alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server; content:"="; pcre:"/.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/R"; http.method; content:"POST"; http.uri; content:"/editor.php"; content:"&map_title="; nocase; content:"&map_legend="; nocase; content:"&editorsettings_showrelative="; fast_pattern; nocase; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/; reference:cve,2013-2618; classtype:attempted-admin; sid:2025459; rev:4; metadata:affected_product Linux, attack_target Server, created_at 2018_04_03, cve CVE_2013_2618, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_05;)