Merge pull request #131 from vlad-s/master

Added fire2013.php and chinese spam files

Merge pull request #131 from vlad-s/master
Added fire2013.php and chinese spam files
1972cde1 · mmorenog · GitHub · 642e4150 · e48f522e · 1972cde1
Commit 1972cde1 authored Jul 20, 2016 by mmorenog Committed by GitHub Jul 20, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 61 additions and 0 deletions

chinese-spam.yar Webshells/chinese-spam.yar +35 -0

fire2013.yar Webshells/fire2013.yar +26 -0

No files found.
--- a/Webshells/chinese-spam.yar
+++ b/Webshells/chinese-spam.yar
+/*
+    PHP file(s) (spreader) that, using multiple remote
+    servers, use file_get_contents() to get more PHP
+    content that it writes in files with random name
+    (echoers), file(s) which use file_get_contents()
+    to get and echo the HTML (chinese blog/shop/???).
+*/
+rule chinese_spam_spreader
+{
+    meta:
+        author      = "Vlad https://github.com/vlad-s"
+        date        = "2016/07/18"
+        description = "Catches chinese PHP spam files (autospreaders)"
+    strings:
+        $a = "User-Agent: aQ0O010O"
+        $b = "<font color='red'><b>Connection Error!</b></font>"
+        $c = /if ?\(\$_POST\[Submit\]\) ?{/
+    condition:
+        all of them
+}
+rule chinese_spam_echoer
+{
+    meta:
+        author      = "Vlad https://github.com/vlad-s"
+        date        = "2016/07/18"
+        description = "Catches chinese PHP spam files (printers)"
+    strings:
+        $a = "set_time_limit(0)"
+        $b = "date_default_timezone_set('PRC');"
+        $c = "$Content_mb;"
+        $d = "/index.php?host="
+    condition:
+        all of them
+}
--- a/Webshells/fire2013.yar
+++ b/Webshells/fire2013.yar
+/*
+    Webshell "fire2013.php" - shell apended to PHP!Anuna code,
+    found in the wild both appended and single.
+    Shell prints a fake "404 not found" Apache message, while
+    the user has to post "pass=Fuck1950xx=" to enable it.
+    As written in the original (decoded PHP) file,
+    @define('VERSION', 'v4 by Sp4nksta');
+    Shell is also backdoored, it mails the shell location and
+    info on "h4x4rwow@yahoo.com" as written in the "system32()"
+    function.
+*/
+rule fire2013
+{
+    meta:
+        author      = "Vlad https://github.com/vlad-s"
+        date        = "2016/07/18"
+        description = "Catches a webshell"
+    strings:
+        $a = "eval(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61"
+        $b = "yc0CJYb+O//Xgj9/y+U/dd//vkf'\\x29\\x29\\x29\\x3B\")"
+    condition:
+        all of them
+}