Et rule 2025594 - Magic-SigExplorer

""ET WEB_SERVER Weevely PHP backdoor detected (passthru() function used) M3""

SID: 2025594

Revision: 1

Class Type: web-application-activity

Metadata: affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_06_14, deployment Datacenter, malware_family weevely, signature_severity Major, updated_at 2018_06_14

Reference:

Link

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HTTP_SERVERS

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

Value: "AcGFzc3RocnUoJ"

Within:

PCRE:

Special Options:

http_header

source