Rule History

SID: 2038490 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 1 • Aug 11, 2022, 12:00 PM

Message:

ET WEB_SERVER Suspected China Chopper Variant Webshell Command (inbound)

Rule:

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SERVER Suspected China Chopper Variant Webshell Command (inbound)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"kfaero="; startswith; fast_pattern; content:"&Z1="; distance:0; within:5; content:"&Z2="; distance:0; reference:url,www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/; classtype:attempted-admin; sid:2038490; rev:1; metadata:attack_target Web_Server, created_at 2022_08_11, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_08_11, reviewed_at 2024_05_07;)

Created:

Aug 11, 2022, 12:00 PM

Updated:

Aug 11, 2022, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 1, 2025, 8:35 PM

Filename:

rules/emerging-web_server.rules