Threat Encyclopedia

ReGeorg.HTTP.Tunnel

Description

This indicates an attempt to access ReGeorg HTTP Tunnel.
ReGeorg acts as a HTTP proxy to tunnel data in and out of a network. It is used to bypass firewall policy that only allows HTTP traffics. ReGeorg can transport other TCP sessions such as RDP, SSH, and SMB through the HTTP tunnel.
ReGeorg is an upgraded version of ReDuh. The ReGeorg server script is often installed by attackers after a web server is compromised.

Affected Products

All web servers

Impact

System Compromise: Remote attackers can gain control of vulnerable systems.

Recommended Actions

Monitor the traffic from the network for any suspicious activity.
Look for a suspicious PHP, ASP, JSP, or JS file on the web server, based on the IPS log entry.