Snort & Suricata signatures for Godzilla Web shell variant and SimpleHTTPServerWithUpload
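# Detection for Godzilla webshell variant and SimpleHTTPServerWithUpload
#
# Published by Fox-IT SRT together with the write-up on exploitation of
# CVE-2022-36537 (R1Soft Server Backup Manager). Three rules: one for the
# attacker-side upload server, and a request/response pair tied together with a
# flowbit so the high-priority alert only fires once the server has actually
# answered the web shell request with an HTTP 200.
#
# Deployment notes (reviewer):
#  - Written in Snort 2 / Suricata "content modifier" style (http_uri /
#    http_header / http_stat_code after the content keyword). Current Suricata
#    still accepts this; Snort 3 expects the sticky-buffer form, so convert
#    before loading there.
#  - Every rule carries a threshold so a noisy host alerts at most once per
#    600 s. This throttles alerting only; the rule still matches and the
#    flowbits:set on sid 21004344 is expected to still happen -- confirm on
#    your engine before relying on the pair.
#  - "/zkau/" appears to be the ZK framework's AU servlet path, so sid 21004344
#    on its own is only a weak indicator (priority 3); page on the response rule
#    (sid 21004345, priority 1). The flowbit is never unset, so further 200
#    responses on the same kept-alive connection also match until the
#    threshold suppresses them.
#  - All content matches are case-sensitive (no nocase); keep it that way
#    unless you have seen variants that differ in case.

# Attacker tooling: the Server banner emitted by the public
# SimpleHTTPServerWithUpload Python script. It is a response header, hence
# flow:from_server and track by_dst (the client that fetched from it).
alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - Python SimpleHTTPServerWithUpload Observed"; flow:established, from_server; content:"Server: SimpleHTTPWithUpload/"; http_header; threshold: type limit, track by_dst, count 1, seconds 600; classtype:bad-unknown; metadata:created_at 2023-01-06; priority:2; sid:21004337; rev:1;)

# Stage 1: client request for the web shell URI. Sets the flowbit that the
# response rule below requires.
alert tcp any any -> any any (msg:"FOX-SRT - IOC - Godzilla Variant ZK Web Shell Request Observed"; flow:established, to_server; content:"/zkau/jquery"; http_uri; threshold:type limit, track by_dst, count 1, seconds 600; flowbits:set, fox.zkau.webshell; classtype:trojan-activity; metadata:created_at 2023-01-09; priority:3; sid:21004344; rev:1;)

# Stage 2: the server answered that request with HTTP 200, i.e. the path exists
# and served something. Tracked by_src because the server is now the packet
# source; this is the rule worth an IR ticket.
alert tcp any any -> any any (msg:"FOX-SRT - Webshell - Godzilla Variant ZK Web Shell Response Observed"; flow:established, from_server; flowbits:isset, fox.zkau.webshell; content:"200"; http_stat_code; threshold:type limit, track by_src, count 1, seconds 600; classtype:trojan-activity; metadata:created_at 2023-01-09; priority:1; sid:21004345; rev:1;)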
Accompanying blog post (background on the R1Soft Server Backup Manager CVE-2022-36537 exploitation these signatures were written for): https://blog.fox-it.com/2023/02/22/from-backup-to-backdoor-exploitation-of-cve-2022-36537-in-r1soft-server-backup-manager/