Written by Matt Jonkman
Monday, 31 December 2007
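# Seeing some worms/trojans use an FTP server with all banners stripped out,
# on off ports, to download a payload after the initial compromise.
# Just status codes, no welcome text, etc. Very unique. Something like:
#
#   220
#   USER a
#   331
#   PASS a
#   230
#   TYPE I
#   200
#   PORT 10,2,32,214,4,9
#   200
#   RETR msnnmaneger.exe
#   150
#   226
#   QUIT
#   221
#
# Detection is a three-stage flowbit chain: USER sets ET.strippedftpuser,
# PASS (only if the user bit is set) sets ET.strippedftppass, and RETR (only
# if the pass bit is set) is the stage that actually alerts and tags the
# session. The first two stages carry flowbits:noalert so a single session
# produces one alert at the RETR stage; drop noalert from the pass rule if a
# PASS-stage alert is wanted as well.
#
# Direction: USER/PASS/RETR are commands sent by the FTP *client*, so the
# flow keyword must be to_server with $HOME_NET as the (compromised) client
# talking to an external off-port server. The original posting used
# from_server, which never sees client commands with this header; if the
# intent was instead to watch a $HOME_NET host acting as the server, invert
# the header (any -> $HOME_NET) rather than the flow keyword.
#
# Caveats for tuning:
#  - Nothing here verifies that the server really omitted its banner; the
#    rules fire on the command sequence alone, so any legitimate FTP service
#    on a port >= 1024 (e.g. 2121) will match. Pass-list known high-port FTP
#    servers.
#  - NOTE(review): the leading space in content:" |0d 0a|" requires a space
#    before the CRLF ("USER a \r\n"); the transcript above ("USER a\r\n")
#    would not match it. Confirm against captured traffic; if no trailing
#    space is expected, use content:"|0d 0a|" instead. Left as posted.
#  - tag:session needs a count and metric in Snort syntax; 5 packets is a
#    starting point, not a measured value.
#
# Corrections relative to the original posting (revs bumped accordingly):
# "frm_server" -> "from_server"/to_server; mismatched flowbit names
# (strippedfpuser / srippedftpuser / srippedftppass) unified; missing colon
# in "flowbitsset" restored; "id:" -> "sid:" on the retr rule.

alert tcp $HOME_NET 1024: -> any 1024: (msg:"BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,to_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftpuser; flowbits:noalert; classtype:trojan-activity; sid:2007715; rev:3;)

alert tcp $HOME_NET 1024: -> any 1024: (msg:"BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flow:established,to_server; flowbits:isset,ET.strippedftpuser; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; flowbits:noalert; classtype:trojan-activity; sid:2007717; rev:4;)

alert tcp $HOME_NET 1024: -> any 1024: (msg:"BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flow:established,to_server; flowbits:isset,ET.strippedftppass; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session,5,packets; classtype:trojan-activity; sid:2007723; rev:4;)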
Last Updated ( Wednesday, 02 January 2008 )