""ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server""

SID: 2034248

Revision: 1

Class Type: web-application-attack

Metadata: affected_product HTTP_Server, attack_target Web_Server, created_at 2021_10_25, deployment Perimeter, signature_severity Major, updated_at 2021_10_25

Reference:

Protocol: tcp

Source Network: $HTTP_SERVERS

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "MARIJUANA"

  • Value: "|e2 80 94 20|DIOS|20 e2 80 94 20|NO|20 e2 80 94 20|CREA|20 e2 80 94 20|NADA|20 e2 80 94 20|EN|20 e2 80 94 20|VANO|20 e2 80 94|"

Within:

PCRE:

Special Options:

  • file_data

  • fast_pattern

source