# sid 2019748 rev 3 (metadata updated_at 2020_11_05): outbound HTTP POST pattern that the msg tentatively
#   ("CryptoPHP?") attributes to the CryptoPHP backdoor; see the reference URL for the analysis.
# Direction: $HOME_NET -> $EXTERNAL_NET, established, to_server, so the alerting source is the internal host that
#   sent the POST (presumably a web server running a backdoored CMS component, going by the WEB_SERVER category
#   and the reference title; confirm on the host).
# Body: all three multipart field names must be present in the client body: "serverKey" (also the fast_pattern),
#   "data" and "key".
# Headers: http_header_names is a sticky buffer, so the three negated contents after it are evaluated against the
#   list of header names; the rule only fires when the request has no Referer, no User-Agent and no Cookie header.
# threshold: type limit, count 1, 600 s, track by_src gives at most one alert per source every 10 minutes, so alert
#   volume understates the number of POSTs; scope the activity from HTTP or flow logs, not from alert counts.
# Coverage: "alert http" only matches cleartext HTTP that the sensor parses; the same request over TLS is not seen
#   unless traffic is decrypted upstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; http_client_body; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http_client_body; http_header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:3; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_05;)

Added 2020-11-05 18:35:55 UTC


# sid 2019748 rev 3 with a single metadata keyword (created_at, former_category, updated_at 2020_03_06).
# Detection logic: HTTP POST from $HOME_NET to $EXTERNAL_NET whose client body contains the multipart field names
#   "serverKey", "data" and "key", and whose header-name list (http_header_names sticky buffer) contains none of
#   Referer, User-Agent or Cookie.
# Rule management: several copies on this page carry rev:3 while their metadata text differs, so sid:rev alone
#   does not identify which copy a sensor has loaded; compare the full rule text when auditing a deployed ruleset.
# The content matches carry no nocase modifier, so they are case-sensitive as written.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; http_client_body; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http_client_body; http_header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:3; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_03_06;)

Added 2020-08-05 19:10:31 UTC


# sid 2019748 rev 3; this copy carries two metadata keywords (former_category on its own, then created_at/updated_at).
# Body match: the separators after "Content-Disposition" and "form-data" are written as explicit bytes
#   (|3a 20| = ": ", |3b 20| = "; "), and the "serverKey" field content is the fast_pattern; "data" and "key"
#   field names must also appear in the client body.
# Header match: after http_header_names, the negated contents use |0d 0a| as the terminator for Referer and
#   Cookie, while "User-Agent" is negated without a terminator; the request must have none of these headers.
# threshold: one alert per source per 600 seconds (type limit, track by_src, count 1).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; http_client_body; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http_client_body; http_header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; threshold: type limit, track by_src, count 1, seconds 600; metadata: former_category WEB_SERVER; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:3; metadata:created_at 2014_11_20, updated_at 2020_03_06;)

Added 2020-03-06 18:55:21 UTC


# sid 2019748 rev 2, with a former_category metadata keyword added ahead of the reference.
# Matches an HTTP POST from $HOME_NET to $EXTERNAL_NET whose client body holds the multipart field names
#   "serverKey", "data" and "key".
# fast_pattern:28,20 selects 20 bytes starting at offset 28 of the 48-byte "serverKey" content, i.e. its tail
#   (`ta; name="serverKey"`), rather than the generic "Content-Disposition" prefix.
# Header negations: Referer and User-Agent are each followed by the http_header modifier. The final
#   content:!"Cookie|3a|" has no buffer modifier after it, so as written it is not tied to http_header.
#   NOTE(review): presumably deliberate, since Suricata exposes cookies through a separate buffer; confirm
#   before adding a modifier.
# threshold: one alert per source per 600 seconds; use HTTP logs to count the actual requests.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a| form-data|3b| name=|22|serverKey|22|"; http_client_body; fast_pattern:28,20; content:"Content-Disposition|3a| form-data|3b| name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22|"; http_client_body; content:!"Referer|3a| "; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; metadata: former_category WEB_SERVER; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

Added 2019-09-19 19:26:10 UTC


# sid 2019748 rev 2 with created_at/updated_at metadata (both 2014_11_20).
# Fires on an established, to_server HTTP POST leaving $HOME_NET whose client body contains the multipart field
#   names "serverKey" (fast_pattern:28,20), "data" and "key".
# The request must also lack Referer and User-Agent (negated in http_header). The "Cookie|3a|" negation is
#   written without a buffer modifier.
# Triage: the source address is the internal sender; the msg and reference describe this as backdoor C2 from a
#   compromised web server, so review that host's CMS plugins and themes (inferred from the reference title).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a| form-data|3b| name=|22|serverKey|22|"; http_client_body; fast_pattern:28,20; content:"Content-Disposition|3a| form-data|3b| name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22|"; http_client_body; content:!"Referer|3a| "; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

Added 2018-09-13 19:49:51 UTC


Added 2018-09-13 17:59:19 UTC


# sid 2019748 rev 2 with created_at/updated_at metadata (both 2014_11_20).
# Positive matches: http_method "POST", plus three http_client_body contents for the multipart field names
#   "serverKey", "data" and "key"; each separator is a hex byte followed by a literal space (|3a| and |3b|).
# Negative matches: "Referer|3a| " and "User-Agent" must be absent from http_header; "Cookie|3a|" is negated
#   without a buffer modifier.
# threshold: type limit, track by_src, count 1, seconds 600 rate-limits alerts per source and does not change
#   what matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a| form-data|3b| name=|22|serverKey|22|"; http_client_body; fast_pattern:28,20; content:"Content-Disposition|3a| form-data|3b| name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22|"; http_client_body; content:!"Referer|3a| "; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

Added 2017-08-07 21:14:03 UTC


# sid 2019748 rev 2 without any metadata keyword.
# Alerts on an HTTP POST from $HOME_NET to $EXTERNAL_NET (flow established, to_server) whose client body carries
#   the multipart form fields "serverKey", "data" and "key", and which has no Referer or User-Agent in
#   http_header; "Cookie|3a|" is also negated, with no buffer modifier.
# classtype trojan-activity; the reference URL is the Fox-IT CryptoPHP write-up named in the msg.
# threshold limits output to one alert per source per 600 seconds.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a| form-data|3b| name=|22|serverKey|22|"; http_client_body; fast_pattern:28,20; content:"Content-Disposition|3a| form-data|3b| name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22|"; http_client_body; content:!"Referer|3a| "; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:2;)

Added 2014-11-20 17:48:07 UTC

