# ET sid 2017313, rev 4 (metadata updated_at 2020_11_03) - "China Chopper Command Struct".
# Alerts on an established client-to-server HTTP flow from $EXTERNAL_NET to $HTTP_SERVERS
# (any port) when all of the following hold:
#   - the request method is POST (http_method, nocase);
#   - the request body contains "&z" (http_client_body) and the pcre, anchored with ^ and
#     made relative to that match by the R flag, finds 1-3 digits and "=" directly after it,
#     i.e. a numbered parameter such as "&z1=";
#   - "FromBase64String" is present, "unsafe" occurs somewhere after it (distance:0), and
#     "eval(" is present. These three carry no buffer modifier and no nocase, and "eval(" has
#     no positional constraint. "FromBase64String" is the fast_pattern.
# NOTE(review): the three unmodified contents are literal, case-sensitive byte matches, so a
#   request that percent-encodes or re-cases them would presumably not fire - confirm against
#   captured traffic before relying on this as sole coverage.
# NOTE(review): FromBase64String / "unsafe" look specific to the .NET flavour of the payload;
#   other server-side variants of the shell likely need separate signatures - verify.
# NOTE(review): rev is still 4 although updated_at differs from the 2020-03-03 entry on this
#   page, so tooling that tracks changes by sid:rev alone may not register the update.
# Operational: the rule needs cleartext HTTP (inspect behind TLS termination). A true positive
#   suggests commands are reaching a shell already present on the destination server, so
#   triage that host (web root, recently written script files) as well as the source address.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&z"; http_client_body; pcre:"/^\d{1,3}=/PRi"; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:4; metadata:created_at 2013_08_12, updated_at 2020_11_03;)

Added 2020-11-03 18:44:37 UTC


# ET sid 2017313, rev 4 (metadata updated_at 2020_03_03) - "China Chopper Command Struct".
# Fires on an inbound, established HTTP request to $HTTP_SERVERS on any port that is a POST
# (http_method, nocase) and whose body holds "&z" (http_client_body) immediately followed by
# 1-3 digits and "=" (pcre flags: P = request body, R = relative to the "&z" match, i = nocase).
# It additionally requires "FromBase64String" (fast_pattern), then "unsafe" at any offset
# after it (distance:0), plus "eval(" anywhere; none of these three has a buffer modifier.
# NOTE(review): those three strings are case-sensitive literals; encoded or re-cased forms
#   would presumably be missed - confirm with sample traffic.
# NOTE(review): the keyword set appears tied to a .NET-style payload; do not assume it covers
#   every server-side variant of the shell.
# Operational: no visibility into TLS-wrapped requests unless traffic is decrypted upstream of
#   the sensor; on a hit, examine the destination web server for the planted script.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"POST"; nocase; http_method; content:"&z"; http_client_body; pcre:"/^\d{1,3}=/PRi"; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:4; metadata:created_at 2013_08_12, updated_at 2020_03_03;)

Added 2020-03-03 18:12:52 UTC


# ET sid 2017313, rev 3 - "China Chopper Command Struct" (alert http, destination port any).
# Conditions on an established client-to-server flow toward $HTTP_SERVERS:
#   - "FromBase64String" (fast_pattern), "unsafe" somewhere after it (distance:0), and
#     "eval(" - all without a buffer modifier and case-sensitive;
#   - pcre /&z\d{1,3}=/ with flags P (request body) and i: an unanchored search for a
#     numbered "&z<digits>=" parameter anywhere in the body;
#   - method POST (http_method, nocase), listed last in the rule.
# NOTE(review): the literal contents would presumably not match percent-encoded or re-cased
#   payloads - confirm against real captures.
# NOTE(review): the strings look specific to a .NET-style payload; treat coverage of other
#   variants as unverified.
# Operational: requires decrypted HTTP; a true positive points at a shell already resident on
#   the destination server, which should be the focus of triage.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; pcre:"/&z\d{1,3}=/Pi"; content:"POST"; nocase; http_method; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

Added 2018-09-13 19:47:31 UTC


Added 2018-09-13 17:57:57 UTC


# ET sid 2017313, rev 3 - "China Chopper Command Struct".
# Protocol-based header (alert http, any -> any port), so matching is not limited to a
# configured port list. The option chain requires, on an established to_server flow:
# "FromBase64String" (fast_pattern) followed at any distance by "unsafe", an "eval(" with no
# positional constraint, a request-body match for /&z\d{1,3}=/ (flags P and i), and a POST
# method (http_method, nocase).
# NOTE(review): the first three contents have no buffer modifier and no nocase, so they are
#   exact byte matches; obfuscated or encoded forms would presumably evade them - verify.
# NOTE(review): keyword choice suggests a .NET-style payload only; confirm whether other
#   variants are covered elsewhere in the ruleset.
# Operational: blind to TLS unless decrypted before the sensor. On alert, inspect the
#   destination server for an unexpected script file in the web root.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; pcre:"/&z\d{1,3}=/Pi"; content:"POST"; nocase; http_method; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:3; metadata:created_at 2013_08_12, updated_at 2013_08_12;)

Added 2017-08-07 21:11:12 UTC


# ET sid 2017313, rev 2 - "China Chopper Command Struct" (no metadata keyword in this rev).
# Header is "alert tcp ... -> $HTTP_SERVERS $HTTP_PORTS": inspection is bound to the ports
# listed in $HTTP_PORTS, so a web server listening on a port outside that variable is not
# covered by this revision.
# Options, on an established to_server flow: "FromBase64String" (fast_pattern), "unsafe"
# anywhere after it (distance:0), "eval(" anywhere, a request-body pcre /&z\d{1,3}=/ (flags
# P and i) for a numbered "&z<digits>=" parameter, and method POST (http_method, nocase).
# NOTE(review): the three plain contents are case-sensitive literals with no buffer modifier;
#   encoded or re-cased payloads would presumably not match - confirm with sample traffic.
# NOTE(review): the strings look tied to a .NET-style payload; coverage of other variants is
#   unverified.
# Operational: keep $HTTP_PORTS aligned with the ports web servers actually listen on, and
#   place the sensor where HTTP is visible in cleartext.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; pcre:"/&z\d{1,3}=/Pi"; content:"POST"; nocase; http_method; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:2;)

Added 2013-08-12 00:23:53 UTC

