
/*
   Yara Rule Set
   Author: Brian Laskowski
   Date: 2018-09-25
   Identifier: shell1
   Reference: https://github.com/Hestat/lw-yara/
*/

/* Rule Set ----------------------------------------------------------------- */

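rule infected_09_25_18_index {
   meta:
      description = "shell1 - file index.php"
      author = "Brian Laskowski"
      reference = "https://github.com/Hestat/lw-yara/"
      date = "2018-09-25"
      hash1 = "d34230484525def656f5e7124b871515b3fb026d92496b8e89c0d7a0ac0e4ff9"
   strings:
      // Injected prologue: error suppression followed by a User-Agent test
      // before the payload branch. This is not part of a stock index.php.
      $s1 = "<?php error_reporting(0); $r=$_SERVER[\"HTTP_USER_AGENT\"];if((preg_match(\"/MSIE 9.0; Windows NT 6.0; Trident\\/5.0/i\",$r)) OR" ascii
      // $s2, $s4-$s10, $s12-$s15 and $s17-$s20 are Joomla index.php
      // boilerplate (license header, bootstrap calls, $Id tag) and also
      // occur in an unmodified install; they only add confidence here.
      $s2 = "* Joomla! is free software. This version may have been modified pursuant" fullword ascii
      // The original $s3 duplicated $s1 byte-for-byte and was dropped so the
      // same injected line is not counted twice toward "8 of them".
      $s4 = "* See COPYRIGHT.php for copyright notices and details." fullword ascii
      $s5 = "* is derivative of works licensed under the GNU General Public License or" fullword ascii
      $s6 = "* to the GNU General Public License, and as distributed it includes or" fullword ascii
      $s7 = "Copyright (C) 2005 - 2010 Open Source Matters. All rights reserved." fullword ascii
      $s8 = "echo JResponse::toString($mainframe->getCfg('gzip'));" fullword ascii
      $s9 = "require_once ( JPATH_BASE .DS.'includes'.DS.'framework.php' );" fullword ascii
      $s10 = "* other free or open source software licenses." fullword ascii
      // Defacement markup emitted by the injected branch.
      $s11 = "t($_GET[\"z\"]))){echo \"<title>Hacked by d3b~X</title><center><div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - " ascii
      $s12 = "$option = JRequest::getCmd('option');" fullword ascii
      $s13 = "define( '_JEXEC', 1 );" fullword ascii
      $s14 = "require_once ( JPATH_BASE .DS.'includes'.DS.'defines.php' );" fullword ascii
      $s15 = "* RETURN THE RESPONSE" fullword ascii
      // Continuation of the defacement page (names list and inline CSS).
      $s16 = "an Kamikaze - Coupdegrace - Mdn_newbie - Index Php <style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:" ascii
      $s17 = "$mainframe->authorize($Itemid);" fullword ascii
      $s18 = "$Itemid = JRequest::getInt( 'Itemid');" fullword ascii
      $s19 = "$mainframe =& JFactory::getApplication('site');" fullword ascii
      $s20 = "$Id: index.php 14401 2010-01-26 14:10:00Z louis $" fullword ascii
   condition:
      // At least one injected-code string is mandatory: a clean Joomla
      // index.php carries the sixteen boilerplate strings on its own, so
      // "8 of them" alone would fire on an unmodified file under 7KB.
      1 of ($s1, $s11, $s16) and
      (
         ( uint16(0) == 0x3f3c and
            filesize < 7KB and
            ( 8 of them )
         ) or ( all of them )
      )
}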

