Rule History

SID: 10000084 • Source: ptrules/open

Versions (6)

Version DetailsCurrent

Rev: 3 • Jul 24, 2025, 5:44 PM

Message:

ATTACK [PTsecurity] FreePBX 13/14 Remote Command Execution attempt

Rule:

alert http any any -> any any (msg:"ATTACK [PTsecurity] FreePBX 13/14 Remote Command Execution attempt"; flow:to_server; content:"POST"; http_method; content:"/admin/ajax.php"; http_uri; content:"Content-Type: application/x-www-form-urlencoded"; nocase; http_header; pcre:"/file=[^&]*\x60[^&]*\x60/P"; pcre:"/module=recordings/P"; xbits:isnotset, FreePBXMaliciousFilenameUpload, track ip_dst; reference:exploitdb, 40232; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10000084; rev:3;)

Created:

Jul 24, 2025, 5:44 PM

Updated:

Jul 24, 2025, 5:44 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Oct 16, 2025, 10:34 AM

Filename:

rules/ptopen-attacks.rules