Create MALW_Magento_backend.yar

bd52b371 · mmorenog · GitHub · ffa457ec · bd52b371
Commit bd52b371 authored Jan 10, 2017 by mmorenog Committed by GitHub Jan 10, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 253 additions and 0 deletions

MALW_Magento_backend.yar malware/MALW_Magento_backend.yar +253 -0

No files found.
--- a/malware/MALW_Magento_backend.yar
+++ b/malware/MALW_Magento_backend.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+
+*/
+/*
+ref : https://github.com/gwillem/magento-malware-scanner/blob/master/rules/backend.yar
+author : https://github.com/gwillem
+
+*/
+
+rule dump_sales_quote_payment {
+    strings: $ = "include '../../../../../../../../../../app/Mage.php'; Mage::app(); $q = Mage::getModel('sales/quote_payment')->getCollection();"
+    condition: any of them
+}
+rule dump_sales_order {
+    strings: $ = "../../../../../../app/Mage.php'; Mage::app(); var_dump(Mage::getModel('sales/order')"
+    condition: any of them
+}
+rule md5_64651cede2467fdeb1b3b7e6ff3f81cb {
+    strings: $ = "rUl6QttVEP5eqf9usxfJjgoOvdNWFSGoHDgluk+4ONwXQNbGniQLttfyrgkB8d9"
+    condition: any of them
+}
+rule md5_6bf4910b01aa4f296e590b75a3d25642 {
+    strings: $ = "base64_decode('b25lcGFnZXxnY19hZG1pbg==')"
+    condition: any of them
+}
+rule fopo_webshell {
+    strings: 
+        $ = "DNEcHdQbWtXU3dSMDA1VmZ1c29WUVFXdUhPT0xYb0k3ZDJyWmFVZlF5Y0ZEeHV4K2FnVmY0OUtjbzhnc0"
+        $ = "U3hkTVVibSt2MTgyRjY0VmZlQWo3d1VlaFJVNVNnSGZUVUhKZXdEbGxJUTlXWWlqWSt0cEtacUZOSXF4c"
+        $ = "rb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCt"
+    condition: any of them
+}
+rule eval_post {
+    strings:
+        $ = "eval(base64_decode($_POST"
+        $ = "eval($undecode($tongji))"
+        $ = "eval($_POST"
+    condition: any of them
+}
+rule spam_mailer {
+    strings:
+        $ = "<strong>WwW.Zone-Org</strong>"
+        $ = "echo eval(urldecode("
+    condition: any of them
+}
+rule md5_0105d05660329704bdb0ecd3fd3a473b {
+    /*
+		)){eval (${ $njap58}['q9e5e25' ])
+		) ) { eval ( ${$yed7 }['
+    */
+    strings: $ = /\)\s*\)\s*\{\s*eval\s*\(\s*\$\{/
+    condition: any of them
+}
+rule md5_0b1bfb0bdc7e017baccd05c6af6943ea {
+	/*
+		eval(hnsqqh($llmkuhieq, $dbnlftqgr));?>
+		eval(vW91692($v7U7N9K, $v5N9NGE));?>
+    */
+    strings: $ = /eval\([\w\d]+\(\$[\w\d]+, \$[\w\d]+\)\);/
+    condition: any of them
+}
+rule md5_2495b460f28f45b40d92da406be15627 {
+    strings: $ = "$dez = $pwddir.\"/\".$real;copy($uploaded, $dez);"
+    condition: any of them
+}
+rule md5_2c37d90dd2c9c743c273cb955dd83ef6 {
+    strings: $ = "@$_($_REQUEST['"
+    condition: any of them
+}
+rule md5_3ccdd51fe616c08daafd601589182d38 {
+    strings: $ = "eval(xxtea_decrypt"
+    condition: any of them
+}
+rule md5_4b69af81b89ba444204680d506a8e0a1 {
+    strings: $ = "** Scam Redirector"
+    condition: any of them
+}
+rule md5_71a7c769e644d8cf3cf32419239212c7 {
+	/*
+    // $GLOBALS['ywanc2']($GLOBALS['ggbdg61']
+    */
+    strings: $ = /\$GLOBALS\['[\w\d]+'\]\(\$GLOBALS\['[\w\d]+'\]/
+    condition: any of them
+}
+rule md5_825a3b2a6abbe6abcdeda64a73416b3d {
+	/*
+    // $ooooo00oo0000oo0oo0oo00ooo0ooo0o0o0 = gethostbyname($_SERVER["SERVER_NAME"]);
+    // if(!oo00o0OOo0o00O("fsockopen"))
+    // strings: $ = "$ooooo00oo0000oo0"
+    */
+    strings: $ = /[o0O]{3}\("fsockopen"\)/
+    condition: any of them
+}
+rule md5_87cf8209494eedd936b28ff620e28780 {
+    strings: $ = "curl_close($cu);eval($o);};die();"
+    condition: any of them
+}
+rule md5_9b59cb5b557e46e1487ef891cedaccf7 {
+    strings: 
+        $jpg = { FF D8 FF E0 ?? ?? 4A 46 49 46 00 01 }
+		/*
+        // https://en.wikipedia.org/wiki/List_of_file_signatures
+        // magic module is not standard compiled in on our platform
+        // otherwise: condition: magic.mime_type() == /^image/
+        // $jpg = { 4A 46 49 46 00 01 }
+        */
+        $php = "<?php"
+    condition: ($jpg at 0) and $php
+}
+rule md5_c647e85ad77fd9971ba709a08566935d {
+    strings: $ = "fopen(\"cache.php\", \"w+\")"
+    condition: any of them
+}
+rule md5_fb9e35bf367a106d18eb6aa0fe406437 {
+    strings: $ = "0B6KVua7D2SLCNDN2RW1ORmhZRWs/sp_tilang.js"
+    condition: any of them
+}
+rule md5_8e5f7f6523891a5dcefcbb1a79e5bbe9 {
+    strings: $ = "if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])) {echo '<b>up!!!</b><br><br>';}}"
+    condition: any of them
+}
+rule indoexploit_autoexploiter {
+    strings: $ = "echo \"IndoXploit - Auto Xploiter\""
+    condition: any of them
+}
+rule eval_base64_decode_a {
+    strings: $ = "eval(base64_decode($a));"
+    condition: any of them
+}
+rule obfuscated_eval {
+    strings: 
+	$ = /\\x65\s*\\x76\s*\\x61\s*\\x6C/
+	$ = "\"/.*/e\""
+    condition: any of them
+}
+rule md5_50be694a82a8653fa8b31d049aac721a {
+    strings: $ = "(preg_match('/\\/admin\\/Cms_Wysiwyg\\/directive\\/index\\//', $_SERVER['REQUEST_URI']))"
+    condition: any of them
+}
+rule md5_ab63230ee24a988a4a9245c2456e4874 {
+    strings: $ = "eval(gzinflate(base64_decode(str_rot13(strrev("
+    condition: any of them
+}
+rule md5_b579bff90970ec58862ea8c26014d643 {
+    /* forces php execution of image files, dropped in an .htaccess file under media */
+    strings: $ = /<Files [^>]+.(jpg|png|gif)>\s*ForceType application\/x-httpd-php/
+    condition: any of them
+}
+rule md5_d30b23d1224438518d18e90c218d7c8b {
+    strings: $ = "attribute_code=0x70617373776f72645f68617368"
+    condition: any of them
+}
+rule md5_24f2df1b9d49cfb02d8954b08dba471f {
+    strings: $ = "))unlink('../media/catalog/category/'.basename($"
+    condition: any of them
+}
+rule base64_hidden_in_image {
+    strings: $ = /JPEG-1\.1[a-zA-Z0-9\-\/]{32}/
+    condition: any of them
+}
+rule hide_data_in_jpeg {
+    strings: $ = /file_put_contents\(\$.{2,3},'JPEG-1\.1'\.base64_encode/
+    condition: any of them
+}
+rule hidden_file_upload_in_503 {
+    strings: $ = /error_reporting\(0\);\$f=\$_FILES\[\w+\];copy\(\$f\[tmp_name\],\$f\[name\]\);error_reporting\(E_ALL\);/
+    condition: any of them
+}
+rule md5_fd141197c89d27b30821f3de8627ac38 {
+    strings: $ = "if(isset($_GET['do'])){$g0='adminhtml/default/default/images'"
+    condition: any of them
+}
+rule visbot {
+    strings:
+		$ = "stripos($buf, 'Visbot')!==false && stripos($buf, 'Pong')!==false"
+		$ = "stripos($buf, 'Visbot') !== false && stripos($buf, 'Pong')"
+    condition: any of them
+}
+rule md5_39ca2651740c2cef91eb82161575348b {
+    strings: $ = /if\(md5\(@\$_COOKIE\[..\]\)=='.{32}'\) \(\$_=@\$_REQUEST\[.\]\).@\$_\(\$_REQUEST\[.\]\);/
+    condition: any of them
+}
+rule md5_4c4b3d4ba5bce7191a5138efa2468679 {
+    strings:
+        $ = "<?PHP /*** Magento** NOTICE OF LICENSE** This source file is subject to the Open Software License (OSL 3.0)* that is bundled with this package in the file LICENSE.txt.* It is also available through the world-wide-web at this URL:* http://opensource.org/licenses/osl-3.0.php**/$"
+        $ = "$_SERVER['HTTP_USER_AGENT'] == 'Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'"
+    condition: any of them
+}
+rule md5_6eb201737a6ef3c4880ae0b8983398a9 {
+    strings:
+        $ = "if(md5(@$_COOKIE[qz])=="
+        $ = "($_=@$_REQUEST[q]).@$_($_REQUEST[z]);"
+    condition: all of them
+}
+rule md5_d201d61510f7889f1a47257d52b15fa2 {
+    strings: $ = "@eval(stripslashes($_REQUEST[q]));"
+    condition: any of them
+}
+rule md5_06e3ed58854daeacf1ed82c56a883b04 {
+    strings: $ = "$log_entry = serialize($ARINFO)"
+    condition: any of them
+}
+rule md5_28690a72362e021f65bb74eecc54255e {
+    strings: $ = "curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));"
+    condition: any of them
+}
+rule overwrite_globals_hack {
+    strings: $ = /\$GLOBALS\['[^']{,20}'\]=Array\(/
+    condition: any of them
+}
+rule md5_4adef02197f50b9cc6918aa06132b2f6 {
+    /* { eval($cco37(${ $kasd1}[ 'n46b398' ] ) );} */
+    strings: $ = /\{\s*eval\s*\(\s*\$.{1,5}\s*\(\$\{\s*\$.{1,5}\s*\}\[\s*'.{1,10}'\s*\]\s*\)\s*\);\}/
+    condition: any of them
+}
+rule obfuscated_globals {
+    /* $GLOBALS['y63581'] = "\x43 */
+    strings: $ = /\$GLOBALS\['.{1,10}'\] = "\\x/
+    condition: any of them
+}
+rule ld_preload_backdoor {
+    strings: $ = "killall -9 \".basename(\"/usr/bin/host"
+    condition: any of them
+}
+rule fake_magentoupdate_site {
+    strings: $ = "magentopatchupdate.com"
+    condition: any of them
+}
+rule md5_b3ee7ea209d2ff0d920dfb870bad8ce5 {
+    strings:
+        $ = /\$mysql_key\s*=\s*@?base64_decode/
+        $ = /eval\(\s*\$mysql_key\s*\)/
+    condition: all of them
+}
+rule md5_e03b5df1fa070675da8b6340ff4a67c2 {
+    strings:
+        $ = /if\(preg_match\("\/onepage\|admin\/",\s*\$_SERVER\['REQUEST_URI'\]\)\)\{\s*@?file_put_contents/
+        $ = /@?base64_encode\(serialize\(\$_REQUEST\)\."--"\.serialize\(\$_COOKIE\)\)\."\\n",\s*FILE_APPEND\)/
+    condition: any of them
+}
+rule md5_023a80d10d10d911989e115b477e42b5 {
+    strings: $ = /chr\(\d{,3}\)\.\"\"\.chr\(\d{,3}\)/
+    condition: any of them
+}
+rule md5_4aa900ddd4f1848a15c61a9b7acd5035 {
+    strings: $ = "'base'.(128/2).'_de'.'code'"
+    condition: any of them
+}
+rule md5_f797dd5d8e13fe5c8898dbe3beb3cc5b {
+    strings: $ = "echo(\"FILE_Bad\");"
+    condition: any of them
+}