Monday, January 4, 2010

CZ32ts - Auto SQL Injection attacks, and a Sig to catch it

As many people hosting websites have noticed attack traffic in their logs from what appears to be an automated SQL Injection attack from a botnet that has a user agent of 'NV32ts' in recent months, a Snort signature was created to detect this activity, and there is now what appears to be a botnet using a user agent string of 'CZ32ts', and this is the signature created to detect it.


Just search for 'CZ32ts' and you will see plenty of people talking about it already, but here's a specific link to a discussion about CZ32ts:

http://www.webmasterworld.com/search_engine_spiders/4025814.htm

and here's a discussion on NV32ts:

http://stackoverflow.com/questions/436715/what-is-nv32ts-and-its-sql-injection-attack-trying-to-do


Here's the signature I just created to catch CZ32ts (things like the version number and sig id will be changed in the future, but this is what I have for now):

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Attempt (Agent CZ32ts)"; flow:to_server,established; content:"|0d 0a|User-Agent: CZ32ts|0d 0a|"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SERVER/WEB_SQL_Injection_Monster_List; reference:url,www.Whitehatsecurityresponse.blogspot.com; sid:2010621; rev:1;)

No comments:

Post a Comment