alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:exploit-kit; sid:2016716; rev:6; metadata:created_at 2013_04_04, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_10_08;)