"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"
SID: 2014847
Revision: 5
Class Type: web-application-attack
Metadata: created_at 2012_05_30, updated_at 2012_06_01
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HTTP_SERVERS
Destination Port: any
Flow: to_client,established
Contents:
-
Value: "<?"
-
Value: "eval(gzinflate(base64_decode("
Within:
PCRE:
Special Options:
- file_data