Commit 46bcc842 by mmorenog

Update and rename Webshell-shell.yar to THOR_Webshells.yar

parent d931b223
......@@ -3,7 +3,21 @@
*/
import "pe"
/*
THOR APT Scanner - Web Shells Extract
This rulset is a subset of all hack tool rules included in our
APT Scanner THOR - the full featured APT scanner
We will frequently update this file with new rules rated TLP:WHITE
Florian Roth
BSK Consulting GmbH
Web: bsk-consulting.de
revision: 20150122
*/
rule Weevely_Webshell {
meta:
......@@ -3214,7 +3228,323 @@ rule webshell_webshells_new_Asp {
1 of them
}
/* Update from hackers tool pack */
rule perlbot_pl {
meta:
description = "Semi-Auto-generated - file perlbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7e4deb9884ffffa5d82c22f8dc533a45"
strings:
$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
$s1 = "#Acesso a Shel - 1 ON 0 OFF"
condition:
1 of them
}
rule php_backdoor_php {
meta:
description = "Semi-Auto-generated - file php-backdoor.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
strings:
$s0 = "http://michaeldaw.org 2006"
$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
$s3 = "coded by z0mbie"
condition:
1 of them
}
rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
meta:
description = "Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
strings:
$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
condition:
1 of them
}
rule Nshell__1__php_php {
meta:
description = "Semi-Auto-generated - file Nshell (1).php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "973fc89694097a41e684b43a21b1b099"
strings:
$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
condition:
1 of them
}
rule shankar_php_php {
meta:
description = "Semi-Auto-generated - file shankar.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "6eb9db6a3974e511b7951b8f7e7136bb"
strings:
$sAuthor = "ShAnKaR"
$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
condition:
1 of ($s*) and $sAuthor
}
rule Casus15_php_php {
meta:
description = "Semi-Auto-generated - file Casus15.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
strings:
$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
$s3 = "value='Calistirmak istediginiz "
condition:
1 of them
}
rule small_php_php {
meta:
description = "Semi-Auto-generated - file small.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fcee6226d09d150bfa5f103bee61fbde"
strings:
$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
$s4 = "@ini_set('error_log',NULL);" fullword
condition:
2 of them
}
rule shellbot_pl {
meta:
description = "Semi-Auto-generated - file shellbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
strings:
$s0 = "ShellBOT"
$s1 = "PacktsGr0up"
$s2 = "CoRpOrAtIoN"
$s3 = "# Servidor de irc que vai ser usado "
$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
condition:
2 of them
}
rule fuckphpshell_php {
meta:
description = "Semi-Auto-generated - file fuckphpshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "554e50c1265bb0934fcc8247ec3b9052"
strings:
$s0 = "$succ = \"Warning! "
$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
$s2 = "\\*=-- MEMBERS AREA --=*/"
$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
condition:
2 of them
}
rule ngh_php_php {
meta:
description = "Semi-Auto-generated - file ngh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c372b725419cdfd3f8a6371cfeebc2fd"
strings:
$s0 = "Cr4sh_aka_RKL"
$s1 = "NGH edition"
$s2 = "/* connectback-backdoor on perl"
$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
condition:
1 of them
}
rule jsp_reverse_jsp {
meta:
description = "Semi-Auto-generated - file jsp-reverse.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8b0e6779f25a17f0ffb3df14122ba594"
strings:
$s0 = "// backdoor.jsp"
$s1 = "JSP Backdoor Reverse Shell"
$s2 = "http://michaeldaw.org"
condition:
2 of them
}
rule Tool_asp {
meta:
description = "Semi-Auto-generated - file Tool.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
strings:
$s0 = "mailto:rhfactor@antisocial.com"
$s2 = "?raiz=root"
$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
condition:
2 of them
}
rule NT_Addy_asp {
meta:
description = "Semi-Auto-generated - file NT Addy.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2e0d1bae844c9a8e6e351297d77a1fec"
strings:
$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
$s4 = "RAW D.O.S. COMMAND INTERFACE"
condition:
1 of them
}
rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
meta:
description = "Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "089ff24d978aeff2b4b2869f0c7d38a3"
strings:
$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
condition:
1 of them
}
rule RemExp_asp {
meta:
description = "Semi-Auto-generated - file RemExp.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "aa1d8491f4e2894dbdb91eec1abc2244"
strings:
$s0 = "<title>Remote Explorer</title>"
$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
condition:
2 of them
}
rule phvayvv_php_php {
meta:
description = "Semi-Auto-generated - file phvayvv.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "35fb37f3c806718545d97c6559abd262"
strings:
$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
$s1 = "$baglan=fopen($duzkaydet,'w');"
$s2 = "PHVayv 1.0"
condition:
1 of them
}
rule klasvayv_asp {
meta:
description = "Semi-Auto-generated - file klasvayv.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b3e64bf8462fc3d008a3d1012da64ef"
strings:
$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
$s3 = "<font color=\"#858585\">www.aventgrup.net"
$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
condition:
1 of them
}
rule r57shell_php_php {
meta:
description = "Semi-Auto-generated - file r57shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d28445de424594a5f14d0fe2a7c4e94f"
strings:
$s0 = "r57shell" fullword
$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
$s2 = "RusH security team"
$s3 = "'ru_text12' => 'back-connect"
condition:
1 of them
}
rule rst_sql_php_php {
meta:
description = "Semi-Auto-generated - file rst_sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0961641a4ab2b8cb4d2beca593a92010"
strings:
$s0 = "C:\\tmp\\dump_"
$s1 = "RST MySQL"
$s2 = "http://rst.void.ru"
$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
condition:
2 of them
}
rule wh_bindshell_py {
meta:
description = "Semi-Auto-generated - file wh_bindshell.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fab20902862736e24aaae275af5e049c"
strings:
$s0 = "#Use: python wh_bindshell.py [port] [password]"
$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
condition:
1 of them
}
rule lurm_safemod_on_cgi {
meta:
description = "Semi-Auto-generated - file lurm_safemod_on.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5ea4f901ce1abdf20870c214b3231db3"
strings:
$s0 = "Network security team :: CGI Shell" fullword
$s1 = "#########################<<KONEC>>#####################################" fullword
$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
condition:
1 of them
}
rule c99madshell_v2_0_php_php {
meta:
description = "Semi-Auto-generated - file c99madshell_v2.0.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d27292895da9afa5b60b9d3014f39294"
strings:
$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
condition:
all of them
}
rule backupsql_php_often_with_c99shell {
meta:
description = "Semi-Auto-generated - file backupsql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
strings:
$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
condition:
all of them
}
rule uploader_php_php {
meta:
description = "Semi-Auto-generated - file uploader.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0b53b67bb3b004a8681e1458dd1895d0"
strings:
$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
condition:
2 of them
}
rule telnet_pl {
meta:
description = "Semi-Auto-generated - file telnet.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "dd9dba14383064e219e29396e242c1ec"
strings:
$s0 = "W A R N I N G: Private Server"
$s2 = "$Message = q$<pre><font color=\"#669999\"> _____ _____ _____ _____ "
condition:
all of them
}
rule w3d_php_php {
meta:
description = "Semi-Auto-generated - file w3d.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "987f66b29bfb209a0b4f097f84f57c3b"
strings:
$s0 = "W3D Shell"
$s1 = "By: Warpboy"
$s2 = "No Query Executed"
condition:
2 of them
}
rule WebShell_cgi {
meta:
description = "Semi-Auto-generated - file WebShell.cgi.txt"
......@@ -3238,8 +3568,6 @@ rule WinX_Shell_html {
condition:
2 of them
}
rule Dx_php_php {
meta:
description = "Semi-Auto-generated - file Dx.php.php.txt"
......@@ -4084,7 +4412,7 @@ rule cmdjsp_jsp {
$s2 = "cmdjsp.jsp"
$s3 = "michaeldaw.org" fullword
condition:
1 of them
2 of them
}
rule h4ntu_shell__powered_by_tsoi_ {
meta:
......@@ -4723,6 +5051,7 @@ rule GIFCloaked_Webshell {
$s3 = "LANGUAGE='VBScript'"
condition:
( $magic at 0 ) and ( 1 of ($s*) )
and not filepath contains "AppData"
}
rule PHP_Cloaked_Webshell_SuperFetchExec {
......@@ -6301,7 +6630,6 @@ rule hkshell_hkshell {
condition:
all of them
}
rule iMHaPFtp {
meta:
description = "Webshells Auto-generated - file iMHaPFtp.php"
......@@ -6332,7 +6660,7 @@ rule DarkSpy105 {
condition:
all of them
}
rule EditServer_3 {
rule EditServer {
meta:
description = "Webshells Auto-generated - file EditServer.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
......@@ -7767,8 +8095,6 @@ rule r57shell_3 {
condition:
all of them
}
rule HDConfig {
meta:
description = "Webshells Auto-generated - file HDConfig.exe"
......@@ -7921,7 +8247,6 @@ rule SoakSoak_Infected_Wordpress {
all of ($s*)
}
rule Pastebin_Webshell {
meta:
description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
......@@ -7969,3 +8294,278 @@ rule ASPXspy2 {
condition:
6 of them
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-01-11
Identifier: Web Shell Repo
Reference: https://github.com/nikicat/web-malware-collection
*/
rule Webshell_27_9_c66_c99 {
meta:
description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..."
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash3 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash4 = "80ec7831ae888d5603ed28d81225ed8b256c831077bb8feb235e0a1a9b68b748"
hash5 = "6ce99e07aa98ba6dc521c34cf16fbd89654d0ba59194878dffca857a4c34e57b"
hash6 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash7 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash8 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash9 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash10 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
strings:
$s4 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii
$s6 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii
$s7 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii
condition:
filesize < 685KB and 1 of them
}
rule Webshell_acid_AntiSecShell_3 {
meta:
description = "Detects Webshell Acid"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash4 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash5 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash6 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash7 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash8 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash9 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash10 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash11 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash12 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash13 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash14 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash15 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash16 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash17 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
hash18 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii
$s1 = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii
condition:
filesize < 900KB and all of them
}
rule Webshell_c99_4 {
meta:
description = "Detects C99 Webshell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash4 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash5 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash6 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash7 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash8 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash9 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash10 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash11 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash12 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash13 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
hash14 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii
$s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii
$s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii
$s4 = "$ret = myshellexec($handler);" fullword ascii
$s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii
condition:
filesize < 900KB and 1 of them
}
rule Webshell_r57shell_2 {
meta:
description = "Detects Webshell R57"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
hash2 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
hash3 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
hash4 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
hash5 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
hash6 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
hash7 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
hash8 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
hash9 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash10 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash11 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
hash12 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
hash13 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
strings:
$s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii
$s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii
condition:
filesize < 900KB and all of them
}
rule Webshell_27_9_acid_c99_locus7s {
meta:
description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668"
hash4 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash5 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash6 = "5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3"
hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash8 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
strings:
$s0 = "$blah = ex($p2.\" /tmp/back \".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii
$s1 = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii
condition:
filesize < 1711KB and 1 of them
}
rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {
meta:
description = "Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..."
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
hash2 = "f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba"
hash3 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
hash4 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
hash5 = "6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a"
hash6 = "5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94"
hash7 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
hash8 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash9 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
hash10 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
hash11 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
strings:
$s1 = "$_POST['cmd'] = which('" ascii
$s2 = "$blah = ex(" fullword ascii
condition:
filesize < 600KB and all of them
}
rule Webshell_c100 {
meta:
description = "Detects Webshell - rule generated from from files c100 v. 777shell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash2 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash3 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash4 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash5 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash6 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
strings:
$s0 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii
$s1 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii
$s3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii
$s4 = "which wget curl w3m lynx" ascii
$s6 = "netstat -atup | grep IST" ascii
condition:
filesize < 685KB and 2 of them
}
rule Webshell_AcidPoison {
meta:
description = "Detects Poison Sh3ll - Webshell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash4 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash5 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash6 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash7 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
hash8 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
hash9 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash10 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
strings:
$s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii
condition:
filesize < 550KB and all of them
}
rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {
meta:
description = "Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash4 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash5 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii
$s2 = "foreach($quicklaunch2 as $item) {" fullword ascii
condition:
filesize < 882KB and all of them
}
rule Webshell_Ayyildiz {
meta:
description = "Detects Webshell - rule generated from from files Ayyildiz Tim -AYT- Shell v 2.1 Biz.txt, Macker's Private PHPShell.php, matamu.txt, myshell.txt, PHP Shell.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5"
hash2 = "9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a"
hash3 = "2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca"
hash4 = "77a63b26f52ba341dd2f5e8bbf5daf05ebbdef6b3f7e81cec44ce97680e820f9"
hash5 = "61c4fcb6e788c0dffcf0b672ae42b1676f8a9beaa6ec7453fc59ad821a4a8127"
strings:
$s0 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii
$s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii
condition:
filesize < 112KB and all of them
}
rule Webshell_zehir {
meta:
description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218"
hash2 = "0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6"
hash3 = "cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66"
hash4 = "b57bf397984545f419045391b56dcaf7b0bed8b6ee331b5c46cee35c92ffa13d"
hash5 = "febf37a9e8ba8ece863f506ae32ad398115106cc849a9954cbc0277474cdba5c"
strings:
$s1 = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii
$s2 = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii
condition:
filesize < 200KB and 1 of them
}
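Review bot: `filepath` in the line `and not filepath contains "AppData"` added to GIFCloaked_Webshell (hunk at -4723,6 +5051,7) is not a YARA built-in but an external variable that THOR supplies, so loading this file in plain yara fails with an undefined-identifier error unless the variable is defined on the command line (`-d filepath=""`); the header comment extended in the first hunk calls the file a THOR extract but does not name this dependency. A comment directly above the rule would make it explicit, e.g. `// requires external variable 'filepath' (set by THOR; plain yara needs -d filepath=...)`. Separately, a path exclusion this broad means a file that does match the content strings is silently dropped whenever its path contains "AppData", which is a coverage gap that deserves its own one-line comment stating why the exclusion is acceptable. The rule's header and string definitions start outside the hunk.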