""ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server""
SID: 2011290
Revision: 7
Class Type: web-application-attack
Metadata: created_at 2010_09_28, updated_at 2016_07_05
Reference:
Protocol: tcp
Source Network: $HTTP_SERVERS
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "GET"
-
Value: "/ftp"
-
Value: "User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest"
-
Value: !"www.trendmicro.com"
Within:
PCRE:
Special Options:
-
nocase
-
http_method
-
http_uri
-
nocase
-
fast_pattern
-
http_header
-
nocase
-
http_header