کسانی که از Snort استفاده می کنند. می توانند برای جلوگیری از این مشکل و حل کامل موضوع و جلوگیری از خروج نرافیک از سرور می توانید ازرول های زیر استفاده نمایید.
کد:
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3a| form-data|3b| name=|22|serverKey|22|"; http_client_body; fast_pattern:28,20; content:"Content-Disposition|3a| form-data|3b| name=|22|data|22|"; http_client_body; content:"Content-Disposition|3a| form-data|3b| name=|22|key|22|"; http_client_body; content:!"Referer|3a| "; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019748; rev:1;)
کد:
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST (fsockopen)"; flow:established,to_server; content:"POST"; http_method; content:"Content-Type: application/x-www-form-urlencoded"; http_header; content:"Connection|3a| close"; http_header; content:"serverKey="; fast_pattern; content:"data="; content:"key="; content:!"Referer|3a|"; http_header; content:!"User-Agent"; http_header; content:!"Cookie|3a|"; threshold: type limit, track by_src, count 1, seconds 600; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:trojan-activity; sid:2019749; rev:1;)
کد:
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; flow:established,to_server; content:"POST"; http_method; content:"php|3a 2f 2f|input"; http_raw_uri; content:"<?"; http_client_body; depth:2; reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2019804; rev:3;)
باتشکر