#alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; classtype:web-application-activity; sid:2003536; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:56:47 UTC


#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; fast_pattern; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; classtype:web-application-activity; sid:2003536; rev:9;)

Added 2011-10-12 19:13:39 UTC


#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; fast_pattern; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; sid:2003536; rev:9;)

Added 2011-09-14 22:26:38 UTC


#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; fast_pattern; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:9;)

Added 2011-02-04 17:22:32 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:8;)

Added 2010-06-15 13:15:59 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:8;)

Added 2010-06-15 13:15:59 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:7;)

Added 2009-02-17 01:45:23 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:7;)

Added 2009-02-17 01:45:23 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:6;)

Added 2009-02-06 19:00:55 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003536; rev:6;)

Added 2009-02-06 19:00:55 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:5;)

Added 2008-05-18 19:52:13 UTC


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:5;)

Added 2008-05-18 19:52:13 UTC


alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:3;)

Added 2008-01-23 10:46:28 UTC


alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK RESPONSE r57 phpshell source being uploaded"; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:3;)

Added 2008-01-23 10:46:28 UTC


alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded"; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:2;)

Added 2007-11-02 00:32:08 UTC


alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded"; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:2;)

Added 2007-11-02 00:32:08 UTC


alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE ATTACK RESPONSE r57 phpshell source being uploaded"; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:2;)

Added 2007-04-05 11:00:40 UTC

reversed this since the source will only be seen going TO the server

-- MattJonkman - 05 Apr 2007


alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:""BLEEDING-EDGE ATTACK RESPONSE r57 phpshell header detected"; content:"/* (c)oded by 1dt.w0lf"; content:"/* RST/GHC http"; distance:0; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003536; rev:1;)

Added 2007-04-05 10:15:20 UTC

By Cees Elzinga

-- MattJonkman - 05 Apr 2007

Reference sister rule: http://doc.bleedingthreats.net/bin/view/Main/2003535

-- MattJonkman - 05 Apr 2007

R57shell is a russian php shell, but an english translation is built-in. The shell has all kinds of functionality, including:

  • Executing shell commands
  • Editing files
  • Executing php code
  • Sending e-mail
  • Installing a backdoor
  • Simple ftp brute forcer
  • And so on...

The shell is most likely used when an attackers finds a way to upload PHP files to a vulnerable server.

-- CeesElzinga - 05 Apr 2007


Topic revision: r5 - 2007-04-05 - CeesElzinga
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats