rule counterPHPredirectBHEK { meta: author = "adnan.shukor@gmail.com" description = "Detection rule to detect compromised page injected with invisible counter.php redirector" ref = "http://blog.xanda.org/2013/04/05/detecting-counter-php-the-blackhole-redirector" cve = "NA" version = "1" impact = 4 hide = false strings: $counterPHP = /\$/ condition: all of them }