
RULE(RULE ID:339971)

Rule General Information
Release Date: 2026-05-06
Rule Name: Command Injection Detection - Double Base64 Encoding Reverse Shell
Severity:
CVE ID:
Rule Protection Details
Description: This rule detects command injection attacks using double base64 encoding bypass techniques. The attacker sends a request with a malicious payload that uses double base64 encoding to bypass security devices. The injected command decodes the base64 string twice and pipes the result to bash, creating a reverse shell connection to the attacker's server.
Impact: Successful exploitation allows an attacker to execute arbitrary system commands on the target Linux server, establish a reverse shell connection, gain complete system control, steal sensitive data, and perform lateral movement in the network.
Affected OS: Linux
Reference:
Solutions
Implement strict input validation and sanitization for all user inputs. Use parameterized queries or prepared statements when executing system commands. Disable or restrict command execution functions in the application. Implement proper access controls and monitor for suspicious command injection patterns.