[Snort-sigs] Weevely PHP Backdoor - Rule Proposal
bechtsoudis.a at ...2420...
Sun Nov 20 16:19:54 EST 2011
I work in the NOC team at a university campus in Greece, and recently I
have noticed a noticeable increase in web hacking incidents. In many of
them the attackers used the Weevely*1 PHP backdoor to maintain access to
the hacked system.
I have searched around the net for some related Snort rules but I
didn't find a match, so I decided to write my own. I thought these rules
might be of interest to the community, so I decided to share them on
this list (see the attachment).
A detailed analysis of how I arrived at these content patterns can be
found in my blog post*2.
I admit that I'm not a Snort expert, so any suggestions are welcome.
* Anestis Bechtsoudis *
* Undergraduate Student *
* Network Operation Center (NOC Group) *
* Dept. of Computer Engineering & Informatics *
* University of Patras, Greece *
* Website: https://bechtsoudis.com *
An embedded and charset-unspecified text was scrubbed...