Versions (3)
Version DetailsCurrent
Rev: 9 • Sep 28, 2010, 12:00 PMET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Gootkit Website Infection Request for FTP Credentials from Control Server"; flow:established,to_server; flowbits:set,ET.GOOTKIT; http.method; content:"GET"; http.uri; content:"/ftp"; nocase; http.header; content:!"www.trendmicro.com"; http.user_agent; content:"Mozilla/4.0 (compatible|3B 20|Win32|3B 20|WinHttp.WinHttpRequest"; nocase; startswith; reference:url,www.m86security.com/labs/i/GootKit--Automated-Website-Infection,trace.1368~.asp; classtype:web-application-attack; sid:2011290; rev:9; metadata:created_at 2010_09_28, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_14;)
Sep 28, 2010, 12:00 PM
Sep 14, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
Oct 10, 2025, 8:34 PM
rules/emerging-web_server.rules