From 3c9bc5f0a597cb5daf0f478f29bd164ead919b6d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Jul 2021 09:43:54 +0200
Subject: [PATCH] Serv-U exploitation update

---
 yara/yara_mixed_ext_vars.yar | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/yara/yara_mixed_ext_vars.yar b/yara/yara_mixed_ext_vars.yar
index bde5c71..e9a0f3a 100644
--- a/yara/yara_mixed_ext_vars.yar
+++ b/yara/yara_mixed_ext_vars.yar
@@ -331,7 +331,7 @@ rule SUSP_ServU_SSH_Error_Pattern_Jul21_1 {
 date = "2021-07-12"
 score = 60
 strings:
- $s1 = " - EXCEPTION: " ascii
+ $s1 = "EXCEPTION: C0000005;" ascii
 $s2 = "CSUSSHSocket::ProcessReceive();" ascii
 condition:
 filename == "DebugSocketlog.txt"
@@ -349,6 +349,8 @@ rule SUSP_ServU_Known_Mal_IP_Jul21_1 {
 $xip1 = "98.176.196.89" ascii fullword
 $xip2 = "68.235.178.32" ascii fullword
 $xip3 = "208.113.35.58" ascii fullword
+ $xip4 = "144.34.179.162" ascii fullword
+ $xip5 = "97.77.97.58" ascii fullword
 condition:
 filename == "DebugSocketlog.txt" and 1 of them
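Review bot: The tightened `$s1` string in SUSP_ServU_SSH_Error_Pattern_Jul21_1 is not recorded anywhere in the rule's meta: `date` still reads `2021-07-12` while this patch is dated 2021-07-14, and neither the commit message nor the rule says why the generic ` - EXCEPTION: ` marker was replaced by the specific code. Adding `modified = "2021-07-14"` next to `date` would make the revision visible to anyone comparing rule versions. Because `C0000005` is the NT status code for an access violation, a one-line comment such as `// 0xC0000005 = STATUS_ACCESS_VIOLATION; the generic exception marker matched benign log lines` beside `$s1` would explain the narrowing for the next maintainer (the false-positive motivation is inferred, not stated in the patch). The rule's condition continues past the end of the hunk, so its full logic is not reviewable here.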