alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Modx Revolution < 2.6.4 phpthumb.php RCE Attempt"; flow:established,to_server; urilen:31; http.method; content:"POST"; http.uri; content:"/connectors/system/phpthumb.php"; fast_pattern; http.request_body; content:"<?php"; nocase; content:"($_SERVER"; nocase; distance:0; reference:url,exploit-db.com/exploits/45055/; classtype:web-application-attack; sid:2025917; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_27, deployment Perimeter, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_25;)