Versions (3)
Version DetailsCurrent
Rev: 4 • Sep 28, 2010, 12:00 PMET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Gootkit Website Infection Receiving FTP Credentials from Control Server"; flowbits:isset,ET.GOOTKIT; flow:established,from_server; content:"<acc><login>"; nocase; content:"</login><pass>"; nocase; distance:0; content:"</pass><serv>"; nocase; distance:0; content:"</serv><port>21</port>"; nocase; distance:0; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; classtype:web-application-attack; sid:2011287; rev:4; metadata:created_at 2010_09_28, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_09_27;)
Sep 28, 2010, 12:00 PM
Sep 27, 2019, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 10, 2025, 8:34 PM
rules/emerging-web_server.rules