Rule History

alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET MALWARE Wordpress Social Warfare Plugin Exploit C2 Connect Request (POST)"; flow:established,to_server; urilen:11; http.method; content:"POST"; http.uri; content:"/pinche.php"; fast_pattern; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; http.request_body; content:"uid"; content:"i_name"; reference:md5,0469a5e49620710a3e2d579fdfe011e1; reference:url,wordpress.org/support/topic/a-security-message-from-the-plugin-review-team/; classtype:attempted-admin; sid:2053871; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Server, tls_state TLSDecrypt, created_at 2024_06_25, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Wordpress, tag Exploit, updated_at 2024_06_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)