alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE Suspected Generic PHP Backdoor Activity M1"; flow:established,to_server; flowbits:set,ET.misc.phpbackdoor; flowbits:noalert; http.method; content:"GET"; http.uri; content:".php"; content:"47712="; fast_pattern; reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; reference:url,seclists.org/snort/2024/q1/0; classtype:web-application-activity; sid:2049898; rev:1; metadata:affected_product Wordpress, attack_target Web_Server, created_at 2024_01_03, deployment Perimeter, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_03;)