""ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 1""

SID: 2017642

Revision: 3

Class Type: trojan-activity

Metadata: created_at 2013_10_30, former_category MALWARE, updated_at 2022_04_18

Reference:

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "POST"

• Value: "port="

• Value: "&uname="

• Value: "&uuid="

• Value: "Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"

• Value: !"User-Agent|3A|"

• Value: !"Referer|3a|"

• Value: !"Accept|3a|"

Within:

PCRE: "/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/P"

Special Options:

• http_method

• fast_pattern

• http_client_body

• http_client_body

• http_client_body

• http_header

• http_header

• http_header

• http_header

source