[Community-sigs] new sig Linux.Backdoor.Concbak

Ben Baker bbaker at sourcefire.com
Wed Mar 18 10:39:20 EDT 2015


Thanks Andrei! Your sig passed FP check and has been published. Since you
included really unique network info, I'll make a Snort rule for that as
well.

On Mon, Mar 16, 2015 at 7:52 PM, <andreisaygo at live.ie> wrote:

> Signature:
>
> Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);2F676174652E706870;2670636E616D653D00;26687769643D00;756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700
>
> Hashes:
> MD5: 88119dc700357d2d486efb2d1369b105
> SHA1: 36361d6472d3c675182a2ca01ceed968d6c8e46b
> SHA256: 6b2cc3d64aa719c4910b89dc841f7ae07a5eab481d9ad2ed75059ac5173092b1
>
> Sig0:
> /gate.php
>
> Sig1:
> &pcname=
>
> Sig2:
> &hwid=
>
> Sig3:
> udpflood
>
> Sig4:
> backconnect
>
> Sig5:
> /etc/shadow
>
> Additional details:
> Full link:
> hxxp://webcrawl.marketplay.be:80//platforms/linux_v6//gate.php
>
> HTTP header:
> User-Agent: Firefox.3.5
> Referer: http://google.com/
> Accept-Encoding: identity
>
>
> Regards,
> Andrei Saygo
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
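The published line above is a ClamAV logical signature (.ldb format): name, target block (Target:6 is the ELF target type), a boolean expression over numbered subsignatures, then each subsignature as hex. Reading the hex shows a detail the Sig1..Sig5 listing in the post leaves out: five of the six patterns end in a 00 byte, so they match NUL-terminated C string literals in the binary's string table rather than the same tokens inside an HTTP request. The following Python is an added example, not code from the post or from ClamAV; it is a deliberately minimal evaluator (plain substring search instead of ClamAV's pattern matchers, no wildcards, offsets, count operators or target-type filtering, and an assumed precedence of & over |, which is irrelevant for this fully parenthesised expression). The sample buffers are constructed here and are not real Concbak samples.

```python
import re

# The logical signature exactly as posted to the list (ClamAV .ldb line).
CONCBAK_LDB = (
    "Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);"
    "2F676174652E706870;2670636E616D653D00;26687769643D00;"
    "756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700"
)


def parse_ldb(line):
    """Split an .ldb line into name, target block, logical expression and raw subsigs.

    Only plain hex subsignatures are handled; wildcards (??, *, {n}) and the
    count operators (=, >, <) of real ClamAV logical sigs are out of scope here.
    """
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("need name, target block, expression and >=1 subsig")
    name, target_block, expr = fields[0], fields[1], fields[2]
    target = dict(kv.split(":", 1) for kv in target_block.split(","))
    subsigs = [bytes.fromhex(h) for h in fields[3:]]
    return {"name": name, "target": target, "expr": expr, "subsigs": subsigs}


def describe(sig):
    """Render each subsig as text, flagging the trailing NUL byte where present."""
    out = []
    for s in sig["subsigs"]:
        text = s.rstrip(b"\x00").decode("ascii", "backslashreplace")
        out.append(text + (" (NUL-terminated)" if s.endswith(b"\x00") else ""))
    return out


class _LogicEval:
    """Recursive-descent evaluator for expressions over subsig indices.

    Grammar: or := and ('|' and)*; and := atom ('&' atom)*; atom := INDEX | '(' or ')'.
    '&' binds tighter than '|' (an assumption of this example; the Concbak
    expression is fully parenthesised, so it makes no difference there).
    """

    def __init__(self, expr, hits):
        self.toks = re.findall(r"\d+|[&|()]", expr)
        if "".join(self.toks) != expr.replace(" ", ""):
            raise ValueError("unsupported token in expression %r" % expr)
        self.hits, self.i = hits, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return tok

    def _or(self):
        value = self._and()
        while self._peek() == "|":
            self._take()
            value = self._and() or value
        return value

    def _and(self):
        value = self._atom()
        while self._peek() == "&":
            self._take()
            rhs = self._atom()
            value = value and rhs
        return value

    def _atom(self):
        tok = self._take()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        idx = int(tok)
        if idx >= len(self.hits):
            raise ValueError("expression references missing subsig %d" % idx)
        return self.hits[idx]

    def run(self):
        value = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in expression")
        return bool(value)


def scan(sig, data):
    """Return (matched, per-subsig hit list) for one buffer.

    Plain substring search stands in for ClamAV's real matchers, and the
    Target:6 (ELF) filter is not applied, so any bytes can be scanned.
    """
    hits = [s in data for s in sig["subsigs"]]
    return _LogicEval(sig["expr"], hits).run(), hits


# Constructed sample buffers (not real Concbak samples) shaped like fragments of
# an ELF .rodata section, where C string literals are NUL-terminated.
ELF_HDR = b"\x7fELF" + b"\x00" * 12
SAMPLE_HIT = ELF_HDR + b"/platforms/linux_v6//gate.php\x00&pcname=\x00&hwid=\x00udpflood\x00"
SAMPLE_NO_CAPABILITY = ELF_HDR + b"/gate.php\x00&pcname=\x00&hwid=\x00"
# The same tokens as they would appear in an HTTP request on the wire (constructed).
SAMPLE_WIRE_FORM = b"GET //platforms/linux_v6//gate.php?&pcname=host&hwid=1 HTTP/1.1\r\n"


if __name__ == "__main__":
    sig = parse_ldb(CONCBAK_LDB)
    print(sig["name"], sig["target"], sig["expr"])
    for i, text in enumerate(describe(sig)):
        print("  Sig%d: %s" % (i, text))
    for label, buf in [("rodata-like, with capability", SAMPLE_HIT),
                       ("rodata-like, no capability", SAMPLE_NO_CAPABILITY),
                       ("wire form", SAMPLE_WIRE_FORM)]:
        print("%-30s matched=%s hits=%s" % (label, *scan(sig, buf)))
```

The three buffers make the signature's logic visible: the first carries the three C2 strings plus one capability string and matches; the second has the C2 strings but none of udpflood, backconnect or /etc/shadow, so (3|4|5) fails and the whole sig does not fire; the third contains every token in wire form, but only Sig0 (/gate.php, the one pattern without a trailing 00) hits, which is why the network indicators in the post need a separate Snort rule rather than this file signature.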