Dear Friends,
I want to search for an infection based on file name, using the filename information provided below.
Find below the info which shows a successful exploit callback. I am not sure how to search on SA with the file name since the file name is alphanumeric and changes randomly. I believe there could be lots of infections with the same pattern. We use only a packet decoder, so regex won't work.
Please note that I want to search with only the filename since the directory field is always empty.
| Meta key | Value |
| --- | --- |
| orig_ip | 10.32.7.154 |
| ip.addr | 10.32.7.154 |
| action | post |
| alias.ip | 188.165.235.115 |
| directory | / |
| filename | 6197C9EB5912A0CF20F5E130E79F0B14 |
| content | application/x-www-form-urlencoded |
| alias.ip | 188.165.235.115 |
| alert.id | nw32550 |
| risk.info | http direct to ip request |
| threat.category | spectrum |
| threat.source | netwitness |
| orig_ip | 10.32.7.154 |
Thank you,
Awaiting your valuable response.
Looks like the same exploit activity as here on UrlQuery.
urlquery.net - Free url scanner
To get this rule to work, look for `action=put && directory='/' && filename length 32`.
I'd be curious to know what this type of malware is if you are willing to share?
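The rule in the reply above pivots on metadata shape rather than on the random filename itself: a write-style HTTP action, an empty (root) directory, and a filename of exactly 32 characters. The following Python is an added example, not code from either poster or from NetWitness; it applies the same logic to constructed HTTP request records so the match conditions can be checked offline. Two deliberate generalizations are labelled in the code: it accepts either `POST` (the action in the posted event) or `PUT` (the action in the reply's rule), and it optionally tightens the 32-character check to hexadecimal characters, since the posted filename looks like an uppercase MD5 hex digest. It also requires the destination host to be a literal IPv4 address, mirroring the event's `http direct to ip request` flag. The record format and all sample records are invented for the example.

```python
"""Detection logic equivalent to the thread's NetWitness rule, applied to
sample HTTP request records. Added example; records are constructed."""
import ipaddress
from urllib.parse import urlsplit

HEX_DIGITS = frozenset("0123456789abcdefABCDEF")

# Constructed sample records: (source_ip, method, url, content_type).
# The first one mirrors the event posted in the question; the rest are
# made-up positives and near-misses to exercise each condition.
SAMPLE_REQUESTS = [
    ("10.32.7.154", "POST", "http://188.165.235.115/6197C9EB5912A0CF20F5E130E79F0B14",
     "application/x-www-form-urlencoded"),
    ("10.32.7.201", "PUT", "http://203.0.113.9/0f1e2d3c4b5a69788796a5b4c3d2e1f0",
     "application/octet-stream"),
    ("10.32.7.33", "POST", "http://example.com/login",                      # hostname, not IP
     "application/x-www-form-urlencoded"),
    ("10.32.7.33", "GET", "http://198.51.100.7/c39a1d3bb0a8a1a6f1d03d4b7d2a6f11",  # wrong action
     ""),
    ("10.32.7.80", "POST", "http://198.51.100.7/update/6197C9EB5912A0CF20F5E130E79F0B14",  # non-root dir
     "application/x-www-form-urlencoded"),
    ("10.32.7.80", "POST", "http://198.51.100.7/abcdefabcdefabcdefabcdefabcdef01234",      # 35 chars
     "application/x-www-form-urlencoded"),
]


def is_literal_ipv4(host):
    """True when the HTTP host is a bare IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def split_path(path):
    """Split a URL path into (directory, filename) the way the meta fields do:
    '/update/abc' -> ('/update/', 'abc'), '/abc' -> ('/', 'abc')."""
    idx = path.rfind("/")
    return path[:idx + 1], path[idx + 1:]


def looks_like_hex_blob_name(filename, length=32, require_hex=True):
    """The reply's 'filename length 32' test. require_hex is an added
    tightening (assumption): the posted name is an uppercase hex string."""
    if len(filename) != length:
        return False
    return not require_hex or all(c in HEX_DIGITS for c in filename)


def matches_callback_pattern(src_ip, method, url, content_type,
                             actions=("POST", "PUT")):
    """Equivalent of: action in {post, put} && directory='/' && filename length 32,
    plus 'destination is a literal IP'. Both actions are accepted because the
    event shows post while the reply's rule uses put (assumption). content_type
    is carried for triage only and is not part of the rule."""
    parts = urlsplit(url)
    directory, filename = split_path(parts.path)
    return (method.upper() in actions
            and directory == "/"
            and looks_like_hex_blob_name(filename)
            and is_literal_ipv4(parts.hostname or ""))


def find_callbacks(records):
    """Return every record that matches the callback pattern."""
    return [r for r in records if matches_callback_pattern(*r)]


def pivot_by_destination(hits):
    """Group matching source IPs by destination IP, the pivot you would make
    next to see how many internal hosts beacon to the same server."""
    by_dest = {}
    for src_ip, _method, url, _ct in hits:
        by_dest.setdefault(urlsplit(url).hostname, []).append(src_ip)
    return by_dest


if __name__ == "__main__":
    hits = find_callbacks(SAMPLE_REQUESTS)
    for src, method, url, _ in hits:
        print(f"{src} {method} {url}")
    for dest, sources in pivot_by_destination(hits).items():
        print(f"{dest}: {len(sources)} internal host(s)")
```

On the constructed data only the first two records match; the others each fail exactly one condition (named host, `GET`, non-root directory, wrong length), which is the point of keying on shape: a random 32-character name cannot be searched for literally, but its length, its location and the bare-IP destination are stable across infections.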