24 lines
751 B
Text
24 lines
751 B
Text
|
rule iframeRedKit
|
||
|
{
|
||
|
meta:
|
||
|
author = "adnan.shukor@gmail.com"
|
||
|
description = "Detection rule to detect compromised page injected with invisible iframe of Redkit redirector"
|
||
|
ref = "http://blog.xanda.org/2013/02/15/redkit-redirector-injected-into-legitimate-javascript-code/"
|
||
|
cve = "NA"
|
||
|
version = "1.2"
|
||
|
impact = 4
|
||
|
hide = false
|
||
|
strings:
|
||
|
$iRedKit_1 = /name\=['"]?Twitter['"]?/
|
||
|
$iRedKit_2 = /scrolling\=['"]?auto['"]?/
|
||
|
$iRedKit_3 = /frameborder\=['"]?no['"]?/
|
||
|
$iRedKit_4 = /align\=['"]?center['"]?/
|
||
|
$iRedKit_5 = /height\=['"]?2['"]?/
|
||
|
$iRedKit_6 = /width\=['"]?2['"]?/
|
||
|
$iRedKit_7 = /src\=['"]?http:\/\/[\w\.\-]{4,}\/(([a-z]{4}\.html?(\?[hij]=\d{7})?)|([a-z]{4,}\.php\?[a-z]{4,}\=[a-f0-9]{16}))['"]?/
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|
||
|
|
||
|
|