NeoSploit/Fiesta Exploit Kit

Redirs:

*/counter.php?id=1
*/counter.php?id=2
*/counter.php?id=3
*/counter.php?id=4
*/counter.php?fid=2

Can try regexing the URI for "\/[a-z0-9A-Z]{7}\/\?[0-9]", but this may be costly depending on log size.

It is often useful to search for the identifier itself, as the same one appears to be reused over and over across the redirect, exploit and payload requests.

identifier = \/[a-zA-Z0-9]{7}\/

See Neosploit Examples on urlquery.net

PDF

HTTP Request Method = GET
Content-type = "application/pdf"
Regex HTTP URI for \/[a-zA-Z0-9]{7}\/\?[0-9A-F]{50,}$

JAR

HTTP Request Method = GET
Content-type = "application/x-java-archive"
Regex HTTP URI for \/[a-zA-Z0-9]{7}\/\?[0-9A-F]{50,}$

EXEs

HTTP Request Method = GET
Content-type = "application/octet-stream"
Regex HTTP URI for \/[a-zA-Z0-9]{7}\/\?[0-9A-F]{50,}(;[0-9]){2}$

Confirmation of Java Exploit/Download

HTTP Request Method = GET
User-agent = */Java1.*
Regex HTTP URI for \/[a-zA-Z0-9]{7}\/\?[0-9A-F]{50,}(;[0-9]){3}$
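The patterns above, put together as one small log-hunting script. This is an added example, not code from the original post: it applies the redirect, landing, PDF, JAR, EXE and Java-confirmation regexes to a constructed tab-separated proxy log (hypothetical hosts and a made-up "ab12XYz" identifier, not real indicators), tags each request with the most specific rule that fires, and then pivots on the 7-character identifier so the whole chain can be seen at once. The user-agent check treats the slash in "Java/1.x" as optional, which is an assumption beyond the "*/Java1.*" glob given above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (hypothetical hosts and identifier, not real IoCs).
# Tab-separated fields: method, URL, response Content-Type, client User-Agent.
HEX52 = "0123456789ABCDEF" * 3 + "0123"   # 52 uppercase hex chars, satisfies {50,}
SAMPLE_LOG = "\n".join([
    "GET\thttp://redir.example.invalid/counter.php?id=2\ttext/html\tMozilla/5.0",
    "GET\thttp://kit.example.invalid/ab12XYz/?0\ttext/html\tMozilla/5.0",
    f"GET\thttp://kit.example.invalid/ab12XYz/?{HEX52}\tapplication/pdf\tMozilla/5.0",
    f"GET\thttp://kit.example.invalid/ab12XYz/?{HEX52}\tapplication/x-java-archive\tMozilla/5.0",
    f"GET\thttp://kit.example.invalid/ab12XYz/?{HEX52};1;2\tapplication/octet-stream\tMozilla/5.0",
    f"GET\thttp://kit.example.invalid/ab12XYz/?{HEX52};1;2;3\tapplication/octet-stream"
    "\tMozilla/4.0 (Windows 7 6.1) Java/1.7.0_21",
    "GET\thttp://benign.example.invalid/images/logo.png\timage/png\tMozilla/5.0",
])

IDENT = r"/[a-zA-Z0-9]{7}/"            # the reused 7-character directory identifier
PAYLOAD = IDENT + r"\?[0-9A-F]{50,}"    # identifier followed by a long uppercase-hex query
# Post gives the user-agent glob "*/Java1.*"; the slash is optional here (assumption)
# so the common "Java/1.7.0_xx" form is covered as well.
JAVA_UA = re.compile(r"Java/?1\.")

# (tag, URI regex, required Content-Type or None, requires Java user-agent)
# Ordered from most to least specific; the first rule that fires wins.
RULES = [
    ("java-confirm", re.compile(PAYLOAD + r"(;[0-9]){3}$"), None, True),
    ("exe",          re.compile(PAYLOAD + r"(;[0-9]){2}$"), "application/octet-stream", False),
    ("jar",          re.compile(PAYLOAD + r"$"), "application/x-java-archive", False),
    ("pdf",          re.compile(PAYLOAD + r"$"), "application/pdf", False),
    ("landing",      re.compile(IDENT + r"\?[0-9]"), None, False),
    ("redir",        re.compile(r"/counter\.php\?f?id=[0-9]+$"), None, False),
]


def path_and_query(url):
    """Return '/path?query' so the regexes never match against scheme or hostname."""
    p = urlsplit(url)
    return p.path + ("?" + p.query if p.query else "")


def classify(method, url, ctype, ua):
    """Tag one request with the first matching rule, or None if nothing fires."""
    if method != "GET":
        return None
    target = path_and_query(url)
    for tag, rx, want_ctype, want_java in RULES:
        if want_ctype and ctype != want_ctype:
            continue
        if want_java and not JAVA_UA.search(ua):
            continue
        if rx.search(target):
            return tag
    return None


def identifier(url):
    """Pull the 7-character identifier out of the URL path, if present."""
    m = re.search(r"/([a-zA-Z0-9]{7})/", urlsplit(url).path)
    return m.group(1) if m else None


def hunt(log_text):
    """Run every log line through classify(); keep only the ones that tagged."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, url, ctype, ua = line.split("\t", 3)
        tag = classify(method, url, ctype, ua)
        if tag:
            hits.append({"tag": tag, "ident": identifier(url), "url": url})
    return hits


def pivot_by_identifier(hits):
    """Group tagged hits by identifier so the full redirect->exploit->payload chain is visible."""
    chains = {}
    for h in hits:
        if h["ident"]:
            chains.setdefault(h["ident"], set()).add(h["tag"])
    return chains


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['tag']:13} {h['ident']}  {h['url']}")
    print(pivot_by_identifier(found))
```

Running the ordered rules over the full log is the cheap part; the expensive regex mentioned above is the unanchored landing pattern, so on a large log it pays to first cut the input down to requests whose identifier has already been seen in a PDF, JAR or EXE hit and only then run the broader patterns.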
