc.emergingthreats.net/bin/view/Main/2008570 +1 || 2008571 || 5 || attempted-recon || 0 || ET SCAN Acunetix Version 6 Crawl/Scan Detected || url,www.acunetix.com/ || url,doc.emergingthreats.net/2008571 +1 || 2008572 || 3 || trojan-activity || 0 || ET POLICY External MYSQL Server Connection || url,doc.emergingthreats.net/2008572 +1 || 2008573 || 3 || trojan-activity || 0 || ET TROJAN Viruscatch.co.kr/Win32.Small.hvd Mysql Command and Control Connection (user viruscatch) || url,doc.emergingthreats.net/2008573 +1 || 2008575 || 4 || trojan-activity || 0 || ET POLICY ASProtect/ASPack Packed Binary || url,www.aspack.com/downloads.aspx || url,bits.packetninjas.org/eblog/ || url,doc.emergingthreats.net/2008575 +1 || 2008576 || 5 || trojan-activity || 0 || ET DELETED TinyPE Binary - Possibly Hostile || url,www.phreedom.org/solar/code/tinype/ || url,www.packetninjas.net/blog/2008/11/20/ids-signature-for-extremely-small-portable-executable-files.html || url,doc.emergingthreats.net/2008576 +1 || 2008577 || 3 || attempted-recon || 0 || ET SCAN Voiper Fuzzing Scan || url,sourceforge.net/projects/voiper || url,doc.emergingthreats.net/2008577 +1 || 2008578 || 4 || attempted-recon || 0 || ET SCAN Sipvicious Scan || url,blog.sipvicious.org || url,doc.emergingthreats.net/2008578 +1 || 2008579 || 4 || attempted-recon || 0 || ET SCAN Sipp SIP Stress Test Detected || url,sourceforge.net/projects/sipp/ || url,doc.emergingthreats.net/2008579 +1 || 2008580 || 5 || trojan-activity || 0 || ET TROJAN Trojan Sinowal/Torpig Phoning Home || url,doc.emergingthreats.net/2008580 +1 || 2008581 || 3 || policy-violation || 0 || ET P2P BitTorrent DHT ping request || url,wiki.theory.org/BitTorrentDraftDHTProtocol || url,doc.emergingthreats.net/bin/view/Main/2008581 +1 || 2008582 || 7 || policy-violation || 0 || ET P2P BitTorrent DHT find_node request || url,wiki.theory.org/BitTorrentDraftDHTProtocol || url,doc.emergingthreats.net/bin/view/Main/2008582 +1 || 2008583 || 4 || policy-violation || 0 || ET P2P BitTorrent DHT nodes reply || url,wiki.theory.org/BitTorrentDraftDHTProtocol || url,doc.emergingthreats.net/bin/view/Main/2008583 +1 || 2008584 || 5 || policy-violation || 0 || ET P2P BitTorrent DHT get_peers request || url,wiki.theory.org/BitTorrentDraftDHTProtocol || url,doc.emergingthreats.net/bin/view/Main/2008584 +1 || 2008585 || 4 || policy-violation || 0 || ET P2P BitTorrent DHT announce_peers request || url,wiki.theory.org/BitTorrentDraftDHTProtocol || url,doc.emergingthreats.net/bin/view/Main/2008585 +1 || 2008586 || 8 || trojan-activity || 0 || ET USER_AGENTS Casino Related Spyware User-Agent Detected (Viper 4.0) || url,doc.emergingthreats.net/2008586 +1 || 2008587 || 3 || trojan-activity || 0 || ET TROJAN TroDjan 2.0 Infection Report || url,doc.emergingthreats.net/2008587 +1 || 2008588 || 2 || trojan-activity || 0 || ET TROJAN TroDjan 2.0 FTP Channel Open Command || url,doc.emergingthreats.net/2008588 +1 || 2008589 || 2 || trojan-activity || 0 || ET POLICY FTP Conversation on Low Port - Likely Hostile (TYPE A) || url,doc.emergingthreats.net/2008589 +1 || 2008590 || 2 || trojan-activity || 0 || ET POLICY FTP Conversation on Low Port - Likely Hostile (PASV) || url,doc.emergingthreats.net/2008590 +1 || 2008591 || 3 || policy-violation || 0 || ET P2P Ares Server Connection || url,aresgalaxy.sourceforge.net || url,doc.emergingthreats.net/bin/view/Main/2008591 +1 || 2008592 || 4 || trojan-activity || 0 || ET TROJAN Nbar.co.kr Related Trojan Checkin || url,doc.emergingthreats.net/2008592 +1 || 2008594 || 8 || trojan-activity || 0 || ET MALWARE ezday.co.kr Related Spyware User-Agent (Ezshop) || url,doc.emergingthreats.net/2008594 +1 || 2008595 || 8 || policy-violation || 0 || ET P2P SoulSeek P2P Server Connection || url,www.slsknet.org || url,doc.emergingthreats.net/2008595 +1 || 2008597 || 3 || attempted-recon || 0 || ET SCAN Cisco Torch SNMP Scan || url,www.hackingexposedcisco.com/?link=tools || url,www.securiteam.com/tools/5EP0F1FEUA.html || url,doc.emergingthreats.net/2008597 +1 || 2008598 || 3 || attempted-recon || 0 || ET SCAN Sipsak SIP scan || url,sipsak.org/ || url,doc.emergingthreats.net/2008598 +1 || 2008600 || 8 || trojan-activity || 0 || ET DELETED Suspicious User-Agent Detected (Windows+NT) || url,doc.emergingthreats.net/bin/view/Main/2008600 +1 || 2008601 || 2 || trojan-activity || 0 || ET TROJAN Visual Shock Keylogger Reporting to Controller || url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573 || url,doc.emergingthreats.net/2008601 +1 || 2008602 || 2 || trojan-activity || 0 || ET TROJAN Visual Shock Keylogger Reporting Idle to Controller || url,research.sunbelt-software.com/threatdisplay.aspx?threatid=42573 || url,doc.emergingthreats.net/2008602 +1 || 2008603 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent Detected (RLMultySocket) || url,doc.emergingthreats.net/bin/view/Main/2008603 +1 || 2008605 || 3 || attempted-recon || 0 || ET SCAN Stompy Web Application Session Scan || url,www.darknet.org.uk/2007/03/stompy-the-web-application-session-analyzer-tool/ || url,doc.emergingthreats.net/2008605 +1 || 2008606 || 3 || attempted-recon || 0 || ET SCAN Enumiax Inter-Asterisk Exchange Protocol Username Scan || url,sourceforge.net/projects/enumiax/ || url,doc.emergingthreats.net/2008606 +1 || 2008607 || 10 || web-application-attack || 0 || ET ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS || url,www.milw0rm.com/exploits/6600 || url,doc.emergingthreats.net/2008607 +1 || 2008608 || 8 || trojan-activity || 0 || ET TROJAN WinFixer Trojan Related User-Agent (ElectroSun) || url,doc.emergingthreats.net/2008608 +1 || 2008609 || 4 || attempted-recon || 0 || ET SCAN Sivus VOIP Vulnerability Scanner SIP Scan || url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html || url,www.vopsecurity.org/ || url,doc.emergingthreats.net/2008609 +1 || 2008610 || 3 || attempted-recon || 0 || ET SCAN Sivus VOIP Vulnerability Scanner SIP Components Scan || url,www.security-database.com/toolswatch/SiVus-VoIP-Security-Scanner-1-09.html || url,www.vopsecurity.org/ || url,doc.emergingthreats.net/2008610 +1 || 2008611 || 5 || policy-violation || 0 || ET P2P SoulSeek P2P Login Response || url,www.slsknet.org || url,doc.emergingthreats.net/2008611 +1 || 2008612 || 9 || web-application-attack || 0 || ET ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method || url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html || url,secunia.com/Advisories/31989/ || url,doc.emergingthreats.net/2008612 +1 || 2008613 || 9 || web-application-attack || 0 || ET ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method || url,secunia.com/Advisories/31966/ || url,milw0rm.com/exploits/6638 || url,doc.emergingthreats.net/2008613 +1 || 2008614 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Lance show.php catid SQL Injection || url,secunia.com/Advisories/32027/ || url,www.milw0rm.com/exploits/6605 || url,doc.emergingthreats.net/2008614 +1 || 2008615 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Real Estate Manager realestate-index.php cat_id SQL Injection || url,secunia.com/Advisories/32049/ || url,www.milw0rm.com/exploits/6599 || url,doc.emergingthreats.net/2008615 +1 || 2008616 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pilot Online Training Solution news_read.php id SQL Injection || url,secunia.com/Advisories/31969/ || url,www.milw0rm.com/exploits/6613 || url,doc.emergingthreats.net/2008616 +1 || 2008617 || 5 || attempted-recon || 0 || ET SCAN Wikto Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm || url,doc.emergingthreats.net/2008617 +1 || 2008618 || 8 || web-application-attack || 0 || ET ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS || url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded || cve,2008-2639 || url,securityreason.com/securityalert/4323 || url,doc.emergingthreats.net/2008618 +1 || 2008619 || 8 || web-application-attack || 0 || ET ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow || bugtraq,31435 || url,securitytracker.com/alerts/2008/Sep/1020951.html || url,doc.emergingthreats.net/2008619 +1 || 2008620 || 38 || web-application-attack || 0 || ET ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method || cve,2008-4301 || url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded || url,doc.emergingthreats.net/2008620 +1 || 2008621 || 7 || web-application-attack || 0 || ET ACTIVEX Internet Information Service adsiis.dll activex remote DOS || cve,2008-4300 || url,securityreason.com/securityalert/4325 || url,doc.emergingthreats.net/2008621 +1 || 2008623 || 6 || trojan-activity || 0 || ET TROJAN Cinmus.Checkin 1 || url,doc.emergingthreats.net/2008623 +1 || 2008624 || 8 || trojan-activity || 0 || ET TROJAN Cinmus.Checkin 2 || url,doc.emergingthreats.net/2008624 +1 || 2008625 || 6 || policy-violation || 0 || ET P2P Pando Client User-Agent Detected (Mozilla/4.0 (Windows U) Pando/1.xx) || url,doc.emergingthreats.net/bin/view/Main/2008625 +1 || 2008626 || 4 || trojan-activity || 0 || ET TROJAN PlayMP3z.biz Related Spyware/Trojan Install Report || url,doc.emergingthreats.net/2008626 +1 || 2008627 || 7 || attempted-recon || 0 || ET SCAN Httprecon Web Server Fingerprint Scan || url,www.computec.ch/projekte/httprecon/ || url,doc.emergingthreats.net/2008627 +1 || 2008628 || 6 || attempted-recon || 0 || ET SCAN WSFuzzer Web Application Fuzzing || url,www.owasp.org/index.php/Category%3aOWASP_WSFuzzer_Project || url,doc.emergingthreats.net/2008628 +1 || 2008629 || 6 || attempted-recon || 0 || ET SCAN Wikto Backend Data Miner Scan || url,www.sensepost.com/research/wikto/WiktoDoc1-51.htm || url,doc.emergingthreats.net/2008629 +1 || 2008639 || 6 || trojan-activity || 0 || ET TROJAN Tibs Trojan Downloader || url,doc.emergingthreats.net/2008639 +1 || 2008640 || 5 || attempted-recon || 0 || ET SCAN SIP erase_registrations/add registrations attempt || url,www.hackingvoip.com/sec_tools.html || url,doc.emergingthreats.net/2008640 +1 || 2008641 || 4 || attempted-recon || 0 || ET SCAN sipscan probe || url,www.hackingvoip.com/sec_tools.html || url,doc.emergingthreats.net/2008641 +1 || 2008642 || 2 || trojan-activity || 0 || ET TROJAN Keylogger PRO GOLD Post || url,doc.emergingthreats.net/2008642 +1 || 2008643 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent Detected (Downloader1.2) || url,doc.emergingthreats.net/bin/view/Main/2008643 +1 || 2008644 || 4 || trojan-activity || 0 || ET TROJAN Spy-Net Trojan Connection || url,doc.emergingthreats.net/2008644 +1 || 2008645 || 3 || trojan-activity || 0 || ET TROJAN Spy-Net Trojan Connection (2) || url,doc.emergingthreats.net/2008645 +1 || 2008647 || 8 || trojan-activity || 0 || ET MALWARE Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus) || url,doc.emergingthreats.net/2008647 +1 || 2008648 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS trac q variable open redirect || cve,CVE-2008-2951 || url,doc.emergingthreats.net/2008648 +1 || 2008649 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Realtor v_cat SQL Injection || url,www.milw0rm.com/exploits/6694 || url,secunia.com/advisories/32149/ || url,doc.emergingthreats.net/2008649 +1 || 2008650 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Autos catid SQL Injection || url,www.milw0rm.com/exploits/6696 || url,secunia.com/advisories/32139/ || url,doc.emergingthreats.net/2008650 +1 || 2008651 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion || url,www.exploit-db.com/exploits/6669/ || url,doc.emergingthreats.net/2008651 +1 || 2008652 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure || url,www.milw0rm.com/exploits/6715 || url,secunia.com/Advisories/32210/ || url,doc.emergingthreats.net/2008652 +1 || 2008653 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Built2go Real Estate Listings event_id SQL Injection || url,www.milw0rm.com/exploits/6697 || url,secunia.com/Advisories/32129/ || url,doc.emergingthreats.net/2008653 +1 || 2008654 || 6 || attempted-recon || 0 || ET SCAN SQLix SQL Injection Vector Scan || url,www.owasp.org/index.php/Category%3aOWASP_SQLiX_Project || url,doc.emergingthreats.net/2008654 +1 || 2008656 || 7 || trojan-activity || 0 || ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010) || url,doc.emergingthreats.net/2008656 +1 || 2008657 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent Detected (Compatible) || url,doc.emergingthreats.net/bin/view/Main/2008657 +1 || 2008658 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent Detected (GetUrlSize) || url,doc.emergingthreats.net/bin/view/Main/2008658 +1 || 2008659 || 7 || trojan-activity || 0 || ET DELETED Suspicious User-Agent Detected (DigitAl56K/6.3) || url,doc.emergingthreats.net/bin/view/Main/2008659 +1 || 2008660 || 7 || trojan-activity || 0 || ET TROJAN Torpig Infection Reporting || url,www2.gmer.net/mbr/ || url,www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf || url,doc.emergingthreats.net/2008660 || url,offensivecomputing.net/?q=node/909 +1 || 2008661 || 6 || trojan-activity || 0 || ET TROJAN Zbot/Zeus HTTP POST || url,doc.emergingthreats.net/2008661 +1 || 2008662 || 3 || trojan-activity || 0 || ET TROJAN Generic PSW Agent server reply || url,doc.emergingthreats.net/2008662 +1 || 2008663 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent Detected (aguarovex-loader v3.221) || url,doc.emergingthreats.net/bin/view/Main/2008663 +1 || 2008664 || 11 || trojan-activity || 0 || ET TROJAN Generic Dropper HTTP Bot grabbing config || url,doc.emergingthreats.net/2008664 +1 || 2008665 || 8 || trojan-activity || 0 || ET TROJAN Zbot/Zeus or Related Infection Checkin || url,doc.emergingthreats.net/2008665 +1 || 2008666 || 9 || trojan-activity || 0 || ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl) || url,doc.emergingthreats.net/2008666 +1 || 2008667 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Agent.fvt Checkin || url,doc.emergingthreats.net/2008667 +1 || 2008668 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myEvent viewevent.php SQL Injection || bugtraq,31773 || url,www.milw0rm.com/exploits/6760 || url,doc.emergingthreats.net/2008668 +1 || 2008669 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AstroSPACES profile.php SQL Injection || bugtraq,31771 || url,www.milw0rm.com/exploits/6758 || url,doc.emergingthreats.net/2008669 +1 || 2008672 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS My PHP Dating id parameter SQL Injection || url,secunia.com/advisories/32268 || url,www.exploit-db.com/exploits/6754/ || url,doc.emergingthreats.net/2008672 +1 || 2008673 || 11 || web-application-attack || 0 || ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack || url,milw0rm.com/exploits/6699 || url,doc.emergingthreats.net/2008673 +1 || 2008674 || 3 || trojan-activity || 0 || ET TROJAN Likely eCard Malware Laden Email Inbound || url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/ || url,doc.emergingthreats.net/2008674 +1 || 2008675 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start || url,doc.emergingthreats.net/2008675 +1 || 2008676 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply || url,doc.emergingthreats.net/2008676 +1 || 2008677 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply || url,doc.emergingthreats.net/2008677 +1 || 2008678 || 9 || web-application-attack || 0 || ET ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods || url,secunia.com/Advisories/32337/ || url,doc.emergingthreats.net/2008678 +1 || 2008679 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (dish.php) || url,secunia.com/advisories/32308/ || url,milw0rm.com/exploits/6762 || url,doc.emergingthreats.net/2008679 +1 || 2008680 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CafeEngine id Remote SQL Injection (menu.php) || url,secunia.com/advisories/32308/ || url,milw0rm.com/exploits/6762 || url,doc.emergingthreats.net/2008680 +1 || 2008681 || 6 || trojan-activity || 0 || ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php || url,iframecash.biz || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T || url,doc.emergingthreats.net/bin/view/Main/2008681 +1 || 2008682 || 4 || trojan-activity || 0 || ET TROJAN Trojan.Zonebac.D || url,doc.emergingthreats.net/2008682 +1 || 2008683 || 9 || web-application-attack || 0 || ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow || bugtraq,31814 || url,www.milw0rm.com/exploits/6793 || url,doc.emergingthreats.net/2008683 +1 || 2008684 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Shop Shopping Cart Script search_results.php SQL Injection || bugtraq,30692 || url,doc.emergingthreats.net/2008684 +1 || 2008685 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla DS-Syndicate Component feed_id SQL Injection || url,www.secunia.com/advisories/32321 || url,www.exploit-db.com/exploits/6792/ || url,doc.emergingthreats.net/2008685 +1 || 2008686 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS zeeproperty adid Parameter Remote SQL Injection || url,secunia.com/Advisories/32333/ || url,milw0rm.com/exploits/6780 || url,doc.emergingthreats.net/2008686 +1 || 2008687 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion || bugtraq,29455 || url,doc.emergingthreats.net/2008687 +1 || 2008688 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XOOPS Makale Module id SQL Injection || url,secunia.com/advisories/32347/ || url,www.milw0rm.com/exploits/6795 || url,doc.emergingthreats.net/2008688 +1 || 2008689 || 5 || trojan-activity || 0 || ET TROJAN Gimmiv.A.dll Infection || url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A || url,doc.emergingthreats.net/2008689 +1 || 2008690 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (1) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008690 +1 || 2008691 || 6 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (2) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008691 +1 || 2008692 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (3) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008692 +1 || 2008693 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (4) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008693 +1 || 2008694 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (5) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008694 +1 || 2008695 || 5 || attempted-admin || 0 || ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (6) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008695 +1 || 2008696 || 6 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (7) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008696 +1 || 2008697 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (8) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008697 +1 || 2008698 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (9) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008698 +1 || 2008699 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (10) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008699 +1 || 2008700 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008700 +1 || 2008701 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (11) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008701 +1 || 2008702 || 6 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (12) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008702 +1 || 2008703 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (13) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008703 +1 || 2008704 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (14) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008704 +1 || 2008705 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (15) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008705 +1 || 2008706 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (16) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008706 +1 || 2008707 || 6 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (17) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008707 +1 || 2008708 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (18) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008708 +1 || 2008709 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (19) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008709 +1 || 2008710 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (20) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008710 +1 || 2008711 || 5 || attempted-admin || 0 || ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (21) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008711 +1 || 2008712 || 6 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (22) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008712 +1 || 2008713 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (23) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008713 +1 || 2008714 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (24) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008714 +1 || 2008715 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (25) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008715 +1 || 2008716 || 5 || attempted-admin || 0 || ET DELETED Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (26) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008716 +1 || 2008717 || 6 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (27) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008717 +1 || 2008718 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (28) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008718 +1 || 2008719 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (29) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008719 +1 || 2008720 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 (30) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008720 +1 || 2008721 || 5 || attempted-admin || 0 || ET NETBIOS Microsoft Windows NETAPI Stack Overflow Inbound - MS08-067 - Known Exploit Instance (2) || url,www.microsoft.com/technet/security/Bulletin/MS08-067.mspx || cve,2008-4250 || url,www.kb.cert.org/vuls/id/827267 || url,doc.emergingthreats.net/bin/view/Main/2008721 +1 || 2008722 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Customer contact.php SQL injection || bugtraq,28852 || url,doc.emergingthreats.net/2008722 +1 || 2008723 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ShopMaker product.php id Parameter Remote SQL Injection || url,www.milw0rm.com/exploits/6799 || bugtraq,31854 || url,doc.emergingthreats.net/2008723 +1 || 2008724 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bahar Download Script aspkat.asp SQL Injection || bugtraq,31852 || url,doc.emergingthreats.net/2008724 +1 || 2008725 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Newsletter Plugin newsletter Parameter SQL Injection || url,milw0rm.com/exploits/6777 || url,secunia.com/advisories/32336 || url,doc.emergingthreats.net/2008725 +1 || 2008726 || 3 || trojan-activity || 0 || ET TROJAN Gimmiv Infection Ping Outbound || url,doc.emergingthreats.net/2008726 +1 || 2008727 || 3 || trojan-activity || 0 || ET TROJAN Gimmiv Infection Ping Inbound || url,doc.emergingthreats.net/2008727 +1 || 2008728 || 6 || trojan-activity || 0 || ET DELETED General Downloader URL - Post Infection || url,doc.emergingthreats.net/2008728 +1 || 2008729 || 5 || attempted-recon || 0 || ET SCAN Mini MySqlatOr SQL Injection Scanner || url,www.scrt.ch/pages_en/minimysqlator.html || url,doc.emergingthreats.net/2008729 +1 || 2008730 || 3 || trojan-activity || 0 || ET TROJAN Ipbill.com Related Dialer Trojan Checkin || url,doc.emergingthreats.net/2008730 +1 || 2008731 || 3 || trojan-activity || 0 || ET TROJAN Ipbill.com Related Dialer Trojan Server Response || url,doc.emergingthreats.net/2008731 +1 || 2008732 || 4 || trojan-activity || 0 || ET TROJAN FraudTool.Win32.SysCleaner.a || url,doc.emergingthreats.net/2008732 +1 || 2008733 || 2 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Regrun.ro FTP connection detected || url,doc.emergingthreats.net/2008733 +1 || 2008734 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent Detected (WINS_HTTP_SEND Program/1.0) || url,doc.emergingthreats.net/bin/view/Main/2008734 +1 || 2008735 || 8 || trojan-activity || 0 || ET MALWARE Suspicious User Agent (FTP) || url,doc.emergingthreats.net/bin/view/Main/2008735 +1 || 2008736 || 5 || bad-unknown || 0 || ET DELETED Borlander Adware Checkin || url,doc.emergingthreats.net/bin/view/Main/2008736 +1 || 2008737 || 12 || trojan-activity || 0 || ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin || url,doc.emergingthreats.net/bin/view/Main/2008737 +1 || 2008738 || 8 || not-suspicious || 0 || ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related || url,doc.emergingthreats.net/bin/view/Main/2008738 +1 || 2008739 || 8 || trojan-activity || 0 || ET TROJAN Conficker/MS08-067 Worm Traffic Outbound || url,doc.emergingthreats.net/bin/view/Main/2008739 +1 || 2008740 || 6 || trojan-activity || 0 || ET DELETED Ligats/DR.Ilomo Agent Post || url,doc.emergingthreats.net/2008740 +1 || 2008742 || 9 || trojan-activity || 0 || ET MALWARE Admoke/Adload.AFB!tr.dldr Checkin || md5,6085f2ff15282611fd82f9429d82912b +1 || 2008743 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (bdsclk) - Possible Admoke Admware || url,doc.emergingthreats.net/bin/view/Main/2008743 +1 || 2008744 || 2 || policy-violation || 0 || ET POLICY Possible External FreeGate DNS Query || url,doc.emergingthreats.net/2008744 +1 || 2008745 || 2 || policy-violation || 0 || ET POLICY Possible External FreeGate DNS Query || url,doc.emergingthreats.net/2008745 +1 || 2008746 || 2 || policy-violation || 0 || ET POLICY Possible External FreeGate DNS Query || url,doc.emergingthreats.net/2008746 +1 || 2008747 || 2 || policy-violation || 0 || ET POLICY Possible External FreeGate DNS Query || url,doc.emergingthreats.net/2008747 +1 || 2008748 || 3 || policy-violation || 0 || ET POLICY Possible External FreeGate DNS Query || url,doc.emergingthreats.net/2008748 +1 || 2008749 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (checkonline) || url,doc.emergingthreats.net/bin/view/Main/2008749 +1 || 2008750 || 4 || trojan-activity || 0 || ET DELETED Buzus FTP Log Upload || url,doc.emergingthreats.net/2008750 +1 || 2008752 || 3 || trojan-activity || 0 || ET TROJAN AdWare.Win32.Yokbar User-Agent Detected (YOK Agent) || url,doc.emergingthreats.net/2008752 +1 || 2008753 || 3 || trojan-activity || 0 || ET TROJAN AdWare.Win32.Yokbar Checkin URL || url,doc.emergingthreats.net/2008753 +1 || 2008754 || 6 || trojan-activity || 0 || ET TROJAN Possible Rar'd Malware sent when remote host claims to send an Image || url,doc.emergingthreats.net/bin/view/Main/2008754 +1 || 2008755 || 3 || trojan-activity || 0 || ET TROJAN Autorun.qvi Related HTTP Get on Off Port || url,doc.emergingthreats.net/2008755 +1 || 2008756 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Kvadrlson 1.0) || url,doc.emergingthreats.net/bin/view/Main/2008756 +1 || 2008757 || 5 || trojan-activity || 0 || ET MALWARE Zenosearch Malware Checkin HTTP POST || url,doc.emergingthreats.net/bin/view/Main/2008757 +1 || 2008758 || 4 || trojan-activity || 0 || ET TROJAN Mcboo.com/Bundlext.com related Trojan Checkin URL || url,doc.emergingthreats.net/2008758 +1 || 2008759 || 7 || trojan-activity || 0 || ET MALWARE Matcash Trojan Related Spyware Code Download || url,doc.emergingthreats.net/bin/view/Main/2008759 +1 || 2008760 || 6 || trojan-activity || 0 || ET TROJAN Insidebar.co.kr Related Infection Checkin || url,doc.emergingthreats.net/2008760 +1 || 2008765 || 7 || trojan-activity || 0 || ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser) || url,doc.emergingthreats.net/2008765 +1 || 2008766 || 5 || trojan-activity || 0 || ET DELETED Generic Downloader Checkin Url Detected || url,doc.emergingthreats.net/2008766 +1 || 2008767 || 4 || trojan-activity || 0 || ET TROJAN Kangkio User-Agent (lsosss) || url,doc.emergingthreats.net/2008767 +1 || 2008770 || 5 || trojan-activity || 0 || ET P2P Unknown Trojan P2P Data Download || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ || url,doc.emergingthreats.net/2008770 +1 || 2008771 || 7 || trojan-activity || 0 || ET P2P Unknown Trojan P2P Download Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ || url,doc.emergingthreats.net/2008771 +1 || 2008772 || 5 || trojan-activity || 0 || ET P2P Unknown Trojan P2P Request || url,www.chinatechnews.com/2008/07/21/7014-baofengcom-shifts-to-internet-video-sector/ || url,doc.emergingthreats.net/2008772 +1 || 2008776 || 3 || web-application-attack || 0 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1 || url,milw0rm.com/exploits/6738 || cve,CVE-2008-4572 || bugtraq,31729 || url,doc.emergingthreats.net/bin/view/Main/2008776 +1 || 2008777 || 3 || web-application-attack || 0 || ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2 || url,milw0rm.com/exploits/6738 || cve,CVE-2008-4572 || bugtraq,31729 || url,doc.emergingthreats.net/bin/view/Main/2008777 +1 || 2008779 || 4 || unknown || 0 || ET DELETED Unknown Keepalive out || url,doc.emergingthreats.net/bin/view/Main/2008779 +1 || 2008780 || 4 || unknown || 0 || ET DELETED Unknown Keepalive in || url,doc.emergingthreats.net/bin/view/Main/2008780 +1 || 2008781 || 6 || trojan-activity || 0 || ET DELETED Set flow on rar file get || url,doc.emergingthreats.net/2008781 +1 || 2008782 || 5 || trojan-activity || 0 || ET POLICY Possible Trojan File Download bad rar file header (not a valid rar file) || url,www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162 || url,doc.emergingthreats.net/2008782 +1 || 2008783 || 7 || trojan-activity || 0 || ET DELETED Possible Trojan File Download - Rar Requested but not received || url, www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162 || url,doc.emergingthreats.net/2008783 +1 || 2008784 || 6 || trojan-activity || 0 || ET DELETED Lighty Variant or UltimateDefender POST || url,doc.emergingthreats.net/2008784 +1 || 2008785 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aj Square RSS Reader url SQL Injection || url,secunia.com/advisories/32413/ || url,milw0rm.com/exploits/6856 || url,doc.emergingthreats.net/2008785 +1 || 2008786 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PozScripts Classified Auctions id parameter SQL Injection || url,milw0rm.com/exploits/6839 || url,secunia.com/advisories/32373 || url,doc.emergingthreats.net/2008786 +1 || 2008787 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel poll_id parameter SQL Injection || url,milw0rm.com/exploits/6854 || url,secunia.com/advisories/32431 || url,doc.emergingthreats.net/2008787 +1 || 2008788 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 BLOG Engine macgurublog.php uid Parameter SQL Injection || bugtraq,29344 || url,milw0rm.com/exploits/6856 || url,doc.emergingthreats.net/2008788 +1 || 2008789 || 6 || web-application-attack || 0 || ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods || bugtraq,31907 || url,milw0rm.com/exploits/6828 || url,doc.emergingthreats.net/2008789 +1 || 2008790 || 5 || web-application-attack || 0 || ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow || bugtraq,31987 || url,milw0rm.com/exploits/6878 || url,doc.emergingthreats.net/2008790 +1 || 2008791 || 3 || web-application-attack || 0 || ET ACTIVEX Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite || bugtraq,31984 || url,milw0rm.com/exploits/6875 || url,doc.emergingthreats.net/2008791 +1 || 2008792 || 48 || web-application-attack || 0 || ET ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service || bugtraq,31996 || url,doc.emergingthreats.net/2008792 +1 || 2008793 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SFS EZ BIZ PRO track.php id Parameter Remote SQL Injection || url,secunia.com/advisories/32552/ || url,milw0rm.com/exploits/6910 || url,doc.emergingthreats.net/2008793 +1 || 2008794 || 3 || misc-activity || 0 || ET POLICY TeamViewer Keep-alive outbound || url,www.teamviewer.com || url,en.wikipedia.org/wiki/TeamViewer || url,doc.emergingthreats.net/2008794 +1 || 2008795 || 4 || misc-activity || 0 || ET POLICY TeamViewer Keep-alive inbound || url,www.teamviewer.com || url,en.wikipedia.org/wiki/TeamViewer || url,doc.emergingthreats.net/2008795 +1 || 2008797 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (miip) || url,doc.emergingthreats.net/bin/view/Main/2008797 +1 || 2008798 || 5 || trojan-activity || 0 || ET MALWARE Zenosearch Malware Checkin HTTP POST (2) || url,doc.emergingthreats.net/bin/view/Main/2008798 +1 || 2008802 || 8 || trojan-activity || 0 || ET DELETED Possible Downadup/Conficker-A Worm Activity || url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A || url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml || url,doc.emergingthreats.net/bin/view/Main/2008802 +1 || 2008805 || 3 || trojan-activity || 0 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start || url,doc.emergingthreats.net/2008805 +1 || 2008806 || 3 || trojan-activity || 0 || ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response || url,doc.emergingthreats.net/2008806 +1 || 2008807 || 4 || trojan-activity || 0 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start || url,doc.emergingthreats.net/2008807 +1 || 2008808 || 4 || trojan-activity || 0 || ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic || url,doc.emergingthreats.net/2008808 +1 || 2008809 || 9 || web-application-attack || 0 || ET ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple Arbitrary File Overwrite || bugtraq,31979 || url,milw0rm.com/exploits/6871 || url,doc.emergingthreats.net/2008809 +1 || 2008810 || 9 || web-application-attack || 0 || ET ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite || bugtraq,31983 || url,milw0rm.com/exploits/6873 || url,doc.emergingthreats.net/2008810 +1 || 2008811 || 9 || web-application-attack || 0 || ET ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite || bugtraq,31980 || url,milw0rm.com/exploits/6872 || url,doc.emergingthreats.net/2008811 +1 || 2008812 || 9 || web-application-attack || 0 || ET ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite || bugtraq,31974 || url,milw0rm.com/exploits/6870 || url,doc.emergingthreats.net/2008812 +1 || 2008813 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 Plugin lyrics_menu lyrics_song.php l_id Parameter Remote SQL Injection || url,secunia.com/advisories/32477/ || url,milw0rm.com/exploits/6885 || url,doc.emergingthreats.net/2008813 +1 || 2008814 || 9 || web-application-attack || 0 || ET ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method || url,secunia.com/Advisories/32513/ || url,milw0rm.com/exploits/6963 || url,doc.emergingthreats.net/2008814 +1 || 2008815 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SFS EZ Hotscripts-like Site showcategory.php cid Parameter SQL Injection || url,secunia.com/advisories/32536/ || url,milw0rm.com/exploits/6903 || url,doc.emergingthreats.net/2008815 +1 || 2008816 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SFS EZ Hotscripts-like Site software-description.php id Parameter SQL Injection || url,secunia.com/advisories/32536/ || url,milw0rm.com/exploits/6915 || url,doc.emergingthreats.net/2008816 +1 || 2008817 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS YourFreeWorld Autoresponder hosting tr.php id Parameter SQL Injection || url,secunia.com/advisories/32504/ || url,milw0rm.com/exploits/6938 || url,doc.emergingthreats.net/2008817 +1 || 2008818 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS YourFreeWorld Reminder Service tr.php id Parameter SQL Injection || url,secunia.com/advisories/32504/ || url,milw0rm.com/exploits/6943 || url,doc.emergingthreats.net/2008818 +1 || 2008819 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS YourFreeWorld Classifieds Blaster tr.php id Parameter SQL Injection || url,secunia.com/advisories/32504/ || url,milw0rm.com/exploits/6944 || url,doc.emergingthreats.net/2008819 +1 || 2008821 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tours Manager cityview.php cityid Parameter SQL Injection || url,secunia.com/advisories/32503/ || url,milw0rm.com/exploits/6988 || url,doc.emergingthreats.net/2008821 +1 || 2008822 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion || url,secunia.com/advisories/32523/ || url,www.exploit-db.com/exploits/6980/ || url,doc.emergingthreats.net/2008822 +1 || 2008823 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pre Podcast Portal tour.php id SQL Injection || url,secunia.com/advisories/32563/ || url,milw0rm.com/exploits/6997 || url,doc.emergingthreats.net/2008823 +1 || 2008824 || 4 || web-application-attack || 0 || ET DELETED Way Of The Warrior visualizza.php plancia Parameter Local File Inclusion || url,secunia.com/advisories/32515/ || url,milw0rm.com/exploits/6992 || url,doc.emergingthreats.net/2008824 +1 || 2008825 || 3 || web-application-attack || 0 || ET DELETED Way Of The Warrior crea.php plancia Parameter Local File Inclusion || url,secunia.com/advisories/32515/ || url,milw0rm.com/exploits/6992 || url,doc.emergingthreats.net/2008825 +1 || 2008826 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Way Of The Warrior crea.php plancia Remote File Inclusion || url,secunia.com/advisories/32515/ || url,milw0rm.com/exploits/6992 || url,doc.emergingthreats.net/2008826 +1 || 2008827 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TurnkeyForms Business Survey Pro id parameter SQL Injection || url,secunia.com/advisories/32561/ || url,milw0rm.com/exploits/7029 || url,doc.emergingthreats.net/2008827 +1 || 2008828 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Turnkeyforms Software Directory showcategory.php cid parameter SQL Injection || url,secunia.com/advisories/32568/ || url,milw0rm.com/exploits/7027 || url,doc.emergingthreats.net/2008828 +1 || 2008829 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TurnkeyForms Local Classifieds listtest.php r parameter SQL Injection || url,secunia.com/advisories/32591/ || url,milw0rm.com/exploits/7035 || url,doc.emergingthreats.net/2008829 +1 || 2008830 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery cat_id paramter SQL Injection || url,secunia.com/advisories/32593/ || url,milw0rm.com/exploits/7016 || url,doc.emergingthreats.net/2008830 +1 || 2008831 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DevelopItEasy Photo Gallery photo_id paramter SQL Injection || url,secunia.com/advisories/32593/ || url,milw0rm.com/exploits/7016 || url,doc.emergingthreats.net/2008831 +1 || 2008832 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast path parameter Local File Inclusion || url,secunia.com/advisories/32628/ || url,bugreport.ir/index_57.htm || url,doc.emergingthreats.net/2008832 +1 || 2008833 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Enthusiast path parameter Remote File Inclusion || url,secunia.com/advisories/32628/ || url,bugreport.ir/index_57.htm || url,doc.emergingthreats.net/2008833 +1 || 2008834 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DevelopItEasy News And Article aid parameter SQL Injection || url,milw0rm.com/exploits/7014 || url,secunia.com/Advisories/32595/ || url,doc.emergingthreats.net/2008834 +1 || 2008835 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyioSoft EasyBookMarker Parent parameter SQL Injection || url,secunia.com/advisories/32636/ || url,www.exploit-db.com/exploits/7053/ || url,doc.emergingthreats.net/2008835 +1 || 2008837 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Maran PHP Shop id Parameter Remote SQL Injection || bugtraq,32043 || url,frsirt.com/english/advisories/2008/2976 || url,doc.emergingthreats.net/2008837 +1 || 2008838 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DeltaScripts PHP Classifieds siteid parameter Remote SQL Injection || url,frsirt.com/english/advisories/2008/3079 || bugtraq,32191 || url,doc.emergingthreats.net/2008838 +1 || 2008839 || 7 || trojan-activity || 0 || ET MALWARE AdWare.Win32.MWGuide checkin || url,doc.emergingthreats.net/2008839 +1 || 2008840 || 6 || trojan-activity || 0 || ET MALWARE AdWare.Win32.MWGuide keepalive || url,doc.emergingthreats.net/2008840 +1 || 2008841 || 5 || trojan-activity || 0 || ET TROJAN Trojan-PWS.Win32.Small.gs Passwords leak over FTP || url,doc.emergingthreats.net/2008841 +1 || 2008842 || 4 || policy-violation || 0 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access || url,doc.emergingthreats.net/2008842 +1 || 2008843 || 4 || policy-violation || 0 || ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download) || url,doc.emergingthreats.net/2008843 +1 || 2008846 || 4 || trojan-activity || 0 || ET DELETED Worm.Win32.Evolmi Checkin || url,doc.emergingthreats.net/2008846 +1 || 2008847 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Mozil1a) || url,doc.emergingthreats.net/bin/view/Main/2008847 +1 || 2008848 || 7 || trojan-activity || 0 || ET DELETED Worm.Win32.Koobface.C User-Agent || url,doc.emergingthreats.net/2008848 +1 || 2008849 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms add3rdparty.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008849 +1 || 2008850 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addpolling.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008850 +1 || 2008851 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addcontact.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008851 +1 || 2008852 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addbrandnews.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008852 +1 || 2008853 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addnewsletter.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008853 +1 || 2008854 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addgame.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008854 +1 || 2008855 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addtour.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008855 +1 || 2008856 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addarticles.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008856 +1 || 2008857 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addproduct.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008857 +1 || 2008858 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS evision cms addplain.php module parameter Local File Inclusion || bugtraq,32180 || url,milw0rm.com/exploits/7031 || url,doc.emergingthreats.net/2008858 +1 || 2008859 || 5 || trojan-activity || 0 || ET TROJAN Downloader Win32.Small.agoy Checkin || url,www.threatexpert.com/report.aspx?md5=e491d25d82f4928138a0d8b3a6365c39 || url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F || url,doc.emergingthreats.net/2008859 +1 || 2008860 || 3 || misc-activity || 0 || ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set) || url,articles.techrepublic.com.com/5100-10878_11-5875046.html || url,doc.emergingthreats.net/bin/view/Main/2008860 +1 || 2008861 || 4 || misc-activity || 0 || ET TELNET External Telnet Login To Cisco Device || url,articles.techrepublic.com.com/5100-10878_11-5875046.html || url,doc.emergingthreats.net/bin/view/Main/2008861 +1 || 2008862 || 3 || misc-activity || 0 || ET POLICY External Access to Cisco Aironet AP Over HTTP (Post Authentication) || url,supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_HTTPS_on_the_AP || url,doc.emergingthreats.net/bin/view/Main/2008862 +1 || 2008863 || 4 || trojan-activity || 0 || ET TROJAN Virtumonde Variant Reporting to Controller via HTTP (3) || url,www.threatexpert.com/reports.aspx?find=apstpldr.dll.html || url,doc.emergingthreats.net/2008863 +1 || 2008864 || 7 || trojan-activity || 0 || ET TROJAN Koobface Trojan HTTP Post Checkin || url,doc.emergingthreats.net/2008864 +1 || 2008865 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PozScripts Business Directory Script cid parameter SQL Injection || url,frsirt.com/english/advisories/2008/3118 || url,milw0rm.com/exploits/7098 || url,doc.emergingthreats.net/2008865 +1 || 2008866 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClipShare Pro channel_detail.php chid Parameter SQL Injection || bugtraq,32311 || url,milw0rm.com/exploits/7128 || url,doc.emergingthreats.net/2008866 +1 || 2008867 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SlimCMS edit.php pageid Parameter SQL Injection || bugtraq,32300 || url,doc.emergingthreats.net/2008867 +1 || 2008869 || 7 || web-application-attack || 0 || ET ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow || bugtraq,32313 || url,milw0rm.com/exploits/7126 || url,doc.emergingthreats.net/2008869 +1 || 2008870 || 10 || web-application-attack || 0 || ET ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation || bugtraq,32333 || url,milw0rm.com/exploits/7142 || url,doc.emergingthreats.net/2008870 +1 || 2008871 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpFan init.php Remote File Inclusion || bugtraq,32335 || url,milw0rm.com/exploits/7143 || url,doc.emergingthreats.net/2008871 +1 || 2008872 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultrastats serverid parameter SQL Injection || bugtraq,32340 || url,milw0rm.com/exploits/7148 || url,doc.emergingthreats.net/2008872 +1 || 2008873 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPStore Wholesales id Parameter SQL Injection || url,secunia.com/advisories/32741/ || url,packetstorm.linuxsecurity.com/0811-exploits/wholesale-sql.txt || url,doc.emergingthreats.net/2008873 +1 || 2008874 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPStore Yahoo Answers id parameter SQL Injection || url,secunia.com/advisories/32717/ || url,milw0rm.com/exploits/7131 || url,doc.emergingthreats.net/2008874 +1 || 2008875 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Vlog System note parameter SQL Injection || url,secunia.com/advisories/32784/ || url,www.milw0rm.com/exploits/7186 || url,doc.emergingthreats.net/2008875 +1 || 2008878 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR Local File Inclusion || url,secunia.com/advisories/32745/ || url,milw0rm.com/exploits/7155 || url,doc.emergingthreats.net/2008878 +1 || 2008879 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion || url,secunia.com/advisories/32745/ || url,milw0rm.com/exploits/7155 || url,doc.emergingthreats.net/2008879 +1 || 2008880 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PunBB Functions_navlinks.php pun_user language Parameter Local File Inclusion || bugtraq,32360 || url,milw0rm.com/exploits/7159 || url,doc.emergingthreats.net/2008880 +1 || 2008881 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PunBB profile_send.php pun_user language Parameter Local File Inclusion || bugtraq,32360 || url,milw0rm.com/exploits/7159 || url,doc.emergingthreats.net/2008881 +1 || 2008882 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PunBB viewtopic_PM-link.php pun_user language Parameter Local File Inclusion || bugtraq,32360 || url,milw0rm.com/exploits/7159 || url,doc.emergingthreats.net/2008882 +1 || 2008883 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easyedit CMS page.php intpageID parameter sql injection || url,secunia.com/advisories/32822/ || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,doc.emergingthreats.net/2008883 +1 || 2008884 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easyedit CMS subcategory.php intSubCategoryID parameter sql injection || url,secunia.com/advisories/32822/ || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,doc.emergingthreats.net/2008884 +1 || 2008885 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easyedit CMS news.php intPageID parameter sql injection || url,secunia.com/advisories/32822/ || url,packetstormsecurity.org/0811-exploits/easyeditcms-sql.txt || url,doc.emergingthreats.net/2008885 +1 || 2008886 || 6 || web-application-attack || 0 || ET DELETED Microsoft XML Core Services DTD Cross Domain Information Disclosure object || bugtraq,32155 || url,milw0rm.com/exploits/7196 || url,doc.emergingthreats.net/2008886 +1 || 2008887 || 7 || web-application-attack || 0 || ET ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid || bugtraq,32155 || url,milw0rm.com/exploits/7196 || url,doc.emergingthreats.net/2008887 +1 || 2008888 || 5 || trojan-activity || 0 || ET DELETED Gh0st Remote Access Trojan Client Connect || url,doc.emergingthreats.net/2008888 +1 || 2008889 || 5 || trojan-activity || 0 || ET DELETED Gh0st Remote Access Trojan Server Response || url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211 || url,doc.emergingthreats.net/2008889 +1 || 2008891 || 7 || trojan-activity || 0 || ET TROJAN MEREDROP/micr0s0fts.cn Related Checkin || url,doc.emergingthreats.net/2008891 +1 || 2008892 || 7 || trojan-activity || 0 || ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection) || url,doc.emergingthreats.net/2008892 +1 || 2008893 || 9 || trojan-activity || 0 || ET TROJAN Perfect Keylogger Install Email Report || url,doc.emergingthreats.net/2008893 +1 || 2008894 || 7 || trojan-activity || 0 || ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg) || url,doc.emergingthreats.net/2008894 +1 || 2008895 || 6 || web-application-attack || 0 || ET ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite || bugtraq,32664 || url,milw0rm.com/exploits/7358 || url,doc.emergingthreats.net/2008895 +1 || 2008896 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bandwebsite lyrics.php id parameter Sql Injection || url,www.milw0rm.com/exploits/7215 || bugtraq,32454 || url,doc.emergingthreats.net/2008896 +1 || 2008897 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Remote File Inclusion || url,www.exploit-db.com/exploits/7204/ || url,secunia.com/advisories/32824/ || url,doc.emergingthreats.net/2008897 +1 || 2008898 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MODx CMS snippet.reflect.php reflect_base Local File Inclusion || url,www.exploit-db.com/exploits/7204/ || url,secunia.com/advisories/32824/ || url,doc.emergingthreats.net/2008898 +1 || 2008899 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pie RSS module lib parameter remote file inclusion || bugtraq,32465 || url,milw0rm.com/exploits/7225 || url,doc.emergingthreats.net/2008899 +1 || 2008900 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion || url,secunia.com/advisories/32529/ || url,milw0rm.com/exploits/6916 || url,doc.emergingthreats.net/2008900 +1 || 2008901 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ModernBill run_auto_suspend.cron.php DIR Parameter Remote File Inclusion || url,secunia.com/advisories/32529/ || url,milw0rm.com/exploits/6916 || url,doc.emergingthreats.net/2008901 +1 || 2008902 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ModernBill send_email_cache.php DIR Parameter Remote File Inclusion || url,secunia.com/advisories/32529/ || url,milw0rm.com/exploits/6916 || url,doc.emergingthreats.net/2008902 +1 || 2008903 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ModernBill 2checkout_return.inc.php DIR Parameter Remote File Inclusion || url,secunia.com/advisories/32529/ || url,milw0rm.com/exploits/6916 || url,doc.emergingthreats.net/2008903 +1 || 2008904 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ModernBill nettools.popup.php DIR Parameter Remote File Inclusion || url,secunia.com/advisories/32529/ || url,milw0rm.com/exploits/6916 || url,doc.emergingthreats.net/2008904 +1 || 2008905 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Delf-5496 Checkin Error || url,doc.emergingthreats.net/2008905 +1 || 2008906 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Delf-5496 Egg Request || url,doc.emergingthreats.net/2008906 +1 || 2008907 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Delf-5496 File Manager Access Report || url,doc.emergingthreats.net/2008907 +1 || 2008908 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Delf-5496 New Infection Report || url,doc.emergingthreats.net/2008908 +1 || 2008909 || 2 || attempted-user || 0 || ET SQL MSSQL sp_replwritetovarbin - potential memory overwrite case 1 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html || url,doc.emergingthreats.net/bin/view/Main/2008909 +1 || 2008910 || 2 || attempted-user || 0 || ET DELETED MSSQL sp_replwritetovarbin - potential memory overwrite case 2 || url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html || url,doc.emergingthreats.net/bin/view/Main/2008910 +1 || 2008911 || 3 || trojan-activity || 0 || ET TROJAN Spyguarder.com Fake AV Install Report || url,doc.emergingthreats.net/2008911 +1 || 2008912 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Errordigger.com related) || url,doc.emergingthreats.net/bin/view/Main/2008912 +1 || 2008913 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Trojan.Hijack.IrcBot.457 related) || url,doc.emergingthreats.net/bin/view/Main/2008913 +1 || 2008914 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (xr - Worm.Win32.VB.cj related) || url,doc.emergingthreats.net/bin/view/Main/2008914 +1 || 2008915 || 5 || trojan-activity || 0 || ET MALWARE MySideSearch.com Spyware Install || url,doc.emergingthreats.net/bin/view/Main/2008915 +1 || 2008916 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Yandesk) || url,doc.emergingthreats.net/bin/view/Main/2008916 +1 || 2008917 || 4 || trojan-activity || 0 || ET MALWARE Hotbar.com Related Spyware Install Report || url,doc.emergingthreats.net/bin/view/Main/2008917 +1 || 2008918 || 5 || trojan-activity || 0 || ET MALWARE Hotbar.com Related Spyware Activity Report || url,doc.emergingthreats.net/bin/view/Main/2008918 +1 || 2008919 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent pricers.info related (section) || url,doc.emergingthreats.net/bin/view/Main/2008919 +1 || 2008920 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32/PcClient.ZL Checkin || url,doc.emergingthreats.net/2008920 +1 || 2008921 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nitrotech members.php id Parameter SQL Injection || bugtraq,32458 || url,doc.emergingthreats.net/2008921 +1 || 2008922 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nitrotech common.php root Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/29904 || url,milw0rm.com/exploits/7218 || url,doc.emergingthreats.net/2008922 +1 || 2008923 || 3 || web-application-attack || 0 || ET DELETED TxtBlog index.php m Parameter Local File Inclusion || bugtraq,32498 || url,milw0rm.com/exploits/7241 || url,doc.emergingthreats.net/2008923 +1 || 2008924 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rakhi Software Price Comparison Script product.php subcategory_id SQL Injection || bugtraq,32504 || url,milw0rm.com/exploits/7250 || url,doc.emergingthreats.net/2008924 +1 || 2008925 || 8 || web-application-attack || 0 || ET ACTIVEX Microsoft Windows Media Services nskey.dll ActiveX Control Possible Remote Buffer Overflow || bugtraq,30814 || cve,2008-5232 || url,doc.emergingthreats.net/2008925 +1 || 2008926 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Venalsur Booking Centre HotelID Parameter SQL Injection || url,www.milw0rm.com/exploits/7253 || bugtraq,32512 || url,doc.emergingthreats.net/2008926 +1 || 2008927 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Lito Lite CMS cate.php cid parameter Remote SQL Injection || url,www.exploit-db.com/exploits/7294/ || url,secunia.com/advisories/32910/ || url,doc.emergingthreats.net/2008927 +1 || 2008928 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS z1exchange edit.php site parameter SQL injection || bugtraq,32556 || url,milw0rm.com/exploits/7311 || url,doc.emergingthreats.net/2008928 +1 || 2008929 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bcoos adresses module viewcat.php cid Parameter SQL injection || url,secunia.com/Advisories/32870/ || url,milw0rm.com/exploits/7317 || url,doc.emergingthreats.net/2008929 +1 || 2008930 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ParsBlogger blog.asp wr parameter Remote SQL Injection || url,milw0rm.com/exploits/7239 || bugtraq,32488 || url,doc.emergingthreats.net/2008930 +1 || 2008931 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Experts answer.php question_id parameter SQL Injection || cve,2008-5267 || url,milw0rm.com/exploits/5776 || bugtraq,29642 || url,doc.emergingthreats.net/2008931 +1 || 2008932 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SunByte e-Flower popupproduct.php id Parameter SQL Injection || url,www.milw0rm.com/exploits/7323 || bugtraq,32589 || url,doc.emergingthreats.net/2008932 +1 || 2008933 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Check New findoffice.php search parameter Remote SQL Injection || url,www.milw0rm.com/exploits/7328 || bugtraq,32590 || url,doc.emergingthreats.net/2008933 +1 || 2008934 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Turnkey Arcade Script id parameter SQL injection || url,secunia.com/advisories/32890/ || url,milw0rm.com/exploits/7256 || url,doc.emergingthreats.net/2008934 +1 || 2008935 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Werner Hilversum FAQ Manager header.php config_path parameter Remote File Inclusion || bugtraq,32472 || url,milw0rm.com/exploits/7229 || url,doc.emergingthreats.net/2008935 +1 || 2008936 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ASPApps.com Template Creature media_level.asp mcatid parameter SQL Injection || url,www.milw0rm.com/exploits/7339 || bugtraq,32641 || url,doc.emergingthreats.net/2008936 +1 || 2008937 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gravity-gtd rpc.php objectname parameter Local File Inclusion || url,www.milw0rm.com/exploits/7344 || url,secunia.com/advisories/32982/ || url,doc.emergingthreats.net/2008937 +1 || 2008938 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Multi SEO phpBB pfad parameter local file inclusion || url,secunia.com/advisories/32986/ || url,milw0rm.com/exploits/7335 || url,doc.emergingthreats.net/2008938 +1 || 2008939 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wbstreet show.php id parameter Remote SQL Injection || url,www.milw0rm.com/exploits/7337 || bugtraq,32635 || url,doc.emergingthreats.net/2008939 +1 || 2008940 || 6 || trojan-activity || 0 || ET TROJAN DNSChanger.AT or related Infection Checkin Post || url,doc.emergingthreats.net/2008940 +1 || 2008941 || 9 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (HELLO) || url,doc.emergingthreats.net/bin/view/Main/2008941 +1 || 2008942 || 7 || attempted-admin || 0 || ET POLICY Dlink Soho Router Config Page Access Attempt || url,doc.emergingthreats.net/2008942 +1 || 2008943 || 7 || trojan-activity || 0 || ET TROJAN Lop_com or variant Checkin (9kgen_up) || url,www.threatexpert.com/reports.aspx?find=9kgen_up.int || url,doc.emergingthreats.net/2008943 +1 || 2008944 || 4 || trojan-activity || 0 || ET TROJAN TDSServ or Tidserv variant Checkin || url,www.threatexpert.com/reports.aspx?find=%2Fcrcmds%2Fmain || url,doc.emergingthreats.net/2008944 +1 || 2008945 || 6 || trojan-activity || 0 || ET TROJAN dlink router access attempt || url,doc.emergingthreats.net/2008945 +1 || 2008946 || 4 || trojan-activity || 0 || ET TROJAN UpackbyDwing binary in HTTP Download Possibly Hostile || url,www.packetninjas.net || url,doc.emergingthreats.net/2008946 +1 || 2008947 || 5 || trojan-activity || 0 || ET TROJAN UpackbyDwing binary in HTTP (2) Possibly Hostile || url,www.packetninjas.net || url,doc.emergingthreats.net/2008947 +1 || 2008949 || 5 || trojan-activity || 0 || ET TROJAN Win32.Small.yml or Related HTTP Checkin || url,doc.emergingthreats.net/2008949 +1 || 2008950 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Small.yml client registration || url,doc.emergingthreats.net/2008950 +1 || 2008951 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Small.yml client command || url,doc.emergingthreats.net/2008951 +1 || 2008952 || 4 || trojan-activity || 0 || ET TROJAN Win32.Small.yml or Related HTTP Command || url,doc.emergingthreats.net/2008952 +1 || 2008953 || 9 || successful-admin || 0 || ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system || url,doc.emergingthreats.net/bin/view/Main/2008953 +1 || 2008954 || 6 || trojan-activity || 0 || ET DELETED Mac User-Agent Typo Likely Hostile/Trojan Infection || url,doc.emergingthreats.net/2008954 +1 || 2008955 || 7 || trojan-activity || 0 || ET TROJAN Mac User-Agent Typo INBOUND Likely Hostile || url,doc.emergingthreats.net/2008955 +1 || 2008956 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (IE/1.0) || url,doc.emergingthreats.net/bin/view/Main/2008956 +1 || 2008958 || 5 || trojan-activity || 0 || ET TROJAN Waledac Beacon Traffic Detected || url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231 || url,doc.emergingthreats.net/2008958 +1 || 2008961 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPmyGallery lang parameter Local File Inclusion || url,milw0rm.com/exploits/7392 || bugtraq,32705 || url,doc.emergingthreats.net/2008961 +1 || 2008962 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPmyGallery confdir parameter Remote File Inclusion || url,milw0rm.com/exploits/7392 || bugtraq,32705 || url,doc.emergingthreats.net/2008962 +1 || 2008963 || 9 || web-application-attack || 0 || ET ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow || bugtraq,32722 || url,milw0rm.com/exploits/7402 || url,doc.emergingthreats.net/2008963 +1 || 2008964 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS lcxBBportal Alpha portal_block.php phpbb_root_path parameter Remote File Inclusion || url,milw0rm.com/exploits/7341 || bugtraq,32647 || url,doc.emergingthreats.net/2008964 +1 || 2008965 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS lcxBBportal Alpha acp_lcxbbportal.php phpbb_root_path parameter Remote File Inclusion || url,milw0rm.com/exploits/7341 || bugtraq,32647 || url,doc.emergingthreats.net/2008965 +1 || 2008966 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ccTiddly index.php cct_base parameter Remote File Inclusion || url,www.milw0rm.com/exploits/7336 || url,secunia.com/Advisories/32995/ || url,doc.emergingthreats.net/2008966 +1 || 2008967 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ccTiddly proxy.php cct_base parameter Remote File Inclusion || url,www.milw0rm.com/exploits/7336 || url,secunia.com/Advisories/32995/ || url,doc.emergingthreats.net/2008967 +1 || 2008968 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ccTiddly header.php cct_base parameter Remote File Inclusion || url,www.milw0rm.com/exploits/7336 || url,secunia.com/Advisories/32995/ || url,doc.emergingthreats.net/2008968 +1 || 2008969 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ccTiddly include.php cct_base parameter Remote File Inclusion || url,www.milw0rm.com/exploits/7336 || url,secunia.com/Advisories/32995/ || url,doc.emergingthreats.net/2008969 +1 || 2008970 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ccTiddly workspace.php cct_base parameter Remote File Inclusion || url,www.milw0rm.com/exploits/7336 || url,secunia.com/Advisories/32995/ || url,doc.emergingthreats.net/2008970 +1 || 2008972 || 4 || trojan-activity || 0 || ET TROJAN Pointfree.co.kr Trojan/Spyware Infection Checkin || url,doc.emergingthreats.net/2008972 +1 || 2008973 || 5 || trojan-activity || 0 || ET TROJAN onmuz.com Infection Activity || url,doc.emergingthreats.net/2008973 +1 || 2008974 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (Mozilla/4.0 (compatible)) || url,doc.emergingthreats.net/bin/view/Main/2008974 +1 || 2008975 || 12 || trojan-activity || 0 || ET TROJAN Suspicious Malformed Double Accept Header || url,doc.emergingthreats.net/2008975 +1 || 2008976 || 5 || trojan-activity || 0 || ET TROJAN Vundo Variant reporting to Controller via HTTP (1) || url,doc.emergingthreats.net/2008976 +1 || 2008977 || 5 || trojan-activity || 0 || ET TROJAN Vundo Variant reporting to Controller via HTTP (2) || url,doc.emergingthreats.net/2008977 +1 || 2008983 || 6 || trojan-activity || 0 || ET USER_AGENTS Suspicious User Agent (BlackSun) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html || url,doc.emergingthreats.net/bin/view/Main/2008983 +1 || 2008984 || 6 || trojan-activity || 0 || ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report || url,doc.emergingthreats.net/2008984 +1 || 2008985 || 3 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP via whatismyip.com Automation Page - Possible Infection || url,doc.emergingthreats.net/2008985 +1 || 2008986 || 5 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection +1 || 2008987 || 4 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP via showip.net - Possible Infection || url,doc.emergingthreats.net/2008987 +1 || 2008988 || 4 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection || url,doc.emergingthreats.net/2008988 +1 || 2008989 || 4 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP via showmyip.com - Possible Infection || url,doc.emergingthreats.net/2008989 +1 || 2008992 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpAddEdit editform parameter Local File Inclusion || url,milw0rm.com/exploits/7417 || bugtraq,32774 || url,doc.emergingthreats.net/2008992 +1 || 2008993 || 8 || web-application-attack || 0 || ET ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow || url,www.milw0rm.com/exploits/7431 || bugtraq,32613 || url,doc.emergingthreats.net/2008993 +1 || 2008994 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Multiple Membership Script id parameter SQL injection || url,secunia.com/advisories/33019/ || url,milw0rm.com/exploits/7346 || url,doc.emergingthreats.net/2008994 +1 || 2008995 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CF_Calendar calid parameter SQL Injection || url,secunia.com/advisories/33074/ || url,milw0rm.com/exploits/7413 || url,doc.emergingthreats.net/2008995 +1 || 2008996 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion || bugtraq,32811 || url,milw0rm.com/exploits/7444 || url,doc.emergingthreats.net/2008996 +1 || 2008997 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS icash Click&BaneX user_menu.asp ID parameter SQL Injection || url,milw0rm.com/exploits/7484 || bugtraq,32856 || url,doc.emergingthreats.net/2008997 +1 || 2008998 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EvimGibi Pro Resim Galerisi kat_id parameter SQL Injection || url,secunia.com/advisories/33199/ || url,packetstorm.linuxsecurity.com/0812-exploits/evimgibi-sql.txt || url,doc.emergingthreats.net/2008998 +1 || 2008999 || 8 || web-application-attack || 0 || ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow || bugtraq,32814 || url,www.milw0rm.com/exploits/7460 || url,doc.emergingthreats.net/2008999 +1 || 2009000 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RSS Simple News news.php pid parameter Remote SQL Injection || url,www.milw0rm.com/exploits/7541 || bugtraq,32962 || url,doc.emergingthreats.net/2009000 +1 || 2009001 || 4 || policy-violation || 0 || ET POLICY Login Credentials Possibly Passed in URI || url,doc.emergingthreats.net/2009001 +1 || 2009002 || 8 || web-application-attack || 0 || ET ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow || bugtraq,32901 || url,www.milw0rm.com/exploits/7505 || url,doc.emergingthreats.net/2009002 +1 || 2009003 || 7 || trojan-activity || 0 || ET TROJAN Win32/Korklic.A || url,doc.emergingthreats.net/2009003 +1 || 2009004 || 4 || policy-violation || 0 || ET POLICY Login Credentials Possibly Passed in POST Data || url,doc.emergingthreats.net/2009004 +1 || 2009005 || 10 || policy-violation || 0 || ET MALWARE Simbar Spyware User-Agent Detected || url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805 || url,vil.nai.com/vil/content/v_131206.htm || url,doc.emergingthreats.net/bin/view/Main/2009005 +1 || 2009009 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClaSS export.php ftype parameter Information Disclosure || url,secunia.com/advisories/33222 || bugtraq,32929 || url,doc.emergingthreats.net/2009009 +1 || 2009010 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Plugin Page Flip Image Gallery getConfig.php book_id parameter Remote File Disclosure || url,www.milw0rm.com/exploits/7543 || bugtraq,32966 || url,doc.emergingthreats.net/2009010 +1 || 2009011 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rematic CMS referenzdetail.php id parameter SQL Injection || url,secunia.com/advisories/33208/ || url,milw0rm.com/exploits/7502 || url,doc.emergingthreats.net/2009011 +1 || 2009012 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Rematic CMS produkte.php id parameter SQL Injection || url,secunia.com/advisories/33208/ || url,milw0rm.com/exploits/7502 || url,doc.emergingthreats.net/2009012 +1 || 2009013 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebPhotoPro art.php idm Parameter SQL Injection || bugtraq,32829 || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || url,doc.emergingthreats.net/2009013 +1 || 2009014 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebPhotoPro rub.php idr Parameter SQL Injection || bugtraq,32829 || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || url,doc.emergingthreats.net/2009014 +1 || 2009015 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebPhotoPro galeri_info.php ida Parameter SQL Injection || bugtraq,32829 || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || url,doc.emergingthreats.net/2009015 +1 || 2009016 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebPhotoPro galeri_info.php lang Parameter SQL Injection || bugtraq,32829 || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || url,doc.emergingthreats.net/2009016 +1 || 2009017 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebPhotoPro rubrika.php idr Parameter SQL Injection || bugtraq,32829 || url,packetstormsecurity.org/0808-exploits/webphotopro-sql.txt || url,doc.emergingthreats.net/2009017 +1 || 2009018 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Text Lines Rearrange Script filename parameter File Disclosure || url,securityfocus.com/bid/32968 || url,milw0rm.com/exploits/7542 || url,doc.emergingthreats.net/2009018 +1 || 2009019 || 2 || trojan-activity || 0 || ET TROJAN VMProtect Demo version Packed Binary - Likely Hostile || url,www.vmprotect.ru || url,www.packetninjas.net || url,doc.emergingthreats.net/2009019 +1 || 2009020 || 3 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection || url,doc.emergingthreats.net/2009020 +1 || 2009021 || 9 || trojan-activity || 0 || ET MALWARE User-Agent (IE_6.0) || url,doc.emergingthreats.net/bin/view/Main/2009021 +1 || 2009022 || 6 || trojan-activity || 0 || ET TROJAN Zlob User Agent (securityinternet) || url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html || url,doc.emergingthreats.net/2009022 +1 || 2009024 || 13 || trojan-activity || 0 || ET TROJAN Downadup/Conficker A or B Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html || url,doc.emergingthreats.net/bin/view/Main/2009024 +1 || 2009025 || 3 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic Checkin variant 2 || url,doc.emergingthreats.net/2009025 +1 || 2009026 || 3 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic - Status OK (variant 2) || url,doc.emergingthreats.net/2009026 +1 || 2009027 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (FileDownloader) || url,doc.emergingthreats.net/bin/view/Main/2009027 +1 || 2009028 || 9 || attempted-admin || 0 || ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop || url,doc.emergingthreats.net/bin/view/Main/2009028 +1 || 2009029 || 6 || web-application-attack || 0 || ET WEB_SERVER SQL Injection Attempt (Agent NV32ts) || url,doc.emergingthreats.net/2009029 +1 || 2009032 || 9 || trojan-activity || 0 || ET DELETED Armitage Exploit Request || url,doc.emergingthreats.net/2009032 +1 || 2009033 || 7 || policy-violation || 0 || ET POLICY Suspicious Executable (Win exe under 128) || url,doc.emergingthreats.net/2009033 +1 || 2009034 || 7 || policy-violation || 0 || ET POLICY Suspicious Executable (PE offset 160) || url,doc.emergingthreats.net/2009034 +1 || 2009035 || 7 || policy-violation || 0 || ET POLICY Suspicious Executable (PE offset 512) || url,doc.emergingthreats.net/2009035 +1 || 2009036 || 8 || trojan-activity || 0 || ET TROJAN Armitage Loader Check-in || url,doc.emergingthreats.net/2009036 +1 || 2009037 || 2 || trojan-activity || 0 || ET TROJAN Vipdataend C&C Traffic - Checkin (variant 3) || url,doc.emergingthreats.net/2009037 +1 || 2009038 || 3 || attempted-recon || 0 || ET SCAN SQLNinja MSSQL Version Scan || url,sqlninja.sourceforge.net/index.html || url,doc.emergingthreats.net/2009038 +1 || 2009039 || 3 || attempted-recon || 0 || ET SCAN SQLNinja MSSQL XPCmdShell Scan || url,sqlninja.sourceforge.net/index.html || url,doc.emergingthreats.net/2009039 +1 || 2009040 || 4 || attempted-recon || 0 || ET SCAN SQLNinja MSSQL User Scan || url,sqlninja.sourceforge.net/index.html || url,doc.emergingthreats.net/2009040 +1 || 2009041 || 4 || attempted-recon || 0 || ET SCAN SQLNinja MSSQL Database User Rights Scan || url,sqlninja.sourceforge.net/index.html || url,doc.emergingthreats.net/2009041 +1 || 2009042 || 5 || attempted-recon || 0 || ET SCAN SQLNinja MSSQL Authentication Mode Scan || url,sqlninja.sourceforge.net/index.html || url,doc.emergingthreats.net/2009042 +1 || 2009043 || 4 || attempted-admin || 0 || ET SCAN SQLNinja Attempt To Recreate xp_cmdshell Using sp_configure || url,sqlninja.sourceforge.net/index.html || url,doc.emergingthreats.net/2009043 +1 || 2009044 || 4 || attempted-admin || 0 || ET SCAN SQLNinja Attempt To Create xp_cmdshell Session || url,sqlninja.sourceforge.net/index.html || url,doc.emergingthreats.net/2009044 +1 || 2009045 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cfagcms right.php title Parameter SQL Injection || bugtraq,32851 || url,milw0rm.com/exploits/7483 || url,doc.emergingthreats.net/2009045 +1 || 2009046 || 48 || web-application-attack || 0 || ET ACTIVEX Chilkat Socket Activex Remote Arbitrary File Overwrite 1 || bugtraq,32333 || url,milw0rm.com/exploits/7594 || url,doc.emergingthreats.net/2009046 +1 || 2009047 || 8 || web-application-attack || 0 || ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow || bugtraq,33053 || url,milw0rm.com/exploits/7617 || url,doc.emergingthreats.net/2009047 +1 || 2009048 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sepcity Lawyer Portal deptdisplay.asp ID parameter SQL Injection || url,milw0rm.com/exploits/7610 || bugtraq,33040 || url,doc.emergingthreats.net/2009048 +1 || 2009049 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RealtyListings type.asp iType Parameter SQL Injection || url,secunia.com/advisories/33167/ || url,milw0rm.com/exploits/7464 || url,doc.emergingthreats.net/2009049 +1 || 2009050 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RealtyListings detail.asp iPro Parameter SQL Injection || url,secunia.com/advisories/33167/ || url,milw0rm.com/exploits/7464 || url,doc.emergingthreats.net/2009050 +1 || 2009051 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPOF DB_AdoDB.Class.PHP PHPOF_INCLUDE_PATH parameter Remote File Inclusion || bugtraq,25541 || url,doc.emergingthreats.net/2009051 +1 || 2009052 || 3 || trojan-activity || 0 || ET TROJAN Hupigon System Stats Report (I-variant) || url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497 +1 || 2009053 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion || url,securityvulns.com/Odocument913.html || url,doc.emergingthreats.net/2009053 +1 || 2009054 || 8 || trojan-activity || 0 || ET TROJAN Asprox Form Submission to C&C || url,doc.emergingthreats.net/2009054 +1 || 2009055 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pligg check_url.php url parameter SQL Injection || url,milw0rm.com/exploits/7544 || bugtraq,32970 || url,doc.emergingthreats.net/2009055 +1 || 2009056 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pixel8 Web Photo Album AlbumID SQL Injection || url,secunia.com/advisories/33373/ || url,milw0rm.com/exploits/7627 || url,doc.emergingthreats.net/2009056 +1 || 2009057 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PowerNews news.php newsid parameter SQL Injection || url,secunia.com/advisories/33363/ || url,milw0rm.com/exploits/7641 || url,doc.emergingthreats.net/2009057 +1 || 2009058 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WSN Guest search.php search parameter SQL Injection || bugtraq,33097 || url,milw0rm.com/exploits/7659 || url,doc.emergingthreats.net/2009058 +1 || 2009059 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recly Feederator add_tmsp.php mosConfig_absolute_path parameter remote file inclusion || bugtraq,32194 || url,milw0rm.com/exploits/7040 || url,doc.emergingthreats.net/2009059 +1 || 2009060 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recly Feederator edit_tmsp.php mosConfig_absolute_path parameter remote file inclusion || bugtraq,32194 || url,milw0rm.com/exploits/7040 || url,doc.emergingthreats.net/2009060 +1 || 2009061 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recly Feederator subscription.php GLOBALS mosConfig_absolute_path parameter remote file inclusion || bugtraq,32194 || url,milw0rm.com/exploits/7040 || url,doc.emergingthreats.net/2009061 +1 || 2009062 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recly Feederator tmsp.php mosConfig_absolute_path parameter remote file inclusion || bugtraq,32194 || url,milw0rm.com/exploits/7040 || url,doc.emergingthreats.net/2009062 +1 || 2009063 || 8 || web-application-attack || 0 || ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite || bugtraq,33272 || url,doc.emergingthreats.net/2009063 +1 || 2009064 || 8 || web-application-attack || 0 || ET ACTIVEX Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite || bugtraq,33233 || url,milw0rm.com/exploits/7794 || url,doc.emergingthreats.net/2009064 +1 || 2009065 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Daily add_postit.php id Parameter SQL Injection || url,secunia.com/Advisories/32408 || url,milw0rm.com/exploits/6833 || url,doc.emergingthreats.net/2009065 +1 || 2009066 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Daily delete.php id Parameter SQL Injection || url,secunia.com/Advisories/32/32408 || url,milw0rm.com/exploits/6833 || url,doc.emergingthreats.net/2009066 +1 || 2009067 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Fusion Members CV(job) Module members.php sortby parameter SQL injection || bugtraq,33156 || url,milw0rm.com/exploits/7697 || url,doc.emergingthreats.net/2009067 +1 || 2009068 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGaming CMS previews.php browse parameter SQL injection || cve,2008-5841 || bugtraq,31340 || url,milw0rm.com/exploits/6540 || url,doc.emergingthreats.net/2009068 +1 || 2009069 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGaming CMS reviews.php browse parameter SQL injection || cve,2008-5841 || bugtraq,31340 || url,milw0rm.com/exploits/6540 || url,doc.emergingthreats.net/2009069 +1 || 2009070 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpSkelSite TplSuffix parameter local file inclusion || bugtraq,33092 || url,doc.emergingthreats.net/2009070 +1 || 2009071 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpSkelSite theme parameter remote file inclusion || bugtraq,33092 || url,doc.emergingthreats.net/2009071 +1 || 2009073 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 admin_words.php ModName parameter Local File inclusion || bugtraq,33103 || url,doc.emergingthreats.net/2009073 +1 || 2009074 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 admin_groups_reapir.php ModName parameter Local File inclusion || bugtraq,33103 || url,doc.emergingthreats.net/2009074 +1 || 2009075 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PNphpBB2 admin_smilies.php ModName parameter Local File inclusion || bugtraq,33103 || url,doc.emergingthreats.net/2009075 +1 || 2009076 || 16 || bad-unknown || 0 || ET DELETED Nginx Serving PDF - Possible hostile content (PDF) || url,doc.emergingthreats.net/bin/view/Main/2009076 +1 || 2009077 || 3 || trojan-activity || 0 || ET TROJAN TROJ_INJECT.NI Update Request || url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.NI&VSect=T || url,doc.emergingthreats.net/2009077 +1 || 2009078 || 5 || trojan-activity || 0 || ET TROJAN Backdoor Lanfiltrator Checkin || url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642 || url,doc.emergingthreats.net/2009078 +1 || 2009079 || 3 || trojan-activity || 0 || ET TROJAN Delfsnif/Buzus.fte Remote Response || url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html || url,doc.emergingthreats.net/2009079 +1 || 2009080 || 8 || trojan-activity || 0 || ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile || url,doc.emergingthreats.net/2009080 +1 || 2009081 || 10 || trojan-activity || 0 || ET TROJAN Password Stealer - User-Agent (Ucheck) || url,doc.emergingthreats.net/2009081 +1 || 2009082 || 6 || trojan-activity || 0 || ET DELETED Password Stealer Reporting - ?a=%NN&b= || url,doc.emergingthreats.net/2009082 +1 || 2009083 || 6 || not-suspicious || 0 || ET DELETED Set flow on bmp file get || url,doc.emergingthreats.net/2009083 +1 || 2009084 || 9 || trojan-activity || 0 || ET DELETED Possible Trojan File Download - BMP Requested but not received || url,doc.emergingthreats.net/2009084 +1 || 2009085 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS playSMS init.php apps_path plug parameter local file inclusion || url,secunia.com/advisories/33386/ || url,milw0rm.com/exploits/7687 || url,doc.emergingthreats.net/2009085 +1 || 2009086 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter remote file inclusion || url,secunia.com/advisories/33386/ || url,milw0rm.com/exploits/7687 || url,doc.emergingthreats.net/2009086 +1 || 2009087 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS playSMS init.php apps_path themes parameter local file inclusion || url,secunia.com/advisories/33386/ || url,milw0rm.com/exploits/7687 || url,doc.emergingthreats.net/2009087 +1 || 2009088 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter remote file inclusion || url,secunia.com/advisories/33386/ || url,milw0rm.com/exploits/7687 || url,doc.emergingthreats.net/2009088 +1 || 2009089 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS playSMS function.php apps_path libs parameter local file inclusion || url,secunia.com/advisories/33386/ || url,milw0rm.com/exploits/7687 || url,doc.emergingthreats.net/2009089 +1 || 2009090 || 5 || trojan-activity || 0 || ET TROJAN Generic Banker Trojan Downloader Config to client || url,doc.emergingthreats.net/2009090 +1 || 2009091 || 5 || policy-violation || 0 || ET MALWARE Adware/Spyware Trymedia.com EXE download || url,www.browserdefender.com/site/trymedia.com || url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia || url,doc.emergingthreats.net/2009091 +1 || 2009092 || 9 || trojan-activity || 0 || ET DELETED New Malware Information Post || url,doc.emergingthreats.net/2009092 +1 || 2009093 || 5 || trojan-activity || 0 || ET DELETED Backdoor PcClient.CAK.Pakes POST on non-http Port || url,doc.emergingthreats.net/2009093 +1 || 2009094 || 7 || trojan-activity || 0 || ET TROJAN Password Stealer (PSW.Win32.Magania Family) GET || url,www.f-secure.com/v-descs/trojan-psw_w32_magania.shtml || url,www.threatexpert.com/reports.aspx?find=Trojan-PWS.Magania || url,doc.emergingthreats.net/2009094 +1 || 2009095 || 3 || policy-violation || 0 || ET POLICY Newzbin Usenet Reader License Check || url,doc.emergingthreats.net/2009095 +1 || 2009096 || 8 || trojan-activity || 0 || ET TROJAN Tigger.a/Syzor Control Checkin || url,voices.washingtonpost.com/securityfix/2009/02/the_t-i-double-guh-r_trojan_ic.html?wprss=securityfix || url,mnin.blogspot.com/2009/02/why-i-enjoyed-tiggersyzor.html || url,doc.emergingthreats.net/2009096 +1 || 2009097 || 2 || policy-violation || 0 || ET P2P Manolito Connection (1) || url,doc.emergingthreats.net/2009097 +1 || 2009098 || 3 || policy-violation || 0 || ET P2P Manolito Ping || url,doc.emergingthreats.net/2009098 +1 || 2009099 || 3 || policy-violation || 0 || ET P2P ThunderNetwork UDP Traffic || url,xunlei.com || url,en.wikipedia.org/wiki/Xunlei || url,doc.emergingthreats.net/2009099 +1 || 2009100 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SocialEngine browse_classifieds.php Remote SQL Injection || url,secunia.com/advisories/33474/ || url,milw0rm.com/exploits/7730 || url,doc.emergingthreats.net/2009100 +1 || 2009101 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion || bugtraq,33227 || url,milw0rm.com/exploits/7743 || url,doc.emergingthreats.net/2009101 +1 || 2009102 || 8 || web-application-attack || 0 || ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite || bugtraq,33272 || url,doc.emergingthreats.net/2009102 +1 || 2009103 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Free Bible Search readbible.php SQL Injection || bugtraq,33301 || url,milw0rm.com/exploits/7798 || url,doc.emergingthreats.net/2009103 +1 || 2009104 || 8 || web-application-attack || 0 || ET ACTIVEX MetaProducts MetaTreeX ActiveX Control Arbitrary File Overwrite || bugtraq,33318 || url,milw0rm.com/exploits/7804 || url,doc.emergingthreats.net/2009104 +1 || 2009108 || 4 || trojan-activity || 0 || ET TROJAN Parite Setup Connection (tqzn.com related) || url,doc.emergingthreats.net/2009108 +1 || 2009111 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (get_site1) || url,doc.emergingthreats.net/2009111 +1 || 2009114 || 7 || trojan-activity || 0 || ET TROJAN Downadup/Conficker A Worm reporting || url,www.f-secure.com/weblog/archives/00001584.html || url,doc.emergingthreats.net/bin/view/Main/2009114 +1 || 2009115 || 6 || web-application-attack || 0 || ET ACTIVEX JamDTA ActiveX Control SaveToFile Arbitrary File Overwrite || bugtraq,33345 || url,doc.emergingthreats.net/2009115 +1 || 2009117 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easynet4u Link Host directory.php cat_id parameter SQL Injection || bugtraq,31717 || url,www.milw0rm.com/exploits/6728 || url,doc.emergingthreats.net/2009117 +1 || 2009118 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetik.net ESA sayfalar.php KayitNo Parameter SQL Injection || bugtraq,31352 || url,www.milw0rm.com/exploits/6549 || url,doc.emergingthreats.net/2009118 +1 || 2009119 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Jetik.net ESA diger.php KayitNo Parameter SQL Injection || bugtraq,31352 || url,www.milw0rm.com/exploits/6549 || url,doc.emergingthreats.net/2009119 +1 || 2009120 || 9 || web-application-attack || 0 || ET ACTIVEX FlexCell Grid ActiveX Multiple Arbitrary File Overwrite || url,www.milw0rm.com/exploits/7868 || bugtraq,33453 || url,doc.emergingthreats.net/2009120 +1 || 2009121 || 9 || web-application-attack || 0 || ET ACTIVEX NCTsoft NCTAudioFile2 ActiveX Control NCTWMAFILE2.DLL Arbitrary File Overwrite || url,www.milw0rm.com/exploits/7871 || bugtraq,24613 || url,doc.emergingthreats.net/2009121 +1 || 2009122 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wazzum Dating Software profile_view.php userid Parameter SQL Injection || url,www.milw0rm.com/exploits/7877 || url,secunia.com/Advisories/33654/ || url,doc.emergingthreats.net/2009122 +1 || 2009123 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SezHoo SezHooTabsAndActions.php IP Parameter Remote File Inclusion || bugtraq,31756 || url,www.milw0rm.com/exploits/6751 || url,doc.emergingthreats.net/2009123 +1 || 2009124 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (GETJOB) || url,doc.emergingthreats.net/2009124 +1 || 2009125 || 15 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Inject.esi/Comfoo Outbound Communication || url,doc.emergingthreats.net/2009125 || url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ +1 || 2009126 || 8 || trojan-activity || 0 || ET TROJAN Win32/Monkif Downloader Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C || url,doc.emergingthreats.net/2009126 +1 || 2009127 || 7 || trojan-activity || 0 || ET TROJAN General Banker.PWS POST Checkin || url,doc.emergingthreats.net/2009127 +1 || 2009128 || 5 || trojan-activity || 0 || ET TROJAN Bifrose Connect to Controller (PING PONG) || url,doc.emergingthreats.net/2009128 +1 || 2009129 || 5 || trojan-activity || 0 || ET TROJAN Bifrose Response from Controller (PING PONG) || url,doc.emergingthreats.net/2009129 +1 || 2009130 || 3 || trojan-activity || 0 || ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Request || url,doc.emergingthreats.net/2009130 +1 || 2009131 || 3 || trojan-activity || 0 || ET TROJAN Overtoolbar.net Backdoor ICMP Checkin Response || url,doc.emergingthreats.net/2009131 +1 || 2009132 || 6 || web-application-attack || 0 || ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (body) || url,doc.emergingthreats.net/2009132 +1 || 2009133 || 6 || web-application-attack || 0 || ET WEB_CLIENT Internet Explorer javascript onUnload http spliting attempt (img) || url,doc.emergingthreats.net/2009133 +1 || 2009134 || 6 || web-application-attack || 0 || ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt (body) || url,doc.emergingthreats.net/2009134 +1 || 2009135 || 6 || web-application-attack || 0 || ET WEB_CLIENT Internet Explorer javascript onURLFlip http spliting attempt || url,doc.emergingthreats.net/2009135 +1 || 2009136 || 6 || web-application-attack || 0 || ET ACTIVEX Web on Windows ActiveX Insecure Methods || bugtraq,33515 || url,xforce.iss.net/xforce/xfdb/48337 || url,doc.emergingthreats.net/2009136 +1 || 2009137 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Realty dpage.php docID parameter SQL Injection || url,secunia.com/advisories/31484/ || url,packetstorm.linuxsecurity.com/0808-exploits/phprealty-sql.txt || url,doc.emergingthreats.net/2009137 +1 || 2009138 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Synactis All_IN_THE_BOX ActiveX SaveDoc Method Arbitrary File Overwrite || url,milw0rm.com/exploits/7928 || bugtraq,33535 || url,doc.emergingthreats.net/2009138 +1 || 2009139 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Million Pixel Ad Script tops_top.php id_cat parameter SQL Injection || url,secunia.com/advisories/31626/ || url,milw0rm.com/exploits/6044 || url,doc.emergingthreats.net/2009139 +1 || 2009140 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ReVou Micro Blogging user_updates.php user Parameter SQL Injection || url,milw0rm.com/exploits/7925 || bugtraq,33540 || url,doc.emergingthreats.net/2009140 +1 || 2009141 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MiNBank utdb_access.php minsoft_path Parameter Remote File Inclusion || bugtraq,31492 || url,milw0rm.com/exploits/6632 || url,doc.emergingthreats.net/2009141 +1 || 2009142 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MiNBank utgn_message.php minsoft_path Parameter Remote File Inclusion || bugtraq,31492 || url,milw0rm.com/exploits/6632 || url,doc.emergingthreats.net/2009142 +1 || 2009143 || 37 || web-application-attack || 0 || ET ACTIVEX ACTIVEX PPMate PPMedia Class ActiveX Control Buffer Overflow || cve,2008-3242 || url,secunia.com/advisories/30952 || url,milw0rm.com/exploits/6090 || url,doc.emergingthreats.net/2009143 +1 || 2009144 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sourdough neededFiles Parameter Remote File Inclusion || url,doc.emergingthreats.net/2009144 +1 || 2009145 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Syntax Desktop preview.php synTarget Parameter Local File Inclusion || url,www.milw0rm.com/exploits/7977 || bugtraq,33601 || url,doc.emergingthreats.net/2009145 +1 || 2009146 || 4 || web-application-activity || 0 || ET ATTACK_RESPONSE Possible ASPXSpy Request || url,doc.emergingthreats.net/2009146 +1 || 2009147 || 4 || web-application-activity || 0 || ET ATTACK_RESPONSE Possible ASPXSpy Related Activity || url,doc.emergingthreats.net/2009147 +1 || 2009149 || 4 || web-application-activity || 0 || ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt || url,doc.emergingthreats.net/2009149 +1 || 2009150 || 6 || trojan-activity || 0 || ET MALWARE Viruskill.co.kr Fake AV User-Agent Detected (virus_kill) || url,doc.emergingthreats.net/2009150 +1 || 2009151 || 8 || web-application-attack || 0 || ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP) || url,doc.emergingthreats.net/2009151 +1 || 2009152 || 8 || web-application-attack || 0 || ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTPS) || url,doc.emergingthreats.net/2009152 +1 || 2009153 || 8 || web-application-attack || 0 || ET WEB_SERVER PHP Generic Remote File Include Attempt (FTP) || url,doc.emergingthreats.net/2009153 +1 || 2009154 || 8 || attempted-recon || 0 || ET SCAN Automated Injection Tool User-Agent (AutoGetColumn) || url,doc.emergingthreats.net/2009154 +1 || 2009155 || 8 || web-application-attack || 0 || ET WEB_SERVER PHP Generic Remote File Include Attempt (FTPS) || url,doc.emergingthreats.net/2009155 +1 || 2009156 || 9 || trojan-activity || 0 || ET TROJAN Koobface Checkin via POST || url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094 || url,doc.emergingthreats.net/2009156 +1 || 2009157 || 6 || trojan-activity || 0 || ET MALWARE Fake AV User-Agent (N1) || url,doc.emergingthreats.net/2009157 +1 || 2009158 || 4 || attempted-recon || 0 || ET SCAN WebShag Web Application Scan Detected || url,www.scrt.ch/pages_en/outils.html || url,doc.emergingthreats.net/2009158 +1 || 2009159 || 7 || attempted-recon || 0 || ET SCAN Toata Scanner User-Agent Detected || url,isc.sans.org/diary.html?storyid=5599 || url,doc.emergingthreats.net/2009159 +1 || 2009160 || 8 || web-application-attack || 0 || ET ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/8059 || url,doc.emergingthreats.net/2009160 +1 || 2009161 || 8 || web-application-attack || 0 || ET ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite || url,xforce.iss.net/xforce/xfdb/48773 || url,milw0rm.com/exploits/8059 || url,doc.emergingthreats.net/2009161 +1 || 2009162 || 8 || web-application-attack || 0 || ET ACTIVEX GeoVision LiveX_v8120 ActiveX Control Arbitrary File Overwrite || url,xforce.iss.net/xforce/xfdb/48773 || url,milw0rm.com/exploits/8059 || url,doc.emergingthreats.net/2009162 +1 || 2009163 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GBook header.php abspath Parameter Remote File Inclusion || url,secunia.com/advisories/33768/ || url,milw0rm.com/exploits/7955 || url,doc.emergingthreats.net/2009163 +1 || 2009164 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS openEngine filepool.php oe_classpath parameter Remote File Inclusion || bugtraq,31423 || url,milw0rm.com/exploits/6585 || url,doc.emergingthreats.net/2009164 +1 || 2009165 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Barcode Generator LSTable.php class_dir parameter Remote File Inclusion || bugtraq,31419 || url,milw0rm.com/exploits/6575 || url,doc.emergingthreats.net/2009165 +1 || 2009166 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Concord Consortium CoAST header.php sections_file parameter remote file inclusion || bugtraq,31461 || url,milw0rm.com/exploits/6598 || url,doc.emergingthreats.net/2009166 +1 || 2009167 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion || url,milw0rm.com/exploits/8016 || bugtraq,33698 || url,doc.emergingthreats.net/2009167 +1 || 2009168 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Papoo CMS message_class.php pfadhier Local File Inclusion || bugtraq,33718 || url,milw0rm.com/exploits/8030 || url,doc.emergingthreats.net/2009168 +1 || 2009169 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Thyme export.php export_to Parameter Local File Inclusion || bugtraq,33731 || url,milw0rm.com/exploits/8029 || url,doc.emergingthreats.net/2009169 +1 || 2009170 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Psyb0t Code Download || url,www.adam.com.au/bogaurd/PSYB0T.pdf || url,doc.emergingthreats.net/2009170 +1 || 2009171 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Psyb0t Bot Nick || url,www.adam.com.au/bogaurd/PSYB0T.pdf || url,doc.emergingthreats.net/2009171 +1 || 2009172 || 2 || trojan-activity || 0 || ET TROJAN Psyb0t joining an IRC Channel || url,www.adam.com.au/bogaurd/PSYB0T.pdf || url,doc.emergingthreats.net/2009172 +1 || 2009173 || 5 || trojan-activity || 0 || ET TROJAN Possible Vundo Trojan Variant reporting to Controller || url,doc.emergingthreats.net/2009173 +1 || 2009174 || 4 || trojan-activity || 0 || ET TROJAN Possible Vundo EXE Download Attempt || url,doc.emergingthreats.net/2009174 +1 || 2009175 || 6 || trojan-activity || 0 || ET DELETED Zbot/Zeus C&C Access || url,doc.emergingthreats.net/2009175 +1 || 2009178 || 8 || web-application-attack || 0 || ET ACTIVEX Nokia Phoenix Service Software ActiveX Control Buffer Overflow || bugtraq,33726 || url,doc.emergingthreats.net/2009178 +1 || 2009179 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Remote File Inclusion || url,secunia.com/advisories/33865/ || url,milw0rm.com/exploits/8017 || url,doc.emergingthreats.net/2009179 +1 || 2009180 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Remote File Inclusion || url,secunia.com/advisories/33865/ || url,milw0rm.com/exploits/8017 || url,doc.emergingthreats.net/2009180 +1 || 2009181 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SnippetMaster vars.inc.php _SESSION Parameter Local File Inclusion || url,secunia.com/advisories/33865/ || url,milw0rm.com/exploits/8017 || url,doc.emergingthreats.net/2009181 +1 || 2009182 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SnippetMaster pcltar.lib.php g_pcltar_lib_dir Parameter Local File Inclusion || url,secunia.com/advisories/33865/ || url,milw0rm.com/exploits/8017 || url,doc.emergingthreats.net/2009182 +1 || 2009184 || 8 || web-application-attack || 0 || ET ACTIVEX FathFTP ActiveX DeleteFile Arbitrary File Deletion || bugtraq,33842 || url,xforce.iss.net/xforce/xfdb/48837 || url,doc.emergingthreats.net/2009184 +1 || 2009185 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS A Better Member-Based ASP Photo Gallery view.asp entry parameter SQL injection || bugtraq,33693 || url,milw0rm.com/exploits/8012 || url,doc.emergingthreats.net/2009185 +1 || 2009186 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Auto Listings Script moreinfo.php itemno Parameter SQL Injection || bugtraq,32131 || url,milw0rm.com/exploits/7003 || url,doc.emergingthreats.net/2009186 +1 || 2009187 || 7 || web-application-attack || 0 || ET ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion || bugtraq,33867 || bugtraq,33942 || url,doc.emergingthreats.net/2009187 +1 || 2009188 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gapicms toolbar.php dirDepth Parameter Remote File Inclusion || url,vupen.com/english/advisories/2008/2059 || url,milw0rm.com/exploits/6036 || url,doc.emergingthreats.net/2009188 +1 || 2009190 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Remote File Inclusion || url,milw0rm.com/exploits/8066 || url,secunia.com/advisories/33959/ || url,doc.emergingthreats.net/2009190 +1 || 2009191 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS YACS update_trailer.php context Parameter Local File Inclusion || url,milw0rm.com/exploits/8066 || url,secunia.com/advisories/33959/ || url,doc.emergingthreats.net/2009191 +1 || 2009192 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMS Faethon info.php item Parameter SQL Injection || bugtraq,33775 || url,milw0rm.com/exploits/8054 || url,doc.emergingthreats.net/2009192 +1 || 2009194 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X7 Chat mini.php help_file Parameter Local File Inclusion || url,milw0rm.com/exploits/6592 || bugtraq,31460 || url,doc.emergingthreats.net/2009194 +1 || 2009195 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Local File Inclusion || url,secunia.com/advisories/31947/ || url,milw0rm.com/exploits/6533 || url,doc.emergingthreats.net/2009195 +1 || 2009196 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Basebuilder main.inc.php mj_config Parameter Remote File inclusion || url,secunia.com/advisories/31947/ || url,milw0rm.com/exploits/6533 || url,doc.emergingthreats.net/2009196 +1 || 2009198 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kalptaru Infotech Product Sale Framework customer.forumtopic.php forum_topic_id parameter SQL Injection || cve,2008-5590 || bugtraq,32672 || url,www.exploit-db.com/exploits/7368/ || url,doc.emergingthreats.net/2009198 +1 || 2009199 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Script Toko Online shop_display_products.php cat_id Parameter SQL Injection || cve,CVE-2009-0296 || url,secunia.com/advisories/33661/ || url,milw0rm.com/exploits/7873 || url,doc.emergingthreats.net/2009199 +1 || 2009200 || 6 || trojan-activity || 0 || ET TROJAN Conficker.a Shellcode || url,www.honeynet.org/node/388 || url,doc.emergingthreats.net/2009200 +1 || 2009201 || 6 || trojan-activity || 0 || ET TROJAN Conficker.b Shellcode || url,www.honeynet.org/node/388 || url,doc.emergingthreats.net/2009201 +1 || 2009202 || 8 || trojan-activity || 0 || ET DELETED GhostNet Trojan Reporting || url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network || url,doc.emergingthreats.net/2009202 +1 || 2009203 || 5 || trojan-activity || 0 || ET TROJAN Alman Dropper Checkin || url,doc.emergingthreats.net/2009203 +1 || 2009204 || 7 || trojan-activity || 0 || ET TROJAN Crypt.CFI.Gen Checkin || url,doc.emergingthreats.net/2009204 +1 || 2009205 || 5 || trojan-activity || 0 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1) || url,mtc.sri.com/Conficker/addendumC/ || url,doc.emergingthreats.net/2009205 +1 || 2009206 || 4 || trojan-activity || 0 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4) || url,mtc.sri.com/Conficker/addendumC/ || url,doc.emergingthreats.net/2009206 +1 || 2009207 || 4 || trojan-activity || 0 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5) || url,mtc.sri.com/Conficker/addendumC/ || url,doc.emergingthreats.net/2009207 +1 || 2009208 || 4 || trojan-activity || 0 || ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16) || url,mtc.sri.com/Conficker/addendumC/ || url,doc.emergingthreats.net/2009208 +1 || 2009209 || 5 || trojan-activity || 0 || ET TROJAN Rogue A/V Win32/FakeXPA GET Request || url,doc.emergingthreats.net/2009209 +1 || 2009210 || 3 || trojan-activity || 0 || ET ATTACK_RESPONSE Unusual FTP Server Banner (fuckFtpd) || url,doc.emergingthreats.net/2009210 +1 || 2009211 || 3 || trojan-activity || 0 || ET ATTACK_RESPONSE Unusual FTP Server Banner (NzmxFtpd) || url,doc.emergingthreats.net/2009211 +1 || 2009212 || 5 || trojan-activity || 0 || ET TROJAN Zbot/Zeus Dropper Infection - /check || url,doc.emergingthreats.net/2009212 +1 || 2009213 || 6 || trojan-activity || 0 || ET TROJAN Zbot/Zeus Dropper Infection - /loads.php || url,doc.emergingthreats.net/2009213 +1 || 2009215 || 5 || trojan-activity || 0 || ET TROJAN Farfli HTTP Checkin Activity || url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b || url,doc.emergingthreats.net/2009215 +1 || 2009216 || 7 || attempted-admin || 0 || ET DELETED Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit || cve,2008-5457 || url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html || url,doc.emergingthreats.net/2009216 +1 || 2009217 || 6 || attempted-admin || 0 || ET SCAN Tomcat admin-admin login credentials || url,tomcat.apache.org || url,doc.emergingthreats.net/2009217 +1 || 2009218 || 7 || attempted-admin || 0 || ET SCAN Tomcat admin-blank login credentials || url,tomcat.apache.org || url,doc.emergingthreats.net/2009218 +1 || 2009219 || 3 || successful-admin || 0 || ET SCAN Tomcat Successful default credential login from external source || url,tomcat.apache.org || url,doc.emergingthreats.net/2009219 +1 || 2009220 || 4 || successful-admin || 0 || ET SCAN Tomcat upload from external source || url,tomcat.apache.org || url,doc.emergingthreats.net/2009220 +1 || 2009222 || 7 || trojan-activity || 0 || ET MALWARE NewWeb User-Agent (Lobo Lunar) || url,doc.emergingthreats.net/2009222 +1 || 2009223 || 8 || trojan-activity || 0 || ET TROJAN Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1) || md5,208e5551efce47ac6c95691715c12e46 || md5,735dff747d0c7ce74dde31547b2b5750 || md5,a84a144677a786c6855fd4899d024948 +1 || 2009224 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter local file inclusion || url,secunia.com/advisories/33927/ || bugtraq,33774 || url,milw0rm.com/exploits/8052 || url,doc.emergingthreats.net/2009224 +1 || 2009225 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion || url,secunia.com/advisories/33927/ || bugtraq,33774 || url,milw0rm.com/exploits/8052 || url,doc.emergingthreats.net/2009225 +1 || 2009226 || 8 || web-application-attack || 0 || ET ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution || bugtraq,33920 || url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt || url,doc.emergingthreats.net/2009226 +1 || 2009227 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eFiction toplists.php list Parameter SQL Injection || url,secunia.com/advisories/30606/ || url,milw0rm.com/exploits/5785 || url,doc.emergingthreats.net/2009227 +1 || 2009228 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AlstraSoft Video Share Enterprise album.php UID Parameter SQL Injection || cve,CVE-2008-3386 || url,www.milw0rm.com/exploits/6092 || url,secunia.com/advisories/31134/ || url,doc.emergingthreats.net/2009228 +1 || 2009229 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Remote File Inclusion || url,secunia.com/advisories/33732/ || cve,CVE-2009-0441 || url,milw0rm.com/exploits/7965 || url,doc.emergingthreats.net/2009229 +1 || 2009230 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TECHNOTE shop_this_skin_path Paramter Local File Inclusion || url,secunia.com/advisories/33732/ || cve,CVE-2009-0441 || url,milw0rm.com/exploits/7965 || url,doc.emergingthreats.net/2009230 +1 || 2009231 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Local File Inclusion || cve,CVE-2008-2898 || url,secunia.com/advisories/30778/ || url,milw0rm.com/exploits/5904 || url,doc.emergingthreats.net/2009231 +1 || 2009232 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hedgehog CMS footer.php c_temp_path Remote File Inclusion || cve,CVE-2008-2898 || url,secunia.com/advisories/30778/ || url,milw0rm.com/exploits/8028 || url,doc.emergingthreats.net/2009232 +1 || 2009233 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hedgehog CMS header.php c_temp_path Remote File Inclusion || cve,CVE-2008-2898 || url,secunia.com/advisories/30778/ || url,milw0rm.com/exploits/5904 || url,doc.emergingthreats.net/2009233 +1 || 2009234 || 5 || policy-violation || 0 || ET MALWARE Adware-Mirar Reporting (BAR) || url,doc.emergingthreats.net/2009234 +1 || 2009235 || 5 || trojan-activity || 0 || ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download || url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2 || url,www.packetninjas.net || url,doc.emergingthreats.net/2009235 +1 || 2009236 || 9 || trojan-activity || 0 || ET MALWARE Pigeon.AYX/AVKill Related User-Agent (CTTBasic) || url,doc.emergingthreats.net/2009236 +1 || 2009238 || 2 || trojan-activity || 0 || ET TROJAN PcClient Backdoor Checkin Packet 1 || url,doc.emergingthreats.net/2009238 +1 || 2009239 || 2 || trojan-activity || 0 || ET TROJAN PcClient Backdoor Checkin || url,doc.emergingthreats.net/2009239 +1 || 2009240 || 8 || trojan-activity || 0 || ET TROJAN General Win32 Backdoor Checkin POST Packet 1 || url,doc.emergingthreats.net/2009240 +1 || 2009241 || 6 || trojan-activity || 0 || ET TROJAN General Win32 Backdoor Checkin POST || url,doc.emergingthreats.net/2009241 +1 || 2009242 || 3 || trojan-activity || 0 || ET TROJAN LDPinch Reporting infection via Email || url,doc.emergingthreats.net/2009242 +1 || 2009243 || 2 || bad-unknown || 0 || ET POLICY HSRP Active Router Changed || url,packetlife.net/blog/2008/oct/27/hijacking-hsrp/ || url,doc.emergingthreats.net/2009243 +1 || 2009244 || 2 || bad-unknown || 0 || ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request || url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf || url,doc.emergingthreats.net/2009244 +1 || 2009245 || 2 || bad-unknown || 0 || ET ATTACK_RESPONSE Cisco TclShell TFTP Download || url,wwww.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf || url,doc.emergingthreats.net/2009245 +1 || 2009246 || 3 || shellcode-detect || 0 || ET SHELLCODE Bindshell2 Decoder Shellcode || url,doc.emergingthreats.net/2009246 +1 || 2009247 || 3 || shellcode-detect || 0 || ET SHELLCODE Rothenburg Shellcode || url,doc.emergingthreats.net/2009247 +1 || 2009248 || 3 || shellcode-detect || 0 || ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode || url,doc.emergingthreats.net/2009248 +1 || 2009249 || 3 || shellcode-detect || 0 || ET SHELLCODE Adenau Shellcode || url,doc.emergingthreats.net/2009249 +1 || 2009250 || 3 || shellcode-detect || 0 || ET SHELLCODE Mainz/Bielefeld Shellcode || url,doc.emergingthreats.net/2009250 +1 || 2009251 || 3 || shellcode-detect || 0 || ET SHELLCODE Wuerzburg Shellcode || url,doc.emergingthreats.net/2009251 +1 || 2009252 || 3 || shellcode-detect || 0 || ET SHELLCODE Schauenburg Shellcode || url,doc.emergingthreats.net/2009252 +1 || 2009253 || 3 || shellcode-detect || 0 || ET SHELLCODE Koeln Shellcode || url,doc.emergingthreats.net/2009253 +1 || 2009254 || 3 || shellcode-detect || 0 || ET SHELLCODE Lichtenfels Shellcode || url,doc.emergingthreats.net/2009254 +1 || 2009255 || 3 || shellcode-detect || 0 || ET SHELLCODE Mannheim Shellcode || url,doc.emergingthreats.net/2009255 +1 || 2009256 || 3 || shellcode-detect || 0 || ET SHELLCODE Berlin Shellcode || url,doc.emergingthreats.net/2009256 +1 || 2009257 || 3 || shellcode-detect || 0 || ET SHELLCODE Leimbach Shellcode || url,doc.emergingthreats.net/2009257 +1 || 2009258 || 3 || shellcode-detect || 0 || ET SHELLCODE Aachen Shellcode || url,doc.emergingthreats.net/2009258 +1 || 2009259 || 3 || shellcode-detect || 0 || ET SHELLCODE Furth Shellcode || url,doc.emergingthreats.net/2009259 +1 || 2009260 || 3 || shellcode-detect || 0 || ET SHELLCODE Langenfeld Shellcode || url,doc.emergingthreats.net/2009260 +1 || 2009261 || 3 || shellcode-detect || 0 || ET SHELLCODE Bonn Shellcode || url,doc.emergingthreats.net/2009261 +1 || 2009262 || 3 || shellcode-detect || 0 || ET SHELLCODE Siegburg Shellcode || url,doc.emergingthreats.net/2009262 +1 || 2009263 || 3 || shellcode-detect || 0 || ET SHELLCODE Plain1 Shellcode || url,doc.emergingthreats.net/2009263 +1 || 2009264 || 3 || shellcode-detect || 0 || ET SHELLCODE Plain2 Shellcode || url,doc.emergingthreats.net/2009264 +1 || 2009265 || 3 || shellcode-detect || 0 || ET SHELLCODE Bindshell1 Decoder Shellcode || url,doc.emergingthreats.net/2009265 +1 || 2009266 || 2 || shellcode-detect || 0 || ET SHELLCODE Bindshell1 Decoder Shellcode (UDP) || url,doc.emergingthreats.net/2009266 +1 || 2009267 || 2 || shellcode-detect || 0 || ET SHELLCODE Plain2 Shellcode (UDP) || url,doc.emergingthreats.net/2009267 +1 || 2009268 || 2 || shellcode-detect || 0 || ET SHELLCODE Plain1 Shellcode (UDP) || url,doc.emergingthreats.net/2009268 +1 || 2009269 || 2 || shellcode-detect || 0 || ET SHELLCODE Siegburg Shellcode (UDP) || url,doc.emergingthreats.net/2009269 +1 || 2009270 || 2 || shellcode-detect || 0 || ET SHELLCODE Bonn Shellcode (UDP) || url,doc.emergingthreats.net/2009270 +1 || 2009271 || 2 || shellcode-detect || 0 || ET SHELLCODE Langenfeld Shellcode (UDP) || url,doc.emergingthreats.net/2009271 +1 || 2009272 || 2 || shellcode-detect || 0 || ET SHELLCODE Furth Shellcode (UDP) || url,doc.emergingthreats.net/2009272 +1 || 2009273 || 2 || shellcode-detect || 0 || ET SHELLCODE Aachen Shellcode (UDP) || url,doc.emergingthreats.net/2009273 +1 || 2009274 || 2 || shellcode-detect || 0 || ET SHELLCODE Leimbach Shellcode (UDP) || url,doc.emergingthreats.net/2009274 +1 || 2009275 || 2 || shellcode-detect || 0 || ET SHELLCODE Berlin Shellcode (UDP) || url,doc.emergingthreats.net/2009275 +1 || 2009276 || 2 || shellcode-detect || 0 || ET SHELLCODE Mannheim Shellcode (UDP) || url,doc.emergingthreats.net/2009276 +1 || 2009277 || 2 || shellcode-detect || 0 || ET SHELLCODE Lichtenfels Shellcode (UDP) || url,doc.emergingthreats.net/2009277 +1 || 2009278 || 2 || shellcode-detect || 0 || ET SHELLCODE Koeln Shellcode (UDP) || url,doc.emergingthreats.net/2009278 +1 || 2009279 || 2 || shellcode-detect || 0 || ET SHELLCODE Schauenburg Shellcode (UDP) || url,doc.emergingthreats.net/2009279 +1 || 2009280 || 2 || shellcode-detect || 0 || ET SHELLCODE Wuerzburg Shellcode (UDP) || url,doc.emergingthreats.net/2009280 +1 || 2009281 || 2 || shellcode-detect || 0 || ET SHELLCODE Mainz/Bielefeld Shellcode (UDP) || url,doc.emergingthreats.net/2009281 +1 || 2009282 || 2 || shellcode-detect || 0 || ET SHELLCODE Adenau Shellcode (UDP) || url,doc.emergingthreats.net/2009282 +1 || 2009283 || 2 || shellcode-detect || 0 || ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP) || url,doc.emergingthreats.net/2009283 +1 || 2009284 || 2 || shellcode-detect || 0 || ET SHELLCODE Rothenburg Shellcode (UDP) || url,doc.emergingthreats.net/2009284 +1 || 2009285 || 2 || shellcode-detect || 0 || ET SHELLCODE Bindshell2 Decoder Shellcode (UDP) || url,doc.emergingthreats.net/2009285 +1 || 2009286 || 3 || bad-unknown || 0 || ET SCAN Modbus Scanning detected || url,code.google.com/p/modscan/ || url,www.rtaautomation.com/modbustcp/ || url,doc.emergingthreats.net/2009286 +1 || 2009287 || 7 || trojan-activity || 0 || ET TROJAN CoreFlooder C&C Checkin (2) || url,doc.emergingthreats.net/2009287 +1 || 2009288 || 56 || web-application-attack || 0 || ET WEB_SERVER Attack Tool Revolt Scanner || url,www.Whitehatsecurityresponse.blogspot.com || url,doc.emergingthreats.net/2009288 +1 || 2009289 || 6 || trojan-activity || 0 || ET MALWARE No-ad.co.kr Fake AV Related User-Agent (U2Clean) || url,doc.emergingthreats.net/2009289 +1 || 2009290 || 2 || trojan-activity || 0 || ET DELETED Possible Hupigon Connect || url,doc.emergingthreats.net/2009290 +1 || 2009291 || 2 || trojan-activity || 0 || ET DELETED Hupigon CnC Client Status || url,doc.emergingthreats.net/2009291 +1 || 2009292 || 2 || trojan-activity || 0 || ET DELETED Hupigon CnC Server Response || url,doc.emergingthreats.net/2009292 +1 || 2009293 || 1 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2009293 +1 || 2009294 || 1 || policy-violation || 0 || ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2) || url,www.beachnet.com/~hstiles/cardtype.html || url,doc.emergingthreats.net/2009294 +1 || 2009295 || 9 || trojan-activity || 0 || ET USER_AGENTS Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0) || url,doc.emergingthreats.net/2009295 +1 || 2009296 || 6 || trojan-activity || 0 || ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin || url,doc.emergingthreats.net/2009296 +1 || 2009297 || 6 || trojan-activity || 0 || ET TROJAN Boaxxe HTTP POST Checkin || url,doc.emergingthreats.net/2009297 +1 || 2009298 || 3 || attempted-recon || 0 || ET SCAN Port Unreachable Response to Xprobe2 OS Fingerprint Scan || url,xprobe.sourceforge.net/ || url,doc.emergingthreats.net/2009298 +1 || 2009299 || 6 || trojan-activity || 0 || ET TROJAN General Trojan Downloader || url,doc.emergingthreats.net/2009299 +1 || 2009300 || 6 || trojan-activity || 0 || ET TROJAN Small.zon checkin || url,doc.emergingthreats.net/2009300 +1 || 2009301 || 6 || policy-violation || 0 || ET DELETED Megaupload file download service access || url,doc.emergingthreats.net/2009301 +1 || 2009302 || 7 || policy-violation || 0 || ET POLICY Badongo file download service access || url,doc.emergingthreats.net/2009302 +1 || 2009303 || 4 || policy-violation || 0 || ET POLICY MediaFire file download service access || url,doc.emergingthreats.net/2009303 +1 || 2009304 || 4 || policy-violation || 0 || ET POLICY Gigasize file download service access || url,doc.emergingthreats.net/2009304 +1 || 2009305 || 6 || trojan-activity || 0 || ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin || url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d || url,doc.emergingthreats.net/2009305 +1 || 2009306 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Local File Inclusion || url,milw0rm.com/exploits/8195 || bugtraq,34074 || url,doc.emergingthreats.net/2009306 +1 || 2009307 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/8195 || bugtraq,34074 || url,doc.emergingthreats.net/2009307 +1 || 2009308 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Local File Inclusion || url,milw0rm.com/exploits/8195 || bugtraq,34074 || url,doc.emergingthreats.net/2009308 +1 || 2009309 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/8195 || bugtraq,34074 || url,doc.emergingthreats.net/2009309 +1 || 2009310 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Local File Inclusion || url,milw0rm.com/exploits/8195 || bugtraq,34074 || url,doc.emergingthreats.net/2009310 +1 || 2009311 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid ST_countries.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/8195 || bugtraq,34074 || url,doc.emergingthreats.net/2009311 +1 || 2009312 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Local File Inclusion || url,milw0rm.com/exploits/8195 || bugtraq,34074 || url,doc.emergingthreats.net/2009312 +1 || 2009313 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion || url,milw0rm.com/exploits/8195 || bugtraq,34074 || url,doc.emergingthreats.net/2009313 +1 || 2009314 || 9 || web-application-attack || 0 || ET ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete || bugtraq,34200 || url,milw0rm.com/exploits/8257 || url,doc.emergingthreats.net/2009314 +1 || 2009315 || 8 || web-application-attack || 0 || ET ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite || url,milw0rm.com/exploits/8332 || url,securityfocus.com/archive/1/502319 || url,doc.emergingthreats.net/2009315 +1 || 2009316 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS YapBB class_yapbbcooker.php cfgIncludeDirectory Parameter Remote File Inclusion || bugtraq,30686 || url,doc.emergingthreats.net/2009316 +1 || 2009317 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DesktopOnNet don3_requiem.php app_path Parameter Remote File Inclusion || cve,2008-2649 || url,xforce.iss.net/xforce/xfdb/42790 || url,milw0rm.com/exploits/5715 || url,doc.emergingthreats.net/2009317 +1 || 2009318 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DesktopOnNet frontpage.php app_path Parameter Remote File Inclusion || cve,2008-2649 || url,xforce.iss.net/xforce/xfdb/42790 || url,milw0rm.com/exploits/5715 || url,doc.emergingthreats.net/2009318 +1 || 2009319 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DeZine DZcms products.php pcat parameter SQL injection || bugtraq,33194 || url,milw0rm.com/exploits/7722 || url,doc.emergingthreats.net/2009319 +1 || 2009320 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS rgboard _footer.php skin_path parameter local file inclusion || bugtraq,33621 || url,milw0rm.com/exploits/7978 || url,doc.emergingthreats.net/2009320 +1 || 2009321 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS rgboard footer.php _path parameter remote file inclusion || bugtraq,33621 || url,milw0rm.com/exploits/7978 || url,doc.emergingthreats.net/2009321 +1 || 2009322 || 7 || web-application-attack || 0 || ET ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution || bugtraq,34004 || url,milw0rm.com/exploits/8160 || url,doc.emergingthreats.net/2009322 +1 || 2009323 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Demium CMS tracking.php follow_kat Parameter SQL Injection || bugtraq,33933 || url,milw0rm.com/exploits/8124 || url,doc.emergingthreats.net/2009323 +1 || 2009324 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Demium CMS urheber.php name Parameter Local File Inclusion || bugtraq,33933 || url,milw0rm.com/exploits/8124 || url,doc.emergingthreats.net/2009324 +1 || 2009325 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phPortal gunaysoft.php icerikyolu Parameter Remote File Inclusion || bugtraq,30064 || cve,CVE-2008-3022 || url,xforce.iss.net/xforce/xfdb/43569 || url,doc.emergingthreats.net/2009325 +1 || 2009326 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phPortal gunaysoft.php sayfaid Parameter Remote File Inclusion || bugtraq,30064 || cve,CVE-2008-3022 || url,xforce.iss.net/xforce/xfdb/43569 || url,doc.emergingthreats.net/2009326 +1 || 2009327 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phPortal gunaysoft.php uzanti Parameter Remote File Inclusion || bugtraq,30064 || cve,CVE-2008-3022 || url,xforce.iss.net/xforce/xfdb/43569 || url,doc.emergingthreats.net/2009327 +1 || 2009328 || 8 || web-application-attack || 0 || ET ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution || bugtraq,34115 || url,milw0rm.com/exploits/8206 || url,doc.emergingthreats.net/2009328 +1 || 2009329 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ZABBIX locales.php srclang Parameter Local File Inclusion || url,secunia.com/advisories/34091/ || url,milw0rm.com/exploits/8140 || bugtraq,33965 || url,doc.emergingthreats.net/2009329 +1 || 2009330 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyForum centre.php padmin Parameter Local File Inclusion || url,vupen.com/english/advisories/2008/2938 || url,www.exploit-db.com/exploits/6846/ || url,doc.emergingthreats.net/2009330 +1 || 2009331 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS tinyCMS templater.php Local File Inclusion || url,milw0rm.com/exploits/6287 || bugtraq,30785 || url,doc.emergingthreats.net/2009331 +1 || 2009332 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter local file inclusion || url,secunia.com/advisories/30784/ || url,milw0rm.com/exploits/5906 || url,doc.emergingthreats.net/2009332 +1 || 2009333 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion || url,secunia.com/advisories/30784/ || url,milw0rm.com/exploits/5906 || url,doc.emergingthreats.net/2009333 +1 || 2009334 || 30 || web-application-attack || 0 || ET ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite || url,milw0rm.com/exploits/8208 || bugtraq,23934 || url,doc.emergingthreats.net/2009334 +1 || 2009335 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS nicLOR CMS-School showarticle.php aID Parameter SQL Injection || bugtraq,32112 || url,milw0rm.com/exploits/6982 || url,xforce.iss.net/xforce/xfdb/46330 || url,doc.emergingthreats.net/2009335 +1 || 2009345 || 8 || attempted-recon || 0 || ET ATTACK_RESPONSE HTTP 401 Unauthorized || url,doc.emergingthreats.net/2009345 +1 || 2009346 || 9 || attempted-recon || 0 || ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack || url,doc.emergingthreats.net/2009346 +1 || 2009347 || 6 || trojan-activity || 0 || ET TROJAN Tigger.a/Syzor Checkin || url,doc.emergingthreats.net/2009347 +1 || 2009349 || 6 || trojan-activity || 0 || ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity || url,doc.emergingthreats.net/2009349 +1 || 2009350 || 4 || trojan-activity || 0 || ET TROJAN Win32.Hupigon Control Server Response || url,doc.emergingthreats.net/2009350 +1 || 2009351 || 8 || trojan-activity || 0 || ET TROJAN Urlzone/Bebloh Communication with Controller || url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td || url,doc.emergingthreats.net/2009351 +1 || 2009353 || 9 || trojan-activity || 0 || ET TROJAN Bredolab Downloader Communicating With Controller (1) || url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B || url,doc.emergingthreats.net/2009353 +1 || 2009354 || 9 || trojan-activity || 0 || ET TROJAN Bredolab Downloader Communicating With Controller (2) || url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B || url,doc.emergingthreats.net/2009354 +1 || 2009355 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (runUpdater.html) || url,doc.emergingthreats.net/2009355 +1 || 2009356 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (runPatch.html) || url,doc.emergingthreats.net/2009356 +1 || 2009358 || 5 || web-application-attack || 0 || ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine) || url,doc.emergingthreats.net/2009358 +1 || 2009359 || 3 || web-application-attack || 0 || ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap NSE) || url,doc.emergingthreats.net/2009359 +1 || 2009360 || 10 || trojan-activity || 0 || ET TROJAN Bredolab Check In || url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/ || url,doc.emergingthreats.net/2009360 +1 || 2009361 || 5 || attempted-recon || 0 || ET WEB_SERVER cmd.exe In URI - Possible Command Execution Attempt || url,doc.emergingthreats.net/2009361 +1 || 2009362 || 5 || attempted-recon || 0 || ET WEB_SERVER /system32/ in Uri - Possible Protected Directory Access Attempt || url,doc.emergingthreats.net/2009362 +1 || 2009363 || 6 || attempted-admin || 0 || ET WEB_SERVER Suspicious Chmod Usage in URI || url,doc.emergingthreats.net/2009363 +1 || 2009364 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin linkadmin.php page Parameter Remote File Inclusion || url,milw0rm.com/exploits/8216 || bugtraq,34129 || url,doc.emergingthreats.net/2009364 +1 || 2009365 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Beerwins PHPLinkAdmin edlink.php linkid Parameter SQL Injection || url,milw0rm.com/exploits/8216 || bugtraq,34129 || url,doc.emergingthreats.net/2009365 +1 || 2009366 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasySiteNetwork Riddles Complete Website riddle.php riddleid Parameter SQL Injection || bugtraq,29966 || url,milw0rm.com/exploits/5946 || url,doc.emergingthreats.net/2009366 +1 || 2009367 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cmsWorks lib.module.php mod_root Parameter Remote File Inclusion || url,milw0rm.com/exploits/5921 || bugtraq,29914 || url,doc.emergingthreats.net/2009367 +1 || 2009368 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DeluxeBB misc.php qorder Parameter SQL Injection || bugtraq,34174 || url,milw0rm.com/exploits/8240 || url,doc.emergingthreats.net/2009368 +1 || 2009369 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Simple RSS Reader admin.rssreader.php mosConfig_live_site Parameter Remote File Inclusion || url,vupen.com/english/advisories/2008/3119 || bugtraq,32265 || url,www.exploit-db.com/exploits/7096/ || url,doc.emergingthreats.net/2009369 +1 || 2009370 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Boonex Dolphin HTMLSax3.php Remote File Inclusion || url,milw0rm.com/exploits/6024 || bugtraq,30136 || url,doc.emergingthreats.net/2009370 +1 || 2009371 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Boonex Dolphin safehtml.php Remote File Inclusion || url,milw0rm.com/exploits/6024 || bugtraq,30136 || url,doc.emergingthreats.net/2009371 +1 || 2009372 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Boonex Dolphin content.inc.php Remote File Inclusion || url,milw0rm.com/exploits/6024 || bugtraq,30136 || url,doc.emergingthreats.net/2009372 +1 || 2009373 || 8 || web-application-attack || 0 || ET ACTIVEX Symantec Norton Ghost EasySetupInt.dll ActiveX Multiple Remote Denial of Service || url,milw0rm.com/exploits/8523 || bugtraq,34696 || url,doc.emergingthreats.net/2009373 +1 || 2009374 || 10 || trojan-activity || 0 || ET TROJAN Virut Counter/Check-in || url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0 || url,doc.emergingthreats.net/2009374 +1 || 2009375 || 3 || policy-violation || 0 || ET CHAT General MSN Chat Activity || url,www.hypothetic.org/docs/msn/general/http_examples.php || url,doc.emergingthreats.net/2009375 +1 || 2009376 || 5 || policy-violation || 0 || ET CHAT MSN User-Agent Activity || url,www.hypothetic.org/docs/msn/general/http_examples.php || url,doc.emergingthreats.net/2009376 +1 || 2009377 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter local file inclusion || url,secunia.com/advisories/34485/ || bugtraq,34265 || url,milw0rm.com/exploits/8291 || url,doc.emergingthreats.net/2009377 +1 || 2009378 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Acute Control Panel container.php theme_directory parameter remote file inclusion || url,secunia.com/advisories/34485/ || bugtraq,34265 || url,milw0rm.com/exploits/8291 || url,doc.emergingthreats.net/2009378 +1 || 2009379 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter remote file inclusion || url,secunia.com/advisories/34485/ || bugtraq,34265 || url,milw0rm.com/exploits/8291 || url,doc.emergingthreats.net/2009379 +1 || 2009380 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Acute Control Panel header.php theme_directory parameter local file inclusion || url,secunia.com/advisories/34485/ || bugtraq,34265 || url,milw0rm.com/exploits/8291 || url,doc.emergingthreats.net/2009380 +1 || 2009381 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Interact embedforum.php Remote File Inclusion || url,milw0rm.com/exploits/5526 || bugtraq,28996 || url,doc.emergingthreats.net/2009381 +1 || 2009382 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Agares Media ThemeSiteScript frontpage_right.php Remote File Inclusion || bugtraq,31959 || url,milw0rm.com/exploits/6859 || url,vupen.com/english/advisories/2008/2959 || url,doc.emergingthreats.net/2009382 +1 || 2009383 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Local File Inclusion || url,secunia.com/advisories/32551 || bugtraq,32135 || url,www.exploit-db.com/exploits/7002/ || url,doc.emergingthreats.net/2009383 +1 || 2009384 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Dada Mail Manager Component config.dadamail.php GLOBALS Parameter Remote File Inclusion || url,secunia.com/advisories/32551 || bugtraq,32135 || url,www.exploit-db.com/exploits/7002/ || url,doc.emergingthreats.net/2009384 +1 || 2009385 || 7 || web-application-attack || 0 || ET ACTIVEX Symantec WinFax Pro DCCFAXVW.DLL Heap Buffer Overflow || bugtraq,34766 || url,milw0rm.com/exploits/8562 || url,doc.emergingthreats.net/2009385 +1 || 2009386 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Interact lib.inc.php Remote File Inclusion || url,milw0rm.com/exploits/5526 || bugtraq,28996 || url,doc.emergingthreats.net/2009386 +1 || 2009387 || 4 || attempted-admin || 0 || ET POLICY PPTP Requester is not authorized to establish a command channel || url,tools.ietf.org/html/rfc2637 || url,doc.emergingthreats.net/2009387 || url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-June/002705.html +1 || 2009388 || 5 || trojan-activity || 0 || ET TROJAN Bredolab Downloader Response Binaries from Controller || url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B || url,doc.emergingthreats.net/2009388 +1 || 2009389 || 9 || trojan-activity || 0 || ET DELETED Tornado Pack Binary Request || url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html +1 || 2009390 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPizabi dac.php sendChatData Parameter Local File Inclusion || url,milw0rm.com/exploits/8268 || bugtraq,34213 || url,doc.emergingthreats.net/2009390 +1 || 2009391 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Onguma Time Sheet Component onguma.class.php mosConfig_absolute_path Parameter Remote File Inclusion || bugtraq,32095 || cve,CVE-2008-6347 || url,www.exploit-db.com/exploits/6976/ || url,doc.emergingthreats.net/2009391 +1 || 2009393 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS YouTube Blog cuerpo.php base_archivo Local File Inclusion || url,milw0rm.com/exploits/6117 || bugtraq,30345 || url,secunia.com/advisories/31161 || url,doc.emergingthreats.net/2009393 +1 || 2009394 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GDL gdl.php node Parameter SQL Injection || bugtraq,34144 || url,milw0rm.com/exploits/8228 || url,doc.emergingthreats.net/2009394 +1 || 2009395 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Remote File Inclusion || cve,CVE-2008-5063 || url,vupen.com/english/advisories/2008/3093 || url,secunia.com/advisories/32645 || url,doc.emergingthreats.net/2009395 +1 || 2009396 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OTManager ADM_Pagina.php Tipo Local File Inclusion || cve,CVE-2008-5063 || url,vupen.com/english/advisories/2008/3093 || url,secunia.com/advisories/32645 || url,doc.emergingthreats.net/2009396 +1 || 2009397 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpProfiles body_comm.inc.php content parameter remote file inclusion || bugtraq,27952 || url,milw0rm.com/exploits/5175 || url,doc.emergingthreats.net/2009397 +1 || 2009398 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion || url,milw0rm.com/exploits/5902 || bugtraq,29877 || url,doc.emergingthreats.net/2009398 +1 || 2009399 || 8 || web-application-attack || 0 || ET ACTIVEX Autodesk IDrop Indicator ActiveX Control Memory Corruption || url,secunia.com/advisories/34563/ || url,archives.neohapsis.com/archives/fulldisclosure/2009-04/0020.html || url,vupen.com/english/advisories/2009/0942 || url,milw0rm.com/exploits/8560 || url,doc.emergingthreats.net/2009399 +1 || 2009400 || 8 || attempted-user || 0 || ET ACTIVEX Microsoft Communications Control Clsid Access || url,www.microsoft.com/technet/security/advisory/969898.mspx || url,doc.emergingthreats.net/2009400 +1 || 2009401 || 26 || attempted-user || 0 || ET ACTIVEX Microgaming FlashXControl Control Clsid Access || url,www.microsoft.com/technet/security/advisory/969898.mspx || url,www.microgaming.co.uk/news_flashxcontrol.php || url,doc.emergingthreats.net/2009401 +1 || 2009402 || 9 || attempted-user || 0 || ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (1) || url,www.kb.cert.org/vuls/id/983731 || url,www.microsoft.com/technet/security/advisory/969898.mspx || url,pages.ebay.com/securitycenter/activex/index.html || url,doc.emergingthreats.net/2009402 +1 || 2009403 || 9 || attempted-user || 0 || ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (2) || url,www.kb.cert.org/vuls/id/983731 || url,www.microsoft.com/technet/security/advisory/969898.mspx || url,pages.ebay.com/securitycenter/activex/index.html || url,doc.emergingthreats.net/2009403 +1 || 2009404 || 8 || attempted-user || 0 || ET ACTIVEX HP Virtual Rooms Control Clsid Access || url,www.microsoft.com/technet/security/advisory/969898.mspx || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01678405 || url,doc.emergingthreats.net/2009404 +1 || 2009405 || 4 || trojan-activity || 0 || ET TROJAN Personal Defender 2009 - prinimalka.py || url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/ || url,doc.emergingthreats.net/2009405 +1 || 2009406 || 4 || trojan-activity || 0 || ET TROJAN Personal Defender 2009 - trash.py || url,malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/ || url,doc.emergingthreats.net/2009406 +1 || 2009407 || 2 || trojan-activity || 0 || ET TROJAN Koobface BLACKLABEL || url,blog.threatexpert.com/2008/12/koobface-leaves-victims-black-spot.html || url,doc.emergingthreats.net/2009407 +1 || 2009408 || 8 || trojan-activity || 0 || ET TROJAN Patcher/Bankpatch V2 Communication with Controller || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBanker.O +1 || 2009409 || 5 || trojan-activity || 0 || ET TROJAN Patcher/Bankpatch Module Download Request || url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2 || url,doc.emergingthreats.net/2009409 +1 || 2009410 || 5 || trojan-activity || 0 || ET TROJAN Gozi check-in / update || url,www.secureworks.com/research/threats/gozi || url,doc.emergingthreats.net/2009410 +1 || 2009411 || 10 || attempted-user || 0 || ET ACTIVEX McAfee ePolicy Orchestrator naPolicyManager.dll Arbitrary Data Write Attempt || url,www.securitytracker.com/alerts/2009/Jun/1022413.html || url,www.packetstormsecurity.com/0906-exploits/mcafee-activex.txt || url,doc.emergingthreats.net/2009411 +1 || 2009412 || 11 || trojan-activity || 0 || ET DELETED Generic Trojan Checkin || url,doc.emergingthreats.net/2009412 +1 || 2009413 || 4 || attempted-dos || 0 || ET DELETED Possible Slowloris Tool HTTP/Proxy Denial Of Service Attempt || url,isc.sans.org/diary.html?storyid=6601 || url,www.packetstormsecurity.com/filedesc/slowloris.pl.txt.html || url,doc.emergingthreats.net/2009413 +1 || 2009414 || 5 || attempted-dos || 0 || ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack || url,doc.emergingthreats.net/2009414 +1 || 2009415 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PhpBlock basicfogfactory.class.php PATH_TO_CODE Parameter Remote File Inclusion || bugtraq,28588 || url,milw0rm.com/exploits/5348 || url,doc.emergingthreats.net/2009415 +1 || 2009416 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS txtSQL startup.php CFG Parameter Remote File Inclusion || bugtraq,30625 || url,milw0rm.com/exploits/6224 || url,doc.emergingthreats.net/2009416 +1 || 2009417 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Blogplus block_center_down.php Local File Inclusion || url,milw0rm.com/exploits/8290 || bugtraq,34261 || url,secunia.com/advisories/34480/ || url,doc.emergingthreats.net/2009417 +1 || 2009418 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Blogplus block_center_top.php Local File Inclusion || url,milw0rm.com/exploits/8290 || bugtraq,34261 || url,secunia.com/advisories/34480/ || url,doc.emergingthreats.net/2009418 +1 || 2009420 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Blogplus block_left.php Local File Inclusion || url,milw0rm.com/exploits/8290 || bugtraq,34261 || url,secunia.com/advisories/34480/ || url,doc.emergingthreats.net/2009420 +1 || 2009421 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Blogplus block_right.php Local File Inclusion || url,milw0rm.com/exploits/8290 || bugtraq,34261 || url,secunia.com/advisories/34480/ || url,doc.emergingthreats.net/2009421 +1 || 2009422 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Blogplus window_down.php Local File Inclusion || url,milw0rm.com/exploits/8290 || bugtraq,34261 || url,secunia.com/advisories/34480/ || url,doc.emergingthreats.net/2009422 +1 || 2009423 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Blogplus window_top.php Local File Inclusion || url,milw0rm.com/exploits/8290 || bugtraq,34261 || url,secunia.com/advisories/34480/ || url,doc.emergingthreats.net/2009423 +1 || 2009424 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AjaxPortal ajaxp_backend.php page Parameter SQL Injection || url,milw0rm.com/exploits/8341 || bugtraq,34338 || url,doc.emergingthreats.net/2009424 +1 || 2009425 || 10 || web-application-attack || 0 || ET ACTIVEX BaoFeng Storm ActiveX Control OnBeforeVideoDownload Method Buffer Overflow || bugtraq,34789 || url,milw0rm.com/exploits/8579 || url,doc.emergingthreats.net/2009425 +1 || 2009427 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grape Web Statistics functions.php location Parameter Remote File Inclusion || bugtraq,28838 || url,juniper.net/security/auto/vulnerabilities/vuln28838.html || url,milw0rm.com/exploits/5463 || url,doc.emergingthreats.net/2009427 +1 || 2009428 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ExBB threadstop.php exbb Parameter Local File Inclusion || bugtraq,28686 || url,milw0rm.com/exploits/5405 || url,doc.emergingthreats.net/2009428 +1 || 2009429 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CAT2 spaw_control.class.php spaw_root Parameter Local File Inclusion || url,xforce.iss.net/xforce/xfdb/43536 || bugtraq,30042 || url,milw0rm.com/exploits/5983 || url,doc.emergingthreats.net/2009429 +1 || 2009430 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mole viewsource.php fname Parameter Local File Inclusion || url,milw0rm.com/exploits/5394 || url,secunia.com/advisories/29685 || bugtraq,28659 || url,doc.emergingthreats.net/2009430 +1 || 2009431 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Local File Inclusion || url,secunia.com/advisories/29797 || bugtraq,28748 || url,www.exploit-db.com/exploits/5429/ || url,doc.emergingthreats.net/2009431 +1 || 2009432 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NewsOffice news_show.php newsoffice_directory Parameter Remote File Inclusion || url,secunia.com/advisories/29797 || bugtraq,28748 || url,www.exploit-db.com/exploits/5429/ || url,doc.emergingthreats.net/2009432 +1 || 2009434 || 6 || web-application-attack || 0 || ET ACTIVEX Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow || url,xforce.iss.net/xforce/xfdb/50508 || bugtraq,34931 || url,milw0rm.com/exploits/8665 || url,doc.emergingthreats.net/2009434 +1 || 2009435 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion || url,xforce.iss.net/xforce/xfdb/41867 || url,secunia.com/advisories/29870 || url,milw0rm.com/exploits/5459 || url,doc.emergingthreats.net/2009435 +1 || 2009436 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Local File Inclusion || url,xforce.iss.net/xforce/xfdb/41867 || url,secunia.com/advisories/29870 || url,milw0rm.com/exploits/5459 || url,doc.emergingthreats.net/2009436 +1 || 2009437 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mole viewsource.php dirn Parameter Local File Inclusion || url,milw0rm.com/exploits/5394 || url,secunia.com/advisories/29685 || bugtraq,28659 || url,doc.emergingthreats.net/2009437 +1 || 2009438 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (Mozilla/4.8 ru) || url,doc.emergingthreats.net/2009438 +1 || 2009439 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (HelpSrvc) || url,doc.emergingthreats.net/2009439 +1 || 2009440 || 6 || trojan-activity || 0 || ET DELETED Suspicious User Agent (Internet Antivirus Pro) || url,doc.emergingthreats.net/2009440 +1 || 2009441 || 6 || trojan-activity || 0 || ET TROJAN Swizzor Family GET || url,www.threatexpert.com/report.aspx?md5=ed06e3cd6f57fc260194bf9fa224181e || url,doc.emergingthreats.net/2009441 +1 || 2009442 || 10 || trojan-activity || 0 || ET TROJAN Murlo Trojan Checkin || url,doc.emergingthreats.net/2009442 +1 || 2009443 || 5 || trojan-activity || 0 || ET TROJAN NoBo Downloader Dropper GET || url,www.spynomore.com/trojan-nobo-v1-3.htm || url,doc.emergingthreats.net/2009443 +1 || 2009444 || 5 || trojan-activity || 0 || ET TROJAN Virut Family GET || url,www.f-secure.com/v-descs/virus_w32_virut.shtml || url,www.spywareremove.com/removeVirusVirutr.html || url,www.malwaredomainlist.com/mdl.php?search=lgate.php&colsearch=All&quantity=50 || url,www.threatexpert.com/reports.aspx?find=virut&x=0&y=0 || url,doc.emergingthreats.net/2009444 +1 || 2009445 || 10 || trojan-activity || 0 || ET MALWARE User-Agent (AgavaDwnl) - Possibly Xema || url,doc.emergingthreats.net/2009445 +1 || 2009446 || 8 || trojan-activity || 0 || ET POLICY trymedia.com User-Agent (Macrovision_DM) || url,doc.emergingthreats.net/2009445 +1 || 2009447 || 7 || trojan-activity || 0 || ET TROJAN TSPY_BANKER.IDV/Infostealer.Bancos Module Download || url,doc.emergingthreats.net/2009447 +1 || 2009448 || 5 || trojan-activity || 0 || ET TROJAN Zbot/Beomok/PSW - HTTP POST || url,doc.emergingthreats.net/2009448 +1 || 2009449 || 4 || trojan-activity || 0 || ET TROJAN Trash Family - HTTP POST || url,www.spywareguide.com/product_show.php?id=1935 || url,www.sunbeltsecurity.com/threatdisplay.aspx?name=Trojan.Trash.Gen&tid=178782&cs=03253E96A71C3EE824071E5BE3A32CCD || url,doc.emergingthreats.net/2009449 +1 || 2009450 || 6 || trojan-activity || 0 || ET TROJAN Atya Dropper Possible Rootkit - HTTP GET || url,www.paretologic.com/resources/definitions.aspx?remove=%41%67%65%6e%74%20%41%74%79%61%20%54%72%6f%6a%61%6e || url,doc.emergingthreats.net/2009450 +1 || 2009451 || 6 || trojan-activity || 0 || ET TROJAN Common Trojan HTTP GET Logging || url,www.virustotal.com/analisis/df09ec9ec4e5caa42db9d08e0f9d34b378e301a1eeb3aa1e6dbd0de1aa4a66be-1246158969 || url,doc.emergingthreats.net/2009451 +1 || 2009453 || 6 || trojan-activity || 0 || ET TROJAN BANLOAD Downloader GET Checkin || url,www.sophos.com/security/analyses/viruses-and-spyware/trojbanloe.html || url,doc.emergingthreats.net/2009453 +1 || 2009454 || 6 || trojan-activity || 0 || ET DELETED Parite.B GET || url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B || url,www.pctools.com/mrc/infections/id/Virus.Parite.B/ || url,www.threatexpert.com/threats/w32-parite-b.html || url,doc.emergingthreats.net/2009454 +1 || 2009455 || 7 || trojan-activity || 0 || ET TROJAN FAKE AV HTTP CnC Post || url,doc.emergingthreats.net/2009455 +1 || 2009456 || 5 || trojan-activity || 0 || ET DELETED Suspicious User Agent (ClickAdsByIE) || url,doc.emergingthreats.net/2009445 +1 || 2009457 || 6 || trojan-activity || 0 || ET TROJAN Virut Counter/Check-in || url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0 || url,doc.emergingthreats.net/2009457 +1 || 2009458 || 8 || trojan-activity || 0 || ET TROJAN Win32/Sisron/BackDoor.Cybergate.1 Checkin || url,doc.emergingthreats.net/2009458 +1 || 2009459 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Orlando CMS classes init.php GLOBALS Parameter Remote File Inclusion || bugtraq,29820 || url,milw0rm.com/exploits/5864 || url,doc.emergingthreats.net/2009459 +1 || 2009460 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Orlando CMS newscat.php GLOBALS Parameter Remote File Inclusion || bugtraq,29820 || url,milw0rm.com/exploits/5864 || url,doc.emergingthreats.net/2009460 +1 || 2009461 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Orlando CMS init.php GLOBALS Parameter Local File Inclusion || bugtraq,29820 || url,milw0rm.com/exploits/5864 || url,doc.emergingthreats.net/2009461 +1 || 2009462 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Orlando CMS stage1.php GLOBALS Parameter Local File Inclusion || bugtraq,29820 || url,milw0rm.com/exploits/5864 || url,doc.emergingthreats.net/2009462 +1 || 2009463 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Orlando CMS stage4.php GLOBALS Parameter Local File Inclusion || bugtraq,29820 || url,milw0rm.com/exploits/5864 || url,doc.emergingthreats.net/2009463 +1 || 2009464 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Orlando CMS stage6.php GLOBALS Parameter Local File Inclusion || bugtraq,29820 || url,milw0rm.com/exploits/5864 || url,doc.emergingthreats.net/2009464 +1 || 2009466 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion || bugtraq,32192 || url,milw0rm.com/exploits/7039 || url,doc.emergingthreats.net/2009466 +1 || 2009467 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion || bugtraq,32192 || url,milw0rm.com/exploits/7039 || url,doc.emergingthreats.net/2009467 +1 || 2009468 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion || bugtraq,32192 || url,milw0rm.com/exploits/7039 || url,doc.emergingthreats.net/2009468 +1 || 2009469 || 11 || web-application-attack || 0 || ET ACTIVEX AOL Radio AmpX ActiveX Control ConvertFile Method Buffer Overflow || url,milw0rm.com/exploits/8733 || bugtraq,35028 || url,doc.emergingthreats.net/2009469 +1 || 2009470 || 10 || trojan-activity || 0 || ET TROJAN Generic Info Stealer - HTTP POST || url,doc.emergingthreats.net/2009470 +1 || 2009471 || 9 || trojan-activity || 0 || ET TROJAN Bancos/Banker Info Stealer Post || url,www.pctools.com/mrc/infections/id/Trojan.Bancos/ || url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos || url,doc.emergingthreats.net/2009471 +1 || 2009472 || 6 || trojan-activity || 0 || ET TROJAN Fasec/FakeAV Alert/Keylogger/Dropper/DNSChanger Possible Rootkit - HTTP GET || url,www.avast.com/eng/win32-fasec.html || url,www.threatexpert.com/threats/virus-win32-fasec.html || url,doc.emergingthreats.net/2009472 +1 || 2009474 || 4 || trojan-activity || 0 || ET TROJAN Sality - Fake Opera User-Agent || url,www.spywareremove.com/removeTrojanDownloaderSalityG.html || url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM || url,doc.emergingthreats.net/2009474 +1 || 2009475 || 8 || policy-violation || 0 || ET POLICY TeamViewer Dyngate User-Agent || url,www.teamviewer.com/index.aspx || url,doc.emergingthreats.net/2009475 +1 || 2009476 || 8 || attempted-recon || 0 || ET SCAN Possible jBroFuzz Fuzzer Detected || url,www.owasp.org/index.php/Category%3aOWASP_JBroFuzz || url,doc.emergingthreats.net/2009476 +1 || 2009477 || 3 || attempted-recon || 0 || ET SCAN SQLBrute SQL Scan Detected || url,www.justinclarke.com/archives/2006/03/sqlbrute.html || url,www.darknet.org.uk/2007/06/sqlbrute-sql-injection-brute-force-tool/ || url,doc.emergingthreats.net/2009477 +1 || 2009478 || 4 || attempted-recon || 0 || ET DELETED SQLCheck Database Scan Detected || url,wiki.remote-exploit.org/backtrack/wiki/SQLcheck || url,doc.emergingthreats.net/2009478 +1 || 2009479 || 8 || attempted-recon || 0 || ET SCAN Asp-Audit Web Scan Detected || url,www.hacker-soft.net/Soft/Soft_2895.htm || url,wiki.remote-exploit.org/backtrack/wiki/asp-audit || url,doc.emergingthreats.net/2009479 +1 || 2009480 || 7 || attempted-recon || 0 || ET SCAN Grendel Web Scan - Default User Agent Detected || url,www.grendel-scan.com || url,doc.emergingthreats.net/2009480 +1 || 2009481 || 5 || attempted-recon || 0 || ET SCAN Grendel-Scan Web Application Security Scan Detected || url,www.grendel-scan.com || url,doc.emergingthreats.net/2009481 +1 || 2009483 || 4 || attempted-recon || 0 || ET SCAN Grabber.py Web Scan Detected || url,rgaucher.info/beta/grabber/ || url,doc.emergingthreats.net/2009483 +1 || 2009484 || 7 || web-application-attack || 0 || ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure || url,milw0rm.com/exploits/9039 || bugtraq,35518 || url,doc.emergingthreats.net/2009484 +1 || 2009485 || 6 || attempted-recon || 0 || ET WEB_SERVER /etc/shadow Detected in URI || url,en.wikipedia.org/wiki/Shadow_password || url,doc.emergingthreats.net/2009485 +1 || 2009486 || 14 || trojan-activity || 0 || ET TROJAN APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x) || url,www.mandiant.com/apt1 || md5,14cfaefa5b8bc6400467fba8af146b71 +1 || 2009487 || 5 || trojan-activity || 0 || ET TROJAN Downloader Possible AV KILLER || url,doc.emergingthreats.net/2009487 +1 || 2009491 || 4 || web-application-attack || 0 || ET DELETED Microsoft DirectShow ActiveX Exploit Attempt || url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799 || url,tools.cisco.com/security/center/viewAlert.x?alertId=18595 || url,doc.emergingthreats.net/2009491 +1 || 2009493 || 5 || trojan-activity || 0 || ET DELETED Likely MSVIDCTL.dll exploit in transit || url,isc.sans.org/diary.html?storyid=6733 || url,tools.cisco.com/security/center/viewAlert.x?alertId=18595 || url,doc.emergingthreats.net/2009493 +1 || 2009494 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde XSS attempt colorpicker.php || url,bugs.horde.org/ticket/8399 || url,doc.emergingthreats.net/2009494 +1 || 2009495 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde XSS attempt test.php || url,bugs.horde.org/ticket/8399 || url,doc.emergingthreats.net/2009495 +1 || 2009496 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde XSS attempt passwd/main.php || url,bugs.horde.org/ticket/8398 || url,doc.emergingthreats.net/2009496 +1 || 2009497 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde XSS attempt colorpicker.php (2) || url,bugs.horde.org/ticket/8399 || url,doc.emergingthreats.net/2009497 +1 || 2009498 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde XSS attempt test.php (2) || url,bugs.horde.org/ticket/8399 || url,doc.emergingthreats.net/2009498 +1 || 2009499 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde XSS attempt passwd/main.php (2) || url,bugs.horde.org/ticket/8398 || url,doc.emergingthreats.net/2009499 +1 || 2009500 || 8 || web-application-attack || 0 || ET ACTIVEX Chinagames ActiveX Control CreateChinagames Method Buffer Overflow || bugtraq,34871 || url,milw0rm.com/exploits/8758 || url,doc.emergingthreats.net/2009500 +1 || 2009501 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS nweb2fax viewrq.php var_filename Parameter Directory Traversal || bugtraq,29804 || url,milw0rm.com/exploits/5856 || url,doc.emergingthreats.net/2009501 +1 || 2009502 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion || bugtraq,27945 || url,secunia.com/advisories/29077 || url,milw0rm.com/exploits/5174 || url,doc.emergingthreats.net/2009502 +1 || 2009503 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Local File Inclusion || bugtraq,27945 || url,secunia.com/advisories/29077 || url,milw0rm.com/exploits/5174 || url,doc.emergingthreats.net/2009503 +1 || 2009504 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion || bugtraq,27945 || url,secunia.com/advisories/29077 || url,milw0rm.com/exploits/5174 || url,doc.emergingthreats.net/2009504 +1 || 2009505 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Local File Inclusion || bugtraq,27945 || url,secunia.com/advisories/29077 || url,milw0rm.com/exploits/5174 || url,doc.emergingthreats.net/2009505 +1 || 2009506 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Remote File Inclusion || url,secunia.com/advisories/28047 || url,milw0rm.com/exploits/4712 || url,doc.emergingthreats.net/2009506 +1 || 2009507 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Falcon Series One sitemap.xml.php dir Parameter Local File Inclusion || url,secunia.com/advisories/28047 || url,milw0rm.com/exploits/4712 || url,doc.emergingthreats.net/2009507 +1 || 2009508 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Job2C windetail.php adtype Parameter Local File Inclusion || bugtraq,34537 || url,milw0rm.com/exploits/8443 || url,doc.emergingthreats.net/2009508 +1 || 2009509 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Job2C detail.php adtype Parameter Local File Inclusion || bugtraq,34537 || url,milw0rm.com/exploits/8443 || url,doc.emergingthreats.net/2009509 +1 || 2009511 || 7 || web-application-attack || 0 || ET EXPLOIT VLC web interface buffer overflow attempt || url,milw0rm.org/exploits/9029 || url,doc.emergingthreats.net/2009511 +1 || 2009512 || 8 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Session) - Possible Trojan-Clicker || url,doc.emergingthreats.net/2009512 +1 || 2009513 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Rentventory SQL Injection Attempt || url,www.milw0rm.com/exploits/9081 || url,doc.emergingthreats.net/2009513 +1 || 2009514 || 6 || trojan-activity || 0 || ET TROJAN FAKE/ROGUE AV HTTP Post || url,doc.emergingthreats.net/2009514 +1 || 2009516 || 7 || trojan-activity || 0 || ET TROJAN Generic Win32.Autorun HTTP Post || url,www.threatexpert.com/threats/worm-win32-autorun.html || url,doc.emergingthreats.net/2009516 +1 || 2009517 || 8 || trojan-activity || 0 || ET TROJAN Qhosts Trojan Check-in || url,www.symantec.com/security_response/writeup.jsp?docid=2003-100116-5901-99 || url,doc.emergingthreats.net/2009517 +1 || 2009518 || 4 || trojan-activity || 0 || ET TROJAN s4t4n1c Trojan Check-in || url,doc.emergingthreats.net/2009518 +1 || 2009519 || 8 || trojan-activity || 0 || ET TROJAN Gaboc Trojan Check-in || url,www.threatexpert.com/report.aspx?md5=6e871b9c440d5c77b9158ebcbe3fcd4b || url,doc.emergingthreats.net/2009519 +1 || 2009520 || 7 || trojan-activity || 0 || ET TROJAN Urlzone/Bebloh Trojan Check-in || url,doc.emergingthreats.net/2009520 +1 || 2009521 || 4 || trojan-activity || 0 || ET TROJAN Unknown Trojan HTTP Check-in || url,doc.emergingthreats.net/2009521 +1 || 2009522 || 8 || trojan-activity || 0 || ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF || url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta || url,doc.emergingthreats.net/2009522 +1 || 2009524 || 7 || trojan-activity || 0 || ET MALWARE MySideSearch Browser Optimizer || url,www.spywareremove.com/removeMySideSearch.html || url,www.threatexpert.com/threats/adware-win32-mysidesearch.html || url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/ || url,doc.emergingthreats.net/2009524 +1 || 2009525 || 5 || trojan-activity || 0 || ET TROJAN Sality - Fake Opera User-Agent || url,www.spywareremove.com/removeTrojanDownloaderSalityG.html || url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM || url,doc.emergingthreats.net/2009525 +1 || 2009526 || 6 || trojan-activity || 0 || ET TROJAN Downloader Checkin - Downloads Rogue Adware || url,doc.emergingthreats.net/2009526 +1 || 2009527 || 7 || trojan-activity || 0 || ET TROJAN Generic Downloader Checkin - HTTP GET || url,doc.emergingthreats.net/2009527 +1 || 2009530 || 6 || trojan-activity || 0 || ET TROJAN Sality - Fake Opera User-Agent (Opera/8.89) || url,www.spywareremove.com/removeTrojanDownloaderSalityG.html || url,www.microsoft.com/security/portal/beta/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AM || url,doc.emergingthreats.net/2009530 +1 || 2009531 || 9 || trojan-activity || 0 || ET TROJAN Gamania Trojan Check-in || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939 || url,doc.emergingthreats.net/2009531 +1 || 2009532 || 5 || trojan-activity || 0 || ET TROJAN BackDoor-EGB Check-in || url,doc.emergingthreats.net/2009532 || url,home.mcafee.com/virusinfo/virusprofile.aspx?key=239060 +1 || 2009533 || 7 || trojan-activity || 0 || ET TROJAN Keylogger Pro Update Check || url,vil.nai.com/vil/content/v_130975.htm || url,doc.emergingthreats.net/2009533 +1 || 2009534 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Poker) || url,vil.nai.com/vil/content/v_130975.htm || url,doc.emergingthreats.net/2009534 +1 || 2009535 || 4 || misc-activity || 0 || ET POLICY Telnet to HP JetDirect Printer With No Password Set || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999#A3 || url,doc.emergingthreats.net/2009535 +1 || 2009536 || 4 || misc-activity || 0 || ET POLICY External FTP Connection TO Local HP JetDirect Printer || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj06165 || url,doc.emergingthreats.net/2009536 +1 || 2009537 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Loands) - Possible Trojan Downloader GET Request || url,doc.emergingthreats.net/2009537 +1 || 2009538 || 5 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (ms_ie) - Crypt.ZPACK Gen Trojan Downloader GET Request || url,doc.emergingthreats.net/2009538 +1 || 2009539 || 8 || trojan-activity || 0 || ET TROJAN Downloader Infostealer - GET Checkin || url,doc.emergingthreats.net/2009539 +1 || 2009540 || 9 || trojan-activity || 0 || ET TROJAN PCFlashbang.com Spyware Checkin (PCFlashBangA) || url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169 || url,doc.emergingthreats.net/2009540 +1 || 2009541 || 6 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent filled with System Details - GET Request || url,doc.emergingthreats.net/2009541 +1 || 2009542 || 5 || trojan-activity || 0 || ET DELETED Silentbanker/Yaludle Checkin to C&C || url,doc.emergingthreats.net/2009542 +1 || 2009544 || 6 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (InHold) - Possible Trojan Downloader GET Request || url,doc.emergingthreats.net/2009544 +1 || 2009545 || 9 || trojan-activity || 0 || ET MALWARE User-Agent (_TEST_) || url,doc.emergingthreats.net/2009545 +1 || 2009547 || 5 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Forthgoner) - Possible Trojan Downloader GET Request || url,doc.emergingthreats.net/2009547 +1 || 2009548 || 5 || trojan-activity || 0 || ET DELETED Adware/Spyware Adrotator for Rogue AV || url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm || url,www.spywaredetector.net/spyware_encyclopedia/Fake AntiSpyware.POWER-ANTIVIRUS-2009.htm || url,www.threatexpert.com/threats/adware-agent-gen.html || url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/ || url,doc.emergingthreats.net/2009548 +1 || 2009549 || 6 || trojan-activity || 0 || ET TROJAN Generic Downloader - HTTP POST || url,doc.emergingthreats.net/2009549 +1 || 2009550 || 8 || trojan-activity || 0 || ET TROJAN Banker PWS/Infostealer HTTP GET Checkin || url,www.pctools.com/mrc/infections/id/Trojan.Banker/ || url,doc.emergingthreats.net/2009550 +1 || 2009553 || 7 || trojan-activity || 0 || ET TROJAN FAKE/ROGUE AV Encoded data= HTTP POST || url,doc.emergingthreats.net/2009553 +1 || 2009554 || 6 || trojan-activity || 0 || ET TROJAN FAKE/ROGUE AV/Security Application Checkin || url,doc.emergingthreats.net/2009554 +1 || 2009555 || 7 || attempted-recon || 0 || ET SCAN Absinthe SQL Injection Tool HTTP Header Detected || url,0x90.org/releases/absinthe || url,doc.emergingthreats.net/2009555 +1 || 2009557 || 2 || trojan-activity || 0 || ET TROJAN Yoda's Protector Packed Binary - VERY Likely Hostile || url,doc.emergingthreats.net/2009557 +1 || 2009558 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter File Download Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009558 +1 || 2009559 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Process List (ps) Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009559 +1 || 2009560 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Getuid Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009560 +1 || 2009561 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Process Migration Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009561 +1 || 2009562 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter ipconfig Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009562 +1 || 2009563 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Sysinfo Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009563 +1 || 2009564 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Route Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009564 +1 || 2009565 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Kill Process Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009565 +1 || 2009566 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Print Working Directory Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009566 +1 || 2009567 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter View Current Process ID Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009567 +1 || 2009568 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Execute Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009568 +1 || 2009569 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter System Reboot/Shutdown Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009569 +1 || 2009570 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter System Get Idle Time Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009570 +1 || 2009571 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Make Directory Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009571 +1 || 2009572 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Remove Directory Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009572 +1 || 2009573 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Change Directory Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009573 +1 || 2009574 || 3 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter List (ls) Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009574 +1 || 2009575 || 3 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter rev2self Command Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009575 +1 || 2009576 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Keyboard Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009576 +1 || 2009577 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Mouse Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009577 +1 || 2009578 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter File/Memory Interaction Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009578 +1 || 2009579 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Registry Interation Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009579 +1 || 2009580 || 2 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter File Upload Detected || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009580 +1 || 2009581 || 4 || successful-admin || 0 || ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host || url,doc.emergingthreats.net/2009581 +1 || 2009582 || 2 || attempted-recon || 0 || ET SCAN NMAP -sS window 1024 || url,doc.emergingthreats.net/2000537 +1 || 2009583 || 2 || attempted-recon || 0 || ET SCAN NMAP -sS window 3072 || url,doc.emergingthreats.net/2000537 +1 || 2009584 || 1 || attempted-recon || 0 || ET SCAN NMAP -sS window 4096 || url,doc.emergingthreats.net/2000537 +1 || 2009586 || 3 || misc-activity || 0 || ET DELETED Milw0rm Exploit Launch Attempt || url,www.milw0rm.com || url,doc.emergingthreats.net/2009586 +1 || 2009587 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtualmin left.cgi XSS attempt || url,milw0rm.com/exploits/9143 || url,doc.emergingthreats.net/2009587 +1 || 2009588 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtualmin link.cgi XSS attempt || url,milw0rm.com/exploits/9143 || url,doc.emergingthreats.net/2009588 +1 || 2009589 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Virtualmin Anonymous Proxy attempt || url,milw0rm.com/exploits/9143 || url,doc.emergingthreats.net/2009589 +1 || 2009590 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Citrix XenCenterWeb edituser.php XSS attempt || url,milw0rm.com/exploits/9106 || url,doc.emergingthreats.net/2009590 +1 || 2009591 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt || url,milw0rm.com/exploits/9106 || url,doc.emergingthreats.net/2009591 +1 || 2009592 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt || url,milw0rm.com/exploits/9106 || url,doc.emergingthreats.net/2009592 +1 || 2009593 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcerestart.php XSS attempt || url,milw0rm.com/exploits/9106 || url,doc.emergingthreats.net/2009593 +1 || 2009594 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Citrix XenCenterWeb changepw.php CSRF attempt || url,milw0rm.com/exploits/9106 || url,doc.emergingthreats.net/2009594 +1 || 2009595 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Citrix XenCenterWeb hardstopvm.php CSRF attempt || url,milw0rm.com/exploits/9106 || url,doc.emergingthreats.net/2009595 +1 || 2009596 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Citrix XenCenterWeb writeconfig.php Remote Command Execution attempt || url,milw0rm.com/exploits/9106 || url,doc.emergingthreats.net/2009596 +1 || 2009597 || 4 || trojan-activity || 0 || ET DELETED Adware Istbar Search Hijacker and Downloader || url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/ || url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar || url,doc.emergingthreats.net/2009597 +1 || 2009598 || 6 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (29) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009598 +1 || 2009599 || 6 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (30) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009599 +1 || 2009600 || 6 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (31) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009600 +1 || 2009601 || 6 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (32) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009601 +1 || 2009602 || 6 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (33) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009602 +1 || 2009603 || 6 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (34) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009603 +1 || 2009604 || 6 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (35) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009604 +1 || 2009606 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (37) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009606 +1 || 2009607 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (38) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009607 +1 || 2009609 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (40) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009609 +1 || 2009610 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (41) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009610 +1 || 2009611 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (42) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009611 +1 || 2009612 || 3 || web-application-attack || 0 || ET DELETED Vulnerable Microsoft Video ActiveX CLSID access (43) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009612 +1 || 2009613 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (44) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009613 +1 || 2009614 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (1) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009614 +1 || 2009615 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (2) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009615 +1 || 2009616 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (3) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009616 +1 || 2009617 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (4) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009617 +1 || 2009618 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (5) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009618 +1 || 2009619 || 4 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (6) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009619 +1 || 2009620 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (7) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009620 +1 || 2009621 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (8) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009621 +1 || 2009622 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (9) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009622 +1 || 2009623 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (10) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009623 +1 || 2009624 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (11) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009624 +1 || 2009625 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (12) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009625 +1 || 2009626 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (13) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009626 +1 || 2009627 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (14) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009627 +1 || 2009628 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (15) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009628 +1 || 2009629 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (16) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009629 +1 || 2009630 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (17) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009630 +1 || 2009631 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (18) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009631 +1 || 2009632 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (19) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009632 +1 || 2009633 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (20) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009633 +1 || 2009634 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (21) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009634 +1 || 2009635 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (22) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009635 +1 || 2009636 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (23) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009636 +1 || 2009638 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (24) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009638 +1 || 2009639 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (25) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009639 +1 || 2009640 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (26) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009640 +1 || 2009641 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (27) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009641 +1 || 2009642 || 3 || web-application-attack || 0 || ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (28) || url,microsoft.com/technet/security/advisory/972890.mspx || url,doc.emergingthreats.net/2009642 +1 || 2009643 || 5 || web-application-attack || 0 || ET WEB_SERVER Oracle Secure Enterprise Search 10.1.8 search Script XSS attempt || url,dsecrg.com/pages/vul/show.php?id=125 || url,doc.emergingthreats.net/2009643 +1 || 2009644 || 5 || web-application-attack || 0 || ET WEB_SERVER Oracle BEA Weblogic Server 10.3 searchQuery XSS attempt || url,dsecrg.com/pages/vul/show.php?id=131 || url,doc.emergingthreats.net/2009644 +1 || 2009646 || 5 || attempted-recon || 0 || ET SCAN Acunetix Version 6 (Free Edition) Scan Detected || url,www.acunetix.com/ || url,doc.emergingthreats.net/2009646 +1 || 2009647 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hubscript XSS Attempt || url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt || url,doc.emergingthreats.net/2009647 +1 || 2009650 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Hubscript PHPInfo Attempt || url,www.packetstormsecurity.com/0907-exploits/hubscript-xssphpinfo.txt || url,doc.emergingthreats.net/2009650 +1 || 2009651 || 3 || successful-user || 0 || ET ATTACK_RESPONSE Metasploit Meterpreter Channel Interaction Detected, Likely Interaction With Executable || url,www.nologin.org/Downloads/Papers/meterpreter.pdf || url,doc.emergingthreats.net/2009651 +1 || 2009652 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FreeWebShop startmodules.inc.php lang_file Parameter Local File Inclusion || bugtraq,34538 || url,milw0rm.com/exploits/8446 || url,doc.emergingthreats.net/2009652 +1 || 2009653 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SMA-DB format.php _page_css Parameter Remote File Inclusion || bugtraq,34569 || url,milw0rm.com/exploits/8460 || url,doc.emergingthreats.net/2009653 +1 || 2009654 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SMA-DB format.php _page_javascript Parameter Remote File Inclusion || bugtraq,34569 || url,milw0rm.com/exploits/8460 || url,doc.emergingthreats.net/2009654 +1 || 2009656 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SMA-DB format.php _page_content Parameter Remote File Inclusion || bugtraq,34569 || url,milw0rm.com/exploits/8460 || url,doc.emergingthreats.net/2009656 +1 || 2009657 || 8 || web-application-attack || 0 || ET ACTIVEX BaoFeng Storm ActiveX Control SetAttributeValue Method Buffer Overflow || bugtraq,34869 || url,juniper.net/security/auto/vulnerabilities/vuln34869.html || url,vupen.com/english/advisories/2009/1392 || url,milw0rm.com/exploits/8757 || url,doc.emergingthreats.net/2009657 +1 || 2009658 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Kalptaru Infotech Automated Link Exchange Portal cat_id Parameter SQL Injection || bugtraq,29205 || url,milw0rm.com/exploits/5611 || url,doc.emergingthreats.net/2009658 +1 || 2009659 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PowerPHPBoard footer.inc.php settings Parameter Local File Inclusion || cve,CVE-2008-1534 || url,juniper.net/security/auto/vulnerabilities/vuln28421.html || bugtraq,28421 || url,milw0rm.com/exploits/5303 || url,doc.emergingthreats.net/2009659 +1 || 2009660 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PowerPHPBoard header.inc.php settings Parameter Local File Inclusion || cve,CVE-2008-1534 || url,juniper.net/security/auto/vulnerabilities/vuln28421.html || bugtraq,28421 || url,milw0rm.com/exploits/5303 || url,doc.emergingthreats.net/2009660 +1 || 2009661 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS artmedic weblog artmedic_print.php date Parameter Local File Inclusion || url,secunia.com/advisories/28927/ || url,milw0rm.com/exploits/5116 || url,doc.emergingthreats.net/2009661 +1 || 2009663 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Remote File Inclusion || bugtraq,34617 || url,milw0rm.com/exploits/8494 || url,doc.emergingthreats.net/2009663 +1 || 2009665 || 5 || attempted-user || 0 || ET CURRENT_EVENTS Possible JAVA pack200-zip-exploit attempt || url,isc.sans.org/diary.html?storyid=6805&rss || url,doc.emergingthreats.net/2009665 +1 || 2009667 || 2 || attempted-admin || 0 || ET POLICY FTP Frequent Administrator Login Attempts || url,doc.emergingthreats.net/2009667 +1 || 2009668 || 2 || attempted-admin || 0 || ET POLICY FTP Frequent Admin Login Attempts || url,doc.emergingthreats.net/2009668 +1 || 2009670 || 9 || web-application-attack || 0 || ET WEB_SERVER Nagios statuswml.cgi Remote Arbitrary Shell Command Injection attempt || bugtraq,35464 || url,doc.emergingthreats.net/2009670 +1 || 2009671 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS millionpixel payment.php order_id XSS attempt || url,www.packetstormsecurity.org/0907-exploits/millionpixel-xss.txt || url,doc.emergingthreats.net/2009671 +1 || 2009672 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS programsrating rate.php id XSS attempt || url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt || url,doc.emergingthreats.net/2009672 +1 || 2009673 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS programsrating postcomments.php id XSS attempt || url,www.packetstormsecurity.org/0907-exploits/programsrating-xss.txt || url,doc.emergingthreats.net/2009673 +1 || 2009674 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Guestbook guestbook.php mes_id SQL Injection attempt || url,www.milw0rm.com/exploits/9197 || url,doc.emergingthreats.net/2009674 +1 || 2009675 || 5 || successful-recon-limited || 0 || ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response || url,en.wikipedia.org/wiki/Ipconfig || url,doc.emergingthreats.net/2009675 +1 || 2009676 || 4 || successful-recon-limited || 0 || ET ATTACK_RESPONSE Ipconfig Response Detected || url,en.wikipedia.org/wiki/Ipconfig || url,doc.emergingthreats.net/2009676 +1 || 2009677 || 7 || web-application-attack || 0 || ET WEB_SERVER Possible BASE Authentication Bypass Attempt || url,seclists.org/bugtraq/2009/Jun/0218.html || url,seclists.org/bugtraq/2009/Jun/0217.html || url,doc.emergingthreats.net/2009677 +1 || 2009678 || 6 || attempted-admin || 0 || ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt || url,isc.sans.org/diary.html?storyid=6853 || url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/ || url,doc.emergingthreats.net/2009678 || url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173 || bid,35742 || cve,2009-2765 +1 || 2009679 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phorum Possible Javascript/Remote-File-Inclusion 1 || url,www.securityfocus.com/bid/12869 || url,www.milw0rm.com/exploits/9231 || url,doc.emergingthreats.net/2009679 +1 || 2009680 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phorum Possible Javascript/Remote-File-Inclusion 2 || url,www.securityfocus.com/bid/12869 || url,www.milw0rm.com/exploits/9231 || url,doc.emergingthreats.net/2009680 +1 || 2009681 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phorum Possible Javascript/Remote-File-Inclusion 3 || url,www.securityfocus.com/bid/12869 || url,www.milw0rm.com/exploits/9231 || url,doc.emergingthreats.net/2009681 +1 || 2009682 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phorum Possible Javascript/Remote-File-Inclusion 4 || url,www.securityfocus.com/bid/12869 || url,www.milw0rm.com/exploits/9231 || url,doc.emergingthreats.net/2009682 +1 || 2009683 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phorum Possible Javascript/Remote-File-Inclusion 5 || url,www.securityfocus.com/bid/12869 || url,www.milw0rm.com/exploits/9231 || url,doc.emergingthreats.net/2009683 +1 || 2009684 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Phorum Possible Javascript/Remote-File-Inclusion 6 || url,www.securityfocus.com/bid/12869 || url,www.milw0rm.com/exploits/9231 || url,doc.emergingthreats.net/2009684 +1 || 2009685 || 4 || trojan-activity || 0 || ET TROJAN Unkown Trojan User-Agent (5.1 ...) || url,doc.emergingthreats.net/2009685 +1 || 2009687 || 9 || web-application-attack || 0 || ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 1 || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813 || url,doc.emergingthreats.net/2009687 +1 || 2009688 || 8 || web-application-attack || 0 || ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 2 || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813 || url,doc.emergingthreats.net/2009688 +1 || 2009689 || 9 || web-application-attack || 0 || ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 3 || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813 || url,doc.emergingthreats.net/2009689 +1 || 2009690 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMoney html.php page Remote File Inclusion || url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt || url,doc.emergingthreats.net/2009690 +1 || 2009691 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebMoney html2.php page Remote File Inclusion || url,www.packetstormsecurity.org/0907-exploits/3awebmoney-rfi.txt || url,doc.emergingthreats.net/2009691 +1 || 2009693 || 4 || web-application-activity || 0 || ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution || url,www.securityfocus.com/bid/35467 || url,www.milw0rm.com/exploits/9004 || url,doc.emergingthreats.net/2009663 +1 || 2009694 || 4 || trojan-activity || 0 || ET TROJAN Navipromo related update || url,doc.emergingthreats.net/2009694 +1 || 2009696 || 3 || misc-activity || 0 || ET POLICY External Connection to Altiris HelpDesk || url,www.symantec.com/business/theme.jsp?themeid=altiris || url,doc.emergingthreats.net/2009696 +1 || 2009697 || 3 || misc-activity || 0 || ET POLICY External Connection to Altiris Console || url,www.symantec.com/business/theme.jsp?themeid=altiris || url,doc.emergingthreats.net/2009697 +1 || 2009698 || 1 || attempted-dos || 0 || ET VOIP INVITE Message Flood UDP || url,doc.emergingthreats.net/2009698 +1 || 2009699 || 1 || attempted-dos || 0 || ET VOIP REGISTER Message Flood UDP || url,doc.emergingthreats.net/2009699 +1 || 2009700 || 1 || attempted-dos || 0 || ET VOIP Multiple Unauthorized SIP Responses UDP || url,doc.emergingthreats.net/2009700 +1 || 2009701 || 2 || attempted-dos || 0 || ET DOS DNS BIND 9 Dynamic Update DoS attempt || cve,2009-0696 || url,doc.emergingthreats.net/2009701 +1 || 2009702 || 5 || policy-violation || 0 || ET POLICY DNS Update From External net || url,doc.emergingthreats.net/2009702 +1 || 2009703 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (INet) || url,doc.emergingthreats.net/2009703 +1 || 2009704 || 9 || trojan-activity || 0 || ET TROJAN Win32.Hupigon.dkwt Related Checkin || url,doc.emergingthreats.net/2009704 +1 || 2009705 || 5 || trojan-activity || 0 || ET MALWARE W3i Related Adware/Spyware || url,www.tallemu.com/oasis2/vendor/w3i__llc/623302 || url,doc.emergingthreats.net/2009705 +1 || 2009706 || 5 || misc-activity || 0 || ET POLICY Nessus Vulnerability Scanner Plugins Update || url,www.nessus.org/nessus/ || url,www.nessus.org/plugins/ || url,doc.emergingthreats.net/2009706 +1 || 2009709 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo) || cve,CVE-2009-1151 || url,www.securityfocus.com/bid/34236 || url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/ || url,doc.emergingthreats.net/2009709 +1 || 2009710 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system) || cve,CVE-2009-1151 || url,www.securityfocus.com/bid/34236 || url,labs.neohapsis.com/2009/04/06/about-cve-2009-1151/ || url,doc.emergingthreats.net/2009710 +1 || 2009711 || 7 || trojan-activity || 0 || ET TROJAN Win32.Runner/Bublik Checkin || url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html || url,www.threatexpert.com/threats/trojan-win32-runner.html || md5,6d2919a92d7dda22f4bc7f9a9b15739f +1 || 2009712 || 5 || trojan-activity || 0 || ET MALWARE Adware PlusDream - GET Config Download/Update || url,doc.emergingthreats.net/2009712 +1 || 2009714 || 5 || web-application-attack || 0 || ET WEB_SERVER Script tag in URI, Possible Cross Site Scripting Attempt || url,ha.ckers.org/xss.html || url,doc.emergingthreats.net/2009714 +1 || 2009715 || 5 || web-application-attack || 0 || ET WEB_SERVER Onmouseover= in URI - Likely Cross Site Scripting Attempt || url,www.w3schools.com/jsref/jsref_onmouseover.asp || url,doc.emergingthreats.net/2009715 +1 || 2009716 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ECShop user.php order_sn Parameter SQL Injection || bugtraq,34733 || url,milw0rm.com/exploits/8548 || url,doc.emergingthreats.net/2009716 +1 || 2009717 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 1024 CMS standard.php page_include Parameter Remote File Inclusion || url,vupen.com/english/advisories/2009/0360 || url,milw0rm.com/exploits/8003 || url,doc.emergingthreats.net/2009717 +1 || 2009718 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AvailScript Photo Album Script pics.php sid Parameter SQL Injection || bugtraq,31085 || url,milw0rm.com/exploits/6411 || url,doc.emergingthreats.net/2009718 +1 || 2009719 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pHNews comments.php templates_dir Local File Inclusion || url,milw0rm.com/exploits/6000 || bugtraq,19838 || url,doc.emergingthreats.net/2009719 +1 || 2009720 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pHNews comments.php template Local File Inclusion || url,milw0rm.com/exploits/6000 || bugtraq,19838 || url,doc.emergingthreats.net/2009720 +1 || 2009723 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion || url,secunia.com/advisories/34997/ || url,milw0rm.com/exploits/8602 || url,doc.emergingthreats.net/2009723 +1 || 2009724 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS QuickTeam qte_init.php qte_root Parameter Local File Inclusion || url,secunia.com/advisories/34997/ || url,milw0rm.com/exploits/8602 || url,doc.emergingthreats.net/2009724 +1 || 2009725 || 8 || web-application-attack || 0 || ET ACTIVEX Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow || url,milw0rm.com/exploits/8824 || bugtraq,23412 || url,doc.emergingthreats.net/2009725 +1 || 2009726 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TotalCalendar config.php inc_dir Parameter Local File Inclusion || bugtraq,34617 || url,milw0rm.com/exploits/8494 || url,doc.emergingthreats.net/2009726 +1 || 2009727 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Scripts For Sites EZ e-store searchresults.php where Parameter SQL Injection || cve,CVE-2008-6242 || bugtraq,32039 || url,milw0rm.com/exploits/6922 || url,doc.emergingthreats.net/2009727 +1 || 2009728 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NotFTP config.php languages Parameter Local File Inclusion || url,milw0rm.com/exploits/8504 || bugtraq,34636 || url,doc.emergingthreats.net/2009728 +1 || 2009729 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TotalCalendar cms_detect.php include Parameter Local File Inclusion || url,milw0rm.com/exploits/8503 || bugtraq,34634 || url,doc.emergingthreats.net/2009729 +1 || 2009730 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JobHut browse.php pk Parameter SQL Injection || bugtraq,34300 || url,milw0rm.com/exploits/8318 || url,doc.emergingthreats.net/2009730 +1 || 2009731 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VS Panel showcat.php Cat_ID Parameter SQL Injection || bugtraq,34648 || url,milw0rm.com/exploits/8506 || url,doc.emergingthreats.net/2009731 +1 || 2009733 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Golabi index_logged.php cur_module Parameter Remote File Inclusion || url,milw0rm.com/exploits/8112 || url,vupen.com/english/advisories/2009/0553 || bugtraq,33916 || url,doc.emergingthreats.net/2009733 +1 || 2009734 || 8 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 212cafe Board view.php qID Parameter SQL Injection || bugtraq,31426 || url,xforce.iss.net/xforce/xfdb/45428 || url,milw0rm.com/exploits/6578 || url,doc.emergingthreats.net/2009734 +1 || 2009735 || 8 || web-application-attack || 0 || ET ACTIVEX Roxio CinePlayer IAManager.dll ActiveX Control Buffer Overflow || url,xforce.iss.net/xforce/xfdb/50868 || url,milw0rm.com/exploits/8835 || url,doc.emergingthreats.net/2009735 +1 || 2009736 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProjectCMS select_image.php dir Parameter Directory Traversal || url,milw0rm.com/exploits/8608 || bugtraq,34816 || url,doc.emergingthreats.net/2009736 +1 || 2009737 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProjectCMS admin_theme_remove.php file Parameter Remote Directory Delete || url,milw0rm.com/exploits/8608 || bugtraq,34816 || url,doc.emergingthreats.net/2009737 +1 || 2009738 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS X-BLC get_read.php section Parameter SQL Injection || url,milw0rm.com/exploits/8258 || bugtraq,34197 || url,doc.emergingthreats.net/2009738 +1 || 2009739 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DMXReady Multiple Products upload_image_category.asp cid Parameter SQL Injection || bugtraq,33253 || url,xforce.iss.net/xforce/xfdb/47959 || url,milw0rm.com/exploits/7767 || url,doc.emergingthreats.net/2009739 +1 || 2009740 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BibCiter projects.php idp Parameter SQL Injection || url,secunia.com/advisories/33555 || bugtraq,33329 || url,milw0rm.com/exploits/7814 || url,doc.emergingthreats.net/2009740 +1 || 2009741 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BibCiter contacts.php idc Parameter SQL Injection || url,secunia.com/advisories/33555 || bugtraq,33329 || url,milw0rm.com/exploits/7814 || url,doc.emergingthreats.net/2009741 +1 || 2009742 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BibCiter users.php idu Parameter SQL Injection || url,secunia.com/advisories/33555 || bugtraq,33329 || url,milw0rm.com/exploits/7814 || url,doc.emergingthreats.net/2009742 +1 || 2009743 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpDatingClub website.php page Parameter Local File Inclusion || bugtraq,30176 || url,milw0rm.com/exploits/6037 || url,doc.emergingthreats.net/2009743 +1 || 2009744 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SuperNews valor.php noticia Parameter SQL Injection || url,milw0rm.com/exploits/8255 || bugtraq,34195 || url,doc.emergingthreats.net/2009744 +1 || 2009745 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flatchat pmscript.php with Parameter Local File Inclusion || url,milw0rm.com/exploits/8549 || bugtraq,34734 || url,doc.emergingthreats.net/2009745 +1 || 2009746 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Local File Inclusion || url,secunia.com/advisories/34997/ || url,milw0rm.com/exploits/8602 || url,doc.emergingthreats.net/2009746 +1 || 2009747 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AvailScript Article Script articles.php aIDS Parameter SQL Injection || cve,CVE-2008-4371 || url,secunia.com/advisories/31816/ || url,milw0rm.com/exploits/6409 || url,doc.emergingthreats.net/2009747 +1 || 2009749 || 4 || attempted-recon || 0 || ET SCAN Unusually Fast 403 Error Messages, Possible Web Application Scan || url,www.checkupdown.com/status/E403.html || url,doc.emergingthreats.net/2009749 +1 || 2009750 || 6 || trojan-activity || 0 || ET TROJAN Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request || url,www.pctools.com/mrc/infections/id/Trojan.Banker/ || url,www.anti-spyware-101.com/remove-trojanbanker || url,doc.emergingthreats.net/2009750 +1 || 2009751 || 9 || trojan-activity || 0 || ET TROJAN Fraudload/FakeAlert/FakeVimes Downloader - POST || url,www.pctools.com/mrc/infections/id/Trojan-Downloader.FraudLoad/ || url,www.threatexpert.com/reports.aspx?find=Trojan-Downloader.FraudLoad || url,doc.emergingthreats.net/2009751 +1 || 2009752 || 7 || trojan-activity || 0 || ET TROJAN Monkif/DlKroha Trojan Activity HTTP Outbound || url,doc.emergingthreats.net/2009752 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fMonkif.C +1 || 2009754 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Clickheat install.clickheat.php mosConfig_absolute_path Remote File Inclusion || url,milw0rm.com/exploits/7038 || bugtraq,32190 || url,doc.emergingthreats.net/2009754 +1 || 2009755 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Clickheat _main.php mosConfig_absolute_path Parameter Remote File Inclusion - 1 || url,milw0rm.com/exploits/7038 || bugtraq,32190 || url,doc.emergingthreats.net/2009755 +1 || 2009756 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion - 2 || url,milw0rm.com/exploits/7038 || bugtraq,32190 || url,doc.emergingthreats.net/2009756 +1 || 2009757 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion || url,milw0rm.com/exploits/7038 || bugtraq,32190 || url,doc.emergingthreats.net/2009757 +1 || 2009758 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion || url,milw0rm.com/exploits/7038 || bugtraq,32190 || url,doc.emergingthreats.net/2009758 +1 || 2009759 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1 || url,milw0rm.com/exploits/7038 || bugtraq,32190 || url,doc.emergingthreats.net/2009759 +1 || 2009760 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2 || url,milw0rm.com/exploits/7038 || bugtraq,32190 || url,doc.emergingthreats.net/2009760 +1 || 2009761 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LWS php User Base unverified.inc.php template Parameter Local File Inclusion || bugtraq,27964 || url,juniper.net/security/auto/vulnerabilities/vuln27964.html || url,www.exploit-db.com/exploits/5179/ || url,doc.emergingthreats.net/2009761 +1 || 2009764 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cyberfolio css.php theme Parameter Local File Inclusion || cve,CVE-2008-6265 || bugtraq,32218 || url,vupen.com/english/advisories/2008/3070 || url,milw0rm.com/exploits/7065 || url,doc.emergingthreats.net/2009764 +1 || 2009765 || 8 || trojan-activity || 0 || ET MALWARE Pivim Multibar User-Agent (Pivim Multibar) || url,doc.emergingthreats.net/2009765 +1 || 2009766 || 9 || trojan-activity || 0 || ET MALWARE IE Toolbar User-Agent (IEToolbar) || url,doc.emergingthreats.net/2009766 +1 || 2009767 || 4 || attempted-recon || 0 || ET SCAN Multiple NBTStat Query Responses to External Destination, Possible Automated Windows Network Enumeration || url,technet.microsoft.com/en-us/library/cc940106.aspx || url,doc.emergingthreats.net/2009767 +1 || 2009768 || 4 || attempted-recon || 0 || ET SCAN NBTStat Query Response to External Destination, Possible Windows Network Enumeration || url,technet.microsoft.com/en-us/library/cc940106.aspx || url,doc.emergingthreats.net/2009768 +1 || 2009769 || 3 || attempted-recon || 0 || ET SCAN SQL Power Injector SQL Injection User Agent Detected || url,www.sqlpowerinjector.com/index.htm || url,en.wikipedia.org/wiki/Sql_injection || url,doc.emergingthreats.net/2009769 +1 || 2009770 || 6 || web-application-attack || 0 || ET WEB_SERVER Possible UNION SELECT SQL Injection In Cookie || url,www.w3schools.com/sql/sql_union.asp || url,www.w3schools.com/sql/sql_select.asp || url,en.wikipedia.org/wiki/SQL_injection || url,www.owasp.org/index.php/SQL_Injection || url,doc.emergingthreats.net/2009770 +1 || 2009771 || 6 || web-application-attack || 0 || ET WEB_SERVER Possible SELECT FROM SQL Injection In Cookie || url,www.w3schools.com/sql/sql_select.asp || url,en.wikipedia.org/wiki/SQL_injection || url,www.owasp.org/index.php/SQL_Injection || url,doc.emergingthreats.net/2009771 +1 || 2009772 || 6 || web-application-attack || 0 || ET WEB_SERVER Possible DELETE FROM SQL Injection In Cookie || url,www.w3schools.com/Sql/sql_delete.asp || url,en.wikipedia.org/wiki/SQL_injection || url,www.owasp.org/index.php/SQL_Injection || url,doc.emergingthreats.net/2009772 +1 || 2009773 || 36 || web-application-attack || 0 || ET WEB_SERVER Possible INSERT INTO SQL Injection In Cookie || url,www.w3schools.com/SQL/sql_insert.asp || url,en.wikipedia.org/wiki/SQL_injection || url,www.owasp.org/index.php/SQL_Injection || url,doc.emergingthreats.net/2009773 +1 || 2009776 || 7 || trojan-activity || 0 || ET TROJAN Oficla Downloader Activity Observed || url,www.threatexpert.com/report.aspx?md5=38e1d644e2a16041b5ec1a02826df280 || url,www.threatexpert.com/report.aspx?md5=1db0c8d48a76662496af7faf581b1cf0 || url,doc.emergingthreats.net/2009776 +1 || 2009778 || 7 || attempted-recon || 0 || ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- php5x.php || bugtraq,35780 || url,www.securityfocus.com/archive/1/505231 || url,doc.emergingthreats.net/2009778 +1 || 2009779 || 6 || attempted-recon || 0 || ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- ldap.php || bugtraq,35780 || url,www.securityfocus.com/archive/1/505231 || url,doc.emergingthreats.net/2009779 +1 || 2009780 || 6 || attempted-recon || 0 || ET WEB_SPECIFIC_APPS Joomla Full Path Disclosure -- content.php || bugtraq,35780 || url,www.securityfocus.com/archive/1/505231 || url,doc.emergingthreats.net/2009780 +1 || 2009783 || 8 || trojan-activity || 0 || ET MALWARE RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET || url,vil.nai.com/vil/content/v_151034.htm || url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25 || url,www.threatexpert.com/reports.aspx?find=mgsmup.com || url,doc.emergingthreats.net/2009783 +1 || 2009785 || 8 || trojan-activity || 0 || ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod) || url,www.siteadvisor.com/sites/update.qvod.com || url,www.threatexpert.com/reports.aspx?find=update.qvod.com || url,doc.emergingthreats.net/2009785 +1 || 2009787 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Community CMS view.php article_id Parameter SQL Injection || bugtraq,34303 || url,milw0rm.com/exploits/8323 || url,doc.emergingthreats.net/2009787 +1 || 2009788 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RSS-aggregator display.php path Parameter Remote File Inclusion || bugtraq,29873 || url,milw0rm.com/exploits/5900 || url,doc.emergingthreats.net/2009788 +1 || 2009789 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TinyButStrong bs_us_examples_0view.php script Parameter Local File Inclusion || url,milw0rm.com/exploits/8667 || url,vupen.com/english/advisories/2009/1304 || url,doc.emergingthreats.net/2009789 +1 || 2009790 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS beLive arch.php arch Parameter Local File Inclusion || url,milw0rm.com/exploits/8680 || bugtraq,34968 || url,secunia.com/advisories/35059/ || url,doc.emergingthreats.net/2009790 +1 || 2009791 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GS Real Estate Portal email.php AgentID Parameter SQL Injection || url,juniper.net/security/auto/vulnerabilities/vuln32307.html || url,xforce.iss.net/xforce/xfdb/46638 || url,milw0rm.com/exploits/7117 || url,doc.emergingthreats.net/2009791 +1 || 2009792 || 8 || web-application-attack || 0 || ET ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow || url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt || bugtraq,35582 || url,juniper.net/security/auto/vulnerabilities/vuln35583.html || url,doc.emergingthreats.net/2009792 +1 || 2009793 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Crawler footer.php footer_file Parameter Remote File Inclusion || bugtraq,31217 || url,milw0rm.com/exploits/6475 || url,doc.emergingthreats.net/2009793 +1 || 2009794 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VidShare Pro listing_video.php catid Parameter SQL Injection || url,milw0rm.com/exploits/8737 || bugtraq,35033 || url,doc.emergingthreats.net/2009794 +1 || 2009795 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dog Pedigree Online Database managePerson.php personId Parameter SQL Injection || bugtraq,35032 || url,milw0rm.com/exploits/8738 || url,doc.emergingthreats.net/2009795 +1 || 2009796 || 8 || trojan-activity || 0 || ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) || url,doc.emergingthreats.net/2009796 +1 || 2009797 || 3 || trojan-activity || 0 || ET TROJAN Bifrose Response from victim || url,doc.emergingthreats.net/2009797 +1 || 2009798 || 2 || policy-violation || 0 || ET POLICY Carbonite Online Backup SSL Handshake || url,doc.emergingthreats.net/2009798 +1 || 2009799 || 5 || web-application-attack || 0 || ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M || url,www.webmasterworld.com/search_engine_spiders/3227720.htm || url,doc.emergingthreats.net/2003466 +1 || 2009800 || 4 || policy-violation || 0 || ET POLICY Carbonite.com Backup Software Leaking MAC Address || url,doc.emergingthreats.net/2009800 +1 || 2009801 || 8 || policy-violation || 0 || ET POLICY Carbonite.com Backup Software User-Agent (Carbonite Installer) || url,doc.emergingthreats.net/2009801 +1 || 2009803 || 6 || trojan-activity || 0 || ET DELETED Downloader Generic - GET || url,doc.emergingthreats.net/2009803 +1 || 2009804 || 7 || trojan-activity || 0 || ET TROJAN Screenblaze SCR Related Backdoor - GET || url,vil.nai.com/vil/content/v_156782.htm || url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none || url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7 || url,doc.emergingthreats.net/2009804 +1 || 2009805 || 5 || trojan-activity || 0 || ET TROJAN Luder.B User-Agent (Mozilla/4.0 (SPGK)) - GET || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=212955#none || url,www.threatexpert.com/threats/virus-win32-luder-b.html || url,doc.emergingthreats.net/2009805 +1 || 2009806 || 5 || trojan-activity || 0 || ET TROJAN Poison Ivy RAT/Backdoor follow on POST Data PUSH Packet || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597 || url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781 || url,doc.emergingthreats.net/2009806 +1 || 2009807 || 5 || trojan-activity || 0 || ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET || url,vil.nai.com/vil/content/v_103738.htm || url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E || url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99 || url,doc.emergingthreats.net/2009807 +1 || 2009808 || 5 || trojan-activity || 0 || ET TROJAN Win32.Virut - GET || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVirut || url,www.avast.com/eng/win32-virut.html || url,free.avg.com/66558 || url,www.threatexpert.com/threats/virus-win32-virut-ce.html || url,doc.emergingthreats.net/2009808 +1 || 2009809 || 2 || trojan-activity || 0 || ET TROJAN Generic/Unknown Downloader Config to client || url,doc.emergingthreats.net/2009809 +1 || 2009810 || 8 || trojan-activity || 0 || ET TROJAN Swizzor-based Downloader - Invalid User-Agent (Mozilla/4.0 (compatible MSIE 7.0 na .NET CLR 2.0.50727 .NET CLR 3.0.4506.2152 .NET CLR 3.5.30729)) || url,www.cyber-ta.org/releases/malware-analysis/public/2009-07-12-public/ARCHIVE/1247423556.chatter || url,doc.emergingthreats.net/2009810 +1 || 2009811 || 6 || trojan-activity || 0 || ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET || url,doc.emergingthreats.net/2009811 +1 || 2009812 || 7 || trojan-activity || 0 || ET TROJAN AVKiller with Backdoor checkin || url,doc.emergingthreats.net/2009812 +1 || 2009813 || 3 || trojan-activity || 0 || ET TROJAN Trojan.MyDNS DNSChanger - HTTP POST || url,doc.emergingthreats.net/2009813 +1 || 2009814 || 8 || trojan-activity || 0 || ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET || url,doc.emergingthreats.net/2009814 +1 || 2009815 || 5 || web-application-attack || 0 || ET WEB_SERVER Attempt To Access MSSQL xp_cmdshell Stored Procedure Via URI || url,msdn.microsoft.com/en-us/library/ms175046.aspx || url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm || url,doc.emergingthreats.net/2009815 +1 || 2009816 || 5 || web-application-attack || 0 || ET WEB_SERVER Attempt To Access MSSQL xp_servicecontrol Stored Procedure Via URI || url,www.sqlusa.com/bestpractices2005/administration/xpservicecontrol/ || url,doc.emergingthreats.net/2009816 +1 || 2009817 || 5 || web-application-attack || 0 || ET WEB_SERVER Attempt To Access MSSQL sp_adduser Stored Procedure Via URI to Create New Database User || url,technet.microsoft.com/en-us/library/ms181422.aspx || url,doc.emergingthreats.net/2009817 +1 || 2009818 || 5 || web-application-attack || 0 || ET WEB_SERVER Attempt To Access MSSQL xp_regread/xp_regwrite/xp_regdeletevalue/xp_regdeletekey Stored Procedure Via URI to Modify Registry || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,doc.emergingthreats.net/2009818 +1 || 2009819 || 5 || web-application-attack || 0 || ET WEB_SERVER Attempt To Access MSSQL xp_fileexist Stored Procedure Via URI to Locate Files On Disk || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm || url,www.dugger-it.com/articles/xp_fileexist.asp || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,doc.emergingthreats.net/2009819 +1 || 2009820 || 5 || web-application-attack || 0 || ET WEB_SERVER Attempt To Access MSSQL xp_enumerrorlogs Stored Procedure Via URI to View Error Logs || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,doc.emergingthreats.net/2009820 +1 || 2009822 || 5 || web-application-attack || 0 || ET WEB_SERVER Attempt To Access MSSQL xp_readerrorlogs Stored Procedure Via URI to View Error Logs || url,www.sql-server-performance.com/articles/dev/extended_stored_procedures_p1.aspx || url,www.sqlteam.com/article/using-xp_readerrorlog-in-sql-server-2005 || url,doc.emergingthreats.net/2009822 +1 || 2009823 || 5 || web-application-attack || 0 || ET WEB_SERVER Attempt To Access MSSQL xp_enumdsn/xp_enumgroups/xp_ntsec_enumdomains Stored Procedure Via URI || url,www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm || url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/ || url,msdn.microsoft.com/en-us/library/ms173792.aspx || url,doc.emergingthreats.net/2009823 +1 || 2009824 || 6 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet || url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html || url,doc.emergingthreats.net/2009824 +1 || 2009825 || 8 || trojan-activity || 0 || ET TROJAN Win32.VB.tdq - Fake User-Agent || url,vil.nai.com/vil/content/v_187654.htm || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654 || url,doc.emergingthreats.net/2009825 +1 || 2009826 || 9 || trojan-activity || 0 || ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET || url,doc.emergingthreats.net/2009826 +1 || 2009827 || 3 || attempted-recon || 0 || ET SCAN Pavuk User Agent Detected - Website Mirroring Tool for Off-line Analysis || url,pavuk.sourceforge.net/about.html || url,doc.emergingthreats.net/2009827 +1 || 2009828 || 6 || attempted-admin || 0 || ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command || url,www.milw0rm.com/exploits/9541 || url,doc.emergingthreats.net/2009828 || cve,2009-3023 +1 || 2009829 || 4 || trojan-activity || 0 || ET TROJAN Virut/Virutas/Virtob/QQHelper Dropper Family - HTTP GET || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FQQHelper.gen!E&ThreatID=-2147371486 || url,www.sophos.com/security/analyses/viruses-and-spyware/w32viruti.html || url,www.threatexpert.com/threats/w32-virut-i.html || url,doc.emergingthreats.net/2009829 +1 || 2009830 || 7 || trojan-activity || 0 || ET TROJAN Win32/Wombot.A checkin Possible Bruteforcer for Web Forms and Accounts - HTTP POST || url,doc.emergingthreats.net/2009830 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FWombot.A +1 || 2009831 || 6 || trojan-activity || 0 || ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino) || url,doc.emergingthreats.net/2009831 +1 || 2009832 || 3 || attempted-recon || 0 || ET SCAN DCERPC rpcmgmt ifids Unauthenticated BIND || url,www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf || url,www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf || url,seclists.org/fulldisclosure/2003/Aug/0432.html || url,doc.emergingthreats.net/2009832 +1 || 2009833 || 9 || attempted-recon || 0 || ET SCAN WITOOL SQL Injection Scan || url,witool.sourceforge.net/ || url,doc.emergingthreats.net/2009833 +1 || 2009834 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla portalid Component UNION SELECT SQL Injection || url,www.exploit-db.com/exploits/9563/ || url,www.securityfocus.com/bid/36206/info || url,doc.emergingthreats.net/2009834 +1 || 2009835 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla portalid Component SELECT FROM SQL Injection || url,www.exploit-db.com/exploits/9563/ || url,www.securityfocus.com/bid/36206/info || url,doc.emergingthreats.net/2009835 +1 || 2009836 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla portalid Component DELETE FROM SQL Injection || url,www.exploit-db.com/exploits/9563/ || url,www.securityfocus.com/bid/36206/info || url,doc.emergingthreats.net/2009836 +1 || 2009837 || 7 || attempted-recon || 0 || ET DELETED OWASP Joomla Vulnerability Scanner Detected || url,www.owasp.org/index.php/Category%3aOWASP_Joomla_Vulnerability_Scanner_Project || url,doc.emergingthreats.net/2009837 +1 || 2009838 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News search.php config Parameter Remote File Inclusion || bugtraq,33434 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || url,doc.emergingthreats.net/2009838 +1 || 2009839 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News archive.php config Parameter Remote File Inclusion -1 || bugtraq,33434 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || url,doc.emergingthreats.net/2009839 +1 || 2009840 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News Archive.php config Parameter Remote File Inclusion -2 || bugtraq,33434 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || url,doc.emergingthreats.net/2009840 +1 || 2009841 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News comments.php config Parameter Remote File Inclusion -1 || bugtraq,33434 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || url,doc.emergingthreats.net/2009841 +1 || 2009842 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News Comments.php config Parameter Remote File Inclusion -2 || bugtraq,33434 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || url,doc.emergingthreats.net/2009842 +1 || 2009843 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News news.php config Parameter Remote File Inclusion -1 || bugtraq,33434 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || url,doc.emergingthreats.net/2009843 +1 || 2009844 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News News.php config Parameter Remote File Inclusion -2 || bugtraq,33434 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || url,doc.emergingthreats.net/2009844 +1 || 2009845 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News SendFriend.php config Parameter Remote File Inclusion || bugtraq,33434 || url,juniper.net/security/auto/vulnerabilities/vuln33434.html || url,doc.emergingthreats.net/2009845 +1 || 2009846 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion || url,secunia.com/advisories/33691 || url,milw0rm.com/exploits/8026 || url,doc.emergingthreats.net/2009846 +1 || 2009847 || 7 || web-application-attack || 0 || ET ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow || bugtraq,8008 || url,xforce.iss.net/xforce/xfdb/12423 || url,juniper.net/security/auto/vulnerabilities/vuln8008.html || url,doc.emergingthreats.net/2009847 +1 || 2009848 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dragoon header.inc.php root Parameter Remote File Inclusion || url,milw0rm.com/exploits/5393 || bugtraq,28660 || url,doc.emergingthreats.net/2009848 +1 || 2009849 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Quiz num_questions.php quiz Parameter SQL Injection || bugtraq,35060 || url,milw0rm.com/exploits/8759 || url,doc.emergingthreats.net/2009849 +1 || 2009850 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Quiz answers.php quiz Parameter SQL Injection || bugtraq,35060 || url,milw0rm.com/exploits/8759 || url,doc.emergingthreats.net/2009850 +1 || 2009851 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Quiz answers.php order_number Parameter SQL Injection || bugtraq,35060 || url,milw0rm.com/exploits/8759 || url,doc.emergingthreats.net/2009851 +1 || 2009852 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Quiz high_score_web.php quiz Parameter SQL Injection || bugtraq,35060 || url,milw0rm.com/exploits/8759 || url,doc.emergingthreats.net/2009852 +1 || 2009853 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Quiz results_table_web.php quiz Parameter SQL Injection || bugtraq,35060 || url,milw0rm.com/exploits/8759 || url,doc.emergingthreats.net/2009853 +1 || 2009854 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Quiz question.php quiz Parameter SQL Injection || bugtraq,35060 || url,milw0rm.com/exploits/8759 || url,doc.emergingthreats.net/2009854 +1 || 2009855 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Quiz question.php order_number Parameter SQL Injection || bugtraq,35060 || url,milw0rm.com/exploits/8759 || url,doc.emergingthreats.net/2009855 +1 || 2009856 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Quiz high_score.php quiz Parameter SQL Injection || bugtraq,35060 || url,milw0rm.com/exploits/8759 || url,doc.emergingthreats.net/2009856 +1 || 2009857 || 7 || web-application-attack || 0 || ET ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow || url,secunia.com/advisories/35764/ || url,milw0rm.com/exploits/9116 || url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html || url,doc.emergingthreats.net/2009857 +1 || 2009858 || 8 || attempted-user || 0 || ET ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt || url,www.securityfocus.com/bid/36234/info || url,doc.emergingthreats.net/2009858 +1 || 2009860 || 5 || attempted-admin || 0 || ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit || url,www.milw0rm.com/exploits/9541 || url,doc.emergingthreats.net/2009860 || cve,2009-3023 +1 || 2009861 || 6 || trojan-activity || 0 || ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP)) || url,doc.emergingthreats.net/2009861 +1 || 2009862 || 3 || trojan-activity || 0 || ET TROJAN Banker Trojan CnC AddNew Command || url,doc.emergingthreats.net/2009862 +1 || 2009863 || 3 || trojan-activity || 0 || ET TROJAN Banker Trojan CnC Hello Command || url,doc.emergingthreats.net/2009863 +1 || 2009864 || 5 || trojan-activity || 0 || ET DELETED Banker Trojan CnC Server Ping || url,doc.emergingthreats.net/2009864 +1 || 2009867 || 6 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Mozilla/3.0 (compatible)) || url,doc.emergingthreats.net/2009867 +1 || 2009868 || 11 || attempted-user || 0 || ET ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt || url,securitytracker.com/alerts/2009/Aug/1022752.html || url,www.kb.cert.org/vuls/id/485961 || url,www.securityfocus.com/bid/21207/info || url,doc.emergingthreats.net/2009868 +1 || 2009869 || 9 || attempted-user || 0 || ET ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt || url,www.securityfocus.com/bid/36217/info || url,doc.emergingthreats.net/2009869 +1 || 2009870 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XRMS CRM workflow-activities.php include_directory Remote File Inclusion || cve,CVE-2008-3399 || url,milw0rm.com/exploits/6131 || url,xforce.iss.net/xforce/xfdb/43992 || url,doc.emergingthreats.net/2009870 +1 || 2009871 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPauction GPL converter.inc.php include_path Parameter Remote File Inclusion || url,vupen.com/english/advisories/2008/0908 || bugtraq,28284 || url,milw0rm.com/exploits/5266 || url,doc.emergingthreats.net/2009871 +1 || 2009872 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPauction GPL messages.inc.php include_path Parameter Remote File Inclusion || url,vupen.com/english/advisories/2008/0908 || bugtraq,28284 || url,milw0rm.com/exploits/5266 || url,doc.emergingthreats.net/2009872 +1 || 2009873 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPauction GPL settings.inc.php include_path Parameter Remote File Inclusion || url,vupen.com/english/advisories/2008/0908 || bugtraq,28284 || url,milw0rm.com/exploits/5266 || url,doc.emergingthreats.net/2009873 +1 || 2009874 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Remote File Inclusion || bugtraq,35103 || url,milw0rm.com/exploits/8790 || url,doc.emergingthreats.net/2009874 +1 || 2009875 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cpCommerce _functions.php GLOBALS Parameter Local File Inclusion || bugtraq,35103 || url,milw0rm.com/exploits/8790 || url,doc.emergingthreats.net/2009875 +1 || 2009876 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokuwiki doku.php config_cascade Local File Inclusion || bugtraq,35095 || url,milw0rm.com/exploits/8781 || url,doc.emergingthreats.net/2009876 +1 || 2009877 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VirtueMart Google Base Component admin.googlebase.php Remote File Inclusion || bugtraq,32098 || url,milw0rm.com/exploits/6975 || url,doc.emergingthreats.net/2009877 +1 || 2009878 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Harlandscripts Pro Traffic One mypage.php trg Parameter SQL Injection || url,secunia.com/advisories/32467 || bugtraq,31986 || url,milw0rm.com/exploits/6874 || url,doc.emergingthreats.net/2009878 +1 || 2009880 || 6 || trojan-activity || 0 || ET MALWARE Casalemedia Spyware Reporting URL Visited 3 || url,doc.emergingthreats.net/2009880 +1 || 2009881 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Joomla Com_joomlub Component Union Select SQL Injection || url,www.exploit-db.com/exploits/9593/ || url,doc.emergingthreats.net/2009881 +1 || 2009882 || 3 || attempted-recon || 0 || ET SCAN Default Mysqloit User Agent Detected - Mysql Injection Takover Tool || url,code.google.com/p/mysqloit/ || url,doc.emergingthreats.net/2009882 +1 || 2009883 || 5 || attempted-recon || 0 || ET SCAN Possible Mysqloit Operating System Fingerprint/SQL Injection Test Scan Detected || url,code.google.com/p/mysqloit/ || url,doc.emergingthreats.net/2009883 +1 || 2009884 || 3 || attempted-recon || 0 || ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan || url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html || url,support.microsoft.com/kb/247249 || url,doc.emergingthreats.net/2009884 +1 || 2009885 || 3 || attempted-recon || 0 || ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack || url,www.w3.org/Protocols/rfc2616/rfc2616-sec10.html || url,en.wikipedia.org/wiki/HTTP_404 || url,doc.emergingthreats.net/2009885 +1 || 2009886 || 4 || attempted-dos || 0 || ET NETBIOS Remote SMB2.0 DoS Exploit || url,securityreason.com/exploitalert/7138 || url,doc.emergingthreats.net/2009886 +1 || 2009887 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProjectButler RFI attempt || url,www.sans.org/top20/ || url,www.packetstormsecurity.org/0908-exploits/projectbutler-rfi.txt || url,doc.emergingthreats.net/2009887 +1 || 2009888 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXcms RFI attempt (1) || url,www.sans.org/top20/ || url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt || url,doc.emergingthreats.net/2009888 +1 || 2009889 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXcms RFI attempt (2) || url,www.sans.org/top20/ || url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt || url,doc.emergingthreats.net/2009889 +1 || 2009890 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXcms RFI attempt (3) || url,www.sans.org/top20/ || url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt || url,doc.emergingthreats.net/2009890 +1 || 2009891 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXcms RFI attempt (4) || url,www.sans.org/top20/ || url,packetstormsecurity.org/0908-exploits/maxcms-rfi.txt || url,doc.emergingthreats.net/2009891 +1 || 2009892 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Paid4Mail RFI attempt || url,packetstormsecurity.org/0907-exploits/paid4mail-rfi.txt || url,doc.emergingthreats.net/2009892 +1 || 2009893 || 7 || attempted-user || 0 || ET ACTIVEX Possible HTTP ACTi SetText() nvUnifiedControl.dll Buffer Overflow Attempt || url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429 || url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546 || url,www.securityfocus.com/bid/25465 || url,doc.emergingthreats.net/2009893 +1 || 2009894 || 7 || attempted-user || 0 || ET ACTIVEX Possible HTTP ACTi SaveXMLFile()/DeleteXMLFile() nvUnifiedControl.dll Arbitrary File Overwrite/Deletion Attempt || url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429 || url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546 || url,www.securityfocus.com/bid/25465 || url,doc.emergingthreats.net/2009894 +1 || 2009895 || 3 || policy-violation || 0 || ET POLICY OperaUnite URL Registration || url,unite.opera.com || url,doc.emergingthreats.net/2009895 +1 || 2009896 || 3 || trojan-activity || 0 || ET TROJAN Win32/Winwebsec User-Agent Detected || url,www.f-secure.com/sw-desc/rogue_w32_winwebsec.shtml || url,blogs.technet.com/mmpc/archive/2009/05/13/msrt-tackles-another-rogue.aspx || url,doc.emergingthreats.net/2009896 +1 || 2009897 || 11 || trojan-activity || 0 || ET MALWARE Possible Windows executable sent when remote host claims to send html content || url,doc.emergingthreats.net/2009897 +1 || 2009898 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pragyan CMS form.lib.php sourceFolder Parameter Remote File Inclusion || bugtraq,30235 || url,juniper.net/security/auto/vulnerabilities/vuln30235.html || url,milw0rm.com/exploits/6078 || url,doc.emergingthreats.net/2009898 +1 || 2009903 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Remote File Inclusion || url,secunia.com/advisories/35315/ || url,milw0rm.com/exploits/8851 || url,doc.emergingthreats.net/2009903 +1 || 2009904 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AdaptBB latestposts.php forumspath Parameter Local File Inclusion || url,secunia.com/advisories/35315/ || url,milw0rm.com/exploits/8851 || url,doc.emergingthreats.net/2009904 +1 || 2009905 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Unclassified NewsBoard forum.php __tplCollection Parameter Local File Inclusion || url,www.exploit-db.com/exploits/8841/ || url,secunia.com/advisories/35299/ || url,doc.emergingthreats.net/2009905 +1 || 2009906 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Online Grades parents.php ADD Parameter SQL Injection || url,secunia.com/advisories/35304/ || url,milw0rm.com/exploits/8844 || url,doc.emergingthreats.net/2009906 +1 || 2009907 || 8 || attempted-user || 0 || ET ACTIVEX Remote Desktop Connection ActiveX Control Heap Overflow clsid access || cve,2009-1929 || url,www.microsoft.com/technet/security/Bulletin/MS09-044.mspx || url,doc.emergingthreats.net/2009907 +1 || 2009908 || 7 || trojan-activity || 0 || ET DELETED PinBall Corp. Related suspicious activity || url,doc.emergingthreats.net/2009908 +1 || 2009909 || 9 || trojan-activity || 0 || ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content || url,doc.emergingthreats.net/bin/view/Main/2009909 +1 || 2009913 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS joomla com_djcatalog component SELECT FROM SQL Injection || url,www.exploit-db.com/exploits/9693/ || url,doc.emergingthreats.net/2009913 +1 || 2009914 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS joomla com_djcatalog component DELETE FROM SQL Injection || url,www.exploit-db.com/exploits/9693/ || url,doc.emergingthreats.net/2009914 +1 || 2009915 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS joomla com_djcatalog component INSERT INTO SQL Injection || url,www.exploit-db.com/exploits/9693/ || url,doc.emergingthreats.net/2009915 +1 || 2009916 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS joomla com_djcatalog component UNION SELECT SQL Injection || url,www.exploit-db.com/exploits/9693/ || url,doc.emergingthreats.net/2009916 +1 || 2009917 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS joomla com_djcatalog component UPDATE SET SQL Injection || url,www.exploit-db.com/exploits/9693/ || url,doc.emergingthreats.net/2009917 +1 || 2009919 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36427/info || url,doc.emergingthreats.net/2009919 +1 || 2009920 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36427/info || url,doc.emergingthreats.net/2009920 +1 || 2009921 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36427/info || url,doc.emergingthreats.net/2009921 +1 || 2009922 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter UPDATE SET SQL Injection || url,www.securityfocus.com/bid/36427/info || url,doc.emergingthreats.net/2009922 +1 || 2009923 || 9 || attempted-user || 0 || ET ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt || url,www.securityfocus.com/bid/36398 || url,doc.emergingthreats.net/2009923 +1 || 2009924 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Foobla RSS Feed Creator Component 'id' Parameter INSERT INTO SQL Injection || url,www.securityfocus.com/bid/36427/info || url,doc.emergingthreats.net/2009924 +1 || 2009925 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Remote File Inclusion || url,secunia.com/advisories/31920 || bugtraq,31225 || url,milw0rm.com/exploits/6480 || url,doc.emergingthreats.net/2009925 +1 || 2009926 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script function_core.php web_root Parameter Local File Inclusion || url,secunia.com/advisories/31920 || bugtraq,31225 || url,milw0rm.com/exploits/6480 || url,doc.emergingthreats.net/2009926 +1 || 2009927 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion || url,secunia.com/advisories/31920 || bugtraq,31225 || url,milw0rm.com/exploits/6480 || url,doc.emergingthreats.net/2009927 +1 || 2009928 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Local file Inclusion || url,secunia.com/advisories/31920 || bugtraq,31225 || url,milw0rm.com/exploits/6480 || url,doc.emergingthreats.net/2009928 +1 || 2009929 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Joomla! com_album Component Local File Inclusion Attempt || url,www.securityfocus.com/bid/36441/info || url,www.exploit-db.com/exploits/9706/ || url,doc.emergingthreats.net/2009929 +1 || 2009930 || 9 || trojan-activity || 0 || ET MALWARE User-Agent (User Agent) - Likely Hostile || url,doc.emergingthreats.net/2009930 +1 || 2009931 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible OpenSiteAdmin pageHeader.php Remote File Inclusion Attempt || url,www.securityfocus.com/bid/36445/info || url,www.owasp.org/index.php/PHP_File_Inclusion || url,doc.emergingthreats.net/2009931 +1 || 2009932 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible eFront database.php Remote File Inclusion Attempt || url,www.securityfocus.com/bid/36411/info || url,www.owasp.org/index.php/PHP_File_Inclusion || url,doc.emergingthreats.net/2009932 +1 || 2009933 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Mambo/Joomla! com_koesubmit Component 'koesubmit.php' Remote File Inclusion Attempt || url,www.securityfocus.com/bid/36447/info || url,www.owasp.org/index.php/PHP_File_Inclusion || url,doc.emergingthreats.net/2009933 +1 || 2009934 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ideal MooFAQ Joomla Component file_includer.php file Parameter Local File Inclusion || bugtraq,35259 || url,www.exploit-db.com/exploits/8898/ || url,doc.emergingthreats.net/2009934 +1 || 2009935 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Frontis aps_browse_sources.php source_class Parameter SQL Injection || url,secunia.com/advisories/35369/ || url,milw0rm.com/exploits/8900 || url,doc.emergingthreats.net/2009935 +1 || 2009936 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Plogger plog-download.php checked Parameter SQL Injection || bugtraq,30547 || url,xforce.iss.net/xforce/xfdb/44233 || url,milw0rm.com/exploits/6204 || url,doc.emergingthreats.net/2009936 +1 || 2009937 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Mambo MOStlyCE Module Image Manager Utility Arbitrary File Upload Attempt || url,www.securityfocus.com/bid/27472/info || url,doc.emergingthreats.net/2009937 +1 || 2009938 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36464/info || url,doc.emergingthreats.net/2009938 +1 || 2009939 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36464/info || url,doc.emergingthreats.net/2009939 +1 || 2009940 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36464/info || url,doc.emergingthreats.net/2009940 +1 || 2009941 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component INSERT INTO SQL Injection || url,www.securityfocus.com/bid/36464/info || url,doc.emergingthreats.net/2009941 +1 || 2009942 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Survey Manager Component UPDATE SET SQL Injection || url,www.securityfocus.com/bid/36464/info || url,doc.emergingthreats.net/2009942 +1 || 2009943 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36461/info || url,doc.emergingthreats.net/2009943 +1 || 2009944 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36461/info || url,doc.emergingthreats.net/2009944 +1 || 2009945 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36461/info || url,doc.emergingthreats.net/2009945 +1 || 2009946 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter INSERT INTO SQL Injection || url,www.securityfocus.com/bid/36461/info || url,doc.emergingthreats.net/2009946 +1 || 2009947 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JBudgetsMagic 'bid' Parameter UPDATE SET SQL Injection || url,www.securityfocus.com/bid/36461/info || url,doc.emergingthreats.net/2009947 +1 || 2009948 || 9 || attempted-user || 0 || ET ACTIVEX Quiksoft EasyMail imap connect() ActiveX stack overflow vulnerability || url,www.milw0rm.com/exploits/9704 || url,www.securityfocus.com/bid/22583 || url,doc.emergingthreats.net/2009948 +1 || 2009949 || 10 || web-application-attack || 0 || ET WEB_SERVER Tilde in URI, potential .pl source disclosure vulnerability || url,seclists.org/fulldisclosure/2009/Sep/0321.html || url,doc.emergingthreats.net/2009949 +1 || 2009950 || 10 || web-application-attack || 0 || ET WEB_SERVER Tilde in URI, potential .inc source disclosure vulnerability || url,seclists.org/fulldisclosure/2009/Sep/0321.html || url,doc.emergingthreats.net/2009950 +1 || 2009951 || 10 || web-application-attack || 0 || ET WEB_SERVER Tilde in URI, potential .conf source disclosure vulnerability || url,seclists.org/fulldisclosure/2009/Sep/0321.html || url,doc.emergingthreats.net/2009951 +1 || 2009952 || 10 || web-application-attack || 0 || ET WEB_SERVER Tilde in URI, potential .asp source disclosure vulnerability || url,seclists.org/fulldisclosure/2009/Sep/0321.html || url,doc.emergingthreats.net/2009952 +1 || 2009953 || 10 || web-application-attack || 0 || ET WEB_SERVER Tilde in URI, potential .aspx source disclosure vulnerability || url,seclists.org/fulldisclosure/2009/Sep/0321.html || url,doc.emergingthreats.net/2009953 +1 || 2009954 || 9 || web-application-attack || 0 || ET DELETED Tilde in URI after file, potential source disclosure vulnerability || url,seclists.org/fulldisclosure/2009/Sep/0321.html || url,doc.emergingthreats.net/2009954 +1 || 2009955 || 10 || web-application-attack || 0 || ET WEB_SERVER Tilde in URI, potential .php source disclosure vulnerability || url,seclists.org/fulldisclosure/2009/Sep/0321.html || url,doc.emergingthreats.net/2009955 +1 || 2009956 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36484/info || url,doc.emergingthreats.net/2009956 +1 || 2009957 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36484/info || url,doc.emergingthreats.net/2009957 +1 || 2009958 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36484/info || url,doc.emergingthreats.net/2009958 +1 || 2009959 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component INSERT INTO SQL Injection || url,www.securityfocus.com/bid/36484/info || url,doc.emergingthreats.net/2009959 +1 || 2009960 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! JoomlaFacebook Component UPDATE SET SQL Injection || url,www.securityfocus.com/bid/36484/info || url,doc.emergingthreats.net/2009960 +1 || 2009961 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SportFusion Component SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36481/info || url,doc.emergingthreats.net/2009961 +1 || 2009962 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SportFusion Component DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36481/info || url,doc.emergingthreats.net/2009962 +1 || 2009963 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36481/info || url,doc.emergingthreats.net/2009963 +1 || 2009964 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SportFusion Component INSERT INTO SQL Injection || url,www.securityfocus.com/bid/36481/info || url,doc.emergingthreats.net/2009964 +1 || 2009965 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! SportFusion Component UPDATE SET SQL Injection || url,www.securityfocus.com/bid/36481/info || url,doc.emergingthreats.net/2009965 +1 || 2009966 || 3 || policy-violation || 0 || ET P2P KuGoo P2P Connection || url,koogoo.com || url,doc.emergingthreats.net/2009966 +1 || 2009967 || 5 || policy-violation || 0 || ET P2P eMule KAD Network Connection Request || url,emule-project.net || url,doc.emergingthreats.net/2009967 +1 || 2009968 || 4 || policy-violation || 0 || ET P2P eMule KAD Network Connection Request(2) || url,emule-project.net || url,doc.emergingthreats.net/2009968 +1 || 2009969 || 4 || policy-violation || 0 || ET P2P eMule KAD Network Firewalled Request || url,emule-project.net || url,doc.emergingthreats.net/2009969 +1 || 2009970 || 4 || policy-violation || 0 || ET P2P eMule Kademlia Hello Request || url,emule-project.net || url,doc.emergingthreats.net/2009970 +1 || 2009971 || 5 || policy-violation || 0 || ET P2P eMule KAD Network Hello Request (2) || url,emule-project.net || url,doc.emergingthreats.net/2009971 +1 || 2009972 || 4 || policy-violation || 0 || ET P2P eMule KAD Network Server Status Request || url,emule-project.net || url,doc.emergingthreats.net/2009972 +1 || 2009973 || 4 || policy-violation || 0 || ET P2P eMule KAD Network Send Username || url, emule-project.net || url,doc.emergingthreats.net/2009973 +1 || 2009976 || 4 || denial-of-service || 0 || ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability || cve,CVE-2009-3322 || bugtraq,36366 || url,www.milw0rm.com/exploits/9646 || url,doc.emergingthreats.net/2009976 +1 || 2009977 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability || cve,CVE-2009-3326 || url,www.milw0rm.com/exploits/9727 || url,doc.emergingthreats.net/2009977 +1 || 2009978 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability || cve,CVE-2009-3326 || url,www.milw0rm.com/exploits/9727 || url,doc.emergingthreats.net/2009978 +1 || 2009979 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability || cve,CVE-2009-3326 || url,www.milw0rm.com/exploits/9727 || url,doc.emergingthreats.net/2009979 +1 || 2009980 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability || cve,CVE-2009-3326 || url,www.milw0rm.com/exploits/9727 || url,doc.emergingthreats.net/2009980 +1 || 2009981 || 2 || attempted-user || 0 || ET FTP Possible FTP Daemon Username SELECT FROM SQL Injection Attempt || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2009981 +1 || 2009982 || 2 || attempted-user || 0 || ET FTP Possible FTP Daemon Username DELETE FROM SQL Injection Attempt || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2009982 +1 || 2009983 || 2 || attempted-user || 0 || ET FTP Possible FTP Daemon Username INSERT INTO SQL Injection Attempt || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2009983 +1 || 2009984 || 2 || attempted-user || 0 || ET FTP Possible FTP Daemon Username UPDATE SET SQL Injection Attempt || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2009984 +1 || 2009985 || 2 || attempted-user || 0 || ET FTP Possible FTP Daemon Username UNION SELECT SQL Injection Attempt || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2009985 +1 || 2009986 || 2 || trojan-activity || 0 || ET P2P Octoshape UDP Session || url,msmvps.com/blogs/bradley/archive/2009/01/20/peer-to-peer-on-cnn.aspx || url,doc.emergingthreats.net/2009986 +1 || 2009987 || 7 || trojan-activity || 0 || ET DELETED OneStep Adware related User Agent (x) || url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2 +1 || 2009988 || 5 || trojan-activity || 0 || ET TROJAN Banker.Delf User-Agent (MzApp) || url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html || url,doc.emergingthreats.net/2007594 +1 || 2009990 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible IBM Lotus Connections simpleSearch.do Cross-Site Scripting Attempt || url,www.securitytracker.com/alerts/2009/Sep/1022945.html || url,doc.emergingthreats.net/2009990 +1 || 2009991 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (MyIE/1.0) || url,doc.emergingthreats.net/2009991 +1 || 2009993 || 8 || trojan-activity || 0 || ET MALWARE www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU) || url,doc.emergingthreats.net/2009993 +1 || 2009994 || 7 || trojan-activity || 0 || ET TROJAN User-Agent (STEROID Download) || url,anubis.iseclab.org/?action=result&task_id=17b118a86edba30f4f588db66eaf55d10 || url,security.thejoshmeister.com/2009/09/new-malware-ddos-botexe-etc-and.html || url,doc.emergingthreats.net/2009994 +1 || 2009995 || 8 || trojan-activity || 0 || ET MALWARE User-Agent (ONANDON) || url,doc.emergingthreats.net/2009995 +1 || 2009998 || 9 || policy-violation || 0 || ET POLICY Smilebox Spyware Download || url,www.smilebox.com/info/privacy.html || url,doc.emergingthreats.net/2009998 +1 || 2009999 || 3 || attempted-user || 0 || ET EXPLOIT xp_servicecontrol access || url,doc.emergingthreats.net/2009999 +1 || 2010000 || 3 || attempted-user || 0 || ET EXPLOIT xp_fileexist access || url,doc.emergingthreats.net/2010000 +1 || 2010001 || 3 || attempted-user || 0 || ET EXPLOIT xp_enumerrorlogs access || url,doc.emergingthreats.net/2010001 +1 || 2010002 || 4 || attempted-user || 0 || ET EXPLOIT xp_readerrorlogs access || url,doc.emergingthreats.net/2010002 +1 || 2010003 || 4 || attempted-user || 0 || ET EXPLOIT xp_enumdsn access || url,doc.emergingthreats.net/2010003 +1 || 2010004 || 5 || attempted-user || 0 || ET WEB_SERVER SQL sp_start_job attempt || url,doc.emergingthreats.net/2010004 +1 || 2010007 || 12 || trojan-activity || 0 || ET TROJAN Potential Gemini Malware Download || url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791 || url,doc.emergingthreats.net/2010007 +1 || 2010008 || 4 || policy-violation || 0 || ET P2P Octoshape P2P streaming media || url,doc.emergingthreats.net/2010008 +1 || 2010009 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Webmin Pre-1.290 Compromise Attempt || url,bliki.rimuhosting.com/comments/knowledgebase/linux/miscapplications/webmin || url,doc.emergingthreats.net/2010009 +1 || 2010010 || 8 || attempted-user || 0 || ET ACTIVEX Possible HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Attempt || url,www.securityfocus.com/bid/36550/info || url,doc.emergingthreats.net/2010010 +1 || 2010011 || 8 || attempted-user || 0 || ET ACTIVEX Possible Symantec Altiris Deployment Solution AeXNSPkgDLLib.dll ActiveX Control DownloadAndInstall Method Arbitrary Code Execution Attempt || url,securitytracker.com/alerts/2009/Sep/1022928.html || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090922_00 || url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023 || url,doc.emergingthreats.net/2010011 +1 || 2010012 || 7 || attempted-user || 0 || ET ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt || url,www.securityfocus.com/bid/36546/info || url,tools.cisco.com/security/center/viewAlert.x?alertId=19135 || url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html || url,doc.emergingthreats.net/2010012 +1 || 2010013 || 8 || attempted-user || 0 || ET ACTIVEX Possible SAP GUI ActiveX Control Insecure Method File Overwrite Attempt || url,www.securitytracker.com/alerts/2009/Sep/1022953.html || url,doc.emergingthreats.net/2010013 +1 || 2010014 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36213/info || url,doc.emergingthreats.net/2010014 +1 || 2010015 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36213/info || url,doc.emergingthreats.net/2010015 +1 || 2010016 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36213/info || url,doc.emergingthreats.net/2010016 +1 || 2010017 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Joomla! Game Server Component 'id' Parameter UPDATE SET SQL Injection || url,www.securityfocus.com/bid/36213/info || url,doc.emergingthreats.net/2010017 +1 || 2010018 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Joomla Game Server Component id Parameter INSERT INTO SQL Injection || url,www.securityfocus.com/bid/36213/info || url,doc.emergingthreats.net/2010018 +1 || 2010019 || 8 || attempted-recon || 0 || ET SCAN Tomcat Web Application Manager scanning || url,doc.emergingthreats.net/2010019 +1 || 2010020 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SHOP-INET show_cat2.php grid Parameter SQL Injection || bugtraq,33471 || url,milw0rm.com/exploits/7874 || url,secunia.com/advisories/33660/ || url,doc.emergingthreats.net/2010020 +1 || 2010021 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RS-CMS rscms_mod_newsview.php key Parameter Processing Remote SQL Injection || url,milw0rm.com/exploits/9000 || url,vupen.com/english/advisories/2009/1658 || url,doc.emergingthreats.net/2010021 +1 || 2010022 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AdaptWeb a_index.php CodigoDisciplina Parameter Remote SQL Injection || cve,CVE-2009-2152 || url,en.securitylab.ru/nvd/381723.php || url,milw0rm.com/exploits/8954 || url,doc.emergingthreats.net/2010022 +1 || 2010023 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Local File Inclusion || url,www.exploit-db.com/exploits/9015/ || url,en.securitylab.ru/nvd/381880.php || url,doc.emergingthreats.net/2010023 +1 || 2010024 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LightOpenCMS smarty.php cwd Parameter Remote File Inclusion || url,www.exploit-db.com/exploits/9015/ || url,en.securitylab.ru/nvd/381880.php || url,doc.emergingthreats.net/2010024 +1 || 2010025 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Local File Inclusion || url,secunia.com/advisories/35622/ || bugtraq,35521 || url,milw0rm.com/exploits/9044 || url,doc.emergingthreats.net/2010025 +1 || 2010026 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TorrentTrader Classic delreq.php categ Parameter Sql Injection || url,milw0rm.com/exploits/8958 || bugtraq,35369 || url,doc.emergingthreats.net/2010026 +1 || 2010027 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DM Albums album.php SECURITY_FILE Parameter Remote File Inclusion || url,secunia.com/advisories/35622/ || bugtraq,35521 || url,milw0rm.com/exploits/9044 || url,doc.emergingthreats.net/2010027 +1 || 2010028 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NewSolved newsscript.php jahr Parameter SQL Injection || url,secunia.com/advisories/35611/ || url,www.exploit-db.com/exploits/9042/ || url,doc.emergingthreats.net/7741 +1 || 2010029 || 9 || web-application-attack || 0 || ET ACTIVEX PDFZilla 1.0.8 ActiveX DebugMsgLog method DOS CLSid Access || url,packetstormsecurity.org/0908-exploits/pdfzilla-overflow.txt || url,doc.emergingthreats.net/9130 +1 || 2010030 || 6 || web-application-activity || 0 || ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL || url,support.microsoft.com/kb/321832 +1 || 2010031 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Novell eDirectory 'dconserv.dlm' Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/36567/info || url,doc.emergingthreats.net/2010031 +1 || 2010032 || 4 || trojan-activity || 0 || ET DELETED Internal User may have Visited an ASProx Infected Site (ads-t.ru) || url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html || url,doc.emergingthreats.net/2010032 +1 || 2010033 || 5 || trojan-activity || 0 || ET DELETED Internal User may have Visited an ASProx Infected Site (bannert.ru) || url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html || url,doc.emergingthreats.net/2010033 +1 || 2010034 || 6 || trojan-activity || 0 || ET DELETED Internal User may have Visited an ASProx Infected Site (bannerdriven.ru) || url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html || url,doc.emergingthreats.net/2010034 +1 || 2010035 || 6 || attempted-user || 0 || ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable WriteToLog Method Arbitrary File Creation/Overwrite Attempt || url,www.securityfocus.com/bid/36566/info || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,doc.emergingthreats.net/2010035 +1 || 2010036 || 4 || attempted-user || 0 || ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable SetLogLevel/SetLogFileName Method Arbitrary File Creation/Overwrite Attempt || url,www.securityfocus.com/bid/36566/info || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,doc.emergingthreats.net/2010036 +1 || 2010037 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible SQL Injection INTO OUTFILE Arbitrary File Write Attempt || url,www.milw0rm.com/papers/372 || url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection || url,websec.wordpress.com/2007/11/17/mysql-into-outfile/ || url,doc.emergingthreats.net/2010037 +1 || 2010038 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible INTO OUTFILE Arbitrary File Write SQL Injection In Cookie || url,www.milw0rm.com/papers/372 || url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection || url,websec.wordpress.com/2007/11/17/mysql-into-outfile/ || url,doc.emergingthreats.net/2010038 +1 || 2010039 || 6 || attempted-user || 0 || ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt || url,www.securityfocus.com/bid/36580/info || url,www.securityfocus.com/archive/1/506889 || url,doc.emergingthreats.net/2010039 +1 || 2010040 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36598/info || url,doc.emergingthreats.net/2010040 +1 || 2010041 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36598/info || url,doc.emergingthreats.net/2010041 +1 || 2010042 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36598/info || url,doc.emergingthreats.net/2010042 +1 || 2010043 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter INSERT INTO SQL Injection || url,www.securityfocus.com/bid/36598/info || url,doc.emergingthreats.net/2010043 +1 || 2010044 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! CB Resume Builder 'group_id' Parameter UPDATE SET SQL Injection || url,www.securityfocus.com/bid/36598/info || url,doc.emergingthreats.net/2010044 +1 || 2010045 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter SELECT FROM SQL Injection || url,www.securityfocus.com/bid/36597/info || url,doc.emergingthreats.net/2010045 +1 || 2010046 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter DELETE FROM SQL Injection || url,www.securityfocus.com/bid/36597/info || url,doc.emergingthreats.net/2010046 +1 || 2010047 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter UNION SELECT SQL Injection || url,www.securityfocus.com/bid/36597/info || url,doc.emergingthreats.net/2010047 +1 || 2010048 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla! Soundset Component 'cat_id' Parameter INSERT INTO SQL Injection || url,www.securityfocus.com/bid/36597/info || url,doc.emergingthreats.net/2010048 +1 || 2010050 || 6 || trojan-activity || 0 || ET TROJAN Likely Fake Antivirus Download Antivirus_21.exe || url,doc.emergingthreats.net/2010050 +1 || 2010051 || 4 || trojan-activity || 0 || ET TROJAN Likely Fake Antivirus Download ws.exe || url,doc.emergingthreats.net/2010051 +1 || 2010052 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.zip || url,doc.emergingthreats.net/2010052 +1 || 2010053 || 3 || trojan-activity || 0 || ET DELETED TROJAN Likely FakeRean Download || url,doc.emergingthreats.net/2010053 +1 || 2010054 || 6 || trojan-activity || 0 || ET TROJAN Likely TDSS Download (codec.exe) || url,doc.emergingthreats.net/2010054 +1 || 2010055 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Likely TDSS Download (pcdef.exe) || url,doc.emergingthreats.net/2010055 +1 || 2010056 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS TROJAN Likely TDSS Download (197.exe) || url,doc.emergingthreats.net/2010056 +1 || 2010057 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Fake Antivirus Download installpv.exe || url,doc.emergingthreats.net/2010057 +1 || 2010058 || 3 || trojan-activity || 0 || ET DELETED MALWARE Likely Unknown Trojan Download || url,doc.emergingthreats.net/2010058 +1 || 2010059 || 7 || trojan-activity || 0 || ET TROJAN Likely Infostealer exe Download +1 || 2010060 || 3 || trojan-activity || 0 || ET DELETED TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download || url,doc.emergingthreats.net/2010060 +1 || 2010061 || 10 || trojan-activity || 0 || ET TROJAN Likely Fake Antivirus Download InternetAntivirusPro.exe || url,doc.emergingthreats.net/2010061 +1 || 2010062 || 5 || trojan-activity || 0 || ET TROJAN Likely Fake Antivirus Download AntivirusPlus.exe || url,doc.emergingthreats.net/2010062 +1 || 2010064 || 6 || trojan-activity || 0 || ET DELETED Buzus Posting Data || url,doc.emergingthreats.net/2010064 +1 || 2010065 || 5 || trojan-activity || 0 || ET TROJAN SafeFighter Fake Scanner Installation in Progress || url,doc.emergingthreats.net/2010065 +1 || 2010066 || 10 || trojan-activity || 0 || ET POLICY Data POST to an image file (gif) || url,doc.emergingthreats.net/2010066 +1 || 2010067 || 9 || trojan-activity || 0 || ET POLICY Data POST to an image file (jpg) || url,doc.emergingthreats.net/2010067 +1 || 2010068 || 7 || trojan-activity || 0 || ET POLICY Data POST to an image file (jpeg) || url,doc.emergingthreats.net/2010068 +1 || 2010069 || 7 || trojan-activity || 0 || ET POLICY Data POST to an image file (bmp) || url,doc.emergingthreats.net/2010069 +1 || 2010070 || 6 || trojan-activity || 0 || ET POLICY Data POST to an image file (png) || url,doc.emergingthreats.net/2010070 +1 || 2010071 || 9 || trojan-activity || 0 || ET TROJAN Hiloti/Mufanom Downloader Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A || url,doc.emergingthreats.net/2010071 || url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/ +1 || 2010072 || 8 || trojan-activity || 0 || ET TROJAN Bredolab Infection - Windows Key || url,doc.emergingthreats.net/2010072 +1 || 2010073 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt || url,www.securityfocus.com/bid/36654/info || url,www.securityfocus.com/archive/1/507072 || url,doc.emergingthreats.net/2010073 +1 || 2010074 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Docebo UNION SELECT SQL Injection Attempt || url,www.securityfocus.com/bid/36654/info || url,www.securityfocus.com/archive/1/507072 || url,doc.emergingthreats.net/2010074 +1 || 2010075 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Docebo SELECT FROM SQL Injection Attempt || url,www.securityfocus.com/bid/36654/info || url,www.securityfocus.com/archive/1/507072 || url,doc.emergingthreats.net/2010075 +1 || 2010076 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Docebo DELETE FROM SQL Injection Attempt || url,www.securityfocus.com/bid/36654/info || url,www.securityfocus.com/archive/1/507072 || url,doc.emergingthreats.net/2010076 +1 || 2010077 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt || url,www.securityfocus.com/bid/36654/info || url,www.securityfocus.com/archive/1/507072 || url,doc.emergingthreats.net/2010077 +1 || 2010078 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt || url,www.securityfocus.com/bid/36654/info || url,www.securityfocus.com/archive/1/507072 || url,doc.emergingthreats.net/2010078 +1 || 2010080 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible AIOCP cp_html2xhtmlbasic.php Remote File Inclusion Attempt || url,www.securityfocus.com/bid/36609/info || url,www.securityfocus.com/archive/1/507030 || url,doc.emergingthreats.net/2010080 +1 || 2010081 || 2 || attempted-user || 0 || ET FTP Possible FTP Daemon Username INTO OUTFILE SQL Injection Attempt || url,www.milw0rm.com/papers/372 || url,www.greensql.net/publications/backdoor-webserver-using-mysql-sql-injection || url,websec.wordpress.com/2007/11/17/mysql-into-outfile/ || url,doc.emergingthreats.net/2010081 +1 || 2010082 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible AWStats awstats.pl Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/30730/info || url,bugzilla.redhat.com/show_bug.cgi?id=474396 || url,sourceforge.net/tracker/index.php?func=detail&aid=2001151&group_id=13764&atid=113764 || cve,2008-3714 || url,doc.emergingthreats.net/2010082 +1 || 2010084 || 4 || web-application-attack || 0 || ET WEB_SERVER Possible ALTER SQL Injection Attempt || url,www.owasp.org/index.php/SQL_Injection || url,www.w3schools.com/SQl/sql_alter.asp || url,doc.emergingthreats.net/2010084 +1 || 2010085 || 4 || web-application-attack || 0 || ET WEB_SERVER Possible DROP SQL Injection Attempt || url,www.owasp.org/index.php/SQL_Injection || url,www.w3schools.com/SQl/sql_drop.asp || url,doc.emergingthreats.net/2010085 +1 || 2010086 || 5 || web-application-attack || 0 || ET WEB_SERVER Possible CREATE SQL Injection Attempt in URI || url,www.owasp.org/index.php/SQL_Injection || url,www.w3schools.com/Sql/sql_create_db.asp || url,doc.emergingthreats.net/2010086 +1 || 2010087 || 6 || attempted-recon || 0 || ET SCAN Suspicious User-Agent Containing SQL Inject/ion, Likely SQL Injection Scanner || url,www.owasp.org/index.php/SQL_Injection || url,doc.emergingthreats.net/2010087 +1 || 2010088 || 5 || attempted-recon || 0 || ET SCAN Suspicious User-Agent Containing Web Scan/er, Likely Web Scanner || url,doc.emergingthreats.net/2010088 +1 || 2010089 || 5 || attempted-recon || 0 || ET SCAN Suspicious User-Agent Containing Security Scan/ner, Likely Scan || url,doc.emergingthreats.net/2010089 +1 || 2010092 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Webradev Download Protect EmailTemplates.class.php Remote File Inclusion || url,milw0rm.com/exploits/8792 || url,doc.emergingthreats.net/2010092 +1 || 2010093 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Webradev Download Protect PDPEmailReplaceConstants.class.php Remote File Inclusion || url,milw0rm.com/exploits/8792 || url,doc.emergingthreats.net/2010093 +1 || 2010094 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Webradev Download Protect ResellersManager.class.php Remote File Inclusion || url,milw0rm.com/exploits/8792 || url,doc.emergingthreats.net/2010094 +1 || 2010095 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPGenealogy CoupleDB.php DataDirectory Parameter Remote File Inclusion || url,milw0rm.com/exploits/9155 || url,packetstormsecurity.org/0907-exploits/phpgenealogy-rfi.txt || url,doc.emergingthreats.net/2010095 +1 || 2010096 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GROUP-E head_auth.php CFG Parameter Remote File Inclusion || url,juniper.net/security/auto/vulnerabilities/vuln28024.html || bugtraq,28024 || url,milw0rm.com/exploits/5197 || url,doc.emergingthreats.net/2010096 +1 || 2010097 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RaXnet Cacti top_graph_header.php config Parameter Remote File Inclusion || bugtraq,14030 || url,doc.emergingthreats.net/2010097 +1 || 2010098 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Telephone Directory 2008 edit1.php code Parameter SQL Injection || bugtraq,29614 || url,xforce.iss.net/xforce/xfdb/42972 || url,milw0rm.com/exploits/5764 || url,doc.emergingthreats.net/2010098 +1 || 2010099 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS News Manager ch_readalso.php read_xml_include Parameter Remote File Inclusion || bugtraq,29251 || url,xforce.iss.net/xforce/xfdb/42459 || url,milw0rm.com/exploits/5624 || url,doc.emergingthreats.net/2010099 +1 || 2010100 || 7 || trojan-activity || 0 || ET TROJAN Palevo/BFBot/Mariposa client join attempt || url,defintel.com/docs/Mariposa_Analysis.pdf || url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html || url,doc.emergingthreats.net/2010100 || url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php || url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2 || url,www.symantec.com/connect/blogs/mariposa-butterfly +1 || 2010101 || 6 || trojan-activity || 0 || ET TROJAN Palevo/BFBot/Mariposa server join acknowledgement || url,defintel.com/docs/Mariposa_Analysis.pdf || url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html || url,doc.emergingthreats.net/2010101 || url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php || url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2 || url,www.symantec.com/connect/blogs/mariposa-butterfly +1 || 2010119 || 6 || web-application-attack || 0 || ET WEB_SERVER xp_cmdshell Attempt in Cookie || url,www.databasejournal.com/features/mssql/article.php/3372131/Using-xpcmdshell.htm || url,msdn.microsoft.com/en-us/library/ms175046.aspx || url,tools.cisco.com/security/center/viewAlert.x?alertId=4072 || url,doc.emergingthreats.net/2010119 +1 || 2010121 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Celepar module for Xoops aviso.php codigo SQL injection || url,milw0rm.com/exploits/9249 || url,xforce.iss.net/xforce/xfdb/51985 || url,doc.emergingthreats.net/2010121 +1 || 2010122 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NewSolved newsscript.php idneu Parameter SQL Injection || url,secunia.com/advisories/35611/ || url,www.exploit-db.com/exploits/9042/ || url,doc.emergingthreats.net/2010122 +1 || 2010123 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS NewSolved newsscript.php newsid Parameter SQL Injection || url,secunia.com/advisories/35611/ || url,www.exploit-db.com/exploits/9042/ || url,doc.emergingthreats.net/2010123 +1 || 2010124 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SERWeb load_lang.php configdir Parameter Remote File Inclusion || bugtraq,26747 || url,milworm.com/exploits/9284 || url,doc.emergingthreats.net/2010124 +1 || 2010125 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SERWeb main_prepend.php functionsdir Parameter Remote File Inclusion || bugtraq,26747 || url,milworm.com/exploits/9284 || url,doc.emergingthreats.net/2010125 +1 || 2010126 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Remote File Inclusion || url,milw0rm.com/exploits/9297 || url,secunia.com/advisories/36033/ || url,doc.emergingthreats.net/2010126 +1 || 2010127 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ultrize TimeSheet timesheet.php include_dir Parameter Local File Inclusion || url,milw0rm.com/exploits/9297 || url,secunia.com/advisories/36033/ || url,doc.emergingthreats.net/2010127 +1 || 2010129 || 6 || trojan-activity || 0 || ET TROJAN TROJAN Drop.Agent.bfsv HTTP Activity (UsER-AgENt) || url,doc.emergingthreats.net/2010129 +1 || 2010131 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UNION SELECT SQL Injection Attempt || url,securitytracker.com/alerts/2009/Oct/1023017.html || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,www.securityfocus.com/bid/36660/info || cve,2009-2734 || url,doc.emergingthreats.net/2010131 +1 || 2010132 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable SELECT FROM SQL Injection Attempt || url,securitytracker.com/alerts/2009/Oct/1023017.html || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,www.securityfocus.com/bid/36660/info || cve,2009-2734 || url,doc.emergingthreats.net/2010132 +1 || 2010133 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable INSERT INTO SQL Injection Attempt || url,securitytracker.com/alerts/2009/Oct/1023017.html || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,www.securityfocus.com/bid/36660/info || cve,2009-2734 || url,doc.emergingthreats.net/2010133 +1 || 2010134 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable DELETE FROM SQL Injection Attempt || url,securitytracker.com/alerts/2009/Oct/1023017.html || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,www.securityfocus.com/bid/36660/info || cve,2009-2734 || url,doc.emergingthreats.net/2010134 +1 || 2010135 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Achievo userid= Variable UPDATE SET SQL Injection Attempt || url,securitytracker.com/alerts/2009/Oct/1023017.html || url,www.bonsai-sec.com/research/vulnerabilities/achievo-sql-injection-0102.txt || url,www.securityfocus.com/bid/36660/info || cve,2009-2734 || url,doc.emergingthreats.net/2010135 +1 || 2010136 || 5 || trojan-activity || 0 || ET DELETED Suspicious User-Agent (asp2009) || url,www.threatexpert.com/report.aspx?md5=6cad864a439da7bbd6f1cec941cca72b || url,doc.emergingthreats.net/2010136 +1 || 2010137 || 5 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (Sme32) || url,doc.emergingthreats.net/2010137 +1 || 2010138 || 4 || trojan-activity || 0 || ET TROJAN Possible Win32/Agent.QBY CnC Post || url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63 || url,doc.emergingthreats.net/2010138 +1 || 2010139 || 5 || policy-violation || 0 || ET P2P Vuze BT Connection || url,vuze.com || url,doc.emergingthreats.net/2010139 +1 || 2010140 || 5 || policy-violation || 0 || ET P2P Vuze BT UDP Connection || url,vuze.com || url,doc.emergingthreats.net/2010140 +1 || 2010141 || 3 || policy-violation || 0 || ET P2P Vuze BT UDP Connection (2) || url,vuze.com || url,doc.emergingthreats.net/2010141 +1 || 2010142 || 4 || policy-violation || 0 || ET P2P Vuze BT UDP Connection (3) || url,doc.emergingthreats.net/2010142 +1 || 2010143 || 3 || policy-violation || 0 || ET P2P Vuze BT UDP Connection (4) || url,doc.emergingthreats.net/2010143 +1 || 2010144 || 5 || policy-violation || 0 || ET P2P Vuze BT UDP Connection (5) || url,vuze.com || url,doc.emergingthreats.net/2010144 +1 || 2010145 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible IBM Rational RequisitePro ReqWebHelp Cross Site Scripting Attempt || url,www.securityfocus.com/bid/36721/info || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,doc.emergingthreats.net/2010145 +1 || 2010146 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Apache Tomcat Host Manager Cross Site Scripting Attempt || url,www.securityfocus.com/bid/29502/info || cve,2008-1947 || url,doc.emergingthreats.net/2010146 +1 || 2010147 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible bloofoxCMS 'search' Parameter Cross Site Scripting Attempt || url,www.securityfocus.com/bid/36700/info || url,doc.emergingthreats.net/2010147 +1 || 2010148 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS DHL Spam Inbound || url,doc.emergingthreats.net/2010148 +1 || 2010150 || 6 || trojan-activity || 0 || ET TROJAN Koobface HTTP Request (2) || url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html || url,doc.emergingthreats.net/2010150 +1 || 2010151 || 8 || trojan-activity || 0 || ET TROJAN Koobface C&C availability check || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf || url,doc.emergingthreats.net/2010151 +1 || 2010152 || 3 || trojan-activity || 0 || ET TROJAN Koobface C&C availability check successful || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf || url,doc.emergingthreats.net/2010152 +1 || 2010153 || 6 || trojan-activity || 0 || ET TROJAN Koobface fetch C&C command detected || url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf || url,doc.emergingthreats.net/2010153 +1 || 2010154 || 5 || web-application-attack || 0 || ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt || url,www.securityfocus.com/bid/36566/info || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,doc.emergingthreats.net/2010154 +1 || 2010155 || 5 || web-application-attack || 0 || ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt || url,www.securityfocus.com/bid/36566/info || url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html || url,doc.emergingthreats.net/2010155 +1 || 2010156 || 6 || misc-attack || 0 || ET GAMES Alien Arena 7.30 Remote Code Execution Attempt || url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt || url,doc.emergingthreats.net/2010156 +1 || 2010157 || 8 || not-suspicious || 0 || ET POLICY Suspicious User-Agent (XXX) Often Sony Update Related || url,doc.emergingthreats.net/bin/view/Main/2010157 +1 || 2010158 || 6 || trojan-activity || 0 || ET TROJAN Nanspy Bot Checkin || url,doc.emergingthreats.net/2010158 +1 || 2010159 || 4 || attempted-admin || 0 || ET WEB_SERVER Possible 3Com OfficeConnect Router Default User Account Remote Command Execution Attempt || url,securitytracker.com/alerts/2009/Oct/1023051.html || url,www.securityfocus.com/archive/1/507263 || url,www.securityfocus.com/bid/36722/info || url,doc.emergingthreats.net/2010159 +1 || 2010160 || 7 || attempted-user || 0 || ET ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt || url,www.milw0rm.org/exploits/8733 || url,www.securityfocus.com/bid/35028 || url,doc.emergingthreats.net/2010160 +1 || 2010161 || 5 || attempted-user || 0 || ET ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt || url,www.milw0rm.org/exploits/8986 || url,doc.emergingthreats.net/2010161 +1 || 2010162 || 3 || attempted-recon || 0 || ET WEB_SERVER Possible Sucessful Juniper NetScreen ScreenOS Firmware Version Disclosure Attempt || url,securitytracker.com/alerts/2009/Apr/1022123.html || url,www.securityfocus.com/bid/34710 || url,seclists.org/bugtraq/2009/Apr/242 || url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr09-05 || url,doc.emergingthreats.net/2010162 +1 || 2010163 || 7 || trojan-activity || 0 || ET TROJAN Glacial Dracon C&C Communication || url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d || url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46 || url,doc.emergingthreats.net/2010163 +1 || 2010164 || 6 || trojan-activity || 0 || ET TROJAN Daonol C&C Communication || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol || url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html || url,www.iss.net/threats/gumblar.html || url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html || url,doc.emergingthreats.net/2010164 +1 || 2010165 || 7 || trojan-activity || 0 || ET TROJAN Tibs/Harnig Downloader Activity || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig || url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc || url,doc.emergingthreats.net/2010165 +1 || 2010167 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp Queue XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010167 +1 || 2010168 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp FileName XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010168 +1 || 2010169 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp IsolatedMessageID XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010169 +1 || 2010170 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security viewHeaders.asp ServerName XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010170 +1 || 2010171 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp FileName XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010171 +1 || 2010172 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp IsolatedMessageID XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010172 +1 || 2010173 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp ServerName XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010173 +1 || 2010174 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Dictionary XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010174 +1 || 2010175 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp Scoring XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010175 +1 || 2010176 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgAnalyse.asp MessagePart XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010176 +1 || 2010177 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp Queue XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010177 +1 || 2010178 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp FileName XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010178 +1 || 2010179 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp IsolatedMessageID XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010179 +1 || 2010180 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebSense Email security msgForwardToRiskFilter.asp ServerName XSS Attempt || url,www.securityfocus.com/bid/36741/ || url,doc.emergingthreats.net/2010180 +1 || 2010181 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp searchWord Cross Site Scripting Attempt || url,www.securityfocus.com/bid/36721/info || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,doc.emergingthreats.net/2010181 +1 || 2010182 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp maxHits Cross Site Scripting Attempt || url,www.securityfocus.com/bid/36721/info || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,doc.emergingthreats.net/2010182 +1 || 2010183 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scopedSearch Cross Site Scripting Attempt || url,www.securityfocus.com/bid/36721/info || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,doc.emergingthreats.net/2010183 +1 || 2010184 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBM Rational RequisitePro ReqWebHelp scope Cross Site Scripting Attempt || url,www.securityfocus.com/bid/36721/info || url,www-01.ibm.com/support/docview.wss?uid=swg1PK83895 || url,doc.emergingthreats.net/2010184 +1 || 2010185 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt || url,doc.emergingthreats.net/2010185 +1 || 2010186 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt || url,doc.emergingthreats.net/2010186 +1 || 2010187 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt || url,doc.emergingthreats.net/2010187 +1 || 2010188 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt || url,doc.emergingthreats.net/2010188 +1 || 2010189 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS QUICKTEAM qte_result.php title Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/0910-exploits/quickteam-sql.txt || url,doc.emergingthreats.net/2010189 +1 || 2010190 || 4 || attempted-user || 0 || ET ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call || url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023 || url,secunia.com/advisories/36679 || url,doc.emergingthreats.net/2010190 +1 || 2010191 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS justVisual contact.php fs_jVroot Parameter Remote File Inclusion || url,secunia.com/advisories/36072/ || url,milw0rm.com/exploits/9308 || url,doc.emergingthreats.net/2010191 +1 || 2010192 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS justVisual pageTemplate.php fs_jVroot Parameter Remote File Inclusion || url,secunia.com/advisories/36072/ || url,milw0rm.com/exploits/9308 || url,doc.emergingthreats.net/2010192 +1 || 2010193 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS justVisual utilities.php fs_jVroot Parameter Remote File Inclusion || url,secunia.com/advisories/36072/ || url,milw0rm.com/exploits/9308 || url,doc.emergingthreats.net/2010193 +1 || 2010194 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Adobe JRun Directory Traversal || url,www.dsecrg.ru/pages/vul/show.php?id=152 || url,www.vupen.com/english/advisories/2009/2285 || url,doc.emergingthreats.net/2010194 +1 || 2010195 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DS CMS DetailFile.php nFileId Parameter SQL Injection || url,packetstormsecurity.org/0908-exploits/dscms-sql.txt || url,doc.emergingthreats.net/2010195 +1 || 2010196 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 2FLY Gift Delivery 2fly_gift.php gameid Parameter SQL Injection || url,secunia.com/advisories/36294/ || url,osvdb.org/show/osvdb/57136 || url,doc.emergingthreats.net/2010196 +1 || 2010197 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KingCMS menu.php CONFIG Parameter Remote File Inclusion || url,osvdb.org/show/osvdb/57688 || url,doc.emergingthreats.net/2010197 +1 || 2010198 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Autonomous LAN Party _bot.php master Parameter Remote File Inclusion || url,secunia.com/advisories/36354 || url,packetstormsecurity.nl/0908-exploits/autonomouslan-rfi.txt || url,doc.emergingthreats.net/2010198 +1 || 2010200 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Attempt || cve,2007-5923 || url,www.securityfocus.com/bid/26375/info || url,doc.emergingthreats.net/2010200 +1 || 2010201 || 3 || trojan-activity || 0 || ET TROJAN Silon Encrypted Data POST to C&C || url,www.trusteer.com/webform/w32silon-malware-analysis || url,doc.emergingthreats.net/2010201 +1 || 2010203 || 6 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010203 +1 || 2010204 || 6 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010204 +1 || 2010205 || 7 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010205 +1 || 2010206 || 6 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010206 +1 || 2010207 || 6 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010207 +1 || 2010208 || 4 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010208 +1 || 2010209 || 4 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010209 +1 || 2010210 || 4 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010210 +1 || 2010211 || 4 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010211 +1 || 2010212 || 4 || attempted-user || 0 || ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt || url,www.securityfocus.com/bid/36548 || url,doc.emergingthreats.net/2010212 +1 || 2010214 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Adobe Flex SDK index.template.html Cross Site Scripting Attempt || cve,2009-1879 || url,securitytracker.com/alerts/2009/Aug/1022748.html || url,doc.emergingthreats.net/2010214 +1 || 2010215 || 4 || web-application-attack || 0 || ET SCAN SQL Injection Attempt (Agent uil2pn) || url,www.prevx.com/filenames/89385984947861762-X1/UIL2PN.EXE.html || url,doc.emergingthreats.net/2010215 +1 || 2010217 || 9 || trojan-activity || 0 || ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B || url,www.secureworks.com/research/threats/ppi/ || url,doc.emergingthreats.net/2010217 +1 || 2010218 || 5 || trojan-activity || 0 || ET MALWARE Win32/InternetAntivirus User-Agent (Internet Antivirus Pro) || url,doc.emergingthreats.net/2010218 +1 || 2010219 || 6 || attempted-user || 0 || ET ACTIVEX ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt || url,www.securityfocus.com/bid/35256/info || url,doc.emergingthreats.net/2010219 +1 || 2010220 || 5 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (ClickAdsByIE) || url,doc.emergingthreats.net/2010220 +1 || 2010221 || 6 || trojan-activity || 0 || ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30) || url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss || url,doc.emergingthreats.net/2010221 +1 || 2010222 || 4 || bad-unknown || 0 || ET DELETED MALWARE Potential exploit redirect, in.cgi pepsi || url,malwareurl.com || url,doc.emergingthreats.net/2010222 +1 || 2010223 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt || url,www.securityfocus.com/bid/29716/info || url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb || url,doc.emergingthreats.net/2010223 +1 || 2010224 || 4 || trojan-activity || 0 || ET TROJAN Opachki Link Hijacker Traffic Redirection || url,www.secureworks.com/research/threats/opachki/?threat=opachki || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A || url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2 || url,doc.emergingthreats.net/2010224 +1 || 2010227 || 5 || attempted-user || 0 || ET ACTIVEX Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00 || url,www.securityfocus.com/bid/36698/info || url,sotiriu.de/adv/NSOADV-2009-001.txt || cve,2009-3031 || url,doc.emergingthreats.net/2010227 +1 || 2010228 || 7 || policy-violation || 0 || ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected || url,www.microsoft.com/windows/windows-7/default.aspx || url,doc.emergingthreats.net/2010228 +1 || 2010229 || 3 || attempted-dos || 0 || ET WEB_SERVER Possible Cherokee Web Server GET AUX Request Denial Of Service Attempt || url,securitytracker.com/alerts/2009/Oct/1023095.html || url,www.securityfocus.com/bid/36814/info || url,www.securityfocus.com/archive/1/507456 || url,doc.emergingthreats.net/2010229 +1 || 2010230 || 7 || trojan-activity || 0 || ET TROJAN W32.Koblu || url,doc.emergingthreats.net/2010230 +1 || 2010231 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 1 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,vil.nai.com/vil/content/v_157489.htm || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,doc.emergingthreats.net/2010231 +1 || 2010232 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 2 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,doc.emergingthreats.net/2010232 +1 || 2010233 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download 3 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html || url,doc.emergingthreats.net/2010233 +1 || 2010234 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 1 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6 || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,doc.emergingthreats.net/2010234 +1 || 2010235 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 2 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html || url,vil.nai.com/vil/content/v_157489.htm || url,doc.emergingthreats.net/2010235 +1 || 2010236 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 3 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,doc.emergingthreats.net/2010236 +1 || 2010237 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 4 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,doc.emergingthreats.net/2010237 +1 || 2010238 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 5 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,doc.emergingthreats.net/2010238 +1 || 2010239 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post 6 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T || url,vil.nai.com/vil/content/v_157489.htm || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T || url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959 || url,doc.emergingthreats.net/2010239 +1 || 2010240 || 4 || trojan-activity || 0 || ET TROJAN WindowsEnterpriseSuite FakeAV check-in HEAD || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 || url,doc.emergingthreats.net/2010240 +1 || 2010241 || 6 || trojan-activity || 0 || ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 || url,doc.emergingthreats.net/2010241 +1 || 2010242 || 4 || trojan-activity || 0 || ET TROJAN WindowsEnterpriseSuite FakeAV get_product_domains.php || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 || url,doc.emergingthreats.net/2010242 +1 || 2010243 || 4 || trojan-activity || 0 || ET DELETED Agent.END || url,doc.emergingthreats.net/2010243 +1 || 2010244 || 5 || trojan-activity || 0 || ET TROJAN Obitel Downloader Request || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fObitel.gen!A || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.ASLV&VSect=T || url,doc.emergingthreats.net/2010244 +1 || 2010245 || 6 || attempted-user || 0 || ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00 || url,www.securityfocus.com/bid/36698/info || url,sotiriu.de/adv/NSOADV-2009-001.txt || url,securitytracker.com/alerts/2009/Nov/1023122.html || cve,2009-3031 || url,doc.emergingthreats.net/2010245 +1 || 2010246 || 8 || trojan-activity || 0 || ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 || url,doc.emergingthreats.net/2010246 +1 || 2010247 || 6 || trojan-activity || 0 || ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 || url,doc.emergingthreats.net/2010247 +1 || 2010248 || 5 || trojan-activity || 0 || ET TROJAN Eleonore Exploit Pack activity || url,www.offensivecomputing.net/?q=node/1419 || url,doc.emergingthreats.net/2010248 +1 || 2010252 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Datalife Engine api.class.php dle_config_api Parameter Remote File Inclusion || url,www.juniper.net/security/auto/vulnerabilities/vuln36212.html || url,milw0rm.com/exploits/9572 || url,doc.emergingthreats.net/2010252 +1 || 2010253 || 6 || web-application-attack || 0 || ET ACTIVEX EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt || url,milw0rm.com/exploits/9684 || url,doc.emergingthreats.net/2010253 +1 || 2010254 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ve-EDIT edit_htmlarea.php highlighter Parameter Remote File Inclusion || url,osvdb.org/show/osvdb/57679 || url,doc.emergingthreats.net/2010254 +1 || 2010255 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ve-EDIT debug_php.php _GET Parameter Local File Inclusion || url,osvdb.org/show/osvdb/57680 || url,doc.emergingthreats.net/2010255 +1 || 2010256 || 6 || web-application-attack || 0 || ET ACTIVEX Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access || url,www.milw0rm.com/exploits/9682 || url,doc.emergingthreats.net/2010256 +1 || 2010257 || 4 || attempted-user || 0 || ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite Function Call || url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt || url,doc.emergingthreats.net/2010257 +1 || 2010258 || 4 || web-application-attack || 0 || ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite clsid Access || url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt || url,doc.emergingthreats.net/2010258 +1 || 2010259 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DvBBS boardrule.php groupboardid Parameter SQL Injection || bugtraq,36282 || url,doc.emergingthreats.net/2010259 +1 || 2010260 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla AjaxChat Component ajcuser.php GLOBALS Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/59056 || url,packetstormsecurity.org/0910-exploits/joomlaajaxchat-rfi.txt || url,doc.emergingthreats.net/2010260 +1 || 2010261 || 5 || trojan-activity || 0 || ET TROJAN WindowsEnterpriseSuite FakeAV User-Agent TALWinHttpClient || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 || url,doc.emergingthreats.net/2010261 +1 || 2010262 || 6 || trojan-activity || 0 || ET TROJAN WindowsEnterpriseSuite FakeAV Dynamic User-Agent || url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387 || url,doc.emergingthreats.net/2010262 +1 || 2010263 || 6 || attempted-user || 0 || ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt || cve,2006-1303 || bugtraq,18328 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || url,doc.emergingthreats.net/2010263 +1 || 2010264 || 6 || attempted-user || 0 || ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt || cve,2006-1303 || bugtraq,18328 || url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx || url,doc.emergingthreats.net/2010264 +1 || 2010265 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (M0zilla) || url,doc.emergingthreats.net/2010265 +1 || 2010266 || 6 || trojan-activity || 0 || ET TROJAN Banload Checkin || url,doc.emergingthreats.net/2010266 +1 || 2010267 || 4 || trojan-activity || 0 || ET TROJAN Sinowal/Torpig Checkin || url,doc.emergingthreats.net/2010267 +1 || 2010268 || 4 || trojan-activity || 0 || ET TROJAN W32.SillyFDC Checkin || url,doc.emergingthreats.net/2010268 +1 || 2010270 || 6 || trojan-activity || 0 || ET TROJAN Asprox Data Post to C&C || url,www.secureworks.com/research/threats/danmecasprox/ || url,www.toorcon.org/tcx/18_Brown.pdf || url,doc.emergingthreats.net/2010270 +1 || 2010271 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter SELECT FROM SQL Injection Attempt || url,osvdb.org/show/osvdb/59406 || url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt || url,doc.emergingthreats.net/2010271 +1 || 2010272 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter DELETE FROM SQL Injection Attempt || url,osvdb.org/show/osvdb/59406 || url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt || url,doc.emergingthreats.net/2010272 +1 || 2010273 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UNION SELECT SQL Injection Attempt || url,osvdb.org/show/osvdb/59406 || url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt || url,doc.emergingthreats.net/2010273 +1 || 2010274 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter INSERT INTO SQL Injection Attempt || url,osvdb.org/show/osvdb/59406 || url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt || url,doc.emergingthreats.net/2010274 +1 || 2010275 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DEDECMS feedback_js.php arcurl Parameter UPDATE SET SQL Injection Attempt || url,osvdb.org/show/osvdb/59406 || url,www.packetstormsecurity.org/0910-exploits/dedecms-sql.txt || url,doc.emergingthreats.net/2010275 +1 || 2010276 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ProdLer prodler.class.php sPath Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/58298 || url,doc.emergingthreats.net/2010276 +1 || 2010277 || 6 || web-application-attack || 0 || ET ACTIVEX EasyMail Quicksoft ActiveX CreateStore method Remote code excution clsid access || url,www.milw0rm.com/exploits/9685 || url,doc.emergingthreats.net/2010277 +1 || 2010278 || 6 || web-application-attack || 0 || ET ACTIVEX EasyMail ActiveX AddAttachment method Remote code excution clsid access attempt || url,www.milw0rm.com/exploits/9705 || url,doc.emergingthreats.net/2010278 +1 || 2010279 || 5 || web-application-attack || 0 || ET ACTIVEX InstanGet v2.08 Activex Control DOS clsid access attempt || url,www.packetstormsecurity.org/0909-exploits/instantget-dos.txt || url,doc.emergingthreats.net/2010279 +1 || 2010280 || 6 || web-application-attack || 0 || ET ACTIVEX Charm Real Converter pro 6.6 Activex Control DOS clsid access attempt || url,www.packetstormsecurity.org/0909-exploits/charmrc-dos.txt || url,doc.emergingthreats.net/2010280 +1 || 2010281 || 3 || attempted-user || 0 || ET WEB_SERVER Apache mod_perl Apache Status and Apache2 Status Cross Site Scripting Attempt || url,www.securityfocus.com/bid/34383/info || cve,2009-0796 || url,doc.emergingthreats.net/2010281 +1 || 2010282 || 8 || trojan-activity || 0 || ET TROJAN Generic Trojan Checkin (double Content-Type headers) || url,doc.emergingthreats.net/2010282 +1 || 2010283 || 9 || trojan-activity || 0 || ET TROJAN Opachki Link Hijacker HTTP Header Injection || url,www.secureworks.com/research/threats/opachki/?threat=opachki || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A || url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2 || url,doc.emergingthreats.net/2010283 +1 || 2010284 || 3 || web-application-attack || 0 || ET WEB_SERVER SELECT INSTR in URI, Possible ORACLE Related Blind SQL Injection Attempt || url,www.psoug.org/reference/substr_instr.html || url,www.easywebtech.com/artical/Oracle_INSTR.html || url,www.owasp.org/index.php/SQL_Injection || url,msdn.microsoft.com/en-us/library/ms161953.aspx || url,doc.emergingthreats.net/2010284 +1 || 2010285 || 5 || web-application-attack || 0 || ET WEB_SERVER SELECT SUBSTR/ING in URI, Possible Blind SQL Injection Attempt || url,www.1keydata.com/sql/sql-substring.html || url,www.owasp.org/index.php/SQL_Injection || url,msdn.microsoft.com/en-us/library/ms161953.aspx || url,doc.emergingthreats.net/2010285 +1 || 2010286 || 3 || web-application-attack || 0 || ET WEB_SERVER SELECT INSTR in Cookie, Possible ORACLE Related Blind SQL Injection Attempt || url,www.psoug.org/reference/substr_instr.html || url,www.easywebtech.com/artical/Oracle_INSTR.html || url,www.owasp.org/index.php/SQL_Injection || url,msdn.microsoft.com/en-us/library/ms161953.aspx || url,doc.emergingthreats.net/2010286 +1 || 2010287 || 3 || web-application-attack || 0 || ET WEB_SERVER SELECT SUBSTR/ING in Cookie, Possible Blind SQL Injection Attempt || url,www.1keydata.com/sql/sql-substring.html || url,www.owasp.org/index.php/SQL_Injection || url,msdn.microsoft.com/en-us/library/ms161953.aspx || url,doc.emergingthreats.net/2010287 +1 || 2010288 || 3 || trojan-activity || 0 || ET TROJAN W32/Scar Downloader Request || url,www.f-secure.com/v-descs/trojan_w32_scar_a.shtml || url,doc.emergingthreats.net/2010288 +1 || 2010289 || 5 || trojan-activity || 0 || ET TROJAN Clod/Sereki Communication with C&C || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A || url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa || url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319 || url,doc.emergingthreats.net/2010289 +1 || 2010290 || 10 || trojan-activity || 0 || ET TROJAN Clod/Sereki Checkin with C&C (noalert) || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A || url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa || url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319 || url,doc.emergingthreats.net/2010290 +1 || 2010291 || 4 || trojan-activity || 0 || ET TROJAN Clod/Sereki Checkin Response || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A || url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa || url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319 || url,doc.emergingthreats.net/2010291 +1 || 2010292 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 1 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010292 +1 || 2010293 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 2 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010293 +1 || 2010294 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 3 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010294 +1 || 2010295 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 4 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010295 +1 || 2010296 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 5 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010296 +1 || 2010297 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 6 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010297 +1 || 2010298 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 7 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010298 +1 || 2010299 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 8 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010299 +1 || 2010300 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 9 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010300 +1 || 2010301 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 10 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010301 +1 || 2010302 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 11 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010302 +1 || 2010303 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 12 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010303 +1 || 2010304 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 13 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010304 +1 || 2010305 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 14 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010305 +1 || 2010306 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 15 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010306 +1 || 2010307 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 16 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010307 +1 || 2010308 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 17 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010308 +1 || 2010309 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 18 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010309 +1 || 2010310 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 19 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010310 +1 || 2010311 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 20 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010311 +1 || 2010312 || 6 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 21 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010312 +1 || 2010313 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 22 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010313 +1 || 2010314 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 23 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010314 +1 || 2010315 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 24 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010315 +1 || 2010316 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 25 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010316 +1 || 2010317 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 26 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010317 +1 || 2010318 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 27 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010318 +1 || 2010319 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 28 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010319 +1 || 2010320 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 29 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010320 +1 || 2010321 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 30 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010321 +1 || 2010322 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 31 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010322 +1 || 2010323 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 32 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010323 +1 || 2010324 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 33 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010324 +1 || 2010325 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 34 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010325 +1 || 2010326 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 35 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010326 +1 || 2010327 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 36 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010327 +1 || 2010328 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 37 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010328 +1 || 2010329 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 38 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010329 +1 || 2010330 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 39 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010330 +1 || 2010331 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 40 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010331 +1 || 2010332 || 5 || attempted-user || 0 || ET ACTIVEX COM Object MS06-042 CLSID 41 Access Attempt || cve,2006-3638 || url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx || url,doc.emergingthreats.net/2010332 +1 || 2010333 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (CrazyBro) || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html || url,doc.emergingthreats.net/2010333 +1 || 2010334 || 5 || trojan-activity || 0 || ET TROJAN Dosenjo/Kvadr Proxy Trojan Activity || url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml || url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934 || url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7 || url,doc.emergingthreats.net/2010334 +1 || 2010337 || 19 || trojan-activity || 0 || ET TROJAN FakeAV Reporting - POST often to resolution|borders.php || url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss || url,doc.emergingthreats.net/2010337 +1 || 2010338 || 2 || policy-violation || 0 || ET DELETED offers.e-centives.com Coupon Printer || url,offers.e-centives.com || url,doc.emergingthreats.net/2010338 +1 || 2010339 || 3 || trojan-activity || 0 || ET DELETED Potential Fake Anti-Virus Download Inst_58s6.exe || url,cyveillanceblog.com/general-cyberintel/malware-google-search-results || url,doc.emergingthreats.net/2010339 +1 || 2010341 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OS Commerce 2.2 RC2 Potential Anonymous Remote Code Execution || url,seclists.org/fulldisclosure/2009/Nov/169 || url,seclists.org/fulldisclosure/2009/Nov/170 || url,www.milw0rm.com/exploits/9556 || url,doc.emergingthreats.net/2010341 +1 || 2010342 || 5 || trojan-activity || 0 || ET DELETED NACHA/Zeus Phishing Executable Download Attempt || url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html || url,doc.emergingthreats.net/2010342 +1 || 2010343 || 5 || web-application-activity || 0 || ET SCAN pangolin SQL injection tool || url,www.lifedork.net/pangolin-best-sql-injection-tool.html || url,doc.emergingthreats.net/2010343 +1 || 2010344 || 3 || trojan-activity || 0 || ET TROJAN Chorns/Poison Ivy related Backdoor Initial Connection || url,doc.emergingthreats.net/2010344 +1 || 2010345 || 3 || trojan-activity || 0 || ET TROJAN Chorns/Poison Ivy related Backdoor Keep Alive || url,doc.emergingthreats.net/2010345 +1 || 2010346 || 6 || trojan-activity || 0 || ET TROJAN Ultimate HAckerz Team User-Agent (Made by UltimateHackerzTeam) - Likely Trojan Report || url,doc.emergingthreats.net/2010346 +1 || 2010347 || 6 || trojan-activity || 0 || ET TROJAN Fake/Rogue AV Landing Page Encountered || url,en.wikipedia.org/wiki/Scareware || url,doc.emergingthreats.net/2010347 +1 || 2010348 || 6 || trojan-activity || 0 || ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download || url,zeustracker.abuse.ch || url,doc.emergingthreats.net/2010348 +1 || 2010349 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter SELECT FROM SQL Injection Attempt || bugtraq,36809 || url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt || url,doc.emergingthreats.net/2010349 +1 || 2010350 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter DELETE FROM SQL Injection Attempt || bugtraq,36809 || url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt || url,doc.emergingthreats.net/2010350 +1 || 2010351 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UNION SELECT SQL Injection Attempt || bugtraq,36809 || url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt || url,doc.emergingthreats.net/2010351 +1 || 2010352 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter INSERT INTO SQL Injection Attempt || bugtraq,36809 || url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt || url,doc.emergingthreats.net/2010352 +1 || 2010353 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_photoblog component category Parameter UPDATE SET SQL Injection Attempt || bugtraq,36809 || url,www.packetstormsecurity.org/0910-exploits/joomlaphotoblog-sql.txt || url,doc.emergingthreats.net/2010353 +1 || 2010354 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Achievo debugger.php config_atkroot parameter Remote File Inclusion Attempt || bugtraq,36822 || url,doc.emergingthreats.net/2010354 +1 || 2010355 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OBOphiX fonctions_racine.php chemin_lib parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/57869 || url,secunia.com/advisories/36658/ || url,doc.emergingthreats.net/2010355 +1 || 2010356 || 6 || web-application-attack || 0 || ET ACTIVEX NCTAVIFile V 1.6.2 Activex File Creation clsid access attempt || url,www.packetstatic.com/0909-exploits/nctavi-exec.txt || url,doc.emergingthreats.net/2010356 +1 || 2010357 || 4 || web-application-attack || 0 || ET ACTIVEX NCTAVIFile V 1.6.2 ActiveX File Creation Function call attempt || url,www.packetstatic.com/0909-exploits/nctavi-exec.txt || url,doc.emergingthreats.net/2010357 +1 || 2010358 || 6 || successful-user || 0 || ET ACTIVEX Macrovision FLEXnet Connect ActiveX Control Arbitrary File Download || bugtraq,27279 || url,www.milw0rm.com/exploits/4913 || url,doc.emergingthreats.net/2010358 +1 || 2010359 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/58315 || url,www.milw0rm.com/exploits/9720 || url,doc.emergingthreats.net/2010359 +1 || 2010360 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/58316 || url,www.milw0rm.com/exploits/9720 || url,doc.emergingthreats.net/2010360 +1 || 2010361 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/58317 || url,www.milw0rm.com/exploits/9720 || url,doc.emergingthreats.net/2010361 +1 || 2010362 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AjaxPortal di.php pathtoserverdata Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/55485 || url,doc.emergingthreats.net/2010362 +1 || 2010363 || 6 || web-application-attack || 0 || ET ACTIVEX Orca Browser 1.1 Activex Command Execution clsid access attempt || url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt || url,doc.emergingthreats.net/2010363 +1 || 2010364 || 4 || web-application-attack || 0 || ET ACTIVEX Orca Browser 1.1 ActiveX Command Execution Function call attempt || url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt || url,doc.emergingthreats.net/2010364 +1 || 2010365 || 6 || web-application-attack || 0 || ET ACTIVEX ProgramChecker 1.5 Activex Command Execution clsid access attempt || url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt || url,doc.emergingthreats.net/2010365 +1 || 2010366 || 4 || web-application-attack || 0 || ET ACTIVEX ProgramChecker 1.5 ActiveX Command Execution Function call attempt || url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt || url,doc.emergingthreats.net/2010366 +1 || 2010367 || 6 || web-application-attack || 0 || ET ACTIVEX Gom Player V 2.1.16 Activex Command Execution clsid access attempt || url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt || url,doc.emergingthreats.net/2010367 +1 || 2010368 || 4 || web-application-attack || 0 || ET ACTIVEX Gom Player V 2.1.16 ActiveX Command Execution Function call attempt || url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt || url,doc.emergingthreats.net/2010368 +1 || 2010369 || 5 || attempted-user || 0 || ET ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt || url,securitytracker.com/alerts/2009/Nov/1023238.html || url,www.securityfocus.com/bid/37092 || cve,2009-3033 || url,doc.emergingthreats.net/2010369 +1 || 2010370 || 4 || attempted-user || 0 || ET ACTIVEX ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt || url,securitytracker.com/alerts/2009/Nov/1023238.html || url,www.securityfocus.com/bid/37092 || cve,2009-3033 || url,doc.emergingthreats.net/2010370 +1 || 2010371 || 2 || attempted-recon || 0 || ET SCAN Amap TCP Service Scan Detected || url,freeworld.thc.org/thc-amap/ || url,doc.emergingthreats.net/2010371 +1 || 2010372 || 2 || attempted-recon || 0 || ET SCAN Amap UDP Service Scan Detected || url,freeworld.thc.org/thc-amap/ || url,doc.emergingthreats.net/2010372 +1 || 2010373 || 6 || attempted-user || 0 || ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Attempt || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt || url,www.securityfocus.com/bid/37151/info || url,doc.emergingthreats.net/2010373 +1 || 2010374 || 4 || attempted-user || 0 || ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt || url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt || url,www.securityfocus.com/bid/37151/info || url,doc.emergingthreats.net/2010374 +1 || 2010375 || 2 || attempted-admin || 0 || ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt || url,www.securityfocus.com/bid/36748 || cve,2009-1991 || url,doc.emergingthreats.net/2010375 +1 || 2010376 || 3 || trojan-activity || 0 || ET DELETED WU Malicious Spam Inbound || url,doc.emergingthreats.net/2010376 +1 || 2010377 || 6 || web-application-attack || 0 || ET POLICY JBOSS/JMX port 80 access from outside || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/ || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,doc.emergingthreats.net/2010377 +1 || 2010378 || 5 || web-application-attack || 0 || ET POLICY JBOSS/JMX port 8080 access from outside || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/ || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,doc.emergingthreats.net/2010378 +1 || 2010379 || 5 || web-application-attack || 0 || ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST) || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/ || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,doc.emergingthreats.net/2010379 +1 || 2010380 || 5 || web-application-attack || 0 || ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (GET) || url,www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/ || url,www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf || url,doc.emergingthreats.net/2010380 +1 || 2010381 || 10 || trojan-activity || 0 || ET TROJAN Syrutrk/Gibon/Bredolab Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A || url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37 || url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865 || url,doc.emergingthreats.net/2010381 +1 || 2010382 || 7 || trojan-activity || 0 || ET TROJAN Fake AV GET || url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35 || url,doc.emergingthreats.net/2010382 +1 || 2010383 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell || url,doc.emergingthreats.net/2010383 +1 || 2010385 || 4 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 2) || url,doc.emergingthreats.net/2010385 +1 || 2010386 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 3) || url,doc.emergingthreats.net/2010386 +1 || 2010387 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 4) || url,doc.emergingthreats.net/2010387 +1 || 2010388 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Countdown Encoded 5) || url,doc.emergingthreats.net/2010388 +1 || 2010389 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 1) || url,doc.emergingthreats.net/2010389 +1 || 2010390 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Pex Encoded 2) || url,doc.emergingthreats.net/2010390 +1 || 2010391 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 1) || url,doc.emergingthreats.net/2010391 +1 || 2010392 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 2) || url,doc.emergingthreats.net/2010392 +1 || 2010393 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 3) || url,doc.emergingthreats.net/2010393 +1 || 2010394 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 4) || url,doc.emergingthreats.net/2010394 +1 || 2010395 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Not Encoded 5) || url,doc.emergingthreats.net/2010395 +1 || 2010396 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 1) || url,doc.emergingthreats.net/2010396 +1 || 2010397 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 2) || url,doc.emergingthreats.net/2010397 +1 || 2010398 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 3) || url,doc.emergingthreats.net/2010398 +1 || 2010399 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 4) || url,doc.emergingthreats.net/2010399 +1 || 2010400 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Pex Alphanumeric Encoded 5) || url,doc.emergingthreats.net/2010400 +1 || 2010401 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 1) || url,doc.emergingthreats.net/2010401 +1 || 2010402 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (PexFstEnvMov Encoded 2) || url,doc.emergingthreats.net/2010402 +1 || 2010403 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (JmpCallAdditive Encoded) || url,doc.emergingthreats.net/2010403 +1 || 2010404 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 1) || url,doc.emergingthreats.net/2010404 +1 || 2010405 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 2) || url,doc.emergingthreats.net/2010405 +1 || 2010406 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Bind shell (Alpha2 Encoded 3) || url,doc.emergingthreats.net/2010406 +1 || 2010407 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 1) || url,doc.emergingthreats.net/2010407 +1 || 2010408 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvSub Encoded 2) || url,doc.emergingthreats.net/2010408 +1 || 2010409 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 1) || url,doc.emergingthreats.net/2010409 +1 || 2010410 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 2) || url,doc.emergingthreats.net/2010410 +1 || 2010411 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 3) || url,doc.emergingthreats.net/2010411 +1 || 2010412 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Countdown Encoded 4) || url,doc.emergingthreats.net/2010412 +1 || 2010413 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 1) || url,doc.emergingthreats.net/2010413 +1 || 2010414 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Encoded 2) || url,doc.emergingthreats.net/2010414 +1 || 2010415 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 1) || url,doc.emergingthreats.net/2010415 +1 || 2010416 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 2) || url,doc.emergingthreats.net/2010416 +1 || 2010417 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Not Encoded 3) || url,doc.emergingthreats.net/2010417 +1 || 2010418 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 1) || url,doc.emergingthreats.net/2010418 +1 || 2010419 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 2) || url,doc.emergingthreats.net/2010419 +1 || 2010420 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Pex Alphanumeric Encoded 3) || url,doc.emergingthreats.net/2010420 +1 || 2010421 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 1) || url,doc.emergingthreats.net/2010421 +1 || 2010422 || 3 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (PexFnstenvMov Encoded 2) || url,doc.emergingthreats.net/2010422 +1 || 2010423 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (JmpCallAdditive Encoded 1) || url,doc.emergingthreats.net/2010423 +1 || 2010424 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 1) || url,doc.emergingthreats.net/2010424 +1 || 2010425 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 2) || url,doc.emergingthreats.net/2010425 +1 || 2010426 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD Reverse shell (Alpha2 Encoded 3) || url,doc.emergingthreats.net/2010426 +1 || 2010427 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 1) || url,doc.emergingthreats.net/2010427 +1 || 2010428 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Bind shell (SPARC Encoded 2) || url,doc.emergingthreats.net/2010428 +1 || 2010429 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 1) || url,doc.emergingthreats.net/2010429 +1 || 2010430 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 2) || url,doc.emergingthreats.net/2010430 +1 || 2010431 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 3) || url,doc.emergingthreats.net/2010431 +1 || 2010432 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Bind shell (Not Encoded 4) || url,doc.emergingthreats.net/2010432 +1 || 2010433 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 1) || url,doc.emergingthreats.net/2010433 +1 || 2010434 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 2) || url,doc.emergingthreats.net/2010434 +1 || 2010435 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 1) || url,doc.emergingthreats.net/2010435 +1 || 2010436 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (SPARC Encoded 2) || url,doc.emergingthreats.net/2010436 +1 || 2010437 || 2 || shellcode-detect || 0 || ET SHELLCODE METASPLOIT BSD SPARC Reverse shell (Not Encoded 3) || url,doc.emergingthreats.net/2010437 +1 || 2010438 || 6 || trojan-activity || 0 || ET MALWARE Possible Malicious Applet Access (justexploit kit) || url,www.malwaredomainlist.com/forums/index.php?topic=3570.0 || url,doc.emergingthreats.net/2010438 +1 || 2010439 || 8 || trojan-activity || 0 || ET TROJAN Generic Trojan Checkin (UA VBTagEdit) || url,doc.emergingthreats.net/2010439 +1 || 2010440 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS Potential Malware Download flash-HQ-plugin exe || url,malwareurl.com || url,doc.emergingthreats.net/2010440 +1 || 2010441 || 5 || trojan-activity || 0 || ET TROJAN Possible Storm Variant HTTP Post (S) || url,cyber.secdev.ca/2009/11/russian-malware-bundle || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,doc.emergingthreats.net/2010441 +1 || 2010442 || 4 || trojan-activity || 0 || ET TROJAN Possible Storm Variant HTTP Post (U) || url,cyber.secdev.ca/2009/11/russian-malware-bundle || url,www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf || url,doc.emergingthreats.net/2010442 +1 || 2010444 || 3 || bad-unknown || 0 || ET DELETED MALWARE Potential Malware Download, pdf exploit || url,malwareurl.com || url,doc.emergingthreats.net/2010444 +1 || 2010446 || 3 || bad-unknown || 0 || ET DELETED MALWARE Potential Malware Download, loadjavad.php exploit || url,malwareurl.com || url,doc.emergingthreats.net/2010446 +1 || 2010447 || 3 || bad-unknown || 0 || ET DELETED MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe) || url,malwareurl.com || url,doc.emergingthreats.net/2010447 +1 || 2010448 || 3 || bad-unknown || 0 || ET DELETED MALWARE Potential Malware Download, trojan zbot || url,malwareurl.com || url,doc.emergingthreats.net/2010448 +1 || 2010449 || 3 || bad-unknown || 0 || ET DELETED MALWARE Potential Malware Download, exploit redirect || url,malwareurl.com || url,doc.emergingthreats.net/2010449 +1 || 2010450 || 5 || trojan-activity || 0 || ET TROJAN Potential Gemini/Fake AV Download URL Detected || url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791 || url,doc.emergingthreats.net/2010450 +1 || 2010452 || 8 || trojan-activity || 0 || ET TROJAN Potential Fake AV GET installer.1.exe || url,www.malwareurl.com || url,doc.emergingthreats.net/2010452 +1 || 2010453 || 7 || trojan-activity || 0 || ET TROJAN Potential Fake AV GET installer_1.exe || url,www.malwareurl.com || url,doc.emergingthreats.net/2010453 +1 || 2010454 || 3 || successful-admin || 0 || ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host || url,doc.emergingthreats.net/2010454 +1 || 2010456 || 6 || attempted-user || 0 || ET ACTIVEX SonicWALL SSL VPN Client Remote ActiveX AddRouteEntry Attempt || url,www.securityfocus.com/bid/26288/info || cve,2007-5603 || url,doc.emergingthreats.net/2010456 +1 || 2010457 || 6 || attempted-user || 0 || ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt || url,www.securityfocus.com/bid/35475/info || cve,2009-1203 || url,doc.emergingthreats.net/2010457 +1 || 2010458 || 10 || trojan-activity || 0 || ET TROJAN Dropper Checkin (often scripts.dlv4.com related) || url,doc.emergingthreats.net/2010458 +1 || 2010460 || 4 || attempted-user || 0 || ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/29191/info || cve,2008-2165 || url,doc.emergingthreats.net/2010460 +1 || 2010461 || 6 || trojan-activity || 0 || ET MALWARE User-Agent (MSIE7 na) || url,doc.emergingthreats.net/2010461 +1 || 2010462 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible Barracuda IM Firewall smtp_test.cgi Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/37248/info || url,doc.emergingthreats.net/2010462 +1 || 2010463 || 6 || successful-user || 0 || ET WEB_SERVER RFI Scanner Success (Fx29ID) || url,doc.emergingthreats.net/2010463 || url,opinion.josepino.com/php/howto_website_hack1 +1 || 2010465 || 5 || trojan-activity || 0 || ET TROJAN Potential Fake AV Download (download/install.php) || url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html || url,malwareurl.com || url,www.malwaredomainlist.com || url,doc.emergingthreats.net/2010465 +1 || 2010466 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PointComma pctemplate.php pcConfig Parameter Remote File Inclusion Attempt || url,www.packetstormsecurity.nl/0911-exploits/pointcomma-rfi.txt || url,doc.emergingthreats.net/2010466 +1 || 2010467 || 4 || web-application-attack || 0 || ET ACTIVEX SAP GUI vsflexGrid ActiveX Buffer Overflow Function call Attempt || url,dsecrg.com/pages/vul/show.php?id=117 || url,osvdb.org/show/osvdb/41939 || url,doc.emergingthreats.net/2010467 +1 || 2010468 || 6 || web-application-attack || 0 || ET ACTIVEX SAP GUI vsflexGrid ActiveX Archive method Buffer Overflow CLSID Attempt || url,dsecrg.com/pages/vul/show.php?id=117 || url,osvdb.org/show/osvdb/41939 || url,doc.emergingthreats.net/2010468 +1 || 2010469 || 6 || web-application-attack || 0 || ET ACTIVEX SAP GUI vsflexGrid ActiveX Text method Buffer Overflow CLSID Attempt || url,dsecrg.com/pages/vul/show.php?id=117 || url,osvdb.org/show/osvdb/41939 || url,doc.emergingthreats.net/2010469 +1 || 2010470 || 6 || web-application-attack || 0 || ET ACTIVEX SAP GUI vsflexGrid ActiveX EditSelText method Buffer Overflow CLSID Attempt || url,dsecrg.com/pages/vul/show.php?id=117 || url,osvdb.org/show/osvdb/41939 || url,doc.emergingthreats.net/2010470 +1 || 2010471 || 6 || web-application-attack || 0 || ET ACTIVEX SAP GUI vsflexGrid ActiveX EditText method Buffer Overflow CLSID Attempt || url,dsecrg.com/pages/vul/show.php?id=117 || url,osvdb.org/show/osvdb/41939 || url,doc.emergingthreats.net/2010471 +1 || 2010472 || 6 || web-application-attack || 0 || ET ACTIVEX SAP GUI vsflexGrid ActiveX CellFontName method Buffer Overflow CLSID Attempt || url,dsecrg.com/pages/vul/show.php?id=117 || url,osvdb.org/show/osvdb/41939 || url,doc.emergingthreats.net/2010472 +1 || 2010473 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS p-Table for WordPress wptable-tinymce.php ABSPATH Parameter RFI Attempt || url,osvdb.org/show/osvdb/56763 || url,doc.emergingthreats.net/2010473 +1 || 2010474 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla eZine Component d4m_ajax_pagenav.php Remote File Inclusion Attempt || bugtraq,37043 || url,doc.emergingthreats.net/2010474 +1 || 2010475 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KR-Web krgourl.php DOCUMENT_ROOT Parameter Remote File Inclusion Attempt || url,www.packetstormsecurity.nl/0911-exploits/krweb-rfi.txt || url,doc.emergingthreats.net/2010475 +1 || 2010476 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter SELECT FROM SQL Injection Attempt || bugtraq,36808 || url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt || url,doc.emergingthreats.net/2010476 +1 || 2010477 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter DELETE FROM SQL Injection Attempt || bugtraq,36808 || url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt || url,doc.emergingthreats.net/2010477 +1 || 2010478 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jshop pid Parameter UNION SELECT SQL Injection Attempt || bugtraq,36808 || url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt || url,doc.emergingthreats.net/2010478 +1 || 2010479 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter INSERT INTO SQL Injection Attempt || bugtraq,36808 || url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt || url,doc.emergingthreats.net/2010479 +1 || 2010480 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jshop component pid Parameter UPDATE SET SQL Injection Attempt || bugtraq,36808 || url,www.packetstormsecurity.org/0910-exploits/joomlajshop-sql.txt || url,doc.emergingthreats.net/2010480 +1 || 2010481 || 6 || attempted-user || 0 || ET ACTIVEX SAP AG SAPgui EAI WebViewer2D ActiveX stack buffer overflow CLSid Access || url,dsecrg.com/pages/vul/show.php?id=143 || url,doc.emergingthreats.net/2010481 +1 || 2010482 || 5 || attempted-user || 0 || ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb || url,www.kb.cert.org/vuls/id/340420 || url,tools.cisco.com/security/center/viewAlert.x?alertId=17871 || cve,2009-0215 || url,doc.emergingthreats.net/2010482 +1 || 2010483 || 7 || attempted-user || 0 || ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb || url,www.kb.cert.org/vuls/id/340420 || url,tools.cisco.com/security/center/viewAlert.x?alertId=17871 || cve,2009-0215 || url,doc.emergingthreats.net/2010483 +1 || 2010484 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FormMailer formmailer.admin.inc.php BASE_DIR Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/55751 || url,doc.emergingthreats.net/2010484 +1 || 2010485 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phptraverse mp3_id.php GLOBALS Parameter Remote File Inclusion Attempt || url,www.packetstormsecurity.nl/0911-exploits/phptraverse-rfi.txt || url,doc.emergingthreats.net/2010485 +1 || 2010486 || 2 || attempted-dos || 0 || ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request) || url,www.kb.cert.org/vuls/id/568372 || cve,2009-3563 || url,doc.emergingthreats.net/2010486 +1 || 2010487 || 2 || attempted-dos || 0 || ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply) || url,www.kb.cert.org/vuls/id/568372 || cve,2009-3563 || url,doc.emergingthreats.net/2010487 +1 || 2010488 || 2 || attempted-dos || 0 || ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 request) || url,www.kb.cert.org/vuls/id/568372 || cve,2009-3563 || url,doc.emergingthreats.net/2010488 +1 || 2010489 || 2 || attempted-dos || 0 || ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply) || url,www.kb.cert.org/vuls/id/568372 || cve,2009-3563 || url,doc.emergingthreats.net/2010489 +1 || 2010490 || 6 || trojan-activity || 0 || ET TROJAN Vundo User-Agent Check-in || url,www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99 || url,doc.emergingthreats.net/2010490 +1 || 2010491 || 2 || attempted-dos || 0 || ET DOS Possible MYSQL GeomFromWKB() function Denial Of Service Attempt || url,www.securityfocus.com/bid/37297/info || url,marc.info/?l=oss-security&m=125881733826437&w=2 || url,downloads.securityfocus.com/vulnerabilities/exploits/37297.txt || cve,2009-4019 || url,doc.emergingthreats.net/2010491 +1 || 2010492 || 3 || attempted-dos || 0 || ET DOS Possible MYSQL SELECT WHERE to User Variable Denial Of Service Attempt || url,www.securityfocus.com/bid/37297/info || url,marc.info/?l=oss-security&m=125881733826437&w=2 || url,downloads.securityfocus.com/vulnerabilities/exploits/37297-2.txt || cve,2009-4019 || url,doc.emergingthreats.net/2010492 +1 || 2010493 || 2 || attempted-recon || 0 || ET SCAN Non-Allowed Host Tried to Connect to MySQL Server || url,www.cyberciti.biz/tips/how-do-i-enable-remote-access-to-mysql-database-server.html || url,doc.emergingthreats.net/2010493 +1 || 2010494 || 2 || attempted-recon || 0 || ET SCAN Multiple MySQL Login Failures, Possible Brute Force Attempt || url,doc.emergingthreats.net/2010494 +1 || 2010495 || 13 || attempted-user || 0 || ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt || url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb || url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html || bid,37331 || cve,2009-4324 +1 || 2010496 || 6 || trojan-activity || 0 || ET DELETED Adobe 0day Shovelware || url,isc.sans.org/diary.html?storyid=7747 || url,doc.emergingthreats.net/2010496 +1 || 2010497 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Facebook Spam Inbound (1) || url,doc.emergingthreats.net/2010497 || url,postmaster.facebook.com/outbound +1 || 2010498 || 4 || trojan-activity || 0 || ET DELETED Facebook Spam Inbound (2) || url,doc.emergingthreats.net/2010498 +1 || 2010500 || 5 || trojan-activity || 0 || ET MALWARE Executable purporting to be .txt file with no Referrer - Likely Malware || url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99 || url,doc.emergingthreats.net/2010500 +1 || 2010501 || 5 || trojan-activity || 0 || ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware || url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99 || url,doc.emergingthreats.net/2010501 +1 || 2010505 || 6 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt || url,www.securityfocus.com/bid/34307/info || url,tools.cisco.com/security/center/viewAlert.x?alertId=17950 || cve,2009-1220 || url,doc.emergingthreats.net/2010505 +1 || 2010506 || 5 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/29191/info || cve,2008-2165 || url,doc.emergingthreats.net/2010506 +1 || 2010507 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible APC Switched Rack PDU Web Administration Interface Cross Site Scripting Attempt || url,securitytracker.com/alerts/2009/Dec/1023331.html || url,doc.emergingthreats.net/2010507 +1 || 2010508 || 4 || attempted-recon || 0 || ET SCAN Springenwerk XSS Scanner User-Agent Detected || url,springenwerk.org/ || url,doc.emergingthreats.net/2010508 +1 || 2010509 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sonicwall NSA E7500 XSS attempt (fwReg parameter) || url,securiteam.com/exploits/6O00C1FQAS.html || url,doc.emergingthreats.net/2010509 +1 || 2010510 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt || url, www.securityfocus.com/bid/37375/info || url,doc.emergingthreats.net/2010510 +1 || 2010511 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sonicwall Global Management System XSS attempt (scrn_name parameter) || url,securiteam.com/exploits/6P00D1FQAG.html || url,doc.emergingthreats.net/2010511 +1 || 2010512 || 9 || trojan-activity || 0 || ET TROJAN FakeAV FakeSmoke HTTP POST check-in || url,isc.sans.org/diary.html?storyid=7768 || url,doc.emergingthreats.net/2010512 +1 || 2010513 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible HTTP 401 XSS Attempt (Local Source) || url,doc.emergingthreats.net/2010513 +1 || 2010514 || 4 || web-application-attack || 0 || ET WEB_CLIENT Possible HTTP 401 XSS Attempt (External Source) || url,doc.emergingthreats.net/2010514 +1 || 2010515 || 5 || web-application-attack || 0 || ET WEB_SERVER Possible HTTP 403 XSS Attempt (Local Source) || url,doc.emergingthreats.net/2010515 +1 || 2010516 || 4 || web-application-attack || 0 || ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source) || url,doc.emergingthreats.net/2010516 +1 || 2010517 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible HTTP 404 XSS Attempt (Local Source) || url,doc.emergingthreats.net/2010517 +1 || 2010518 || 4 || web-application-attack || 0 || ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source) || url,doc.emergingthreats.net/2010518 +1 || 2010519 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible HTTP 405 XSS Attempt (Local Source) || url,doc.emergingthreats.net/2010519 +1 || 2010520 || 4 || web-application-attack || 0 || ET WEB_CLIENT Possible HTTP 405 XSS Attempt (External Source) || url,doc.emergingthreats.net/2010520 +1 || 2010521 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible HTTP 406 XSS Attempt (Local Source) || url,doc.emergingthreats.net/2010521 +1 || 2010522 || 4 || web-application-attack || 0 || ET WEB_CLIENT Possible HTTP 406 XSS Attempt (External Source) || url,doc.emergingthreats.net/2010522 +1 || 2010524 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible HTTP 500 XSS Attempt (Internal Source) || url,doc.emergingthreats.net/2010524 +1 || 2010525 || 4 || web-application-attack || 0 || ET WEB_CLIENT Possible HTTP 500 XSS Attempt (External Source) || url,doc.emergingthreats.net/2010525 +1 || 2010526 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible HTTP 503 XSS Attempt (Internal Source) || url,doc.emergingthreats.net/2010526 +1 || 2010527 || 4 || web-application-attack || 0 || ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source) || url,doc.emergingthreats.net/2010527 +1 || 2010528 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla MyRemote Video Gallery (user_id) Blind SQL Injection Attempt || url,milw0rm.org/exploits/9733 || url,doc.emergingthreats.net/2010528 +1 || 2010529 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla component com_jinc (newsid) Blind SQL Injection Attempt || url,milw0rm.org/exploits/9732 || url,doc.emergingthreats.net/2010529 +1 || 2010530 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Loggix Project RFI Attempt || url,www.exploit-db.com/exploits/9729/ || url,doc.emergingthreats.net/2010530 +1 || 2010531 || 2 || web-application-attack || 0 || ET DELETED Possible PHP-Calendar configfile Remote .PHP File Inclusion Arbitrary Code Execution Attempt || url,securitytracker.com/alerts/2009/Dec/1023375.html || cve,2009-3702 || url,doc.emergingthreats.net/2010531 +1 || 2010532 || 3 || trojan-activity || 0 || ET DELETED Malwareurl.com - potential oficla download (annonce.pdf) || url,www.malwareurl.com || url,doc.emergingthreats.net/2010532 +1 || 2010534 || 3 || trojan-activity || 0 || ET DELETED Malwareurl.com - potential oficla download (loadjavad.php) || url,www.malwareurl.com || url,doc.emergingthreats.net/2010534 +1 || 2010535 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component City Portal (Itemid) Blind SQL Injection Attempt || url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt || url,doc.emergingthreats.net/2010535 +1 || 2010536 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component Event Manager 1.5 (id) Blind SQL Injection Attempt || url,packetstormsecurity.org/0912-exploits/joomlacp-sql.txt || url,doc.emergingthreats.net/2010536 +1 || 2010537 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_zcalendar (eid) Blind SQL Injection Attempt || url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt || url,doc.emergingthreats.net/2010537 +1 || 2010538 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_acmis (Itemid) SQL Injection Attempt || url,packetstormsecurity.org/0912-exploits/joomlazal-sql.txt || url,doc.emergingthreats.net/2010538 +1 || 2010539 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_digistore (pid) Blind SQL Injection Attempt || url,packetstormsecurity.org/0903-exploits/joomladigistore-sql.txt || url,doc.emergingthreats.net/2010539 +1 || 2010540 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_jbook (Itemid) Blind SQL Injection Attempt || url,packetstormsecurity.org/filedesc/joomlajbook-sql.txt.html || url,doc.emergingthreats.net/2010540 +1 || 2010541 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_personel (id) Blind SQL Injection Attempt || url,packetstormsecurity.org/0912-exploits/joomlapersonel-sql.txt || url,doc.emergingthreats.net/2010541 +1 || 2010542 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_joomportfolio (secid) Blind SQL Injection Attempt || url,packetstormsecurity.org/0912-exploits/joomlaportfolio-sql.txt || url,doc.emergingthreats.net/2010542 +1 || 2010543 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (poll.php) || url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt || url,doc.emergingthreats.net/2010543 +1 || 2010544 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS F3Site2009 LFI Exploit Attempt (new.php) || url,packetstormsecurity.org/0912-exploits/f3site2009-lfi.txt || url,doc.emergingthreats.net/2010544 +1 || 2010546 || 3 || attempted-admin || 0 || ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt || url,dvlabs.tippingpoint.com/advisory/TPTI-09-15 || url,doc.emergingthreats.net/2010546 || cve,2007-2281 +1 || 2010547 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_username) || url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt || url,doc.emergingthreats.net/2010547 +1 || 2010548 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_server) || url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt || url,doc.emergingthreats.net/2010548 +1 || 2010549 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_path) || url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt || url,doc.emergingthreats.net/2010549 +1 || 2010550 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Barracuda Web Application Firewall 600 XSS attempt (backup_password) || url,packetstormsecurity.org/0912-exploits/barracuda-inject.txt || url,doc.emergingthreats.net/2010550 +1 || 2010551 || 8 || trojan-activity || 0 || ET DELETED iPhone Bot iKee.B Contacting C&C || url,mtc.sri.com/iPhone/ || url,doc.emergingthreats.net/2010551 +1 || 2010553 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke Module Emporium SQL Injection Attempt || url,milw0rm.com/exploits/3334 || url,packetstormsecurity.org/0912-exploits/phpnukeemporium-sql.txt || url,doc.emergingthreats.net/2010553 +1 || 2010554 || 4 || attempted-dos || 0 || ET DOS Netgear DG632 Web Management Denial Of Service Attempt || url, securitytracker.com/alerts/2009/Jun/1022403.html || cve,2009-2256 || url,doc.emergingthreats.net/2010554 +1 || 2010555 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter SELECT FROM SQL Injection Attempt || bugtraq,37178 || url,secunia.com/advisories/37535/ || url,doc.emergingthreats.net/2010555 +1 || 2010556 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter DELETE FROM SQL Injection Attempt || bugtraq,37178 || url,secunia.com/advisories/37535/ || url,doc.emergingthreats.net/2010556 +1 || 2010557 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UNION SELECT SQL Injection Attempt || bugtraq,37178 || url,secunia.com/advisories/37535/ || url,doc.emergingthreats.net/2010557 +1 || 2010558 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter INSERT INTO SQL Injection Attempt || bugtraq,37178 || url,secunia.com/advisories/37535/ || url,doc.emergingthreats.net/2010558 +1 || 2010559 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_joaktree Component treeId Parameter UPDATE SET SQL Injection Attempt || bugtraq,37178 || url,secunia.com/advisories/37535/ || url,doc.emergingthreats.net/2010559 +1 || 2010560 || 4 || web-application-attack || 0 || ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb || url,www.kb.cert.org/vuls/id/789121 || url,doc.emergingthreats.net/210560 +1 || 2010561 || 4 || web-application-attack || 0 || ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb || url,www.kb.cert.org/vuls/id/789121 || url,doc.emergingthreats.net/2010561 +1 || 2010562 || 6 || web-application-attack || 0 || ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb || url,www.kb.cert.org/vuls/id/789121 || url,doc.emergingthreats.net/2010562 +1 || 2010563 || 6 || web-application-attack || 0 || ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2 || url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb || url,www.kb.cert.org/vuls/id/789121 || url,doc.emergingthreats.net/2010563 +1 || 2010564 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sisplet CMS komentar.php site_path Parameter Remote File Inclusion Attempt || bugtraq,23334 || url,doc.emergingthreats.net/2010564 +1 || 2010565 || 12 || trojan-activity || 0 || ET TROJAN Bebloh C&C HTTP POST || url,doc.emergingthreats.net/2010565 +1 || 2010566 || 4 || trojan-activity || 0 || ET DELETED Zbot update (av_base/pay.php) || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c || url,doc.emergingthreats.net/2010566 +1 || 2010567 || 4 || trojan-activity || 0 || ET DELETED Zbot update (av_base/ip.php) || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c || url,doc.emergingthreats.net/2010567 +1 || 2010568 || 4 || trojan-activity || 0 || ET DELETED Zbot update (av-i386-daily.zip) || url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c || url,doc.emergingthreats.net/2010565 +1 || 2010569 || 6 || trojan-activity || 0 || ET DELETED Trojan Downloader Win32/Small.CBA download || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.CBA&ThreatID=-2147372177 || url,doc.emergingthreats.net/2010569 +1 || 2010570 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) || url,doc.emergingthreats.net/2010570 +1 || 2010571 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) || url,doc.emergingthreats.net/2010571 +1 || 2010572 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) || url,doc.emergingthreats.net/2010572 +1 || 2010573 || 3 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Knights under the...) || url,doc.emergingthreats.net/2010573 +1 || 2010574 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Jihad against...) || url,doc.emergingthreats.net/2010574 +1 || 2010575 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) || url,doc.emergingthreats.net/2010575 +1 || 2010576 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) || url,doc.emergingthreats.net/2010576 +1 || 2010577 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) || url,doc.emergingthreats.net/2010577 +1 || 2010578 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) || url,doc.emergingthreats.net/2010578 +1 || 2010579 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) || url,doc.emergingthreats.net/2010579 +1 || 2010580 || 4 || policy-violation || 0 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara) || url,doc.emergingthreats.net/2010580 +1 || 2010581 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Moderate Islam...) SMTP || url,doc.emergingthreats.net/2010581 +1 || 2010582 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom...) SMTP || url,doc.emergingthreats.net/2010582 +1 || 2010583 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (The Call to Global...) SMTP || url,doc.emergingthreats.net/2010583 +1 || 2010584 || 3 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Knights under the...) SMTP || url,doc.emergingthreats.net/2010584 +1 || 2010585 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Jihad against...) SMTP || url,doc.emergingthreats.net/2010585 +1 || 2010586 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans...) SMTP || url,doc.emergingthreats.net/2010586 +1 || 2010587 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Join the Caravan of Martyrs...) SMTP || url,doc.emergingthreats.net/2010587 +1 || 2010588 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Terrorist Literature (Sharia and Democracy...) SMTP || url,doc.emergingthreats.net/2010588 +1 || 2010589 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (fardh ain) SMTP || url,doc.emergingthreats.net/2010589 +1 || 2010590 || 2 || policy-violation || 0 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP || url,doc.emergingthreats.net/2010590 +1 || 2010591 || 4 || policy-violation || 0 || ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala' Wal Bara) SMTP || url,doc.emergingthreats.net/2010591 +1 || 2010592 || 7 || web-application-attack || 0 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .asp Filename Extension Parsing File Upload Security Bypass Attempt (asp) || url,www.securityfocus.com/bid/37460/info || url,doc.emergingthreats.net/2010592 || url,www.securityfocus.com/bid/37460/info || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || cve,2009-4444 +1 || 2010593 || 7 || web-application-attack || 0 || ET WEB_SERVER Possible Microsoft Internet Information Services (IIS) .aspx Filename Extension Parsing File Upload Security Bypass Attempt (aspx) || url,www.securityfocus.com/bid/37460/info || url,doc.emergingthreats.net/2010593 || url,www.securityfocus.com/bid/37460/info || url,soroush.secproject.com/downloadable/iis-semicolon-report.pdf || cve,2009-4444 +1 || 2010594 || 7 || trojan-activity || 0 || ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=) || url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2 || url,www.malwaredomainlist.com/forums/index.php?topic=3190.420 || url,doc.emergingthreats.net/2010594 +1 || 2010595 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (???) || url,doc.emergingthreats.net/2010595 +1 || 2010596 || 2 || trojan-activity || 0 || ET TROJAN Trest1 Binary Download Attempt (multiple malware variants served) || url,www.malwaredomainlist.com || url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on || url,doc.emergingthreats.net/2010596 +1 || 2010597 || 5 || trojan-activity || 0 || ET TROJAN Potential FakeAV HTTP GET Check-IN (/check) || url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2 || url,www.malwaredomainlist.com/forums/index.php?topic=3190.420 || url,doc.emergingthreats.net/2010597 +1 || 2010599 || 6 || trojan-activity || 0 || ET MALWARE User-Agent Mozilla/3.0 || url,doc.emergingthreats.net/2010599 +1 || 2010600 || 3 || trojan-activity || 0 || ET DELETED Suspicious User Agent WebUpdate || url,doc.emergingthreats.net/2010600 +1 || 2010601 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt || url,www.packetstormsecurity.org/0912-exploits/35mmsg-traversal.txt || url,doc.emergingthreats.net/2010601 +1 || 2010602 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClarkConnect Linux proxy.php XSS Attempt || url,www.securityfocus.com/bid/37446/info || url,doc.emergingthreats.net/2010602 +1 || 2010604 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PozScripts Classified Ads 'store_info.php' SQL Injection Attempt || url,www.securityfocus.com/bid/37541/info || url,doc.emergingthreats.net/2010604 +1 || 2010605 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Component com_viewfulllisting SQL Injection Attempt || url,www.packetstormsecurity.org/0912-exploits/mambovfl-sql.txt || url,doc.emergingthreats.net/2010605 +1 || 2010606 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_kkcontent Blind SQL Injection Attempt || url,www.packetstormsecurity.org/0912-exploits/joomlakkcontent-sql.txt || url,doc.emergingthreats.net/2010606 +1 || 2010607 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XOOPS Module dictionary 2.0.18 (detail.php) SQL Injection Attempt || url,www.packetstormsecurity.org/0912-exploits/xoopsdictionary-sql.txt || url,doc.emergingthreats.net/2010607 +1 || 2010608 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iPortal X gallery_show.asp GID parameter Blind SQL Injection Attempt || url,www.packetstormsecurity.org/0912-exploits/galleryshow-sql.txt || url,doc.emergingthreats.net/2010608 +1 || 2010609 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Helpdesk Pilot Knowledge Base SQL Injection Attempt || url,www.www.packetstormsecurity.org/0912-exploits/helpdesk-sql.txt || url,doc.emergingthreats.net/2010609 +1 || 2010610 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RoseOnline CMS LFI Attempt || url,www.packetstormsecurity.org/0912-exploits/roseonlinecms-lfi.txt || url,doc.emergingthreats.net/2010610 +1 || 2010611 || 6 || web-application-attack || 0 || ET ACTIVEX HP Openview NNM ActiveX DisplayName method Memory corruption Attempt || url,www.securityfocus.com/archive/1/507948 || url,doc.emergingthreats.net/2010611 +1 || 2010612 || 6 || web-application-attack || 0 || ET ACTIVEX HP Openview NNM ActiveX AddGroup method Memory corruption Attempt || url,www.securityfocus.com/archive/1/507948 || url,doc.emergingthreats.net/2010612 +1 || 2010613 || 6 || web-application-attack || 0 || ET ACTIVEX HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt || url,www.securityfocus.com/archive/1/507948 || url,doc.emergingthreats.net/2010613 +1 || 2010614 || 6 || web-application-attack || 0 || ET ACTIVEX HP Openview NNM ActiveX Subscribe method Memory corruption Attempt || url,www.securityfocus.com/archive/1/507948 || url,doc.emergingthreats.net/2010614 +1 || 2010615 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter SELECT FROM SQL Injection Attempt || url,osvdb.org/show/osvdb/59194 || url,xforce.iss.net/xforce/xfdb/51650 || url,doc.emergingthreats.net/2010615 +1 || 2010616 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter DELETE FROM SQL Injection Attempt || url,osvdb.org/show/osvdb/59194 || url,xforce.iss.net/xforce/xfdb/51650 || url,doc.emergingthreats.net/2010616 +1 || 2010617 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UNION SELECT SQL Injection Attempt || url,osvdb.org/show/osvdb/59194 || url,xforce.iss.net/xforce/xfdb/51650 || url,doc.emergingthreats.net/2010617 +1 || 2010618 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter INSERT INTO SQL Injection Attempt || url,osvdb.org/show/osvdb/59194 || url,xforce.iss.net/xforce/xfdb/51650 || url,doc.emergingthreats.net/2010618 +1 || 2010619 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBMS invoices_discount_ajax.php id Parameter UPDATE SET SQL Injection Attempt || url,osvdb.org/show/osvdb/59194 || url,xforce.iss.net/xforce/xfdb/51650 || url,doc.emergingthreats.net/2010619 +1 || 2010620 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mamboleto Joomla component mamboleto.php Remote File Inclusion Attempt || url,xforce.iss.net/xforce/xfdb/54662 || url,www.exploit-db.com/exploits/10369 || url,doc.emergingthreats.net/2010620 +1 || 2010621 || 4 || web-application-attack || 0 || ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts) || url,doc.emergingthreats.net/2009029 || url,www.Whitehatsecurityresponse.blogspot.com +1 || 2010622 || 4 || web-application-attack || 0 || ET WEB_SERVER Possible Cisco Subscriber Edge Services Manager Cross Site Scripting/HTML Injection Attempt || url,www.securityfocus.com/bid/34454/info || url,doc.emergingthreats.net/2010622 +1 || 2010623 || 3 || web-application-attack || 0 || ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt || url,articles.techrepublic.com.com/5100-10878_11-6039967.html || url,doc.emergingthreats.net/2010623 +1 || 2010624 || 2 || attempted-dos || 0 || ET CURRENT_EVENTS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets) || url,www.securityfocus.com/bid/34429/info || url,www.securityfocus.com/bid/34429/exploit || url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html || cve,2009-1157 || url,doc.emergingthreats.net/2010624 +1 || 2010625 || 7 || trojan-activity || 0 || ET TROJAN FakeAV Landing Page (aid,sid) || url,www.bleepingcomputer.com/forums/lofiversion/index.php/t247125.html || url,doc.emergingthreats.net/2010625 +1 || 2010626 || 7 || trojan-activity || 0 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c || url,doc.emergingthreats.net/2010626 +1 || 2010627 || 7 || trojan-activity || 0 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c || url,doc.emergingthreats.net/2010627 +1 || 2010628 || 7 || trojan-activity || 0 || ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin || url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c || url,doc.emergingthreats.net/2010628 +1 || 2010629 || 3 || trojan-activity || 0 || ET DELETED MySpace Spam Inbound || url,doc.emergingthreats.net/2010629 +1 || 2010630 || 5 || trojan-activity || 0 || ET MALWARE Generic Adware Install Report || url,doc.emergingthreats.net/2010630 +1 || 2010631 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyFusion last_seen_users_panel.php settings Parameter Local File Inclusion Attempt || url,osvdb.org/show/osvdb/56583 || url,www.exploit-db.com/exploits/9018/ || url,doc.emergingthreats.net/2010631 +1 || 2010636 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter SELECT FROM SQL Injection Attempt || bugtraq,37279 || url,doc.emergingthreats.net/2010636 +1 || 2010637 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter DELETE FROM SQL Injection Attempt || bugtraq,37279 || url,doc.emergingthreats.net/2010637 +1 || 2010638 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UNION SELECT SQL Injection Attempt || bugtraq,37279 || url,doc.emergingthreats.net/2010638 +1 || 2010639 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter INSERT INTO SQL Injection Attempt || bugtraq,37279 || url,doc.emergingthreats.net/2010639 +1 || 2010640 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jphoto Component Id Parameter UPDATE SET SQL Injection Attempt || bugtraq,37279 || url,doc.emergingthreats.net/2010640 +1 || 2010641 || 2 || misc-activity || 0 || ET SCAN ICMP @hello request, Likely Precursor to Scan || url,doc.emergingthreats.net/2010641 +1 || 2010642 || 3 || attempted-recon || 0 || ET SCAN Multiple FTP Root Login Attempts from Single Source - Possible Brute Force Attempt || url,doc.emergingthreats.net/2010642 +1 || 2010643 || 3 || attempted-recon || 0 || ET SCAN Multiple FTP Administrator Login Attempts from Single Source - Possible Brute Force Attempt || url,doc.emergingthreats.net/2010643 +1 || 2010644 || 15 || trojan-activity || 0 || ET CURRENT_EVENTS UPS Spam Inbound +1 || 2010645 || 8 || trojan-activity || 0 || ET POLICY User-Agent (Launcher) || url,doc.emergingthreats.net/2010645 +1 || 2010646 || 3 || trojan-activity || 0 || ET TROJAN Lethic Spambot CnC Initial Connect || url,www.m86security.com/trace/spambotitem.asp?article=1205 || url,doc.emergingthreats.net/2010646 +1 || 2010647 || 3 || trojan-activity || 0 || ET TROJAN Lethic Spambot CnC Initial Connect Bot Response || url,www.m86security.com/trace/spambotitem.asp?article=1205 || url,doc.emergingthreats.net/2010647 +1 || 2010648 || 3 || trojan-activity || 0 || ET TROJAN Lethic Spambot CnC Connect Command || url,www.m86security.com/trace/spambotitem.asp?article=1205 || url,doc.emergingthreats.net/2010648 +1 || 2010649 || 3 || trojan-activity || 0 || ET TROJAN Lethic Spambot CnC Connect Command (port 25 specifically) || url,www.m86security.com/trace/spambotitem.asp?article=1205 || url,doc.emergingthreats.net/2010649 +1 || 2010650 || 3 || trojan-activity || 0 || ET TROJAN Lethic Spambot CnC Bot Command Confirmation || url,www.m86security.com/trace/spambotitem.asp?article=1205 || url,doc.emergingthreats.net/2010650 +1 || 2010651 || 3 || trojan-activity || 0 || ET TROJAN Lethic Spambot CnC Bot Transaction Relay || url,www.m86security.com/trace/spambotitem.asp?article=1205 || url,doc.emergingthreats.net/2010651 +1 || 2010652 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php SELECT FROM SQL Injection Attempt || url,www.exploit-db.com/exploits/10479 || url,doc.emergingthreats.net/2010652 +1 || 2010653 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php DELETE FROM SQL Injection Attempt || url,www.exploit-db.com/exploits/10479 || url,doc.emergingthreats.net/2010653 +1 || 2010654 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UNION SELECT SQL Injection Attempt || url,www.exploit-db.com/exploits/10479 || url,doc.emergingthreats.net/2010654 +1 || 2010655 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php INSERT INTO SQL Injection Attempt || url,www.exploit-db.com/exploits/10479 || url,doc.emergingthreats.net/2010655 +1 || 2010656 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSSIM repository_attachment.php UPDATE SET SQL Injection Attempt || url,www.exploit-db.com/exploits/10479 || url,doc.emergingthreats.net/2010656 +1 || 2010657 || 5 || web-application-attack || 0 || ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt || url,secunia.com/advisories/24199/ || url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb || url,doc.emergingthreats.net/2010657 +1 || 2010658 || 2 || web-application-attack || 0 || ET ACTIVEX EasyMail Object IMAP4 Component Buffer Overflow Function call Attempt || url,secunia.com/advisories/24199/ || url,doc.emergingthreats.net/2010658 +1 || 2010659 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-comments-post.php Remote File Inclusion Attempt || url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt || bugtraq,37179 || url,doc.emergingthreats.net/2010659 +1 || 2010660 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla mojoBlog wp-trackback.php Remote File Inclusion Attempt || url,www.packetstormsecurity.nl/0912-exploits/joomlamojoblog-rfi.txt || bugtraq,37179 || url,doc.emergingthreats.net/2010660 +1 || 2010661 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS epay a_affil.php _REQUEST Remote File Inclusion Attempt || url,www.exploit-db.com/exploits/10697 || url,doc.emergingthreats.net/2010661 +1 || 2010664 || 5 || attempted-user || 0 || ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt || url,www.securityfocus.com/bid/37763 || cve,2009-3956 || url,doc.emergingthreats.net/2010664 || url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf +1 || 2010665 || 7 || attempted-user || 0 || ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt || url,www.securityfocus.com/bid/37759 || url,www.kb.cert.org/vuls/id/773545 || url,www.adobe.com/support/security/bulletins/apsb10-02.html || url,www.exploit-db.com/exploits/11172/ || cve,2009-3958 || url,doc.emergingthreats.net/2010665 +1 || 2010666 || 3 || attempted-user || 0 || ET DELETED Adobe Macromedia Flash Player In Windows XP Remote Arbitrary Code Execution CLSID Access Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=19710 || url,www.kb.cert.org/vuls/id/204889 || url,www.microsoft.com/technet/security/advisory/979267.mspx || url,doc.emergingthreats.net/2010666 +1 || 2010667 || 5 || web-application-attack || 0 || ET WEB_SERVER /bin/bash In URI, Possible Shell Command Execution Attempt Within Web Exploit || url,doc.emergingthreats.net/2010667 +1 || 2010669 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INTO OUTFILE SQL Injection Attempt || url,www.securityfocus.com/bid/37802/info || url,doc.emergingthreats.net/2010669 +1 || 2010670 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application SELECT FROM SQL Injection Attempt || url,www.securityfocus.com/bid/37802/info || url,doc.emergingthreats.net/2010670 +1 || 2010672 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application INSERT INTO SQL Injection Attempt || url,www.securityfocus.com/bid/37802/info || url,doc.emergingthreats.net/2010672 +1 || 2010673 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Zenoss Network Monitoring Application UNTION SELECT SQL Injection Attempt || url,www.securityfocus.com/bid/37802/info || url,doc.emergingthreats.net/2010673 +1 || 2010674 || 7 || attempted-dos || 0 || ET DOS Cisco 4200 Wireless Lan Controller Long Authorisation Denial of Service Attempt || url,www.securityfocus.com/bid/35805 || url,www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml || cve,2009-1164 || url,doc.emergingthreats.net/2010674 +1 || 2010675 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (SogouExplorerMiniSetup) || url,doc.emergingthreats.net/2010675 +1 || 2010676 || 6 || trojan-activity || 0 || ET MALWARE User-Agent (Fast Browser Search) || url,doc.emergingthreats.net/2010676 +1 || 2010677 || 6 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (My Session) || url,doc.emergingthreats.net/2010677 +1 || 2010678 || 6 || trojan-activity || 0 || ET TROJAN Win32.OnLineGames User-Agent (BigFoot) || url,doc.emergingthreats.net/2010678 +1 || 2010679 || 5 || trojan-activity || 0 || ET MALWARE Trojan.Win32.InternetAntivirus User-Agent (General Antivirus) || url,doc.emergingthreats.net/2010679 +1 || 2010680 || 5 || trojan-activity || 0 || ET MALWARE chnsystem.com Spyware User-Agent (Update1.0) || url,doc.emergingthreats.net/2010680 +1 || 2010681 || 2 || misc-activity || 0 || ET SCAN ICMP Delphi, Likely Precursor to Scan || url,www.koders.com/delphi/fid942A4EAF946B244BD3CD9BC83FEAAC35BA1F38AB.aspx || url,doc.emergingthreats.net/2010681 +1 || 2010682 || 5 || trojan-activity || 0 || ET DELETED FakeAV AntivirusDoktor2009 User-Agent (768) || url,doc.emergingthreats.net/2010682 +1 || 2010683 || 6 || trojan-activity || 0 || ET DELETED FakeAV AntivirusDoktor2009 User-Agent (657) || url,doc.emergingthreats.net/2010683 +1 || 2010684 || 4 || trojan-activity || 0 || ET TROJAN Likely Fake Antivirus Download Setup_2012.exe || url,doc.emergingthreats.net/xxxxxxx +1 || 2010686 || 2 || misc-activity || 0 || ET SCAN ICMP =XXXXXXXX Likely Precursor to Scan || url,doc.emergingthreats.net/2010686 +1 || 2010687 || 5 || web-application-attack || 0 || ET WEB_SERVER HP OpenView Network Node Manager Snmp.exe CGI Buffer Overflow Attempt || cve,2009-3849 || url,doc.emergingthreats.net/2010687 +1 || 2010690 || 4 || attempted-user || 0 || ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Function Call Attempt || url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html || url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt || url,doc.emergingthreats.net/2010690 +1 || 2010691 || 5 || attempted-user || 0 || ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Attempt || url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html || url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt || url,doc.emergingthreats.net/2010691 +1 || 2010692 || 4 || attempted-user || 0 || ET ACTIVEX Possible McAfee Remediation Client Enginecom.Dll ActiveX Code Execution Function Call Attempt || url,fgc.fortinet.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html || url,doc.emergingthreats.net/2010692 +1 || 2010693 || 6 || attempted-user || 0 || ET ACTIVEX Possible Novell iPrint Client ExecuteRequest ActiveX Control Buffer Overflow Attempt || cve,2008-0935 || url,doc.emergingthreats.net/2010693 +1 || 2010694 || 6 || attempted-user || 0 || ET ACTIVEX Possible Novell iPrint Client GetDriverSettings ActiveX Control Buffer Overflow Attempt || cve,2008-2908 || url,doc.emergingthreats.net/2010694 +1 || 2010695 || 2 || trojan-activity || 0 || ET TROJAN Aurora Backdoor (C&C) client connection to CnC || url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol || url,doc.emergingthreats.net/2010695 +1 || 2010696 || 2 || trojan-activity || 0 || ET TROJAN Aurora Backdoor (C&C) connection CnC response || url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol || url,doc.emergingthreats.net/2010696 +1 || 2010697 || 5 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan || url,doc.emergingthreats.net/2010697 +1 || 2010698 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt || url,www.securityfocus.com/bid/37690 || url,doc.emergingthreats.net/2010698 +1 || 2010699 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible HP Power Manager Management Web Server Login Remote Buffer Overflow Attempt || url,www.securityfocus.com/bid/36933 || cve,2009-2685 || url,doc.emergingthreats.net/2010699 +1 || 2010700 || 6 || trojan-activity || 0 || ET TROJAN Likely Koobface Beaconing (getexe) || url,doc.emergingthreats.net/2010700 +1 || 2010701 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VBulletin 4.0.1 SQL Injection Attempt || url,www.packetstormsecurity.org/1001-exploits/vbulletin401-sql.txt || url,doc.emergingthreats.net/2010701 +1 || 2010702 || 4 || attempted-user || 0 || ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Attempt || url,www.securityfocus.com/bid/37908/info || url,doc.emergingthreats.net/2010702 +1 || 2010703 || 4 || attempted-user || 0 || ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Function Call Attempt || url,www.securityfocus.com/bid/37908/info || url,doc.emergingthreats.net/2010703 +1 || 2010704 || 5 || web-application-attack || 0 || ET WEB_SERVER Possible HP OpenView Network Node Manager ovalarm.exe CGI Buffer Overflow Attempt || cve,2009-4179 || url,doc.emergingthreats.net/2010704 +1 || 2010705 || 3 || attempted-user || 0 || ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt || url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt || url,doc.emergingthreats.net/2010705 +1 || 2010706 || 9 || policy-violation || 0 || ET USER_AGENTS Internet Explorer 6 in use - Significant Security Risk || url,doc.emergingthreats.net/2010706 +1 || 2010707 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dros core.write_compiled_include.php smarty Remote File Inclusion Attempt || url,www.exploit-db.com/exploits/10682 || url,doc.emergingthreats.net/2010707 +1 || 2010708 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dros core.process_compiled_include.php smarty Remote File Inclusion Attempt || url,www.exploit-db.com/exploits/10682 || url,doc.emergingthreats.net/2010708 +1 || 2010709 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dros function.config_load.php _compile_file Remote File Inclusion Attempt || url,www.exploit-db.com/exploits/10682 || url,doc.emergingthreats.net/2010709 +1 || 2010710 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id SELECT FROM SQL Injection Attempt || bugtraq,36425 || url,doc.emergingthreats.net/2010710 +1 || 2010711 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id DELETE FROM SQL Injection Attempt || bugtraq,36425 || url,doc.emergingthreats.net/2010711 +1 || 2010712 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UNION SELECT SQL Injection Attempt || bugtraq,36425 || url,doc.emergingthreats.net/2010712 +1 || 2010713 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id INSERT INTO SQL Injection Attempt || bugtraq,36425 || url,doc.emergingthreats.net/2010713 +1 || 2010714 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Foobla Suggestions Component idea_id UPDATE SET SQL Injection Attempt || bugtraq,36425 || url,doc.emergingthreats.net/2010714 +1 || 2010715 || 9 || web-application-attack || 0 || ET SCAN ZmEu exploit scanner || url,doc.emergingthreats.net/2010715 +1 || 2010716 || 3 || trojan-activity || 0 || ET DELETED Malwareurl - wywg executable download Likely Malware || url,malwareurl.com || url,doc.emergingthreats.net/2010716 +1 || 2010717 || 5 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (FaceCooker) || url,doc.emergingthreats.net/2010717 +1 || 2010718 || 6 || trojan-activity || 0 || ET TROJAN Gootkit Checkin User-Agent (Gootkit HTTP Client) || url,doc.emergingthreats.net/2010718 +1 || 2010719 || 2 || attempted-admin || 0 || ET WEB_SPECIFIC_APPS e107 CMS backdoor access, admin-access cookie and HTTP POST || url,seclists.org/fulldisclosure/2010/Jan/480 || url,www.e107.org/news.php || url,doc.emergingthreats.net/2010719 +1 || 2010720 || 3 || web-application-attack || 0 || ET WEB_SERVER PHP Scan Precursor || url,doc.emergingthreats.net/2010720 +1 || 2010721 || 7 || bad-unknown || 0 || ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound || url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html || url,mws.amazon.com/docs/devGuide/UserAgent.html || url,doc.emergingthreats.net/2010721 +1 || 2010722 || 7 || bad-unknown || 0 || ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound || url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html || url,mws.amazon.com/docs/devGuide/UserAgent.html || url,doc.emergingthreats.net/2010722 +1 || 2010723 || 4 || trojan-activity || 0 || ET TROJAN Oficla Russian Malware Bundle C&C instruction response with runurl || url,malwarelab.org/2009/11/russian-malware-bundle/ || url,doc.emergingthreats.net/2010723 +1 || 2010724 || 4 || trojan-activity || 0 || ET TROJAN Oficla Russian Malware Bundle C&C instruction response || url,malwarelab.org/2009/11/russian-malware-bundle/ || url,doc.emergingthreats.net/2010724 +1 || 2010725 || 8 || attempted-recon || 0 || ET POLICY ApacheBenchmark Tool User-Agent Detected || url,httpd.apache.org/docs/2.0/programs/ab.html/ || url,doc.emergingthreats.net/2010725 +1 || 2010726 || 3 || attempted-user || 0 || ET ACTIVEX Adobe browser document ActiveX DoS Attempt || url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt || url,doc.emergingthreats.net/2010726 +1 || 2010727 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (Live Enterprise Suite) || url,doc.emergingthreats.net/2010727 +1 || 2010728 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress wp-admin/admin.php Module Configuration Security Bypass Attempt || url,www.securityfocus.com/bid/35584 || cve,2009-2334 || url,doc.emergingthreats.net/2010728 +1 || 2010729 || 6 || trojan-activity || 0 || ET DELETED Zeus Bot / Zbot Checkin (/us01d/in.php) || url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html || url,doc.emergingthreats.net/2010729 +1 || 2010730 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible Cisco ASA Appliance Clientless SSL VPN HTML Rewriting Security Bypass Attempt/Cross Site Scripting Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=18442 || url,www.securityfocus.com/archive/1/504516 || url,www.securityfocus.com/bid/35476 || cve,2009-1201 || cve,2009-1202 || url,doc.emergingthreats.net/2010730 +1 || 2010731 || 4 || attempted-recon || 0 || ET FTP FTP CWD command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010731 +1 || 2010732 || 2 || attempted-recon || 0 || ET FTP FTP SITE command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010732 +1 || 2010733 || 2 || attempted-recon || 0 || ET FTP FTP RMDIR command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010733 +1 || 2010734 || 2 || attempted-recon || 0 || ET FTP FTP MKDIR command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010734 +1 || 2010735 || 2 || attempted-recon || 0 || ET FTP FTP PWD command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010735 +1 || 2010736 || 2 || attempted-recon || 0 || ET FTP FTP RETR command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010736 +1 || 2010737 || 2 || attempted-recon || 0 || ET FTP FTP NLST command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010737 +1 || 2010738 || 2 || attempted-recon || 0 || ET FTP FTP RNTO command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010738 +1 || 2010739 || 2 || attempted-recon || 0 || ET FTP FTP RNFR command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010739 +1 || 2010740 || 2 || attempted-recon || 0 || ET FTP FTP STOR command attempt without login || url,www.nsftools.com/tips/RawFTP.htm || url,doc.emergingthreats.net/2010740 +1 || 2010741 || 4 || trojan-activity || 0 || ET TROJAN Suspicious exe.exe request - possible downloader/Oficla || url,anubis.iseclab.org/?action=result&task_id=11873c8979f34c8d4fd0da512df635cac&format=txt || url,doc.emergingthreats.net/2010741 +1 || 2010742 || 4 || trojan-activity || 0 || ET DELETED Pinkslipbot Trojan Downloader || url,doc.emergingthreats.net/2010742 +1 || 2010743 || 8 || trojan-activity || 0 || ET TROJAN Oficla Checkin (1) || url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c || url,doc.emergingthreats.net/2010743 +1 || 2010744 || 4 || trojan-activity || 0 || ET TROJAN Oficla Russian Malware Bundle C&C instruction response (2) || url,malwarelab.org/2009/11/russian-malware-bundle/ || url,doc.emergingthreats.net/2010744 +1 || 2010745 || 2 || attempted-user || 0 || ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt || url,www.kb.cert.org/vuls/id/914785 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,osvdb.org/47794 || url,doc.emergingthreats.net/2010745 +1 || 2010746 || 2 || attempted-user || 0 || ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt || url,www.kb.cert.org/vuls/id/914785 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,osvdb.org/47794 || url,doc.emergingthreats.net/2010746 +1 || 2010747 || 2 || attempted-user || 0 || ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt || url,www.kb.cert.org/vuls/id/914785 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,osvdb.org/47794 || url,doc.emergingthreats.net/2010747 +1 || 2010748 || 2 || attempted-user || 0 || ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt || url,www.kb.cert.org/vuls/id/914785 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,osvdb.org/47794 || url,doc.emergingthreats.net/2010748 +1 || 2010749 || 2 || attempted-user || 0 || ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt || url,www.kb.cert.org/vuls/id/914785 || url,/www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt || url,osvdb.org/47794 || url,doc.emergingthreats.net/2010749 +1 || 2010750 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter SELECT FROM SQL Injection Attempt || bugtraq,37146 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || url,doc.emergingthreats.net/2010750 +1 || 2010751 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter DELETE FROM SQL Injection Attempt || bugtraq,37146 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || url,doc.emergingthreats.net/2010751 +1 || 2010752 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UNION SELECT SQL Injection Attempt || bugtraq,37146 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || url,doc.emergingthreats.net/2010752 +1 || 2010753 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter INSERT INTO SQL Injection Attempt || bugtraq,37146 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || url,doc.emergingthreats.net/2010753 +1 || 2010754 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_musicgallery Component Id Parameter UPDATE SET SQL Injection Attempt || bugtraq,37146 || url,www.packetstormsecurity.nl/0911-exploits/joomlamg-sql.txt || url,doc.emergingthreats.net/2010754 +1 || 2010755 || 4 || attempted-dos || 0 || ET DOS IBM DB2 kuddb2 Remote Denial of Service Attempt || url,www.securityfocus.com/bid/38018 || url,intevydis.blogspot.com/2010/01/ibm-db2-97-kuddb2-dos.html || url,doc.emergingthreats.net/2010755 +1 || 2010756 || 3 || trojan-activity || 0 || ET TROJAN Sasfis Botnet Client Reporting Back to Controller After Command Execution || url,www.fortiguard.com/analysis/sasfisanalysis.html || url,doc.emergingthreats.net/2010756 +1 || 2010757 || 6 || not-suspicious || 0 || ET WEB_CLIENT VLC Media Player Aegisub Advanced SubStation (.ass) File Request flowbit set || url,doc.emergingthreats.net/2010757 +1 || 2010758 || 5 || attempted-user || 0 || ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt || url,www.securityfocus.com/bid/37832/info || url,doc.emergingthreats.net/2010758 +1 || 2010759 || 2 || attempted-admin || 0 || ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt || url,www.securityfocus.com/bid/38010 || url,doc.emergingthreats.net/2010759 +1 || 2010760 || 6 || attempted-user || 0 || ET ACTIVEX Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt || url,www.securityfocus.com/bid/37834 || url,doc.emergingthreats.net/2010760 +1 || 2010761 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Attempt || url,www.securityfocus.com/bid/37843 || url,doc.emergingthreats.net/2010761 +1 || 2010762 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt || url,www.securityfocus.com/bid/37843 || url,doc.emergingthreats.net/2010762 +1 || 2010763 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery Ping UserCommand Attempt || url,www.securityfocus.com/bid/37843 || url,doc.emergingthreats.net/2010763 +1 || 2010765 || 5 || trojan-activity || 0 || ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2) || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B || url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2 || url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9 || url,doc.emergingthreats.net/2010765 +1 || 2010766 || 11 || bad-unknown || 0 || ET POLICY Proxy TRACE Request - inbound || url,doc.emergingthreats.net/2010766 +1 || 2010767 || 9 || bad-unknown || 0 || ET POLICY TRACE Request - outbound || url,doc.emergingthreats.net/2010767 +1 || 2010768 || 5 || bad-unknown || 0 || ET SCAN Open-Proxy ScannerBot (webcollage-UA) || url, stateofsecurity.com/?p=526 || url,www.botsvsbrowsers.com/details/214715/index.html || url,doc.emergingthreats.net/2010768 +1 || 2010770 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HP System Management Homepage Input Validation Cross Site Scripting Attempt || url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02000727 || cve,2009-4185 || url,doc.emergingthreats.net/2010770 +1 || 2010771 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS asaher pro view_messages.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt || url,doc.emergingthreats.net/2010771 +1 || 2010772 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS asaher pro view_blog_comments.php Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt || url,doc.emergingthreats.net/2010772 +1 || 2010773 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS asaher pro view_blog_archives.php Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt || url,doc.emergingthreats.net/2010773 +1 || 2010774 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS asaher pro add_comments.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt || url,doc.emergingthreats.net/2010774 +1 || 2010775 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS asaher pro downloads.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt || url,doc.emergingthreats.net/2010775 +1 || 2010776 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS asaher pro emailsender.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt || url,doc.emergingthreats.net/2010776 +1 || 2010777 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS asaher pro left_menu.php row_y5_site_configuration Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/asaherpro-rfi.txt || url,doc.emergingthreats.net/2010777 +1 || 2010778 || 6 || attempted-user || 0 || ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1 || url,secunia.com/advisories/24692/ || url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt || url,www.kb.cert.org/vuls/id/589097 || url,doc.emergingthreats.net/2010778 +1 || 2010779 || 6 || attempted-user || 0 || ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2 || url,secunia.com/advisories/24692/ || url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt || url,www.kb.cert.org/vuls/id/589097 || url,doc.emergingthreats.net/2010779 +1 || 2010780 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla mediaslide component viewer.php path Local File Inclusion Attempt || bugtraq,37440 || url,doc.emergingthreats.net/2010780 +1 || 2010781 || 2 || suspicious-filename-detect || 0 || ET POLICY PsExec service created || url,xinn.org/Snort-psexec.html || url,doc.emergingthreats.net/2010781 +1 || 2010782 || 2 || suspicious-filename-detect || 0 || ET POLICY RemoteControlX rctrlx service created || url,xinn.org/Snort-rctrlx.html || url,doc.emergingthreats.net/2010782 +1 || 2010783 || 3 || suspicious-filename-detect || 0 || ET EXPLOIT GsecDump executed || url,xinn.org/Snort-gsecdump.html || url,doc.emergingthreats.net/2010783 +1 || 2010784 || 4 || policy-violation || 0 || ET CHAT Facebook Chat (send message) || url,doc.emergingthreats.net/2010784 +1 || 2010785 || 6 || policy-violation || 0 || ET CHAT Facebook Chat (buddy list) || url,doc.emergingthreats.net/2010785 +1 || 2010786 || 4 || policy-violation || 0 || ET CHAT Facebook Chat (settings) || url,doc.emergingthreats.net/2010786 +1 || 2010787 || 5 || trojan-activity || 0 || ET TROJAN Knockbot Proxy Response From Controller || url,www.malwaredomainlist.com/mdl.php?search=knock.php || url,doc.emergingthreats.net/2010787 +1 || 2010788 || 5 || trojan-activity || 0 || ET TROJAN Knockbot Proxy Response From Controller (empty command) || url,www.malwaredomainlist.com/mdl.php?search=knock.php || url,doc.emergingthreats.net/2010788 +1 || 2010789 || 5 || trojan-activity || 0 || ET DELETED SpyEye Bot Checkin || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99 || url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html || url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0 || url,doc.emergingthreats.net/2010789 +1 || 2010790 || 4 || trojan-activity || 0 || ET TROJAN Bredavi Configuration Update Response || url,doc.emergingthreats.net/2010790 +1 || 2010791 || 3 || trojan-activity || 0 || ET DELETED Bredavi Checkin || url,doc.emergingthreats.net/2010791 +1 || 2010794 || 7 || attempted-recon || 0 || ET WEB_SERVER DFind w00tw00t GET-Requests || url,doc.emergingthreats.net/2010794 +1 || 2010795 || 8 || trojan-activity || 0 || ET ATTACK_RESPONSE Matahari client || url,doc.emergingthreats.net/2010795 +1 || 2010796 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS MALWARE Unknown Malware Download Attempt || url,malwareurl.com || url,doc.emergingthreats.net/2010796 +1 || 2010797 || 3 || policy-violation || 0 || ET POLICY Twitter Status Update || url,twitter.com || url,doc.emergingthreats.net/2010797 +1 || 2010798 || 4 || attempted-user || 0 || ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt || url,www.securityfocus.com/bid/37884 || cve,2010-0027 || url,doc.emergingthreats.net/2010798 +1 || 2010799 || 5 || attempted-user || 0 || ET WEB_CLIENT Possible Internet Explorer srcElement Memory Corruption Attempt || url,www.microsoft.com/technet/security/bulletin/ms10-002.mspx || url,tools.cisco.com/security/center/viewAlert.x?alertId=19726 || url,www.kb.cert.org/vuls/id/492515 || cve,2010-0249 || url,doc.emergingthreats.net/2010799 +1 || 2010800 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS F5 Data Manager DiagLogListActionBody.do Local File Inclusion Attempt || url,secunia.com/advisories/38113/ || url,doc.emergingthreats.net/2010800 +1 || 2010801 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do Local File Inclusion Attempt || url,secunia.com/advisories/38113/ || url,doc.emergingthreats.net/2010801 +1 || 2010802 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS F5 Data Manager ViewSatReport.do Local File Inclusion Attempt || url,secunia.com/advisories/38113/ || url,doc.emergingthreats.net/2010802 +1 || 2010803 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS F5 Data Manager DiagCaptureFileListActionBody.do capture parameter LFI Attempt || url,secunia.com/advisories/38113/ || url,doc.emergingthreats.net/2010803 +1 || 2010804 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS F5 Data Manager ViewInventoryErrorReport.do Local File Inclusion Attempt || url,secunia.com/advisories/38113/ || url,doc.emergingthreats.net/2010804 +1 || 2010805 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter SELECT FROM SQL Injection Attempt || bugtraq,38022 || url,doc.emergingthreats.net/2010805 +1 || 2010806 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter DELETE FROM SQL Injection Attempt || bugtraq,38022 || url,doc.emergingthreats.net/2010806 +1 || 2010807 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UNION SELECT SQL Injection Attempt || bugtraq,38022 || url,doc.emergingthreats.net/2010807 +1 || 2010808 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter INSERT INTO SQL Injection Attempt || bugtraq,38022 || url,doc.emergingthreats.net/2010808 +1 || 2010809 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_yelp Component cid Parameter UPDATE SET SQL Injection Attempt || bugtraq,38022 || url,doc.emergingthreats.net/2010809 +1 || 2010813 || 5 || attempted-user || 0 || ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt || url,www.securityfocus.com/bid/35500/info || url,doc.emergingthreats.net/2010813 +1 || 2010814 || 5 || attempted-user || 0 || ET ACTIVEX Possible AOL 9.5 BindToFile Heap Overflow Attempt || url,tcc.hellcode.net/advisories/hellcode-adv008.txt || url,doc.emergingthreats.net/2010814 +1 || 2010815 || 5 || misc-activity || 0 || ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud || url,doc.emergingthreats.net/2010815 +1 || 2010816 || 6 || misc-activity || 0 || ET POLICY Incoming UDP Packet From Amazon EC2 Cloud || url,doc.emergingthreats.net/2010816 +1 || 2010817 || 3 || attempted-dos || 0 || ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=19915 || cve,2010-0569 || url,doc.emergingthreats.net/2010817 +1 || 2010818 || 4 || attempted-dos || 0 || ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=19915 || cve,2010-0569 || url,doc.emergingthreats.net/2010818 +1 || 2010819 || 4 || policy-violation || 0 || ET CHAT Facebook Chat using XMPP || url,www.facebook.com/sitetour/chat.php || url,doc.emergingthreats.net/2010819 +1 || 2010820 || 4 || web-application-attack || 0 || ET WEB_SERVER Tilde in URI, potential .cgi source disclosure vulnerability || url,seclists.org/fulldisclosure/2009/Sep/0321.html || url,doc.emergingthreats.net/2010820 +1 || 2010821 || 3 || trojan-activity || 0 || ET TROJAN Java Downloader likely malicious payload download src=xrun || url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html || url,doc.emergingthreats.net/2010821 +1 || 2010822 || 5 || trojan-activity || 0 || ET TROJAN smain?scout=acxc Generic Download landing || url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html || url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5 || url,doc.emergingthreats.net/2010822 +1 || 2010823 || 4 || trojan-activity || 0 || ET TROJAN Torpig Related Fake User-Agent (Apache (compatible...)) || url,doc.emergingthreats.net/2010823 +1 || 2010824 || 4 || trojan-activity || 0 || ET DELETED Torpig Ping-Pong Keepalives Outbound || url,doc.emergingthreats.net/2010824 +1 || 2010825 || 4 || trojan-activity || 0 || ET DELETED Torpig Ping-Pong Keepalives Inbound || url,doc.emergingthreats.net/2010825 +1 || 2010826 || 3 || trojan-activity || 0 || ET TROJAN Torpig Initial CnC Connect on port 8392 || url,doc.emergingthreats.net/2010826 +1 || 2010827 || 3 || trojan-activity || 0 || ET TROJAN Torpig CnC Connect on port 8392 || url,doc.emergingthreats.net/2010827 +1 || 2010828 || 3 || trojan-activity || 0 || ET TROJAN Torpig CnC IP Report Command on port 8392 || url,doc.emergingthreats.net/2010828 +1 || 2010829 || 3 || trojan-activity || 0 || ET TROJAN Torpig CnC Report Command on port 8392 || url,doc.emergingthreats.net/2010829 +1 || 2010830 || 5 || trojan-activity || 0 || ET DELETED Unknown Dropper Checkin (2) || url,doc.emergingthreats.net/2010830 +1 || 2010833 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla intuit component intuit.php approval Local File Inclusion Attempt || url,www.exploit-db.com/exploits/10730 || url,doc.emergingthreats.net/2010833 +1 || 2010834 || 6 || attempted-user || 0 || ET ACTIVEX Windows Defender ActiveX DeleteValue/WriteValue method Heap Overflow Attempt || url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt || url,doc.emergingthreats.net/2010834 +1 || 2010835 || 4 || attempted-user || 0 || ET ACTIVEX Windows Defender ActiveX DeleteValue method Remote Code Execution Function Call || url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt || url,doc.emergingthreats.net/2010835 +1 || 2010837 || 4 || attempted-user || 0 || ET ACTIVEX Windows Defender ActiveX WriteValue method Remote Code Execution Function Call || url,www.packetstormsecurity.org/1001-exploits/msdef2-overflow.txt || url,doc.emergingthreats.net/2010837 +1 || 2010838 || 6 || trojan-activity || 0 || ET TROJAN WScript/VBScript XMLHTTP downloader likely malicious get?src= || url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html || url,doc.emergingthreats.net/2010838 +1 || 2010839 || 6 || attempted-user || 0 || ET ACTIVEX Possible Rising Online Virus Scanner ActiveX Control Scan() Method Stack Buffer Overflow Attempt || url,www.securityfocus.com/bid/38282 || url,doc.emergingthreats.net/2010839 +1 || 2010840 || 5 || attempted-user || 0 || ET ACTIVEX Viscom Software Movie Player Pro SDK ActiveX 6.8 Remote Buffer Overflow Attempt || url,en.securitylab.ru/poc/extra/389924.php || url,doc.emergingthreats.net/2010840 +1 || 2010841 || 4 || attempted-user || 0 || ET WEB_CLIENT DX Studio Player Firefox Plug-in Command Injection Attempt || cve,2009-2011 || url,doc.emergingthreats.net/2010841 +1 || 2010842 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UPDATE SET SQL Injection Attempt || bugtraq,37576 || url,doc.emergingthreats.net/2010842 +1 || 2010843 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_avosbilletsy Component id Parameter SELECT FROM SQL Injection Attempt || bugtraq,37576 || url,doc.emergingthreats.net/2010843 +1 || 2010844 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter DELETE FROM SQL Injection Attempt || bugtraq,37576 || url,doc.emergingthreats.net/2010844 +1 || 2010845 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter UNION SELECT SQL Injection Attempt || bugtraq,37576 || url,doc.emergingthreats.net/2010845 +1 || 2010846 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_avosbillets Component id Parameter INSERT INTO SQL Injection Attempt || bugtraq,37576 || url,doc.emergingthreats.net/2010846 +1 || 2010847 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS com_if_nexus controller Parameter Remote File Inclusion Attempt || url,www.exploit-db.com/exploits/10754 || url,doc.emergingthreats.net/2010847 +1 || 2010848 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla morfeoshow morfeoshow.html.php Remote File Inclusion Attempt || url,secdb.4sec.org/?s1=exp&sid=18773 || url,doc.emergingthreats.net/2010848 +1 || 2010851 || 4 || web-application-attack || 0 || ET ACTIVEX Logitech VideoCall ActiveX Start method buffer overflow Attempt || url,osvdb.org/36820 || url,www.packetstormsecurity.nl/0911-exploits/logitechvideocall_start.rb.txt || url,www.kb.cert.org/vuls/id/330289 || url,doc.emergingthreats.net/2010851 +1 || 2010852 || 4 || web-application-attack || 0 || ET ACTIVEX WinDVD7 IASystemInfo.DLL ActiveX ApplicationType method buffer overflow Attempt || url,www.packetstormsecurity.nl/0911-exploits/windvd7_applicationtype.rb.txt || url,secunia.com/advisories/24556/ || url,doc.emergingthreats.net/2010852 +1 || 2010853 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter SELECT FROM SQL Injection Attempt || url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt || url,doc.emergingthreats.net/2010853 +1 || 2010854 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter DELETE FROM SQL Injection Attempt || url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt || url,doc.emergingthreats.net/2010854 +1 || 2010855 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UNION SELECT SQL Injection Attempt || url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt || url,doc.emergingthreats.net/2010855 +1 || 2010856 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter INSERT INTO SQL Injection Attempt || url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt || url,doc.emergingthreats.net/2010856 +1 || 2010857 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_job Component id_job Parameter UPDATE SET SQL Injection Attempt || url,packetstorm.foofus.com/1002-exploits/joomlajobcom-sql.txt || url,doc.emergingthreats.net/2010857 +1 || 2010859 || 5 || trojan-activity || 0 || ET DELETED Gh0st Trojan CnC || url,doc.emergingthreats.net/2010859 +1 || 2010860 || 5 || trojan-activity || 0 || ET DELETED Gh0st Trojan CnC Response || url,doc.emergingthreats.net/2010860 +1 || 2010861 || 7 || trojan-activity || 0 || ET DELETED Zeus Bot Request to CnC || url,doc.emergingthreats.net/2010861 +1 || 2010862 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible APC Network Management Card Cross Site Scripting Attempt || cve,2009-1798 || url,doc.emergingthreats.net/2010862 +1 || 2010863 || 6 || web-application-attack || 0 || ET WEB_SERVER LANDesk Command Injection Attempt || url,www.coresecurity.com/content/landesk-csrf-vulnerability || cve,2010-0369 || url,doc.emergingthreats.net/2010863 +1 || 2010864 || 6 || web-application-attack || 0 || ET WEB_SERVER HP OpenView /OvCgi/Toolbar.exe Accept Language Heap Buffer Overflow Attempt || cve,2009-0921 || url,doc.emergingthreats.net/2010864 +1 || 2010865 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBM Possible Lotus Domino readme.nsf Cross Site Scripting Attempt || url,www.securityfocus.com/bid/38481 || url,doc.emergingthreats.net/2010865 +1 || 2010866 || 4 || trojan-activity || 0 || ET DELETED Hostile domain, NeoSploit FakeAV google.analytics.com.*.info || url,www.malwaredomainlist.com/forums/index.php?action=printpage#-#-topic=3781.0 || url,doc.emergingthreats.net/2010866 +1 || 2010867 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Potential FakeAV download Setup_103s1 or Setup_207 variant || url,www.prevx.com/avgraph/1/AVG.html || url,doc.emergingthreats.net/2010867 +1 || 2010868 || 6 || bad-unknown || 0 || ET MALWARE Incorrectly formatted User-Agent string (dashes instead of semicolons) Likely Hostile || url,doc.emergingthreats.net/2010868 +1 || 2010869 || 3 || policy-violation || 0 || ET DELETED PE EXE or DLL Windows file download (2) || url,doc.emergingthreats.net/2010869 +1 || 2010870 || 6 || trojan-activity || 0 || ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav) || url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0 || url,doc.emergingthreats.net/2010870 +1 || 2010871 || 6 || trojan-activity || 0 || ET DELETED NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte) || url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0 || url,doc.emergingthreats.net/2010871 +1 || 2010872 || 5 || trojan-activity || 0 || ET TROJAN Pragma hack Detected Outbound - Likely Infected Source || url,doc.emergingthreats.net/2010872 +1 || 2010873 || 5 || not-suspicious || 0 || ET DELETED Opera User-Agent Flowbit Set || url,doc.emergingthreats.net/2010873 +1 || 2010875 || 7 || trojan-activity || 0 || ET TROJAN Blackenergy Bot Checkin to C&C (2) || url,doc.emergingthreats.net/2010875 +1 || 2010876 || 5 || attempted-user || 0 || ET DELETED Foxit PDF Reader Buffer Overflow Attempt || url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4 || cve,2009-0837 || url,doc.emergingthreats.net/2010876 +1 || 2010877 || 3 || attempted-user || 0 || ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt || url,www.securityfocus.com/bid/38578 || url,seclists.org/fulldisclosure/2010/Mar/140 || url,doc.emergingthreats.net/2010877 +1 || 2010878 || 6 || attempted-user || 0 || ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt || url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4 || cve,2009-0836 || url,doc.emergingthreats.net/2010878 +1 || 2010879 || 4 || misc-activity || 0 || ET DELETED Hex Obfuscated arguments.callee Javascript Method in PDF Possibly Hostile PDF || url,doc.emergingthreats.net/2010879 +1 || 2010880 || 3 || misc-activity || 0 || ET DELETED Possible Hex Obfuscation of Javascript Declaration Within PDF File - Likely Hostile || url,doc.emergingthreats.net/2010880 +1 || 2010881 || 6 || bad-unknown || 0 || ET WEB_CLIENT PDF With Unescape Method Defined Possible Hostile Obfuscation Attempt || url,isc.sans.org/diary.html?storyid=7903 || url,isc.sans.org/diary.html?storyid=7906 || url,doc.emergingthreats.net/2010881 +1 || 2010882 || 8 || misc-activity || 0 || ET POLICY PDF File Containing Javascript +1 || 2010883 || 5 || misc-activity || 0 || ET POLICY PDF File Containing arguments.callee in Cleartext - Likely Hostile || url,isc.sans.org/diary.html?storyid=1519 || url,isc.sans.org/diary.html?storyid=7906 || url,doc.emergingthreats.net/2010883 +1 || 2010884 || 4 || misc-activity || 0 || ET DELETED .pdf File Possibly Containing Basic Hex Obfuscation || url,isc.sans.org/diary.html?storyid=7903 || url,isc.sans.org/diary.html?storyid=7906 || url,doc.emergingthreats.net/2010884 +1 || 2010885 || 8 || trojan-activity || 0 || ET TROJAN BlackEnergy v2.x HTTP Request with Encrypted Variables || url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2 || url,doc.emergingthreats.net/2010885 +1 || 2010886 || 6 || trojan-activity || 0 || ET TROJAN BlackEnergy v2.x Plugin Download Request || url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2 || url,doc.emergingthreats.net/2010886 +1 || 2010888 || 7 || trojan-activity || 0 || ET TROJAN Generic Downloader checkin (3) || url,doc.emergingthreats.net/2010888 +1 || 2010889 || 3 || trojan-activity || 0 || ET USER_AGENTS Win32.Tdss User Agent Detected (Mozzila) || url,doc.emergingthreats.net/2010889 +1 || 2010890 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET) || url,doc.emergingthreats.net/2010890 +1 || 2010891 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST) || url,doc.emergingthreats.net/2010891 +1 || 2010892 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET) || url,doc.emergingthreats.net/2010892 +1 || 2010893 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST) || url,doc.emergingthreats.net/2010893 +1 || 2010894 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX) || url,doc.emergingthreats.net/2010894 +1 || 2010895 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad pf_XXXXX) || url,doc.emergingthreats.net/2010895 +1 || 2010896 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2) || url,doc.emergingthreats.net/2010896 +1 || 2010897 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB3 Brute-Force reg attempt (Bad flow 2) || url,doc.emergingthreats.net/2010897 +1 || 2010898 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB3 registration (Bogus Stage3 GET) || url,doc.emergingthreats.net/2010898 +1 || 2010899 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS phpBB3 multiple login attempts || url,doc.emergingthreats.net/2010899 +1 || 2010900 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBB3 possible spammer posting attempts || url,doc.emergingthreats.net/2010900 +1 || 2010901 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Potential FakeAV download ASetup_2009.exe variant || url,www.prevx.com/avgraph/1/AVG.html || url,doc.emergingthreats.net/2010901 +1 || 2010902 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (p=) || url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/ || url,doc.emergingthreats.net/2010902 +1 || 2010903 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=) || url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/ || url,doc.emergingthreats.net/2010903 +1 || 2010904 || 7 || bad-unknown || 0 || ET MALWARE Fake Mozilla User-Agent (Mozilla/0.xx) Inbound || url,doc.emergingthreats.net/2010904 +1 || 2010905 || 7 || bad-unknown || 0 || ET MALWARE Fake Mozilla UA Outbound (Mozilla/0.xx) || url,doc.emergingthreats.net/2010905 +1 || 2010906 || 5 || bad-unknown || 0 || ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis) || url,doc.emergingthreats.net/2010906 +1 || 2010908 || 5 || trojan-activity || 0 || ET MALWARE Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake || url,doc.emergingthreats.net/2010908 +1 || 2010909 || 2 || trojan-activity || 0 || ET TROJAN Arucer Command Execution || url,doc.emergingthreats.net/2010909 +1 || 2010910 || 2 || trojan-activity || 0 || ET TROJAN Arucer DIR Listing || url,doc.emergingthreats.net/2010910 +1 || 2010911 || 2 || trojan-activity || 0 || ET TROJAN Arucer WRITE FILE command || url,doc.emergingthreats.net/2010911 +1 || 2010912 || 2 || trojan-activity || 0 || ET TROJAN Arucer READ FILE Command || url,doc.emergingthreats.net/2010912 +1 || 2010913 || 2 || trojan-activity || 0 || ET TROJAN Arucer NOP Command || url,doc.emergingthreats.net/2010913 +1 || 2010914 || 2 || trojan-activity || 0 || ET TROJAN Arucer FIND FILE Command || url,doc.emergingthreats.net/2010914 +1 || 2010915 || 2 || trojan-activity || 0 || ET TROJAN Arucer YES Command || url,doc.emergingthreats.net/2010915 +1 || 2010916 || 2 || trojan-activity || 0 || ET TROJAN Arucer ADD RUN ONCE Command || url,doc.emergingthreats.net/2010916 +1 || 2010917 || 2 || trojan-activity || 0 || ET TROJAN Arucer DEL FILE Command || url,doc.emergingthreats.net/2010917 +1 || 2010918 || 6 || trojan-activity || 0 || ET DELETED Paymilon-A HTTP POST || url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html || url,doc.emergingthreats.net/2010918 +1 || 2010919 || 3 || web-application-attack || 0 || ET WEB_SERVER HP LaserJet Printer Cross Site Scripting Attempt || url,dsecrg.com/pages/vul/show.php?id=148 || cve,2009-2684 || url,doc.emergingthreats.net/2010919 +1 || 2010920 || 7 || web-application-attack || 0 || ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=) || cve,2002-0953 || url,doc.emergingthreats.net/2010920 +1 || 2010921 || 3 || web-application-attack || 0 || ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt || url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt || url,secunia.com/advisories/26960/ || url,doc.emergingthreats.net/2010921 +1 || 2010922 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_workbook.inc.php class_path Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt || url,doc.emergingthreats.net/2010922 +1 || 2010923 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SaurusCMS class.writeexcel_worksheet.inc.php class_path Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/saurus-rfi.txt || url,doc.emergingthreats.net/2010923 +1 || 2010924 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter SELECT FROM SQL Injection Attempt || url,www.exploit-db.com/exploits/11103 || url,doc.emergingthreats.net/2010924 +1 || 2010925 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter DELETE FROM SQL Injection Attempt || url,www.exploit-db.com/exploits/11103 || url,doc.emergingthreats.net/2010925 +1 || 2010926 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UNION SELECT SQL Injection Attempt || url,www.exploit-db.com/exploits/11103 || url,doc.emergingthreats.net/2010926 +1 || 2010927 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter INSERT INTO SQL Injection Attempt || url,www.exploit-db.com/exploits/11103 || url,doc.emergingthreats.net/2010927 +1 || 2010928 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_perchagallery Component id Parameter UPDATE SET SQL Injection Attempt || url,www.exploit-db.com/exploits/11103 || url,doc.emergingthreats.net/2010928 +1 || 2010929 || 6 || attempted-user || 0 || ET ACTIVEX Foxit Reader ActiveX control OpenFile method Heap Overflow Attempt || url,www.exploit-db.com/exploits/11196 || url,doc.emergingthreats.net/2010929 +1 || 2010930 || 4 || attempted-user || 0 || ET ACTIVEX Foxit Reader ActiveX OpenFile method Remote Code Execution Function Call || url,www.exploit-db.com/exploits/11196 || url,doc.emergingthreats.net/2010930 +1 || 2010931 || 7 || attempted-user || 0 || ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt || url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/ || url,tools.cisco.com/security/center/viewAlert.x?alertId=20052 || url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx || url,www.kb.cert.org/vuls/id/744549 || cve,2010-0806 || url,doc.emergingthreats.net/2010931 +1 || 2010932 || 5 || trojan-activity || 0 || ET TROJAN Dropper Checkin 2 (often scripts.dlv4.com related) || url,doc.emergingthreats.net/2010932 +1 || 2010934 || 5 || trojan-activity || 0 || ET MALWARE Infobox3 Spyware User-Agent (InfoBox) || url,doc.emergingthreats.net/2010934 +1 || 2010935 || 2 || bad-unknown || 0 || ET POLICY Suspicious inbound to MSSQL port 1433 || url,doc.emergingthreats.net/2010935 +1 || 2010936 || 2 || bad-unknown || 0 || ET POLICY Suspicious inbound to Oracle SQL port 1521 || url,doc.emergingthreats.net/2010936 +1 || 2010937 || 2 || bad-unknown || 0 || ET POLICY Suspicious inbound to mySQL port 3306 || url,doc.emergingthreats.net/2010937 +1 || 2010938 || 2 || bad-unknown || 0 || ET POLICY Suspicious inbound to mSQL port 4333 || url,doc.emergingthreats.net/2010938 +1 || 2010939 || 2 || bad-unknown || 0 || ET POLICY Suspicious inbound to PostgreSQL port 5432 || url,doc.emergingthreats.net/2010939 +1 || 2010941 || 1 || attempted-user || 0 || ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt || url,www.securityfocus.com/bid/38578 || url,seclists.org/fulldisclosure/2010/Mar/140 || url,doc.emergingthreats.net/2010941 +1 || 2010942 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_jcollection controller Parameter Local File Inclusion Attempt || url,www.exploit-db.com/exploits/11088 || url,doc.emergingthreats.net/2010942 +1 || 2010943 || 2 || web-application-attack || 0 || ET ACTIVEX SoftCab Sound Converter ActiveX SaveFormat File overwrite Attempt || url,secunia.com/advisories/37967/ || url,doc.emergingthreats.net/2010943 +1 || 2010944 || 2 || attempted-user || 0 || ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call || url,www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt || url,secunia.com/advisories/38156/ || url,doc.emergingthreats.net/2010944 +1 || 2010945 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Attempt || url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt || url,doc.emergingthreats.net/2010945 +1 || 2010946 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Function Call || url,www.shinnai.net/exploits/pD9YWswsoR3EIcE9bf3N.txt || url,doc.emergingthreats.net/2010946 +1 || 2010947 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/38691/ || url,doc.emergingthreats.net/2010947 +1 || 2010948 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/38691/ || url,doc.emergingthreats.net/2010948 +1 || 2010949 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/38691/ || url,doc.emergingthreats.net/2010949 +1 || 2010950 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/38691/ || url,doc.emergingthreats.net/2010950 +1 || 2010951 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_hdflvplayer Component id Parameter UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/38691/ || url,doc.emergingthreats.net/2010951 +1 || 2010952 || 4 || policy-violation || 0 || ET DELETED facebook activity || url,compnetworking.about.com/od/traceipaddresses/f/facebook-ip-address.htm || url,doc.emergingthreats.net/2010952 +1 || 2010953 || 3 || attempted-recon || 0 || ET SCAN Skipfish Web Application Scan Detected || url,isc.sans.org/diary.html?storyid=8467 || url,code.google.com/p/skipfish/ || url,doc.emergingthreats.net/2010953 +1 || 2010954 || 4 || network-scan || 0 || ET SCAN crimscanner User-Agent detected || url,doc.emergingthreats.net/2010954 +1 || 2010956 || 3 || attempted-recon || 0 || ET SCAN Skipfish Web Application Scan Detected (2) || url,isc.sans.org/diary.html?storyid=8467 || url,code.google.com/p/skipfish/ || url,doc.emergingthreats.net/2010956 +1 || 2010957 || 6 || attempted-user || 0 || ET ACTIVEX SAP GUI SAPBExCommonResources ActiveX Insecure Method Code Execution Attempt || url,dsecrg.com/pages/vul/show.php?id=164 || url,doc.emergingthreats.net/2010957 +1 || 2010958 || 5 || attempted-user || 0 || ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Attempt || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02 || url,dsecrg.com/pages/vul/show.php?id=139 || cve,2010-0108 || url,doc.emergingthreats.net/2010958 +1 || 2010959 || 4 || attempted-user || 0 || ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Function Call Attempt || url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02 || url,dsecrg.com/pages/vul/show.php?id=139 || cve,2010-0108 || url,doc.emergingthreats.net/2010959 +1 || 2010960 || 3 || attempted-recon || 0 || ET SCAN WhatWeb Web Application Fingerprint Scanner Default User-Agent Detected || url,www.morningstarsecurity.com/research/whatweb || url,doc.emergingthreats.net/2010960 +1 || 2010961 || 5 || attempted-user || 0 || ET WEB_CLIENT Wscript Shell Run Attempt - Likely Hostile || url,msdn.microsoft.com/en-us/library/d5fk67ky(VS.85).aspx || url,doc.emergingthreats.net/2010961 +1 || 2010962 || 6 || attempted-user || 0 || ET ACTIVEX AOL 9.5 Phobos.Playlist Import ActiveX Buffer Overflow Attempt || url,www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/ || url,doc.emergingthreats.net/2010962 +1 || 2010963 || 4 || web-application-attack || 0 || ET WEB_SERVER SELECT USER SQL Injection Attempt in URI || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2010963 +1 || 2010964 || 3 || web-application-attack || 0 || ET WEB_SERVER SHOW CHARACTER SET SQL Injection Attempt in URI || url,en.wikipedia.org/wiki/SQL_injection || url,dev.mysql.com/doc/refman/5.0/en/show-character-set.html || url,doc.emergingthreats.net/2010964 +1 || 2010965 || 3 || web-application-attack || 0 || ET WEB_SERVER SHOW VARIABLES SQL Injection Attempt in URI || url,en.wikipedia.org/wiki/SQL_injection || url,dev.mysql.com/doc/refman/5.1/en/server-system-variables.html || url,doc.emergingthreats.net/2010965 +1 || 2010966 || 3 || web-application-attack || 0 || ET WEB_SERVER SHOW CURDATE/CURTIME SQL Injection Attempt in URI || url,en.wikipedia.org/wiki/SQL_injection || url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curdate || url,dev.mysql.com/doc/refman/5.1/en/date-and-time-functions.html#function_curtime || url,doc.emergingthreats.net/2010966 +1 || 2010967 || 3 || web-application-attack || 0 || ET WEB_SERVER SHOW TABLES SQL Injection Attempt in URI || url,en.wikipedia.org/wiki/SQL_injection || url,dev.mysql.com/doc/refman/4.1/en/show-tables.html || url,doc.emergingthreats.net/2010967 +1 || 2010968 || 7 || attempted-user || 0 || ET WEB_CLIENT Possible Foxit/Adobe PDF Reader Launch Action Remote Code Execution Attempt || url,www.kb.cert.org/vuls/id/570177 || url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html || url,www.sudosecure.net/archives/673 || url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html || url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ || url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp || url,doc.emergingthreats.net/2010968 +1 || 2010969 || 3 || policy-violation || 0 || ET POLICY Possible ProxyShell Anonymous Access Connection || url,doc.emergingthreats.net/2010969 +1 || 2010970 || 3 || web-application-attack || 0 || ET WEB_SERVER HP OpenView Network Node Manager OvWebHelp.exe Heap Buffer Overflow Attempt || cve,2009-4178 || url,doc.emergingthreats.net/2010970 +1 || 2010972 || 3 || policy-violation || 0 || ET POLICY Possible ProxyShell Hide IP Installation file download || url,www.browserdefender.com/file/484661/site/putas18.info/ || url,doc.emergingthreats.net/2010792 +1 || 2010973 || 4 || trojan-activity || 0 || ET TROJAN Vobfus/Changeup/Chinky Download Command || url,doc.emergingthreats.net/2010973 || url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=beb8bc1ba5dbd8de0761ef362bc8b0a4 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fVobfus || url,www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99&tabid=2 || url,www.symantec.com/connect/blogs/w32changeup-threat-profile || url,www.threatexpert.com/report.aspx?md5=f8880b851ea5ed92dd97657574fb4f70 +1 || 2010975 || 5 || trojan-activity || 0 || ET TROJAN Unruy Downloader Checkin || url,ddanchev.blogspot.com/2010/03/copyright-lawsuit-filed-against-you.html || url,isc.sans.org/diary.html?storyid=8497 || url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.STM&VSect=T || url,doc.emergingthreats.net/2010975 +1 || 2010976 || 5 || attempted-user || 0 || ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt || url,www.exploit-db.com/exploits/11059 || url,secunia.com/advisories/38081/ || url,doc.emergingthreats.net/2010976 +1 || 2010977 || 5 || attempted-user || 0 || ET ACTIVEX AOL 9.5 ActiveX control Import method Heap Overflow Attempt || url,www.exploit-db.com/exploits/11204 || url,doc.emergingthreats.net/2010977 +1 || 2010978 || 5 || attempted-user || 0 || ET ACTIVEX IE ActiveX control Exec method Remote code execution Attempt || url,www.packetstormsecurity.org/1001-exploits/wshomocx-activex.txt || url,doc.emergingthreats.net/2010978 +1 || 2010979 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ispCP Omega admin1.template.php Remote File Inclusion Attempt || url,packetstorm.foofus.com/1003-exploits/ispcp-rfi.txt || bugtraq,38644 || url,doc.emergingthreats.net/2010979 +1 || 2010980 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBM ENOVIA SmarTeam v5 LoginPage.aspx Cross Site Scripting Attempt || url,packetstorm.foofus.com/1003-exploits/ibmenovia-xss.txt || url,doc.emergingthreats.net/2010980 +1 || 2010981 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter SELECT FROM SQL Injection Attempt || bugtraq,37161 || url,doc.emergingthreats.net/2010981 +1 || 2010982 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter DELETE FROM SQL Injection Attempt || bugtraq,37161 || url,doc.emergingthreats.net/2010982 +1 || 2010983 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UNION SELECT SQL Injection Attempt || bugtraq,37161 || url,doc.emergingthreats.net/2010983 +1 || 2010984 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter INSERT INTO SQL Injection Attempt || bugtraq,37161 || url,doc.emergingthreats.net/2010984 +1 || 2010985 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_quicknews Component newsid Parameter UPDATE SET SQL Injection Attempt || bugtraq,37161 || url,doc.emergingthreats.net/2010985 +1 || 2010986 || 6 || attempted-user || 0 || ET ACTIVEX AOLShare ActiveX AppString method denial of service Attempt || url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt || url,doc.emergingthreats.net/2010986 +1 || 2010987 || 4 || attempted-user || 0 || ET ACTIVEX AOLShare ActiveX AppString method denial of service Function Call || url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt || url,doc.emergingthreats.net/2010987 +1 || 2010988 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CommonSpot Server longproc.cfm Cross Site Scripting Attempt || bugtraq,37986 || url,doc.emergingthreats.net/2010988 +1 || 2010989 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_ccnewsletter controller Parameter Local File Inclusion Attempt || bugtraq,37987 || url,doc.emergingthreats.net/2010989 +1 || 2010990 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/38678/ || url,doc.emergingthreats.net/2010990 +1 || 2010991 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/38678/ || url,doc.emergingthreats.net/2010991 +1 || 2010992 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/38678/ || url,doc.emergingthreats.net/2010992 +1 || 2010993 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/38678/ || url,doc.emergingthreats.net/2010993 +1 || 2010994 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla SQL Reports user_id Parameter UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/38678/ || url,doc.emergingthreats.net/2010994 +1 || 2010995 || 4 || attempted-user || 0 || ET ACTIVEX BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow Function Call || bugtraq,34789 || url,doc.emergingthreats.net/2010995 +1 || 2010996 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_communitypolls controller Parameter Local File Inclusion Attempt || url,www.exploit-db.com/exploits/11511 || url,doc.emergingthreats.net/2010996 +1 || 2010997 || 6 || attempted-user || 0 || ET ACTIVEX Hyleos ChemView ActiveX Control SaveasMolFile Method Buffer Overflow Attempt || url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf || url,secunia.com/advisories/38523/ || url,doc.emergingthreats.net/2010997 +1 || 2010998 || 6 || attempted-user || 0 || ET ACTIVEX Hyleos ChemView ActiveX Control ReadMolFile Method Buffer Overflow Attempt || url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf || url,secunia.com/advisories/38523/ || url,doc.emergingthreats.net/2010998 +1 || 2010999 || 4 || attempted-user || 0 || ET ACTIVEX Hyleos ChemView ActiveX Buffer Overflow Function Call || url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf || url,secunia.com/advisories/38523/ || url,doc.emergingthreats.net/2010999 +1 || 2011000 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Worksystems linkbar.php cfile Remote File Inclusion Attempt || url,www.exploit-db.com/exploits/10676 || url,doc.emergingthreats.net/2011000 +1 || 2011001 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter SELECT FROM SQL Injection Attempt || bugtraq,38009 || url,doc.emergingthreats.net/2011001 +1 || 2011002 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter DELETE FROM SQL Injection Attempt || bugtraq,38009 || url,doc.emergingthreats.net/2011002 +1 || 2011003 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UNION SELECT SQL Injection Attempt || bugtraq,38009 || url,doc.emergingthreats.net/2011003 +1 || 2011004 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter INSERT INTO SQL Injection Attempt || bugtraq,38009 || url,doc.emergingthreats.net/2011004 +1 || 2011005 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_rsgallery2 Component catid Parameter UPDATE SET SQL Injection Attempt || bugtraq,38009 || url,doc.emergingthreats.net/2011005 +1 || 2011006 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery Plugin Cross Site Scripting Attempt || url,www.coresecurity.com/content/nextgen-gallery-xss-vulnerability || cve,2010-1186 || url,doc.emergingthreats.net/2011006 +1 || 2011007 || 8 || attempted-user || 0 || ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt || url,securitytracker.com/alerts/2010/Mar/1023773.html || url,tools.cisco.com/security/center/viewAlert.x?alertId=20202 || url,www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb || url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx || url,www.vupen.com/english/advisories/2010/0744 || url,www.kb.cert.org/vuls/id/744549 || cve,2010-0805 || url,doc.emergingthreats.net/2011007 +1 || 2011008 || 4 || misc-activity || 0 || ET POLICY Possible Multiple Levels of Javascript Encoding & Compression Filters in PDF, Possibly Hostile PDF || url,www.symantec.com/connect/blogs/journey-center-pdf-stream || url,doc.emergingthreats.net/2011008 +1 || 2011009 || 5 || bad-unknown || 0 || ET DELETED Java JAR PROPFIND via DAV possible alternative JVM exploit || url,blogs.zdnet.com/security/?p=6082 || url,doc.emergingthreats.net/2011009 +1 || 2011010 || 5 || attempted-user || 0 || ET ACTIVEX Possible Java Deployment Toolkit CSLID Command Execution Attempt || url,seclists.org/fulldisclosure/2010/Apr/119 || url,doc.emergingthreats.net/2011010 +1 || 2011011 || 2 || attempted-admin || 0 || ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI || url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml || url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml || url,doc.emergingthreats.net/2011011 +1 || 2011012 || 2 || attempted-admin || 0 || ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String ILMI || url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml || url,www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml || url,doc.emergingthreats.net/2011012 +1 || 2011013 || 2 || attempted-admin || 0 || ET SNMP Attempted UDP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis || url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml || url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm || url,www.kb.cert.org/vuls/id/840665 || cve,2004-1776 || url,doc.emergingthreats.net/2011013 +1 || 2011014 || 2 || attempted-admin || 0 || ET SNMP Attempted TCP Access Attempt to Cisco IOS 12.1 Hidden Read/Write Community String cable-docsis || url,www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml || url,www.iss.net/security_center/reference/vuln/cisco-ios-cable-docsis.htm || url,www.kb.cert.org/vuls/id/840665 || cve,2004-1776 || url,doc.emergingthreats.net/2011014 +1 || 2011015 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt || url,www.packetstormsecurity.org/1004-exploits/sun-knockout.txt || url,doc.emergingthreats.net/2011015 +1 || 2011016 || 4 || web-application-attack || 0 || ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept || url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt || cve,2010-0361 || url,doc.emergingthreats.net/2011016 +1 || 2011017 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jcalpro cal_popup.php Remote File Inclusion Attempt || url,www.packetstormsecurity.org/0912-exploits/joomlajcalpro-rfi.txt || url,doc.emergingthreats.net/2011017 +1 || 2011018 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gallery2 adodb-error.inc.php ADODB_LANG Remote File Inclusion Attempt || url,www.exploit-db.com/exploits/10705 || url,doc.emergingthreats.net/2011018 +1 || 2011019 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Comtrend ADSL Router srvName parameter XSS attempt || url,packetstorm.foofus.com/1001-exploits/comtrend-xss.txt || url,xforce.iss.net/xforce/xfdb/47765 || url,doc.emergingthreats.net/2011019 +1 || 2011020 || 6 || attempted-user || 0 || ET ACTIVEX RKD Software ActiveX Control SaveasMolFile Method Buffer Overflow Attempt || url,packetstorm.foofus.com/1002-exploits/barcode_ax49.rb.txt || bugtraq,24596 || url,doc.emergingthreats.net/2011020 +1 || 2011021 || 4 || attempted-user || 0 || ET ACTIVEX Rising Online Virus Scanner ActiveX Scan Method stack Overflow Function Call || url,packetstorm.foofus.com/1002-exploits/risingonline-dos.txt || bugtraq,38282 || url,doc.emergingthreats.net/2011021 +1 || 2011022 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter SELECT FROM SQL Injection Attempt || bugtraq,38668 || url,exploit-db.com/exploits/11688 || url,doc.emergingthreats.net/2011022 +1 || 2011023 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter DELETE FROM SQL Injection Attempt || bugtraq,38668 || url,exploit-db.com/exploits/11688 || url,doc.emergingthreats.net/2011023 +1 || 2011024 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UNION SELECT SQL Injection Attempt || bugtraq,38668 || url,exploit-db.com/exploits/11688 || url,doc.emergingthreats.net/2011024 +1 || 2011025 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter INSERT INTO SQL Injection Attempt || bugtraq,38668 || url,exploit-db.com/exploits/11688 || url,doc.emergingthreats.net/2011025 +1 || 2011026 || 13 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_blog Component id Parameter UPDATE SET SQL Injection Attempt || bugtraq,38668 || url,exploit-db.com/exploits/11688 || url,doc.emergingthreats.net/2011026 +1 || 2011027 || 4 || attempted-recon || 0 || ET SCAN w3af Scan In Progress ARGENTINA Req Method || url,w3af.sourceforge.net || url,doc.emergingthreats.net/2011027 +1 || 2011028 || 6 || attempted-recon || 0 || ET SCAN HZZP Scan in Progress calc in Headers || url,www.krakowlabs.com/dev.html || url,doc.emergingthreats.net/2011028 +1 || 2011029 || 8 || attempted-recon || 0 || ET SCAN Netsparker Default User-Agent || url,www.mavitunasecurity.com/communityedition/ +1 || 2011030 || 5 || attempted-recon || 0 || ET SCAN Netsparker Scan in Progress || url,www.mavitunasecurity.com/communityedition/ || url,doc.emergingthreats.net/2011030 +1 || 2011031 || 4 || bad-unknown || 0 || ET SCAN HTTP GET invalid method case || url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html || url,doc.emergingthreats.net/2011031 +1 || 2011032 || 4 || bad-unknown || 0 || ET SCAN HTTP POST invalid method case || url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html || url,doc.emergingthreats.net/2011032 +1 || 2011033 || 4 || bad-unknown || 0 || ET SCAN HTTP HEAD invalid method case || url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html || url,doc.emergingthreats.net/2011033 +1 || 2011034 || 5 || bad-unknown || 0 || ET SCAN HTTP OPTIONS invalid method case || url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html || url,doc.emergingthreats.net/2011034 +1 || 2011035 || 4 || web-application-attack || 0 || ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table || url,msdn.microsoft.com/en-us/library/ms188365.aspx || url,msdn.microsoft.com/en-us/library/ms175915.aspx || url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file || url,doc.emergingthreats.net/2011035 +1 || 2011037 || 4 || web-application-attack || 0 || ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION || url,support.microsoft.com/kb/321185 || url,doc.emergingthreats.net/2011037 +1 || 2011039 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible INSERT VALUES SQL Injection Attempt || url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/ || url,en.wikipedia.org/wiki/Insert_(SQL) || url,doc.emergingthreats.net/2011039 +1 || 2011040 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible Usage of MYSQL Comments in URI for SQL Injection || url,dev.mysql.com/doc/refman/5.0/en/comments.html || url,en.wikipedia.org/wiki/SQL_injection || url,doc.emergingthreats.net/2011040 +1 || 2011041 || 3 || web-application-attack || 0 || ET WEB_SERVER MYSQL Benchmark Command in URI to Consume Server Resources || url,dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmark || url,doc.emergingthreats.net/2011041 +1 || 2011042 || 3 || web-application-attack || 0 || ET WEB_SERVER MYSQL SELECT CONCAT SQL Injection Attempt || url,ferruh.mavituna.com/sql-injection-cheatsheet-oku/ || url,www.webdevelopersnotes.com/tutorials/sql/a_little_more_on_the_mysql_select_statement.php3 || url,doc.emergingthreats.net/2011042 +1 || 2011044 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter SELECT FROM SQL Injection Attempt || url,www.exploit-db.com/exploits/11458 || url,doc.emergingthreats.net/2011044 +1 || 2011045 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter DELETE FROM SQL Injection Attempt || url,www.exploit-db.com/exploits/11458 || url,doc.emergingthreats.net/2011045 +1 || 2011046 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter INSERT INTO SQL Injection Attempt || url,www.exploit-db.com/exploits/11458 || url,doc.emergingthreats.net/2011046 +1 || 2011047 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UPDATE SET SQL Injection Attempt || url,www.exploit-db.com/exploits/11458 || url,doc.emergingthreats.net/2011047 +1 || 2011048 || 4 || attempted-user || 0 || ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Attempt || url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt || url,exploit-db.com/exploits/12030 || url,doc.emergingthreats.net/2011048 +1 || 2011049 || 6 || attempted-user || 0 || ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Function Call Attempt || url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt || url,exploit-db.com/exploits/12030 || url,doc.emergingthreats.net/2011049 +1 || 2011050 || 4 || attempted-user || 0 || ET ACTIVEX Liquid XML Studio 2010 OpenFile Method Remote Heap Overflow Attempt || url,exploit-db.com/exploits/11750 || url,doc.emergingthreats.net/2011050 +1 || 2011051 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -1 || bugtraq,38842 || url,exploit-db.com/exploits/11807 || url,doc.emergingthreats.net/2011051 +1 || 2011052 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softsaurus CMS subHeader.php objects_path Parameter Remote File Inclusion -2 || bugtraq,38842 || url,exploit-db.com/exploits/11807 || url,doc.emergingthreats.net/2011052 +1 || 2011053 || 3 || attempted-user || 0 || ET WEB_CLIENT Possible Java Deployment Toolkit Launch Method Remote Code Execution Attempt || url,seclists.org/fulldisclosure/2010/Apr/119 || url,www.darknet.org.uk/2010/04/serious-java-bug-exposes-users-to-code-execution/ || url,doc.emergingthreats.net/2011053 +1 || 2011054 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible CactuShop User Invoices Persistent XSS Attempt || url,www.coresecurity.com/content/cactushop-xss-persistent-vulnerability || cve,2010-1486 || url,doc.emergingthreats.net/2011054 +1 || 2011055 || 7 || attempted-user || 0 || ET ACTIVEX Possible EDraw Flowchart ActiveX Control OpenDocument Method Remote Code Execution Attempt || url,doc.emergingthreats.net/2011055 +1 || 2011057 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp SELECT FROM SQL Injection Attempt || bugtraq,39510 || url,doc.emergingthreats.net/2011057 +1 || 2011058 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp DELETE FROM SQL Injection Attempt || bugtraq,39510 || url,doc.emergingthreats.net/2011058 +1 || 2011059 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UNION SELECT SQL Injection Attempt || bugtraq,39510 || url,doc.emergingthreats.net/2011059 +1 || 2011060 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp INSERT INTO SQL Injection Attempt || bugtraq,39510 || url,doc.emergingthreats.net/2011060 +1 || 2011061 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oracle E-Business Suite Financials jtfwcpnt.jsp UPDATE SET SQL Injection Attempt || bugtraq,39510 || url,doc.emergingthreats.net/2011061 +1 || 2011062 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor getid3.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/12219 || url,doc.emergingthreats.net/2011062 +1 || 2011063 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mp3 Online Id Tag Editor module.archive.gzip.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/12219 || url,doc.emergingthreats.net/2011063 +1 || 2011065 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SurgeFTP surgeftpmgr.cgi classid Parameter Cross Site Scripting Attempt || url,secunia.com/advisories/38097 || url,packetstormsecurity.org/1001-exploits/surgeftp-xss.txt || url,doc.emergingthreats.net/2011065 +1 || 2011066 || 6 || trojan-activity || 0 || ET DELETED TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV || url,doc.emergingthreats.net/2011066 +1 || 2011067 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla wgPicasa Component controller Parameter Local File Inclusion Attempt || url,secunia.com/advisories/39467 || url,exploit-db.com/exploits/12230 || url,doc.emergingthreats.net/2011067 +1 || 2011071 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Copperleaf Photolog postid Parameter UNION SELECT SQL Injection Attempt || url,www.exploit-db.com/exploits/11458 || url,doc.emergingthreats.net/2011071 +1 || 2011072 || 5 || trojan-activity || 0 || ET TROJAN Fruspam polling for IP likely infected || url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx || url,doc.emergingthreats.net/2011072 +1 || 2011073 || 5 || web-application-attack || 0 || ET WEB_SERVER Microsoft SharePoint Server 2007 _layouts/help.aspx Cross Site Scripting Attempt || url,www.htbridge.ch/advisory/xss_in_microsoft_sharepoint_server_2007.html || url,tools.cisco.com/security/center/viewAlert.x?alertId=20415 || url,www.microsoft.com/technet/security/Bulletin/MS10-039.mspx || url,tools.cisco.com/security/center/viewAlert.x?alertId=20610 || cve,2010-0817 || url,doc.emergingthreats.net/2011073 +1 || 2011075 || 8 || attempted-user || 0 || ET ACTIVEX HP Operations Manager SourceView ActiveX LoadFile/SaveFile Method Buffer Overflow Attempt || url,packetstormsecurity.org/1004-exploits/CORELAN-10-027.txt || url,secunia.com/advisories/39538/ || url,doc.emergingthreats.net/2011075 +1 || 2011077 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/12299 || url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt || url,doc.emergingthreats.net/2011077 +1 || 2011078 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/12299 || url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt || url,doc.emergingthreats.net/2011078 +1 || 2011079 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/12299 || url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt || url,doc.emergingthreats.net/2011079 +1 || 2011080 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/12299 || url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt || url,doc.emergingthreats.net/2011080 +1 || 2011081 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla FaceBook Component face_id Parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/12299 || url,packetstormsecurity.org/1004-exploits/joomlagbufacebook-sql.txt || url,doc.emergingthreats.net/2011081 +1 || 2011082 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS McAfee Email Gateway queueMsgType Parameter Cross Site Scripting Attempt || url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf || url,doc.emergingthreats.net/2011082 +1 || 2011083 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS McAfee Email Gateway QtnType Parameter Cross Site Scripting Attempt || url,exploit-db.com/sploits/cybsec_advisory_2010_0402.pdf || url,doc.emergingthreats.net/2011083 +1 || 2011084 || 5 || trojan-activity || 0 || ET DELETED User-Agent (BlueSky) || url,doc.emergingthreats.net/2011084 +1 || 2011085 || 7 || misc-activity || 0 || ET POLICY HTTP Redirect to IPv4 Address || url,doc.emergingthreats.net/2011085 +1 || 2011086 || 6 || trojan-activity || 0 || ET TROJAN Trojan-Dropper.Win32.Flystud || url,doc.emergingthreats.net/2011086 +1 || 2011087 || 6 || trojan-activity || 0 || ET MALWARE User-Agent (gomtour) || url,doc.emergingthreats.net/2011087 +1 || 2011088 || 3 || attempted-recon || 0 || ET SCAN Possible DavTest WebDav Vulnerability Scanner Initial Check Detected || url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/ || url,code.google.com/p/davtest/ || url,doc.emergingthreats.net/2011088 +1 || 2011089 || 3 || attempted-recon || 0 || ET SCAN DavTest WebDav Vulnerability Scanner Default User Agent Detected || url,www.darknet.org.uk/2010/04/davtest-webdav-vulerability-scanning-scanner-tool/ || url,code.google.com/p/davtest/ || url,doc.emergingthreats.net/2011089 +1 || 2011090 || 8 || trojan-activity || 0 || ET POLICY User-Agent Recuva (Recuva) || url,doc.emergingthreats.net/2011090 || url,www.piriform.com/ +1 || 2011091 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/39032/ || url,exploit-db.com/exploits/11793 || url,doc.emergingthreats.net/2011091 +1 || 2011092 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/39032/ || url,exploit-db.com/exploits/11793 || url,doc.emergingthreats.net/2011092 +1 || 2011093 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/39032/ || url,exploit-db.com/exploits/11793 || url,doc.emergingthreats.net/2011093 +1 || 2011094 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/39032/ || url,exploit-db.com/exploits/11793 || url,doc.emergingthreats.net/2011094 +1 || 2011095 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Manage Engine Service Desk Plus WorkOrder.do UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/39032/ || url,exploit-db.com/exploits/11793 || url,doc.emergingthreats.net/2011095 +1 || 2011096 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fatwiki datumscalc.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/11188 || url,doc.emergingthreats.net/2011096 +1 || 2011097 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fatwiki monatsblatt.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/11188 || url,doc.emergingthreats.net/2011097 +1 || 2011098 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS YaPig last_gallery.php YAPIG_PATH Parameter Remote File Inclusion Attempt || url,inj3ct0r.com/exploits/11708 || url,doc.emergingthreats.net/2011098 +1 || 2011099 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_players.php lgsl_path Parameter Remote File Inclusion || url,exploit-db.com/exploits/11888 || url,doc.emergingthreats.net/2011099 +1 || 2011100 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DaFun Spirit lgsl_settings.php lgsl_path Parameter Remote File Inclusion || url,exploit-db.com/exploits/11888 || url,doc.emergingthreats.net/2011100 +1 || 2011101 || 7 || trojan-activity || 0 || ET MALWARE Recuva User-Agent (OpenPage) - likely trojan dropper || url,doc.emergingthreats.net/2011101 +1 || 2011103 || 10 || trojan-activity || 0 || ET TROJAN Exploit kit download payload likely Hiloti Gozi FakeAV etc || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D || url,doc.emergingthreats.net/2011103 +1 || 2011104 || 10 || trojan-activity || 0 || ET TROJAN Exploit kit attack activity likely hostile || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FHiloti.gen%21D || url,doc.emergingthreats.net/2011104 +1 || 2011105 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (i-scan) || url,doc.emergingthreats.net/2011105 +1 || 2011106 || 5 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (lineguide) || url,doc.emergingthreats.net/2011106 +1 || 2011107 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress WP-Cumulus Plugin tagcloud.swf Cross-Site Scripting Attempt || url,doc.emergingthreats.net/2011107 +1 || 2011108 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter SELECT FROM SQL Injection Attempt || url,www.securiteam.com/securitynews/6T00C0AN5G.html || url,doc.emergingthreats.net/2011108 +1 || 2011109 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter DELETE FROM SQL Injection Attempt || url,www.securiteam.com/securitynews/6T00C0AN5G.html || url,doc.emergingthreats.net/2011109 +1 || 2011110 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UNION SELECT SQL Injection Attempt || url,www.securiteam.com/securitynews/6T00C0AN5G.html || url,doc.emergingthreats.net/2011110 +1 || 2011111 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter INSERT INTO SQL Injection Attempt || url,www.securiteam.com/securitynews/6T00C0AN5G.html || url,doc.emergingthreats.net/2011111 +1 || 2011112 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfire Jabber-Server type Parameter UPDATE SET SQL Injection Attempt || url,www.securiteam.com/securitynews/6T00C0AN5G.html || url,doc.emergingthreats.net/2011112 +1 || 2011113 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Business Objects Crystal Reports Web Form Viewer Directory Traversal Attempt || url,secunia.com/advisories/11803/ || bugtraq,10260 || url,doc.emergingthreats.net/2011113 +1 || 2011114 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ARISg errmsg Parameter Cross Site Scripting Attempt || bugtraq,38441 || url,secunia.com/advisories/38793 || url,doc.emergingthreats.net/2011114 +1 || 2011115 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cPanel fileop Parameter Cross Site Scripting Attempt || bugtraq,37394 || url,vupen.com/english/advisories/2009/3608 || url,doc.emergingthreats.net/2011115 +1 || 2011116 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gallo gfw_smarty.php gfwroot Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/12488 || bugtraq,39890 || url,doc.emergingthreats.net/2011116 +1 || 2011117 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PowerEasy ComeUrl Parameter Cross Site Scripting Attempt || bugtraq,39696 || url,secunia.com/advisories/39627 || url,doc.emergingthreats.net/2011117 +1 || 2011118 || 4 || trojan-activity || 0 || ET DELETED Suspicious User Agent Maxthon || url,doc.emergingthreats.net/2011118 +1 || 2011120 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (Save) || url,poweredbysave.com +1 || 2011121 || 6 || trojan-activity || 0 || ET TROJAN Phoenix Exploit Kit Facebook phishing page payload could be ZeuS || url,malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html || url,doc.emergingthreats.net/2011121 +1 || 2011122 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible SQL injection obfuscated via REVERSE function || url,snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html || url,doc.emergingthreats.net/2011122 +1 || 2011123 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (Yodao Desktop Dict) || url,doc.emergingthreats.net/2011123 +1 || 2011124 || 15 || non-standard-protocol || 0 || ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced) || url,doc.emergingthreats.net/2011124 +1 || 2011125 || 7 || not-suspicious || 0 || ET POLICY Maxthon Browser Background Agent UA (MxAgent) || url,doc.emergingthreats.net/2011125 +1 || 2011126 || 5 || attempted-user || 0 || ET ACTIVEX Possible VMware Console ActiveX Format String Remote Code Execution Attempt || url,dsecrg.com/pages/vul/show.php?id=153 || url,lists.vmware.com/pipermail/security-announce/2010/000090.html || cve,2009-3732 || url,doc.emergingthreats.net/2011126 +1 || 2011127 || 8 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (InTeRNeT) || url,doc.emergingthreats.net/2011127 +1 || 2011128 || 4 || trojan-activity || 0 || ET TROJAN Eleonore Exploit Pack activity variant May 2010 || url,www.offensivecomputing.net/?q=node/1419 || url,doc.emergingthreats.net/2010248 +1 || 2011129 || 6 || attempted-user || 0 || ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Attempt || url,doc.emergingthreats.net/2011129 +1 || 2011130 || 4 || attempted-user || 0 || ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Function Call Attempt || url,doc.emergingthreats.net/2011130 +1 || 2011131 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla jwmmxtd Component mosConfig_absolute_path Parameter Remote File Inclusion || url,exploit-db.com/exploits/11845 || url,doc.emergingthreats.net/2011131 +1 || 2011132 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_universal Component Remote File Inclusion || url,exploit-db.com/exploits/11865 || bugtraq,38949 || url,doc.emergingthreats.net/2011132 +1 || 2011133 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/12514 || bugtraq,39925 || url,doc.emergingthreats.net/2011133 +1 || 2011134 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/12514 || bugtraq,39925 || url,doc.emergingthreats.net/2011134 +1 || 2011135 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/12514 || bugtraq,39925 || url,doc.emergingthreats.net/2011135 +1 || 2011136 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/12514 || bugtraq,39925 || url,doc.emergingthreats.net/2011136 +1 || 2011137 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke viewslink module sid Parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/12514 || bugtraq,39925 || url,doc.emergingthreats.net/2011137 +1 || 2011138 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XAMPP showcode.php TEXT Parameter Cross Site Scripting Attempt || bugtraq,37997 || url,doc.emergingthreats.net/2011138 +1 || 2011139 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS XAMPP xamppsecurity.phpp TEXT Parameter Cross Site Scripting Attempt || bugtraq,37997 || url,doc.emergingthreats.net/2011139 +1 || 2011140 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JE Ajax Event Calendar view Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/12598 || url,doc.emergingthreats.net/2011140 +1 || 2011141 || 3 || attempted-recon || 0 || ET WEB_SERVER PHP Easteregg Information-Disclosure (phpinfo) || url,osvdb.org/12184 || url,www.0php.com/php_easter_egg.php || url,seclists.org/nmap-dev/2010/q2/569 || url,doc.emergingthreats.net/2011141 +1 || 2011142 || 3 || attempted-recon || 0 || ET WEB_SERVER PHP Easteregg Information-Disclosure (php-logo) || url,osvdb.org/12184 || url,www.0php.com/php_easter_egg.php || url,seclists.org/nmap-dev/2010/q2/569 || url,doc.emergingthreats.net/2011142 +1 || 2011143 || 3 || attempted-recon || 0 || ET WEB_SERVER PHP Easteregg Information-Disclosure (zend-logo) || url,osvdb.org/12184 || url,www.0php.com/php_easter_egg.php || url,seclists.org/nmap-dev/2010/q2/569 || url,doc.emergingthreats.net/2011143 +1 || 2011144 || 3 || attempted-recon || 0 || ET WEB_SERVER PHP Easteregg Information-Disclosure (funny-logo) || url,osvdb.org/12184 || url,www.0php.com/php_easter_egg.php || url,seclists.org/nmap-dev/2010/q2/569 || url,doc.emergingthreats.net/2011144 +1 || 2011145 || 3 || web-application-attack || 0 || ET WEB_SERVER 3Com Intelligent Management Center Cross Site Scripting Attempt || url,securitytracker.com/alerts/2010/May/1024022.html || url,support.3com.com/documents/netmgr/imc/3Com_IMC_readme_plat_3.30-SP2.html || url,www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-02 || url,doc.emergingthreats.net/2011145 +1 || 2011146 || 5 || policy-violation || 0 || ET MALWARE User-Agent (Download Master) - Possible Malware Downloader || url,www.httpuseragent.org/list/Download+Master-n727.htm || url,www.westbyte.com/dm/ || url,doc.emergingthreats.net/2011146 +1 || 2011148 || 5 || trojan-activity || 0 || ET TROJAN Unknown Malware Download Request || url,www.prevx.com/filenames/X22210989379038527-X1/GR_OLD_CR.EXE.html || url,doc.emergingthreats.net/2011148 +1 || 2011149 || 7 || trojan-activity || 0 || ET MALWARE User-Agent (webcount) || url,doc.emergingthreats.net/2011149 +1 || 2011150 || 3 || trojan-activity || 0 || ET DELETED UPS Spam Inbound Variant 2 || url,doc.emergingthreats.net/201150 +1 || 2011151 || 3 || trojan-activity || 0 || ET DELETED UPS Spam Inbound Variant 3 || url,doc.emergingthreats.net/2011151 +1 || 2011152 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Consona Products n6plugindestructor.asp Cross Site Scripting Attempt || bugtraq,39999 || url,juniper.net/security/auto/vulnerabilities/vuln39999.html || url,doc.emergingthreats.net/2011152 +1 || 2011153 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ektron CMS400.NET reterror.aspx info Parameter Cross Site Scripting Attempt || bugtraq,39679 || url,secunia.com/advisories/39547/ || url,doc.emergingthreats.net/2011153 +1 || 2011154 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Ektron CMS400.NET medialist.aspx selectids Parameter Cross Site Scripting Attempt || bugtraq,39679 || url,secunia.com/advisories/39547/ || url,doc.emergingthreats.net/2011154 +1 || 2011155 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/39404/ || url,doc.emergingthreats.net/2011155 +1 || 2011156 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/39404/ || url,doc.emergingthreats.net/2011156 +1 || 2011157 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/39404/ || url,doc.emergingthreats.net/2011157 +1 || 2011158 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/39404/ || url,doc.emergingthreats.net/2011158 +1 || 2011159 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RJ-iTop Network Vulnerabilities Scan System id UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/39404/ || url,doc.emergingthreats.net/2011159 +1 || 2011160 || 4 || web-application-attack || 0 || ET WEB_SERVER Apache Axis2 xsd Parameter Directory Traversal Attempt || bugtraq,40343 || url,doc.emergingthreats.net/2011160 +1 || 2011161 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HotNews hnmain.inc.php3 incdir Parameter Remote File Inclusion Attempt || url,inj3ct0r.com/exploits/11731 || url,exploit-db.com/exploits/12160 || url,doc.emergingthreats.net/2011161 +1 || 2011162 || 5 || trojan-activity || 0 || ET TROJAN IRC Potential bot update/download via ftp command || url,doc.emergingthreats.net/2011162 +1 || 2011164 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 29o3 CMS pageDescriptionObject.php LibDir Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/12558 || bugtraq,40049 || url,doc.emergingthreats.net/2011164 || cve,2010-1922 +1 || 2011165 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 29o3 CMS layoutHeaderFuncs.php LibDir Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/12558 || bugtraq,40049 || url,doc.emergingthreats.net/2011165 +1 || 2011167 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 29o3 CMS layoutParser.php LibDir Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/12558 || bugtraq,40049 || url,doc.emergingthreats.net/2011167 +1 || 2011168 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt || bugtraq,39992 || url,doc.emergingthreats.net/2011168 +1 || 2011169 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt || bugtraq,39992 || url,doc.emergingthreats.net/2011169 +1 || 2011170 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt || bugtraq,39992 || url,doc.emergingthreats.net/2011170 +1 || 2011171 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt || bugtraq,39992 || url,doc.emergingthreats.net/2011171 +1 || 2011172 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke FriendSend module sid Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/1005-exploits/phpnukefriend-sql.txt || bugtraq,39992 || url,doc.emergingthreats.net/2011172 +1 || 2011173 || 11 || misc-attack || 0 || ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt || url,www.exploit-db.com/exploits/13808/ || url,doc.emergingthreats.net/2011173 || cve,2010-1885 +1 || 2011174 || 3 || web-application-attack || 0 || ET WEB_SERVER SQL Injection Attempt (Agent CZxt2s) || url,doc.emergingthreats.net/2011174 +1 || 2011175 || 5 || web-application-attack || 0 || ET WEB_SERVER Casper Bot Search RFI Scan || url,doc.emergingthreats.net/2011175 +1 || 2011176 || 4 || web-application-attack || 0 || ET DELETED MaMa CaSpEr RFI Scan || url,doc.emergingthreats.net/2011176 +1 || 2011178 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAV Download with Cookie WinSec || url,www.virustotal.com/analisis/6b5ff522ddf418a5cca87ebd924736774c1a58a9b51bb44ee72dac01f0db317a-1278686791 || url,doc.emergingthreats.net/2011178 +1 || 2011179 || 5 || trojan-activity || 0 || ET TROJAN Generic Checkin - MSCommonInfoEx || url,doc.emergingthreats.net/2011179 +1 || 2011180 || 4 || trojan-activity || 0 || ET TROJAN Phoenix Exploit Kit pdfopen.pdf || url,doc.emergingthreats.net/2011180 +1 || 2011181 || 4 || trojan-activity || 0 || ET TROJAN Phoenix Exploit Kit pdfswf.pdf || url,doc.emergingthreats.net/2011181 +1 || 2011182 || 4 || trojan-activity || 0 || ET TROJAN Phoenix Exploit Kit - libtiff.pdf || url,doc.emergingthreats.net/2011182 +1 || 2011183 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Phoenix Exploit Kit malware payload download || url,doc.emergingthreats.net/2011183 +1 || 2011184 || 4 || trojan-activity || 0 || ET TROJAN Phoenix Exploit Kit VBscript download || url,doc.emergingthreats.net/2011184 +1 || 2011185 || 2 || trojan-activity || 0 || ET DELETED Nine Ball Infection Ping Outbound || url,doc.emergingthreats.net/2011185 +1 || 2011186 || 6 || trojan-activity || 0 || ET TROJAN Nine Ball Infection ya.ru Post || url,www.martinsecurity.net/page/3 || url,doc.emergingthreats.net/2011186 +1 || 2011187 || 3 || trojan-activity || 0 || ET DELETED Nine Ball Infection Posting Data || url,www.martinsecurity.net/page/3 || url,doc.emergingthreats.net/2011187 +1 || 2011188 || 5 || trojan-activity || 0 || ET TROJAN Nine Ball User-Agent Detected (NQX315) || url,doc.emergingthreats.net/2011188 +1 || 2011189 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible Cisco IOS HTTP Server Cross Site Scripting Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=17364 || url,www.cisco.com/en/US/products/products_security_response09186a0080a5c501.html || cve,2008-3821 || url,doc.emergingthreats.net/2011189 +1 || 2011190 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module cindefn.php Cross Site Scripting Attempt || url,dsecrg.com/pages/vul/show.php?id=154 || url,doc.emergingthreats.net/2011190 +1 || 2011191 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_management_policy_options.php Cross Site Scripting Attempt || url,dsecrg.com/pages/vul/show.php?id=154 || url,doc.emergingthreats.net/2011191 +1 || 2011192 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module pm_temp.php Cross Site Scripting Attempt || url,dsecrg.com/pages/vul/show.php?id=154 || url,doc.emergingthreats.net/2011192 +1 || 2011193 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module power_module.php Cross Site Scripting Attempt || url,dsecrg.com/pages/vul/show.php?id=154 || url,doc.emergingthreats.net/2011193 +1 || 2011194 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module blade_leds.php Cross Site Scripting Attempt || url,dsecrg.com/pages/vul/show.php?id=154 || url,doc.emergingthreats.net/2011194 +1 || 2011195 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible IBM BladeCenter Management Module ipmi_bladestatus.php Cross Site Scripting Attempt || url,dsecrg.com/pages/vul/show.php?id=154 || url,doc.emergingthreats.net/2011195 +1 || 2011196 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid ICount Remote Code Execution Attempt || url,www.zerodayinitiative.com/advisories/ZDI-10-085/ || cve,2010-1554 || url,doc.emergingthreats.net/2011196 +1 || 2011197 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid MaxAge Remote Code Execution Attempt || url,www.zerodayinitiative.com/advisories/ZDI-10-084/ || cve,2010-1553 || url,doc.emergingthreats.net/2011197 +1 || 2011198 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible HP OpenView Network Node Manager Getnnmdata.exe Invalid Hostname Remote Code Execution Attempt || url,www.zerodayinitiative.com/advisories/ZDI-10-086/ || cve,2010-1555 || url,doc.emergingthreats.net/2011198 +1 || 2011199 || 2 || trojan-activity || 0 || ET TROJAN Outbound AVISOSVB MSSQL Request || url,www.threatexpert.com/report.aspx?md5=1f5b6d6d94cc6272c937045e22e6d192 || url,doc.emergingthreats.net/2011199 +1 || 2011200 || 3 || attempted-user || 0 || ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt || url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php || url,exploit-db.com/exploits/12294 || url,doc.emergingthreats.net/2011200 +1 || 2011201 || 3 || attempted-user || 0 || ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt || url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php || url,exploit-db.com/exploits/12294 || url,doc.emergingthreats.net/2011201 +1 || 2011202 || 3 || attempted-user || 0 || ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt || url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php || url,exploit-db.com/exploits/12294 || url,doc.emergingthreats.net/2011202 +1 || 2011203 || 3 || attempted-user || 0 || ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt || url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php || url,exploit-db.com/exploits/12294 || url,doc.emergingthreats.net/2011203 +1 || 2011204 || 3 || attempted-user || 0 || ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt || url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php || url,exploit-db.com/exploits/12294 || url,doc.emergingthreats.net/2011204 +1 || 2011205 || 3 || attempted-user || 0 || ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt || url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php || url,exploit-db.com/exploits/12294 || url,doc.emergingthreats.net/2011205 +1 || 2011206 || 3 || attempted-user || 0 || ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call || url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php || url,exploit-db.com/exploits/12294 || url,doc.emergingthreats.net/2011206 +1 || 2011207 || 2 || web-application-attack || 0 || ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Head Method Buffer Overflow Attempt || url,exploit-db.com/exploits/14215/ || bugtraq,41343 || url,doc.emergingthreats.net/2011207 +1 || 2011208 || 3 || attempted-user || 0 || ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call || url,exploit-db.com/exploits/14215/ || bugtraq,41343 || url,doc.emergingthreats.net/2011208 +1 || 2011209 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/65117 || cve,CVE-2010-2145 || url,doc.emergingthreats.net/2011209 +1 || 2011210 || 6 || attempted-user || 0 || ET ACTIVEX ComponentOne VSFlexGrid ActiveX Control Archive Method Buffer Overflow Attempt || url,exploit-db.com/exploits/12673 || url,doc.emergingthreats.net/2011210 +1 || 2011211 || 4 || attempted-user || 0 || ET ACTIVEX AtHocGov IWSAlerts ActiveX Control Buffer Overflow Function Call Attempt || url,metasploit.com/modules/exploit/windows/browser/athocgov_completeinstallation || url,athoc.com/products/IWSAlerts_overview.aspx || url,doc.emergingthreats.net/2011211 +1 || 2011212 || 6 || attempted-user || 0 || ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control Buffer Overflow Attempt || url,www.kb.cert.org/vuls/id/602801 || bugtraq,40006 || url,juniper.net/security/auto/vulnerabilities/vuln40006.html || url,doc.emergingthreats.net/2011212 +1 || 2011213 || 4 || attempted-user || 0 || ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control BOF Function Call || url,www.kb.cert.org/vuls/id/602801 || bugtraq,40006 || url,juniper.net/security/auto/vulnerabilities/vuln40006.html || url,doc.emergingthreats.net/2011213 +1 || 2011214 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ArdeaCore pathForArdeaCore Parameter Remote File Inclusion Attempt || bugtraq,40811 || url,vupen.com/english/advisories/2010/1444 || url,exploit-db.com/exploits/13832/ || url,doc.emergingthreats.net/2011214 +1 || 2011215 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Campsite article_id Parameter SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/39580/ || url,doc.emergingthreats.net/2011215 +1 || 2011216 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Campsite article_id Parameter DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/39580/ || url,doc.emergingthreats.net/2011216 +1 || 2011217 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Campsite article_id Parameter UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/39580/ || url,doc.emergingthreats.net/2011217 +1 || 2011218 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Campsite article_id Parameter INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/39580/ || url,doc.emergingthreats.net/2011218 +1 || 2011219 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Campsite article_id Parameter UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/39580/ || url,doc.emergingthreats.net/2011219 +1 || 2011220 || 3 || trojan-activity || 0 || ET DELETED Executable requested from /wp-content/languages || url,www.malewareurl.com || url,doc.emergingthreats.net/2011220 +1 || 2011221 || 3 || trojan-activity || 0 || ET DELETED FakeAV Served To Client || url,doc.emergingthreats.net/2011221 +1 || 2011222 || 3 || bad-unknown || 0 || ET DELETED Malvertising drive by kit encountered - bmb cookie || url,doc.emergingthreats.net/2011222 +1 || 2011223 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading... || url,doc.emergingthreats.net/2011223 +1 || 2011224 || 4 || bad-unknown || 0 || ET DELETED Malvertising drive by kit collecting browser info || url,doc.emergingthreats.net/2011224 +1 || 2011225 || 6 || policy-violation || 0 || ET POLICY Suspicious User Agent (AskInstallChecker) || url,doc.emergingthreats.net/2011225 +1 || 2011226 || 5 || trojan-activity || 0 || ET MALWARE Sogou Toolbar Checkin || url,doc.emergingthreats.net/2011225 +1 || 2011227 || 4 || trojan-activity || 0 || ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers || url,doc.emergingthreats.net/2011227 +1 || 2011228 || 3 || trojan-activity || 0 || ET DELETED Trojan.StartPage activity || url,doc.emergingthreats.net/2011228 +1 || 2011229 || 6 || trojan-activity || 0 || ET MALWARE User-Agent (Suggestion) || url,doc.emergingthreats.net/2011229 +1 || 2011230 || 4 || bad-unknown || 0 || ET DELETED MALVERTISING client requesting drive by - /x/?src= || url,doc.emergingthreats.net/2011230 +1 || 2011231 || 5 || bad-unknown || 0 || ET DELETED MALVERTISING client requesting redirect to drive by - .php?c=cust || url,doc.emergingthreats.net/2011231 +1 || 2011232 || 7 || trojan-activity || 0 || ET P2P p2p Related User-Agent (eChanblard) || url,doc.emergingthreats.net/2011232 +1 || 2011233 || 2 || trojan-activity || 0 || ET TROJAN Troxen GetSpeed Request || url,www.threatexpert.com/report.aspx?md5=af89d15930fe59dcb621069abc83cc66 || url,doc.emergingthreats.net/2011233 +1 || 2011234 || 4 || trojan-activity || 0 || ET TROJAN Cosmu Process Dump Report || url,doc.emergingthreats.net/2011234 +1 || 2011235 || 2 || attempted-admin || 0 || ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt || url,www.exploit-db.com/exploits/14379/ || url,www.zerodayinitiative.com/advisories/ZDI-10-129/ || url,www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=7006374&sliceId=2&docTypeID=DT_TID_1_1&dialogID=155271264&stateId=0 0 155267598 || url,doc.emergingthreats.net/2011235 +1 || 2011236 || 4 || trojan-activity || 0 || ET TROJAN Trojan-Downloader Win32.Genome.avan || url,doc.emergingthreats.net/2011236 +1 || 2011238 || 6 || trojan-activity || 0 || ET MALWARE User-Agent (Mozilla/4.0 (SP3 WINLD)) || url,doc.emergingthreats.net/2011238 +1 || 2011239 || 3 || attempted-user || 0 || ET DELETED Possible Microsoft Windows Shortcut LNK File Automatic File Execution Attempt Via WebDAV || url,support.microsoft.com/kb/2286198 || url,www.kb.cert.org/vuls/id/940193 || url,tools.cisco.com/security/center/viewAlert.x?alertId=20918 || cve,2010-2568 || url,doc.emergingthreats.net/2011239 +1 || 2011240 || 5 || misc-attack || 0 || ET WEB_CLIENT Mozilla Firefox Window.Open Document URI Spoofing Attempt || url,www.mozilla.org/security/announce/2010/mfsa2010-45.html || url,bugzilla.mozilla.org/show_bug.cgi?id=556957 || cve,2010-1206 || url,doc.emergingthreats.net/2011240 +1 || 2011241 || 2 || not-suspicious || 0 || ET EXPLOIT M3U File Request Flowbit Set || url,doc.emergingthreats.net/2011241 +1 || 2011242 || 3 || attempted-user || 0 || ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt || url,securitytracker.com/alerts/2010/Jul/1024172.html || url,doc.emergingthreats.net/2011242 +1 || 2011243 || 4 || web-application-attack || 0 || ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like, planetwork) || url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ || url,doc.emergingthreats.net/2011243 +1 || 2011244 || 5 || web-application-attack || 0 || ET WEB_SERVER Bot Search RFI Scan (ByroeNet/Casper-Like sun4u) || url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ || url,doc.emergingthreats.net/2011244 +1 || 2011245 || 3 || bad-unknown || 0 || ET WEB_CLIENT PDF Containing Windows Commands Downloaded || url,doc.emergingthreats.net/2011245 +1 || 2011246 || 4 || bad-unknown || 0 || ET WEB_CLIENT Likely Malicious PDF Containing StrReverse || url,doc.emergingthreats.net/2011246 +1 || 2011247 || 6 || trojan-activity || 0 || ET MALWARE Likely Hostile User-Agent (Forthgoer) || url,doc.emergingthreats.net/2011247 +1 || 2011248 || 6 || trojan-activity || 0 || ET MALWARE User-Agent (XieHongWei-HttpDown/2.0) || url,doc.emergingthreats.net/2011248 +1 || 2011249 || 6 || web-application-attack || 0 || ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt || url,exploit-db.com/exploits/14309/ || url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt || url,doc.emergingthreats.net/2011249 +1 || 2011250 || 4 || web-application-attack || 0 || ET ACTIVEX Image22 ActiveX DrawIcon Method Buffer Overflow Attempt || url,exploit-db.com/exploits/14321/ || url,doc.emergingthreats.net/2011250 +1 || 2011251 || 7 || web-application-attack || 0 || ET ACTIVEX FathFTP ActiveX Control GetFromURL Method Buffer Overflow Attempt || url,exploit-db.com/exploits/14269/ || url,doc.emergingthreats.net/2011251 +1 || 2011252 || 5 || web-application-attack || 0 || ET DELETED FathFTP ActiveX Control RasIsConnected Method Buffer Overflow Attempt || url,exploit-db.com/exploits/14269/ || url,doc.emergingthreats.net/2011252 +1 || 2011253 || 6 || attempted-user || 0 || ET ACTIVEX Registry OCX ActiveX FullPath Method Buffer Overflow Attempt || url,exploit-db.com/exploits/14200/ || url,doc.emergingthreats.net/2011253 +1 || 2011254 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Redaxo CMS index.inc.php Remote File Inclusion Attempt || url,vupen.com/english/advisories/2010/0942 || url,exploit-db.com/exploits/12276 || url,doc.emergingthreats.net/2011254 +1 || 2011255 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Redaxo CMS specials.inc.php Remote File Inclusion Attempt || url,vupen.com/english/advisories/2010/0942 || url,exploit-db.com/exploits/12276 || url,doc.emergingthreats.net/2011255 +1 || 2011256 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FireStats window-add-excluded-ip.php Cross Site Scripting Attempt || url,secunia.com/advisories/40569/ || url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html || url,doc.emergingthreats.net/2011256 +1 || 2011257 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FireStats window-add-excluded-url.php Cross Site Scripting Attempt || url,secunia.com/advisories/40569/ || url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html || url,doc.emergingthreats.net/2011257 +1 || 2011258 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FireStats window-new-edit-site.php Cross Site Scripting Attempt || url,secunia.com/advisories/40569/ || url,h.ackack.net/more-0day-wordpress-security-leaks-in-firestats.html || url,doc.emergingthreats.net/2011258 +1 || 2011259 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt || url,www.exploit-db.com/exploits/9350/ || url,vupen.com/english/advisories/2009/2136 || url,doc.emergingthreats.net/2011259 +1 || 2011262 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/40665/ || url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt || url,doc.emergingthreats.net/2011262 +1 || 2011263 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/40665/ || url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt || url,doc.emergingthreats.net/2011263 +1 || 2011264 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/40665/ || url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt || url,doc.emergingthreats.net/2011264 +1 || 2011265 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/40665/ || url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt || url,doc.emergingthreats.net/2011265 +1 || 2011266 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Group-Office comment_id Parameter UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/40665/ || url,packetstormsecurity.org/1007-exploits/groupoffice-sql.txt || url,doc.emergingthreats.net/2011266 +1 || 2011268 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oracle Business Process Management context Parameter Cross Site Scripting Attempt || url,exploit-db.com/exploits/14369/ || url,secunia.com/advisories/40605 || url,doc.emergingthreats.net/2011268 +1 || 2011269 || 6 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Small || url,doc.emergingthreats.net/2011269 +1 || 2011270 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Possible Microsoft Windows .lnk File Processing WebDAV Arbitrary Code Execution Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=20918 || url,www.kb.cert.org/vuls/id/940193 || url,www.microsoft.com/technet/security/advisory/2286198.mspx || cve,2010-2568 || url,doc.emergingthreats.net/2011270 +1 || 2011271 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (CustomSpy) || url,doc.emergingthreats.net/2011271 +1 || 2011272 || 5 || trojan-activity || 0 || ET TROJAN Win32/Chekafe.A or Related Infection Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32/Chekafe.A || url,doc.emergingthreats.net/2011272 +1 || 2011273 || 5 || trojan-activity || 0 || ET DELETED User-Agent (GM Login) || url,doc.emergingthreats.net/2011273 +1 || 2011274 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OpenX phpAdsNew phpAds_geoPlugin Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/14432/ || url,inj3ct0r.com/exploits/13426 || url,doc.emergingthreats.net/2011274 +1 || 2011275 || 5 || policy-violation || 0 || ET DELETED Akamai Redswoosh CLIOnlineManager Connection Detected || url,doc.emergingthreats.net/2011275 +1 || 2011276 || 7 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (InfoBot) || url,doc.emergingthreats.net/2011276 +1 || 2011277 || 8 || trojan-activity || 0 || ET TROJAN Rogue.Win32/Winwebsec Checkin || url,doc.emergingthreats.net/2011277 +1 || 2011278 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Cosmu.xet || url,www.threatexpert.com/report.aspx?md5=f39554f3afe92dca3597efc1f7709ad4 +1 || 2011279 || 3 || trojan-activity || 0 || ET MALWARE User-Agent (browserbob.com) +1 || 2011280 || 3 || bad-unknown || 0 || ET WEB_SERVER Phoenix Exploit Kit - Admin Login Page Detected Outbound +1 || 2011281 || 2 || bad-unknown || 0 || ET WEB_CLIENT phoenix exploit kit - admin login page detected +1 || 2011282 || 3 || trojan-activity || 0 || ET USER_AGENTS Suspicious User Agent (ScrapeBox) +1 || 2011283 || 4 || trojan-activity || 0 || ET MALWARE User-Agent (TALWinInetHTTPClient) +1 || 2011285 || 4 || web-application-attack || 0 || ET WEB_SERVER Bot Search RFI Scan (Casper-Like, Jcomers Bot scan) || url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ || url,doc.emergingthreats.net/2011285 +1 || 2011286 || 4 || web-application-attack || 0 || ET WEB_SERVER Bot Search RFI Scan (Casper-Like MaMa Cyber/ebes) || url,eromang.zataz.com/2010/07/13/byroenet-casper-bot-search-e107-rce-scanner/ || url,doc.emergingthreats.net/2011286 +1 || 2011287 || 3 || web-application-attack || 0 || ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server || url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp || url,doc.emergingthreats.net/2011287 +1 || 2011289 || 3 || web-application-attack || 0 || ET WEB_SERVER Local Website Infected By Gootkit || url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp || url,doc.emergingthreats.net/2011285 +1 || 2011290 || 6 || web-application-attack || 0 || ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server || url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp || url,doc.emergingthreats.net/2011286 +1 || 2011291 || 3 || web-application-attack || 0 || ET WEB_SERVER Asprox Spambot SQL-Injection Atempt +1 || 2011293 || 7 || trojan-activity || 0 || ET MALWARE Suspicious User Agent (GabPath) +1 || 2011294 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Win32.FraudPack.aweo || url,www.threatexpert.com/report.aspx?md5=4bc4c32a8d93c29b026bbfb24ccecd14 +1 || 2011295 || 7 || trojan-activity || 0 || ET TROJAN Butterfly/Mariposa Bot client init connection +1 || 2011296 || 2 || trojan-activity || 0 || ET TROJAN Butterfly/Mariposa Bot Join Acknowledgment +1 || 2011297 || 3 || trojan-activity || 0 || ET MALWARE User-Agent (KRMAK) Butterfly Bot download +1 || 2011300 || 3 || trojan-activity || 0 || ET TROJAN Stuxnet index.php || url,research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html +1 || 2011302 || 3 || bad-unknown || 0 || ET DELETED MALVERTISING request to media.fastclick.net.* host +1 || 2011303 || 1 || bad-unknown || 0 || ET DELETED MALVERTISING request to js.zedo.com.* host +1 || 2011304 || 1 || bad-unknown || 0 || ET DELETED MALVERTISING request to view.ads.* host +1 || 2011305 || 1 || bad-unknown || 0 || ET DELETED MALVERTISING request to adnet.media.* host +1 || 2011306 || 1 || bad-unknown || 0 || ET DELETED MALVERTISING request to adfarm.mediaplex.com.* host +1 || 2011307 || 2 || bad-unknown || 0 || ET DELETED DRIVEBY bredolab - hidden div served by nginx +1 || 2011311 || 4 || policy-violation || 0 || ET CURRENT_EVENTS request for hide-my-ip.com autoupdate +1 || 2011312 || 3 || policy-violation || 0 || ET CURRENT_EVENTS hide-my-ip.com POST version check +1 || 2011324 || 3 || policy-violation || 0 || ET CURRENT_EVENTS Games.jar Download Suspicious Possible Exploit Attempt +1 || 2011325 || 3 || policy-violation || 0 || ET DELETED Notes1.pdf Download Suspicious Possible Exploit Attempt +1 || 2011326 || 2 || policy-violation || 0 || ET CURRENT_EVENTS NewGames.jar Download Suspicious Possible Exploit Attempt +1 || 2011328 || 4 || web-application-attack || 0 || ET EXPLOIT HP OpenView Network Node Manager OvJavaLocale Cookie Value Buffer Overflow Attempt || url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow || bugtraq,42154 || cve,2010-2709 +1 || 2011329 || 5 || bad-unknown || 0 || ET WEB_CLIENT Possible PDF Launch Function Remote Code Execution Attempt with Name Representation Obfuscation || url,www.kb.cert.org/vuls/id/570177 || url,www.h-online.com/security/news/item/Criminals-attempt-to-exploit-unpatched-hole-in-Adobe-Reader-979286.html || url,www.sudosecure.net/archives/673 || url,www.h-online.com/security/news/item/Adobe-issues-official-workaround-for-PDF-vulnerability-971932.html || url,blog.didierstevens.com/2010/03/31/escape-from-foxit-reader/ || url,www.m86security.com/labs/i/PDF-Launch-Feature-Used-to-Install-Zeus,trace.1301~.asp || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011330 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Fragus - landing page delivered +1 || 2011334 || 6 || bad-unknown || 0 || ET MALWARE User-Agent (C\:\\WINDOWS\\system32\\NetLogom.exe) +1 || 2011335 || 3 || trojan-activity || 0 || ET TROJAN Sality Variant Checkin Activity || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU || url,www.threatexpert.com/report.aspx?md5=f39d0a669ad98b95370a4f525d7d79ec +1 || 2011336 || 4 || trojan-activity || 0 || ET TROJAN Sality Variant Downloader Activity || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3AWin32%2FSality.AU || url,www.threatexpert.com/report.aspx?md5=f39d0a669ad98b95370a4f525d7d79ec +1 || 2011337 || 3 || trojan-activity || 0 || ET TROJAN Sality Variant Downloader Activity (2) || url,www.threatexpert.com/report.aspx?md5=76cf08503cdd036850bcc4f29f64022f || url,www.threatexpert.com/report.aspx?md5=579f2e29434218d62d31625d369cbc42 +1 || 2011338 || 3 || trojan-activity || 0 || ET TROJAN Sality Variant Downloader Activity (3) || url,www.threatexpert.com/report.aspx?md5=438bcb3c4a304b65419674ce8775d8a3 +1 || 2011339 || 2 || bad-unknown || 0 || ET DELETED PHARMSPAM image requested layout viagra_super_active.jpg +1 || 2011341 || 6 || trojan-activity || 0 || ET TROJAN Suspicious POST to WINDOWS Folder Possible Malware Infection +1 || 2011342 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Malvertising DRIVEBY Fragus Admin Panel Delivered To Client +1 || 2011343 || 3 || bad-unknown || 0 || ET WEB_CLIENT FakeAV scanner page encountered Initializing Virus Protection System +1 || 2011344 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS POST to /x48/x58/ Possible Zeus Version 3 Command and Control Server Traffic || url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp || url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf +1 || 2011345 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Zeus Version 3 Infection Posting Banking HTTP Log to Command and Control Server || url,www.m86security.com/labs/i/Customers-of-Global-Financial-Institution-Hit-by-Cybercrime,trace.1431~.asp || url,www.m86security.com/documents/pdfs/security_labs/cybercriminals_target_online_banking.pdf +1 || 2011346 || 7 || shellcode-detect || 0 || ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray || url,www.w3schools.com/jsref/jsref_unescape.asp || url,isc.sans.org/diary.html?storyid=7906 || url,isc.sans.org/diary.html?storyid=7903 || url,malzilla.sourceforge.net/tutorial01/index.html || url,doc.emergingthreats.net/2011346 +1 || 2011347 || 2 || bad-unknown || 0 || ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt || url,www.w3schools.com/jsref/jsref_fromCharCode.asp || url,www.roseindia.net/javascript/method-fromcharcode.shtml || url,isc.sans.org/diary.html?storyid=7906 || url,isc.sans.org/diary.html?storyid=7903 +1 || 2011348 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit +1 || 2011349 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit +1 || 2011350 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits +1 || 2011351 || 2 || bad-unknown || 0 || ET DELETED Driveby bredolab server response contains .ru 8080/index.php? +1 || 2011353 || 2 || bad-unknown || 0 || ET DELETED Driveby bredolab jquery.jxx +1 || 2011354 || 3 || bad-unknown || 0 || ET DELETED Driveby bredolab request to a .ru 8080 URI +1 || 2011355 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx +1 || 2011357 || 3 || trojan-activity || 0 || ET TROJAN FakeAV SetupSecure Download Attempt SetupSecure || url,www.malwareurl.com/listing.php?domain=virus-scanner-6.com +1 || 2011358 || 4 || web-application-attack || 0 || ET WEB_SERVER ColdFusion Path Traversal (locale 1/5) || url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964 || url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ || cve,CVE-2010-2861 || url,www.exploit-db.com/exploits/14641/ +1 || 2011359 || 5 || web-application-attack || 0 || ET WEB_SERVER ColdFusion Path Traversal (locale 2/5) || url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964 || url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ || cve,CVE-2010-2861 || url,www.exploit-db.com/exploits/14641/ +1 || 2011360 || 5 || web-application-attack || 0 || ET WEB_SERVER ColdFusion Path Traversal (locale 3/5) || url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964 || url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ || cve,CVE-2010-2861 || url,www.exploit-db.com/exploits/14641/ +1 || 2011362 || 5 || web-application-attack || 0 || ET WEB_SERVER ColdFusion Path Traversal (locale 5/5) || url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964 || url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ || cve,CVE-2010-2861 || url,www.exploit-db.com/exploits/14641/ +1 || 2011364 || 5 || trojan-activity || 0 || ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host POSTing process list +1 || 2011365 || 10 || trojan-activity || 0 || ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host checkin +1 || 2011366 || 2 || attempted-user || 0 || ET WEB_CLIENT Possible Apple Quicktime Invalid SMIL URI Buffer Overflow Attempt || url,securitytracker.com/alerts/2010/Aug/1024336.html || bugtraq,41962 || cve,2010-1799 +1 || 2011367 || 1 || bad-unknown || 0 || ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN FIN) +1 || 2011368 || 1 || bad-unknown || 0 || ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN RST) +1 || 2011369 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY phoenix exploit kit landing page +1 || 2011370 || 3 || trojan-activity || 0 || ET TROJAN Stupid Stealer C&C Communication (1) || url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb +1 || 2011371 || 3 || trojan-activity || 0 || ET TROJAN Stupid Stealer C&C Communication (2) || url,amada.abuse.ch/?search=f4bf4fb71d0846b0d43f22f0a77253fb +1 || 2011373 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS FakeAV client requesting fake scanner page +1 || 2011374 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.co.cc domain +1 || 2011375 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.cz.cc domain +1 || 2011377 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SaurusCMS com_del.php class_path Parameter Remote File Inclusion Attempt || url,inj3ct0r.com/exploits/13665 +1 || 2011378 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter SELECT FROM SQL Injection Attempt || bugtraq,41377 +1 || 2011380 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UNION SELECT SQL Injection Attempt || bugtraq,41377 +1 || 2011381 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter INSERT INTO SQL Injection Attempt || bugtraq,41377 +1 || 2011382 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter UPDATE SET SQL Injection Attempt || bugtraq,41377 +1 || 2011383 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CSSTidy css_optimiser.php url Parameter Cross Site Scripting Attempt || url,secunia.com/advisories/40515/ || url,cross-site-scripting.blogspot.com/2010/07/impresscms-121-final-reflected-cross.html +1 || 2011384 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MAXcms fm_includes_special Parameter Remote File Inclusion Attempt || url,inj3ct0r.com/exploits/5609 || url,vupen.com/english/advisories/2009/2136 +1 || 2011385 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla NoticeBoard Component controller Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/12427 +1 || 2011387 || 5 || trojan-activity || 0 || ET TROJAN indux.php check-in +1 || 2011389 || 4 || web-application-activity || 0 || ET SCAN w3af Scan Remote File Include Retrieval || url,w3af.sourceforge.net +1 || 2011390 || 2 || web-application-activity || 0 || ET SCAN Nikto Scan Remote File Include Retrieval || url,cirt.net/nikto2 +1 || 2011391 || 9 || trojan-activity || 0 || ET MALWARE web shell detected +1 || 2011392 || 4 || trojan-activity || 0 || ET MALWARE User-Agent (http-get-demo) Possible Reverse Web Shell +1 || 2011393 || 3 || trojan-activity || 0 || ET MALWARE User-Agent (Microsoft Internet Explorer 6.0) Possible Reverse Web Shell +1 || 2011395 || 3 || trojan-activity || 0 || ET TROJAN wisp backdoor detected reporting +1 || 2011396 || 3 || trojan-activity || 0 || ET TROJAN FakeYak or Related Infection Checkin 1 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak +1 || 2011397 || 3 || trojan-activity || 0 || ET TROJAN FakeYak or Related Infection Checkin 2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3aWin32%2fFakeYak +1 || 2011398 || 3 || trojan-activity || 0 || ET TROJAN Yoyo-DDoS Bot Execute DDoS Command From CnC Server || url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/ +1 || 2011399 || 4 || trojan-activity || 0 || ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server || url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/ +1 || 2011400 || 3 || trojan-activity || 0 || ET TROJAN Yoyo-DDoS Bot Execute SYN Flood Command Message From CnC Server || url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/ +1 || 2011401 || 1 || trojan-activity || 0 || ET TROJAN Yoyo-DDoS Bot Unknown Command From CnC Server || url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/ +1 || 2011402 || 4 || denial-of-service || 0 || ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound || url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/ +1 || 2011403 || 3 || denial-of-service || 0 || ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound || url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/ +1 || 2011407 || 3 || bad-unknown || 0 || ET DNS DNS Query for Suspicious .com.ru Domain || url,sign.kaffenews.com/?p=104 +1 || 2011408 || 3 || bad-unknown || 0 || ET DNS DNS Query for Suspicious .com.cn Domain || url,sign.kaffenews.com/?p=104 +1 || 2011409 || 3 || bad-unknown || 0 || ET DNS DNS Query for Suspicious .co.cc Domain || url,sign.kaffenews.com/?p=104 +1 || 2011410 || 3 || bad-unknown || 0 || ET DNS DNS Query for Suspicious .cz.cc Domain || url,sign.kaffenews.com/?p=104 +1 || 2011411 || 3 || bad-unknown || 0 || ET DNS DNS Query for Suspicious .co.kr Domain || url,sign.kaffenews.com/?p=104 +1 || 2011412 || 2 || attempted-user || 0 || ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt || url,www.exploit-db.com/exploits/14843/ +1 || 2011413 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt || url,inj3ct0r.com/exploits/13365 +1 || 2011414 || 4 || trojan-activity || 0 || ET TROJAN Win32/Small.gen!AQ Communication with Controller || url,perpetualhorizon.blogspot.com/2010/08/shot-in-dark-analysis-of-failed-malware.html || url,www.threatexpert.com/report.aspx?md5=eb3140416c06fa8cb7851076dd100dfb || url,www.threatexpert.com/report.aspx?md5=8033dffa899dcd16769f389073f9f053 +1 || 2011415 || 4 || trojan-activity || 0 || ET DELETED General Trojan Downloader Request Observed || url,www.threatexpert.com/report.aspx?md5=3dd8193692b62a875985349b67da38c6 || url,www.threatexpert.com/report.aspx?md5=6c9ad4d06f72edcd2b301d66b25ad101 || url,www.threatexpert.com/report.aspx?md5=91fa03240b5a59853d0dad708055a7a8 +1 || 2011416 || 4 || trojan-activity || 0 || ET TROJAN General Trojan FakeAV Downloader +1 || 2011417 || 3 || bad-unknown || 0 || ET DELETED MALVERTISING Hidden iframe Redirecting to SEO Driveby Site +1 || 2011419 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS FAKEAV landing page - sector.hdd.png no-repeat +1 || 2011420 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS FAKEAV client requesting image - sector.hdd.png +1 || 2011421 || 2 || bad-unknown || 0 || ET DELETED FAKEAV redirecting to fake scanner page - /?777 +1 || 2011422 || 2 || attempted-recon || 0 || ET VOIP Possible Modified Sipvicious OPTIONS Scan || url,code.google.com/p/sipvicious/ || url,blog.sipvicious.org/ +1 || 2011423 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cacti cacti/utilities.php Cross Site Scripting Attempt || bid,42575 || cve,2010-2544 || cve,2010-2545 +1 || 2011424 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible SQL Injection Using MSSQL sp_configure Command || url,technet.microsoft.com/en-us/library/ms188787.aspx || url,technet.microsoft.com/en-us/library/ms190693.aspx +1 || 2011425 || 4 || web-application-attack || 0 || ET DELETED Possible Attempt to Create MSSQL SOAP/HTTP Endpoint in URI to Allow for Operating System Interaction || url,msdn.microsoft.com/en-us/library/ms345123.aspx +1 || 2011426 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter SELECT FROM SQL Injection Attempt || bugtraq,41204 +1 || 2011427 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter DELETE FROM SQL Injection Attempt || bugtraq,41204 +1 || 2011428 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UNION SELECT SQL Injection Attempt || bugtraq,41204 +1 || 2011429 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter INSERT INTO SQL Injection Attempt || bugtraq,41204 +1 || 2011450 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS V-EVA Classified Script clsid Parameter UPDATE SET SQL Injection Attempt || bugtraq,41204 +1 || 2011451 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla JGrid Component File Inclusion Attempt || url,secunia.com/advisories/40987/ || url,exploit-db.com/exploits/14656/ +1 || 2011452 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dance Studio Manager dailyview.php date Parameter Cross Site Scripting Attempt || url,inj3ct0r.com/exploits/13770 +1 || 2011453 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Fusion maincore.php folder_level Parameter Local File Inclusion Attempt || url,inj3ct0r.com/exploits/13709 +1 || 2011454 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/14712/ +1 || 2011456 || 3 || misc-activity || 0 || ET WEB_CLIENT PROPFIND Flowbit Set +1 || 2011457 || 6 || attempted-user || 0 || ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share, Possible DLL Preloading Exploit Attempt || url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html || url,www.us-cert.gov/cas/techalerts/TA10-238A.html || url,www.microsoft.com/technet/security/advisory/2269637.mspx || url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx || url,blog.metasploit.com/2010/08/better-faster-stronger.html || url,blog.rapid7.com/?p=5325 +1 || 2011464 || 4 || web-application-attack || 0 || ET WEB_SERVER /bin/csh In URI Possible Shell Command Execution Attempt +1 || 2011465 || 7 || web-application-attack || 0 || ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt +1 || 2011466 || 5 || web-application-attack || 0 || ET WEB_SERVER /bin/tsh In URI Possible Shell Command Execution Attempt +1 || 2011467 || 5 || web-application-attack || 0 || ET WEB_SERVER /bin/ksh In URI Possible Shell Command Execution Attempt +1 || 2011468 || 4 || bad-unknown || 0 || ET DELETED MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit +1 || 2011469 || 6 || bad-unknown || 0 || ET DELETED MALVERTISING trafficbiztds.com - client receiving redirect to exploit kit +1 || 2011470 || 3 || trojan-activity || 0 || ET TROJAN Daurso FTP Credential Theft Reported || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso || url,xanalysis.blogspot.com/2009/07/9121219837-badness.html || url,www.threatexpert.com/report.aspx?md5=348ba619aab3a92b99701335f95fe2a7 || url,www.threatexpert.com/report.aspx?md5=8be56dbd057c3bde42ae804bfd647bb6 +1 || 2011471 || 3 || trojan-activity || 0 || ET TROJAN Daurso Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaurso || url,xanalysis.blogspot.com/2009/07/9121219837-badness.html || url,www.threatexpert.com/report.aspx?md5=348ba619aab3a92b99701335f95fe2a7 || url,www.threatexpert.com/report.aspx?md5=8be56dbd057c3bde42ae804bfd647bb6 +1 || 2011472 || 2 || bad-unknown || 0 || ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt || url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/ || url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/ || url,seclists.org/fulldisclosure/2010/Sep/64 +1 || 2011473 || 4 || trojan-activity || 0 || ET TROJAN Antivirus2010 Checkin port 8082 || url,blog.emsisoft.com/2010/08/09/antivirus2010-userinit-and-then-some-more/ || url,doc.emergingthreats.net/2011473 +1 || 2011474 || 3 || trojan-activity || 0 || ET DELETED FakeAV Checkin +1 || 2011475 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS FAKEAV scanner page enocuntered - .hdd_icon +1 || 2011478 || 5 || attempted-user || 0 || ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt || url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/ || url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx || bid,42136 || cve,2010-1900 +1 || 2011479 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS MALVERTISING redirect to exploit kit (unoeuro server) +1 || 2011480 || 4 || trojan-activity || 0 || ET TROJAN IMDDOS Botnet User-Agent STORMDDOS || url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf +1 || 2011481 || 4 || trojan-activity || 0 || ET TROJAN IMDDOS Botnet User-Agent IAMDDOS || url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf +1 || 2011482 || 5 || trojan-activity || 0 || ET TROJAN IMDDOS Botnet User-Agent kav || url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf +1 || 2011483 || 4 || trojan-activity || 0 || ET TROJAN IMDDOS Botnet User-Agent YTDDOS || url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf +1 || 2011484 || 4 || trojan-activity || 0 || ET TROJAN IMDDOS Botnet User-Agent i am ddos || url,www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf +1 || 2011485 || 2 || attempted-user || 0 || ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt || url,service.real.com/realplayer/security/08262010_player/en/ || url,www.exploit-db.com/moaub-13-realplayer-flv-parsing-multiple-integer-overflow/ || bugtraq,42775 || cve,2010-3000 +1 || 2011486 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Phoenix landing page - valium +1 || 2011487 || 2 || bad-unknown || 0 || ET FTP Suspicious Percentage Symbol Usage in FTP Username || url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html +1 || 2011488 || 1 || bad-unknown || 0 || ET FTP Suspicious Quotation Mark Usage in FTP Username || url,www.checkpoint.com/defense/advisories/public/2010/sbp-16-Aug.html +1 || 2011489 || 5 || trojan-activity || 0 || ET TROJAN Meredrop/Nusump Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FNusump&ThreatID=-2147329857 || url,www.threatexpert.com/report.aspx?md5=ef0616d75bd892ed69fe22a510079686 || url,www.threatexpert.com/report.aspx?md5=463cdec2df12a04d6ea1d015746ee950 +1 || 2011490 || 3 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Zlob.bgs Checkin(1) || url,threatexpert.com/report.aspx?md5=ffdcea0ed88d47bc21d71040f9289ef4 +1 || 2011491 || 3 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Zlob.bgs Checkin(2) || url,threatexpert.com/report.aspx?md5=ffdcea0ed88d47bc21d71040f9289ef4 +1 || 2011492 || 2 || trojan-activity || 0 || ET TROJAN Adware.Kraddare Checkin +1 || 2011493 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit Attempt || url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well || url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/ || url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/ || url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/ || url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html || url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/ || url,doc.emergingthreats.net/2011493 +1 || 2011494 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OpenX OpenFlashChart Remote Exploit - possible Access to uploaded Files || url,www.afterdawn.com/news/article.cfm/2010/09/12/vulnerability_in_openx_advertisement_server_afterdawn_s_ads_affected_as_well || url,www.esarcasm.com/17960/no-esarcasm-is-not-a-tool-of-satan-or-malware-authors/ || url,www.thinq.co.uk/2010/9/13/pirate-bay-cracked-spread-malware/ || url,www.kreativrauschen.com/blog/2010/09/09/critical-vulnerability-in-openx-286-open-flash-chart-2/ || url,www.heise.de/newsticker/meldung/Ein-Jahr-alte-Luecke-gefaehrdet-OpenX-Ad-Server-1077941.html || url,www.kreativrauschen.de/blog/2010/09/09/kritische-sicherheitsluecke-in-openx-2-8-6-open-flash-chart-2/ || url,doc.emergingthreats.net/2011494 +1 || 2011495 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Executable Download named to be .com FQDN || url,malwareurl.com +1 || 2011496 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Executable Download named to be FQDN || url,malwareurl.com +1 || 2011497 || 4 || attempted-recon || 0 || ET SCAN Hydra User-Agent || url,freeworld.thc.org/thc-hydra +1 || 2011499 || 4 || bad-unknown || 0 || ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash, Possibly Related to Remote Code Execution Attempt || url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/ || cve,2010-1297 || cve,2010-2201 +1 || 2011500 || 2 || attempted-user || 0 || ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt || url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/ || bugtraq,41237 || cve,2010-2201 +1 || 2011501 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Possible Adobe CoolType Smart INdependent Glyplets - SING - Table uniqueName Stack Buffer Overflow Attempt || url,contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html || cve,2010-2883 +1 || 2011502 || 1 || misc-attack || 0 || ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt || url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt || url,securitytracker.com/alerts/2010/Sep/1024391.html +1 || 2011503 || 1 || misc-attack || 0 || ET EXPLOIT Sucessful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt || url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt || url,securitytracker.com/alerts/2010/Sep/1024391.html +1 || 2011504 || 3 || bad-unknown || 0 || ET WEB_CLIENT String Replace in PDF File, Likely Hostile || url,www.w3schools.com/jsref/jsref_replace.asp +1 || 2011505 || 3 || bad-unknown || 0 || ET WEB_CLIENT PDF With Embedded Flash, Possible Remote Code Execution Attempt || url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/ || cve,2010-1297 +1 || 2011506 || 3 || bad-unknown || 0 || ET WEB_CLIENT PDF With eval Function - Possibly Hostile || url,www.w3schools.com/jsref/jsref_eval.asp +1 || 2011507 || 7 || bad-unknown || 0 || ET WEB_CLIENT PDF With Embedded File || url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/ +1 || 2011509 || 2 || attempted-user || 0 || ET ACTIVEX Possible Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow Attempt || url,www.exploit-db.com/moaub-14-novell-iprint-client-browser-plugin-executerequest-debug-parameter-stack-overflow/ || bid,42100 || url,doc.emergingthreats.net/2011509 +1 || 2011510 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Eleonore - landing page +1 || 2011511 || 1 || denial-of-service || 0 || ET DOS ntop Basic-Auth DOS inbound || url,www.securityfocus.com/bid/36074 || url,www.securityfocus.com/archive/1/505862 || url,www.securityfocus.com/archive/1/505876 +1 || 2011512 || 1 || denial-of-service || 0 || ET DOS ntop Basic-Auth DOS outbound || url,www.securityfocus.com/bid/36074 || url,www.securityfocus.com/archive/1/505862 || url,www.securityfocus.com/archive/1/505876 +1 || 2011513 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Phoenix Exploit Kit - PROPFIND AVI +1 || 2011514 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Phoenix Exploit Kit - tmp/flash.swf +1 || 2011515 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Phoenix Exploit Kit - collab.pdf +1 || 2011517 || 3 || trojan-activity || 0 || ET MALWARE Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor) +1 || 2011518 || 3 || trojan-activity || 0 || ET MALWARE Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor) +1 || 2011519 || 2 || attempted-user || 0 || ET WEB_CLIENT Possible Adobe Acrobat Reader Newclass Invalid Pointer Remote Code Execution Attempt || url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/ || cve,2010-1297 +1 || 2011520 || 4 || trojan-activity || 0 || ET TROJAN Knock.php Shiz or Rohimafo CnC Server Contact URL || url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/ || url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6 || url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea || url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab +1 || 2011521 || 4 || trojan-activity || 0 || ET DELETED Shiz or Rohimafo config download || url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/ || url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6 || url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea || url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab +1 || 2011522 || 3 || trojan-activity || 0 || ET DELETED Shiz or Rohimafo config loaded || url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/ || url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6 || url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea || url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab +1 || 2011523 || 3 || trojan-activity || 0 || ET TROJAN Shiz or Rohimafo Reporting Listening Socket to CnC Server || url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/ || url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6 || url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea || url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab +1 || 2011524 || 3 || trojan-activity || 0 || ET DELETED Knok.php Shiz or Rohimafo Host Information Submission to CnC Server || url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/ || url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6 || url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea || url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab +1 || 2011525 || 3 || not-suspicious || 0 || ET POLICY OpenSSL Demo Cert Exchange +1 || 2011526 || 1 || suspicious-filename-detect || 0 || ET NETBIOS windows recycler request - suspicious || url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC || url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FFakerecy.A || url,support.microsoft.com/kb/971029 +1 || 2011527 || 4 || suspicious-filename-detect || 0 || ET NETBIOS windows recycler .exe request - suspicious || url,about-threats.trendmicro.com/ArchiveMalware.aspx?name=WORM_AUTORUN.ZBC || url,www.symantec.com/connect/forums/virus-alert-crecyclers-1-5-21-1482476501-1644491937-682003330-1013svchostexe +1 || 2011528 || 6 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011529 || 6 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of Action || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011530 || 4 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of EmbeddedFile || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011531 || 4 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of Type || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011532 || 4 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of Javascript || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011533 || 4 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of URL || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011534 || 7 || attempted-user || 0 || ET DELETED PDF Name Representation Obfuscation of JBIG2Decode, Very Likely Memory Corruption Attempt || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ || url,blog.didierstevens.com/2009/03/01/quickpost-jbig2decode-signatures/ || bugtraq,33751 || cve,2009-0658 +1 || 2011535 || 4 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of JS || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011536 || 5 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of Pages || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011537 || 4 || bad-unknown || 0 || ET WEB_CLIENT PDF Name Representation Obfuscation of OpenAction || url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ +1 || 2011538 || 2 || attempted-user || 0 || ET WEB_CLIENT Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution Attempt || url,www.exploit-db.com/moaub-17-firefox-plugin-parameter-ensurecachedattrparamarrays-remote-code-execution/ || url,www.mozilla.org/security/announce/2010/mfsa2010-37.html || bugtraq,41842 || cve,2010-1214 +1 || 2011539 || 3 || not-suspicious || 0 || ET POLICY OpenSSL Demo CA - Internet Widgits Pty (CN) +1 || 2011540 || 4 || trojan-activity || 0 || ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) +1 || 2011541 || 4 || trojan-activity || 0 || ET POLICY OpenSSL Demo CA - Cryptsoft Pty (CN) +1 || 2011542 || 6 || bad-unknown || 0 || ET POLICY OpenSSL Demo CA - Cryptsoft Pty (O) +1 || 2011543 || 5 || attempted-user || 0 || ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt || url,exploit-db.com/download_pdf/15077 +1 || 2011544 || 7 || trojan-activity || 0 || ET TROJAN JAR Download From Crimepack Exploit Kit || url,doc.emergingthreats.net/2011544 || url,krebsonsecurity.com/tag/crimepack/ || url,www.offensivecomputing.net/?q=node/1572 +1 || 2011545 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Possible Client requesting fake scanner page /scan/?key= +1 || 2011546 || 2 || bad-unknown || 0 || ET DELETED FAKEAV client requesting fake scanner page +1 || 2011547 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AlstraSoft AskMe que_id Parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/14979/ +1 || 2011552 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FCMS familynews.php current_user_id Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/14965/ +1 || 2011553 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS FCMS settings.php current_user_id Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/14965/ +1 || 2011554 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_jphone Local File Inclusion Attempt || url,exploit-db.com/exploits/14964/ +1 || 2011555 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SnortReport nmap.php target Parameter Arbitrary Command Execution Attempt || url,osvdb.org/show/osvdb/67739 +1 || 2011556 || 1 || web-application-attack || 0 || ET DELETED ClearSite device_admin.php cs_base_path Parameter Remote File Inclusion Attempt || url,osvdb.org/show/osvdb/65117 || cve,CVE-2010-2145 +1 || 2011557 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/41047/ || url,exploit-db.com/exploits/14718/ +1 || 2011558 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/41047/ || url,exploit-db.com/exploits/14718/ +1 || 2011559 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component UPDATE SET SQL Injection Attempt || url,secunia.com/advisories/41047/ || url,exploit-db.com/exploits/14718/ +1 || 2011560 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/41047/ || url,exploit-db.com/exploits/14718/ +1 || 2011561 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_zoomportfolio component DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/41047/ || url,exploit-db.com/exploits/14718/ +1 || 2011562 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PithCMS oldnews_reader.php lang Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/13899/ +1 || 2011563 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DynPage dynpage_load.php file Parameter Local File Inclusion Attempt || url,secunia.com/advisories/41317/ +1 || 2011564 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Classifieds class.phpmailer.php lang_path Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/14893/ +1 || 2011565 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dompdf dompdf.php input_file Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/14851/ +1 || 2011566 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Easypush Server Manager addressbook.cgi page Parameter Cross Site Scripting Attempt || url,inj3ct0r.com/exploits/13944 +1 || 2011571 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt || url,inj3ct0r.com/exploits/13028 +1 || 2011572 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Plogger phpThumb.php h Parameter Remote File Disclosure Attempt || url,exploit-db.com/exploits/14636/ +1 || 2011573 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Plogger phpThumb.php src Parameter Remote File Disclosure Attempt || url,exploit-db.com/exploits/14636/ +1 || 2011574 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Plogger phpThumb.php w Parameter Remote File Disclosure Attempt || url,exploit-db.com/exploits/14636/ +1 || 2011575 || 2 || attempted-user || 0 || ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt || url,www.adobe.com/support/security/bulletins/apsb10-15.html || url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/ || bid,41236 || cve,2010-2168 +1 || 2011576 || 4 || trojan-activity || 0 || ET TROJAN nte Binary Download Attempt (multiple malware variants served) || url,www.malwaredomainlist.com || url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on +1 || 2011577 || 3 || trojan-activity || 0 || ET TROJAN DNSTrojan FakeAV Dropper Activity Observed (1) || url,www.abuse.ch/?p=2740 || url,www.abuse.ch/?p=2796 || url,www.threatexpert.com/report.aspx?md5=c59cdd1366dd5c2f448c03738ec0dc88 || url,www.threatexpert.com/report.aspx?md5=b93360ec3798215a5cca573747df0139 +1 || 2011578 || 3 || trojan-activity || 0 || ET TROJAN DNSTrojan FakeAV Dropper Activity Observed (2) || url,www.abuse.ch/?p=2740 || url,www.abuse.ch/?p=2796 || url,www.threatexpert.com/report.aspx?md5=c59cdd1366dd5c2f448c03738ec0dc88 || url,www.threatexpert.com/report.aspx?md5=b93360ec3798215a5cca573747df0139 +1 || 2011579 || 1 || bad-unknown || 0 || ET POLICY route1.com SSL certificate for remote access detected +1 || 2011581 || 9 || bad-unknown || 0 || ET POLICY Vulnerable Java Version 1.5.x Detected || url,javatester.org/version.html +1 || 2011582 || 33 || bad-unknown || 0 || ET POLICY Vulnerable Java Version 1.6.x Detected || url,javatester.org/version.html +1 || 2011583 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed || url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html || url,blog.fireeye.com/research/2010/06/neosploit_notes.html || url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html +1 || 2011584 || 11 || bad-unknown || 0 || ET POLICY Vulnerable Java Version 1.4.x Detected || url,javatester.org/version.html +1 || 2011585 || 3 || trojan-activity || 0 || ET TROJAN Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected || url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/ +1 || 2011588 || 19 || trojan-activity || 0 || ET TROJAN Zeus Bot Request to CnC || url,www.secureworks.com/research/threats/zeus/?threat=zeus || url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html +1 || 2011589 || 6 || web-application-attack || 0 || ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt || url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt +1 || 2011590 || 3 || attempted-user || 0 || ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call || url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt +1 || 2011591 || 3 || trojan-activity || 0 || ET TROJAN Potential-Hiloti/FakeAV site access +1 || 2011592 || 1 || trojan-activity || 0 || ET TROJAN Yoyo-DDoS Bot Download and Launch Executable Message From CnC Server || url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/ +1 || 2011666 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 29o3 CMS layoutManager.php LibDir Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/12558 || bugtraq,40049 || url,doc.emergingthreats.net/2011666 +1 || 2011667 || 6 || trojan-activity || 0 || ET ATTACK_RESPONSE Backdoor reDuh http initiate || url,www.sensepost.com/labs/tools/pentest/reduh || url,doc.emergingthreats.net/2011667 +1 || 2011668 || 6 || trojan-activity || 0 || ET ATTACK_RESPONSE Backdoor reDuh http tunnel || url,www.sensepost.com/labs/tools/pentest/reduh || url,doc.emergingthreats.net/2011668 +1 || 2011669 || 4 || attempted-admin || 0 || ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek || url,seclists.org/fulldisclosure/2010/Jun/176 || url,doc.emergingthreats.net/2011669 +1 || 2011670 || 3 || trojan-activity || 0 || ET DELETED Fake AV Related CSS Download || url,doc.emergingthreats.net/2011670 +1 || 2011672 || 4 || misc-attack || 0 || ET DELETED Adobe Flash 0Day Exploit Attempt || url,www.exploit-db.com/exploits/13787/ || url,doc.emergingthreats.net/2011672 +1 || 2011673 || 3 || attempted-dos || 0 || ET DOS Possible SolarWinds TFTP Server Read Request Denial Of Service Attempt || url,www.exploit-db.com/exploits/12683/ || url,doc.emergingthreats.net/2011673 +1 || 2011674 || 3 || attempted-dos || 0 || ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt || url,www.exploit-db.com/exploits/13836/ || url,doc.emergingthreats.net/2011674 +1 || 2011675 || 4 || attempted-user || 0 || ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcom Helper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt || url,www.securityfocus.com/bid/37759 || url,www.kb.cert.org/vuls/id/773545 || url,www.exploit-db.com/exploits/11172/ || url,www.adobe.com/support/security/bulletins/apsb10-02.html || cve,2009-3958 || url,doc.emergingthreats.net/2011675 +1 || 2011676 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Collaboration Server LoginPage.jhtml Cross Site Scripting Attempt || url,www.exploit-db.com/exploits/11403/ || cve,2010-0641 || url,doc.emergingthreats.net/2011676 +1 || 2011677 || 7 || trojan-activity || 0 || ET MALWARE MSIL.Amiricil.gen HTTP Checkin || url,www.threatexpert.com/report.aspx?md5=af0bbdf6097233e8688c5429aa97bbed || url,doc.emergingthreats.net/2011677 +1 || 2011678 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (HTTP_Query) || url,doc.emergingthreats.net/2011678 +1 || 2011679 || 6 || trojan-activity || 0 || ET MALWARE User-Agent (dbcount) || url,doc.emergingthreats.net/2011679 +1 || 2011680 || 6 || trojan-activity || 0 || ET DELETED Skype Easybits Extras Manager - Exploit || url,www.m86security.com/labs/traceitem.asp?article=1347 || url,doc.emergingthreats.net/2011680 +1 || 2011681 || 3 || attempted-user || 0 || ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call || url,secunia.com/advisories/40184/ || bugtraq,40535 || url,doc.emergingthreats.net/2011681 +1 || 2011690 || 7 || attempted-user || 0 || ET ACTIVEX Possible Sygate Personal Firewall ActiveX SetRegString Method Stack Overflow Attempt || url,www.exploit-db.com/exploits/13834/ || url,www.corelan.be#=#=8800/index.php/forum/security-advisories/10-050-sygate-personal-firewall-5-6-build-2808-activex/ || url,doc.emergingthreats.net/2011690 +1 || 2011691 || 6 || trojan-activity || 0 || ET MALWARE Hotbar Agent User-Agent (PinballCorp) || url,doc.emergingthreats.net/2011691 +1 || 2011692 || 3 || attempted-user || 0 || ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt || url,secunia.com/advisories/40184/ || bugtraq,40535 || url,doc.emergingthreats.net/10767 +1 || 2011693 || 5 || trojan-activity || 0 || ET TROJAN Fragus Exploit Kit Landing || url,jsunpack.jeek.org/dec/go?report=d60344851322218108076f1ad8d21435de9d5b7c || url,www.malwareurl.com || url,doc.emergingthreats.net/2011693 +1 || 2011694 || 9 || policy-violation || 0 || ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System || url,doc.emergingthreats.net/2011694 +1 || 2011695 || 4 || attempted-user || 0 || ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=19873 || url,tools.cisco.com/security/center/viewAlert.x?alertId=20610 || url,www.microsoft.com/technet/security/bulletin/ms10-035.mspx || url,www.coresecurity.com/content/internet-explorer-dynamic-object-tag || cve,2010-0255 || url,doc.emergingthreats.net/2011695 +1 || 2011696 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible JBoss JMX Console Beanshell Deployer WAR Upload and Deployment Exploit Attempt || url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now || cve,2010-0738 || url,doc.emergingthreats.net/2011696 +1 || 2011697 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS JBoss JMX Console Beanshell Deployer .WAR File Upload and Deployment Cross Site Request Forgery Attempt || url,www.redteam-pentesting.de/en/publications/jboss/-bridging-the-gap-between-the-enterprise-and-you-or-whos-the-jboss-now || cve,2010-0738 || url,doc.emergingthreats.net/2011697 +1 || 2011698 || 6 || web-application-attack || 0 || ET WEB_CLIENT Java Web Start Command Injection (.jar) || url,seclists.org/fulldisclosure/2010/Apr/119 || url,doc.emergingthreats.net/2011698 +1 || 2011699 || 4 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x) || url,www.transmissionbt.com || url,doc.emergingthreats.net/2011699 +1 || 2011700 || 4 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (KTorrent/3.x.x) || url,ktorrent.org || url,doc.emergingthreats.net/2011700 +1 || 2011701 || 6 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (Opera/10.x) || url,www.opera.com || url,doc.emergingthreats.net/2011701 +1 || 2011702 || 4 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (BitTornado) || url,www.bittornado.com || url,doc.emergingthreats.net/2011702 +1 || 2011703 || 6 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (Enhanced CTorrent 3.x) || url,www.rahul.net/dholmes/ctorrent || url,doc.emergingthreats.net/2011703 +1 || 2011704 || 5 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (Deluge 1.x.x) || url,deluge-torrent.org || url,doc.emergingthreats.net/2011704 +1 || 2011705 || 4 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (rTorrent) || url,libtorrent.rakshasa.no || url,doc.emergingthreats.net/2011705 +1 || 2011706 || 4 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (uTorrent) || url,www.utorrent.com || url,doc.emergingthreats.net/2011706 +1 || 2011707 || 4 || policy-violation || 0 || ET P2P Client User-Agent (Shareaza 2.x) || url,shareaza.sourceforge.net || url,doc.emergingthreats.net/2011707 +1 || 2011708 || 6 || policy-violation || 0 || ET GAMES Blizzard Downloader Client User-Agent (Blizzard Downloader 2.x) || url,www.worldofwarcraft.com/info/faq/blizzarddownloader.html || url,doc.emergingthreats.net/2011708 +1 || 2011710 || 4 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (BitComet) || url,www.bitcomet.com || url,doc.emergingthreats.net/2011710 +1 || 2011711 || 4 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (KTorrent 2.x) || url,ktorrent.org || url,doc.emergingthreats.net/2011711 +1 || 2011712 || 6 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (FDM 3.x) || url,www.freedownloadmanager.org || url,doc.emergingthreats.net/2011712 +1 || 2011713 || 4 || policy-violation || 0 || ET P2P Bittorrent P2P Client User-Agent (BTSP) || url,doc.emergingthreats.net/2011713 +1 || 2011714 || 6 || bad-unknown || 0 || ET DELETED Hidden iframe Served by nginx - Likely Hostile Code || url,doc.emergingthreats.net/2011714 +1 || 2011715 || 3 || trojan-activity || 0 || ET DELETED MALVERTISING Adobe Exploited Check-In || url,doc.emergingthreats.net/2011715 +1 || 2011716 || 3 || attempted-recon || 0 || ET SCAN Sipvicious User-Agent Detected (friendly-scanner) || url,code.google.com/p/sipvicious/ || url,blog.sipvicious.org/ || url,doc.emergingthreats.net/2011716 +1 || 2011718 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (RangeCheck/0.1) || url,doc.emergingthreats.net/2011718 +1 || 2011719 || 7 || trojan-activity || 0 || ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER) || url,doc.emergingthreats.net/2011719 || url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou +1 || 2011720 || 3 || attempted-recon || 0 || ET SCAN Possible WafWoof Web Application Firewall Detection Scan || url,code.google.com/p/waffit/ || url,doc.emergingthreats.net/2011720 +1 || 2011721 || 3 || attempted-recon || 0 || ET SCAN Possible Fast-Track Tool Spidering User-Agent Detected || url,www.offensive-security.com/metasploit-unleashed/Fast-Track-Modes || url,doc.emergingthreats.net/2011721 +1 || 2011722 || 3 || attempted-user || 0 || ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt || bugtraq,41078 || url,doc.emergingthreats.net/2011722 +1 || 2011723 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Webmoney Advisor ActiveX Redirect Method Remote DoS Attempt || url,exploit-db.com/exploits/12431 || url,doc.emergingthreats.net/2011723 +1 || 2011724 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Webmoney Advisor ActiveX Control DoS Function Call || url,exploit-db.com/exploits/12431 || url,doc.emergingthreats.net/2011724 +1 || 2011725 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EZPX photoblog tpl_base_dir Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/13890/ || url,vupen.com/english/advisories/2010/1497 || bugtraq,40881 || url,doc.emergingthreats.net/2011725 +1 || 2011726 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter SELECT FROM SQL Injection Attempt || bugtraq,40737 || url,exploit-db.com/exploits/13812/ || url,doc.emergingthreats.net/2011726 +1 || 2011727 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter DELETE FROM SQL Injection Attempt || bugtraq,40737 || url,exploit-db.com/exploits/13812/ || url,doc.emergingthreats.net/2011727 +1 || 2011728 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UNION SELECT SQL Injection Attempt || bugtraq,40737 || url,exploit-db.com/exploits/13812/ || url,doc.emergingthreats.net/2011728 +1 || 2011729 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter INSERT INTO SQL Injection Attempt || bugtraq,40737 || url,exploit-db.com/exploits/13812/ || url,doc.emergingthreats.net/2011729 +1 || 2011730 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter UPDATE SET SQL Injection Attempt || bugtraq,40737 || url,exploit-db.com/exploits/13812/ || url,doc.emergingthreats.net/2011730 +1 || 2011731 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SchoolMation studentmain.php session Parameter Cross Site Scripting Attempt || bugtraq,40737 || url,exploit-db.com/exploits/13812/ || url,doc.emergingthreats.net/2011731 +1 || 2011732 || 2 || attempted-dos || 0 || ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt || url,www.fortiguard.com/encyclopedia/vulnerability/vnc.server.clientcuttext.message.memory.corruption.html || url,doc.emergingthreats.net/2011732 +1 || 2011733 || 3 || policy-violation || 0 || ET GAMES TeamSpeak3 Connect || url,teamspeak.com || url,doc.emergingthreats.net/2011733 +1 || 2011734 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Connection/Login || url,teamspeak.com || url,doc.emergingthreats.net/2011734 +1 || 2011735 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Connection/Login Replay || url,teamspeak.com || url,doc.emergingthreats.net/2011735 +1 || 2011736 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Connection/Ping || url,teamspeak.com || url,doc.emergingthreats.net/2011736 +1 || 2011737 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Connection/Ping Reply || url,teamspeak.com || url,doc.emergingthreats.net/2011737 +1 || 2011738 || 4 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/Login Part 2 || url,teamspeak.com || url,doc.emergingthreats.net/2011738 +1 || 2011739 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/Channel List || url,teamspeak.com || url,doc.emergingthreats.net/2011739 +1 || 2011740 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/Player List || url,teamspeak.com || url,doc.emergingthreats.net/2011740 +1 || 2011741 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/Login End || url,teamspeak.com || url,doc.emergingthreats.net/2011741 +1 || 2011742 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/New Player Joined || url,teamspeak.com || url,doc.emergingthreats.net/2011742 +1 || 2011743 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/Player Left || url,teamspeak.com || url,doc.emergingthreats.net/2011743 +1 || 2011744 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/Change Status || url,teamspeak.com || url,doc.emergingthreats.net/2011744 +1 || 2011745 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/Known Player Update || url,teamspeak.com || url,doc.emergingthreats.net/2011745 +1 || 2011746 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 Standard/Disconnect || url,teamspeak.com || url,doc.emergingthreats.net/2011746 +1 || 2011747 || 3 || policy-violation || 0 || ET GAMES TeamSpeak2 ACK || url,teamspeak.com || url,doc.emergingthreats.net/2011747 +1 || 2011748 || 4 || policy-violation || 0 || ET GAMES TrackMania Game Launch || url,www.trackmania.com || url,doc.emergingthreats.net/2011748 +1 || 2011749 || 3 || policy-violation || 0 || ET GAMES TrackMania Game Check for Patch || url,www.trackmania.com || url,doc.emergingthreats.net/2011749 +1 || 2011750 || 4 || policy-violation || 0 || ET GAMES TrackMania Request GetConnectionAndGameParams || url,www.trackmania.com || url,doc.emergingthreats.net/2011750 +1 || 2011751 || 4 || policy-violation || 0 || ET GAMES TrackMania Request OpenSession || url,www.trackmania.com || url,doc.emergingthreats.net/2011751 +1 || 2011752 || 5 || policy-violation || 0 || ET GAMES TrackMania Request Connect || url,www.trackmania.com || url,doc.emergingthreats.net/2011752 +1 || 2011753 || 4 || policy-violation || 0 || ET GAMES TrackMania Request Disconnect || url,www.trackmania.com || url,doc.emergingthreats.net/2011753 +1 || 2011754 || 4 || policy-violation || 0 || ET GAMES TrackMania Request GetOnlineProfile || url,www.trackmania.com || url,doc.emergingthreats.net/2011754 +1 || 2011755 || 4 || policy-violation || 0 || ET GAMES TrackMania Request GetBuddies || url,www.trackmania.com || url,doc.emergingthreats.net/2011755 +1 || 2011756 || 4 || policy-violation || 0 || ET GAMES TrackMania Request SearchNew || url,www.trackmania.com || url,doc.emergingthreats.net/2011756 +1 || 2011757 || 4 || policy-violation || 0 || ET GAMES TrackMania Request LiveUpdate || url,www.trackmania.com || url,doc.emergingthreats.net/2011757 +1 || 2011758 || 3 || policy-violation || 0 || ET GAMES TrackMania Ad Report || url,www.trackmania.com || url,doc.emergingthreats.net/2011758 +1 || 2011759 || 4 || web-application-activity || 0 || ET WEB_SERVER TIEHTTP User-Agent || url,www.torry.net/authorsmore.php?id=4292 || url,doc.emergingthreats.net/2011759 +1 || 2011760 || 6 || bad-unknown || 0 || ET DELETED Likely FAKEAV scanner page encountered - i1000000.gif || url,doc.emergingthreats.net/2011760 +1 || 2011761 || 2 || attempted-dos || 0 || ET DOS Possible MySQL ALTER DATABASE Denial Of Service Attempt || url,securitytracker.com/alerts/2010/Jun/1024160.html || url,dev.mysql.com/doc/refman/5.1/en/alter-database.html || cve,2010-2008 || url,doc.emergingthreats.net/2011761 +1 || 2011763 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible Cisco PIX/ASA HTTP Web Interface HTTP Response Splitting Attempt || url,www.secureworks.com/ctu/advisories/SWRX-2010-001/ || url,tools.cisco.com/security/center/viewAlert.x?alertId=20737 || cve,2008-7257 || url,doc.emergingthreats.net/2011763 +1 || 2011764 || 4 || attempted-user || 0 || ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=20815 || url,reversemode.com/index.php?option=com_content&task=view&id=68&Itemid=1 || url,doc.emergingthreats.net/2011764 +1 || 2011765 || 3 || bad-unknown || 0 || ET POLICY eval(function(p a c k e d) JavaScript from nginx Detected - Likely Hostile || url,doc.emergingthreats.net/2011765 +1 || 2011766 || 3 || attempted-recon || 0 || ET SCAN Modified Sipvicious User-Agent Detected (sundayddr) || url,honeynet.org.au/?q=sunday_scanner || url,code.google.com/p/sipvicious/ || url,blog.sipvicious.org/ || url,doc.emergingthreats.net/2011766 +1 || 2011767 || 3 || attempted-dos || 0 || ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected || url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/ +1 || 2011768 || 6 || web-application-attack || 0 || ET WEB_SERVER PHP tags in HTTP POST || url,isc.sans.edu/diary.html?storyid=9478 +1 || 2011769 || 5 || trojan-activity || 0 || ET TROJAN Shiz/Rohimafo Binary Download Request || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2 || url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/ || url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6 || url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea || url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab || url,doc.emergingthreats.net/2010793 +1 || 2011791 || 4 || trojan-activity || 0 || ET TROJAN Shiz/Rohimafo Checkin || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2 || url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/ || url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6 || url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea || url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab || url,doc.emergingthreats.net/2010791 +1 || 2011792 || 5 || trojan-activity || 0 || ET DELETED Shiz/Rohimafo Proxy Registration || url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2 || url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/ || url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6 || url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea || url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab +1 || 2011794 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iScripts MultiCart orderid Parameter DELETE FROM SQL Injection Attempt || bugtraq,41377 +1 || 2011795 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Driveby Bredolab - client requesting java exploit +1 || 2011796 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Driveby Bredolab - landing page +1 || 2011797 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Driveby Bredolab - client exploited by acrobat +1 || 2011798 || 3 || trojan-activity || 0 || ET TROJAN carberp check in +1 || 2011799 || 7 || trojan-activity || 0 || ET TROJAN Carberp checkin task || url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/ || url,www.honeynet.org/node/578 || url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2 || url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb || url,www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85 || url,www.threatexpert.com/report.aspx?md5=1d0d38dd63551a30eda664611ed4958b || url,www.threatexpert.com/report.aspx?md5=6f89b98729483839283d04b82055dc44 || url,www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36 +1 || 2011800 || 8 || trojan-activity || 0 || ET POLICY Abnormal User-Agent No space after colon - Likely Hostile +1 || 2011801 || 2 || web-application-attack || 0 || ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt || url,exploit-db.com/exploits/14599/ || url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt +1 || 2011802 || 3 || bad-unknown || 0 || ET DNS DNS Lookup for localhost.DOMAIN.TLD +1 || 2011803 || 5 || shellcode-detect || 0 || ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2011804 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible UDP x86 JMP to CALL Shellcode Detected || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2011806 || 4 || web-application-attack || 0 || ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit || url,netifera.com/research/ || url,www.microsoft.com/technet/security/advisory/2416728.mspx +1 || 2011807 || 6 || web-application-attack || 0 || ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit || url,netifera.com/research/ || url,www.microsoft.com/technet/security/advisory/2416728.mspx +1 || 2011808 || 3 || attempted-recon || 0 || ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected || url,code.google.com/p/inspathx/ || url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/ +1 || 2011809 || 5 || attempted-recon || 0 || ET SCAN Inspathx Path Disclosure Scan || url,code.google.com/p/inspathx/ || url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/ +1 || 2011810 || 1 || bad-unknown || 0 || ET DELETED MALVERTISING redirect to eleonore exploit kit +1 || 2011811 || 3 || trojan-activity || 0 || ET DELETED ZeuS http client library detected +1 || 2011812 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS SEO Exploit Kit - Landing Page +1 || 2011813 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS SEO Exploit Kit - client exploited +1 || 2011814 || 3 || bad-unknown || 0 || ET DELETED SEO Exploit Kit - client exploited by SMB +1 || 2011815 || 2 || bad-unknown || 0 || ET DELETED SEO Exploit Kit - client exploited by Acrobat +1 || 2011816 || 16 || trojan-activity || 0 || ET DELETED Zeus POST Request to CnC || url,www.secureworks.com/research/threats/zeus/?threat=zeus || url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html +1 || 2011817 || 3 || trojan-activity || 0 || ET DELETED Zeus GET Request to CnC +1 || 2011818 || 4 || trojan-activity || 0 || ET DELETED Zeus http client library detected +1 || 2011819 || 1 || bad-unknown || 0 || ET POLICY Zero Content-Length HTTP POST with data (outbound) +1 || 2011820 || 3 || trojan-activity || 0 || ET TROJAN Fake AV CnC Checkin cycle_report || url,www.threatexpert.com/report.aspx?md5=fa078834dd3b4c6604d12823a6f9f17e +1 || 2011821 || 1 || denial-of-service || 0 || ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected outbound || url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/ +1 || 2011822 || 1 || denial-of-service || 0 || ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected inbound || url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/ +1 || 2011823 || 1 || denial-of-service || 0 || ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected outbound 2 || url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/ +1 || 2011824 || 2 || denial-of-service || 0 || ET CURRENT_EVENTS User-Agent used in known DDoS Attacks Detected inbound 2 || url,www.linuxquestions.org/questions/linux-security-4/massive-ddos-need-advice-help-795298/ +1 || 2011825 || 9 || trojan-activity || 0 || ET TROJAN MUROFET/Licat Trojan || url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html +1 || 2011826 || 2 || web-application-attack || 0 || ET DELETED Pre Projects E-Smart Cart login.asp Arbitrary SQL Command Injection Attempt || url,juniper-federal.org/security/auto/vulnerabilities/vuln37418.html || url,exploit-db.com/exploits/14376 +1 || 2011827 || 4 || trojan-activity || 0 || ET TROJAN Xilcter/Zeus related malware dropper reporting in +1 || 2011828 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 724CMS section.php Module Parameter Local File inclusion Attempt || url,packetstormsecurity.org/1005-exploits/724cms459-lfi.txt +1 || 2011829 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(1) || url,inj3ct0r.com/exploits/12674 +1 || 2011830 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MyOWNspace getfeed.php file Parameter Local File Inclusion Attempt(2) || url,inj3ct0r.com/exploits/12674 +1 || 2011831 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMS Board site_path Parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/1010-exploits/cmsboard-rfi.txt +1 || 2011832 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter SELECT FROM SQL Injection Attempt || url,inj3ct0r.com/exploits/14205 +1 || 2011833 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter DELETE FROM SQL Injection Attempt || url,inj3ct0r.com/exploits/14205 +1 || 2011834 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UNION SELECT SQL Injection Attempt || url,inj3ct0r.com/exploits/14205 +1 || 2011835 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter UPDATE SET SQL Injection Attempt || url,inj3ct0r.com/exploits/14205 +1 || 2011836 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OvBB admincp.php smilieid Parameter INSERT INTO SQL Injection Attempt || url,inj3ct0r.com/exploits/14205 +1 || 2011837 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS A6MamboHelpDesk Admin.a6mambohelpdesk.php Remote File inclusion Attempt || bugtraq,19198 || cve,CVE-2006-3930 +1 || 2011838 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt +1 || 2011839 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt +1 || 2011840 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt +1 || 2011841 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt +1 || 2011842 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Fusion mguser fotoalbum album_id Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.com/1010-exploits/phpfusionmguser-sql.txt +1 || 2011843 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BaconMap updatelist.php filepath Local File Inclusion Attempt || url,packetstormsecurity.com/1010-exploits/baconmap10-lfi.txt +1 || 2011844 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_rwcards mosConfig_absolute_path Remote File Inclusion Attempt || url,packetstormsecurity.com/1010-exploits/joomlarwcards-rfi.txt +1 || 2011845 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Lantern CMS intPassedLocationID Parameter Cross Site Scripting Attempt || bugtraq,43865 +1 || 2011846 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OrangeHRM uri Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/15232 +1 || 2011847 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt || url,inj3ct0r.com/exploits/12835 +1 || 2011848 || 5 || trojan-activity || 0 || ET TROJAN Win32/Comotor.A!dll Reporting 1 || url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b || url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593 +1 || 2011849 || 4 || trojan-activity || 0 || ET TROJAN Win32/Comotor.A!dll Reporting 2 || url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b || url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593 +1 || 2011850 || 4 || trojan-activity || 0 || ET TROJAN Carberp file download +1 || 2011851 || 7 || trojan-activity || 0 || ET TROJAN Carberp CnC Reply no tasks +1 || 2011852 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Cross Site Scripting Attempt || bugtraq,44370 +1 || 2011853 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS W-Agora search.php bn Parameter Local File Inclusion Attempt || bugtraq,44370 +1 || 2011854 || 3 || not-suspicious || 0 || ET POLICY Java JAR file download +1 || 2011855 || 2 || bad-unknown || 0 || ET POLICY Java JAR Download Attempt || url,blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx +1 || 2011856 || 3 || trojan-activity || 0 || ET MALWARE HTML.Psyme.Gen Reporting || url,threatexpert.com/report.aspx?md5=de1adb1df396863e7e3967271e7db734 +1 || 2011857 || 6 || trojan-activity || 0 || ET TROJAN SpyEye C&C Check-in URI || url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot || url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/ +1 || 2011858 || 12 || trojan-activity || 0 || ET TROJAN Likely Hostile HTTP Header GET structure +1 || 2011860 || 2 || attempted-admin || 0 || ET WEB_SPECIFIC_APPS Oracle Fusion Middleware BPEL Console Cross Site Scripting || bid,43954 || cve,2010-3581 +1 || 2011861 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Bredolab CnC URL Detected || url,blog.fireeye.com/.a/6a00d835018afd53ef013488839529970c-pi +1 || 2011862 || 4 || trojan-activity || 0 || ET TROJAN Feodo Banking Trojan Account Details Post || url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more +1 || 2011863 || 5 || trojan-activity || 0 || ET DELETED Feodo Banking Trojan Receiving Configuration File || url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html +1 || 2011864 || 2 || attempted-user || 0 || ET WEB_CLIENT Possible Oracle Java APPLET Tag Children Property Memory Corruption Attempt || url,code.google.com/p/skylined/issues/detail?id=18 || url,www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html +1 || 2011865 || 3 || bad-unknown || 0 || ET WEB_CLIENT Embedded Executable File in PDF - This Program Cannot Be Run in DOS Mode +1 || 2011866 || 4 || bad-unknown || 0 || ET WEB_CLIENT Suspicious Embedded Shockwave Flash In PDF +1 || 2011867 || 2 || attempted-user || 0 || ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt || url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/ +1 || 2011868 || 3 || bad-unknown || 0 || ET WEB_CLIENT Possible Javascript obfuscation using app.setTimeOut in PDF in Order to Run Code || url,www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?page=4 || url,www.vicheck.ca/md5query.php?hash=6932d141916cd95e3acaa3952c7596e4 +1 || 2011869 || 2 || web-application-attack || 0 || ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt || url,exploit-db.com/exploits/15071 +1 || 2011870 || 2 || attempted-user || 0 || ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Format String Function Call || url,exploit-db.com/exploits/15071/ +1 || 2011871 || 1 || policy-violation || 0 || ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage || url,thedailywtf.com/Articles/Submit-WTF-Code-Directly-From-Your-IDE.aspx || url,code.google.com/p/submittotdwtf/source/browse/trunk/ +1 || 2011872 || 3 || trojan-activity || 0 || ET MALWARE User-Agent (Gbot) +1 || 2011873 || 4 || trojan-activity || 0 || ET DELETED Suspicious HTTP GET to JPG with query string +1 || 2011874 || 3 || policy-violation || 0 || ET POLICY NSPlayer User-Agent Windows Media Player streaming detected || url,msdn.microsoft.com/en-us/library/cc234851 +1 || 2011875 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/15309/ +1 || 2011876 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/15309/ +1 || 2011877 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/15309/ +1 || 2011878 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/15309/ +1 || 2011879 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DBHcms editmenu Parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/15309/ +1 || 2011880 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt || cve,CVE-2010-2315 || url,exploit-db.com/exploits/12855/ +1 || 2011881 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt || url,exploit-db.com/exploits/11903/ +1 || 2011882 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt || url,exploit-db.com/exploits/11903/ +1 || 2011883 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Open Web Analytics owa_do Parameter Local File inclusion Attempt || url,exploit-db.com/exploits/11903/ +1 || 2011884 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt || url,packetstormsecurity.org/1010-exploits/igamingcms-lfi.txt +1 || 2011886 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Webspell wCMS-Clanscript staticID Parameter SQL Injection Attempt || url,exploit-db.com/exploits/15152/ +1 || 2011887 || 1 || attempted-recon || 0 || ET SCAN Medusa User-Agent || url,www.foofus.net/~jmk/medusa/medusa.html +1 || 2011889 || 5 || attempted-user || 0 || ET DELETED HP Data Protector Media Operations SignInName Parameter Overflow || url,elotrolad0.blogspot.com/2010/10/hp-data-protector-media-operations-611_23.html || url,securitytracker.com/id?1024634 +1 || 2011890 || 7 || trojan-activity || 0 || ET DELETED Potential TDSS HTTP Library GET +1 || 2011891 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Possible Microsoft Internet Explorer CSS Tags Remote Code Execution Attempt || bid,44536 || cve,2010-3962 +1 || 2011892 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Microsoft IE CSS Clip Attribute Memory Corruption (POC SPECIFIC) || url,extraexploit.blogspot.com/2010/11/cve-2010-3962-yet-another-internet.html || url,www.symantec.com/connect/blogs/new-ie-0-day-used-targeted-attacks || url,blog.fireeye.com/research/2010/11/ie-0-day-hupigon-joins-the-party.html || url,www.offensive-security.com/0day/ie-0day.txt || url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms10_xxx_ie_css_clip.rb +1 || 2011893 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC) || url,bugzilla.mozilla.org/show_bug.cgi?id=607222 || url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/ +1 || 2011894 || 16 || trojan-activity || 0 || ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin +1 || 2011895 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Driveby leads to exploits aaitsol1/networks.php +1 || 2011896 || 2 || bad-unknown || 0 || ET DELETED ZBot sp107fb/photo.exe +1 || 2011897 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS vb exploits / trojan vietshow +1 || 2011898 || 1 || bad-unknown || 0 || ET DELETED Rogue antivirus downloader x/l.php?id=RdxUVjSVVKicADPtx=6666os=5.1n=1 +1 || 2011899 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Trojan perflogger ~duydati/inst_PCvw.exe +1 || 2011900 || 1 || bad-unknown || 0 || ET DELETED Trojandropper dunik!rts xxx/download7/21/install_flash_player.exe +1 || 2011901 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Hacked server to exploits ~rio1/admin/login.php +1 || 2011902 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Phishing ~mbscom/moneybookers/app/login/login.html +1 || 2011903 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS iframe Phoenix Exploit & ZBot vt073pd/photo.exe +1 || 2011904 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS fast flux rogue antivirus download.php?id=2004 +1 || 2011905 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS exploit kit x/index.php?s=dexc +1 || 2011906 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS exploit kit x/load/svchost.exe +1 || 2011907 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS exploit kit x/l.php?s=dexc +1 || 2011908 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS exploit kit x/exe.php?x=mdac +1 || 2011909 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS trojan renos Flash.HD.exe +1 || 2011910 || 6 || attempted-user || 0 || ET WEB_CLIENT Possible Adobe Reader 9.4 this.printSeps Memory Corruption Attempt || bid,44638 || cve,2010-4091 +1 || 2011911 || 2 || bad-unknown || 0 || ET DNS Hiloti DNS CnC Channel Successful Install Message || url,sign.kaffenews.com/?p=104 || url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/ +1 || 2011912 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Fake AV Checkin +1 || 2011914 || 1 || attempted-recon || 0 || ET SCAN DirBuster Scan in Progress || url,www.owasp.org/index.php/Category%3aOWASP_DirBuster_Project +1 || 2011915 || 1 || attempted-recon || 0 || ET SCAN DotDotPwn User-Agent || url,dotdotpwn.sectester.net +1 || 2011916 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SEO/Malvertising Executable Landing exe2.php +1 || 2011917 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS FAKEAV Gemini - JavaScript Redirection To Scanning Page +1 || 2011918 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS FAKEAV Gemini - JavaScript Redirection To FakeAV Binary +1 || 2011919 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FAKEAV Gemini - packupdate*.exe download +1 || 2011920 || 4 || bad-unknown || 0 || ET DELETED FAKEAV CryptMEN - 302 Redirect +1 || 2011921 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS FAKEAV CryptMEN - Landing Page Download Contains .hdd_icon +1 || 2011922 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS FAKEAV CryptMEN - Random Named DeObfuscation JavaScript File Download +1 || 2011923 || 6 || trojan-activity || 0 || ET DELETED FAKEAV CryptMEN inst.exe Payload Download +1 || 2011924 || 2 || web-application-attack || 0 || ET SCAN Havij SQL Injection Tool User-Agent Outbound || url,itsecteam.com/en/projects/project1.htm +1 || 2011925 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Rogue AV Downloader concat URI || url,malwareurl.com +1 || 2011926 || 5 || trojan-activity || 0 || ET TROJAN X-Tag Zeus Mitmo user agent || url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo +1 || 2011927 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SiteloomCMS mailform_1 variable Cross Site Scripting Attempt || url,packetstormsecurity.org/1008-exploits/siteloomcms-xss.txt +1 || 2011928 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TFTgallery adminlangfile Parameter Local File inclusion Attempt || url,exploit-db.com/exploits/15345/ +1 || 2011929 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_banners banners.class.php Remote File inclusion Attempt || url,packetstormsecurity.org/1010-exploits/joomlabanners-rfi.txt +1 || 2011930 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php SELECT FROM SQL Injection Attempt || url,inj3ct0r.com/exploits/14090 +1 || 2011931 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php DELETE FROM SQL Injection Attempt || url,inj3ct0r.com/exploits/14090 +1 || 2011932 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UNION SELECT SQL Injection Attempt || url,inj3ct0r.com/exploits/14090 +1 || 2011933 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php INSERT INTO SQL Injection Attempt || url,inj3ct0r.com/exploits/14090 +1 || 2011934 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Interactive Web Solutions site_info.php UPDATE SET SQL Injection Attempt || url,inj3ct0r.com/exploits/14090 +1 || 2011935 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component joomlaXplorer admin.joomlaxplorer.php File Inclusion Attempt || url,packetstormsecurity.org/1011-exploits/joomlaxplorer-rfi.txt +1 || 2011936 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dolphin BxDolGzip.php file Disclosure Attempt || url,secunia.com/advisories/42108 || url,exploit-db.com/exploits/15400/ +1 || 2011938 || 5 || trojan-activity || 0 || ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0 +1 || 2011939 || 7 || trojan-activity || 0 || ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1 +1 || 2011940 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PossibleFreeNAS exec_raw.php Arbitrary Command Execution Attempt || bid,44974 +1 || 2011941 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Open Source Support Ticket System module.php Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/95646/osticket-lfi.txt +1 || 2011942 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Vodpod Video Gallery Plugin gid Cross-Site Scripting Attempt || url,secunia.com/advisories/42195 +1 || 2011943 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GeekLog filemgt SELECT FROM SQL Injection Attempt || url,securityreason.com/exploitalert/9145 +1 || 2011944 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GeekLog filemgt DELETE FROM SQL Injection Attempt || url,securityreason.com/exploitalert/9145 +1 || 2011945 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GeekLog filemgt UNION SELECT SQL Injection Attempt || url,securityreason.com/exploitalert/9145 +1 || 2011946 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GeekLog filemgt INSERT INTO SQL Injection Attempt || url,securityreason.com/exploitalert/9145 +1 || 2011947 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GeekLog filemgt UPDATE SET SQL Injection Attempt || url,securityreason.com/exploitalert/9145 +1 || 2011948 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AWCM window_top.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/15510/ +1 || 2011949 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AWCM common.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/15510/ +1 || 2011950 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AWCM header.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/15510/ +1 || 2011951 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY SEO Client Exploited By SMB/JavaWebStart +1 || 2011952 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY SEO Client Exploited By PDF +1 || 2011953 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious jjar.jar +1 || 2011954 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious loadjjar.php +1 || 2011955 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious lib.pdf +1 || 2011956 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Client Requesting Malicious loadpeers.php +1 || 2011957 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Landing Page Encountered +1 || 2011958 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Obfuscated JavaScript desttable +1 || 2011959 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SEO Obfuscated JavaScript srctable +1 || 2011960 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS MALVERTISING SEO iframe redirect to drive by +1 || 2011961 || 4 || bad-unknown || 0 || ET DELETED MALVERTISING SEO iframe redirect to drive by 2 +1 || 2011962 || 1 || bad-unknown || 0 || ET DELETED FAKEAV client requesting fake scanner page +1 || 2011966 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Trojan downloader (AS8514) || url,www.malwareurl.com/listing.php?domain=1001jimm.ru +1 || 2011967 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Trojan Zbot (AS9121) || url,www.malwareurl.com/listing.php?domain=19eylulmusikicemiyeti.com +1 || 2011968 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Trojan Banker (AS33182) || url,www.malwareurl.com/listing.php?domain=allmobilefashion.com +1 || 2011969 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Ponmocup C2 Post-infection Checkin +1 || 2011970 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS SWF served from /tmp/ +1 || 2011972 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS PDF served from /tmp/ could be Phoenix Exploit Kit +1 || 2011973 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS JAR served from /tmp/ could be Phoenix Exploit Kit +1 || 2011974 || 3 || attempted-recon || 0 || ET SCAN Metasploit WMAP GET len 0 and type +1 || 2011975 || 2 || attempted-recon || 0 || ET SCAN RatProxy in-use +1 || 2011976 || 1 || attempted-dos || 0 || ET SCADA RealWin SCADA System Buffer Overflow || url,www.exploit-db.com/exploits/15337/ +1 || 2011978 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS MALVERTISING Alureon JavaScript IFRAME Redirect +1 || 2011979 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS FedEX Spam Inbound +1 || 2011980 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Ircbrute Trojan || url,www.malwareurl.com/listing.php?domain=egyboys.net +1 || 2011981 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Eleonore Exploit Pack / Trojan Brebolab || url,www.malwareurl.com/listing.php?domain=media-download-kb572810.biz +1 || 2011982 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Trojan Ransom.AM || url,www.malwareurl.com/listing.php?domain=newpornmov.info +1 || 2011983 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Trojan || url,www.malwareurl.com/listing.php?domain=mediafilesonline.net +1 || 2011984 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus MalvRem || url,www.malwareurl.com/listing.php?domain=giga-protectiona.com || url,www.malwareurl.com/listing.php?domain=protectsystemf.com || url,www.malwareurl.com/listing.php?domain=1cnetantispy.com || url,www.malwareurl.com/listing.php?domain=3gb-scanner.com +1 || 2011985 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus avdistr || url,www.malwareurl.com/listing.php?domain=giga-protectiona.com || url,www.malwareurl.com/listing.php?domain=protectsystemf.com || url,www.malwareurl.com/listing.php?domain=1cnetantispy.com || url,www.malwareurl.com/listing.php?domain=3gb-scanner.com +1 || 2011986 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Rogue Antivirus RunAV || url,www.malwareurl.com/listing.php?domain=giga-protectiona.com || url,www.malwareurl.com/listing.php?domain=protectsystemf.com || url,www.malwareurl.com/listing.php?domain=1cnetantispy.com || url,www.malwareurl.com/listing.php?domain=3gb-scanner.com +1 || 2011987 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Softbiz Article Directory Script sbiz_id Parameter Blind SQL Injection Attempt || url,exploit-db.com/exploits/14910/ +1 || 2011988 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI +1 || 2011989 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Fast Flux Trojan (adobe-flash.v.) || url,www.malwareurl.com/listing.php?domain=realmultimediaonline.com +1 || 2011990 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Rogue AV (installer.xxxx.exe) || url,www.malwareurl.com/listing.php?domain=scripttoscan.co.cc +1 || 2011991 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FAKEAV Gemini systempack exe download +1 || 2011992 || 3 || trojan-activity || 0 || ET DELETED Possible ProFTPD Backdoor Initiate Attempt || url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/ || url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org || url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed +1 || 2011993 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS ProFTPD Backdoor outbound Request Sent || url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed || url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/ || url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org +1 || 2011994 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ) || url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed || url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/ || url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org +1 || 2011995 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS invoice.scr download most likely a TROJAN +1 || 2011996 || 11 || trojan-activity || 0 || ET TROJAN Darkness DDoS Bot Checkin || url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205 || url,ef.kaffenews.com/?p=833 || url,www.threatexpert.com/report.aspx?md5=55edeb8742f0c38aaa3d984eb4205c68 || url,www.threatexpert.com/report.aspx?md5=60c84bb1ca03f80ca385f16946322440 || url,www.threatexpert.com/report.aspx?md5=7fcebf5bd67cede35d08bedd683e3524 || url,www.threatexpert.com/report.aspx?md5=778113cc4e758ed65de0123bb79cbd1f +1 || 2011999 || 6 || trojan-activity || 0 || ET TROJAN Trojan.Spy.YEK MAC and IP POST || url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115 +1 || 2012000 || 3 || trojan-activity || 0 || ET MALWARE ASKTOOLBAR.DLL Reporting || url,threatexpert.com/report.aspx?md5=3f6413475b1466964498c8450de4062f +1 || 2012001 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS digiSHOP cart.php SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/15405/ +1 || 2012002 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS digiSHOP cart.php DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/15405/ +1 || 2012003 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS digiSHOP cart.php UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/15405/ +1 || 2012004 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS digiSHOP cart.php INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/15405/ +1 || 2012005 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS digiSHOP cart.php UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/15405/ +1 || 2012006 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MassMirror Uploader example_1.php Remote File Inclusion attempt || url,exploit-db.com/exploits/15441/ +1 || 2012007 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt +1 || 2012008 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpCow skin_file Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/1011-exploits/phpcow-rfilfi.txt +1 || 2012009 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress FeedList Plugin i Parameter Cross Site Scripting Attempt || url,secunia.com/advisories/42197/ || url,johnleitch.net/Vulnerabilities/WordPress.Feed.List.2.61.01.Reflected.Cross-site.Scripting/56 +1 || 2012010 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zen Cart loader_file Parameter Local File Inclusion Attempt || url,secunia.com/advisories/42101/ +1 || 2012011 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde IMP fetchmailprefs.php Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/94299/hordeimp-xss.txt +1 || 2012012 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS The Uploader download_launch.php Remote File Disclosure Attempt || url,exploit-db.com/exploits/13966/ +1 || 2012013 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Component com_smf smf.php Remote File Inclusion Attempt || url,packetstormsecurity.org/files/view/95510/mambosmf-rfi.txt +1 || 2012014 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Jimtawl Component task Parameter Local File Inclusion Attempt || url,expbase.com/WebApps/13388.html || url,secunia.com/advisories/42324/ +1 || 2012015 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebRCSdiff viewver.php File Inclusion Attempt || url,expbase.com/WebApps/13387.html || url,xforce.iss.net/xforce/xfdb/63343 +1 || 2012016 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter SELECT FROM SQL Injection Attempt || url,expbase.com/WebApps/13391.html || url,secunia.com/advisories/42330/ +1 || 2012017 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter DELETE FROM SQL Injection Attempt || url,expbase.com/WebApps/13391.html || url,secunia.com/advisories/42330/ +1 || 2012018 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UNION SELECT SQL Injection Attempt || url,expbase.com/WebApps/13391.html || url,secunia.com/advisories/42330/ +1 || 2012019 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter INSERT INTO SQL Injection Attempt || url,expbase.com/WebApps/13391.html || url,secunia.com/advisories/42330/ +1 || 2012020 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DVD Rental Software cat_id parameter UPDATE SET SQL Injection Attempt || url,expbase.com/WebApps/13391.html || url,secunia.com/advisories/42330/ +1 || 2012021 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS jSchool Advanced id_gallery Parameter SQL Injection Attempt || url,exploit-db.com/exploits/15595/ || url,secunia.com/advisories/42334/ +1 || 2012022 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Community Builder Enhenced Component Local File Inclusion Attempt || url,exploit-db.com/exploits/15222/ +1 || 2012023 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ZyXEL P-660R-T1 HomeCurrent_Date Parameter Cross Site Scripting Attempt || url,secunia.com/advisories/42344/ || url,archives.neohapsis.com/archives/bugtraq/2010-11/0190.html +1 || 2012024 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Gbook MX newlangsel Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/10986/ +1 || 2012025 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Seo Panel file Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/95644/seopanel-disclose.txt +1 || 2012026 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/15526/ +1 || 2012027 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/15526/ +1 || 2012028 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/15526/ +1 || 2012029 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/15526/ +1 || 2012030 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pre Online Tests Generator Pro UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/15526/ +1 || 2012031 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/15711/ +1 || 2012032 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Abtp Portal Project skel_null.php Local File Inclusion Attempt || url,exploit-db.com/exploits/15711/ +1 || 2012033 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS N-13 News default_login_language Parameter Local File Inclusion Attempt || url,secunia.com/advisories/39144/ || url,1337db.com/exploits/11446 +1 || 2012034 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia artid Parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/15006/ +1 || 2012035 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia artid Parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/15006/ +1 || 2012036 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/15006/ +1 || 2012037 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia artid Parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/15006/ +1 || 2012038 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eNdonesia artid Parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/15006/ +1 || 2012039 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Car Portal car Parameter Blind SQL Injection Attempt || url,exploit-db.com/exploits/15135/ +1 || 2012040 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Contenido idart Parameter Cross Site Scripting Attempt || url,secunia.com/advisories/42440/ +1 || 2012041 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of String.fromCharCode % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012042 || 4 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012043 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of charCodeAt % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012044 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012045 || 4 || attempted-admin || 0 || ET EXPLOIT VMware Tools Update OS Command Injection Attempt || url,www.exploit-db.com/exploits/15717/ || cve,2010-4297 +1 || 2012046 || 3 || web-application-attack || 0 || ET DELETED Android Use-After-Free Remote Code Execution on Webkit || url,exploit-db.com/exploits/15548/ +1 || 2012048 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS || url,www.isc.sans.org/diary.html?storyid=10051 +1 || 2012049 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Inbound Low Orbit Ion Cannon LOIC DDOS Tool desu string || url,www.isc.sans.org/diary.html?storyid=10051 +1 || 2012050 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string || url,www.isc.sans.org/diary.html?storyid=10051 +1 || 2012052 || 1 || misc-attack || 0 || ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service || url,www.exploit-db.com/exploits/15695/ +1 || 2012053 || 1 || misc-attack || 0 || ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of Service || url,www.exploit-db.com/exploits/15694/ +1 || 2012054 || 3 || attempted-admin || 0 || ET SMTP Potential Exim HeaderX with run exploit attempt || url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html || url,eclists.org/fulldisclosure/2010/Dec/221 +1 || 2012055 || 2 || attempted-recon || 0 || ET EXPLOIT JDownloader Webinterface Source Code Disclosure || url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt +1 || 2012056 || 2 || attempted-dos || 0 || ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service || url,www.exploit-db.com/exploits/15698/ +1 || 2012057 || 2 || attempted-recon || 0 || ET EXPLOIT VMware 2 Web Server Directory Traversal || url,www.exploit-db.com/exploits/15617/ +1 || 2012058 || 1 || misc-attack || 0 || ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal || url,www.exploit-db.com/exploits/15631/ || bugtraq,44882 || cve,2010-4107 +1 || 2012059 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of document.write % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012060 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012061 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of arguments.callee % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012062 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012063 || 1 || attempted-user || 0 || ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference || url,www.exploit-db.com/exploits/14674/ || url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx || cve,2009-3103 +1 || 2012064 || 4 || attempted-user || 0 || ET WEB_CLIENT Foxit PDF Reader Title Stack Overflow || url,www.exploit-db.com/exploits/15532/ +1 || 2012065 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aigaion ID Parameter UNION SELECT SQL Injection Attempt || url,secunia.com/advisories/42463/ || url,securityreason.com/securityalert/7955 +1 || 2012066 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aigaion ID Parameter INSERT INTO SQL Injection Attempt || url,secunia.com/advisories/42463/ || url,securityreason.com/securityalert/7955 +1 || 2012068 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Profi Einzelgebots Auktions System auktion_text.php Blind SQL Injection Attempt || url,exploit-db.com/exploits/12005/ +1 || 2012069 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/15736/ || url,secunia.com/advisories/42597/ +1 || 2012070 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MantisBT db_type Parameter Cross Site Scripting Attempt || url,exploit-db.com/exploits/15735/ || url,secunia.com/advisories/42597/ +1 || 2012071 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Google Urchin session.cgi Local File Inclusion Attempt || url,exploit-db.com/exploits/15737/ +1 || 2012072 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Safe Search Plugin v1 Parameter Cross Site Scripting Attempt || url,secunia.com/advisories/42544 +1 || 2012073 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aigaion ID Parameter SELECT FROM SQL Injection Attempt || url,secunia.com/advisories/42463/ || url,securityreason.com/securityalert/7955 +1 || 2012074 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Aigaion ID Parameter DELETE FROM SQL Injection Attempt || url,secunia.com/advisories/42463/ || url,securityreason.com/securityalert/7955 +1 || 2012075 || 2 || attempted-user || 0 || ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt || url,seclists.org/fulldisclosure/2010/Dec/110 || url,www.breakingpointsystems.com/community/blog/ie-vulnerability/ || url,seclists.org/fulldisclosure/2010/Dec/110 || url,www.breakingpointsystems.com/community/blog/ie-vulnerability/ || url,www.microsoft.com/technet/security/advisory/2488013.mspx || bid,45246 || cve,2010-3971 +1 || 2012076 || 2 || trojan-activity || 0 || ET TROJAN Win32.Krap.ar Infection URL Request || url,www.threatexpert.com/report.aspx?md5=df29b9866397fd311a5259c5d4bc00dd +1 || 2012077 || 2 || attempted-recon || 0 || ET SCAN Goatzapszu Header from unknown Scanning Tool +1 || 2012078 || 5 || policy-violation || 0 || ET POLICY Windows-Based OpenSSL Tunnel Outbound || url,www.stunnel.org/download/binaries.html +1 || 2012079 || 4 || policy-violation || 0 || ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 2 || url,www.stunnel.org/download/binaries.html +1 || 2012080 || 4 || policy-violation || 0 || ET POLICY Windows-Based OpenSSL Tunnel Connection Outbound 3 || url,www.stunnel.org/download/binaries.html +1 || 2012081 || 4 || trojan-activity || 0 || ET DELETED Possible Bozvanovna Zeus Campaign Config File URL || url,www.abuse.ch/?p=2986 +1 || 2012082 || 3 || trojan-activity || 0 || ET DELETED Possible Bozvanovna Zeus Campaign Binary File URL || url,www.abuse.ch/?p=2986 +1 || 2012083 || 1 || trojan-activity || 0 || ET DELETED Possible Bozvanovna Zeus Campaign SSL Certificate || url,www.abuse.ch/?p=2986 +1 || 2012084 || 2 || attempted-user || 0 || ET NETBIOS Microsoft Windows SMB Client Race Condition Remote Code Execution || url,www.exploit-db.com/exploits/12258/ || cve,2010-0017 || bid,38100 || url,www.microsoft.com/technet/security/Bulletin/MS10-006.mspx +1 || 2012085 || 2 || not-suspicious || 0 || ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Flowbits Set +1 || 2012086 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Call with No Offset TCP Shellcode || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2012087 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Call with No Offset UDP Shellcode || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2012088 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Call with No Offset TCP Shellcode || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2012089 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Call with No Offset TCP Shellcode || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2012090 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Call with No Offset TCP Shellcode || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2012091 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible Call with No Offset UDP Shellcode || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2012092 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Call with No Offset TCP Shellcode || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2012093 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible Call with No Offset UDP Shellcode || url,www.networkforensics.com/2010/05/16/network-detection-of-x86-buffer-overflow-shellcode/ +1 || 2012094 || 2 || attempted-user || 0 || ET NETBIOS SMB Trans2 Query_Fs_Attribute_Info SrvSmbQueryFsInformation Pool Buffer Overflow || url,www.exploit-db.com/exploits/14607/ || url,seclists.org/fulldisclosure/2010/Aug/122 || cve,2010-2550 || bid,42224 || url,www.microsoft.com/technet/security/Bulletin/MS10-054.mspx +1 || 2012096 || 1 || attempted-user || 0 || ET SCADA DATAC RealWin SCADA Server Buffer Overflow || url,www.securityfocus.com/bid/31418 || cve,2008-4322 || url,secunia.com/advisories/32055 +1 || 2012099 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component Billy Portfolio catid Parameter Blind SQL Injection Attempt || url,exploit-db.com/exploits/15721/ +1 || 2012100 || 4 || attempted-user || 0 || ET WEB_CLIENT Oracle Java 6 Object Tag launchjnlp docbase Parameters Buffer Overflow || url,www.exploit-db.com/exploits/15241/ || cve,2010-3552 || bid,44023 +1 || 2012101 || 2 || attempted-user || 0 || ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt || url,exploit-db.com/exploits/15244/ +1 || 2012102 || 4 || attempted-user || 0 || ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow || url,www.exploit-db.com/exploits/15658/ +1 || 2012103 || 5 || web-application-attack || 0 || ET EXPLOIT D-Link bsc_wlan.php Security Bypass || url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt +1 || 2012104 || 4 || trojan-activity || 0 || ET MALWARE User-Agent (AdVantage) || url,www.siteadvisor.com/sites/config.poweredbyadvantage.com +1 || 2012105 || 3 || trojan-activity || 0 || ET MALWARE AdVantage Malware URL Infection Report || url,www.siteadvisor.com/sites/config.poweredbyadvantage.com +1 || 2012106 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012107 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of document.write %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012108 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of charCodeAt %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012109 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of String.fromCharCode %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012110 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible UTF-8 %u90 NOP SLED || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html +1 || 2012111 || 4 || shellcode-detect || 0 || ET SHELLCODE Possible UTF-16 %u9090 NOP SLED || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html +1 || 2012112 || 4 || shellcode-detect || 0 || ET SHELLCODE Possible Encoded %90 NOP SLED || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html +1 || 2012113 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Trojan.BackDoor-DRV.gen.c Reporting-1 || url,threatexpert.com/report.aspx?md5=d5ff6df296c068fcc0ddd303984fa6b9 || url,support.clean-mx.de/clean-mx/viruses.php?domain=wyunion.com&sort=first desc +1 || 2012114 || 3 || trojan-activity || 0 || ET TROJAN Trojan.BackDoor-DRV.gen.c Reporting-2 || url,threatexpert.com/report.aspx?md5=d5ff6df296c068fcc0ddd303984fa6b9 || url,support.clean-mx.de/clean-mx/viruses.php?domain=wyunion.com&sort=first desc +1 || 2012115 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query for a Suspicious Malware Related Numerical .in Domain || url,sign.kaffenews.com/?p=104 || url,www.isc.sans.org/diary.html?storyid=10165 +1 || 2012116 || 4 || attempted-recon || 0 || ET WEB_SERVER DD-WRT Information Disclosure Attempt || url,www.exploit-db.com/exploits/15842/ +1 || 2012117 || 2 || successful-recon-limited || 0 || ET WEB_SERVER Successful DD-WRT Information Disclosure || url,www.exploit-db.com/exploits/15842/ +1 || 2012118 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS http string in hex Likely Obfuscated Exploit Redirect +1 || 2012119 || 3 || bad-unknown || 0 || ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,cansecwest.com/slides07/csw07-nazario.pdf +1 || 2012120 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Usage of Actionscript ByteArray writeByte Function to Build Shellcode || url,blog.fireeye.com/research/2009/07/actionscript_heap_spray.html +1 || 2012121 || 1 || attempted-user || 0 || ET DELETED Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827 || url,www.adobe.com/support/security/bulletins/apsb09-15.html || bid,36638 || cve,2009-2990 +1 || 2012122 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-1 || url,exploit-db.com/exploits/15783/ || url,doc.emergingthreats.net/2012122 +1 || 2012123 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-2 || url,exploit-db.com/exploits/15783/ || url,doc.emergingthreats.net/2012123 +1 || 2012124 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-3 || url,exploit-db.com/exploits/15783/ || url,doc.emergingthreats.net/2012124 +1 || 2012125 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-4 || url,exploit-db.com/exploits/15783/ || url,doc.emergingthreats.net/2012125 +1 || 2012126 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-5 || url,exploit-db.com/exploits/15783/ || url,doc.emergingthreats.net/2012126 +1 || 2012127 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-6 || url,exploit-db.com/exploits/15783/ || url,doc.emergingthreats.net/2012127 +1 || 2012128 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-7 || url,exploit-db.com/exploits/15783/ || url,doc.emergingthreats.net/2012128 +1 || 2012129 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MaticMarket modulename Parameter Local File Inclusion Attempt-8 || url,exploit-db.com/exploits/15783/ || url,doc.emergingthreats.net/2012129 +1 || 2012130 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS myBloggie mybloggie_root_path Parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/files/view/96805/mybloggie216-rfi.txt || url,doc.emergingthreats.net/2012130 +1 || 2012131 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Seyret Video com_seyret Component Blind SQL Injection Attempt || url,exploit-db.com/exploits/14172/ || url,doc.emergingthreats.net/2012131 +1 || 2012132 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS p2pshare.org Malware Related Activity +1 || 2012133 || 4 || attempted-user || 0 || ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow || url,www.exploit-db.com/exploits/14552/ +1 || 2012134 || 4 || attempted-user || 0 || ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow || cve,2010-2931 || url,www.exploit-db.com/exploits/14514/ +1 || 2012135 || 3 || attempted-user || 0 || ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt || url,www.exploit-db.com/exploits/15005/ || cve,2010-3407 +1 || 2012136 || 9 || trojan-activity || 0 || ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected +1 || 2012137 || 5 || trojan-activity || 0 || ET TROJAN Storm/Waledac 3.0 Checkin 1 +1 || 2012139 || 8 || trojan-activity || 0 || ET TROJAN Storm/Waledac 3.0 Checkin 2 +1 || 2012140 || 5 || trojan-activity || 0 || ET MOBILE_MALWARE Android Trojan Command and Control Communication || url,www.isc.sans.org/diary.html?storyid=10186 +1 || 2012141 || 2 || policy-violation || 0 || ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active || url,en.wikipedia.org/wiki/6in4 +1 || 2012142 || 2 || not-suspicious || 0 || ET WEB_CLIENT AVI RIFF Chunk Access Flowbit Set +1 || 2012143 || 3 || attempted-user || 0 || ET WEB_CLIENT Microsoft Windows MPEG Layer-3 Audio Decoder Buffer Overflow || cve,2010-0480 || url,www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/ || url,www.exploit-db.com/exploits/14895/ || url,www.microsoft.com/technet/security/Bulletin/MS10-026.mspx +1 || 2012144 || 3 || bad-unknown || 0 || ET DELETED Possible Malware Related Numerical .co Domain Lookup || url,sign.kaffenews.com/?p=104 || url,www.isc.sans.org/diary.html?storyid=10165 +1 || 2012145 || 4 || attempted-user || 0 || ET ACTIVEX Netcraft Toolbar Remote Code Execution || url,www.exploit-db.com/exploits/15600 +1 || 2012146 || 8 || attempted-user || 0 || ET ACTIVEX ImageShack Toolbar Remote Code Execution || url,www.exploit-db.com/exploits/15601 +1 || 2012147 || 7 || attempted-user || 0 || ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt || url,www.exploit-db.com/exploits/14580/ +1 || 2012148 || 6 || attempted-user || 0 || ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow || url,www.exploit-db.com/exploits/14586/ +1 || 2012149 || 4 || attempted-admin || 0 || ET WEB_CLIENT MS10-090 IE CSS Exploit Metasploit POC Specific Unicoded || cve,CVE-2010-3971 || url,breakingpointsystems.com/community/blog/ie-vulnerability/ || bid,45246 +1 || 2012150 || 2 || attempted-dos || 0 || ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS in URI || url,bugs.php.net/bug.php?id=53632 +1 || 2012151 || 1 || attempted-dos || 0 || ET WEB_SERVER PHP Large Subnormal Double Precision Floating Point Number PHP DoS Inbound || url,bugs.php.net/bug.php?id=53632 +1 || 2012152 || 2 || not-suspicious || 0 || ET WEB_CLIENT DXF Extension File Detection Access Flowbit Set +1 || 2012153 || 3 || attempted-user || 0 || ET WEB_CLIENT Microsoft Office Visio DXF File Processing Remote Code Execution || url,www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow || url,www.exploit-db.com/exploits/14944/ || cve,2010-1681 || url,www.microsoft.com/technet/security/bulletin/ms10-028.mspx || bid,39836 +1 || 2012154 || 2 || attempted-user || 0 || ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1 || url,www.exploit-db.com/exploits/15898/ || bid,45634 +1 || 2012155 || 2 || attempted-user || 0 || ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2 || url,www.exploit-db.com/exploits/15898/ || bid,45634 +1 || 2012156 || 1 || attempted-user || 0 || ET WEB_CLIENT Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt || bid,44638 || cve,2010-4091 +1 || 2012157 || 2 || attempted-user || 0 || ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt Function Call || url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf || url,wooyun.org/bug.php?action=view&id=1006 +1 || 2012158 || 3 || attempted-user || 0 || ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt || url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf || url,wooyun.org/bug.php?action=view&id=1006 || bid,45546 || cve,CVE-2010-3973 +1 || 2012159 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Informacion General informacion_general.php SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/97188/phpig-sql.txt +1 || 2012160 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Informacion General informacion_general.php DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/97188/phpig-sql.txt +1 || 2012161 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/97188/phpig-sql.txt +1 || 2012162 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Informacion General informacion_general.php INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/97188/phpig-sql.txt +1 || 2012163 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Informacion General informacion_general.php UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/97188/phpig-sql.txt +1 || 2012164 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WORDPRESS Plugin Accept Signups email Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/96928/wpsignups-xss.txt +1 || 2012165 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Concrete DIR_FILES_BLOCK_TYPES_CORE Parameter Remote File Inclusion Attempt || bugtraq,45669 +1 || 2012166 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_xmovie file Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/96996/xmovie-fli.txt +1 || 2012167 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ndCMS editor.aspx index Parameter SQL Injection Attempt || url,exploit-db.com/exploits/15124/ +1 || 2012168 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tiki Wiki CMS Groupware language Parameter Local File Inclusion Attempt || url,johnleitch.net/Vulnerabilities/Tiki.Wiki.CMS.Groupware.5.2.Local.File.Inclusion/46 +1 || 2012169 || 9 || bad-unknown || 0 || ET TROJAN Potential Blackhole Exploit Pack Binary Load Request || url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/ +1 || 2012170 || 2 || policy-violation || 0 || ET GAMES Blizzard Web Downloader Install Detected +1 || 2012171 || 6 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to 3322.org Domain || url,isc.sans.edu/diary.html?storyid=3266 || url,isc.sans.edu/diary.html?storyid=5710 || url,google.com/safebrowsing/diagnostic?site=3322.org/ || url,www.mywot.com/en/scorecard/3322.org +1 || 2012172 || 5 || trojan-activity || 0 || ET MALWARE User-Agent (mrgud) +1 || 2012173 || 2 || bad-unknown || 0 || ET WEB_CLIENT eval String.fromCharCode String Which May Be Malicious +1 || 2012174 || 8 || attempted-admin || 0 || ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow || bugtraq,43717 || url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx +1 || 2012176 || 1 || misc-activity || 0 || ET MALWARE Lookup of Malware Domain twothousands.cm Likely Infection +1 || 2012177 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS p2pshares.org Related Malware +1 || 2012178 || 4 || trojan-activity || 0 || ET TROJAN Carberp CnC request POST /set/task.html +1 || 2012179 || 6 || attempted-user || 0 || ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827 || url,www.adobe.com/support/security/bulletins/apsb09-15.html || bid,36638 || cve,2009-2990 +1 || 2012180 || 3 || bad-unknown || 0 || ET USER_AGENTS Suspicious User Agent no space +1 || 2012181 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nucleus action.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/15907/ +1 || 2012182 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/15907/ +1 || 2012183 || 3 || attempted-recon || 0 || ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected || url,honeynet.org.au/?q=open_sip_relay_scanner +1 || 2012184 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/15907/ +1 || 2012185 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nucleus PLUGINADMIN.php Remote File Inclusion Attempt || url,exploit-db.com/exploits/15907/ +1 || 2012186 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS axdcms aXconf Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/15938/ +1 || 2012187 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bizdir.cgi f_srch Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/96613/bizdir510-xss.txt +1 || 2012189 || 1 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpscripte24 Vor und Ruckwarts Auktions System Blind SQL Injection Attempt || url,exploit-db.com/exploits/12026/ +1 || 2012190 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zimplit CMS client Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt +1 || 2012191 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zimplit CMS file Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/96466/zimplit-xss.txt +1 || 2012192 || 3 || attempted-user || 0 || ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt || url,packetstormsecurity.org/files/view/97394/newvcommon-insecure.txt +1 || 2012193 || 2 || web-application-attack || 0 || ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt +1 || 2012194 || 3 || attempted-user || 0 || ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt || bid,44443 || cve,2010-3749 +1 || 2012195 || 3 || misc-activity || 0 || ET DELETED Nginx Serving EXE/DLL File Often Malware Related +1 || 2012196 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012197 || 4 || shellcode-detect || 0 || ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation 2 || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012198 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Worm W32.Svich or Other Infection Request for setting.ini || url,www.threatexpert.com/report.aspx?md5=fcb828c0b735ea8d560a45b3bdd29b94 || url,www.threatexpert.com/report.aspx?md5=36d9a446d6311f9a4c19865e2b62f15d +1 || 2012199 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Worm W32.Svich or Other Infection Request for setting.xls || url,www.threatexpert.com/report.aspx?md5=fb789b067c2809c25fb36abb677cdfcd +1 || 2012200 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Worm W32.Svich or Other Infection Request for setting.doc || url,www.threatexpert.com/report.aspx?md5=fb789b067c2809c25fb36abb677cdfcd +1 || 2012201 || 3 || trojan-activity || 0 || ET WORM Possible Worm Sohanad.Z or Other Infection Request for setting.nql || url,www.threatexpert.com/report.aspx?md5=a70aad8f27957702febfa162556dc5b5 +1 || 2012202 || 2 || trojan-activity || 0 || ET DELETED DNS Lookup of Known BlackEnergy DDOS Botnet CnC Server greenter.ru || url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110116 || url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20100913 +1 || 2012204 || 3 || attempted-recon || 0 || ET SCAN Modified Sipvicious Sundayddr Scanner (sipsscuser) || url,code.google.com/p/sipvicious/ || url,blog.sipvicious.org/ || url,honeynet.org.au/?q=sunday_scanner +1 || 2012205 || 2 || misc-activity || 0 || ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String +1 || 2012206 || 2 || attempted-user || 0 || ET ACTIVEX Novell iPrint ActiveX GetDriverSettings Remote Code Execution Attempt || url,www.zerodayinitiative.com/advisories/ZDI-10-256/ || url,www.vupen.com/english/advisories/2010/3023 || bid,44966 || cve,2010-4321 +1 || 2012207 || 4 || misc-attack || 0 || ET DELETED Possible Twitter Worm Attack || url,threatpost.com/en_us/blogs/twitter-worm-uses-google-url-shortener-spread-scareware-012011 +1 || 2012208 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS FAKEAV CryptMEN pack.exe Payload Download +1 || 2012209 || 2 || trojan-activity || 0 || ET DELETED m28sx twitter worm redirect access || url,isc.sans.edu/diary.html?storyid=10297 +1 || 2012210 || 2 || trojan-activity || 0 || ET DELETED DNS Lookup of Twitter m28sx Worm || url,isc.sans.edu/diary.html?storyid=10297 +1 || 2012211 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt +1 || 2012212 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt +1 || 2012213 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt +1 || 2012214 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt +1 || 2012215 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tunngavik CMS id Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/96808/tunngavikcms-sql.txt +1 || 2012216 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS B-Cumulus tagcloud.swf Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt +1 || 2012217 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LetoDMS lang Parameter Local File Inclusion Attempt || bugtraq,37828 +1 || 2012218 || 3 || web-application-attack || 0 || ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt || url,exploit-db.com/exploits/16002/ +1 || 2012219 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BetMore Site Suite mainx_a.php bid Paramter Blind SQL Injection Attempt || url,exploit-db.com/exploits/15999/ +1 || 2012220 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS B-Cumulus tagcloud-ru.swf Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/97618/bcumulus-xss.txt +1 || 2012221 || 2 || trojan-activity || 0 || ET USER_AGENTS Malware Related msndown || url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=17fdf0cb5970b71b81b1a5406e017ac1 +1 || 2012222 || 2 || trojan-activity || 0 || ET TROJAN Winsoft.E Checkin 1 || url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7 || url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39 +1 || 2012223 || 2 || trojan-activity || 0 || ET TROJAN Winsoft.E Checkin 2 || url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7 || url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39 +1 || 2012224 || 2 || trojan-activity || 0 || ET TROJAN Winsoft.E Checkin 3 || url,www.threatexpert.com/report.aspx?md5=d773d063d8cf35166831af0dae13a4b7 || url,xml.ssdsandbox.net/index.php/935021734dd64921defd1eb266c3fb39 +1 || 2012225 || 4 || trojan-activity || 0 || ET TROJAN Spy Banker Outbound Communication Attempt || url,www.threatexpert.com/report.aspx?md5=58b3c37b61d27cdc0a55321f4c12ef04 +1 || 2012226 || 4 || trojan-activity || 0 || ET TROJAN Win32/Banbra Banking Trojan Communication || url,www.threatexpert.com/report.aspx?md5=7ce03717d6879444d8e45b7cf6470c67 +1 || 2012227 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS FAKEAV Gemini softupdate*.exe download +1 || 2012228 || 5 || misc-activity || 0 || ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related +1 || 2012229 || 7 || misc-activity || 0 || ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related +1 || 2012230 || 4 || web-application-attack || 0 || ET WEB_SERVER Likely Malicious Request for /proc/self/environ +1 || 2012231 || 2 || attempted-user || 0 || ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt || cve,2010-3595 +1 || 2012232 || 2 || attempted-user || 0 || ET ACTIVEX Oracle Document Capture File Deletion Attempt || cve,2010-3591 +1 || 2012233 || 3 || attempted-user || 0 || ET ACTIVEX Oracle Document Capture File Overwrite Attempt || cve,2010-3591 +1 || 2012234 || 3 || attempted-user || 0 || ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt || cve,2010-3599 +1 || 2012235 || 3 || trojan-activity || 0 || ET DELETED UPS Spam Inbound Variant 4 +1 || 2012236 || 2 || trojan-activity || 0 || ET TROJAN x0Proto Init +1 || 2012237 || 2 || trojan-activity || 0 || ET TROJAN x0Proto Client Info +1 || 2012238 || 2 || trojan-activity || 0 || ET TROJAN x0Proto Pong +1 || 2012239 || 2 || trojan-activity || 0 || ET TROJAN x0Proto Ping +1 || 2012240 || 2 || trojan-activity || 0 || ET TROJAN x0Proto Download Cmd +1 || 2012241 || 2 || bad-unknown || 0 || ET WEB_CLIENT Possible % Encoded Iframe Tag || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,www.guardian.co.uk/technology/2008/apr/03/security.google +1 || 2012242 || 2 || bad-unknown || 0 || ET WEB_CLIENT Possible %u UTF-8 Encoded Iframe Tag || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,www.guardian.co.uk/technology/2008/apr/03/security.google +1 || 2012243 || 2 || bad-unknown || 0 || ET WEB_CLIENT Possible %u UTF-16 Encoded Iframe Tag || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,www.guardian.co.uk/technology/2008/apr/03/security.google +1 || 2012244 || 2 || bad-unknown || 0 || ET WEB_CLIENT Possible # Encoded Iframe Tag || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,www.guardian.co.uk/technology/2008/apr/03/security.google +1 || 2012245 || 2 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of document.write # Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012246 || 3 || trojan-activity || 0 || ET USER_AGENTS Unknown Trojan Checkin UA Detected iamx +1 || 2012247 || 3 || policy-violation || 0 || ET P2P BTWebClient UA uTorrent in use +1 || 2012248 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS MUROFET/Licat Trojan Checkin Forum || url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html || url,www.threatexpert.com/report.aspx?md5=531e84b0894a7496479d186712acd7d2 +1 || 2012249 || 4 || trojan-activity || 0 || ET USER_AGENTS Suspicious Win32 User Agent +1 || 2012250 || 3 || trojan-activity || 0 || ET TROJAN Unknown Web Backdoor Keep-Alive +1 || 2012251 || 8 || policy-violation || 0 || ET MOBILE_MALWARE Google Android Device HTTP Request +1 || 2012252 || 3 || shellcode-detect || 0 || ET SHELLCODE Common 0a0a0a0a Heap Spray String || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012253 || 2 || shellcode-detect || 0 || ET SHELLCODE Common %0a%0a%0a%0a Heap Spray String || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012254 || 3 || shellcode-detect || 0 || ET SHELLCODE Common %u0a0a%u0a0a UTF-16 Heap Spray String || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012255 || 3 || shellcode-detect || 0 || ET SHELLCODE Common %u0a%u0a%u0a%u0a UTF-8 Heap Spray String || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012256 || 2 || shellcode-detect || 0 || ET SHELLCODE Common 0c0c0c0c Heap Spray String || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012257 || 3 || shellcode-detect || 0 || ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012258 || 3 || shellcode-detect || 0 || ET SHELLCODE Common %u0c0c%u0c0c UTF-16 Heap Spray String || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012259 || 3 || shellcode-detect || 0 || ET SHELLCODE Common %u0c%u0c%u0c%u0c UTF-8 Heap Spray String || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012260 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of parseInt % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,/www.w3schools.com/jsref/jsref_parseInt.asp +1 || 2012261 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,/www.w3schools.com/jsref/jsref_parseInt.asp +1 || 2012262 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of parseInt %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,/www.w3schools.com/jsref/jsref_parseInt.asp +1 || 2012263 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of Script Tag % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012264 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012265 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of Script Tag %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012266 || 4 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of unescape % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012267 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012268 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of unescape %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012269 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of substr % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012270 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of substr %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012271 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of substr %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012272 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of eval % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012273 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of eval %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012274 || 3 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012275 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Post Express Inbound SPAM (possible Spyeye) || url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out +1 || 2012276 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS USPS Inbound SPAM +1 || 2012278 || 5 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent (Our_Agent) +1 || 2012279 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS SpyEye HTTP Library Checkin || url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out +1 || 2012280 || 2 || trojan-activity || 0 || ET DELETED SpyEye Post_Express_Label infection activity to document.doc || url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out +1 || 2012281 || 2 || trojan-activity || 0 || ET DELETED SpyEye Post_Express_Label infection activity multi-stage download request || url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out +1 || 2012282 || 4 || trojan-activity || 0 || ET DELETED SpyEye Post_Express_Label infection activity multi-stage download confirmed success || url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out +1 || 2012283 || 4 || trojan-activity || 0 || ET DELETED SpyEye Post_Express_Label infection check-in || url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out +1 || 2012284 || 3 || trojan-activity || 0 || ET TROJAN SpyEye Post_Express_Label ftpgrabber check-in || url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out +1 || 2012285 || 4 || trojan-activity || 0 || ET DELETED Trojan/Win32.CodecPack Reporting +1 || 2012286 || 4 || attempted-recon || 0 || ET WEB_SERVER Automated Site Scanning for backupdata +1 || 2012287 || 3 || attempted-recon || 0 || ET WEB_SERVER Automated Site Scanning for backup_data +1 || 2012288 || 4 || trojan-activity || 0 || ET TROJAN Spy.Win32.Agent.bijs Reporting 2 || url,threatexpert.com/report.aspx?md5=846ac24b003c6d468a833bff58db5f5c +1 || 2012289 || 4 || trojan-activity || 0 || ET TROJAN Win32 Troxen Reporting || url,threatexpert.com/report.aspx?md5=664a5147e6258f10893c3fd375f16ce4 || url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32/Troxen!rts +1 || 2012290 || 4 || trojan-activity || 0 || ET TROJAN Spy.Win32.Agent.bijs Reporting 1 || url,threatexpert.com/report.aspx?md5=846ac24b003c6d468a833bff58db5f5c +1 || 2012291 || 2 || attempted-user || 0 || ET DELETED Base64 Encoded FTP Commands (21 > o&echo user 1 1 >> o &echo get) +1 || 2012292 || 3 || attempted-user || 0 || ET DELETED Base64 Encoded FTP Commands Upload (21 > o&echo user 1 1 >> o &echo get) +1 || 2012295 || 3 || trojan-activity || 0 || ET USER_AGENTS suspicious user-agent (REKOM) +1 || 2012296 || 2 || attempted-recon || 0 || ET VOIP Modified Sipvicious Asterisk PBX User-Agent || url,blog.sipvicious.org/2010/11/distributed-sip-scanning-during.html +1 || 2012297 || 2 || attempted-recon || 0 || ET VOIP Possible Inbound VOIP Scan/Misuse With User-Agent Zoiper || url,blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html +1 || 2012298 || 3 || trojan-activity || 0 || ET MALWARE User-Agent (0xa10xa1HttpClient) +1 || 2012299 || 3 || trojan-activity || 0 || ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC Communication || url,www.threatexpert.com/report.aspx?md5=fbcdfecc73c4389e8d3ed7e2e573b6f1 +1 || 2012300 || 3 || trojan-activity || 0 || ET TROJAN Win32.Banker.AAD CnC Communication || url,www.threatexpert.com/report.aspx?md5=8556aec7ff96824e2da9d1b948ed7029 +1 || 2012301 || 3 || trojan-activity || 0 || ET TROJAN Potential Trojan dropper Wlock.A (AS1680) || url,www.malwareurl.com/listing.php?domain=pworldxxx.info +1 || 2012302 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Potential Fake AV Scan (AS31252) || url,www.malwareurl.com/listing.php?domain=scan.dpowerprotection.com +1 || 2012303 || 4 || trojan-activity || 0 || ET TROJAN Night Dragon CnC Beacon Outbound || url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf +1 || 2012304 || 6 || trojan-activity || 0 || ET TROJAN Night Dragon CnC Beacon Inbound || url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf +1 || 2012305 || 5 || trojan-activity || 0 || ET TROJAN Night Dragon CnC Traffic Inbound 2 || url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf +1 || 2012306 || 6 || trojan-activity || 0 || ET TROJAN Night Dragon CnC Traffic Outbound 2 || url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf +1 || 2012307 || 1 || trojan-activity || 0 || ET TROJAN Night Dragon CMD Shell || url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf +1 || 2012308 || 2 || trojan-activity || 0 || ET TROJAN Night Dragon Dropper Download Command || url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf +1 || 2012309 || 1 || trojan-activity || 0 || ET TROJAN Night Dragon Server Auth to Bot || url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-Night-dragon.pdf +1 || 2012310 || 5 || trojan-activity || 0 || ET TROJAN Si25f_302 User-Agent +1 || 2012311 || 4 || trojan-activity || 0 || ET DELETED W32.SillyP2P Checkin || url,www.securehomenetwork.blogspot.com/2011/02/anonleaks-continues-relationship-with.html || url,www.threatexpert.com/report.aspx?md5=a7e1388c38c1fed12785bc335f95b15d +1 || 2012312 || 5 || trojan-activity || 0 || ET TROJAN Generic Trojan with /? and Indy Library User-Agent +1 || 2012313 || 5 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent Moxilla +1 || 2012314 || 3 || trojan-activity || 0 || ET TROJAN Rootkit TDSS/Alureon Checkin 2 || url,contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html +1 || 2012315 || 2 || trojan-activity || 0 || ET USER_AGENTS Fake Opera 8.11 UA related to Trojan Activity +1 || 2012316 || 3 || trojan-activity || 0 || ET DELETED Suspicious Win32 User Agent +1 || 2012317 || 2 || attempted-admin || 0 || ET NETBIOS Microsoft Windows Server 2003 Active Directory Pre-Auth BROWSER ELECTION Heap Overflow Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=22457 || bid,46360 +1 || 2012318 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS FAKEAV download (AntiSpyWareSetup.exe) +1 || 2012319 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS IRS Inbound SMTP Malware +1 || 2012320 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS IRS Inbound SPAM +1 || 2012321 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.cx.cc domain +1 || 2012322 || 7 || trojan-activity || 0 || ET TROJAN Possible TDSS User-Agent CMD || url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19 || url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot +1 || 2012323 || 3 || bad-unknown || 0 || ET DELETED Malicious Advertizing URL in.cgi/antibot_hash +1 || 2012324 || 3 || bad-unknown || 0 || ET EXPLOIT Unknown Exploit Pack URL Detected +1 || 2012325 || 4 || bad-unknown || 0 || ET WEB_CLIENT Obfuscated Javascript // ptth +1 || 2012326 || 5 || bad-unknown || 0 || ET WEB_CLIENT Obfuscated Javascript // ptth (escaped) +1 || 2012327 || 3 || misc-activity || 0 || ET MALWARE All Numerical .cn Domain Likely Malware Related +1 || 2012328 || 5 || misc-activity || 0 || ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related +1 || 2012329 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS IRS Inbound SPAM variant 3 +1 || 2012330 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.rr.nu domain +1 || 2012331 || 3 || policy-violation || 0 || ET POLICY Apple iDisk Sync Unencrypted +1 || 2012332 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Possible Fast Flux Trojan Rogue Antivirus || url,www.malwareurl.com/listing.php?domain=microantivirus5.com +1 || 2012333 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neosploit Toolkit download || url,www.malwareurl.com/listing.php?domain=piadraspgdw.com || url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit +1 || 2012334 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Froxlor customer_ftp.php id Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/16051/ +1 || 2012335 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coupon Script bus parameter Blind SQL Injection Attempt || url,exploit-db.com/exploits/16034/ +1 || 2012336 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CultBooking lang parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/16028/ +1 || 2012337 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CultBooking lang Parameter Cross Site Scripting Attempt || url,exploit-db.com/exploits/16028/ +1 || 2012338 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt +1 || 2012339 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt +1 || 2012340 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt +1 || 2012341 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt +1 || 2012342 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-fusion Team Structure Infusion team_id Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/97588/phpfusiontsi-sql.txt +1 || 2012343 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WeBid active_auctions.php lan Parameter Local File inclusion Attempt || url,johnleitch.net/Vulnerabilities/WeBid.0.8.5P1.Local.File.Inclusion/63 +1 || 2012344 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Madirish Webmail basedir Parameter Remote File inclusion Attempt || url,exploit-db.com/exploits/12369/ +1 || 2012345 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Frontend-User-Access controller Parameter Local File Inclusion Attempt || url,secunia.com/advisories/43137/ || url,securityhome.eu/exploits/exploit.php?eid=17879866924d479451d88fa8.02873909 +1 || 2012346 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMB Services id Parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/16087/ +1 || 2012347 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMB Services id Parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/16087/ +1 || 2012348 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Services id Parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/16087/ +1 || 2012349 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMB Services id Parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/16087/ +1 || 2012350 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PMB Services id Parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/16087/ +1 || 2012351 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Emerson Network AllResults.aspx Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/98029/enp-xss.txt +1 || 2012352 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Classified ads software cid parameter Blind SQL Injection Attempt || url,exploit-db.com/exploits/16062/ +1 || 2012353 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Audio showfile Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/97834/WordPressAudio0.5.1-xss.txt +1 || 2012354 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dokeos and Chamilo open_document.php file Parameter File Disclosure Attempt || bugtraq,46173 +1 || 2012355 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Moodle PHPCOVERAGE_HOME Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/98053/Moodle2.0.1-xss.txt +1 || 2012356 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Featured Content param Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/97826/WordPressFeaturedContent0.0.1-xss.txt +1 || 2012357 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla XGallery com_xgallery Component Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/96864/joomlaxgallery-lfi.txt +1 || 2012358 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHPCMS modelid Parameter SQL Injection Attempt || bugtraq,45933 +1 || 2012359 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/98190/tcms-sql.txt +1 || 2012360 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/98190/tcms-sql.txt +1 || 2012361 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/98190/tcms-sql.txt +1 || 2012362 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/98190/tcms-sql.txt +1 || 2012363 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS T-Content Management System id_novedad Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/98190/tcms-sql.txt +1 || 2012364 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bexfront sid Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt +1 || 2012365 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bexfront sid Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt +1 || 2012366 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bexfront sid Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt +1 || 2012367 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bexfront sid Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt +1 || 2012368 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Bexfront sid Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/97294/phpbexfront-sql.txt +1 || 2012369 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla swMenuPro ImageManager.php Remote File Inclusion Attempt || url,packetstormsecurity.org/files/view/95505/joomlaswmenupro-rfi.txt +1 || 2012370 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Boonex Dolphin explain Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt || bugtraq,46337 +1 || 2012371 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Boonex Dolphin relocate Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/98408/Dolphin7.0.4-xss.txt || bugtraq,46337 +1 || 2012372 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ColdUserGroup LibraryID Parameter Blind SQL Injection Attempt || url,exploit-db.com/exploits/14935/ +1 || 2012373 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde type Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/98424/horde-lfi.txt +1 || 2012374 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/16202/ +1 || 2012375 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/16202/ +1 || 2012376 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/16202/ +1 || 2012377 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/16202/ +1 || 2012378 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Woltlab Burning Board katid Parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/16202/ +1 || 2012379 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TelebidAuctionScript aid Parameter Blind SQL Injection Attempt || url,packetstormsecurity.org/files/view/82724/telebidauction-sql.txt +1 || 2012380 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Podcast Generator themes.php Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/98143/podcastgenerator-xss.txt +1 || 2012381 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt || url,exploit-db.com/exploits/9497 +1 || 2012382 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt || url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt +1 || 2012383 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt || url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt +1 || 2012384 || 3 || trojan-activity || 0 || ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP +1 || 2012385 || 3 || trojan-activity || 0 || ET DELETED Likely Infected HTTP POST to PHP with User-Agent of HTTP Client +1 || 2012386 || 2 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent VCTestClient +1 || 2012387 || 2 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate +1 || 2012388 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS USPS SPAM Inbound possible spyeye trojan || url,www.virustotal.com/file-scan/report.html?id=ed1766eb13cc7f41243dd722baab9973560c999c1489763c0704debebe8f4cb1-1298551066 +1 || 2012389 || 3 || trojan-activity || 0 || ET TROJAN Java Exploit Kit Success Check-in Executable Download Likely +1 || 2012390 || 2 || trojan-activity || 0 || ET P2P Libtorrent User-Agent +1 || 2012391 || 3 || trojan-activity || 0 || ET TROJAN Tatanga Checkin || url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html || url,www.sophos.com/security/analyses/viruses-and-spyware/trojtatangac.html || url,support.clean-mx.de/clean-mx/view_joebox.php?md5=4b5eb54de32f86819c638878ac2c7985&id=740958 || url,www.malware-control.com/statics-pages/06198e9b72e1bb0c256769c5754ed821.php +1 || 2012392 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Potential Fast Flux Rogue Antivirus (Setup_245.exe) || url,www.malwareurl.com/listing.php?domain=antivirus-live21.com +1 || 2012393 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Awstats Apache Tomcat Configuration File Remote Arbitrary Command Execution Attempt || bid,45123 || cve,2010-4367 +1 || 2012394 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt || bid,46471 || cve,2011-1038 +1 || 2012395 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBM Lotus Sametime Server stconf.nsf Cross Site Scripting Attempt || bid,46471 || cve,2011-1038 +1 || 2012396 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt || bid,44883 || cve,2010-4647 +1 || 2012397 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Eclipse IDE Help Component Cross Site Scripting Attempt || bid,44883 || cve,2010-4647 +1 || 2012398 || 4 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012399 || 4 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-8 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012400 || 4 || bad-unknown || 0 || ET WEB_CLIENT Hex Obfuscation of replace Javascript Function %u UTF-16 Encoding || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012401 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby Download Secondary Request +1 || 2012402 || 7 || trojan-activity || 0 || ET DELETED Facebook URL Redirect Vulnerability || url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079577.html +1 || 2012403 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Potential Rogue Antivirus FakePAV || url,www.malwareurl.com/listing.php?domain=76.76.102.214 +1 || 2012404 || 2 || bad-unknown || 0 || ET WEB_CLIENT Likely Hostile Eval CRYPT.obfuscate Usage || url,research.zscaler.com/2010/05/malicious-hidden-iframes-using-publicly.html +1 || 2012405 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Potential FakePAV Checkin || url,www.threatexpert.com/report.aspx?md5=f5dd61e29eff89a93c591fba7ea14d92 +1 || 2012406 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Potential Cewolf DOS attempt || url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079547.html +1 || 2012407 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability || url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html +1 || 2012408 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability || url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html +1 || 2012409 || 3 || trojan-activity || 0 || ET DELETED Unknown Malware Keepalive +1 || 2012410 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE DroidDream Android Trojan info upload || url,androguard.blogspot.com/2011/03/droiddream.html || url,blog.aegislab.com/index.php?op=ViewArticle&articleId=79&blogId=1 || url,blog.mylookout.com/2011/03/android-malware-droiddream-how-it-works/ || url,countermeasures.trendmicro.eu/google-android-rooted-backdoored-infected/ +1 || 2012411 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IWantOneButton Wordpress updateAJAX.php post_id Parameter Cross Site Scripting Attempt || url,exploit-db.com/exploits/16236/ || url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html +1 || 2012412 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id SELECT || url,exploit-db.com/exploits/16236/ || url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html +1 || 2012413 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UNION SELECT || url,exploit-db.com/exploits/16236/ || url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html +1 || 2012414 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id INSERT || url,exploit-db.com/exploits/16236/ || url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html +1 || 2012415 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id DELETE || url,exploit-db.com/exploits/16236/ || url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html +1 || 2012416 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id ASCII || url,exploit-db.com/exploits/16236/ || url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html +1 || 2012417 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IWantOneButton Wordpress SQL Injection Attempt updateAJAX.php post_id UPDATE || url,exploit-db.com/exploits/16236/ || url,htbridge.ch/advisory/sql_injection_in_iwantonebutton_wordpress_plugin.html +1 || 2012418 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 1 || url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt || url,exploit-db.com/exploits/16249/ +1 || 2012419 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2 || url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt || url,exploit-db.com/exploits/16249/ +1 || 2012420 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt dsp_page.cfm pageid SELECT || url,exploit-db.com/exploits/16225/ || url,securelist.com/en/advisories/43460 || url,secunia.com/advisories/43460 +1 || 2012421 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UNION SELECT || url,exploit-db.com/exploits/16225/ || url,securelist.com/en/advisories/43460 || url,secunia.com/advisories/43460 +1 || 2012422 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid INSERT || url,exploit-db.com/exploits/16225/ || url,securelist.com/en/advisories/43460 || url,secunia.com/advisories/43460 +1 || 2012423 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid DELETE || url,exploit-db.com/exploits/16225/ || url,securelist.com/en/advisories/43460 || url,secunia.com/advisories/43460 +1 || 2012424 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid ASCII || url,exploit-db.com/exploits/16225/ || url,securelist.com/en/advisories/43460 || url,secunia.com/advisories/43460 +1 || 2012425 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SOPHIA CMS SQL Injection Attempt -- dsp_page.cfm pageid UPDATE || url,exploit-db.com/exploits/16225/ || url,securelist.com/en/advisories/43460 || url,secunia.com/advisories/43460 +1 || 2012426 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress XCloner Plugin cloner.cron.php config Parameter Local File Inclusion Attempt || bugtraq,46582 || url,exploit-db.com/exploits/16246/ +1 || 2012427 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla XCloner Component cloner.cron.php config Parameter Local File Inclusion Attempt || bugtraq,46582 || url,exploit-db.com/exploits/16246/ +1 || 2012428 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php option Parameter Cross Site Scripting Attempt || bugtraq,46582 || url,exploit-db.com/exploits/16246/ +1 || 2012429 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress XCloner Plugin index2.php mosmsg Parameter Cross Site Scripting Attempt || bugtraq,46582 || url,exploit-db.com/exploits/16246/ +1 || 2012430 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla XCloner Component index2.php mosmsg Parameter Cross Site Scripting Attempt || bugtraq,46582 || url,exploit-db.com/exploits/16246/ +1 || 2012431 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic SELECT || url,exploit-db.com/exploits/16235/ +1 || 2012432 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UNION SELECT || url,exploit-db.com/exploits/16235/ +1 || 2012433 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic INSERT || url,exploit-db.com/exploits/16235/ +1 || 2012434 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic DELETE || url,exploit-db.com/exploits/16235/ +1 || 2012435 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic ASCII || url,exploit-db.com/exploits/16235/ +1 || 2012436 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WP Forum Server wordpress plugin SQL Injection Attempt -- feed.php topic UPDATE || url,exploit-db.com/exploits/16235/ +1 || 2012437 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Zotpress citation Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/98746/WordPressZotpress2.6-xss.txt +1 || 2012438 || 5 || trojan-activity || 0 || ET TROJAN TrojanDownloader Win32/Harnig.gen-P Reporting || url,threatexpert.com/report.aspx?md5=40d1819b9c3c85e1f3b7723c7a9118ad +1 || 2012439 || 4 || trojan-activity || 0 || ET TROJAN Win32.Vilsel.akd Reporting || url,threatexpert.com/report.aspx?md5=2d6cede13913b17bc2ea7c7f70ce5fa8 +1 || 2012440 || 4 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Agent.bqkb Reporting || url,threatexpert.com/report.aspx?md5=de85ae919d48325189bead995e8052e7 || url,support.clean-mx.de/clean-mx/viruses.php?ip=210.163.9.69&sort=first desc +1 || 2012441 || 4 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Banload Reporting || url,threatexpert.com/report.aspx?md5=43b0ddf87c66418053ee055501193abf || url,scumware.org/report/89.108.68.81 +1 || 2012442 || 2 || trojan-activity || 0 || ET DELETED UPS Inbound bad attachment v.4 +1 || 2012443 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS UPS Inbound bad attachment v.5 +1 || 2012444 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS UPS Inbound bad attachment v.6 +1 || 2012445 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Post Express Inbound bad attachment +1 || 2012446 || 2 || trojan-activity || 0 || ET TROJAN Possible Eleonore Exploit pack download || url,www.malwareurl.com/listing.php?domain=ultranichehost.com +1 || 2012447 || 2 || trojan-activity || 0 || ET TROJAN Possible Fast Flux Rogue Antivirus || url,www.malwareurl.com/listing.php?domain=spyremover-k3.com +1 || 2012448 || 2 || trojan-activity || 0 || ET TROJAN Downloader Win32.Agent.FakeAV.AVG 1 || url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408 +1 || 2012449 || 2 || trojan-activity || 0 || ET TROJAN Downloader Win32.Agent.FakeAV.AVG 2 || url,support.clean-mx.de/clean-mx/view_joebox.php?md5=96742442435325983fefb385174a57be&id=765408 +1 || 2012450 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android Trojan HongTouTou Command and Control Communication || url,blog.netqin.com/en/?p=451 +1 || 2012451 || 5 || trojan-activity || 0 || ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1 || url,virus.netqin.com/en/android/MSO.PJApps.A +1 || 2012452 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2 || url,virus.netqin.com/en/android/MSO.PJApps.A/ +1 || 2012453 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication || url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/ +1 || 2012454 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1 || url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1 +1 || 2012455 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2 || url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1 +1 || 2012456 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible JKDDOS download 500.exe || url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry +1 || 2012457 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible JKDDOS download ddos.exe || url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry +1 || 2012458 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible JKDDOS download desyms.exe || url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry +1 || 2012459 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible JKDDOS download 1691.exe || url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry +1 || 2012460 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible JKDDOS download wm.exe || url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry +1 || 2012461 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible JKDDOS download cl.exe || url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry +1 || 2012466 || 3 || trojan-activity || 0 || ET DELETED Possible JKDDOS download b.exe || url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry +1 || 2012467 || 2 || policy-violation || 0 || ET P2P Ocelot BitTorrent Server in Use +1 || 2012468 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu SELECT || url,securityreason.com/wlb_show/WLB-2011020009 +1 || 2012469 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UNION SELECT || url,securityreason.com/wlb_show/WLB-2011020009 +1 || 2012470 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu INSERT || url,securityreason.com/wlb_show/WLB-2011020009 +1 || 2012471 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu DELETE || url,securityreason.com/wlb_show/WLB-2011020009 +1 || 2012472 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu ASCII || url,securityreason.com/wlb_show/WLB-2011020009 +1 || 2012473 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS All In One Control Panel SQL Injection Attempt -- cp_menu_data_file.php menu UPDATE || url,securityreason.com/wlb_show/WLB-2011020009 +1 || 2012474 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RecordPress rp-menu.php sess_user Parameter Cross Site Scripting Attempt || bugtraq,46798 || url,exploit-db.com/exploits/16950/ +1 || 2012475 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RecordPress header.php titledesc Parameter Cross Site Scripting Attempt || bugtraq,46798 || url,exploit-db.com/exploits/16950/ +1 || 2012476 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt || url,htbridge.ch/advisory/xss_in_1_flash_gallery_wordpress_plugin.html || url,packetstormsecurity.org/files/view/99086/1flashgal-sqlxss.txt +1 || 2012477 || 7 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT || url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html +1 || 2012478 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT || url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html +1 || 2012479 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id INSERT || url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html +1 || 2012480 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id DELETE || url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html +1 || 2012481 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id ASCII || url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html +1 || 2012482 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UPDATE || url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html +1 || 2012483 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_p_dict Parameter Cross Site Scripting Attempt || url,secunia.com/advisories/43709 +1 || 2012484 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wikiwig spell-check-savedicts.php to_r_list Parameter Cross Site Scripting Attempt || url,secunia.com/advisories/43709 +1 || 2012485 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf SELECT || url,exploit-db.com/exploits/16954/ +1 || 2012486 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UNION SELECT || url,exploit-db.com/exploits/16954/ +1 || 2012487 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf INSERT || url,exploit-db.com/exploits/16954/ +1 || 2012488 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf DELETE || url,exploit-db.com/exploits/16954/ +1 || 2012489 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf ASCII || url,exploit-db.com/exploits/16954/ +1 || 2012490 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Keynect Ecommerce SQL Injection Attempt -- products.php ctf UPDATE || url,exploit-db.com/exploits/16954/ +1 || 2012491 || 6 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Presto) +1 || 2012492 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DHL Spam Inbound +1 || 2012493 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DHL Spam Inbound +1 || 2012494 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAV InstallInternetDefender Download +1 || 2012495 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAV campaign related JavaScript eval document obfuscation +1 || 2012496 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sahana Agasti AccessController.php approot Parameter Remote File Inclusion Attempt || bugtraq,45656 || url,exploit-db.com/exploits/15896/ || url,xforce.iss.net/xforce/xfdb/64442 +1 || 2012497 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Sahana Agasti dao.php approot Parameter Remote File Inclusion Attempt || bugtraq,45656 || url,exploit-db.com/exploits/15896/ || url,xforce.iss.net/xforce/xfdb/64442 +1 || 2012498 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id SELECT || bugtraq,46842 || url,packetstormsecurity.org/files/99204 || url,exploit-db.com/exploits/16963/ +1 || 2012499 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id UNION SELECT || bugtraq,46842 || url,packetstormsecurity.org/files/99204 || url,exploit-db.com/exploits/16963/ +1 || 2012500 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id INSERT || bugtraq,46842 || url,packetstormsecurity.org/files/99204 || url,exploit-db.com/exploits/16963/ +1 || 2012501 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Constructr CMS Injection Attempt -- constructrXmlOutput.content.xml.php page_id DELETE || bugtraq,46842 || url,packetstormsecurity.org/files/99204 || url,exploit-db.com/exploits/16963/ +1 || 2012502 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII || bugtraq,46842 || url,packetstormsecurity.org/files/99204 || url,exploit-db.com/exploits/16963/ +1 || 2012503 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit || url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html || url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html || bid,46860 || cve,2011-0609 +1 || 2012504 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS Excel with Embedded .emf object downloaded +1 || 2012505 || 4 || trojan-activity || 0 || ET TROJAN Monkif Checkin +1 || 2012506 || 5 || trojan-activity || 0 || ET TROJAN Driveby Exploit Attempt Often to Install Monkif +1 || 2012507 || 5 || trojan-activity || 0 || ET TROJAN Monkif CnC response in fake JPEG || url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf || url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html || url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs +1 || 2012508 || 2 || policy-violation || 0 || ET POLICY Akamai NetSession Interface PUTing data || url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html +1 || 2012509 || 2 || attempted-user || 0 || ET WEB_CLIENT Android Webkit removeChild Use-After-Free Remote Code Execution Attempt || bid,40642 || cve,2010-1119 +1 || 2012510 || 2 || bad-unknown || 0 || ET SHELLCODE UTF-8/16 Encoded Shellcode || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html +1 || 2012511 || 2 || attempted-user || 0 || ET WEB_CLIENT Opera Window.Open document.cloneNode Null Pointer Deference Attempt || url,www.exploit-db.com/exploits/16979/ +1 || 2012512 || 2 || trojan-activity || 0 || ET TROJAN Hiloti loader installed successfully response +1 || 2012513 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Hiloti loader installed successfully request +1 || 2012514 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Hiloti loader requesting payload URL +1 || 2012515 || 5 || trojan-activity || 0 || ET DELETED Hiloti loader receiving payload URL +1 || 2012516 || 2 || trojan-activity || 0 || ET DELETED Fake Google Toolbar User-Agent +1 || 2012517 || 2 || trojan-activity || 0 || ET TROJAN Win32/Rimecud.B Activity || url,www.threatexpert.com/report.aspx?md5=01dd7102b9d36ec8556eed2909b74f52 +1 || 2012518 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit || url,www.retrologic.com +1 || 2012519 || 4 || attempted-user || 0 || ET DELETED Microsoft Publisher Array Indexing Memory Corruption SET || cve,2010-3995 || url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx +1 || 2012520 || 7 || protocol-command-decode || 0 || ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set +1 || 2012521 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Generic Win32 Banker Trojan CheckIn || url,www.xandora.net/xangui/malware/view/18e5c43b3d430526e90799e7cc2c3ec8 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FBancos.ZY +1 || 2012522 || 1 || policy-violation || 0 || ET POLICY DNS Query For XXX Adult Site Top Level Domain || url,mashable.com/2011/03/19/xxx-tld-porn/ || url,mashable.com/2010/06/24/dot-xxx-porn-domain/ +1 || 2012523 || 8 || trojan-activity || 0 || ET POLICY Executable Download From Russian Content-Language Website +1 || 2012524 || 7 || trojan-activity || 0 || ET POLICY Executable Download From Chinese Content-Language Website +1 || 2012525 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website +1 || 2012526 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website +1 || 2012527 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website +1 || 2012528 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website +1 || 2012529 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png +1 || 2012530 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page +1 || 2012531 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS WindowsLive Imposter Site blt .png +1 || 2012532 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download +1 || 2012533 || 4 || trojan-activity || 0 || ET TROJAN Win32/Virut.BN Checkin || url,www.threatexpert.com/report.aspx?md5=199d9ea754f193194e251415a2f6dd46 +1 || 2012534 || 2 || shellcode-detect || 0 || ET SHELLCODE Unescape Variable %u Shellcode || url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf +1 || 2012535 || 2 || shellcode-detect || 0 || ET SHELLCODE Unescape Variable Unicode Shellcode || url,www.symantec.com/avcenter/reference/evolving.shell.code.pdf +1 || 2012536 || 3 || trojan-activity || 0 || ET MALWARE Mozilla 3.0 and Indy Library User-Agent Likely Hostile +1 || 2012537 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Zbot Trojan || url,www.malwareurl.com/listing.php?domain=umbralinversiones.com +1 || 2012538 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Zbot Trojan || url,www.malwareurl.com/listing.php?domain=poleoa.net +1 || 2012539 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Rogue Antivirus || url,www.malwareurl.com/listing.php?domain=umbralinversiones.com +1 || 2012540 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Win32 Backdoor Poison || url,www.malwareurl.com/listing.php?domain=arteencueros.com +1 || 2012541 || 2 || trojan-activity || 0 || ET TROJAN Downloader.small Generic Checkin +1 || 2012542 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.gv.vg domain +1 || 2012543 || 3 || attempted-user || 0 || ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt || bid,44450 || cve,2010-3747 +1 || 2012546 || 4 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for addons.mozilla.org +1 || 2012547 || 4 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for Global Trustee +1 || 2012548 || 4 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for login.live.com +1 || 2012549 || 4 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for login.skype.com +1 || 2012550 || 4 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for login.yahoo.com 1 +1 || 2012551 || 5 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for login.yahoo.com 2 +1 || 2012552 || 4 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for login.yahoo.com 3 +1 || 2012553 || 5 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for mail.google.com +1 || 2012554 || 6 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent SSL Certificate for www.google.com +1 || 2012555 || 2 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent (VMozilla) || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fNeeris.BF || url,www.avira.com/en/support-threats-description/tid/6259/tlang/en +1 || 2012556 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt +1 || 2012557 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt +1 || 2012558 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt +1 || 2012559 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt +1 || 2012560 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Shape Web Solutions imprimir.php UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/99467/shapewebsolutions-sql.txt +1 || 2012561 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfoncier action.class.php script Remote File inclusion Attempt || url,exploit-db.com/exploits/12366 +1 || 2012562 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfoncier architecte.class.php script Remote File inclusion Attempt || url,exploit-db.com/exploits/12366 +1 || 2012563 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfoncier avis.class.php script Remote File inclusion Attempt || url,exploit-db.com/exploits/12366 +1 || 2012564 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfoncier bible.class.php script Remote File inclusion Attempt || url,exploit-db.com/exploits/12366 +1 || 2012565 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openfoncier blocnote.class.php script Remote File inclusion Attempt || url,exploit-db.com/exploits/12366 +1 || 2012566 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin vbBux vbplaza.php Blind SQL Injection Attempt || url,exploit-db.com/exploits/8784/ +1 || 2012567 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt +1 || 2012568 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt +1 || 2012569 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt +1 || 2012570 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt +1 || 2012571 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS jQuery Mega Menu Wordpress Plugin Local File Inclusion Attempt || url,exploit-db.com/exploits/16250 +1 || 2012572 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Cache_Lite Class mosConfig_absolute_path Remote File inclusion Attempt || url,exploit-db.com/exploits/16912 +1 || 2012573 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RecordPress header.php Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt +1 || 2012574 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/99118/recordpress-xsrfxss.txt +1 || 2012575 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012576 || 5 || web-application-attack || 0 || ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012577 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012578 || 5 || web-application-attack || 0 || ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field DELETE || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012579 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012580 || 4 || web-application-attack || 0 || ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UPDATE || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012581 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt || url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html || url,secunia.com/advisories/43661/ +1 || 2012582 || 4 || web-application-attack || 0 || ET DELETED Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt || bugtraq,46771 || url,xforce.iss.net/xforce/xfdb/65942 || url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt +1 || 2012583 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/15840/ || url,securityreason.com/wlb_show/WLB-2011010005 +1 || 2012584 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/15840/ || url,securityreason.com/wlb_show/WLB-2011010005 +1 || 2012585 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS coRED CMS rubID Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/98769/coredcms-sql.txt +1 || 2012586 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent I mLuo +1 || 2012587 || 4 || trojan-activity || 0 || ET TROJAN VirTool-Win32-VBInject.gen-FA Reporting || url,threatexpert.com/report.aspx?md5=85a9f25c9b6614a8ad16dd7f3363a247 +1 || 2012588 || 4 || web-application-attack || 0 || ET DELETED RiskTool.Win32.WFPDisabler Reporting || url,threatexpert.com/report.aspx?md5=c81be1cf10d9578803dab8c1bc62ccfa +1 || 2012589 || 4 || trojan-activity || 0 || ET DELETED Trojan-Dropper.Win32.Mudrop.asj Reporting || url,threatexpert.com/report.aspx?md5=0398af3218eb6f21195d701a0b001445 +1 || 2012590 || 5 || trojan-activity || 0 || ET TROJAN Best Spyware Scanner FaveAV Download +1 || 2012591 || 5 || bad-unknown || 0 || ET DELETED EICAR test file with MZ header double-stacking AV evasion technique || url,isc.sans.edu/diary/Strange+Shockwave+File+with+Surprising+Attachments/10612 || url,www.eicar.org/anti_virus_test_file.htm +1 || 2012592 || 5 || trojan-activity || 0 || ET TROJAN PWS-Banker.gen.b Reporting || url,threatexpert.com/report.aspx?md5=e3fdf31ce57b3807352971a62f85c55b +1 || 2012593 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.ce.ms domain +1 || 2012595 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012596 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012597 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012598 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field DELETE || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012599 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012600 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE || url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt +1 || 2012601 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt || url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html || url,secunia.com/advisories/43661/ +1 || 2012603 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt || bugtraq,46771 || url,xforce.iss.net/xforce/xfdb/65942 || url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt +1 || 2012604 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/15840/ || url,securityreason.com/wlb_show/WLB-2011010005 +1 || 2012605 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/15840/ || url,securityreason.com/wlb_show/WLB-2011010005 +1 || 2012606 || 3 || web-application-attack || 0 || ET SCAN Havij SQL Injection Tool User-Agent Inbound || url,itsecteam.com/en/projects/project1.htm +1 || 2012607 || 4 || trojan-activity || 0 || ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE +1 || 2012608 || 7 || trojan-activity || 0 || ET DELETED Java Exploit Attempt applet via file URI || url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ || cve,CVE-2010-4452 +1 || 2012609 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host || url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ || cve,CVE-2010-4452 +1 || 2012610 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Java Exploit io.exe download served +1 || 2012611 || 5 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent Sample +1 || 2012612 || 11 || trojan-activity || 0 || ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers +1 || 2012613 || 5 || trojan-activity || 0 || ET DELETED SpyeEye Trojan Request file=grabbers +1 || 2012614 || 5 || web-application-attack || 0 || ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks || url,malwaresurvival.net/tag/lizamoon-com/ +1 || 2012615 || 2 || trojan-activity || 0 || ET MALWARE Unknown Malware PUTLINK Command Message +1 || 2012616 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Slugin.A PatchTimeCheck.dat Request +1 || 2012617 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Malware PatchPathNewS3.dat Request +1 || 2012618 || 2 || trojan-activity || 0 || ET DELETED .dll Request Without User-Agent Likely Malware +1 || 2012619 || 6 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent Mozilla/3.0 +1 || 2012620 || 9 || trojan-activity || 0 || ET TROJAN Unknown Fake antivirus check-in +1 || 2012621 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit || url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html || url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html || bid,46860 || cve,2011-0609 +1 || 2012622 || 5 || attempted-user || 0 || ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile || url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html || url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html || bid,46860 || cve,2011-0609 || url,www.adobe.com/support/security/advisories/apsa11-02.html || cve,2011-0611 +1 || 2012624 || 5 || attempted-user || 0 || ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client +1 || 2012625 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php +1 || 2012626 || 4 || trojan-activity || 0 || ET TROJAN Unknown Dropper Checkin with NSISDL/1.2 User-Agent +1 || 2012627 || 2 || trojan-activity || 0 || ET TROJAN FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers +1 || 2012628 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host || url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ || cve,CVE-2010-4452 +1 || 2012629 || 4 || trojan-activity || 0 || ET USER_AGENTS Unknown Trojan User-Agent IE6 on Windows XP +1 || 2012630 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Paypal Phishing victim POSTing data +1 || 2012631 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Chinese Bootkit Checkin || url,www.securelist.com/en/blog/434/The_Chinese_bootkit +1 || 2012632 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment +1 || 2012633 || 3 || trojan-activity || 0 || ET DELETED Content-Type image/jpeg with DOS MZ header set likely 2nd stage download +1 || 2012634 || 3 || trojan-activity || 0 || ET DELETED Content-Type image/jpeg with Win32 MZ header set likely 2nd stage download +1 || 2012635 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment +1 || 2012636 || 3 || attempted-user || 0 || ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt || url,www.exploit-db.com/exploits/17105/ || bid,47133 +1 || 2012637 || 4 || attempted-user || 0 || ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt || url,www.exploit-db.com/exploits/17105/ || bid,47133 +1 || 2012638 || 4 || attempted-user || 0 || ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt || url,www.exploit-db.com/exploits/17105/ || bid,47133 +1 || 2012639 || 4 || attempted-user || 0 || ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt || url,www.exploit-db.com/exploits/17105/ || bid,47133 +1 || 2012640 || 4 || attempted-user || 0 || ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt || url,www.exploit-db.com/exploits/17105/ || bid,47133 +1 || 2012641 || 3 || attempted-user || 0 || ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt || bid,44023 || cve,2010-3552 +1 || 2012642 || 7 || trojan-activity || 0 || ET MALWARE Lowercase mozilla/2.0 User-Agent Likely Malware || url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B +1 || 2012643 || 2 || trojan-activity || 0 || ET TROJAN Trojan-Clicker.Win32.Agent.qqf Checkin || url,www.threatexpert.com/report.aspx?md5=f468778836fd27a2ccca88c99f6dd3e9 +1 || 2012644 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary +1 || 2012645 || 4 || trojan-activity || 0 || ET TROJAN GET to Google with specific HTTP lib likely Cycbot/Bifrose/Kryptic checking Internet connection +1 || 2012646 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Malicious JAR olig +1 || 2012647 || 3 || policy-violation || 0 || ET POLICY Dropbox.com Offsite File Backup in Use || url,www.dropbox.com || url,dereknewton.com/2011/04/dropbox-authentication-static-host-ids/ +1 || 2012648 || 3 || policy-violation || 0 || ET POLICY Dropbox Client Broadcasting +1 || 2012649 || 4 || misc-activity || 0 || ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related +1 || 2012650 || 6 || misc-activity || 0 || ET CURRENT_EVENTS HTTP Request to a Malware Related Numerical .cn Domain +1 || 2012651 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt +1 || 2012652 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt +1 || 2012653 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt +1 || 2012654 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt +1 || 2012655 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt +1 || 2012656 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eyeOS callback parameter Cross Site Scripting Attempt || url,secunia.com/advisories/43818 +1 || 2012657 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eyeOS file Parameter Local File Inclusion Attempt || url,secunia.com/advisories/43818 +1 || 2012658 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OrangeHRM recruitcode parameter Cross Site Script Attempt || bugtraq,47046 +1 || 2012659 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_doqment Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/99278/joomladoqment-rfilfisql.txt +1 || 2012660 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Portel patron Parameter Blind SQL Injection Attempt || url,packetstormsecurity.org/files/view/80053/portel-sql.txt +1 || 2012661 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter SELECT FROM SQL Injection Attempt || bugtraq,46635 +1 || 2012662 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter DELETE FROM SQL Injection Attempt || bugtraq,46635 +1 || 2012663 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UNION SELECT SQL Injection Attempt || bugtraq,46635 +1 || 2012664 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter INSERT INTO SQL Injection Attempt || bugtraq,46635 +1 || 2012665 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin cChatBox messageid Parameter UPDATE SET SQL Injection Attempt || bugtraq,46635 +1 || 2012666 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla component smartformer Remote File Inclusion Attempt || url,packetstormsecurity.org/files/view/95477/joomlasmartformer-rfi.txt +1 || 2012667 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component Media Mall Factory Blind SQL Injection Attempt || url,packetstormsecurity.org/files/view/88439/joomlamediamallfactory-bsql.txt +1 || 2012668 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LoCal Calendar System LIBDIR Parameter Local File Inclusion Attempt || url,secunia.com/advisories/22484 +1 || 2012669 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClanSphere 'CKEditorFuncNum' parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/99698/ClanSphere2010.3CKEditor-xss.txt +1 || 2012670 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PhotoSmash action Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/99089/photosmash-xss.txt +1 || 2012672 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT || url,exploit-db.com/exploits/17061/ || url,vupen.com/english/advisories/2011/0823 +1 || 2012673 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UNION SELECT || url,exploit-db.com/exploits/17061/ || url,vupen.com/english/advisories/2011/0823 +1 || 2012674 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa INSERT || url,exploit-db.com/exploits/17061/ || url,vupen.com/english/advisories/2011/0823 +1 || 2012675 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa DELETE || url,exploit-db.com/exploits/17061/ || url,vupen.com/english/advisories/2011/0823 +1 || 2012676 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa ASCII || url,exploit-db.com/exploits/17061/ || url,vupen.com/english/advisories/2011/0823 +1 || 2012677 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa UPDATE || url,exploit-db.com/exploits/17061/ || url,vupen.com/english/advisories/2011/0823 +1 || 2012678 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webEdition CMS openBrowser.php Cross Site Scripting Attempt || bugtraq,47047 || url,packetstormsecurity.org/files/99790 || url,exploit-db.com/exploits/17054/ +1 || 2012679 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webEdition CMS edit_shop_editorFrameset.php Cross Site Scripting Attempt || bugtraq,47047 || url,packetstormsecurity.org/files/99790 || url,exploit-db.com/exploits/17054/ +1 || 2012680 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webEdition CMS we_transaction Parameter Cross Site Scripting Attempt || bugtraq,47047 || url,packetstormsecurity.org/files/99790 || url,exploit-db.com/exploits/17054/ +1 || 2012681 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS webEdition CMS shop_artikelid Parameter Cross Site Scripting Attempt || bugtraq,47047 || url,packetstormsecurity.org/files/99790 || url,exploit-db.com/exploits/17054/ +1 || 2012682 || 6 || attempted-admin || 0 || ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1 || cve,CVE-2010-1552 || bugtraq,40068 +1 || 2012683 || 5 || attempted-admin || 0 || ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2 || cve,CVE-2010-1552 || bugtraq,40068 +1 || 2012684 || 8 || trojan-activity || 0 || ET WEB_CLIENT Office File With Embedded Executable +1 || 2012685 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Win32/CazinoSilver Download VegasVIP_setup.exe || url,ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html +1 || 2012686 || 4 || trojan-activity || 0 || ET TROJAN SpyEye Checkin version 1.3.25 or later +1 || 2012687 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request +1 || 2012688 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Potential Blackhole Exploit Pack landing || url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/ +1 || 2012689 || 5 || attempted-recon || 0 || ET POLICY LoJack asset recovery/tracking - not malicious || url,www.absolute.com/en/lojackforlaptops/home.aspx +1 || 2012690 || 1 || successful-admin || 0 || ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System +1 || 2012691 || 2 || policy-violation || 0 || ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan +1 || 2012692 || 6 || trojan-activity || 0 || ET POLICY Microsoft user-agent automated process response to automated request +1 || 2012693 || 3 || trojan-activity || 0 || ET MALWARE overtls.com adware request +1 || 2012694 || 3 || policy-violation || 0 || ET POLICY request to .xxx TLD || url,en.wikipedia.org/wiki/.xxx +1 || 2012695 || 2 || trojan-activity || 0 || ET USER_AGENTS suspicious User Agent (Lotto) +1 || 2012696 || 3 || trojan-activity || 0 || ET TROJAN FakeAV InstallInternetProtection Download +1 || 2012697 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla virtuemart Blind SQL Injection Attempt || url,exploit-db.com/exploits/17132 +1 || 2012698 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script SELECT FROM SQL Injection Attempt || url,securityreason.com/wlb_show/WLB-2011040052 +1 || 2012699 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script DELETE FROM SQL Injection Attempt || url,securityreason.com/wlb_show/WLB-2011040052 +1 || 2012700 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UNION SELECT SQL Injection Attempt || url,securityreason.com/wlb_show/WLB-2011040052 +1 || 2012701 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script INSERT INTO SQL Injection Attempt || url,securityreason.com/wlb_show/WLB-2011040052 +1 || 2012702 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS eGroupware loaddetails.php script UPDATE SET SQL Injection Attempt || url,securityreason.com/wlb_show/WLB-2011040052 +1 || 2012703 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_latestprod module Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100324 +1 || 2012704 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla mod_virtuemart_featureprod module Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100325 +1 || 2012705 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress WP Publication file Parameter Local File Inclusion Attempt || url,secunia.com/advisories/43067 || url,securelist.com/en/advisories/43067 +1 || 2012706 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/100183/vtigerCRM5.2.1-XSS.txt +1 || 2012707 || 4 || trojan-activity || 0 || ET TROJAN Suspicious double Server Header +1 || 2012708 || 2 || web-application-attack || 0 || ET WEB_SERVER HTTP 414 Request URI Too Large +1 || 2012709 || 5 || protocol-command-decode || 0 || ET POLICY MS Remote Desktop Administrator Login Request || cve,CAN-2001-0540 +1 || 2012710 || 1 || protocol-command-decode || 0 || ET POLICY MS Terminal Server Root login || cve,2001-0540 +1 || 2012711 || 1 || protocol-command-decode || 0 || ET POLICY MS Remote Desktop POS User Login Request || cve,2001-0540 +1 || 2012712 || 1 || protocol-command-decode || 0 || ET POLICY MS Remote Desktop Service User Login Request || cve,CAN-2001-0540 +1 || 2012713 || 3 || trojan-activity || 0 || ET TROJAN Internet Protection FakeAV checkin || url,www.threatexpert.com/report.aspx?md5=7710686d03cd3174b6f644434750b22b +1 || 2012714 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAV BestAntivirus2011 Download +1 || 2012715 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/10809 +1 || 2012716 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/10809 +1 || 2012717 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/10809 +1 || 2012718 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/10809 +1 || 2012719 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/10809 +1 || 2012720 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt || url,exploit-db.com/exploits/16016 +1 || 2012721 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt || url,secunia.com/advisories/39517 +1 || 2012722 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress SocialGrid Plugin default_services Cross-Site Scripting Vulnerability || url,secunia.com/advisories/44256 || url,htbridge.ch/advisory/xss_in_socialgrid_wordpress_plugin.html +1 || 2012723 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo component com_zoom Blind SQL Injection Vulnerability || url,packetstormsecurity.org/files/view/80992/mambozoom-sql.txt +1 || 2012724 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CitusCMS filePath Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100525/cituscms-rfi.txt +1 || 2012725 || 9 || trojan-activity || 0 || ET TROJAN Win32/FakeSysdef Rogue AV Checkin || url,www.threatexpert.com/report.aspx?md5=f0f750e8f195dcfc8623679ff2df1267 || url,www.threatexpert.com/report.aspx?md5=e186e530ebf0aec07f0cd2afd706633c || url,www.threatexpert.com/report.aspx?md5=294a729bb6a8fc266990b4c94eb86359 +1 || 2012726 || 4 || attempted-recon || 0 || ET SCAN OpenVAS User-Agent Inbound || url,openvas.org +1 || 2012727 || 3 || trojan-activity || 0 || ET TROJAN BestAntivirus2011 Fake AV reporting +1 || 2012728 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Known Hostile Domain citi-bank.ru Lookup +1 || 2012729 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Known Hostile Domain .ntkrnlpa.info Lookup +1 || 2012730 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Known Hostile Domain ilo.brenz.pl Lookup +1 || 2012731 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/? +1 || 2012732 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page +1 || 2012734 || 4 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent String (AskPartnerCobranding) +1 || 2012735 || 7 || policy-violation || 0 || ET POLICY Babylon User-Agent (Translation App Observed in PPI MALWARE) || md5,54e482d6c0344935115d04b411afdb27 || md5,54dfd618401a573996b2b32bdd21b2d4 || md5,546888f8a18ed849058a5325015c29ef || url,www.babylon.com +1 || 2012736 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Trojan-GameThief.Win32.OnLineGames.bnye Checkin || url,www.threatexpert.com/report.aspx?md5=014945cf93ffc94833f7a3efd92fe263 +1 || 2012737 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.cw.cm domain +1 || 2012738 || 5 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org || url,isc.sans.edu/diary.html?storyid=6739 || url,google.com/safebrowsing/diagnostic?site=8866.org/ || url,www.mywot.com/en/scorecard/8866.org +1 || 2012739 || 2 || trojan-activity || 0 || ET WORM Rimecud Worm checkin || url,www.threatexpert.com/report.aspx?md5=9623efa133415d19c941ef92a4f921fc +1 || 2012740 || 3 || trojan-activity || 0 || ET USER_AGENTS Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET) || url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2 +1 || 2012741 || 4 || web-application-attack || 0 || ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt || url,exploit-db.com/exploits/17196 +1 || 2012742 || 2 || attempted-user || 0 || ET ACTIVEX Gesytec ElonFmt ActiveX Component Format String Function Call || url,exploit-db.com/exploits/17196 +1 || 2012743 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SaurusCMS captcha_image.php script Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100461/sauruscms-rfi.txt +1 || 2012744 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Publishing Technology id Parameter Blind SQL Injection Attempt || url,packetstormsecurity.org/files/view/100822/publishingtechnology-sql.txt +1 || 2012745 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpRS id parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt +1 || 2012746 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpRS id parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt +1 || 2012747 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpRS id parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt +1 || 2012748 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpRS id parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt +1 || 2012749 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpRS id parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt +1 || 2012750 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OrangeHRM path Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/100823/OrangeHRM2.6.3-lfi.txt +1 || 2012751 || 2 || trojan-activity || 0 || ET USER_AGENTS suspicious user agent string (changhuatong) +1 || 2012752 || 2 || trojan-activity || 0 || ET DELETED Vertex Trojan UA (VERTEXNET) +1 || 2012753 || 6 || trojan-activity || 0 || ET MALWARE Possible FakeAV Binary Download +1 || 2012754 || 2 || attempted-recon || 0 || ET SCAN Possible SQLMAP Scan || url,sqlmap.sourceforge.net || url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/ +1 || 2012755 || 4 || attempted-recon || 0 || ET SCAN Possible SQLMAP Scan || url,sqlmap.sourceforge.net || url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/ +1 || 2012756 || 2 || attempted-user || 0 || ET WEB_CLIENT Windows Help and Support Center XSS Attempt || cve,2010-1885 +1 || 2012757 || 5 || trojan-activity || 0 || ET USER_AGENTS suspicious user agent string (CholTBAgent) +1 || 2012758 || 4 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to *.dyndns. Domain +1 || 2012760 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt || url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml || bid,47607 || cve,2011-1609 +1 || 2012761 || 2 || trojan-activity || 0 || ET USER_AGENTS Suspicious user agent (mdms) +1 || 2012762 || 2 || trojan-activity || 0 || ET USER_AGENTS Suspicious user agent (asd) +1 || 2012763 || 9 || bad-unknown || 0 || ET DELETED Suspicious IAT Checking for Debugger || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012764 || 5 || misc-activity || 0 || ET DELETED Suspicious IAT NtQueryInformationProcess Possibly Checking for Debugger || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012765 || 7 || misc-activity || 0 || ET DELETED Suspicious IAT GetStartupInfo || url, sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012766 || 5 || misc-activity || 0 || ET DELETED Suspicious IAT GetComputerName || url, sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012767 || 11 || misc-activity || 0 || ET TROJAN Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012768 || 7 || misc-activity || 0 || ET TROJAN Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012769 || 2 || misc-activity || 0 || ET DELETED Suspicious IAT ZwSetSystemInformation - Undocumented API Which Can be Used for Rootkit Functionality || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012770 || 2 || misc-activity || 0 || ET DELETED Suspicious IAT ZwWriteVirtualMemory - Undocumented API Which Can be Used for CnC Functionality || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012771 || 2 || misc-activity || 0 || ET DELETED Suspicious IAT SetSfcFileException - Undocumented API Which Can be Used for Disabling Windows File Protections || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012772 || 2 || misc-activity || 0 || ET DELETED Suspicious IAT NtQueueApcThread - Undocumented API Which Can be Used for Thread Injection/Downloading || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012773 || 2 || misc-activity || 0 || ET DELETED Suspicious IAT NtResumeThread - Undocumented API Which Can be Used to Resume Thread Injection || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012774 || 2 || misc-activity || 0 || ET DELETED Suspicious IAT NoExecuteAddFileOptOutList - Undocumented API to Add Executable to DEP Exception List || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012775 || 2 || misc-activity || 0 || ET DELETED Suspicious IAT ModifyExecuteProtectionSupport - Undocumented API to Modify DEP || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012776 || 2 || misc-activity || 0 || ET DELETED Suspicious IAT LdrLoadDll - Undocumented Low Level API to Load DLL || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012777 || 5 || misc-activity || 0 || ET POLICY Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012778 || 3 || misc-activity || 0 || ET DELETED Suspicious IAT NamedPipe - May Indicate Reverse Shell/Backdoor Functionality || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012779 || 4 || misc-activity || 0 || ET DELETED Suspicious IAT FTP File Interaction || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012780 || 6 || misc-activity || 0 || ET POLICY Suspicious IAT SetKeyboardState - Can Be Used for Keylogging || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012781 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Hiloti DNS Checkin Message explorer_exe || url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/ +1 || 2012782 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request || url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html +1 || 2012783 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request || url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html +1 || 2012784 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request || url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html +1 || 2012785 || 3 || trojan-activity || 0 || ET DELETED Egypack/1.0 User-Agent Likely Malware || url,www.vbulletin.com/forum/showthread.php/338741-vBulletin-Footer-SQL-Injection-Hack +1 || 2012786 || 1 || bad-unknown || 0 || ET TROJAN DNS Query for Possible FakeAV Domain +1 || 2012787 || 4 || attempted-user || 0 || ET SCADA ICONICS WebHMI ActiveX Stack Overflow || url,www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf || url,www.exploit-db.com/exploits/17240/ +1 || 2012788 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/97186/klink-sql.txt +1 || 2012789 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/97186/klink-sql.txt +1 || 2012790 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/97186/klink-sql.txt +1 || 2012791 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/97186/klink-sql.txt +1 || 2012792 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS KLINK txtCodiInfo parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/97186/klink-sql.txt +1 || 2012793 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS E-Xoopport Samsara Sections module secid Parameter Blind SQL Injection Exploit || url,exploit-db.com/exploits/15004 +1 || 2012794 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ClanSphere CurrentFolder Parameter Local File Inclusion Attempt || bugtraq,47636 +1 || 2012795 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Golem Gaming Portal root_path Parameter Remote File inclusion Attempt || url,securityreason.com/exploitalert/7180 +1 || 2012796 || 3 || bad-unknown || 0 || ET DELETED Malicious SEO landing in.cgi with URI HTTP_REFERER +1 || 2012797 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101056/WebAuction0.3.6-XSS.txt +1 || 2012799 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 1 || url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/ || url,community.websense.com/forums/p/10728/23862.aspx || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443 || url,www9.dyndns-server.com%3a8080/pub/botnet-links.html +1 || 2012800 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 2 || url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/ || url,community.websense.com/forums/p/10728/23862.aspx || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443 +1 || 2012801 || 5 || trojan-activity || 0 || ET TROJAN Spoofed MSIE 7 User-Agent Likely Ponmocup || url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/ || url,community.websense.com/forums/p/10728/23862.aspx || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443 +1 || 2012802 || 4 || trojan-activity || 0 || ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup || url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/ || url,community.websense.com/forums/p/10728/23862.aspx || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443 +1 || 2012803 || 5 || trojan-activity || 0 || ET TROJAN Delf Alms backdoor checkin +1 || 2012804 || 5 || trojan-activity || 0 || ET MALWARE Possible Windows executable sent ASCII-hex-encoded || url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html || url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5 +1 || 2012805 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Automne upload-controler.php Arbitrary File Upload Vulnerability || url,securelist.com/en/advisories/43589 +1 || 2012806 || 4 || attempted-user || 0 || ET WEB_CLIENT QuickTime Remote Exploit (exploit specific) || url,www.1337day.com/exploits/16077 +1 || 2012807 || 4 || attempted-user || 0 || ET DELETED Possible g01pack Exploit Pack Malicious JAR File Request || url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/ || url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx +1 || 2012808 || 2 || attempted-recon || 0 || ET WEB_SPECIFIC_APPS WordPress DB XML dump attempted access || url,seclists.org/fulldisclosure/2011/May/322 +1 || 2012809 || 3 || successful-recon-largescale || 0 || ET WEB_SPECIFIC_APPS WordPress DB XML dump successful leakage || url,seclists.org/fulldisclosure/2011/May/322 +1 || 2012810 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.tk domain +1 || 2012811 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to a .tk domain - Likely Hostile +1 || 2012812 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Known Malicious Facebook Javascript || url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/ +1 || 2012813 || 2 || bad-unknown || 0 || ET WEB_CLIENT PDF With Adobe Audition Session File Handling Buffer Overflow Flowbit Set || url,exploit-db.com/exploits/17278/ || url,securitytracker.com/id/1025530 +1 || 2012814 || 3 || attempted-user || 0 || ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt || url,exploit-db.com/exploits/17278/ || url,securitytracker.com/id/1025530 +1 || 2012815 || 3 || bad-unknown || 0 || ET DELETED FAKEAV Scanner Landing Page (Initializing Virus Protection System...) +1 || 2012816 || 8 || bad-unknown || 0 || ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing || url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012817 || 4 || bad-unknown || 0 || ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing || url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 +1 || 2012818 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager Blind SQL Injection Attempt || url,www.exploit-db.com/exploits/17304/ || cve,2011-0960 +1 || 2012819 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager advancedfind.do Reflective XSS Attempt || url,www.exploit-db.com/exploits/17304/ || cve,2011-0959 +1 || 2012820 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager deviceInstanceName Reflective XSS Attempt || url,www.exploit-db.com/exploits/17304/ || cve,2011-0959 +1 || 2012821 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon Reflective XSS Attempt || url,www.exploit-db.com/exploits/17304/ || cve,2011-0959 +1 || 2012822 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager eventmon_wrapper.jsp Reflective XSS Attempt || url,www.exploit-db.com/exploits/17304/ || cve,2011-0959 +1 || 2012823 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Unified Operations Manager clusterName Reflective XSS Attempt || url,www.exploit-db.com/exploits/17304/ || cve,2011-0959 +1 || 2012824 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cisco Common Services Framework Reflective XSS Attempt || url,www.exploit-db.com/exploits/17304/ || cve,2011-0962 +1 || 2012825 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CiscoWorks Help Servlet Reflective XSS Attempt || url,www.exploit-db.com/exploits/17304/ || cve,2011-0961 +1 || 2012826 || 1 || bad-unknown || 0 || ET DNS DNS Query to a Suspicious *.vv.cc domain +1 || 2012827 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.vv.cc domain +1 || 2012828 || 2 || trojan-activity || 0 || ET TROJAN Win32/Rimecud download || url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Rimecud.A +1 || 2012829 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_hello SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt +1 || 2012830 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_hello DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt +1 || 2012831 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_hello UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt +1 || 2012832 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_hello INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt +1 || 2012833 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_hello UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/101251/joomlahelo-sql.txt +1 || 2012834 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ChillyCMS mod Parameter Blind SQL Injection Attempt || url,packetstormsecurity.org/files/view/89665/chillycms-sql.txt || url,exploit-db.com/exploits/12643 +1 || 2012835 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS f-fileman direkt Parameter Directory Traversal Vulnerability || url,packetstormsecurity.org/files/view/101212/ffileman-traversal.txt +1 || 2012836 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt || url,1337day.com/exploits/12148 +1 || 2012837 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/94593/joomlamgm-rfi.txt || url,securityreason.com/wlb_show/WLB-2010100045 +1 || 2012838 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt || url,exploit-db.com/exploits/17299 +1 || 2012839 || 4 || trojan-activity || 0 || ET TROJAN Trojan-Downloader.Win32.Small Checkin || url,threatexpert.com/report.aspx?md5=48432bdd116dccb684c8cef84579b963 +1 || 2012841 || 5 || attempted-user || 0 || ET TROJAN Incognito Exploit Kit Checkin || url,blog.fireeye.com/research/2011/03/the-rise-of-incognito.html +1 || 2012842 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Xyligan Checkin || url,www.threatexpert.com/report.aspx?md5=bfbc0b106a440c111a42936906d36643 || url,www.threatexpert.com/report.aspx?md5=2190a2c0a3775bc9c60629ec2eb6f3b9 +1 || 2012843 || 3 || policy-violation || 0 || ET POLICY Cleartext WordPress Login +1 || 2012844 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request || url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/ +1 || 2012845 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request || url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/ +1 || 2012846 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2 || url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/ +1 || 2012847 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3 || url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/ +1 || 2012848 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI || url,www.met.police.uk/mobilephone/imei.htm +1 || 2012849 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Possible Mobile Malware POST of IMSI International Mobile Subscriber Identity in URI || url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi +1 || 2012850 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server || url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html +1 || 2012851 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication || url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html +1 || 2012852 || 4 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication || url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html +1 || 2012853 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication || url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html +1 || 2012854 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Merogo User Agent || url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html +1 || 2012855 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server || url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html +1 || 2012856 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server || url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html +1 || 2012857 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server || url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html +1 || 2012858 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server || url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html +1 || 2012859 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server || url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html +1 || 2012860 || 4 || bad-unknown || 0 || ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0 || url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html +1 || 2012861 || 4 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0 || url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html +1 || 2012862 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SslCrypt Server Communication || url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html +1 || 2012863 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SslCrypt Server Communication || url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html +1 || 2012864 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SslCrypt Server Communication || url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html +1 || 2012865 || 10 || trojan-activity || 0 || ET TROJAN Vinself Backdoor Checkin || url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html +1 || 2012866 || 2 || attempted-admin || 0 || ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt || bid,47976 +1 || 2012867 || 3 || trojan-activity || 0 || ET TROJAN Clicker.Win32.AutoIt.ai Checkin || url,www.threatexpert.com/report.aspx?md5=39d0dbe4f6923ed36864ae339f558963 +1 || 2012868 || 3 || policy-violation || 0 || ET POLICY HTTP Outbound Request containing a password +1 || 2012869 || 2 || policy-violation || 0 || ET POLICY HTTP Outbound Request containing a pass field +1 || 2012870 || 2 || policy-violation || 0 || ET POLICY HTTP Outbound Request contains pw +1 || 2012871 || 4 || trojan-activity || 0 || ET TROJAN Gozi posting form data +1 || 2012872 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script SELECT FROM SQL Injection Attempt || url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201 +1 || 2012873 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script DELETE FROM SQL Injection Attempt || url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201 +1 || 2012874 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UNION SELECT SQL Injection Attempt || url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201 +1 || 2012875 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script INSERT INTO SQL Injection Attempt || url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201 +1 || 2012876 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TCExam tce_xml_user_results.php script UPDATE SET SQL Injection Attempt || url,autosectools.com/Advisory/TCExam-11.1.029-SQL-Injection-201 +1 || 2012877 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 HANDLERS_DIRECTORY Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt +1 || 2012878 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 IMAGES_DIRECTORY Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt +1 || 2012879 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 imgp Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt +1 || 2012880 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 trackback_url Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt +1 || 2012881 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS e107 permLink Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/100565/e1070725-xssrfi.txt +1 || 2012882 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Poison.AU checkin || url,www.threatexpert.com/report.aspx?md5=4b8adc7612e984d12b77f197c59827a2 +1 || 2012883 || 6 || bad-unknown || 0 || ET DELETED MALVERTISING Malicious Advertizing URL in.cgi +1 || 2012884 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param || url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ || cve,CVE-2010-4452 +1 || 2012885 || 3 || policy-violation || 0 || ET POLICY Http Client Body contains password= in cleartext +1 || 2012886 || 3 || policy-violation || 0 || ET POLICY Http Client Body contains passwd= in cleartext +1 || 2012887 || 3 || policy-violation || 0 || ET POLICY Http Client Body contains pass= in cleartext +1 || 2012888 || 3 || policy-violation || 0 || ET POLICY Http Client Body contains pwd= in cleartext +1 || 2012889 || 3 || policy-violation || 0 || ET POLICY Http Client Body contains pw= in cleartext +1 || 2012890 || 3 || policy-violation || 0 || ET POLICY Http Client Body contains passphrase= in cleartext +1 || 2012891 || 3 || policy-violation || 0 || ET POLICY Http Client Body contains pword= in cleartext +1 || 2012892 || 2 || trojan-activity || 0 || ET TROJAN JKDDOS Bot CnC Phone Home Message || url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry/ || url,www.threatexpert.com/report.aspx?md5=d6b3baae9fb476f0cf3196e556cab348 +1 || 2012893 || 2 || trojan-activity || 0 || ET USER_AGENTS Known Skunkx DDOS Bot User-Agent Cyberdog || url,asert.arbornetworks.com/2011/03/skunkx-ddos-bot-analysis/ +1 || 2012894 || 4 || trojan-activity || 0 || ET TROJAN Dropper.Win32.Agent.bpxo Checkin || url,www.threatexpert.com/report.aspx?md5=02e447b347a90680e03c8b7d843a8e46 || url,www.antivirus365.org/PCAntivirus/37128.html +1 || 2012895 || 2 || trojan-activity || 0 || ET TROJAN Dropper.Win32.Agent.ahju Checkin || url,www.threatexpert.com/report.aspx?md5=48ad09c574a4bd3bb24d007005382e63 || url,www.threatexpert.com/report.aspx?md5=a264690a775a4e1b3d91c2dbcd850ce9 +1 || 2012896 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.ae.am domain +1 || 2012897 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.noc.su domain +1 || 2012898 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.be.ma domain +1 || 2012899 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.qc.cx domain +1 || 2012900 || 2 || bad-unknown || 0 || ET DNS DNS Query for a Suspicious *.ae.am domain +1 || 2012901 || 2 || bad-unknown || 0 || ET DNS DNS Query for a Suspicious *.noc.su domain +1 || 2012902 || 3 || bad-unknown || 0 || ET DNS DNS Query for a Suspicious *.be.ma domain +1 || 2012903 || 2 || bad-unknown || 0 || ET DNS DNS Query for a Suspicious *.qc.cx domain +1 || 2012904 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server || url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html +1 || 2012905 || 2 || attempted-user || 0 || ET ACTIVEX Magneto ICMP ActiveX ICMPSendEchoRequest Remote Code Execution Attempt || url,www.exploit-db.com/exploits/17328/ +1 || 2012906 || 3 || misc-activity || 0 || ET WEB_CLIENT Download of PDF With Uncompressed Flash Content flowbit set || url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader || url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/ +1 || 2012907 || 3 || misc-activity || 0 || ET WEB_CLIENT Download of PDF With Compressed Flash Content || url,www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader || url,blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/ +1 || 2012908 || 3 || bad-unknown || 0 || ET TROJAN Backdoor Win32/Begman.A Checkin || url,support.clean-mx.de/clean-mx/view_joebox.php?md5=2eb07de0ccaed89cd099fe61e6ae689e&id=766255/ || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FBegman.A || url,www.virustotal.com/file-scan/report.html?id=0bb86bf59dd554f98194b23a16b96f873ddab8cbe11de627415ff81facd84f48-1299508248 || url,anubis.iseclab.org/?action=result&task_id=138559df2a6ed04a401366a9c60e2e1cf&format=txt +1 || 2012909 || 3 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent Fragment (WORKED) +1 || 2012910 || 6 || trojan-activity || 0 || ET DELETED CPL Trojan Downloader Request +1 || 2012911 || 2 || policy-violation || 0 || ET POLICY URL Contains password Parameter +1 || 2012912 || 2 || policy-violation || 0 || ET POLICY URL Contains passwd Parameter +1 || 2012913 || 2 || policy-violation || 0 || ET POLICY URL Contains pass Parameter +1 || 2012914 || 2 || policy-violation || 0 || ET POLICY URL Contains pwd Parameter +1 || 2012915 || 2 || policy-violation || 0 || ET POLICY URL Contains pw Parameter +1 || 2012916 || 3 || policy-violation || 0 || ET POLICY URL Contains passphrase Parameter +1 || 2012917 || 2 || policy-violation || 0 || ET POLICY URL Contains pword Parameter +1 || 2012918 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible TDSS Trojan GET with xxxx_ string +1 || 2012919 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nagios Expand Parameter XSS Attempt || bid,48087 +1 || 2012921 || 2 || trojan-activity || 0 || ET TROJAN Possible TDSS Base64 Encoded Command 1 +1 || 2012922 || 2 || trojan-activity || 0 || ET TROJAN Possible TDSS Base64 Encoded Command 2 +1 || 2012923 || 2 || trojan-activity || 0 || ET TROJAN Possible TDSS Base64 Encoded Command 3 +1 || 2012924 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt || url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html +1 || 2012925 || 2 || shellcode-detect || 0 || ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt +1 || 2012926 || 3 || attempted-dos || 0 || ET WEB_SERVER Apache APR apr_fnmatch Stack Overflow Denial of Service || cve,2011-0419 || url,cxib.net/stuff/apr_fnmatch.txt || url,bugzilla.redhat.com/show_bug.cgi?id=703390 +1 || 2012927 || 4 || bad-unknown || 0 || ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns.* domain +1 || 2012928 || 7 || bad-unknown || 0 || ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain +1 || 2012929 || 2 || attempted-user || 0 || ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909 || bid,48081 || cve,2011-2039 || cve,2011-2040 +1 || 2012930 || 3 || attempted-user || 0 || ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt || url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909 || bid,48081 || cve,2011-2039 || cve,2011-2040 +1 || 2012931 || 4 || trojan-activity || 0 || ET TROJAN Generic Dropper/Clicker Checkin +1 || 2012932 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Suspicious Email Attachment Possibly Related to Mydoom.L@mm || url,www.symantec.com/security_response/writeup.jsp?docid=2004-071915-0829-99&tabid=2 || url,www.threatexpert.com/report.aspx?md5=28110a8ea5c13859ddf026db5a8a864a +1 || 2012933 || 3 || policy-violation || 0 || ET POLICY Smilebox Software/Adware Checkin || url,www.smilebox.com/privacy-policy.html +1 || 2012934 || 4 || trojan-activity || 0 || ET TROJAN Generic adClicker Checkin +1 || 2012935 || 6 || policy-violation || 0 || ET POLICY Google Music Streaming || url,music.google.com/about +1 || 2012936 || 3 || trojan-activity || 0 || ET SCAN ZmEu Scanner User-Agent Inbound +1 || 2012937 || 2 || trojan-activity || 0 || ET SCAN Internal Dummy Connection User-Agent Inbound +1 || 2012938 || 2 || denial-of-service || 0 || ET DOS IBM Tivoli Endpoint Buffer Overflow Attempt || url, zerodayinitiative.com/advisories/ZDI-11-169/ +1 || 2012939 || 7 || trojan-activity || 0 || ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin +1 || 2012940 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request +1 || 2012941 || 7 || attempted-user || 0 || ET CURRENT_EVENTS Phoenix Exploit Kit Newplayer.pdf || cve,2009-4324 || url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp +1 || 2012942 || 7 || attempted-user || 0 || ET CURRENT_EVENTS Phoenix Exploit Kit Printf.pdf || cve,2008-2992 || url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp +1 || 2012943 || 7 || attempted-user || 0 || ET CURRENT_EVENTS Phoenix Exploit Kit Geticon.pdf || url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp +1 || 2012944 || 7 || attempted-user || 0 || ET CURRENT_EVENTS Phoenix Exploit Kit All.pdf || url,www.m86security.com/labs/i/Phoenix-Exploit-Kit-2-0,trace.1427~.asp +1 || 2012945 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS nvisionix Roaming System sessions.php script Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/101786/nvisionix-lfi.txt +1 || 2012946 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt || bugtraq,46781 +1 || 2012947 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt || url,1337day.com/exploits/16237 +1 || 2012948 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/17338 +1 || 2012949 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Opencadastre soustab.php script Local File Inclusion Vulnerability || url,hack0wn.com/view.php?xroot=1440.0&cat=exploits +1 || 2012950 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openscrutin droit.class.php path_om Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt +1 || 2012951 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openscrutin collectivite.class.php path_om Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt +1 || 2012952 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openscrutin utilisateur.class.php path_om Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt +1 || 2012953 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openscrutin courrier.class.php path_om Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt +1 || 2012954 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openscrutin profil.class.php path_om Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/88613/openscrutin-rfilfi.txt +1 || 2012955 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.co.tv domain +1 || 2012956 || 2 || bad-unknown || 0 || ET DNS DNS Query for a Suspicious *.co.tv domain +1 || 2012957 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.ZZSlash/Redosdru.E checkin || url,www.threatexpert.com/report.aspx?md5=3b0299d72c853f56a1595c855776f89f || url,www.threatexpert.com/report.aspx?md5=adc3a35d1244c9129be6edd6ccfaec5b +1 || 2012958 || 5 || trojan-activity || 0 || ET DELETED MacDefender OS X Fake AV Scareware || url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html +1 || 2012959 || 3 || trojan-activity || 0 || ET TROJAN MacShield User-Agent Likely Malware || url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html +1 || 2012960 || 8 || trojan-activity || 0 || ET TROJAN Trojan.Vaklik.kku Checkin Request || url,threatexpert.com/report.aspx?md5=47a6dd02ee197f82b28cee0ab2b9bd35 || url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f || url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad +1 || 2012961 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Vaklik.kku Checkin Response || url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f || url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad +1 || 2012962 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible 0x0a0a0a0a Heap Spray Attempt +1 || 2012963 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible 0x0b0b0b0b Heap Spray Attempt +1 || 2012964 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible 0x0c0c0c0c Heap Spray Attempt +1 || 2012965 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible 0x0d0d0d0d Heap Spray Attempt +1 || 2012966 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible %0d%0d%0d%0d Heap Spray Attempt || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012967 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible %u0d%u0d%u0d%u0d UTF-8 Heap Spray Attempt || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012968 || 3 || shellcode-detect || 0 || ET SHELLCODE Possible %u0d0d%u0d0d UTF-16 Heap Spray Attempt || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012969 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Vertical Slash Unicode Heap Spray Attempt || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012970 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible Backslash Unicode Heap Spray Attempt || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2012971 || 2 || trojan-activity || 0 || ET TROJAN W32.Qakbot Update Request || url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf || url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99 +1 || 2012972 || 2 || trojan-activity || 0 || ET TROJAN W32.Qakbot Request for Compromised FTP Sites || url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf || url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99 +1 || 2012973 || 3 || trojan-activity || 0 || ET TROJAN W32.Qakbot Webpage Infection Routine POST || url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf || url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99 +1 || 2012974 || 2 || trojan-activity || 0 || ET TROJAN W32.Qakbot .cb File Extention FTP Upload || url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf || url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99 +1 || 2012975 || 2 || trojan-activity || 0 || ET TROJAN W32.Qakbot Seclog FTP Upload || url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf || url,www.symantec.com/security_response/writeup.jsp?docid=2009-050707-0639-99 +1 || 2012976 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS HP Insight Diagnostics Online Edition search.php XSS Attempt || bid,45420 || cve,2010-4111 +1 || 2012977 || 2 || attempted-recon || 0 || ET WEB_SPECIFIC_APPS Possible Oracle GlassFish Server Administration Console Authentication Bypass Attempt || url,www.coresecurity.com/content/oracle-glassfish-server-administration-console-authentication-bypass || bid,47818 || cve,2011-1511 +1 || 2012978 || 2 || attempted-user || 0 || ET WEB_CLIENT Adobe Audition Malformed Session File Buffer Overflow Attempt || url,www.coresecurity.com/content/Adobe-Audition-malformed-SES-file || bid,47838 || cve,2011-0615 +1 || 2012979 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible ZOHO ManageEngine ADSelfService Captcha Bypass Attempt || url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities || cve,2010-3272 +1 || 2012980 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ZOHO ManageEngine ADSelfService Employee Search XSS Attempt || url,www.coresecurity.com/content/zoho-manageengine-vulnerabilities || cve,2010-3274 +1 || 2012981 || 3 || trojan-activity || 0 || ET TROJAN Possible FakeAV Binary Download (Security) +1 || 2012982 || 3 || not-suspicious || 0 || ET SMTP Abuseat.org Block Message +1 || 2012986 || 2 || not-suspicious || 0 || ET SMTP Robtex.com Block Message +1 || 2012987 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt +1 || 2012988 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt +1 || 2012989 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt +1 || 2012990 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt +1 || 2012991 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TEDE Simplificado processaPesquisa.php script UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/101876/tedesimplificado-sql.txt +1 || 2012992 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nakid CMS CKEditorFuncNum parameter Cross Site Scripting Attempt || url,autosectools.com/Advisory/Nakid-CMS-1.0.2-Reflected-Cross-site-Scripting-230 +1 || 2012993 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PEAR include_path Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/86292/pear-rfi.txt +1 || 2012994 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PEAR_PHPDIR Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/86292/pear-rfi.txt +1 || 2012995 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability || url,exploit-db.com/exploits/16001 +1 || 2012996 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt || url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt +1 || 2012997 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible http Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2012998 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible https Local File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2012999 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible ftp Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013000 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible ftps Local File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013001 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013002 || 5 || web-application-attack || 0 || ET WEB_SERVER PHP Possible file Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013003 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible data Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013004 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible glob Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013005 || 5 || web-application-attack || 0 || ET WEB_SERVER PHP Possible phar Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013006 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible ssh2 Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013007 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible rar Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013008 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible ogg Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013009 || 4 || web-application-attack || 0 || ET WEB_SERVER PHP Possible expect Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013010 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Request to malicious info.php drive-by landing +1 || 2013011 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie +1 || 2013012 || 4 || bad-unknown || 0 || ET DELETED MALVERTISING SL_*_0000 JavaScript redirect +1 || 2013013 || 3 || policy-violation || 0 || ET POLICY StumbleUpon Submission Detected +1 || 2013014 || 5 || web-application-attack || 0 || ET WEB_SERVER PHP Possible zlib Remote File Inclusion Attempt || cve,2002-0953 || url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/ +1 || 2013015 || 2 || policy-violation || 0 || ET CURRENT_EVENTS HTTP Request to Illegal Drug Sales Site (SilkRoad) +1 || 2013016 || 2 || policy-violation || 0 || ET DNS DNS Query for Illegal Drug Sales Site (SilkRoad) +1 || 2013017 || 4 || trojan-activity || 0 || ET TROJAN Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related || url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2 || url,doc.emergingthreats.net/2009987 +1 || 2013018 || 5 || trojan-activity || 0 || ET POLICY HTMLGET User Agent Detected - Often Linux utility based || url,mtc.sri.com/iPhone/ +1 || 2013019 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Iphone iKee.B Checkin || url,mtc.sri.com/iPhone/ +1 || 2013020 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE DroidKungFu Checkin || url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html || url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/ || url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html +1 || 2013021 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information +1 || 2013022 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE DroidKungFu Checkin 2 || url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html || url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/ || url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html +1 || 2013023 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE DNS Query for gongfu-android.com DroidKungFu CnC Server || url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html || url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/ || url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html +1 || 2013024 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit kit mario.jar +1 || 2013025 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing +1 || 2013026 || 2 || trojan-activity || 0 || ET TROJAN Secure-Soft.Stealer Checkin || url,www.threatexpert.com/report.aspx?md5=c86923d90ef91653b0a61eb2fbfae202 || url,www.threatexpert.com/report.aspx?md5=0a52131eebbee1df877767875ab32352 +1 || 2013027 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Java/PDF Exploit kit initial landing +1 || 2013028 || 4 || attempted-recon || 0 || ET POLICY curl User-Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013029 || 2 || attempted-recon || 0 || ET DELETED Java User Agent || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013030 || 3 || attempted-recon || 0 || ET POLICY libwww-perl User-Agent || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013031 || 3 || attempted-recon || 0 || ET POLICY Python-urllib/ Suspicious User Agent || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013032 || 2 || attempted-recon || 0 || ET USER_AGENTS EmailSiphon Suspicious User-Agent Inbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013033 || 3 || attempted-recon || 0 || ET USER_AGENTS EmailSiphon Suspicious User-Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013034 || 4 || trojan-activity || 0 || ET TROJAN WebToolbar.Win32.WhenU.r Reporting || url,threatexpert.com/report.aspx?md5=27867435a1b6b3f35daf13faac6f77b7 +1 || 2013035 || 3 || misc-activity || 0 || ET POLICY Java Client HTTP Request +1 || 2013036 || 7 || trojan-activity || 0 || ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby +1 || 2013037 || 7 || trojan-activity || 0 || ET POLICY Java EXE Download +1 || 2013038 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn || url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2 +1 || 2013039 || 5 || trojan-activity || 0 || ET DELETED Android.Tonclank Sending Device Information || url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2 +1 || 2013040 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android.Tonclank JAR File Download || url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2 +1 || 2013042 || 6 || trojan-activity || 0 || ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST || url,www.csc.ncsu.edu/faculty/jiang/Plankton/ || url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2 +1 || 2013043 || 4 || trojan-activity || 0 || ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body || url,www.csc.ncsu.edu/faculty/jiang/Plankton/ || url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2 +1 || 2013044 || 4 || trojan-activity || 0 || ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL || url,www.csc.ncsu.edu/faculty/jiang/Plankton/ || url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2 +1 || 2013045 || 2 || trojan-activity || 0 || ET TROJAN DLoader File Download Request Activity || url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml || url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB || url,www.threatexpert.com/report.aspx?md5=3310259795b787210dd6825e7b6d6d28 || url,www.threatexpert.com/report.aspx?md5=12554e7f2e78daf26e73a2f92d01e7a7 || url,www.threatexpert.com/report.aspx?md5=7af2097d75869aa5aa656cd6e523c8b3 +1 || 2013046 || 3 || trojan-activity || 0 || ET TROJAN DLoader PWS Module Data Upload Activity || url,www.f-secure.com/v-descs/trojan-downloader_w32_kdv176347.shtml || url,about-threats.trendmicro.com/malware.aspx?language=us&name=TROJ_VBKRYPT.CB || url,www.threatexpert.com/report.aspx?md5=3310259795b787210dd6825e7b6d6d28 || url,www.threatexpert.com/report.aspx?md5=12554e7f2e78daf26e73a2f92d01e7a7 || url,www.threatexpert.com/report.aspx?md5=7af2097d75869aa5aa656cd6e523c8b3 +1 || 2013047 || 4 || trojan-activity || 0 || ET TROJAN DonBot Checkin || url,labs.m86security.com/2011/06/new-bots-old-bots-ii-donbot/ +1 || 2013048 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable +1 || 2013049 || 2 || attempted-recon || 0 || ET WEB_SERVER Binget PHP Library User Agent Inbound || url,www.bin-co.com/php/scripts/load/ || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013050 || 2 || attempted-recon || 0 || ET USER_AGENTS Binget PHP Library User Agent Outbound || url,www.bin-co.com/php/scripts/load/ || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013051 || 2 || attempted-recon || 0 || ET WEB_SERVER pxyscand Suspicious User Agent Inbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013052 || 2 || attempted-recon || 0 || ET USER_AGENTS pxyscand/ Suspicious User Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013053 || 2 || attempted-recon || 0 || ET WEB_SERVER PyCurl Suspicious User Agent Inbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013054 || 2 || attempted-recon || 0 || ET USER_AGENTS PyCurl Suspicious User Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013055 || 2 || attempted-recon || 0 || ET POLICY Peach C++ Library User Agent Inbound || url,www.useragentstring.com/pages/useragentstring.php || url,www.useragentstring.com/Peach1.01_id_12276.php +1 || 2013056 || 4 || attempted-recon || 0 || ET POLICY Peach C++ Library User Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php || url,www.useragentstring.com/Peach1.01_id_12276.php +1 || 2013057 || 3 || attempted-recon || 0 || ET WEB_SERVER Inbound PHP User-Agent || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013058 || 3 || attempted-recon || 0 || ET WEB_SERVER Outbound PHP User-Agent || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013059 || 3 || bad-unknown || 0 || ET POLICY BitCoin +1 || 2013060 || 3 || web-application-attack || 0 || ET DELETED Client Visiting Sidename.js Injected Website - Malware Related || url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html +1 || 2013061 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer || url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html +1 || 2013062 || 2 || trojan-activity || 0 || ET TROJAN MacShield FakeAV CnC Communication || url,blog.trendmicro.com/obfuscated-ip-addresses-and-affiliate-ids-in-mac-fakeav/ +1 || 2013063 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE DroidKungFu Checkin 3 || url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html || url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/ || url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html || url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/ +1 || 2013064 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Tracur.Q HTTP Communication || url,xml.ssdsandbox.net/view/d2afc3be7357f96834ec684ab329d7e2 +1 || 2013065 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt || url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617 +1 || 2013066 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute || url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ || cve,CVE-2010-4452 +1 || 2013067 || 2 || trojan-activity || 0 || ET DELETED Win32/Fynloski Backdoor Keepalive Message || url,www.threatexpert.com/report.aspx?md5=baca8170608c189e2911dc4e430c7719 +1 || 2013068 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible GRANT TO SQL Injection Attempt || url,beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm +1 || 2013069 || 3 || attempted-user || 0 || ET WEB_CLIENT Adobe Shockwave rcsL Chunk Remote Code Execution Attempt || url,www.abysssec.com/blog/2010/10/adobe-shockwave-player-rcsl-chunk-memory-corruption-0day/ || bid,42682 || cve,2010-2873 +1 || 2013070 || 3 || attempted-user || 0 || ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt || url,www.exploit-db.com/moaub-22-adobe-shockwave-director-tsac-chunk-memory-corruption/ +1 || 2013071 || 4 || trojan-activity || 0 || ET TROJAN Dropper.MSIL.Agent.ate Checkin || url,threatexpert.com/report.aspx?md5=4860e53b7e71cd57956e10ef48342b5f +1 || 2013072 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android.HongTouTou Checkin || url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html +1 || 2013073 || 4 || trojan-activity || 0 || ET TROJAN Win32.Meredrop Checkin || url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070 +1 || 2013075 || 9 || bad-unknown || 0 || ET CURRENT_EVENTS Large DNS Query possible covert channel +1 || 2013076 || 7 || trojan-activity || 0 || ET TROJAN Zeus Bot GET to Google checking Internet connectivity || url,www.secureworks.com/research/threats/zeus/?threat=zeus || url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html +1 || 2013077 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10 +1 || 2013078 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message || url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html +1 || 2013079 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download || url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html +1 || 2013080 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter SELECT FROM SQL Injection Attempt || bugtraq,46048 +1 || 2013081 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter DELETE FROM SQL Injection Attempt || bugtraq,46048 +1 || 2013082 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UNION SELECT SQL Injection Attempt || bugtraq,46048 +1 || 2013083 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter INSERT INTO SQL Injection Attempt || bugtraq,46048 +1 || 2013084 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP link Directory sbcat_id Parameter UPDATE SET SQL Injection Attempt || bugtraq,46048 +1 || 2013085 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BLOG CMS nsextt parameter Cross Site Scripting Vulnerability || url,seclists.org/bugtraq/2011/Jun/59 +1 || 2013086 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin sortorder parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/102001/xperience-xss.txt +1 || 2013087 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS impressCMS FCKeditor root_path Parameter Remote File inclusion Attempt || url,1337day.com/exploits/16001 +1 || 2013088 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS impressCMS tinymce root_path Parameter Remote File inclusion Attempt || url,1337day.com/exploits/16001 +1 || 2013089 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt || url,1337day.com/exploits/16001 +1 || 2013090 || 10 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112 || url,www.contextis.com/research/blog/darkcometrat/ || url,www.eff.org/deeplinks/2012/08/syrian-malware-post || md5,a2f58a4215441276706f18519dae9102 +1 || 2013091 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Fynloski.A Checkin Inbound || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112 || url,www.contextis.com/research/blog/darkcometrat/ +1 || 2013092 || 4 || trojan-activity || 0 || ET TROJAN VBKrypt.cmtp Login to Server || url,vil.nai.com/vil/content/v_377875.htm +1 || 2013093 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Clickfraud Framework Request +1 || 2013094 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex +1 || 2013095 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt || bid,48087 || cve,2011-2179 +1 || 2013096 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain +1 || 2013097 || 7 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain +1 || 2013098 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded +1 || 2013099 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive useredit script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013100 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive roleedit script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013101 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive userlist script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013102 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive deleteArtifact script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013103 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013104 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive deleteNetworkProxy script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013105 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive addRepository script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc xss.txt +1 || 2013106 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive confirmDeleteRepository script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc xss.txt +1 || 2013107 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive editAppearance script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013108 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive addLegacyArtifactPath.action Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013109 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive addNetworkProxy script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013110 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive networkProxies script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013111 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive legacyArtifactPath script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013112 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Archive configureAppearance script Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/101797/apachearchivapoc-xss.txt +1 || 2013113 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Campaign Log.txt Request || cve,2011-2110 || url,blog.fireeye.com/research/2011/06/old-wine-in-a-new-bottle.html +1 || 2013114 || 2 || trojan-activity || 0 || ET TROJAN Win32.Vilsel Checkin || url,www.malware-control.com/statics-pages/5de2e2f56e5277cfe3d44299ab496648.php || url,www.malware-control.com/statics-pages/87290c3019b7dbac0d7d2e15f03572ba.php +1 || 2013115 || 3 || attempted-recon || 0 || ET WEB_SERVER Muieblackcat scanner +1 || 2013116 || 5 || attempted-recon || 0 || ET SCAN Potential muieblackcat scanner double-URI and HTTP library +1 || 2013117 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Tomcat Sort Paramter Cross Site Scripting Attempt || bid,45015 || cve,2010-4172 +1 || 2013118 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Apache Tomcat Orderby Paramter Cross Site Scripting Attempt || bid,45015 || cve,2010-4172 +1 || 2013119 || 2 || attempted-user || 0 || ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt || bid,48393 +1 || 2013120 || 1 || denial-of-service || 0 || ET SCADA Siemens FactoryLink 8 CSService Logging Buffer Overflow Vulnerability || url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt +1 || 2013121 || 3 || trojan-activity || 0 || ET DELETED Win32.VB.OWR Checkin || url,www.threatexpert.com/report.aspx?md5=7684532e7e1d717427f6842e9d5ecd56 || url,anubis.iseclab.org/?action=result&task_id=1ac5dbffd86ddd7f49da78a66fbeb6c37&format=txt +1 || 2013122 || 5 || trojan-activity || 0 || ET TROJAN Vilsel.ayjv Checkin (aid) +1 || 2013123 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.co.be domain +1 || 2013124 || 3 || bad-unknown || 0 || ET DNS DNS Query for Suspicious .co.be Domain +1 || 2013125 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SoftMP3 search Parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/17209 +1 || 2013126 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SoftMP3 search Parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/17209 +1 || 2013127 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/17209 +1 || 2013128 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SoftMP3 search Parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/17209 +1 || 2013129 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SoftMP3 search Parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/17209 +1 || 2013130 || 2 || attempted-user || 0 || ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit || url,exploit-db.com/exploits/17415/ || cve,2008-2683 +1 || 2013131 || 2 || attempted-user || 0 || ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit || url,exploit-db.com/exploits/17416 +1 || 2013132 || 2 || attempted-user || 0 || ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit || url,exploit-db.com/exploits/17416 +1 || 2013133 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin vBTube vidid Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt +1 || 2013134 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS vBulletin vBTube uname Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/102238/vbtube129-xss.txt +1 || 2013135 || 1 || trojan-activity || 0 || ET TROJAN FakeAV FakeAlert.Rena.n Checkin Flowbit set +1 || 2013136 || 6 || trojan-activity || 0 || ET TROJAN FakeAV FakeAlertRena.n Checkin Response from Server +1 || 2013137 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page || url,stopmalvertising.com/malware-reports/all-ur-swf-bel0ng-2-us-analysis-of-cve-2011-2110.html || bid,48268 || cve,2011-2110 +1 || 2013138 || 8 || trojan-activity || 0 || ET MOBILE_MALWARE XML Style POST Of IMEI International Mobile Equipment Identity || url,www.met.police.uk/mobilephone/imei.htm +1 || 2013139 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity || url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi +1 || 2013140 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message || url,blog.fortinet.com/symbosyxes-goes-version-2/ +1 || 2013141 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download || url,blog.fortinet.com/symbosyxes-goes-version-2/ +1 || 2013142 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message || url,blog.fortinet.com/symbosyxes-goes-version-2/ +1 || 2013143 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message || url,blog.fortinet.com/symbosyxes-goes-version-2/ +1 || 2013144 || 2 || attempted-user || 0 || ET WEB_CLIENT Mozilla Firefox nsTreeSelection Element invalidateSelection Remote Code Execution Attempt || bid,41853 || cve,2010-2753 +1 || 2013145 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt +1 || 2013146 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible %u41%u41%u41%u41 UTF-8 Heap Spray Attempt +1 || 2013147 || 2 || shellcode-detect || 0 || ET SHELLCODE Possible %u4141%u4141 UTF-16 Heap Spray Attempt +1 || 2013148 || 3 || shellcode-detect || 0 || ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt +1 || 2013149 || 2 || trojan-activity || 0 || ET MALWARE RogueAntiSpyware.AntiVirusPro Checkin || url,www.threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35 +1 || 2013150 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ZyXEL ZyWALL LoginPassword/HiddenPassword Cross Site Scripting Attempt || cve,2011-2466 +1 || 2013152 || 2 || attempted-user || 0 || ET WEB_CLIENT Adobe Acrobat Util.printf Buffer Overflow Attempt || url,www.coresecurity.com/content/adobe-reader-buffer-overflow || bid,30035 || cve,2008-2992 +1 || 2013153 || 2 || attempted-user || 0 || ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt || url,www.fortiguard.com/analysis/pdfanalysis.html || bid,36600 || cve,2009-3459 +1 || 2013154 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Gbod.dv Checkin +1 || 2013155 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt || url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html +1 || 2013156 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt || url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html +1 || 2013157 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UNION SELECT SQL Injection Attempt || url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html +1 || 2013158 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter INSERT INTO SQL Injection Attempt || url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html +1 || 2013159 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter UPDATE SET SQL Injection Attempt || url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html +1 || 2013160 || 2 || attempted-user || 0 || ET ACTIVEX CygniCon CyViewer ActiveX Control SaveData Insecure Method Vulnerability || bugtraq,48483 +1 || 2013161 || 2 || attempted-user || 0 || ET ACTIVEX Ubisoft CoGSManager ActiveX Initialize method Buffer Overflow Vulnerability || url,secunia.com/advisories/45044 +1 || 2013162 || 2 || attempted-user || 0 || ET ACTIVEX Ubisoft CoGSManager ActiveX RunCore method Buffer Overflow Vulnerability || url,secunia.com/advisories/45044 +1 || 2013163 || 2 || attempted-user || 0 || ET ACTIVEX LEADTOOLS Imaging LEADSmtp ActiveX SaveMessage Method Vulnerability || bugtraq,48408 +1 || 2013164 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Webcat web_id Parameter Blind SQL Injection Vulnerability || url,exploit-db.com/exploits/17444 +1 || 2013165 || 2 || attempted-admin || 0 || ET EXPLOIT 2Wire Password Reset Vulnerability via GET || url,www.seguridad.unam.mx/doc/?ap=articulo&id=196 || url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt +1 || 2013166 || 2 || attempted-admin || 0 || ET EXPLOIT 2Wire Password Reset Vulnerability via POST || url,www.seguridad.unam.mx/doc/?ap=articulo&id=196 || url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt +1 || 2013167 || 4 || misc-activity || 0 || ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server || url,packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt || url,seclists.org/2011/Jul/6 +1 || 2013168 || 5 || trojan-activity || 0 || ET TROJAN Generic Bot Checkin || url,www.threatexpert.com/report.aspx?md5=be3aed34928cb826030b462279a1c453 +1 || 2013169 || 2 || trojan-activity || 0 || ET TROJAN Gozi Communication 2 +1 || 2013170 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.cu.cc domain +1 || 2013171 || 2 || web-application-attack || 0 || ET SCAN DominoHunter Security Scan in Progress || url,packetstormsecurity.org/files/31653/DominoHunter-0.92.zip.html +1 || 2013172 || 2 || bad-unknown || 0 || ET DNS DNS Query for a Suspicious *.cu.cc domain +1 || 2013173 || 3 || attempted-recon || 0 || ET USER_AGENTS Atomic_Email_Hunter User-Agent Inbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013174 || 3 || attempted-recon || 0 || ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound || url,www.useragentstring.com/pages/useragentstring.php +1 || 2013175 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT) || url,www.kahusecurity.com/2011/new-exploit-kit-egypack/ || url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack || url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/ +1 || 2013176 || 6 || trojan-activity || 0 || ET TROJAN EgyPack Exploit Kit Post-Infection Request || url,www.kahusecurity.com/2011/new-exploit-kit-egypack/ || url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack || url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/ +1 || 2013178 || 3 || trojan-activity || 0 || ET TROJAN Long Fake wget 3.0 User-Agent Detected +1 || 2013179 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Ponmocup C2 Malware Update before fake JPEG download || url,www9.dyndns-server.com%3a8080/pub/botnet-links.html +1 || 2013180 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Ponmocup C2 Malware Update after fake JPEG download || url,www9.dyndns-server.com%3a8080/pub/botnet-links.html +1 || 2013181 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Ponmocup Redirection from infected Website to Trojan-Downloader || url,www9.dyndns-server.com%3a8080/pub/botnet-links.html +1 || 2013182 || 1 || trojan-activity || 0 || ET TROJAN Sidetab or Related Trojan Checkin +1 || 2013183 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Known Facebook Iframe Phishing Attempt || url,www.f-secure.com/weblog/archives/00002196.html +1 || 2013184 || 5 || trojan-activity || 0 || ET TROJAN Artro Downloader User-Agent Detected || url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet +1 || 2013185 || 6 || trojan-activity || 0 || ET TROJAN Trojan-Banker.Win32.Agent Checkin || url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0 || url,www.threatexpert.com/report.aspx?md5=c8b3d2bc407b0260b40b7f97e504faa5 +1 || 2013186 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ || url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet || url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421 +1 || 2013187 || 1 || misc-activity || 0 || ET CURRENT_EVENTS Backdoor Win32/IRCbot.FJ Cnc connection dns lookup || url,www.exposedbotnets.com/2011/02/minervacdmonorgbotnet-hosted-in.html || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.FJ || url,www.threatexpert.com/report.aspx?md5=13e43c44681ba9acb8fd42217bd3dbd2 || url,www.bfk.de/bfk_dnslogger_en.html?query=minerva.cdmon.org +1 || 2013188 || 5 || attempted-admin || 0 || ET EXPLOIT VSFTPD Backdoor User Login Smiley +1 || 2013189 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Dropper HTTP POST Check-in || url,www.mywot.com/en/forum/13816-clickjacking-scam-spreading-on-facebook +1 || 2013190 || 3 || trojan-activity || 0 || ET POLICY Likely PCTools.com Installer User-Agent (Installer Ping) +1 || 2013191 || 2 || web-application-attack || 0 || ET CURRENT_EVENTS Client Visiting cssminibar.js Injected Website Malware Related || url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html +1 || 2013192 || 2 || web-application-attack || 0 || ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer || url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html +1 || 2013193 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android.CruseWin Retriving XML File from Hard Coded CnC || url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html +1 || 2013194 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server || url,www.fortiguard.com/encyclopedia/virus/android_crusewin.a!tr.html +1 || 2013195 || 2 || trojan-activity || 0 || ET MALWARE Win32.EZula Adware Reporting Sucessful Install || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FEzula.F +1 || 2013196 || 2 || trojan-activity || 0 || ET TROJAN Win32.Genome Initial Checkin +1 || 2013197 || 2 || trojan-activity || 0 || ET TROJAN Win32.Genome Download.php HTTP Request on Off Port +1 || 2013198 || 2 || trojan-activity || 0 || ET TROJAN Trojan/Hacktool.Sniffer Initial Checkin +1 || 2013199 || 4 || trojan-activity || 0 || ET TROJAN Trojan/Hacktool.Sniffer Sucessful Install Message +1 || 2013200 || 2 || trojan-activity || 0 || ET MALWARE Unknown Malware patchlist.xml Request +1 || 2013201 || 6 || trojan-activity || 0 || ET TROJAN Win32/Rodecap CnC Checkin +1 || 2013202 || 2 || trojan-activity || 0 || ET TROJAN Win32/Fosniw MacTryCnt CnC Style Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B +1 || 2013203 || 2 || trojan-activity || 0 || ET TROJAN Win32/Fosniw CnC Checkin Style 2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FFosniw.B +1 || 2013204 || 3 || trojan-activity || 0 || ET DELETED Unknown Generic Trojan Checkin +1 || 2013205 || 3 || trojan-activity || 0 || ET DELETED Win32.Hooker Checkin Message +1 || 2013206 || 3 || trojan-activity || 0 || ET TROJAN Unknown Trojan POST datan.php +1 || 2013207 || 5 || trojan-activity || 0 || ET TROJAN Trojan Internet Connectivity Check +1 || 2013208 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Mobile Malware Posting Device Phone Number +1 || 2013209 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android.Walkinwat Sending Data to CnC Server || url,us.norton.com/security_response/writeup.jsp?docid=2011-033008-4831-99&tabid=2 || url,blog.avast.com/2011/03/21/android-is-calling-walk-and-text-and-be-malicious/ +1 || 2013210 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server || url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2 +1 || 2013211 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Esion CnC Checkin || url,us.norton.com/security_response/writeup.jsp?docid=2011-052510-1535-99&tabid=2 +1 || 2013212 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Meciv Checkin || url,us.norton.com/security_response/writeup.jsp?docid=2011-070516-5325-99&tabid=2 || url,www.secureworks.com/research/threats/sindigoo/ +1 || 2013213 || 5 || misc-activity || 0 || ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org +1 || 2013214 || 2 || trojan-activity || 0 || ET TROJAN GhOst Remote Access Trojan Encrypted Session To CnC Server || url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network || url,www.symantec.com/connect/blogs/inside-back-door-attack +1 || 2013215 || 3 || trojan-activity || 0 || ET DELETED W32/Alworo CnC Checkin || url,us.norton.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2 +1 || 2013217 || 2 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com +1 || 2013218 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Specfix Checkin || url,us.norton.com/security_response/writeup.jsp?docid=2011-062203-3150-99&tabid=2 +1 || 2013219 || 3 || trojan-activity || 0 || ET DELETED Android.Ggtracker Ggtrack.org Checkin || url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2 +1 || 2013220 || 4 || misc-activity || 0 || ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8866.org || url,www.mywot.com/en/scorecard/8866.org +1 || 2013221 || 2 || trojan-activity || 0 || ET TROJAN Win32/Sefnit Initial Checkin +1 || 2013222 || 3 || shellcode-detect || 0 || ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt +1 || 2013224 || 9 || trojan-activity || 0 || ET POLICY Suspicious User-Agent Containing .exe +1 || 2013225 || 3 || trojan-activity || 0 || ET TROJAN W32/IRCBrute Checkin 2 || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-IRB/detailed-analysis.aspx +1 || 2013226 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Immophp secteur parameter Cross Site Scripting Attempt || bugtraq,48341 +1 || 2013227 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Immophp annonce parameter SELECT FROM SQL Injection Attempt || bugtraq,48341 +1 || 2013228 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Immophp annonce parameter DELETE FROM SQL Injection Attempt || bugtraq,48341 +1 || 2013229 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Immophp annonce parameter UNION SELECT SQL Injection Attempt || bugtraq,48341 +1 || 2013230 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Immophp annonce parameter INSERT INTO SQL Injection Attempt || bugtraq,48341 +1 || 2013231 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Immophp annonce parameter UPDATE SET SQL Injection Attempt || bugtraq,48341 +1 || 2013232 || 2 || attempted-user || 0 || ET ACTIVEX IDrive Online Backup ActiveX control SaveToFile Insecure Method || url,htbridge.ch/advisory/idrive_online_backup_activex_control_insecure_method.html +1 || 2013233 || 3 || attempted-user || 0 || ET ACTIVEX Chilkat Crypt ActiveX Control SaveDecrypted Insecure Method Vulnerability || bugtraq,48585 +1 || 2013234 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ActivDesk cid Parameter Blind SQL Injection Attempt || url,packetstormsecurity.org/files/view/102537/activdesk-sqlxss.txt +1 || 2013236 || 2 || trojan-activity || 0 || ET TROJAN Palevo (OUTBOUND) || url,threatexpert.com/report.aspx?md5=5f1296995c7ccba13c0c0655baf03a3a +1 || 2013237 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys +1 || 2013238 || 4 || trojan-activity || 0 || ET MOBILE_MALWARE Android/GoldDream Infected Device Registration || url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html +1 || 2013240 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval || url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html +1 || 2013241 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files || url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html +1 || 2013242 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Suspicious *.cu.cc domain +1 || 2013243 || 2 || trojan-activity || 0 || ET MALWARE SweetIM Install in Progress +1 || 2013244 || 2 || misc-activity || 0 || ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script || url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/ +1 || 2013245 || 3 || trojan-activity || 0 || ET TROJAN Ruskill/Palevo Download Command || url,www.threatexpert.com/report.aspx?md5=2d69d8d243499ab53b840c64f68cc830 || url,sebdraven.tumblr.com/post/6769853139/palevo-analysises +1 || 2013246 || 2 || trojan-activity || 0 || ET TROJAN Ruskill/Palevo CnC PONG || url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362 || url,sebdraven.tumblr.com/post/6769853139/palevo-analysises +1 || 2013247 || 5 || trojan-activity || 0 || ET TROJAN Ruskill/Palevo KCIK IRC Command || url,ore.carnivore.it/malware/hash/d4dc8459a34ea14d856e529d3a9e0362 || url,sebdraven.tumblr.com/post/6769853139/palevo-analysises +1 || 2013248 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a *.uni.cc domain +1 || 2013249 || 3 || attempted-recon || 0 || ET SCAN Vega Web Application Scan || url,www.subgraph.com/products.html || url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/ +1 || 2013250 || 3 || attempted-user || 0 || ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt || url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/ || bid,44652 || cve,2010-3333 +1 || 2013251 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Known in Wild Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt || url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/ || bid,48206 || cve,2011-1255 +1 || 2013252 || 3 || attempted-user || 0 || ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt || url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/ || bid,48206 || cve,2011-1255 +1 || 2013253 || 4 || policy-violation || 0 || ET POLICY Yandexbot Request Inbound +1 || 2013254 || 2 || trojan-activity || 0 || ET TROJAN Yandexbot Request Outbound +1 || 2013255 || 4 || trojan-activity || 0 || ET POLICY Majestic12 User-Agent Request Inbound +1 || 2013256 || 3 || trojan-activity || 0 || ET TROJAN Majestic12 User-Agent Request Outbound +1 || 2013258 || 7 || trojan-activity || 0 || ET USER_AGENTS Avzhan DDoS Bot User-Agent MyIE || url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/ || url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html +1 || 2013259 || 3 || trojan-activity || 0 || ET TROJAN Guagua Trojan Update Checkin +1 || 2013260 || 3 || trojan-activity || 0 || ET TROJAN Win32/Nekill Checkin || url,blog.emergingthreatspro.com/2011/07/bot-of-day-nekilla.html +1 || 2013261 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary || url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html +1 || 2013263 || 3 || attempted-recon || 0 || ET SCAN Nessus FTP Scan detected (ftp_anonymous.nasl) || url,www.nessus.org/plugins/index.php?view=single&id=10079 || url,osvdb.org/show/osvdb/69 +1 || 2013264 || 2 || attempted-recon || 0 || ET SCAN Nessus FTP Scan detected (ftp_writeable_directories.nasl) || url,www.nessus.org/plugins/index.php?view=single&id=19782 || url,osvdb.org/show/osvdb/76 +1 || 2013265 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin || url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html +1 || 2013266 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server || url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html +1 || 2013267 || 4 || shellcode-detect || 0 || ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013268 || 4 || shellcode-detect || 0 || ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0b0b0b0b || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013269 || 2 || shellcode-detect || 0 || ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0c0c0c0c || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013270 || 2 || shellcode-detect || 0 || ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0d0d0d0d || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013271 || 2 || shellcode-detect || 0 || ET SHELLCODE Hex Obfuscated JavaScript NOP SLED || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013272 || 3 || shellcode-detect || 0 || ET SHELLCODE Unescape Hex Obfuscated Content +1 || 2013273 || 2 || shellcode-detect || 0 || ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 41414141 || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013274 || 2 || shellcode-detect || 0 || ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0a0a0a0a || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013275 || 2 || shellcode-detect || 0 || ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0b0b0b0b || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013276 || 2 || shellcode-detect || 0 || ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0c0c0c0c || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013277 || 2 || shellcode-detect || 0 || ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 0d0d0d0d || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013278 || 2 || shellcode-detect || 0 || ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript NOP SLED || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013279 || 2 || shellcode-detect || 0 || ET SHELLCODE Double BackSlash Hex Obfuscated JavaScript Heap Spray 41414141 || url,www.darkreading.com/security/vulnerabilities/221901428/index.html +1 || 2013280 || 2 || attempted-user || 0 || ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt || url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/ || bid,44652 || cve,2010-3333 +1 || 2013281 || 2 || attempted-user || 0 || ET WEB_CLIENT Adobe Authplay.dll NewClass Memory Corruption Attempt || url,www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/ || bid,40586 || cve,2010-1297 +1 || 2013282 || 2 || attempted-user || 0 || ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt || bid,44504 || cve,2010-3654 +1 || 2013283 || 3 || trojan-activity || 0 || ET TROJAN DarkComet-RAT init connection || url,www.darkcomet-rat.com || url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt +1 || 2013284 || 3 || trojan-activity || 0 || ET TROJAN DarkComet-RAT server join acknowledgement || url,www.darkcomet-rat.com || url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt +1 || 2013285 || 2 || trojan-activity || 0 || ET TROJAN DarkComet-RAT Client Keepalive || url,www.darkcomet-rat.com +1 || 2013286 || 2 || trojan-activity || 0 || ET TROJAN Win32.Jadtre Retrieving Cfg File +1 || 2013287 || 5 || trojan-activity || 0 || ET TROJAN Papras Banking Trojan Checkin || url,www.threatexpert.com/report.aspx?md5=85d82c840f4b90fcb6d5311f501374ca +1 || 2013288 || 3 || web-application-attack || 0 || ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt || url,exploit-db.com/exploits/17536/ +1 || 2013289 || 6 || attempted-recon || 0 || ET POLICY MOBILE Apple device leaking UDID from SpringBoard || url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid || url,support.apple.com/kb/HT4061 +1 || 2013290 || 2 || attempted-recon || 0 || ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET || url,www.innerfence.com/howto/find-iphone-unique-device-identifier-udid || url,support.apple.com/kb/HT4061 +1 || 2013291 || 2 || trojan-activity || 0 || ET TROJAN Win32/Cycbot Pay-Per-Install Executable Download || url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/ +1 || 2013292 || 2 || trojan-activity || 0 || ET TROJAN Win32/Cycbot Initial Checkin to CnC || url,www.eset.com/about/blog/blog/article/cycbot-ready-to-ride/ +1 || 2013293 || 2 || trojan-activity || 0 || ET TROJAN Win32/Glupteba CnC Checkin || url,blog.eset.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs +1 || 2013294 || 2 || policy-violation || 0 || ET POLICY Self Signed SSL Certificate (Persona Not Validated) +1 || 2013295 || 2 || policy-violation || 0 || ET POLICY Self Signed SSL Certificate (Snake Oil CA) +1 || 2013296 || 3 || policy-violation || 0 || ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA) +1 || 2013297 || 3 || policy-violation || 0 || ET POLICY Free SSL Certificate (StartCom Free Certificate Member) +1 || 2013298 || 2 || bad-unknown || 0 || ET POLICY Nessus Server SSL certificate detected +1 || 2013299 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/HippoSms Method Request to CnC || url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html +1 || 2013303 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt +1 || 2013304 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt +1 || 2013305 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt +1 || 2013306 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt +1 || 2013307 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nuke Evolution Xtreme pid Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/101249/nukeevolution-sql.txt +1 || 2013308 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Remote File inclusion Attempt || url,secunia.com/advisories/43652 +1 || 2013309 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt || url,secunia.com/advisories/43652 +1 || 2013310 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt || url,secunia.com/advisories/43652 +1 || 2013311 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.dlinkddns.com domain +1 || 2013312 || 3 || bad-unknown || 0 || ET TROJAN Possible Ponmocup Driveby Download || url,www9.dyndns-server.com%3a8080/pub/botnet/r-cgi_malware_analyse.txt +1 || 2013313 || 7 || trojan-activity || 0 || ET TROJAN Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3 +1 || 2013314 || 5 || trojan-activity || 0 || ET TROJAN Phoenix Landing Page Obfuscated Javascript 2 +1 || 2013315 || 10 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits) +1 || 2013316 || 4 || trojan-activity || 0 || ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server || url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html +1 || 2013317 || 4 || trojan-activity || 0 || ET MOBILE_MALWARE Android.AdSms XML File From CnC Server || url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html +1 || 2013318 || 1 || trojan-activity || 0 || ET TROJAN Google Warning Infected Local User +1 || 2013319 || 2 || shellcode-detect || 0 || ET SHELLCODE Unicode UTF-8 Heap Spray Attempt +1 || 2013320 || 2 || shellcode-detect || 0 || ET SHELLCODE Unicode UTF-16 Heap Spray Attempt +1 || 2013321 || 2 || attempted-user || 0 || ET WEB_CLIENT Internet Explorer toStaticHTML HTML Sanitizing Information Disclosure Attempt || bid,48199 || cve,2011-1252 +1 || 2013322 || 2 || attempted-user || 0 || ET WEB_CLIENT Microsoft Visio 2003 mfc71enu.dll DLL Loading Arbitrary Code Execution Attempt || url,tools.cisco.com/security/center/viewAlert.x?alertId=23601 || url,www.microsoft.com/technet/security/bulletin/MS11-055.mspx || bid,42681 || cve,2010-3148 +1 || 2013323 || 3 || trojan-activity || 0 || ET DELETED Dictcn Trojan Downloader Update Check to CnC +1 || 2013324 || 3 || trojan-activity || 0 || ET DELETED Dictcn Trojan Downloader Receiving XML Format Update File From CnC Server +1 || 2013325 || 3 || trojan-activity || 0 || ET DELETED Dictcn Trojan Downloader Receiving XML Format Node ID File From CnC Server +1 || 2013326 || 4 || trojan-activity || 0 || ET DELETED Dictcn Trojan Downloader Node Server Type +1 || 2013327 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server || url,blog.fortinet.com/zitmo-hits-android/ +1 || 2013328 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com || url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html +1 || 2013329 || 3 || trojan-activity || 0 || ET TROJAN Ruskill CnC Download Command 1 +1 || 2013330 || 1 || trojan-activity || 0 || ET TROJAN Ruskill CnC Download Command 2 +1 || 2013331 || 1 || trojan-activity || 0 || ET TROJAN Ruskill Reporting on Local Scans +1 || 2013332 || 4 || trojan-activity || 0 || ET TROJAN FakeAV Landing Page || url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23514 +1 || 2013333 || 4 || trojan-activity || 0 || ET MALWARE Zugo.com SearchToolbar User-Agent (SearchToolbar) || url,www.zugo.com/faq/ || url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF +1 || 2013334 || 4 || not-suspicious || 0 || ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device || url,support.apple.com/kb/HT1222 || url,support.apple.com/kb/HT4824 || url,en.wikipedia.org/wiki/IOS_version_history +1 || 2013335 || 5 || not-suspicious || 0 || ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device || url,support.apple.com/kb/HT1222 || url,support.apple.com/kb/HT4824 || url,en.wikipedia.org/wiki/IOS_version_history +1 || 2013336 || 4 || not-suspicious || 0 || ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device || url,support.apple.com/kb/HT1222 || url,support.apple.com/kb/HT4825 || url,en.wikipedia.org/wiki/IOS_version_history +1 || 2013337 || 5 || trojan-activity || 0 || ET TROJAN PoisonIvy.E Keepalive to CnC || url,www.threatexpert.com/report.aspx?md5=fc414168a5b4ca074ea6e03f770659ef +1 || 2013338 || 2 || trojan-activity || 0 || ET TROJAN Bifrose Client Checkin +1 || 2013339 || 5 || trojan-activity || 0 || ET TROJAN Win32.FakeAV.Rean Checkin || url,www.threatexpert.com/report.aspx?md5=0a998a070beb287524f9be6dd650c959 +1 || 2013340 || 2 || trojan-activity || 0 || ET TROJAN FakeAV/Application JPDesk/Delf checkin || url,www.threatexpert.com/report.aspx?md5=08f116cf4feff245dca581244e4f509c +1 || 2013341 || 3 || trojan-activity || 0 || ET DELETED Trojan Dropper User-Agent Firefox/3.6.3 +1 || 2013342 || 4 || trojan-activity || 0 || ET TROJAN Win32/Sisproc Variant POST to CnC Server || url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=04dc87d4dcf12f9c05a22ab9890a6323 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisproc&ThreatID=-2147342628 +1 || 2013343 || 3 || trojan-activity || 0 || ET DELETED Backdoor W32/Phanta Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A || url,www.threatexpert.com/report.aspx?md5=0012a0b60572dfa4f42a4325507841d8 +1 || 2013344 || 4 || trojan-activity || 0 || ET TROJAN Unknown Trojan Checkin to CnC Server +1 || 2013345 || 2 || trojan-activity || 0 || ET TROJAN Win32.Pamesg/ArchSMS.HL CnC Checkin || url,www.threatexpert.com/report.aspx?md5= 00068992bc003713058a17d50d9e3e14 +1 || 2013346 || 3 || trojan-activity || 0 || ET TROJAN Unknown Trojan File Stealer FTP File Upload +1 || 2013348 || 8 || trojan-activity || 0 || ET TROJAN Zeus Bot Request to CnC 2 +1 || 2013349 || 4 || trojan-activity || 0 || ET TROJAN Connectivity Check of Unknown Origin 1 +1 || 2013350 || 3 || trojan-activity || 0 || ET TROJAN Connectivity Check of Unknown Origin 2 +1 || 2013351 || 3 || trojan-activity || 0 || ET TROJAN Connectivity Check of Unknown Origin 3 +1 || 2013352 || 3 || trojan-activity || 0 || ET TROJAN Executable Download Purporting to be JavaScript likely 2nd stage Infection +1 || 2013353 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - flickr.com.* || url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ || url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability || url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29 +1 || 2013354 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* || url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ || url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability || url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29 +1 || 2013355 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* || url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ || url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability || url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29 +1 || 2013356 || 2 || web-application-attack || 0 || ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.* || url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ || url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability || url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29 +1 || 2013357 || 1 || web-application-attack || 0 || ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* || url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ || url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability || url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29 +1 || 2013358 || 2 || web-application-attack || 0 || ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* || url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ || url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability || url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29 +1 || 2013359 || 2 || web-application-attack || 0 || ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* || url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ || url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability || url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29 +1 || 2013360 || 1 || web-application-attack || 0 || ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* || url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/ || url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability || url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29 +1 || 2013361 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS HTran/SensLiceld.A Checkin 1 || url,www.secureworks.com/research/threats/htran/ || url,www.symantec.com/connect/blogs/truth-behind-shady-rat || url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2 || url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu +1 || 2013362 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS HTran/SensLiceld.A Checkin 2 (unicode) || url,www.secureworks.com/research/threats/htran/ || url,www.symantec.com/connect/blogs/truth-behind-shady-rat || url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2 || url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu +1 || 2013363 || 4 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit Request tkr +1 || 2013364 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS windows_security_update Fake AV download +1 || 2013365 || 2 || web-application-attack || 0 || ET WEB_SERVER PUT Website Defacement Attempt +1 || 2013366 || 2 || trojan-activity || 0 || ET TROJAN FakeAV Checkin +1 || 2013367 || 4 || trojan-activity || 0 || ET TROJAN KeyloggerOnline Keylogger Checkin (kill) || url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef +1 || 2013368 || 3 || trojan-activity || 0 || ET TROJAN KeyloggerOnline Keylogger Checkin (sleep) || url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef +1 || 2013369 || 3 || trojan-activity || 0 || ET TROJAN KeyloggerOnline Keylogger Checkin (go https) || url,threatexpert.com/report.aspx?md5=06b783d348a4f9d72bf743c8262778ef +1 || 2013370 || 3 || trojan-activity || 0 || ET DELETED Unknown Trojan Checkin 1 +1 || 2013371 || 3 || trojan-activity || 0 || ET DELETED Unknown Trojan Checkin 2 +1 || 2013372 || 3 || trojan-activity || 0 || ET TROJAN Win32/Oliga Fake User Agent +1 || 2013373 || 2 || trojan-activity || 0 || ET TROJAN FakeAV oms.php Data Post +1 || 2013374 || 2 || trojan-activity || 0 || ET TROJAN FakeAV User-Agent XML +1 || 2013375 || 2 || trojan-activity || 0 || ET TROJAN W32/Nolja Trojan Downloader Initial Checkin +1 || 2013376 || 2 || trojan-activity || 0 || ET TROJAN W32/Nolja Trojan User-Agent (FileNolja) +1 || 2013377 || 2 || trojan-activity || 0 || ET TROJAN W32/Alunik User Agent Detected +1 || 2013378 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.de.ms domain +1 || 2013379 || 3 || trojan-activity || 0 || ET TROJAN Downbot/Shady Rat Remote Shell Connection || url,www.symantec.com/connect/blogs/truth-behind-shady-rat +1 || 2013380 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections +1 || 2013381 || 2 || trojan-activity || 0 || ET TROJAN W32/Sality Executable Pack Digital Signature ASCII Marker || url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf +1 || 2013382 || 3 || trojan-activity || 0 || ET TROJAN Fakealert.Rena CnC Checkin 2 || url,www.malware-control.com/statics-pages/24b9c5f59a4706689d4f9bb5f510ec35.php +1 || 2013383 || 3 || trojan-activity || 0 || ET TROJAN Fakealert.Rena CnC Checkin 1 +1 || 2013384 || 3 || trojan-activity || 0 || ET TROJAN W32/Siscos CnC Checkin +1 || 2013385 || 3 || trojan-activity || 0 || ET TROJAN Accept-encode HTTP header with UA indicating infected host +1 || 2013386 || 2 || trojan-activity || 0 || ET TROJAN W32/FakeAlert Fake Security Tool Checkin || url,threatexpert.com/reports.aspx?find=03abdc31d0f864c7b69b09d6481d3ff7 +1 || 2013387 || 4 || trojan-activity || 0 || ET POLICY User Agent Ryeol HTTP Client Class +1 || 2013388 || 4 || trojan-activity || 0 || ET MALWARE Adrevmedia Related Media Manager Spyware Checkin +1 || 2013389 || 2 || trojan-activity || 0 || ET MALWARE Adware/CommonName Reporting +1 || 2013390 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User Agent 3653Client +1 || 2013391 || 3 || trojan-activity || 0 || ET TROJAN Ufasoft bitcoin Related User-Agent +1 || 2013392 || 2 || trojan-activity || 0 || ET TROJAN W32/Hupigon.B User Agent TSDownload +1 || 2013393 || 4 || trojan-activity || 0 || ET DELETED Suspicious User-Agent FSD - Possible FakeAV Related +1 || 2013394 || 2 || trojan-activity || 0 || ET TROJAN W32/SpeedRunner User-Agent SRRemove +1 || 2013395 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent _updater_agent +1 || 2013396 || 2 || trojan-activity || 0 || ET TROJAN W32/Skintrim CnC Checkin +1 || 2013397 || 3 || trojan-activity || 0 || ET TROJAN W32/Pandex Trojan Dropper Initial Checkin +1 || 2013398 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32/Momibot Checkin || url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html +1 || 2013399 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32/Momibot Ping Checkin || url,hypersecurity.blogspot.com/2011/08/uncovering-win32momibot-communication.html +1 || 2013400 || 7 || policy-violation || 0 || ET POLICY Request to Suspicious Games at pcgame.gamedia.cn +1 || 2013401 || 2 || trojan-activity || 0 || ET TROJAN Win32/Winshow User Agent +1 || 2013402 || 3 || trojan-activity || 0 || ET DELETED Win32/TrojanDropper.Agent Checkin +1 || 2013403 || 7 || trojan-activity || 0 || ET DELETED Suspicious User-Agent (TheWorld) || url,www.virustotal.com/file-scan/report.html?id=70e502c9b8752da6dc0ff2a41c6975d59090482d2c0758387aca1b5702f96988-1305238279 +1 || 2013404 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User Agent ksdl_1_0 +1 || 2013405 || 3 || trojan-activity || 0 || ET MALWARE W32/Baigoo User Agent +1 || 2013406 || 5 || not-suspicious || 0 || ET POLICY SSL MiTM Vulnerable or EOL iOS 3.x device || url,support.apple.com/kb/HT1222 || url,support.apple.com/kb/HT4824 || url,en.wikipedia.org/wiki/IOS_version_history || url,github.com/jan0/isslfix || cve,CVE-2011-0228 +1 || 2013407 || 5 || not-suspicious || 0 || ET POLICY SSL MiTM Vulnerable or EOL iOS 4.x device || url,support.apple.com/kb/HT1222 || url,support.apple.com/kb/HT4824 || url,en.wikipedia.org/wiki/IOS_version_history || url,github.com/jan0/isslfix || cve,CVE-2011-0228 +1 || 2013408 || 6 || not-suspicious || 0 || ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device || url,support.apple.com/kb/HT1222 || url,support.apple.com/kb/HT4825 || url,en.wikipedia.org/wiki/IOS_version_history || url,github.com/jan0/isslfix || cve,CVE-2011-0228 +1 || 2013409 || 3 || bad-unknown || 0 || ET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware +1 || 2013410 || 4 || bad-unknown || 0 || ET POLICY Outbound MSSQL Connection to Standard port (1433) +1 || 2013411 || 1 || trojan-activity || 0 || ET TROJAN Bancos.DV MSSQL CnC Connection Outbound +1 || 2013412 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.co.com.au domain +1 || 2013413 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAV Landing Page Checking firewall status +1 || 2013414 || 10 || bad-unknown || 0 || ET POLICY Executable served from Amazon S3 || url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/ || url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud +1 || 2013415 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.cz.tf domain +1 || 2013416 || 8 || attempted-recon || 0 || ET SCAN libwww-perl GET to // with specific HTTP header ordering without libwww-perl User-Agent +1 || 2013417 || 2 || attempted-user || 0 || ET WEB_CLIENT Mozilla Firefox mChannel Object Dangling Pointer Use-After-Free Memory Corruption Attempt || url,www.mozilla.org/security/announce/2011/mfsa2011-13.html || bid,47635 || cve,2011-0065 +1 || 2013418 || 5 || trojan-activity || 0 || ET DELETED Mitglieder Proxy Trojan CnC || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fMitglieder +1 || 2013419 || 4 || trojan-activity || 0 || ET TROJAN FakeAV FakeAlert.Rena or similar Checkin Flowbit Set 2 +1 || 2013420 || 4 || trojan-activity || 0 || ET TROJAN FakeAV FakeAlertRena.n Checkin NO Response from Server +1 || 2013422 || 2 || trojan-activity || 0 || ET MALWARE HTTP Connection to go2000.cn - Common Malware Checkin Server || url,www.mywot.com/en/scorecard/go2000.cn +1 || 2013423 || 7 || trojan-activity || 0 || ET TROJAN User-Agent in Referrer Field - Likely Malware +1 || 2013424 || 3 || trojan-activity || 0 || ET TROJAN W32/UFR POST to CnC +1 || 2013425 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress eShop plugin eshoptemplate parameter Cross Site Scripting Attempt || url,secunia.com/advisories/45553 +1 || 2013426 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress eShop plugin action parameter Cross Site Scripting Attempt || url,secunia.com/advisories/45553 +1 || 2013427 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress eShop plugin viewemail parameter Cross Site Scripting Attempt || url,secunia.com/advisories/45553 +1 || 2013428 || 2 || attempted-user || 0 || ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 1 || url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt +1 || 2013429 || 2 || attempted-user || 0 || ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 2 || url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt +1 || 2013430 || 2 || attempted-user || 0 || ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 3 || url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt +1 || 2013431 || 2 || attempted-user || 0 || ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 4 || url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt +1 || 2013432 || 2 || attempted-user || 0 || ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 5 || url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt +1 || 2013433 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla jfeedback Component controller parameter Local File Inclusion Attempt || url,xforce.iss.net/xforce/xfdb/57654 +1 || 2013434 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tiki Wiki CMS ajax parameter XSS Vulnerability || url,packetstormsecurity.org/files/view/103179/tikiwiki7-xss.txt +1 || 2013435 || 3 || trojan-activity || 0 || ET TROJAN Win32.Shiz.fxm/Agent-TBT Checkin +1 || 2013436 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Redirection to driveby Page Home index.php +1 || 2013437 || 5 || bad-unknown || 0 || ET DELETED Executable served from Amazon S3 || url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/ || url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud +1 || 2013438 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.uni.cc domain +1 || 2013439 || 9 || trojan-activity || 0 || ET TROJAN Dirt Jumper/Russkill3 Checkin || url,www.threatexpert.com/report.aspx?md5=905ffd2089d6bd50f8f1fed04b27013e || url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/ || url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html +1 || 2013440 || 6 || trojan-activity || 0 || ET TROJAN W32/DirtJumper CnC Server Providing DDOS Targets || url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/ +1 || 2013441 || 9 || trojan-activity || 0 || ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32 +1 || 2013442 || 3 || trojan-activity || 0 || ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode +1 || 2013443 || 4 || trojan-activity || 0 || ET TROJAN W32/Mnless Checkin +1 || 2013444 || 3 || trojan-activity || 0 || ET TROJAN Win32/Onescan FraudWare User-Agent +1 || 2013445 || 3 || trojan-activity || 0 || ET TROJAN W32/NetShare User-Agent +1 || 2013446 || 2 || trojan-activity || 0 || ET TROJAN Win32/TrojanDownloader.Chekafe.D User-Agent my_check_data On Off HTTP Port +1 || 2013447 || 3 || trojan-activity || 0 || ET TROJAN Win32/TrojanDownloader.Chekafe.D Initial Checkin +1 || 2013448 || 6 || trojan-activity || 0 || ET MALWARE SurfSideKick Activity (iinfo) +1 || 2013449 || 3 || trojan-activity || 0 || ET DELETED W32/Rbot User-Agent (tiehttp) +1 || 2013450 || 3 || trojan-activity || 0 || ET TROJAN Troxen Downloader Checkin || url,www.threatexpert.com/report.aspx?md5=c936b15a8f7a3732bc16ee36693831ec +1 || 2013451 || 3 || trojan-activity || 0 || ET TROJAN NgrBot IRC CnC Channel Join || url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html +1 || 2013452 || 3 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent (go-diva) || url,pcthreat.com/parasitebyid-8835en.html +1 || 2013453 || 2 || policy-violation || 0 || ET POLICY CNET Custom Installer Possible Bundled Bloatware || url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations +1 || 2013454 || 3 || policy-violation || 0 || ET POLICY CNET TechTracker Software Manager request || url,www.cnet.com/techtracker-free/ +1 || 2013455 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (GUIDTracker) || url,threatexpert.com/report.aspx?md5=7a8807f4de0999dba66a8749b2366def +1 || 2013456 || 5 || trojan-activity || 0 || ET TROJAN Win32/VB.HV Checkin || url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FVB.HV +1 || 2013457 || 4 || trojan-activity || 0 || ET POLICY BitCoin User-Agent Likely Bitcoin Miner || url,isc.sans.edu/diary.html?storyid=11059 +1 || 2013458 || 2 || policy-violation || 0 || ET POLICY Facebook Like Button Clicked (1) || url,developers.facebook.com/docs/reference/plugins/like/ || url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/ +1 || 2013459 || 2 || policy-violation || 0 || ET POLICY Facebook Like Button Clicked (2) || url,developers.facebook.com/docs/reference/plugins/like/ || url,news.cnet.com/8301-1023_3-20094866-93/facebooks-like-button-illegal-in-german-state/ +1 || 2013460 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.c0m.li domain +1 || 2013461 || 3 || trojan-activity || 0 || ET TROJAN Win32/Wizpop Initial Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818 +1 || 2013462 || 2 || web-application-attack || 0 || ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt || url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html +1 || 2013463 || 2 || attempted-user || 0 || ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call || url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html +1 || 2013464 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/99004/RhinOS3.0r1113-lfi.txt +1 || 2013465 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EasySiteEdit langval Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/104292/easysiteedit-rfi.txt +1 || 2013466 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DiY-CMS lang Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/93285/diycms-rfi.txt +1 || 2013467 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Community component userid parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/103680/joomlacommunity-sql.txt +1 || 2013468 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Community component userid parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/12644 +1 || 2013469 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/12644 +1 || 2013470 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Community component userid parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/12644 +1 || 2013471 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Community component userid parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/12644 +1 || 2013472 || 4 || attempted-dos || 0 || ET SCAN Kingcope KillApache.pl Apache mod_deflate DoS attempt || url,seclists.org/fulldisclosure/2011/Aug/175 +1 || 2013473 || 5 || attempted-dos || 0 || ET SCAN Apache mod_deflate DoS via many multiple byte Range values || url,seclists.org/fulldisclosure/2011/Aug/175 +1 || 2013474 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY ACH - Redirection +1 || 2013475 || 2 || bad-unknown || 0 || ET POLICY SUSPICIOUS *.doc.exe in HTTP URL +1 || 2013476 || 2 || bad-unknown || 0 || ET POLICY SUSPICIOUS *.pdf.exe in HTTP URL +1 || 2013477 || 9 || bad-unknown || 0 || ET POLICY SUSPICIOUS *.doc.exe in HTTP HEADER +1 || 2013478 || 8 || bad-unknown || 0 || ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER +1 || 2013479 || 3 || misc-activity || 0 || ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound) || url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811 +1 || 2013480 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS query for Morto RDP worm related domain qfsl.net || url,www.f-secure.com/weblog/archives/00002227.html +1 || 2013481 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jaifr.com || url,www.f-secure.com/weblog/archives/00002227.html +1 || 2013482 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jaifr.net || url,www.f-secure.com/weblog/archives/00002227.html +1 || 2013483 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jifr.co.cc || url,www.f-secure.com/weblog/archives/00002227.html +1 || 2013484 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client +1 || 2013485 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received +1 || 2013486 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Phoenix landing page JAVASMB +1 || 2013487 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host || url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ || cve,CVE-2010-4452 +1 || 2013488 || 3 || trojan-activity || 0 || ET TROJAN Zeus Bot GET to Bing checking Internet connectivity || url,www.secureworks.com/research/threats/zeus/?threat=zeus || url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html +1 || 2013489 || 3 || bad-unknown || 0 || ET TROJAN Best Pack Exploit Pack Binary Load Request || url,www.kahusecurity.com/2011/best-pack/ +1 || 2013490 || 2 || unknown || 0 || ET POLICY NetBIOS nbtstat Type Query Outbound +1 || 2013491 || 2 || unknown || 0 || ET POLICY NetBIOS nbtstat Type Query Inbound +1 || 2013492 || 4 || attempted-recon || 0 || ET SCAN McAfee/Foundstone Scanner Web Scan || url,www.mcafee.com/us/products/vulnerability-manager.aspx +1 || 2013493 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS query for Morto RDP worm related domain qfsl.co.be || url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html +1 || 2013494 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS query for Morto RDP worm related domain qfsl.co.cc || url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html +1 || 2013495 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jifr.info || url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html +1 || 2013496 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS query for Morto RDP worm related domain jifr.co.be || url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html +1 || 2013497 || 2 || protocol-command-decode || 0 || ET TROJAN MS Terminal Server User A Login, possible Morto inbound || cve,CAN-2001-0540 +1 || 2013498 || 2 || policy-violation || 0 || ET POLICY Netflix Streaming Player Access || url,netflix.com +1 || 2013499 || 3 || policy-violation || 0 || ET POLICY IncrediMail Install Callback || url,www.incredimail.com +1 || 2013500 || 2 || misc-activity || 0 || ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com || url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx +1 || 2013501 || 2 || misc-activity || 0 || ET DELETED Known Fraudulent DigiNotar SSL Certificate for google.com 2 || url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx +1 || 2013502 || 4 || trojan-activity || 0 || ET TROJAN Win32/Wizpop Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FWizpop&ThreatID=159818 +1 || 2013503 || 3 || policy-violation || 0 || ET POLICY OS X Software Update Request Outbound || url,www.apple.com/softwareupdate/ +1 || 2013504 || 5 || not-suspicious || 0 || ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management || url,help.ubuntu.com/community/AptGet/Howto +1 || 2013505 || 3 || policy-violation || 0 || ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management || url,www.phy.duke.edu/~rgb/General/yum_HOWTO/yum_HOWTO/ +1 || 2013506 || 1 || trojan-activity || 0 || ET TROJAN W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems || url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus || url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details +1 || 2013507 || 2 || trojan-activity || 0 || ET TROJAN Win32/Dynamer Trojan Dropper User-Agent VB Http || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FDynamer!dtc +1 || 2013508 || 3 || trojan-activity || 0 || ET TROJAN Downloader User-Agent HTTPGET +1 || 2013509 || 2 || trojan-activity || 0 || ET TROJAN W32/Lalus Trojan Downloader Checkin +1 || 2013510 || 2 || trojan-activity || 0 || ET TROJAN W32/Lalus Trojan Downloader User Agent (Message Center) +1 || 2013511 || 2 || trojan-activity || 0 || ET TROJAN Win32/CazinoSilver User-Agent (DMFR) +1 || 2013512 || 3 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (MadeByLc) +1 || 2013513 || 2 || trojan-activity || 0 || ET TROJAN W32/Bancos Reporting +1 || 2013514 || 2 || trojan-activity || 0 || ET TROJAN Potential DNS Command and Control via TXT queries || url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html +1 || 2013515 || 3 || trojan-activity || 0 || ET TROJAN Potential DNS Command and Control via TXT queries || url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html +1 || 2013516 || 1 || trojan-activity || 0 || ET TROJAN TR/Spy.Gen checkin via dns ANY query || url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c || url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon || url,www.threatexpert.com/report.aspx?md5=2519bdb5459bc9f59f59cd7ccb147d23 +1 || 2013517 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Morto Worm Rar Download || url,contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html +1 || 2013518 || 2 || trojan-activity || 0 || ET TROJAN Driveby Loader Request List.php +1 || 2013519 || 2 || trojan-activity || 0 || ET TROJAN Driveby Loader Request sn.php +1 || 2013520 || 4 || trojan-activity || 0 || ET DELETED Unknown Loader *.jpg?t=0.* in http_uri +1 || 2013521 || 4 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 0 +1 || 2013522 || 4 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 1 +1 || 2013523 || 4 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 2 +1 || 2013524 || 3 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 3 +1 || 2013525 || 3 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 4 +1 || 2013526 || 3 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 5 +1 || 2013527 || 3 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 6 +1 || 2013528 || 3 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 7 +1 || 2013529 || 3 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 8 +1 || 2013530 || 3 || trojan-activity || 0 || ET TROJAN Spyeye Data Exfiltration 9 +1 || 2013531 || 2 || protocol-command-decode || 0 || ET TROJAN MS Terminal Server User A Login, possible Morto Outbound || cve,CAN-2001-0540 +1 || 2013532 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Fynloski.A Command Request || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112 || url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863 +1 || 2013533 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Fynloski.A Command Response || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112 || url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863 +1 || 2013534 || 7 || trojan-activity || 0 || ET TROJAN VirTool.Win32/VBInject.gen!DM Checkin || url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM +1 || 2013535 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.tc domain +1 || 2013536 || 2 || trojan-activity || 0 || ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving Server IP Addresses || url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR +1 || 2013537 || 2 || trojan-activity || 0 || ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New IP Addresses From Server || url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR +1 || 2013538 || 2 || trojan-activity || 0 || ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Retrieving New Malware From Server || url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR +1 || 2013539 || 2 || trojan-activity || 0 || ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Server Checkin || url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR +1 || 2013540 || 5 || trojan-activity || 0 || ET MALWARE Win32/Adware.Kraddare.FJ Checkin +1 || 2013541 || 3 || trojan-activity || 0 || ET DELETED Win32/Daemonize Trojan Proxy Initial Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655 +1 || 2013542 || 2 || trojan-activity || 0 || ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32) || url,threatexpert.com/report.aspx?md5=1431f4ab4bbe3ad1087eb14cf4d7dff9 +1 || 2013543 || 3 || trojan-activity || 0 || ET TROJAN W32/iGrabber Info Stealer FTP Upload +1 || 2013544 || 2 || trojan-activity || 0 || ET TROJAN TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google +1 || 2013545 || 3 || trojan-activity || 0 || ET DELETED Helpexpress Spyware User-Agent HXLogOnly +1 || 2013546 || 2 || trojan-activity || 0 || ET TROJAN W32/Gagolino Banking Trojan Reporting to CnC +1 || 2013547 || 2 || trojan-activity || 0 || ET TROJAN Win32.Unknown.UDP.edsm CnC traffic || url,xml.ssdsandbox.net/view/11c0df38d31121885a76500140780cef +1 || 2013548 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit +1 || 2013549 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2 +1 || 2013550 || 5 || bad-unknown || 0 || ET TROJAN Potential Blackhole Exploit Pack Binary Load Request 2 || url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/ +1 || 2013551 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt || url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ || cve,CVE-2010-4452 +1 || 2013552 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2 || url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/ || cve,CVE-2010-4452 +1 || 2013553 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole landing page with malicious Java applet +1 || 2013554 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole MapYandex.class malicious jar +1 || 2013555 || 5 || trojan-activity || 0 || ET TROJAN Fivfrom Downloader (Unitrix) +1 || 2013556 || 2 || trojan-activity || 0 || ET TROJAN UBar Trojan/Adware Checkin 1 || url,www.threatexpert.com/report.aspx?md5=81a119f7f47663c03053e76146f54fe9 +1 || 2013557 || 2 || trojan-activity || 0 || ET TROJAN UBar Trojan/Adware Checkin 2 +1 || 2013558 || 2 || trojan-activity || 0 || ET TROJAN UBar Trojan/Adware Checkin 3 +1 || 2013559 || 4 || trojan-activity || 0 || ET TROJAN Delphi Trojan Downloader User-Agent (JEDI-VCL) +1 || 2013560 || 3 || trojan-activity || 0 || ET TROJAN Potentially Unwanted Program Storm3-607.exe Download Reporting +1 || 2013561 || 3 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (windsoft) +1 || 2013562 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openads row Parameter Remote File inclusion Attempt +1 || 2013563 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bug_actiongroup_ext_page.php script Local File Inclusion Attempt +1 || 2013564 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS bug_actiongroup_page.php script Local File Inclusion Attempt +1 || 2013565 || 2 || web-application-attack || 0 || ET ACTIVEX Tom Sawyer Software Possible Memory Corruption Attempt +1 || 2013566 || 2 || attempted-user || 0 || ET ACTIVEX Tom Sawyer Possible Memory Corruption Attempt Format String Function Call +1 || 2013567 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pranian Group e107 page Parameter Cross Site Scripting Vulnerability Attempt +1 || 2013568 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OneFileCMS p parameter Cross Site Scripting Attempt +1 || 2013569 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS University Of Vermont intro Parameter Remote File inclusion Attempt +1 || 2013651 || 2 || trojan-activity || 0 || ET DELETED Driveby Download Secondary Request 4 +1 || 2013652 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Landing Reporting Successful Java Compromise +1 || 2013653 || 2 || trojan-activity || 0 || ET TROJAN Shady RAT Get File Command || url,www.symantec.com/connect/blogs/truth-behind-shady-rat +1 || 2013654 || 2 || trojan-activity || 0 || ET TROJAN Shady RAT Put File Command || url,www.symantec.com/connect/blogs/truth-behind-shady-rat +1 || 2013655 || 2 || trojan-activity || 0 || ET TROJAN Shady RAT Retrieve and Execute Command || url,www.symantec.com/connect/blogs/truth-behind-shady-rat +1 || 2013656 || 2 || trojan-activity || 0 || ET TROJAN Shady RAT Relay Command || url,www.symantec.com/connect/blogs/truth-behind-shady-rat +1 || 2013657 || 2 || trojan-activity || 0 || ET TROJAN Shady RAT Send Status Result || url,www.symantec.com/connect/blogs/truth-behind-shady-rat +1 || 2013658 || 2 || bad-unknown || 0 || ET MALWARE Zugo Toolbar Spyware/Adware download request || url,zugo.com/privacy-policy/ +1 || 2013659 || 4 || policy-violation || 0 || ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit) +1 || 2013660 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript +1 || 2013661 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit kit worms.jar +1 || 2013662 || 1 || web-application-attack || 0 || ET CURRENT_EVENTS Crimepack Java exploit attempt(2) +1 || 2013663 || 2 || trojan-activity || 0 || ET TROJAN Unknown Exploit Pack Binary Load Request (server_privileges.php) +1 || 2013664 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request +1 || 2013665 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request +1 || 2013666 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request +1 || 2013667 || 3 || trojan-activity || 0 || ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request +1 || 2013668 || 2 || trojan-activity || 0 || ET TROJAN Win32.Riberow.A (listdir) || url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e +1 || 2013669 || 2 || trojan-activity || 0 || ET TROJAN Win32.Riberow.A (mkdir) || url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e +1 || 2013670 || 2 || trojan-activity || 0 || ET TROJAN Win32.Riberow.A (fsize) || url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e +1 || 2013671 || 2 || trojan-activity || 0 || ET TROJAN Win32.Riberow.A (touch) || url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e +1 || 2013672 || 3 || trojan-activity || 0 || ET TROJAN Win32.Riberow.A (postit3) || url,www.threatexpert.com/report.aspx?md5=c55fe941b80b3e5e77be8728642d138e +1 || 2013673 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter SELECT FROM SQL Injection Attempt || bugtraq,49553 +1 || 2013674 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter DELETE FROM SQL Injection Attempt || bugtraq,49553 +1 || 2013675 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UNION SELECT SQL Injection Attempt || bugtraq,49553 +1 || 2013676 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter INSERT INTO SQL Injection Attempt || bugtraq,49553 +1 || 2013677 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Tune Library Plugin letter parameter UPDATE SET SQL Injection Attempt || bugtraq,49553 +1 || 2013678 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component com_jr_questionnaire Directory Traversal Attempt || url,packetstormsecurity.org/files/view/102784/joomlajrqn-traversal.txt +1 || 2013679 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt || url,exploit-db.com/exploits/17495 +1 || 2013680 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla EZ Realty id Parameter Blind SQL Injection Attempt || url,packetstormsecurity.org/files/view/104017/joomlarealestate-sql.txt +1 || 2013681 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS American Bankers Association Cross Site Scripting Attempt || url,packetstormsecurity.org/files/view/103855/aba-xss.txt +1 || 2013682 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simplis CMS download_file Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/99797/simpliscms-disclose.txt +1 || 2013683 || 2 || trojan-activity || 0 || ET TROJAN Win32.Parite Checkin SQL Database || url,www.threatexpert.com/report.aspx?md5=19441bc629e6c1dcb54cb5febdf9a22d +1 || 2013684 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.dtdns.net domain +1 || 2013685 || 2 || trojan-activity || 0 || ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 1 || url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/ || url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B +1 || 2013686 || 2 || trojan-activity || 0 || ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 2 || url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/ || url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B +1 || 2013687 || 4 || trojan-activity || 0 || ET TROJAN Shylock Module Data POST || url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1 || url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2 +1 || 2013688 || 2 || trojan-activity || 0 || ET TROJAN Shylock Module Server Response || url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1 || url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2 +1 || 2013690 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Exploit Kit reporting Java and PDF state +1 || 2013691 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious JAR +1 || 2013692 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious EXE +1 || 2013693 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Exploit Kit request for pdf_err__Error__Unspecified +1 || 2013694 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC || url,www.fortiguard.com/latest/mobile/2959807 +1 || 2013695 || 4 || trojan-activity || 0 || ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie +1 || 2013696 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o= +1 || 2013697 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit lo.class +1 || 2013698 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit lo2.jar +1 || 2013699 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit applet landing +1 || 2013700 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole landing page with malicious Java applet +1 || 2013701 || 2 || trojan-activity || 0 || ET TROJAN Agent-TMF Checkin +1 || 2013702 || 3 || trojan-activity || 0 || ET TROJAN Trojan Downloader User-Agent (NOPE) || url,support.clean-mx.de/clean-mx/view_joebox.php?md5=b0b7c391d084974b2666c1c57b349b62&id=711369 || url,www.virustotal.com/file-scan/report.html?id=54dcad20b326a409c09f1b059925ba4ba260ef58297cda1421ffca79942a96a5-1305296734 +1 || 2013703 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate to 'My Company Ltd' could be SSL C&C +1 || 2013704 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo N-Myndir SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt +1 || 2013705 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo N-Myndir DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt +1 || 2013706 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo N-Myndir UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt +1 || 2013707 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo N-Myndir INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt +1 || 2013708 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo N-Myndir UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/104706/mambonmyndir-sql.txt +1 || 2013709 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Annonces Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/105224/wpannonces-rfi.txt +1 || 2013710 || 5 || trojan-activity || 0 || ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen || url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html +1 || 2013711 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TinyWebGallery workaround_dir parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt +1 || 2013712 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TinyWebGallery install_path parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt +1 || 2013713 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joostina CMS users component Blind SQL Injection Attempt || url,packetstormsecurity.org/files/view/100853/joostinausers-sql.txt +1 || 2013714 || 3 || trojan-activity || 0 || ET DELETED Win32/Spy.Lpxenur Checkin +1 || 2013715 || 4 || policy-violation || 0 || ET POLICY BingBar ToolBar User-Agent (BingBar) +1 || 2013716 || 3 || trojan-activity || 0 || ET DELETED W32/Parite CnC Checkin +1 || 2013717 || 2 || trojan-activity || 0 || ET USER_AGENTS Trojan Downloader User-Agent BGroom +1 || 2013718 || 2 || trojan-activity || 0 || ET USER_AGENTS Trojan Downloader User-Agent (Tiny) +1 || 2013719 || 3 || trojan-activity || 0 || ET POLICY GridinSoft.com Software Version Check +1 || 2013720 || 3 || trojan-activity || 0 || ET TROJAN Win32/Wapomi.AD Variant Checkin +1 || 2013721 || 3 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space +1 || 2013722 || 2 || trojan-activity || 0 || ET DELETED W32/OpenCapture CnC Checkin +1 || 2013723 || 2 || trojan-activity || 0 || ET TROJAN Win32/Daemonize Trojan Proxy Initial Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655 +1 || 2013724 || 2 || trojan-activity || 0 || ET TROJAN W32/OnlineGames User-Agent (LockXLS) +1 || 2013725 || 2 || trojan-activity || 0 || ET TROJAN Win32/OnLineGames User-Agent (Revolution Win32) +1 || 2013727 || 1 || trojan-activity || 0 || ET DELETED W32/iGrabber Info Stealer FTP Upload +1 || 2013728 || 2 || trojan-activity || 0 || ET TROJAN Win32/OnLineGames GetMyIP Style Checkin +1 || 2013729 || 2 || trojan-activity || 0 || ET MALWARE Adware/Helpexpress User Agent HXLogOnly +1 || 2013730 || 3 || attempted-user || 0 || ET SCADA PcVue Activex Control Insecure method (AddPage) || url,exploit-db.com/exploits/17896 +1 || 2013731 || 3 || attempted-user || 0 || ET SCADA PcVue Activex Control Insecure method (DeletePage) || url,exploit-db.com/exploits/17896 +1 || 2013732 || 3 || attempted-user || 0 || ET SCADA PcVue Activex Control Insecure method (SaveObject) || url,exploit-db.com/exploits/17896 +1 || 2013733 || 3 || attempted-user || 0 || ET SCADA PcVue Activex Control Insecure method (LoadObject) || url,exploit-db.com/exploits/17896 +1 || 2013734 || 3 || attempted-user || 0 || ET SCADA PcVue Activex Control Insecure method (GetExtendedColor) || url,exploit-db.com/exploits/17896 +1 || 2013735 || 3 || attempted-user || 0 || ET SCADA Sunway ForceControl Activex Control Vulnerability || bugtraq,49747 +1 || 2013736 || 4 || attempted-user || 0 || ET SCADA Sunway ForceControl Activex Control Remote Code Execution Vulnerability 2 || bugtraq,49747 +1 || 2013737 || 4 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (GenericHttp/VER_STR_COMMA) +1 || 2013738 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla RokQuickCart view Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/96804/joomlarokquickcart-lfi.txt +1 || 2013739 || 13 || trojan-activity || 0 || ET TROJAN Zeus P2P CnC || url,www.abuse.ch/?p=3499 +1 || 2013740 || 9 || trojan-activity || 0 || ET TROJAN Zeus/Aeausuc P2P Variant Retrieving Peers List || url,www.abuse.ch/?p=3499 +1 || 2013741 || 6 || trojan-activity || 0 || ET TROJAN Trojan-Dropper.Win32.StartPage.dvm or Mebromi Bios Rootkit CnC Count Checkin || url,www.threatexpert.com/report.aspx?md5=7d2eb4b364e15e90cec1ddd7dcb97f64 || url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/ || url,threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20 +1 || 2013742 || 3 || attempted-user || 0 || ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt || bid,49933 || cve,2011-2841 +1 || 2013743 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain +1 || 2013744 || 8 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain +1 || 2013745 || 5 || bad-unknown || 0 || ET TROJAN Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic +1 || 2013746 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3 +1 || 2013747 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Aldibot.A User-Agent (Aldi Bot) || url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A +1 || 2013748 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Aldibot.A Checkin || url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/ || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A +1 || 2013749 || 5 || policy-violation || 0 || ET POLICY VMware User-Agent Outbound || url,www.vmware.com +1 || 2013750 || 3 || attempted-user || 0 || ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt || url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt +1 || 2013751 || 3 || trojan-activity || 0 || ET TROJAN Possible German Governmental Backdoor/R2D2.A 1 || url,ccc.de/en/updates/2011/staatstrojaner +1 || 2013752 || 3 || trojan-activity || 0 || ET TROJAN Possible German Governmental Backdoor/R2D2.A 2 || url,ccc.de/en/updates/2011/staatstrojaner +1 || 2013753 || 4 || trojan-activity || 0 || ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2 || url,www.ccc.de/de/updates/2011/staatstrojaner || url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf || url,www.f-secure.com/weblog/archives/00002249.html || url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html || url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545 || url,www.ccc.de/en/updates/2011/staatstrojaner +1 || 2013754 || 4 || trojan-activity || 0 || ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2 || url,www.ccc.de/de/updates/2011/staatstrojaner || url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf || url,www.f-secure.com/weblog/archives/00002249.html || url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html || url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545 || url,www.ccc.de/en/updates/2011/staatstrojaner +1 || 2013755 || 4 || trojan-activity || 0 || ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1 || url,www.ccc.de/de/updates/2011/staatstrojaner || url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf || url,www.f-secure.com/weblog/archives/00002249.html || url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html || url,www.virustotal.com/file scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545 || url,www.ccc.de/en/updates/2011/staatstrojaner +1 || 2013756 || 4 || trojan-activity || 0 || ET TROJAN Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1 || url,www.ccc.de/de/updates/2011/staatstrojaner || url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf || url,www.f-secure.com/weblog/archives/00002249.html || url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html || url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545 || url,www.ccc.de/en/updates/2011/staatstrojaner +1 || 2013757 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-1 || url,packetstormsecurity.org/files/105196 +1 || 2013758 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Zingiri webshop plugin Remote File inclusion Attempt || url,packetstormsecurity.org/files/view/105237/wpzingiri-rfi.txt +1 || 2013759 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo AHS Shop component SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt +1 || 2013760 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo AHS Shop component DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt +1 || 2013761 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo AHS Shop component UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt +1 || 2013762 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo AHS Shop component INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt +1 || 2013763 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo AHS Shop component UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/view/104695/mamboahsshopf-sql.txt +1 || 2013764 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Redirect Component view Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/view/96608/joomlaredirect-lfi.txt +1 || 2013765 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS iBrowser Plugin dir Parameter Cross Site Scripting Attempt-2 || url,packetstormsecurity.org/files/105196 +1 || 2013766 || 5 || trojan-activity || 0 || ET TROJAN Win32.Swisyn Reporting || url,precisesecurity.com/worms/trojan-win32-swisyn-algm +1 || 2013767 || 3 || trojan-activity || 0 || ET TROJAN W32/Einstein CnC Checkin || url,www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/ +1 || 2013768 || 4 || trojan-activity || 0 || ET TROJAN Win32.Dropper.Wlock Checkin || url,www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d +1 || 2013769 || 1 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Prosti Checkin || url,www.threatexpert.com/report.aspx?md5=5113c6dbd644874482f3a26650970600 +1 || 2013770 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS USPS Spam/Trojan Executable Download || url,www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235 +1 || 2013771 || 4 || trojan-activity || 0 || ET TROJAN Win32.Cerberus RAT Checkin Outbound || url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301 +1 || 2013772 || 2 || trojan-activity || 0 || ET TROJAN Win32.Cerberus RAT Checkin Response || url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301 +1 || 2013773 || 2 || trojan-activity || 0 || ET TROJAN Win32.Cerberus RAT Client pong || url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301 +1 || 2013774 || 2 || trojan-activity || 0 || ET TROJAN Win32.Cerberus RAT Server ping || url,www.threatexpert.com/report.aspx?md5=76e084e9420bfaa31c0f0bf000f1c301 +1 || 2013775 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Saturn Exploit Kit binary download request +1 || 2013776 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Saturn Exploit Kit probable Java exploit request +1 || 2013777 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Saturn Exploit Kit probable Java MIDI exploit request +1 || 2013778 || 2 || web-application-attack || 0 || ET SCAN NMAP SQL Spider Scan || url,nmap.org/nsedoc/scripts/sql-injection.html +1 || 2013779 || 4 || attempted-recon || 0 || ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX) || url,www.securitylab.ru/forum/forum16/topic26800/ +1 || 2013780 || 2 || trojan-activity || 0 || ET TROJAN Suspicious HTTP Request for gift.exe +1 || 2013781 || 4 || trojan-activity || 0 || ET TROJAN Win32.Scar.dvov Searchstar.co.kr related Checkin || url,www.threatexpert.com/report.aspx?md5=07ed70b6e7775a510d725c9f032c70d8 +1 || 2013782 || 3 || trojan-activity || 0 || ET DELETED W32.Duqu User-Agent || url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf +1 || 2013783 || 5 || policy-violation || 0 || ET TROJAN W32.Duqu UA and Filename Requested || url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf +1 || 2013784 || 6 || not-suspicious || 0 || ET POLICY Windows Mobile 7.0 User-Agent detected +1 || 2013785 || 3 || trojan-activity || 0 || ET TROJAN Zentom FakeAV Checkin +1 || 2013786 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 2 +1 || 2013787 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 2 +1 || 2013788 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request +1 || 2013789 || 3 || trojan-activity || 0 || ET DELETED Win32.PEx.C.91139756616/Win32.Zwangi-BU Checkin || url,threatcenter.crdf.fr/?More&ID=49889&D=CRDF.Win32.Win32.PEx.C.91139756616 || md5,2c969afbe71f35571d11e30f1e854b29 || url,www.pcsafedoctor.com/Adware/remove-AdWare.Win32.Zwangi.bu.html +1 || 2013790 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Cnzz.cn Related Dropper Checkin +1 || 2013791 || 2 || attempted-recon || 0 || ET SCAN Apache mod_proxy Reverse Proxy Exposure 1 || url,www.contextis.com/research/blog/reverseproxybypass/ || url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E +1 || 2013792 || 3 || attempted-recon || 0 || ET SCAN Apache mod_proxy Reverse Proxy Exposure 2 || url,www.contextis.com/research/blog/reverseproxybypass/ || url,mail-archives.apache.org/mod_mbox/httpd-announce/201110.mbox/%3C20111005141541.GA7696@redhat.com%3E +1 || 2013793 || 1 || trojan-activity || 0 || ET TROJAN Dropper.Win32.Npkon Client Checkin || url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b +1 || 2013794 || 1 || trojan-activity || 0 || ET TROJAN Dropper.Win32.Npkon Server Responce || url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b +1 || 2013795 || 9 || trojan-activity || 0 || ET TROJAN Bifrose/Cycbot Checkin +1 || 2013796 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG +1 || 2013797 || 4 || trojan-activity || 0 || ET MALWARE Win32/Adware.Winggo.AB Checkin || url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163 || url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628 +1 || 2013798 || 3 || trojan-activity || 0 || ET TROJAN Win32.PEx.Delphi.1151005043 Post-infection Checkin || url,www.threatexpert.com/report.aspx?md5=b58485c9a221e8bd5b4725e7e19988b0 || url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043 +1 || 2013799 || 3 || trojan-activity || 0 || ET TROJAN Win32.Trojan.SuspectCRC FakeAV Checkin || url,www.threatexpert.com/report.aspx?md5=54c9d51661a05151e5143f4e80cbed86 +1 || 2013800 || 2 || not-suspicious || 0 || ET POLICY OutGoing Chromoting Session || url,xinn.org/Chromoting.html +1 || 2013801 || 3 || not-suspicious || 0 || ET POLICY Incoming Chromoting Session || url,xinn.org/Chromoting.html +1 || 2013802 || 3 || trojan-activity || 0 || ET TROJAN Cycbot POST || url,www.threatexpert.com/report.aspx?md5=1f04bd1b4eceb42e6d5859b6330fc7d7 || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx +1 || 2013803 || 5 || trojan-activity || 0 || ET DELETED Unknown checkin +1 || 2013804 || 4 || misc-attack || 0 || ET DELETED Possible Redirection to Unknown Exploit Pack || url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/ +1 || 2013805 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate CN of common Possible SSL CnC +1 || 2013806 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate with admin@common Possible SSL CnC +1 || 2013807 || 3 || trojan-activity || 0 || ET TROJAN Jorik FakeAV GET +1 || 2013808 || 3 || trojan-activity || 0 || ET TROJAN Dooptroop Dropper Checkin +1 || 2013809 || 3 || attempted-user || 0 || ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) || url,exploit-db.com/exploits/18016 +1 || 2013810 || 3 || attempted-user || 0 || ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call || url,exploit-db.com/exploits/18016 +1 || 2013811 || 4 || attempted-user || 0 || ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) || url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz +1 || 2013812 || 3 || attempted-user || 0 || ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call || url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz +1 || 2013813 || 3 || attempted-user || 0 || ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) || url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz +1 || 2013814 || 3 || attempted-user || 0 || ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call || url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz +1 || 2013815 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHool mainnav Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/106073/sportsphool-rfi.txt +1 || 2013816 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla YJ Contact Local File Inclusion Vulnerability || url,/packetstormsecurity.org/files/106222/joomlayjcontact-lfi.txt +1 || 2013817 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Easy Stats plugin homep Parameter Remote File inclusion Attempt || url,secunia.com/advisories/46069 || url,spareclockcycles.org/2011/09/18/exploitring-the-wordpress-extension-repos +1 || 2013818 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt || url,dl.packetstormsecurity.net/1110-exploits/whmcompletesolution-disclose.txt +1 || 2013819 || 4 || trojan-activity || 0 || ET TROJAN Tatanga/Win32.Kexject.A Checkin || url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html +1 || 2013821 || 2 || trojan-activity || 0 || ET TROJAN Trojan.Kryptik/proscan.co.kr Checkin || url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b +1 || 2013822 || 3 || trojan-activity || 0 || ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2 || url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b +1 || 2013823 || 2 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain +1 || 2013824 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain +1 || 2013826 || 3 || trojan-activity || 0 || ET TROJAN SecurityDefender exe Download Likely FakeAV Install +1 || 2013827 || 6 || trojan-activity || 0 || ET TROJAN AntiVirus exe Download Likely FakeAV Install +1 || 2013828 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.eu.tf domain +1 || 2013829 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.int.tf domain +1 || 2013830 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.edu.tf domain +1 || 2013831 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.us.tf domain +1 || 2013832 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.ca.tf domain +1 || 2013833 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.bg.tf domain +1 || 2013834 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.ru.tf domain +1 || 2013835 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.pl.tf domain +1 || 2013836 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a *.cz.tf domain +1 || 2013837 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.de.tf domain +1 || 2013838 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.at.tf domain +1 || 2013839 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.ch.tf domain +1 || 2013840 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.sg.tf domain +1 || 2013841 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.nl.ai domain +1 || 2013842 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.xe.cx domain +1 || 2013843 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to a Suspicious *.orge.pl Domain +1 || 2013844 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.orge.pl Domain +1 || 2013845 || 2 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain +1 || 2013846 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain +1 || 2013847 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .net.tf Domain +1 || 2013848 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .eu.tf Domain +1 || 2013849 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .int.tf Domain +1 || 2013850 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .edu.tf Domain +1 || 2013851 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .us.tf Domain +1 || 2013852 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .ca.tf Domain +1 || 2013853 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .bg.tf Domain +1 || 2013854 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .ru.tf Domain +1 || 2013855 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .pl.tf Domain +1 || 2013856 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .cz.tf Domain +1 || 2013857 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .de.tf Domain +1 || 2013858 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .at.tf Domain +1 || 2013859 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .ch.tf Domain +1 || 2013860 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .sg.tf Domain +1 || 2013861 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .nl.ai Domain +1 || 2013862 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .xe.cx Domain +1 || 2013863 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain +1 || 2013864 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain +1 || 2013865 || 6 || trojan-activity || 0 || ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2 +1 || 2013866 || 6 || trojan-activity || 0 || ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3 +1 || 2013867 || 3 || policy-violation || 0 || ET POLICY Bomgar Remote Assistance Tool Download || url,www.bomgar.com +1 || 2013868 || 4 || trojan-activity || 0 || ET TROJAN Win32/Sefbov.E Reporting || url,threatexpert.com/report.aspx?md5=f50d954f1fd38c6eb10e7e399caab480 +1 || 2013869 || 6 || policy-violation || 0 || ET P2P Torrent Client User-Agent (Solid Core/0.82) || url,sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=4a9f376e8d01cb5f7990576ed927869b +1 || 2013870 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla component Simple File Lister sflDir Parameter directory traversal attempt || url,exploit-db.com/exploits/17736 +1 || 2013871 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBSng str Parameter Cross Site Scripting Attempt || bugtraq,50468 +1 || 2013872 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mole Group Vacation Estate Listing Script Blind SQL Injection Attempt || url,exploit-db.com/exploits/7626 +1 || 2013873 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla techfolio component SELECT FROM SQL Injection Attempt || url,1337day.com/exploits/17138 +1 || 2013874 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla techfolio component DELETE FROM SQL Injection Attempt || url,1337day.com/exploits/17138 +1 || 2013875 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla techfolio component UNION SELECT SQL Injection Attempt || url,1337day.com/exploits/17138 +1 || 2013876 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla techfolio component INSERT INTO SQL Injection Attempt || url,1337day.com/exploits/17138 +1 || 2013877 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla techfolio component UPDATE SET SQL Injection Attempt || url,1337day.com/exploits/17138 +1 || 2013878 || 4 || attempted-user || 0 || ET SCADA PROMOTIC ActiveX Control Insecure method (SaveCfg) || url,aluigi.altervista.org/adv/promotic_1-adv.txt +1 || 2013879 || 2 || attempted-user || 0 || ET SCADA PROMOTIC ActiveX Control Insecure method (AddTrend) || url,aluigi.altervista.org/adv/promotic_1-adv.txt +1 || 2013880 || 3 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (FULLSTUFF) || url,threatexpert.com/reports.aspx?find=mrb.mail.ru +1 || 2013881 || 3 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (NateFinder) +1 || 2013882 || 5 || trojan-activity || 0 || ET POLICY Norton Update User-Agent (Install Stub) || url,threatexpert.com/reports.aspx?find=stats.norton.com +1 || 2013883 || 3 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (webfile) || url,threatexpert.com/reports.aspx?find=upsh.playmusic.co.kr +1 || 2013884 || 3 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (DARecover) || url,threatexpert.com/reports.aspx?find=clients.mydealassistant.com +1 || 2013885 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS 1024 CMS filename Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/18000 +1 || 2013886 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress disclosure policy plugin Remote File Inclusion Attempt || url,exploit-db.com/exploits/17865 +1 || 2013887 || 3 || trojan-activity || 0 || ET TROJAN W32/Fullstuff Initial Checkin +1 || 2013888 || 5 || trojan-activity || 0 || ET POLICY Cnet App Download and Checkin +1 || 2013889 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent (MediaLabsSiteInstaller) +1 || 2013890 || 2 || trojan-activity || 0 || ET TROJAN W32/Koobface Variant Initial Checkin +1 || 2013891 || 1 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Svlk Client Checkin || url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0 +1 || 2013892 || 1 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Svlk Server Reply || url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0 +1 || 2013893 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Svlk Client Ping || url,www.threatexpert.com/report.aspx?md5=c929e8c75901c7e50685df0445a38bd0 +1 || 2013894 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) to google.com.br possible Cache Poisoning Attempt || url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil || url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780 +1 || 2013895 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS google.com.br DNS Poisoning redirecting to exploit kit 1 || url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780 || url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil +1 || 2013896 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS google.com.br DNS Poisoning redirecting to exploit kit 2 || url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780 || url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil +1 || 2013897 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS google.com.br DNS Poisoning redirecting to exploit kit 3 || url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780 || url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil +1 || 2013898 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS google.com.br DNS Poisoning redirecting to exploit kit 4 || url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780 || url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil +1 || 2013899 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS google.com.br DNS Poisoning redirecting to exploit kit 5 || url,www.zdnet.com/blog/security/massive-dns-poisoning-attack-in-brazil-serving-exploits-and-malware/9780 || url,www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_attacks_in_Brazil +1 || 2013900 || 2 || trojan-activity || 0 || ET TROJAN W32/Yaq Checkin +1 || 2013901 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User Agent GeneralDownloadApplication +1 || 2013902 || 3 || trojan-activity || 0 || ET TROJAN Win32.BlackControl Retrieving IP Information +1 || 2013903 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User Agent GetFile +1 || 2013904 || 2 || trojan-activity || 0 || ET TROJAN W32/Rimecud User Agent beat +1 || 2013905 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User Agent banderas +1 || 2013906 || 4 || trojan-activity || 0 || ET DELETED Ghost Click DNSChanger DNS Request (UDP) || url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf +1 || 2013907 || 3 || trojan-activity || 0 || ET TROJAN ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin +1 || 2013908 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS ZeuS estatements mailing campaign landing page +1 || 2013909 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS ZeuS estatements fake transaction page flash warning +1 || 2013910 || 3 || policy-violation || 0 || ET GAMES Second Life setup download || url,en.wikifur.com/wiki/Second_Life || url,wiki.secondlife.com/wiki/Furry +1 || 2013911 || 9 || trojan-activity || 0 || ET TROJAN P2P Zeus or ZeroAccess Request To CnC || url,www.abuse.ch/?p=3499 || url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf +1 || 2013912 || 4 || trojan-activity || 0 || ET TROJAN P2P Zeus Response From CnC || url,www.abuse.ch/?p=3499 +1 || 2013913 || 3 || trojan-activity || 0 || ET TROJAN Request for utu.dat Likely Ponmocup checkin || url,www.threatexpert.com/report.aspx?md5=6fd8cdee653c0fde769e6c48d65e28bd +1 || 2013914 || 4 || policy-violation || 0 || ET POLICY APT User-Agent to BackTrack Repository || url,www.backtrack-linux.org +1 || 2013916 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito Exploit Kit Java request to showthread.php?t= || url,research.zscaler.com/2012/01/popularity-of-exploit-kits-leading-to.html +1 || 2013917 || 4 || trojan-activity || 0 || ET TROJAN Win32/Dofoil.L Checkin || url,www.threatexpert.com/report.aspx?md5=47f2b8fcc2873f4dfd573b0e8a77aaa9 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDofoil.L&ThreatID=-2147317615 +1 || 2013918 || 3 || attempted-user || 0 || ET EXPLOIT Possible BSNL Router DNS Change Attempt || url,www.hackersbay.in/2011/02/pwning-routersbsnl.html +1 || 2013919 || 2 || not-suspicious || 0 || ET POLICY external cPanel login +1 || 2013920 || 2 || not-suspicious || 0 || ET POLICY external cPanel password change +1 || 2013921 || 2 || web-application-attack || 0 || ET WEB_SERVER DNS changer cPanel attempt +1 || 2013922 || 1 || trojan-activity || 0 || ET TROJAN PoisonIvy.Emp Keepalive to CnC || url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=541210 +1 || 2013923 || 1 || trojan-activity || 0 || ET TROJAN PoisonIvy.Eu2 Keepalive to CnC +1 || 2013924 || 1 || trojan-activity || 0 || ET TROJAN PoisonIvy.Eu3 Keepalive to CnC +1 || 2013925 || 1 || trojan-activity || 0 || ET TROJAN PoisonIvy.Eu4 Keepalive to CnC +1 || 2013926 || 6 || bad-unknown || 0 || ET POLICY HTTP traffic on port 443 (POST) +1 || 2013927 || 3 || bad-unknown || 0 || ET POLICY HTTP traffic on port 443 (HEAD) +1 || 2013928 || 3 || bad-unknown || 0 || ET POLICY HTTP traffic on port 443 (PROPFIND) +1 || 2013929 || 3 || bad-unknown || 0 || ET POLICY HTTP traffic on port 443 (OPTIONS) +1 || 2013930 || 2 || bad-unknown || 0 || ET POLICY HTTP traffic on port 443 (PUT) +1 || 2013931 || 2 || bad-unknown || 0 || ET POLICY HTTP traffic on port 443 (DELETE) +1 || 2013932 || 2 || bad-unknown || 0 || ET POLICY HTTP traffic on port 443 (TRACE) +1 || 2013933 || 3 || bad-unknown || 0 || ET POLICY HTTP traffic on port 443 (CONNECT) +1 || 2013934 || 5 || trojan-activity || 0 || ET TROJAN Win32.Fareit.A/Pony Downloader Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit || url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2 || url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e || url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168 || url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17 +1 || 2013935 || 2 || trojan-activity || 0 || ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response +1 || 2013936 || 5 || bad-unknown || 0 || ET POLICY SSH banner detected on TCP 443 likely proxy evasion +1 || 2013937 || 4 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (system() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013938 || 3 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013939 || 3 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (shell_exec() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013940 || 3 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (proc_open() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013941 || 3 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (popen() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013942 || 3 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (python_eval() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013943 || 4 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (pcntl_exec() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013944 || 3 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (perl->system() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013945 || 3 || web-application-activity || 0 || ET WEB_SERVER Weevely PHP backdoor detected (exec() function used) || url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar +1 || 2013946 || 4 || trojan-activity || 0 || ET TROJAN FakeAV.EGZ Checkin 1 || url,www.virustotal.com/file-scan/report.html?id=458ec5d5b3c1c02b6c64b360f82bcbf529f580c2d646b2ae161fc7dd2ea9927d-1321069787 +1 || 2013947 || 4 || trojan-activity || 0 || ET TROJAN FakeAV.EGZ Checkin 2 +1 || 2013948 || 4 || trojan-activity || 0 || ET TROJAN PWS.TIBIA Checkin or Data Post +1 || 2013949 || 4 || trojan-activity || 0 || ET TROJAN PWS.TIBIA Checkin or Data Post 2 +1 || 2013950 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole obfuscated Javascript padded charcodes 25 +1 || 2013951 || 3 || trojan-activity || 0 || ET TROJAN Win32/Rimecud.A User-Agent (needit) || url,www.threatexpert.com/report.aspx?md5=1b1fff82c72277aff808291d53df7fd8 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A +1 || 2013952 || 3 || trojan-activity || 0 || ET TROJAN TR/Rimecud.aksa User-Agent (indy) || url,www.threatexpert.com/report.aspx?md5=1536a7072981ce5140efe6b9c193bb7e || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A +1 || 2013953 || 3 || trojan-activity || 0 || ET TROJAN Win32/Rimecud.A User-Agent (counters) || url,www.threatexpert.com/report.aspx?md5=60ce66bd10fcac3c97151612c8a4d343 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A +1 || 2013954 || 2 || trojan-activity || 0 || ET TROJAN Win32/Rimecud.A User-Agent (giftz) || url,www.threatexpert.com/report.aspx?md5=0f726e84bae5a8d1f166bbf6d09d821b || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A +1 || 2013955 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Jupiter Exploit Kit Landing Page with Malicious Java Applets +1 || 2013956 || 2 || trojan-activity || 0 || ET TROJAN W32/SmartPops Adware Outbound Off-Port MSSQL Communication +1 || 2013959 || 2 || trojan-activity || 0 || ET TROJAN Win32.Sality User-Agent (DEBUT.TMP) +1 || 2013960 || 6 || attempted-user || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Delivering PDF Exploit to Client || url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079 +1 || 2013961 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Java Exploit to Client || url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079 +1 || 2013962 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client || url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079 +1 || 2013963 || 3 || trojan-activity || 0 || ET TROJAN Win32.Sality User-Agent (Internet Explorer 5.01) +1 || 2013964 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Mozilla / 4.0 CNC traffic +1 || 2013965 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/SndApp.B Sending Device Information || url,www.fortiguard.com/latest/mobile/3302891 +1 || 2013966 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Ozotshielder.A Checkin || url,www.fortiguard.com/latest/mobile/3302951 +1 || 2013967 || 3 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent (adlib) || url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/ +1 || 2013968 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/KungFu Package Delete Command || url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/ +1 || 2013969 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a .noip.cn domain +1 || 2013970 || 1 || bad-unknown || 0 || ET DNS Query for Suspicious .noip.cn Domain +1 || 2013971 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain +1 || 2013972 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Initial Blackhole Landing Loading... Wait Please || url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079 +1 || 2013974 || 3 || trojan-activity || 0 || ET POLICY Suspicious Invalid HTTP Accept Header of ? +1 || 2013975 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Neosploit Java Exploit Kit request to /? plus hex 32 +1 || 2013976 || 10 || trojan-activity || 0 || ET TROJAN Zeus POST Request to CnC - URL agnostic || url,www.secureworks.com/research/threats/zeus/?threat=zeus || url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html +1 || 2013977 || 1 || trojan-activity || 0 || ET TROJAN TDSS DNS Based Internet Connectivity Check +1 || 2013978 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client +1 || 2013979 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served from Local Server +1 || 2013980 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Tinderbox.mozilla.org showbuilds.cgi Cross Site Scripting Attempt || url,packetstorm.codar.com.br/1111-exploits/tinderbox-xss.txt +1 || 2013981 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Orbis editor-body.php script Cross Site Scripting Attempt || url,autosectools.com/Advisory/Orbis-1.0.2-Reflected-Cross-site-Scripting-4 +1 || 2013982 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web File Browser file Parameter Local File Inclusion Attempt || url,exploit-db.com/exploits/18070/ +1 || 2013983 || 5 || trojan-activity || 0 || ET MALWARE Adware-Win32/EoRezo Reporting || url,threatexpert.com/report.aspx?md5=b5708efc8b478274df4b03d8b7dbbb26 +1 || 2013984 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zabbix popup.php SELECT FROM SQL Injection Vulnerability || url,1337day.com/exploits/17081 +1 || 2013985 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zabbix popup.php DELETE FROM SQL Injection Vulnerability || url,1337day.com/exploits/17081 +1 || 2013986 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zabbix popup.php UNION SELECT SQL Injection Vulnerability || url,1337day.com/exploits/17081 +1 || 2013987 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zabbix popup.php UPDATE SET SQL Injection Vulnerability || url,1337day.com/exploits/17081 +1 || 2013988 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zabbix popup.php INSERT INTO SQL Injection Vulnerability || url,1337day.com/exploits/17081 +1 || 2013989 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla component img Local File Inclusion Attempt || url,packetstormsecurity.org/files/95683/joomlaimg-lfi.txt +1 || 2013990 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit hostile PDF qwe123 +1 || 2013991 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole hostile PDF v1 +1 || 2013992 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole hostile PDF v2 +1 || 2013993 || 2 || web-application-activity || 0 || ET WEB_SPECIFIC_APPS Cacti Input Validation Attack 2 || url,www.cacti.net || url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities || url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities +1 || 2013994 || 4 || trojan-activity || 0 || ET DELETED LDPinch Loader Binary Request +1 || 2013995 || 2 || bad-unknown || 0 || ET WEB_CLIENT PDF With Embedded U3D || url,www.adobe.com/support/security/advisories/apsa11-04.html +1 || 2013996 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1 || url,www.adobe.com/support/security/advisories/apsa11-04.html +1 || 2013997 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2 || url,www.adobe.com/support/security/advisories/apsa11-04.html +1 || 2013998 || 3 || trojan-activity || 0 || ET TROJAN W32/Jorik DDOS Instructions From CnC Server +1 || 2013999 || 2 || trojan-activity || 0 || ET MALWARE W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def) +1 || 2014001 || 4 || trojan-activity || 0 || ET USER_AGENTS W32/Kazy User-Agent (Windows NT 5.1 \; v.) space infront of semi-colon +1 || 2014002 || 7 || trojan-activity || 0 || ET TROJAN Fake Variation of Mozilla 4.0 - Likely Trojan +1 || 2014003 || 3 || trojan-activity || 0 || ET TROJAN VBKrypt.dytr Checkin || url,www.threatexpert.com/report.aspx?md5=090986b0e303779bde1ddad3c65a9d78 +1 || 2014004 || 4 || trojan-activity || 0 || ET MALWARE Win32/SWInformer.B Checkin || url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431 +1 || 2014005 || 3 || trojan-activity || 0 || ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com || cve,CVE-2011-2462 || url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html +1 || 2014006 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Sykipot Checkin || cve,CVE-2011-2462 || url,blog.9bplus.com/analyzing-cve-2011-2462 || url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html +1 || 2014007 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Sykipot Put || cve,CVE-2011-2462 || url,blog.9bplus.com/analyzing-cve-2011-2462 || url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html +1 || 2014008 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Sykipot Get Config Request || cve,CVE-2011-2462 || url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html || url,blog.9bplus.com/analyzing-cve-2011-2462 +1 || 2014009 || 3 || trojan-activity || 0 || ET TROJAN Smokeloader getgrab Command +1 || 2014010 || 3 || trojan-activity || 0 || ET TROJAN Smokeloader getproxy Command +1 || 2014011 || 3 || trojan-activity || 0 || ET TROJAN Smokeloader getsock Command +1 || 2014012 || 3 || trojan-activity || 0 || ET TROJAN Smokeloader getload Command || url,sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf || url,symantec.com/security_response/writeup.jsp?docid=2011-100515-1838-99&tabid=2 +1 || 2014014 || 6 || trojan-activity || 0 || ET TROJAN Zeus Checkin Header Pattern +1 || 2014015 || 7 || trojan-activity || 0 || ET DELETED TROJAN LDPinch Loader Binary Request +1 || 2014017 || 2 || web-application-activity || 0 || ET WEB_SERVER JBoss jmx-console Probe || cve,2010-0738 +1 || 2014018 || 2 || web-application-activity || 0 || ET WEB_SERVER JBoss jmx-console Access Control Bypass Attempt || cve,2010-0738 +1 || 2014019 || 4 || trojan-activity || 0 || ET DELETED Kargany Loader Obfuscated Payload Download +1 || 2014020 || 4 || attempted-recon || 0 || ET WEB_SERVER Wordpress Login Bruteforcing Detected +1 || 2014021 || 2 || trojan-activity || 0 || ET TROJAN Gootkit Checkin User-Agent 2 +1 || 2014022 || 2 || web-application-attack || 0 || ET SCAN Gootkit Scanner User-Agent Inbound +1 || 2014023 || 2 || web-application-attack || 0 || ET TROJAN Gootkit Scanner User-Agent Outbound +1 || 2014024 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Probable Scalaxy exploit kit secondary request +1 || 2014025 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Probable Scalaxy exploit kit Java or PDF exploit request +1 || 2014026 || 1 || trojan-activity || 0 || ET DELETED Scalaxy exploit kit binary download request +1 || 2014027 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Obfuscated Base64 in Javascript probably Scalaxy exploit kit +1 || 2014028 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Likely CryptMEN FakeAV Download vclean +1 || 2014029 || 3 || trojan-activity || 0 || ET TROJAN Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe +1 || 2014030 || 2 || trojan-activity || 0 || ET POLICY Rebate Informer User-Agent (REBATEINF) || url,www.rebategiant.com +1 || 2014031 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class +1 || 2014032 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class +1 || 2014033 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class +1 || 2014034 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class +1 || 2014035 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php || md5,8a33d1d36d097ca13136832aa10ae5ca || cve,CVE-2011-0611 +1 || 2014036 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori +1 || 2014037 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.osa.pl domain +1 || 2014038 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS MALVERTISING OpenX BrowserDetect.init Download +1 || 2014039 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME +1 || 2014040 || 3 || trojan-activity || 0 || ET TROJAN Win32.PowerPointer checkin +1 || 2014041 || 5 || trojan-activity || 0 || ET WORM AirOS .css Worm Outbound Propagation Sweep || url,seclists.org/fulldisclosure/2011/Dec/419 || url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/ +1 || 2014042 || 4 || trojan-activity || 0 || ET WORM AirOS admin.cgi/css Exploit Attempt || url,seclists.org/fulldisclosure/2011/Dec/419 || url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/ +1 || 2014044 || 5 || trojan-activity || 0 || ET TROJAN SpyEye Checkin version 1.3.25 or later 2 +1 || 2014045 || 3 || attempted-dos || 0 || ET WEB_SERVER Generic Web Server Hashing Collision Attack || cve,2011-3414 || url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html || url,technet.microsoft.com/en-us/security/advisory/2659883 || url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx +1 || 2014046 || 3 || attempted-dos || 0 || ET WEB_SERVER Generic Web Server Hashing Collision Attack 2 || cve,2011-3414 || url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html || url,technet.microsoft.com/en-us/security/advisory/2659883 || url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx +1 || 2014047 || 3 || bad-unknown || 0 || ET TROJAN Double HTTP/1.1 Header Inbound - Likely Hostile Traffic +1 || 2014048 || 6 || attempted-user || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Java Rhino Script Engine Remote Code Execution Attempt || url,blog.eset.com/2011/12/15/spam-campaign-uses-blackhole-exploit-kit-to-install-spyeye || bid,50218 || cve,2011-3544 +1 || 2014049 || 2 || not-suspicious || 0 || ET POLICY Bluecoat Proxy in use +1 || 2014050 || 3 || trojan-activity || 0 || ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar || md5,8a33d1d36d097ca13136832aa10ae5ca || cve,CVE-2011-0611 +1 || 2014051 || 1 || trojan-activity || 0 || ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 3 || md5,8a33d1d36d097ca13136832aa10ae5ca || cve,CVE-2011-0611 +1 || 2014052 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 3 || md5,8a33d1d36d097ca13136832aa10ae5ca || cve,CVE-2011-0611 +1 || 2014053 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Likely Flash exploit download request score.swf || cve,CVE-2011-0611 +1 || 2014054 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS User-Agent used in Injection Attempts || url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html +1 || 2014055 || 1 || trojan-activity || 0 || ET TROJAN Win32/Hilgild!gen.A CnC Communication || md5,d8edad03f5524369e60c69a7483f8365 +1 || 2014056 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.Eu5 Keepalive to CnC || md5,d8edad03f5524369e60c69a7483f8365 +1 || 2014057 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.Eu5 Keepalive from CnC || md5,d8edad03f5524369e60c69a7483f8365 +1 || 2014058 || 3 || trojan-activity || 0 || ET DELETED Unknown Loader EXE Payload Request +1 || 2014059 || 7 || trojan-activity || 0 || ET POLICY Spyware.Agent.elbb lava.cn Game Exe Download || url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1 || md5,c2b4f8abc742bf048f3856525c1b2800 || md5,4937dc6e111996dbe331327e7e9a4a12 || url,www.amada.abuse.ch/?search=download.lava.cn +1 || 2014060 || 4 || trojan-activity || 0 || ET MALWARE Tool.InstallToolbar.24 Reporting || url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076 +1 || 2014061 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_dshop Component SELECT FROM SQL Injection Attempt || bugtraq,51116 +1 || 2014062 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_dshop Component DELETE FROM SQL Injection Attempt || bugtraq,51116 +1 || 2014063 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_dshop Component UNION SELECT SQL Injection Attempt || bugtraq,51116 +1 || 2014064 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_dshop Component INSERT INTO SQL Injection Attempt || bugtraq,51116 +1 || 2014065 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_dshop Component UPDATE SET SQL Injection Attempt || bugtraq,51116 +1 || 2014066 || 4 || trojan-activity || 0 || ET TROJAN Trojan-Clicker.Win32.VB.gnf Reporting || url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE +1 || 2014067 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability || url,packetstormsecurity.org/files/107995 +1 || 2014068 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt || url,exploit-db.com/exploits/18262 +1 || 2014069 || 4 || trojan-activity || 0 || ET MALWARE Win32-Adware.Hotclip.A Reporting || url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html +1 || 2014070 || 4 || trojan-activity || 0 || ET TROJAN Trojan Downloader.Bancos Reporting || url,symantec.com/security_response/writeup.jsp?docid=2006-061110-0512-99 +1 || 2014071 || 4 || trojan-activity || 0 || ET MALWARE Adware.Gen5 Reporting || url,threatexpert.com/report.aspx?md5=90410d783f6321c8684ccb9ff0613a51 +1 || 2014072 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Pet Listing Script type_id Parameter Cross Site Scripting Attempt || url,packetstorm.foofus.com/1112-exploits/petlisting-xss.txt +1 || 2014073 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress The-Welcomizer plugin page parameter Cross Site Scripting Attempt || url,dl.packetstormsecurity.net/1112-exploits/wpthewelcomizer-xss.txt +1 || 2014074 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter SELECT FROM SQL Injection Attempt || url,exploit-db.com/exploits/18056/ +1 || 2014075 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter DELETE FROM SQL Injection Attempt || url,exploit-db.com/exploits/18056/ +1 || 2014076 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UNION SELECT SQL Injection Attempt || url,exploit-db.com/exploits/18056/ +1 || 2014077 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter INSERT INTO SQL Injection Attempt || url,exploit-db.com/exploits/18056/ +1 || 2014078 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS jbShop e107 CMS plugin item_id parameter UPDATE SET SQL Injection Attempt || url,exploit-db.com/exploits/18056/ +1 || 2014079 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UNION SELECT SQL Injection Vulnerability || url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt +1 || 2014080 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability || url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt +1 || 2014081 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability || url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt +1 || 2014082 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt || url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt +1 || 2014083 || 4 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Generic.pak!cobra Reporting || url,securelist.com/en/descriptions/24405309/Trojan.Win32.FakeAV.dlbc +1 || 2014084 || 5 || trojan-activity || 0 || ET TROJAN TROJAN Win32.OnlineGames.Bft Reporting || url,threatexpert.com/report.aspx?md5=e488fca95cb923a0ecd329642c076e0d || url,www.thespywaredetector.com/spywareinfo.aspx?ID=1874131 +1 || 2014085 || 5 || trojan-activity || 0 || ET TROJAN TROJAN Win32-WebSec Reporting || url,threatexpert.com/report.aspx?md5=971e560b80e335ab88ef518b416d415a +1 || 2014086 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Planex Mini-300PU & Mini100s Cross-site Scripting Attempt || url,exploit-db.com/exploits/17114 +1 || 2014087 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter SELECT FROM SQL Injection Vulnerability || url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt +1 || 2014088 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter DELETE FROM SQL Injection Vulnerability || url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt +1 || 2014090 || 6 || trojan-activity || 0 || ET TROJAN Suspicious user agent (V32) +1 || 2014091 || 2 || not-suspicious || 0 || ET POLICY Dyndns Client IP Check +1 || 2014092 || 2 || not-suspicious || 0 || ET POLICY Dyndns Client User-Agent +1 || 2014093 || 3 || trojan-activity || 0 || ET TROJAN Downloader.Win32.Nurech Checkin UA +1 || 2014094 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole-like Java Exploit request to .jar?t= +1 || 2014095 || 4 || policy-violation || 0 || ET POLICY Kindle Fire Browser User-Agent Outbound || url,www.amazon.com/gp/product/B0051VVOB2%23silk +1 || 2014096 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set || url,www.kahusecurity.com/2011/elaborate-black-hole-infection/ +1 || 2014097 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set || url,www.kahusecurity.com/2011/elaborate-black-hole-infection/ +1 || 2014098 || 4 || bad-unknown || 0 || ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set +1 || 2014099 || 3 || trojan-activity || 0 || ET TROJAN Exploit Kit Delivering Office File to Client +1 || 2014100 || 3 || attempted-user || 0 || ET WEB_SERVER ASP.NET Forms Authentication Bypass || cve,2011-3416 +1 || 2014101 || 2 || trojan-activity || 0 || ET TROJAN Blackshades Payload Download Command +1 || 2014102 || 3 || not-suspicious || 0 || ET POLICY FACEBOOK user id in http_client_body, lookup with fb.com/profile.php?id= +1 || 2014103 || 2 || web-application-activity || 0 || ET WEB_SERVER Unusually Fast HTTP Requests With Referrer Url Matching DoS Tool || url,community.qualys.com/blogs/securitylabs/2012/01/05/slow-read +1 || 2014104 || 2 || trojan-activity || 0 || ET DELETED Zeus POST Request to CnC - content-type variation +1 || 2014105 || 4 || trojan-activity || 0 || ET TROJAN Zeus Bot GET to Google checking Internet connectivity using proxy || url,www.secureworks.com/research/threats/zeus/?threat=zeus || url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html +1 || 2014106 || 3 || trojan-activity || 0 || ET DELETED Zeus POST Request to CnC - content-type variation +1 || 2014107 || 3 || trojan-activity || 0 || ET TROJAN Zeus POST Request to CnC - cookie variation || url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103 +1 || 2014108 || 1 || trojan-activity || 0 || ET TROJAN PoisonIvy.Eu6 Keepalive to CnC +1 || 2014109 || 2 || trojan-activity || 0 || ET DELETED Backdoor.Win32.Gh0st.QQ Checkin || url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0 +1 || 2014110 || 4 || trojan-activity || 0 || ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2 || url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0 +1 || 2014111 || 6 || trojan-activity || 0 || ET TROJAN Win32.UFRStealer.A issuing MKD command FTP || url,www.threatexpert.com/report.aspx?md5=a251ef38f048d695eae52626e57d617d +1 || 2014112 || 3 || trojan-activity || 0 || ET TROJAN W32.Menti/TrojanClicker.Agent.NII Checkin || url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544 +1 || 2014113 || 4 || trojan-activity || 0 || ET TROJAN Win32-Dynamer.dtc Reporting || url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc || md5,989ba48e0a9e39b4b6fc5c6bf400c41b +1 || 2014114 || 4 || trojan-activity || 0 || ET TROJAN Delf/Troxen/Zema Reporting 1 || md5,3d18363a20882bd74ae7e0f68d3ed8ef +1 || 2014115 || 3 || trojan-activity || 0 || ET TROJAN Delf/Troxen/Zema Reporting 2 || md5,3d18363a20882bd74ae7e0f68d3ed8ef +1 || 2014116 || 2 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema || md5,3d18363a20882bd74ae7e0f68d3ed8ef +1 || 2014117 || 3 || trojan-activity || 0 || ET TROJAN Trojan-Dropper.Win32.Dapato Checkin || url,www.threatexpert.com/report.aspx?md5=8eaf3b7b72a9af5a85d01b674653ccac || url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c +1 || 2014118 || 2 || successful-admin || 0 || ET TROJAN Cythosia V2 DDoS WebPanel Hosted Locally || url,blog.webroot.com/2012/01/09/a-peek-inside-the-cythosia-v2-ddos-bot/ +1 || 2014119 || 3 || trojan-activity || 0 || ET TROJAN W32/Lici Initial Checkin || md5,2f4d35e797249e837159ff60b827c601 +1 || 2014120 || 3 || trojan-activity || 0 || ET MALWARE Win32/Eorezo-B Adware Checkin || md5,6631bb8d95906decc7e6f7c51f6469e6 +1 || 2014121 || 2 || trojan-activity || 0 || ET TROJAN Win32/Nuclear Checkin || md5,bd4af162f583899eeb6ce574863b4db6 +1 || 2014122 || 3 || trojan-activity || 0 || ET MALWARE W32/OpenCandy Adware Checkin +1 || 2014123 || 2 || policy-violation || 0 || ET POLICY Softango.com Installer Checking For Update +1 || 2014124 || 3 || policy-violation || 0 || ET POLICY Softango.com Installer POSTing Data +1 || 2014125 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Help and Control Panel Exploit Request || url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff +1 || 2014126 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole Likely Flash Exploit Request /field.swf +1 || 2014127 || 1 || not-suspicious || 0 || ET POLICY Splashtop Remote Control Checkin || url,www.splashtop.com +1 || 2014128 || 1 || not-suspicious || 0 || ET POLICY Splashtop Remote Control Session Start Request || url,www.splashtop.com +1 || 2014129 || 1 || not-suspicious || 0 || ET POLICY Splashtop Remote Control Session Keepalive || url,www.splashtop.com +1 || 2014131 || 3 || trojan-activity || 0 || ET TROJAN W32/Ramnit Initial CnC Connection || url,contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html +1 || 2014133 || 4 || trojan-activity || 0 || ET TROJAN W32/Jiwerks.A Checkin || md5,0e47c711d9edee337575b6dbef850514 +1 || 2014135 || 3 || trojan-activity || 0 || ET TROJAN Zeus/Reveton checkin to /images.rar || md5,2697e2b81ba1c90fcd32e24715fcf40a +1 || 2014136 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet +1 || 2014137 || 3 || trojan-activity || 0 || ET MALWARE Common Adware Library ISX User Agent Detected || url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm +1 || 2014138 || 2 || trojan-activity || 0 || ET DELETED DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class +1 || 2014139 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Query to Known CnC Domain msnsolution.nicaze.net || md5,89332c92d0360095e2dda8385d400258 +1 || 2014140 || 5 || attempted-dos || 0 || ET WEB_SERVER LOIC Javascript DDoS Inbound || url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442 || url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet +1 || 2014141 || 4 || attempted-dos || 0 || ET CURRENT_EVENTS LOIC Javascript DDoS Outbound || url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442 || url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet +1 || 2014142 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF +1 || 2014143 || 1 || trojan-activity || 0 || ET DELETED PoisonIvy.Esf Keepalive to CnC || md5,e6ca06e9b000933567a8604300094a85 +1 || 2014144 || 1 || trojan-activity || 0 || ET DELETED PoisonIvy.Eks Keepalive to CnC || md5,9a494e7a48436e6defcb44dd6f053b33 +1 || 2014145 || 1 || trojan-activity || 0 || ET TROJAN PoisonIvy.Ehy Keepalive to CnC || md5,d2311b7208d563ac59c9114f5d422441 +1 || 2014146 || 1 || trojan-activity || 0 || ET TROJAN Win32/Spy.Banker Reporting Via SMTP +1 || 2014147 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Sakura Exploit Kit Landing Page Request || url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html +1 || 2014148 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Sakura Exploit Kit Binary Load Request +1 || 2014149 || 4 || trojan-activity || 0 || ET INFO Possible URL List or Clickfraud URLs Delivered To Client +1 || 2014150 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Suspicious executable download possible Trojan NgrBot +1 || 2014151 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Known Malicious Link Leading to Exploit Kits (t.php?id=is1) +1 || 2014152 || 3 || trojan-activity || 0 || ET TROJAN Gozi Checkin to CnC +1 || 2014153 || 3 || attempted-dos || 0 || ET CURRENT_EVENTS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA || url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html +1 || 2014154 || 4 || attempted-user || 0 || ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript +1 || 2014155 || 5 || attempted-user || 0 || ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script || cve,2012-0003 || url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/ +1 || 2014156 || 5 || attempted-user || 0 || ET CURRENT_EVENTS Microsoft Windows Media component specific exploit || cve,2012-0003 +1 || 2014157 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 4 +1 || 2014158 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 4 +1 || 2014159 || 2 || trojan-activity || 0 || ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar || cve,CVE-2011-0611 +1 || 2014160 || 2 || trojan-activity || 0 || ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar || cve,CVE-2010-0840 || cve,CVE-2010-0842 +1 || 2014161 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC || url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A || url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06 || md5,cf9ba4996531d40402efe268c7efda91 || md5,537f190d3d469ad1f178024940affcb5 +1 || 2014162 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC || url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM +1 || 2014163 || 8 || trojan-activity || 0 || ET TROJAN Bifrose/Cycbot Checkin 2 || md5,8c4f90bb59c05269c6c6990ec434eab6 +1 || 2014164 || 2 || trojan-activity || 0 || ET TROJAN W32/DelfInject.A CnC Checkin 2 || md5,d8c2f31493692895c45d620723e9a8c3 +1 || 2014165 || 3 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent MyAgrent || md5,75c2f3168eca26e10bd5b2f3f0e2a8c5 +1 || 2014166 || 2 || trojan-activity || 0 || ET TROJAN W32/Mentory CnC Server Providing Update Details || md5,6724bb601611dcc0140960c59c7b3393 +1 || 2014167 || 2 || trojan-activity || 0 || ET TROJAN W32/Mentory CnC Server Providing File Info Details || md5,6724bb601611dcc0140960c59c7b3393 +1 || 2014168 || 3 || attempted-user || 0 || ET CURRENT_EVENTS DRIVEBY Unknown Landing Page Received +1 || 2014169 || 1 || trojan-activity || 0 || ET POLICY DNS Query for .su TLD (Soviet Union) Often Malware Related || url,www.abuse.ch/?p=3581 +1 || 2014170 || 2 || trojan-activity || 0 || ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related || url,www.abuse.ch/?p=3581 +1 || 2014171 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Styx Exploit Kit Landing +1 || 2014172 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS TROJAN ClickCounter Connectivity Check +1 || 2014173 || 3 || trojan-activity || 0 || ET TROJAN Win32/Cryptrun.B Connectivity check || url,blog.9bplus.com/kim-jong-il-pdf-malware +1 || 2014174 || 4 || trojan-activity || 0 || ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1 || url,blog.9bplus.com/kim-jong-il-pdf-malware || url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf || url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html || url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html +1 || 2014175 || 3 || trojan-activity || 0 || ET TROJAN Win32.MSUpdater C&C traffic GET || url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf || url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html || url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html +1 || 2014176 || 3 || trojan-activity || 0 || ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs +1 || 2014177 || 5 || trojan-activity || 0 || ET DELETED Incognito/Sakura exploit kit binary download request +1 || 2014178 || 2 || trojan-activity || 0 || ET DELETED Unknown Malware Checkin Possibly ZeuS || url,anubis.iseclab.org/?action=result&task_id=1c19710e150ee00941148dee842a02976 +1 || 2014179 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla mod_currencyconverter from Cross Site Scripting Attempt || url,packetstormsecurity.org/files/109337/Joomla-Currency-Converter-Cross-Site-Scripting.html +1 || 2014180 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SAPID get_infochannel.inc.php Remote File inclusion Attempt || url,packetstormsecurity.org/files/108488/sapidstable-rfi.txt +1 || 2014181 || 5 || trojan-activity || 0 || ET DELETED Malicious file BaiduPlayer1.0.21.25.exe download +1 || 2014182 || 3 || trojan-activity || 0 || ET DELETED Malicious getpvstat.php file Reporting +1 || 2014183 || 4 || trojan-activity || 0 || ET MALWARE Malicious ad_track.php file Reporting +1 || 2014184 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html +1 || 2014185 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html +1 || 2014186 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html +1 || 2014187 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html +1 || 2014188 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html +1 || 2014189 || 3 || trojan-activity || 0 || ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request +1 || 2014190 || 2 || trojan-activity || 0 || ET MALWARE W32/OpenTrio User-Agent (Open3) +1 || 2014191 || 4 || trojan-activity || 0 || ET TROJAN W32/118GotYourNo Reporting to CnC +1 || 2014192 || 3 || trojan-activity || 0 || ET MALWARE W32/MediaGet Checkin +1 || 2014193 || 2 || trojan-activity || 0 || ET TROJAN W32/VPEYE Trojan Downloader User-Agent (VP-EYE Downloader) +1 || 2014194 || 4 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit JavaScript colon string splitting +1 || 2014195 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 5 +1 || 2014196 || 3 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to /content/rin.jar +1 || 2014197 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected || url,www.kahusecurity.com/2012/chinese-exploit-packs/ +1 || 2014198 || 6 || trojan-activity || 0 || ET TROJAN ZeuS - ICE-IX cid= in cookie +1 || 2014199 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit Kit Exploiting IEPeers || url,www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/ || cve,2010-0806 +1 || 2014200 || 4 || trojan-activity || 0 || ET TROJAN Dapato/Cleaman Checkin || md5,1d26f4c1cfedd3d34b5067726a0460b0d || md5,45b3b6fcb666c93e305dba35832e1d42 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FCleaman.G +1 || 2014201 || 3 || misc-activity || 0 || ET POLICY Outbound HTTP Connection From Cisco IOS Device +1 || 2014202 || 2 || misc-activity || 0 || ET POLICY File Being Uploaded to SendSpace File Hosting Site +1 || 2014203 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Landing Page Request || url,www.kahusecurity.com/2012/chinese-exploit-packs/ +1 || 2014204 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS CutePack Exploit Kit JavaScript Variable Detected || url,www.kahusecurity.com/2012/chinese-exploit-packs/ +1 || 2014205 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS CUTE-IE.html CutePack Exploit Kit Iframe for Landing Page Detected || url,www.kahusecurity.com/2012/chinese-exploit-packs/ +1 || 2014206 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS CutePack Exploit Kit Landing Page Detected || url,www.kahusecurity.com/2012/chinese-exploit-packs/ +1 || 2014207 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Likely MS12-004 midiOutPlayNextPolyEvent Heap Overflow Midi Filename Requested baby.mid || cve,2012-0003 +1 || 2014208 || 2 || trojan-activity || 0 || ET TROJAN TLD4 Purple Haze Variant Initial CnC Request for Ad Servers || url,contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html +1 || 2014209 || 3 || trojan-activity || 0 || ET TROJAN Sykipot SSL Certificate serial number detected || url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/ +1 || 2014210 || 1 || trojan-activity || 0 || ET TROJAN Sykipot SSL Certificate subject emailAddress detected || url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/ +1 || 2014211 || 2 || trojan-activity || 0 || ET TROJAN MSUpdater alt checkin to CnC || url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html || url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html +1 || 2014212 || 3 || trojan-activity || 0 || ET TROJAN MSUpdater POST checkin to CnC || url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html || url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html +1 || 2014213 || 2 || trojan-activity || 0 || ET TROJAN MSUpdater Connectivity Check to Google || url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html || url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html +1 || 2014214 || 2 || trojan-activity || 0 || ET DELETED MSUpdater post-auth checkin || url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html || url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html +1 || 2014215 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server || url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P +1 || 2014216 || 2 || trojan-activity || 0 || ET TROJAN Delf/Troxen/Zema controller responding to client +1 || 2014217 || 3 || trojan-activity || 0 || ET TROJAN Delf/Troxen/Zema controller delivering clickfraud instructions +1 || 2014218 || 5 || trojan-activity || 0 || ET TROJAN Zeus POST Request to CnC sk1 and bn1 post parameters +1 || 2014219 || 4 || trojan-activity || 0 || ET TROJAN TSPY_SPCESEND.A Checkin || url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/ +1 || 2014220 || 7 || trojan-activity || 0 || ET DELETED TDS Sutra Exploit Kit Redirect Received +1 || 2014221 || 3 || trojan-activity || 0 || ET DELETED Unknown HTTP CnC Checkin +1 || 2014222 || 2 || trojan-activity || 0 || ET TROJAN QDIGIT Trojan Protocol detected || url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf +1 || 2014223 || 4 || trojan-activity || 0 || ET TROJAN UPDATE Protocol Trojan Communication detected on http ports || url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf +1 || 2014224 || 4 || trojan-activity || 0 || ET TROJAN UPDATE Protocol Trojan Communication detected on non-http ports || url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf +1 || 2014225 || 2 || trojan-activity || 0 || ET TROJAN LURK Trojan Communication Protocol detected || url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf +1 || 2014226 || 2 || trojan-activity || 0 || ET TROJAN IP2B Trojan Communication Protocol detected || url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf +1 || 2014227 || 2 || trojan-activity || 0 || ET TROJAN BB Trojan Communication Protocol detected || url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf +1 || 2014228 || 7 || trojan-activity || 0 || ET TROJAN Backdoor Win32.Idicaf/Atraps || url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf +1 || 2014229 || 3 || trojan-activity || 0 || ET TROJAN NfLog Checkin || url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html +1 || 2014230 || 5 || trojan-activity || 0 || ET TROJAN Karagany/Kazy Obfuscated Payload Download || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I || url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/ +1 || 2014231 || 3 || trojan-activity || 0 || ET TROJAN UPDATE Protocol Trojan Communication detected on non-http ports 2 +1 || 2014232 || 3 || trojan-activity || 0 || ET TROJAN UPDATE Protocol Trojan Communication detected on http ports 2 +1 || 2014233 || 3 || network-scan || 0 || ET POLICY ASafaWeb Scan User-Agent (asafaweb.com) || url,asafaweb.com +1 || 2014234 || 10 || trojan-activity || 0 || ET TROJAN Fareit/Pony Downloader Checkin 3 || md5,dcc2c110e509fa777ab1460f665bd137 || url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e || url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168 || url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17 +1 || 2014235 || 12 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe +1 || 2014236 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe +1 || 2014237 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - calc.exe +1 || 2014238 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - about.exe +1 || 2014239 || 3 || trojan-activity || 0 || ET TROJAN W32.Duptwux/Ganelp FTP Username - onthelinux +1 || 2014240 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com) +1 || 2014241 || 7 || bad-unknown || 0 || ET DELETED DRIVEBY Generic - Java Exploit Obfuscated With Allatori +1 || 2014242 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Trojan Stream request /stream? +1 || 2014243 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Java Rhino Scripting Engine Exploit Downloaded +1 || 2014244 || 1 || bad-unknown || 0 || ET DELETED Blackhole Java applet with obfuscated URL 2 +1 || 2014245 || 3 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request similar to /content/jav.jar +1 || 2014246 || 3 || trojan-activity || 0 || ET DELETED Sefnit Checkin 3 +1 || 2014247 || 2 || trojan-activity || 0 || ET TROJAN Sefnit Checkin 4 +1 || 2014248 || 2 || trojan-activity || 0 || ET TROJAN Sefnit Checkin 5 +1 || 2014249 || 4 || trojan-activity || 0 || ET MALWARE W32/GameplayLabs.Adware Installer Checkin +1 || 2014250 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jreactions mosConfig_absolute_path Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/95431/Joomla-Jreactions-Remote-File-Inclusion.html +1 || 2014251 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Grady Levkov id Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/109814/Grady-Levkov-Cross-Site-Scripting.html +1 || 2014252 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Membership Site Manager Script key Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/108687/PHP-Membership-Site-Manager-Script-Cross-Site-Scripting.html +1 || 2014253 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfile file.php id Parameter SELECT FROM SQL Injection Attempt || url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html +1 || 2014254 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfile file.php id Parameter DELETE FROM SQL Injection Attempt || url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html +1 || 2014255 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfile file.php id Parameter UNION SELECT SQL Injection Attempt || url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html +1 || 2014256 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfile file.php id Parameter INSERT INTO SQL Injection Attempt || url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html +1 || 2014257 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pfile file.php id Parameter UPDATE SET SQL Injection Attempt || url,packetstormsecurity.org/files/109670/Pfile-1.02-Cross-Site-Scripting-SQL-Injection.html +1 || 2014258 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_visa controller Local File Inclusion Attempt || url,packetstormsecurity.org/files/109214/Joomla-Visa-SQL-Injection-Local-File-Inclusion.html +1 || 2014259 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_eventcal mosConfig_absolute_path Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/94983/Joomla-Eventcal-Remote-File-Inclusion.html +1 || 2014260 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt || cve,2012-0209 +1 || 2014261 || 2 || trojan-activity || 0 || ET MALWARE W32/PlaySushi User-Agent || md5,039815a7cb0b7ee52b753a9b79006f97 +1 || 2014262 || 4 || trojan-activity || 0 || ET MALWARE AdWare.Win32.Sushi.au Checkin || md5,3aad2075e00d5169299a0a8889afa30b || url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au +1 || 2014263 || 2 || trojan-activity || 0 || ET TROJAN W32/Pasta.IK Checkin || md5,1a13d56365e864aba54967d4745ab660 +1 || 2014264 || 6 || policy-violation || 0 || ET POLICY IP Geo Location Request || md5,0e2c46dc89dceb14e7add66cbfe8a2f8 +1 || 2014265 || 4 || policy-violation || 0 || ET POLICY IP geo location service response || md5,0e2c46dc89dceb14e7add66cbfe8a2f8 +1 || 2014266 || 4 || trojan-activity || 0 || ET TROJAN Trojan.Win32.NfLog Checkin (TTip) || url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html +1 || 2014267 || 1 || trojan-activity || 0 || ET TROJAN Query for Known Hostile *test.3322.org.cn Domain || url,www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814 || md5,e4afcee06ddaf093982f80dafbf9c447 +1 || 2014268 || 1 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.RShot Checkin || md5,c0aadd5594d340d8a4909d172017e5d0 +1 || 2014269 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.RShot HTTP Checkin || md5,c0aadd5594d340d8a4909d172017e5d0 +1 || 2014270 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.RShot Ping Outbound || md5,c0aadd5594d340d8a4909d172017e5d0 +1 || 2014271 || 1 || trojan-activity || 0 || ET TROJAN Win32/Cutwail.BE Checkin 1 || md5,3d766c4d53188eb8173a5dc3cfc4e317 || md5,289f457083e8f59520b31a7ea13d16ec +1 || 2014272 || 1 || trojan-activity || 0 || ET TROJAN Win32/Cutwail.BE Checkin 2 || md5,3d766c4d53188eb8173a5dc3cfc4e317 || md5,289f457083e8f59520b31a7ea13d16ec +1 || 2014273 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32/DarkComet Second Stage Download Request || url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/ +1 || 2014274 || 1 || attempted-admin || 0 || ET CURRENT_EVENTS Blackhole Tax Landing Page with JavaScript Attack +1 || 2014275 || 4 || trojan-activity || 0 || ET TROJAN W32/Rovnix Activity || url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution +1 || 2014276 || 4 || trojan-activity || 0 || ET TROJAN W32/Rovnix Downloading Config File From CnC || url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution +1 || 2014277 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query for try2check.me Carder Tool || url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort +1 || 2014278 || 2 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to /content/jav2.jar +1 || 2014279 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 6 +1 || 2014280 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 6 +1 || 2014281 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Java Applet with Obfuscated URL 2 +1 || 2014282 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Download Secondary Request ?pagpag +1 || 2014283 || 3 || trojan-activity || 0 || ET TROJAN Trustezeb Checkin to CnC || url,www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=417 +1 || 2014284 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 4 +1 || 2014285 || 4 || bad-unknown || 0 || ET DNS DNS Query for Suspicious .ch.vu Domain || url,google.com/safebrowsing/diagnostic?site=ch.vu +1 || 2014288 || 2 || trojan-activity || 0 || ET TROJAN Java Archive sent when remote host claims to send an image +1 || 2014289 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a 3322.org.cn Domain +1 || 2014290 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.PEx.942728546 Checkin || md5,25e9e3652e567e70fba00c53738bdf74 || url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546 +1 || 2014291 || 4 || trojan-activity || 0 || ET TROJAN W32/Backdoor.Kbot Config Retrieval || md5,b8ee86e57261fd3fb422a2b20a3c3e09 +1 || 2014292 || 2 || trojan-activity || 0 || ET POLICY External IP Lookup +1 || 2014293 || 3 || trojan-activity || 0 || ET TROJAN Smart Fortress FakeAV/Kryptik.ABNC Checkin || md5,1ddfc3f3a804f0844c5fdf49dc10562a6 || url,support.kaspersky.com/viruses/rogue/description?qid=208286259 +1 || 2014294 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS High Probability Blackhole Landing with catch qq +1 || 2014295 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Java Atomic Exploit Downloaded +1 || 2014296 || 2 || web-application-attack || 0 || ET WEB_SERVER eval/base64_decode Exploit Attempt Inbound +1 || 2014297 || 25 || bad-unknown || 0 || ET POLICY Vulnerable Java Version 1.7.x Detected || url,javatester.org/version.html +1 || 2014298 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole obfuscated Javascript 171 charcodes >= 48 +1 || 2014299 || 2 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to /content/viewer.jar +1 || 2014300 || 1 || trojan-activity || 0 || ET TROJAN Win32/Kryptik.ABUD Checkin || md5,00b714468f1bc2254559dd8fd84186f1 +1 || 2014301 || 9 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - readme.exe +1 || 2014302 || 2 || trojan-activity || 0 || ET TROJAN Suspicious HTTP Referrer C Drive Path || md5,8ef81f2555725f7eeae00b3e31229e0e +1 || 2014303 || 2 || trojan-activity || 0 || ET TROJAN W32/Koobface Variant Checkin Attempt || md5,62aa9e798746e586fb1f03459a970104 +1 || 2014304 || 3 || misc-activity || 0 || ET POLICY External IP Lookup Attempt To Wipmania || md5,b318988249cd8e8629b4ef8a52760b65 +1 || 2014305 || 3 || trojan-activity || 0 || ET TROJAN W32/TCYWin.Downloader User-Agent || md5,4cfe5674d9f33804572ae0d14f0c941b +1 || 2014306 || 3 || trojan-activity || 0 || ET TROJAN W32/Backdoor.BlackMonay Checkin || md5,4a203e37caa2e04671388341419bda69 +1 || 2014307 || 4 || trojan-activity || 0 || ET TROJAN W32/SelfStarterInternet.InfoStealer Checkin || md5,67c748f3ecc0278f1f94596f86edc509 +1 || 2014308 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Obfuscated Content Using Dadongs JSXX 0.41 VIP Obfuscation Script || url,www.kahusecurity.com/2012/chinese-pack-using-dadongs-jsxx-vip-script/ +1 || 2014309 || 3 || trojan-activity || 0 || ET TROJAN W32/LockScreen Scareware Geolocation Request || url,www.abuse.ch/?p=3610 || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf +1 || 2014310 || 5 || trojan-activity || 0 || ET TROJAN RegSubsDat Checkin || url,www.secureworks.com/research/threats/sindigoo/ +1 || 2014312 || 2 || trojan-activity || 0 || ET TROJAN W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server || md5,3ce5da32903b52394cff2517df51f599 +1 || 2014313 || 8 || not-suspicious || 0 || ET POLICY Executable Download From DropBox +1 || 2014314 || 7 || attempted-user || 0 || ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe +1 || 2014315 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Requested +1 || 2014316 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved +1 || 2014317 || 2 || trojan-activity || 0 || ET TROJAN ZeuS Clickfraud List Delivered To Client +1 || 2014318 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com +1 || 2014319 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Dadong Java Exploit Requested +1 || 2014320 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ButorWiki service Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/109852/ButorWiki-Cross-Site-Scripting.html +1 || 2014321 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS b2evolution inc_path Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html +1 || 2014322 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS b2evolution skins_path Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/100798/b2evolution-4.0.5-Remote-File-Inclusion.html +1 || 2014323 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_bch controller Local File Inclusion Attempt || url,packetstormsecurity.org/files/109025/Joomla-BCH-Local-File-Inclusion.html +1 || 2014324 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Fork-CMS js.php module parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/109709/Fork-CMS-3.2.4-Cross-Site-Scripting-Local-File-Inclusion.html +1 || 2014325 || 3 || attempted-user || 0 || ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow || url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html +1 || 2014326 || 2 || attempted-user || 0 || ET ACTIVEX ASUS Net4Switch ActiveX CxDbgPrint Format String Function Call Attempt || url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html +1 || 2014327 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS starCMS q parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/110376/starCMS-Cross-Site-Scripting.html +1 || 2014328 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_boss controller Local File Inclusion Attempt || url,packetstormsecurity.org/files/108905/Joomla-Boss-Local-File-Inclusion.html +1 || 2014329 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Snipsnap search Cross Site Scripting Attempt || url,packetstormsecurity.org/files/109543/Snipsnap-Cross-Site-Scripting.html +1 || 2014330 || 3 || trojan-activity || 0 || ET TROJAN Kelihos/Hlux GET jucheck.exe from CnC || url,www.abuse.ch/?p=3658 +1 || 2014331 || 1 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Genome.aetqe Checkin || md5,700b7a81d1460a652e5f9f06fc54dcd6 +1 || 2014332 || 1 || policy-violation || 0 || ET POLICY Coral Web Proxy/Content Distribution Net Use || url,en.wikipedia.org/wiki/Coral_Content_Distribution_Network +1 || 2014333 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS OSX/Flashback Checkin via Twitter Hashtag Pepbyfadxeoa || url,blog.intego.com/flashback-mac-malware-uses-twitter-as-command-and-control-center/ +1 || 2014334 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Compromised Wordpress Redirect || url,community.websense.com/blogs/securitylabs/archive/2012/03/02/mass-injection-of-wordpress-sites.aspx +1 || 2014335 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Adobe Flash Player Malformed MP4 Remote Code Execution Attempt || url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html || bid,52034 || cve,2012-0754 +1 || 2014336 || 3 || trojan-activity || 0 || ET TROJAN Yayih.A Checkin || url,contagiodump.blogspot.com/2012/03/mar-2-cve-2012-0754-irans-oil-and.html +1 || 2014337 || 2 || attempted-user || 0 || ET CURRENT_EVENTS RougeAV Wordpress Injection Campaign Compromised Page Served to Local Client || url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx +1 || 2014338 || 3 || successful-admin || 0 || ET CURRENT_EVENTS RougeAV Wordpress Injection Campaign Compromised Page Served From Local Compromised Server || url,community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx +1 || 2014339 || 2 || trojan-activity || 0 || ET MALWARE W32/GameVance Adware Checkin || md5,2609c78efbc325d1834e49553a9a9f89 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance +1 || 2014340 || 4 || trojan-activity || 0 || ET MALWARE W32/GameVance Adware User Agent || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance +1 || 2014341 || 2 || trojan-activity || 0 || ET POLICY Installshield One Click Install User-Agent Toys File || md5,22d3165c0e80ba50bc6a42a2e82b2874 +1 || 2014342 || 4 || trojan-activity || 0 || ET POLICY Snadboy.com Products User-Agent || md5,26a813eadbf11a1dfc2e63dc7dc87480 +1 || 2014343 || 2 || bad-unknown || 0 || ET TROJAN SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name || md5,24e937b9f3fd6a04dde46a2bc75d4b18 +1 || 2014344 || 2 || trojan-activity || 0 || ET TROJAN W32/Coced.PasswordStealer User-Agent 5.0 || md5,24e937b9f3fd6a04dde46a2bc75d4b18 +1 || 2014345 || 3 || trojan-activity || 0 || ET POLICY Suspicious User Agent UpdateSoft || md5,254efc77c18eb2f427d2a3920e07c2e8 +1 || 2014346 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS INBOUND Blackhole Java Exploit request similar to /content/jav.jar +1 || 2014347 || 5 || trojan-activity || 0 || ET TROJAN Peed Checkin || md5,142ff7d3d931ecfa9a06229842ceefc4 || md5,df690cbf6e33e9ee53fdcfc456dc4c1f +1 || 2014348 || 2 || trojan-activity || 0 || ET TROJAN RevProxy ClientHello || md5,5d6f186f10acf5f21a3498601465cf40 +1 || 2014349 || 2 || trojan-activity || 0 || ET DELETED RevProxy ServerRespone || md5,5d6f186f10acf5f21a3498601465cf40 +1 || 2014350 || 2 || trojan-activity || 0 || ET DELETED RevProxy ClientPing || md5,5d6f186f10acf5f21a3498601465cf40 +1 || 2014351 || 3 || trojan-activity || 0 || ET DELETED RevProxy CnC List Request || md5,5d6f186f10acf5f21a3498601465cf40 +1 || 2014352 || 3 || attempted-admin || 0 || ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related +1 || 2014353 || 3 || trojan-activity || 0 || ET MALWARE W32/MediaGet.Adware Installer Download || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182 || md5,39c1769c39f61dd2ec009de8374352c6 +1 || 2014355 || 2 || trojan-activity || 0 || ET MALWARE W32/SoftonicDownloader.Adware User Agent || md5,1047b186bb2822dbb5907cd743069261 +1 || 2014356 || 4 || trojan-activity || 0 || ET TROJAN W32/ProxyChanger.InfoStealer Checkin || url,67c9799940dce6b9af2e6f98f52afdf7 +1 || 2014357 || 4 || trojan-activity || 0 || ET TROJAN W32/Kazy Checkin || md5,bb129d433271951abb0e5262060a4583 +1 || 2014358 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Riern.K Checkin Off Port +1 || 2014359 || 7 || trojan-activity || 0 || ET POLICY DNSWatch.info IP Check +1 || 2014360 || 4 || trojan-activity || 0 || ET TROJAN Win32/Protux.B POST checkin || md5,53105ecf3cf6040039e16abb382fb836 +1 || 2014361 || 2 || trojan-activity || 0 || ET TROJAN Win32/Protux.B Download Update || md5,53105ecf3cf6040039e16abb382fb836 +1 || 2014362 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Likely Scalaxy Exploit Kit URL template download +1 || 2014363 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Lookup of Algorithm Generated Zeus CnC Domain (DGA) +1 || 2014364 || 2 || trojan-activity || 0 || ET TROJAN W32.Blocker Checkin || md5,1d8841128e63ed7e26200d4ed3bc8e05 +1 || 2014365 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Graybird Checkin || md5,0fd68129ecbf68ad1290a41429ee3e73 || md5,11353f5bdbccdd59d241644701e858e6 +1 || 2014366 || 4 || trojan-activity || 0 || ET TROJAN Suspicious User-Agent Post +1 || 2014367 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Banload Trojan Downloader Dropped Binary || md5,31bb4e0d67a5af96d5b5691966e25d73 +1 || 2014368 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole qwe123 PDF +1 || 2014369 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Landing with prototype catch +1 || 2014370 || 3 || trojan-activity || 0 || ET TROJAN W32/GamesForum.InfoStealer Reporting to CnC +1 || 2014371 || 6 || trojan-activity || 0 || ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected +1 || 2014372 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response +1 || 2014373 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response +1 || 2014374 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Zeus .info CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response +1 || 2014375 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Zeus .biz CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response +1 || 2014376 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected +1 || 2014377 || 2 || bad-unknown || 0 || ET DELETED Cutwail Landing Page WAIT PLEASE +1 || 2014378 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole/Cutwail Redirection Page 1 +1 || 2014379 || 2 || bad-unknown || 0 || ET POLICY HTTP GET invalid method case outbound || url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html +1 || 2014381 || 2 || bad-unknown || 0 || ET POLICY HTTP HEAD invalid method case outbound || url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html +1 || 2014383 || 2 || attempted-admin || 0 || ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt || url,msdn.microsoft.com/en-us/library/cc240836.aspx || cve,2012-0002 +1 || 2014384 || 8 || attempted-dos || 0 || ET DOS Microsoft Remote Desktop (RDP) Syn then Reset 30 Second DoS Attempt || cve,2012-0152 +1 || 2014385 || 5 || not-suspicious || 0 || ET DOS Microsoft Remote Desktop (RDP) Syn/Ack Outbound Flowbit Set || cve,2012-0152 +1 || 2014386 || 2 || not-suspicious || 0 || ET DOS Microsoft Remote Desktop (RDP) Session Established Flowbit Set || cve,2012-0152 +1 || 2014387 || 1 || trojan-activity || 0 || ET TROJAN Generic Dropper User-Agent (XXXwww) +1 || 2014388 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_phocadownload folder Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/100406/Joomla-Phocadownload-Remote-File-Inclusion.html +1 || 2014389 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_adsmanager mosConfig_absolute_path Remote File inclusion Attempt || url,packetstorm.foofus.com/1012-exploits/joomlaadsmanager-rfi.txt +1 || 2014390 || 2 || attempted-user || 0 || ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Stack Buffer Overflow || url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html +1 || 2014391 || 2 || attempted-user || 0 || ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Format String Function Call Attempt || url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html +1 || 2014392 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_fundhelp controller Local File Inclusion Attempt || url,packetstormsecurity.org/files/109023/Joomla-Fundhelp-Local-File-Inclusion.html +1 || 2014393 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_rule controller Local File Inclusion Attempt || url,packetstormsecurity.org/files/109026/Joomla-Rule-Local-File-Inclusion.html +1 || 2014394 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_kp controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/108917/Joomla-KP-Local-File-Inclusion.html +1 || 2014395 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Address Book from Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/110667/PHP-Address-Book-6.2.12-SQL-Injection-Cross-Site-Scripting.html +1 || 2014396 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Volusion Chat ID Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/110811/Volusion-Chat-Cross-Site-Scripting.html +1 || 2014397 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS EJBCA issuer Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/110683/EJBCA-4.0.7-Cross-Site-Scripting-User-Enumeration.html +1 || 2014398 || 3 || trojan-activity || 0 || ET TROJAN Generic.KD.291903/Win32.TrojanClicker.Agent.NII Nconfirm Checkin || url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544 +1 || 2014399 || 3 || trojan-activity || 0 || ET TROJAN Trojan-Spy.Win32.Zbot.djrm Checkin || md5,b895249cce7d2c27cb9c480feb36560c || md5,f70a5f52d4c0071963602c25b62865cb +1 || 2014400 || 3 || trojan-activity || 0 || ET MALWARE W32/LoudMo.Adware Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo || md5,fc06c613e83f0d3271beba4fdcda987f +1 || 2014401 || 2 || trojan-activity || 0 || ET WORM W32/Rimecud /qvod/ff.txt Checkin || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud || md5,f97e1c4aefbd2595fcfeb0f482c47517 || md5,f96a29bcf6cba870efd8f7dd9344c39e || md5,fae8675502d909d6b546c111625bcfba +1 || 2014402 || 2 || trojan-activity || 0 || ET WORM W32/Rimecud wg.txt Checkin || md5,a89f7289d5cce821a194542e90026082 || md5,fd56ce176889d4fbe588760a1da6462b || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FRimecud +1 || 2014403 || 2 || trojan-activity || 0 || ET MALWARE W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin || md5,f9d226bf9807c72432050f7dcb396b06 +1 || 2014404 || 3 || trojan-activity || 0 || ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook || md5,61661202e320dd91e4f7e4a10616eefc +1 || 2014405 || 10 || trojan-activity || 0 || ET TROJAN Cridex.B/Feodo Checkin || md5,7ed139b53e24e4385c4c59cd2aa0e5f7 || url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/ || url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html || url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC +1 || 2014406 || 2 || policy-violation || 0 || ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access || url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp +1 || 2014407 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Set || url,www.kahusecurity.com/2011/new-exploit-kit-egypack/ || url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack || url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/ +1 || 2014408 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present || url,www.kahusecurity.com/2011/new-exploit-kit-egypack/ || url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack || url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/ +1 || 2014409 || 3 || trojan-activity || 0 || ET TROJAN FakeAV.dfze/FakeAV!IK Checkin || md5,fe1e735ec10fb8836691fe2f2ac7ea44 +1 || 2014410 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Ixeshe || url,blog.spiderlabs.com/2012/03/dirty-rat.html +1 || 2014411 || 10 || trojan-activity || 0 || ET TROJAN Fareit/Pony Downloader Checkin 2 || md5,99FAB94FD824737393F5184685E8EDF2 || url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e || url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168 || url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17 +1 || 2014412 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Set +1 || 2014413 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Present +1 || 2014414 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole Landing Page applet param window.document +1 || 2014415 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit JavaScript dotted quad hostile applet || url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx +1 || 2014416 || 3 || attempted-user || 0 || ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 1 || url,retrogod.altervista.org/9sg_linksys_playerpt.htm +1 || 2014417 || 3 || attempted-user || 0 || ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 2 || url,retrogod.altervista.org/9sg_linksys_playerpt.htm +1 || 2014418 || 4 || attempted-user || 0 || ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Remote File Overwrite Attempt || url,www.exploit-db.com/exploits/18625/ +1 || 2014419 || 3 || attempted-user || 0 || ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Function Call Attempt || url,www.exploit-db.com/exploits/18625/ +1 || 2014420 || 2 || attempted-user || 0 || ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Remote File Overwrite Attempt || url,www.exploit-db.com/exploits/18625/ +1 || 2014421 || 2 || attempted-user || 0 || ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Function Call Attempt || url,www.exploit-db.com/exploits/18625/ +1 || 2014422 || 3 || attempted-user || 0 || ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Download and Execute || url,www.exploit-db.com/exploits/18624/ +1 || 2014423 || 2 || attempted-user || 0 || ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Function Call Attempt || url,www.exploit-db.com/exploits/18624/ +1 || 2014424 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS VTiger CRM module_name parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/111075/Vtiger-5.1.0-Local-File-Inclusion.html +1 || 2014425 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OneFileCMS f parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/110906/OneFileCMS-1.1.5-Local-File-Inclusion.html +1 || 2014426 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WikyBlog which Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/110863/WikyBlog-1.7.3RC2-Cross-Site-Scripting.html +1 || 2014427 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Greenpeace.fr filter_dpt Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/110989/Greenpeace.fr-Cross-Site-Scripting.html +1 || 2014428 || 6 || trojan-activity || 0 || ET TROJAN SpyEye Checkin version 1.3.25 or later 3 +1 || 2014429 || 5 || attempted-user || 0 || ET CURRENT_EVENTS Java Rhino Exploit Attempt - evilcode.class || cve,2011-3544 +1 || 2014430 || 13 || attempted-dos || 0 || ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT || url,www.msdn.microsoft.com/en-us/library/cc240836.aspx || cve,2012-0002 || url,technet.microsoft.com/en-us/security/bulletin/ms12-020 || url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html || url,aluigi.org/adv/termdd_1-adv.txt || url,blog.binaryninjas.org/?p=58 || url,luca.ntop.org/Teaching/Appunti/asn1.html +1 || 2014431 || 15 || attempted-dos || 0 || ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt || url,www.msdn.microsoft.com/en-us/library/cc240836.aspx || cve,2012-0002 || url,technet.microsoft.com/en-us/security/bulletin/ms12-020 || url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html || url,aluigi.org/adv/termdd_1-adv.txt || url,blog.binaryninjas.org/?p=58 || url,luca.ntop.org/Teaching/Appunti/asn1.html +1 || 2014432 || 9 || attempted-dos || 0 || ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 2 byte || url,www.msdn.microsoft.com/en-us/library/cc240836.aspx || cve,2012-0002 || url,technet.microsoft.com/en-us/security/bulletin/ms12-020 || url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html || url,aluigi.org/adv/termdd_1-adv.txt || url,blog.binaryninjas.org/?p=58 || url,luca.ntop.org/Teaching/Appunti/asn1.html +1 || 2014433 || 10 || attempted-dos || 0 || ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 3 byte || url,www.msdn.microsoft.com/en-us/library/cc240836.aspx || cve,2012-0002 || url,technet.microsoft.com/en-us/security/bulletin/ms12-020 || url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html || url,aluigi.org/adv/termdd_1-adv.txt || url,blog.binaryninjas.org/?p=58 || url,luca.ntop.org/Teaching/Appunti/asn1.html +1 || 2014434 || 10 || attempted-dos || 0 || ET DELETED Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt 4 byte || url,www.msdn.microsoft.com/en-us/library/cc240836.aspx || cve,2012-0002 || url,technet.microsoft.com/en-us/security/bulletin/ms12-020 || url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html || url,aluigi.org/adv/termdd_1-adv.txt || url,blog.binaryninjas.org/?p=58 || url,luca.ntop.org/Teaching/Appunti/asn1.html +1 || 2014435 || 11 || trojan-activity || 0 || ET TROJAN Infostealer.Banprox Proxy.pac Download || md5,3baae632d2476cbd3646c5e1b245d9be || md5,ace343a70fbd26e79358db4c27de73db +1 || 2014436 || 3 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to /Pol.jar +1 || 2014437 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAV Landing Page - Initializing Protection System +1 || 2014438 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Unknown - news=1 in http_cookie +1 || 2014439 || 4 || trojan-activity || 0 || ET TROJAN IRC Bot Download http Command || md5,fa6ae89b101a0367cc98798c7333e3a4 +1 || 2014440 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - scandsk.exe +1 || 2014441 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested - /Home/index.php +1 || 2014442 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri +1 || 2014443 || 5 || bad-unknown || 0 || ET DELETED DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit +1 || 2014444 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Page redirecting to driveby +1 || 2014445 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack Payload +1 || 2014446 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack Landing Page /de/sN +1 || 2014447 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS Possible Dynamic Dns Exploit Pack Java exploit +1 || 2014448 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WEB-PHP Wordpress enable-latex plugin url Remote File inclusion Attempt || url,packetstormsecurity.org/files/107260/WordPress-Enable-Latex-Remote-File-Inclusion.html +1 || 2014449 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Event Calendar PHP cal_year Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/111161/Event-Calendar-PHP-Cross-Site-Scripting.html +1 || 2014450 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Mini Mail Dashboard Widget abspath Remote File inclusion Attempt || url,packetstormsecurity.org/files/105238/WordPress-Mini-Mail-Dashboard-Widget-1.36-Remote-File-Inclusion.html +1 || 2014451 || 2 || attempted-user || 0 || ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt || url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html +1 || 2014452 || 5 || attempted-user || 0 || ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt 2 || url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html +1 || 2014453 || 4 || attempted-user || 0 || ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution || url,www.exploit-db.com/exploits/18674/ +1 || 2014454 || 4 || attempted-user || 0 || ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution 2 || url,www.exploit-db.com/exploits/18674/ +1 || 2014455 || 3 || attempted-user || 0 || ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow || url,www.exploit-db.com/exploits/18675/ +1 || 2014456 || 4 || attempted-user || 0 || ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2 || url,www.exploit-db.com/exploits/18675/ +1 || 2014457 || 4 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit JAR from //Home/ || url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx +1 || 2014458 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Italian Spam Campaign || md5,c64504b68d34b18a370f5e77bd0b0337 +1 || 2014459 || 2 || policy-violation || 0 || ET P2P QVOD P2P Sharing Traffic detected (tcp) +1 || 2014460 || 5 || trojan-activity || 0 || ET DELETED Zeus CnC Checkin POST to Config.php || url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more +1 || 2014461 || 7 || bad-unknown || 0 || ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific || cve,CVE-2012-0507 || url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray +1 || 2014462 || 3 || trojan-activity || 0 || ET TROJAN LuckyCat/TROJ_WIMMIE Checkin || url,blog.trendmicro.com/luckycat-redux-inside-an-apt-campaign/ || url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf +1 || 2014463 || 3 || attempted-user || 0 || ET WEB_CLIENT Internet Explorer CTableRowCellsCollectionCacheItem.GetNext Memory Use-After-Free Attempt || url,dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup || url,technet.microsoft.com/en-us/security/bulletin/MS10-002 || bid,37894 || cve,2010-0248 +1 || 2014464 || 2 || trojan-activity || 0 || ET TROJAN DwnLdr-JMZ Downloading Binary || url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx +1 || 2014465 || 2 || trojan-activity || 0 || ET TROJAN DwnLdr-JMZ Downloading Binary 2 || url,sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-JMZ/detailed-analysis.aspx +1 || 2014466 || 4 || trojan-activity || 0 || ET TROJAN Win32.Datamaikon Checkin +1 || 2014467 || 4 || trojan-activity || 0 || ET TROJAN Win32.Datamaikon Checkin NewAgent || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276 || md5,77d68770fcdc6052bd8d761d14a14f5a +1 || 2014468 || 3 || trojan-activity || 0 || ET TROJAN Win32.Datamaikon Checkin myAgent || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDatamaikon.gen!A&ThreatID=-2147312276 || md5,a51933ee0f2ade7df98feb7207a2ffaf +1 || 2014470 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Blackhole PDF served from iframe || url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx +1 || 2014471 || 6 || trojan-activity || 0 || ET POLICY DRIVEBY Generic - EXE Download by Java +1 || 2014472 || 6 || trojan-activity || 0 || ET INFO JAVA - Java Archive Download +1 || 2014473 || 4 || trojan-activity || 0 || ET INFO JAVA - Java Archive Download By Vulnerable Client +1 || 2014474 || 6 || trojan-activity || 0 || ET INFO JAVA - Java Class Download +1 || 2014475 || 6 || trojan-activity || 0 || ET INFO JAVA - Java Class Download By Vulnerable Client +1 || 2014476 || 2 || trojan-activity || 0 || ET TROJAN HTTP Request to Zaletelly CnC Domain zaletellyxx.be || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F +1 || 2014477 || 2 || trojan-activity || 0 || ET TROJAN HTTP Request to Zaletelly CnC Domain atserverxx.info || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F +1 || 2014478 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.3d-game.com Domain +1 || 2014479 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.3d-game.com Domain +1 || 2014480 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.4irc.com Domain +1 || 2014481 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.4irc.com Domain +1 || 2014482 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.b0ne.com Domain +1 || 2014483 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.b0ne.com Domain +1 || 2014484 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.bbsindex.com Domain +1 || 2014485 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.bbsindex.com Domain +1 || 2014486 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.chatnook.com Domain +1 || 2014487 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.chatnook.com Domain +1 || 2014488 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain +1 || 2014489 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.darktech.org Domain +1 || 2014490 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.deaftone.com Domain +1 || 2014491 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.deaftone.com Domain +1 || 2014492 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.dtdns.net Domain +1 || 2014493 || 6 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns.net Domain +1 || 2014494 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.effers.com Domain +1 || 2014495 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.effers.com Domain +1 || 2014496 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.etowns.net Domain +1 || 2014497 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.net Domain +1 || 2014498 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.etowns.org Domain +1 || 2014499 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.org Domain +1 || 2014500 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain +1 || 2014501 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.flnet.org Domain +1 || 2014502 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.gotgeeks.com Domain +1 || 2014503 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.gotgeeks.com Domain +1 || 2014504 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.scieron.com Domain +1 || 2014505 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.scieron.com Domain +1 || 2014506 || 5 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.slyip.com Domain +1 || 2014507 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.com Domain +1 || 2014508 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to a *.slyip.net Dynamic DNS Domain +1 || 2014509 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.net Domain +1 || 2014510 || 5 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to a *.suroot.com Domain +1 || 2014511 || 4 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a *.suroot.com Domain +1 || 2014513 || 1 || trojan-activity || 0 || ET TROJAN DNS Request for Zaletelly CnC Domain || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx +1 || 2014514 || 7 || misc-activity || 0 || ET INFO EXE - OSX Executable Download - Multi Arch w/Intel +1 || 2014515 || 4 || misc-activity || 0 || ET INFO EXE - OSX Executable Download - Multi Arch w/PowerPC +1 || 2014516 || 4 || misc-activity || 0 || ET INFO EXE - OSX Executable Download - Intel Arch +1 || 2014517 || 4 || misc-activity || 0 || ET INFO EXE - OSX Executable Download - PowerPC Arch +1 || 2014518 || 5 || misc-activity || 0 || ET INFO EXE - OSX Disk Image Download +1 || 2014519 || 6 || misc-activity || 0 || ET INFO EXE - Served Inline HTTP +1 || 2014520 || 6 || misc-activity || 0 || ET INFO EXE - Served Attached HTTP +1 || 2014521 || 6 || bad-unknown || 0 || ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html +1 || 2014522 || 4 || trojan-activity || 0 || ET TROJAN OSX/Flashback.K/I reporting successful infection || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,vms.drweb.com/virus/?i=1816029 +1 || 2014523 || 3 || trojan-activity || 0 || ET TROJAN OSX/Flashback.K/I reporting successful infection 2 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,vms.drweb.com/virus/?i=1816029 +1 || 2014524 || 4 || trojan-activity || 0 || ET TROJAN OSX/Flashback.K/I reporting failed infection || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml || url,vms.drweb.com/virus/?i=1816029 +1 || 2014525 || 4 || trojan-activity || 0 || ET TROJAN OSX/Flashback.K first execution checkin || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml || url,vms.drweb.com/virus/?i=1816029 +1 || 2014526 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client +1 || 2014527 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client +1 || 2014528 || 2 || trojan-activity || 0 || ET TROJAN W32/Taidoor.Backdoor Command Request CnC Checkin || url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks +1 || 2014529 || 2 || trojan-activity || 0 || ET TROJAN W32/Taidoor.Backdoor CnC Checkin With Default Substitute MAC Address Field || url,www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks +1 || 2014530 || 3 || successful-user || 0 || ET TROJAN Metasploit Meterpreter stdapi_* Command Request +1 || 2014531 || 4 || successful-user || 0 || ET TROJAN Metasploit Meterpreter core_channel_* Command Request +1 || 2014532 || 3 || successful-user || 0 || ET TROJAN Metasploit Meterpreter stdapi_* Command Response +1 || 2014533 || 4 || successful-user || 0 || ET TROJAN Metasploit Meterpreter core_channel_* Command Response +1 || 2014534 || 4 || trojan-activity || 0 || ET TROJAN OSX/Flashback.K/I User-Agent || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml || url,vms.drweb.com/virus/?i=1816029 || url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml +1 || 2014535 || 3 || bad-unknown || 0 || ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins || url,www.bitcoinplus.com/miner/embeddable || url,www.bitcoinplus.com/miner/whatsthis +1 || 2014536 || 2 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to /Klot.jar +1 || 2014537 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Initial Blackhole Landing .prototype.q catch with split +1 || 2014538 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Initial Blackhole Landing Loading... Please Wait +1 || 2014539 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Malicious TDS /indigo? +1 || 2014540 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing for Loading prototype catch +1 || 2014541 || 5 || attempted-recon || 0 || ET SCAN FHScan core User-Agent Detect || url,www.tarasco.org/security/FHScan_Fast_HTTP_Vulnerability_Scanner/index.html +1 || 2014542 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Sutra - redirect received +1 || 2014543 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Sutra - request in.cgi +1 || 2014544 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Sutra - cookie set +1 || 2014545 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS +1 || 2014546 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Sutra - HTTP header redirecting to a SutraTDS +1 || 2014547 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Sutra - redirect received +1 || 2014548 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Sutra - cookie set +1 || 2014549 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS +1 || 2014550 || 2 || attempted-user || 0 || ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow || url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html +1 || 2014551 || 2 || attempted-user || 0 || ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow 2 || url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html +1 || 2014552 || 2 || attempted-user || 0 || ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability || url,exploit-db.com/exploits/17557/ +1 || 2014553 || 2 || attempted-user || 0 || ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability 2 || url,exploit-db.com/exploits/17557/ +1 || 2014554 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Pretty Link plugin url Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/107551/WordPress-Pretty-Link-1.5.2-Cross-Site-Scripting.html +1 || 2014555 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress flash-album-gallery plugin i Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/107424/WordPress-Flash-Album-Gallery-Cross-Site-Scripting.html +1 || 2014556 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS wordpress thecartpress plugin loop parameter Local File Inclusion Attempt || url,1337day.com/exploits/18018 +1 || 2014557 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_bulkenquery controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/108913/Joomla-Bulkenquery-Local-File-Inclusion.html +1 || 2014558 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_br controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/108948/Joomla-BR-Local-File-Inclusion.html +1 || 2014559 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Free PHP photo gallery script path parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/92079/Free-PHP-Photo-Gallery-Script-Remote-File-Inclusion.html +1 || 2014560 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS - Modified Metasploit Jar +1 || 2014561 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS landing page with malicious Java applet +1 || 2014562 || 3 || trojan-activity || 0 || ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 +1 || 2014563 || 3 || trojan-activity || 0 || ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK +1 || 2014564 || 2 || trojan-activity || 0 || ET TROJAN OS X Backdoor Checkin || url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link +1 || 2014565 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File || url,blog.trendmicro.com/another-tibetan-themed-malware-email-campaign-targeting-windows-and-macs/ || cve,2011-3544 +1 || 2014566 || 2 || trojan-activity || 0 || ET TROJAN W32/UltimateDefender.FakeAV Checkin || md5,cec40236236466a1acb33aca3220eebe +1 || 2014567 || 5 || trojan-activity || 0 || ET INFO EXE Download With Content Type Specified As Empty || md5,d51218653323e48672023806f6ace26b +1 || 2014568 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unkown exploit kit jar download +1 || 2014569 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Unkown exploit kit version check +1 || 2014570 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS HTTP Request to a known malware domain (regicsgf.net) || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx +1 || 2014571 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS HTTP Request to a a known malware domain (sektori.org) || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx +1 || 2014572 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query for a known malware domain (regicsgf.net) || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx +1 || 2014573 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query for a known malware domain (sektori.org) || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Coswid-C/detailed-analysis.aspx +1 || 2014574 || 4 || policy-violation || 0 || ET POLICY CNET TechTracker User-Agent (CNET TechTracker) || url,www.cnet.com/techtracker-free/ +1 || 2014575 || 4 || trojan-activity || 0 || ET INFO Potential Malicious PDF (EmbeddedFiles) improper case || url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/ +1 || 2014576 || 2 || policy-violation || 0 || ET POLICY eBook Generator User-Agent (EBook) || url,malwr.com/analysis/a04b28e21adc70837eb7de811556ff4e/ || url,www.ebookgenerator.com/ +1 || 2014577 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS ET CURRENT_EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores +1 || 2014578 || 3 || trojan-activity || 0 || ET TROJAN Win32.Winwebsec.B Checkin || md5,9c9109cea5845272d6abd1b5523c8de7 +1 || 2014579 || 3 || trojan-activity || 0 || ET TROJAN Likely Infected HTTP POST to PHP with User-Agent of HTTP Client +1 || 2014581 || 3 || trojan-activity || 0 || ET TROJAN Hoax.Win32.BadJoke/DownLoader1.57593 Checkin || url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/ +1 || 2014583 || 3 || trojan-activity || 0 || ET TROJAN Adware/FakeAV.Kraddare Checkin UA || url,www.scumware.org/report/update.best-pc.co.kr +1 || 2014584 || 5 || bad-unknown || 0 || ET MALWARE Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field) || url,www.fourteenforty.jp/products/yarai/CVE2011-0609/ || url,www.kahusecurity.com/2011/apec-spearphish-2/ || md5,3d91d9df315ffeb9bb1c774452b3114b +1 || 2014585 || 2 || attempted-user || 0 || ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS || url,exploit-db.com/exploits/18461/ +1 || 2014586 || 2 || attempted-user || 0 || ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS 2 || url,exploit-db.com/exploits/18461/ +1 || 2014587 || 3 || attempted-user || 0 || ET ACTIVEX Possible Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite || url,exploit-db.com/exploits/18704/ +1 || 2014588 || 2 || attempted-user || 0 || ET ACTIVEX Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite 2 || url,exploit-db.com/exploits/18704/ +1 || 2014589 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress yousaytoo-auto-publishing plugin submit Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/108470/wpystap-xss.txt +1 || 2014590 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_pinboard option Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/94991/Joomla-Pinboard-Remote-File-Inclusion.html +1 || 2014591 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress whois search domain Parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/108271/WordPress-Whois-Search-Cross-Site-Scripting.html +1 || 2014592 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Facebook-Page-Promoter-Lightbox settings-updated Cross Site Scripting Attempt || url,packetstormsecurity.org/files/108238/WordPress-Facebook-Page-Promoter-Lightbox-Cross-Site-Scripting.html +1 || 2014593 || 3 || attempted-user || 0 || ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution || url,securityfocus.com/archive/1/520353 +1 || 2014594 || 4 || attempted-user || 0 || ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution 2 || url,securityfocus.com/archive/1/520353 +1 || 2014595 || 4 || trojan-activity || 0 || ET DELETED Win32 Jadtre/Wapomi/Nimnul/Viking.AY ICMP ping +1 || 2014596 || 5 || trojan-activity || 0 || ET TROJAN FlashBack Mac OSX malware Checkin || url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/ +1 || 2014597 || 2 || trojan-activity || 0 || ET TROJAN Mac Flashback Checkin 1 +1 || 2014598 || 6 || trojan-activity || 0 || ET TROJAN Mac Flashback Checkin 2 +1 || 2014599 || 5 || trojan-activity || 0 || ET TROJAN Mac Flashback Checkin 3 +1 || 2014600 || 5 || trojan-activity || 0 || ET TROJAN Win32/Nitol.A Checkin +1 || 2014601 || 4 || trojan-activity || 0 || ET TROJAN Win32/Nitol.B Checkin +1 || 2014604 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Yakes.pwo Checkin || md5,d40927e8c4b59a1c2af4f981ef295321 +1 || 2014605 || 6 || trojan-activity || 0 || ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin +1 || 2014606 || 4 || trojan-activity || 0 || ET MALWARE W32/GameVance User-Agent (aw v3) +1 || 2014607 || 9 || attempted-user || 0 || ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client +1 || 2014608 || 8 || attempted-user || 0 || ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised +1 || 2014609 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito Exploit Kit Java request to images.php?t= +1 || 2014610 || 4 || trojan-activity || 0 || ET TROJAN W32/Downvision.A Initial Checkin || url,www.fortiguard.com/av/VID3309956 +1 || 2014611 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS TDS Sutra - cookie set RULEZ +1 || 2014612 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS TDS Sutra - cookie is set RULEZ +1 || 2014613 || 2 || web-application-activity || 0 || ET CURRENT_EVENTS Jembot PHP Webshell (file upload) || url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1 +1 || 2014614 || 2 || web-application-activity || 0 || ET CURRENT_EVENTS Jembot PHP Webshell (system command) || url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1 +1 || 2014615 || 3 || web-application-activity || 0 || ET CURRENT_EVENTS Jembot PHP Webshell (hell.php) || url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1 +1 || 2014616 || 5 || trojan-activity || 0 || ET TROJAN Win32/Usteal.B Checkin || url,www.threatexpert.com/report.aspx?md5=3155b146bee46723acc5637617e3703a || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862 +1 || 2014617 || 2 || misc-activity || 0 || ET POLICY Cisco IOS Self Signed Certificate Served to External Host +1 || 2014618 || 2 || trojan-activity || 0 || ET TROJAN W32/Sogu Remote Access Trojan Social Media Embedded CnC Channel || url,blogs.norman.com/2012/security-research/trojan-moves-its-configuration-to-twitter-linkedin-msdn-and-baidu +1 || 2014619 || 2 || attempted-user || 0 || ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution || url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html +1 || 2014620 || 2 || attempted-user || 0 || ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2 || url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html +1 || 2014621 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DokuWiki target parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/111939/DocuWiki-2012-01-25-Cross-Site-Request-Forgery-Cross-Site-Scripting.html +1 || 2014622 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress 1-jquery-photo-gallery-slideshow-flash plugin page Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/107423/WordPress-1-JQuery-Photo-Gallery-Slideshow-Flash-Cross-Site-Scripting.html +1 || 2014623 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DirectNews rootpath parameter Remote File inclusion Attempt || url,1337day.com/exploits/15795 +1 || 2014624 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DirectNews uploadBigFiles.php Remote File inclusion Attempt || url,1337day.com/exploits/15795 +1 || 2014625 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DirectNews remote.php Remote File inclusion Attempt || url,1337day.com/exploits/15795 +1 || 2014626 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DirectNews class.panier_article.php Remote File inclusion Attempt || url,1337day.com/exploits/15795 +1 || 2014627 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DirectNews menu_layers.php Remote File inclusion Attempt || url,1337day.com/exploits/15795 +1 || 2014628 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DirectNews lib.panier.php Remote File inclusion Attempt || url,1337day.com/exploits/15795 +1 || 2014629 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus js.js +1 || 2014630 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.Es11 Keepalive to CnC || md5,4a17e9bd99f496c518ddfaaef93384b0 +1 || 2014631 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FakeAV Security Shield payment page request +1 || 2014633 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpMyAdmin setup.php Remote File inclusion Attempt || url,blog.spiderlabs.com/2012/04/honeypot-alert-phpmyadmin-setupphp-rfi-attacks-detected.html || url,phpmyadmin.net/home_page/security/PMASA-2010-4.php || cve,CVE-2010-3055 +1 || 2014634 || 1 || trojan-activity || 0 || ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Session_Id length greater than Client_Hello Length) || md5,a01d75158cf4618677f494f9626b1c4c +1 || 2014635 || 1 || trojan-activity || 0 || ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length) || md5,a01d75158cf4618677f494f9626b1c4c +1 || 2014636 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32/Poison.BI || md5,3e008471eaa5e788c41c2a0dff3d1a89 +1 || 2014637 || 3 || trojan-activity || 0 || ET TROJAN Maljava Dropper for Windows || url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once +1 || 2014638 || 4 || trojan-activity || 0 || ET TROJAN Maljava Dropper for OS X || url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once +1 || 2014639 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito Exploit Kit PDF request to images.php?t=81118 +1 || 2014640 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N +1 || 2014641 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx +1 || 2014642 || 3 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to /Edu.jar +1 || 2014643 || 7 || trojan-activity || 0 || ET TROJAN ConstructorWin32/Agent.V || md5,3305ad96bcfd3a406dc9daa31e538902 +1 || 2014644 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title +1 || 2014645 || 2 || attempted-admin || 0 || ET CURRENT_EVENTS RuggedCom Banner with MAC || url,www.exploit-db.com/exploits/18779/ || url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars +1 || 2014646 || 3 || attempted-admin || 0 || ET CURRENT_EVENTS RuggedCom factory account backdoor || url,www.exploit-db.com/exploits/18779/ || url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars +1 || 2014647 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html +1 || 2014648 || 4 || attempted-user || 0 || ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow || url,exploit-db.com/exploits/18427/ +1 || 2014649 || 6 || attempted-user || 0 || ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2 || url,exploit-db.com/exploits/18427/ +1 || 2014650 || 4 || attempted-user || 0 || ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow || url,exploit-db.com/exploits/18427/ +1 || 2014651 || 2 || attempted-user || 0 || ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2 || url,exploit-db.com/exploits/18427/ +1 || 2014652 || 3 || attempted-user || 0 || ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access || url,secunia.com/advisories/48681/ +1 || 2014653 || 3 || attempted-user || 0 || ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2 || url,secunia.com/advisories/48681/ +1 || 2014654 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html +1 || 2014655 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_some controller Parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/108906/Joomla-Some-Local-File-Inclusion.html +1 || 2014656 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Skysa Official submit parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/107342/WordPress-Skysa-Official-1.01-1.02-1.03-Cross-Site-Scripting.html +1 || 2014657 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Unkown exploit kit pdf download +1 || 2014658 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Unkown exploit kit payload download +1 || 2014659 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Please wait Message || url,isc.sans.edu/diary.html?storyid=13051 +1 || 2014660 || 3 || trojan-activity || 0 || ET TROJAN Win32/Ponmocup.A Checkin || md5,97a1acc085849c0b9af19adcf44607a7 +1 || 2014661 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing for prototype catch substr +1 || 2014662 || 1 || attempted-dos || 0 || ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt || url,www.msdn.microsoft.com/en-us/library/cc240836.aspx || cve,2012-0002 || url,technet.microsoft.com/en-us/security/bulletin/ms12-020 || url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html || url,aluigi.org/adv/termdd_1-adv.txt || url,blog.binaryninjas.org/?p=58 || url,luca.ntop.org/Teaching/Appunti/asn1.html +1 || 2014663 || 1 || attempted-dos || 0 || ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt || url, www.msdn.microsoft.com/en-us/library/cc240836.aspx || cve,2012-0002 || url,technet.microsoft.com/en-us/security/bulletin/ms12-020 || url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html || url,aluigi.org/adv/termdd_1-adv.txt || url,blog.binaryninjas.org/?p=58 || url,luca.ntop.org/Teaching/Appunti/asn1.html +1 || 2014664 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole - Jar File Naming Algorithm +1 || 2014665 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit +1 || 2014666 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole - Injected Page Leading To Driveby +1 || 2014667 || 2 || trojan-activity || 0 || ET MALWARE W32/Dialer.Adultchat Checkin || url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813 || md5,fd2c949dc20b651a53326a3d571641ec +1 || 2014669 || 4 || trojan-activity || 0 || ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php || url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper +1 || 2014700 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32/Backdoor.BAT.Agent.W User Botnet || md5,fc7059ec1e3e86fd0a664c3747f09725 +1 || 2014701 || 9 || policy-violation || 0 || ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set - Likely Kazy || md5,a56ec0f9bd46f921f65e4f6e598e5ed0 || url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/ || url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html +1 || 2014702 || 7 || policy-violation || 0 || ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy || md5,a56ec0f9bd46f921f65e4f6e598e5ed0 || url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/ || url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html +1 || 2014703 || 7 || policy-violation || 0 || ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy || md5,a56ec0f9bd46f921f65e4f6e598e5ed0 || url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/ || url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html +1 || 2014704 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability || cve,2012-1823 || url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ || url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/ +1 || 2014705 || 3 || trojan-activity || 1 || ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request +1 || 2014706 || 2 || trojan-activity || 1 || ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!) +1 || 2014707 || 3 || trojan-activity || 1 || ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download +1 || 2014708 || 3 || attempted-user || 0 || ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution || url,exploit-db.com/exploits/18805/ +1 || 2014709 || 3 || attempted-user || 0 || ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2 || url,exploit-db.com/exploits/18805/ +1 || 2014710 || 3 || attempted-user || 0 || ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite || url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html +1 || 2014711 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS maxxweb Cms kategorie parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112289/Maxxweb-CMS-Cross-Site-Scripting.html +1 || 2014712 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress WPsc-MijnPress plugin rwflush parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112324/WordPress-WPsc-MijnPress-Cross-Site-Scripting.html +1 || 2014713 || 3 || attempted-user || 0 || ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow || url,exploit-db.com/exploits/16604/ +1 || 2014714 || 3 || attempted-user || 0 || ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2 || url,exploit-db.com/exploits/16604/ +1 || 2014715 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_obsuggest controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/103598/Joomla-obSuggest-Local-File-Inclusion.html +1 || 2014716 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/104112/Joomla-JoomTouch-1.0.2-Local-File-Inclusion.html +1 || 2014717 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress WP Custom Pages url parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/100047/WordPress-WP-Custom-Pages-0.5.0.1-Local-File-Inclusion.html +1 || 2014718 || 3 || policy-violation || 0 || ET GAMES Nintendo Wii User-Agent || url,www.useragentstring.com/pages/Opera/ +1 || 2014719 || 2 || trojan-activity || 0 || ET TROJAN W32/Simbot.Backdoor Checkin || md5,a4edc9d31bc0ad763b3424e9306f4d7c +1 || 2014720 || 2 || trojan-activity || 0 || ET TROJAN W32/Downloader/Agent.dxh.1 Reporting to CnC || md5,ded49b8c92d7ab6725649f04f30df8ce +1 || 2014721 || 2 || trojan-activity || 0 || ET TROJAN Boatz Checkin || url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code +1 || 2014722 || 4 || trojan-activity || 0 || ET TROJAN Medfos/Midhos Checkin || md5,00da8acc14d0e827dbb1326c023fc720 || md5,8f561f46fb262cac6bb4cacf3e4e78a6 || md5,63491dcc8e897bf442599febe48b824d +1 || 2014723 || 2 || trojan-activity || 0 || ET TROJAN Suspicious lcon http header in response seen with Medfos/Midhos downloader || md5,63491dcc8e897bf442599febe48b824d +1 || 2014724 || 3 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to /Cal.jar +1 || 2014725 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case= +1 || 2014726 || 33 || policy-violation || 0 || ET POLICY Outdated Windows Flash Version IE || url,www.adobe.com/software/flash/about/ +1 || 2014727 || 26 || policy-violation || 0 || ET POLICY Outdated Mac Flash Version +1 || 2014728 || 4 || trojan-activity || 0 || ET TROJAN Smoke Loader Checkin r=gate || md5,fafada188ce47a1459f4fcea487f06b5 +1 || 2014729 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found +1 || 2014730 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS Potential FAKEAV Download a-f0-9 x16 download +1 || 2014731 || 2 || trojan-activity || 0 || ET TROJAN Snap Bot Checkin || md5,a45a1ccf6842b032b7f2ef2f2255c81c || md5,e070ce714e343052d19a7e3213ee2a9a || url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html +1 || 2014732 || 4 || trojan-activity || 0 || ET TROJAN Snap Bot Receiving Download Command || md5,a45a1ccf6842b032b7f2ef2f2255c81c || md5,e070ce714e343052d19a7e3213ee2a9a || url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html +1 || 2014733 || 5 || trojan-activity || 0 || ET TROJAN Snap Bot Receiving DDoS Command || md5,a45a1ccf6842b032b7f2ef2f2255c81c || md5,e070ce714e343052d19a7e3213ee2a9a || url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html +1 || 2014734 || 2 || policy-violation || 0 || ET P2P BitTorrent - Torrent File Downloaded +1 || 2014735 || 3 || trojan-activity || 0 || ET MALWARE Malicious file bitdefender_isecurity.exe download || md5,283ae10839fff3e183193efde3e633eb +1 || 2014736 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112549/Andromeda-Streaming-MP3-Server-1.9.3.6-Cross-Site-Scripting.html +1 || 2014737 || 4 || attempted-user || 0 || ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow || url,secunia.com/advisories/45511 +1 || 2014738 || 4 || attempted-user || 0 || ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2 || url,secunia.com/advisories/45511 +1 || 2014739 || 4 || attempted-user || 0 || ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow || url,secunia.com/advisories/45511 +1 || 2014740 || 4 || attempted-user || 0 || ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2 || url,secunia.com/advisories/45511 +1 || 2014741 || 4 || attempted-user || 0 || ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow || url,secunia.com/advisories/45511 +1 || 2014742 || 3 || attempted-user || 0 || ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2 || url,secunia.com/advisories/45511 +1 || 2014743 || 4 || attempted-user || 0 || ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow || url,secunia.com/advisories/45511 +1 || 2014744 || 4 || attempted-user || 0 || ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2 || url,secunia.com/advisories/45511 +1 || 2014745 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Try Prototype Catch May 11 2012 +1 || 2014746 || 4 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to /Set.jar +1 || 2014747 || 3 || trojan-activity || 0 || ET DELETED Blackhole Try Prototype Catch May 14 2012 +1 || 2014748 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit Repeated Exploit Request Pattern || url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html || url,malware.dontneedcoffee.com/2012/05/inside-redkit.html || url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html || url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470 +1 || 2014749 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar +1 || 2014750 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html +1 || 2014751 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii +1 || 2014752 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Win32.HLLW.Autoruner USA_Load UA || url,news.drweb.com/show/?i=2440&lng=en&c=5 +1 || 2014753 || 5 || bad-unknown || 0 || ET DELETED probable malicious Glazunov Javascript injection +1 || 2014754 || 6 || trojan-activity || 0 || ET TROJAN W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC || url,home.mcafee.com/virusinfo/virusprofile.aspx?key=1072862 || url,8af17164500aac1c0965b842aca3fed7 +1 || 2014755 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS W32/HupigonUser.Backdoor Rabclib UA Checkin || md5,65467e7ff3140f42f4758eca7b76185c +1 || 2014756 || 5 || policy-violation || 0 || ET POLICY Logmein.com/Join.me SSL Remote Control Access +1 || 2014757 || 4 || trojan-activity || 0 || ET TROJAN Win32/Comrerop Checkin to FTP server || md5,6b16290b05afd1a9d638737924f2ab5c +1 || 2014758 || 4 || trojan-activity || 0 || ET TROJAN Trojan.BAT.Qhost - SET || md5,8174d42fd82457592c573fe73bdc0cd5 +1 || 2014759 || 3 || trojan-activity || 0 || ET TROJAN Trojan.BAT.Qhost Response from Controller || md5,8174d42fd82457592c573fe73bdc0cd5 +1 || 2014760 || 2 || trojan-activity || 0 || ET TROJAN W32/Votwup.Backdoor Checkin || md5,1325e4e44b5bf2f8dfe550dec016da53 +1 || 2014761 || 2 || misc-activity || 0 || ET POLICY Internal Host Getting External IP Address - ip2city.asp +1 || 2014762 || 2 || trojan-activity || 0 || ET TROJAN W32/SpyBanker Infection Confirmation Email 2 || md5,f091e8ed0e8f4953ff10ce3bd06dbe54 +1 || 2014763 || 5 || attempted-user || 0 || ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution || url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html +1 || 2014764 || 4 || attempted-user || 0 || ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2 || url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html +1 || 2014765 || 5 || attempted-user || 0 || ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack || url,1337day.com/exploits/17583 +1 || 2014766 || 5 || attempted-user || 0 || ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2 || url,1337day.com/exploits/17583 +1 || 2014767 || 5 || trojan-activity || 0 || ET MALWARE Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin || md5,48352e3a034a95845864c0f6aad07d39 +1 || 2014768 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress WP Survey and Quiz Tool plugin rowcount Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112685/WordPress-WP-Survey-And-Quiz-Tool-2.9.2-Cross-Site-Scripting.html +1 || 2014769 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html +1 || 2014770 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Download Monitor plugin uploader.php Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html +1 || 2014771 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Appointment Booking Pro view parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/103172/Joomla-Appointment-Booking-Pro-Arbitrary-File-Reading.html +1 || 2014772 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_media file parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/99775/Joomla-Media-Local-File-Inclusion.html +1 || 2014773 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Page JavaScript Split String Obfuscation of CharCode +1 || 2014774 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Malicious PDF qweqwe= || url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47 +1 || 2014775 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole PDF Payload Request +1 || 2014776 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole PDF Payload Request With Double Colon +1 || 2014777 || 2 || trojan-activity || 0 || ET TROJAN Kazy/Kryptic Checkin with Opera/9 User-Agent || url,malwr.com/analysis/18c5b31198777f93a629a0357b22f2f8/ || md5,18c5b31198777f93a629a0357b22f2f8 || url,www.virustotal.com/file/94cf780fa829c16cd0b09a462b5419cd1175bac01ba935e906a109d97b4dadaa/ +1 || 2014778 || 2 || trojan-activity || 0 || ET TROJAN Bebloh connectivity check || md5,3f9ef604b68da32062ef27e15eb71715 || md5,ccb463b2dadaf362a03c8bbf34dc247e +1 || 2014779 || 6 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to 3322.net Domain *.2288.org +1 || 2014781 || 6 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net +1 || 2014782 || 6 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to 3322.net Domain *.6600.org +1 || 2014783 || 6 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to 3322.net Domain *.7766.org +1 || 2014784 || 5 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8800.org +1 || 2014786 || 5 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to 3322.net Domain *.9966.org +1 || 2014787 || 5 || misc-activity || 0 || ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.2288.org +1 || 2014788 || 6 || misc-activity || 0 || ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net +1 || 2014789 || 4 || misc-activity || 0 || ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.6600.org +1 || 2014790 || 6 || misc-activity || 0 || ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.7766.org +1 || 2014791 || 5 || misc-activity || 0 || ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8800.org +1 || 2014792 || 5 || misc-activity || 0 || ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.9966.org +1 || 2014793 || 3 || trojan-activity || 0 || ET TROJAN Win32/MultiPasswordRecovery.A cs-crash PWS +1 || 2014794 || 4 || trojan-activity || 0 || ET TROJAN Win32/Thetatic.A Client POST Get CMD Checkin +1 || 2014795 || 2 || trojan-activity || 0 || ET TROJAN Win32/Thetatic.A Client POST CMD result +1 || 2014796 || 5 || trojan-activity || 0 || ET DELETED Win32/Thetatic.A Checkin +1 || 2014797 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS ZeuS Ransomware win_unlock || url,www.f-secure.com/weblog/archives/00002367.html || md5,14a1d23b5a8b4f5c186bc5082ede4596 +1 || 2014798 || 2 || bad-unknown || 0 || ET MALWARE PCMightyMax Agent PCMM.Installer +1 || 2014799 || 2 || policy-violation || 0 || ET POLICY OpenVPN Update Check +1 || 2014800 || 2 || trojan-activity || 0 || ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012 || url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html +1 || 2014801 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Try App.title Catch - May 22nd 2012 || url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html +1 || 2014802 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Fragus Exploit jar Download +1 || 2014803 || 7 || trojan-activity || 0 || ET TROJAN VBS/Wimmie.A Set || url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf || md5,61474931882dce7b1c67e1f22d26187e +1 || 2014804 || 6 || trojan-activity || 0 || ET TROJAN VBS/Wimmie.A Checkin || url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A || md5,61474931882dce7b1c67e1f22d26187e || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf +1 || 2014805 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown java_ara Bin Download +1 || 2014806 || 5 || attempted-user || 0 || ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow || url,exploit-db.com/exploits/18892/ +1 || 2014807 || 4 || attempted-user || 0 || ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2 || url,exploit-db.com/exploits/18892/ +1 || 2014808 || 7 || attempted-user || 0 || ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt || url,secunia.com/advisories/49285/ +1 || 2014809 || 4 || attempted-user || 0 || ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt || url,secunia.com/advisories/49285/ +1 || 2014810 || 4 || trojan-activity || 0 || ET MALWARE Malicious pusk.exe download || md5,eae75c0e34d11e6daef216cfc3fbbb04 +1 || 2014811 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Dynamic Widgets plugin id parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112706/WordPress-Dynamic-Widgets-1.5.1-Cross-Site-Scripting.html +1 || 2014812 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin group parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html +1 || 2014813 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin season parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html +1 || 2014814 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Component JE Story Submit view parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/103214/Joomla-JE-K2-Story-Submit-Local-File-Inclusion.html +1 || 2014815 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_acooldebate controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/102422/Joomla-A-Cool-Debate-1.0.3-Local-File-Inclusion.html +1 || 2014816 || 5 || trojan-activity || 0 || ET TROJAN Rogue.Win32/Winwebsec Install 2 || md5,181999985de5feae6f44f9578915417f +1 || 2014817 || 2 || trojan-activity || 0 || ET USER_AGENTS W32/Renos.Downloader User Agent zeroup || url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml || md5,35ba53f6aeb6b38c1107018f271189af +1 || 2014818 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible SKyWIper/Win32.Flame UA || url,crysys.hu/skywiper/skywiper.pdf +1 || 2014819 || 3 || misc-activity || 0 || ET INFO Packed Executable Download +1 || 2014820 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Javascript Blob +1 || 2014821 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole RawValue Specific Exploit PDF || cve,2010-0188 +1 || 2014822 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible SKyWIper/Win32.Flame POST || url,blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/ +1 || 2014823 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Malicious PDF asdvsa +1 || 2014824 || 3 || trojan-activity || 0 || ET DELETED Redkit Java Exploit request to b.class +1 || 2014825 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Page Script Profile ASD +1 || 2014826 || 5 || trojan-activity || 0 || ET TROJAN Virus.Win32.Sality.aa Checkin || md5,1e0e6717f72b66f6fc83f2ef6c00dcb7 +1 || 2014827 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FedEX Spam Inbound +1 || 2014828 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS UPS Spam Inbound +1 || 2014829 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Post Express Spam Inbound +1 || 2014830 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Redkit Java Exploit request to .class file +1 || 2014831 || 3 || attempted-user || 0 || ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow || url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html +1 || 2014832 || 4 || attempted-user || 0 || ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow || url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html +1 || 2014833 || 4 || attempted-user || 0 || ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow || url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html +1 || 2014834 || 4 || attempted-user || 0 || ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2 || url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html +1 || 2014835 || 4 || attempted-user || 0 || ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow || url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html +1 || 2014836 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS DynPG CMS PathToRoot Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/87907/DynPG-CMS-4.1.0-Remote-File-Inclusion.html +1 || 2014837 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Jotloader component section parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/96812/Joomla-Jotloader-2.2.1-Local-File-Inclusion.html +1 || 2014838 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin type parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html +1 || 2014839 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin opt parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html +1 || 2014840 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Exponent file parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/101230/Exponent-2.0.0-Beta-1.1-Local-File-Inclusion.html +1 || 2014841 || 2 || trojan-activity || 0 || ET TROJAN Possible Feodo/Cridex Traffic Detected +1 || 2014843 || 3 || trojan-activity || 0 || ET TROJAN Blackhole Exploit Kit Request tkr +1 || 2014844 || 2 || bad-unknown || 0 || ET TROJAN Probable Golfhole exploit kit landing page #2 +1 || 2014845 || 2 || trojan-activity || 0 || ET TROJAN Probable Golfhole exploit kit binary download #2 +1 || 2014846 || 11 || web-application-attack || 0 || ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI || url,code.google.com/p/timthumb/issues/detail?id=212 +1 || 2014847 || 5 || web-application-attack || 0 || ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell || url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html +1 || 2014848 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP || url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html +1 || 2014849 || 3 || trojan-activity || 0 || ET TROJAN Flamer WuSetupV module traffic 1 || md5,1f61d280067e2564999cac20e386041c +1 || 2014850 || 5 || trojan-activity || 0 || ET TROJAN Flamer WuSetupV module traffic 2 || md5,1f61d280067e2564999cac20e386041c +1 || 2014851 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request || url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html +1 || 2014852 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page || url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html +1 || 2014853 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt || url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html +1 || 2014854 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Likely TDS redirecting to exploit kit +1 || 2014855 || 3 || trojan-activity || 0 || ET TROJAN FakeAvCn-A Checkin 1 +1 || 2014856 || 2 || trojan-activity || 0 || ET TROJAN FakeAvCn-A Checkin 2 +1 || 2014857 || 3 || trojan-activity || 0 || ET TROJAN FakeAvCn-A Checkin 3 +1 || 2014858 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Fraudulent Paypal Mailing Server Response June 04 2012 +1 || 2014859 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com || url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days +1 || 2014860 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com || url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days +1 || 2014861 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com || url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days +1 || 2014862 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com || url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days +1 || 2014863 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com || url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days +1 || 2014864 || 1 || trojan-activity || 0 || ET TROJAN W32.Gimemo/Aldibot CnC POST || url,www.evild3ad.com/?p=1693 +1 || 2014865 || 3 || bad-unknown || 0 || ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit || cve,2012-0754 || url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac +1 || 2014866 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Redirect to driveby sid=mix +1 || 2014867 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain *.dns-stuff.com +1 || 2014868 || 2 || bad-unknown || 0 || ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com +1 || 2014869 || 3 || attempted-recon || 0 || ET SCAN Arachni Scanner Web Scan || url,arachni-scanner.com || url,github.com/Zapotek/arachni +1 || 2014870 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen || url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/ || url,rmhrisk.wpengine.com/?p=52 || url,msdn.microsoft.com/en-us/library/aa448396.aspx || md5,1f61d280067e2564999cac20e386041c +1 || 2014871 || 2 || trojan-activity || 0 || ET TROJAN Self Signed SSL Certificate (Reaserch) +1 || 2014872 || 2 || trojan-activity || 0 || ET TROJAN Self Signed SSL Certificate (John Doe) +1 || 2014873 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole June 7 2012 +1 || 2014874 || 7 || attempted-user || 0 || ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow || url,secunia.com/advisories/48966/ +1 || 2014875 || 6 || attempted-user || 0 || ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2 || url,secunia.com/advisories/48966/ +1 || 2014876 || 6 || attempted-user || 0 || ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability || url,secunia.com/advisories/48965/ +1 || 2014877 || 6 || attempted-user || 0 || ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2 || url,secunia.com/advisories/48965/ +1 || 2014878 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jeauto view parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/96803/Joomla-JE-Auto-Local-File-Inclusion.html +1 || 2014879 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jradio controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/96751/Joomla-JRadio-Local-File-Inclusion.html +1 || 2014880 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress wp-livephp plugin wp-live.php Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/108282/WordPress-LivePHP-Cross-Site-Scripting.html +1 || 2014881 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Mingle Forum groupid parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112696/WordPress-Mingle-Forum-1.0.33-Cross-Site-Scripting.html +1 || 2014882 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_catalogue controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/96190/Joomla-Catalogue-Local-File-Inclusion.html +1 || 2014883 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jvb_bridge Itemid Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/90844/Joomla-JVB-Bridge-Remote-File-Inclusion.html +1 || 2014884 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie +1 || 2014885 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SutraTDS (enema) used in Blackhole campaigns +1 || 2014886 || 2 || bad-unknown || 0 || ET WEB_SERVER IIS INDEX_ALLOCATION Auth Bypass Attempt || url,lists.grok.org.uk/pipermail/full-disclosure/2012-June/087269.html +1 || 2014887 || 2 || trojan-activity || 0 || ET TROJAN W32/Bakcorox.A ProxyBot CnC Server Connection || url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html +1 || 2014888 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Try Prototype Catch June 11 2012 +1 || 2014890 || 2 || attempted-admin || 0 || ET WEB_SERVER Possible attempt to enumerate MS SQL Server version || url,support.microsoft.com/kb/321185 +1 || 2014891 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar +1 || 2014892 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm +1 || 2014893 || 5 || network-scan || 0 || ET SCAN critical.io Scan || url,critical.io/ +1 || 2014894 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit - Landing Page Received - applet and 5digit jar +1 || 2014895 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code +1 || 2014896 || 4 || attempted-user || 0 || ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt || url,secunia.com/advisories/49443/ +1 || 2014897 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jmsfileseller view parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/101770/Joomla-JMSFileSeller-Local-File-Inclusion.html +1 || 2014898 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_mscomment controller parameter Local File Inclusion Attempt || url,1337day.com/exploits/12246 +1 || 2014899 || 6 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Plugin Tinymce Thumbnail Gallery href parameter Remote File Disclosure Attempt || url,packetstormsecurity.org/files/113417/WordPress-Tinymce-Thumbnail-Gallery-1.0.7-File-Disclosure.html +1 || 2014900 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin pinterest-url parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html +1 || 2014901 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin xing-url parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html +1 || 2014902 || 4 || attempted-user || 0 || ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow || url,secunia.com/advisories/48602/ +1 || 2014903 || 2 || attempted-user || 0 || ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2 || url,secunia.com/advisories/48602/ +1 || 2014904 || 5 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Sharebar plugin status parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112690/WordPress-Sharebar-1.2.1-SQL-Injection-Cross-Site-Scripting.html +1 || 2014905 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_ckforms controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/95623/Joomla-CKForms-Local-File-Inclusion.html +1 || 2014906 || 2 || policy-violation || 0 || ET INFO .exe File requested over FTP +1 || 2014907 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012 +1 || 2014908 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Initial Blackhole Landing - Verizon Balance Due Jun 15 2012 +1 || 2014909 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby +1 || 2014910 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module) +1 || 2014911 || 10 || attempted-user || 0 || ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free || cve,CVE-2012-1875 +1 || 2014912 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii +1 || 2014913 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm +1 || 2014914 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm +1 || 2014915 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex +1 || 2014916 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit - Landing Page Requested - 8Digit.html +1 || 2014917 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit - Landing Page Received - applet and flowbit +1 || 2014918 || 3 || trojan-activity || 0 || ET DELETED Blackhole Java Exploit request to Half.jar +1 || 2014919 || 3 || policy-violation || 0 || ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1) || url,skydrive.live.com +1 || 2014920 || 3 || policy-violation || 0 || ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2) || url,skydrive.live.com +1 || 2014921 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18 2012 +1 || 2014922 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit +1 || 2014923 || 1 || attempted-user || 0 || ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit +1 || 2014924 || 1 || attempted-user || 0 || ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client +1 || 2014926 || 3 || misc-attack || 0 || ET INFO PDF embedded in XDP file (Possibly Malicious) || url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp +1 || 2014927 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar +1 || 2014928 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com +1 || 2014929 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip || url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501 +1 || 2014930 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012 +1 || 2014931 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20 2012 +1 || 2014932 || 2 || bad-unknown || 0 || ET POLICY DynDNS CheckIp External IP Address Server Response +1 || 2014933 || 3 || trojan-activity || 0 || ET TROJAN Win32/Bicololo.Dropper ne_unik CnC Server Response +1 || 2014934 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FoxxySoftware - Landing Page - eval(function(p,a,c, +1 || 2014935 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware +1 || 2014936 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px +1 || 2014937 || 19 || trojan-activity || 0 || ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar +1 || 2014938 || 13 || attempted-admin || 0 || ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889 || cve,CVE-2012-1889 +1 || 2014939 || 1 || policy-violation || 0 || ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR || url,en.wikipedia.org/wiki/.onion +1 || 2014940 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole RawValue Exploit PDF || cve,2010-0188 +1 || 2014941 || 3 || policy-violation || 0 || ET POLICY TOR .exit Pseudo TLD DNS Query || url,en.wikipedia.org/wiki/.onion +1 || 2014942 || 2 || attempted-user || 0 || ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service || url,1337day.com/exploits/13938 +1 || 2014943 || 2 || attempted-user || 0 || ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2 || url,1337day.com/exploits/13938 +1 || 2014944 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html +1 || 2014945 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WHCMS banco Parameter Remote File inclusion Attempt || url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html +1 || 2014946 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt 2 || url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html +1 || 2014947 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Thinkun Remind Plugin dirPath Remote File Disclosure Vulnerability || url,secunia.com/advisories/49461 +1 || 2014948 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Simple Download Button Shortcode Plugin Arbitrary File Disclosure Vulnerability || url,secunia.com/advisories/49462 +1 || 2014949 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Plugins Wp-ImageZoom file parameter Remote File Disclosure Vulnerability || url,1337day.com/exploits/18685 +1 || 2014950 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt || url,secunia.com/advisories/49544 +1 || 2014951 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Nagios XI view parameter Cross-Site Scripting Attempt || url,secunia.com/advisories/49544 +1 || 2014952 || 3 || trojan-activity || 0 || ET TROJAN Capfire4 Checkin (register machine) || url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/ +1 || 2014953 || 3 || trojan-activity || 0 || ET TROJAN Capfire4 Checkin (update machine status) || url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/ +1 || 2014954 || 9 || policy-violation || 0 || ET INFO Vulnerable iTunes Version 10.6.x +1 || 2014955 || 2 || trojan-activity || 0 || ET TROJAN Backdoor Win32/Hupigon.CK Client Checkin +1 || 2014956 || 1 || trojan-activity || 0 || ET TROJAN Backdoor Win32/Hupigon.CK Server Checkin +1 || 2014957 || 1 || trojan-activity || 0 || ET TROJAN Backdoor Win32/Hupigon.CK Client Idle +1 || 2014958 || 1 || trojan-activity || 0 || ET TROJAN Backdoor Win32/Hupigon.CK Server Idle +1 || 2014959 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit +1 || 2014960 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs() +1 || 2014961 || 2 || trojan-activity || 0 || ET TROJAN W32/Scar CnC Checkin || md5,b345634df53511c7195d661ac755b320 +1 || 2014962 || 2 || trojan-activity || 0 || ET TROJAN W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response || md5,7b2bfb9d270a5f446f32502d2ed34d67 +1 || 2014963 || 2 || trojan-activity || 0 || ET TROJAN W32/Armageddon CnC Checkin || md5,3f4c5649d66fc5befc0db47930edb9f6 +1 || 2014964 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012 || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ +1 || 2014965 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012 || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ +1 || 2014966 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT +1 || 2014967 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php +1 || 2014968 || 8 || trojan-activity || 0 || ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe +1 || 2014969 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar +1 || 2014970 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website || url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99 || url,isc.sans.edu/diary/Run+Forest+/13540 || url,isc.sans.edu/diary/Run+Forest+Update+/13561 +1 || 2014971 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS JS.Runfore Malware Campaign Request || url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99 || url,isc.sans.edu/diary/Run+Forest+/13540 || url,isc.sans.edu/diary/Run+Forest+Update+/13561 +1 || 2014972 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS HeapLib JS Library || url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf +1 || 2014973 || 18 || trojan-activity || 0 || ET DELETED Blackhole - Landing Page Requested - /*.php?*=16HexChar +1 || 2014974 || 6 || trojan-activity || 0 || ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar +1 || 2014975 || 4 || trojan-activity || 0 || ET DELETED Blackhole - Landing Page Requested - /Home/index.php +1 || 2014976 || 3 || trojan-activity || 0 || ET DELETED Blackhole - Landing Page Received - catch and flowbit +1 || 2014977 || 7 || trojan-activity || 0 || ET DELETED Blackhole - Landing Page Recieved - applet and flowbit +1 || 2014979 || 2 || trojan-activity || 0 || ET TROJAN Zbot CnC POST /common/versions.php || md5,43d8afa89bd6bf06973af62220d6c158 +1 || 2014980 || 3 || trojan-activity || 0 || ET TROJAN Zbot CnC GET /lost.dat || md5,43d8afa89bd6bf06973af62220d6c158 +1 || 2014981 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012 || url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html +1 || 2014982 || 2 || attempted-recon || 0 || ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php || url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html +1 || 2014983 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Scalaxy Jar file +1 || 2014984 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012 || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ +1 || 2014985 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012 || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ +1 || 2014986 || 2 || web-application-attack || 0 || ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href browser redirect || url,secunia.com/advisories/49627/ +1 || 2014987 || 2 || web-application-attack || 0 || ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href Cross Site Scripting Attempt || url,secunia.com/advisories/49627/ +1 || 2014988 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pliggCMS src parameter Remote File Inclusion Attempt || url,1337day.com/exploits/18854 +1 || 2014989 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Download Monitor thumbnail parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html +1 || 2014990 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Download Monitor tags parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html +1 || 2014991 || 3 || attempted-user || 0 || ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2 || url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html +1 || 2014992 || 3 || attempted-user || 0 || ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit || url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html +1 || 2014993 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS AdaptCMS sitepath parameter Remote File Inclusion Vulnerability || url,packetstormsecurity.org/files/91022/AdaptCMS-2.0.0-Beta-Remote-File-Inclusion.html +1 || 2014994 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_profile controller parameter Local File Inclusion Vulnerability || url,packetstormsecurity.org/files/95609/Joomla-Profile-Local-File-Inclusion.html +1 || 2014995 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress jRSS Widget url parameter Local File Inclusion Vulnerability || url,packetstormsecurity.org/files/95638/WordPress-jRSS-Widget-1.1.1-Local-File-Inclusion.html +1 || 2014996 || 3 || attempted-dos || 0 || ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood || url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm +1 || 2014997 || 2 || policy-violation || 0 || ET POLICY Pandora Usage || url,www.pandora.com +1 || 2014998 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ +1 || 2014999 || 2 || trojan-activity || 0 || ET TROJAN Zbot CnC POST /common/timestamps.php || md5,43d8afa89bd6bf06973af62220d6c158 +1 || 2015000 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS NuclearPack Java exploit binary get request +1 || 2015001 || 2 || trojan-activity || 0 || ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar +1 || 2015002 || 6 || trojan-activity || 0 || ET TROJAN Pushbot User-Agent || url,www.cert.pl/news/5587/langswitch_lang/en +1 || 2015003 || 4 || trojan-activity || 0 || ET TROJAN Pushbot server response || url,www.cert.pl/news/5587/langswitch_lang/en +1 || 2015004 || 3 || bad-unknown || 0 || ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP || url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more || url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html +1 || 2015005 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 3 +1 || 2015006 || 6 || trojan-activity || 0 || ET DELETED SofosFO exploit kit jar download +1 || 2015007 || 9 || trojan-activity || 0 || ET DELETED SofosFO exploit kit version check +1 || 2015009 || 3 || trojan-activity || 0 || ET DELETED SofosFO exploit kit payload download +1 || 2015010 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit +1 || 2015011 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack exploit pack /mix/ payload +1 || 2015012 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 1 +1 || 2015013 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 2 +1 || 2015014 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 3 +1 || 2015015 || 1 || policy-violation || 0 || ET POLICY Download Request to Hotfile.com +1 || 2015016 || 2 || misc-activity || 0 || ET INFO FTP STOR to External Network +1 || 2015017 || 4 || trojan-activity || 0 || ET MALWARE W32/OnlineGames Checkin || md5,60763078b8860fd59a1d8bea2bf8900b +1 || 2015018 || 2 || trojan-activity || 0 || ET MALWARE W32/OnlineGames User Agent loadMM || md5,60763078b8860fd59a1d8bea2bf8900b +1 || 2015019 || 1 || trojan-activity || 0 || ET TROJAN W32/Icoo CnC Checkin || md5,1d2ddece4cd5cff3658c59e20d40dd8b +1 || 2015020 || 2 || trojan-activity || 0 || ET TROJAN W32/Numnet.Downloader CnC Checkin 1 || md5,fbc732c7cd1bbd84956b1e76b53384da +1 || 2015021 || 2 || trojan-activity || 0 || ET TROJAN W32/Numnet.Downloader CnC Checkin 2 || md5,fbc732c7cd1bbd84956b1e76b53384da +1 || 2015022 || 2 || trojan-activity || 0 || ET TROJAN W32/Zusy Gettime Checkin || md5,a152772516cef409ddd58f90917a3b44 +1 || 2015023 || 3 || network-scan || 0 || ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce) || url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf +1 || 2015024 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php +1 || 2015025 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 1 +1 || 2015026 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 2 +1 || 2015027 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 3 +1 || 2015028 || 4 || trojan-activity || 0 || ET TROJAN Cridex Post to CnC || url,vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html || url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/ || url,www.packetninjas.net +1 || 2015030 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client +1 || 2015031 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client +1 || 2015032 || 2 || attempted-user || 0 || ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access || url,11337day.com/exploits/18917 +1 || 2015033 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Concrete CMS approveImmediately parameter Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/53268/info +1 || 2015034 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Concrete CMS btask parameter Cross-Site Scripting Attempt || url,www.securityfocus.com/bid/53268/info +1 || 2015035 || 2 || web-application-attack || 0 || ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability || url,1337day.com/exploits/15332 +1 || 2015036 || 2 || attempted-user || 0 || ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access || url,1337day.com/exploits/15098 +1 || 2015037 || 2 || attempted-user || 0 || ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2 || url,1337day.com/exploits/15098 +1 || 2015038 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Count Per Day Plugin page parameter Cross-Site Scripting Attempt || url,secunia.com/advisories/49692/ +1 || 2015039 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_wisroyq controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/95508/Joomla-Wisroyq-Local-File-Inclusion.html +1 || 2015040 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/95430/Joomla-RSSReader-Local-File-Inclusion.html +1 || 2015041 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Custom Contact Forms options-general.php Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112616/WordPress-Custom-Contact-Forms-Cross-Site-Scripting.html +1 || 2015042 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack - 32Char.php by Java Client +1 || 2015043 || 3 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012 +1 || 2015044 || 3 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012 +1 || 2015045 || 3 || bad-unknown || 0 || ET INFO Potential Common Malicious JavaScript Loop +1 || 2015046 || 2 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012 +1 || 2015047 || 3 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request +1 || 2015048 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS 09 July 2012 Blackhole Landing Page - Please Wait Loading +1 || 2015049 || 3 || trojan-activity || 0 || ET DELETED Request For Blackhole Landing Page Go.php +1 || 2015050 || 4 || trojan-activity || 0 || ET TROJAN Generic - 8Char.JAR Naming Algorithm +1 || 2015051 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 1) || url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html +1 || 2015052 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 2) || url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html +1 || 2015053 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet +1 || 2015054 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet +1 || 2015055 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request +1 || 2015056 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure +1 || 2015057 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS c3284d malware network iframe +1 || 2015061 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015062 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015063 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015064 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015065 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015066 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015067 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015068 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015069 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015070 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015071 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015072 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015073 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015074 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015075 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015076 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015077 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015078 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015079 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015080 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015081 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015082 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015083 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015084 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015085 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015086 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015087 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015088 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015089 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015090 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015091 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015092 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015094 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015095 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015096 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015097 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015098 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015099 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015100 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015101 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015102 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015103 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015104 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015105 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015106 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015107 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015108 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015109 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015110 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015111 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015112 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015113 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015114 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015115 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015116 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015117 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015118 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015119 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015120 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015121 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015122 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015123 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015124 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015125 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015126 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015127 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015128 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015129 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015130 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015131 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015132 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015133 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015134 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015135 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015136 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015137 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015138 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015139 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015140 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015141 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015142 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015143 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015144 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015145 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015146 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015147 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015148 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015149 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015150 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015151 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015152 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015153 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015154 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015155 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015156 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015157 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015158 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015159 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015160 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015161 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015162 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015163 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015164 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015165 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015166 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015167 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015168 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015169 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015170 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015171 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015172 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015173 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015174 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015175 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015176 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015177 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015178 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015179 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015180 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015181 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015182 || 5 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015183 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015184 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015185 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015186 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015187 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015188 || 4 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015189 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015190 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015191 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015192 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015193 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015194 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015195 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015196 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015197 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015198 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015199 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015200 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015201 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015202 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015203 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015204 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015205 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015206 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015207 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015208 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015209 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015210 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015211 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015212 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015213 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015214 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015215 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015216 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015217 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015218 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015219 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015220 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015221 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015222 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015223 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015224 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015225 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015226 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015227 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015228 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015229 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015230 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015231 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015232 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015233 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015234 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015235 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015236 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015237 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015238 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015239 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015240 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015241 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015242 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015243 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015244 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015245 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015246 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015247 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015248 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015249 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015250 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015251 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015252 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015253 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015254 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015255 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015256 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015257 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015258 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015259 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015260 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015261 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015262 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015263 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015264 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015265 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015266 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015267 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015268 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015269 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015270 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015271 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015272 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015273 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015274 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015275 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015276 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015277 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015278 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015279 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015280 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015281 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015282 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015283 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015284 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015285 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015286 || 4 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015287 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015288 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015289 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015290 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015291 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015292 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015293 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015294 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015295 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015296 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015297 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015298 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015299 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015300 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015301 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015302 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015303 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015304 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015305 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015306 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015307 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015308 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015309 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015310 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015311 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015312 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015313 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015314 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015315 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015316 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015317 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015318 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015319 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015320 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015321 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015322 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015323 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015324 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015325 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015326 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015327 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015328 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015329 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015330 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015331 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015332 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015333 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015334 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015335 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015336 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015337 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015338 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015339 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015340 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015341 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015342 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015343 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015344 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015345 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015346 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015347 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015348 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015349 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015350 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015351 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015352 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015353 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015354 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015355 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015356 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015357 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015358 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015359 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015360 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015361 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015362 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015363 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015364 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015365 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015366 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015367 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015368 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015369 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015370 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015371 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015372 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015373 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015374 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015375 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015376 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015377 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015378 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015379 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015380 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015381 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015382 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015383 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015384 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015385 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015386 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015387 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015388 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015389 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015390 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015391 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015392 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015393 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015394 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015395 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015396 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015397 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015398 || 3 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015399 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015400 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015401 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015402 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015403 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015404 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015405 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015406 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015407 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015408 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015409 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015410 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015411 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015412 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015413 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015414 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015415 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015416 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015417 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015418 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015419 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015420 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015421 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015422 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015423 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015424 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015425 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015426 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015427 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015428 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015429 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015430 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015431 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015432 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015433 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015434 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015435 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015436 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015437 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015438 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015439 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015440 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015441 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015442 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015443 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015444 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015445 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015446 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015447 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015448 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015449 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015450 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015451 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015452 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015453 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015454 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015455 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015456 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015457 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015458 || 2 || trojan-activity || 0 || ET TROJAN Win32/Pift Checkin 1 || url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf || md5,d3c6af8284276b11c2f693c1195b4735 +1 || 2015459 || 2 || trojan-activity || 0 || ET TROJAN Win32/Pift Checkin 2 || url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf || md5,d3c6af8284276b11c2f693c1195b4735 +1 || 2015460 || 3 || trojan-activity || 0 || ET TROJAN Win32/Pift DNS TXT CnC Lookup ppift.net || url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf || md5,d3c6af8284276b11c2f693c1195b4735 +1 || 2015461 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015462 || 2 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015463 || 3 || bad-unknown || 0 || ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015464 || 2 || attempted-user || 0 || ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution || url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html +1 || 2015465 || 3 || attempted-user || 0 || ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution || url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html +1 || 2015466 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_marker) id parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html +1 || 2015467 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_layer) id parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html +1 || 2015468 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS joomla com_jstore controller parameter Local File Inclusion vulnerability || url,packetstormsecurity.org/files/94689/Joomla-JStore-Local-File-Inclusion.html +1 || 2015469 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Help Center Live file parameter Local File Inclusion vulnerability || url,packetstormsecurity.org/files/88998/Help-Center-Live-2.0.6-Local-File-Inclusion.html +1 || 2015470 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpPollScript include_class Parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/files/81376/phpPollScript-1.3-Remote-File-Inclusion.html +1 || 2015471 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability || url,packetstormsecurity.org/files/95604/Joomla-eDir-Local-File-Inclusion.html +1 || 2015472 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS joomla com_connect controller parameter Local File Inclusion vulnerability || url,packetstormsecurity.org/files/95590/Joomla-Connect-Local-File-Inclusion.html +1 || 2015473 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html +1 || 2015474 || 2 || trojan-activity || 0 || ET TROJAN ZeroAccess udp traffic detected +1 || 2015475 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole TKR Landing Page /last/index.php +1 || 2015476 || 5 || trojan-activity || 0 || ET DELETED BlackHole Landing Page /upinv.html +1 || 2015477 || 6 || trojan-activity || 0 || ET DELETED Blackhole Eval Split String Obfuscation In Brackets +1 || 2015478 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Unknown TDS /top2.html || url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/ +1 || 2015479 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Unknown TDS /rem2.html || url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/ +1 || 2015480 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Compromised WordPress Server pulling Malicious JS || url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/ +1 || 2015481 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS || url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/ +1 || 2015482 || 8 || trojan-activity || 0 || ET TROJAN ZeroAccess Outbound udp traffic detected +1 || 2015483 || 3 || bad-unknown || 0 || ET INFO Java .jar request to dotted-quad domain +1 || 2015484 || 2 || attempted-recon || 0 || ET SCAN w3af User-Agent 2 +1 || 2015485 || 2 || policy-violation || 0 || ET POLICY TuneIn Internet Radio Usage Detected || url,tunein.com/support/get-started +1 || 2015486 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (1) +1 || 2015487 || 10 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2) +1 || 2015488 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (3) +1 || 2015489 || 2 || trojan-activity || 0 || ET TROJAN W32/OnlineGame.DaGame Variant CnC Checkin +1 || 2015490 || 2 || attempted-user || 0 || ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow || url,exploit-db.com/exploits/19861/ +1 || 2015491 || 2 || attempted-user || 0 || ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow || url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html +1 || 2015492 || 3 || attempted-user || 0 || ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2 || url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html +1 || 2015493 || 2 || attempted-user || 0 || ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow || url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html +1 || 2015494 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Plugin PICA Photo Gallery imgname parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/113404/WordPress-PICA-Photo-Gallery-1.0-File-Disclosure.html +1 || 2015495 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Web Edition mod parameter Local File Inclusion vulnerability || url,packetstormsecurity.org/files/99789/Web-Edition-6.1.0.2-Local-File-Inclusion.html +1 || 2015496 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress church_admin Plugin id parameter Cross-Site Scripting Attempt || url,securityfocus.com/bid/54329 +1 || 2015497 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Download Manager cid parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/112708/WordPress-Download-Manager-2.2.2-Cross-Site-Scripting.html +1 || 2015498 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_hello controller parameter Local File Inclusion vulnerability || url,packetstormsecurity.org/files/114893/Joomla-Hello-Local-File-Inclusion.html +1 || 2015499 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Plugin Newsletter data parameter Local File Inclusion vulnerability || url,packetstormsecurity.org/files/113413/WordPress-Newsletter-1.5-File-Disclosure.html +1 || 2015500 || 3 || policy-violation || 0 || ET POLICY Geo Location IP info online service (geoiptool.com) || md5,04f02d7fea812ef78d2340015c5d768e +1 || 2015501 || 4 || trojan-activity || 0 || ET TROJAN ProxyBox - HTTP CnC - Checkin Response || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015502 || 2 || trojan-activity || 0 || ET TROJAN ProxyBox -ProxyBotCommand - CHECK_ME || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015503 || 2 || trojan-activity || 0 || ET TROJAN ProxyBox - HTTP CnC - .com.tw/check_version.php || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015504 || 4 || trojan-activity || 0 || ET TROJAN ProxyBox - HTTP CnC - POST 1-letter.php || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015505 || 2 || trojan-activity || 0 || ET TROJAN ProxyBox - HTTP CnC - getiplist.php || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015506 || 3 || trojan-activity || 0 || ET TROJAN ProxyBox - HTTP CnC - get_servers.php || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015508 || 2 || trojan-activity || 0 || ET TROJAN ProxyBox - HTTP CnC - botinfo.php || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015509 || 3 || trojan-activity || 0 || ET DELETED ProxyBox - HTTP CnC - proxy_info.php || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015510 || 2 || trojan-activity || 0 || ET TROJAN ProxyBox - ProxyBotCommand - I_AM || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015511 || 2 || trojan-activity || 0 || ET TROJAN ProxyBox - ProxyBotCommand - FORCE_AUTHENTICATION* || url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2 +1 || 2015512 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Urlzone/Bebloh/Bublik Checkin /was/vas.php || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B || url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8 || url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb || url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24 +1 || 2015513 || 3 || trojan-activity || 0 || ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload || url,www.exploit-db.com/exploits/18181/ || url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html +1 || 2015514 || 2 || trojan-activity || 0 || ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload || url,www.exploit-db.com/exploits/18181/ || url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html +1 || 2015515 || 2 || trojan-activity || 0 || ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777) || url,www.exploit-db.com/exploits/18181/ || url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html +1 || 2015516 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon +1 || 2015517 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious) +1 || 2015518 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious) +1 || 2015519 || 6 || trojan-activity || 0 || ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012 +1 || 2015520 || 4 || trojan-activity || 0 || ET DELETED Blackhole Landing Page Applet Structure +1 || 2015521 || 2 || trojan-activity || 0 || ET TROJAN Pakes2 - Server Hello +1 || 2015522 || 2 || trojan-activity || 0 || ET TROJAN Pakes2 - Client Alive +1 || 2015523 || 3 || trojan-activity || 0 || ET TROJAN Pakes2 - Checkin - /test.php +1 || 2015524 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 3) || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ +1 || 2015525 || 4 || trojan-activity || 0 || ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012 +1 || 2015526 || 3 || bad-unknown || 0 || ET WEB_SERVER Fake Googlebot UA 1 Inbound || url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site || url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943 +1 || 2015527 || 2 || network-scan || 0 || ET WEB_SERVER Fake Googlebot UA 2 Inbound || url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site || url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943 +1 || 2015528 || 4 || trojan-activity || 0 || ET TROJAN Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater) || md5,2c832d51e4e72dc3939c224cc282152c +1 || 2015529 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Googlebot User-Agent Outbound (likely malicious) +1 || 2015530 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015531 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl || url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/ || url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/ +1 || 2015532 || 2 || trojan-activity || 0 || ET TROJAN Generic - ProxyJudge Reverse Proxy Scoring Activity +1 || 2015533 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Karagany checkin (sid5 1) +1 || 2015534 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Karagany checkin (sid5 2) +1 || 2015535 || 3 || trojan-activity || 0 || ET TROJAN ZeroAccess HTTP GET request +1 || 2015536 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress featurific-for-wordpress plugin snum parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/107256/WordPress-Featurific-Cross-Site-Scripting.html +1 || 2015537 || 2 || attempted-user || 0 || ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute || url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html +1 || 2015538 || 2 || attempted-user || 0 || ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow || url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html +1 || 2015539 || 2 || attempted-user || 0 || ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2 || url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html +1 || 2015540 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_picasa2gallery controller parameter Local File Inclusion vulnerability || url,packetstormsecurity.org/files/90915/Joomla-Picasa2Gallery-1.2.8-Local-File-Inclusion.html +1 || 2015541 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Commentics id parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/113996/Commentics-2.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html +1 || 2015542 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress clickdesk-live-support-chat plugin cdwidgetid parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/107255/WordPress-Clickdesk-Live-Support-Chat-Cross-Site-Scripting.html +1 || 2015543 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpProfiles menu Parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html +1 || 2015544 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpProfiles topic_title parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html +1 || 2015545 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla PollXT component Itemid parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/94681/Joomla-PollXT-Local-File-Inclusion.html +1 || 2015546 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Trojan Cridex checkin || url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/ || url,stopmalvertising.com/rootkits/analysis-of-cridex.html +1 || 2015547 || 3 || trojan-activity || 0 || ET TROJAN Pakes2 - EXE Download Request +1 || 2015548 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack Exploit Kit Landing Page +1 || 2015549 || 5 || trojan-activity || 0 || ET DELETED g01pack Exploit Kit Landing Page 2 +1 || 2015550 || 1 || bad-unknown || 0 || ET DNS Query for a Suspicious *.upas.su domain +1 || 2015551 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP Request to a *.upas.su domain +1 || 2015552 || 2 || trojan-activity || 0 || ET SCAN HTExploit Method || url,www.mkit.com.ar/labs/htexploit/download.php +1 || 2015553 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats) || url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/ +1 || 2015554 || 19 || attempted-admin || 0 || ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt || cve,CVE-2012-1889 +1 || 2015555 || 18 || attempted-admin || 0 || ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889 || cve,CVE-2012-1889 +1 || 2015556 || 20 || attempted-user || 0 || ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt || cve,CVE-2012-1889 +1 || 2015557 || 6 || attempted-user || 0 || ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt || cve,2012-1889 +1 || 2015558 || 4 || trojan-activity || 0 || ET DELETED g01pack Exploit Kit Landing Page 3 +1 || 2015559 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR, Some-State, Internet Widgits) +1 || 2015560 || 3 || bad-unknown || 0 || ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC +1 || 2015561 || 2 || bad-unknown || 0 || ET INFO PDF Using CCITTFax Filter || url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/ || url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more +1 || 2015562 || 2 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Jorik.Totem.vg HTTP request || md5,cf5df13f8498326f1c6407749b3fe160 +1 || 2015563 || 3 || attempted-user || 0 || ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt || url,securityfocus.com/bid/54701 +1 || 2015564 || 2 || attempted-user || 0 || ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow || url,securityfocus.com/bid/54701 +1 || 2015565 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ManageEngine Applications Manager attributeToSelect parameter Cross-Site Script Attempt || url,securityfocus.com/bid/54759/ +1 || 2015566 || 2 || attempted-user || 0 || ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute || url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html +1 || 2015567 || 2 || attempted-user || 0 || ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2 || url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html +1 || 2015568 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_jeformcr view parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/94549/Joomla-Jeformcr-Local-File-Inclusion.html +1 || 2015569 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Bsadv controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/94540/Joomla-Basdv-Local-File-Inclusion-Directory-Traversal.html +1 || 2015570 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_mailchimpccnewsletter controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/95332/Joomla-MailChimpCCNewsletter-Local-File-Inclusion.html +1 || 2015571 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS pragmaMx img_url parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/113035/pragmaMx-1.12.1-Cross-Site-Scripting.html +1 || 2015572 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TEMENOS T24 skin parameter Cross-Site Scripting Attempt || url,packetstormsecurity.org/files/115126/Temenos-T24-R07.03-Cross-Site-Scripting.html +1 || 2015573 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit) || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2015574 || 4 || attempted-user || 0 || ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit) || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2015575 || 11 || attempted-user || 0 || ET CURRENT_EVENTS KaiXin Exploit Kit Java Class || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2015576 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to tor2web.org Domain (.onion proxy) || url,tor2web.org +1 || 2015577 || 3 || trojan-activity || 0 || ET TROJAN W32/Lile.A DoS Outbound || url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2 || md5,d6d0cd7eca2cef5aad66efbd312a7987 +1 || 2015578 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012 +1 || 2015579 || 10 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit Landing Page Structure +1 || 2015580 || 5 || trojan-activity || 0 || ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012 +1 || 2015581 || 1 || trojan-activity || 0 || ET TROJAN Atadommoc.C - HTTP CnC +1 || 2015582 || 5 || trojan-activity || 0 || ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012 +1 || 2015583 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FoxxySoftware - Comments || url,blog.eset.com/2012/08/07/foxxy-software-outfoxed +1 || 2015584 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS FoxxySoftware - Comments(2) || url,blog.eset.com/2012/08/07/foxxy-software-outfoxed +1 || 2015585 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access || url,blog.eset.com/2012/08/07/foxxy-software-outfoxed +1 || 2015586 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Redirection Page Try Math.Round Catch - 7th August 2012 +1 || 2015587 || 2 || trojan-activity || 0 || ET TROJAN MP-FormGrabber Checkin || url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw +1 || 2015588 || 5 || misc-activity || 0 || ET POLICY Suspicious Windows Executable WriteProcessMemory || url,sans.org/reading_room/whitepapers/malicious/rss/_33649 || url,jessekornblum.livejournal.com/284641.html || url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx +1 || 2015589 || 5 || misc-activity || 0 || ET POLICY Suspicious Windows Executable CreateRemoteThread || url,sans.org/reading_room/whitepapers/malicious/rss_33649 || url,jessekornblum.livejournal.com/284641.html || url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx +1 || 2015590 || 7 || trojan-activity || 0 || ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012 +1 || 2015591 || 4 || trojan-activity || 0 || ET DELETED Potential Blackhole Zeus Drop - 8th August 2012 +1 || 2015592 || 4 || trojan-activity || 0 || ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012 +1 || 2015593 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Sutra TDS /simmetry || url,blog.sucuri.net/2012/08/very-good-malware-redirection.html +1 || 2015594 || 2 || trojan-activity || 0 || ET TROJAN FinFisher Malware Connection Initialization || url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher +1 || 2015595 || 2 || trojan-activity || 0 || ET TROJAN FinFisher Malware Connection Handshake || url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher +1 || 2015596 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown .rr.nu Malware landing page || url,isc.sans.edu/diary.html?storyid=13864 +1 || 2015597 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Gauss Domain *.gowin7.com || url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution +1 || 2015598 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Gauss Domain *.secuurity.net || url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution +1 || 2015599 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Gauss Domain *.bestcomputeradvisor.com || url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution +1 || 2015600 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Gauss Domain *.dotnetadvisor.info || url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution +1 || 2015601 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Gauss Domain *.dataspotlight.net || url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution +1 || 2015602 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Gauss Domain *.guest-access.net || url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution +1 || 2015603 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/ +1 || 2015604 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern +1 || 2015605 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received +1 || 2015606 || 2 || attempted-user || 0 || ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution || url,1337day.com/exploits/17395 +1 || 2015607 || 2 || attempted-user || 0 || ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2 || url,1337day.com/exploits/17395 +1 || 2015608 || 2 || attempted-user || 0 || ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow || url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html +1 || 2015609 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Advanced Text Widget plugin page parameter Cross-Site Script Attempt || url,packetstormsecurity.org/files/107192/WordPress-Advanced-Text-Widget-Cross-Site-Scripting.html +1 || 2015610 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Lanoba Social plugin action parameter Cross-Site Script Attempt || url,packetstormsecurity.org/files/107191/WordPress-Lanoba-Social-Cross-Site-Scripting.html +1 || 2015611 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla je-media-player view parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/91171/Joomla-JE-Media-Player-Local-File-Inclusion.html +1 || 2015612 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dirLIST show_scaled_image.php Local File Inclusion Attempt || url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html +1 || 2015613 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS dirLIST thumb_gen.php Local File Inclusion Attempt || url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html +1 || 2015614 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS BaglerCMS articleID parameter Cross-Site Script Attempt || url,1337day.com/exploits/18221 +1 || 2015615 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress LiveGrounds plugin uid parameter Cross-Site Script Attempt || url,1337day.com/exploits/18932 +1 || 2015616 || 3 || trojan-activity || 0 || ET TROJAN DOCHTML C&C http directive in HTML comments || url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack +1 || 2015617 || 2 || trojan-activity || 0 || ET TROJAN Smardf/Boaxxe GET to cc.php3 || md5,f856b4c526c3e5cee9d47df59295d2e1 || md5,232b4dbed0453e2a952630fb1076248f +1 || 2015618 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Gauss Domain *.datajunction.org || url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution +1 || 2015619 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole/Cool jnlp URI Struct +1 || 2015620 || 5 || trojan-activity || 0 || ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012 +1 || 2015621 || 4 || trojan-activity || 0 || ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012 +1 || 2015622 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Landing Page Hwehes String - August 13th 2012 +1 || 2015623 || 2 || trojan-activity || 0 || ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/uid.php || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B || url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8 || url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb || url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24 +1 || 2015625 || 2 || web-application-attack || 0 || ET WEB_SERVER Magento XMLRPC-Exploit Attempt || url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/ || url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update || url,www.exploit-db.com/exploits/19793/ +1 || 2015627 || 4 || trojan-activity || 0 || ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword) || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/ || url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/ || url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/ +1 || 2015628 || 4 || trojan-activity || 0 || ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword) || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/ || url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/ || url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/ +1 || 2015629 || 5 || trojan-activity || 0 || ET TROJAN Cridex Response from exfiltrated data upload || url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/ || url,www.packetninjas.net +1 || 2015630 || 5 || trojan-activity || 0 || ET DELETED Possible XDocCrypt/Dorifel CnC IP || url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus +1 || 2015631 || 6 || trojan-activity || 0 || ET DELETED Possible XDocCrypt/Dorifel Checkin || url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus +1 || 2015632 || 4 || trojan-activity || 0 || ET TROJAN Shamoon/Wiper/DistTrack Checkin || url,www.symantec.com/connect/blogs/shamoon-attacks || url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work || url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf +1 || 2015633 || 2 || misc-activity || 0 || ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com +1 || 2015634 || 3 || bad-unknown || 0 || ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com +1 || 2015635 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Briba Checkin || url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/ +1 || 2015636 || 4 || attempted-user || 0 || ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow || url,exploit-db.com/exploits/16630/ +1 || 2015637 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Remote File Inclusion Attempt || url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html +1 || 2015638 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Remote File Inclusion Attempt || url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html +1 || 2015639 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html +1 || 2015640 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Local File Inclusion Attempt || url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html +1 || 2015641 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Local File Inclusion Attempt || url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html +1 || 2015642 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html +1 || 2015643 || 4 || attempted-user || 0 || ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow || url,exploit-db.com/exploits/16609/ || url,kb.cert.org/vuls/id/179281 +1 || 2015644 || 3 || attempted-user || 0 || ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2 || url,exploit-db.com/exploits/16609/ +1 || 2015645 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_g2bridge controller parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/90150/Joomla-G2Bridge-Local-File-Inclusion.html +1 || 2015646 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form +1 || 2015647 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search +1 || 2015648 || 7 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012 +1 || 2015649 || 3 || trojan-activity || 0 || ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI +1 || 2015651 || 3 || trojan-activity || 0 || ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet +1 || 2015652 || 5 || trojan-activity || 0 || ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012 +1 || 2015653 || 4 || trojan-activity || 0 || ET TROJAN Rogue.Win32/Winwebsec Install || md5,c527fb441e204baa28a7dcbcd3d91cd1 +1 || 2015654 || 5 || bad-unknown || 0 || ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012 +1 || 2015655 || 5 || trojan-activity || 0 || ET DELETED 0day JRE 17 exploit Class 1 || url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html +1 || 2015656 || 4 || trojan-activity || 0 || ET DELETED 0day JRE 17 exploit Class 2 || url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html +1 || 2015657 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Metasploit Java Payload || url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html || url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec +1 || 2015658 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Metasploit Java Exploit || url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html || url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec +1 || 2015659 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Outbound +1 || 2015660 || 2 || attempted-user || 0 || ET CURRENT_EVENTS - Blackhole Admin Login Outbound +1 || 2015661 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Inbound +1 || 2015662 || 2 || attempted-user || 0 || ET CURRENT_EVENTS - Blackhole Admin Login Inbound +1 || 2015663 || 4 || attempted-user || 0 || ET DELETED NeoSploit - Obfuscated Payload Requested +1 || 2015664 || 3 || attempted-user || 0 || ET DELETED NeoSploit - PDF Exploit Requested +1 || 2015665 || 2 || attempted-user || 0 || ET CURRENT_EVENTS NeoSploit - TDS +1 || 2015666 || 4 || attempted-user || 0 || ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java +1 || 2015667 || 2 || attempted-user || 0 || ET CURRENT_EVENTS NeoSploit - Version Enumerated - null +1 || 2015668 || 6 || attempted-user || 0 || ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet +1 || 2015669 || 10 || attempted-user || 0 || ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=* || url,0xicf.wordpress.com/category/security-updates/ || url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc || url,urlquery.net/report.php?id=111302 +1 || 2015670 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown Exploit Kit suspected Blackhole +1 || 2015671 || 9 || not-suspicious || 0 || ET INFO Adobe PDF in HTTP Flowbit Set || cve,CVE-2008-2992 || bugtraq,30035 || secunia,29773 +1 || 2015672 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown Exploit Kit redirect +1 || 2015673 || 3 || trojan-activity || 0 || ET TROJAN Trojan.JS.QLP Checkin +1 || 2015674 || 3 || misc-activity || 0 || ET INFO 3XX redirect to data URL +1 || 2015675 || 3 || trojan-activity || 0 || ET INFO SimpleTDS go.php (sid) +1 || 2015676 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012 +1 || 2015677 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura exploit kit binary download request /out.php +1 || 2015678 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura exploit kit exploit download request /view.php +1 || 2015679 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs +1 || 2015680 || 9 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov 09 2012 +1 || 2015681 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012 +1 || 2015682 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012 +1 || 2015683 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012 +1 || 2015684 || 4 || attempted-user || 0 || ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w= || url,urlquery.net/report.php?id=158608 +1 || 2015686 || 2 || misc-activity || 0 || ET POLICY Signed TLS Certificate with md5WithRSAEncryption || url,www.win.tue.nl/hashclash/rogue-ca/ || url,ietf.org/rfc/rfc3280.txt || url,jensign.com/JavaScience/GetTBSCert/index.html || url,luca.ntop.org/Teaching/Appunti/asn1.html || url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html +1 || 2015687 || 2 || attempted-recon || 0 || ET POLICY Inbound /uploadify.php Access || url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html +1 || 2015688 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg) || url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27 +1 || 2015689 || 2 || attempted-user || 0 || ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested +1 || 2015690 || 2 || attempted-user || 0 || ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested +1 || 2015691 || 2 || attempted-user || 0 || ET CURRENT_EVENTS NeoSploit - PDF Exploit Requested +1 || 2015692 || 3 || attempted-user || 0 || ET DELETED NeoSploit - TDS +1 || 2015693 || 2 || attempted-user || 0 || ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java +1 || 2015694 || 2 || attempted-user || 0 || ET CURRENT_EVENTS NeoSploit - Version Enumerated - null +1 || 2015695 || 4 || attempted-user || 0 || ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm +1 || 2015696 || 4 || trojan-activity || 0 || ET DELETED g01pack Exploit Kit Landing Page 4 +1 || 2015697 || 3 || trojan-activity || 0 || ET DELETED Blackhole repetitive applet/code tag +1 || 2015698 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SPL Landing Page Requested +1 || 2015699 || 3 || trojan-activity || 0 || ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director +1 || 2015700 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Blackhole2 - URI Structure +1 || 2015701 || 3 || attempted-user || 0 || ET DELETED Blackhole2 - Landing Page Received +1 || 2015702 || 3 || attempted-recon || 0 || ET SCAN Brutus Scan Outbound +1 || 2015703 || 3 || attempted-recon || 0 || ET WEB_SERVER Brutus Scan Inbound +1 || 2015704 || 6 || attempted-user || 0 || ET CURRENT_EVENTS DoSWF Flash Encryption Banner +1 || 2015705 || 4 || trojan-activity || 0 || ET DELETED g01pack Exploit Kit Landing Page 6 +1 || 2015706 || 4 || trojan-activity || 0 || ET DELETED g01pack Exploit Kit Landing Page 5 +1 || 2015707 || 2 || misc-activity || 0 || ET INFO JAVA - document.createElement applet +1 || 2015708 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript +1 || 2015709 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html +1 || 2015710 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Blackhole2 - Landing Page Received +1 || 2015711 || 5 || attempted-user || 0 || ET CURRENT_EVENTS Internet Explorer execCommand function Use after free Vulnerability 0day || url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/ || cve,CVE-2012-4969 +1 || 2015712 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit || url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/ || cve,CVE-2012-4969 +1 || 2015713 || 3 || trojan-activity || 0 || ET TROJAN Dapato Checkin 8 || md5,de7c781205d31f58a04d5acd13ff977d +1 || 2015714 || 2 || trojan-activity || 0 || ET TROJAN Mirage Campaign checkin || md5,ce1cdc9c95a6808945f54164b2e4d9d2 || url,secureworks.com/research/threats/the-mirage-campaign/ +1 || 2015716 || 4 || attempted-user || 0 || ET DELETED Blackhole2 - Client reporting targeted software versions +1 || 2015717 || 3 || trojan-activity || 0 || ET TROJAN SSL Cert Used In Unknown Exploit Kit (ashburn) +1 || 2015718 || 2 || trojan-activity || 0 || ET TROJAN SSL Cert Used In Unknown Exploit Kit +1 || 2015719 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12 +1 || 2015720 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12 +1 || 2015721 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12 +1 || 2015722 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12 +1 || 2015723 || 3 || trojan-activity || 0 || ET TROJAN ZeroAccess Checkin || url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf +1 || 2015724 || 10 || trojan-activity || 0 || ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar +1 || 2015725 || 8 || trojan-activity || 0 || ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF +1 || 2015726 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound) || url,www.exploit-db.com/exploits/18997/ || cve,2012-3574 +1 || 2015727 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Access To mm-forms-community upload dir (Inbound) || url,www.exploit-db.com/exploits/18997/ || cve,2012-3574 +1 || 2015728 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12 +1 || 2015729 || 2 || bad-unknown || 0 || ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12 +1 || 2015730 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12 +1 || 2015731 || 3 || trojan-activity || 0 || ET DELETED g01pack Exploit Kit Landing Page 7 +1 || 2015732 || 3 || trojan-activity || 0 || ET DELETED Blackhole2 - Landing Page Received - classid +1 || 2015733 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php +1 || 2015734 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php +1 || 2015735 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012 +1 || 2015736 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12 +1 || 2015737 || 5 || attempted-admin || 0 || ET CURRENT_EVENTS PHPMyAdmin BackDoor Access || url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php +1 || 2015738 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS pamdql obfuscated javascript --- padding +1 || 2015739 || 6 || bad-unknown || 0 || ET DELETED pamdql applet with obfuscated URL +1 || 2015740 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS MALVERTISING - Redirect To Blackhole - Push JavaScript +1 || 2015741 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12 +1 || 2015742 || 1 || trojan-activity || 0 || ET TROJAN SSL Cert Used In Unknown Exploit Kit +1 || 2015743 || 1 || policy-violation || 0 || ET CURRENT_EVENTS Revoked Adobe Code Signing Certificate Seen || url,www.adobe.com/support/security/advisories/apsa12-01.html +1 || 2015744 || 2 || misc-activity || 0 || ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) +1 || 2015745 || 2 || misc-activity || 0 || ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging) +1 || 2015747 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt || cve,CVE-2007-1036 || url,exploit-db.com/exploits/21080/ +1 || 2015748 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Fake Anti-Hacking Tool || md5,93443e59c473b89b5afad940a843982a || url,eff.org/deeplinks/2012/08/syrian-malware-post +1 || 2015749 || 2 || attempted-admin || 0 || ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI +1 || 2015750 || 4 || trojan-activity || 0 || ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 +1 || 2015751 || 4 || trojan-activity || 0 || ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2) +1 || 2015752 || 3 || trojan-activity || 0 || ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download +1 || 2015753 || 3 || trojan-activity || 0 || ET TROJAN Pincav.cjvb Checkin || md5,1e5499640ca31e4b1f113b97a0cae08b +1 || 2015754 || 2 || attempted-recon || 0 || ET SCAN Nessus Netbios Scanning || url,www.tenable.com/products/nessus/nessus-product-overview +1 || 2015755 || 3 || attempted-user || 0 || ET WEB_SERVER Image Content-Type with Obfuscated PHP (Seen with C99 Shell) || url,malwaremustdie.blogspot.jp/2012/10/how-far-phpc99shell-malware-can-go-from.html +1 || 2015756 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Trojan Downloader GetBooks UA +1 || 2015757 || 2 || policy-violation || 0 || ET POLICY AskSearch Toolbar Spyware User-Agent (AskTBar) 2 +1 || 2015758 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack Exploit Kit Landing Page (2) +1 || 2015759 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (4) +1 || 2015780 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Zbot UA +1 || 2015781 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing +1 || 2015782 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar +1 || 2015783 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS BegOp Exploit Kit Payload +1 || 2015785 || 4 || bad-unknown || 0 || ET DELETED pamdql obfuscated javascript _222_ padding +1 || 2015786 || 3 || trojan-activity || 0 || ET TROJAN Ransom.Win32.Birele.gsg Checkin || md5,116aaaa5765228d61501322b02a6a3b1 || md5,2e66f39a263cb2e95425847b60ee2a93 || md5,0ea9b34e9d77b5a4ef5170406ed1aaed +1 || 2015787 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole/Cool eot URI Struct +1 || 2015788 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS BegOpEK - Landing Page +1 || 2015789 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS BegOpEK - TDS - icon.php +1 || 2015790 || 2 || attempted-user || 0 || ET WEB_CLIENT Microsoft Rich Text File download - SET || cve,2012-0183 +1 || 2015791 || 4 || trojan-activity || 0 || ET POLICY archive.org heritix Crawler User-Agent (Outbound) || md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b || url,crawler.archive.org/index.html +1 || 2015792 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12 +1 || 2015793 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12 +1 || 2015794 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec +1 || 2015796 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole/Cool Jar URI Struct +1 || 2015797 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 2 Landing Page (3) +1 || 2015798 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole/Cool EXE URI Struct +1 || 2015799 || 6 || trojan-activity || 0 || ET TROJAN Win32.Fareit.A/Pony Downloader Checkin (2) || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit || url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2 || url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e || url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168 || url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17 +1 || 2015800 || 7 || trojan-activity || 0 || ET TROJAN Dorkbot GeoIP Lookup to wipmania +1 || 2015801 || 4 || bad-unknown || 0 || ET DELETED pamdql obfuscated javascript -_-- padding +1 || 2015802 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 2 Landing Page (5) +1 || 2015803 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Blackhole/Cool Landing URI Struct || url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html +1 || 2015804 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole 2 PDF Exploit || url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html +1 || 2015805 || 2 || trojan-activity || 0 || ET TROJAN Mini-Flame v 4.x C2 HTTP request || url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends +1 || 2015806 || 2 || trojan-activity || 0 || ET TROJAN Mini-Flame v 5.x C2 HTTP request || url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends +1 || 2015807 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Pushdo.s Checkin || md5,58ffe2b79be4e789be80f92b7f96e20c +1 || 2015808 || 3 || trojan-activity || 0 || ET TROJAN Taidoor Checkin +1 || 2015809 || 5 || trojan-activity || 0 || ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific +1 || 2015810 || 2 || trojan-activity || 0 || ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific +1 || 2015811 || 2 || web-application-activity || 0 || ET WEB_SERVER FaTaLisTiCz_Fx Webshell Detected +1 || 2015812 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO Jar file 10/17/12 +1 || 2015813 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Torpig Sinkhole Domain (Possible Infected Host) || url,www.sysenter-honeynet.org/?p=269 +1 || 2015814 || 12 || trojan-activity || 0 || ET TROJAN Win32/Fujacks Activity +1 || 2015815 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Font File Download (32-bit Host) Dec 11 2012 +1 || 2015816 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Font File Download (64-bit Host) Dec 11 2012 +1 || 2015817 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable || url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html +1 || 2015818 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page +1 || 2015819 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page +1 || 2015820 || 3 || trojan-activity || 0 || ET INFO Suspicious Windows NT version 7 User-Agent +1 || 2015821 || 3 || trojan-activity || 0 || ET INFO Suspicious Windows NT version 8 User-Agent +1 || 2015822 || 3 || trojan-activity || 0 || ET INFO Suspicious Windows NT version 9 User-Agent +1 || 2015823 || 6 || bad-unknown || 0 || ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012 +1 || 2015824 || 6 || trojan-activity || 0 || ET TROJAN GeckaSeka User-Agent +1 || 2015825 || 8 || trojan-activity || 0 || ET TROJAN Zeus/Citadel Control Panel Access (Outbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015826 || 8 || trojan-activity || 0 || ET TROJAN Zeus/Citadel Control Panel Access (Inbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015827 || 6 || trojan-activity || 0 || ET TROJAN Citadel API Access Iframer Controller (Outbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015828 || 7 || trojan-activity || 0 || ET TROJAN Citadel API Access IFramer Controller (Inbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015829 || 6 || trojan-activity || 0 || ET TROJAN Citadel API Access VNC Controller (Outbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015830 || 6 || trojan-activity || 0 || ET TROJAN Citadel API Access VNC Controller (Inbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015831 || 6 || trojan-activity || 0 || ET TROJAN Citadel API Access Bot Controller (Outbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015832 || 6 || trojan-activity || 0 || ET TROJAN Citadel API Access Bot Controller (Inbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015833 || 6 || trojan-activity || 0 || ET TROJAN Citadel API Access Video Controller (Outbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015834 || 7 || trojan-activity || 0 || ET TROJAN Citadel API Access Video Controller (Inbound) || url,xylithreats.free.fr/public/ || url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html +1 || 2015835 || 6 || trojan-activity || 0 || ET TROJAN Smoke Loader C2 Response +1 || 2015836 || 6 || successful-user || 0 || ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request || url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html +1 || 2015837 || 2 || trojan-activity || 0 || ET TROJAN SSL Cert Used In Unknown Exploit Kit +1 || 2015840 || 3 || successful-user || 0 || ET CURRENT_EVENTS Unknown Exploit Kit Landing Page +1 || 2015841 || 3 || successful-user || 0 || ET CURRENT_EVENTS Unknown Exploit Kit Landing Page +1 || 2015842 || 2 || misc-activity || 0 || ET INFO LLNMR query response to wpad +1 || 2015843 || 5 || trojan-activity || 0 || ET DELETED Blackhole request for file containing Java payload URIs (1) +1 || 2015844 || 4 || trojan-activity || 0 || ET DELETED Blackhole file containing obfuscated Java payload URIs +1 || 2015845 || 4 || bad-unknown || 0 || ET DELETED pamdql obfuscated javascript __-_ padding +1 || 2015846 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS NeoSploit Jar with three-letter class names +1 || 2015847 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page +1 || 2015848 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Imposter USPS Domain +1 || 2015849 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12 +1 || 2015850 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Georgian Targeted Attack - Trojan Checkin || md5,d4af87ba30c59d816673df165511e466 || url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf +1 || 2015851 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Georgian Targeted Attack - Client Request || md5,d4af87ba30c59d816673df165511e466 || url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf +1 || 2015852 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Georgian Targeted Attack - Server Response || md5,d4af87ba30c59d816673df165511e466 || url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf +1 || 2015853 || 2 || trojan-activity || 0 || ET TROJAN Georbot requesting update +1 || 2015854 || 2 || trojan-activity || 0 || ET TROJAN Georbot initial checkin +1 || 2015855 || 2 || trojan-activity || 0 || ET TROJAN Georbot checkin +1 || 2015856 || 5 || policy-violation || 0 || ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY) +1 || 2015857 || 4 || policy-violation || 0 || ET TFTP Outbound TFTP Data Transfer with Cisco config +1 || 2015858 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Sakura/RedKit obfuscated URL +1 || 2015859 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12 +1 || 2015860 || 8 || trojan-activity || 0 || ET TROJAN System Progressive Detection FakeAV (INTEL) || md5,76bea2200601172ebc2374e4b418c63a +1 || 2015861 || 7 || trojan-activity || 0 || ET TROJAN System Progressive Detection FakeAV (AMD) || md5,76bea2200601172ebc2374e4b418c63a +1 || 2015862 || 3 || trojan-activity || 0 || ET TROJAN Potentially Unwanted Program RebateInformerSetup.exe Download Reporting || url,www.ripoffreport.com/directory/rebategiant-com.aspx +1 || 2015863 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (2) +1 || 2015864 || 3 || attempted-user || 0 || ET DELETED Blackhole 2.0 PDF GET request || url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html +1 || 2015865 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit +1 || 2015866 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow +1 || 2015867 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow +1 || 2015868 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 1 || url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html || md5,691305b05ae75389526aa7c15b319c3b +1 || 2015869 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 2 || url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html || md5,691305b05ae75389526aa7c15b319c3b +1 || 2015870 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 3 || url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html || md5,691305b05ae75389526aa7c15b319c3b +1 || 2015871 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (3) +1 || 2015872 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole request for Payload +1 || 2015873 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload +1 || 2015874 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Known Reveton Domain HTTP whatwillber.com +1 || 2015875 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Known Reveton Domain whatwillber.com +1 || 2015876 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12 +1 || 2015877 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI +1 || 2015878 || 2 || policy-violation || 0 || ET POLICY Maxmind geoip check to /app/geoip.js +1 || 2015881 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String || url,ondailybasis.com/blog/?p=1610 +1 || 2015882 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace || url,ondailybasis.com/blog/?p=1610 +1 || 2015883 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet || url,ondailybasis.com/blog/?p=1593 +1 || 2015884 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack Landing Page +1 || 2015885 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class +1 || 2015886 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CirtXPack - No Java URI - /a.Test +1 || 2015887 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012 +1 || 2015888 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request +1 || 2015889 || 9 || trojan-activity || 0 || ET DELETED SofosFO/NeoSploit possible second stage landing page (1) +1 || 2015890 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit +1 || 2015891 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - Landing Page - Title +1 || 2015892 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - PDF Exploit - pdf_new.php +1 || 2015893 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - PDF Exploit - pdf_old.php +1 || 2015894 || 2 || trojan-activity || 0 || ET TROJAN Unknown FakeAV - /get/*.crp +1 || 2015895 || 2 || trojan-activity || 0 || ET TROJAN Unknown_comee.pl - POST with stpfu in http_client_body +1 || 2015896 || 3 || trojan-activity || 0 || ET TROJAN Andromeda Check-in Response +1 || 2015897 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain +1 || 2015898 || 5 || trojan-activity || 0 || ET INFO Suspicious Windows NT version 1 User-Agent +1 || 2015899 || 3 || trojan-activity || 0 || ET INFO Suspicious Windows NT version 2 User-Agent +1 || 2015900 || 4 || trojan-activity || 0 || ET INFO Suspicious Windows NT version 3 User-Agent +1 || 2015901 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar +1 || 2015902 || 7 || trojan-activity || 0 || ET TROJAN Win32/Kuluoz.B CnC || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2015903 || 5 || trojan-activity || 0 || ET TROJAN Win32/Kuluoz.B CnC 2 || md5,a88ba0c2b30afba357ebb38df9898f9e || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2015904 || 5 || trojan-activity || 0 || ET TROJAN Win32/Kuluoz.B CnC 3 || md5,a88ba0c2b30afba357ebb38df9898f9e || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2015905 || 2 || attempted-user || 0 || ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title +1 || 2015906 || 2 || attempted-user || 0 || ET CURRENT_EVENTS WSO - WebShell Activity - POST structure +1 || 2015907 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS BoA -Account Phished +1 || 2015908 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS BoA - PII Phished +1 || 2015909 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS - BoA - Creds Phished +1 || 2015910 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Remax - AOL Creds +1 || 2015911 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Remax - Yahoo Creds +1 || 2015912 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Remax - Gmail Creds +1 || 2015913 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Remax - Hotmail Creds +1 || 2015914 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Remax - Other Creds +1 || 2015915 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Landing Pattern (1) +1 || 2015916 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Landing Pattern (2) +1 || 2015917 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell - D.K - Title +1 || 2015918 || 2 || attempted-user || 0 || ET WEB_SERVER WebShell - Generic - c99shell based header +1 || 2015919 || 3 || attempted-user || 0 || ET WEB_SERVER WebShell - Generic - c99shell based header w/colons +1 || 2015920 || 2 || attempted-user || 0 || ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart +1 || 2015921 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Spam Campaign JPG CnC Link || url,blog.fireeye.com/research/2012/11/more-phish.html +1 || 2015922 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit +1 || 2015923 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit +1 || 2015924 || 2 || web-application-activity || 0 || ET WEB_SERVER WebShell - PHP eMailer +1 || 2015925 || 2 || web-application-activity || 0 || ET WEB_SERVER WebShell - Unknown - self-kill +1 || 2015926 || 2 || web-application-activity || 0 || ET WEB_SERVER WebShell - Unknown - .php?x=img&img= +1 || 2015927 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit /h***.htm(l) Landing Page - Set +1 || 2015928 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1) +1 || 2015929 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2) +1 || 2015930 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1) +1 || 2015931 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2) +1 || 2015932 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 2 Landing Page (7) +1 || 2015933 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole/Cool txt URI Struct +1 || 2015936 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request +1 || 2015937 || 7 || misc-activity || 0 || ET WEB_SERVER WebShell - PostMan +1 || 2015938 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Banking PHISH - Login.php?LOB=RBG +1 || 2015939 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page +1 || 2015940 || 2 || attempted-recon || 0 || ET SCAN SFTP/FTP Password Exposure via sftp-config.json || url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html +1 || 2015941 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1) +1 || 2015942 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2) +1 || 2015943 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3) +1 || 2015944 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss - Stats Access +1 || 2015945 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss - Stats Java On +1 || 2015946 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss - Setup +1 || 2015947 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Piwik Backdoor Access || url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html +1 || 2015948 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2 || url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html +1 || 2015949 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Propack Recent Jar (1) +1 || 2015950 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Propack Payload Request +1 || 2015951 || 17 || trojan-activity || 0 || ET CURRENT_EVENTS SibHost Jar Request +1 || 2015952 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3 +1 || 2015953 || 4 || web-application-attack || 0 || ET WEB_SERVER PIWIK Backdored Version calls home || url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/ || url,forum.piwik.org/read.php?2,97666 +1 || 2015954 || 2 || trojan-activity || 0 || ET INFO PDF /FlateDecode and PDF version 1.0 +1 || 2015955 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK) +1 || 2015956 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header +1 || 2015957 || 7 || trojan-activity || 0 || ET TROJAN Lyposit Ransomware Checkin 1 +1 || 2015958 || 3 || trojan-activity || 0 || ET TROJAN Lyposit Ransomware Checkin 2 +1 || 2015959 || 2 || attempted-admin || 0 || ET SNMP Samsung Printer SNMP Hardcode RW Community String || url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor +1 || 2015960 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack Jar Request +1 || 2015961 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack PDF Request +1 || 2015962 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack Payload Request +1 || 2015963 || 3 || bad-unknown || 0 || ET INFO PHISH Generic - Bank and Routing +1 || 2015964 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Landing URL +1 || 2015965 || 4 || misc-activity || 0 || ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging) || url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick +1 || 2015968 || 8 || trojan-activity || 0 || ET TROJAN WORM_VOBFUS Checkin 1 || md5,f127ed76dc5e48f69a1070f314488ce2 || url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/ +1 || 2015969 || 11 || trojan-activity || 0 || ET TROJAN WORM_VOBFUS Requesting exe || md5,f127ed76dc5e48f69a1070f314488ce2 || url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/ +1 || 2015970 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS Zuponcic EK Payload Request +1 || 2015971 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar +1 || 2015972 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS PHISH PayPal - Account Phished +1 || 2015973 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS PHISH Gateway POST to gateway-p +1 || 2015974 || 14 || trojan-activity || 0 || ET CURRENT_EVENTS Sibhost Status Check +1 || 2015975 || 5 || attempted-user || 0 || ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific || url,seclists.org/fulldisclosure/2012/Dec/4 +1 || 2015976 || 2 || trojan-activity || 0 || ET TROJAN WORM_VOBFUS Checkin Generic || md5,f127ed76dc5e48f69a1070f314488ce2 || url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/ || url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html +1 || 2015977 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS probable malicious Glazunov Javascript injection +1 || 2015978 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012 +1 || 2015979 || 1 || bad-unknown || 0 || ET CURRENT_EVENTS CritXPack - Landing Page +1 || 2015980 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS PHISH Google - Account Phished +1 || 2015981 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Zuponcic Hostile Jar +1 || 2015982 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Zuponcic Hostile JavaScript +1 || 2015983 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS PHISH Bank - York - Creds Phished +1 || 2015984 || 2 || web-application-attack || 0 || ET CURRENT_EVENTS Joomla Component SQLi Attempt +1 || 2015985 || 4 || trojan-activity || 0 || ET TROJAN Win32/Kuluoz.B Request || md5,0282bc929bae27ef95733cfa390b10e0 +1 || 2015986 || 5 || protocol-command-decode || 0 || ET SCAN MYSQL MySQL Remote FAST Account Password Cracking || url,www.securityfocus.com/archive/1/524927/30/0/threaded +1 || 2015987 || 2 || attempted-user || 0 || ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific || url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html +1 || 2015988 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS CrimeBoss - Stats Load Fail +1 || 2015989 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar +1 || 2015990 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html +1 || 2015991 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Robopak - Landing Page Received +1 || 2015992 || 6 || attempted-user || 0 || ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific) || cve,2012-5613 || url,seclists.org/fulldisclosure/2012/Dec/6 +1 || 2015993 || 2 || protocol-command-decode || 0 || ET ATTACK_RESPONSE MySQL User Account Enumeration || url,seclists.org/fulldisclosure/2012/Dec/att-9/ +1 || 2015994 || 2 || misc-activity || 0 || ET INFO MySQL Database Query Version OS compile +1 || 2015995 || 4 || attempted-user || 0 || ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable) || url,seclists.org/fulldisclosure/2012/Dec/att-13/ +1 || 2015996 || 2 || attempted-user || 0 || ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique) || url,seclists.org/fulldisclosure/2012/Dec/att-13/ +1 || 2015997 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Fake Google Chrome Update/Install || url,www.barracudanetworks.com/blogs/labsblog?bid=3108 || url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome +1 || 2015998 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack Landing Pattern +1 || 2015999 || 2 || trojan-activity || 0 || ET TROJAN W32/Quarian HTTP Proxy Header || url,vrt-blog.snort.org/2012/12/quarian.html +1 || 2016000 || 2 || trojan-activity || 0 || ET TROJAN Win32/Necurs || md5,871ecf11ddd7ffe294cab82bcaf9c310 || url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx +1 || 2016001 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs) +1 || 2016002 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt || url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html +1 || 2016003 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt || url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html +1 || 2016004 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt || url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html +1 || 2016005 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability || url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html +1 || 2016006 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability || url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html +1 || 2016007 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability || url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html +1 || 2016008 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt || url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html +1 || 2016009 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt || url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html +1 || 2016010 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt || url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html +1 || 2016011 || 4 || trojan-activity || 0 || ET TROJAN SmokeBot grab data plaintext +1 || 2016012 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack PDF Request (2) +1 || 2016013 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack Jar Request (2) +1 || 2016014 || 2 || trojan-activity || 0 || ET TROJAN Win32/Trojan.Agent.AXMO CnC Beacon || url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html +1 || 2016015 || 3 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection || url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details +1 || 2016016 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Amplification Attack Inbound +1 || 2016017 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Amplification Attack Outbound +1 || 2016018 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit || cve,2011-3402 +1 || 2016019 || 5 || trojan-activity || 0 || ET TROJAN Win32.boCheMan-A/Dexter || md5,ccc99c9f07e7be0f408ef3a68a9da298 +1 || 2016020 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS FakeScan - Landing Page - Title - Microsoft Antivirus 2013 +1 || 2016021 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS FakeScan - Payload Download Received +1 || 2016022 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME +1 || 2016023 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats +1 || 2016024 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - Loading +1 || 2016025 || 3 || bad-unknown || 0 || ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html +1 || 2016026 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar +1 || 2016027 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS g01pack - Landing Page Received - applet and 32AlphaNum.jar +1 || 2016028 || 2 || bad-unknown || 0 || ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded +1 || 2016029 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Kelihos.K Executable Download DGA +1 || 2016030 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS LOIC POST +1 || 2016031 || 2 || web-application-attack || 0 || ET CURRENT_EVENTS LOIC GET +1 || 2016032 || 2 || web-application-attack || 0 || ET CURRENT_EVENTS JCE Joomla Scanner +1 || 2016033 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Simple Slowloris Flooder || url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf +1 || 2016034 || 3 || trojan-activity || 0 || ET TROJAN Faked Russian Opera UA without Accept - probable downloader +1 || 2016035 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible SibHost PDF Request +1 || 2016036 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html +1 || 2016037 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File Inclusion Attempt || url,secunia.com/advisories/51346 +1 || 2016038 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-hideshow.js.php Remote File Inclusion Attempt || url,secunia.com/advisories/51346 +1 || 2016039 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html +1 || 2016040 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html +1 || 2016041 || 3 || attempted-user || 0 || ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow || url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html +1 || 2016042 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Manhali download.php Local File Inclusion Vulnerability || url,packetstormsecurity.org/files/116724/Manhali-1.8-Local-File-Inclusion.html +1 || 2016043 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RIPS code.php Local File Inclusion Vulnerability || url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html +1 || 2016044 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS RIPS function.php Local File Inclusion Vulnerability || url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html +1 || 2016045 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/116155/Admidio-2.3.5-Cross-Site-Scripting-SQL-Injection.html +1 || 2016046 || 6 || trojan-activity || 0 || ET DELETED SofosFO/NeoSploit possible second stage landing page (2) +1 || 2016047 || 2 || trojan-activity || 0 || ET TROJAN W32/Prinimalka Get Task CnC Beacon || url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/ +1 || 2016048 || 2 || trojan-activity || 0 || ET TROJAN W32/Prinimalka Configuration Update Request || url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/ +1 || 2016049 || 2 || trojan-activity || 0 || ET TROJAN W32/Prinimalka Prinimalka.py Script In CnC Beacon || url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/ +1 || 2016050 || 3 || trojan-activity || 0 || ET TROJAN W32.Daws/Sanny CnC Initial Beacon || url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html || url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html +1 || 2016051 || 5 || trojan-activity || 0 || ET TROJAN W32.Daws/Sanny CnC POST || url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html || url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html +1 || 2016052 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Requested +1 || 2016053 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Received +1 || 2016054 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_gmf EK - Server Response - Application Error +1 || 2016055 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html +1 || 2016056 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_gmf EK - flsh.html +1 || 2016057 || 8 || trojan-activity || 0 || ET DELETED CoolEK Font File Download Dec 18 2012 +1 || 2016058 || 10 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - New PDF Exploit - Dec 18 2012 +1 || 2016059 || 13 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - Old PDF Exploit - Dec 18 2012 +1 || 2016060 || 18 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - Jar - Jun 05 2013 +1 || 2016061 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected || url,seclists.org/bugtraq/2012/Dec/101 || url,github.com/FireFart/WordpressPingbackPortScanner/ || url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/ +1 || 2016062 || 2 || trojan-activity || 0 || ET TROJAN Linux/Chapro.A Malicious Apache Module CnC Beacon || url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a +1 || 2016063 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS PHISH PayPal - Account Phished +1 || 2016064 || 5 || attempted-user || 0 || ET DELETED Popads Exploit Kit font request 32hex digit .eot +1 || 2016065 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) Embedded Open Type Font file .eot || cve,2011-3402 +1 || 2016066 || 3 || trojan-activity || 0 || ET DELETED CoolEK - Landing Page (2) +1 || 2016067 || 3 || trojan-activity || 0 || ET POLICY Possible BitCoin Miner User-Agent (miner) || url,abcpool.co/mining-software-comparison.php +1 || 2016068 || 3 || trojan-activity || 0 || ET POLICY poclbm BitCoin miner || url,abcpool.co/mining-software-comparison.php +1 || 2016069 || 3 || bad-unknown || 0 || ET MALWARE suspicious User-Agent (vb wininet) +1 || 2016070 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing +1 || 2016071 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request +1 || 2016072 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request +1 || 2016073 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO - possible second stage landing page +1 || 2016074 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Skill.gk User-Agent +1 || 2016075 || 3 || trojan-activity || 0 || ET DELETED FakeAV Checkin || md5,527e115876d0892c9a0ddfc96e852a16 +1 || 2016076 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/118466/WordPress-Video-Lead-Form-0.5-Cross-Site-Scripting.html +1 || 2016077 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html +1 || 2016078 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html +1 || 2016079 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/116709/SMF-2.0.2-Local-File-Inclusion.html +1 || 2016080 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/115972/WordPress-Cloudsafe365-Local-File-Inclusion.html +1 || 2016081 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt || url,packetstormsecurity.org/files/117067/Zenphoto-1.4.3.2-Cross-Site-Scripting.html +1 || 2016082 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt || url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html +1 || 2016083 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt || url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html +1 || 2016084 || 3 || attempted-user || 0 || ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution || url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html +1 || 2016085 || 3 || attempted-user || 0 || ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution || url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html +1 || 2016086 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SonicWALL SonicOS searchStr XML Tag Script Insertion Attempt || url,securelist.com/en/advisories/51615 || url,seclists.org/bugtraq/2012/Dec/110 +1 || 2016087 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS TROJAN Unk_Banker - Check In +1 || 2016088 || 2 || trojan-activity || 0 || ET TROJAN SmokeLoader - Init 0x +1 || 2016089 || 4 || trojan-activity || 0 || ET TROJAN FakeAV checkin || md5,dd4d18c07e93c34d082dab57a38f1b86 || md5,5a864ccfeee9c0c893cfdc35dd8820a6 +1 || 2016090 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q= +1 || 2016091 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64 +1 || 2016092 || 3 || trojan-activity || 0 || ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php +1 || 2016093 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload +1 || 2016094 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Updtkiller Sending Device Information || url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2 +1 || 2016095 || 2 || trojan-activity || 0 || ET TROJAN W32/Dexter Infostealer CnC POST || url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html +1 || 2016096 || 4 || trojan-activity || 0 || ET DELETED W32/Stabuniq CnC POST || url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html || url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers +1 || 2016097 || 4 || trojan-activity || 0 || ET TROJAN Unknown - Loader - Check .exe Updated +1 || 2016098 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound +1 || 2016099 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound +1 || 2016100 || 2 || trojan-activity || 0 || ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory || url,seclists.org/fulldisclosure/2012/Dec/242 +1 || 2016101 || 2 || trojan-activity || 0 || ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24 +1 || 2016102 || 2 || trojan-activity || 0 || ET TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24 +1 || 2016103 || 2 || trojan-activity || 0 || ET TROJAN DNS Reply Sinkhole - Microsoft - 207.46.90.0/24 +1 || 2016104 || 3 || trojan-activity || 0 || ET TROJAN DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24 +1 || 2016105 || 3 || trojan-activity || 0 || ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32 +1 || 2016106 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Landing Page +1 || 2016107 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Topic EK Requesting Jar +1 || 2016108 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Topic EK Requesting PDF +1 || 2016109 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability || url,www.securityfocus.com/bid/53787/info || url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php +1 || 2016110 || 3 || trojan-activity || 0 || ET TROJAN FakeAV Download antivirus-installer.exe +1 || 2016111 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Java payload request (1) +1 || 2016112 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (1) +1 || 2016113 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Redkit encrypted binary (1) +1 || 2016114 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt || url,1337day.com/exploit/19949 +1 || 2016115 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt || url,1337day.com/exploit/19949 +1 || 2016116 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt || url,1337day.com/exploit/19949 +1 || 2016117 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/files/105236/WordPress-Mailing-List-1.3.2-Remote-File-Inclusion.html +1 || 2016118 || 3 || attempted-user || 0 || ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt || url,securityfocus.com/bid/47596 +1 || 2016119 || 3 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download 2 || url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00 +1 || 2016120 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/files/116202/Wiki-Web-Help-0.3.11-Remote-File-Inclusion.html +1 || 2016121 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt || url,packetstormsecurity.org/files/105239/WordPress-Relocate-Upload-0.14-Remote-File-Inclusion.html +1 || 2016122 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt || url,packetstormsecurity.org/files/119015/Loganalyzer-3.6.0-Cross-Site-Scripting.html +1 || 2016123 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt || url,packetstormsecurity.org/files/118400/WordPress-Myflash-Local-File-Inclusion.html +1 || 2016124 || 2 || trojan-activity || 0 || ET TROJAN W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon +1 || 2016125 || 2 || trojan-activity || 0 || ET TROJAN W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon +1 || 2016126 || 2 || trojan-activity || 0 || ET TROJAN W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon +1 || 2016127 || 2 || trojan-activity || 0 || ET TROJAN W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon +1 || 2016128 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit - Landing Page +1 || 2016129 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html +1 || 2016130 || 3 || trojan-activity || 0 || ET TROJAN Stabuniq Checkin || url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers || url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2 || url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html +1 || 2016131 || 3 || trojan-activity || 0 || ET DELETED Stabuniq Observed C&C POST Target /rss.php || url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers || url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2 || url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html +1 || 2016132 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP || cve,2012-4792 || url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449 || url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ +1 || 2016133 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace) || cve,2012-4792 || url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449 || url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ +1 || 2016134 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode || cve,2012-4792 || url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449 || url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ +1 || 2016135 || 2 || attempted-user || 0 || ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain || cve,2012-4792 || url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449 || url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ +1 || 2016136 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8 || cve,2012-4792 || url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449 || url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ +1 || 2016137 || 2 || attempted-user || 0 || ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1) || cve,2012-4792 || url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449 || url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ +1 || 2016138 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Possible Exodus Intel IE HTML+TIME EIP Control Technique || cve,2012-4792 || url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/ +1 || 2016139 || 3 || trojan-activity || 0 || ET TROJAN TR/Spy.55808.201 +1 || 2016140 || 5 || trojan-activity || 0 || ET DELETED Suspicious User Agent (iexplorer) +1 || 2016141 || 3 || trojan-activity || 0 || ET INFO Exectuable Download from dotted-quad Host +1 || 2016142 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Java payload request (2) +1 || 2016143 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (2) +1 || 2016144 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013 +1 || 2016145 || 2 || protocol-command-decode || 0 || ET INFO PTUNNEL OUTBOUND || url,github.com/madeye/ptunnel || url,cs.uit.no/~daniels/PingTunnel/#protocol +1 || 2016146 || 3 || protocol-command-decode || 0 || ET INFO PTUNNEL INBOUND || url,github.com/madeye/ptunnel || url,cs.uit.no/~daniels/PingTunnel/#protocol +1 || 2016147 || 2 || trojan-activity || 0 || ET TROJAN Request for fake postal receipt from e-mail link +1 || 2016148 || 2 || attempted-user || 0 || ET WEB_SPECIFIC_APPS WordPress Plugin Advanced Custom Fields Remote File Inclusion +1 || 2016151 || 3 || attempted-user || 0 || ET WEB_SERVER WebShell - JSP RAT +1 || 2016152 || 4 || attempted-user || 0 || ET WEB_SERVER WebShell - JSP File Admin +1 || 2016153 || 3 || attempted-user || 0 || ET WEB_SERVER WebShell - JSP File Admin - POST Structure - dir +1 || 2016154 || 1 || policy-violation || 0 || ET CURRENT_EVENTS Possible TURKTRUST Spoofed Google Cert +1 || 2016155 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot +1 || 2016156 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mahara query Parameter Cross Site Scripting Attempt || url,securityfocus.com/bid/56718 +1 || 2016157 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WHM filtername Parameter Cross Site Scripting Attempt || url,securityfocus.com/bid/57061 +1 || 2016158 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Google Doc Embedder plugin file parameter Local File Inclusion Attempt || url,secunia.com/advisories/50832 +1 || 2016159 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Simple Machines Forum ssi_function parameter path disclosure vulnerability || url,packetstormsecurity.com/files/119240/Simple-Machines-Forum-2.0.3-Path-Disclosure.html +1 || 2016160 || 3 || attempted-user || 0 || ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH || url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html +1 || 2016161 || 3 || attempted-user || 0 || ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload || url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html +1 || 2016162 || 3 || attempted-user || 0 || ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH || url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html +1 || 2016163 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SiteGo get_templet.php of green Remote File Inclusion Attempt || url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html +1 || 2016164 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SiteGo get_templet.php of blue Remote File Inclusion Attempt || url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html +1 || 2016165 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS cPanel dir Parameter Cross Site Scripting Attempt || url,securityfocus.com/bid/57064 +1 || 2016166 || 6 || attempted-user || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013 +1 || 2016167 || 3 || trojan-activity || 0 || ET TROJAN Poison Ivy.2013Jan04 victim beacon || md5,62f20326e0f08c0786df6886f0427ea7 +1 || 2016168 || 4 || trojan-activity || 0 || ET TROJAN Poison Ivy.2013Jan04 server response || md5,62f20326e0f08c0786df6886f0427ea7 +1 || 2016169 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure +1 || 2016170 || 2 || attempted-user || 0 || ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2) || cve,2012-4792 || url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449 || url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ +1 || 2016171 || 2 || trojan-activity || 0 || ET TROJAN ProxyBox - HTTP CnC - proxy_info.php +1 || 2016172 || 8 || bad-unknown || 0 || ET TROJAN Generic -POST To file.php w/Extended ASCII Characters +1 || 2016173 || 8 || bad-unknown || 0 || ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters +1 || 2016174 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page +1 || 2016175 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML || url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ +1 || 2016176 || 3 || web-application-activity || 0 || ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL || url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ +1 || 2016177 || 2 || trojan-activity || 0 || ET TROJAN FakeAV security_scanner.exe +1 || 2016178 || 2 || misc-attack || 0 || ET SNMP missing community string attempt 1 || bugtraq,2112 || cve,1999-0517 +1 || 2016179 || 2 || misc-attack || 0 || ET SNMP missing community string attempt 2 || bugtraq,2112 || cve,1999-0517 +1 || 2016180 || 2 || misc-attack || 0 || ET SNMP missing community string attempt 3 || bugtraq,2112 || cve,1999-0517 +1 || 2016181 || 2 || misc-attack || 0 || ET SNMP missing community string attempt 4 || bugtraq,2112 || cve,1999-0517 +1 || 2016182 || 6 || web-application-attack || 0 || ET WEB_SERVER ColdFusion componentutils access || url,www.adobe.com/support/security/advisories/apsa13-01.html +1 || 2016183 || 4 || web-application-attack || 0 || ET WEB_SERVER ColdFusion adminapi access || url,www.adobe.com/support/security/advisories/apsa13-01.html +1 || 2016184 || 5 || web-application-attack || 0 || ET WEB_SERVER ColdFusion administrator access || url,www.adobe.com/support/security/advisories/apsa13-01.html +1 || 2016185 || 2 || trojan-activity || 0 || ET TROJAN Unknown Ransomware Checkin +1 || 2016186 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS W32/Tobfy.Ransomware CnC Request - status.php || url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html +1 || 2016187 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS W32/Tobfy.Ransomware Invalid URI CnC Request - || url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html +1 || 2016188 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Potential Zeus Binary Download - Specific PE Sections Structure || url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf +1 || 2016189 || 2 || trojan-activity || 0 || ET TROJAN Midhos/Medfos downloader +1 || 2016190 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received +1 || 2016191 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS CoolEK - Landing Page Received +1 || 2016192 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Unknown - Please wait... +1 || 2016193 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit +1 || 2016194 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery plugin test-head parameter XSS Attempt || url,packetstormsecurity.com/files/119360/WordPress-NextGEN-Gallery-1.9.10-Cross-Site-Scripting.html +1 || 2016195 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Browser Rejector Plugin wppath Remote File Inclusion Attempt || url,secunia.com/advisories/51739/ +1 || 2016196 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Dell OpenManage Server Administrator topic parameter XSS Attempt || url,kb.cert.org/vuls/id/950172 +1 || 2016197 || 3 || attempted-user || 0 || ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution || url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html +1 || 2016198 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Free Blog Arbitrary File Deletion Attempt || url,packetstormsecurity.com/files/119385/Free-Blog-1.0-Shell-Upload-Arbitrary-File-Deletion.html +1 || 2016199 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Adiscon LogAnalyzer viewid Cross-Site Scripting Attempt || url,secunia.com/advisories/51816/ +1 || 2016200 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TinyBrowser tinybrowser.php file Script Execution Attempt || url,securityfocus.com/bid/57230/ +1 || 2016201 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TinyBrowser edit.php file Script Execution Attempt || url,securityfocus.com/bid/57230/ +1 || 2016202 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS TinyBrowser upload.php file Script Execution Attempt || url,securityfocus.com/bid/57230/ +1 || 2016203 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Gallery Plugin filename_1 Parameter Remote File Access Attempt || url,securityfocus.com/bid/57256/ +1 || 2016204 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby || url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ +1 || 2016205 || 3 || trojan-activity || 0 || ET TROJAN W32/Zemra.DDoS.Bot Variant CnC Beacon || url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-1.html || url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-2.html +1 || 2016206 || 3 || trojan-activity || 0 || ET TROJAN W32/Iyus.H Initial CnC Beacon || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx +1 || 2016207 || 3 || trojan-activity || 0 || ET TROJAN W32/Iyus.H work_troy.php CnC Request || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx +1 || 2016208 || 3 || trojan-activity || 0 || ET TROJAN W32/Downloader Secondary Download Request - W32/Hupigon.Backdoor Likely Secondary Payload || url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml +1 || 2016209 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC || url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby +1 || 2016210 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request || url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack || cve,2010-0188 +1 || 2016211 || 5 || trojan-activity || 0 || ET TROJAN W32/Karagany.Downloader CnC Beacon || url,malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html || url,www.fortiguard.com/latest/av/4057936 || md5,92899c20da4d9db5627af89998aadc58 +1 || 2016212 || 3 || web-application-attack || 0 || ET CURRENT_EVENTS BroBot POST +1 || 2016213 || 3 || trojan-activity || 0 || ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013 +1 || 2016214 || 3 || trojan-activity || 0 || ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/nt/th || url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation +1 || 2016215 || 3 || trojan-activity || 0 || ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/nt/sk || url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation +1 || 2016216 || 6 || trojan-activity || 0 || ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/dllhost/ac || url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation +1 || 2016217 || 3 || trojan-activity || 0 || ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/ms/check || url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation +1 || 2016218 || 3 || trojan-activity || 0 || ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/ms/flush || url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation +1 || 2016219 || 3 || trojan-activity || 0 || ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/win/wcx || url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation +1 || 2016220 || 3 || trojan-activity || 0 || ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/win/cab || url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation +1 || 2016221 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download +1 || 2016222 || 2 || web-application-attack || 0 || ET SCAN GET with HTML tag in start of URI seen with PHPMyAdmin scanning +1 || 2016223 || 8 || trojan-activity || 0 || ET TROJAN Andromeda Checkin || md5,50a538221e015d77cf4794ae78978ce2 +1 || 2016224 || 3 || trojan-activity || 0 || ET TROJAN Possible Red October proxy CnC 1 +1 || 2016225 || 2 || trojan-activity || 0 || ET TROJAN Possible Red October proxy CnC 2 +1 || 2016226 || 2 || trojan-activity || 0 || ET TROJAN Possible Red October proxy CnC 3 +1 || 2016227 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page +1 || 2016228 || 5 || attempted-user || 0 || ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar +1 || 2016229 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Jar Download +1 || 2016230 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Age Verification plugin redirect_to Parameter URI Redirection || url,securityfocus.com/bid/51357/ +1 || 2016231 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Cartweaver 3 Local File Inclusion Attempt || url,packetstormsecurity.com/files/117370/Cartweaver-3-Local-File-Inclusion.html +1 || 2016232 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_bit controller parameter Local File Inclusion Attempt || url,packetstormsecurity.com/files/118943/Joomla-Bit-Local-File-Inclusion.html +1 || 2016233 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_ztautolink controller parameter Local File Inclusion Attempt || url,packetstormsecurity.com/files/118944/Joomla-ZtAutoLink-Local-File-Inclusion.html +1 || 2016234 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Mu Perspectives Cms id parameter Cross-Site Scripting Attempt || url,packetstormsecurity.com/files/116148/Mu-Perspectives-CMS-Cross-Site-Scripting.html +1 || 2016235 || 3 || attempted-user || 0 || ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2 || url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html +1 || 2016236 || 3 || attempted-user || 0 || ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability || url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html +1 || 2016237 || 3 || attempted-user || 0 || ET ACTIVEX Possible Samsung Kies ActiveX PrepareSync method Buffer overflow || url,packetstormsecurity.com/files/119423/Samsung-Kies-2.5.0.12114_1-Buffer-Overflow.html +1 || 2016238 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Incapsula component Security.php XSS Attempt || url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html +1 || 2016239 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla Incapsula component Performance.php file XSS Attempt || url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html +1 || 2016240 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Impact Exploit Kit Class Download +1 || 2016241 || 4 || trojan-activity || 0 || ET DELETED SofosFO - Landing Page +1 || 2016242 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Jan 21 2012 +1 || 2016243 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Request for FakeAV Binary /two/data.exe Infection Campaign +1 || 2016244 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell - Symlink_Sa +1 || 2016245 || 3 || bad-unknown || 0 || ET WEB_SERVER WebShell - Generic - c99shell based header +1 || 2016247 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS StyX Landing Page +1 || 2016248 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS StyX Landing Page +1 || 2016249 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS Redkit Class Request (1) +1 || 2016250 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS Redkit Class Request (2) +1 || 2016251 || 4 || trojan-activity || 0 || ET TROJAN Win32/Emold.C Checkin || url,www.threatexpert.com/report.aspx?md5=49205774f0ff7605c226828e080238f3 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FEmold.C +1 || 2016252 || 3 || trojan-activity || 0 || ET TROJAN Unknown POST of Windows PW Hashes to External Site +1 || 2016253 || 3 || trojan-activity || 0 || ET TROJAN Unknown POST of System Info +1 || 2016254 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request || url,malware.dontneedcoffee.com/ +1 || 2016255 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request || url,malware.dontneedcoffee.com/ +1 || 2016256 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request +1 || 2016257 || 3 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 1 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016258 || 3 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 2 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016259 || 3 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 3 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016260 || 4 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 4 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016261 || 3 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 5 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016262 || 4 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 6 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016263 || 4 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 7 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016264 || 4 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 8 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016265 || 4 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 9 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016266 || 3 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 10 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016267 || 3 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 11 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016268 || 3 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 12 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016270 || 2 || trojan-activity || 0 || ET TROJAN Poison Ivy Variant Jan 24 2013 || url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/ +1 || 2016271 || 2 || trojan-activity || 0 || ET TROJAN Poison Ivy Variant Jan 24 2013 || url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/ +1 || 2016272 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS TDS - in.php +1 || 2016273 || 2 || trojan-activity || 0 || ET TROJAN W32/Bilakip.A Downloader API Ping CnC Beacon || url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au +1 || 2016274 || 2 || trojan-activity || 0 || ET TROJAN W32/Bilakip.A Downloader Viruslist Download For Populating FakeAV || url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au +1 || 2016275 || 9 || trojan-activity || 0 || ET TROJAN Win32/Xtrat.A Checkin || url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092 +1 || 2016276 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs) +1 || 2016277 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs) +1 || 2016278 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - New PDF Exploit - Jan 24 2013 +1 || 2016279 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download (2) +1 || 2016280 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download (3) +1 || 2016281 || 4 || trojan-activity || 0 || ET DELETED Win32/Kelihos.F Checkin 13 || md5,56e0e87e64299f5bb91d2183bbff7cfa +1 || 2016282 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openconstructor CMS result Parameter Cross Site Scripting Attempt || url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html +1 || 2016283 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross Site Scripting Attempt || url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html +1 || 2016284 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CubeCart loc parameter Local File Inclusion Attempt || url,packetstormsecurity.com/files/119082/CubeCart-4.4.6-Local-File-Inclusion.html +1 || 2016285 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS GetSimple CMS path parameter Local File Inclusion Attempt || url,packetstormsecurity.com/files/115302/GetSimple-CMS-3.1.2-Local-File-Inclusion-Path-Disclosure.html +1 || 2016286 || 3 || attempted-user || 0 || ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite || url,exploit-db.com/exploits/24319/ +1 || 2016287 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Banana Dance name Parameter Local File Inclusion Attempt || url,packetstormsecurity.com/files/118964/Banana-Dance-B.2.6-Inclusion-Access-Control-SQL-Injection.html +1 || 2016288 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Joomla com_collector Component Arbitrary File Upload Vulnerability || url,exploit-db.com/exploits/24228/ +1 || 2016289 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS web wiz forums ForumID Parameter Cross Site Scripting Attempt || url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html +1 || 2016290 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS web wiz forums ThreadPage Parameter Cross Site Scripting Attempt || url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html +1 || 2016291 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS phpMiniAdmin db Parameter Cross Site Scripting Attempt || url,cxsecurity.com/issue/WLB-2013010179 +1 || 2016292 || 6 || trojan-activity || 0 || ET TROJAN Mashigoom/Tranwos/RevProxy ClickFraud - hello +1 || 2016293 || 2 || trojan-activity || 0 || ET TROJAN RevProxy - ClickFraud - MIDUIDEND +1 || 2016294 || 10 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used to Spawn Shell) +1 || 2016295 || 7 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Windows CMD Shell) +1 || 2016296 || 7 || attempted-user || 0 || ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Unix Shell) +1 || 2016297 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Malicious iframe +1 || 2016298 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Malicious iframe +1 || 2016299 || 10 || bad-unknown || 0 || ET CURRENT_EVENTS Redkit Class Request (3) +1 || 2016300 || 4 || trojan-activity || 0 || ET TROJAN Simda.C Checkin || md5,10642e1067aca9f04ca874c02aabda5c +1 || 2016302 || 5 || successful-recon-limited || 0 || ET INFO UPnP Discovery Search Response vulnerable UPnP device 1 || url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play || url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf || cve,2013-0229 +1 || 2016303 || 4 || successful-recon-limited || 0 || ET INFO UPnP Discovery Search Response vulnerable UPnP device 2 || url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play || url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf || cve,2012-5958 || cve,2012-5959 +1 || 2016304 || 2 || successful-recon-limited || 0 || ET INFO UPnP Discovery Search Response vulnerable UPnP device 3 || url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play || url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf || cve,2012-5958 || cve,2012-5959 +1 || 2016305 || 6 || web-application-activity || 0 || ET CURRENT_EVENTS Ruby on Rails CVE-2013-0333 Attempt || url,gist.github.com/4660248 +1 || 2016306 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure +1 || 2016307 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS JDB Exploit Kit Landing Page +1 || 2016308 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request +1 || 2016309 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS JDB Exploit Kit JAR Download +1 || 2016310 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download +1 || 2016311 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/ dir (Observed in Recent Pharma Spam) +1 || 2016312 || 2 || trojan-activity || 0 || ET TROJAN W32/DownloaderAgent.fajk Successful Infection CnC Beacon || url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk +1 || 2016313 || 3 || trojan-activity || 0 || ET TROJAN W32/DownloaderAgent.fajk Second Stage Download List Requested || url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk +1 || 2016314 || 2 || trojan-activity || 0 || ET TROJAN Linux/SSHDoor.A Reporting Backdoor CnC Beacon || url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords +1 || 2016315 || 3 || trojan-activity || 0 || ET DELETED Linux/SSHDoor.A User Login CnC Beacon || url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords +1 || 2016316 || 3 || trojan-activity || 0 || ET TROJAN W32/StartPage.eba Dropper Checkin || url,www.securelist.com/en/descriptions/24621847/Trojan-Dropper.Win32.StartPage.eba +1 || 2016317 || 2 || trojan-activity || 0 || ET TROJAN Suspicious user-agent (f**king) +1 || 2016318 || 6 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Ksapp.A Checkin || md5,e6d9776113b29680aec73ac2d1445946 || md5,13e6ce4aac7e60b10bfde091c09b9d88 || url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3 || url,www.fortiguard.com/latest/mobile/4158213 || url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china +1 || 2016319 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Impact Exploit Kit Landing Page +1 || 2016320 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit Kit Java gif download +1 || 2016321 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible g01pack Jar download +1 || 2016322 || 1 || attempted-dos || 0 || ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow || cve,CVE_2012-5958 || cve,CVE-2012-5962 +1 || 2016323 || 1 || attempted-dos || 0 || ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow || cve,CVE-2012-5963 +1 || 2016324 || 1 || attempted-dos || 0 || ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow || cve,CVE-2012-5964 +1 || 2016325 || 1 || attempted-dos || 0 || ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow || cve,CVE-2012-5965 +1 || 2016326 || 1 || attempted-dos || 0 || ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow || cve,CVE-2012-5961 +1 || 2016327 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS PHISH Generic - POST to myform.php +1 || 2016328 || 1 || trojan-activity || 0 || ET TROJAN ZeuS Post to C&C footer.php +1 || 2016329 || 4 || trojan-activity || 0 || ET TROJAN W32/SecVerif.Downloader Initial Checkin || url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63 +1 || 2016330 || 3 || trojan-activity || 0 || ET TROJAN W32/SecVerif.Downloader Second Stage Download Request || url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63 +1 || 2016331 || 1 || trojan-activity || 0 || ET TROJAN W32/Jabberbot.A Trednet XMPP CnC Beacon || url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc +1 || 2016333 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible g01pack Landing Page +1 || 2016334 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSClass file Parameter Remote File Access Attempt || url,securityfocus.com/bid/51721/ +1 || 2016335 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 1 || url,securityfocus.com/bid/51721/ +1 || 2016336 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 2 || url,securityfocus.com/bid/51721/ +1 || 2016337 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Cross Site Scripting Attempt || url,securityfocus.com/bid/57541/ +1 || 2016338 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Remote File Inclusion Attempt || url,securityfocus.com/bid/57541/ +1 || 2016339 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMSQLITE id parameter Cross Site Scripting Attempt || url,securityfocus.com/bid/56132/ +1 || 2016340 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS CMSQLITE mediaAdmin.php file Local File Inclusion Attempt || url,securityfocus.com/bid/56132/ +1 || 2016341 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Feb 04 2012 +1 || 2016342 || 2 || trojan-activity || 0 || ET TROJAN W32/Beebus HTTP POST CnC Beacon || url,blog.fireeye.com/research/2013/02/operation-beebus.html +1 || 2016343 || 4 || trojan-activity || 0 || ET MOBILE_MALWARE Android TrojanFakeLookout.A || url,blog.trustgo.com/fakelookout/ || md5,65baecf1fe1ec7b074a5255dc5014beb +1 || 2016344 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin || md5,7dec1c9174d0f688667f6c34c0fa66c2 || url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/ +1 || 2016345 || 5 || trojan-activity || 0 || ET MOBILE_MALWARE DroidKungFu Variant +1 || 2016347 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing +1 || 2016348 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS WhiteHole Exploit Landing Page +1 || 2016349 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS WhiteHole Exploit Kit Jar Request +1 || 2016350 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS WhiteHole Exploit Kit Payload Download +1 || 2016352 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi TDS || url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html +1 || 2016353 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload || url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html +1 || 2016354 || 3 || attempted-user || 0 || ET CURRENT_EVENTS WSO WebShell Activity POST structure 2 +1 || 2016355 || 2 || trojan-activity || 0 || ET TROJAN W32/ServStart.Variant CnC Beacon +1 || 2016356 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack - Landing Page - Received +1 || 2016357 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack - URI - jpfoff.php +1 || 2016358 || 4 || trojan-activity || 0 || ET TROJAN W32/ZeroAccess Counter.img Checkin || url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html +1 || 2016359 || 3 || trojan-activity || 0 || ET TROJAN Request for fake postal receipt from e-mail link +1 || 2016360 || 2 || misc-activity || 0 || ET INFO JAVA - ClassID +1 || 2016361 || 2 || misc-activity || 0 || ET INFO JAVA - ClassID +1 || 2016363 || 2 || attempted-dos || 0 || ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229 || url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play || url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf || cve,CVE-2013-0229 +1 || 2016365 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS CritXPack Jar Request (3) +1 || 2016366 || 3 || trojan-activity || 0 || ET TROJAN Umbra/Multibot Loader User-Agent (umbra) || url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html +1 || 2016367 || 3 || trojan-activity || 0 || ET TROJAN Umbra/MultiBot Plugin access || url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html +1 || 2016368 || 3 || trojan-activity || 0 || ET TROJAN Win32/Toby.N Multilocker Checkin || url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html +1 || 2016369 || 4 || trojan-activity || 0 || ET TROJAN Win32/Toby.N Multilocker Request || url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html +1 || 2016370 || 3 || trojan-activity || 0 || ET TROJAN Win32/Toby.N Multilocker Image Request || url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html +1 || 2016371 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit Kit Java jpg download +1 || 2016373 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_MM EK - Landing Page +1 || 2016374 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar +1 || 2016375 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar +1 || 2016377 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_MM - Payload Download +1 || 2016378 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar +1 || 2016379 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable +1 || 2016380 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura Exploit Kit Encrypted Binary (1) +1 || 2016381 || 4 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress WP ecommerce Shop Styling Plugin dompdf RFI Attempt || url,secunia.com/advisories/51707/ +1 || 2016382 || 3 || attempted-user || 0 || ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow || url,1337day.org/exploit/15398 +1 || 2016383 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Wordpress Audio Player Plugin playerID parameter XSS attempt in swf || url,packetstormsecurity.com/files/120129/WordPress-Audio-Player-SWF-Cross-Site-Scripting.html +1 || 2016384 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt || url,securityfocus.com/bid/57771/ +1 || 2016385 || 3 || trojan-activity || 0 || ET DELETED Android/DNightmare - Task Killer Checkin 1 || url,anubis.iseclab.org/index.php?action=result&task_id=4fdbf09e9bb20824658cfd45b63a309e +1 || 2016386 || 4 || trojan-activity || 0 || ET DELETED Android/DNightmare - Task Killer Checkin 2 || md5,745513a53af2befe3dc00d0341d80ca6 +1 || 2016387 || 4 || trojan-activity || 0 || ET DELETED Android/DNightmare -Task Killer Checkin 3 || md5,745513a53af2befe3dc00d0341d80ca6 +1 || 2016388 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SiteGo file parameter Local File Inclusion Attempt || url,securityfocus.com/bid/57845/ +1 || 2016389 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS SiteGo OpenFolder parameter Local File Inclusion Attempt || url,securityfocus.com/bid/57845/ +1 || 2016390 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Glossword gw_admin.php Cross Site Scripting Attempt || url,packetstormsecurity.com/files/120045/Glossword-1.8.12-XSS-CSRF-Shell-Upload-Database-Disclosure.html +1 || 2016391 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign || md5,3de314089db35af9baaeefc598f09b23 || md5,2568615875525003688839cb8950aeae || url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html || url,www.adobe.com/go/apsb13-04 || cve,2013-0633 || cve,2013-0633 +1 || 2016393 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Impact Exploit Kit Landing Page +1 || 2016394 || 5 || trojan-activity || 0 || ET WEB_CLIENT Adobe Flash Uncompressed +1 || 2016395 || 7 || protocol-command-decode || 0 || ET WEB_CLIENT Microsoft OLE Compound File With Flash +1 || 2016396 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634 +1 || 2016397 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634 +1 || 2016398 || 8 || trojan-activity || 0 || ET TROJAN Variant.Graftor.5628 CnC Traffic || md5,81687637b7bf2b90258a5006683e781c || url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html +1 || 2016399 || 3 || trojan-activity || 0 || ET TROJAN W32/FloatingCloud.Banker CnC Beacon || url,www.securelist.com/en/blog/798/God_horses_are_floating_clouds_The_story_of_a_Chinese_banker_Trojan +1 || 2016400 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634 || cve,2013-0634 +1 || 2016401 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634 || cve,2013-0364 +1 || 2016402 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit Kit Java png download +1 || 2016403 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0 +1 || 2016404 || 3 || not-suspicious || 0 || ET INFO MPEG Download Over HTTP (1) +1 || 2016405 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK - PDF Exploit - Feb 12 2013 +1 || 2016406 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK landing applet plus class Feb 12 2013 +1 || 2016407 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1) +1 || 2016408 || 13 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download (4) +1 || 2016409 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST || url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html +1 || 2016410 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST || url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html +1 || 2016411 || 3 || trojan-activity || 0 || ET TROJAN PDF 0day Communication - agent UA Feb 14 2013 || url,www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html +1 || 2016412 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS TDS Vdele +1 || 2016413 || 4 || trojan-activity || 0 || ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111 +1 || 2016414 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download (5) +1 || 2016415 || 3 || bad-unknown || 0 || ET WEB_SERVER PHP tag in UA || url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html +1 || 2016416 || 3 || bad-unknown || 0 || ET WEB_SERVER base64_decode in UA || url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html +1 || 2016417 || 2 || trojan-activity || 0 || ET TROJAN W32/Vundo.Downloader Reporting User Website Session Information || url,www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32vundojd +1 || 2016418 || 5 || trojan-activity || 0 || ET DNS Reply Sinkhole - Dr. Web || url,virustracker.info +1 || 2016419 || 5 || trojan-activity || 0 || ET DNS Reply Sinkhole - Zinkhole.org +1 || 2016420 || 5 || trojan-activity || 0 || ET DNS Reply Sinkhole - German Company || url,virustracker.info +1 || 2016421 || 5 || trojan-activity || 0 || ET DNS Reply Sinkhole - 1and1 Internet AG || url,virustracker.info +1 || 2016422 || 5 || trojan-activity || 0 || ET DNS Reply Sinkhole - Georgia Tech (1) || url,virustracker.info +1 || 2016423 || 6 || trojan-activity || 0 || ET DNS Reply Sinkhole - Georgia Tech (2) || url,virustracker.info +1 || 2016424 || 5 || trojan-activity || 0 || ET TROJAN Win32/Vundo.OD Checkin || url,www.threatexpert.com/report.aspx?md5=8840a0d9d7f4dba3953ccb68b17b2d6c || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FVundo.OD +1 || 2016425 || 5 || trojan-activity || 0 || ET TROJAN Win32.Zbot.ivgw Downloading EXE || md5,e8e3d22203f9549d6c5f361dfe51f8c6 +1 || 2016426 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013 +1 || 2016427 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Possible Java Payload Download +1 || 2016428 || 7 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Likseput.B Checkin 2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fLikseput.B +1 || 2016429 || 4 || trojan-activity || 0 || ET TROJAN Shady Rat/HTran style HTTP Header Pattern Request UHCa and Google MSIE UA || url,www.secureworks.com/research/threats/htran/ +1 || 2016430 || 3 || trojan-activity || 0 || ET TROJAN Trojan-Downloader.Win32.Agent.vhvw Checkin MINIASP || md5,e4a4e2a3b3adaf3a31e34cd2844a3374 || url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1042762#none +1 || 2016431 || 4 || trojan-activity || 0 || ET TROJAN Win32/Tosct.B UA Mandiant APT1 Related || url,www.mandiant.com/apt1 || md5,5bcaa2f4bc7567f6ffd5507a161e221a +1 || 2016432 || 4 || trojan-activity || 0 || ET TROJAN Likseput.B Checkin || md5,95d85aa629a786bb67439a064c4349ec +1 || 2016433 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8 || md5,b5e9ce72771217680efaeecfafe3da3f || url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf +1 || 2016434 || 3 || trojan-activity || 0 || ET TROJAN Win32/COOKIEBAG Cookie APT1 Related || url,www.mandiant.com/apt1 +1 || 2016435 || 5 || trojan-activity || 0 || ET TROJAN WEBC2-TABLE Checkin 1 - APT1 Related || md5,7a7a46e8fbc25a624d58e897dee04ffa || md5,110160e9d6e1483192653d4bfdcbb609 || url,www.mandiant.com/apt1 +1 || 2016436 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-TABLE Checkin 2 - APT1 Related || md5,7a7a46e8fbc25a624d58e897dee04ffa || md5,110160e9d6e1483192653d4bfdcbb609 || url,www.mandiant.com/apt1 +1 || 2016437 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-TABLE Checkin 3 - APT1 Related || md5,7a7a46e8fbc25a624d58e897dee04ffa || md5,110160e9d6e1483192653d4bfdcbb609 || url,www.mandiant.com/apt1 +1 || 2016438 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related || url,www.mandiant.com/apt1 || md5,7a7a46e8fbc25a624d58e897dee04ffa || md5,110160e9d6e1483192653d4bfdcbb609 +1 || 2016439 || 3 || trojan-activity || 0 || ET TROJAN Win32/Namsoth.A Checkin/NEWSREELS APT1 Related || md5,a2cd1189860b9ba214421aab86ecbc8a || url,www.mandiant.com/apt1 +1 || 2016440 || 2 || trojan-activity || 0 || ET TROJAN SEASALT HTTP Checkin || md5,5e0df5b28a349d46ac8cc7d9e5e61a96 || url,www.mandiant.com/apt1 +1 || 2016441 || 2 || trojan-activity || 0 || ET TROJAN SEASALT Client Checkin || md5,5e0df5b28a349d46ac8cc7d9e5e61a96 || url,www.mandiant.com/apt1 +1 || 2016442 || 2 || trojan-activity || 0 || ET TROJAN SEASALT Server Response || md5,5e0df5b28a349d46ac8cc7d9e5e61a96 || url,www.mandiant.com/apt1 +1 || 2016443 || 2 || trojan-activity || 0 || ET TROJAN STARSYPOUND Client Checkin || md5,8442ae37b91f279a9f06de4c60b286a3 || url,www.mandiant.com/apt1 +1 || 2016444 || 3 || trojan-activity || 0 || ET TROJAN STARSYPOUND Client Checkin || md5,8442ae37b91f279a9f06de4c60b286a3 || url,www.mandiant.com/apt1 +1 || 2016445 || 2 || trojan-activity || 0 || ET TROJAN SWORD Sending Sword Marker || md5,052f5da1734464a985dcd669bff62f93 || url,www.mandiant.com/apt1 +1 || 2016446 || 4 || trojan-activity || 0 || ET TROJAN TABMSGSQL/Sluegot.C Checkin || url,www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/ || url,www.mandiant.com/apt1 || md5,052ec04866e4a67f31845d656531830d +1 || 2016447 || 2 || trojan-activity || 0 || ET TROJAN WARP Win32/Barkiofork.A || url,www.mandiant.com/apt1 || md5,7acb0d1df51706536f33bbdb990041d3 +1 || 2016448 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-ADSPACE Server Response || url,www.mandiant.com/apt1 +1 || 2016449 || 3 || trojan-activity || 0 || ET TROJAN WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related || url,www.mandiant.com/apt1 || md5,0cf9e999c574ec89595263446978dc9f || md5,0cf9e999c574ec89595263446978dc9f +1 || 2016450 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32/Likseput.A Checkin || url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf +1 || 2016451 || 3 || trojan-activity || 0 || ET TROJAN WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related || url,intelreport.mandiant.com || md5,0cf9e999c574ec89595263446978dc9f || md5,fcdaa67e33357f64bc4ce7b57491fc53 +1 || 2016452 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-CLOVER Checkin APT1 Related || url,www.mandiant.com/apt1 || md5,29c691978af80dc23c4df96b5f6076bb +1 || 2016453 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-CLOVER Download UA || url,www.mandiant.com/apt1 || md5,29c691978af80dc23c4df96b5f6076bb +1 || 2016454 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-DIV UA || url,www.mandiant.com/apt1 || md5,1e5ec6c06e4f6bb958dcbb9fc636009d +1 || 2016455 || 3 || trojan-activity || 0 || ET TROJAN Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related || url,www.mandiant.com/apt1 || md5,1014af80798518864d5d3dfa4e1cd079e +1 || 2016456 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-KT3 Intial Connection Beacon APT1 Related || url,www.mandiant.com/apt1 || md5,ec3a2197ca6b63ee1454d99a6ae145ab +1 || 2016457 || 3 || trojan-activity || 0 || ET TROJAN WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related || url,www.mandiant.com/apt1 || md5,ec3a2197ca6b63ee1454d99a6ae145ab +1 || 2016458 || 3 || trojan-activity || 0 || ET TROJAN WEBC2-RAVE UA || url,www.mandiant.com/apt1 || md5,5bcaa2f4bc7567f6ffd5507a161e221a +1 || 2016459 || 5 || trojan-activity || 0 || ET TROJAN Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related || url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR || url,www.mandiant.com/apt1 +1 || 2016460 || 6 || trojan-activity || 0 || ET TROJAN WEBC2-CSON Checkin - APT1 Related || url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR || url,intelreport.mandiant.com/ || md5, 8dd6a7fe83bd9682187d956f160ffb47 +1 || 2016461 || 4 || trojan-activity || 0 || ET TROJAN Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related || url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe || md5,0149b7bd7218aab4e257d28469fddb0d || md5,6f9992c486195edcf0bf2f6ee6c3ec74 || url,www.mandiant.com/apt1 +1 || 2016462 || 3 || trojan-activity || 0 || ET TROJAN Fake Virtually SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016463 || 3 || trojan-activity || 0 || ET TROJAN Fake IBM SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016464 || 3 || trojan-activity || 0 || ET TROJAN EMAIL SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016465 || 3 || trojan-activity || 0 || ET TROJAN LAME SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016466 || 3 || trojan-activity || 0 || ET TROJAN NS SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016467 || 3 || trojan-activity || 0 || ET TROJAN SERVER SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016468 || 4 || trojan-activity || 0 || ET TROJAN SUR SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016469 || 3 || trojan-activity || 0 || ET TROJAN FAKE AOL SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016470 || 3 || trojan-activity || 0 || ET TROJAN FAKE YAHOO SSL Cert APT1 || url,www.mandiant.com/apt1 +1 || 2016471 || 3 || trojan-activity || 0 || ET TROJAN WEBC2-UGX User-Agent (Windows+NT+5.x) APT1 || url,www.mandiant.com/apt1 +1 || 2016472 || 2 || trojan-activity || 0 || ET TROJAN WEBC2-UGX Embedded CnC Response APT1 || md5,ae45648a8fc01b71214482d35cf8da54 || url,www.mandiant.com/apt1 +1 || 2016473 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC || url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229 +1 || 2016474 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew UGX Backdoor initial connection +1 || 2016475 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew downloader without user-agent string exe download without User Agent +1 || 2016476 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications get system +1 || 2016477 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications html return 1 +1 || 2016478 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep +1 || 2016479 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep2 +1 || 2016480 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep3 +1 || 2016482 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep5 +1 || 2016483 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications download client.png +1 || 2016484 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT crabdance backdoor base64 head 2 +1 || 2016485 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT crabdance backdoor base64 head +1 || 2016486 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT backdoor stage 2 download base64 update.gif +1 || 2016487 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT backdoor download logo.png +1 || 2016488 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications get command client key +1 || 2016489 || 4 || trojan-activity || 0 || ET TROJAN CBeplay Downloading Design +1 || 2016490 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1) +1 || 2016491 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2) +1 || 2016492 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3) +1 || 2016493 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3) +1 || 2016494 || 5 || trojan-activity || 0 || ET INFO Serialized Java Applet (Used by some EKs in the Wild) +1 || 2016495 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit Kit Java .psd download +1 || 2016496 || 4 || trojan-activity || 0 || ET TROJAN Gimemo Ransomware Checkin +1 || 2016497 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS StyX Landing Page (2) +1 || 2016498 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload || url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html +1 || 2016499 || 11 || bad-unknown || 0 || ET CURRENT_EVENTS Styx Exploit Kit Payload Download +1 || 2016500 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM) +1 || 2016501 || 2 || attempted-user || 0 || ET WEB_SERVER WebShell - zecmd - Form +1 || 2016502 || 2 || trojan-activity || 0 || ET INFO Java Serialized Data via vulnerable client +1 || 2016503 || 2 || trojan-activity || 0 || ET INFO Java Serialized Data +1 || 2016504 || 4 || bad-unknown || 0 || ET INFO Serialized Data request +1 || 2016505 || 2 || trojan-activity || 0 || ET INFO file possibly containing Serialized Data file +1 || 2016506 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Exploit Kit Java jpeg download +1 || 2016507 || 5 || trojan-activity || 0 || ET TROJAN W32/Caphaw Requesting Additional Modules From CnC || url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/ +1 || 2016508 || 2 || trojan-activity || 0 || ET TROJAN W32/Caphaw CnC Configuration File Request || url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/ +1 || 2016509 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS W32/Zbot.Variant Fake MSIE 6.0 UA +1 || 2016510 || 4 || trojan-activity || 0 || ET INFO Serialized Java Applet (Used by some EKs in the Wild) +1 || 2016511 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Successful Compromise svchost.jpg Beacon - Java Zeroday || url,blog.fireeye.com/research/2013/02/yaj0-yet-another- java-zero-day-2.html +1 || 2016512 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report || url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices +1 || 2016513 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon || url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices +1 || 2016514 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss - Java Exploit - jhan.jar +1 || 2016515 || 4 || trojan-activity || 0 || ET TROJAN Gimemo Activity +1 || 2016516 || 2 || attempted-user || 0 || ET WEB_SERVER WebShell - Generic - c99shell based POST structure +1 || 2016519 || 3 || attempted-user || 0 || ET EXPLOIT Metasploit js_property_spray sprayHeap || url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation +1 || 2016520 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013 +1 || 2016521 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar) +1 || 2016522 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown Exploit Kit Payload Request +1 || 2016523 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request +1 || 2016524 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific - 4/3/2013 +1 || 2016525 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific - 4/3/2013 +1 || 2016526 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch False Specific - 4/3/2013 +1 || 2016527 || 3 || trojan-activity || 0 || ET TROJAN W32/Asprox php.dll.crp POST CnC Beacon || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2016528 || 3 || trojan-activity || 0 || ET TROJAN W32/Asprox CnC Beacon || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2016529 || 2 || trojan-activity || 0 || ET TROJAN W32/Asprox Passgrub POST CnC Beacon || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2016530 || 2 || trojan-activity || 0 || ET TROJAN W32/Asprox.FakeAV Affiliate Second Stage Download Location Request || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2016531 || 2 || trojan-activity || 0 || ET TROJAN W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2016533 || 2 || trojan-activity || 0 || ET TROJAN W32/TrojanSpy.MSIL Fetch Time CnC Beacon || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B +1 || 2016534 || 2 || trojan-activity || 0 || ET TROJAN W32/TrojanSpy.MSIL Get New MAC CnC Beacon || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B +1 || 2016535 || 2 || trojan-activity || 0 || ET TROJAN W32/TrojanSpy.MSIL Set Done Day CnC Beacon || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B +1 || 2016536 || 2 || trojan-activity || 0 || ET TROJAN W32/TrojanSpy.MSIL Fetch Header CnC Beacon || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B +1 || 2016537 || 2 || bad-unknown || 0 || ET INFO GET Minimal HTTP Headers Flowbit Set +1 || 2016538 || 3 || bad-unknown || 0 || ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download +1 || 2016539 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Java Download non Jar file +1 || 2016540 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs +1 || 2016541 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Cool landing applet plus class Mar 03 2013 +1 || 2016542 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Portal TDS Kit GET || url,ondailybasis.com/blog/?p=1867 +1 || 2016543 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Portal TDS Kit GET (2) || url,ondailybasis.com/blog/?p=1867 +1 || 2016544 || 4 || trojan-activity || 0 || ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013 +1 || 2016546 || 3 || trojan-activity || 0 || ET MALWARE W32/Eorezo.Adware CnC Beacon || url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99 +1 || 2016547 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download (6) +1 || 2016548 || 3 || trojan-activity || 0 || ET DELETED W32/Ponik.Downloader Randomware Download || url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud || url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99 +1 || 2016549 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Base64 http argument in applet (Neutrino/Angler) +1 || 2016550 || 5 || trojan-activity || 0 || ET TROJAN Win32/Fareit Checkin 2 || md5,10baa5250610fc2b5b2cdf932f2007c0 +1 || 2016551 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar +1 || 2016552 || 2 || trojan-activity || 0 || ET TROJAN W32/Trustezeb.C CnC Beacon || url,www.abuse.ch/?p=5175 || url,www.virusradar.com/Win32_Trustezeb.C/description +1 || 2016553 || 3 || trojan-activity || 0 || ET TROJAN Win32/Urausy.C Checkin || md5,09462f13d7e6aaa0bff2788158343829 || md5,b18f80d665f340af91003226a2b974b6 || md5,1494b8b9f42753a4bc1762d8f3287db6 +1 || 2016554 || 7 || trojan-activity || 0 || ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013 +1 || 2016555 || 7 || trojan-activity || 0 || ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013 +1 || 2016556 || 6 || trojan-activity || 0 || ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013 +1 || 2016557 || 6 || trojan-activity || 0 || ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013 +1 || 2016558 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure +1 || 2016559 || 14 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download (7) +1 || 2016560 || 10 || attempted-user || 0 || ET CURRENT_EVENTS GonDadEK Plugin Detect March 11 2013 || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2016561 || 3 || trojan-activity || 0 || ET DELETED W32/Asprox Spam Module CnC Beacon || url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/ || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2016562 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data +1 || 2016563 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 16-hex/q.php Landing Page/Java exploit URI +1 || 2016564 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 16-hex/q.php Jar Download +1 || 2016566 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS SNET EK Downloading Payload +1 || 2016567 || 4 || trojan-activity || 0 || ET TROJAN Win32/Urausy.C Checkin 2 || md5,09462f13d7e6aaa0bff2788158343829 || md5,b18f80d665f340af91003226a2b974b6 || md5,1494b8b9f42753a4bc1762d8f3287db6 +1 || 2016568 || 2 || trojan-activity || 0 || ET TROJAN W32/LetsGo.APT Sleep CnC Beacon || url,www.fireeye.com/blog/technical/targeted-attack/2013/03/the-dingo-and-the-baby.html +1 || 2016569 || 3 || bad-unknown || 0 || ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net || url,labs.alienvault.com +1 || 2016570 || 2 || bad-unknown || 0 || ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com || url,labs.alienvault.com +1 || 2016571 || 1 || bad-unknown || 0 || ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com || url,labs.alienvault.com +1 || 2016572 || 2 || trojan-activity || 0 || ET TROJAN APT_NGO_wuaclt C2 Check-in || url,labs.alienvault.com +1 || 2016573 || 2 || trojan-activity || 0 || ET TROJAN APT_NGO_wuaclt || url,labs.alienvault.com +1 || 2016574 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell - MySQL Interface - Database List +1 || 2016575 || 3 || bad-unknown || 0 || ET WEB_SERVER WebShell - MySQL Interface - Client Cookie mysql_web_admin*= +1 || 2016576 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell - MySQL Interface - Server Set Cookie mysql_web_admin*= +1 || 2016577 || 4 || bad-unknown || 0 || ET WEB_SERVER WebShell - Romanian Webshell +1 || 2016578 || 4 || trojan-activity || 0 || ET TROJAN Dorkbot Loader Payload Request || md5, 3452c20fd0df69ccfdea520a6515208a +1 || 2016579 || 2 || trojan-activity || 0 || ET TROJAN APT_NGO_wuaclt PDF file || url,labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/ +1 || 2016580 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request to DynDNS Pro Dynamic DNS Domain +1 || 2016581 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain +1 || 2016582 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain +1 || 2016583 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain +1 || 2016584 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain +1 || 2016585 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013 +1 || 2016586 || 5 || bad-unknown || 0 || ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain || url,www.vpngate.net +1 || 2016587 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013 +1 || 2016588 || 14 || trojan-activity || 0 || ET CURRENT_EVENTS Redkit Jar Naming Pattern March 03 2013 +1 || 2016589 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Redkit URI Struct Flowbit +1 || 2016591 || 5 || trojan-activity || 0 || ET DNS Reply Sinkhole - 46.149.18.14 blacklistthisdomain.com +1 || 2016592 || 3 || trojan-activity || 0 || ET TROJAN RevProxy Java Settings +1 || 2016593 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS RedDotv2 Java Check-in +1 || 2016594 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS RedDotv2 Jar March 18 2013 +1 || 2016595 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request to cd.am Dynamic DNS Domain +1 || 2016596 || 6 || attempted-admin || 0 || ET WEB_SERVER Possible SQL Injection (varchar2) || url,doc.emergingthreats.net/2008175 +1 || 2016597 || 5 || trojan-activity || 0 || ET DELETED CrimeBoss - Java Exploit - m11.jar +1 || 2016598 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss - Java Exploit - jmx.jar +1 || 2016599 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Xtrat Checkin 2 || md5,fea70e818984b82c9a6bbdc5157d4a40 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fXtrat.A +1 || 2016600 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com +1 || 2016601 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net +1 || 2016602 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net +1 || 2016603 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net +1 || 2016604 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com +1 || 2016605 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com +1 || 2016606 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com +1 || 2016607 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com +1 || 2016608 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com +1 || 2016609 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org +1 || 2016610 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com +1 || 2016611 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com +1 || 2016612 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com +1 || 2016613 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org +1 || 2016614 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org +1 || 2016615 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org +1 || 2016616 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com +1 || 2016617 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com +1 || 2016618 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org +1 || 2016619 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com +1 || 2016620 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org +1 || 2016621 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net +1 || 2016622 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net +1 || 2016623 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net +1 || 2016624 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com +1 || 2016625 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net +1 || 2016626 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com +1 || 2016627 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com +1 || 2016628 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org +1 || 2016629 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org +1 || 2016630 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com +1 || 2016631 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net +1 || 2016632 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net +1 || 2016633 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com +1 || 2016634 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org +1 || 2016635 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com +1 || 2016636 || 3 || trojan-activity || 0 || ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013 +1 || 2016637 || 3 || trojan-activity || 0 || ET TROJAN W32/GameThief Initial CnC Beacon +1 || 2016638 || 2 || trojan-activity || 0 || ET TROJAN W32/Depyot.Downloader CnC Beacon || url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FDepyot.A&ThreatID=-2147288740 +1 || 2016639 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Watering Hole applet name AppletHigh.jar || url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html +1 || 2016640 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Watering Hole applet name AppletLow.jar || url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html +1 || 2016641 || 6 || web-application-attack || 0 || ET WEB_SERVER Possible Perl Shell in HTTP POST || url,isc.sans.edu/diary.html?storyid=9478 +1 || 2016642 || 6 || web-application-attack || 0 || ET WEB_SERVER Possible Perl Shell in HTTP POST || url,isc.sans.edu/diary.html?storyid=9478 +1 || 2016643 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page +1 || 2016644 || 2 || trojan-activity || 0 || ET TROJAN Galock Ransomware Check-in || url,twitter.com/kafeine/status/314859973064667136/photo/1 +1 || 2016645 || 2 || trojan-activity || 0 || ET TROJAN Galock Ransomware Command || url,twitter.com/kafeine/status/314859973064667136/photo/1 +1 || 2016646 || 3 || not-suspicious || 0 || ET INFO Old/Rare PDF Generator Acrobat Web Capture [8-9].0 || url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html +1 || 2016647 || 3 || not-suspicious || 0 || ET INFO Old/Rare PDF Generator Adobe LiveCycle Designer ES 8.2 || url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html +1 || 2016648 || 3 || not-suspicious || 0 || ET INFO Old/Rare PDF Generator Python PDF Library || url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html +1 || 2016649 || 2 || not-suspicious || 0 || ET INFO Old/Rare PDF Generator Acrobat Distiller 9.0.0 (Windows) || url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html +1 || 2016650 || 2 || not-suspicious || 0 || ET INFO Old/Rare PDF Generator Acrobat Distiller 6.0.1 (Windows) || url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html +1 || 2016651 || 2 || not-suspicious || 0 || ET INFO Old/Rare PDF Generator pdfeTeX-1.21a || url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html +1 || 2016652 || 2 || not-suspicious || 0 || ET INFO Old/Rare PDF Generator Adobe Acrobat 9.2.0 || url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html +1 || 2016653 || 2 || not-suspicious || 0 || ET INFO Old/Rare PDF Generator Adobe PDF Library 9.0 || url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html +1 || 2016654 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Postal Reciept EXE in Zip +1 || 2016655 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3) +1 || 2016656 || 2 || trojan-activity || 0 || ET TROJAN [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon || url,blog.crowdstrike.com/whois-anchor-panda/index.html +1 || 2016657 || 3 || trojan-activity || 0 || ET DELETED [CrowdStrike] ANCHOR PANDA - Poison Ivy Keep-Alive - From Controller || url,blog.crowdstrike.com/whois-anchor-panda/index.html +1 || 2016658 || 5 || trojan-activity || 0 || ET DELETED [CrowdStrike] ANCHOR PANDA - Poison Ivy Keep-Alive - From Victim || url,blog.crowdstrike.com/whois-anchor-panda/index.html +1 || 2016659 || 2 || trojan-activity || 0 || ET TROJAN [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local || url,blog.crowdstrike.com/whois-anchor-panda/index.html +1 || 2016660 || 2 || trojan-activity || 0 || ET TROJAN [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message || url,blog.crowdstrike.com/whois-anchor-panda/index.html +1 || 2016661 || 3 || trojan-activity || 0 || ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013 +1 || 2016662 || 3 || policy-violation || 0 || ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts +1 || 2016663 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Karagany encrypted binary (1) +1 || 2016664 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 200 Response (mssql_query) +1 || 2016665 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 500 Response (mssql_query) +1 || 2016666 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 200 Response (pgsql_query) +1 || 2016667 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 500 Response (pgsql_query) +1 || 2016668 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 200 Response (mysql_query) +1 || 2016669 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 500 Response (mysql_query) +1 || 2016670 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException) +1 || 2016671 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 500 Response (SqlException) +1 || 2016672 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax) +1 || 2016673 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 500 Response (error in your SQL syntax) +1 || 2016674 || 3 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 200 Response (ERROR syntax error at or near) +1 || 2016675 || 3 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 500 Response (ERROR syntax error at or near) +1 || 2016676 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-) +1 || 2016677 || 2 || bad-unknown || 0 || ET WEB_SERVER SQL Errors in HTTP 500 Response (ORA-) +1 || 2016678 || 4 || trojan-activity || 0 || ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013 +1 || 2016679 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell - Simple - Title +1 || 2016680 || 5 || bad-unknown || 0 || ET WEB_SERVER WebShell Generic - net user +1 || 2016681 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell Generic - netsh firewall +1 || 2016682 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell Generic - reg HKEY_LOCAL_MACHINE +1 || 2016683 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell Generic - wget http - POST +1 || 2016684 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell - JSPCMD - Form +1 || 2016685 || 2 || trojan-activity || 0 || ET TROJAN Win32/Delfinject Check-in || md5,90f8b934c541966aede75094cfef27ed || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject +1 || 2016686 || 4 || trojan-activity || 0 || ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013 +1 || 2016687 || 3 || misc-activity || 0 || ET FTP Outbound Java Anonymous FTP Login +1 || 2016688 || 2 || misc-activity || 0 || ET FTP Outbound Java Downloading jar over FTP +1 || 2016689 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt +1 || 2016690 || 12 || trojan-activity || 0 || ET TROJAN Kovter Ransomware Check-in || url,www.botnets.fr/index.php/Kovter || md5,82d0e4f8b34d6d39ee4ff59d0816ec05 +1 || 2016692 || 4 || bad-unknown || 0 || ET INFO SUSPICIOUS UA starting with Mozilla/7 +1 || 2016693 || 4 || bad-unknown || 0 || ET INFO SUSPICIOUS UA starting with Mozilla/8 +1 || 2016694 || 4 || bad-unknown || 0 || ET INFO SUSPICIOUS UA starting with Mozilla/9 +1 || 2016695 || 2 || bad-unknown || 0 || ET INFO SUSPICIOUS UA starting with Mozilla/0 +1 || 2016696 || 13 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download +1 || 2016697 || 13 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI || md5,fd95cc0bb7d3ea5a0c86d45570df5228 || md5,09330c596a33689a610a1b183a651118 +1 || 2016698 || 13 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS services.exe in URI || md5,145c06300d61b3a0ce2c944fe7cdcb96 +1 || 2016699 || 13 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI || md5,d929747212309559cb702dd062fb3e5d +1 || 2016700 || 13 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI || md5,de1bc32ad135b14ad3a5cf72566a63ff +1 || 2016701 || 12 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI || md5,450dbe96d7f4108474071aca5826fc43 +1 || 2016702 || 12 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI || md5,21a069667a6dba38f06765e414e48824 +1 || 2016703 || 12 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI || md5,ea3dec87f79ff97512c637a5c8868a7e +1 || 2016704 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013 +1 || 2016705 || 19 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013 +1 || 2016706 || 19 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (1) +1 || 2016707 || 4 || trojan-activity || 0 || ET TROJAN Win32/Enchanim Checkin || md5,539d3b15e9c3882ac70bb1ac7f90a837 +1 || 2016708 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss Recent Jar (3) +1 || 2016709 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS CrimeBoss Recent Jar (4) +1 || 2016710 || 3 || trojan-activity || 0 || ET TROJAN Zeus User-Agent(z00sAgent) || md5,e94fb19f3a38f9b2a775b925e4c0abe3 +1 || 2016711 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain || url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/ +1 || 2016712 || 3 || bad-unknown || 0 || ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server +1 || 2016713 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32/BaneChant.APT Winword.pkg Redirect || url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html +1 || 2016714 || 2 || bad-unknown || 0 || ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray +1 || 2016715 || 2 || bad-unknown || 0 || ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray +1 || 2016716 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS BHEK q.php iframe inbound || url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html +1 || 2016717 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS BHEK ff.php iframe inbound || url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html +1 || 2016718 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS BHEK q.php iframe outbound || url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html +1 || 2016719 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS BHEK ff.php iframe outbound || url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html +1 || 2016720 || 5 || trojan-activity || 0 || ET DELETED Sakura Jar Download SET +1 || 2016721 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Sakura Jar Download +1 || 2016722 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 32-hex/ff.php Landing Page/Java exploit URI +1 || 2016723 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 32-hex/ff.php Jar Download +1 || 2016724 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 16-hex/ff.php Landing Page/Java exploit URI +1 || 2016725 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 16-hex/ff.php Jar Download +1 || 2016726 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Potential Fiesta Flash Exploit +1 || 2016727 || 2 || trojan-activity || 0 || ET TROJAN W32/BaneChant.APT Data Exfiltration POST to CnC || url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html +1 || 2016728 || 2 || trojan-activity || 0 || ET TROJAN W32/BaneChant.APT Initial CnC Beacon || url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html +1 || 2016729 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS Reversed Applet Observed in Sakura/Blackhole Landing +1 || 2016730 || 13 || trojan-activity || 0 || ET DELETED Blackhole/Cool plugindetect in octal +1 || 2016731 || 4 || trojan-activity || 0 || ET TROJAN Revoyem Ransomware Check-in || url,www.botnets.fr/index.php/Revoyem +1 || 2016732 || 4 || trojan-activity || 0 || ET TROJAN Revoyem Ransomware Activity || url,www.botnets.fr/index.php/Revoyem +1 || 2016733 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura encrypted binary (2) +1 || 2016734 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013 +1 || 2016735 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS GonDadEK Java Exploit Requested +1 || 2016736 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS GonDadEK Java Exploit Requested +1 || 2016737 || 11 || attempted-user || 0 || ET CURRENT_EVENTS GonDadEK Kit Jar || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2016738 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32/Citadel Infection or Config URL Request || url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html || url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf +1 || 2016739 || 2 || trojan-activity || 0 || ET TROJAN W32/Citadel File.php CnC POST || url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html || url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf +1 || 2016740 || 2 || trojan-activity || 0 || ET TROJAN W32/Citadel Content.php CnC POST || url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html || url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf +1 || 2016741 || 2 || trojan-activity || 0 || ET TROJAN W32/Citadel Pro File.php CnC POST || url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html || url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf +1 || 2016742 || 6 || trojan-activity || 0 || ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment || url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html || url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf +1 || 2016743 || 2 || trojan-activity || 0 || ET TROJAN W32/Citadel Conf.bin Download From CnC Server || url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html || url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf +1 || 2016744 || 5 || trojan-activity || 0 || ET POLICY NSISDL Iplookup.php IPCheck +1 || 2016746 || 2 || trojan-activity || 0 || ET TROJAN W32/NSISDL.Downloader CnC Server Response +1 || 2016748 || 2 || trojan-activity || 0 || ET TROJAN RansomCrypt Intial Check-in +1 || 2016749 || 2 || trojan-activity || 0 || ET TROJAN RansomCrypt Getting Template +1 || 2016751 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit/Sakura applet + obfuscated URL Apr 10 2013 +1 || 2016752 || 3 || trojan-activity || 0 || ET DELETED W32/Nymaim Checkin || md5,b904ce55532582a6ea516399d8e4b410 +1 || 2016753 || 10 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data April 12 2013 +1 || 2016754 || 2 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection +1 || 2016755 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 2 Landing Page (9) +1 || 2016756 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino EK Plugin-Detect April 12 2013 +1 || 2016757 || 5 || trojan-activity || 0 || ET TROJAN W32/Nymaim Checkin (2) +1 || 2016758 || 4 || policy-violation || 0 || ET POLICY Bitcoin Mining Extensions Header +1 || 2016759 || 1 || trojan-activity || 0 || ET TROJAN Win32/Redyms.A Checkin +1 || 2016760 || 2 || attempted-user || 0 || ET WEB_SERVER WebShell - PHPShell - Comment +1 || 2016761 || 2 || attempted-user || 0 || ET WEB_SERVER WebShell - PHPShell - Haxplorer URI +1 || 2016762 || 2 || attempted-user || 0 || ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI +1 || 2016763 || 6 || network-scan || 0 || ET SCAN Non-Malicious SSH/SSL Scanner on the run || url,pki.net.in.tum.de/node/21 || url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532 +1 || 2016764 || 14 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO PDF Payload Download +1 || 2016765 || 2 || misc-activity || 0 || ET INFO PDF - Acrobat Enumeration - pdfobject.js +1 || 2016766 || 2 || misc-activity || 0 || ET INFO PDF - Acrobat Enumeration - var PDFObject +1 || 2016767 || 3 || bad-unknown || 0 || ET INFO EXE - SCR in PKZip Compressed Data Download +1 || 2016768 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Dorkbot.AR Join IRC channel || url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR || md5,7e76c7db8706511fc59508af4aef27fa +1 || 2016769 || 2 || trojan-activity || 0 || ET TROJAN Win32/Enchanim Check-in Response || md5,2642999a085443e9055b292c4d405e64 || md5,37066ed52cd7510bf04808c332599f1c || url,www.seculert.com/blog/2013/04/magic-persistent-threat.html +1 || 2016770 || 2 || trojan-activity || 0 || ET TROJAN Win32/Enchanim Process List Dump || md5,2642999a085443e9055b292c4d405e64 || md5,37066ed52cd7510bf04808c332599f1c || url,www.seculert.com/blog/2013/04/magic-persistent-threat.html +1 || 2016771 || 4 || trojan-activity || 0 || ET TROJAN Win32/Enchanim C2 Injection Download || md5,2642999a085443e9055b292c4d405e64 || md5,37066ed52cd7510bf04808c332599f1c || url,www.seculert.com/blog/2013/04/magic-persistent-threat.html +1 || 2016773 || 2 || trojan-activity || 0 || ET TROJAN Mutter Backdoor Checkin || url,fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html +1 || 2016774 || 2 || misc-activity || 0 || ET INFO Generic HTTP EXE Upload Inbound +1 || 2016775 || 2 || misc-activity || 0 || ET INFO Generic HTTP EXE Upload Outbound +1 || 2016776 || 3 || trojan-activity || 0 || ET DELETED Blackhole/Cool plugindetect in octal Apr 18 2013 +1 || 2016777 || 10 || bad-unknown || 0 || ET INFO HTTP Request to a *.pw domain +1 || 2016778 || 3 || bad-unknown || 0 || ET INFO DNS Query to a *.pw domain - Likely Hostile +1 || 2016779 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Fake DHL Kuluoz.B URI +1 || 2016780 || 4 || trojan-activity || 0 || ET MALWARE Adware.Win32/SProtector.A Client Checkin || md5,38f61d046e575971ed83c4f71accd132 +1 || 2016781 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013 +1 || 2016782 || 15 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download (8) +1 || 2016784 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Fiesta - Payload - flashplayer11 +1 || 2016785 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura - Java Exploit Recievied +1 || 2016786 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura - Payload Requested +1 || 2016787 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura - Payload Downloaded +1 || 2016788 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mfunc +1 || 2016789 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mclude +1 || 2016790 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content +1 || 2016791 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura - Landing Page - Received +1 || 2016792 || 3 || attempted-user || 0 || ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557 || cve,CVE-2012-1557 +1 || 2016793 || 5 || trojan-activity || 0 || ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 1 || url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ +1 || 2016794 || 4 || attempted-user || 0 || ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command +1 || 2016795 || 4 || trojan-activity || 0 || ET TROJAN ET TROJAN TROJ_NAIKON.A SSL Cert || url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/ +1 || 2016796 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 || url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html +1 || 2016797 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass || url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html +1 || 2016798 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java JNLP Requested +1 || 2016799 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit Requested +1 || 2016800 || 6 || misc-activity || 0 || ET TROJAN Medfos Connectivity Check +1 || 2016801 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013 +1 || 2016802 || 4 || misc-activity || 0 || ET INFO myobfuscate.com Encoded Script Calling home +1 || 2016803 || 4 || trojan-activity || 0 || ET TROJAN Known Sinkhole Response Header +1 || 2016804 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_MM - Java Exploit - jreg.jar +1 || 2016805 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR +1 || 2016806 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) || url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/ +1 || 2016807 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13 +1 || 2016808 || 2 || trojan-activity || 0 || ET TROJAN Cookies/Cookiebag Checkin || md5,840BD11343D140916F45223BA05ABACB +1 || 2016809 || 5 || trojan-activity || 0 || ET TROJAN Win32/Urausy.C Checkin 3 || md5,09462f13d7e6aaa0bff2788158343829 || md5,b18f80d665f340af91003226a2b974b6 || md5,1494b8b9f42753a4bc1762d8f3287db6 +1 || 2016810 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2) || url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/ +1 || 2016811 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS - Possible Redkit 1-4 char JNLP request +1 || 2016812 || 4 || trojan-activity || 0 || ET TROJAN Greencat SSL Certificate +1 || 2016813 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS - Possible BlackHole request with decryption Base +1 || 2016814 || 4 || trojan-activity || 0 || ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 2 || url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ +1 || 2016815 || 4 || trojan-activity || 0 || ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 3 || url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ +1 || 2016816 || 3 || trojan-activity || 0 || ET TROJAN Variant.Zusy.45802 Checkin +1 || 2016817 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2 || url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html +1 || 2016818 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3 || url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html +1 || 2016819 || 5 || trojan-activity || 0 || ET TROJAN DEEP PANDA Checkin 1 || url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/ || url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf +1 || 2016820 || 2 || trojan-activity || 0 || ET TROJAN DEEP PANDA Checkin 2 || url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/ || url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf +1 || 2016821 || 3 || trojan-activity || 0 || ET TROJAN DEEP PANDA Checkin 3 || url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/ || url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf +1 || 2016822 || 2 || attempted-user || 0 || ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack || cve,2013-1347 || url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/ || url,technet.microsoft.com/en-us/security/advisory/2847140 +1 || 2016823 || 4 || trojan-activity || 0 || ET TROJAN Suspicious Fake Opera 10 User-Agent || url,dev.opera.com/articles/view/opera-ua-string-changes || url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware +1 || 2016824 || 3 || attempted-user || 0 || ET EXPLOIT Metasploit mstime_malloc no-spray || url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation +1 || 2016825 || 3 || misc-activity || 0 || ET INFO Suspicious Possible CollectGarbage in base64 1 +1 || 2016826 || 3 || misc-activity || 0 || ET INFO Suspicious Possible CollectGarbage in base64 2 +1 || 2016827 || 3 || misc-activity || 0 || ET INFO Suspicious Possible CollectGarbage in base64 3 +1 || 2016828 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Requsting Payload +1 || 2016829 || 3 || trojan-activity || 0 || ET TROJAN Unknown Checkin +1 || 2016830 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Injection - var j=0 +1 || 2016831 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK || url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0 +1 || 2016832 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS HellSpawn EK Requesting Jar +1 || 2016833 || 5 || attempted-user || 0 || ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK || url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/ +1 || 2016834 || 2 || trojan-activity || 0 || ET DELETED Unknown Trojan POST +1 || 2016835 || 2 || attempted-admin || 0 || ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution || url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution +1 || 2016836 || 3 || web-application-attack || 0 || ET WEB_SERVER ColdFusion password.properties access || url,cxsecurity.com/issue/WLB-2013050065 +1 || 2016837 || 6 || trojan-activity || 0 || ET TROJAN Alina Checkin || url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html +1 || 2016838 || 5 || trojan-activity || 0 || ET TROJAN Alina User-Agent(Alina) || url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html +1 || 2016839 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit hex.zip Java Downloading Jar +1 || 2016840 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Landing +1 || 2016841 || 4 || web-application-attack || 0 || ET WEB_SERVER ColdFusion path disclosure to get the absolute path || url,www.exploit-db.com/exploits/25305/ +1 || 2016842 || 2 || web-application-attack || 0 || ET WEB_SERVER ColdFusion scheduletasks access || url,exploit-db.com/exploits/24946/ +1 || 2016843 || 2 || web-application-attack || 0 || ET WEB_SERVER ColdFusion scheduleedit access || url,exploit-db.com/exploits/24946/ +1 || 2016844 || 3 || trojan-activity || 0 || ET TROJAN Trojan-Downloader.Win32.AutoIt.mj Checkin || url,threatexpert.com/report.aspx?md5=c4e923564c564163620959f23691cc26 || md5,4a77d3575845cf24b72400816d0b95c2 +1 || 2016845 || 3 || policy-violation || 0 || ET WEB_SERVER HTTPing Usage Inbound || url,www.vanheusden.com/httping/ +1 || 2016846 || 4 || bad-unknown || 0 || ET INFO Possible Firefox Plugin install || url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html +1 || 2016847 || 3 || bad-unknown || 0 || ET INFO Possible Chrome Plugin install || url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx +1 || 2016848 || 12 || policy-violation || 0 || ET CURRENT_EVENTS BlackHole Java Exploit Artifact || url,vanheusden.com/httping/ +1 || 2016850 || 2 || trojan-activity || 0 || ET TROJAN Possible Linux/Cdorked.A CnC || url,code.google.com/p/malware-lu/wiki/en_malware_cdorked_A || url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/ +1 || 2016851 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response +1 || 2016852 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013 +1 || 2016853 || 15 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data May 15 2013 +1 || 2016854 || 3 || trojan-activity || 0 || ET TROJAN Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt || url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html +1 || 2016855 || 2 || trojan-activity || 0 || ET TROJAN Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt || url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html +1 || 2016856 || 2 || policy-violation || 0 || ET POLICY Android Dalvik Executable File Download || url,source.android.com/tech/dalvik/dex-format.html +1 || 2016857 || 2 || trojan-activity || 0 || ET TROJAN W32/Pushdo CnC Server Fake JPEG Response || url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf +1 || 2016858 || 9 || trojan-activity || 0 || ET TROJAN Generic - POST To .php w/Extended ASCII Characters +1 || 2016859 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar +1 || 2016860 || 18 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013 +1 || 2016861 || 2 || trojan-activity || 0 || ET TROJAN Hangover Campaign Keylogger Checkin || md5,023d82950ebec016cd4016d7a11be58d || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016862 || 3 || trojan-activity || 0 || ET TROJAN Hangover Campaign Keylogger 2 checkin || md5,0b38f87841ed347cc2a5ffa510a1c8f6 || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016863 || 2 || trojan-activity || 0 || ET TROJAN Trojan.Win32.VB.cefz Checkin || md5,0cace87b377a00df82839c659fc3adea || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016864 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Agent.bjjv Checkin || md5,06ba10a49c8cea32a51f0bbe8f5073f1 || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016865 || 2 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD) || md5,0e9e46d068fea834e12b2226cc8969fd || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016866 || 4 || trojan-activity || 0 || ET TROJAN Trojan-Spy.Win32.KeyLogger.acuj Checkin || md5,078d12eb9fc2b1665c0cc3001448b69b || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016867 || 2 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Pushdo.s Checkin +1 || 2016868 || 13 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino Plugin-Detect 2 May 20 2013 +1 || 2016869 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Post Exploit Payload Download +1 || 2016870 || 8 || policy-violation || 0 || ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. +1 || 2016871 || 4 || policy-violation || 0 || ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4. +1 || 2016872 || 4 || policy-violation || 0 || ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3. +1 || 2016873 || 5 || policy-violation || 0 || ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2. +1 || 2016874 || 4 || policy-violation || 0 || ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1. +1 || 2016875 || 4 || policy-violation || 0 || ET POLICY Unsupported/Fake FireFox Version 0. +1 || 2016876 || 4 || policy-violation || 0 || ET POLICY Unsupported/Fake FireFox Version 1. +1 || 2016877 || 4 || policy-violation || 0 || ET POLICY Unsupported/Fake FireFox Version 2. +1 || 2016878 || 4 || policy-violation || 0 || ET POLICY Unsupported/Fake Windows NT Version 4. +1 || 2016879 || 4 || policy-violation || 0 || ET POLICY Unsupported/Fake Windows NT Version 5.0 +1 || 2016880 || 6 || trojan-activity || 0 || ET INFO Suspicious Windows NT version 0 User-Agent +1 || 2016881 || 4 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(FMBVDFRESCT) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016882 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DSMBVCTFRE) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016883 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(MBESCVDFRT) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016884 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(TCBFRVDEMS) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016885 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMOMAKE) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016886 || 2 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMO) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016887 || 5 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(UPHTTP) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016888 || 4 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(sendFile) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016889 || 5 || trojan-activity || 0 || ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016890 || 3 || trojan-activity || 0 || ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(file) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016891 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(vbusers) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016892 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(folderwin) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016893 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(smaal) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016894 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(nento) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016895 || 3 || trojan-activity || 0 || ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(bugmaal) || url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016896 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Requesting Payload +1 || 2016897 || 7 || trojan-activity || 0 || ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5 || url,windows.microsoft.com/en-us/internet-explorer/products/ie-9/system-requirements +1 || 2016898 || 6 || trojan-activity || 0 || ET INFO Suspicious MSIE 10 on Windows NT 5 +1 || 2016899 || 4 || trojan-activity || 0 || ET TROJAN Trojan.BlackRev Registering Client || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/ +1 || 2016900 || 5 || trojan-activity || 0 || ET DELETED Trojan.BlackRev Polling for DoS targets || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/ +1 || 2016901 || 5 || trojan-activity || 0 || ET DELETED Trojan.BlackRev Download Executable || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/ +1 || 2016902 || 5 || trojan-activity || 0 || ET TROJAN Trojan.BlackRev Download Executable || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/ +1 || 2016903 || 4 || trojan-activity || 0 || ET USER_AGENTS Suspicious User-Agent (DownloadMR) || url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/ || md5, 0da0d8e664f44400c19898b4c9e71456 +1 || 2016904 || 3 || trojan-activity || 0 || ET USER_AGENTS User-Agent (ChilkatUpload) || url,chilkatsoft.com +1 || 2016905 || 3 || trojan-activity || 0 || ET MALWARE AdWare.MSIL.Solimba.b GET || url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/ || md5, 0da0d8e664f44400c19898b4c9e71456 +1 || 2016906 || 3 || trojan-activity || 0 || ET MALWARE AdWare.MSIL.Solimba.b POST || url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/ || md5, 0da0d8e664f44400c19898b4c9e71456 +1 || 2016907 || 5 || trojan-activity || 0 || ET TROJAN Trojan-Spy.Win32.Agent.byhm User-Agent (EMSCBVDFRT) +1 || 2016908 || 5 || trojan-activity || 0 || ET TROJAN Trojan.Win32.FresctSpy.A User-Agent (MBVDFRESCT) || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FAgent.CZ +1 || 2016909 || 3 || trojan-activity || 0 || ET TROJAN Trojan.BlackRev Registration Rev3 || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/ +1 || 2016910 || 3 || trojan-activity || 0 || ET TROJAN Trojan.BlackRev Get Command Rev3 || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/ +1 || 2016911 || 3 || trojan-activity || 0 || ET TROJAN W32/Briba CnC POST Beacon || url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html || url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf || url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A +1 || 2016912 || 4 || trojan-activity || 0 || ET TROJAN W32/KeyLogger.ACQH!tr Checkin || md5,eddce1a6c0cc0eb7b739cb758c516975 || md5,c0d9352ad82598362a426cd38a7ecf0e || url,www.fortiguard.com/av/VID4225990 || url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf +1 || 2016913 || 4 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info) || url,www.threatexpert.com/report.aspx?md5=e7d9bc670d69ad8a6ad2784255324eec || url,www.threatexpert.com/report.aspx?md5=37207835e128516fe17af3dacc83a00c +1 || 2016914 || 3 || trojan-activity || 0 || ET TROJAN Trojan.Win32.Antavmu.guw Checkin || md5,2b63ed542eb0e1a4547a2b6e91391dc0 || url,www.securelist.com/en/descriptions/16150989/Trojan.Win32.Antavmu.guw?print_mode=1 || url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c +1 || 2016915 || 4 || trojan-activity || 0 || ET MALWARE Suspicious User Agent Smart-RTP || url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c || url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html || md5, 2b63ed542eb0e1a4547a2b6e91391dc0 +1 || 2016916 || 3 || trojan-activity || 0 || ET MALWARE Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA +1 || 2016917 || 2 || trojan-activity || 0 || ET MALWARE Adware pricepeep Adware.Shopper.297 || url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/ || url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html || md5,0564e603f9ed646553933cb0d271f906 +1 || 2016918 || 6 || attempted-admin || 0 || ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific || url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/ || url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb +1 || 2016919 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Malicious Redirect URL +1 || 2016920 || 2 || attempted-admin || 0 || ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution || url,struts.apache.org/development/2.x/docs/s2-013.html +1 || 2016921 || 5 || trojan-activity || 0 || ET INFO Suspicious Mozilla UA with no Space after colon +1 || 2016922 || 10 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/ || url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/ || url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/ || url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en +1 || 2016923 || 13 || attempted-user || 0 || ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013 || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2016924 || 11 || attempted-user || 0 || ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013 || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2016925 || 2 || attempted-user || 0 || ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013 || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2016926 || 2 || attempted-user || 0 || ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013 || url,kahusecurity.com/2012/new-chinese-exploit-pack/ +1 || 2016927 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013 +1 || 2016928 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013 +1 || 2016929 || 11 || trojan-activity || 0 || ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013 +1 || 2016930 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013 +1 || 2016931 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole EK JNLP request +1 || 2016932 || 2 || trojan-activity || 0 || ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic || url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html +1 || 2016933 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain May 28 2013 +1 || 2016934 || 3 || trojan-activity || 0 || ET TROJAN W32/Safe User Agent Fantasia || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf +1 || 2016935 || 2 || web-application-attack || 0 || ET WEB_SERVER SQL Injection Select Sleep Time Delay || url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet +1 || 2016936 || 2 || web-application-attack || 0 || ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE || url,dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file || url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet +1 || 2016937 || 3 || web-application-attack || 0 || ET WEB_SERVER SQL Injection List Priveleges Attempt || url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet +1 || 2016938 || 3 || trojan-activity || 0 || ET MALWARE Adware.Ezula Checkin || md5,dede600f1e78fd20e4515bea1f2bdf61 +1 || 2016939 || 2 || trojan-activity || 0 || ET TROJAN Variant.Kazy.174106 Checkin || md5,ff7a263e89ff01415294470e1e52c010 +1 || 2016940 || 3 || trojan-activity || 0 || ET TROJAN Vobfus Check-in +1 || 2016941 || 5 || trojan-activity || 0 || ET TROJAN W32/PolyCrypt.A Checkin || url,www.threatexpert.com/report.aspx?md5=44be7c6d4109ae5fb0ceb2824facf2dd +1 || 2016942 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013 +1 || 2016943 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura - Payload Requested +1 || 2016944 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS HTTP connection to net78.net Free Web Hosting (Used by Various Trojans) || url,www.net78.net +1 || 2016945 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura encrypted binary (2) +1 || 2016946 || 3 || trojan-activity || 0 || ET TROJAN Possible Win32.Bicololo Checkin || md5,252c95327ce556a21bdd7e9a322e206c || url,www.virusradar.com/Win32_Bicololo.A/description +1 || 2016947 || 2 || trojan-activity || 0 || ET TROJAN Win32.Bicololo Response 1 || md5,691bd07048b09c73f0a979529a66f6e3 +1 || 2016948 || 2 || trojan-activity || 0 || ET TROJAN Win32.Bicololo Response 2 || md5,691bd07048b09c73f0a979529a66f6e3 +1 || 2016949 || 3 || trojan-activity || 0 || ET TROJAN Possible Backdoor.Linux.Tsunami Outbound HTTP request || url,malwaremustdie.blogspot.jp/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html +1 || 2016950 || 2 || trojan-activity || 0 || ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA || md5,4d23395fcbab1dabef9afe6af81df558 +1 || 2016951 || 5 || trojan-activity || 0 || ET TROJAN Backdoor.Win32.Trup.CX Checkin 1 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Agent.AAE +1 || 2016952 || 7 || bad-unknown || 0 || ET CURRENT_EVENTS Probable Nuclear exploit kit landing page +1 || 2016953 || 3 || attempted-user || 0 || ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI +1 || 2016954 || 3 || attempted-user || 0 || ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body +1 || 2016956 || 3 || attempted-user || 0 || ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI || url,struts.apache.org/development/2.x/docs/s2-013.html +1 || 2016957 || 3 || attempted-user || 0 || ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body || url,struts.apache.org/development/2.x/docs/s2-013.html +1 || 2016958 || 3 || attempted-user || 0 || ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body || url,struts.apache.org/development/2.x/docs/s2-013.html +1 || 2016959 || 3 || attempted-user || 0 || ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI || url,struts.apache.org/development/2.x/docs/s2-013.html +1 || 2016960 || 10 || trojan-activity || 0 || ET TROJAN System Progressive Detection FakeAV (AuthenticAMD) || md5,16d529fc48250571a9e667fb264c8497 +1 || 2016961 || 11 || trojan-activity || 0 || ET TROJAN System Progressive Detection FakeAV (GenuineIntel) || md5,16d529fc48250571a9e667fb264c8497 +1 || 2016962 || 2 || trojan-activity || 0 || ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 +1 || 2016963 || 5 || trojan-activity || 0 || ET TROJAN Trojan.Win32/Mutopy.A Checkin || md5,2a0344bac492c65400eb944ac79ac3c3 || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FMutopy.A&ThreatID=-2147312217 || url,blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-hides-malware-communication/ +1 || 2016964 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013 +1 || 2016965 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Metasploit Based Unknown EK Jar Download June 03 2013 +1 || 2016966 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013 +1 || 2016967 || 2 || trojan-activity || 0 || ET TROJAN W32/Symmi Remote File Injector Initial CnC Beacon || url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html +1 || 2016968 || 5 || trojan-activity || 0 || ET TROJAN Win32/Travnet.A Checkin || md5,d04a7f30c83290b86cac8d762dcc2df5 || md5,cb9cc50b18a7c91cf4a34c624b90db5d || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A || url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data || url,www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf +1 || 2016969 || 5 || trojan-activity || 0 || ET TROJAN Possible Win32/Travnet.A Internet Connection Check (microsoft.com) || md5,d04a7f30c83290b86cac8d762dcc2df5 || md5,cb9cc50b18a7c91cf4a34c624b90db5d || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A || url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data +1 || 2016970 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Karagany encrypted binary (3) +1 || 2016971 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 32-hex/a.php Landing Page/Java exploit URI +1 || 2016972 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 32-hex/a.php Jar Download +1 || 2016973 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 16-hex/a.php Landing Page/Java exploit URI +1 || 2016974 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole 16-hex/a.php Jar Download +1 || 2016975 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino EK Landing URI Format +1 || 2016976 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Payload Download (9) +1 || 2016977 || 3 || trojan-activity || 0 || ET WEB_SERVER allow_url_include PHP config option in uri || url,seclists.org/fulldisclosure/2013/Jun/21 +1 || 2016978 || 3 || trojan-activity || 0 || ET WEB_SERVER safe_mode PHP config option in uri || url,seclists.org/fulldisclosure/2013/Jun/21 +1 || 2016979 || 4 || trojan-activity || 0 || ET WEB_SERVER suhosin.simulation PHP config option in uri || url,seclists.org/fulldisclosure/2013/Jun/21 +1 || 2016980 || 5 || trojan-activity || 0 || ET WEB_SERVER disable_functions PHP config option in uri || url,seclists.org/fulldisclosure/2013/Jun/21 +1 || 2016981 || 4 || trojan-activity || 0 || ET WEB_SERVER open_basedir PHP config option in uri || url,seclists.org/fulldisclosure/2013/Jun/21 +1 || 2016982 || 3 || trojan-activity || 0 || ET WEB_SERVER auto_prepend_file PHP config option in uri || url,seclists.org/fulldisclosure/2013/Jun/21 +1 || 2016983 || 2 || trojan-activity || 0 || ET WEB_SERVER Access to /phppath/php Possible Plesk 0-day Exploit June 05 2013 || url,seclists.org/fulldisclosure/2013/Jun/21 +1 || 2016984 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole EK Initial Gate from Linked-In Mailing Campaign +1 || 2016985 || 2 || bad-unknown || 0 || ET INFO Executable Served From /tmp/ Directory - Malware Hosting Behaviour +1 || 2016986 || 2 || trojan-activity || 0 || ET TROJAN KeyBoy Backdoor Login || url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india +1 || 2016987 || 2 || trojan-activity || 0 || ET TROJAN KeyBoy Backdoor SysInfo Response header || url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india +1 || 2016988 || 3 || trojan-activity || 0 || ET TROJAN KeyBoy Backdoor File Manager Response Header || url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india +1 || 2016989 || 2 || trojan-activity || 0 || ET TROJAN KeyBoy Backdoor File Download Response Header || url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india +1 || 2016990 || 2 || trojan-activity || 0 || ET TROJAN KeyBoy Backdoor File Upload Response Header || url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india +1 || 2016991 || 4 || trojan-activity || 0 || ET TROJAN Alina Server Response Code || url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html || md5,7d6ec042a38d108899c8985ed7417e4a +1 || 2016992 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell Generic - *.tar.gz in POST body +1 || 2016993 || 3 || trojan-activity || 0 || ET TROJAN Connection to AnubisNetworks Sinkhole IP (Possible Infected Host) +1 || 2016994 || 2 || trojan-activity || 0 || ET TROJAN Connection to Georgia Tech Sinkhole IP (Possible Infected Host) +1 || 2016995 || 3 || trojan-activity || 0 || ET TROJAN Connection to 1&1 Sinkhole IP (Possible Infected Host) +1 || 2016996 || 2 || trojan-activity || 0 || ET TROJAN Connection to Zinkhole Sinkhole IP (Possible Infected Host) +1 || 2016997 || 2 || trojan-activity || 0 || ET TROJAN Connection to Dr Web Sinkhole IP(Possible Infected Host) +1 || 2016998 || 2 || trojan-activity || 0 || ET TROJAN Connection to Fitsec Sinkhole IP (Possible Infected Host) +1 || 2016999 || 3 || trojan-activity || 0 || ET TROJAN Connection to Microsoft Sinkhole IP (Possbile Infected Host) +1 || 2017000 || 3 || trojan-activity || 0 || ET TROJAN Connection to unallocated address space 1.1.1.0/24 +1 || 2017001 || 2 || trojan-activity || 0 || ET TROJAN Connection to a cert.pl Sinkhole IP (Possible Infected Host) +1 || 2017002 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign +1 || 2017003 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip +1 || 2017004 || 4 || trojan-activity || 0 || ET TROJAN Win32/Tobfy.S || md5,ac03c5980e2019992b876798df2df9ab +1 || 2017005 || 5 || attempted-user || 0 || ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length || cve,2013-1331 || url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx +1 || 2017006 || 5 || attempted-user || 0 || ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access || url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx +1 || 2017007 || 6 || attempted-user || 0 || ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access || url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx +1 || 2017008 || 5 || attempted-user || 0 || ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific +1 || 2017009 || 5 || trojan-activity || 0 || ET TROJAN KimJongRAT cnc exe pull || url,malware.lu/Pro/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf +1 || 2017010 || 3 || bad-unknown || 0 || ET WEB_SERVER Possible SQLi xp_cmdshell POST body +1 || 2017011 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Glazunov EK Downloading Jar +1 || 2017012 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WeBDAV || cve,2012-1533 +1 || 2017013 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection || cve,2012-1533 +1 || 2017014 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox) +1 || 2017015 || 6 || policy-violation || 0 || ET POLICY DropBox User Content Access over SSL || url,www.dropbox.com/help/201/en +1 || 2017016 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013 +1 || 2017017 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013 +1 || 2017018 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013 +1 || 2017019 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Dotka Chef EK .cache request +1 || 2017020 || 10 || trojan-activity || 0 || ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request +1 || 2017021 || 5 || trojan-activity || 0 || ET TROJAN TripleNine RAT Checkin +1 || 2017022 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 1 || url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/ +1 || 2017023 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 2 || url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/ +1 || 2017024 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3 || url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/ +1 || 2017025 || 3 || successful-user || 0 || ET ATTACK_RESPONSE Net User Command Response +1 || 2017026 || 2 || trojan-activity || 0 || ET TROJAN Unknown Webserver Backdoor || url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html +1 || 2017027 || 2 || trojan-activity || 0 || ET TROJAN Unknown Webserver Backdoor Domain (google-analytcs) || url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html +1 || 2017028 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure +1 || 2017029 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure +1 || 2017030 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI +1 || 2017031 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown_InIFRAME - In Referrer +1 || 2017032 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn= +1 || 2017034 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS NailedPack EK Landing June 18 2013 || url,www.basemont.com/june_2013_exploit_kit_2 +1 || 2017035 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Malicious Redirect June 18 2013 +1 || 2017036 || 3 || trojan-activity || 0 || ET TROJAN Activity related to APT.Seinup Checkin 1 || url,fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html +1 || 2017037 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Javadoc API Redirect CVE-2013-1571 || cve,2013-1571 +1 || 2017038 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS RedKit Jar Download June 20 2013 +1 || 2017039 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS X20 EK Payload Download +1 || 2017040 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct +1 || 2017041 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.7.x +1 || 2017042 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (Old) +1 || 2017043 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New) +1 || 2017044 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New) +1 || 2017045 || 3 || trojan-activity || 0 || ET TROJAN Possible Drive DDoS Check-in +1 || 2017046 || 3 || trojan-activity || 0 || ET TROJAN Drive Receiving GET DDoS instructions || url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/ +1 || 2017047 || 3 || trojan-activity || 0 || ET TROJAN Drive Receiving POST1 DDoS instructions || url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/ +1 || 2017048 || 3 || trojan-activity || 0 || ET TROJAN Drive Receiving POST2 DDoS instructions || url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/ +1 || 2017049 || 3 || trojan-activity || 0 || ET TROJAN Drive Receiving IP DDoS instructions || url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/ +1 || 2017050 || 4 || trojan-activity || 0 || ET TROJAN Drive Receiving IP2 DDoS instructions || url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/ +1 || 2017051 || 3 || trojan-activity || 0 || ET TROJAN Drive Receiving UDP DDoS instructions || url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/ +1 || 2017052 || 2 || trojan-activity || 0 || ET TROJAN Poison Ivy [victim beacon] +1 || 2017053 || 3 || trojan-activity || 0 || ET TROJAN Poison Ivy [server response] +1 || 2017054 || 2 || bad-unknown || 0 || ET WEB_SERVER WebShell Generic - ELF File Uploaded +1 || 2017055 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS AryaN IRC bot CnC1 +1 || 2017056 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS AryaN IRC bot CnC2 +1 || 2017057 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS AryaN IRC bot Download and Execute Scheduled file command +1 || 2017058 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS AryaN IRC bot Flood command +1 || 2017059 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS AryaN IRC bot Botkill command +1 || 2017060 || 3 || trojan-activity || 0 || ET EXPLOIT SolusVM 1.13.03 SQL injection +1 || 2017061 || 3 || trojan-activity || 0 || ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin +1 || 2017063 || 3 || trojan-activity || 0 || ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue || url,localhost.re/p/solusvm-whmcs-module-316-vulnerability +1 || 2017064 || 17 || trojan-activity || 0 || ET CURRENT_EVENTS Cool/BHEK Applet with Alpha-Numeric Encoded HTML entity +1 || 2017065 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Pony Loader default URI struct +1 || 2017066 || 7 || trojan-activity || 0 || ET TROJAN Win32/Comisproc Checkin || url,threatexpert.com/report.aspx?md5=9378ef5f2fb2e71e5eeed20f9f21d8dd || url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Comisproc&ThreatID=-2147341910 || url,unixfreaxjp.blogspot.com.br/2012/11/ocjp-080-bootkitsoftbankbb.html +1 || 2017067 || 5 || trojan-activity || 0 || ET USER_AGENTS Suspicious user agent (Google page) +1 || 2017068 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page || url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html +1 || 2017069 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS || url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html +1 || 2017070 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK) +1 || 2017071 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino Exploit Kit XOR decodeURIComponent +1 || 2017072 || 3 || trojan-activity || 0 || ET DELETED Blackhole/Cool plugindetect in octal Jun 26 2013 +1 || 2017073 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013 +1 || 2017074 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload || bugtraq,57082 || cve,2012-6081 || url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt || url,exploit-db.com/exploits/25304/ +1 || 2017075 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange applet structure June 27 2013 +1 || 2017076 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole EK Variant Payload Download +1 || 2017077 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Redirect to DotkaChef EK Landing +1 || 2017078 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Lucky7 Java Exploit URI Struct June 28 2013 +1 || 2017079 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sibhost Status Check GET Jul 01 2013 +1 || 2017080 || 2 || policy-violation || 0 || ET INFO ClearTextAuth - HTTP - http_client_body contains pasa= +1 || 2017081 || 2 || policy-violation || 0 || ET INFO ClearTextAuth - HTTP - http_uri contains pasa= +1 || 2017082 || 2 || policy-violation || 0 || ET INFO ClearTextAuth - HTTP - http_client_body contains pasa form +1 || 2017083 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - GODSpy - GOD Hacker +1 || 2017084 || 3 || trojan-activity || 0 || ET WEB_SERVER WebShell - GODSpy - GODSpy title +1 || 2017085 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - GODSpy - Cookie +1 || 2017086 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - GODSpy - MySQL +1 || 2017087 || 3 || trojan-activity || 0 || ET WEB_SERVER WebShell - GODSpy - Auth Prompt +1 || 2017088 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - GODSPy - Auth Creds +1 || 2017089 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - Pouya - Pouya_Server Shell +1 || 2017090 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - Pouya - URI - raiz +1 || 2017091 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - Pouya - URI - action= +1 || 2017092 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CritX/SafePack/FlashPack Jar Download Jul 01 2013 || url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/ +1 || 2017093 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CritX/SafePack/FlashPack EXE Download Jul 01 2013 || url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/ +1 || 2017094 || 3 || attempted-admin || 0 || ET EXPLOIT IPMI Cipher 0 Authentication mode set || url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf || url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi +1 || 2017095 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar pipe.class +1 || 2017096 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar app.jar +1 || 2017097 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar cm2.jar +1 || 2017098 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Lucky7 EK Landing Encoded Plugin-Detect +1 || 2017099 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Lucky7 EK IE Exploit +1 || 2017100 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS /Styx EK - /jlnp.html || url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities +1 || 2017101 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS /Styx EK - /jovf.html || url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities +1 || 2017102 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS /Styx EK - /jorg.html || url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities +1 || 2017104 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino EK Landing URI Format July 04 2013 +1 || 2017106 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Landing Applet Jul 05 2013 +1 || 2017107 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FlashPlayerSetup.x86.exe pull || url,blog.avast.com/2013/07/03/fake-flash-player-installer +1 || 2017108 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FlashPlayerSetup.x86.exe checkin UA || url,blog.avast.com/2013/07/03/fake-flash-player-installer +1 || 2017109 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FlashPlayerSetup.x86.exe checkin response 2 || url,blog.avast.com/2013/07/03/fake-flash-player-installer +1 || 2017110 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange applet structure Jul 05 2013 +1 || 2017111 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS VBulletin Backdoor CMD inbound || url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html +1 || 2017112 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS VBulletin Backdoor C2 URI Structure || url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html +1 || 2017113 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS VBulletin Backdoor C2 Domain || url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html +1 || 2017114 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013 +1 || 2017115 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange applet July 08 2013 +1 || 2017116 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing with Applet July 08 2013 +1 || 2017117 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Cool Exploit Kit Plugin-Detect July 08 2013 +1 || 2017118 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013 +1 || 2017119 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS CritX/SafePack Java Exploit Payload June 03 2013 +1 || 2017122 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Fake Adobe Flash Player update warning enticing clicks to malware payload +1 || 2017123 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Fake Adobe Flash Player malware binary requested +1 || 2017124 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Redirection - Wordpress Injection +1 || 2017125 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Probable FlimKit Redirect July 10 2013 +1 || 2017126 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Landing July 10 2013 +1 || 2017127 || 2 || bad-unknown || 0 || ET INFO JJEncode Encoded Script +1 || 2017128 || 5 || trojan-activity || 0 || ET TROJAN Expiro Trojan Check-in +1 || 2017129 || 3 || attempted-user || 0 || ET WEB_CLIENT Potential Interent Explorer Use After Free CVE-2013-3163 || cve,2013-3163 || url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx +1 || 2017130 || 2 || attempted-user || 0 || ET WEB_CLIENT Potential Interent Explorer Use After Free CVE-2013-3163 2 || cve,2013-3163 || url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx +1 || 2017131 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Potential Interent Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1 || url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx +1 || 2017133 || 3 || attempted-user || 0 || ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163 || cve,2013-3163 +1 || 2017134 || 4 || trojan-activity || 0 || ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form +1 || 2017135 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS PHISH Remax - function Validate +1 || 2017136 || 3 || trojan-activity || 0 || ET MALWARE Adware.Gamevance.AV Checkin || url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/ || md5,0134997dff945fbfe62f343bcba782bc +1 || 2017137 || 2 || trojan-activity || 0 || ET TROJAN Cryptmen FakAV page Title +1 || 2017138 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS g01pack - Java JNLP Requested +1 || 2017139 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DotkaChef JJencode Script URI Struct +1 || 2017140 || 10 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Blackhole EK Jar Download URI Struct +1 || 2017141 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole EK Plugin-Detect July 12 2013 +1 || 2017142 || 2 || attempted-recon || 0 || ET SCAN Arachni Web Scan || url,www.arachni-scanner.com/ +1 || 2017143 || 3 || web-application-attack || 0 || ET WEB_SERVER CRLF Injection - Newline Characters in URL || url,www.owasp.org/index.php/CRLF_Injection +1 || 2017146 || 3 || web-application-attack || 0 || ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers || url,www.owasp.org/index.php/HTTP_Request_Smuggling +1 || 2017147 || 2 || web-application-attack || 0 || ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified || url,www.owasp.org/index.php/HTTP_Request_Smuggling +1 || 2017148 || 3 || successful-admin || 0 || ET ATTACK_RESPONSE Non-Local Burp Proxy Error || url,portswigger.net/burp/proxy.html +1 || 2017149 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Redirection - phpBB Injection +1 || 2017150 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS Cool PDF July 15 2013 +1 || 2017151 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS Styx PDF July 15 2013 +1 || 2017152 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Jar URI Struct +1 || 2017153 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit JNLP URI Struct +1 || 2017154 || 2 || attempted-dos || 0 || ET DOS Squid-3.3.5 DoS +1 || 2017155 || 4 || attempted-user || 0 || ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect || url,struts.apache.org/release/2.3.x/docs/s2-016.html +1 || 2017156 || 4 || attempted-user || 0 || ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction || url,struts.apache.org/release/2.3.x/docs/s2-016.html +1 || 2017157 || 4 || attempted-user || 0 || ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action || url,struts.apache.org/release/2.3.x/docs/s2-016.html +1 || 2017161 || 1 || attempted-recon || 0 || ET SCAN SipCLI VOIP Scan - TCP || url,www.yasinkaplan.com/SipCli/ +1 || 2017162 || 2 || attempted-recon || 0 || ET SCAN SipCLI VOIP Scan || url,www.yasinkaplan.com/SipCli/ +1 || 2017163 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass || url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/ +1 || 2017164 || 4 || trojan-activity || 0 || ET DELETED BlackHole EK Non-standard base64 Key +1 || 2017165 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS JS Browser Based Ransomware || url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/ || url,www.f-secure.com/weblog/archives/00002577.html +1 || 2017166 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013 +1 || 2017167 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS X20 EK Landing July 22 2013 +1 || 2017168 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Landing 07/22/13 +1 || 2017169 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Landing 07/22/13 2 +1 || 2017170 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Landing 07/22/13 3 +1 || 2017171 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Landing 07/22/13 4 +1 || 2017172 || 4 || attempted-user || 0 || ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI +1 || 2017173 || 4 || attempted-user || 0 || ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body || url,struts.apache.org/development/2.x/docs/s2-013.html +1 || 2017174 || 4 || attempted-user || 0 || ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect || url,struts.apache.org/release/2.3.x/docs/s2-016.html +1 || 2017175 || 4 || attempted-user || 0 || ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction || url,struts.apache.org/release/2.3.x/docs/s2-016.html +1 || 2017176 || 4 || attempted-user || 0 || ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action || url,struts.apache.org/release/2.3.x/docs/s2-016.html +1 || 2017177 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Rawin - Landing Page Received +1 || 2017178 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Rawin - Java Exploit -dubspace.jar +1 || 2017179 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino Java Payload Download +1 || 2017180 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino Java Payload Download 2 +1 || 2017181 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Sibhost/FlimKit/Glazunov Jar with lowercase class names +1 || 2017182 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded +1 || 2017183 || 3 || trojan-activity || 0 || ET WEB_SERVER WebShell ASPXShell - Title +1 || 2017184 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 1 +1 || 2017185 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 2 +1 || 2017186 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 3 +1 || 2017187 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1 +1 || 2017188 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2 +1 || 2017189 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3 +1 || 2017190 || 5 || trojan-activity || 0 || ET TROJAN Win32/Kelihos.F exe Download 2 || md5,1303188d039076998b170fffe48e4cc0 +1 || 2017191 || 3 || trojan-activity || 0 || ET TROJAN Win32/Kelihos.F Checkin || md5,00db349caf2eefc3be5ee30b8b8947a2 +1 || 2017192 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound) +1 || 2017193 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Outbound) +1 || 2017194 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Inbound) +1 || 2017195 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Inbound) +1 || 2017196 || 4 || trojan-activity || 0 || ET MALWARE Crossrider Spyware Checkin +1 || 2017197 || 3 || bad-unknown || 0 || ET INFO JNLP embedded file +1 || 2017198 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Reversed Embedded JNLP Observed in Sakura/Blackhole Landing +1 || 2017199 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura) +1 || 2017200 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Sakura Jar Download +1 || 2017201 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed) || url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html +1 || 2017202 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed) || url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html +1 || 2017203 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed) || url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html +1 || 2017204 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed) || url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html +1 || 2017205 || 2 || attempted-user || 0 || ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile +1 || 2017206 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String 1 +1 || 2017207 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String 2 +1 || 2017208 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String 3 +1 || 2017209 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String 4 +1 || 2017210 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String 5 +1 || 2017211 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String 6 +1 || 2017212 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String (Single Q) 1 +1 || 2017213 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String (Single Q) 2 +1 || 2017214 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String (Single Q) 3 +1 || 2017215 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String (Single Q) 4 +1 || 2017216 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String (Single Q) 5 +1 || 2017217 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String (Single Q) 6 +1 || 2017218 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String (Single Q) 7 +1 || 2017219 || 2 || trojan-activity || 0 || ET INFO Obfuscated Eval String 7 +1 || 2017220 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 1 +1 || 2017221 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 2 +1 || 2017222 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 3 +1 || 2017223 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 4 +1 || 2017224 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 5 +1 || 2017225 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 6 +1 || 2017226 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 7 +1 || 2017227 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 8 +1 || 2017228 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 9 +1 || 2017229 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 10 +1 || 2017230 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 11 +1 || 2017231 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 12 +1 || 2017232 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Single Q) 13 +1 || 2017233 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 1 +1 || 2017234 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 2 +1 || 2017235 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 3 +1 || 2017236 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 4 +1 || 2017237 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 5 +1 || 2017238 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 6 +1 || 2017239 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 7 +1 || 2017240 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 8 +1 || 2017241 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 9 +1 || 2017242 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 10 +1 || 2017243 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 11 +1 || 2017244 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 12 +1 || 2017245 || 2 || bad-unknown || 0 || ET INFO Obfuscated Split String (Double Q) 13 +1 || 2017246 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4 +1 || 2017247 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 4 +1 || 2017248 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS PluginDetect plus Java version check +1 || 2017249 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS %Hex Encoded Applet (Observed in Sakura) +1 || 2017250 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS %Hex Encoded jnlp_embedded (Observed in Sakura) +1 || 2017251 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS %Hex Encoded applet_ssv_validated (Observed in Sakura) +1 || 2017252 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura) +1 || 2017253 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura) +1 || 2017254 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura) +1 || 2017257 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2 +1 || 2017258 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct +1 || 2017259 || 11 || trojan-activity || 0 || ET TROJAN Generic - POST To .php w/Extended ASCII Characters +1 || 2017260 || 11 || trojan-activity || 0 || ET WEB_SERVER WebShell Generic - ASP File Uploaded +1 || 2017261 || 2 || trojan-activity || 0 || ET TROJAN TrojanDownloader.Win32/Dofoil.U Trojan Checkin +1 || 2017262 || 5 || trojan-activity || 0 || ET TROJAN Comfoo Checkin || url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/ +1 || 2017263 || 2 || trojan-activity || 0 || ET TROJAN StealRat Checkin +1 || 2017264 || 2 || trojan-activity || 0 || ET TROJAN CBReplay Checkin +1 || 2017265 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key +1 || 2017266 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino EK Landing URI Format Sep 30 2013 +1 || 2017267 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino Java Exploit Download Sep 30 2013 +1 || 2017268 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino Java Payload Download Sep 30 2013 +1 || 2017269 || 2 || trojan-activity || 0 || ET TROJAN CBReplay.P Ransomware +1 || 2017270 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload Aug 02 2013 || url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html +1 || 2017271 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Plugin-Detect with global % replace on unescaped string (Sakura) +1 || 2017272 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin EK Java (Old) /golem.jar +1 || 2017273 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin EK Java 1.7 /caramel.jar +1 || 2017274 || 2 || trojan-activity || 0 || ET TROJAN W32/StealRat.SpamBot Configuration File Request || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf +1 || 2017275 || 2 || trojan-activity || 0 || ET TROJAN W32/StealRat.SpamBot CnC Server Configuration File Response || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf +1 || 2017276 || 2 || trojan-activity || 0 || ET TROJAN W32/StealRat.SpamBot Email Template Request || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf +1 || 2017277 || 4 || attempted-user || 0 || ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action || cve,2013-2135 || bugtraq,60345 || url,cwiki.apache.org/confluence/display/WW/S2-015 +1 || 2017278 || 2 || web-application-attack || 0 || ET WEB_SERVER Possible Apache Struts OGNL Expression Injection || cve,2013-2135 || bugtraq,60345 || url,cwiki.apache.org/confluence/display/WW/S2-015 +1 || 2017279 || 3 || trojan-activity || 0 || ET TROJAN Win32.Rovnix.I Checkin || md5,605daaa9662b82c0d5982ad3a742d2e7 +1 || 2017280 || 3 || trojan-activity || 0 || ET WEB_SERVER Possible OpenX Backdoor Backdoor Access POST to flowplayer || url,blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html +1 || 2017281 || 3 || trojan-activity || 0 || ET TROJAN Trojan-Ransom.Win32.Blocker.bjat +1 || 2017282 || 3 || trojan-activity || 0 || ET INFO Microsoft Script Encoder Encoded File +1 || 2017283 || 4 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - net user - PRIVMSG Command +1 || 2017284 || 4 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - net localgroup - PRIVMSG Command +1 || 2017285 || 4 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - net add PRIVMSG Command +1 || 2017286 || 4 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - netsh - PRIVMSG Command +1 || 2017287 || 4 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - ipconfig - PRIVMSG Command +1 || 2017288 || 4 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - reg - PRIVMSG Command +1 || 2017289 || 4 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - The command completed successfully - PRIVMSG Response +1 || 2017290 || 3 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - PRIVMSG Response - Directory Listing +1 || 2017291 || 5 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - PRIVMSG Response - net command output +1 || 2017292 || 4 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - PRIVMSG Response - ipconfig command output +1 || 2017293 || 2 || bad-unknown || 0 || ET WEB_SERVER - EXE File Uploaded - Hex Encoded +1 || 2017294 || 3 || misc-activity || 0 || ET INFO Adobe PKG Download Flowbit Set +1 || 2017295 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013 +1 || 2017296 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack Jar Download +1 || 2017297 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download +1 || 2017298 || 3 || attempted-user || 0 || ET WEB_CLIENT Possible Firefox CVE-2013-1690 || cve,2013-1690 +1 || 2017299 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS X20 EK Download Aug 07 2013 +1 || 2017300 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version +1 || 2017301 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application page landing +1 || 2017302 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader +1 || 2017303 || 5 || trojan-activity || 0 || ET TROJAN ATTACKER IRCBot - PRIVMSG Response - Directory Listing *nix +1 || 2017305 || 3 || trojan-activity || 0 || ET TROJAN Win32/Cridex Checkin || md5,94e496decf90c4ba2fb3e7113a081726 +1 || 2017306 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound) +1 || 2017307 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound) +1 || 2017308 || 3 || trojan-activity || 0 || ET TROJAN W32/PornoAsset.Ransomware CnC Checkin || url,anubis.iseclab.org/?action=result&task_id=19e3b6cbfdf8d6bd429ecc75ed016fb91 || url,blog.avast.com/2013/11/21/ransomware-annoys-its-victims-by-displaying-child-pornography-pictures/#more-20393 || url,blog.avast.com/2013/10/24/what-to-do-if-your-computer-is-attacked-by-ransomware/ +1 || 2017309 || 3 || trojan-activity || 0 || ET TROJAN FortDisco Reporting Status || url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/ || md5,722a1809bd4fd75743083f3577e1e6a4 +1 || 2017310 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php || url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/ || md5,722a1809bd4fd75743083f3577e1e6a4 +1 || 2017311 || 3 || trojan-activity || 0 || ET TROJAN Possible FortDisco Reporting Hacked Accounts || url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/ +1 || 2017312 || 4 || trojan-activity || 0 || ET TROJAN Win32/Pift DNS TXT CnC Lookup ppidn.net || url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf || md5,d3c6af8284276b11c2f693c1195b4735 +1 || 2017313 || 3 || trojan-activity || 0 || ET TROJAN China Chopper Command Struct || url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html +1 || 2017314 || 2 || trojan-activity || 0 || ET TROJAN PRISM Backdoor +1 || 2017315 || 2 || trojan-activity || 0 || ET TROJAN Unknown Covert Channel (VERSONEX and Mr.Black) +1 || 2017317 || 2 || trojan-activity || 0 || ET ATTACK_RESPONSE python shell spawn attempt +1 || 2017318 || 3 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command +1 || 2017319 || 6 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and 3 Letter Country Code +1 || 2017321 || 8 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7 +1 || 2017322 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Win +1 || 2017323 || 4 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and -PC +1 || 2017324 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013 +1 || 2017325 || 4 || trojan-activity || 0 || ET TROJAN Yayih.A Checkin 2 || md5,832f5e01be536da71d5b3f7e41938cfb || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html +1 || 2017326 || 2 || trojan-activity || 0 || ET TROJAN Yayih.A Checkin 3 || md5,832f5e01be536da71d5b3f7e41938cfb || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html +1 || 2017327 || 2 || attempted-user || 0 || ET WEB_SERVER Joomla Upload File Filter Bypass +1 || 2017328 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK setSecurityManager hex August 14 2013 || url,piratebrowser.com +1 || 2017329 || 2 || policy-violation || 0 || ET POLICY Pirate Browser Download || url,piratebrowser.com +1 || 2017330 || 2 || attempted-admin || 0 || ET WEB_SERVER SQLi - SELECT and sysobject +1 || 2017333 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Styx EK - /jvvn.html +1 || 2017334 || 3 || bad-unknown || 0 || ET INFO SUSPICIOUS Reassigned Eval Function 1 +1 || 2017335 || 3 || bad-unknown || 0 || ET INFO SUSPICIOUS Reassigned Eval Function 2 +1 || 2017336 || 3 || bad-unknown || 0 || ET INFO SUSPICIOUS Reassigned Eval Function 3 +1 || 2017337 || 2 || attempted-user || 0 || ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns +1 || 2017340 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request || cve,2011-3402 +1 || 2017341 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole Exploit Kit Microsoft OpenType Font Exploit || cve,2011-3402 +1 || 2017342 || 3 || bad-unknown || 0 || ET INFO Iframe For IP Address Site +1 || 2017343 || 2 || trojan-activity || 0 || ET TROJAN W32/Spy.KeyLogger.OCI CnC Checkin || url,www.virusradar.com/en/Win32_Spy.KeyLogger.OCI/description || url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis/ +1 || 2017344 || 3 || trojan-activity || 0 || ET TROJAN Proxychecker Lookup || url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis +1 || 2017345 || 4 || shellcode-detect || 0 || ET SHELLCODE Possible UTF-16 u9090 NOP SLED || url,cansecwest.com/slides07/csw07-nazario.pdf || url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html || url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html +1 || 2017346 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013 +1 || 2017347 || 4 || trojan-activity || 0 || ET TROJAN Trojan Related Lame Updater User-Agent +1 || 2017348 || 5 || trojan-activity || 0 || ET USER_AGENTS Trojan.Win32.VBKrypt.cugq Checkin || url,www.securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq || url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=456326 || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx || md5,79e24434a74a985e1c64925fd0ac4b28 +1 || 2017349 || 3 || trojan-activity || 0 || ET TROJAN Win32.Troj.Cidox Checkin || md5,0ce7f9dde5c273d7e71c9f1301fe505d +1 || 2017350 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.admin@388 Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017351 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.th3bug Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017352 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.keaidestone Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017353 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.suzuki Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017354 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.happyyongzi Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017355 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.key@123 Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017356 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.gwx@123 Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017357 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.wwwst@Admin Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017358 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.xiaoxiaohuli Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017359 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.smallfish Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017360 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.XGstone Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017361 || 2 || trojan-activity || 0 || ET TROJAN PoisonIvy.fishplay Keepalive to CnC || url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf +1 || 2017362 || 2 || trojan-activity || 0 || ET TROJAN Win32/Napolar.A Getting URL || md5,9a8cee88d7440f25be8404b71cb584de || md5,b70f8d0afa82c222f55f7a18d2ad0b81 +1 || 2017363 || 2 || bad-unknown || 0 || ET INFO InetSim Response from External Source Possible SinkHole +1 || 2017364 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole obfuscated base64 key string +1 || 2017365 || 8 || bad-unknown || 0 || ET TROJAN SUSPICIOUS UA (iexplore) || md5,b0e8ce16c42dee20d2c1dfb1b87b3afc +1 || 2017366 || 2 || attempted-user || 0 || ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632 || url,www.exploit-db.com/exploits/27755/ || cve,2013-0632 +1 || 2017367 || 2 || trojan-activity || 0 || ET TROJAN Possible Win32/Napolar.A URL Response || md5,9a8cee88d7440f25be8404b71cb584de || md5,b70f8d0afa82c222f55f7a18d2ad0b81 +1 || 2017368 || 2 || trojan-activity || 0 || ET TROJAN Possible Avatar RootKit Yahoo Group Search || md5,7b6409fc32c70908a9468eaac845bdaa || md5,b647a4af77b2fad3f40c6769c22ebf74 || url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/ +1 || 2017369 || 2 || trojan-activity || 0 || ET TROJAN Bitcoin variant Checkin || url,blog.avast.com/2013/08/01/malicious-bitcoin-miners-target-czech-republic/ || md5,15cb65409f9b935cfdff72c22c358e34 +1 || 2017370 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL || url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/ +1 || 2017371 || 10 || trojan-activity || 0 || ET TROJAN Win32/Neurevt.A checkin || md5,c447d364a9dad369ff07dcc14f5fbefb || md5,a0a66dfbdf1ce76782ba20a07a052976 +1 || 2017372 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing with Applet Aug 26 2013 +1 || 2017373 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible CookieBomb Generic JavaScript Format +1 || 2017374 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS CookieBomb Generic PHP Format +1 || 2017375 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS CookieBomb Generic HTML Format +1 || 2017376 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Possible BHEK Landing URI Format +1 || 2017377 || 2 || trojan-activity || 0 || ET TROJAN Win64/Vabushky.A Malicious driver download || url,welivesecurity.com/2013/08/27/the-powerloader-64-bit-update-based-on-leaked-exploits/ +1 || 2017378 || 5 || trojan-activity || 0 || ET TROJAN Drive DDoS Tool get command received key=okokokjjk || url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/ +1 || 2017379 || 5 || trojan-activity || 0 || ET TROJAN Drive DDoS Tool long command received key=okokokjjk || url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/ +1 || 2017380 || 5 || trojan-activity || 0 || ET TROJAN Drive DDoS Tool smart command received key=okokokjjk || url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/ +1 || 2017381 || 5 || trojan-activity || 0 || ET TROJAN Drive DDoS Tool post1 command received key=okokokjjk || url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/ +1 || 2017382 || 5 || trojan-activity || 0 || ET TROJAN Drive DDoS Tool post2 command received key=okokokjjk || url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/ +1 || 2017383 || 5 || trojan-activity || 0 || ET TROJAN Drive DDoS Tool byte command received key=okokokjjk || url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/ +1 || 2017384 || 5 || trojan-activity || 0 || ET TROJAN Drive DDoS Tool byte command received key=okokokjjk || url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/ +1 || 2017385 || 2 || trojan-activity || 0 || ET TROJAN Trojan.Dirtjump Checkin || url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/ || md5,50a538221e015d77cf4794ae78978ce2 +1 || 2017386 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible APT-12 Related C2 || url,community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations +1 || 2017387 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Landing Aug 27 2013 +1 || 2017388 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Sweet Orange Payload Download Aug 28 2013 +1 || 2017389 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - ASPyder - Auth Creds +1 || 2017390 || 3 || trojan-activity || 0 || ET WEB_SERVER WebShell - ASPyder - File Browser - Interface +1 || 2017391 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - ASPyder - Auth Prompt +1 || 2017392 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - ASPyder - File Browser - POST Structure +1 || 2017393 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure +1 || 2017394 || 2 || trojan-activity || 0 || ET WEB_SERVER WebShell - ASPyder - File Upload - Response +1 || 2017395 || 3 || trojan-activity || 0 || ET TROJAN Likely Bot Nick in IRC ([country|so version|CPU]) +1 || 2017396 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Landing Aug 29 2013 +1 || 2017397 || 2 || bad-unknown || 0 || ET DOS Apple CoreText Exploit Specific string || url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/ +1 || 2017398 || 2 || attempted-recon || 0 || ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection +1 || 2017399 || 7 || trojan-activity || 0 || ET WEB_SERVER WebShell Generic eval of base64_decode +1 || 2017400 || 7 || trojan-activity || 0 || ET WEB_SERVER WebShell Generic eval of gzinflate +1 || 2017401 || 7 || trojan-activity || 0 || ET WEB_SERVER WebShell Generic eval of str_rot13 +1 || 2017402 || 7 || trojan-activity || 0 || ET WEB_SERVER WebShell Generic eval of gzuncompress +1 || 2017403 || 7 || trojan-activity || 0 || ET WEB_SERVER WebShell Generic eval of convert_uudecode +1 || 2017404 || 3 || trojan-activity || 0 || ET WORM W32/Njw0rm CnC Beacon || url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html || md5,4c60493b14c666c56db163203e819272 || md5,b0e1d20accd9a2ed29cdacb803e4a89d +1 || 2017405 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing with Applet Aug 30 2013 +1 || 2017406 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin EK Java /victoria.jar +1 || 2017407 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura Landing with Applet Aug 30 2013 +1 || 2017408 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS GondadEK Landing Sept 03 2013 || url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit +1 || 2017409 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1 || url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf || url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html +1 || 2017410 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2 || url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf || url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html +1 || 2017411 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3 || url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf || url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html +1 || 2017412 || 7 || trojan-activity || 0 || ET TROJAN Gh0st_Apple Checkin || url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html || md5,f4d4076dff760eb92e4ae559c2dc4525 +1 || 2017413 || 2 || trojan-activity || 0 || ET TROJAN NJRat-backdoor Checkin || url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html +1 || 2017414 || 3 || trojan-activity || 0 || ET DELETED Unknown Malware CnC response with exe file || url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html +1 || 2017415 || 4 || trojan-activity || 0 || ET DELETED Taidoor Checkin || url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html +1 || 2017416 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole EK Variant PDF Download +1 || 2017417 || 8 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Keep-Alive (INBOUND) || md5,0ae2261385c482d55519be9b0e4afef3 || url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e || md5,41a0a4c0831dbcbbfd877c7d37b671e0 || url,blog.fireeye.com/research/2012/09/the-story-behind-backdoorlv.html +1 || 2017418 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Keep-Alive (OUTBOUND) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017419 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Checkin || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017420 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command (File Manager) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017421 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command Response (File Manager) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017422 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command (Remote Desktop) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017423 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command Response (Remote Desktop) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017424 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command (Remote Cam) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017425 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command Response (Remote Cam) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017426 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command (Remote Shell) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017427 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command Response (Process listing) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017428 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command (Kill Process) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017429 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command (Registry) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017430 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command (Keylogger) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017431 || 3 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command (Get Passwords) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017432 || 2 || trojan-activity || 0 || ET TROJAN Bladabindi/njrat CnC Command Response (Get Passwords) || url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html +1 || 2017433 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura EK Landing Sep 06 2013 +1 || 2017434 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing Sep 06 2013 +1 || 2017435 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing JAR Sep 06 2013 +1 || 2017436 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP SERVER SuperGlobal in URI || url,imperva.com/download.asp?id=421 +1 || 2017437 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP GET SuperGlobal in URI || url,imperva.com/download.asp?id=421 +1 || 2017438 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP POST SuperGlobal in URI || url,imperva.com/download.asp?id=421 +1 || 2017439 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP COOKIE SuperGlobal in URI || url,imperva.com/download.asp?id=421 +1 || 2017440 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP SESSION SuperGlobal in URI || url,imperva.com/download.asp?id=421 +1 || 2017441 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP REQUEST SuperGlobal in URI || url,imperva.com/download.asp?id=421 +1 || 2017442 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP ENV SuperGlobal in URI || url,imperva.com/download.asp?id=421 +1 || 2017443 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP SERVER SuperGlobal in POST || url,imperva.com/download.asp?id=421 +1 || 2017444 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP GET SuperGlobal in POST || url,imperva.com/download.asp?id=421 +1 || 2017445 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP POST SuperGlobal in POST || url,imperva.com/download.asp?id=421 +1 || 2017446 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP COOKIE SuperGlobal in POST || url,imperva.com/download.asp?id=421 +1 || 2017447 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP SESSION SuperGlobal in POST || url,imperva.com/download.asp?id=421 +1 || 2017448 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP REQUEST SuperGlobal in POST || url,imperva.com/download.asp?id=421 +1 || 2017449 || 2 || bad-unknown || 0 || ET WEB_SERVER PHP ENV SuperGlobal in POST || url,imperva.com/download.asp?id=421 +1 || 2017450 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura Sep 10 2013 +1 || 2017451 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS FlimKit Landing Page +1 || 2017452 || 3 || trojan-activity || 0 || ET DELETED Blackhole hex and wordlist initial landing and exploit path +1 || 2017453 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection +1 || 2017454 || 12 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole EK Payload Download Sep 11 2013 +1 || 2017455 || 6 || trojan-activity || 0 || ET TROJAN Waledac FACEPUNCH Traffic Detected || url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_infiltrating_the_waledac_botnet_v2.pdf +1 || 2017456 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole EK Variant PDF Download Sep 11 2013 +1 || 2017457 || 3 || bad-unknown || 0 || ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 1 +1 || 2017458 || 3 || bad-unknown || 0 || ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 2 +1 || 2017459 || 3 || bad-unknown || 0 || ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 3 +1 || 2017460 || 3 || bad-unknown || 0 || ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 4 +1 || 2017461 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blackhole obfuscated base64 decoder Sep 12 2013 +1 || 2017462 || 2 || trojan-activity || 0 || ET TROJAN ZeroAccess P2P Module v6 Reporting || url,dnsamplificationattacks.blogspot.gr/p/blog-page.html +1 || 2017463 || 2 || attempted-user || 0 || ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free +1 || 2017464 || 2 || trojan-activity || 0 || ET TROJAN W32/Hesperus.Banker Tr-mail Variant Sending Data To CnC || url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan +1 || 2017465 || 3 || trojan-activity || 0 || ET TROJAN W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC || url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan +1 || 2017466 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon || url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans +1 || 2017467 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Reversed Country Code and 32 hex Jar Sep 16 2013 +1 || 2017468 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Fake Microsoft Security Update Applet Sep 16 2013 +1 || 2017469 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible SNET EK VBS Download +1 || 2017470 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SNET EK Encoded VBS 1 +1 || 2017471 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SNET EK Encoded VBS 2 +1 || 2017472 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SNET EK Encoded VBS 3 +1 || 2017473 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible CoolEK Variant Payload Download Sep 16 2013 +1 || 2017474 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Variant Landing Page - Applet Sep 16 2013 +1 || 2017475 || 2 || trojan-activity || 0 || ET TROJAN Win32/Dipverdle.A Activity || md5,182ea2f564f6211d37a6c35a4bd99ee6 +1 || 2017476 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY SweetOrange - Java Exploit Downloaded +1 || 2017477 || 5 || attempted-user || 0 || ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass || cve,2013-3893 || url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx +1 || 2017478 || 4 || attempted-user || 0 || ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability || cve,2013-3893 || url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx +1 || 2017479 || 5 || attempted-user || 0 || ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability || cve,2013-3893 || url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx +1 || 2017480 || 5 || attempted-user || 0 || ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability || cve,2013-3893 || url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx +1 || 2017481 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole initial landing/gate +1 || 2017482 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Styx - TDS - Redirect To Landing Page +1 || 2017483 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass +1 || 2017484 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass +1 || 2017485 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass +1 || 2017486 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass +1 || 2017487 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass +1 || 2017488 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass +1 || 2017489 || 2 || trojan-activity || 0 || ET TROJAN W32/Zzinfor.A Retrieving Instructions From CnC Server || md5,7e37a407a8fb0df3b2835419ad16f500 || md5,422b926dbbe03d0e4555328282c8f32b +1 || 2017490 || 2 || trojan-activity || 0 || ET TROJAN W32/Downloader.Mevade.FBV CnC Beacon || url,blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/ || url,blog.damballa.com/archives/2135 +1 || 2017491 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino EK Landing URI Format Sep 19 2013 +1 || 2017492 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino EK Java Exploit Download Sep 19 2013 +1 || 2017493 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download Sep 19 2013 +1 || 2017494 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 1 || url,seclists.org/bugtraq/2013/Jul/41 +1 || 2017495 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2 || url,seclists.org/bugtraq/2013/Jul/41 +1 || 2017496 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 3 || url,seclists.org/bugtraq/2013/Jul/41 +1 || 2017497 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Rawin EK - Java Exploit - bona.jar +1 || 2017498 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Blatantly Evil JS Function +1 || 2017499 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 1 +1 || 2017500 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 2 +1 || 2017501 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3 +1 || 2017502 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3 +1 || 2017503 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Used in various watering hole attacks +1 || 2017504 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Generic - *.com.exe HTTP Attachment +1 || 2017505 || 2 || trojan-activity || 0 || ET TROJAN Gh0st Trojan CnC 2 +1 || 2017506 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Sakura - Java Exploit Recieved - Atomic +1 || 2017507 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Cushion Redirection || url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html +1 || 2017508 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Styx J7u21 click2play bypass +1 || 2017509 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Possible J7u21 click2play bypass +1 || 2017510 || 2 || attempted-user || 0 || ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific +1 || 2017511 || 2 || trojan-activity || 0 || ET TROJAN DeputyDog callback || url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html +1 || 2017512 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js || url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html || url,blog.damballa.com/archives/2147 +1 || 2017513 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html || url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html || url,blog.damballa.com/archives/2147 +1 || 2017515 || 4 || attempted-recon || 0 || ET INFO User-Agent (python-requests) Inbound to Webserver +1 || 2017516 || 3 || trojan-activity || 0 || ET TROJAN Worm.VBS.ayr Checkin 1 || md5,d2e799904582f03281060689f5447585 +1 || 2017517 || 4 || trojan-activity || 0 || ET TROJAN Worm.VBS.ayr Checkin 2 || md5,d2e799904582f03281060689f5447585 +1 || 2017518 || 2 || trojan-activity || 0 || ET TROJAN Worm.VBS.ayr CnC command (/iam-ready) || url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html +1 || 2017519 || 2 || trojan-activity || 0 || ET TROJAN Worm.VBS.ayr CnC command (is-enum-driver) || url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html +1 || 2017520 || 3 || trojan-activity || 0 || ET TROJAN Worm.VBS.ayr CnC command (is-enum-folder) || url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html +1 || 2017521 || 2 || trojan-activity || 0 || ET TROJAN Worm.VBS.ayr CnC command (is-enum-process) || url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html +1 || 2017522 || 2 || trojan-activity || 0 || ET TROJAN Worm.VBS.ayr CnC command (is-cmd-shell) || url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html +1 || 2017523 || 5 || trojan-activity || 0 || ET TROJAN Worm.VBS.ayr CnC command response || url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html +1 || 2017524 || 3 || trojan-activity || 0 || ET TROJAN DATA-BROKER BOT Activity || url,krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/ || md5,adcfe50aaaa0928adf2785fefe7307cc +1 || 2017525 || 2 || trojan-activity || 0 || ET TROJAN OSX/Leverage.A Checkin +1 || 2017526 || 3 || trojan-activity || 0 || ET TROJAN Hiloti/Mufanom CnC Response +1 || 2017527 || 3 || trojan-activity || 0 || ET TROJAN W32/Napolar Checkin || url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/ || url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/ || md5,2c344add2ee6201f4e2cdf604548408b +1 || 2017528 || 4 || bad-unknown || 0 || ET WEB_SERVER UA WordPress, probable DDOS-Attack || url,thehackernews.com/2013/09/thousands-of-wordpress-blogs.html || url,pastebin.com/NP64hTQr +1 || 2017529 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS LightsOut EK Payload Download || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017530 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK info3i.html || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017531 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK info3i.php || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017532 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK inden2i.html || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017533 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK sort.html || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017534 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK leks.html || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017535 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK negc.html || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017536 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK negq.html || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017537 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK leks.jar || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017538 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK start.jar || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017539 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK stoq.jar || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017540 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK erno_rfq.html || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017541 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK inden2i.php || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017542 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK gami.html || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017543 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible LightsOut EK gami.jar || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017544 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS LightsOut EK POST Compromise POST || url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector +1 || 2017545 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing with Applet Sep 30 2013 +1 || 2017546 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible FortDisco POP3 Site list download || md5,538a4cedad8791e27088666a4a6bf9c5 || md5,87c21bc9c804cefba6bb4148dbe4c4de || url,www.abuse.ch/?p=5813 +1 || 2017547 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CoolEK Jar Download Sep 30 2013 || md5,d58fea2d0f791e65c6aae8e52f7089c1 +1 || 2017548 || 4 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 +1 || 2017549 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Fake MS Security Update (Jar) +1 || 2017550 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK Landing Oct 1 2013 +1 || 2017551 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Obfuscated http 2 digit sep in applet (Seen in HiMan EK) +1 || 2017552 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Cushion Redirection || url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html +1 || 2017553 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK Reporting Host/Exploit Info +1 || 2017554 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS BHEK Payload Download (java only alternate method may overlap with 2017454) +1 || 2017555 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign +1 || 2017556 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS BlackHole EK Variant PDF Download +1 || 2017557 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR || cve,2013-1488 || url,www.contextis.com/research/blog/java-pwn2own/ || url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager +1 || 2017558 || 2 || misc-activity || 0 || ET TROJAN Mevade Checkin +1 || 2017559 || 2 || trojan-activity || 0 || ET TROJAN SSH Connection on 443 - Mevade Banner +1 || 2017560 || 3 || attempted-admin || 0 || ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start of value || url,localhost.re/p/whmcs-527-vulnerability +1 || 2017561 || 3 || trojan-activity || 0 || ET MALWARE W32/Wajam.Adware Sucessful Install +1 || 2017562 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing with Applet Oct 4 2013 +1 || 2017563 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Possible Java CVE-2013-2465 Based on PoC || cve,2013-2465 || url,seclists.org/fulldisclosure/2013/Aug/134 || url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html +1 || 2017564 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Unknown EK Landing || cve,2013-2465 || url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html || url,seclists.org/fulldisclosure/2013/Aug/134 +1 || 2017565 || 4 || bad-unknown || 0 || ET INFO Obfuscated fromCharCode +1 || 2017566 || 5 || bad-unknown || 0 || ET INFO Obfuscated fromCharCode +1 || 2017567 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS FiestaEK js-redirect +1 || 2017568 || 3 || attempted-user || 0 || ET CURRENT_EVENTS Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo || cve,2013-2465 || url,seclists.org/fulldisclosure/2013/Aug/134 || url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_storeimagearray.rb +1 || 2017569 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Landing Page +1 || 2017570 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Exploit Download +1 || 2017571 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Payload Download +1 || 2017572 || 5 || attempted-user || 0 || ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897 || cve,2013-3897 +1 || 2017573 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object || url,www.exploit-db.com/exploits/28713/ +1 || 2017574 || 3 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object || url,www.exploit-db.com/exploits/28713/ +1 || 2017575 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation || url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html +1 || 2017576 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Styx EK jply.html +1 || 2017577 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Fiesta EK Landing Oct 09 2013 +1 || 2017578 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Fake MS Security Update EK (Payload Download) +1 || 2017579 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps) +1 || 2017580 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DotkaChef Payload October 09 +1 || 2017582 || 3 || trojan-activity || 0 || ET TROJAN CryptoLocker Ransomware check-in 2 || md5,a354873df6dbce59e801380cee39ac17 +1 || 2017583 || 4 || trojan-activity || 0 || ET TROJAN CryptoLocker EXE Download +1 || 2017584 || 5 || trojan-activity || 0 || ET TROJAN CryptoLocker Ransomware check-in || md5,6afc848066d274d8632c742340560a67 +1 || 2017585 || 3 || trojan-activity || 0 || ET TROJAN Possible W32/KanKan tools.ini Request || url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/ +1 || 2017586 || 2 || trojan-activity || 0 || ET TROJAN Possible W32/KanKan Update officeaddinupdate.xml Request || url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/ +1 || 2017587 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon || url,quequero.org/2013/09/android-opfake-malware-analysis/ +1 || 2017588 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon || url,quequero.org/2013/09/android-opfake-malware-analysis/ +1 || 2017589 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown EK Initial Payload Internet Connectivity Check || url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html +1 || 2017590 || 3 || attempted-admin || 0 || ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA || url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/ +1 || 2017591 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Malvertising Related EK Landing Oct 14 2013 || url,www.malwaresigs.com/2013/10/14/unknown-ek/ +1 || 2017592 || 1 || trojan-activity || 0 || ET CURRENT_EVENTS Unknown Malvertising Related EK Redirect Oct 14 2013 || url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html +1 || 2017593 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino EK Landing URI Format Oct 15 2013 +1 || 2017594 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino Java Exploit Download Oct 15 2013 +1 || 2017595 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino Java Payload Download Oct 15 2013 +1 || 2017596 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino XORed pluginDetect 1 +1 || 2017597 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino XORed pluginDetect 2 +1 || 2017598 || 5 || trojan-activity || 0 || ET TROJAN Possible Kelihos.F EXE Download Common Structure +1 || 2017599 || 3 || trojan-activity || 0 || ET TROJAN Backdoor.Egobot Checkin || url,symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign +1 || 2017600 || 2 || trojan-activity || 0 || ET TROJAN W32.Nemim Checkin || url,symantec.com/connect/blogs/infostealernemim-how-pervasive-infostealer-continues-evolve +1 || 2017601 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 IE Exploit URI Struct +1 || 2017602 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013 +1 || 2017603 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013 +1 || 2017604 || 2 || successful-admin || 0 || ET WEB_SERVER PHP WebShell Embedded In GIF (OUTBOUND) || url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html +1 || 2017605 || 2 || successful-admin || 0 || ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND) || url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html +1 || 2017606 || 2 || successful-admin || 0 || ET WEB_SERVER PHP WebShell Embedded In PNG (OUTBOUND) || url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html +1 || 2017607 || 2 || successful-admin || 0 || ET WEB_SERVER PHP WebShell Embedded In GIF (INBOUND) || url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html +1 || 2017608 || 2 || successful-admin || 0 || ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND) || url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html +1 || 2017609 || 3 || successful-admin || 0 || ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND) || url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html +1 || 2017610 || 2 || web-application-attack || 0 || ET DELETED vBulletin Administrator Injection Attempt || url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html +1 || 2017611 || 2 || web-application-attack || 0 || ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt || url,security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html || cve,2013-3815 +1 || 2017612 || 5 || trojan-activity || 0 || ET DELETED Kelihos p2p traffic detected via byte_test - SET +1 || 2017613 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013 +1 || 2017614 || 2 || trojan-activity || 0 || ET DELETED Kelihos p2p traffic detected via byte_test CnC Response +1 || 2017615 || 4 || network-scan || 0 || ET SCAN NETWORK Outgoing Masscan detected || url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html || url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html +1 || 2017616 || 4 || network-scan || 0 || ET SCAN NETWORK Incoming Masscan detected || url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html || url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html +1 || 2017617 || 3 || trojan-activity || 0 || ET TROJAN W32/Onkod.Downloader Executable Download || url,blog.fortinet.com/Avoiding-Heuristic-Detection/ +1 || 2017620 || 3 || trojan-activity || 0 || ET TROJAN Kuluoz Activity || md5,c71416a9ec5414fe487167b5bfd921ec +1 || 2017621 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Cutwail Redirect to Magnitude EK || url,www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit/ +1 || 2017622 || 5 || attempted-admin || 0 || ET WEB_SPECIFIC_APPS WHMCS lt 5.2.8 SQL Injection || url,localhost.re/res/whmcs2.py +1 || 2017623 || 3 || attempted-admin || 0 || ET CURRENT_EVENTS Tenda Router Backdoor 1 || url,www.devttys0.com/2013/10/from-china-with-love/ +1 || 2017624 || 3 || attempted-admin || 0 || ET CURRENT_EVENTS Tenda Router Backdoor 2 || url,www.devttys0.com/2013/10/from-china-with-love/ +1 || 2017625 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound) +1 || 2017626 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound) +1 || 2017628 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Sakura Jar Download Oct 22 2013 +1 || 2017629 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS FlashPack Oct 23 2013 +1 || 2017630 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK encrypted binary (1) +1 || 2017631 || 2 || attempted-admin || 0 || ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass || url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp +1 || 2017632 || 2 || attempted-admin || 0 || ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass || url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html +1 || 2017633 || 3 || trojan-activity || 0 || ET TROJAN Athena DDoS Bot Checkin || md5,19ca0d830cd7b44e5de1ab85f4e17d82 +1 || 2017634 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing Page Oct 25 2013 +1 || 2017635 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Styx Landing Page Oct 25 2013 +1 || 2017636 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear EK PDF URI Struct +1 || 2017637 || 2 || bad-unknown || 0 || ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits +1 || 2017638 || 2 || attempted-admin || 0 || ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure || url,packetstorm.foofus.com/1208-exploits/asl26555_pass_disclosure.txt +1 || 2017639 || 6 || bad-unknown || 0 || ET INFO JAR Size Under 30K Size - Potentially Hostile +1 || 2017640 || 2 || bad-unknown || 0 || ET WEB_SERVER Possible Encrypted Webshell Download || url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html +1 || 2017641 || 3 || bad-unknown || 0 || ET WEB_SERVER Possible Encrypted Webshell in POST || url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html +1 || 2017642 || 3 || trojan-activity || 0 || ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 1 +1 || 2017643 || 3 || trojan-activity || 0 || ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 2 +1 || 2017644 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Host Domain .bit || url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/ +1 || 2017645 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS DNS Query Domain .bit || url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/ +1 || 2017646 || 4 || trojan-activity || 0 || ET TROJAN possible TRAT proxy component user agent detected || url,www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html +1 || 2017647 || 2 || trojan-activity || 0 || ET TROJAN FakeAV Install || md5,d1663e13314a6722db7cb7549b470c64 +1 || 2017648 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Sweet Orange payload Request +1 || 2017649 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange encrypted payload +1 || 2017650 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO/Grandsoft Plugin-Detect +1 || 2017652 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1 2013 +1 || 2017653 || 13 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino Java Exploit/Payload Download Nov 1 2013 || url,pastebin.com/194D8UuK +1 || 2017654 || 4 || trojan-activity || 0 || ET DELETED W32/Badur.Spy User Agent HWMPro || md5,234c47b5b29a2cfcc00900bbc13ea181 +1 || 2017655 || 3 || trojan-activity || 0 || ET TROJAN W32/Badur.Spy User Agent lawl || md5,4f5d28c43795b9c4e6257bf26c52bdfe +1 || 2017656 || 3 || trojan-activity || 0 || ET TROJAN W32/InstallMonster.Downloader Checkin || md5,70a6d9cb37e346b4dfd28bd4ea1f8671 +1 || 2017657 || 6 || attempted-user || 0 || ET WEB_CLIENT SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage || url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/ || url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/ +1 || 2017658 || 5 || trojan-activity || 0 || ET TROJAN Unknown Trojan Secondary Download || md5,3a2c3b422a7ec78f88a939d20ed07615 +1 || 2017659 || 5 || trojan-activity || 0 || ET TROJAN Unknown Trojan Download || md5,3a2c3b422a7ec78f88a939d20ed07615 +1 || 2017660 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Malicious Cookie Set By Flash Malvertising || md5,cce9dcad030c4cba605a8ee65572136a +1 || 2017661 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Redirect to Neutrino goi.php Nov 4 2013 +1 || 2017662 || 2 || trojan-activity || 0 || ET TROJAN Known Sinkhole Response Header || md5,723a90462a417337355138cc6aba2290 +1 || 2017663 || 2 || web-application-attack || 0 || ET CURRENT_EVENTS Fredcot campaign php5-cgi initial exploit || cve,2012-1823 || url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ +1 || 2017664 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Fredcot campaign payload download || md5,e69bbd29f2822c1846d569ace710c9d5 || url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243 +1 || 2017665 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Fredcot campaign IRC CnC || md5,e69bbd29f2822c1846d569ace710c9d5 || url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243 +1 || 2017666 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013 +1 || 2017667 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013 +1 || 2017668 || 4 || attempted-user || 0 || ET TROJAN Possible Backdoor.Adwind Download || url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3 +1 || 2017669 || 5 || misc-activity || 0 || ET INFO Zip File +1 || 2017670 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS Word DOCX with Many ActiveX Objects and Media || url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2 +1 || 2017671 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible CVE-2013-3906 CnC Checkin || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017672 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017673 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017674 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017675 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017676 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download +1 || 2017677 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS wimhost.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017678 || 3 || trojan-activity || 0 || ET DELETED SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download +1 || 2017679 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017680 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS waulct.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017681 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS alg.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017682 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS mssrs.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017683 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS winhosts.exe in URI Probable Process Dump/Trojan Download || url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017684 || 2 || attempted-admin || 0 || ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621 || cve,CVE-2013-3621 || url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities +1 || 2017685 || 2 || attempted-admin || 0 || ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter Buffer Overflow Attempt CVE-2013-3621 || cve,CVE-2013-3621 || url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities +1 || 2017686 || 2 || attempted-admin || 0 || ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623 || cve,CVE-2013-3623 || url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities +1 || 2017687 || 2 || attempted-admin || 0 || ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT Parameter Buffer Overflow Attempt CVE-2013-3623 || cve,CVE-2013-3623 || url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities +1 || 2017688 || 2 || attempted-admin || 0 || ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi Directory Traversal Attempt || url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities +1 || 2017689 || 2 || trojan-activity || 0 || ET TROJAN Possible Schneebly Posting ScreenShot || url,www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets +1 || 2017690 || 2 || trojan-activity || 0 || ET TROJAN W32/Citadel.Arx Variant CnC Beacon 1 || url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf || url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html +1 || 2017691 || 2 || trojan-activity || 0 || ET TROJAN W32/Citadel.Arx Varient CnC Beacon 2 || url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf || url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html +1 || 2017693 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Styx iframe with obfuscated CVE-2013-2551 +1 || 2017694 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013 +1 || 2017695 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Angler EK Flash Exploit +1 || 2017696 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS FaceBook IM & Web Driven Facebook Trojan Download || url,pastebin.com/raw.php?i=tdATTg7L +1 || 2017697 || 5 || trojan-activity || 0 || ET TROJAN FaceBook IM & Web Driven Facebook Trojan Posting Data || url,pastebin.com/raw.php?i=tdATTg7L +1 || 2017698 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude Landing Nov 11 2013 +1 || 2017699 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Grandsoft/SofosFO EK PDF URI Struct +1 || 2017700 || 3 || trojan-activity || 0 || ET TROJAN Possible Stitur Secondary Download +1 || 2017701 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS webr00t WebShell Access || url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html +1 || 2017702 || 2 || trojan-activity || 0 || ET TROJAN Possible Trojan.APT.9002 POST || url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html +1 || 2017703 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Possible Flash/IE Payload +1 || 2017704 || 3 || attempted-user || 0 || ET WEB_CLIENT Possible IE 0day CVE-2013-3918 1 || url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html +1 || 2017705 || 3 || attempted-user || 0 || ET WEB_CLIENT Possible IE 0day CVE-2013-3918 2 || url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html +1 || 2017706 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request +1 || 2017707 || 1 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 +1 || 2017708 || 3 || attempted-user || 0 || ET WEB_CLIENT Possible IE 0day CVE-2013-3918 3 || url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html +1 || 2017709 || 3 || attempted-user || 0 || ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4 || url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html +1 || 2017710 || 3 || trojan-activity || 0 || ET TROJAN Bamital checkin +1 || 2017711 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Fake Codec Download +1 || 2017712 || 10 || attempted-admin || 0 || ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt || cve,2013-3870 || url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx || url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex +1 || 2017713 || 6 || trojan-activity || 0 || ET TROJAN Taidoor Checkin || url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html || md5,17f9f999e1814b99601446f8ce7eb816 +1 || 2017714 || 5 || trojan-activity || 0 || ET TROJAN PlugX Checkin || url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html || md5,17f9f999e1814b99601446f8ce7eb816 +1 || 2017715 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Angler EK SilverLight Exploit +1 || 2017716 || 3 || trojan-activity || 0 || ET TROJAN Athena Bot Nick in IRC || url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/ || md5,859c2fec50ba1212dca9f00aa4a64ec4 +1 || 2017717 || 3 || trojan-activity || 0 || ET TROJAN Trojan.BlackRev Botnet Monitor Request CnC Beacon || url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/ +1 || 2017718 || 4 || trojan-activity || 0 || ET TROJAN Trojan.BlackRev Botnet Login Request CnC Beacon || url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/ +1 || 2017721 || 3 || trojan-activity || 0 || ET TROJAN Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound || url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/ +1 || 2017722 || 3 || attempted-dos || 0 || ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound || url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/ +1 || 2017723 || 2 || trojan-activity || 0 || ET TROJAN Trojan.BlackRev Botnet Command Request CnC Beacon || url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/ +1 || 2017724 || 3 || trojan-activity || 0 || ET TROJAN PWS Win32/Lmir.BMQ checkin || md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343 || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ +1 || 2017725 || 5 || trojan-activity || 0 || ET TROJAN Sisproc update || md5,f8b3fb4e5f8f1b3bd643e58f1015f9fc +1 || 2017726 || 4 || trojan-activity || 0 || ET TROJAN Downloader (P2P Zeus dropper UA) +1 || 2017727 || 6 || trojan-activity || 0 || ET TROJAN Possible SSH Linux.Fokirtor backchannel command || url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol +1 || 2017728 || 2 || trojan-activity || 0 || ET TROJAN Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic || md5,6ef66c2336b2b5aaa697c2d0ab2b66e2 +1 || 2017729 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Angler Landing Nov 18 2013 +1 || 2017730 || 4 || attempted-user || 0 || ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data || url,github.com/MrXors/Javax/ +1 || 2017731 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Styx EK SilverLight Payload +1 || 2017732 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Styx/Angler SilverLight Exploit +1 || 2017733 || 2 || trojan-activity || 0 || ET DELETED Possible Upatre Downloader SSL certificate +1 || 2017734 || 4 || attempted-admin || 0 || ET WEB_SERVER WEBSHELL pwn.jsp shell || url,nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html || url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html +1 || 2017735 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS WhiteLotus EK PluginDetect Nov 20 2013 +1 || 2017736 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1 +1 || 2017737 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2 +1 || 2017738 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3 +1 || 2017739 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible WhiteLotus Java Payload +1 || 2017740 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing Page Nov 21 2013 +1 || 2017741 || 3 || attempted-user || 0 || ET TROJAN Kryptik Check-in +1 || 2017742 || 2 || trojan-activity || 0 || ET TROJAN Solarbot Check-in +1 || 2017743 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible WhiteLotus IE Payload +1 || 2017744 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS StyX EK Payload Cookie +1 || 2017745 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Fake Media Player malware binary requested +1 || 2017746 || 3 || trojan-activity || 0 || ET TROJAN Trojan-Downloader Win32.Genome.AV || md5,d14314ceb74c8c1a8e1e8ca368d75501 +1 || 2017747 || 3 || trojan-activity || 0 || ET TROJAN Trojan-Downloader Win32.Genome.AV server response || md5,d14314ceb74c8c1a8e1e8ca368d75501 +1 || 2017748 || 6 || misc-activity || 0 || ET INFO Java Downloading Archive flowbit no alert +1 || 2017749 || 6 || misc-activity || 0 || ET INFO Java Downloading Class flowbit no alert +1 || 2017750 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Possible PHISH Remax - AOL Creds +1 || 2017751 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Possible PHISH Remax - Yahoo Creds +1 || 2017752 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Possible PHISH Remax - GMail Creds +1 || 2017753 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Possible PHISH Remax - Hotmail Creds +1 || 2017754 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS Possible PHISH Remax - Other Creds +1 || 2017755 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Goon EK Java Payload +1 || 2017756 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Goon EK Jar Download +1 || 2017757 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 1 +1 || 2017758 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 2 +1 || 2017759 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 3 +1 || 2017760 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager +1 || 2017761 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain +1 || 2017762 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish +1 || 2017763 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class +1 || 2017764 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver +1 || 2017765 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector +1 || 2017766 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl +1 || 2017767 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer +1 || 2017768 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation +1 || 2017769 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file +1 || 2017770 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory +1 || 2017771 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits +1 || 2017772 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473 +1 || 2017773 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463 +1 || 2017774 || 8 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013 +1 || 2017775 || 7 || trojan-activity || 0 || ET TROJAN Darkness DDoS HTTP Target/EXE +1 || 2017776 || 7 || trojan-activity || 0 || ET TROJAN Darkness DDoS Common Intial Check-in Response wtf || md5,a9af388f5a627aa66c34074ef45db1b7 +1 || 2017777 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access takeCameraPicture || url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html +1 || 2017778 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access getGalleryImage || url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html +1 || 2017779 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access makeCall || url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html +1 || 2017780 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial || url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html +1 || 2017781 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail || url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html +1 || 2017782 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendSMS || url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html +1 || 2017783 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access registerMicListener || url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html +1 || 2017784 || 3 || trojan-activity || 0 || ET TROJAN WORM_VOBFUS Checkin Generic 2 || md5,f127ed76dc5e48f69a1070f314488ce2 || url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/ || url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html +1 || 2017785 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear EK IE Exploit CVE-2013-2551 +1 || 2017786 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SNET EK Activity Nov 27 2013 +1 || 2017787 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon || url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html || md5,a68bbfe91fab666daaf2c070db00022f || md5,a68bbfe91fab666daaf2c070db00022f +1 || 2017788 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android.KorBanker Sucessful Fake Banking App Install CnC Server Acknowledgement || url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html || md5,a68bbfe91fab666daaf2c070db00022f || md5,a68bbfe91fab666daaf2c070db00022f +1 || 2017789 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil || md5,6776bda19a3a8ed4c2870c34279dbaa9 +1 || 2017790 || 2 || attempted-user || 0 || ET EXPLOIT Adobe PDF CVE-2013-0640 || url,www.exploit-db.com/exploits/29881/ +1 || 2017791 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign +1 || 2017792 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Hostile fake DHL mailing campaign +1 || 2017793 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK - Payload Requested +1 || 2017794 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK - Flash Exploit +1 || 2017795 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java +1 || 2017796 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK - Landing Page +1 || 2017797 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK - TDS - POST hyt= +1 || 2017798 || 2 || trojan-activity || 0 || ET EXPLOIT Zollard PHP Exploit UA || url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html +1 || 2017801 || 3 || attempted-admin || 0 || ET WEB_SPECIFIC_APPS PeopleSoft Portal Command with Default Creds || url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf +1 || 2017802 || 3 || attempted-admin || 0 || ET WEB_SPECIFIC_APPS SAP Possible CTC Auth/HTTP Verb Bypass Attempt || url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf +1 || 2017803 || 4 || attempted-admin || 0 || ET WEB_SERVER Possible WebLogic Admin Login With Default Creds || url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf +1 || 2017804 || 3 || attempted-admin || 0 || ET WEB_SERVER Possible WebLogic Admin Login With Default Creds || url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf +1 || 2017805 || 3 || attempted-user || 0 || ET WEB_SERVER Possible WebLogic Monitor Login With Default Creds || url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf +1 || 2017806 || 2 || attempted-user || 0 || ET WEB_SERVER Possible WebLogic Operator Login With Default Creds || url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf +1 || 2017807 || 3 || web-application-attack || 0 || ET WEB_SERVER Possible MySQL SQLi User-Dump Attempt || url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet +1 || 2017808 || 2 || web-application-attack || 0 || ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access || url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet +1 || 2017809 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK XOR'd Payload +1 || 2017810 || 2 || trojan-activity || 0 || ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect +1 || 2017811 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Jar Download +1 || 2017812 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Safe/CritX/FlashPack URI with Windows Plugin-Detect Data +1 || 2017813 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Safe/CritX/FlashPack SilverLight Payload +1 || 2017814 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Safe/CritX/FlashPack URI Struct .php?id=Hex +1 || 2017815 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect +1 || 2017816 || 4 || trojan-activity || 0 || ET TROJAN Possible Upatre Downloader SSL certificate || url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx +1 || 2017817 || 7 || trojan-activity || 0 || ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013 +1 || 2017818 || 2 || trojan-activity || 0 || ET TROJAN Common Zbot EXE filename Dec 09 2013 +1 || 2017819 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Styx EK iexp.html +1 || 2017820 || 5 || trojan-activity || 0 || ET WEB_SERVER IIS ISN BackDoor Command GetLog || url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html +1 || 2017821 || 5 || trojan-activity || 0 || ET WEB_SERVER IIS ISN BackDoor Command Delete Log || url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html +1 || 2017822 || 5 || trojan-activity || 0 || ET WEB_SERVER IIS ISN BackDoor Command Get Logpath || url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html +1 || 2017823 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS heapSpray in jjencode || url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/ +1 || 2017824 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Neutrino Landing Page Dec 09 2013 +1 || 2017825 || 2 || trojan-activity || 0 || ET EXPLOIT Zollard PHP Exploit UA Outbound || cve,2012-1823 || url,blogs.cisco.com/security/the-internet-of-everything-including-malware/ +1 || 2017826 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS SPL2 EK Landing Dec 09 2013 +1 || 2017827 || 6 || trojan-activity || 0 || ET CURRENT_EVENTS SPL2 EK Dec 09 2013 Java Request +1 || 2017828 || 2 || trojan-activity || 0 || ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message +1 || 2017829 || 2 || trojan-activity || 0 || ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message +1 || 2017830 || 1 || trojan-activity || 0 || ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message +1 || 2017831 || 2 || trojan-activity || 0 || ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message +1 || 2017832 || 1 || trojan-activity || 0 || ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message +1 || 2017833 || 2 || trojan-activity || 0 || ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message +1 || 2017834 || 2 || trojan-activity || 0 || ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message +1 || 2017835 || 3 || trojan-activity || 0 || ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message +1 || 2017836 || 3 || trojan-activity || 0 || ET TROJAN Possible Zbot Activity Common Download Struct +1 || 2017837 || 3 || trojan-activity || 0 || ET TROJAN Possible Zbot Activity Common Download Struct +1 || 2017838 || 2 || trojan-activity || 0 || ET TROJAN HTTP Connection To Known Sinkhole Domain sinkdns.org +1 || 2017839 || 2 || trojan-activity || 0 || ET TROJAN Vawtrak/NeverQuest Checkin +1 || 2017840 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Styx Exploit Kit - JAR Exploit +1 || 2017841 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Styx Exploit Kit - HTML +1 || 2017842 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS winhost(32|64).exe in URI +1 || 2017843 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SUSPICIOUS pony.exe in URI +1 || 2017844 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Styx Exploit Kit - EOT Exploit +1 || 2017845 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY FakeUpdate - URI - /styles/javaupdate.css +1 || 2017846 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY FakeUpdate - URI - Payload Requested +1 || 2017847 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Browlock Landing Page URI Struct +1 || 2017848 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SPL2 EK SilverLight +1 || 2017849 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK +1 || 2017850 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS SPL2 PluginDetect Data Hash +1 || 2017851 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK Exploit URI Struct +1 || 2017852 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS HiMan EK Secondary Landing +1 || 2017853 || 2 || attempted-admin || 0 || ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File Upload || url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html +1 || 2017854 || 2 || attempted-admin || 0 || ET CURRENT_EVENTS PHP script in OptimizePress Upload Directory Possible WebShell Access || url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html +1 || 2017855 || 2 || trojan-activity || 0 || ET TROJAN W32/Ke3chang.MovieStar.APT Campaign CnC Beacon || url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf || url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html +1 || 2017856 || 2 || trojan-activity || 0 || ET TROJAN W32/Ke3chang.Snake.APT Campaign CnC Beacon || url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf || url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html +1 || 2017857 || 2 || trojan-activity || 0 || ET TROJAN W32/Ke3chang.MyWeb.APT Campaign CnC Beacon || url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf || url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html +1 || 2017858 || 2 || trojan-activity || 0 || ET TROJAN W32/Ke3chang.BMW.APT Campaign CnC Beacon || url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf || url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html +1 || 2017859 || 2 || trojan-activity || 0 || ET TROJAN W32/Ke3chang.Dream.APT Campaign CnC Beacon 2 || url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf || url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html +1 || 2017860 || 2 || trojan-activity || 0 || ET TROJAN W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon || url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf || url,jsunpack.jeek.org/dec/go?report=e5f9dae61673a75db6dcb2475cb6ea8f22f66e9a +1 || 2017861 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Grandsoft/SofosFO EK Java Payload URI Struct +1 || 2017862 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CrimePack PDF Exploit +1 || 2017863 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS CrimePack Java Exploit +1 || 2017864 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS CrimePack HCP Exploit +1 || 2017865 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CrimePack Jar 1 Dec 16 2013 +1 || 2017866 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS CrimePack Jar 2 Dec 16 2013 +1 || 2017867 || 2 || trojan-activity || 0 || ET TROJAN W32/Liftoh.Downloader Feed404 CnC Beacon || url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/ +1 || 2017868 || 2 || trojan-activity || 0 || ET TROJAN W32/Liftoh.Downloader Images CnC Beacon || url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/ +1 || 2017869 || 2 || trojan-activity || 0 || ET TROJAN W32/Liftoh.Downloader Final.html Payload Request || url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/ +1 || 2017870 || 3 || trojan-activity || 0 || ET TROJAN W32/Liftoh.Downloader Get Final Payload Request || url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/ +1 || 2017871 || 4 || trojan-activity || 0 || ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html || url,www.btcguild.com/new_protocol.php || url,mining.bitcoin.cz/stratum-mining +1 || 2017872 || 2 || trojan-activity || 0 || ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html || url,www.btcguild.com/new_protocol.php || url,mining.bitcoin.cz/stratum-mining +1 || 2017873 || 3 || trojan-activity || 0 || ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response || url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html || url,www.btcguild.com/new_protocol.php || url,mining.bitcoin.cz/stratum-mining +1 || 2017874 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013 || url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/ || url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html +1 || 2017875 || 2 || attempted-user || 0 || ET WEB_SERVER Coldfusion cfcexplorer Directory Traversal || url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html +1 || 2017876 || 2 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 +1 || 2017877 || 2 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 +1 || 2017878 || 3 || trojan-activity || 0 || ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection || url,en.bitcoin.it/wiki/Getblocktemplate +1 || 2017879 || 3 || trojan-activity || 0 || ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response || url,en.bitcoin.it/wiki/Getblocktemplate +1 || 2017880 || 4 || trojan-activity || 0 || ET MALWARE W32/Linkular.Adware Sucessful Install Beacon || md5,7cc162a2ba136baaa38a9ccf46d97a06 +1 || 2017881 || 3 || trojan-activity || 0 || ET MALWARE W32/Linkular.Adware Icons.dat Second Stage Download || md5,7cc162a2ba136baaa38a9ccf46d97a06 +1 || 2017882 || 2 || attempted-user || 0 || ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack || cve,CVE-2013-6397 || url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html +1 || 2017883 || 3 || trojan-activity || 0 || ET DELETED W32/Ferret DDOS Bot CnC Beacon || md5,c49e3411294521d63c7cc28e08cf8a77 || url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/ +1 || 2017884 || 5 || bad-unknown || 0 || ET INFO SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound) +1 || 2017885 || 5 || bad-unknown || 0 || ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename inside +1 || 2017886 || 2 || bad-unknown || 0 || ET INFO SUSPICIOUS SMTP EXE - EXE SMTP Attachment +1 || 2017887 || 2 || bad-unknown || 0 || ET INFO SUSPICIOUS SMTP EXE - ZIP file with .com filename inside +1 || 2017888 || 2 || bad-unknown || 0 || ET INFO SUSPICIOUS SMTP EXE - RAR file with .com filename inside +1 || 2017889 || 2 || bad-unknown || 0 || ET INFO SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside +1 || 2017890 || 2 || bad-unknown || 0 || ET INFO SUSPICIOUS SMTP EXE - RAR file with .scr filename inside +1 || 2017891 || 2 || trojan-activity || 0 || ET TROJAN W32/GMUnpacker.Downloader Download Instructions Response From CnC || md5,43e89125ad40b18d22e01f997da8929a +1 || 2017892 || 2 || trojan-activity || 0 || ET MALWARE GMUnpackerInstaller.A Checkin || md5,43e89125ad40b18d22e01f997da8929a +1 || 2017893 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS DotkaChef Landing URI Struct || url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/ +1 || 2017894 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DotkaChef Payload Dec 20 2013 || url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/ +1 || 2017895 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Kuluoz/Asprox Activity Dec 23 2013 || md5,a3e0f51356d48124fba25485d1871b28 || url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf +1 || 2017896 || 4 || trojan-activity || 0 || ET EXPLOIT Metasploit Plugin-Detect Posting Data 1 || url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer +1 || 2017897 || 4 || trojan-activity || 0 || ET EXPLOIT Metasploit Plugin-Detect Posting Data 2 || url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer +1 || 2017898 || 4 || trojan-activity || 0 || ET EXPLOIT Metasploit Plugin-Detect Posting Data 3 || url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer +1 || 2017899 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Possible PDF Dictionary Entry with Hex/Ascii replacement +1 || 2017900 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Metasploit 2013-3346 +1 || 2017901 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Angler EK Flash Exploit Dec 24 2013 +1 || 2017902 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Possible Flash/IE Payload Dec 24 2013 +1 || 2017903 || 2 || trojan-activity || 0 || ET TROJAN Win32/Urausy.C Checkin 4 || md5,0032856449dbef5e63b8ed2f7a61fff9 +1 || 2017904 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Angler EK Flash Exploit Dec 26 2013 +1 || 2017905 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS SofosFO/GrandSoft PDF +1 || 2017906 || 2 || bad-unknown || 0 || ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso +1 || 2017907 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS GoonEK Landing with CVE-2013-2551 Dec 29 2013 +1 || 2017908 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS GoonEK encrypted binary (1) +1 || 2017909 || 3 || trojan-activity || 0 || ET INFO suspicious - uncompressed pack200-ed JAR +1 || 2017910 || 3 || trojan-activity || 0 || ET INFO suspicious - gzipped file via JAVA - could be pack200-ed JAR +1 || 2017911 || 2 || trojan-activity || 0 || ET MALWARE W32/InstallRex.Adware Initial CnC Beacon || md5,9abbb5ea3f55b5182687db69af6cba66 +1 || 2017912 || 2 || trojan-activity || 0 || ET MALWARE W32/InstallRex.Adware Report CnC Beacon || md5,9abbb5ea3f55b5182687db69af6cba66 +1 || 2017913 || 3 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231 || md5,a2469f4913f1607e4207ba0a8768491c +1 || 2017914 || 2 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231 || md5,be92836bee1e8abc1d19d1c552e6c115 +1 || 2017915 || 2 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231 || md5,a88e0e5a2c8fd31161b5e4a31e1307a0 +1 || 2017916 || 2 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,a88e0e5a2c8fd31161b5e4a31e1307a0 +1 || 2017917 || 5 || trojan-activity || 0 || ET TROJAN W32/Ferret DDOS Bot CnC Beacon 2 || md5,f582667d5ce743436fb24771eb22a0e8 || url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/ +1 || 2017918 || 2 || attempted-dos || 0 || ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02 || url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks +1 || 2017919 || 2 || attempted-dos || 0 || ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03 || url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks +1 || 2017920 || 2 || attempted-dos || 0 || ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02 || url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks +1 || 2017921 || 2 || attempted-dos || 0 || ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03 || url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks +1 || 2017922 || 3 || trojan-activity || 0 || ET TROJAN Win32.Morix.B checkin || md5,25623fa3a64f6bed301822f8fe6aa9b5 +1 || 2017923 || 2 || web-application-attack || 0 || ET EXPLOIT MMCS service (Little Endian) || url,github.com/elvanderb/TCP-32764 +1 || 2017924 || 2 || web-application-attack || 0 || ET EXPLOIT MMCS service (Big Endian) || url,github.com/elvanderb/TCP-32764 +1 || 2017925 || 3 || policy-violation || 0 || ET POLICY DNS lookup for bridges.torproject.org IP lookup/Tor Usage check || url,www.torproject.org/docs/bridges.html.en || md5,2e3f7f9b3b4c29aceccab693aeccfa5a +1 || 2017926 || 2 || policy-violation || 0 || ET POLICY DNS lookup for check.torproject.org IP lookup/Tor Usage check || md5,e87f0db605517e851d571af2e78c5966 +1 || 2017927 || 2 || policy-violation || 0 || ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP || md5,e87f0db605517e851d571af2e78c5966 +1 || 2017928 || 2 || policy-violation || 0 || ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI +1 || 2017929 || 2 || policy-violation || 0 || ET POLICY bridges.torproject.org over TLS with SNI || url,www.torproject.org/docs/bridges.html.en +1 || 2017930 || 9 || trojan-activity || 0 || ET TROJAN Trojan Generic - POST To gate.php with no referer +1 || 2017931 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS DRIVEBY Redirection - Injection - Modified Edwards Packer Script +1 || 2017933 || 2 || policy-violation || 0 || ET POLICY TraceMyIP IP lookup +1 || 2017934 || 3 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,a2469f4913f1607e4207ba0a8768491c +1 || 2017935 || 2 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,a2469f4913f1607e4207ba0a8768491c +1 || 2017936 || 3 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,a2469f4913f1607e4207ba0a8768491c +1 || 2017937 || 3 || trojan-activity || 0 || ET TROJAN Fake/Short Google Search Appliance UA Win32/Ranbyus and Others || url,developers.google.com/search-appliance/documentation/50/help_mini/crawl_headers || md5,98b58bd8a5138a31105e118e755a3773 || md5,c07a6035e9c7fed2467afab1a9dbcf40 +1 || 2017938 || 3 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,6a6ef7b4c7e8300a73b206e32e14ce3c +1 || 2017940 || 2 || trojan-activity || 0 || ET TROJAN Zbot Variant SSL cert for whoismama.ru || md5,cca1713888b0534954234cf31dd5a7d4 +1 || 2017941 || 3 || trojan-activity || 0 || ET TROJAN Zbot Variant SSL cert for dewart.ru || md5,6e0a6c4a06a446f70ae1463129711122 +1 || 2017942 || 1 || trojan-activity || 0 || ET TROJAN Zbot Variant SSL cert for anlogtewron.ru || md5,c13c3e331f05d61a7204fb4599b07709 +1 || 2017943 || 1 || trojan-activity || 0 || ET TROJAN Zbot Variant SSL cert for erjentronem.ru || md5,05ddaa5b6b56123e792fd67bb03376bc +1 || 2017944 || 5 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,9fae15fa8ab6bb8d78d609bdceafe28e +1 || 2017945 || 2 || trojan-activity || 0 || ET TROJAN Adware.PUQD Checkin || md5,e44962d7dec79c09a767a1d3e8ce02d8 || url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/ +1 || 2017946 || 3 || trojan-activity || 0 || ET TROJAN Agent.BAAB Checkin || md5,406fea6262d8ee05e0ab4247c1083443 || url,www.virustotal.com/en/file/b0baed750f09ff058e5bd28d6443da833496dc1d1ed674ee6b2caf91889f648e/analysis/1389133969/ +1 || 2017947 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Styx Kein Landing URI Struct +1 || 2017948 || 2 || trojan-activity || 0 || ET TROJAN LDPinch Checkin Post +1 || 2017949 || 5 || attempted-recon || 0 || ET USER_AGENTS FOCA User-Agent || url,blog.bannasties.com/2013/08/vulnerability-scans/ +1 || 2017950 || 3 || attempted-recon || 0 || ET SCAN FOCA uri || url,blog.bannasties.com/2013/08/vulnerability-scans/ +1 || 2017951 || 3 || web-application-attack || 0 || ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title +1 || 2017952 || 2 || web-application-attack || 0 || ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command +1 || 2017953 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 +1 || 2017954 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 1 +1 || 2017955 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 2 +1 || 2017956 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 3 +1 || 2017957 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS GoonEK Landing Jan 10 2014 +1 || 2017958 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino EK SilverLight Exploit Jan 11 2014 +1 || 2017959 || 2 || trojan-activity || 0 || ET TROJAN W32/Mevade.Variant CnC POST || url,labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/ || url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/ +1 || 2017960 || 2 || policy-violation || 0 || ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header || url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/ +1 || 2017961 || 5 || trojan-activity || 0 || ET DELETED PE EXE or DLL Windows file download disguised as ASCII - SET +1 || 2017962 || 4 || trojan-activity || 0 || ET TROJAN PE EXE or DLL Windows file download disguised as ASCII +1 || 2017963 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit Jan 13 2014 DLL Naming Convention +1 || 2017964 || 2 || trojan-activity || 0 || ET TROJAN Kishop.A checkin || md5,bad7cd3c534c95867f5dbe5c5169a4da +1 || 2017965 || 3 || attempted-dos || 0 || ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02 || url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks || url,en.wikipedia.org/wiki/Ephemeral_port +1 || 2017967 || 3 || trojan-activity || 0 || ET TROJAN StartPage jsp checkin || md5,bb7bbb0646e705ab036d73d920983256 +1 || 2017968 || 4 || trojan-activity || 0 || ET INFO Suspicious Possible Process Dump in POST body || url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor +1 || 2017969 || 2 || attempted-admin || 0 || ET CURRENT_EVENTS Netgear N150 passwordrecovered.cgi attempt || url,www.securityfocus.com/archive/1/530743/30/0/threaded +1 || 2017970 || 3 || trojan-activity || 0 || ET TROJAN PWS.Win32/Daceluw.A Checkin || url,xylibox.com/2014/01/trojwowspy-a.html +1 || 2017971 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Neutrino IE/Silverlight Payload Download +1 || 2017972 || 4 || trojan-activity || 0 || ET TROJAN ICEFOG JAVAFOG JAR checkin || url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor || url,jsunpack.jeek.org/dec/go?report=6b63068d3259f5032a301e0d3f935b4d3f2e2998 +1 || 2017973 || 9 || trojan-activity || 0 || ET CURRENT_EVENTS Nuclear EK CVE-2013-3918 +1 || 2017974 || 1 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,edd8c8009fc1ce2991eef6069ae6bf82 +1 || 2017975 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible AnglerEK Landing URI Struct +1 || 2017976 || 10 || trojan-activity || 0 || ET CURRENT_EVENTS Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014 +1 || 2017977 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Updatre SSL Certificate cardiffpower +1 || 2017978 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate marchsf +1 || 2017979 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate california89 +1 || 2017980 || 4 || misc-activity || 0 || ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918) +1 || 2017981 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate thebostonshaker +1 || 2017982 || 3 || trojan-activity || 0 || ET MALWARE Suspicious User-Agent 100 non-printable char || md5,176638536e926019e3e79370777d5e03 +1 || 2017983 || 3 || trojan-activity || 0 || ET TROJAN Java/Jacksbot Check-in || md5,6d93fc6132ae6938013cdd95354bff4e +1 || 2017984 || 5 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013 +1 || 2017985 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK encrypted binary (2) Jan 17 2013 +1 || 2017986 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK encrypted binary (3) Jan 17 2013 +1 || 2017987 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Upatre SSL Compromised site appsredeeem +1 || 2017988 || 5 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,ece8808981043f830bacc4133d68e394 +1 || 2017989 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Angler EK encrypted binary (4) +1 || 2017990 || 11 || trojan-activity || 0 || ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive +1 || 2017991 || 6 || trojan-activity || 0 || ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive Response +1 || 2017992 || 4 || trojan-activity || 0 || ET TROJAN Win32/OutBrowse.G Variant Checkin || md5,d75055c45e2c5293c3e0fbffb299ea6d || url,www.virustotal.com/en/file/95e0eaaee080f2c167464ed6da7e4b7a27937ac64fd3e1792a1aa84c1aed488e analysis/ +1 || 2017993 || 8 || trojan-activity || 0 || ET TROJAN GoonEK Jan 21 2013 +1 || 2017994 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS VBSAutorun_VBS_Jenxcus Check-in UA || url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24761/en_US/McAfee%20Labs%20Threat%20Advisory-VBSAutorun%20Worm.pdf || url, www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?ThreatId=-2147283579&mstLocPickShow=False#tab=2 +1 || 2017995 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 1 +1 || 2017996 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 2 +1 || 2017997 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 3 +1 || 2017998 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download +1 || 2017999 || 5 || trojan-activity || 0 || ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon || url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html +1 || 2018000 || 5 || trojan-activity || 0 || ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon || url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html +1 || 2018001 || 4 || trojan-activity || 0 || ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon || url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html +1 || 2018002 || 5 || trojan-activity || 0 || ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon || url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html +1 || 2018003 || 3 || trojan-activity || 0 || ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon || url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html +1 || 2018004 || 2 || trojan-activity || 0 || ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon || url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html +1 || 2018005 || 3 || trojan-activity || 0 || ET TROJAN Possible Upatre Downloader SSL certificate (fake org) +1 || 2018006 || 3 || trojan-activity || 0 || ET CURRENT_EVENTS Possible Browlock Hostname Format US +1 || 2018007 || 3 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 +1 || 2018008 || 3 || trojan-activity || 0 || ET TROJAN DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org || md5,37782108e8b7f331a6fdeabef9c8a774 || md5,10fa9c6c27e6eb512d12dee8181e182f +1 || 2018009 || 3 || bad-unknown || 0 || ET DELETED SUSPICIOUS HTTP Request to .bit domain || url,normanshark.com/blog/necurs-cc-domains-non-censorable/ || md5,243dda18666ae2a64685e51d82c5ad69 +1 || 2018010 || 3 || trojan-activity || 0 || ET TROJAN Suspicious UA (^IE[\d\s]) || md5,209e6701da137084c2f60c90d64505f2 +1 || 2018011 || 2 || attempted-user || 0 || ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013 +1 || 2018012 || 2 || policy-violation || 0 || ET P2P Vagaa peer-to-peer (Transfer) || url,en.wikipedia.org/wiki/Vagaa +1 || 2018013 || 3 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231 || md5,1f46b1e0a7fe83d24352e98b3ab3fc3f +1 || 2018014 || 1 || policy-violation || 0 || ET POLICY PrimeCoinMiner.Protominer || md5,4cab48eec2b882ec33db2e2a13ecffe6 +1 || 2018015 || 2 || trojan-activity || 0 || ET TROJAN Limitless Logger Sending Data over SMTP || md5,243dda18666ae2a64685e51d82c5ad69 +1 || 2018016 || 2 || trojan-activity || 0 || ET TROJAN Limitless Logger Sending Data over SMTP 2 || md5,243dda18666ae2a64685e51d82c5ad69 +1 || 2018017 || 2 || trojan-activity || 0 || ET TROJAN Predator Logger Sending Data over SMTP || md5,91f885e08d627097fb1116a3d4634b82 +1 || 2018018 || 2 || trojan-activity || 0 || ET TROJAN Win32/Antilam.2_0 Sending Data over SMTP || md5,d95845c510ec1f5ad38cb9ccab16c38b +1 || 2018019 || 2 || trojan-activity || 0 || ET TROJAN Win32.WinSpy.pob Sending Data over SMTP || md5,d95845c510ec1f5ad38cb9ccab16c38b +1 || 2018020 || 2 || trojan-activity || 0 || ET TROJAN Win32.WinSpy.pob Sending Data over SMTP 2 || md5,d95845c510ec1f5ad38cb9ccab16c38b +1 || 2018021 || 4 || policy-violation || 0 || ET POLICY myip.ru IP lookup +1 || 2018022 || 4 || trojan-activity || 0 || ET TROJAN Possible Win32/Dimegup.A Downloading Image Common URI Struct || md5,914c58df5d868f7c3438921d682f7fe5 +1 || 2018023 || 2 || trojan-activity || 0 || ET TROJAN W32/LockscreenBEI.Scareware Cnc Beacon || md5,04948b6045730d4ec626f79504c7f9ad || md5,9fff65c23fe403d25c08a5cdd3dc775d +1 || 2018024 || 3 || trojan-activity || 0 || ET MALWARE W32/BettrExperience.Adware Initial Checkin || md5,b2651071fbd14bff5fb39bd90f447d27 +1 || 2018025 || 3 || trojan-activity || 0 || ET MALWARE W32/BettrExperience.Adware POST Checkin || md5,b2651071fbd14bff5fb39bd90f447d27 +1 || 2018026 || 1 || trojan-activity || 0 || ET MALWARE W32/BettrExperience.Adware Update Checkin || md5,b2651071fbd14bff5fb39bd90f447d27 +1 || 2018027 || 2 || trojan-activity || 0 || ET TROJAN Win32/Xtrat C2 Response || url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092 +1 || 2018028 || 3 || trojan-activity || 0 || ET TROJAN W32/Madness Checkin || url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/ || md5,3e4107ccf956e2fc7af171adf3c18f0a +1 || 2018029 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11 +1 || 2018030 || 2 || trojan-activity || 0 || ET TROJAN Limitless Logger RAT HTTP Activity +1 || 2018031 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Hostile _dsgweed.class JAR exploit +1 || 2018032 || 2 || trojan-activity || 0 || ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19 || url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz || url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231 || md5,2b0f0479b14069b378fb454c92086897 +1 || 2018033 || 3 || trojan-activity || 0 || ET TROJAN Win32.Genome.boescz Checkin || md5,313535d09865f3629423cd0e9b2903b2 || url,www.virustotal.com/en/file/75c454bbcfc06375ad1e8b45d4167d7830083202f06c6309146e9a4870cddfba/analysis/ +1 || 2018034 || 1 || trojan-activity || 0 || ET TROJAN W32/Banker.AALV checkin || md5,74bfd81b345a6ef36be5fcf6964af6e1 +1 || 2018035 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS StyX Landing Jan 29 2014 +1 || 2018036 || 4 || trojan-activity || 0 || ET TROJAN SolarBot Plugin Download Server Response +1 || 2018037 || 4 || trojan-activity || 0 || ET CURRENT_EVENTS CookieBomb 2.0 In Server Response Jan 29 2014 || url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html +1 || 2018038 || 2 || trojan-activity || 0 || ET TROJAN SolarBot Plugin Download MessageBox +1 || 2018039 || 2 || trojan-activity || 0 || ET TROJAN SolarBot Plugin Download ComputerInfo +1 || 2018040 || 2 || trojan-activity || 0 || ET TROJAN SolarBot Plugin Download WalletSteal +1 || 2018041 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Current Asprox Spam Campaign +1 || 2100110 || 5 || misc-activity || 0 || GPL DELETED netbus getinfo || arachnids,403 +1 || 2100116 || 6 || misc-activity || 0 || GPL TROJAN BackOrifice access || arachnids,399 +1 || 2100144 || 10 || suspicious-login || 0 || GPL FTP ADMw0rm ftp login attempt || arachnids,01 +1 || 2100252 || 9 || attempted-recon || 0 || GPL DNS named iquery attempt || bugtraq,134 || cve,1999-0009 || url,www.rfc-editor.org/rfc/rfc1035.txt +1 || 2100253 || 5 || bad-unknown || 0 || GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority +1 || 2100254 || 5 || bad-unknown || 0 || GPL DNS SPOOF query response with TTL of 1 min. and no authority +1 || 2100255 || 14 || attempted-recon || 0 || GPL DNS zone transfer TCP || arachnids,212 || cve,1999-0532 || nessus,10595 +1 || 2100256 || 8 || attempted-recon || 0 || GPL DNS named authors attempt || nessus,10728 +1 || 2100257 || 10 || attempted-recon || 0 || GPL DNS named version attempt || arachnids,278 || nessus,10028 +1 || 2100258 || 7 || attempted-admin || 0 || GPL DNS EXPLOIT named 8.2->8.2.1 || bugtraq,788 || cve,1999-0833 +1 || 2100259 || 8 || attempted-admin || 0 || GPL DNS named overflow ADM || bugtraq,788 || cve,1999-0833 +1 || 2100261 || 7 || attempted-admin || 0 || GPL DNS named overflow attempt || url,www.cert.org/advisories/CA-1998-05.html +1 || 2100268 || 5 || attempted-dos || 0 || GPL DOS Jolt attack || cve,1999-0345 +1 || 2100270 || 7 || attempted-dos || 0 || GPL MISC Teardrop attack || bugtraq,124 || cve,1999-0015 || nessus,10279 || url,www.cert.org/advisories/CA-1997-28.html +1 || 2100272 || 11 || attempted-dos || 0 || GPL DOS IGMP dos attack || bugtraq,514 || cve,1999-0918 || url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx +1 || 2100281 || 6 || attempted-dos || 0 || GPL MISC Ascend Route || bugtraq,714 || cve,1999-0060 +1 || 2100286 || 13 || attempted-admin || 0 || GPL POP3 x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196 +1 || 2100287 || 8 || attempted-admin || 0 || GPL POP3 x86 BSD overflow 2 +1 || 2100288 || 8 || attempted-admin || 0 || GPL POP3 x86 Linux overflow +1 || 2100289 || 11 || attempted-admin || 0 || GPL POP3 x86 SCO overflow || bugtraq,156 || cve,1999-0006 +1 || 2100290 || 11 || attempted-admin || 0 || GPL DELETED qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184 +1 || 2100291 || 13 || attempted-user || 0 || GPL DELETED Cassandra Overflow || arachnids,274 || bugtraq,1156 || cve,2000-0341 +1 || 2100292 || 9 || attempted-admin || 0 || GPL NETBIOS x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811 +1 || 2100293 || 8 || attempted-admin || 0 || GPL IMAP Overflow Attempt +1 || 2100302 || 10 || attempted-admin || 0 || GPL EXPLOIT Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917 +1 || 2100304 || 10 || attempted-admin || 0 || GPL DELETED SCO calserver overflow || bugtraq,2353 || cve,2000-0306 +1 || 2100308 || 11 || attempted-user || 0 || GPL FTP NextFTP client overflow || bugtraq,572 || cve,1999-0671 +1 || 2100312 || 7 || attempted-admin || 0 || GPL EXPLOIT ntpdx overflow attempt || bugtraq,2540 || cve,2001-0414 +1 || 2100315 || 7 || attempted-admin || 0 || GPL EXPLOIT x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002 +1 || 2100319 || 6 || attempted-admin || 0 || GPL EXPLOIT bootp x86 linux overflow || cve,1999-0389 || cve,1999-0798 || cve,1999-0799 +1 || 2100321 || 7 || attempted-recon || 0 || GPL SCAN Finger Account Enumeration Attempt || nessus,10788 +1 || 2100322 || 12 || attempted-recon || 0 || GPL SCAN Finger Search Query || arachnids,375 || cve,1999-0259 +1 || 2100323 || 7 || attempted-recon || 0 || GPL SCAN Finger Root Query || arachnids,376 +1 || 2100324 || 7 || attempted-recon || 0 || GPL SCAN Finger Null Request || arachnids,377 +1 || 2100325 || 6 || attempted-recon || 0 || GPL SCAN Finger Probe 0 Attempt || arachnids,378 +1 || 2100326 || 11 || attempted-user || 0 || GPL MISC Finger remote command execution attempt || arachnids,379 || bugtraq,974 || cve,1999-0150 +1 || 2100327 || 10 || attempted-user || 0 || GPL MISC Finger remote command pipe execution attempt || arachnids,380 || bugtraq,2220 || cve,1999-0152 +1 || 2100328 || 10 || attempted-dos || 0 || GPL MISC Finger bomb attempt || arachnids,381 || cve,1999-0106 +1 || 2100329 || 9 || attempted-recon || 0 || GPL SCAN cybercop redirection || arachnids,11 +1 || 2100330 || 11 || attempted-recon || 0 || GPL SCAN Finger Redirection Attempt || arachnids,251 || cve,1999-0105 || nessus,10073 +1 || 2100331 || 11 || attempted-recon || 0 || GPL SCAN cybercop query || arachnids,132 || cve,1999-0612 +1 || 2100332 || 10 || attempted-recon || 0 || GPL SCAN Finger 0 Query || arachnids,131 || arachnids,378 || cve,1999-0197 || nessus,10069 +1 || 2100333 || 10 || attempted-recon || 0 || GPL SCAN Finger . query || arachnids,130 || cve,1999-0198 || nessus,10072 +1 || 2100334 || 7 || suspicious-filename-detect || 0 || GPL FTP .forward || arachnids,319 +1 || 2100335 || 6 || suspicious-filename-detect || 0 || GPL FTP .rhosts || arachnids,328 +1 || 2100336 || 11 || bad-unknown || 0 || GPL FTP CWD ~root attempt || arachnids,318 || cve,1999-0082 +1 || 2100337 || 13 || attempted-admin || 0 || GPL FTP CEL overflow attempt || arachnids,257 || bugtraq,679 || cve,1999-0789 || nessus,10009 +1 || 2100338 || 11 || attempted-user || 0 || GPL FTP SITE EXEC format string || arachnids,453 || bugtraq,1387 || cve,2000-0573 +1 || 2100339 || 11 || attempted-user || 0 || GPL FTP OpenBSD x86 ftpd || arachnids,446 || bugtraq,2124 || cve,2001-0053 +1 || 2100340 || 9 || attempted-admin || 0 || GPL FTP PWD overflow +1 || 2100341 || 9 || attempted-admin || 0 || GPL FTP XXXXX overflow +1 || 2100342 || 11 || attempted-user || 0 || GPL FTP wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 || arachnids,451 || bugtraq,1387 || cve,2000-0573 +1 || 2100343 || 12 || attempted-admin || 0 || GPL FTP wu-ftpd 2.6.0 site exec format string overflow FreeBSD || arachnids,228 || bugtraq,1387 || cve,2000-0573 +1 || 2100344 || 12 || attempted-admin || 0 || GPL FTP wu-ftpd 2.6.0 site exec format string overflow Linux || arachnids,287 || bugtraq,1387 || cve,2000-0573 +1 || 2100345 || 13 || attempted-admin || 0 || GPL FTP wu-ftpd 2.6.0 site exec format string overflow generic || arachnids,285 || bugtraq,1387 || cve,2000-0573 || nessus,10452 +1 || 2100346 || 11 || attempted-recon || 0 || GPL FTP wu-ftpd 2.6.0 site exec format string check || arachnids,286 || bugtraq,1387 || cve,2000-0573 +1 || 2100348 || 9 || attempted-user || 0 || GPL FTP wu-ftpd 2.6.0 || arachnids,440 || bugtraq,1387 +1 || 2100349 || 13 || attempted-admin || 0 || GPL FTP MKD overflow || bugtraq,113 || bugtraq,2242 || cve,1999-0368 +1 || 2100353 || 7 || suspicious-login || 0 || GPL SCAN adm scan || arachnids,332 +1 || 2100354 || 7 || suspicious-login || 0 || GPL FTP iss scan || arachnids,331 +1 || 2100355 || 7 || suspicious-login || 0 || GPL FTP pass wh00t || arachnids,324 +1 || 2100356 || 7 || suspicious-filename-detect || 0 || GPL FTP passwd retrieval attempt || arachnids,213 +1 || 2100357 || 7 || suspicious-login || 0 || GPL FTP piss scan +1 || 2100358 || 7 || suspicious-login || 0 || GPL FTP saint scan || arachnids,330 +1 || 2100359 || 7 || suspicious-login || 0 || GPL FTP satan scan || arachnids,329 +1 || 2100360 || 9 || bad-unknown || 0 || GPL FTP serv-u directory transversal || bugtraq,2052 || cve,2001-0054 +1 || 2100361 || 17 || bad-unknown || 0 || GPL FTP SITE EXEC attempt || arachnids,317 || bugtraq,2241 || cve,1999-0080 || cve,1999-0955 +1 || 2100362 || 14 || bad-unknown || 0 || GPL FTP tar parameters || arachnids,134 || bugtraq,2240 || cve,1999-0202 || cve,1999-0997 +1 || 2100363 || 8 || misc-activity || 0 || GPL ICMP_INFO IRDP router advertisement || arachnids,173 || bugtraq,578 || cve,1999-0875 +1 || 2100364 || 8 || misc-activity || 0 || GPL ICMP_INFO IRDP router selection || arachnids,174 || bugtraq,578 || cve,1999-0875 +1 || 2100365 || 9 || misc-activity || 0 || GPL ICMP PING undefined code +1 || 2100366 || 8 || misc-activity || 0 || GPL ICMP_INFO PING *NIX +1 || 2100368 || 7 || misc-activity || 0 || GPL ICMP_INFO PING BSDtype || arachnids,152 +1 || 2100369 || 7 || misc-activity || 0 || GPL ICMP_INFO PING BayRS Router || arachnids,438 || arachnids,444 +1 || 2100370 || 8 || misc-activity || 0 || GPL ICMP_INFO PING BeOS4.x || arachnids,151 +1 || 2100371 || 8 || misc-activity || 0 || GPL ICMP_INFO PING Cisco Type.x || arachnids,153 +1 || 2100372 || 8 || misc-activity || 0 || GPL SCAN PING Delphi-Piette Windows || arachnids,155 +1 || 2100373 || 7 || misc-activity || 0 || GPL ICMP_INFO PING Flowpoint2200 or Network Management Software || arachnids,156 +1 || 2100374 || 8 || misc-activity || 0 || GPL ICMP_INFO PING IP NetMonitor Macintosh || arachnids,157 +1 || 2100375 || 7 || misc-activity || 0 || GPL ICMP_INFO PING LINUX/*BSD || arachnids,447 +1 || 2100376 || 8 || misc-activity || 0 || GPL ICMP_INFO PING Microsoft Windows || arachnids,159 +1 || 2100377 || 8 || misc-activity || 0 || GPL ICMP_INFO PING Network Toolbox 3 Windows || arachnids,161 +1 || 2100378 || 8 || misc-activity || 0 || GPL ICMP_INFO PING Ping-O-MeterWindows || arachnids,164 +1 || 2100379 || 8 || misc-activity || 0 || GPL ICMP_INFO PING Pinger Windows || arachnids,163 +1 || 2100380 || 8 || misc-activity || 0 || GPL ICMP_INFO PING Seer Windows || arachnids,166 +1 || 2100381 || 7 || misc-activity || 0 || GPL ICMP_INFO PING Sun Solaris || arachnids,448 +1 || 2100382 || 8 || misc-activity || 0 || GPL ICMP_INFO PING Windows || arachnids,169 +1 || 2100384 || 6 || misc-activity || 0 || GPL ICMP_INFO PING +1 || 2100385 || 5 || attempted-recon || 0 || GPL ICMP_INFO traceroute || arachnids,118 +1 || 2100386 || 6 || misc-activity || 0 || GPL ICMP_INFO Address Mask Reply +1 || 2100387 || 8 || misc-activity || 0 || GPL ICMP Address Mask Reply undefined code +1 || 2100388 || 6 || misc-activity || 0 || GPL ICMP_INFO Address Mask Request +1 || 2100389 || 8 || misc-activity || 0 || GPL ICMP Address Mask Request undefined code +1 || 2100390 || 6 || misc-activity || 0 || GPL ICMP_INFO Alternate Host Address +1 || 2100391 || 9 || misc-activity || 0 || GPL ICMP Alternate Host Address undefined code +1 || 2100392 || 6 || misc-activity || 0 || GPL ICMP Datagram Conversion Error +1 || 2100393 || 9 || misc-activity || 0 || GPL ICMP Datagram Conversion Error undefined code +1 || 2100394 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Destination Host Unknown +1 || 2100395 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Destination Network Unknown +1 || 2100396 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Fragmentation Needed and DF bit was set +1 || 2100397 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Host Precedence Violation +1 || 2100398 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Host Unreachable for Type of Service +1 || 2100399 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Host Unreachable +1 || 2100400 || 8 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Network Unreachable for Type of Service +1 || 2100401 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Network Unreachable +1 || 2100402 || 8 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Port Unreachable +1 || 2100403 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Precedence Cutoff in effect +1 || 2100404 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Protocol Unreachable +1 || 2100405 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Source Host Isolated +1 || 2100406 || 7 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Source Route Failed +1 || 2100407 || 9 || misc-activity || 0 || GPL ICMP Destination Unreachable undefined code +1 || 2100408 || 6 || misc-activity || 0 || GPL ICMP_INFO Echo Reply +1 || 2100409 || 8 || misc-activity || 0 || GPL ICMP Echo Reply undefined code +1 || 2100410 || 6 || misc-activity || 0 || GPL ICMP_INFO Fragment Reassembly Time Exceeded +1 || 2100411 || 6 || misc-activity || 0 || GPL ICMP_INFO IPV6 I-Am-Here +1 || 2100412 || 8 || misc-activity || 0 || GPL ICMP IPV6 I-Am-Here undefined code +1 || 2100413 || 6 || misc-activity || 0 || GPL ICMP_INFO IPV6 Where-Are-You +1 || 2100414 || 8 || misc-activity || 0 || GPL ICMP IPV6 Where-Are-You undefined code +1 || 2100415 || 6 || misc-activity || 0 || GPL ICMP_INFO Information Reply +1 || 2100416 || 8 || misc-activity || 0 || GPL ICMP Information Reply undefined code +1 || 2100417 || 6 || misc-activity || 0 || GPL ICMP_INFO Information Request +1 || 2100418 || 8 || misc-activity || 0 || GPL ICMP Information Request undefined code +1 || 2100419 || 6 || misc-activity || 0 || GPL ICMP_INFO Mobile Host Redirect +1 || 2100420 || 8 || misc-activity || 0 || GPL ICMP Mobile Host Redirect undefined code +1 || 2100421 || 6 || misc-activity || 0 || GPL ICMP_INFO Mobile Registration Reply +1 || 2100422 || 8 || misc-activity || 0 || GPL ICMP Mobile Registration Reply undefined code +1 || 2100423 || 6 || misc-activity || 0 || GPL ICMP_INFO Mobile Registration Request +1 || 2100424 || 8 || misc-activity || 0 || GPL ICMP Mobile Registration Request undefined code +1 || 2100425 || 7 || misc-activity || 0 || GPL ICMP Parameter Problem Bad Length +1 || 2100426 || 8 || misc-activity || 0 || GPL ICMP Parameter Problem Missing a Required Option +1 || 2100427 || 7 || misc-activity || 0 || GPL ICMP Parameter Problem Unspecified Error +1 || 2100428 || 8 || misc-activity || 0 || GPL ICMP Parameter Problem undefined Code +1 || 2100429 || 7 || misc-activity || 0 || GPL ICMP Photuris Reserved +1 || 2100430 || 7 || misc-activity || 0 || GPL ICMP Photuris Unknown Security Parameters Index +1 || 2100431 || 7 || misc-activity || 0 || GPL ICMP Photuris Valid Security Parameters, But Authentication Failed +1 || 2100432 || 7 || misc-activity || 0 || GPL ICMP Photuris Valid Security Parameters, But Decryption Failed +1 || 2100433 || 9 || misc-activity || 0 || GPL ICMP Photuris undefined code! +1 || 2100436 || 7 || misc-activity || 0 || GPL ICMP_INFO Redirect for TOS and Host +1 || 2100437 || 7 || misc-activity || 0 || GPL ICMP_INFO Redirect for TOS and Network +1 || 2100438 || 10 || misc-activity || 0 || GPL ICMP Redirect undefined code +1 || 2100439 || 7 || misc-activity || 0 || GPL ICMP Reserved for Security Type 19 +1 || 2100440 || 8 || misc-activity || 0 || GPL ICMP Reserved for Security Type 19 undefined code +1 || 2100441 || 7 || misc-activity || 0 || GPL ICMP_INFO Router Advertisement || arachnids,173 +1 || 2100443 || 6 || misc-activity || 0 || GPL ICMP_INFO Router Selection || arachnids,174 +1 || 2100445 || 6 || misc-activity || 0 || GPL ICMP_INFO SKIP +1 || 2100446 || 8 || misc-activity || 0 || GPL ICMP SKIP undefined code +1 || 2100448 || 8 || misc-activity || 0 || GPL ICMP Source Quench undefined code +1 || 2100449 || 7 || misc-activity || 0 || GPL MISC Time-To-Live Exceeded in Transit +1 || 2100450 || 9 || misc-activity || 0 || GPL ICMP Time-To-Live Exceeded in Transit undefined code +1 || 2100451 || 6 || misc-activity || 0 || GPL ICMP_INFO Timestamp Reply +1 || 2100452 || 8 || misc-activity || 0 || GPL ICMP Timestamp Reply undefined code +1 || 2100453 || 6 || misc-activity || 0 || GPL ICMP_INFO Timestamp Request +1 || 2100454 || 8 || misc-activity || 0 || GPL ICMP Timestamp Request undefined code +1 || 2100455 || 8 || misc-activity || 0 || GPL ICMP_INFO Traceroute ipopts || arachnids,238 +1 || 2100456 || 6 || misc-activity || 0 || GPL ICMP_INFO Traceroute +1 || 2100457 || 8 || misc-activity || 0 || GPL ICMP Traceroute undefined code +1 || 2100458 || 8 || misc-activity || 0 || GPL ICMP_INFO unassigned type 1 +1 || 2100459 || 8 || misc-activity || 0 || GPL ICMP unassigned type 1 undefined code +1 || 2100460 || 8 || misc-activity || 0 || GPL ICMP_INFO unassigned type 2 +1 || 2100461 || 8 || misc-activity || 0 || GPL ICMP unassigned type 2 undefined code +1 || 2100462 || 8 || misc-activity || 0 || GPL ICMP_INFO unassigned type 7 +1 || 2100463 || 8 || misc-activity || 0 || GPL ICMP unassigned type 7 undefined code +1 || 2100465 || 4 || attempted-recon || 0 || GPL SCAN ISS Pinger || arachnids,158 +1 || 2100466 || 5 || attempted-recon || 0 || GPL ICMP L3retriever Ping || arachnids,311 +1 || 2100467 || 5 || attempted-recon || 0 || GPL SCAN Nemesis v1.1 Echo || arachnids,449 +1 || 2100469 || 4 || attempted-recon || 0 || GPL SCAN PING NMAP || arachnids,162 +1 || 2100471 || 4 || attempted-recon || 0 || GPL SCAN icmpenum v1.1.1 || arachnids,450 +1 || 2100472 || 5 || bad-unknown || 0 || GPL ICMP_INFO redirect host || arachnids,135 || cve,1999-0265 +1 || 2100473 || 5 || bad-unknown || 0 || GPL ICMP_INFO redirect net || arachnids,199 || cve,1999-0265 +1 || 2100474 || 5 || attempted-recon || 0 || GPL SCAN superscan echo +1 || 2100475 || 4 || attempted-recon || 0 || GPL ICMP_INFO traceroute ipopts || arachnids,238 +1 || 2100476 || 5 || attempted-recon || 0 || GPL SCAN webtrends scanner || arachnids,307 +1 || 2100477 || 3 || bad-unknown || 0 || GPL ICMP_INFO Source Quench +1 || 2100478 || 4 || attempted-recon || 0 || GPL SCAN Broadscan Smurf Scanner +1 || 2100480 || 6 || misc-activity || 0 || GPL ICMP_INFO PING speedera +1 || 2100481 || 6 || misc-activity || 0 || GPL ICMP_INFO TJPingPro1.1Build 2 Windows || arachnids,167 +1 || 2100482 || 6 || misc-activity || 0 || GPL ICMP_INFO PING WhatsupGold Windows || arachnids,168 +1 || 2100483 || 6 || misc-activity || 0 || GPL SCAN PING CyberKit 2.2 Windows || arachnids,154 +1 || 2100484 || 5 || misc-activity || 0 || GPL SCAN PING Sniffer Pro/NetXRay network scan +1 || 2100485 || 5 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Communication Administratively Prohibited +1 || 2100486 || 5 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Communication with Destination Host is Administratively Prohibited +1 || 2100487 || 5 || misc-activity || 0 || GPL ICMP_INFO Destination Unreachable Communication with Destination Network is Administratively Prohibited +1 || 2100488 || 5 || unknown || 0 || GPL MISC Connection Closed MSG from Port 80 +1 || 2100489 || 9 || unknown || 0 || GPL FTP FTP no password || arachnids,322 +1 || 2100491 || 10 || bad-unknown || 0 || GPL FTP FTP Bad login +1 || 2100492 || 10 || bad-unknown || 0 || GPL TELNET TELNET login failed +1 || 2100494 || 12 || bad-unknown || 0 || GPL ATTACK_RESPONSE command completed || bugtraq,1806 +1 || 2100495 || 10 || bad-unknown || 0 || GPL ATTACK_RESPONSE command error +1 || 2100497 || 14 || bad-unknown || 0 || GPL ATTACK_RESPONSE file copied ok || bugtraq,1806 || cve,2000-0884 +1 || 2100498 || 7 || bad-unknown || 0 || GPL ATTACK_RESPONSE id check returned root +1 || 2100499 || 5 || bad-unknown || 0 || GPL ICMP Large ICMP Packet || arachnids,246 +1 || 2100502 || 3 || bad-unknown || 0 || GPL MISC source route ssrr || arachnids,422 +1 || 2100503 || 8 || bad-unknown || 0 || GPL MISC Source Port 20 to <1024 || arachnids,06 +1 || 2100504 || 8 || bad-unknown || 0 || GPL MISC source port 53 to <1024 || arachnids,07 +1 || 2100507 || 5 || attempted-admin || 0 || GPL POLICY PCAnywhere Attempted Administrator Login +1 || 2100511 || 6 || unsuccessful-user || 0 || GPL MISC Invalid PCAnywhere Login +1 || 2100512 || 5 || unsuccessful-user || 0 || GPL POLICY PCAnywhere Failed Login || arachnids,240 +1 || 2100516 || 7 || attempted-recon || 0 || GPL SNMP SNMP NT UserList || nessus,10546 +1 || 2100517 || 2 || attempted-recon || 0 || GPL MISC xdmcp query +1 || 2100518 || 8 || bad-unknown || 0 || GPL TFTP Put || cve,1999-0183 +1 || 2100519 || 7 || bad-unknown || 0 || GPL TFTP parent directory || cve,1999-0183 || cve,2002-1209 +1 || 2100520 || 6 || bad-unknown || 0 || GPL TFTP root directory || cve,1999-0183 +1 || 2100523 || 6 || misc-activity || 0 || GPL MISC ip reserved bit set +1 || 2100524 || 9 || misc-activity || 0 || GPL POLICY tcp port 0 traffic +1 || 2100525 || 10 || misc-activity || 0 || GPL POLICY udp port 0 traffic || bugtraq,576 || cve,1999-0675 || nessus,10074 +1 || 2100527 || 9 || bad-unknown || 0 || GPL SCAN same SRC/DST || bugtraq,2666 || cve,1999-0016 || url,www.cert.org/advisories/CA-1997-28.html +1 || 2100528 || 6 || bad-unknown || 0 || GPL SCAN loopback traffic || url,rr.sans.org/firewall/egress.php +1 || 2100529 || 8 || attempted-dos || 0 || GPL NETBIOS DOS RFPoison || arachnids,454 +1 || 2100530 || 11 || attempted-recon || 0 || GPL NETBIOS NT NULL session || arachnids,204 || bugtraq,1163 || cve,2000-0347 +1 || 2100532 || 14 || protocol-command-decode || 0 || GPL NETBIOS SMB ADMIN$ share access +1 || 2100533 || 17 || protocol-command-decode || 0 || GPL NETBIOS SMB C$ share access +1 || 2100534 || 7 || attempted-recon || 0 || GPL NETBIOS SMB CD.. || arachnids,338 +1 || 2100535 || 7 || attempted-recon || 0 || GPL NETBIOS SMB CD... || arachnids,337 +1 || 2100536 || 13 || protocol-command-decode || 0 || GPL NETBIOS SMB D$ share access +1 || 2100537 || 17 || protocol-command-decode || 0 || GPL NETBIOS SMB IPC$ share access +1 || 2100538 || 17 || protocol-command-decode || 0 || GPL NETBIOS SMB IPC$ unicode share access +1 || 2100540 || 12 || policy-violation || 0 || GPL CHAT MSN message +1 || 2100541 || 13 || policy-violation || 0 || GPL CHAT ICQ access +1 || 2100543 || 7 || misc-activity || 0 || GPL FTP FTP 'STOR 1MB' possible warez site +1 || 2100544 || 7 || misc-activity || 0 || GPL FTP FTP 'RETR 1MB' possible warez site +1 || 2100545 || 6 || misc-activity || 0 || GPL FTP FTP 'CWD / ' possible warez site +1 || 2100546 || 7 || misc-activity || 0 || GPL FTP FTP 'CWD ' possible warez site +1 || 2100547 || 10 || misc-activity || 0 || GPL FTP MKD space space possible warez site +1 || 2100548 || 7 || misc-activity || 0 || GPL FTP FTP 'MKD .' possible warez site +1 || 2100553 || 8 || misc-activity || 0 || GPL FTP FTP anonymous login attempt +1 || 2100554 || 9 || misc-activity || 0 || GPL FTP MKD / possible warez site +1 || 2100556 || 6 || policy-violation || 0 || GPL P2P Outbound GNUTella client request +1 || 2100557 || 7 || policy-violation || 0 || GPL P2P GNUTella client request +1 || 2100558 || 6 || misc-activity || 0 || GPL DELETED Outbound GNUTella client request +1 || 2100559 || 7 || misc-activity || 0 || GPL DELETED Inbound GNUTella client request +1 || 2100560 || 7 || misc-activity || 0 || GPL POLICY VNC server response +1 || 2100566 || 5 || misc-activity || 0 || GPL POLICY PCAnywhere server response +1 || 2100567 || 12 || misc-activity || 0 || GPL SMTP SMTP relaying denied || arachnids,249 || url,mail-abuse.org/tsi/ar-fix.html +1 || 2100569 || 15 || attempted-admin || 0 || GPL RPC snmpXdmi overflow attempt TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html +1 || 2100570 || 11 || attempted-admin || 0 || GPL EXPLOIT EXPLOIT ttdbserv solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html +1 || 2100571 || 9 || attempted-admin || 0 || GPL EXPLOIT ttdbserv Solaris overflow || arachnids,242 || bugtraq,122 || cve,1999-0003 || url,www.cert.org/advisories/CA-2001-27.html +1 || 2100574 || 9 || attempted-recon || 0 || GPL RPC mountd TCP export request || arachnids,26 +1 || 2100575 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap admind request UDP || arachnids,18 +1 || 2100576 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap amountd request UDP || arachnids,19 +1 || 2100577 || 14 || rpc-portmap-decode || 0 || GPL RPC portmap bootparam request UDP || arachnids,16 || cve,1999-0647 +1 || 2100578 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap cmsd request UDP || arachnids,17 +1 || 2100579 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap mountd request UDP || arachnids,13 +1 || 2100580 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap nisd request UDP || arachnids,21 +1 || 2100581 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap pcnfsd request UDP || arachnids,22 +1 || 2100582 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap rexd request UDP || arachnids,23 +1 || 2100583 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap rstatd request UDP || arachnids,10 +1 || 2100584 || 12 || rpc-portmap-decode || 0 || GPL RPC portmap rusers request UDP || arachnids,133 || cve,1999-0626 +1 || 2100585 || 8 || rpc-portmap-decode || 0 || GPL RPC portmap sadmind request UDP || arachnids,20 +1 || 2100586 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap selection_svc request UDP || arachnids,25 +1 || 2100587 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap status request UDP || arachnids,15 +1 || 2100588 || 18 || rpc-portmap-decode || 0 || GPL RPC portmap ttdbserv request UDP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html +1 || 2100589 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap yppasswd request UDP || arachnids,14 +1 || 2100590 || 13 || rpc-portmap-decode || 0 || GPL RPC portmap ypserv request UDP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 +1 || 2100591 || 11 || rpc-portmap-decode || 0 || GPL RPC portmap ypupdated request TCP || arachnids,125 +1 || 2100593 || 19 || rpc-portmap-decode || 0 || GPL RPC portmap snmpXdmi request TCP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html +1 || 2100595 || 17 || rpc-portmap-decode || 0 || GPL RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331 +1 || 2100598 || 13 || rpc-portmap-decode || 0 || GPL RPC portmap listing TCP 111 || arachnids,428 +1 || 2100600 || 8 || attempted-admin || 0 || GPL EXPLOIT EXPLOIT statdx || arachnids,442 +1 || 2100601 || 7 || bad-unknown || 0 || GPL RPC rlogin LinuxNIS +1 || 2100602 || 6 || attempted-user || 0 || GPL MISC rlogin bin || arachnids,384 +1 || 2100603 || 6 || bad-unknown || 0 || GPL MISC rlogin echo++ || arachnids,385 +1 || 2100604 || 6 || attempted-admin || 0 || GPL EXPLOIT rsh froot || arachnids,387 +1 || 2100605 || 7 || unsuccessful-user || 0 || GPL RPC rlogin login failure || arachnids,393 +1 || 2100606 || 6 || attempted-admin || 0 || GPL MISC rlogin root || arachnids,389 +1 || 2100607 || 6 || attempted-user || 0 || GPL EXPLOIT rsh bin || arachnids,390 +1 || 2100608 || 6 || attempted-user || 0 || GPL MISC rsh echo + + || arachnids,388 +1 || 2100609 || 6 || attempted-admin || 0 || GPL MISC rsh froot || arachnids,387 +1 || 2100610 || 6 || attempted-admin || 0 || GPL MISC rsh root || arachnids,391 +1 || 2100611 || 8 || unsuccessful-user || 0 || GPL RPC rlogin login failure || arachnids,392 +1 || 2100612 || 7 || attempted-recon || 0 || GPL SCAN rusers query UDP || cve,1999-0626 +1 || 2100613 || 7 || attempted-recon || 0 || GPL SCAN myscan || arachnids,439 +1 || 2100615 || 10 || attempted-recon || 0 || GPL POLICY SOCKS Proxy attempt || url,help.undernet.org/proxyscan/ +1 || 2100616 || 5 || attempted-recon || 0 || GPL MISC ident version request || arachnids,303 +1 || 2100617 || 5 || attempted-recon || 0 || GPL SCAN ssh-research-scanner +1 || 2100619 || 7 || attempted-recon || 0 || GPL SCAN cybercop os probe || arachnids,146 +1 || 2100623 || 7 || attempted-recon || 0 || GPL SCAN NULL || arachnids,4 +1 || 2100624 || 8 || attempted-recon || 0 || GPL SCAN SYN FIN || arachnids,198 +1 || 2100625 || 8 || attempted-recon || 0 || GPL SCAN XMAS || arachnids,144 +1 || 2100626 || 9 || attempted-recon || 0 || GPL SCAN cybercop os PA12 attempt || arachnids,149 +1 || 2100627 || 9 || attempted-recon || 0 || GPL SCAN cybercop os SFU12 probe || arachnids,150 +1 || 2100628 || 8 || attempted-recon || 0 || GPL SCAN nmap TCP || arachnids,28 +1 || 2100629 || 7 || attempted-recon || 0 || GPL SCAN nmap fingerprint attempt || arachnids,05 +1 || 2100631 || 7 || protocol-command-decode || 0 || GPL SMTP ehlo cybercop attempt || arachnids,372 +1 || 2100632 || 6 || protocol-command-decode || 0 || GPL SMTP expn cybercop attempt || arachnids,371 +1 || 2100637 || 4 || attempted-recon || 0 || GPL SCAN Webtrends Scanner UDP Probe +1 || 2100638 || 6 || shellcode-detect || 0 || GPL SHELLCODE SGI NOOP || arachnids,356 +1 || 2100639 || 6 || shellcode-detect || 0 || GPL SHELLCODE SGI NOOP || arachnids,357 +1 || 2100640 || 7 || shellcode-detect || 0 || GPL SHELLCODE AIX NOOP +1 || 2100641 || 7 || shellcode-detect || 0 || GPL SHELLCODE Digital UNIX NOOP || arachnids,352 +1 || 2100642 || 7 || shellcode-detect || 0 || GPL SHELLCODE HP-UX NOOP || arachnids,358 +1 || 2100643 || 8 || shellcode-detect || 0 || GPL SHELLCODE HP-UX NOOP || arachnids,359 +1 || 2100644 || 6 || shellcode-detect || 0 || GPL SHELLCODE sparc NOOP || arachnids,345 +1 || 2100645 || 6 || shellcode-detect || 0 || GPL SHELLCODE sparc NOOP || arachnids,353 +1 || 2100646 || 6 || shellcode-detect || 0 || GPL SHELLCODE sparc NOOP || arachnids,355 +1 || 2100647 || 7 || system-call-detect || 0 || GPL SHELLCODE sparc setuid 0 || arachnids,282 +1 || 2100649 || 9 || system-call-detect || 0 || GPL SHELLCODE x86 setgid 0 || arachnids,284 +1 || 2100650 || 9 || system-call-detect || 0 || GPL SHELLCODE x86 setuid 0 || arachnids,436 +1 || 2100651 || 9 || shellcode-detect || 0 || GPL SHELLCODE x86 stealth NOOP || arachnids,291 +1 || 2100652 || 10 || shellcode-detect || 0 || GPL SHELLCODE Linux shellcode || arachnids,343 +1 || 2100654 || 17 || attempted-admin || 0 || GPL SMTP RCPT TO overflow || bugtraq,2283 || bugtraq,9696 || cve,2001-0260 +1 || 2100655 || 9 || attempted-admin || 0 || GPL DELETED sendmail 8.6.9 exploit || arachnids,140 || bugtraq,2311 || cve,1999-0204 +1 || 2100659 || 10 || attempted-recon || 0 || GPL SMTP expn decode || arachnids,32 || cve,1999-0096 || nessus,10248 +1 || 2100660 || 13 || attempted-recon || 0 || GPL SMTP expn root || arachnids,31 || cve,1999-0531 || nessus,10249 +1 || 2100672 || 10 || attempted-recon || 0 || GPL SMTP vrfy decode || arachnids,373 || bugtraq,10248 || cve,1999-0096 +1 || 2100673 || 6 || attempted-user || 0 || GPL SQL sp_start_job - program execution +1 || 2100674 || 9 || attempted-user || 0 || GPL DELETED xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100675 || 10 || attempted-user || 0 || GPL DELETED xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100676 || 7 || attempted-user || 0 || GPL EXPLOIT sp_start_job - program execution +1 || 2100677 || 7 || attempted-user || 0 || GPL SQL sp_password password change +1 || 2100678 || 7 || attempted-user || 0 || GPL SQL sp_delete_alert log file deletion +1 || 2100679 || 7 || attempted-user || 0 || GPL EXPLOIT sp_adduser database user creation +1 || 2100680 || 10 || attempted-user || 0 || GPL SQL sa login failed || bugtraq,4797 || cve,2000-1209 +1 || 2100681 || 7 || attempted-user || 0 || GPL SQL xp_cmdshell program execution +1 || 2100682 || 11 || attempted-user || 0 || GPL DELETED xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100683 || 6 || attempted-user || 0 || GPL SQL sp_password - password change +1 || 2100684 || 6 || attempted-user || 0 || GPL SQL sp_delete_alert log file deletion +1 || 2100685 || 6 || attempted-user || 0 || GPL SQL sp_adduser - database user creation +1 || 2100686 || 11 || attempted-user || 0 || GPL NETBIOS xp_reg* - registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034 +1 || 2100687 || 6 || attempted-user || 0 || GPL EXPLOIT xp_cmdshell - program execution +1 || 2100688 || 11 || unsuccessful-user || 0 || GPL SQL sa login failed || bugtraq,4797 || cve,2000-1209 || nessus,10673 +1 || 2100689 || 12 || attempted-user || 0 || GPL NETBIOS xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,www.microsoft.com/technet/security/bulletin/MS02-034 +1 || 2100690 || 10 || attempted-user || 0 || GPL SQL xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100691 || 7 || shellcode-detect || 0 || GPL SHELLCODE MSSQL shellcode attempt +1 || 2100692 || 7 || shellcode-detect || 0 || GPL SQL shellcode attempt +1 || 2100693 || 7 || shellcode-detect || 0 || GPL SQL MSSQL shellcode attempt 2 +1 || 2100694 || 7 || attempted-user || 0 || GPL SQL shellcode attempt +1 || 2100695 || 10 || attempted-user || 0 || GPL EXPLOIT xp_sprintf possible buffer overflow || bugtraq,1204 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx +1 || 2100696 || 11 || attempted-user || 0 || GPL DELETED xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100697 || 11 || attempted-user || 0 || GPL DELETED xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100698 || 11 || attempted-user || 0 || GPL DELETED xp_proxiedmetadata possible buffer overflow || bugtraq,2042 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100699 || 10 || attempted-user || 0 || GPL DELETED xp_printstatements possible buffer overflow || bugtraq,2041 || cve,2000-1086 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100700 || 11 || attempted-user || 0 || GPL DELETED xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100701 || 10 || attempted-user || 0 || GPL DELETED xp_updatecolvbm possible buffer overflow || bugtraq,2039 || cve,2000-1084 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100702 || 11 || attempted-user || 0 || GPL DELETED xp_displayparamstmt possible buffer overflow || bugtraq,2030 || cve,2000-1081 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100703 || 11 || attempted-user || 0 || GPL DELETED xp_setsqlsecurity possible buffer overflow || bugtraq,2043 || cve,2000-1088 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100704 || 10 || attempted-user || 0 || GPL DELETED xp_sprintf possible buffer overflow || bugtraq,1204 || cve,2001-0542 || url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx +1 || 2100705 || 10 || attempted-user || 0 || GPL DELETED xp_showcolv possible buffer overflow || bugtraq,2038 || cve,2000-1083 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100706 || 10 || attempted-user || 0 || GPL DELETED xp_peekqueue possible buffer overflow || bugtraq,2040 || cve,2000-1085 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100707 || 11 || attempted-user || 0 || GPL DELETED xp_proxiedmetadata possible buffer overflow || bugtraq,2024 || cve,1999-0287 || cve,2000-1087 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100708 || 11 || attempted-user || 0 || GPL DELETED xp_enumresultset possible buffer overflow || bugtraq,2031 || cve,2000-1082 || url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx +1 || 2100716 || 14 || not-suspicious || 0 || GPL TELNET TELNET access || arachnids,08 || cve,1999-0619 || nessus,10280 +1 || 2100717 || 9 || bad-unknown || 0 || GPL TELNET Telnet Root not on console || arachnids,365 +1 || 2100719 || 8 || suspicious-login || 0 || GPL TELNET root login +1 || 2100721 || 10 || suspicious-filename-detect || 0 || GPL SMTP OUTBOUND bad file attachment +1 || 2100824 || 15 || attempted-recon || 0 || GPL EXPLOIT php.cgi access || arachnids,232 || bugtraq,2250 || bugtraq,712 || cve,1999-0238 || cve,1999-058 || nessus,10178 +1 || 2100884 || 17 || web-application-activity || 0 || GPL EXPLOIT formmail access || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782 +1 || 2100909 || 7 || web-application-attack || 0 || GPL WEB_SERVER datasource username attempt || bugtraq,550 +1 || 2100915 || 7 || attempted-recon || 0 || GPL DELETED evaluate.cfm access || bugtraq,550 +1 || 2100919 || 9 || web-application-attack || 0 || GPL WEB_SERVER datasource password attempt || bugtraq,550 +1 || 2100920 || 8 || web-application-attack || 0 || GPL WEB_SERVER datasource attempt || bugtraq,550 +1 || 2100923 || 8 || web-application-attack || 0 || GPL WEB_SERVER getodbcin attempt || bugtraq,550 +1 || 2100937 || 13 || web-application-activity || 0 || GPL WEB_SERVER _vti_rpc access || bugtraq,2144 || cve,2001-0096 || nessus,10585 +1 || 2100951 || 13 || web-application-activity || 0 || GPL WEB_SERVER authors.pwd access || bugtraq,989 || cve,1999-0386 || nessus,10078 +1 || 2100952 || 9 || web-application-activity || 0 || GPL WEB_SERVER author.exe access +1 || 2100953 || 9 || web-application-activity || 0 || GPL EXPLOIT administrators.pwd access || bugtraq,1205 +1 || 2100958 || 12 || web-application-activity || 0 || GPL WEB_SERVER service.cnf access || bugtraq,4078 || nessus,10575 +1 || 2100959 || 9 || web-application-activity || 0 || GPL WEB_SERVER service.pwd || bugtraq,1205 +1 || 2100961 || 12 || web-application-activity || 0 || GPL WEB_SERVER services.cnf access || bugtraq,4078 || nessus,10575 +1 || 2100965 || 12 || web-application-activity || 0 || GPL WEB_SERVER writeto.cnf access || bugtraq,4078 || nessus,10575 +1 || 2100971 || 13 || web-application-activity || 0 || GPL WEB_SERVER ISAPI .printer access || arachnids,533 || bugtraq,2674 || cve,2001-0241 || nessus,10661 || url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx +1 || 2100975 || 14 || web-application-attack || 0 || GPL EXPLOIT Alternate Data streams ASP file access attempt || bugtraq,149 || cve,1999-0278 || nessus,10362 || url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806 +1 || 2100977 || 13 || web-application-activity || 0 || GPL EXPLOIT .cnf access || bugtraq,4078 || nessus,10575 +1 || 2100981 || 14 || web-application-attack || 0 || GPL EXPLOIT unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 +1 || 2100982 || 12 || web-application-attack || 0 || GPL EXPLOIT unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 +1 || 2100983 || 19 || web-application-attack || 0 || GPL EXPLOIT unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 +1 || 2100987 || 16 || web-application-activity || 0 || GPL EXPLOIT .htr access || bugtraq,1488 || cve,2000-0630 || nessus,10680 +1 || 2100988 || 9 || web-application-attack || 0 || GPL WEB_SERVER SAM Attempt || url,www.ciac.org/ciac/bulletins/h-45.shtml +1 || 2100989 || 13 || web-application-activity || 0 || GPL SCAN sensepost.exe command shell attempt || nessus,11003 +1 || 2100993 || 13 || web-application-attack || 0 || GPL WEB_SERVER iisadmin access || bugtraq,189 || cve,1999-1538 || nessus,11032 +1 || 2100994 || 10 || web-application-attack || 0 || GPL WEB_SERVER /scripts/iisadmin/default.htm access +1 || 2101002 || 10 || web-application-attack || 0 || GPL DELETED cmd.exe access +1 || 2101003 || 11 || web-application-attack || 0 || GPL EXPLOIT cmd? access +1 || 2101008 || 9 || web-application-attack || 0 || GPL ATTACK_RESPONSE del attempt +1 || 2101009 || 8 || web-application-attack || 0 || GPL ATTACK_RESPONSE directory listing || nessus,10573 +1 || 2101013 || 11 || web-application-activity || 0 || GPL EXPLOIT fpcount access || bugtraq,2252 || cve,1999-1376 +1 || 2101016 || 15 || web-application-activity || 0 || GPL WEB_SERVER global.asa access || cve,2000-0778 || nessus,10491 || nessus,10991 +1 || 2101018 || 12 || web-application-attack || 0 || GPL EXPLOIT iisadmpwd attempt || bugtraq,2110 || cve,1999-0407 +1 || 2101023 || 13 || web-application-activity || 0 || GPL WEB_SERVER msadcs.dll access || bugtraq,529 || cve,1999-1011 || nessus,10357 +1 || 2101046 || 11 || web-application-activity || 0 || GPL EXPLOIT site/iisamples access || nessus,10370 +1 || 2101055 || 12 || web-application-attack || 0 || GPL WEB_SERVER Tomcat directory traversal attempt || bugtraq,2518 +1 || 2101056 || 10 || web-application-attack || 0 || GPL WEB_SERVER Tomcat view source attempt || bugtraq,2527 || cve,2001-0590 +1 || 2101058 || 7 || web-application-attack || 0 || GPL DELETED xp_enumdsn attempt +1 || 2101059 || 7 || web-application-attack || 0 || GPL EXPLOIT xp_filelist attempt +1 || 2101060 || 8 || web-application-attack || 0 || GPL DELETED xp_availablemedia attempt +1 || 2101061 || 7 || web-application-attack || 0 || GPL DELETED xp_cmdshell attempt +1 || 2101069 || 7 || web-application-activity || 0 || GPL DELETED xp_regread attempt +1 || 2101071 || 8 || web-application-attack || 0 || GPL WEB_SERVER .htpasswd access +1 || 2101099 || 9 || web-application-activity || 0 || GPL SCAN cybercop scan || arachnids,374 +1 || 2101102 || 10 || web-application-attack || 0 || GPL SCAN nessus 1.X 404 probe || arachnids,301 +1 || 2101108 || 13 || attempted-recon || 0 || GPL WEB_SERVER Tomcat server snoop access || bugtraq,1532 || cve,2000-0760 +1 || 2101110 || 12 || attempted-recon || 0 || GPL WEB_SERVER apache source.asp file access || bugtraq,1457 || cve,2000-0628 || nessus,10480 +1 || 2101111 || 13 || attempted-recon || 0 || GPL EXPLOIT Tomcat server exploit access || bugtraq,1548 || cve,2000-0672 || nessus,10477 +1 || 2101118 || 7 || attempted-recon || 0 || GPL WEB_SERVER ls%20-l +1 || 2101122 || 8 || attempted-recon || 0 || GPL WEB_SERVER /etc/passwd +1 || 2101129 || 8 || attempted-recon || 0 || GPL WEB_SERVER .htaccess access +1 || 2101132 || 9 || attempted-recon || 0 || GPL DELETED Netscape Unixware overflow || arachnids,180 || bugtraq,908 || cve,1999-0744 +1 || 2101133 || 13 || attempted-recon || 0 || GPL SCAN cybercop os probe || arachnids,145 +1 || 2101139 || 8 || attempted-recon || 0 || GPL SCAN whisker HEAD/./ || url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html +1 || 2101145 || 10 || attempted-recon || 0 || GPL WEB_SERVER /~root access +1 || 2101156 || 12 || attempted-dos || 0 || GPL WEB_SERVER apache directory disclosure attempt || bugtraq,2503 +1 || 2101193 || 13 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt || bugtraq,1053 || cve,2000-0169 || nessus,10348 +1 || 2101199 || 13 || web-application-attack || 0 || GPL WEB_SERVER Compaq Insight directory traversal || arachnids,244 || bugtraq,282 || cve,1999-0771 +1 || 2101200 || 12 || attempted-recon || 0 || GPL ATTACK_RESPONSE Invalid URL || url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx +1 || 2101201 || 10 || attempted-recon || 0 || GPL WEB_SERVER 403 Forbidden +1 || 2101228 || 8 || attempted-recon || 0 || GPL SCAN nmap XMAS || arachnids,30 +1 || 2101229 || 8 || bad-unknown || 0 || GPL FTP CWD ... || bugtraq,9237 +1 || 2101236 || 9 || attempted-recon || 0 || GPL WEB_SERVER Tomcat sourcecode view attempt 3 +1 || 2101237 || 8 || attempted-recon || 0 || GPL WEB_SERVER Tomcat sourcecode view attempt 2 +1 || 2101238 || 7 || attempted-recon || 0 || GPL WEB_SERVER Tomcat sourcecode view attempt 1 +1 || 2101239 || 10 || attempted-recon || 0 || GPL NETBIOS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 || nessus,10392 +1 || 2101242 || 13 || web-application-activity || 0 || GPL EXPLOIT ISAPI .ida access || arachnids,552 || bugtraq,1065 || cve,2000-0071 +1 || 2101243 || 13 || web-application-attack || 0 || GPL EXPLOIT ISAPI .ida attempt || arachnids,552 || bugtraq,1065 || cve,2000-0071 +1 || 2101244 || 16 || web-application-attack || 0 || GPL EXPLOIT ISAPI .idq attempt || arachnids,553 || bugtraq,1065 || bugtraq,968 || cve,2000-0071 || cve,2000-0126 || nessus,10115 +1 || 2101245 || 12 || web-application-activity || 0 || GPL EXPLOIT ISAPI .idq access || arachnids,553 || bugtraq,1065 || cve,2000-0071 +1 || 2101251 || 9 || bad-unknown || 0 || GPL TELNET Bad Login +1 || 2101256 || 10 || web-application-attack || 0 || GPL EXPLOIT CodeRed v2 root.exe access || url,www.cert.org/advisories/CA-2001-19.html +1 || 2101261 || 12 || attempted-user || 0 || GPL EXPLOIT AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 || cve,1999-0745 +1 || 2101262 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap admind request TCP || arachnids,18 +1 || 2101263 || 12 || rpc-portmap-decode || 0 || GPL RPC portmap amountd request TCP || arachnids,19 +1 || 2101264 || 14 || rpc-portmap-decode || 0 || GPL RPC portmap bootparam request TCP || arachnids,16 || cve,1999-0647 +1 || 2101265 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap cmsd request TCP || arachnids,17 +1 || 2101267 || 12 || rpc-portmap-decode || 0 || GPL RPC portmap nisd request TCP || arachnids,21 +1 || 2101268 || 13 || rpc-portmap-decode || 0 || GPL RPC portmap pcnfsd request TCP || arachnids,22 +1 || 2101269 || 11 || rpc-portmap-decode || 0 || GPL RPC portmap rexd request TCP || arachnids,23 +1 || 2101270 || 12 || rpc-portmap-decode || 0 || GPL RPC portmap rstatd request TCP || arachnids,10 +1 || 2101271 || 15 || rpc-portmap-decode || 0 || GPL RPC portmap rusers request TCP || arachnids,133 || cve,1999-0626 +1 || 2101272 || 11 || rpc-portmap-decode || 0 || GPL RPC portmap sadmind request TCP || arachnids,20 +1 || 2101273 || 11 || rpc-portmap-decode || 0 || GPL RPC portmap selection_svc request TCP || arachnids,25 +1 || 2101274 || 19 || rpc-portmap-decode || 0 || GPL RPC portmap ttdbserv request TCP || arachnids,24 || bugtraq,122 || bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 || cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html +1 || 2101275 || 11 || rpc-portmap-decode || 0 || GPL RPC portmap yppasswd request TCP || arachnids,14 +1 || 2101276 || 15 || rpc-portmap-decode || 0 || GPL RPC portmap ypserv request TCP || arachnids,12 || bugtraq,5914 || bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232 +1 || 2101277 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap ypupdated request UDP +1 || 2101279 || 15 || rpc-portmap-decode || 0 || GPL RPC portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || url,www.cert.org/advisories/CA-2001-05.html +1 || 2101280 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap listing UDP 111 || arachnids,428 +1 || 2101281 || 9 || rpc-portmap-decode || 0 || GPL RPC portmap listing UDP 32771 +1 || 2101285 || 10 || web-application-activity || 0 || GPL WEB_SERVER msdac access || nessus,11032 +1 || 2101288 || 12 || web-application-activity || 0 || GPL WEB_SERVER /_vti_bin/ access || nessus,11032 +1 || 2101289 || 5 || successful-admin || 0 || GPL TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html +1 || 2101292 || 10 || bad-unknown || 0 || GPL ATTACK_RESPONSE directory listing +1 || 2101311 || 9 || policy-violation || 0 || GPL INAPPROPRIATE hardcore anal +1 || 2101313 || 11 || policy-violation || 0 || GPL INAPPROPRIATE up skirt +1 || 2101315 || 9 || policy-violation || 0 || GPL INAPPROPRIATE hot young sex +1 || 2101316 || 9 || policy-violation || 0 || GPL INAPPROPRIATE fuck fuck fuck +1 || 2101317 || 9 || policy-violation || 0 || GPL INAPPROPRIATE anal sex +1 || 2101318 || 9 || policy-violation || 0 || GPL INAPPROPRIATE hardcore rape +1 || 2101320 || 9 || policy-violation || 0 || GPL INAPPROPRIATE fuck movies +1 || 2101321 || 9 || misc-activity || 0 || GPL MISC 0 ttl || url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268 || url,www.isi.edu/in-notes/rfc1122.txt +1 || 2101323 || 7 || misc-attack || 0 || GPL MISC rwhoisd format string attempt || bugtraq,3474 || cve,2001-0838 +1 || 2101324 || 7 || shellcode-detect || 0 || GPL SHELLCODE ssh CRC32 overflow /bin/sh || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 +1 || 2101326 || 7 || shellcode-detect || 0 || GPL SHELLCODE ssh CRC32 overflow NOOP || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 +1 || 2101327 || 8 || shellcode-detect || 0 || GPL EXPLOIT ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 +1 || 2101328 || 9 || web-application-attack || 0 || GPL WEB_SERVER /bin/ps command attempt +1 || 2101332 || 8 || web-application-attack || 0 || GPL WEB_SERVER /usr/bin/id command attempt +1 || 2101334 || 9 || web-application-attack || 0 || GPL EXPLOIT echo command attempt +1 || 2101340 || 8 || web-application-attack || 0 || GPL EXPLOIT tftp command attempt +1 || 2101349 || 7 || web-application-attack || 0 || GPL WEB_SERVER bin/python access attempt +1 || 2101350 || 10 || web-application-attack || 0 || GPL WEB_SERVER python access attempt +1 || 2101355 || 8 || web-application-attack || 0 || GPL WEB_SERVER /usr/bin/perl execution attempt +1 || 2101368 || 9 || web-application-attack || 0 || GPL WEB_SERVER /bin/ls| command attempt +1 || 2101369 || 8 || web-application-attack || 0 || GPL WEB_SERVER /bin/ls command attempt +1 || 2101370 || 8 || web-application-activity || 0 || GPL WEB_SERVER /etc/inetd.conf access +1 || 2101371 || 7 || web-application-activity || 0 || GPL WEB_SERVER /etc/motd access +1 || 2101372 || 7 || web-application-activity || 0 || GPL DELETED /etc/shadow access +1 || 2101377 || 17 || misc-attack || 0 || GPL FTP wu-ftp bad file completion attempt || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 +1 || 2101378 || 17 || misc-attack || 0 || GPL FTP wu-ftp bad file completion attempt with brace || bugtraq,3581 || bugtraq,3707 || cve,2001-0550 || cve,2001-0886 +1 || 2101379 || 13 || attempted-admin || 0 || GPL FTP STAT overflow attempt || bugtraq,3507 || bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || url,labs.defcom.com/adv/2001/def-2001-31.txt +1 || 2101384 || 9 || misc-attack || 0 || GPL MISC UPnP malformed advertisement || bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx +1 || 2101388 || 14 || misc-attack || 0 || GPL MISC UPnP Location overflow || bugtraq,3723 || cve,2001-0876 +1 || 2101390 || 6 || shellcode-detect || 0 || GPL SHELLCODE x86 inc ebx NOOP +1 || 2101393 || 13 || misc-attack || 0 || GPL DELETED AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/ +1 || 2101398 || 11 || misc-attack || 0 || GPL EXPLOIT CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || url,www.cert.org/advisories/CA-2002-01.html +1 || 2101401 || 10 || web-application-attack || 0 || GPL EXPLOIT /msadc/samples/ access || bugtraq,167 || cve,1999-0736 || nessus,1007 +1 || 2101402 || 8 || web-application-attack || 0 || GPL EXPLOIT iissamples access || nessus,11032 +1 || 2101403 || 11 || web-application-attack || 0 || GPL WEB_SERVER viewcode access || cve,1999-0737 || nessus,10576 || nessus,12048 +1 || 2101409 || 11 || misc-attack || 0 || GPL SNMP SNMP community string buffer overflow attempt || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html +1 || 2101411 || 12 || attempted-recon || 0 || GPL SNMP public access udp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 +1 || 2101412 || 14 || attempted-recon || 0 || GPL SNMP public access tcp || bugtraq,2112 || bugtraq,4088 || bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013 +1 || 2101413 || 11 || attempted-recon || 0 || GPL SNMP private access udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013 +1 || 2101414 || 12 || attempted-recon || 0 || GPL SNMP private access tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1 || 2101415 || 10 || attempted-recon || 0 || GPL SNMP Broadcast request || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1 || 2101416 || 10 || attempted-recon || 0 || GPL SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1 || 2101417 || 11 || attempted-recon || 0 || GPL SNMP request udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1 || 2101418 || 13 || attempted-recon || 0 || GPL SNMP request tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1 || 2101419 || 10 || attempted-recon || 0 || GPL SNMP trap udp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1 || 2101420 || 12 || attempted-recon || 0 || GPL SNMP trap tcp || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 +1 || 2101422 || 11 || misc-attack || 0 || GPL SNMP community string buffer overflow attempt with evasion || bugtraq,4088 || bugtraq,4089 || bugtraq,4132 || cve,2002-0012 || cve,2002-0013 || url,www.cert.org/advisories/CA-2002-03.html +1 || 2101424 || 8 || shellcode-detect || 0 || GPL SHELLCODE x86 0xEB0C NOOP +1 || 2101427 || 5 || misc-attack || 0 || GPL SNMP PROTOS test-suite-trap-app attempt || url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html +1 || 2101432 || 7 || policy-violation || 0 || GPL P2P GNUTella client request +1 || 2101435 || 8 || attempted-recon || 0 || GPL DNS named authors attempt || arachnids,480 || nessus,10728 +1 || 2101437 || 13 || policy-violation || 0 || GPL POLICY Windows Media download +1 || 2101438 || 14 || policy-violation || 0 || GPL POLICY Windows Media Video download +1 || 2101441 || 5 || successful-admin || 0 || GPL TFTP GET nc.exe +1 || 2101442 || 5 || successful-admin || 0 || GPL TFTP GET shadow +1 || 2101443 || 5 || successful-admin || 0 || GPL TFTP GET passwd +1 || 2101444 || 4 || bad-unknown || 0 || GPL TFTP Get +1 || 2101445 || 7 || suspicious-filename-detect || 0 || GPL FTP FTP file_id.diz access possible warez site +1 || 2101446 || 7 || attempted-recon || 0 || GPL SMTP vrfy root +1 || 2101447 || 14 || protocol-command-decode || 0 || GPL POLICY MS Remote Desktop Request RDP || bugtraq,3099 || cve,2001-0540 || url,www.microsoft.com/technet/security/bulletin/MS01-040.mspx +1 || 2101449 || 9 || misc-activity || 0 || GPL FTP FTP anonymous ftp login attempt +1 || 2101450 || 6 || misc-attack || 0 || GPL SMTP expn *@ || cve,1999-1200 +1 || 2101487 || 12 || web-application-activity || 0 || GPL EXPLOIT /iisadmpwd/aexp2.htr access || bugtraq,2110 || bugtraq,4236 || cve,1999-0407 || cve,2002-0421 || nessus,10371 +1 || 2101489 || 10 || web-application-attack || 0 || GPL WEB_SERVER /~nobody access || nessus,10484 +1 || 2101504 || 7 || misc-activity || 0 || GPL POLICY AFS access || nessus,10441 +1 || 2101519 || 11 || web-application-activity || 0 || GPL WEB_SERVER apache ?M=D directory list attempt || bugtraq,3009 || cve,2001-0731 +1 || 2101529 || 12 || attempted-admin || 0 || GPL FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770 +1 || 2101530 || 14 || attempted-admin || 0 || GPL FTP format string attempt || nessus,10452 || bugtraq,1387 || bugtraq,2240 || bugtraq,726 || cve,2000-0573 || cve,1999-0997 +1 || 2101538 || 14 || attempted-admin || 0 || GPL MISC AUTHINFO USER overflow attempt || arachnids,274 || bugtraq,1156 || cve,2000-0341 +1 || 2101541 || 6 || attempted-recon || 0 || GPL SCAN Finger Version Query +1 || 2101562 || 13 || attempted-admin || 0 || GPL FTP SITE CHOWN overflow attempt || bugtraq,2120 || cve,2001-0065 +1 || 2101603 || 13 || web-application-activity || 0 || GPL WEB_SERVER DELETE attempt || nessus,10498 +1 || 2101610 || 13 || web-application-attack || 0 || GPL EXPLOIT formmail arbitrary command execution attempt || arachnids,226 || bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 || nessus,10076 || nessus,10782 +1 || 2101616 || 9 || attempted-recon || 0 || GPL DNS named version attempt || nessus,10028 +1 || 2101620 || 7 || non-standard-protocol || 0 || GPL POLICY TRAFFIC Non-Standard IP protocol +1 || 2101621 || 12 || attempted-admin || 0 || GPL FTP CMD overflow attempt +1 || 2101622 || 7 || misc-attack || 0 || GPL FTP RNFR ././ attempt +1 || 2101623 || 7 || protocol-command-decode || 0 || GPL FTP invalid MODE +1 || 2101624 || 9 || protocol-command-decode || 0 || GPL FTP large PWD command +1 || 2101625 || 8 || protocol-command-decode || 0 || GPL FTP large SYST command +1 || 2101627 || 4 || non-standard-protocol || 0 || GPL MISC Unassigned/Reserved IP protocol || url,www.iana.org/assignments/protocol-numbers +1 || 2101631 || 9 || policy-violation || 0 || GPL CHAT AIM login +1 || 2101632 || 7 || policy-violation || 0 || GPL CHAT AIM send message +1 || 2101633 || 7 || policy-violation || 0 || GPL CHAT AIM receive message +1 || 2101634 || 15 || attempted-admin || 0 || GPL POP3 POP3 PASS overflow attempt || bugtraq,791 || cve,1999-1511 || nessus,10325 +1 || 2101635 || 14 || attempted-admin || 0 || GPL POP3 APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559 +1 || 2101638 || 6 || network-scan || 0 || GPL SCAN SSH Version map attempt +1 || 2101639 || 11 || policy-violation || 0 || GPL CHAT IRC DCC file transfer request +1 || 2101640 || 10 || policy-violation || 0 || GPL CHAT IRC DCC chat request +1 || 2101649 || 10 || attempted-recon || 0 || GPL WEB_SERVER perl command attempt || arachnids,219 || cve,1999-0509 || nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html +1 || 2101661 || 5 || web-application-attack || 0 || GPL EXPLOIT cmd32.exe access +1 || 2101662 || 8 || attempted-recon || 0 || GPL WEB_SERVER /~ftp access +1 || 2101666 || 7 || bad-unknown || 0 || GPL ATTACK_RESPONSE index of /cgi-bin/ response || nessus,10039 +1 || 2101672 || 12 || denial-of-service || 0 || GPL FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 || cve,2001-0421 +1 || 2101673 || 4 || system-call-detect || 0 || GPL SQL EXECUTE_SYSTEM attempt +1 || 2101674 || 6 || protocol-command-decode || 0 || GPL SQL connect_data remote version detection attempt +1 || 2101675 || 7 || suspicious-login || 0 || GPL SQL Oracle misparsed login response +1 || 2101698 || 5 || protocol-command-decode || 0 || GPL SQL execute_system attempt +1 || 2101699 || 11 || policy-violation || 0 || GPL P2P Fastrack kazaa/morpheus traffic || url,www.kazaa.com +1 || 2101728 || 9 || denial-of-service || 0 || GPL FTP CWD ~<CR><NEWLINE> attempt || bugtraq,2601 || cve,2001-0421 +1 || 2101729 || 10 || policy-violation || 0 || GPL CHAT IRC Channel join +1 || 2101732 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap rwalld request UDP +1 || 2101733 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap rwalld request TCP +1 || 2101734 || 32 || attempted-admin || 0 || GPL FTP USER overflow attempt || bugtraq,10078 || bugtraq,1227 || bugtraq,1504 || bugtraq,1690 || bugtraq,4638 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 || cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 || cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1035 || cve,2000-1194 || cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 || cve,2002-1522 || cve,2003-0271 || cve,2004-0286 +1 || 2101735 || 8 || web-application-attack || 0 || GPL WEB_CLIENT XMLHttpRequest attempt || bugtraq,4628 || cve,2002-0354 +1 || 2101738 || 8 || web-application-attack || 0 || GPL WEB_SERVER global.inc access || bugtraq,4612 || cve,2002-0614 +1 || 2101746 || 12 || rpc-portmap-decode || 0 || GPL RPC portmap cachefsd request UDP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084 +1 || 2101747 || 12 || rpc-portmap-decode || 0 || GPL RPC portmap cachefsd request TCP || bugtraq,4674 || cve,2002-0033 || cve,2002-0084 +1 || 2101748 || 10 || protocol-command-decode || 0 || GPL FTP command overflow attempt || bugtraq,4638 || cve,2002-0606 +1 || 2101751 || 8 || misc-attack || 0 || GPL EXPLOIT cachefsd buffer overflow attempt || bugtraq,4631 || cve,2002-0084 || nessus,10951 +1 || 2101752 || 6 || misc-attack || 0 || GPL DELETED AIM AddExternalApp attempt || url,www.w00w00.org/files/w00aimexp/ +1 || 2101755 || 15 || misc-attack || 0 || GPL IMAP partial body buffer overflow attempt || bugtraq,4713 || cve,2002-0379 +1 || 2101759 || 6 || attempted-user || 0 || GPL EXPLOIT xp_cmdshell program execution 445 +1 || 2101771 || 7 || protocol-command-decode || 0 || GPL POLICY IPSec PGPNet connection attempt +1 || 2101775 || 4 || protocol-command-decode || 0 || GPL SQL MYSQL root login attempt +1 || 2101776 || 4 || protocol-command-decode || 0 || GPL SQL MYSQL show databases attempt +1 || 2101777 || 11 || attempted-dos || 0 || GPL FTP STAT * dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx +1 || 2101778 || 11 || attempted-dos || 0 || GPL FTP STAT ? dos attempt || bugtraq,4482 || cve,2002-0073 || nessus,10934 || url,www.microsoft.com/technet/security/bulletin/MS02-018.mspx +1 || 2101779 || 5 || denial-of-service || 0 || GPL FTP CWD .... attempt || bugtraq,4884 +1 || 2101780 || 10 || misc-attack || 0 || GPL IMAP EXPLOIT partial body overflow attempt || bugtraq,4713 || cve,2002-0379 +1 || 2101792 || 10 || protocol-command-decode || 0 || GPL MISC return code buffer overflow attempt || bugtraq,4900 || cve,2002-0909 +1 || 2101808 || 7 || web-application-activity || 0 || GPL EXPLOIT apache chunked encoding memory corruption exploit attempt || bugtraq,5033 || cve,2002-0392 +1 || 2101809 || 10 || web-application-attack || 0 || GPL WEB_SERVER Apache Chunked-Encoding worm attempt || bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 || cve,2002-0392 +1 || 2101817 || 8 || web-application-attack || 0 || GPL WEB_SERVER MS Site Server default login attempt || nessus,11018 +1 || 2101818 || 5 || web-application-attack || 0 || GPL WEB_SERVER MS Site Server admin attempt || nessus,11018 +1 || 2101821 || 9 || system-call-detect || 0 || GPL EXPLOIT LPD dvips remote command execution attempt || bugtraq,3241 || cve,2001-1002 || nessus,11023 +1 || 2101833 || 6 || policy-violation || 0 || GPL INAPPROPRIATE naked lesbians +1 || 2101837 || 6 || policy-violation || 0 || GPL INAPPROPRIATE alt.binaries.pictures.tinygirls +1 || 2101838 || 9 || misc-attack || 0 || GPL EXPLOIT SSH server banner overflow || bugtraq,5287 || cve,2002-1059 +1 || 2101840 || 9 || attempted-user || 0 || GPL WEB_CLIENT Javascript document.domain attempt || bugtraq,5346 || cve,2002-0815 +1 || 2101842 || 16 || attempted-user || 0 || GPL IMAP login buffer overflow attempt || bugtraq,13727 || bugtraq,502 || cve,1999-0005 || cve,1999-1557 || cve,2005-1255 || nessus,10123 || cve,2007-2795 || nessus,10125 +1 || 2101844 || 12 || misc-attack || 0 || GPL IMAP authenticate overflow attempt || bugtraq,12995 || bugtraq,130 || cve,1999-0005 || cve,1999-0042 || nessus,10292 +1 || 2101845 || 16 || misc-attack || 0 || GPL IMAP list literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1 || 2101846 || 5 || misc-activity || 0 || GPL POLICY vncviewer Java applet download attempt || nessus,10758 +1 || 2101847 || 12 || web-application-activity || 0 || GPL WEB_SERVER webalizer access || bugtraq,3473 || cve,2001-0835 || nessus,10816 +1 || 2101852 || 5 || web-application-activity || 0 || GPL WEB_SERVER robots.txt access || nessus,10302 +1 || 2101857 || 5 || web-application-activity || 0 || GPL WEB_SERVER robot.txt access || nessus,10302 +1 || 2101859 || 7 || default-login-attempt || 0 || GPL POLICY Sun JavaServer default password login attempt || cve,1999-0508 || nessus,10995 +1 || 2101860 || 9 || default-login-attempt || 0 || GPL POLICY Linksys router default password login attempt || nessus,10999 +1 || 2101861 || 12 || default-login-attempt || 0 || GPL POLICY Linksys router default username and password login attempt || nessus,10999 +1 || 2101864 || 9 || attempted-dos || 0 || GPL FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319 +1 || 2101866 || 14 || attempted-admin || 0 || GPL POP3 USER overflow attempt || bugtraq,11256 || bugtraq,789 || cve,1999-0494 || nessus,10311 +1 || 2101867 || 2 || attempted-recon || 0 || GPL RPC xdmcp info query || nessus,10891 +1 || 2101874 || 5 || web-application-activity || 0 || GPL WEB_SERVER Oracle Java Process Manager access || nessus,10851 +1 || 2101882 || 11 || bad-unknown || 0 || GPL ATTACK_RESPONSE id check returned userid +1 || 2101883 || 7 || bad-unknown || 0 || GPL ATTACK_RESPONSE id check returned nobody +1 || 2101884 || 8 || bad-unknown || 0 || GPL ATTACK_RESPONSE id check returned web +1 || 2101885 || 7 || bad-unknown || 0 || GPL ATTACK_RESPONSE id check returned http +1 || 2101886 || 7 || bad-unknown || 0 || GPL ATTACK_RESPONSE id check returned apache +1 || 2101888 || 9 || misc-attack || 0 || GPL FTP SITE CPWD overflow attempt || bugtraq,5427 || cve,2002-0826 +1 || 2101891 || 9 || misc-attack || 0 || GPL RPC status GHBN format string attack || bugtraq,1480 || cve,2000-0666 +1 || 2101892 || 7 || misc-attack || 0 || GPL SNMP null community string attempt || bugtraq,2112 || bugtraq,8974 || cve,1999-0517 +1 || 2101893 || 5 || misc-attack || 0 || GPL SNMP missing community string attempt || bugtraq,2112 || cve,1999-0517 +1 || 2101894 || 9 || shellcode-detect || 0 || GPL EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1 || 2101895 || 9 || shellcode-detect || 0 || GPL EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1 || 2101896 || 9 || shellcode-detect || 0 || GPL EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1 || 2101897 || 9 || shellcode-detect || 0 || GPL EXPLOIT kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1 || 2101898 || 9 || shellcode-detect || 0 || GPL EXPLOIT kadmind buffer overflow attempt 2 || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1 || 2101899 || 9 || shellcode-detect || 0 || GPL EXPLOIT kadmind buffer overflow attempt 3 || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1 || 2101900 || 11 || successful-admin || 0 || GPL EXPLOIT successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1 || 2101901 || 11 || successful-admin || 0 || GPL EXPLOIT successful kadmind buffer overflow attempt || bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 || url,www.kb.cert.org/vuls/id/875073 +1 || 2101902 || 10 || misc-attack || 0 || GPL IMAP lsub literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1 || 2101903 || 9 || misc-attack || 0 || GPL IMAP rename overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1 || 2101904 || 8 || misc-attack || 0 || GPL IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1 || 2101907 || 11 || attempted-admin || 0 || GPL RPC CMSD UDP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696 +1 || 2101908 || 10 || attempted-admin || 0 || GPL RPC CMSD TCP CMSD_CREATE buffer overflow attempt || bugtraq,524 || cve,1999-0696 +1 || 2101909 || 13 || misc-attack || 0 || GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt || bugtraq,524 || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html +1 || 2101912 || 10 || attempted-admin || 0 || GPL RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977 +1 || 2101913 || 11 || attempted-admin || 0 || GPL RPC STATD UDP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 +1 || 2101914 || 11 || attempted-admin || 0 || GPL RPC STATD TCP stat mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 +1 || 2101915 || 10 || attempted-admin || 0 || GPL RPC STATD UDP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 +1 || 2101916 || 10 || attempted-admin || 0 || GPL RPC STATD TCP monitor mon_name format string exploit attempt || bugtraq,1480 || cve,2000-0666 +1 || 2101917 || 7 || network-scan || 0 || GPL MISC UPnP service discover attempt +1 || 2101918 || 7 || network-scan || 0 || GPL SCAN SolarWinds IP scan attempt +1 || 2101919 || 24 || attempted-admin || 0 || GPL FTP CWD overflow attempt || bugtraq,11069 || bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 || bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 || cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 || cve,2002-0405 +1 || 2101920 || 8 || attempted-admin || 0 || GPL FTP SITE NEWER overflow attempt || bugtraq,229 || cve,1999-0800 +1 || 2101921 || 7 || attempted-admin || 0 || GPL FTP SITE ZIPCHK overflow attempt || cve,2000-0040 +1 || 2101922 || 7 || rpc-portmap-decode || 0 || GPL RPC portmap proxy attempt TCP +1 || 2101923 || 7 || rpc-portmap-decode || 0 || GPL RPC portmap proxy attempt UDP +1 || 2101924 || 8 || attempted-recon || 0 || GPL RPC mountd UDP export request +1 || 2101925 || 7 || attempted-recon || 0 || GPL RPC mountd TCP exportall request || arachnids,26 +1 || 2101926 || 8 || attempted-recon || 0 || GPL RPC mountd UDP exportall request +1 || 2101927 || 6 || suspicious-filename-detect || 0 || GPL FTP authorized_keys file transfered +1 || 2101928 || 7 || suspicious-filename-detect || 0 || GPL FTP shadow retrieval attempt +1 || 2101930 || 7 || misc-attack || 0 || GPL DELETED auth literal overflow attempt || cve,1999-0005 +1 || 2101934 || 11 || attempted-admin || 0 || GPL DELETED FOLD overflow attempt || bugtraq,283 || cve,1999-0920 || nessus,10130 +1 || 2101935 || 6 || misc-attack || 0 || GPL DELETED FOLD arbitrary file attempt +1 || 2101936 || 9 || attempted-admin || 0 || GPL POP3 AUTH overflow attempt || bugtraq,830 || cve,1999-0822 || nessus,10184 +1 || 2101937 || 8 || attempted-admin || 0 || GPL POP3 LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197 +1 || 2101938 || 5 || attempted-admin || 0 || GPL POP3 XTND overflow attempt +1 || 2101939 || 5 || misc-activity || 0 || GPL MISC bootp hardware address length overflow || cve,1999-0798 +1 || 2101940 || 4 || misc-activity || 0 || GPL MISC bootp invalid hardware type || cve,1999-0798 +1 || 2101941 || 10 || attempted-admin || 0 || GPL TFTP GET filename overflow attempt || bugtraq,5328 || cve,2002-0813 +1 || 2101942 || 7 || attempted-admin || 0 || GPL FTP RMDIR overflow attempt || bugtraq,819 +1 || 2101945 || 8 || web-application-attack || 0 || GPL WEB_SERVER unicode directory traversal attempt || bugtraq,1806 || cve,2000-0884 || nessus,10537 +1 || 2101948 || 8 || attempted-recon || 0 || GPL DNS zone transfer UDP || cve,1999-0532 || nessus,10595 +1 || 2101949 || 6 || rpc-portmap-decode || 0 || GPL RPC portmap SET attempt TCP 111 +1 || 2101950 || 6 || rpc-portmap-decode || 0 || GPL RPC portmap SET attempt UDP 111 +1 || 2101951 || 6 || attempted-recon || 0 || GPL RPC mountd TCP mount request +1 || 2101952 || 6 || attempted-recon || 0 || GPL RPC mountd UDP mount request +1 || 2101957 || 6 || attempted-admin || 0 || GPL RPC sadmind UDP PING || bugtraq,866 +1 || 2101958 || 6 || attempted-admin || 0 || GPL RPC sadmind TCP PING || bugtraq,866 +1 || 2101959 || 8 || rpc-portmap-decode || 0 || GPL RPC portmap NFS request UDP +1 || 2101960 || 8 || rpc-portmap-decode || 0 || GPL RPC portmap NFS request TCP +1 || 2101961 || 8 || rpc-portmap-decode || 0 || GPL RPC portmap RQUOTA request UDP +1 || 2101962 || 8 || rpc-portmap-decode || 0 || GPL RPC portmap RQUOTA request TCP +1 || 2101963 || 10 || misc-attack || 0 || GPL RPC RQUOTA getquota overflow attempt UDP || bugtraq,864 || cve,1999-0974 +1 || 2101964 || 9 || misc-attack || 0 || GPL RPC tooltalk UDP overflow attempt || bugtraq,122 || cve,1999-0003 +1 || 2101965 || 9 || misc-attack || 0 || GPL RPC tooltalk TCP overflow attempt || bugtraq,122 || cve,1999-0003 +1 || 2101971 || 5 || bad-unknown || 0 || GPL FTP SITE EXEC format string attempt +1 || 2101972 || 18 || attempted-admin || 0 || GPL FTP PASS overflow attempt || bugtraq,10078 || bugtraq,10720 || bugtraq,1690 || bugtraq,3884 || bugtraq,8601 || bugtraq,9285 || cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 || cve,2002-0895 +1 || 2101973 || 11 || attempted-admin || 0 || GPL FTP MKD overflow attempt || bugtraq,612 || bugtraq,7278 || bugtraq,9872 || cve,1999-0911 || nessus,12108 +1 || 2101974 || 7 || attempted-admin || 0 || GPL FTP REST overflow attempt || bugtraq,2972 || cve,2001-0826 +1 || 2101975 || 9 || attempted-admin || 0 || GPL FTP DELE overflow attempt || bugtraq,2972 || cve,2001-0826 || cve,2001-1021 +1 || 2101976 || 10 || attempted-admin || 0 || GPL FTP RMD overflow attempt || bugtraq,2972 || cve,2000-0133 || cve,2001-0826 || cve,2001-1021 +1 || 2101979 || 6 || web-application-attack || 0 || GPL WEB_SERVER perl post attempt || bugtraq,5520 || cve,2002-1436 || nessus,11158 +1 || 2101986 || 7 || policy-violation || 0 || GPL CHAT MSN outbound file transfer request +1 || 2101987 || 8 || misc-activity || 0 || GPL EXPLOIT xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188 +1 || 2101988 || 6 || policy-violation || 0 || GPL CHAT MSN outbound file transfer accept +1 || 2101989 || 7 || policy-violation || 0 || GPL CHAT MSN outbound file transfer rejected +1 || 2101990 || 2 || policy-violation || 0 || GPL CHAT MSN user search +1 || 2101991 || 3 || policy-violation || 0 || GPL CHAT MSN login attempt +1 || 2101992 || 10 || protocol-command-decode || 0 || GPL FTP LIST directory traversal attempt || bugtraq,2618 || cve,2001-0680 || cve,2002-1054 || nessus,11112 +1 || 2101993 || 5 || misc-attack || 0 || GPL IMAP login literal buffer overflow attempt || bugtraq,6298 +1 || 2102003 || 9 || misc-attack || 0 || GPL SQL Slammer Worm propagation attempt || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm +1 || 2102004 || 8 || misc-attack || 0 || GPL WORM Slammer Worm propagation attempt OUTBOUND || bugtraq,5310 || bugtraq,5311 || cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm +1 || 2102005 || 11 || rpc-portmap-decode || 0 || GPL RPC portmap kcms_server request UDP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 +1 || 2102006 || 11 || rpc-portmap-decode || 0 || GPL RPC portmap kcms_server request TCP || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 +1 || 2102007 || 11 || misc-attack || 0 || GPL RPC kcms_server directory traversal attempt || bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785 +1 || 2102008 || 5 || misc-attack || 0 || GPL MISC CVS invalid user authentication response +1 || 2102009 || 3 || misc-attack || 0 || GPL MISC CVS invalid repository response +1 || 2102010 || 5 || misc-attack || 0 || GPL MISC CVS double free exploit attempt response || bugtraq,6650 || cve,2003-0015 +1 || 2102011 || 5 || misc-attack || 0 || GPL MISC CVS invalid directory response || bugtraq,6650 || cve,2003-0015 +1 || 2102012 || 3 || misc-attack || 0 || GPL MISC CVS missing cvsroot response +1 || 2102013 || 3 || misc-attack || 0 || GPL MISC CVS invalid module response +1 || 2102014 || 6 || rpc-portmap-decode || 0 || GPL RPC portmap UNSET attempt TCP 111 || bugtraq,1892 +1 || 2102015 || 6 || rpc-portmap-decode || 0 || GPL RPC portmap UNSET attempt UDP 111 || bugtraq,1892 +1 || 2102016 || 7 || rpc-portmap-decode || 0 || GPL RPC portmap status request TCP || arachnids,15 +1 || 2102017 || 13 || rpc-portmap-decode || 0 || GPL RPC portmap espd request UDP || bugtraq,2714 || cve,2001-0331 +1 || 2102018 || 5 || attempted-recon || 0 || GPL RPC mountd TCP dump request +1 || 2102019 || 5 || attempted-recon || 0 || GPL RPC mountd UDP dump request +1 || 2102020 || 5 || attempted-recon || 0 || GPL RPC mountd TCP unmount request +1 || 2102021 || 5 || attempted-recon || 0 || GPL RPC mountd UDP unmount request +1 || 2102022 || 5 || attempted-recon || 0 || GPL RPC mountd TCP unmountall request +1 || 2102025 || 10 || rpc-portmap-decode || 0 || GPL RPC yppasswd username overflow attempt UDP || bugtraq,2763 || cve,2001-0779 +1 || 2102026 || 10 || rpc-portmap-decode || 0 || GPL RPC yppasswd username overflow attempt TCP || bugtraq,2763 || cve,2001-0779 +1 || 2102027 || 7 || rpc-portmap-decode || 0 || GPL RPC yppasswd old password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 +1 || 2102028 || 7 || rpc-portmap-decode || 0 || GPL RPC yppasswd old password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 +1 || 2102029 || 7 || rpc-portmap-decode || 0 || GPL RPC yppasswd new password overflow attempt UDP || bugtraq,2763 || cve,2001-0779 +1 || 2102030 || 8 || rpc-portmap-decode || 0 || GPL RPC yppasswd new password overflow attempt TCP || bugtraq,2763 || cve,2001-0779 +1 || 2102031 || 8 || rpc-portmap-decode || 0 || GPL RPC yppasswd user update UDP || bugtraq,2763 || cve,2001-0779 +1 || 2102032 || 7 || rpc-portmap-decode || 0 || GPL RPC yppasswd user update TCP || bugtraq,2763 || cve,2001-0779 +1 || 2102033 || 9 || rpc-portmap-decode || 0 || GPL RPC ypserv maplist request UDP || bugtraq,5914 || bugtraq,6016 || cve,2002-1232 +1 || 2102034 || 8 || rpc-portmap-decode || 0 || GPL DELETED ypserv maplist request TCP || Cve,CAN-2002-1232 || bugtraq,5914 || bugtraq,6016 +1 || 2102035 || 7 || rpc-portmap-decode || 0 || GPL RPC portmap network-status-monitor request UDP +1 || 2102036 || 7 || rpc-portmap-decode || 0 || GPL RPC portmap network-status-monitor request TCP +1 || 2102037 || 6 || rpc-portmap-decode || 0 || GPL DELETED network-status-monitor mon-callback request UDP +1 || 2102038 || 6 || rpc-portmap-decode || 0 || GPL DELETED network-status-monitor mon-callback request TCP +1 || 2102039 || 7 || misc-attack || 0 || GPL EXPLOIT bootp hostname format string attempt || bugtraq,4701 || cve,2002-0702 || nessus,11312 +1 || 2102040 || 4 || misc-activity || 0 || GPL DELETED xtacacs login attempt +1 || 2102042 || 4 || misc-activity || 0 || GPL DELETED xtacacs accepted login response +1 || 2102043 || 3 || misc-activity || 0 || GPL ATTACK_RESPONSE isakmp login failed +1 || 2102044 || 6 || attempted-admin || 0 || GPL POLICY PPTP Start Control Request attempt +1 || 2102046 || 7 || misc-attack || 0 || GPL IMAP partial body.peek buffer overflow attempt || bugtraq,4713 || cve,2002-0379 +1 || 2102047 || 3 || misc-activity || 0 || GPL EXPLOIT rsyncd module list access +1 || 2102048 || 7 || misc-activity || 0 || GPL MISC rsyncd overflow attempt || bugtraq,9153 || cve,2003-0962 || nessus,11943 +1 || 2102049 || 5 || misc-activity || 0 || GPL SQL ping attempt || nessus,10674 +1 || 2102056 || 6 || web-application-attack || 0 || GPL WEB_SERVER TRACE attempt || bugtraq,9561 || nessus,11213 || url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf +1 || 2102061 || 6 || web-application-attack || 0 || GPL WEB_SERVER Tomcat null byte directory listing attempt || bugtraq,2518 || bugtraq,6721 || cve,2003-0042 +1 || 2102073 || 5 || web-application-activity || 0 || GPL WEB_SERVER globals.pl access || bugtraq,2671 || cve,2001-0330 +1 || 2102079 || 7 || rpc-portmap-decode || 0 || GPL RPC portmap nlockmgr request UDP || bugtraq,1372 || cve,2000-0508 +1 || 2102080 || 7 || rpc-portmap-decode || 0 || GPL RPC portmap nlockmgr request TCP || bugtraq,1372 || cve,2000-0508 +1 || 2102081 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap rpc.xfsmd request UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 +1 || 2102082 || 10 || rpc-portmap-decode || 0 || GPL RPC portmap rpc.xfsmd request TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 +1 || 2102083 || 9 || rpc-portmap-decode || 0 || GPL RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 +1 || 2102084 || 9 || rpc-portmap-decode || 0 || GPL RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 || bugtraq,5075 || cve,2002-0359 +1 || 2102088 || 6 || misc-attack || 0 || GPL RPC ypupdated arbitrary command attempt UDP +1 || 2102089 || 6 || misc-attack || 0 || GPL DELETED ypupdated arbitrary command attempt TCP +1 || 2102090 || 12 || attempted-admin || 0 || GPL EXPLOIT WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716 || cve,2003-0109 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx +1 || 2102091 || 12 || attempted-admin || 0 || GPL WEB_SERVER WEBDAV nessus safe scan attempt || bugtraq,7116 || cve,2003-0109 || nessus,11412 || nessus,11413 || url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx +1 || 2102092 || 6 || rpc-portmap-decode || 0 || GPL EXPLOIT portmap proxy integer overflow attempt UDP || bugtraq,7123 || cve,2003-0028 +1 || 2102093 || 6 || rpc-portmap-decode || 0 || GPL RPC portmap proxy integer overflow attempt TCP || bugtraq,7123 || cve,2003-0028 +1 || 2102094 || 7 || attempted-admin || 0 || GPL RPC CMSD UDP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 +1 || 2102095 || 7 || attempted-admin || 0 || GPL RPC CMSD TCP CMSD_CREATE array buffer overflow attempt || bugtraq,5356 || cve,2002-0391 +1 || 2102101 || 12 || denial-of-service || 0 || GPL NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || nessus,11110 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx +1 || 2102102 || 10 || denial-of-service || 0 || GPL NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt || bugtraq,5556 || cve,2002-0724 || url,www.corest.com/common/showdoc.php?idx=262 || url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx || nessus,11110 +1 || 2102103 || 10 || attempted-admin || 0 || GPL NETBIOS SMB trans2open buffer overflow attempt || bugtraq,7294 || cve,2003-0201 || url,www.digitaldefense.net/labs/advisories/DDI-1013.txt +1 || 2102104 || 6 || unsuccessful-user || 0 || GPL RPC rexec username too long response || bugtraq,7459 +1 || 2102105 || 6 || misc-attack || 0 || GPL IMAP authenticate literal overflow attempt || cve,1999-0042 || nessus,10292 +1 || 2102106 || 8 || misc-attack || 0 || GPL IMAP lsub overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1 || 2102107 || 4 || misc-attack || 0 || GPL IMAP create buffer overflow attempt || bugtraq,7446 +1 || 2102108 || 4 || attempted-admin || 0 || GPL POP3 CAPA overflow attempt +1 || 2102109 || 4 || attempted-admin || 0 || GPL POP3 TOP overflow attempt +1 || 2102110 || 4 || attempted-admin || 0 || GPL POP3 STAT overflow attempt +1 || 2102111 || 4 || attempted-admin || 0 || GPL POP3 DELE overflow attempt +1 || 2102112 || 4 || attempted-admin || 0 || GPL POP3 RSET overflow attempt +1 || 2102113 || 4 || attempted-admin || 0 || GPL EXPLOIT rexec username overflow attempt +1 || 2102114 || 4 || attempted-admin || 0 || GPL RPC rexec password overflow attempt +1 || 2102118 || 7 || misc-attack || 0 || GPL IMAP list overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1 || 2102119 || 6 || misc-attack || 0 || GPL IMAP rename literal overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374 +1 || 2102120 || 4 || misc-attack || 0 || GPL IMAP create literal buffer overflow attempt || bugtraq,7446 +1 || 2102121 || 10 || misc-attack || 0 || GPL POP3 DELE negative argument attempt || bugtraq,6053 || bugtraq,7445 || cve,2002-1539 +1 || 2102122 || 11 || misc-attack || 0 || GPL POP3 UIDL negative argument attempt || bugtraq,6053 || cve,2002-1539 || nessus,11570 +1 || 2102123 || 7 || successful-admin || 0 || GPL EXPLOIT Microsoft cmd.exe banner || nessus,11633 +1 || 2102124 || 4 || trojan-activity || 0 || GPL POLICY Remote PC Access connection attempt || nessus,11673 +1 || 2102125 || 10 || protocol-command-decode || 0 || GPL FTP CWD Root directory transversal attempt || bugtraq,7674 || cve,2003-0392 || nessus,11677 +1 || 2102131 || 4 || web-application-activity || 0 || GPL WEB_SERVER IISProtect access || nessus,11661 +1 || 2102156 || 4 || web-application-activity || 0 || GPL WEB_SERVER mod_gzip_status access || nessus,11685 +1 || 2102157 || 3 || web-application-activity || 0 || GPL DELETED IISProtect globaladmin.asp access || nessus,11661 +1 || 2102158 || 9 || bad-unknown || 0 || GPL MISC BGP invalid length || bugtraq,6213 || cve,2002-1350 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575 +1 || 2102159 || 12 || bad-unknown || 0 || GPL MISC BGP invalid type 0 || bugtraq,6213 || cve,2002-1350 +1 || 2102174 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg create tree attempt +1 || 2102175 || 10 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg unicode create tree attempt +1 || 2102176 || 6 || attempted-recon || 0 || GPL NETBIOS SMB startup folder access +1 || 2102177 || 5 || attempted-recon || 0 || GPL NETBIOS SMB startup folder unicode access +1 || 2102178 || 17 || misc-attack || 0 || GPL FTP USER format string attempt || bugtraq,7474 || bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 || bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687 +1 || 2102179 || 7 || misc-attack || 0 || GPL FTP PASS format string attempt || bugtraq,7474 || bugtraq,9262 || bugtraq,9800 || cve,2000-0699 +1 || 2102180 || 5 || policy-violation || 0 || GPL P2P BitTorrent announce request +1 || 2102181 || 3 || policy-violation || 0 || GPL P2P BitTorrent transfer +1 || 2102184 || 8 || misc-attack || 0 || GPL RPC mountd TCP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 +1 || 2102185 || 8 || misc-attack || 0 || GPL RPC mountd UDP mount path overflow attempt || bugtraq,8179 || cve,2003-0252 || nessus,11800 +1 || 2102186 || 4 || non-standard-protocol || 0 || GPL MISC IP Proto 53 SWIPE || bugtraq,8211 || cve,2003-0567 +1 || 2102187 || 4 || non-standard-protocol || 0 || GPL MISC IP Proto 55 IP Mobility || bugtraq,8211 || cve,2003-0567 +1 || 2102188 || 4 || non-standard-protocol || 0 || GPL MISC IP Proto 77 Sun ND || bugtraq,8211 || cve,2003-0567 +1 || 2102189 || 4 || non-standard-protocol || 0 || GPL MISC IP Proto 103 PIM || bugtraq,8211 || cve,2003-0567 +1 || 2102190 || 5 || attempted-dos || 0 || GPL NETBIOS DCERPC invalid bind attempt +1 || 2102191 || 4 || attempted-dos || 0 || GPL NETBIOS SMB DCERPC invalid bind attempt +1 || 2102192 || 12 || protocol-command-decode || 0 || GPL NETBIOS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2102193 || 12 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2102230 || 10 || default-login-attempt || 0 || GPL SCAN NetGear router default password login attempt admin/password || nessus,11737 +1 || 2102250 || 6 || attempted-admin || 0 || GPL POP3 USER format string attempt || bugtraq,10976 || bugtraq,7667 || cve,2003-0391 || nessus,11742 +1 || 2102251 || 16 || attempted-admin || 0 || GPL NETBIOS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx +1 || 2102252 || 15 || attempted-admin || 0 || GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt || bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 || cve,2003-0715 || nessus,11798 || nessus,11835 || url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx +1 || 2102255 || 5 || misc-attack || 0 || GPL RPC sadmind query with root credentials attempt TCP +1 || 2102256 || 5 || misc-attack || 0 || GPL RPC sadmind query with root credentials attempt UDP +1 || 2102257 || 10 || attempted-admin || 0 || GPL NETBIOS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx +1 || 2102258 || 10 || attempted-admin || 0 || GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 || url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx +1 || 2102259 || 9 || attempted-admin || 0 || GPL SMTP EXPN overflow attempt || bugtraq,6991 || bugtraq,7230 || cve,2002-1337 || cve,2003-0161 +1 || 2102272 || 6 || misc-attack || 0 || GPL FTP LIST integer overflow attempt || bugtraq,8875 || cve,2003-0853 || cve,2003-0854 +1 || 2102275 || 3 || suspicious-login || 0 || GPL SMTP AUTH LOGON brute force attempt +1 || 2102308 || 7 || misc-attack || 0 || GPL NETBIOS SMB DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +1 || 2102309 || 7 || misc-attack || 0 || GPL NETBIOS SMB DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +1 || 2102310 || 9 || misc-attack || 0 || GPL NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +1 || 2102311 || 8 || misc-attack || 0 || GPL NETBIOS SMB-DS DCERPC Workstation Service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +1 || 2102312 || 3 || shellcode-detect || 0 || GPL SHELLCODE x86 0x71FB7BAB NOOP +1 || 2102313 || 3 || shellcode-detect || 0 || GPL SHELLCODE x86 0x71FB7BAB NOOP unicode +1 || 2102314 || 3 || shellcode-detect || 0 || GPL SHELLCODE x86 0x90 NOOP unicode +1 || 2102315 || 7 || misc-attack || 0 || GPL NETBIOS DCERPC Workstation Service direct service bind attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +1 || 2102316 || 7 || misc-attack || 0 || GPL NETBIOS DCERPC Workstation Service direct service access attempt || bugtraq,9011 || cve,2003-0812 || url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx +1 || 2102317 || 5 || misc-attack || 0 || GPL MISC CVS non-relative path error response || bugtraq,9178 || cve,2003-0977 +1 || 2102318 || 5 || misc-attack || 0 || GPL EXPLOIT CVS non-relative path access attempt || bugtraq,9178 || cve,2003-0977 +1 || 2102329 || 7 || attempted-user || 0 || GPL SQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx +1 || 2102330 || 3 || misc-attack || 0 || GPL IMAP auth overflow attempt || bugtraq,8861 +1 || 2102332 || 2 || misc-attack || 0 || GPL FTP MKDIR format string attempt || bugtraq,9262 +1 || 2102333 || 2 || misc-attack || 0 || GPL FTP RENAME format string attempt || bugtraq,9262 +1 || 2102335 || 3 || attempted-dos || 0 || GPL DELETED RMD / attempt || bugtraq,9159 +1 || 2102336 || 4 || bad-unknown || 0 || GPL TFTP NULL command attempt || bugtraq,7575 +1 || 2102337 || 9 || attempted-admin || 0 || GPL TFTP PUT filename overflow attempt || bugtraq,7819 || bugtraq,8505 || cve,2003-0380 +1 || 2102338 || 14 || misc-attack || 0 || GPL FTP LIST buffer overflow attempt || bugtraq,10181 || bugtraq,6869 || bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 || url,www.microsoft.com/technet/security/bulletin/MS99-003.mspx +1 || 2102340 || 8 || attempted-admin || 0 || GPL FTP SITE CHMOD overflow attempt || bugtraq,10181 || bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037 +1 || 2102343 || 4 || attempted-admin || 0 || GPL FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133 +1 || 2102344 || 4 || attempted-admin || 0 || GPL FTP XCWD overflow attempt || bugtraq,11542 || bugtraq,8704 +1 || 2102348 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS DCERPC print spool bind attempt +1 || 2102349 || 7 || attempted-recon || 0 || GPL NETBIOS SMB-DS DCERPC enumerate printers request attempt +1 || 2102373 || 5 || attempted-admin || 0 || GPL FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021 +1 || 2102374 || 7 || attempted-admin || 0 || GPL FTP NLST overflow attempt || bugtraq,10184 || bugtraq,7909 || bugtraq,9675 || cve,1999-1544 +1 || 2102376 || 4 || attempted-admin || 0 || GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 +1 || 2102377 || 4 || attempted-admin || 0 || GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 +1 || 2102379 || 7 || attempted-admin || 0 || GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 +1 || 2102380 || 5 || attempted-admin || 0 || GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt || bugtraq,9582 || cve,2004-0040 +1 || 2102382 || 22 || protocol-command-decode || 0 || GPL NETBIOS SMB Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2102383 || 21 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Session Setup NTMLSSP asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2102384 || 11 || attempted-dos || 0 || GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 +1 || 2102385 || 12 || attempted-dos || 0 || GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12054 || nessus,12065 +1 || 2102386 || 11 || attempted-dos || 0 || GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2102389 || 8 || attempted-admin || 0 || GPL FTP RNTO overflow attempt || bugtraq,8315 || cve,2000-0133 || cve,2001-1021 || cve,2003-0466 +1 || 2102390 || 5 || attempted-admin || 0 || GPL FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466 +1 || 2102391 || 11 || attempted-admin || 0 || GPL FTP APPE overflow attempt || bugtraq,8315 || bugtraq,8542 || cve,2000-0133 || cve,2003-0466 +1 || 2102392 || 8 || attempted-admin || 0 || GPL FTP RETR overflow attempt || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 || cve,2004-0298 +1 || 2102401 || 5 || attempted-admin || 0 || GPL NETBIOS SMB Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html +1 || 2102402 || 6 || attempted-admin || 0 || GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html +1 || 2102403 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html +1 || 2102404 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt || bugtraq,9752 || url,www.eeye.com/html/Research/Advisories/AD20040226.html +1 || 2102409 || 2 || attempted-admin || 0 || GPL POP3 APOP USER overflow attempt || bugtraq,9794 +1 || 2102413 || 10 || misc-attack || 0 || GPL EXPLOIT ISAKMP delete hash with empty hash attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 +1 || 2102414 || 10 || misc-attack || 0 || GPL EXPLOIT ISAKMP initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 +1 || 2102415 || 10 || misc-attack || 0 || GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164 +1 || 2102416 || 7 || attempted-admin || 0 || GPL FTP invalid MDTM command attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 +1 || 2102417 || 2 || string-detect || 0 || GPL FTP format string attempt +1 || 2102424 || 6 || attempted-admin || 0 || GPL MISC NNTP sendsys overflow attempt || bugtraq,9382 || cve,2004-0045 +1 || 2102425 || 6 || attempted-admin || 0 || GPL MISC NNTP senduuname overflow attempt || bugtraq,9382 || cve,2004-0045 +1 || 2102426 || 6 || attempted-admin || 0 || GPL MISC NNTP version overflow attempt || bugtraq,9382 || cve,2004-0045 +1 || 2102427 || 6 || attempted-admin || 0 || GPL MISC NNTP checkgroups overflow attempt || bugtraq,9382 || cve,2004-0045 +1 || 2102428 || 6 || attempted-admin || 0 || GPL MISC NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-0045 +1 || 2102429 || 6 || attempted-admin || 0 || GPL MISC NNTP sendme overflow attempt || bugtraq,9382 || cve,2004-0045 +1 || 2102430 || 6 || attempted-admin || 0 || GPL MISC NNTP newgroup overflow attempt || bugtraq,9382 || cve,2004-0045 +1 || 2102431 || 6 || attempted-admin || 0 || GPL MISC Nntp rmgroup overflow attempt || bugtraq,9382 || cve,2004-0045 +1 || 2102432 || 4 || attempted-admin || 0 || GPL MISC NNTP article post without path attempt +1 || 2102437 || 9 || attempted-user || 0 || GPL WEB_CLIENT RealPlayer arbitrary javascript command attempt || bugtraq,8453 || bugtraq,9378 || cve,2003-0726 +1 || 2102438 || 7 || attempted-user || 0 || GPL DELETED RealPlayer playlist file URL overflow attempt || bugtraq,9579 || cve,2004-0258 +1 || 2102439 || 6 || attempted-user || 0 || GPL DELETED RealPlayer playlist http URL overflow attempt || bugtraq,9579 || cve,2004-0258 +1 || 2102440 || 7 || attempted-user || 0 || GPL DELETED RealPlayer playlist rtsp URL overflow attempt || bugtraq,9579 || cve,2004-0258 +1 || 2102449 || 3 || attempted-admin || 0 || GPL FTP ALLO overflow attempt || bugtraq,9953 +1 || 2102450 || 5 || policy-violation || 0 || GPL DELETED Yahoo IM successful logon +1 || 2102451 || 4 || policy-violation || 0 || GPL CHAT Yahoo IM voicechat +1 || 2102452 || 5 || policy-violation || 0 || GPL CHAT Yahoo IM ping +1 || 2102453 || 4 || policy-violation || 0 || GPL CHAT Yahoo IM conference invitation +1 || 2102454 || 4 || policy-violation || 0 || GPL CHAT Yahoo IM conference logon success +1 || 2102455 || 4 || policy-violation || 0 || GPL CHAT Yahoo IM conference message +1 || 2102456 || 5 || policy-violation || 0 || GPL CHAT Yahoo Messenger File Transfer Receive Request +1 || 2102458 || 5 || policy-violation || 0 || GPL CHAT Yahoo IM successful chat join +1 || 2102459 || 5 || policy-violation || 0 || GPL CHAT Yahoo IM conference offer invitation +1 || 2102460 || 5 || policy-violation || 0 || GPL CHAT Yahoo IM conference request +1 || 2102461 || 5 || policy-violation || 0 || GPL CHAT Yahoo IM conference watch +1 || 2102462 || 8 || attempted-admin || 0 || GPL EXPLOIT IGMP IGAP account overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 +1 || 2102463 || 8 || attempted-admin || 0 || GPL EXPLOIT IGMP IGAP message overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 +1 || 2102464 || 8 || attempted-admin || 0 || GPL EXPLOIT EIGRP prefix length overflow attempt || bugtraq,9952 || cve,2004-0176 || cve,2004-0367 +1 || 2102465 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IPC$ share access +1 || 2102466 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IPC$ unicode share access +1 || 2102467 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB D$ unicode share access +1 || 2102468 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS D$ share access +1 || 2102469 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS D$ unicode share access +1 || 2102470 || 12 || protocol-command-decode || 0 || GPL NETBIOS SMB C$ unicode share access +1 || 2102471 || 12 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS C$ share access +1 || 2102472 || 11 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS C$ unicode share access +1 || 2102473 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB ADMIN$ unicode share access +1 || 2102474 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ADMIN$ share access +1 || 2102475 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ADMIN$ unicode share access +1 || 2102476 || 8 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg create tree attempt +1 || 2102477 || 8 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg unicode create tree attempt +1 || 2102478 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg bind attempt +1 || 2102479 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg unicode bind attempt +1 || 2102480 || 10 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt +1 || 2102481 || 10 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt +1 || 2102482 || 10 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS InitiateSystemShutdown attempt +1 || 2102483 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt +1 || 2102485 || 8 || attempted-admin || 0 || GPL ACTIVEX Norton antivirus sysmspam.dll load attempt || bugtraq,9916 || cve,2004-0363 +1 || 2102486 || 6 || attempted-dos || 0 || GPL EXPLOIT ISAKMP invalid identification payload attempt || bugtraq,10004 || cve,2004-0184 +1 || 2102491 || 8 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102496 || 9 || misc-attack || 0 || GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt || bugtraq,8811 || cve,2003-0813 || nessus,12206 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102507 || 8 || protocol-command-decode || 0 || GPL NETBIOS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102508 || 8 || attempted-admin || 0 || GPL NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102509 || 8 || protocol-command-decode || 0 || GPL NETBIOS SMB DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102510 || 8 || protocol-command-decode || 0 || GPL NETBIOS SMB DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102511 || 10 || attempted-admin || 0 || GPL NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102512 || 8 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS DCERPC LSASS bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102513 || 8 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS DCERPC LSASS unicode bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102514 || 8 || attempted-admin || 0 || GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102523 || 8 || attempted-dos || 0 || GPL MISC BGP spoofed connection reset attempt || bugtraq,10183 || cve,2004-0230 || url,www.uniras.gov.uk/vuls/2004/236929/index.htm +1 || 2102524 || 8 || protocol-command-decode || 0 || GPL NETBIOS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102525 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102526 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS DCERPC LSASS direct bind attempt || bugtraq,10108 || cve,2003-0533 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx +1 || 2102546 || 7 || attempted-admin || 0 || GPL FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080 +1 || 2102547 || 4 || web-application-activity || 0 || GPL MISC HP Web JetAdmin remote file upload attempt || bugtraq,9978 +1 || 2102548 || 3 || web-application-activity || 0 || GPL MISC HP Web JetAdmin setinfo access || bugtraq,9972 +1 || 2102549 || 2 || web-application-activity || 0 || GPL MISC HP Web JetAdmin file write attempt || bugtraq,9973 +1 || 2102552 || 5 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache HEAD overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102553 || 5 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache PUT overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102554 || 5 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache POST overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102555 || 5 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache TRACE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102556 || 6 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache DELETE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102557 || 5 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache LOCK overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102558 || 5 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache MKCOL overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102559 || 5 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache COPY overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102560 || 5 || attempted-admin || 0 || GPL EXPLOIT Oracle Web Cache MOVE overflow attempt || bugtraq,9868 || cve,2004-0385 || nessus,12126 +1 || 2102561 || 5 || string-detect || 0 || GPL MISC rsync backup-dir directory traversal attempt || bugtraq,10247 || cve,2004-0426 || nessus,12230 +1 || 2102563 || 6 || attempted-admin || 0 || GPL NETBIOS NS lookup response name overflow attempt || bugtraq,10333 || bugtraq,10334 || cve,2004-0444 || cve,2004-0445 || url,www.eeye.com/html/Research/Advisories/AD20040512A.html +1 || 2102574 || 2 || attempted-admin || 0 || GPL FTP RETR format string attempt || bugtraq,9800 +1 || 2102576 || 7 || attempted-user || 0 || GPL SQL dbms_repcat.generate_replication_support buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html +1 || 2102577 || 7 || attempted-user || 0 || GPL WEB_CLIENT local resource redirection attempt || cve,2004-0549 || url,www.kb.cert.org/vuls/id/713878 +1 || 2102578 || 4 || attempted-admin || 0 || GPL RPC kerberos principal name overflow UDP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt +1 || 2102579 || 4 || attempted-admin || 0 || GPL RPC kerberos principal name overflow TCP || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt +1 || 2102580 || 12 || attempted-admin || 0 || GPL WEB_CLIENT server negative Content-Length attempt || cve,2004-0492 || url,www.guninski.com/modproxy1.html +1 || 2102583 || 3 || misc-attack || 0 || GPL DELETED CVS Max-dotdot integer overflow attempt || bugtraq,10499 || cve,2004-0417 +1 || 2102584 || 5 || attempted-user || 0 || GPL P2P eMule buffer overflow attempt || bugtraq,10039 || nessus,12233 +1 || 2102585 || 3 || attempted-recon || 0 || GPL SCAN nessus 2.x 404 probe || nessus,10386 +1 || 2102586 || 3 || policy-violation || 0 || GPL P2P eDonkey transfer || url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html +1 || 2102587 || 4 || policy-violation || 0 || GPL P2P eDonkey server response || url,www.emule-project.net +1 || 2102589 || 7 || attempted-user || 0 || GPL DELETED Content-Disposition CLSID command attempt || bugtraq,9510 || cve,2004-0420 || url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx +1 || 2102590 || 5 || attempted-admin || 0 || GPL SMTP MAIL FROM overflow attempt || bugtraq,10290 || bugtraq,7506 || cve,2004-0399 || url,www.guninski.com/exim1.html +1 || 2102597 || 5 || web-application-attack || 0 || GPL DELETED Samba SWAT Authorization overflow attempt || bugtraq,10780 +1 || 2102598 || 3 || web-application-attack || 0 || GPL DELETED Samba SWAT Authorization port 901 overflow attempt || bugtraq,10780 +1 || 2102599 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt +1 || 2102600 || 3 || attempted-user || 0 || GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html +1 || 2102601 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt +1 || 2102602 || 3 || attempted-user || 0 || GPL SQL drop_master_repgroup ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck87.html +1 || 2102603 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html +1 || 2102604 || 3 || attempted-user || 0 || GPL SQL create_mview_repgroup ordered fname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html +1 || 2102605 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.compare_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html +1 || 2102606 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +1 || 2102607 || 3 || attempted-user || 0 || GPL SQL comment_on_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +1 || 2102608 || 4 || attempted-user || 0 || GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102609 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt +1 || 2102610 || 3 || attempted-user || 0 || GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html +1 || 2102612 || 4 || attempted-user || 0 || GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102614 || 3 || attempted-user || 0 || GPL SQL time_zone buffer overflow attempt || bugtraq,9587 || url,www.nextgenss.com/advisories/ora_time_zone.txt +1 || 2102615 || 4 || attempted-user || 0 || GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102616 || 3 || attempted-user || 0 || GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102617 || 4 || attempted-user || 0 || GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +1 || 2102618 || 3 || attempted-user || 0 || GPL SQL alter_mview_propagation ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +1 || 2102619 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +1 || 2102621 || 4 || attempted-user || 0 || GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102622 || 4 || attempted-user || 0 || GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102623 || 4 || attempted-user || 0 || GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102624 || 4 || attempted-user || 0 || GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html +1 || 2102625 || 3 || attempted-user || 0 || GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html +1 || 2102626 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.send_old_values buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html +1 || 2102627 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +1 || 2102628 || 3 || attempted-user || 0 || GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +1 || 2102629 || 4 || attempted-user || 0 || GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html +1 || 2102630 || 3 || attempted-user || 0 || GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html +1 || 2102631 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +1 || 2102632 || 3 || attempted-user || 0 || GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +1 || 2102633 || 4 || attempted-user || 0 || GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102634 || 3 || attempted-user || 0 || GPL SQL rectifier_diff ordered sname1 buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102635 || 4 || attempted-user || 0 || GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +1 || 2102636 || 3 || attempted-user || 0 || GPL SQL snapshot.end_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +1 || 2102637 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +1 || 2102638 || 3 || attempted-user || 0 || GPL SQL drop_master_repobject ordered type buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html +1 || 2102639 || 4 || attempted-user || 0 || GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +1 || 2102640 || 3 || attempted-user || 0 || GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html +1 || 2102641 || 5 || attempted-user || 0 || GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt +1 || 2102642 || 3 || attempted-user || 0 || GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck629.html +1 || 2102643 || 4 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html +1 || 2102644 || 4 || attempted-user || 0 || GPL SQL from_tz buffer overflow attempt || url,www.nextgenss.com/advisories/ora_from_tz.txt +1 || 2102645 || 4 || attempted-user || 0 || GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt +1 || 2102646 || 3 || attempted-user || 0 || GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck630.html +1 || 2102647 || 4 || attempted-user || 0 || GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt +1 || 2102648 || 3 || attempted-user || 0 || GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck631.html +1 || 2102649 || 3 || attempted-user || 0 || GPL SQL service_name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck52.html +1 || 2102650 || 3 || attempted-user || 0 || GPL SQL user name buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck62.html +1 || 2102652 || 4 || attempted-user || 0 || GPL SQL dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +1 || 2102653 || 3 || attempted-user || 0 || GPL SQL og.begin_load ordered gname buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html +1 || 2102654 || 4 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS PHPNuke Forum viewtopic SQL insertion attempt || bugtraq,7193 +1 || 2102664 || 4 || attempted-admin || 0 || GPL DELETED login format string attempt || bugtraq,10976 +1 || 2102665 || 3 || attempted-admin || 0 || GPL IMAP login literal format string attempt || bugtraq,10976 +1 || 2102666 || 2 || attempted-admin || 0 || GPL POP3 PASS format string attempt || bugtraq,10976 +1 || 2102671 || 6 || attempted-user || 0 || GPL WEB_CLIENT bitmap BitmapOffset integer overflow attempt || bugtraq,9663 || cve,2004-0566 +1 || 2102673 || 6 || attempted-user || 0 || GPL WEB_CLIENT libpng tRNS overflow attempt || bugtraq,10872 || cve,2004-0597 +1 || 2102674 || 2 || attempted-user || 0 || GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt +1 || 2102675 || 3 || attempted-user || 0 || GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt +1 || 2102676 || 3 || attempted-user || 0 || GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt +1 || 2102677 || 3 || attempted-user || 0 || GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt +1 || 2102678 || 3 || attempted-user || 0 || GPL SQL ctx_output.start_log buffer overflow attempt +1 || 2102679 || 3 || attempted-user || 0 || GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt +1 || 2102680 || 3 || attempted-user || 0 || GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt +1 || 2102681 || 3 || attempted-user || 0 || GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt +1 || 2102682 || 3 || attempted-user || 0 || GPL SQL mdsys.md2.validate_geom buffer overflow attempt +1 || 2102683 || 3 || attempted-user || 0 || GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt +1 || 2102684 || 3 || attempted-user || 0 || GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt +1 || 2102685 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt +1 || 2102686 || 3 || attempted-user || 0 || GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html +1 || 2102687 || 3 || attempted-user || 0 || GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt +1 || 2102688 || 3 || attempted-user || 0 || GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt +1 || 2102689 || 3 || attempted-user || 0 || GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt +1 || 2102690 || 3 || attempted-user || 0 || GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt +1 || 2102691 || 3 || attempted-user || 0 || GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt +1 || 2102692 || 3 || attempted-user || 0 || GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt +1 || 2102693 || 3 || attempted-user || 0 || GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt +1 || 2102694 || 3 || attempted-user || 0 || GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt +1 || 2102695 || 3 || attempted-user || 0 || GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt +1 || 2102696 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt +1 || 2102697 || 3 || attempted-user || 0 || GPL SQL alter file buffer overflow attempt +1 || 2102698 || 3 || attempted-user || 0 || GPL SQL create file buffer overflow attempt +1 || 2102699 || 2 || attempted-user || 0 || GPL SQL TO_CHAR buffer overflow attempt +1 || 2102700 || 4 || attempted-user || 0 || GPL SQL numtoyminterval buffer overflow attempt +1 || 2102703 || 5 || web-application-attack || 0 || GPL SQL Oracle iSQLPlus login.uix username overflow attempt || bugtraq,10871 || url,www.nextgenss.com/advisories/ora-isqlplus.txt +1 || 2102708 || 3 || attempted-user || 0 || GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102709 || 3 || attempted-user || 0 || GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102710 || 3 || attempted-user || 0 || GPL SQL dbms_offline_og.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102711 || 3 || attempted-user || 0 || GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102712 || 3 || attempted-user || 0 || GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102713 || 3 || attempted-user || 0 || GPL SQL dbms_offline_og.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102714 || 3 || attempted-user || 0 || GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102715 || 3 || attempted-user || 0 || GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102716 || 3 || attempted-user || 0 || GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102717 || 3 || attempted-user || 0 || GPL SQL dbms_rectifier_diff.differences buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102718 || 2 || attempted-user || 0 || GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102719 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102720 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102721 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102722 || 2 || attempted-user || 0 || GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102723 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102724 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102725 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102726 || 2 || attempted-user || 0 || GPL DELETED dbms_repcat.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102727 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102728 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102729 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102730 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102731 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102732 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102733 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102734 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102735 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102736 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102737 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102738 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102739 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102740 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102741 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102742 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102743 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102744 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102745 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102746 || 3 || attempted-user || 0 || GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102747 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102748 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102749 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102750 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102751 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102752 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102753 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102754 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102755 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102756 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102757 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102758 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102759 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102760 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.define_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102761 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102762 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102763 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102764 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102765 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102766 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102767 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102768 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102769 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102770 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102771 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102772 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102773 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102774 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102775 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102776 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102777 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102778 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102779 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102780 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102781 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102782 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102783 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102784 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102785 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.execute_ddl buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102786 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102787 || 3 || attempted-user || 0 || GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102788 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.make_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102789 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102790 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102791 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102792 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102793 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102794 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102795 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102796 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102797 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102798 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102799 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102800 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102801 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102802 || 3 || attempted-user || 0 || GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102803 || 3 || attempted-user || 0 || GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102804 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102805 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.set_columns buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102806 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102807 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102808 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102809 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102810 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102811 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102812 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102813 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102814 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102815 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102816 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102817 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102818 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102819 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102820 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102821 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102822 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102823 || 2 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102824 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102825 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102826 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102827 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102828 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102829 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102830 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102831 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102832 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102833 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102834 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102835 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102836 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102837 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102838 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102839 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102840 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102841 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102842 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102843 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102844 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102845 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102846 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102847 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102848 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102849 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102850 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102851 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102852 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102853 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102854 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102855 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102856 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102857 || 3 || attempted-user || 0 || GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102858 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102859 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102860 || 4 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102861 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102862 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102863 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102864 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102865 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102866 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102867 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102868 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102869 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102870 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102871 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102872 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102874 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102875 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102876 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102877 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102878 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102879 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102880 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102881 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102882 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102883 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102884 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102885 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102886 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102887 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102888 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102889 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102890 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102891 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102892 || 5 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102893 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102894 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102895 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102896 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102897 || 4 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102898 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102899 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102900 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102901 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102902 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102903 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102904 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102905 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102906 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102907 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102908 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102909 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102910 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102911 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102912 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102913 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102914 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102915 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102916 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102917 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102918 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102919 || 3 || attempted-user || 0 || GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +1 || 2102923 || 4 || unsuccessful-user || 0 || GPL NETBIOS SMB repeated logon failure +1 || 2102924 || 4 || unsuccessful-user || 0 || GPL NETBIOS SMB-DS repeated logon failure +1 || 2102925 || 5 || misc-activity || 0 || GPL WEB_CLIENT web bug 0x0 gif attempt +1 || 2102927 || 5 || attempted-admin || 0 || GPL MISC NNTP XPAT pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx +1 || 2102928 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102929 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102930 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS nddeapi create tree attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102931 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS nddeapi unicode create tree attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102932 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB nddeapi bind attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102933 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102934 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS nddeapi bind attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102935 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS nddeapi unicode bind attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102936 || 6 || attempted-admin || 0 || GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102937 || 6 || attempted-admin || 0 || GPL NETBIOS SMB NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102938 || 6 || attempted-admin || 0 || GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102939 || 7 || attempted-admin || 0 || GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102940 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg bind attempt +1 || 2102941 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg unicode bind attempt +1 || 2102942 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB InitiateSystemShutdown attempt +1 || 2102943 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB InitiateSystemShutdown little endian attempt +1 || 2102944 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB InitiateSystemShutdown unicode attempt +1 || 2102945 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt +1 || 2102946 || 7 || attempted-admin || 0 || GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102947 || 6 || attempted-admin || 0 || GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102948 || 7 || attempted-admin || 0 || GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102949 || 7 || attempted-admin || 0 || GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102950 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB too many stacked requests +1 || 2102951 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS too many stacked requests +1 || 2102954 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IPC$ andx share access +1 || 2102955 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IPC$ unicode andx share access +1 || 2102956 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102957 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102958 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS nddeapi andx create tree attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102959 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102960 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102961 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102962 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS nddeapi andx bind attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102963 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102964 || 5 || attempted-admin || 0 || GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102965 || 5 || attempted-admin || 0 || GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102966 || 5 || attempted-admin || 0 || GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102967 || 5 || attempted-admin || 0 || GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102968 || 5 || attempted-admin || 0 || GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102969 || 5 || attempted-admin || 0 || GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102970 || 5 || attempted-admin || 0 || GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102971 || 5 || attempted-admin || 0 || GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt || bugtraq,11372 || cve,2004-0206 +1 || 2102974 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS D$ andx share access +1 || 2102975 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS D$ unicode andx share access +1 || 2102978 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS C$ andx share access +1 || 2102979 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS C$ unicode andx share access +1 || 2102982 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ADMIN$ andx share access +1 || 2102983 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ADMIN$ unicode andx share access +1 || 2102984 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg andx create tree attempt +1 || 2102985 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg unicode andx create tree attempt +1 || 2102986 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg andx create tree attempt +1 || 2102987 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg unicode andx create tree attempt +1 || 2102988 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg andx bind attempt +1 || 2102989 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg unicode andx bind attempt +1 || 2102990 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg andx bind attempt +1 || 2102991 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg unicode andx bind attempt +1 || 2102992 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB InitiateSystemShutdown andx attempt +1 || 2102993 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt +1 || 2102994 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt +1 || 2102995 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt +1 || 2102996 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt +1 || 2102997 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt +1 || 2102998 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt +1 || 2102999 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt +1 || 2103000 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2103001 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2103002 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2103003 || 7 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2103004 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2103005 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Session Setup NTMLSSP unicode andx asn1 overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12065 || url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx +1 || 2103007 || 2 || misc-attack || 0 || GPL IMAP delete overflow attempt || bugtraq,11675 +1 || 2103008 || 2 || misc-attack || 0 || GPL IMAP delete literal overflow attempt || bugtraq,11675 +1 || 2103017 || 7 || misc-attack || 0 || GPL EXPLOIT WINS overflow attempt || bugtraq,11763 || cve,2004-1080 || url,www.immunitysec.com/downloads/instantanea.pdf || url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx +1 || 2103018 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 +1 || 2103019 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154 +1 || 2103020 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 +1 || 2103021 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 +1 || 2103022 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt || cve,2004-1154 +1 || 2103023 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt || cve,2004-1154 +1 || 2103024 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt || cve,2004-1154 +1 || 2103025 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt || cve,2004-1154 +1 || 2103026 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 +1 || 2103027 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 +1 || 2103028 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 +1 || 2103029 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 +1 || 2103030 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt || cve,2004-1154 +1 || 2103031 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt || cve,2004-1154 +1 || 2103032 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt || cve,2004-1154 +1 || 2103033 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt || cve,2004-1154 +1 || 2103034 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 +1 || 2103035 || 9 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 +1 || 2103036 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 +1 || 2103037 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 +1 || 2103038 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt || cve,2004-1154 +1 || 2103039 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt || cve,2004-1154 +1 || 2103040 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt || cve,2004-1154 +1 || 2103041 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt || cve,2004-1154 +1 || 2103042 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt +1 || 2103043 || 8 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt +1 || 2103044 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt +1 || 2103045 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt +1 || 2103046 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt +1 || 2103047 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt +1 || 2103048 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt +1 || 2103049 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt +1 || 2103050 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt +1 || 2103051 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt +1 || 2103052 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt +1 || 2103053 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt +1 || 2103054 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt +1 || 2103055 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt +1 || 2103056 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt +1 || 2103057 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt +1 || 2103058 || 2 || misc-attack || 0 || GPL IMAP copy literal overflow attempt || bugtraq,1110 +1 || 2103059 || 3 || protocol-command-decode || 0 || GPL DELETED TLSv1 Client_Hello via SSLv2 handshake request +1 || 2103061 || 3 || misc-activity || 0 || GPL DELETED distccd command execution attempt || url,distcc.samba.org/security.html +1 || 2103062 || 4 || web-application-activity || 0 || GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access || bugtraq,9791 +1 || 2103063 || 4 || misc-activity || 0 || GPL DELETED Vampire 1.2 connection request +1 || 2103064 || 3 || misc-activity || 0 || GPL DELETED Vampire 1.2 connection confirmation +1 || 2103066 || 3 || misc-attack || 0 || GPL IMAP append overflow attempt || bugtraq,11775 +1 || 2103067 || 2 || misc-attack || 0 || GPL IMAP examine literal overflow attempt || bugtraq,11775 +1 || 2103068 || 2 || misc-attack || 0 || GPL IMAP examine overflow attempt || bugtraq,11775 +1 || 2103069 || 2 || misc-attack || 0 || GPL IMAP fetch literal overflow attempt || bugtraq,11775 +1 || 2103070 || 3 || misc-attack || 0 || GPL IMAP fetch overflow attempt || bugtraq,11775 +1 || 2103071 || 2 || misc-attack || 0 || GPL IMAP status literal overflow attempt || bugtraq,11775 +1 || 2103072 || 3 || misc-attack || 0 || GPL IMAP status overflow attempt || bugtraq,11775 || bugtraq,13727 || cve,2005-1256 +1 || 2103073 || 2 || misc-attack || 0 || GPL IMAP subscribe literal overflow attempt || bugtraq,11775 +1 || 2103074 || 2 || misc-attack || 0 || GPL IMAP subscribe overflow attempt || bugtraq,11775 +1 || 2103075 || 2 || misc-attack || 0 || GPL IMAP unsubscribe literal overflow attempt || bugtraq,11775 +1 || 2103076 || 2 || misc-attack || 0 || GPL IMAP unsubscribe overflow attempt || bugtraq,11775 +1 || 2103077 || 2 || attempted-admin || 0 || GPL FTP RNFR overflow attempt +1 || 2103078 || 3 || attempted-admin || 0 || GPL MISC nntp SEARCH pattern overflow attempt || cve,2004-0574 || url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx +1 || 2103079 || 5 || attempted-user || 0 || GPL WEB_CLIENT Microsoft ANI file parsing overflow || cve,2004-1049 +1 || 2103080 || 3 || misc-attack || 0 || GPL GAMES Unreal Tournament secure overflow attempt || bugtraq,10570 || cve,2004-0608 +1 || 2103088 || 2 || attempted-user || 0 || GPL WEB_CLIENT winamp .cda file name overflow attempt || bugtraq,11730 +1 || 2103089 || 3 || attempted-user || 0 || GPL MISC squid WCCP I_SEE_YOU message overflow attempt || bugtraq,12275 || cve,2005-0095 +1 || 2103090 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc create tree attempt +1 || 2103091 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc unicode create tree attempt +1 || 2103092 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc andx create tree attempt +1 || 2103093 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc unicode andx create tree attempt +1 || 2103094 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc create tree attempt +1 || 2103095 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc unicode create tree attempt +1 || 2103096 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc andx create tree attempt +1 || 2103097 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc unicode andx create tree attempt +1 || 2103098 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc bind attempt +1 || 2103099 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc little endian bind attempt +1 || 2103100 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc unicode bind attempt +1 || 2103101 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc unicode little endian bind attempt +1 || 2103102 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc andx bind attempt +1 || 2103103 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc little endian andx bind attempt +1 || 2103104 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc unicode andx bind attempt +1 || 2103105 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB llsrpc unicode little endian andx bind attempt +1 || 2103106 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc bind attempt +1 || 2103107 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc little endian bind attempt +1 || 2103108 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc unicode bind attempt +1 || 2103109 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc unicode little endian bind attempt +1 || 2103110 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc andx bind attempt +1 || 2103111 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc little endian andx bind attempt +1 || 2103112 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc unicode andx bind attempt +1 || 2103113 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS llsrpc unicode little endian andx bind attempt +1 || 2103114 || 5 || attempted-admin || 0 || GPL NETBIOS SMB llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103115 || 5 || attempted-admin || 0 || GPL NETBIOS SMB llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103116 || 5 || attempted-admin || 0 || GPL NETBIOS SMB llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103117 || 5 || attempted-admin || 0 || GPL NETBIOS SMB llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103118 || 4 || attempted-admin || 0 || GPL NETBIOS SMB llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103119 || 4 || attempted-admin || 0 || GPL NETBIOS SMB llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103120 || 4 || attempted-admin || 0 || GPL NETBIOS SMB llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103121 || 5 || attempted-admin || 0 || GPL NETBIOS SMB llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103122 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS llsrconnect overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103123 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS llsrconnect little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103124 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS llsrconnect unicode overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103125 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS llsrconnect unicode little endian overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103126 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS llsrconnect andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103127 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS llsrconnect little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103128 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS llsrconnect unicode andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103129 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS llsrconnect unicode little endian andx overflow attempt || url,www.microsoft.com/technet/security/bulletin/ms05-010.mspx +1 || 2103132 || 5 || attempted-user || 0 || GPL WEB_CLIENT PNG large image width download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx +1 || 2103133 || 6 || attempted-user || 0 || GPL WEB_CLIENT PNG large image height download attempt || bugtraq,11481 || bugtraq,11523 || cve,2004-0599 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx +1 || 2103134 || 5 || attempted-user || 0 || GPL WEB_CLIENT PNG large colour depth download attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx +1 || 2103135 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt +1 || 2103136 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt +1 || 2103137 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt +1 || 2103138 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt +1 || 2103139 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt +1 || 2103140 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt +1 || 2103141 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt +1 || 2103142 || 3 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt +1 || 2103143 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx +1 || 2103144 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx +1 || 2103145 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx +1 || 2103146 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt || cve,2005-0045 || url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx +1 || 2103148 || 6 || attempted-user || 0 || GPL ACTIVEX winhelp clsid attempt || bugtraq,4857 || cve,2002-0823 || url,www.ngssoftware.com/advisories/ms-winhlp.txt +1 || 2103149 || 4 || attempted-user || 0 || GPL WEB_CLIENT object type overflow attempt || cve,2003-0344 || url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx +1 || 2103151 || 5 || attempted-recon || 0 || GPL SCAN Finger / execution attempt || cve,1999-0612 || cve,2000-0915 +1 || 2103152 || 4 || unsuccessful-user || 0 || GPL SQL sa brute force failed login attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673 +1 || 2103153 || 3 || attempted-admin || 0 || GPL DNS TCP inverse query overflow || bugtraq,134 || cve,1999-0009 +1 || 2103154 || 3 || attempted-admin || 0 || GPL DNS UDP inverse query overflow || bugtraq,134 || cve,1999-0009 +1 || 2103156 || 4 || protocol-command-decode || 0 || GPL NETBIOS DCERPC msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103157 || 4 || protocol-command-decode || 0 || GPL NETBIOS DCERPC msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103158 || 6 || attempted-admin || 0 || GPL NETBIOS DCERPC CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103159 || 4 || attempted-admin || 0 || GPL NETBIOS DCERPC CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103160 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103161 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103162 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103163 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103164 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103165 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103166 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103167 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103168 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS msqueue bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103169 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS msqueue little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103170 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS msqueue unicode bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103171 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103172 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS msqueue andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103173 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS msqueue little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103174 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS msqueue unicode andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103175 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS msqueue unicode little endian andx bind attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103176 || 4 || attempted-admin || 0 || GPL NETBIOS SMB CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103177 || 4 || attempted-admin || 0 || GPL NETBIOS SMB CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103178 || 4 || attempted-admin || 0 || GPL NETBIOS SMB CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103179 || 4 || attempted-admin || 0 || GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103180 || 4 || attempted-admin || 0 || GPL NETBIOS SMB CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103181 || 4 || attempted-admin || 0 || GPL NETBIOS SMB CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103182 || 4 || attempted-admin || 0 || GPL NETBIOS SMB CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103183 || 4 || attempted-admin || 0 || GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103184 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103185 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103186 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103187 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103188 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103189 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103190 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103191 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx overflow attempt || cve,2003-0995 || url,www.eeye.com/html/Research/Advisories/AD20030910.html || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103192 || 6 || attempted-user || 0 || GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt || bugtraq,7517 || cve,2003-0228 || url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx +1 || 2103193 || 5 || web-application-attack || 0 || GPL EXPLOIT .cmd executable file parsing attack || bugtraq,1912 || cve,2000-0886 +1 || 2103195 || 5 || attempted-admin || 0 || GPL NETBIOS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 +1 || 2103196 || 3 || attempted-admin || 0 || GPL NETBIOS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 +1 || 2103197 || 4 || attempted-admin || 0 || GPL NETBIOS DCERPC ISystemActivator path overflow attempt little endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103198 || 3 || attempted-admin || 0 || GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian || bugtraq,8205 || cve,2003-0352 || nessus,11808 || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx +1 || 2103199 || 5 || attempted-admin || 0 || GPL EXPLOIT WINS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx +1 || 2103200 || 4 || attempted-admin || 0 || GPL NETBIOS WINS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 || url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx +1 || 2103202 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg bind attempt +1 || 2103203 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg little endian bind attempt +1 || 2103204 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg unicode bind attempt +1 || 2103205 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg unicode little endian bind attempt +1 || 2103206 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg andx bind attempt +1 || 2103207 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg little endian andx bind attempt +1 || 2103208 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg unicode andx bind attempt +1 || 2103209 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB winreg unicode little endian andx bind attempt +1 || 2103210 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg bind attempt +1 || 2103211 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg little endian bind attempt +1 || 2103212 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg unicode bind attempt +1 || 2103213 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg unicode little endian bind attempt +1 || 2103214 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg andx bind attempt +1 || 2103215 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg little endian andx bind attempt +1 || 2103216 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg unicode andx bind attempt +1 || 2103217 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS winreg unicode little endian andx bind attempt +1 || 2103218 || 5 || attempted-admin || 0 || GPL NETBIOS SMB OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx +1 || 2103219 || 4 || attempted-admin || 0 || GPL NETBIOS SMB OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103220 || 4 || attempted-admin || 0 || GPL NETBIOS SMB OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103221 || 4 || attempted-admin || 0 || GPL NETBIOS SMB OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103222 || 4 || attempted-admin || 0 || GPL NETBIOS SMB OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103223 || 4 || attempted-admin || 0 || GPL NETBIOS SMB OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103224 || 4 || attempted-admin || 0 || GPL NETBIOS SMB OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103225 || 4 || attempted-admin || 0 || GPL NETBIOS SMB OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103226 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103227 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS OpenKey little endian overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103228 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS OpenKey unicode overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103229 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS OpenKey unicode little endian overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103230 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS OpenKey andx overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103231 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS OpenKey little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103232 || 4 || attempted-admin || 0 || GPL NETBIOS SMB-DS OpenKey unicode andx overflow attempt || bugtraq,1331 || cve,2000-0377 +1 || 2103233 || 5 || attempted-admin || 0 || GPL NETBIOS SMB-DS OpenKey unicode little endian andx overflow attempt || bugtraq,1331 || cve,2000-0377 || url,www.microsoft.com/technet/security/bulletin/MS00-040.mspx +1 || 2103234 || 3 || attempted-admin || 0 || GPL NETBIOS Messenger message little endian overflow attempt || bugtraq,8826 || cve,2003-0717 +1 || 2103235 || 3 || attempted-admin || 0 || GPL NETBIOS Messenger message overflow attempt || bugtraq,8826 || cve,2003-0717 +1 || 2103236 || 3 || protocol-command-decode || 0 || GPL NETBIOS DCERPC irot bind attempt +1 || 2103237 || 3 || protocol-command-decode || 0 || GPL NETBIOS DCERPC irot little endian bind attempt +1 || 2103238 || 4 || protocol-command-decode || 0 || GPL NETBIOS DCERPC IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103239 || 4 || protocol-command-decode || 0 || GPL NETBIOS DCERPC IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103240 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB irot bind attempt +1 || 2103241 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB irot little endian bind attempt +1 || 2103242 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB irot unicode bind attempt +1 || 2103243 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB irot unicode little endian bind attempt +1 || 2103244 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB irot andx bind attempt +1 || 2103245 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB irot little endian andx bind attempt +1 || 2103246 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB irot unicode andx bind attempt +1 || 2103247 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB irot unicode little endian andx bind attempt +1 || 2103248 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS irot bind attempt +1 || 2103249 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS irot little endian bind attempt +1 || 2103250 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS irot unicode bind attempt +1 || 2103251 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS irot unicode little endian bind attempt +1 || 2103252 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS irot andx bind attempt +1 || 2103253 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS irot little endian andx bind attempt +1 || 2103254 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS irot unicode andx bind attempt +1 || 2103255 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS irot unicode little endian andx bind attempt +1 || 2103256 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103257 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103258 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103259 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103260 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103261 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103262 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103263 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103264 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IrotIsRunning attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103265 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IrotIsRunning little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103266 || 6 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IrotIsRunning unicode attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103267 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103268 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IrotIsRunning andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103269 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IrotIsRunning little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103270 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IrotIsRunning unicode andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103271 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IrotIsRunning unicode little endian andx attempt || bugtraq,6005 || cve,2002-1561 || url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx +1 || 2103272 || 3 || trojan-activity || 0 || GPL WORM mydoom.a backdoor upload/execute attempt +1 || 2103273 || 4 || unsuccessful-user || 0 || GPL SQL sa brute force failed login unicode attempt || bugtraq,4797 || cve,2000-1209 || nessus,10673 +1 || 2103274 || 4 || attempted-admin || 0 || GPL EXPLOIT login buffer non-evasive overflow attempt || bugtraq,3681 || cve,2001-0797 +1 || 2103275 || 3 || protocol-command-decode || 0 || GPL NETBIOS DCERPC IActivation bind attempt +1 || 2103276 || 3 || protocol-command-decode || 0 || GPL NETBIOS DCERPC IActivation little endian bind attempt +1 || 2103377 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB IActivation bind attempt +1 || 2103378 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB IActivation little endian bind attempt +1 || 2103379 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB IActivation unicode bind attempt +1 || 2103380 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB IActivation unicode little endian bind attempt +1 || 2103381 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB IActivation andx bind attempt +1 || 2103382 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB IActivation little endian andx bind attempt +1 || 2103383 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB IActivation unicode andx bind attempt +1 || 2103384 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB IActivation unicode little endian andx bind attempt +1 || 2103385 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IActivation bind attempt +1 || 2103386 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IActivation little endian bind attempt +1 || 2103387 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IActivation unicode bind attempt +1 || 2103388 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt +1 || 2103389 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IActivation andx bind attempt +1 || 2103390 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IActivation little endian andx bind attempt +1 || 2103391 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IActivation unicode andx bind attempt +1 || 2103392 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS IActivation unicode little endian andx bind attempt +1 || 2103393 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB ISystemActivator bind attempt +1 || 2103394 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB ISystemActivator little endian bind attempt +1 || 2103395 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB ISystemActivator unicode bind attempt +1 || 2103396 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt +1 || 2103397 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB ISystemActivator andx bind attempt +1 || 2103398 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB ISystemActivator little endian andx bind attempt +1 || 2103399 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB ISystemActivator unicode andx bind attempt +1 || 2103400 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB ISystemActivator unicode little endian andx bind attempt +1 || 2103401 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ISystemActivator bind attempt +1 || 2103402 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ISystemActivator little endian bind attempt +1 || 2103403 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ISystemActivator unicode bind attempt +1 || 2103404 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt +1 || 2103405 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ISystemActivator andx bind attempt +1 || 2103406 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ISystemActivator little endian andx bind attempt +1 || 2103407 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ISystemActivator unicode andx bind attempt +1 || 2103408 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS ISystemActivator unicode little endian andx bind attempt +1 || 2103409 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB RemoteActivation attempt +1 || 2103410 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB RemoteActivation little endian attempt +1 || 2103411 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB RemoteActivation unicode attempt +1 || 2103412 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB RemoteActivation unicode little endian attempt +1 || 2103413 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB RemoteActivation andx attempt +1 || 2103414 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB RemoteActivation little endian andx attempt +1 || 2103415 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB RemoteActivation unicode andx attempt +1 || 2103416 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB RemoteActivation unicode little endian andx attempt +1 || 2103417 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS RemoteActivation attempt +1 || 2103418 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS RemoteActivation little endian attempt +1 || 2103419 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS RemoteActivation unicode attempt +1 || 2103420 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS RemoteActivation unicode little endian attempt +1 || 2103421 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS RemoteActivation andx attempt +1 || 2103422 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS RemoteActivation little endian andx attempt +1 || 2103423 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS RemoteActivation unicode andx attempt +1 || 2103424 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS RemoteActivation unicode little endian andx attempt +1 || 2103425 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB CoGetInstanceFromFile attempt +1 || 2103426 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB CoGetInstanceFromFile little endian attempt +1 || 2103427 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB CoGetInstanceFromFile unicode attempt +1 || 2103428 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt +1 || 2103429 || 5 || protocol-command-decode || 0 || GPL NETBIOS SMB CoGetInstanceFromFile andx attempt +1 || 2103430 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB CoGetInstanceFromFile little endian andx attempt +1 || 2103431 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB CoGetInstanceFromFile unicode andx attempt +1 || 2103432 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt +1 || 2103433 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile attempt +1 || 2103434 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian attempt +1 || 2103435 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode attempt +1 || 2103436 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian attempt +1 || 2103437 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile andx attempt +1 || 2103438 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile little endian andx attempt +1 || 2103439 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode andx attempt +1 || 2103440 || 4 || protocol-command-decode || 0 || GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode little endian andx attempt +1 || 2103441 || 2 || misc-attack || 0 || GPL FTP PORT bounce attempt +1 || 2103453 || 2 || attempted-recon || 0 || GPL EXPLOIT Arkeia client backup system info probe || bugtraq,12594 +1 || 2103460 || 3 || attempted-recon || 0 || GPL FTP REST with numeric argument || bugtraq,7825 +1 || 2104469 || 2 || trojan-activity || 0 || ET CURRENT_EVENTS Likely Blackhole eval haha || url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx +1 || 2200000 || 1 || NOCLASS || 0 || SURICATA IPv4 packet too small +1 || 2200001 || 1 || NOCLASS || 0 || SURICATA IPv4 header size too small +1 || 2200002 || 1 || NOCLASS || 0 || SURICATA IPv4 total length smaller than header size +1 || 2200003 || 1 || NOCLASS || 0 || SURICATA IPv4 truncated packet +1 || 2200004 || 1 || NOCLASS || 0 || SURICATA IPv4 invalid option +1 || 2200005 || 1 || NOCLASS || 0 || SURICATA IPv4 invalid option length +1 || 2200006 || 1 || NOCLASS || 0 || SURICATA IPv4 malformed option +1 || 2200007 || 1 || NOCLASS || 0 || SURICATA IPv4 padding required +1 || 2200008 || 1 || NOCLASS || 0 || SURICATA IPv4 option end of list required +1 || 2200009 || 1 || NOCLASS || 0 || SURICATA IPv4 duplicated IP option +1 || 2200010 || 1 || NOCLASS || 0 || SURICATA IPv4 unknown IP option +1 || 2200011 || 1 || NOCLASS || 0 || SURICATA IPv4 wrong IP version +1 || 2200012 || 1 || NOCLASS || 0 || SURICATA IPv6 packet too small +1 || 2200013 || 1 || NOCLASS || 0 || SURICATA IPv6 truncated packet +1 || 2200014 || 1 || NOCLASS || 0 || SURICATA IPv6 truncated extension header +1 || 2200015 || 1 || NOCLASS || 0 || SURICATA IPv6 duplicated Fragment extension header +1 || 2200016 || 1 || NOCLASS || 0 || SURICATA IPv6 duplicated Routing extension header +1 || 2200017 || 1 || NOCLASS || 0 || SURICATA IPv6 duplicated Hop-By-Hop Options extension header +1 || 2200018 || 1 || NOCLASS || 0 || SURICATA IPv6 duplicated Destination Options extension header +1 || 2200019 || 1 || NOCLASS || 0 || SURICATA IPv6 duplicated Authentication Header extension header +1 || 2200020 || 1 || NOCLASS || 0 || SURICATA IPv6 duplicate ESP extension header +1 || 2200021 || 1 || NOCLASS || 0 || SURICATA IPv6 invalid option length in header +1 || 2200022 || 1 || NOCLASS || 0 || SURICATA IPv6 wrong IP version +1 || 2200023 || 1 || NOCLASS || 0 || SURICATA ICMPv4 packet too small +1 || 2200024 || 1 || NOCLASS || 0 || SURICATA ICMPv4 unknown type +1 || 2200025 || 1 || NOCLASS || 0 || SURICATA ICMPv4 unknown code +1 || 2200026 || 1 || NOCLASS || 0 || SURICATA ICMPv4 truncated packet +1 || 2200027 || 1 || NOCLASS || 0 || SURICATA ICMPv4 unknown version +1 || 2200028 || 1 || NOCLASS || 0 || SURICATA ICMPv6 packet too small +1 || 2200029 || 1 || NOCLASS || 0 || SURICATA ICMPv6 unknown type +1 || 2200030 || 1 || NOCLASS || 0 || SURICATA ICMPv6 unknown code +1 || 2200031 || 1 || NOCLASS || 0 || SURICATA ICMPv6 truncated packet +1 || 2200032 || 1 || NOCLASS || 0 || SURICATA ICMPv6 unknown version +1 || 2200033 || 1 || NOCLASS || 0 || SURICATA TCP packet too small +1 || 2200034 || 1 || NOCLASS || 0 || SURICATA TCP header length too small +1 || 2200035 || 1 || NOCLASS || 0 || SURICATA TCP invalid option length +1 || 2200036 || 1 || NOCLASS || 0 || SURICATA TCP option invalid length +1 || 2200037 || 1 || NOCLASS || 0 || SURICATA TCP duplicated option +1 || 2200038 || 1 || NOCLASS || 0 || SURICATA UDP packet too small +1 || 2200039 || 1 || NOCLASS || 0 || SURICATA UDP header length too small +1 || 2200040 || 1 || NOCLASS || 0 || SURICATA UDP invalid header length +1 || 2200041 || 1 || NOCLASS || 0 || SURICATA SLL packet too small +1 || 2200042 || 1 || NOCLASS || 0 || SURICATA Ethernet packet too small +1 || 2200043 || 1 || NOCLASS || 0 || SURICATA PPP packet too small +1 || 2200044 || 1 || NOCLASS || 0 || SURICATA PPP VJU packet too small +1 || 2200045 || 1 || NOCLASS || 0 || SURICATA PPP IPv4 packet too small +1 || 2200046 || 1 || NOCLASS || 0 || SURICATA PPP IPv6 too small +1 || 2200047 || 1 || NOCLASS || 0 || SURICATA PPP wrong type +1 || 2200048 || 1 || NOCLASS || 0 || SURICATA PPP unsupported protocol +1 || 2200049 || 1 || NOCLASS || 0 || SURICATA PPPOE packet too small +1 || 2200050 || 1 || NOCLASS || 0 || SURICATA PPPOE wrong code +1 || 2200051 || 1 || NOCLASS || 0 || SURICATA PPPOE malformed tags +1 || 2200052 || 1 || NOCLASS || 0 || SURICATA GRE packet too small +1 || 2200053 || 1 || NOCLASS || 0 || SURICATA GRE wrong version +1 || 2200054 || 1 || NOCLASS || 0 || SURICATA GRE v0 recursion control +1 || 2200055 || 1 || NOCLASS || 0 || SURICATA GRE v0 flags +1 || 2200056 || 1 || NOCLASS || 0 || SURICATA GRE v0 header too big +1 || 2200057 || 1 || NOCLASS || 0 || SURICATA GRE v1 checksum present +1 || 2200058 || 1 || NOCLASS || 0 || SURICATA GRE v1 routing present +1 || 2200059 || 1 || NOCLASS || 0 || SURICATA GRE v1 strict source route +1 || 2200060 || 1 || NOCLASS || 0 || SURICATA GRE v1 recursion control +1 || 2200061 || 1 || NOCLASS || 0 || SURICATA GRE v1 flags +1 || 2200062 || 1 || NOCLASS || 0 || SURICATA GRE v1 no key present +1 || 2200063 || 1 || NOCLASS || 0 || SURICATA GRE v1 wrong protocol +1 || 2200064 || 1 || NOCLASS || 0 || SURICATA GRE v1 malformed Source Route Entry header +1 || 2200065 || 1 || NOCLASS || 0 || SURICATA GRE v1 header too big +1 || 2200066 || 1 || NOCLASS || 0 || SURICATA VLAN header too small +1 || 2200067 || 1 || NOCLASS || 0 || SURICATA VLAN unknown type +1 || 2200068 || 1 || NOCLASS || 0 || SURICATA IP raw invalid IP version +1 || 2200069 || 1 || NOCLASS || 0 || SURICATA FRAG IPv4 Packet size too large +1 || 2200070 || 1 || NOCLASS || 0 || SURICATA FRAG IPv4 Fragmentation overlap +1 || 2200071 || 1 || NOCLASS || 0 || SURICATA FRAG IPv6 Packet size too large +1 || 2200072 || 1 || NOCLASS || 0 || SURICATA FRAG IPv6 Fragmentation overlap +1 || 2200073 || 1 || NOCLASS || 0 || SURICATA IPv4 invalid checksum +1 || 2200074 || 1 || NOCLASS || 0 || SURICATA TCPv4 invalid checksum +1 || 2200075 || 1 || NOCLASS || 0 || SURICATA UDPv4 invalid checksum +1 || 2200076 || 1 || NOCLASS || 0 || SURICATA ICMPv4 invalid checksum +1 || 2200077 || 1 || NOCLASS || 0 || SURICATA TCPv6 invalid checksum +1 || 2200078 || 1 || NOCLASS || 0 || SURICATA UDPv6 invalid checksum +1 || 2200079 || 1 || NOCLASS || 0 || SURICATA ICMPv6 invalid checksum +1 || 2200080 || 1 || NOCLASS || 0 || SURICATA IPv6 useless Fragment extension header +1 || 2200081 || 1 || NOCLASS || 0 || SURICATA IPv6 AH reserved field not 0 +1 || 2200082 || 1 || NOCLASS || 0 || SURICATA IPv4-in-IPv6 packet too short +1 || 2200083 || 1 || NOCLASS || 0 || SURICATA IPv4-in-IPv6 invalid protocol +1 || 2200084 || 1 || NOCLASS || 0 || SURICATA IPv6-in-IPv6 packet too short +1 || 2200085 || 1 || NOCLASS || 0 || SURICATA IPv6-in-IPv6 invalid protocol +1 || 2210000 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake with ack in wrong dir +1 || 2210001 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake async wrong sequence +1 || 2210002 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake right seq wrong ack evasion +1 || 2210003 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake SYNACK in wrong direction +1 || 2210004 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake SYNACK resend with different ack +1 || 2210005 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake SYNACK resend with different seq +1 || 2210006 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake SYNACK to server on SYN recv +1 || 2210007 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake SYNACK with wrong ack +1 || 2210008 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake SYN resend different seq on SYN recv +1 || 2210009 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake SYN to client on SYN recv +1 || 2210010 || 1 || NOCLASS || 0 || SURICATA STREAM 3way handshake wrong seq wrong ack +1 || 2210011 || 1 || NOCLASS || 0 || SURICATA STREAM 4way handshake SYNACK with wrong ACK +1 || 2210012 || 1 || NOCLASS || 0 || SURICATA STREAM 4way handshake SYNACK with wrong SYN +1 || 2210013 || 1 || NOCLASS || 0 || SURICATA STREAM 4way handshake wrong seq +1 || 2210014 || 1 || NOCLASS || 0 || SURICATA STREAM 4way handshake invalid ack +1 || 2210015 || 1 || NOCLASS || 0 || SURICATA STREAM CLOSEWAIT ACK out of window +1 || 2210016 || 1 || NOCLASS || 0 || SURICATA STREAM CLOSEWAIT FIN out of window +1 || 2210017 || 1 || NOCLASS || 0 || SURICATA STREAM CLOSEWAIT invalid ACK +1 || 2210018 || 1 || NOCLASS || 0 || SURICATA STREAM CLOSING ACK wrong seq +1 || 2210019 || 1 || NOCLASS || 0 || SURICATA STREAM CLOSING invalid ACK +1 || 2210020 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED packet out of window +1 || 2210021 || 2 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED retransmission packet before last ack +1 || 2210022 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED SYNACK resend +1 || 2210023 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED SYNACK resend with different ACK +1 || 2210024 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED SYNACK resend with different seq +1 || 2210025 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED SYNACK to server +1 || 2210026 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED SYN resend +1 || 2210027 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED SYN resend with different seq +1 || 2210028 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED SYN to client +1 || 2210029 || 1 || NOCLASS || 0 || SURICATA STREAM ESTABLISHED invalid ack +1 || 2210030 || 1 || NOCLASS || 0 || SURICATA STREAM FIN invalid ack +1 || 2210031 || 1 || NOCLASS || 0 || SURICATA STREAM FIN1 ack with wrong seq +1 || 2210032 || 1 || NOCLASS || 0 || SURICATA STREAM FIN1 FIN with wrong seq +1 || 2210033 || 1 || NOCLASS || 0 || SURICATA STREAM FIN1 invalid ack +1 || 2210034 || 1 || NOCLASS || 0 || SURICATA STREAM FIN2 ack with wrong seq +1 || 2210035 || 1 || NOCLASS || 0 || SURICATA STREAM FIN2 FIN with wrong seq +1 || 2210036 || 1 || NOCLASS || 0 || SURICATA STREAM FIN2 invalid ack +1 || 2210037 || 1 || NOCLASS || 0 || SURICATA STREAM FIN recv but no session +1 || 2210038 || 1 || NOCLASS || 0 || SURICATA STREAM FIN out of window +1 || 2210039 || 1 || NOCLASS || 0 || SURICATA STREAM Last ACK with wrong seq +1 || 2210040 || 1 || NOCLASS || 0 || SURICATA STREAM Last ACK invalid ACK +1 || 2210041 || 1 || NOCLASS || 0 || SURICATA STREAM RST recv but no session +1 || 2210042 || 1 || NOCLASS || 0 || SURICATA STREAM TIMEWAIT ACK with wrong seq +1 || 2210043 || 1 || NOCLASS || 0 || SURICATA STREAM TIMEWAIT invalid ack +1 || 2210044 || 1 || NOCLASS || 0 || SURICATA STREAM Packet with invalid timestamp +1 || 2210045 || 1 || NOCLASS || 0 || SURICATA STREAM Packet with invalid ack +1 || 2210046 || 1 || NOCLASS || 0 || SURICATA STREAM SHUTDOWN RST invalid ack +1 || 2210047 || 1 || NOCLASS || 0 || SURICATA STREAM reassembly segment before base seq +1 || 2210048 || 1 || NOCLASS || 0 || SURICATA STREAM reassembly sequence GAP -- missing packet(s) +1 || 2210049 || 1 || NOCLASS || 0 || SURICATA STREAM SYN resend +1 || 2220000 || 1 || protocol-command-decode || 0 || SURICATA SMTP invalid reply +1 || 2220001 || 1 || protocol-command-decode || 0 || SURICATA SMTP unable to match reply with request +1 || 2220002 || 1 || protocol-command-decode || 0 || SURICATA SMTP max command line len exceeded +1 || 2220003 || 1 || protocol-command-decode || 0 || SURICATA SMTP max reply line len exceeded +1 || 2220004 || 1 || protocol-command-decode || 0 || SURICATA SMTP invalid pipelined sequence +1 || 2220005 || 1 || protocol-command-decode || 0 || SURICATA SMTP bdat chunk len exceeded +1 || 2220006 || 1 || protocol-command-decode || 0 || SURICATA SMTP no server welcome message +1 || 2220007 || 1 || protocol-command-decode || 0 || SURICATA SMTP tls rejected +1 || 2220008 || 1 || protocol-command-decode || 0 || SURICATA SMTP data command rejected +1 || 2221000 || 1 || protocol-command-decode || 0 || SURICATA HTTP unknown error +1 || 2221001 || 1 || protocol-command-decode || 0 || SURICATA HTTP gzip decompression failed +1 || 2221002 || 1 || protocol-command-decode || 0 || SURICATA HTTP request field missing colon +1 || 2221003 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid request chunk len +1 || 2221004 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid response chunk len +1 || 2221005 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid transfer encoding value in request +1 || 2221006 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid transfer encoding value in response +1 || 2221007 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid content length field in request +1 || 2221008 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid content length field in response +1 || 2221009 || 1 || protocol-command-decode || 0 || SURICATA HTTP status 100-Continue already seen +1 || 2221010 || 1 || protocol-command-decode || 0 || SURICATA HTTP unable to match response to request +1 || 2221011 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid server port in request +1 || 2221012 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid authority port +1 || 2221013 || 1 || protocol-command-decode || 0 || SURICATA HTTP request header invalid +1 || 2221014 || 1 || protocol-command-decode || 0 || SURICATA HTTP missing Host header +1 || 2221015 || 1 || protocol-command-decode || 0 || SURICATA HTTP Host header ambiguous +1 || 2221016 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid request field folding +1 || 2221017 || 1 || protocol-command-decode || 0 || SURICATA HTTP invalid response field folding +1 || 2221018 || 1 || protocol-command-decode || 0 || SURICATA HTTP request field too long +1 || 2221019 || 1 || protocol-command-decode || 0 || SURICATA HTTP response field too long +1 || 2221020 || 1 || protocol-command-decode || 0 || SURICATA HTTP response field missing colon +1 || 2221021 || 1 || protocol-command-decode || 0 || SURICATA HTTP response header invalid +1 || 2221022 || 1 || protocol-command-decode || 0 || SURICATA HTTP multipart generic error +1 || 2221023 || 1 || protocol-command-decode || 0 || SURICATA HTTP multipart no filedata +1 || 2221024 || 1 || protocol-command-decode || 0 || SURICATA HTTP multipart invalid header +1 || 2221026 || 1 || protocol-command-decode || 0 || SURICATA HTTP request server port doesn't match TCP port +1 || 2230000 || 1 || protocol-command-decode || 0 || SURICATA TLS invalid SSLv2 header +1 || 2230001 || 1 || protocol-command-decode || 0 || SURICATA TLS invalid TLS header +1 || 2230002 || 1 || protocol-command-decode || 0 || SURICATA TLS invalid record type +1 || 2230003 || 1 || protocol-command-decode || 0 || SURICATA TLS invalid handshake message +1 || 2230004 || 1 || protocol-command-decode || 0 || SURICATA TLS invalid certificate +1 || 2230005 || 1 || protocol-command-decode || 0 || SURICATA TLS certificate missing element +1 || 2230006 || 1 || protocol-command-decode || 0 || SURICATA TLS certificate unknown element +1 || 2230007 || 1 || protocol-command-decode || 0 || SURICATA TLS certificate invalid length +1 || 2230008 || 1 || protocol-command-decode || 0 || SURICATA TLS certificate invalid string +1 || 2230009 || 1 || protocol-command-decode || 0 || SURICATA TLS error message encountered +1 || 2400000 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 1 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400001 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 2 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400002 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 3 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400003 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 4 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400004 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 5 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400005 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 6 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400006 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 7 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400007 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 8 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400008 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 9 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400009 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 10 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400010 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 11 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400011 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 12 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400012 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 13 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400013 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 14 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400014 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 15 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400015 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 16 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400016 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 17 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400017 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 18 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400018 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 19 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400019 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 20 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400020 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 21 || url,www.spamhaus.org/drop/drop.lasso +1 || 2400021 || 2420 || misc-attack || 0 || ET DROP Spamhaus DROP Listed Traffic Inbound group 22 || url,www.spamhaus.org/drop/drop.lasso +1 || 2402000 || 3237 || misc-attack || 0 || ET DROP Dshield Block Listed Source group 1 || url,feed.dshield.org/block.txt +1 || 2403300 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 1 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403301 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 2 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403302 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 3 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403303 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 4 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403304 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 5 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403305 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 6 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403306 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 7 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403307 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 8 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403308 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 9 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403309 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 10 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403310 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 11 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403311 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 12 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403312 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 13 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403313 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 14 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403314 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 15 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403315 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 16 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403316 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 17 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403317 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 18 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403318 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 19 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403319 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 20 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403320 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 21 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403321 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 22 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403322 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 23 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403323 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 24 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403324 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 25 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403325 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 26 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403326 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 27 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403327 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 28 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2403328 || 710 || misc-attack || 0 || ET CINS Active Threat Intelligence Poor Reputation IP group 29 || url,www.cinsscore.com || url,www.networkcloaking.com/cins +1 || 2404000 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404001 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 2 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404002 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 3 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404003 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 4 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404004 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 5 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404005 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 6 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404006 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 7 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404007 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 8 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404008 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 9 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404009 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 10 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404010 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 11 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404011 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 12 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404012 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 13 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404013 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 14 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404014 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 15 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404015 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 16 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404016 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 17 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404017 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 18 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404018 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 19 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404019 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 20 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404020 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 21 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404021 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 22 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404022 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 23 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404023 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 24 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404024 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 25 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404025 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 26 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404026 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 27 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404027 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 28 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404028 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 29 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404029 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 30 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404030 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 31 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404031 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 32 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404032 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 33 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404033 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 34 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404034 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 35 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404035 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 36 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404036 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 37 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404037 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 38 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404038 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 39 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404039 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 40 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404040 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 41 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404041 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 42 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404042 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 43 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404043 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 44 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404044 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 45 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404045 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 46 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404046 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 47 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404047 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 48 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404048 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server IP group 49 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404049 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server group 50 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2404100 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404101 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 2 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404102 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 3 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404103 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 4 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404104 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 5 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404105 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 6 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404106 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 7 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404107 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 8 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404108 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 9 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404109 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 10 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404110 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 11 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404111 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 12 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404112 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 13 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404113 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 14 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404114 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 15 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404115 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 16 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404116 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 17 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404117 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 18 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404118 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 19 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404119 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 20 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404120 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 21 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404121 || 3351 || trojan-activity || 0 || ET CNC Spyeye Tracker Reported CnC Server group 22 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404122 || 3351 || trojan-activity || 0 || ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server group 23 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,spyeyetracker.abuse.ch +1 || 2404150 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404151 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 2 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404152 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 3 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404153 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 4 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404154 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 5 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404155 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 6 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404156 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 7 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404157 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 8 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404158 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 9 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404159 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 10 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404160 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 11 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404161 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 12 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404162 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 13 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404163 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 14 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404164 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 15 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404165 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 16 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404166 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 17 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404167 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 18 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404168 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 19 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404169 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 20 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404170 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 21 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404171 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 22 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404172 || 3351 || trojan-activity || 0 || ET CNC Zeus Tracker Reported CnC Server group 23 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,zeustracker.abuse.ch +1 || 2404200 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404201 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 2 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404202 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 3 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404203 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 4 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404204 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 5 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404205 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 6 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404206 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 7 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404207 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 8 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404208 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 9 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404209 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 10 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404210 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 11 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404211 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 12 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2404212 || 3351 || trojan-activity || 0 || ET CNC Palevo Tracker Reported CnC Server group 13 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,palevotracker.abuse.ch +1 || 2405000 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 22 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405001 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 80 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405002 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 81 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405003 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 82 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405004 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 443 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405005 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 1023 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405006 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 1111 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405007 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 1337 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405008 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 1863 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405009 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 1887 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405010 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 2211 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405011 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 2222 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405012 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 2319 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405013 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 2525 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405014 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 3211 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405015 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 3305 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405016 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 3333 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405017 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 3463 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405018 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 3921 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405019 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4040 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405020 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4042 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405021 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4080 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405022 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4156 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405023 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4242 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405024 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4244 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405025 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4367 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405026 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4619 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405027 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 4949 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405028 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 5050 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405029 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 5456 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405030 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 5612 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405031 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 5874 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405032 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 5900 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405033 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 5966 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405034 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6104 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405035 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6138 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405036 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6281 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405037 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6556 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405038 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6660 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405039 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6661 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405040 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6663 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405041 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6664 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405042 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6665 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405043 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6666 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405044 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405045 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 2 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405046 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 3 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405047 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 4 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405048 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 5 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405049 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 6 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405050 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 7 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405051 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 8 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405052 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 9 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405053 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 10 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405054 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 11 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405055 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 12 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405056 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6667 Group 13 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405057 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6668 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405058 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6669 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405059 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6678 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405060 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6680 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405061 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6697 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405062 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6768 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405063 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6867 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405064 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6900 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405065 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6967 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405066 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 6969 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405067 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7000 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405068 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7000 Group 2 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405069 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7100 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405070 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7106 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405071 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7486 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405072 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7500 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405073 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7649 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405074 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7771 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405075 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 7999 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405076 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 8002 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405077 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 8070 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405078 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 8080 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405079 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 8484 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405080 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 8585 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405081 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 8685 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405082 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 8754 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405083 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 8782 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405084 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 9000 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405085 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 9425 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405086 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 9595 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405087 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 9731 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405088 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 9999 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405089 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 10324 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405090 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 11830 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405091 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 13001 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405092 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 17405 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405093 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 19899 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405094 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 20560 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405095 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 23232 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405096 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 23765 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405097 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 33333 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405098 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 34345 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405099 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 37894 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405100 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 38294 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405101 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 54321 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405102 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 58914 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2405103 || 3351 || trojan-activity || 0 || ET CNC Shadowserver Reported CnC Server Port 61521 Group 1 || url,doc.emergingthreats.net/bin/view/Main/BotCC || url,www.shadowserver.org +1 || 2406000 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 1 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406002 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 2 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406004 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 3 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406006 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 4 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406008 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 5 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406010 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 6 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406012 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 7 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406014 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 8 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406016 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 9 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406018 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 10 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406020 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 11 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406022 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 12 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406024 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 13 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406026 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 14 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406028 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 15 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406030 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 16 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406032 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 17 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406034 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 18 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406036 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 19 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406038 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 20 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406040 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 21 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406042 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 22 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406044 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 23 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406046 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 24 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406048 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 25 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406050 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 26 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406052 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 27 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406054 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 28 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406056 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 29 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406058 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 30 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406060 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 31 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406062 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 32 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406064 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 33 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406066 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 34 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406068 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 35 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406070 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 36 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406072 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 37 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406074 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 38 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406076 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 39 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406078 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 40 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406080 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 41 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406082 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 42 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406084 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 43 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406086 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 44 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406088 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 45 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406090 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 46 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406092 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 47 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406094 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 48 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406096 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 49 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406098 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 50 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406100 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 51 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406102 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 52 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406104 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 53 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406106 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 54 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406108 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 55 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406110 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 56 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406112 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 57 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406114 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 58 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406116 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 59 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406118 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 60 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406120 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 61 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406122 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 62 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406124 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 63 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406126 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 64 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406128 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 65 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406130 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 66 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406132 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 67 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406134 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 68 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406136 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 69 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406138 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 70 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406140 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 71 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406142 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 72 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406144 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 73 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406146 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 74 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406148 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 75 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406150 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 76 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406152 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 77 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406154 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 78 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406156 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 79 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406158 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 80 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406160 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 81 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406162 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 82 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406164 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 83 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406166 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 84 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406168 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 85 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406170 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 86 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406172 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 87 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406174 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 88 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406176 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 89 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406178 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 90 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406180 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 91 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406182 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 92 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406184 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 93 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406186 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 94 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406188 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 95 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406190 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 96 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406192 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 97 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406194 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 98 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406196 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 99 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406198 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 100 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406200 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 101 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406202 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 102 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406204 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 103 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406206 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 104 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406208 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 105 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406210 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 106 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406212 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 107 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406214 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 108 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406216 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 109 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406218 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 110 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406220 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 111 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406222 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 112 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406224 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 113 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406226 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 114 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406228 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 115 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406230 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 116 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406232 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 117 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406234 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 118 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406236 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 119 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406238 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 120 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406240 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 121 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406242 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 122 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406244 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 123 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406246 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 124 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406248 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 125 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406250 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 126 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406252 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 127 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406254 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 128 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406256 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 129 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406258 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 130 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406260 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 131 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406262 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 132 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406264 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 133 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406266 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 134 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406268 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 135 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406270 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 136 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406272 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 137 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406274 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 138 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406276 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 139 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406278 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 140 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406280 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 141 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406282 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 142 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406284 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 143 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406286 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 144 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406288 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 145 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406290 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 146 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406292 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 147 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406294 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 148 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406296 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 149 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406298 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 150 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406300 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 151 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406302 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 152 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406304 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 153 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406306 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 154 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406308 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 155 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406310 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 156 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406312 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 157 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406314 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 158 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406316 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 159 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406318 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 160 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406320 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 161 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406322 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 162 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406324 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 163 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406326 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 164 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406328 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 165 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406330 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 166 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406332 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 167 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406334 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 168 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406336 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 169 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406338 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 170 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406340 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 171 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406342 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 172 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406344 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 173 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406346 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 174 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406348 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 175 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406350 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 176 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406352 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 177 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406354 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 178 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406356 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 179 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406358 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 180 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406360 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 181 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406362 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 182 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406364 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 183 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406366 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 184 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406368 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 185 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406370 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 186 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406372 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 187 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406374 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 188 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406376 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 189 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406378 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 190 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406380 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 191 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406382 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 192 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406384 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 193 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406386 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 194 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406388 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 195 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406390 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 196 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406392 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 197 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406394 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 198 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406396 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 199 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406398 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 200 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406400 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 201 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406402 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 202 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406404 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 203 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406406 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 204 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406408 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 205 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406410 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 206 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406412 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 207 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406414 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 208 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406416 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 209 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406418 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 210 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406420 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 211 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406422 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 212 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406424 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 213 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406426 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 214 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406428 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 215 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406430 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 216 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406432 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 217 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406434 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 218 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406436 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 219 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406438 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 220 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406440 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 221 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406442 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 222 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406444 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 223 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406446 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 224 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406448 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 225 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406450 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 226 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406452 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 227 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406454 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 228 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406456 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 229 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406458 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 230 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406460 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 231 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406462 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 232 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406464 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 233 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406466 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 234 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406468 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 235 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406470 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 236 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406472 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 237 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406474 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 238 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406476 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 239 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406478 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 240 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406480 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 241 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406482 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 242 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406484 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 243 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406486 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 244 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406488 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 245 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406490 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 246 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406492 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 247 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406494 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 248 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406496 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 249 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406498 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 250 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406500 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 251 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406502 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 252 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406504 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 253 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406506 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 254 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406508 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 255 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406510 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 256 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406512 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 257 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406514 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 258 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406516 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 259 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406518 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 260 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406520 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 261 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406522 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 262 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406524 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 263 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406526 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 264 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406528 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 265 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406530 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 266 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406532 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 267 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406534 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 268 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406536 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 269 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406538 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 270 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406540 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 271 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406542 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 272 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406544 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 273 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406546 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 274 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406548 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 275 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406550 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 276 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406552 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 277 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406554 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 278 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406556 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 279 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406558 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 280 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406560 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 281 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406562 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 282 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406564 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 283 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406566 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 284 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406568 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 285 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406570 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 286 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406572 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 287 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406574 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 288 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406576 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 289 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406578 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 290 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406580 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 291 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406582 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 292 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406584 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 293 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406586 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 294 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406588 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 295 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406590 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 296 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406592 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 297 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406594 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 298 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406596 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 299 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406598 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 300 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406600 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 301 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406602 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 302 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406604 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 303 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406606 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 304 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406608 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 305 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406610 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 306 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406612 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 307 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406614 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 308 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406616 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 309 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406618 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 310 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406620 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 311 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406622 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 312 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406624 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 313 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406626 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 314 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406628 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 315 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406630 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 316 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406632 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 317 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406634 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 318 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406636 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 319 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406638 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 320 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406640 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 321 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406642 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 322 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406644 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 323 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406646 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 324 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406648 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 325 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406650 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 326 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406652 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 327 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406654 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 328 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406656 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 329 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406658 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 330 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406660 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 331 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406662 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 332 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406664 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 333 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406666 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 334 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406668 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 335 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406670 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 336 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406672 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 337 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406674 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 338 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406676 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 339 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406678 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 340 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406680 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 341 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406682 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 342 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406684 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 343 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406686 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 344 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406688 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 345 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406690 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 346 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406692 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 347 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406694 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 348 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406696 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 349 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406698 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 350 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406700 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 351 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406702 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 352 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406704 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 353 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406706 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 354 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406708 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 355 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406710 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 356 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406712 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 357 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406714 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 358 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406716 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 359 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406718 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 360 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406720 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 361 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406722 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 362 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406724 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 363 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406726 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 364 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406728 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 365 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406730 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 366 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406732 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 367 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406734 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 368 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406736 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 369 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406738 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 370 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406740 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 371 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406742 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 372 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406744 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 373 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406746 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 374 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406748 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 375 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406750 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 376 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406752 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 377 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406754 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 378 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406756 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 379 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406758 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 380 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406760 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 381 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406762 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 382 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406764 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 383 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406766 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 384 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406768 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 385 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406770 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 386 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406772 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 387 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406774 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 388 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406776 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 389 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406778 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 390 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406780 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 391 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406782 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 392 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406784 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 393 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406786 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 394 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406788 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 395 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406790 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 396 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406792 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 397 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406794 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 398 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406796 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 399 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406798 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 400 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406800 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 401 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406802 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 402 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406804 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 403 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406806 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 404 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406808 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 405 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406810 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 406 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406812 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 407 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406814 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 408 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406816 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 409 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406818 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 410 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406820 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 411 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406822 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 412 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406824 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 413 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406826 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 414 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406828 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 415 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406830 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 416 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406832 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 417 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406834 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 418 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406836 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 419 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406838 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 420 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406840 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 421 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406842 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 422 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406844 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 423 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406846 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 424 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406848 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 425 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406850 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 426 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406852 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 427 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406854 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 428 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406856 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 429 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406858 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 430 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406860 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 431 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406862 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 432 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406864 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 433 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406866 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 434 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406868 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 435 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406870 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 436 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2406872 || 315 || NOCLASS || 0 || ET RBN Known Russian Business Network IP group 437 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408000 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 1 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408002 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 2 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408004 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 3 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408006 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 4 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408008 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 5 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408010 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 6 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408012 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 7 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408014 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 8 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408016 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 9 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408018 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 10 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408020 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 11 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408022 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 12 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408024 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 13 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408026 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 14 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408028 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 15 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408030 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 16 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408032 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 17 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408034 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 18 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408036 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 19 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408038 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 20 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408040 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 21 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408042 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 22 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408044 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 23 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408046 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 24 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408048 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 25 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408050 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 26 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408052 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 27 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408054 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 28 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408056 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 29 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408058 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 30 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408060 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 31 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408062 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 32 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408064 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 33 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2408066 || 315 || NOCLASS || 0 || ET RBN Known Malvertiser IP group 34 || url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork +1 || 2500000 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 1 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500002 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 2 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500004 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 3 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500006 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 4 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500008 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 5 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500010 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 6 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500012 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 7 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500014 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 8 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500016 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500018 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 10 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500020 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 11 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500022 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 12 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500024 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 13 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500026 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 14 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500028 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 15 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500030 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 16 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500032 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 17 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500034 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 18 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500036 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 19 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500038 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 20 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500040 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 21 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500042 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 22 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500044 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 23 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500046 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 24 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500048 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 25 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500050 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 26 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500052 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 27 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500054 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 28 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500056 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 29 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500058 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 30 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500060 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 31 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500062 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 32 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500064 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 33 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500066 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 34 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500068 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 35 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500070 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 36 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500072 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 37 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500074 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 38 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500076 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 39 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500078 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 40 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500080 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 41 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500082 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 42 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500084 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 43 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500086 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 44 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500088 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 45 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500090 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 46 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500092 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 47 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500094 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 48 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500096 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 49 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500098 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 50 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500100 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 51 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500102 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 52 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2500104 || 3131 || misc-attack || 0 || ET COMPROMISED Known Compromised or Hostile Host Traffic group 53 || url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts +1 || 2520000 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 1 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520002 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 2 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520004 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 3 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520006 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 4 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520008 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 5 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520010 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 6 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520012 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 7 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520014 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 8 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520016 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 9 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520018 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 10 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520020 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 11 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520022 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 12 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520024 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 13 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520026 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 14 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520028 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 15 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520030 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 16 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520032 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 17 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520034 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 18 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520036 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 19 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520038 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 20 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520040 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 21 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520042 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 22 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520044 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 23 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520046 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 24 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520048 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 25 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520050 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 26 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520052 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 27 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520054 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 28 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520056 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 29 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520058 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 30 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520060 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 31 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520062 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 32 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520064 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 33 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520066 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 34 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520068 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 35 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520070 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 36 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520072 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 37 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520074 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 38 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520076 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 39 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520078 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 40 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520080 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 41 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520082 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 42 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520084 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 43 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520086 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 44 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520088 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 45 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520090 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 46 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520092 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 47 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520094 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 48 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520096 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 49 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520098 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 50 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520100 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 51 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520102 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 52 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520104 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 53 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520106 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 54 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520108 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 55 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520110 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 56 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520112 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 57 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520114 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 58 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520116 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 59 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520118 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 60 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520120 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 61 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520122 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 62 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520124 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 63 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520126 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 64 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520128 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 65 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520130 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 66 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520132 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 67 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520134 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 68 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520136 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 69 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520138 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 70 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520140 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 71 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520142 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 72 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520144 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 73 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520146 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 74 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520148 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 75 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520150 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 76 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520152 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 77 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520154 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 78 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520156 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 79 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520158 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 80 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520160 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 81 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520162 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 82 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520164 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 83 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520166 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 84 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520168 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 85 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520170 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 86 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520172 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 87 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520174 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 88 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520176 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 89 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520178 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 90 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520180 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 91 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520182 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 92 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520184 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 93 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520186 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 94 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520188 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 95 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2520190 || 1743 || misc-attack || 0 || ET TOR Known Tor Exit Node Traffic group 96 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522000 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522002 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522004 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 3 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522006 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 4 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522008 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 5 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522010 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 6 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522012 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 7 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522014 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 8 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522016 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 9 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522018 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 10 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522020 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 11 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522022 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 12 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522024 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 13 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522026 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 14 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522028 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 15 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522030 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 16 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522032 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 17 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522034 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 18 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522036 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 19 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522038 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 20 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522040 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 21 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522042 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 22 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522044 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 23 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522046 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 24 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522048 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 25 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522050 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 26 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522052 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 27 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522054 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 28 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522056 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 29 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522058 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 30 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522060 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 31 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522062 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 32 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522064 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 33 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522066 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 34 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522068 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 35 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522070 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 36 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522072 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 37 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522074 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 38 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522076 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 39 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522078 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 40 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522080 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 41 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522082 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 42 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522084 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 43 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522086 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 44 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522088 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 45 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522090 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 46 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522092 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 47 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522094 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 48 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522096 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 49 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522098 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 50 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522100 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 51 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522102 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 52 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522104 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 53 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522106 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 54 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522108 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 55 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522110 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 56 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522112 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 57 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522114 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 58 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522116 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 59 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522118 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 60 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522120 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 61 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522122 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 62 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522124 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 63 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522126 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 64 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522128 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 65 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522130 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 66 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522132 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 67 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522134 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 68 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522136 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 69 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522138 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 70 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522140 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 71 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522142 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 72 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522144 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 73 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522146 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 74 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522148 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 75 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522150 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 76 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522152 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 77 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522154 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 78 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522156 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 79 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522158 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 80 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522160 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 81 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522162 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 82 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522164 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 83 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522166 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 84 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522168 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 85 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522170 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 86 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522172 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 87 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522174 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 88 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522176 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 89 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522178 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 90 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522180 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 91 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522182 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 92 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522184 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 93 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522186 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 94 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522188 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 95 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522190 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 96 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522192 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 97 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522194 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522196 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 99 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522198 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 100 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522200 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 101 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522202 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 102 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522204 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 103 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522206 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 104 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522208 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 105 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522210 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 106 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522212 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 107 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522214 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 108 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522216 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 109 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522218 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 110 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522220 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 111 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522222 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 112 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522224 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522226 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 114 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522228 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 115 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522230 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522232 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 117 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522234 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 118 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522236 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 119 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522238 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 120 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522240 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 121 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522242 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 122 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522244 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 123 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522246 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 124 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522248 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 125 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522250 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 126 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522252 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 127 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522254 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 128 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522256 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 129 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522258 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 130 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522260 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 131 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522262 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 132 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522264 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 133 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522266 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 134 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522268 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 135 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522270 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 136 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522272 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 137 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522274 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 138 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522276 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 139 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522278 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 140 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522280 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 141 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522282 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 142 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522284 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 143 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522286 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 144 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522288 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 145 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522290 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 146 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522292 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 147 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522294 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 148 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522296 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 149 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522298 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 150 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522300 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 151 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522302 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 152 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522304 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 153 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522306 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 154 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522308 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 155 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522310 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 156 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522312 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 157 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522314 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 158 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522316 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 159 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522318 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 160 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522320 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 161 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522322 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 162 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522324 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 163 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522326 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 164 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522328 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 165 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522330 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 166 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522332 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 167 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522334 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 168 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522336 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 169 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522338 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 170 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522340 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 171 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522342 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 172 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522344 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 173 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522346 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 174 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522348 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 175 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522350 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 176 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522352 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 177 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522354 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522356 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 179 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522358 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 180 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522360 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 181 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522362 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 182 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522364 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 183 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522366 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 184 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522368 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 185 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522370 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 186 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522372 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 187 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522374 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 188 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522376 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 189 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522378 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 190 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522380 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 191 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522382 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 192 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522384 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 193 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522386 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 194 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522388 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522390 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 196 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522392 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 197 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522394 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 198 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522396 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 199 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522398 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 200 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522400 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 201 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522402 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 202 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522404 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 203 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522406 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 204 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522408 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 205 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522410 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 206 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522412 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 207 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522414 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 208 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522416 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 209 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522418 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 210 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522420 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 211 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522422 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 212 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522424 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 213 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522426 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 214 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522428 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 215 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522430 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 216 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522432 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 217 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522434 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 218 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522436 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 219 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522438 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 220 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522440 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 221 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522442 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 222 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522444 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 223 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522446 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 224 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522448 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 225 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522450 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 226 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522452 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 227 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522454 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 228 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522456 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 229 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522458 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 230 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522460 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 231 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522462 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 232 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522464 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 233 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522466 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522468 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 235 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522470 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 236 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522472 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 237 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522474 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 238 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522476 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 239 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522478 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 240 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522480 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 241 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522482 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 242 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522484 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 243 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522486 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 244 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522488 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 245 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522490 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 246 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522492 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 247 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522494 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 248 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522496 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 249 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522498 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 250 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522500 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 251 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522502 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 252 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522504 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 253 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522506 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 254 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522508 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 255 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522510 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 256 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522512 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 257 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522514 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 258 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522516 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 259 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522518 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 260 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522520 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 261 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522522 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 262 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522524 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 263 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522526 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 264 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522528 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 265 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522530 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 266 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522532 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 267 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522534 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 268 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522536 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 269 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522538 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 270 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522540 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 271 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522542 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 272 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522544 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 273 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522546 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 274 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522548 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 275 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522550 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 276 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522552 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 277 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522554 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 278 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522556 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 279 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522558 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 280 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522560 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 281 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522562 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 282 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522564 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 283 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522566 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 284 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522568 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 285 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522570 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 286 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522572 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 287 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522574 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 288 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522576 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 289 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522578 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 290 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522580 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 291 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522582 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 292 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522584 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 293 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522586 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 294 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522588 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 295 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522590 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 296 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522592 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 297 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522594 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 298 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522596 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 299 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522598 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 300 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522600 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 301 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522602 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 302 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522604 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 303 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522606 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 304 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522608 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 305 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522610 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 306 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522612 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 307 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522614 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 308 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522616 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 309 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522618 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 310 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522620 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 311 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522622 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 312 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522624 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 313 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522626 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 314 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522628 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 315 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522630 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 316 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522632 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 317 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522634 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 318 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522636 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 319 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522638 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 320 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522640 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 321 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522642 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 322 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522644 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 323 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522646 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 324 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522648 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 325 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522650 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 326 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522652 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 327 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522654 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 328 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522656 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 329 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522658 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 330 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522660 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 331 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522662 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 332 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522664 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 333 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522666 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 334 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522668 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 335 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522670 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 336 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522672 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 337 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522674 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 338 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522676 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522678 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 340 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522680 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 341 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522682 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 342 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522684 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 343 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522686 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 344 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522688 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 345 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522690 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 346 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522692 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 347 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522694 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 348 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522696 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 349 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522698 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 350 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522700 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 351 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522702 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 352 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522704 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 353 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522706 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 354 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522708 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 355 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522710 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 356 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522712 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 357 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522714 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 358 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522716 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 359 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522718 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 360 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522720 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 361 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522722 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 362 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522724 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 363 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522726 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 364 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522728 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 365 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522730 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 366 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522732 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 367 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522734 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 368 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522736 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 369 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522738 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 370 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522740 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 371 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522742 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 372 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522744 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 373 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522746 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 374 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522748 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 375 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522750 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 376 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522752 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 377 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522754 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 378 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522756 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 379 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522758 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 380 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522760 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 381 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522762 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 382 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522764 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 383 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522766 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 384 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522768 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 385 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522770 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 386 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522772 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 387 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522774 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 388 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522776 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 389 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522778 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 390 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522780 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 391 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522782 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 392 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522784 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 393 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522786 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 394 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522788 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 395 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522790 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 396 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522792 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 397 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522794 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 398 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522796 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 399 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522798 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 400 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522800 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 401 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522802 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 402 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522804 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 403 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522806 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 404 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522808 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 405 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522810 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 406 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522812 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 407 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522814 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 408 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522816 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 409 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522818 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 410 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522820 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 411 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522822 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 412 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522824 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 413 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522826 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 414 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522828 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 415 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522830 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 416 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522832 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 417 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522834 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 418 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522836 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 419 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522838 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 420 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522840 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 421 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522842 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 422 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522844 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 423 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522846 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 424 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522848 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 425 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522850 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 426 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522852 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 427 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522854 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 428 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522856 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 429 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522858 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 430 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522860 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 431 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522862 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 432 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522864 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 433 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522866 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 434 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522868 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 435 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522870 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 436 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522872 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 437 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522874 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 438 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522876 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 439 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522878 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 440 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522880 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 441 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522882 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 442 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522884 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 443 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522886 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 444 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522888 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 445 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522890 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 446 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522892 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 447 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522894 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 448 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522896 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 449 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522898 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 450 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522900 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 451 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522902 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 452 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522904 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 453 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522906 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 454 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522908 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 455 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522910 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 456 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522912 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 457 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522914 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 458 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522916 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 459 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522918 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 460 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522920 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 461 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522922 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 462 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522924 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 463 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522926 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 464 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522928 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 465 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522930 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 466 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522932 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 467 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522934 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 468 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522936 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 469 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522938 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 470 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522940 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 471 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522942 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 472 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522944 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 473 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522946 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 474 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522948 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 475 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522950 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 476 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522952 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 477 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522954 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 478 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522956 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 479 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522958 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 480 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522960 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 481 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522962 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 482 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522964 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 483 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522966 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 484 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522968 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 485 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522970 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 486 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522972 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 487 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522974 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 488 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522976 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 489 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522978 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 490 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522980 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 491 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522982 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 492 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522984 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 493 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522986 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 494 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522988 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 495 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522990 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 496 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522992 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 497 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522994 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 498 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522996 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 499 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2522998 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 500 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 2523000 || 1743 || misc-attack || 0 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 501 || url,doc.emergingthreats.net/bin/view/Main/TorRules +1 || 100000102 || 2 || attempted-dos || 0 || GPL GAMES Halocon Denial of Service Empty UDP Packet || bugtraq,12281 +1 || 100000103 || 2 || attempted-dos || 0 || GPL GAMES Breed Game Server Denial of Service Empty UDP Packet || bugtraq,12262 +1 || 100000104 || 2 || attempted-dos || 0 || GPL GAMES Amp II 3D Game Server Denial of Service Empty UDP Packet || bugtraq,12192 +1 || 100000119 || 3 || attempted-admin || 0 || GPL WEB_CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt || bugtraq,7419 || cve,2003-0113 || url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx +1 || 100000136 || 3 || misc-attack || 0 || GPL DELETED GNU imapd search format string attempt || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 || cve,2005-2878 +1 || 100000139 || 3 || web-application-activity || 0 || GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP || cve,2005-2678 +1 || 100000149 || 1 || attempted-recon || 0 || GPL EXPLOIT WEB-MISC Jboss % attempt || bugtraq,13985 || cve,2005-2006 || url,www.osvdb.org/displayvuln.php?osvdb_id=17403 +1 || 100000152 || 3 || protocol-command-decode || 0 || GPL DELETED MDaemon authentication protocol decode +1 || 100000153 || 4 || attempted-admin || 0 || GPL IMAP MDaemon authentication multiple packet overflow attempt || bugtraq,14317 +1 || 100000155 || 3 || attempted-admin || 0 || GPL DELETED MDaemon authentication overflow single packet attempt || bugtraq,14317 +1 || 100000158 || 2 || attempted-dos || 0 || GPL VOIP SIP INVITE message flooding +1 || 100000162 || 2 || attempted-dos || 0 || GPL VOIP SIP 401 Unauthorized Flood +1 || 100000163 || 2 || attempted-dos || 0 || GPL VOIP SIP 407 Proxy Authentication Required Flood +1 || 100000166 || 1 || attempted-user || 0 || GPL SQL ORACLE TNS Listener shutdown via iSQLPlus attempt || bugtraq,15032 || url,www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html +1 || 100000167 || 1 || misc-attack || 0 || GPL SMTP SMTP Hydra Activity Detected || url,www.thc.org/releases.php +1 || 100000172 || 4 || attempted-admin || 0 || GPL MISC NNTP Lynx overflow attempt || cve,2005-3120 || bugtraq,15117 || url,www.osvdb.org/displayvuln.php?osvdb_id=20019 || nessus,20035 +1 || 100000176 || 1 || attempted-dos || 0 || GPL EXPLOIT EXPLOIT HPUX LPD overflow attempt || cve,2005-3277 || bugtraq,15136 +1 || 100000177 || 6 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Linksys apply.cgi overflow attempt || bugtraq,14822 || cve,2005-2799 || nessus,20096 || url,www.osvdb.org/displayvuln.php?osvdb_id=19389 +1 || 100000180 || 1 || attempted-dos || 0 || GPL EXPLOIT EXPLOIT SIP UDP spoof attempt || bugtraq,14174 || cve,2005-2182 || url,www.osvdb.org/displayvuln.php?osvdb_id=17838 +1 || 100000181 || 2 || attempted-dos || 0 || GPL GAMES FlatFrag game dos exploit || bugtraq,15287 || cve,2005-3492 +1 || 100000183 || 3 || web-application-activity || 0 || GPL WEB_SPECIFIC_APPS SAP WAS syscmd access || url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf +1 || 100000184 || 2 || misc-activity || 0 || GPL EXPLOIT WEB-MISC JBoss JMXInvokerServlet access || url,online.securityfocus.com/archive/1/415707 +1 || 100000186 || 3 || successful-recon-limited || 0 || GPL WEB_SERVER WEB-PHP phpinfo access || bugtraq,5789 || cve,2002-1149 || url,www.osvdb.org/displayvuln.php?osvdb_id=3356 +1 || 100000196 || 3 || misc-attack || 0 || GPL DELETED Qualcomm WorldMail SELECT dot dot attempt || cve,2005-3189 || bugtraq,15488 +1 || 100000197 || 3 || misc-activity || 0 || GPL ICMP undefined code +1 || 100000207 || 3 || misc-attack || 0 || GPL IMAP GNU Mailutils imap4d hex attempt || cve,2005-2878 || bugtraq,14794 || nessus,19605 || url,www.osvdb.org/displayvuln.php?osvdb_id=19306 +1 || 100000208 || 1 || policy-violation || 0 || GPL POLICY MISC Tunneling IP over DNS with NSTX || url,nstx.dereference.de/nstx/ || url,slashdot.org/articles/00/09/10/2230242.shtml +1 || 100000222 || 1 || attempted-admin || 0 || GPL TFTP MISC TFTP32 Get Format string attempt || url,www.securityfocus.com/archive/1/422405/30/0/threaded || url,www.critical.lt/?vulnerabilities/200 +1 || 100000223 || 1 || misc-attack || 0 || GPL VOIP EXPLOIT SIP UDP Softphone overflow attempt || bugtraq,16213 || cve,2006-0189 +1 || 100000227 || 2 || attempted-recon || 0 || GPL SNMP SNMP trap Format String detected || bugtraq,16267 || cve,2006-0250 || url,www.osvdb.org/displayvuln.php?osvdb_id=22493 +1 || 100000228 || 3 || attempted-admin || 0 || GPL WEB_CLIENT Winamp PlayList buffer overflow attempt || bugtraq,16410 || cve,2006-0476 || url,www.frsirt.com/english/advisories/2006/0361 +1 || 100000229 || 2 || misc-attack || 0 || GPL EXPLOIT MISC Lotus Domino LDAP attack || bugtraq,16523 || cve,2006-0580 || url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html +1 || 100000230 || 2 || policy-violation || 0 || GPL CHAT MISC Jabber/Google Talk Outgoing Traffic || url,www.google.com/talk/ +1 || 100000231 || 2 || policy-violation || 0 || GPL CHAT Jabber/Google Talk Outgoing Auth || url,www.google.com/talk/ +1 || 100000232 || 3 || policy-violation || 0 || GPL CHAT Google Talk Logon || url,www.google.com/talk/ +1 || 100000233 || 2 || policy-violation || 0 || GPL CHAT Jabber/Google Talk Outoing Message || url,www.google.com/talk/ +1 || 100000234 || 2 || policy-violation || 0 || GPL CHAT Jabber/Google Talk Log Out || url,www.google.com/talk/ +1 || 100000235 || 2 || policy-violation || 0 || GPL CHAT Jabber/Google Talk Logon Success || url,www.google.com/talk/ +1 || 100000236 || 2 || policy-violation || 0 || GPL CHAT Jabber/Google Talk Incoming Message || url,www.google.com/talk/ +1 || 100000284 || 5 || attempted-user || 0 || GPL DELETED RealMedia invalid chunk size heap overflow attempt || bugtraq,17202 || cve,2005-2922 || url,service.real.com/realplayer/security/03162006_player/en/ +1 || 100000356 || 6 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include || url,secunia.com/advisories/20300/ +1 || 100000357 || 5 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include || url,secunia.com/advisories/20300/ +1 || 100000358 || 6 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include || url,secunia.com/advisories/20300/ +1 || 100000428 || 1 || web-application-attack || 0 || GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt || url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2 +1 || 100000429 || 3 || misc-activity || 0 || GPL WEB_SERVER WEB-MISC JBoss web-console access || url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole +1 || 100000447 || 2 || attempted-user || 0 || GPL WEB_CLIENT Mozilla Firefox DOMNodeRemoved attack attempt || bugtraq,18228 || cve,2006-2779 +1 || 100000692 || 3 || misc-activity || 0 || GPL WEB_CLIENT midi file download attempt || bugtraq,18507 +1 || 100000693 || 3 || attempted-user || 0 || GPL WEB_CLIENT Winamp midi file header overflow attempt || bugtraq,18507 +1 || 100000728 || 6 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include || bugtraq,18740 +1 || 100000729 || 5 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include || bugtraq,18740 +1 || 100000730 || 5 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include || bugtraq,18740 +1 || 100000731 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include || bugtraq,18740 +1 || 100000732 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog EditIPofURL.Admin.class.php remote file include || bugtraq,18740 +1 || 100000733 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog MTBlackList.Examine.class.php remote file include || bugtraq,18740 +1 || 100000734 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include || bugtraq,18740 +1 || 100000735 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog MailAdmin.Action.class.php remote file include || bugtraq,18740 +1 || 100000736 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog MassDelTrackback.Admin.class.php remote file include || bugtraq,18740 +1 || 100000737 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog EditHeader.Admin.class.php remote file include || bugtraq,18740 +1 || 100000738 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog EditIP.Admin.class.php remote file include || bugtraq,18740 +1 || 100000739 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog IPofUrl.Examine.class.php remote file include || bugtraq,18740 +1 || 100000740 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog Import.Admin.class.php remote file include || bugtraq,18740 +1 || 100000741 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog LogView.Admin.class.php remote file include || bugtraq,18740 +1 || 100000742 || 3 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include || bugtraq,18740 +1 || 100000864 || 5 || web-application-attack || 0 || GPL ACTIVEX WEB-CLIENT tsuserex.dll COM Object Instantiation Vulnerability || url,www.xsec.org/index.php?module=Releases&act=view&type=1&id=14 +1 || 100000876 || 3 || policy-violation || 0 || GPL CHAT Google Talk Version Check +1 || 100000877 || 2 || policy-violation || 0 || GPL CHAT Google Talk Startup +1 || 100000892 || 2 || attempted-dos || 0 || GPL VOIP Q.931 Invalid Call Reference Length Buffer Overflow || url,www.ethereal.com/news/item_20050504_01.html || url,www.elook.org/internet/126.html +1 || 100000908 || 2 || web-application-attack || 0 || GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include || url,www.securityfocus.com/bid/20281/info diff --git a/tests/sid-msg.map b/tests/sid-msg.map new file mode 100644 index 0000000..1c6ad36 --- /dev/null +++ b/tests/sid-msg.map @@ -0,0 +1,122 @@ +648 || GPL SHELLCODE x86 NOOP || arachnids,181 +653 || GPL SHELLCODE x86 0x90 unicode NOOP +1266 || GPL RPC portmap mountd request TCP || arachnids,13 +1429 || GPL DELETED poll.gotomypc.com access || url,www.gotomypc.com/help2.tmpl +2351 || GPL NETBIOS DCERPC ISystemActivator path overflow attempt little endian unicode || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || nessus,11808 || cve,2003-0352 || bugtraq,8205 +2352 || GPL NETBIOS DCERPC ISystemActivator path overflow attempt big endian unicode || url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx || nessus,11808 || cve,2003-0352 || bugtraq,8205 +2492 || GPL NETBIOS SMB DCERPC ISystemActivator bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || nessus,12206 || cve,2003-0813 || bugtraq,8811 +2493 || GPL NETBIOS SMB DCERPC ISystemActivator unicode bind attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || nessus,12206 || cve,2003-0813 || bugtraq,8811 +2494 || GPL NETBIOS DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || nessus,12206 || cve,2003-0813 || bugtraq,8811 +2495 || GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || nessus,12206 || cve,2003-0813 || bugtraq,8811 +2873 || GPL DELETED sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html +2952 || GPL NETBIOS SMB IPC$ andx share access +2953 || GPL NETBIOS SMB IPC$ unicode andx share access +2972 || GPL NETBIOS SMB D$ andx share access +2973 || GPL NETBIOS SMB D$ unicode andx share access +2976 || GPL NETBIOS SMB C$ andx share access +2977 || GPL NETBIOS SMB C$ unicode andx share access +2980 || GPL NETBIOS SMB ADMIN$ andx share access +2981 || GPL NETBIOS SMB ADMIN$ unicode andx share access +2000005 || ET EXPLOIT Cisco Telnet Buffer Overflow || url,doc.emergingthreats.net/bin/view/Main/2000005 || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml +2000006 || ET DOS Cisco Router HTTP DoS || url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml +2000007 || ET EXPLOIT Catalyst SSH protocol mismatch || url,doc.emergingthreats.net/bin/view/Main/2000007 || url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml +2000009 || ET DELETED Cisco IOS HTTP DoS || url,doc.emergingthreats.net/bin/view/Main/2000009 || url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml +2000010 || ET DOS Cisco 514 UDP flood DoS || url,doc.emergingthreats.net/bin/view/Main/2000010 || url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml +2000011 || ET DOS Catalyst memory leak attack || url,doc.emergingthreats.net/bin/view/Main/2000011 || url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml +2000012 || ET DELETED Cisco %u IDS evasion || url,doc.emergingthreats.net/bin/view/Main/2000012 +2000013 || ET DELETED Cisco IOS HTTP server DoS || url,doc.emergingthreats.net/bin/view/Main/2000013 +2000015 || ET P2P Phatbot Control Connection || url,doc.emergingthreats.net/bin/view/Main/2000015 || url,www.lurhq.com/phatbot.html +2000016 || ET DOS SSL Bomb DoS Attempt || url,doc.emergingthreats.net/bin/view/Main/2000016 || url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx || cve,CAN-2004-0120 +2000017 || ET NETBIOS NII Microsoft ASN.1 Library Buffer Overflow Exploit || url,doc.emergingthreats.net/bin/view/Main/2000017 || url,www.microsoft.com/technet/security/bulletin/ms04-007.asp +2000024 || ET DELETED rcprograms || url,doc.emergingthreats.net/bin/view/Main/2000024 || url,sarc.com/avcenter/venc/data/adware.rcprograms.html +2000025 || ET MALWARE Gator Cookie || url,doc.emergingthreats.net/bin/view/Main/2000025 || url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999 +2000026 || ET USER_AGENTS Gator Agent Traffic || url,doc.emergingthreats.net/2000026 +2000031 || ET EXPLOIT CVS server heap overflow attempt (target BSD) || url,doc.emergingthreats.net/bin/view/Main/2000031 +2000032 || ET NETBIOS LSA exploit || url,doc.emergingthreats.net/bin/view/Main/2000032 || url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html || url,www.eeye.com/html/research/advisories/AD20040501.html +2000033 || ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) || cve,2003-0533 || url,doc.emergingthreats.net/bin/view/Main/2000033 +2000035 || ET POLICY Hotmail Inbox Access || url,doc.emergingthreats.net/2000035 +2000036 || ET POLICY Hotmail Message Access || url,doc.emergingthreats.net/2000036 +2000037 || ET POLICY Hotmail Compose Message Access || url,doc.emergingthreats.net/2000037 +2000038 || ET POLICY Hotmail Compose Message Submit || url,doc.emergingthreats.net/2000038 +2000039 || ET POLICY Hotmail Compose Message Submit Data || url,doc.emergingthreats.net/2000039 +2000040 || ET WORM Sasser FTP Traffic || url,doc.emergingthreats.net/2000040 || url,vil.mcafeesecurity.com/vil/content/Print125009.htm +2000041 || ET POLICY Yahoo Mail Inbox View || url,doc.emergingthreats.net/2000041 +2000042 || ET POLICY Yahoo Mail Message View || url,doc.emergingthreats.net/2000042 +2000043 || ET POLICY Yahoo Mail Message Compose Open || url,doc.emergingthreats.net/2000043 +2000044 || ET POLICY Yahoo Mail Message Send || url,doc.emergingthreats.net/2000044 +2000045 || ET DELETED Yahoo Mail Message Send Info Capture || url,doc.emergingthreats.net/2000045 +2000046 || ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) || cve,2003-0533 || url,doc.emergingthreats.net/bin/view/Main/2000046 +2000047 || ET WORM Sasser Transfer _up.exe || url,doc.emergingthreats.net/2000047 || url,vil.mcafeesecurity.com/vil/content/Print125009.htm +2000048 || ET EXPLOIT CVS server heap overflow attempt (target Linux) || url,doc.emergingthreats.net/bin/view/Main/2000048 +2000049 || ET EXPLOIT CVS server heap overflow attempt (target Solaris) || url,doc.emergingthreats.net/bin/view/Main/2000049 +2000105 || ET WEB_SERVER SQL sp_password attempt || url,doc.emergingthreats.net/2000105 +2000106 || ET WEB_SERVER SQL sp_delete_alert attempt || url,doc.emergingthreats.net/2000106 +2000306 || ET DELETED Virtumonde Spyware siae3123.exe GET || url,doc.emergingthreats.net/bin/view/Main/2000306 || url,sarc.com/avcenter/venc/data/adware.virtumonde.html +2000307 || ET DELETED Virtumonde Spyware siae3123.exe GET (8081) || url,doc.emergingthreats.net/bin/view/Main/2000307 || url,sarc.com/avcenter/venc/data/adware.virtumonde.html +2000308 || ET DELETED Virtumonde Spyware Information Post || url,doc.emergingthreats.net/bin/view/Main/2000308 || url,sarc.com/avcenter/venc/data/adware.virtumonde.html +2000309 || ET DELETED GotoMyPC Polling Client || url,doc.emergingthreats.net/2000309 +2000327 || ET DELETED Spyware 2020 || url,doc.emergingthreats.net/bin/view/Main/2000327 || url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html +2000328 || ET POLICY Outbound Multiple Non-SMTP Server Emails || url,doc.emergingthreats.net/2000328 +2000330 || ET P2P ed2k connection to server || url,doc.emergingthreats.net/bin/view/Main/2000330 || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf +2000332 || ET P2P ed2k request part || url,doc.emergingthreats.net/bin/view/Main/2000332 || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf +2000333 || ET P2P ed2k file request answer || url,doc.emergingthreats.net/bin/view/Main/2000333 || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf +2000334 || ET P2P BitTorrent peer sync || url,doc.emergingthreats.net/bin/view/Main/2000334 || url,bitconjurer.org/BitTorrent/protocol.html +2000335 || ET P2P Overnet (Edonkey) Server Announce || url,doc.emergingthreats.net/bin/view/Main/2000335 || url,www.overnet.com +2000336 || ET DELETED Yesadvertising Banking Spyware RETRIEVE || url,doc.emergingthreats.net/bin/view/Main/2000336 || url,isc.sans.org/presentations/banking_malware.pdf +2000337 || ET DELETED Yesadvertising Banking Spyware INFORMATION SUBMIT || url,doc.emergingthreats.net/bin/view/Main/2000337 || url,isc.sans.org/presentations/banking_malware.pdf +2000338 || ET P2P iroffer IRC Bot help message || url,doc.emergingthreats.net/bin/view/Main/2000338 || url,iroffer.org +2000339 || ET P2P iroffer IRC Bot offered files advertisement || url,doc.emergingthreats.net/bin/view/Main/2000339 || url,iroffer.org +2000340 || ET P2P Kaaza Media desktop p2pnetworking.exe Activity || url,doc.emergingthreats.net/bin/view/Main/2000340 || url,www.giac.org/practical/GCIH/Ian_Gosling_GCIH.pdf +2000341 || ET POLICY Yahoo Mail General Page View || url,doc.emergingthreats.net/2000341 +2000342 || ET EXPLOIT Squid NTLM Auth Overflow Exploit || url,doc.emergingthreats.net/bin/view/Main/2000342 || cve,CAN-2004-0541 || url,www.idefense.com/application/poi/display?id=107 +2000345 || ET TROJAN IRC Nick change on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000345 +2000346 || ET DELETED IRC Name response on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000346 +2000347 || ET TROJAN IRC Private message on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000347 +2000348 || ET TROJAN IRC Channel JOIN on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000348 +2000349 || ET TROJAN IRC DCC file transfer request on non-std port || url,doc.emergingthreats.net/bin/view/Main/2000349 +2000350 || ET TROJAN IRC DCC chat request on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000350 +2000351 || ET TROJAN IRC Channel join on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000351 +2000352 || ET TROJAN IRC DNS request on non-standard port || url,doc.emergingthreats.net/bin/view/Main/2000352 +2000355 || ET CHAT IRC authorization message || url,doc.emergingthreats.net/2000355 +2000356 || ET POLICY IRC connection || url,doc.emergingthreats.net/2000356 +2000357 || ET P2P BitTorrent Traffic || url,doc.emergingthreats.net/bin/view/Main/2000357 || url,bitconjurer.org/BitTorrent/protocol.html +2000366 || ET MALWARE Binet (download complete) || url,doc.emergingthreats.net/bin/view/Main/2000366 || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html +2000367 || ET MALWARE Binet (set_pix) || url,doc.emergingthreats.net/bin/view/Main/2000367 || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html +2000369 || ET P2P BitTorrent Announce || url,doc.emergingthreats.net/bin/view/Main/2000369 || url,bitconjurer.org/BitTorrent/protocol.html +2000371 || ET MALWARE Binet (randreco.exe) || url,doc.emergingthreats.net/bin/view/Main/2000371 || url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html +2000372 || ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment || url,doc.emergingthreats.net/bin/view/Main/2000372 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf +2000373 || ET EXPLOIT MS-SQL SQL Injection line comment || url,doc.emergingthreats.net/bin/view/Main/2000373 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf +2000377 || ET EXPLOIT MS-SQL heap overflow attempt || url,doc.emergingthreats.net/bin/view/Main/2000377 || url,www.nextgenss.com/papers/tp-SQL2000.pdf +2000378 || ET EXPLOIT MS-SQL DOS attempt (08) || url,doc.emergingthreats.net/bin/view/Main/2000378 || url,www.nextgenss.com/papers/tp-SQL2000.pdf +2000379 || ET EXPLOIT MS-SQL DOS attempt (08) 1 byte || url,doc.emergingthreats.net/bin/view/Main/2000379 || url,www.nextgenss.com/papers/tp-SQL2000.pdf +2000380 || ET EXPLOIT MS-SQL Spike buffer overflow || url,doc.emergingthreats.net/bin/view/Main/2000380 || bugtraq,5411 +2000381 || ET EXPLOIT MS-SQL DOS bouncing packets || url,doc.emergingthreats.net/bin/view/Main/2000381 || url,www.nextgenss.com/papers/tp-SQL2000.pdf +2000418 || ET POLICY Executable and linking format (ELF) file download || url,doc.emergingthreats.net/bin/view/Main/2000418 || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm +2000419 || ET POLICY PE EXE or DLL Windows file download || url,doc.emergingthreats.net/bin/view/Main/2000419 +2000420 || ET POLICY REG files version 4 download || url,doc.emergingthreats.net/bin/view/Main/2000420 || url,www.ss64.com/nt/regedit.html +2000421 || ET POLICY REG files version 5 download || url,doc.emergingthreats.net/bin/view/Main/2000421 || url,www.ss64.com/nt/regedit.html +2000422 || ET POLICY REG files version 5 Unicode download || url,doc.emergingthreats.net/bin/view/Main/2000422 || url,www.ss64.com/nt/regedit.html +2000423 || ET DELETED NE EXE OS2 file download || url,doc.emergingthreats.net/bin/view/Main/2000423 || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm +2000424 || ET DELETED LX EXE OS2 file download || url,doc.emergingthreats.net/bin/view/Main/2000424 || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm +2000425 || ET DELETED NE EXE Windows 3.x file download || url,doc.emergingthreats.net/bin/view/Main/2000425 || url,www.itee.uq.edu.au/~cristina/students/david/honoursThesis96/bff.htm +2000426 || ET POLICY EXE compressed PKWARE Windows file download || url,doc.emergingthreats.net/bin/view/Main/2000426 || url,www.program-transformation.org/Transform/PcExeFormat +2000427 || ET DELETED PE EXE Install Windows file download || url,doc.emergingthreats.net/bin/view/Main/2000427 || url,www.program-transformation.org/Transform/PcExeFormat +2000428 || ET POLICY ZIP file download || url,doc.emergingthreats.net/bin/view/Main/2000428 || url,zziplib.sourceforge.net/zzip-parse.print.html +2000429 || ET POLICY Download Windows Help File CHM 2 || url,doc.emergingthreats.net/bin/view/Main/2000429 || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html +2000466 || ET MALWARE User-Agent (iexplore) || url,doc.emergingthreats.net/2000466 +2000488 || ET EXPLOIT MS-SQL SQL Injection closing string plus line comment || url,doc.emergingthreats.net/bin/view/Main/2000488 || url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html || url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf +2000489 || ET POLICY Download Windows Help File CHM || url,doc.emergingthreats.net/bin/view/Main/2000489 || url,www.securiteam.com/windowsntfocus/6V00N000AU.html || url,www.speakeasy.org/~russotto/chm/chmformat.html +2000499 || ET ATTACK_RESPONSE FTP inaccessible directory access COM1 || url,doc.emergingthreats.net/bin/view/Main/2000499 +2000500 || ET ATTACK_RESPONSE FTP inaccessible directory access COM2 || url,doc.emergingthreats.net/bin/view/Main/2000500 +2000501 || ET ATTACK_RESPONSE FTP inaccessible directory access COM3 || url,doc.emergingthreats.net/bin/view/Main/2000501 +2000502 || ET ATTACK_RESPONSE FTP inaccessible directory access COM4 || url,doc.emergingthreats.net/bin/view/Main/2000502 +2000503 || ET ATTACK_RESPONSE FTP inaccessible directory access LPT1 || url,doc.emergingthreats.net/bin/view/Main/2000503 +2000504 || ET ATTACK_RESPONSE FTP inaccessible directory access LPT2 || url,doc.emergingthreats.net/bin/view/Main/2000504 +2000505 || ET ATTACK_RESPONSE FTP inaccessible directory access LPT3 || url,doc.emergingthreats.net/bin/view/Main/2000505 +2000506 || ET ATTACK_RESPONSE FTP inaccessible directory access LPT4 || url,doc.emergingthreats.net/bin/view/Main/2000506 +2000507 || ET ATTACK_RESPONSE FTP inaccessible directory access AUX || url,doc.emergingthreats.net/bin/view/Main/2000507 +2000508 || ET ATTACK_RESPONSE FTP inaccessible directory access NULL || url,doc.emergingthreats.net/bin/view/Main/2000508 +2000514 || ET MALWARE IE homepage hijacking || url,doc.emergingthreats.net/bin/view/Main/2000514 || url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm +2000519 || ET MALWARE shell browser vulnerability W9x/XP || url,doc.emergingthreats.net/bin/view/Main/2000519 || url,www.packetfocus.com/shell_exploit.htm +2000520 || ET MALWARE shell browser vulnerability NT/2K || url,doc.emergingthreats.net/bin/view/Main/2000520 || url,www.packetfocus.com/shell_exploit.htm +71918985 || SN: Inbound TCP traffic from suspect network (AS29073 - NL) || url,https://suspect-networks.io/networks/cidr/13/ diff --git a/tests/suricata-test-rules.zip b/tests/suricata-test-rules.zip Binary files differnew file mode 100644 index 0000000..4f834f8 --- /dev/null +++ b/tests/suricata-test-rules.zip diff --git a/tests/test_classificationmap.py b/tests/test_classificationmap.py new file mode 100644 index 0000000..fb3d205 --- /dev/null +++ b/tests/test_classificationmap.py @@ -0,0 +1,46 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import unittest + +from suricata.update.maps import ClassificationMap + +class ClassificationMapTestCase(unittest.TestCase): + + test_filename = "tests/classification1.config" + + def test_load_from_file(self): + m = ClassificationMap(open(self.test_filename)) + + # Classifications are indexed at 1. + self.assertEqual(None, m.get(0)) + + c = m.get(1) + self.assertEqual("not-suspicious", c["name"]) + self.assertEqual("Not Suspicious Traffic", c["description"]) + self.assertEqual(3, c["priority"]) + + c = m.get(34) + self.assertEqual("default-login-attempt", c["name"]) + self.assertEqual("Attempt to login by a default username and password", + c["description"]) + self.assertEqual(2, c["priority"]) + + c = m.get_by_name("unknown") + self.assertTrue(c is not None) + self.assertEqual("unknown", c["name"]) + self.assertEqual("Unknown Traffic", c["description"]) + self.assertEqual(3, c["priority"]) diff --git a/tests/test_main.py b/tests/test_main.py new file mode 100644 index 0000000..919b88b --- /dev/null +++ b/tests/test_main.py @@ -0,0 +1,279 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2015 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import io +import unittest + +import suricata.update.rule +from suricata.update import main +import suricata.update.extract +from suricata.update import matchers as matchers_mod + +class TestRulecat(unittest.TestCase): + + def test_extract_tar(self): + files = suricata.update.extract.extract_tar( + "tests/emerging.rules.tar.gz") + self.assertTrue(len(files) > 0) + + def test_extract_zip(self): + files = suricata.update.extract.extract_zip( + "tests/emerging.rules.zip") + self.assertTrue(len(files) > 0) + + def test_try_extract(self): + files = suricata.update.extract.try_extract( + "tests/emerging.rules.zip") + self.assertTrue(len(files) > 0) + + files = suricata.update.extract.try_extract( + "tests/emerging.rules.tar.gz") + self.assertTrue(len(files) > 0) + + files = suricata.update.extract.try_extract( + "tests/emerging-current_events.rules") + self.assertIsNone(files) + +class TestFetch(unittest.TestCase): + + def test_check_checksum(self): + """Test that we detect when the checksum are the same. This is mainly + to catch issues between Python 2 and 3. + """ + fetch = main.Fetch() + url = "file://%s/emerging.rules.tar.gz" % ( + os.path.dirname(os.path.realpath(__file__))) + local_file = "%s/emerging.rules.tar.gz" % ( + os.path.dirname(os.path.realpath(__file__))) + + # The URL passed to check_checksum is actually a tuple: + # (url, custom-header, has checksum url) + net_arg = (url, None, True) + + r = fetch.check_checksum(local_file, net_arg) + self.assertTrue(r) + +class ThresholdProcessorTestCase(unittest.TestCase): + + processor = main.ThresholdProcessor() + + def test_extract_regex(self): + processor = main.ThresholdProcessor() + + line = "suppress re:java" + self.assertEqual("java", processor.extract_regex(line)) + + line = 'suppress re:"vulnerable java version"' + self.assertEqual( + "vulnerable java version", processor.extract_regex(line)) + + line = "suppress re:java, track <by_src|by_dst>, ip <ip|subnet>" + self.assertEqual("java", processor.extract_regex(line)) + + line = 'suppress re:"vulnerable java version", track <by_src|by_dst>, ip <ip|subnet>' + self.assertEqual( + "vulnerable java version", processor.extract_regex(line)) + + line = 'threshold re:"vulnerable java version", type threshold, track by_dst, count 1, seconds 10' + self.assertEqual( + "vulnerable java version", processor.extract_regex(line)) + + def test_replace(self): + rule_string = """alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + rule = suricata.update.rule.parse(rule_string) + + line = "suppress re:windows" + self.assertEqual( + "suppress gen_id 1, sig_id 2020757", + self.processor.replace(line, rule)) + + bad_line = "nothing to match" + self.assertEqual( + "nothing to match", + self.processor.replace(bad_line, rule) + ) + + line = 'threshold re:"ET MALWARE Windows", type threshold, ' \ + 'track by_dst, count 1, seconds 10' + self.assertEqual("threshold gen_id 1, sig_id 2020757, type threshold, track by_dst, count 1, seconds 10", self.processor.replace(line, rule)) + + line = 'threshold re:malware, type threshold, track by_dst, count 1, ' \ + 'seconds 10' + self.assertEqual( + "threshold gen_id 1, sig_id 2020757, type threshold, " + "track by_dst, count 1, seconds 10", + self.processor.replace(line, rule)) + +class ModifyRuleFilterTestCase(unittest.TestCase): + + rule_string = """alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + + def test_id_match(self): + rule0 = suricata.update.rule.parse(self.rule_string) + line = r'2020757 "\|0d 0a\|" "|ff ff|"' + rule_filter = matchers_mod.ModifyRuleFilter.parse(line) + self.assertTrue(rule_filter != None) + self.assertTrue(rule_filter.match(rule0)) + rule1 = rule_filter.run(rule0) + self.assertEqual( + str(rule1), + """alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|ff ff|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""") + + def test_re_match(self): + rule0 = suricata.update.rule.parse(self.rule_string) + line = r're:classtype:trojan-activity "\|0d 0a\|" "|ff ff|"' + rule_filter = matchers_mod.ModifyRuleFilter.parse(line) + self.assertTrue(rule_filter != None) + self.assertTrue(rule_filter.match(rule0)) + rule1 = rule_filter.run(rule0) + self.assertEqual( + str(rule1), + """alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|ff ff|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""") + + def test_re_backref_one(self): + rule0 = suricata.update.rule.parse(self.rule_string) + line = 're:classtype:trojan-activity "(alert)(.*)" "drop\\2"' + rule_filter = matchers_mod.ModifyRuleFilter.parse(line) + self.assertTrue(rule_filter != None) + self.assertTrue(rule_filter.match(rule0)) + rule1 = rule_filter.run(rule0) + expected = """drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + self.assertEqual(str(rule1), expected) + + def test_re_backref_two(self): + rule0 = suricata.update.rule.parse(self.rule_string) + line = 're:classtype:trojan-activity "(alert)(.*)(from_server)(.*)" "drop\\2to_client\\4"' + rule_filter = matchers_mod.ModifyRuleFilter.parse(line) + self.assertTrue(rule_filter != None) + self.assertTrue(rule_filter.match(rule0)) + rule1 = rule_filter.run(rule0) + expected = """drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,to_client; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + self.assertEqual(str(rule1), expected) + + def test_drop_to_alert(self): + rule_in = suricata.update.rule.parse(self.rule_string) + self.assertIsNotNone(rule_in) + + f = matchers_mod.ModifyRuleFilter.parse( + 'group:emerging-trojan.rules "^alert" "drop"') + self.assertIsNotNone(f) + + rule_out = f.run(rule_in) + self.assertTrue(rule_out.format().startswith("drop")) + + def test_oinkmaster_backticks(self): + f = matchers_mod.ModifyRuleFilter.parse( + '* "^drop(.*)noalert(.*)" "alert${1}noalert${2}"') + rule_in ="""drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,to_client; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; noalert; classtype:trojan-activity; sid:2020757; rev:2;)""" + rule_out = f.run(suricata.update.rule.parse(rule_in)) + self.assertEqual("""alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,to_client; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; noalert; classtype:trojan-activity; sid:2020757; rev:2;)""", rule_out.format()) + + def test_oinkmaster_backticks_not_noalert(self): + f = matchers_mod.ModifyRuleFilter.parse( + 'modifysid * "^drop(.*)noalert(.*)" | "alert${1}noalert${2}"') + rule_in ="""drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,to_client; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + rule_out = f.run(suricata.update.rule.parse(rule_in)) + self.assertEqual(rule_in, rule_out.format()) + + def test_oinkmaster_modify_group_name(self): + """Test an Oinkmaster style modification line using a group name.""" + f = matchers_mod.ModifyRuleFilter.parse( + 'modifysid botcc.rules "^alert" | "drop"') + rule_in ="""alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,to_client; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + rule = suricata.update.rule.parse(rule_in, "rules/botcc.rules") + rule_out = f.run(rule) + self.assertTrue(rule_out.format().startswith("drop")) + +class DropRuleFilterTestCase(unittest.TestCase): + + rule_string = """alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + + def test_enabled_rule(self): + rule0 = suricata.update.rule.parse(self.rule_string, "rules/malware.rules") + id_matcher = matchers_mod.IdRuleMatcher.parse("2020757") + self.assertTrue(id_matcher.match(rule0)) + + drop_filter = matchers_mod.DropRuleFilter(id_matcher) + rule1 = drop_filter.run(rule0) + self.assertEqual("drop", rule1.action) + self.assertTrue(rule1.enabled) + self.assertTrue(str(rule1).startswith("drop")) + + def test_disabled_rule(self): + rule0 = suricata.update.rule.parse( + "# " + self.rule_string, "rules/malware.rules") + id_matcher = matchers_mod.IdRuleMatcher.parse("2020757") + self.assertTrue(id_matcher.match(rule0)) + + drop_filter = matchers_mod.DropRuleFilter(id_matcher) + rule1 = drop_filter.run(rule0) + self.assertEqual("drop", rule1.action) + self.assertFalse(rule1.enabled) + self.assertTrue(str(rule1).startswith("# drop")) + + def test_drop_noalert(self): + """ Test the rules with "noalert" are not marked as drop. """ + + rule_without_noalert = """alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)""" + + rule_with_noalert = """alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;)""" + + rule = suricata.update.rule.parse(rule_without_noalert) + matcher = matchers_mod.IdRuleMatcher.parse("2016659") + rule_filter = matchers_mod.DropRuleFilter(matcher) + self.assertTrue(rule_filter.match(rule)) + + rule = suricata.update.rule.parse(rule_with_noalert) + matcher = matchers_mod.IdRuleMatcher.parse("2016659") + rule_filter = matchers_mod.DropRuleFilter(matcher) + self.assertFalse(rule_filter.match(rule)) + + +class DummySuriConf(dict): + def __getattr__(self, val): + return self[val] + + +class ClassificationConfigMergeTestCase(unittest.TestCase): + test_fname1 = "tests/classification1.config" + test_fname2 = "tests/classification2.config" + + def test_merge_classification_files(self): + """ Test if the two files get merged properly and priority is maintained""" + suriconf = DummySuriConf() + suriconf["build_info"] = {} + with open(self.test_fname1) as fp: + test_file1 = fp.read() + with open(self.test_fname2) as fp: + test_file2 = fp.read() + files = [("test_file1", test_file1.encode()), + ("test_file2", test_file2.encode())] + cdict = main.load_classification(suriconf, files) + + # Number of classifications in classification1.config: 42 + # Number of classifications in classification2.config: 44 (2 new) + self.assertEqual(44, len(cdict)) + + # classification1.config: + # config classification: misc-attack,Misc Attack,2 + # + # classification2.config: + # config classification: misc-attack,Misc Attack,5 + self.assertEqual("5", cdict["misc-attack"][1]) diff --git a/tests/test_matchers.py b/tests/test_matchers.py new file mode 100644 index 0000000..ad64a54 --- /dev/null +++ b/tests/test_matchers.py @@ -0,0 +1,135 @@ +# Copyright (C) 2018 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import io +import unittest + +import suricata.update.rule +from suricata.update import main +import suricata.update.extract +from suricata.update import matchers as matchers_mod + +class GroupMatcherTestCase(unittest.TestCase): + + rule_string = """alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + + def test_match(self): + rule = suricata.update.rule.parse(self.rule_string, "rules/malware.rules") + matcher = matchers_mod.parse_rule_match("group: malware.rules") + self.assertEqual( + matcher.__class__, matchers_mod.GroupMatcher) + self.assertTrue(matcher.match(rule)) + + # Test match of just the group basename. + matcher = matchers_mod.parse_rule_match("group: malware") + self.assertEqual( + matcher.__class__, matchers_mod.GroupMatcher) + self.assertTrue(matcher.match(rule)) + +class FilenameMatcherTestCase(unittest.TestCase): + + rule_string = """alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image 2"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|MZ"; fast_pattern:12,20; classtype:trojan-activity; sid:2020757; rev:2;)""" + + def test_match(self): + rule = suricata.update.rule.parse(self.rule_string, "rules/trojan.rules") + matcher = matchers_mod.parse_rule_match("filename: */trojan.rules") + self.assertEqual( + matcher.__class__, matchers_mod.FilenameMatcher) + self.assertTrue(matcher.match(rule)) + +class LoadMatchersTestCase(unittest.TestCase): + + def test_trailing_comment(self): + """Test loading matchers with a trailing comment.""" + matchers = main.parse_matchers(io.StringIO(u"""filename: */trojan.rules +re:.# This is a comment* +1:100 # Trailing comment. +""")) + self.assertEqual( + matchers[0].__class__, matchers_mod.FilenameMatcher) + self.assertEqual( + matchers[1].__class__, matchers_mod.ReRuleMatcher) + self.assertEqual( + matchers[2].__class__, matchers_mod.IdRuleMatcher) + +class IdRuleMatcherTestCase(unittest.TestCase): + + def test_parse_single_sid(self): + matcher = matchers_mod.IdRuleMatcher.parse("123") + self.assertIsNotNone(matcher) + self.assertEqual(1, len(matcher.signatureIds)) + + def test_parse_single_gidsid(self): + matcher = matchers_mod.IdRuleMatcher.parse("1:123") + self.assertIsNotNone(matcher) + self.assertEqual(1, len(matcher.signatureIds)) + + def test_parse_multi_sid(self): + matcher = matchers_mod.IdRuleMatcher.parse("1,2,3") + self.assertIsNotNone(matcher) + self.assertEqual(3, len(matcher.signatureIds)) + + def test_parse_multi_gidsid(self): + matcher = matchers_mod.IdRuleMatcher.parse("1:1000,2:2000, 3:3000, 4:4000") + self.assertIsNotNone(matcher) + self.assertEqual(4, len(matcher.signatureIds)) + + def test_parse_multi_mixed(self): + matcher = matchers_mod.IdRuleMatcher.parse("1:1000, 2000, 3:3000, 4000") + self.assertIsNotNone(matcher) + self.assertEqual(4, len(matcher.signatureIds)) + + def test_parse_invalid(self): + matcher = matchers_mod.IdRuleMatcher.parse("a") + self.assertIsNone(matcher) + + matcher = matchers_mod.IdRuleMatcher.parse("1, a") + self.assertIsNone(matcher) + + matcher = matchers_mod.IdRuleMatcher.parse("1a") + self.assertIsNone(matcher) + + matcher = matchers_mod.IdRuleMatcher.parse("1:a") + self.assertIsNone(matcher) + +class MetadataAddTestCase(unittest.TestCase): + + def test_metadata_add(self): + rule_string = 'alert tcp any any -> any any (msg:"SURICATA STREAM Packet is retransmission"; stream-event:pkt_retransmission; flowint:tcp.retransmission.count,+,1; noalert; classtype:protocol-command-decode; sid:2210053; rev:1;)' + rule = suricata.update.rule.parse(rule_string) + text = 'metadata-add re:"SURICATA STREAM" "evebox.action" "archive"' + metadata_filter = matchers_mod.AddMetadataFilter.parse(text) + self.assertTrue(metadata_filter.match(rule)) + new_rule = metadata_filter.run(rule) + self.assertIsNotNone(new_rule) + self.assertTrue(new_rule.format().find("evebox.action") > -1) + +class MetadataMatchTestCase(unittest.TestCase): + + def test_match_metadata(self): + """ + Looking for: deployment Perimeter + """ + rule_string = b"""alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS PHPStudy Remote Code Execution Backdoor"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Accept-Charset|3a 20|"; fast_pattern; nocase; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\\x0d\\x0a/R"; reference:url,www.cnblogs.com/-qing-/p/11575622.html; reference:url,www.uedbox.com/post/59265/; classtype:attempted-admin; sid:2028629; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Significant, signature_severity Major, updated_at 2019_09_25;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertIsNotNone(rule) + filter_string = "metadata: deployment perimeter" + metadata_filter = matchers_mod.MetadataRuleMatch.parse(filter_string) + self.assertIsNotNone(metadata_filter) + self.assertTrue(metadata_filter.match(rule)) diff --git a/tests/test_net.py b/tests/test_net.py new file mode 100644 index 0000000..ae5728c --- /dev/null +++ b/tests/test_net.py @@ -0,0 +1,31 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import os +import unittest +import io + +from suricata.update import net + +class GetTestCase(unittest.TestCase): + + def test_get0(self): + buf = io.BytesIO() + bytes_read, info = net.get("file:///%s/Makefile" % (os.getcwd()), buf) + self.assertTrue(b"clean" in buf.getvalue()) diff --git a/tests/test_rule.py b/tests/test_rule.py new file mode 100644 index 0000000..c5808d8 --- /dev/null +++ b/tests/test_rule.py @@ -0,0 +1,256 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2011-2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import sys +import unittest +import io +import tempfile + +import suricata.update.rule +import suricata.update.main + +class RuleTestCase(unittest.TestCase): + + def test_parse1(self): + # Some mods have been made to this rule (flowbits) for the + # purpose of testing. + rule = suricata.update.rule.parse("""alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; flowbits:isset,somebit; flowbits:unset,otherbit; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:1;)""") + self.assertEqual(rule.enabled, True) + self.assertEqual(rule.action, "alert") + self.assertEqual(rule.direction, "->") + self.assertEqual(rule.sid, 2014929) + self.assertEqual(rule.rev, 1) + self.assertEqual(rule.msg, "ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip") + self.assertEqual(len(rule.metadata), 2) + self.assertEqual(rule.metadata[0], "stage") + self.assertEqual(rule.metadata[1], "hostile_download") + self.assertEqual(len(rule.flowbits), 2) + self.assertEqual(rule.flowbits[0], "isset,somebit") + self.assertEqual(rule.flowbits[1], "unset,otherbit") + self.assertEqual(rule.classtype, "trojan-activity") + + def test_disable_rule(self): + rule_buf = """# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message"; sid:1;)""" + rule = suricata.update.rule.parse(rule_buf) + self.assertFalse(rule.enabled) + self.assertEqual(rule.raw, """alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message"; sid:1;)""") + self.assertEqual(str(rule), rule_buf) + + def test_parse_rule_double_commented(self): + rule_buf = """## alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message"; sid:1;)""" + rule = suricata.update.rule.parse(rule_buf) + self.assertFalse(rule.enabled) + self.assertEqual(rule.raw, """alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message"; sid:1;)""") + + def test_parse_rule_comments_and_spaces(self): + rule_buf = """## #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message"; sid:1;)""" + rule = suricata.update.rule.parse(rule_buf) + self.assertFalse(rule.enabled) + self.assertEqual(rule.raw, """alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message"; sid:1;)""") + + def test_toggle_rule(self): + rule_buf = """# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message"; sid:1;)""" + rule = suricata.update.rule.parse(rule_buf) + self.assertFalse(rule.enabled) + rule.enabled = True + self.assertEqual(str(rule), """alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message"; sid:1;)""") + + def test_parse_fileobj(self): + rule_buf = ("""alert ( msg:"DECODE_NOT_IPV4_DGRAM" sid:3; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;) \n""" + """# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message";) \n""" + """alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:2; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;)""") + fileobj = io.StringIO() + for i in range(2): + fileobj.write(u"%s\n" % rule_buf) + fileobj.seek(0) + rules = suricata.update.rule.parse_fileobj(fileobj) + self.assertEqual(2, len(rules)) + + def test_parse_file(self): + rule_buf = ("""# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"some message";) \n""" + """alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;) \n""" + """alert ( msg:"DECODE_NOT_IPV4_DGRAM" sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;) \n""") + tmp = tempfile.NamedTemporaryFile() + for i in range(2): + tmp.write(("%s\n" % rule_buf).encode()) + tmp.flush() + rules = suricata.update.rule.parse_file(tmp.name) + self.assertEqual(2, len(rules)) + + def test_parse_file_with_unicode(self): + rules = suricata.update.rule.parse_file("./tests/rule-with-unicode.rules") + + def test_parse_decoder_rule(self): + rule_string = """alert ( msg:"DECODE_NOT_IPV4_DGRAM"; sid:1; gid:116; rev:1; metadata:rule-type decode; classtype:protocol-command-decode;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertEqual(rule["direction"], None) + + def test_multiline_rule(self): + rule_string = u""" +alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \ + app-layer-event:dnp3.flooded; sid:2200104; rev:1;) +""" + rules = suricata.update.rule.parse_fileobj(io.StringIO(rule_string)) + self.assertEqual(len(rules), 1) + + def test_parse_nomsg(self): + rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertEqual("", rule["msg"]) + + def test_noalert(self): + rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertFalse(rule["noalert"]) + + rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:noalert; sid:10000000; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertTrue(rule["noalert"]) + + rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; noalert; sid:10000000; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertTrue(rule["noalert"]) + + def test_set_noalert(self): + rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertFalse(rule["noalert"]) + self.assertTrue(rule.enabled) + rule["noalert"] = True + self.assertEqual(str(rule), """alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; noalert; sid:10000000; rev:1;)""") + self.assertTrue(rule["noalert"]) + + rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:noalert; sid:10000000; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertTrue(rule["noalert"]) + self.assertTrue(rule.enabled) + self.assertEqual(str(rule), """alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:noalert; sid:10000000; rev:1;)""") + + def test_resolve_flowbits(self): + rule_string_1 = u"""#alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:set,bit1; flowbits:noalert; sid:10000001; rev:1;)""" + rule_string_2 = u"""#alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:isset,bit1; flowbits:set,bit2; flowbits:noalert; sid:10000002; rev:1;)""" + rule_string_3 = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:isset,bit2; sid:10000003; rev:1;)""" + rule1 = suricata.update.rule.parse(rule_string_1) + rule2 = suricata.update.rule.parse(rule_string_2) + rule3 = suricata.update.rule.parse(rule_string_3) + rulemap = {} + rulemap[rule1.id] = rule1 + rulemap[rule2.id] = rule2 + rulemap[rule3.id] = rule3 + disabled_rules = [rule1, rule2] + suricata.update.main.resolve_flowbits(rulemap, disabled_rules) + self.assertEqual(str(rule1), """alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:set,bit1; flowbits:noalert; sid:10000001; rev:1;)""") + self.assertEqual(str(rule2), """alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:isset,bit1; flowbits:set,bit2; flowbits:noalert; sid:10000002; rev:1;)""") + self.assertEqual(str(rule3), """alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:isset,bit2; sid:10000003; rev:1;)""") + + rule_string_1 = u"""#alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:set,bit1; sid:10000001; rev:1;)""" + rule_string_2 = u"""#alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:isset,bit1; flowbits:set,bit2; sid:10000002; rev:1;)""" + rule_string_3 = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:isset,bit2; sid:10000003; rev:1;)""" + rule1 = suricata.update.rule.parse(rule_string_1) + rule2 = suricata.update.rule.parse(rule_string_2) + rule3 = suricata.update.rule.parse(rule_string_3) + rulemap = {} + rulemap[rule1.id] = rule1 + rulemap[rule2.id] = rule2 + rulemap[rule3.id] = rule3 + disabled_rules = [rule1, rule2] + suricata.update.main.resolve_flowbits(rulemap, disabled_rules) + self.assertEqual(str(rule1), """alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:set,bit1; noalert; sid:10000001; rev:1;)""") + self.assertEqual(str(rule2), """alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:isset,bit1; flowbits:set,bit2; noalert; sid:10000002; rev:1;)""") + self.assertEqual(str(rule3), """alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; flowbits:isset,bit2; sid:10000003; rev:1;)""") + + def test_parse_message_with_semicolon(self): + rule_string = u"""alert ip any any -> any any (msg:"TEST RULE\; and some"; content:"uid=0|28|root|29|"; tag:session,5,packets; classtype:bad-unknown; sid:10000000; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertIsNotNone(rule) + self.assertEqual(rule.msg, "TEST RULE\; and some") + + # Look for the expected content. + self.assertEqual("TEST RULE\; and some", rule["msg"]) + + def test_parse_message_with_colon(self): + rule_string = u"""alert tcp 93.174.88.0/21 any -> $HOME_NET any (msg:"SN: Inbound TCP traffic from suspect network (AS29073 - NL)"; flags:S; reference:url,https://suspect-networks.io/networks/cidr/13/; threshold: type limit, track by_dst, seconds 30, count 1; classtype:misc-attack; sid:71918985; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertIsNotNone(rule) + self.assertEqual( + rule.msg, + "SN: Inbound TCP traffic from suspect network (AS29073 - NL)") + + def test_parse_multiple_metadata(self): + # metadata: former_category TROJAN; + # metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08; + rule_string = u"""alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN CryptON/Nemesis/X3M Ransomware Onion Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvvu3fqglfceuzfu"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.emsisoft.com/2017/05/01/remove-cry128-ransomware-with-emsisofts-free-decrypter/; reference:url,www.cyber.nj.gov/threat-profiles/ransomware-variants/crypt-on; classtype:trojan-activity; sid:2024525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Ransomware_Onion_Domain, tag Ransomware, signature_severity Major, created_at 2017_08_08, malware_family Crypton, malware_family Nemesis, performance_impact Low, updated_at 2017_08_08;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertIsNotNone(rule) + self.assertTrue("former_category TROJAN" in rule.metadata) + self.assertTrue("updated_at 2017_08_08" in rule.metadata) + + def test_parse_option_missing_end(self): + """Test parsing a rule where the last option is missing a + semicolon. This was responsible for an infinite loop. """ + rule_buf = u"""alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:0; sid:10000001; rev:1; classtype: icmp-event; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop)""" + self.assertRaises( + suricata.update.rule.NoEndOfOptionError, + suricata.update.rule.parse, rule_buf) + + def test_parse_addr_list(self): + """Test parsing rules where the addresses and parts are lists with + spaces.""" + + rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] any -> any any (msg:"TEST"; sid:1; rev:1;)""") + self.assertIsNotNone(rule) + self.assertEqual(rule["source_addr"], "[$HOME_NET, $OTHER_NET]") + + rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1, 2, 3] -> any any (msg:"TEST"; sid:1; rev:1;)""") + self.assertIsNotNone(rule) + self.assertEqual(rule["source_port"], "[1, 2, 3]") + + rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> [!$XNET, $YNET] any (msg:"TEST"; sid:1; rev:1;)""") + self.assertIsNotNone(rule) + self.assertEqual(rule["dest_addr"], "[!$XNET, $YNET]") + + rule = suricata.update.rule.parse("""alert any [$HOME_NET, $OTHER_NET] [1,2,3] -> [!$XNET, $YNET] [!2200, 5500] (msg:"TEST"; sid:1; rev:1;)""") + self.assertIsNotNone(rule) + self.assertEqual(rule["dest_port"], "[!2200, 5500]") + + def test_parse_no_rev(self): + """Test that a rule with no revision gets assigned the default + revision of 0.""" + rule_string = u"""alert ip any any -> any any (content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:10000000;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertEqual(0, rule["rev"]) + + def test_parse_no_sid(self): + """Test parsing a rule where the sid is not parsed correctly. """ + rule_buf = u"""alert icmp any any -> $HOME_NET any (msg:"ICMP test detected"; gid:0; rev:1; classtype: icmp-event;)""" + self.assertRaises( + suricata.update.rule.BadSidError, + suricata.update.rule.parse, rule_buf) + + def test_parse_feature_ja3(self): + """Test parsing rules that should set the ja3 feature.""" + rule_string = u"""alert tls any any -> any any (msg:"REQUIRES JA3"; ja3_hash; content:"61d50e7771aee7f2f4b89a7200b4d45"; sid:1; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertIsNotNone(rule) + self.assertTrue("ja3" in rule["features"]) + + rule_string = u"""alert tls any any -> any any (msg:"REQUIRES JA3"; ja3.hash; content:"61d50e7771aee7f2f4b89a7200b4d45"; sid:1; rev:1;)""" + rule = suricata.update.rule.parse(rule_string) + self.assertIsNotNone(rule) + self.assertTrue("ja3" in rule["features"]) diff --git a/tests/test_signaturemap.py b/tests/test_signaturemap.py new file mode 100644 index 0000000..f3c3b3e --- /dev/null +++ b/tests/test_signaturemap.py @@ -0,0 +1,81 @@ +# Copyright (C) 2017 Open Information Security Foundation +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +import unittest + +from suricata.update import maps + +class SignatureMapTestCase(unittest.TestCase): + + def test_load_generator_map(self): + + sigmap = maps.SignatureMap() + sigmap.load_generator_map(open("tests/gen-msg.map")) + + sig = sigmap.get(1, 1) + self.assertTrue(sig is not None) + self.assertEqual(1, sig["gid"]) + self.assertEqual(1, sig["sid"]) + self.assertEqual("snort general alert", sig["msg"]) + + sig = sigmap.get(139, 1) + self.assertTrue(sig is not None) + self.assertEqual(139, sig["gid"]) + self.assertEqual(1, sig["sid"]) + self.assertEqual( + "sensitive_data: sensitive data global threshold exceeded", + sig["msg"]) + + def test_load_signature_map(self): + + sigmap = maps.SignatureMap() + sigmap.load_signature_map(open("tests/sid-msg.map")) + + # Get a basic signature. + sig = sigmap.get(1, 2000356) + self.assertTrue(sig is not None) + self.assertEqual(1, sig["gid"]) + self.assertEqual(2000356, sig["sid"]) + self.assertEqual("ET POLICY IRC connection", sig["msg"]) + self.assertEqual(len(sig["ref"]), 1) + self.assertEqual("url,doc.emergingthreats.net/2000356", sig["ref"][0]) + + # Try again but with a gid of 3. + self.assertEqual(sig, sigmap.get(3, 2000356)) + + # This signature has multiple refs. + sig = sigmap.get(1, 2000373) + self.assertEqual(3, len(sig["ref"])) + + sig = sigmap.get(1, 71918985) + self.assertEqual( + "SN: Inbound TCP traffic from suspect network (AS29073 - NL)", + sig["msg"]) + + def test_load_signature_v2_map(self): + + sigmap = maps.SignatureMap() + sigmap.load_signature_map(open("tests/sid-msg-v2.map")) + + sig = sigmap.get(1, 2495) + self.assertEqual(1, sig["gid"]) + self.assertEqual(2495, sig["sid"]) + self.assertEqual("misc-attack", sig["classification"]) + self.assertEqual(0, sig["priority"]) + self.assertEqual( + "GPL NETBIOS SMB DCEPRC ORPCThis request flood attempt", + sig["msg"]) + self.assertEqual(4, len(sig["ref"])) diff --git a/tests/test_util.py b/tests/test_util.py new file mode 100644 index 0000000..8862f47 --- /dev/null +++ b/tests/test_util.py @@ -0,0 +1,33 @@ +# Copyright (C) 2017 Open Information Security Foundation +# Copyright (c) 2013 Jason Ish +# +# You can copy, redistribute or modify this Program under the terms of +# the GNU General Public License version 2 as published by the Free +# Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# version 2 along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA +# 02110-1301, USA. + +from __future__ import print_function + +import unittest +import tempfile + +from suricata.update import util + +class Md5TestCase(unittest.TestCase): + + def test_hexdigest(self): + test_file = tempfile.NamedTemporaryFile() + test_file.write(b"This is a test.") + test_file.flush() + self.assertEqual( + "120ea8a25e5d487bf68b5f7096440019", + util.md5_hexdigest(test_file.name)) diff --git a/tests/update.yaml b/tests/update.yaml new file mode 100644 index 0000000..b17bf9e --- /dev/null +++ b/tests/update.yaml @@ -0,0 +1 @@ +# An empty config for tests. diff --git a/tox-integration.ini b/tox-integration.ini new file mode 100644 index 0000000..dfa991f --- /dev/null +++ b/tox-integration.ini @@ -0,0 +1,13 @@ +# Tox (https://tox.readthedocs.io/) is a tool for running tests +# in multiple virtualenvs. This configuration file will run the +# test suite on all supported python versions. To use it, "pip install tox" +# and then run "tox" from this directory. + +[tox] +envlist = py27, py36, py37, py38 + +[testenv] +commands = python ./tests/integration_tests.py +deps = + pytest + pyyaml @@ -0,0 +1,13 @@ +# Tox (https://tox.readthedocs.io/) is a tool for running tests +# in multiple virtualenvs. This configuration file will run the +# test suite on all supported python versions. To use it, "pip install tox" +# and then run "tox" from this directory. + +[tox] +envlist = py27, py36, py37, py38, py39, py310, py311 + +[testenv] +commands = pytest +deps = + pytest + pyyaml |