Et rule 2028992 - Magic-SigExplorer

""ET TROJAN SuperSocialat Plugin Backdoor Code Execution Attempt""

SID: 2028992

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Wordpress_Plugins, created_at 2019_11_18, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_11_18

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET"
Value: "/wp-content" Depth: 11
Value: "/plugins/super-socialat/super_socialat.php?dl="

Within:

PCRE: "/\/super_socialat.php\?dl=(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/Ui"

Special Options:

http_method
http_uri
http_uri
fast_pattern

source