2003535 (revision 3)

alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected"; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:1;)

Added 2007-04-05 10:15:20 UTC

By Cees Elzinga

-- MattJonkman - 05 Apr 2007

Reference sister rule: http://doc.bleedingthreats.net/bin/view/Main/2003536

-- MattJonkman - 05 Apr 2007

R57shell is a Russian PHP shell, but an English translation is built-in. The shell has all kinds of functionality, including:

  • Executing shell commands
  • Editing files
  • Executing php code
  • Sending e-mail
  • Installing a backdoor
  • Simple FTP brute forcer
  • And so on...

The shell is most likely used when an attacker finds a way to upload PHP files to a vulnerable server.

When using http_inspect_server don't forget to check your flow_depth setting. This rule will trigger on traffic originating from your server.

-- CeesElzinga - 05 Apr 2007
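
The following is an added example (editor's illustration, not code from this page, from the Emerging Threats rule set or from Snort itself). It models the two things the rule above depends on: the direction check ($HTTP_SERVERS $HTTP_PORTS -> any any, so only the server's response is examined) and the case-sensitive content match on the r57 footer string, and it emulates how http_inspect_server's flow_depth truncates the inspected part of a response. The HTTP response is constructed, not captured r57 output; the HTTP_PORTS set and the simplified flow_depth model (-1 inspects nothing, 0 inspects everything, N inspects the first N bytes) are assumptions, and where a given Snort version starts counting those bytes should be checked against its manual.

```python
from dataclasses import dataclass

# Content match from SID 2003535: the footer string r57shell prints on every page.
R57_FOOTER = b"r57shell - http-shell by RST/GHC"

# Stand-in for Snort's $HTTP_PORTS variable (assumption; a real deployment sets its own).
HTTP_PORTS = {80, 8080}


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def build_sample_response(filler_bytes: int = 2000) -> bytes:
    """Constructed HTTP response (not captured r57 output): a web-shell page whose
    footer sits at the very end, well past Snort's historical default flow_depth."""
    body = (b"<html><body><pre>uid=33(www-data) gid=33(www-data)</pre>\n"
            + b"<!-- constructed filler line -->\n" * (filler_bytes // 32)
            + b"<div>" + R57_FOOTER + b"</div></body></html>\n")
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Server: Apache\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + body


def inspected_bytes(payload: bytes, flow_depth: int) -> bytes:
    """Simplified model of http_inspect_server flow_depth on a server response:
    -1 inspects nothing, 0 inspects everything, N > 0 inspects only the first N bytes.
    (Whether a given Snort version counts from the headers or from the body is an
    assumption to verify; the effect on a footer at the end of a page is the same.)"""
    if flow_depth < 0:
        return b""
    if flow_depth == 0:
        return payload
    return payload[:flow_depth]


def rule_2003535_matches(pkt: Packet, flow_depth: int = 300) -> bool:
    """Evaluate the rule's direction and content checks against one packet."""
    # $HTTP_SERVERS $HTTP_PORTS -> any any: the packet must come FROM an HTTP port,
    # i.e. it is the server's response, not the attacker's request.
    if pkt.src_port not in HTTP_PORTS:
        return False
    # content:"..." without nocase is a case-sensitive byte match.
    return R57_FOOTER in inspected_bytes(pkt.payload, flow_depth)


def footer_offset(payload: bytes) -> int:
    """Byte offset of the footer in a response, or -1 if absent."""
    return payload.find(R57_FOOTER)


if __name__ == "__main__":
    resp = build_sample_response()
    server_to_client = Packet(src_port=80, dst_port=51234, payload=resp)
    client_to_server = Packet(src_port=51234, dst_port=80, payload=resp)
    print("footer at byte", footer_offset(resp), "of", len(resp))
    for depth in (-1, 300, 0, 65535):
        print(f"flow_depth={depth:6d}: match={rule_2003535_matches(server_to_client, depth)}")
    print("wrong direction:", rule_2003535_matches(client_to_server, 0))
```

Running it shows the practical consequence of the note above: with the footer some two kilobytes into the response, a flow_depth of 300 never reaches it and the rule stays silent, while 0 (inspect all) or a depth past the footer fires, and the same bytes travelling client-to-server never match because of the rule's direction.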


Topic attachments

Attachment: inc.php.txt (text, 101.5 K), 2007-04-05 14:23, MattJonkman: r57 shell
Topic revision: r3 - 2007-04-05 - CeesElzinga
Copyright © Emerging Threats