/*
Yara Rule Set
Author: Brian Laskowski
Date: 2018-09-25
Identifier: shell1
Reference: https://github.com/Hestat/lw-yara/
*/
/* Rule Set ----------------------------------------------------------------- */
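rule infected_09_25_18_index {
    // Detects a defaced/backdoored Joomla 1.5 index.php: the stock front
    // controller with a prepended user-agent-gated block that serves a
    // defacement page. Most of the strings below are ordinary Joomla text, so
    // the condition requires at least one shell-specific string; the original
    // "8 of them" alone was satisfiable by a clean Joomla index.php under 7KB.
    meta:
        description = "shell1 - file index.php"
        author = "Brian Laskowski"
        reference = "https://github.com/Hestat/lw-yara/"
        date = "2018-09-25"
        hash1 = "d34230484525def656f5e7124b871515b3fb026d92496b8e89c0d7a0ac0e4ff9"
    strings:
        // --- Shell-specific content (the injected prefix and the defacement page). ---
        // The former $s3 was a byte-for-byte duplicate of $s1 and has been removed.
        $s1 = "<?php error_reporting(0); $r=$_SERVER[\"HTTP_USER_AGENT\"];if((preg_match(\"/MSIE 9.0; Windows NT 6.0; Trident\\/5.0/i\",$r)) OR" ascii
        $s11 = "t($_GET[\"z\"]))){echo \"<title>Hacked by d3b~X</title><center><div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - " ascii
        $s16 = "an Kamikaze - Coupdegrace - Mdn_newbie - Index Php <style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:" ascii
        // --- Stock Joomla 1.5 index.php text carried along by the sample. ---
        // Supporting evidence only: these also appear in a clean install.
        $s2 = "* Joomla! is free software. This version may have been modified pursuant" fullword ascii
        $s4 = "* See COPYRIGHT.php for copyright notices and details." fullword ascii
        $s5 = "* is derivative of works licensed under the GNU General Public License or" fullword ascii
        $s6 = "* to the GNU General Public License, and as distributed it includes or" fullword ascii
        $s7 = "Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved." fullword ascii
        $s8 = "echo JResponse::toString($mainframe->getCfg('gzip'));" fullword ascii
        $s9 = "require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );" fullword ascii
        $s10 = "* other free or open source software licenses." fullword ascii
        $s12 = "$option = JRequest::getCmd('option');" fullword ascii
        $s13 = "define( '_JEXEC', 1 );" fullword ascii
        $s14 = "require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );" fullword ascii
        $s15 = "* RETURN THE RESPONSE" fullword ascii
        $s17 = "$mainframe->authorize($Itemid);" fullword ascii
        $s18 = "$Itemid = JRequest::getInt( 'Itemid');" fullword ascii
        $s19 = "$mainframe =& JFactory::getApplication('site');" fullword ascii
        $s20 = "$Id: index.php 14401 2010-01-26 14:10:00Z louis $" fullword ascii
    condition:
        (
            // "<?" at offset 0: the sample starts with the injected PHP prefix.
            uint16(0) == 0x3f3c and
            filesize < 7KB and
            // At least one shell-specific string must be present so the Joomla
            // boilerplate ($s2..$s20) cannot reach the count on its own.
            any of ($s1, $s11, $s16) and
            8 of them
        ) or ( all of them )
}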