Snort mailing list archives

new sig for detecting Apache / PHP RCE


From: rmkml <rmkml () yahoo fr>
Date: Wed, 30 Oct 2013 22:30:48 +0100 (CET)

Hi,

Created a new Community rule for detecting this exploit:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEB-PHP Apache / PHP 5.x Remote Code Execution Kingcope attempt"; \
    flow:to_server,established; \
    content:"POST"; nocase; http_method; \
    content:"/cgi-bin/php"; nocase; http_uri; \
    content:"-d"; nocase; http_uri; distance:0; \
    content:!"|0A|Referer|3a|"; nocase; http_header; \
    pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui"; \
    pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi"; \
    reference:url,www.exploit-db.com/exploits/29290; \
    classtype:attempted-admin; sid:95417; rev:1; \
)

Please follow my new project http://etplc.org

Regards
@Rmkml

PS: Thx @Kingcope
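
Editor's added example (not part of the post above, and not Snort or the poster's code): a small Python mirror of the rule's match conditions, so you can see exactly which option gates a given request before deploying it. The sample requests, the host name target.example and the function names are constructed for illustration. The two regexes are copied from the rule's pcre options; the rule's U flag (match on the normalised URI) is approximated by percent-decoding the request-target, and the negated Referer check is implemented as "no Referer header at all", which differs from the literal |0A|Referer|3a| byte search only if Referer were the very first header line.

```python
import re
from urllib.parse import unquote

# Added illustration: mirrors the posted Snort rule (sid 95417) in Python so
# its conditions can be exercised offline.  Not Snort, not the poster's code.
# The regexes are copied from the rule's pcre options; "normalised URI" (the
# rule's U flag) is approximated by percent-decoding the request-target.
URI_RE = re.compile(r"^/cgi-bin/php(?:|[45]|[\-\.]cgi)\?", re.IGNORECASE)
BODY_RE = re.compile(
    r"\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()",
    re.IGNORECASE | re.DOTALL,  # the rule's /si flags
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body).

    Header names are lower-cased; the body is everything after the blank line.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body.decode("latin-1")


def check_sid_95417(raw: bytes) -> str:
    """Evaluate the rule's options in order.

    Returns "match" when every condition holds, otherwise the name of the
    first option that failed (useful when tuning the rule).
    """
    method, uri, headers, body = parse_request(raw)
    norm_uri = unquote(uri)
    lower_uri = norm_uri.lower()

    # content:"POST"; nocase; http_method;
    if method.upper() != "POST":
        return "http_method"
    # content:"/cgi-bin/php"; nocase; http_uri;
    idx = lower_uri.find("/cgi-bin/php")
    if idx < 0:
        return "http_uri:/cgi-bin/php"
    # content:"-d"; nocase; http_uri; distance:0;  (must follow the previous match)
    if lower_uri.find("-d", idx + len("/cgi-bin/php")) < 0:
        return "http_uri:-d"
    # content:!"|0A|Referer|3a|"; nocase; http_header;  (negated: fire only if absent)
    if "referer" in headers:
        return "http_header:!Referer"
    # pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui"
    if not URI_RE.search(norm_uri):
        return "pcre:uri"
    # pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi"
    if not BODY_RE.search(body):
        return "pcre:body"
    return "match"


def matches_sid_95417(raw: bytes) -> bool:
    return check_sid_95417(raw) == "match"


# Constructed sample requests (not captured traffic).
# Exploit-shaped: php.ini "-d" directives pushed through the query string with
# "-d" percent-encoded, and PHP that spawns a process in the POST body.
EXPLOIT_SHAPED = (
    b"POST /cgi-bin/php?%2dd+allow_url_include%3dOn"
    b"+%2dd+auto_prepend_file%3dphp%3a%2f%2finput HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 38\r\n"
    b"\r\n"
    b"<?php proc_open('id', array(), $p); ?>"
)

# Same URI shape, but the body contains none of the four calls: rule stays quiet.
HARMLESS_BODY = EXPLOIT_SHAPED.replace(
    b"Content-Length: 38", b"Content-Length: 16"
).replace(b"<?php proc_open('id', array(), $p); ?>", b"<?php echo 1; ?>")

# Ordinary form post to a script under /cgi-bin/php/: no "-d", has a Referer.
ORDINARY_POST = (
    b"POST /cgi-bin/php/app.php?page=1 HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Referer: http://target.example/form\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"name=bob"
)

if __name__ == "__main__":
    for label, req in [("exploit-shaped", EXPLOIT_SHAPED),
                       ("harmless body", HARMLESS_BODY),
                       ("ordinary post", ORDINARY_POST)]:
        print(f"{label:15s} -> {check_sid_95417(req)}")
```

Running it reports which option stops each request: the exploit-shaped one reaches "match", the same URI with a plain body stops at the body pcre, and the ordinary form post never gets past the "-d" content check. Note that the ordering in check_sid_95417 follows the rule text; Snort itself evaluates fast-pattern content first, so the order only matters for the diagnostic string, not for the final verdict.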

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org