[Community-sigs] new sig Linux.Backdoor.Concbak

andreisaygo at live.ie andreisaygo at live.ie
Wed Mar 18 10:42:59 EDT 2015


Hi Ben,
Sounds great, thanks. I'll make sure to include similar info (if possible) from now on.

Regards,
Andrei Saygo
> Date: Wed, 18 Mar 2015 10:39:20 -0400
> From: bbaker at sourcefire.com
> To: community-sigs at lists.clamav.net
> Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> 
> Thanks Andrei! Your sig passed FP check and has been published. Since you
> included really unique network info, I'll make a Snort rule for that as
> well.
> 
> On Mon, Mar 16, 2015 at 7:52 PM, <andreisaygo at live.ie> wrote:
> 
> > Signature:
> >
> > Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);2F676174652E706870;2670636E616D653D00;26687769643D00;756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700
> >
> > Hashes:
> > MD5: 88119dc700357d2d486efb2d1369b105
> > SHA1: 36361d6472d3c675182a2ca01ceed968d6c8e46b
> > SHA256: 6b2cc3d64aa719c4910b89dc841f7ae07a5eab481d9ad2ed75059ac5173092b1
> >
> > Sig0:
> > /gate.php
> >
> > Sig1:
> > &pcname=
> >
> > Sig2:
> > &hwid=
> >
> > Sig3:
> > udpflood
> > Sig4:
> > backconnect
> > Sig5:
> > /etc/shadow
> >
> > Additional details:
> > Full link:
> > hxxp://webcrawl.marketplay.be:80//platforms/linux_v6//gate.php
> >
> > HTTP header:
> > User-Agent: Firefox.3.5
> > Referer: http://google.com/
> > Accept-Encoding: identity
> >
> >
> > Regards,
> > Andrei Saygo
> > _______________________________________________
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
> >
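The signature in the quoted post is a ClamAV logical signature: `Name;Target:N;LogicalExpression;HexSub0;HexSub1;...`, where each hex field is a byte pattern and the expression says which patterns must co-occur (here: all three of the C2 request fragments, plus at least one of the `udpflood`, `backconnect` or `/etc/shadow` strings). The script below is an added example, not code from the post or from the ClamAV project. It decodes the subsignatures, evaluates the `(0&1&2)&(3|4|5)` expression with a small recursive-descent parser, and runs it over constructed sample buffers. Two simplifications are assumptions of this example and not ClamAV behaviour: the ELF magic check stands in for ClamAV's `Target:6` (ELF) file typing, and only the index, `&`, `|` and parenthesis subset of the expression grammar is implemented. Note that five of the six patterns end in `00`, so they only match NUL-terminated C strings in a binary, which is why a plain text file containing the same words does not trigger the signature.

```python
import re

# Logical signature exactly as posted to the list.
SIGNATURE = (
    "Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);"
    "2F676174652E706870;2670636E616D653D00;26687769643D00;"
    "756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700"
)

# Assumption of this example: ELF magic stands in for ClamAV's Target:6 file-type check.
ELF_MAGIC = b"\x7fELF"


def parse_logical_signature(sig):
    """Split Name;Target:N;Expr;Hex0;Hex1;... and decode the hex subsignatures to bytes."""
    fields = sig.strip().split(";")
    if len(fields) < 4:
        raise ValueError("need name, target, expression and at least one subsignature")
    name, target, expr = fields[0], fields[1], fields[2]
    if not re.fullmatch(r"Target:\d+", target):
        raise ValueError("bad target field: %r" % target)
    subsigs = [bytes.fromhex(h) for h in fields[3:]]
    return {"name": name, "target": int(target.split(":")[1]), "expr": expr, "subsigs": subsigs}


class _ExprParser:
    """Evaluates the subset of ClamAV logical expressions used in this signature:
    subsignature indexes joined by & and |, grouped with parentheses (& binds tighter than |).
    Count operators such as 0>3 are not supported here."""

    def __init__(self, expr, hits):
        compact = expr.replace(" ", "")
        self.tokens = re.findall(r"\d+|[()&|]", compact)
        if "".join(self.tokens) != compact:
            raise ValueError("unsupported characters in expression: %r" % expr)
        self.hits = hits  # hits[i] is True when subsignature i was found in the data
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        if self._peek() is None:
            raise ValueError("unexpected end of expression")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def parse(self):
        value = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in expression")
        return value

    def _or(self):
        value = self._and()
        while self._peek() == "|":
            self._take()
            rhs = self._and()  # always consume the right side, even when value is already True
            value = value or rhs
        return value

    def _and(self):
        value = self._atom()
        while self._peek() == "&":
            self._take()
            rhs = self._atom()
            value = value and rhs
        return value

    def _atom(self):
        tok = self._take()
        if tok == "(":
            value = self._or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok.isdigit():
            idx = int(tok)
            if idx >= len(self.hits):
                raise ValueError("expression references undefined subsignature %d" % idx)
            return self.hits[idx]
        raise ValueError("unexpected token %r" % tok)


def scan(sig, data):
    """Return the signature name when the data matches, else None."""
    parsed = parse_logical_signature(sig)
    if parsed["target"] == 6 and not data.startswith(ELF_MAGIC):
        return None  # wrong file type for this signature (simplified target check)
    hits = [sub in data for sub in parsed["subsigs"]]
    return parsed["name"] if _ExprParser(parsed["expr"], hits).parse() else None


# Constructed sample buffers, not real files: a fake ELF header followed by embedded C strings.
SAMPLE_MATCH = ELF_MAGIC + b"\x00" * 12 + b"/gate.php\x00&pcname=\x00&hwid=\x00udpflood\x00"
SAMPLE_PARTIAL = ELF_MAGIC + b"\x00" * 12 + b"/gate.php\x00&pcname=\x00&hwid=\x00"  # no Sig3/4/5
SAMPLE_TEXT = b"/gate.php &pcname=x &hwid=y udpflood"  # not ELF, and no NUL terminators

if __name__ == "__main__":
    for i, sub in enumerate(parse_logical_signature(SIGNATURE)["subsigs"]):
        print("Sig%d: %r" % (i, sub))
    for label, buf in (("match", SAMPLE_MATCH), ("partial", SAMPLE_PARTIAL), ("text", SAMPLE_TEXT)):
        print(label, "->", scan(SIGNATURE, buf))
```

Running it prints the decoded `Sig0`..`Sig5` strings from the post and reports a hit only for the buffer that carries the full C2 request fragments plus one of the capability strings; the partial buffer and the plain-text buffer both come back clean.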