alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"serverKey="; fast_pattern; content:"data="; content:"key="; http_header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; http_connection; content:"close"; depth:5; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:3; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_11_03;)

Added 2020-11-03 18:44:37 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"serverKey="; fast_pattern; content:"data="; content:"key="; http_header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; http_connection; content:"close"; depth:5; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:3; metadata:created_at 2014_11_20, former_category WEB_SERVER, updated_at 2020_03_03;)

Added 2020-08-05 19:10:31 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"serverKey="; fast_pattern; content:"data="; content:"key="; http_header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; http_connection; content:"close"; depth:5; isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; threshold: type limit, track by_src, count 1, seconds 600; metadata: former_category WEB_SERVER; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:3; metadata:created_at 2014_11_20, updated_at 2020_03_03;)

Added 2020-03-03 18:12:52 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Connection|3a| close"; http_header; content:"serverKey="; fast_pattern; content:"data="; content:"key="; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; metadata: former_category WEB_SERVER; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

Added 2019-09-19 19:26:10 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Connection|3a| close"; http_header; content:"serverKey="; fast_pattern; content:"data="; content:"key="; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

Added 2018-09-13 19:49:51 UTC


Added 2018-09-13 17:59:19 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Connection|3a| close"; http_header; content:"serverKey="; fast_pattern; content:"data="; content:"key="; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:2; metadata:created_at 2014_11_20, updated_at 2014_11_20;)

Added 2017-08-07 21:14:04 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP? Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Connection|3a| close"; http_header; content:"serverKey="; fast_pattern; content:"data="; content:"key="; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:2;)

Added 2014-11-20 17:48:07 UTC


Topic revision: r1 - 2020-11-03 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats