X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Flog-entries%2Fworms;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Flog-entries%2Fworms;h=40951022e0ae4c5d6e3f123cec99d13e4bd65fd0;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b
diff --git a/debian/ossec-hids/var/ossec/rules/log-entries/worms b/debian/ossec-hids/var/ossec/rules/log-entries/worms
new file mode 100644
index 0000000..4095102
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/log-entries/worms
@@ -0,0 +1,54 @@
+86 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html
+588 200.255.5.155 TCP_MISS/404 1495 GET http://pawlacz.com/nul.php - DIRECT/193.84.182.19 text/html
+9 200.255.5.155 TCP_NEGATIVE_HIT/404 726 GET http://arborfolia.com/nul.php - NONE/- text/html
+326 200.255.5.155 TCP_MISS/404 717 GET http://arborfolia.com/nul.php - DIRECT/66.49.208.142 text/html
+1001 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html
+966 200.255.5.155 TCP_MISS/404 4439 GET http://appaloosa.no/nul.php - DIRECT/85.19.133.103 text/html
+543 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html
+545 200.255.5.155 TCP_MISS/404 518 GET http://1point2.iae.nl/nul.php - DIRECT/212.61.24.92 text/html
+504 200.255.5.155 TCP_MISS/404 443 GET http://ujscie.one.pl/nul.php - DIRECT/82.96.66.63 text/html
+
+
+OSSEC HIDS Notification.
+2006 Jun 20 08:09:32
+
+Received 
From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log
+Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'"
+Portion of the log(s):
+
+576 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
+543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
+955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
+934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
+328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
+329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
+546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
+512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
+2085 200.255.5.155 TCP_MISS/404 502 GET http://www.jonogueira.com/nul.php - DIRECT/69.0.160.233 text/html
+
+
+
+ --END OF NOTIFICATION
+
+
+
+ OSSEC HIDS Notification.
+ 2006 Jun 20 08:09:33
+
+ Received 
From: (wrouter) 200.255.5.3->/usr/local/squid/var/logs/access.log
+ Rule: 5055 fired (level 10) -> "Multiple attempts to access a non-existent file.'"
+ Portion of the log(s):
+
+ 1004 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html
+ 784 200.255.5.155 TCP_MISS/404 1812 GET http://avenue.ee/nul.php - DIRECT/195.5.116.3 text/html
+ 543 200.255.5.155 TCP_MISS/404 520 GET http://www.autovorota.ru/nul.php - DIRECT/84.252.138.31 text/html
+ 955 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
+ 934 200.255.5.155 TCP_MISS/404 4920 GET http://www.autoekb.ru/nul.php - DIRECT/217.114.0.67 text/html
+ 328 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
+ 329 200.255.5.155 TCP_MISS/404 722 GET http://www.aureaorodeley.com/nul.php - DIRECT/70.84.243.130 text/html
+ 546 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
+ 512 200.255.5.155 TCP_MISS/404 536 GET http://asdesign.cz/nul.php - DIRECT/193.86.238.16 text/html
+
+http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=223894
+
+http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=TROJ_BAGLE.EY&VSect=T