/*
Webshell "fire2013.php" - shell apended to PHP!Anuna code,
found in the wild both appended and single.
Shell prints a fake "404 not found" Apache message, while
the user has to post "pass=Fuck1950xx=" to enable it.
As written in the original (decoded PHP) file,
@define('VERSION', 'v4 by Sp4nksta');
Shell is also backdoored, it mails the shell location and
info on "h4x4rwow@yahoo.com" as written in the "system32()"
function.
*/
rule fire2013 : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches a webshell"
strings:
$a = "eval(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61"
$b = "yc0CJYb+O//Xgj9/y+U/dd//vkf'\\x29\\x29\\x29\\x3B\")"
condition:
all of them
}