""ET WEB_SERVER Compromised Wordpress Install Serving Malicious JS""
SID: 2015481
Revision: 2
Class Type: trojan-activity
Metadata: affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_07_17, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2012_07_17
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HOME_NET
Destination Port: any
Flow: established,to_client
Contents:
-
Value: "var wow"
-
Value: "Date"
Within: 200
PCRE: "/var wow\s=\s\x22[^\x22\n]+?\x22\x3b[^\x3b\n]?Date[^\x3b\n]?\x3b/"
Special Options:
-
file_data
-
fast_pattern