ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server
Sourceet/open
Fileemerging-web_server.rules
CreatedSeptember 28, 2010
UpdatedApril 9, 2024
Classificationweb-application-attack
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flow:established,to_client ; flowbits:isset,ET.GOOTKIT ; file.data; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; fast_pattern; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp ; classtype:web-application-attack; sid:2011287; rev:8; metadata:created_at 2010_09_28, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_09;)
Metadata
created at2010_09_28
signature severityUnknown
tagDescription_Generated_By_Proofpoint_Nexus
updated at2024_04_09
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!