alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; http.uri; content:"/timthumb.php?"; content:!"webshot=1"; distance:0; content:"src="; distance:0; content:"http"; distance:0; pcre:"/src\s*=\s*https?\x3A\x2f+[^\x2f]*?(?:(?:(?:(?:static)?flick|blogge)r|p(?:hotobucket|icasa)|wordpress|tinypic)\.com|im(?:g(?:\.youtube|ur)\.com|ageshack\.us)|upload\.wikimedia\.org)[^\x2f]/i"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:exploit-kit; sid:2014846; rev:14; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2012_05_30, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2020_09_13;)