#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; classtype:web-application-activity; sid:2007657; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:39:20 UTC
Added 2018-09-13 17:53:34 UTC
#alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; classtype:web-application-activity; sid:2007657; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 21:00:55 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; fast_pattern:only; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; classtype:web-application-activity; sid:2007657; rev:6;)
Added 2011-10-12 19:23:32 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; sid:2007657; rev:6;)
Added 2011-09-14 22:37:06 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; fast_pattern:only; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:6;)
Added 2011-02-04 17:26:47 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:5;)
Added 2010-06-15 13:15:59 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:5;)
Added 2010-06-15 13:15:59 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:4;)
Added 2009-02-06 19:00:55 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_PHP_Shells; sid:2007657; rev:4;)
Added 2009-02-06 19:00:55 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:3;)
Added 2008-05-18 19:52:13 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:3;)
Added 2008-05-18 19:52:13 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:2;)
Added 2008-01-23 10:46:28 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:2;)
Added 2008-01-23 10:46:28 UTC
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"BLEEDING-EDGE ATTACK RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; classtype:web-application-activity; reference:url,www.rfxn.com/vdb.php; sid:2007657; rev:1;)
Added 2007-11-02 00:32:08 UTC
Commented out as it's likely ta false positive in a general environment.
if you've got this in just a web server farm only environment, this is more safe to run.
--
MattJonkman - 02 Nov 2007