""ET WEB_SERVER c99 Shell Backdoor Var Override Client Body""

SID: 2018603

Revision: 1

Class Type: trojan-activity

Metadata: created_at 2014_06_24, updated_at 2014_06_24

Reference:

• Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

• Value: "c99shcook["

Within:

PCRE: "/(?:^|&)c99shcook[/Pi"

Special Options:

• nocase

• http_client_body

source