ZmEu Attack

For background on the ZmEu attack (a scanner that probes for vulnerable phpMyAdmin installations), see the link below.

http://linux.m2osw.com/zmeu-attack

Web log entries of the following form still turn up frequently:

GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.22" "ZmEu"
GET /scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/pma/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"
GET /admin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 302 20 "69.55.233.22" "ZmEu"
GET /admin/pma/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" "69.55.233.23" "ZmEu"
GET /db/scripts/setup.php HTTP/1.1" "69.55.233.22" "ZmEu"

So I put together the following Snort rule to catch it. The scanner announces itself with a User-Agent header of exactly "ZmEu", so the rule matches that header, bounded by CRLF on both sides, in client-to-server traffic on port 80:

# msg, sid and rev were not part of the original one-liner; they are added here because Snort will not load a rule without a sid. sid 1000001 is a placeholder in the local-rule range; choose your own.
alert tcp any any -> any 80 (msg:"ZmEu scanner User-Agent"; flow:established,to_server; content:"|0d0a|User-Agent|3a20|ZmEu|0d0a|"; nocase; sid:1000001; rev:1;)
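As an added example (not code from the original post, and not from the ZmEu tool or any IDS), the following Python flags the scanner in two ways: it parses Apache combined-format log lines like the excerpt above and classifies each hit by User-Agent and by probe path, and it emulates the byte match performed by the Snort rule above on a raw HTTP request. The log lines and HTTP requests are constructed sample data modelled on the excerpt; the regular expressions, constant names and functions are this example's own.

```python
"""Detect ZmEu scanner traffic in Apache combined logs and in raw HTTP.

Added example for this post; the sample log lines and requests below are
constructed, not captured. Function and constant names are this example's own.
"""
import re

# Apache "combined" log format. The post's excerpt shows only the request,
# client address and User-Agent, so full lines are constructed here.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths ZmEu probes, as seen in the excerpt: its w00tw00t banner request and
# phpMyAdmin's scripts/setup.php under assorted directory prefixes.
ZMEU_PATH_RE = re.compile(
    r'^/w00tw00t\.at\.blackhats\.romanian\.anti-sec:\)$'
    r'|/scripts/setup\.php$'
)

# Constructed sample log: three ZmEu probes, one normal request, and one
# setup.php probe from a scanner that does not use the ZmEu User-Agent.
SAMPLE_LOG = """\
69.55.233.22 - - [10/Oct/2011:03:12:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 291 "-" "ZmEu"
69.55.233.22 - - [10/Oct/2011:03:12:01 +0000] "GET /scripts/setup.php HTTP/1.1" 404 274 "-" "ZmEu"
69.55.233.23 - - [10/Oct/2011:03:12:02 +0000] "GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1" 302 20 "-" "ZmEu"
198.51.100.7 - - [10/Oct/2011:03:12:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2011:03:12:09 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 274 "-" "Mozilla/5.0 (compatible; scanner)"
"""


def classify(entry):
    """Return the reasons a parsed log entry looks like a ZmEu probe."""
    reasons = []
    if entry["ua"].lower() == "zmeu":
        reasons.append("user-agent")
    if ZMEU_PATH_RE.search(entry["path"]):
        reasons.append("probe-path")
    return reasons


def scan_log(text):
    """Parse combined-format lines and return (ip, path, reasons) for each hit."""
    hits = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify(m.groupdict())
        if reasons:
            hits.append((m["ip"], m["path"], tuple(reasons)))
    return hits


# Byte-level equivalent of the Snort content match in the post:
#   content:"|0d0a|User-Agent|3a20|ZmEu|0d0a|"; nocase;
# nocase makes the ASCII text case-insensitive; the CRLF bytes are literal,
# so the header value must be exactly "ZmEu" with nothing after it.
SNORT_PATTERN = re.compile(rb"\r\nUser-Agent: ZmEu\r\n", re.IGNORECASE)


def snort_content_match(request: bytes) -> bool:
    """True if the raw request would satisfy the rule's content match."""
    return SNORT_PATTERN.search(request) is not None


# Constructed raw requests for exercising the match.
ZMEU_REQUEST = (
    b"GET /scripts/setup.php HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: ZmEu\r\n"
    b"\r\n"
)
# "ZmEu" only in the path, with a normal User-Agent: the rule should not fire.
BENIGN_REQUEST = (
    b"GET /ZmEu HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {','.join(reasons):22} {path}")
    print("rule fires on ZmEu request:", snort_content_match(ZMEU_REQUEST))
    print("rule fires on benign request:", snort_content_match(BENIGN_REQUEST))
```

Two things worth noting about the rule's behaviour, which the emulation makes visible: nocase lets it catch "user-agent: zmeu" as well as the canonical spelling, but the trailing CRLF in the pattern means a variant value such as "ZmEu/1.0" is not matched, and "ZmEu" appearing only in the request path does not trigger it either. The path check in the log scanner covers the same setup.php probes regardless of what User-Agent the client claims, which is the more durable signal.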
