alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PIWIK Backdoored Version calls home"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/x.php"; http.host; content:"prostoivse.com"; endswith; http.request_body; content:"reff="; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:5; metadata:created_at 2012_11_28, signature_severity Major, updated_at 2020_04_22;)