"ET WEB_SERVER Possible Encrypted Webshell Download"
SID: 2017640
Revision: 2
Class Type: bad-unknown
Metadata: affected_product PHP, attack_target Web_Server, created_at 2013_10_28, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2017_01_23
Reference:
Protocol: tcp
Source Network: $EXTERNAL_NET
Source Port: $HTTP_PORTS
Destination Network: $HTTP_SERVERS
Destination Port: any
Flow: established,to_client
Contents:
- Value: "eval"
- Value: "mcrypt_decrypt"
  Within: 30
PCRE:
Special Options:
- file_data