Snort mailing list archives

Low hanging fruit - inforet


From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 29 Aug 2012 13:27:06 -0600

Not sure where I have this in my archive of bad pcaps, but inforet.html 
sure seems familiar:

http://urlquery.net/report.php?id=148265
http://jsunpack.jeek.org/dec/go?report=a70cd8d80447f3c493b1cb6f8f0706536a84d068
https://www.mywot.com/en/forum/25940--rejected-tax-transaction-rejrev-html-malware


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COMMUNITY INDICATOR-COMPROMISE /inforet.html HTTP request in URI"; flow:established,to_server; content:"/inforet.html"; http_uri; fast_pattern:only; sid:x; rev:1;)

from the mywot site:
(CAREFUL THESE ARE ACTIVE!)

geoprovi.es/inforet.html
jyyswh.com/inforet.html
mpmusic.es/inforet.html

Pretty sure these will change to something else over time.  Maybe 
useful, maybe not :)

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
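The following is an added example and not code from James's post or from the Snort project: a small offline emulation of what the rule above does, so the content match can be sanity-checked against constructed requests before the placeholder sid is replaced with a real local one. It approximates Snort's normalised http_uri buffer by percent-decoding the request target and folding `..` segments (an assumption that is good enough for this check, not the full HttpInspect normaliser), then applies the `content:"/inforet.html"` test to that buffer and, for contrast, to the raw request target. The hostnames are the three from the post; the requests themselves are constructed for the example, not captured traffic.

```python
# Added example, not code from the original post: emulate the rule's
# content:"/inforet.html"; http_uri; match against constructed requests.
# The normalisation here is an assumption (percent-decode + path folding),
# not Snort's actual HttpInspect implementation.
from urllib.parse import unquote
import posixpath

CONTENT = "/inforet.html"  # the content: value from the rule


def normalise_uri(raw_uri: str) -> str:
    """Approximate Snort's http_uri normalisation: percent-decode the path,
    fold ./ and ../ segments, and keep the (decoded) query string, since the
    normalised buffer covers the whole request target."""
    path, sep, query = raw_uri.partition("?")
    path = unquote(path)
    if path.startswith("/"):
        path = posixpath.normpath(path)
    return path + sep + unquote(query)


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": target, "headers": headers, "body": body}


def raw_uri_match(raw: bytes) -> bool:
    """What a plain content match on the wire would do: no normalisation."""
    return CONTENT in parse_request(raw)["uri"]


def rule_matches(raw: bytes) -> bool:
    """Emulates content:"/inforet.html"; http_uri; on a client request.
    Only the request target is inspected, never headers or body."""
    return CONTENT in normalise_uri(parse_request(raw)["uri"])


# Constructed requests for the example (not captured traffic).
SAMPLES = {
    "plain": b"GET /inforet.html HTTP/1.1\r\nHost: geoprovi.es\r\n\r\n",
    "encoded": b"GET /%69nforet.html HTTP/1.1\r\nHost: jyyswh.com\r\n\r\n",
    "traversal": b"GET /static/../inforet.html?id=1 HTTP/1.1\r\nHost: mpmusic.es\r\n\r\n",
    "referer_only": (b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
                     b"Referer: http://mpmusic.es/inforet.html\r\n\r\n"),
    "body_only": (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 13\r\n\r\n/inforet.html"),
}


def evaluate_samples() -> dict:
    """Return {name: (raw_match, http_uri_match)} for every sample."""
    return {name: (raw_uri_match(req), rule_matches(req))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate_samples().items():
        print(f"{name:13s} raw={raw!s:5s} http_uri={norm}")
```

The "encoded" sample is the reason the rule uses http_uri rather than a bare content match: a percent-encoded request target is missed on the wire but caught in the normalised buffer. The "referer_only" and "body_only" samples do not fire at all, because http_uri covers only the request target; a Referer or POST body mentioning /inforet.html would need http_header or http_client_body instead. The `sid:x` in the posted rule is a placeholder and must be replaced with a local sid before Snort will load it.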