[Snort-sigs] new sig for detecting Apache / PHP RCE

rmkml rmkml at ...174...
Wed Oct 30 17:30:48 EDT 2013


Hi,

Created a new Community rule for detecting this exploit:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
  (msg:"WEB-PHP Apache / PHP 5.x Remote Code Execution Kingcope attempt"; \
  flow:to_server,established; \
  content:"POST"; nocase; http_method; \
  content:"/cgi-bin/php"; nocase; http_uri; \
  content:"-d"; nocase; http_uri; distance:0; \
  content:!"|0A|Referer|3a|"; nocase; http_header; \
  pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui"; \
  pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi"; \
  reference:url,www.exploit-db.com/exploits/29290; classtype:attempted-admin; \
  sid:95417; rev:1;)

Please follow my new project http://etplc.org

Regards
@Rmkml

PS: Thx @Kingcope
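Added illustration (editor's example, not part of rmkml's post and not the rule itself): the rule's option chain replayed in Python over a few constructed HTTP requests, so each content/pcre condition can be checked on its own before the signature is dropped into a Snort configuration. The request samples, host name and the `some_ini_directive` argument are placeholders; only the request shape the rule keys on matters.

```python
import re
from dataclasses import dataclass

# Regexes lifted from the two pcre options of the posted rule. Snort's /U (normalized
# URI buffer) and /P (HTTP client body) pick the buffer each one runs against;
# /i and /s map directly onto re.IGNORECASE and re.DOTALL.
URI_RE = re.compile(r"^/cgi-bin/php(?:|[45]|[\-\.]cgi)\?", re.IGNORECASE)
BODY_RE = re.compile(
    r"\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()",
    re.IGNORECASE | re.DOTALL)


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict          # header name (lower-cased) -> value
    body: str


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request splitter for the constructed samples below
    (http_inspect does this normalisation when the real rule runs)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body.decode("latin-1"))


def rule_matches(req: HttpRequest) -> bool:
    """Replay the rule's option chain; every condition must hold for an alert."""
    # content:"POST"; nocase; http_method;
    if req.method.upper() != "POST":
        return False
    # content:"/cgi-bin/php"; nocase; http_uri;
    uri_lower = req.uri.lower()
    pos = uri_lower.find("/cgi-bin/php")
    if pos == -1:
        return False
    # content:"-d"; nocase; http_uri; distance:0;  (must follow the previous match)
    if "-d" not in uri_lower[pos + len("/cgi-bin/php"):]:
        return False
    # content:!"|0A|Referer|3a|"; nocase; http_header;  (negated: no Referer header)
    if "referer" in req.headers:
        return False
    # pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui";
    if not URI_RE.search(req.uri):
        return False
    # pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi";
    return BODY_RE.search(req.body) is not None


# Constructed sample requests (not captured traffic); the ini directive is a placeholder.
SAMPLES = {
    "suspect": (
        b"POST /cgi-bin/php?-d+some_ini_directive%3d1 HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 23\r\n"
        b"\r\n"
        b"<?php chdir('/tmp'); ?>"),
    # Same request sent from a page with a Referer header: the negated header test fails.
    "with_referer": (
        b"POST /cgi-bin/php?-d+some_ini_directive%3d1 HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Referer: http://www.example.test/form.html\r\n"
        b"Content-Length: 23\r\n"
        b"\r\n"
        b"<?php chdir('/tmp'); ?>"),
    # Ordinary form post to the same script with no -d argument in the query string.
    "no_d_flag": (
        b"POST /cgi-bin/php?page=1 HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Content-Length: 19\r\n"
        b"\r\n"
        b"name=chdir('/tmp');"),
    # GET requests never match: the rule is restricted to the POST method.
    "get": (
        b"GET /cgi-bin/php?-d+some_ini_directive%3d1 HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"\r\n"),
}


def scan_samples() -> dict:
    # {sample name: alert?} for every constructed request
    return {name: rule_matches(parse_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:13s} -> {'ALERT' if hit else 'no alert'}")
```

Only the first sample should alert. The two conditions worth noting when tuning are the negated Referer header and the fixed list of four PHP function names: they are what keep the rule quiet on normal form posts to a php-cgi script, and they are also where its coverage is thinnest, so the alert is best treated as one signal to corroborate against the web server's own access and error logs.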
