Versions (4)
Version DetailsCurrent
Rev: 5 • Apr 4, 2013, 12:00 PMET EXPLOIT_KIT BHEK ff.php iframe outbound
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016719; rev:5; metadata:created_at 2013_04_04, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_10_08;)
Apr 4, 2013, 12:00 PM
Oct 8, 2019, 12:00 PM
Sep 21, 2024, 3:00 AM
Nov 3, 2025, 10:34 PM
rules/emerging-exploit_kit.rules