alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux Backdoor Linux/Cdorked.A Redirect 3"; flow:from_server,established; http.stat_code; content:"302"; http.location; content:"/index.php?"; content:"ZzdXJpP"; fast_pattern; distance:0; pcre:"/^https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})$/i"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016815; rev:5; metadata:created_at 2013_05_03, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_24;)