[ SEA-GHOST MINI SHELL]

Path : /proc/2/task/2/cwd/usr/local/scan/lw-yara/includes/
FILE UPLOADER :
Current File : //proc/2/task/2/cwd/usr/local/scan/lw-yara/includes/mass_bot_exploite_master.yar

/*
   Yara Rule Set
   Author: Brian Laskowski
   Date: 2018-07-15
   Identifier: mass-bot-exploite-master
   Reference: https://github.com/Hestat/lw-yara
*/

/* Rule Set ----------------------------------------------------------------- */

rule _07_14_18_mass_bot_exploite_master_exm {
   meta:
      description = "mass-bot-exploite-master - file exm.pl"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "d94d145bc8e7f6c72eeee1c77a7f5682c2f614b90f0e4731c144c38dd8ec2efe"
   strings:
      $x1 = "my $V_CF=(\"<a href=\\\"http:\\/\\/www.cloudflare.com\\/\\\" target=\\\"_blank\\\" style|DDoS protection by CloudFlare\");" fullword ascii
      $x2 = "my $V_OSC=(\"Powered by osCommerce|<a href=\\\"http:\\/\\/www.oscommerce.com\\\" target=\\\"_blank\\\">osCommerce\");" fullword ascii
      $x3 = "my $responde = HTTP::Request->new(POST => $url.\"/admin/sqlpatch.php/password_forgotten.php?action=execute\");" fullword ascii
      $x4 = "my $V_MX=(\"<a href=\\\"http:\\/\\/www.modx.com\\\" target=\\\"_blank\\\"> Powered by MODx\");" fullword ascii
      $x5 = "my $V_ZC=(\"all rights reserved Zen Cart|<a href=\\\"http:\\/\\/www.zen-cart.com\\\" target=\\\"_blank\\\">Zen Cart\");" fullword ascii
      $x6 = "my $V_SS=(\"<meta name=\\\"generator\\\" content=\\\"SilverStripe - http:\\/\\/silverstripe.org\\\" \\/>\");" fullword ascii
      $x7 = "my $exploitx = $ua->post(\"$jdup\", Cookie => \"\", Content_Type => \"form-data\", Content => [ name=>\"M0B\", mail=>\"M0B\\@gma" ascii
      $x8 = "my $exploit = $ua->post(\"$jdup\", Cookie => \"\", Content_Type => \"form-data\", Content => [ name=>\"M0B\", mail=>\"M0B\\@gmai" ascii
      $x9 = "my $exploitx = $ua->post(\"$jdup\", Cookie => \"\", Content_Type => \"form-data\", Content => [ name=>\"M0B\", mail=>\"MOB\\@gma" ascii
      $x10 = "$wget = \"wget https://gist.githubusercontent.com/rawachraf/b7e48c421f263ca15f4c518f8092357b/raw/42db64456f9310d40140273f53dd315" ascii
      $x11 = "my $url = \"$site/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=$year&Month=$month\";" fullword ascii
      $x12 = "my $revpindol = $ua->get(\"$site/wp-content/themes/pindol/revslider/temp/update_extract/revslider/l.php?X=M0B\")->content;" fullword ascii
      $x13 = "my $revcentum = $ua->get(\"$site/wp-content/themes/centum/revslider/temp/update_extract/revslider/l.php?X=M0B\")->content;" fullword ascii
      $x14 = "my $V_MyBB=(\"Powered By <a href=\\\"http:\\/\\/www.mybboard.net\\\" target=\\\"_blank\\\">MyBB\");" fullword ascii
      $x15 = "print TEXT \"$site/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/revslider/l.php?X=M0B\\n\";" fullword ascii
      $x16 = "print TEXT \"$site/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/revslider/l.php?X=M0B\\n\";" fullword ascii
      $x17 = "print TEXT \"$site/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/revslider/l.php?X=M0B\\n\";" fullword ascii
      $x18 = "print TEXT \"$site/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/revslider/l.php?X=M0B\\n\";" fullword ascii
      $x19 = "print TEXT \"$site/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/revslider/l.php?X=M0B\\n\";" fullword ascii
      $x20 = "my $revs = $ua->get(\"$site/wp-content/plugins/revslider/temp/update_extract/revslider/l.php?X=M0B\")->content;" fullword ascii
   condition:
      ( uint16(0) == 0x2323 and
         filesize < 400KB and
         ( 1 of ($x*) )
      ) or ( all of them )
}

rule _media_brian_88D1_7DB91_infected_07_14_18_mass_bot_exploite_master_go {
   meta:
      description = "mass-bot-exploite-master - file go.zip"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "b192d91e3c7ec48233cdad6b38222df339ab7d1acc713df438272866235b27a5"
   strings:
      $s1 = "M0B/l.php" fullword ascii
   condition:
      ( uint16(0) == 0x4b50 and
         filesize < 1KB and
         ( all of them )
      ) or ( all of them )
}

rule _07_14_18_mass_bot_exploite_master_magento {
   meta:
      description = "mass-bot-exploite-master - file magento.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "d0cde786678d10bc512baf7d11f8387b8d56b6d1f7e0c13333b23efede591fe8"
   strings:
      //$x1 = "<link rel=\"shortcut icon\" href=\"http://tommiesports.com/images/setup/header_logo.png\" />" fullword ascii
      //$x2 = "* $file = fopen(\"mrspy.htm\",\"a\"); // add by mister spy just to get rzlt :D :p ask wahib later about this fucking prob" fullword ascii
      //$x3 = "* $file = fopen(\"mrspy.htm\",\"a\"); // add by mister spy just to get rzlt :D :p ask wahib later about this fuckin" fullword ascii
      //$x4 = "curl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0." fullword ascii
      //$s5 = "$postlog = \"form_key=3ryAIBlm7bJ3naj9&login%5Busername%5D=hydra&login%5Bpassword%5D=hydra77\";" fullword ascii
      //$s6 = "$misterspy = \"[Magento] $site/admin/ user : hydra  pass :hydra77 \\n\";" fullword ascii
      //$s7 = "file_put_contents(\"../BotV2/brute.txt\", $misterspy, FILE_APPEND | LOCK_EX);" fullword ascii
      //$s8 = "G5hbWUnKTs%3D&___directive=e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ&forwarded=1\";" fullword ascii
      //$s9 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      $s10 = "$pagedwn = \"/downloader/\";" fullword ascii
      //$s11 = "$postdwn = \"username=hydra&password=hydra77\";" fullword ascii
      //$s12 = "curl_setopt($ch, CURLOPT_USERAGENT, \"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" ascii
      //$s13 = "$ceklog = stupid_CURL($site, $postlog, $pagelog);" fullword ascii
      //$s14 = "curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt');" fullword ascii
      $s15 = "* fwrite($file,$misterspy);" fullword ascii
      //$s16 = "<!-- By the way no one is the real coder of this shit :)  -->" fullword ascii
      //$s17 = "$dwnlog = \"Login Success\";" fullword ascii
      //$s18 = "$headers[] = 'Content-Type: application/x-www-form-urlencoded';" fullword ascii
      //$s19 = "curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);" fullword ascii
      //$s20 = "$hajar = stupid_CURL($site, $postadm, $pageadm);" fullword ascii
   condition:
      ( uint16(0) == 0x213c and
         filesize < 10KB and
         ( 1 of ($x*) and 4 of them )
      ) or ( all of them )
}

rule The_anvenger_Bot {
   meta:
      description = "mass-bot-exploite-master - file The anvenger Bot.zip"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "1d2e4ef7f9d92bfe786477cb744cef76782195f62efa24e8f2ff38d69534a94b"
   strings:
      $s1 = ".git/logs/refs/remotes/origin/HEAD" fullword ascii
      $s2 = ".git/logs/refs/heads/master" fullword ascii
      $s3 = ".git/logs/refs/remotes/origin/PK" fullword ascii
      $s4 = ".git/refs/remotes/origin/HEAD+JM" fullword ascii
      $s5 = ".git/logs/refs/heads/PK" fullword ascii
      $s6 = ".git/logs/refs/heads/" fullword ascii
      $s7 = "mycookies.txt" fullword ascii
      $s8 = ".git/logs/HEAD" fullword ascii
      $s9 = ".git/logs/refs/remotes/PK" fullword ascii
      $s10 = ".git/logs/refs/remotes/origin/" fullword ascii
      $s11 = ".git/refs/remotes/origin/HEAD" fullword ascii
      $s12 = ".git/logs/refs/remotes/" fullword ascii
      $s13 = "magento.php" fullword ascii
      $s14 = ".git/hooks/prepare-commit-msg.sampleuS]O" fullword ascii
      $s15 = ".git/hooks/post-update.sample-" fullword ascii
      $s16 = ".git/hooks/post-update.sample" fullword ascii
      $s17 = "mycookies.txtS" fullword ascii
      $s18 = ".git/hooks/prepare-commit-msg.sample" fullword ascii
      $s19 = ".git/hooks/pre-commit.samplemTao" fullword ascii
      $s20 = "www~~~" fullword ascii /* reversed goodware string '~~~www' */
   condition:
      ( uint16(0) == 0x4b50 and
         filesize < 1000KB and
         ( 8 of them )
      ) or ( all of them )
}

rule _07_14_18_mass_bot_exploite_master_mob {
   meta:
      description = "mass-bot-exploite-master - file mob.txt"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "dc10b31cb9e3c8c30c80a9ca3fcd17de41cac1b1937b84ee12ddd802017b02a5"
   strings:
      $s1 = "## HACked By The anvenger" fullword ascii
   condition:
      ( uint16(0) == 0x5546 and
         filesize < 1KB and
         ( all of them )
      ) or ( all of them )
}

rule TryagFileManager {
   meta:
      description = "mass-bot-exploite-master - file TryagFileManager.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "e32a7a80127f4d5be15a811c9f52b0698f2b73e5d65d48808462b074b9131856"
   strings:
      $x1 = "<span>Execute Command\\'s : </span><input name=\"cmd\" type=\"text\" id=\"c\" autofocus>" fullword ascii
      $x2 = "<div id=\"footer\"><p>Tryag File Manager Version <font color=\"red\">2.0</font>, Coded By <font color=\"red\">G-B</font><p>Mod" fullword ascii
      $s3 = "echo '<textarea cols=100 rows=30%>'.exec_all($_POST['cmd']).'</textarea>';" fullword ascii
      $s4 = "$handle = proc_open($command ,$descriptorspec , $pipes); // This will return the output to an array 'pipes'" fullword ascii
      $s5 = "<div id=\"footer\"><p>Tryag File Manager Version <font color=\"red\">2.0</font>, Coded By <font color=\"red\">G-B</font><p>Modde" ascii
      $s6 = "$output = shell_exec($command);" fullword ascii
      $s7 = "<form method=\"POST\" action=\"?path='.$currentpathen.'&exec\" onSubmit=\"Encoder(\\'c\\')\">" fullword ascii
      $s8 = "<div id=\"menu\"><a href=\"?path='.$currentpathen.'\">Home</a> - <a href=\"?path='.$currentpathen.'&cpanel\">Turbo Force</a> -" fullword ascii
      $s9 = "$handle = popen($command , \"r\"); // Open the command pipe for reading" fullword ascii
      $s10 = "$passwords = base64_decode($_POST['passwords']);" fullword ascii
      $s11 = "echo \"Tryag~ Username (<font color=red>$username</font>) Password (<font color=red>$password</font>)<br />\";" fullword ascii
      $s12 = "if(isset($_POST['usernames']) && isset($_POST['passwords'])){" fullword ascii
      $s13 = "ded by : Slotleet<br />Website: <font color=\"red\">Sec4ever.com</font></p></div>" fullword ascii
      $s14 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      $s15 = "function exec_all($command)" fullword ascii
      $s16 = "}elseif(isset($_GET['option']) && $_POST['opt'] != 'delete' || (isset($_GET['new']) && $_POST['type'] == 'file')){" fullword ascii
      $s17 = "header('Content-Disposition: attachment; filename=\"'.$_POST['name'].'\"');" fullword ascii
      $s18 = "$co = mysql_connect('localhost',$username,$password);" fullword ascii
      $s19 = "if(isset($_GET['option']) && $_POST['opt'] == 'download'){" fullword ascii
      $s20 = "\"<font size='2'>&quot;Listen to many, speak to a few.&quot;</font> <font size='1' color='gray'>William Shakespeare</font>\"," fullword ascii
   condition:
      ( uint16(0) == 0x3f3c and
         filesize < 80KB and
         ( 1 of ($x*) and 4 of them )
      ) or ( all of them )
}

rule _07_14_18_mass_bot_exploite_master_drupal {
   meta:
      description = "mass-bot-exploite-master - file drupal.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "c32739ff73892d0307cbbef1b2325c6caf09888da613e428d5ab5d9bf8a6fd08"
   strings:
      //$s1 = "$post_data = \"name[0;update users set name %3D 'gassrini' , pass %3D '\" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdD" fullword ascii
      $s2 = "$data = file_get_contents($url . '/user/login/', null, $ctx);" fullword ascii
      //$s3 = "%3D'1' where uid %3D '1';#]=test3&name[]=Crap&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in\";" fullword ascii
      //$s4 = "echo \"Success! Log in with username \\\"gassrini\\\" and password \\\"admin\\\" at {$url}/user/login\";" fullword ascii
      //$s5 = "Drupal Exploiter GS-Bot |CODED FALLAGASSRINI" fullword ascii
     //$s6 = "%3D'1' where uid %3D '1';#]=FcUk&name[]=Crap&pass=test&form_build_id=&form_id=user_login&op=Log+in\";" fullword ascii
      //$s7 = "echo \"Error! Either the website isn't vulnerable, or your Internet isn't working. \";" fullword ascii
      //$s8 = "echo \"<h3>Testing at \\\"/user/login/</h3>\\\"\";" fullword ascii
      //$s9 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      //$s10 = "Site : <input type=\"text\" name=\"url\" placeholder=\"Example: www.site.com\">" fullword ascii
      $s11 = "$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);" fullword ascii
      //$s12 = "if((stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data)|| (stristr($data, 'FcUk Crap') && $data)) {" fullword ascii
      //$s13 = "'header' => \"Content-Type: application/x-www-form-urlencoded\\r\\n\"," fullword ascii
      //$s14 = "$post_data = \"name[0;update users set name %3D 'gassrini' , pass %3D '\" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkY" ascii
      //$s15 = "'content' => $post_data" fullword ascii
      //$s16 = "$url = \"http://\".$_GET['url'].\"/\";" fullword ascii
      //$s17 = "<form method=\"GET\" action=\"\">" fullword ascii
      //$s18 = "if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {" fullword ascii
      //$s19 = "echo \"<h3>Testing at \\\"Index</h3>\\\"\";" fullword ascii
      //$s20 = "if(isset($_GET" fullword ascii
   condition:
      all of them 
}

rule _07_14_18_mass_bot_exploite_master_l_html {
   meta:
      description = "mass-bot-exploite-master - file l.html.j"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "2e4f5cc1f4732b4bcb54d259e95f8750dce61332e0ecc2ee924fa2fcf15ffb8c"
   strings:
      $s1 = "<script type=\"text/javascript\" src=\"http://www.codejquery.net/jquery.mins.js\" ></script>" fullword ascii
      //$s2 = "<input name=\"submit\" type=\"submit\" value=\"upload\" />  </form>  </center></td></tr> </table><br>'; " fullword ascii
      //$s3 = "if (!empty ($_FILES['uploads'])) {     move_uploaded_file($_FILES['uploads']['tmp_name'],$_FILES['uploads']['name']);    " fullword ascii
      //$s4 = "echo 'The anvenger'.'<br>'.'Uname:'.php_uname().'<br>'.$cwd = getcwd(); " fullword ascii
      //$s5 = "<center>  <form method=\"post\" target=\"_self\" enctype=\"multipart/form-data\">  <input type=\"file\" size=\"20\" name=\"uploa" ascii
      //$s6 = "FILES['uploads']['size'].\"<br>type : \".$_FILES['uploads']['type']; } " fullword ascii
   condition:
      ( uint16(0) == 0x3f3c and
         filesize < 2KB and
         ( all of them )
      ) or ( all of them )
}

rule _07_14_18_mass_bot_exploite_master_index {
   meta:
      description = "mass-bot-exploite-master - file index.jpg"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara"
      date = "2018-07-15"
      hash1 = "a53125a6056e318c7dc5e988d425d7194cc9f7cb4a45d40a61c33a79932c040f"
   strings:
      $s1 = "anvenger"
      $s2 = "uploads"
      $s3 = "<?php"
      //$s4 = "echo 'The anvenger'.'<br>'.'Uname:'.php_uname().'<br>'.$cwd = getcwd(); " fullword ascii
      //$s5 = "<center>  <form method=\"post\" target=\"_self\" enctype=\"multipart/form-data\">  <input type=\"file\" size=\"20\" name=\"uploa" ascii
      //$s6 = "FILES['uploads']['size'].\"<br>type : \".$_FILES['uploads']['type']; } " fullword ascii
   condition:
      all of them
}

/* Super Rules ------------------------------------------------------------- */


SEA-GHOST - SHELL CODING BY SEA-GHOST