Versions (4)
Version DetailsCurrent
Rev: 2 • May 31, 2022, 12:00 PMET DELETED PHP Code in User-Agent (Inbound) - Possible Command Injections
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET DELETED PHP Code in User-Agent (Inbound) - Possible Command Injections"; flow:established,to_server; http.user_agent; content:"|3c 3f|php"; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50844; classtype:bad-unknown; sid:2036728; rev:2; metadata:attack_target Client_and_Server, created_at 2022_05_31, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Duplicate, performance_impact Low, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_01, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
May 31, 2022, 12:00 PM
Jun 1, 2022, 12:00 PM
May 31, 2022, 11:00 PM
Sep 2, 2025, 9:35 PM
rules/emerging-deleted.rules