""ET WEB_SERVER c99 Shell Backdoor Var Override Cookie""

SID: 2018602

Revision: 1

Class Type: trojan-activity

Metadata: created_at 2014_06_24, updated_at 2014_06_24

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

• Value: "c99shcook"

Within:

PCRE: "/c99shcook/Ci"

Special Options:

• nocase

source