Rule History

SID: 2049898 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 1 • Jan 3, 2024, 12:00 PM

Message:

ET MALWARE Suspected Generic PHP Backdoor Activity M1

Rule:

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Suspected Generic PHP Backdoor Activity M1"; flow:established,to_server; flowbits:set,ET.misc.phpbackdoor; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php"; content:"47712="; fast_pattern; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; reference:url,seclists.org/snort/2024/q1/0; classtype:web-application-activity; sid:2049898; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2024_01_03, deployment Perimeter, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_03;)

Created:

Jan 3, 2024, 12:00 PM

Updated:

Jan 3, 2024, 12:00 PM

DB Created:

Jan 3, 2024, 10:00 PM

DB Updated:

Aug 15, 2025, 8:34 PM

Filename:

rules/emerging-malware.rules