[Snort-sigs] Weevely PHP Backdoor - Rule Proposal

Anestis Bechtsoudis bechtsoudis.a at ...2420...
Sun Nov 20 16:19:54 EST 2011

I work in the NOC team at a University Campus in Greece, and recently I
have noticed a noticeable increase in web hacking incidents. In many of
them the attackers used the weevely*1 PHP backdoor to maintain access to
the hacked system.

I have searched around the net for some relative Snort rules but I
didn't find a match. So I decided to write my own. I thought these rules
might pose an interest to the community so I decided to share them in
this list (see the attachment).

A detailed analysis of how I concluded to these content patterns can be
found in my blog post*2.

I admit that I'm not a Snort expert, so any propositions are welcome.

*1 http://code.google.com/p/weevely/
*2 http://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/

* Anestis Bechtsoudis                         *
* Undergraduate Student                       *
*                                             *
* Network Operation Center (NOC Group)        *
* Dept. of Computer Engineering & Informatics *
* University of Patras, Greece                *
*                                             *
* Website: https://bechtsoudis.com            *
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: web-weevely.rules
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20111120/7c58bdec/attachment.ksh>
