Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Dotted Quad Host Base64-Encoded PHP payload"; flow:established,to_client; flowbits:isset,http.dottedquadhost; http.stat_code; content:"200"; http.response_body; content:"|3c 3f|"; content:"eval|28|"; nocase; content:" base64_decode|28|"; distance:0; nocase; fast_pattern; reference:url,blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html; classtype:trojan-activity; sid:2063008; rev:1; metadata:affected_product PHP, attack_target Client_and_Server, tls_state plaintext, created_at 2025_06_16, deployment Perimeter, confidence Medium, signature_severity Major, tag PHP, updated_at 2025_06_16, mitre_tactic_id TA0002, mitre_tactic_name Execution, mitre_technique_id T1059, mitre_technique_name Command_And_Scripting_Interpreter; target:dest_ip;)