alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DBltek GoIP GoIP-1 GSM Gateway - Local File Inclusion"; flow:established,to_server; http.uri; content:"/default/en_US/frame."; startswith; fast_pattern; content:"html?"; within:10; pcre:"/^\x2fdefault\x2fen_US\x2fframe(?:\x2eA100)?\x2ehtml\?(?:content|sidebar)=.*\x2e\x2e\x2f/i"; reference:url,shufflingbytes.com/posts/hacking-goip-gsm-gateway/; reference:url,www.exploit-db.com/exploits/50775; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; classtype:attempted-admin; sid:2036729; rev:3; metadata:attack_target Server, created_at 2022_05_31, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)