# sid 2003535 rev 8 (2011-10-12 variant): alerts when an established HTTP
# response from $HTTP_SERVERS to $EXTERNAL_NET carries the literal r57 footer
# string. file_data points the match at the HTTP response-body buffer;
# fast_pattern:only hands the string to the fast-pattern matcher alone, with no
# separate content re-check by the rule engine. Because the match is on traffic
# leaving the monitored server, a hit means the server is already serving the
# shell (post-compromise), not that an upload was attempted. Only the fixed
# footer text is matched, so an edited footer is not detected. Carries the same
# rev:8 as the two entries below; this one only moves classtype after the
# references.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; file_data; content:"r57shell - http-shell by RST/GHC"; fast_pattern:only; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:8;)

Added 2011-10-12 19:13:38 UTC


# sid 2003535 rev 8 (2011-09-14 variant): same detection as the entry above
# (file_data + fast_pattern:only on the r57 footer in server responses).
# Relative to the 2011-02-04 rev 8 entry below it drops the cvsweb
# ATTACK_RESPONSE_PHP_Shells reference; rev was not bumped for that change.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; file_data; content:"r57shell - http-shell by RST/GHC"; fast_pattern:only; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; sid:2003535; rev:8;)

Added 2011-09-14 22:26:38 UTC


# sid 2003535 rev 8 (2011-02-04 variant): first revision to add file_data and
# fast_pattern:only, moving the r57 footer match into the HTTP response-body
# buffer instead of the plain content match used by rev 6 below. Keeps all
# three references. No rev 7 entry appears in this history.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; file_data; content:"r57shell - http-shell by RST/GHC"; fast_pattern:only; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003535; rev:8;)

Added 2011-02-04 17:22:32 UTC


# sid 2003535 rev 6 (2010-06-15): plain content match with no file_data, so the
# footer is looked for in the packet payload rather than a dedicated HTTP
# response-body buffer; this is the form the flow_depth note further down
# applies to. Only change from rev 5: msg category spelled ATTACK_RESPONSE
# (underscore) instead of "ATTACK RESPONSE".
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003535; rev:6;)

Added 2010-06-15 13:15:59 UTC


# sid 2003535 rev 6: byte-identical duplicate of the entry above, recorded
# with the same 2010-06-15 13:15:59 timestamp.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003535; rev:6;)

Added 2010-06-15 13:15:59 UTC


# sid 2003535 rev 5 (2009-02-06): adds the doc.emergingthreats.net and cvsweb
# references on top of rev 4; msg still uses the older "ATTACK RESPONSE"
# (space) category. Match logic (flow:established,from_server plus a plain
# content match on the footer) is unchanged from rev 4.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003535; rev:5;)

Added 2009-02-06 19:00:55 UTC


# sid 2003535 rev 5: byte-identical duplicate of the entry above, recorded
# with the same 2009-02-06 19:00:55 timestamp.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2003535; rev:5;)

Added 2009-02-06 19:00:55 UTC


# sid 2003535 rev 4 (2008-05-18): first revision to require
# flow:established,from_server and to narrow the destination to
# $EXTERNAL_NET any (rev 2 below used "any any" with no flow keyword), so only
# server-to-client traffic on an established session can match.
# No rev 3 entry appears in this history.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:4;)

Added 2008-05-18 19:52:13 UTC


# sid 2003535 rev 4: byte-identical duplicate of the entry above, recorded
# with the same 2008-05-18 19:52:13 timestamp.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:4;)

Added 2008-05-18 19:52:13 UTC


# sid 2003535 rev 2 (2008-01-23): msg prefix renamed from BLEEDING-EDGE to ET.
# Destination is still "any any" and there is no flow keyword, so at this
# revision nothing restricts the match to established server-to-client
# sessions; only the literal footer string is required.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:2;)

Added 2008-01-23 10:46:28 UTC


# sid 2003535 rev 2: byte-identical duplicate of the entry above; the two
# timestamps differ by one second (10:46:27 vs 10:46:28).
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE r57 phpshell footer detected"; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:2;)

Added 2008-01-23 10:46:27 UTC


# sid 2003535 rev 1 under the BLEEDING-EDGE name (2007-11-02 entry): plain
# content match on the r57 footer with a single pestpatrol reference,
# "any any" destination and no flow keyword. Text is the same as the corrected
# 2007-04-05 rev 1 further down.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected"; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:1;)

Added 2007-11-02 00:32:08 UTC


# sid 2003535 rev 1: byte-identical duplicate of the entry above, recorded
# with the same 2007-11-02 00:32:08 timestamp.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected"; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:1;)

Added 2007-11-02 00:32:08 UTC


# sid 2003535 rev 1 as corrected on 2007-04-05 11:00:40: the doubled quote in
# msg from the original submission below is removed; everything else is
# identical.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected"; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:1;)

Added 2007-04-05 11:00:40 UTC

Fixed a doubled quote in the msg.

-- MattJonkman - 05 Apr 2007


# sid 2003535 original submission (2007-04-05 10:15:20): msg:"" opens and
# immediately closes the string, leaving the rest of the msg text outside any
# quotes, so this line would not parse as a valid rule. Kept here as history;
# the corrected form is the entry above.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:""BLEEDING-EDGE ATTACK RESPONSE r57 phpshell footer detected"; content:"r57shell - http-shell by RST/GHC"; classtype:web-application-activity; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; sid:2003535; rev:1;)

Added 2007-04-05 10:15:20 UTC

By Cees Elzinga

-- MattJonkman - 05 Apr 2007

Reference sister rule: http://doc.bleedingthreats.net/bin/view/Main/2003536

-- MattJonkman - 05 Apr 2007

R57shell is a Russian PHP shell, but an English translation is built in. The shell has all kinds of functionality, including:

  • Executing shell commands
  • Editing files
  • Executing php code
  • Sending e-mail
  • Installing a backdoor
  • Simple ftp brute forcer
  • And so on...

The shell is most likely used once an attacker finds a way to upload PHP files to a vulnerable server.

When using http_inspect_server, don't forget to check your flow_depth setting: it bounds how much of each server response is inspected, and a footer near the end of a long page falls outside a small depth. This rule will trigger on traffic originating from your server.

Missed detections (false negatives) occur when an attacker manually changes the footer.

-- CeesElzinga - 05 Apr 2007


Topic revision: r5 - 2007-04-05 - CeesElzinga