[ SEA-GHOST MINI SHELL]
Path : /var/lib/clamav/ |
|
Current File : //var/lib/clamav/rfxn.yara |
rule asp_file : webshell {
meta:
description = "Laudanum Injector Tools - file file.asp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "ff5b1a9598735440bdbaa768b524c639e22f53c5"
strings:
$s1 = "' *** Written by Tim Medin <tim@counterhack.com>" fullword ascii
$s2 = "Response.BinaryWrite(stream.Read)" fullword ascii
$s3 = "Response.Write(Response.Status & Request.ServerVariables(\"REMOTE_ADDR\"))" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "%><a href=\"<%=Request.ServerVariables(\"URL\")%>\">web root</a><br/><%" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "set folder = fso.GetFolder(path)" fullword ascii
$s6 = "Set file = fso.GetFile(filepath)" fullword ascii
condition:
uint16(0) == 0x253c and filesize < 30KB and 5 of them
}
rule php_killnc : webshell {
meta:
description = "Laudanum Injector Tools - file killnc.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
strings:
$s1 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "header(\"HTTP/1.0 404 Not Found\");" fullword ascii
$s3 = "<?php echo exec('killall nc');?>" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<title>Laudanum Kill nc</title>" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "foreach ($allowedIPs as $IP) {" fullword ascii
condition:
filesize < 15KB and 4 of them
}
rule asp_shell : webshell {
meta:
description = "Laudanum Injector Tools - file shell.asp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "8bf1ff6f8edd45e3102be5f8a1fe030752f45613"
strings:
$s1 = "<form action=\"shell.asp\" method=\"POST\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "%ComSpec% /c dir" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Set objCmd = wShell.Exec(cmd)" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Server.ScriptTimeout = 180" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "cmd = Request.Form(\"cmd\")" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "' *** http://laudanum.secureideas.net" fullword ascii
$s7 = "Dim wshell, intReturn, strPResult" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 15KB and 4 of them
}
rule settings : webshell {
meta:
description = "Laudanum Injector Tools - file settings.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
strings:
$s1 = "Port: <input name=\"port\" type=\"text\" value=\"8888\">" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<li>Reverse Shell - " fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<li><a href=\"<?php echo plugins_url('file.php', __FILE__);?>\">File Browser</a>" ascii /* PEStudio Blacklist: strings */
condition:
filesize < 13KB and all of them
}
rule asp_proxy : webshell {
meta:
description = "Laudanum Injector Tools - file proxy.asp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "51e97040d1737618b1775578a772fa6c5a31afd8"
strings:
$s1 = "'response.write \"<br/> -value:\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" fullword ascii
$s4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "s = urlscheme & urlhost & urlport & urlpath" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 50KB and all of them
}
rule cfm_shell : webshell {
meta:
description = "Laudanum Injector Tools - file shell.cfm"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "885e1783b07c73e7d47d3283be303c9719419b92"
strings:
$s1 = "Executable: <Input type=\"text\" name=\"cmd\" value=\"cmd.exe\"><br>" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<cfif ( #suppliedCode# neq secretCode )>" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<cfif IsDefined(\"form.cmd\")>" fullword ascii
condition:
filesize < 20KB and 2 of them
}
rule aspx_shell : webshell{
meta:
description = "Laudanum Injector Tools - file shell.aspx"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
strings:
$s1 = "remoteIp = HttpContext.Current.Request.Headers[\"X-Forwarded-For\"].Split(new" ascii /* PEStudio Blacklist: strings */
$s2 = "remoteIp = Request.UserHostAddress;" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<form method=\"post\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<body onload=\"document.shell.c.focus()\">" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 20KB and all of them
}
rule php_shell : webshell{
meta:
description = "Laudanum Injector Tools - file shell.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
strings:
$s1 = "command_hist[current_line] = document.shell.command.value;" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "array_unshift($_SESSION['history'], $command);" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 40KB and all of them
}
rule php_reverse_shell : webshell {
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "3ef03bbe3649535a03315dcfc1a1208a09cea49d"
strings:
$s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "printit(\"Successfully opened reverse shell to $ip:$port\");" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "$input = fread($pipes[1], $chunk_size);" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 15KB and all of them
}
rule php_dns : webshell{
meta:
description = "Laudanum Injector Tools - file dns.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
strings:
$s1 = "$query = isset($_POST['query']) ? $_POST['query'] : '';" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "$result = dns_get_record($query, $types[$type], $authns, $addtl);" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "foreach (array_keys($types) as $t) {" fullword ascii
condition:
filesize < 15KB and all of them
}
rule WEB_INF_web : webshell{
meta:
description = "Laudanum Injector Tools - file web.xml"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "0251baed0a16c451f9d67dddce04a45dc26cb4a3"
strings:
$s1 = "<servlet-name>Command</servlet-name>" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<jsp-file>/cmd.jsp</jsp-file>" fullword ascii
condition:
filesize < 1KB and all of them
}
rule jsp_cmd : webshell {
meta:
description = "Laudanum Injector Tools - file cmd.war"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "55e4c3dc00cfab7ac16e7cfb53c11b0c01c16d3d"
strings:
$s0 = "cmd.jsp}" fullword ascii
$s1 = "cmd.jspPK" fullword ascii
$s2 = "WEB-INF/web.xml" fullword ascii /* Goodware String - occured 1 times */
$s3 = "WEB-INF/web.xmlPK" fullword ascii /* Goodware String - occured 1 times */
$s4 = "META-INF/MANIFEST.MF" fullword ascii /* Goodware String - occured 12 times */
condition:
uint16(0) == 0x4b50 and filesize < 2KB and all of them
}
rule laudanum : webshell {
meta:
description = "Laudanum Injector Tools - file laudanum.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
strings:
$s1 = "public function __activate()" fullword ascii
$s2 = "register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 5KB and all of them
}
rule php_file : webshell{
meta:
description = "Laudanum Injector Tools - file file.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "7421d33e8007c92c8642a36cba7351c7f95a4335"
strings:
$s1 = "$allowedIPs =" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<a href=\"<?php echo $_SERVER['PHP_SELF'] ?>\">Home</a><br/>" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "$dir = isset($_GET[\"dir\"]) ? $_GET[\"dir\"] : \".\";" fullword ascii
$s4 = "$curdir .= substr($curdir, -1) != \"/\" ? \"/\" : \"\";" fullword ascii
condition:
filesize < 10KB and all of them
}
rule warfiles_cmd : webshell {
meta:
description = "Laudanum Injector Tools - file cmd.jsp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "3ae3d837e7b362de738cf7fad78eded0dccf601f"
strings:
$s1 = "Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">" fullword ascii
$s4 = "String disr = dis.readLine();" fullword ascii
condition:
filesize < 2KB and all of them
}
rule asp_dns : webshell{
meta:
description = "Laudanum Injector Tools - file dns.asp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "5532154dd67800d33dace01103e9b2c4f3d01d51"
strings:
$s1 = "command = \"nslookup -type=\" & qtype & \" \" & query " fullword ascii /* PEStudio Blacklist: strings */
$s2 = "Set objCmd = objWShell.Exec(command)" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Response.Write command & \"<br>\"" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<form name=\"dns\" method=\"POST\">" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 21KB and all of them
}
rule php_reverse_shell_2 : webshell{
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "025db3c3473413064f0606d93d155c7eb5049c42"
strings:
$s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
$s7 = "$shell = 'uname -a; w; id; /bin/sh -i';" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 10KB and all of them
}
rule Laudanum_Tools_Generic : webshell Toolkit{
meta:
description = "Laudanum Injector Tools"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
super_rule = 1
hash0 = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
hash1 = "885e1783b07c73e7d47d3283be303c9719419b92"
hash2 = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
hash3 = "7421d33e8007c92c8642a36cba7351c7f95a4335"
hash4 = "f49291aef9165ee4904d2d8c3cf5a6515ca0794f"
hash5 = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
hash6 = "f32b9c2cc3a61fa326e9caebce28ef94a7a00c9a"
hash7 = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
hash8 = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
hash9 = "b50ae35fcf767466f6ca25984cc008b7629676b8"
hash10 = "5570d10244d90ef53b74e2ac287fc657e38200f0"
hash11 = "42bcb491a11b4703c125daf1747cf2a40a1b36f3"
hash12 = "83e4eaaa2cf6898d7f83ab80158b64b1d48096f4"
hash13 = "dec7ea322898690a7f91db9377f035ad7072b8d7"
hash14 = "a2272b8a4221c6cc373915f0cc555fe55d65ac4d"
hash15 = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
hash16 = "43320dc23fb2ed26b882512e7c0bfdc64e2c1849"
strings:
$s1 = "*** laudanum@secureideas.net" fullword ascii
$s2 = "*** Laudanum Project" fullword ascii
condition:
filesize < 60KB and all of them
}
/*
I first found this in May 2016, appeared in every PHP file on the
server, cleaned it with `sed` and regex magic. Second time was
in June 2016, same decoded content, different encoding/naming.
https://www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99
*/
rule php_anuna
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches a PHP Trojan"
strings:
$a = /<\?php \$[a-z]+ = '/
$b = /\$[a-z]+=explode\(chr\(\([0-9]+[-+][0-9]+\)\)/
$c = /\$[a-z]+=\([0-9]+[-+][0-9]+\)/
$d = /if \(!function_exists\('[a-z]+'\)\)/
condition:
all of them
}
/*
Finds PHP code in JP(E)Gs, GIFs, PNGs.
Magic numbers via Wikipedia.
*/
rule php_in_image
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Finds image files w/ PHP code in images"
strings:
$gif = /^GIF8[79]a/
$jfif = { ff d8 ff e? 00 10 4a 46 49 46 }
$png = { 89 50 4e 47 0d 0a 1a 0a }
$php_tag = "<?php"
condition:
(($gif at 0) or
($jfif at 0) or
($png at 0)) and
$php_tag
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
THOR APT Scanner - Web Shells Extract
This rulset is a subset of all hack tool rules included in our
APT Scanner THOR - the full featured APT scanner
We will frequently update this file with new rules rated TLP:WHITE
Florian Roth
BSK Consulting GmbH
Web: bsk-consulting.de
revision: 20150122
*/
rule Weevely_Webshell : webshell {
meta:
description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
author = "Florian Roth"
reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html"
date = "2014/12/14"
score = 60
strings:
$php = "<?php" ascii
$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
condition:
$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
}
rule webshell_h4ntu_shell_powered_by_tsoi_ : webshell {
meta:
description = "Web Shell - file h4ntu shell [powered by tsoi].php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "06ed0b2398f8096f1bebf092d0526137"
strings:
$s0 = " <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>Server Adress:</b"
$s3 = " <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>User Info:</b> ui"
$s4 = " <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><?= $info ?>: <?= "
$s5 = "<INPUT TYPE=\"text\" NAME=\"cmd\" value=\"<?php echo stripslashes(htmlentities($"
condition:
all of them
}
rule webshell_PHP_sql : webshell {
meta:
description = "Web Shell - file sql.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "2cf20a207695bbc2311a998d1d795c35"
strings:
$s0 = "$result=mysql_list_tables($db) or die (\"$h_error<b>\".mysql_error().\"</b>$f_"
$s4 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
condition:
all of them
}
rule webshell_PHP_a : webshell {
meta:
description = "Web Shell - file a.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e3b461f7464d81f5022419d87315a90d"
strings:
$s1 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\""
$s2 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>"
$s4 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p> " fullword
condition:
2 of them
}
rule webshell_iMHaPFtp_2 : webshell{
meta:
description = "Web Shell - file iMHaPFtp.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "12911b73bc6a5d313b494102abcf5c57"
strings:
$s8 = "if ($l) echo '<a href=\"' . $self . '?action=permission&file=' . urlencode($"
$s9 = "return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA"
condition:
1 of them
}
rule webshell_Jspspyweb : webshell{
meta:
description = "Web Shell - file Jspspyweb.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "4e9be07e95fff820a9299f3fb4ace059"
strings:
$s0 = " out.print(\"<tr><td width='60%'>\"+strCut(convertPath(list[i].getPath()),7"
$s3 = " \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control"
condition:
all of them
}
rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 : webshell{
meta:
description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "49ad9117c96419c35987aaa7e2230f63"
strings:
$s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n"
$s1 = "Mode Shell v1.0</font></span></a></font><font face=\"Webdings\" size=\"6\" color"
condition:
1 of them
}
rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend : webshell{
meta:
description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "089ff24d978aeff2b4b2869f0c7d38a3"
strings:
$s2 = "echo \"<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo"
$s3 = "fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
condition:
1 of them
}
rule webshell_phpshell_2_1_pwhash : webshell{
meta:
description = "Web Shell - file pwhash.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ba120abac165a5a30044428fac1970d8"
strings:
$s1 = "<tt> </tt>\" (space), \"<tt>[</tt>\" (left bracket), \"<tt>|</tt>\" (pi"
$s3 = "word: \"<tt>null</tt>\", \"<tt>yes</tt>\", \"<tt>no</tt>\", \"<tt>true</tt>\","
condition:
1 of them
}
rule webshell_PHPRemoteView : webshell{
meta:
description = "Web Shell - file PHPRemoteView.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "29420106d9a81553ef0d1ca72b9934d9"
strings:
$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
condition:
1 of them
}
rule webshell_jsp_12302 : webshell{
meta:
description = "Web Shell - file 12302.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a3930518ea57d899457a62f372205f7f"
strings:
$s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword
$s1 = "<%@page import=\"java.io.*,java.util.*,java.net.*\"%>" fullword
$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
condition:
all of them
}
rule webshell_caidao_shell_guo : webshell{
meta:
description = "Web Shell - file guo.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "9e69a8f499c660ee0b4796af14dc08f0"
strings:
$s0 = "<?php ($www= $_POST['ice'])!"
$s1 = "@preg_replace('/ad/e','@'.str_rot13('riny').'($ww"
condition:
1 of them
}
rule webshell_PHP_redcod : webshell{
meta:
description = "Web Shell - file redcod.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5c1c8120d82f46ff9d813fbe3354bac5"
strings:
$s0 = "H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw" fullword
$s1 = "HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm" fullword
condition:
all of them
}
rule webshell_remview_fix : webshell{
meta:
description = "Web Shell - file remview_fix.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a24b7c492f5f00e2a19b0fa2eb9c3697"
strings:
$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
$s5 = "echo \"<P><hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n"
condition:
1 of them
}
rule webshell_asp_cmd : webshell {
meta:
description = "Web Shell - file cmd.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "895ca846858c315a3ff8daa7c55b3119"
strings:
$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
$s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
condition:
1 of them
}
rule webshell_php_sh_server : webshell {
meta:
description = "Web Shell - file server.php"
author = "Florian Roth"
date = "2014/01/28"
score = 50
hash = "d87b019e74064aa90e2bb143e5e16cfa"
strings:
$s0 = "eval(getenv('HTTP_CODE'));" fullword
condition:
all of them
}
rule webshell_PH_Vayv_PH_Vayv : webshell {
meta:
description = "Web Shell - file PH Vayv.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "35fb37f3c806718545d97c6559abd262"
strings:
$s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in"
$s4 = "<font color=\"#858585\">SHOPEN</font></a></font><font face=\"Verdana\" style"
condition:
1 of them
}
rule webshell_caidao_shell_ice : webshell{
meta:
description = "Web Shell - file ice.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "6560b436d3d3bb75e2ef3f032151d139"
strings:
$s0 = "<%eval request(\"ice\")%>" fullword
condition:
all of them
}
rule webshell_cihshell_fix : webshell {
meta:
description = "Web Shell - file cihshell_fix.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3823ac218032549b86ee7c26f10c4cb5"
strings:
$s7 = "<tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty"
$s8 = "if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos"
condition:
1 of them
}
rule webshell_asp_shell : webshell {
meta:
description = "Web Shell - file shell.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e63f5a96570e1faf4c7b8ca6df750237"
strings:
$s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword
$s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword
condition:
all of them
}
rule webshell_Private_i3lue : webshell{
meta:
description = "Web Shell - file Private-i3lue.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "13f5c7a035ecce5f9f380967cf9d4e92"
strings:
$s8 = "case 15: $image .= \"\\21\\0\\"
condition:
all of them
}
rule webshell_php_up : webshell {
meta:
description = "Web Shell - file up.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "7edefb8bd0876c41906f4b39b52cd0ef"
strings:
$s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword
$s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword
$s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword
condition:
2 of them
}
rule webshell_Mysql_interface_v1_0 {
meta:
description = "Web Shell - file Mysql interface v1.0.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a12fc0a3d31e2f89727b9678148cd487"
strings:
$s0 = "echo \"<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\\\"return"
condition:
all of them
}
rule webshell_php_s_u {
meta:
description = "Web Shell - file s-u.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "efc7ba1a4023bcf40f5e912f1dd85b5a"
strings:
$s6 = "<a href=\"?act=do\"><font color=\"red\">Go Execute</font></a></b><br /><textarea"
condition:
all of them
}
rule webshell_phpshell_2_1_config {
meta:
description = "Web Shell - file config.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "bd83144a649c5cc21ac41b505a36a8f3"
strings:
$s1 = "; (choose good passwords!). Add uses as simple 'username = \"password\"' lines." fullword
condition:
all of them
}
rule webshell_asp_EFSO_2 {
meta:
description = "Web Shell - file EFSO_2.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a341270f9ebd01320a7490c12cb2e64c"
strings:
$s0 = "%8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB"
condition:
all of them
}
rule webshell_jsp_up {
meta:
description = "Web Shell - file up.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "515a5dd86fe48f673b72422cccf5a585"
strings:
$s9 = "// BUG: Corta el fichero si es mayor de 640Ks" fullword
condition:
all of them
}
rule webshell_NetworkFileManagerPHP {
meta:
description = "Web Shell - file NetworkFileManagerPHP.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "acdbba993a5a4186fd864c5e4ea0ba4f"
strings:
$s9 = " echo \"<br><center>All the data in these tables:<br> \".$tblsv.\" were putted "
condition:
all of them
}
rule webshell_Server_Variables {
meta:
description = "Web Shell - file Server Variables.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "47fb8a647e441488b30f92b4d39003d7"
strings:
$s7 = "<% For Each Vars In Request.ServerVariables %>" fullword
$s9 = "Variable Name</B></font></p>" fullword
condition:
all of them
}
rule webshell_caidao_shell_ice_2 {
meta:
description = "Web Shell - file ice.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1d6335247f58e0a5b03e17977888f5f2"
strings:
$s0 = "<?php ${${eval($_POST[ice])}};?>" fullword
condition:
all of them
}
rule webshell_caidao_shell_mdb {
meta:
description = "Web Shell - file mdb.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "fbf3847acef4844f3a0d04230f6b9ff9"
strings:
$s1 = "<% execute request(\"ice\")%>a " fullword
condition:
all of them
}
rule webshell_jsp_guige {
meta:
description = "Web Shell - file guige.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "2c9f2dafa06332957127e2c713aacdd2"
strings:
$s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null"
condition:
all of them
}
rule webshell_phpspy2010 {
meta:
description = "Web Shell - file phpspy2010.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "14ae0e4f5349924a5047fed9f3b105c5"
strings:
$s3 = "eval(gzinflate(base64_decode("
$s5 = "//angel" fullword
$s8 = "$admin['cookiedomain'] = '';" fullword
condition:
all of them
}
rule webshell_asp_ice {
meta:
description = "Web Shell - file ice.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d141e011a92f48da72728c35f1934a2b"
strings:
$s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC"
condition:
all of them
}
rule webshell_drag_system {
meta:
description = "Web Shell - file system.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "15ae237cf395fb24cf12bff141fb3f7c"
strings:
$s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_"
condition:
all of them
}
rule webshell_DarkBlade1_3_asp_indexx {
meta:
description = "Web Shell - file indexx.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b7f46693648f534c2ca78e3f21685707"
strings:
$s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou"
condition:
all of them
}
rule webshell_phpshell3 {
meta:
description = "Web Shell - file phpshell3.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "76117b2ee4a7ac06832d50b2d04070b8"
strings:
$s2 = "<input name=\"nounce\" type=\"hidden\" value=\"<?php echo $_SESSION['nounce'];"
$s5 = "<p>Username: <input name=\"username\" type=\"text\" value=\"<?php echo $userna"
$s7 = "$_SESSION['output'] .= \"cd: could not change to: $new_dir\\n\";" fullword
condition:
2 of them
}
rule webshell_jsp_hsxa {
meta:
description = "Web Shell - file hsxa.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d0e05f9c9b8e0b3fa11f57d9ab800380"
strings:
$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
condition:
all of them
}
rule webshell_jsp_utils {
meta:
description = "Web Shell - file utils.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "9827ba2e8329075358b8e8a53e20d545"
strings:
$s0 = "ResultSet r = c.getMetaData().getTables(null, null, \"%\", t);" fullword
$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
condition:
all of them
}
rule webshell_asp_01 {
meta:
description = "Web Shell - file 01.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 50
hash = "61a687b0bea0ef97224c7bd2df118b87"
strings:
$s0 = "<%eval request(\"pass\")%>" fullword
condition:
all of them
}
rule webshell_asp_404 {
meta:
description = "Web Shell - file 404.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d9fa1e8513dbf59fa5d130f389032a2d"
strings:
$s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2"
condition:
all of them
}
rule webshell_webshell_cnseay02_1 {
meta:
description = "Web Shell - file webshell-cnseay02-1.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "95fc76081a42c4f26912826cb1bd24b1"
strings:
$s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU"
condition:
all of them
}
rule webshell_php_fbi {
meta:
description = "Web Shell - file fbi.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1fb32f8e58c8deb168c06297a04a21f1"
strings:
$s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo"
condition:
all of them
}
rule webshell_B374kPHP_B374k {
meta:
description = "Web Shell - file B374k.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "bed7388976f8f1d90422e8795dff1ea6"
strings:
$s0 = "Http://code.google.com/p/b374k-shell" fullword
$s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'"
$s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword
$s4 = "B374k Vip In Beautify Just For Self" fullword
condition:
1 of them
}
rule webshell_cmd_asp_5_1 {
meta:
description = "Web Shell - file cmd-asp-5.1.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8baa99666bf3734cbdfdd10088e0cd9f"
strings:
$s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
condition:
all of them
}
rule webshell_php_dodo_zip {
meta:
description = "Web Shell - file zip.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b7800364374077ce8864796240162ad5"
strings:
$s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x"
$s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
condition:
all of them
}
rule webshell_aZRaiLPhp_v1_0 {
meta:
description = "Web Shell - file aZRaiLPhp v1.0.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "26b2d3943395682e36da06ed493a3715"
strings:
$s5 = "echo \" <font color='#0000FF'>CHMODU \".substr(base_convert(@fileperms($"
$s7 = "echo \"<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo"
condition:
all of them
}
rule webshell_php_list {
meta:
description = "Web Shell - file list.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "922b128ddd90e1dc2f73088956c548ed"
strings:
$s1 = "// list.php = Directory & File Listing" fullword
$s2 = " echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . $filena"
$s9 = "// by: The Dark Raver" fullword
condition:
1 of them
}
rule webshell_ironshell {
meta:
description = "Web Shell - file ironshell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8bfa2eeb8a3ff6afc619258e39fded56"
strings:
$s4 = "print \"<form action=\\\"\".$me.\"?p=cmd&dir=\".realpath('.').\""
$s8 = "print \"<td id=f><a href=\\\"?p=rename&file=\".realpath($file).\"&di"
condition:
all of them
}
rule webshell_caidao_shell_404 {
meta:
description = "Web Shell - file 404.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ee94952dc53d9a29bdf4ece54c7a7aa7"
strings:
$s0 = "<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St"
condition:
all of them
}
rule webshell_ASP_aspydrv {
meta:
description = "Web Shell - file aspydrv.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "de0a58f7d1e200d0b2c801a94ebce330"
strings:
$s3 = "<%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi"
condition:
all of them
}
rule webshell_jsp_web {
meta:
description = "Web Shell - file web.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "4bc11e28f5dccd0c45a37f2b541b2e98"
strings:
$s0 = "<%@page import=\"java.io.*\"%><%@page import=\"java.net.*\"%><%String t=request."
condition:
all of them
}
rule webshell_mysqlwebsh {
meta:
description = "Web Shell - file mysqlwebsh.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "babfa76d11943a22484b3837f105fada"
strings:
$s3 = " <TR><TD bgcolor=\"<? echo (!$CONNECT && $action == \"chparam\")?\"#660000\":\"#"
condition:
all of them
}
rule webshell_jspShell {
meta:
description = "Web Shell - file jspShell.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "0d5b5a17552254be6c1c8f1eb3a5fdc1"
strings:
$s0 = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on"
$s1 = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;"
condition:
all of them
}
rule webshell_Dx_Dx {
meta:
description = "Web Shell - file Dx.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
strings:
$s1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
$s9 = "class=linelisting><nobr>POST (php eval)</td><"
condition:
1 of them
}
rule webshell_asp_ntdaddy {
meta:
description = "Web Shell - file ntdaddy.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c5e6baa5d140f73b4e16a6cfde671c68"
strings:
$s9 = "if FP = \"RefreshFolder\" or "
$s10 = "request.form(\"cmdOption\")=\"DeleteFolder\" "
condition:
1 of them
}
rule webshell_MySQL_Web_Interface_Version_0_8 {
meta:
description = "Web Shell - file MySQL Web Interface Version 0.8.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "36d4f34d0a22080f47bb1cb94107c60f"
strings:
$s2 = "href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>"
condition:
all of them
}
rule webshell_elmaliseker_2 {
meta:
description = "Web Shell - file elmaliseker.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b32d1730d23a660fd6aa8e60c3dc549f"
strings:
$s1 = "<td<%if (FSO.GetExtensionName(path & \"\\\" & oFile.Name)=\"lnk\") or (FSO.GetEx"
$s6 = "<input type=button value=Save onclick=\"EditorCommand('Save')\"> <input type=but"
condition:
all of them
}
rule webshell_ASP_RemExp {
meta:
description = "Web Shell - file RemExp.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "aa1d8491f4e2894dbdb91eec1abc2244"
strings:
$s0 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Reques"
$s1 = "Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal"
condition:
all of them
}
rule webshell_jsp_list1 {
meta:
description = "Web Shell - file list1.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8d9e5afa77303c9c01ff34ea4e7f6ca6"
strings:
$s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive"
$s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\""
condition:
all of them
}
rule webshell_phpkit_1_0_odd {
meta:
description = "Web Shell - file odd.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "594d1b1311bbef38a0eb3d6cbb1ab538"
strings:
$s0 = "include('php://input');" fullword
$s1 = "// No eval() calls, no system() calls, nothing normally seen as malicious." fullword
$s2 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
condition:
all of them
}
rule webshell_jsp_123 {
meta:
description = "Web Shell - file 123.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c691f53e849676cac68a38d692467641"
strings:
$s0 = "<font color=\"blue\">??????????????????:</font><input type=\"text\" size=\"7"
$s3 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
$s9 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\"> " fullword
condition:
all of them
}
rule webshell_asp_1 {
meta:
description = "Web Shell - file 1.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8991148adf5de3b8322ec5d78cb01bdb"
strings:
$s4 = "!22222222222222222222222222222222222222222222222222" fullword
$s8 = "<%eval request(\"pass\")%>" fullword
condition:
all of them
}
rule webshell_ASP_tool {
meta:
description = "Web Shell - file tool.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "4ab68d38527d5834e9c1ff64407b34fb"
strings:
$s0 = "Response.Write \"<FORM action=\"\"\" & Request.ServerVariables(\"URL\") & \"\"\""
$s3 = "Response.Write \"<tr><td><font face='arial' size='2'><b><DIR> <a href='\" "
$s9 = "Response.Write \"<font face='arial' size='1'><a href=\"\"#\"\" onclick=\"\"javas"
condition:
2 of them
}
rule webshell_cmd_win32 {
meta:
description = "Web Shell - file cmd_win32.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "cc4d4d6cc9a25984aa9a7583c7def174"
strings:
$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParam"
$s1 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
condition:
2 of them
}
rule webshell_jsp_jshell {
meta:
description = "Web Shell - file jshell.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "124b22f38aaaf064cef14711b2602c06"
strings:
$s0 = "kXpeW[\"" fullword
$s4 = "[7b:g0W@W<" fullword
$s5 = "b:gHr,g<" fullword
$s8 = "RhV0W@W<" fullword
$s9 = "S_MR(u7b" fullword
condition:
all of them
}
rule webshell_ASP_zehir4 {
meta:
description = "Web Shell - file zehir4.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "7f4e12e159360743ec016273c3b9108c"
strings:
$s9 = "Response.Write \"<a href='\"&dosyaPath&\"?status=7&Path=\"&Path&\"/"
condition:
all of them
}
rule webshell_wsb_idc {
meta:
description = "Web Shell - file idc.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "7c5b1b30196c51f1accbffb80296395f"
strings:
$s1 = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword
$s3 = "{eval($_GET['idc']);}" fullword
condition:
1 of them
}
rule webshell_cpg_143_incl_xpl {
meta:
description = "Web Shell - file cpg_143_incl_xpl.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5937b131b67d8e0afdbd589251a5e176"
strings:
$s3 = "$data=\"username=\".urlencode($USER).\"&password=\".urlencode($PA"
$s5 = "fputs($sun_tzu,\"<?php echo \\\"Hi Master!\\\";ini_set(\\\"max_execution_time"
condition:
1 of them
}
rule webshell_mumaasp_com {
meta:
description = "Web Shell - file mumaasp.com.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "cce32b2e18f5357c85b6d20f564ebd5d"
strings:
$s0 = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR"
condition:
all of them
}
rule webshell_php_404 {
meta:
description = "Web Shell - file 404.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ced050df5ca42064056a7ad610a191b3"
strings:
$s0 = "$pass = md5(md5(md5($pass)));" fullword
condition:
all of them
}
rule webshell_webshell_cnseay_x {
meta:
description = "Web Shell - file webshell-cnseay-x.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a0f9f7f5cd405a514a7f3be329f380e5"
strings:
$s9 = "$_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_"
condition:
all of them
}
rule webshell_asp_up {
meta:
description = "Web Shell - file up.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "f775e721cfe85019fe41c34f47c0d67c"
strings:
$s0 = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio"
$s1 = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" fullword
condition:
1 of them
}
rule webshell_phpkit_0_1a_odd {
meta:
description = "Web Shell - file odd.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3c30399e7480c09276f412271f60ed01"
strings:
$s1 = "include('php://input');" fullword
$s3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
$s4 = "// uses include('php://input') to execute arbritary code" fullword
$s5 = "// php://input based backdoor" fullword
condition:
2 of them
}
rule webshell_ASP_cmd {
meta:
description = "Web Shell - file cmd.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "97af88b478422067f23b001dd06d56a9"
strings:
$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
condition:
all of them
}
rule webshell_PHP_Shell_x3 {
meta:
description = "Web Shell - file PHP Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
strings:
$s4 = " <?php echo buildUrl(\"<font color=\\\"navy\\\">["
$s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
$s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
condition:
2 of them
}
rule webshell_PHP_g00nv13 {
meta:
description = "Web Shell - file g00nv13.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "35ad2533192fe8a1a76c3276140db820"
strings:
$s1 = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas"
$s4 = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p"
condition:
all of them
}
rule webshell_php_h6ss {
meta:
description = "Web Shell - file h6ss.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "272dde9a4a7265d6c139287560328cd5"
strings:
$s0 = "<?php eval(gzuncompress(base64_decode(\""
condition:
all of them
}
rule webshell_jsp_zx {
meta:
description = "Web Shell - file zx.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "67627c264db1e54a4720bd6a64721674"
strings:
$s0 = "if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.g"
condition:
all of them
}
rule webshell_Ani_Shell {
meta:
description = "Web Shell - file Ani-Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "889bfc9fbb8ee7832044fc575324d01a"
strings:
$s0 = "$Python_CODE = \"I"
$s6 = "$passwordPrompt = \"\\n================================================="
$s7 = "fputs ($sockfd ,\"\\n==============================================="
condition:
1 of them
}
rule webshell_jsp_k8cmd {
meta:
description = "Web Shell - file k8cmd.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b39544415e692a567455ff033a97a682"
strings:
$s2 = "if(request.getSession().getAttribute(\"hehe\").toString().equals(\"hehe\"))" fullword
condition:
all of them
}
rule webshell_jsp_cmd {
meta:
description = "Web Shell - file cmd.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5391c4a8af1ede757ba9d28865e75853"
strings:
$s6 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword
condition:
all of them
}
rule webshell_jsp_k81 {
meta:
description = "Web Shell - file k81.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "41efc5c71b6885add9c1d516371bd6af"
strings:
$s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword
$s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword
condition:
1 of them
}
rule webshell_ASP_zehir {
meta:
description = "Web Shell - file zehir.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "0061d800aee63ccaf41d2d62ec15985d"
strings:
$s9 = "Response.Write \"<font face=wingdings size=3><a href='\"&dosyaPath&\"?status=18&"
condition:
all of them
}
rule webshell_Worse_Linux_Shell {
meta:
description = "Web Shell - file Worse Linux Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8338c8d9eab10bd38a7116eb534b5fa2"
strings:
$s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD"
condition:
all of them
}
rule webshell_zacosmall {
meta:
description = "Web Shell - file zacosmall.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5295ee8dc2f5fd416be442548d68f7a6"
strings:
$s0 = "if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd).\"</strong><hr>"
condition:
all of them
}
rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
meta:
description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
strings:
$s1 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
condition:
all of them
}
rule webshell_redirect {
meta:
description = "Web Shell - file redirect.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "97da83c6e3efbba98df270cc70beb8f8"
strings:
$s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" "
condition:
all of them
}
rule webshell_jsp_cmdjsp {
meta:
description = "Web Shell - file cmdjsp.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b815611cc39f17f05a73444d699341d4"
strings:
$s5 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
condition:
all of them
}
rule webshell_Java_Shell {
meta:
description = "Web Shell - file Java Shell.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "36403bc776eb12e8b7cc0eb47c8aac83"
strings:
$s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword
$s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword
condition:
1 of them
}
rule webshell_asp_1d {
meta:
description = "Web Shell - file 1d.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "fad7504ca8a55d4453e552621f81563c"
strings:
$s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO"
condition:
all of them
}
rule webshell_jsp_IXRbE {
meta:
description = "Web Shell - file IXRbE.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e26e7e0ebc6e7662e1123452a939e2cd"
strings:
$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
condition:
all of them
}
rule webshell_PHP_G5 {
meta:
description = "Web Shell - file G5.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "95b4a56140a650c74ed2ec36f08d757f"
strings:
$s3 = "echo \"Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op"
condition:
all of them
}
rule webshell_PHP_r57142 {
meta:
description = "Web Shell - file r57142.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "0911b6e6b8f4bcb05599b2885a7fe8a8"
strings:
$s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword
condition:
all of them
}
rule webshell_jsp_tree {
meta:
description = "Web Shell - file tree.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "bcdf7bbf7bbfa1ffa4f9a21957dbcdfa"
strings:
$s5 = "$('#tt2').tree('options').url = \"selectChild.action?checki"
$s6 = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ"
condition:
all of them
}
rule webshell_C99madShell_v_3_0_smowu {
meta:
description = "Web Shell - file smowu.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "74e1e7c7a6798f1663efb42882b85bee"
strings:
$s2 = "<tr><td width=\"50%\" height=\"1\" valign=\"top\"><center><b>:: Enter ::</b><for"
$s8 = "<p><font color=red>Wordpress Not Found! <input type=text id=\"wp_pat\"><input ty"
condition:
1 of them
}
rule webshell_simple_backdoor {
meta:
description = "Web Shell - file simple-backdoor.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "f091d1b9274c881f8e41b2f96e6b9936"
strings:
$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
$s1 = "if(isset($_REQUEST['cmd'])){" fullword
$s4 = "system($cmd);" fullword
condition:
2 of them
}
rule webshell_PHP_404 {
meta:
description = "Web Shell - file 404.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "078c55ac475ab9e028f94f879f548bca"
strings:
$s4 = "<span>Posix_getpwuid (\"Read\" /etc/passwd)"
condition:
all of them
}
rule webshell_Macker_s_Private_PHPShell {
meta:
description = "Web Shell - file Macker's Private PHPShell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e24cbf0e294da9ac2117dc660d890bb9"
strings:
$s3 = "echo \"<tr><td class=\\\"silver border\\\"> <strong>Server's PHP Version:&n"
$s4 = " <?php echo buildUrl(\"<font color=\\\"navy\\\">["
$s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
condition:
all of them
}
rule webshell_Antichat_Shell_v1_3_2 {
meta:
description = "Web Shell - file Antichat Shell v1.3.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "40d0abceba125868be7f3f990f031521"
strings:
$s3 = "$header='<html><head><title>'.getenv(\"HTTP_HOST\").' - Antichat Shell</title><m"
condition:
all of them
}
rule webshell_Safe_mode_breaker {
meta:
description = "Web Shell - file Safe mode breaker.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5bd07ccb1111950a5b47327946bfa194"
strings:
$s5 = "preg_match(\"/SAFE\\ MODE\\ Restriction\\ in\\ effect\\..*whose\\ uid\\ is("
$s6 = "$path =\"{$root}\".((substr($root,-1)!=\"/\") ? \"/\" : NULL)."
condition:
1 of them
}
rule webshell_Sst_Sheller {
meta:
description = "Web Shell - file Sst-Sheller.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d93c62a0a042252f7531d8632511ca56"
strings:
$s2 = "echo \"<a href='?page=filemanager&id=fm&fchmod=$dir$file'>"
$s3 = "<? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)"
condition:
all of them
}
rule webshell_jsp_list {
meta:
description = "Web Shell - file list.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1ea290ff4259dcaeb680cec992738eda"
strings:
$s0 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
$s2 = "out.print(\") <A Style='Color: \" + fcolor.toString() + \";' HRef='?file=\" + fn"
$s7 = "if(flist[i].canRead() == true) out.print(\"r\" ); else out.print(\"-\");" fullword
condition:
all of them
}
rule webshell_PHPJackal_v1_5 {
meta:
description = "Web Shell - file PHPJackal v1.5.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d76dc20a4017191216a0315b7286056f"
strings:
$s7 = "echo \"<center>${t}MySQL cilent:</td><td bgcolor=\\\"#333333\\\"></td></tr><form"
$s8 = "echo \"<center>${t}Wordlist generator:</td><td bgcolor=\\\"#333333\\\"></td></tr"
condition:
all of them
}
rule webshell_customize {
meta:
description = "Web Shell - file customize.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d55578eccad090f30f5d735b8ec530b1"
strings:
$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
condition:
all of them
}
rule webshell_s72_Shell_v1_1_Coding {
meta:
description = "Web Shell - file s72 Shell v1.1 Coding.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c2e8346a5515c81797af36e7e4a3828e"
strings:
$s5 = "<font face=\"Verdana\" style=\"font-size: 8pt\" color=\"#800080\">Buradan Dosya "
condition:
all of them
}
rule webshell_jsp_sys3 {
meta:
description = "Web Shell - file sys3.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b3028a854d07674f4d8a9cf2fb6137ec"
strings:
$s1 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" fullword
$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
$s9 = "<%@page contentType=\"text/html;charset=gb2312\"%>" fullword
condition:
all of them
}
rule webshell_jsp_guige02 {
meta:
description = "Web Shell - file guige02.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a3b8b2280c56eaab777d633535baf21d"
strings:
$s0 = "????????????????%><html><head><title>hahahaha</title></head><body bgcolor=\"#fff"
$s1 = "<%@page contentType=\"text/html; charset=GBK\" import=\"java.io.*;\"%><%!private"
condition:
all of them
}
rule webshell_php_ghost {
meta:
description = "Web Shell - file ghost.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "38dc8383da0859dca82cf0c943dbf16d"
strings:
$s1 = "<?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'"
$s6 = "//<img width=1 height=1 src=\"http://websafe.facaiok.com/just7z/sx.asp?u=***.***"
$s7 = "preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(KmU(\"" fullword
condition:
all of them
}
rule webshell_WinX_Shell {
meta:
description = "Web Shell - file WinX Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "17ab5086aef89d4951fe9b7c7a561dda"
strings:
$s5 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">Filenam"
$s8 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">File: </"
condition:
all of them
}
rule webshell_Crystal_Crystal {
meta:
description = "Web Shell - file Crystal.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "fdbf54d5bf3264eb1c4bff1fac548879"
strings:
$s1 = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value"
$s6 = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f"
condition:
all of them
}
rule webshell_r57_1_4_0 {
meta:
description = "Web Shell - file r57.1.4.0.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "574f3303e131242568b0caf3de42f325"
strings:
$s4 = "@ini_set('error_log',NULL);" fullword
$s6 = "$pass='abcdef1234567890abcdef1234567890';" fullword
$s7 = "@ini_restore(\"disable_functions\");" fullword
$s9 = "@ini_restore(\"safe_mode_exec_dir\");" fullword
condition:
all of them
}
rule webshell_jsp_hsxa1 {
meta:
description = "Web Shell - file hsxa1.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5686d5a38c6f5b8c55095af95c2b0244"
strings:
$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
condition:
all of them
}
rule webshell_asp_ajn {
meta:
description = "Web Shell - file ajn.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "aaafafc5d286f0bff827a931f6378d04"
strings:
$s1 = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword
$s6 = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve"
condition:
all of them
}
rule webshell_php_cmd {
meta:
description = "Web Shell - file cmd.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c38ae5ba61fd84f6bbbab98d89d8a346"
strings:
$s0 = "if($_GET['cmd']) {" fullword
$s1 = "// cmd.php = Command Execution" fullword
$s7 = " system($_GET['cmd']);" fullword
condition:
all of them
}
rule webshell_asp_list {
meta:
description = "Web Shell - file list.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1cfa493a165eb4b43e6d4cc0f2eab575"
strings:
$s0 = "<INPUT TYPE=\"hidden\" NAME=\"type\" value=\"<%=tipo%>\">" fullword
$s4 = "Response.Write(\"<h3>FILE: \" & file & \"</h3>\")" fullword
condition:
all of them
}
rule webshell_PHP_co {
meta:
description = "Web Shell - file co.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "62199f5ac721a0cb9b28f465a513874c"
strings:
$s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword
$s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword
condition:
all of them
}
rule webshell_PHP_150 {
meta:
description = "Web Shell - file 150.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "400c4b0bed5c90f048398e1d268ce4dc"
strings:
$s0 = "HJ3HjqxclkZfp"
$s1 = "<? eval(gzinflate(base64_decode('" fullword
condition:
all of them
}
rule webshell_jsp_cmdjsp_2 {
meta:
description = "Web Shell - file cmdjsp.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1b5ae3649f03784e2a5073fa4d160c8b"
strings:
$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
$s4 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
condition:
all of them
}
rule webshell_PHP_c37 {
meta:
description = "Web Shell - file c37.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d01144c04e7a46870a8dd823eb2fe5c8"
strings:
$s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),"
$s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],"
condition:
all of them
}
rule webshell_PHP_b37 {
meta:
description = "Web Shell - file b37.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "0421445303cfd0ec6bc20b3846e30ff0"
strings:
$s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc"
condition:
all of them
}
rule webshell_php_backdoor {
meta:
description = "Web Shell - file php-backdoor.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
strings:
$s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword
$s2 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
condition:
all of them
}
rule webshell_asp_dabao {
meta:
description = "Web Shell - file dabao.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3919b959e3fa7e86d52c2b0a91588d5d"
strings:
$s2 = " Echo \"<input type=button name=Submit onclick=\"\"document.location ='\" &"
$s8 = " Echo \"document.Frm_Pack.FileName.value=\"\"\"\"+year+\"\"-\"\"+(month+1)+\"\"-"
condition:
all of them
}
rule webshell_php_2 {
meta:
description = "Web Shell - file 2.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "267c37c3a285a84f541066fc5b3c1747"
strings:
$s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword
condition:
all of them
}
rule webshell_asp_cmdasp {
meta:
description = "Web Shell - file cmdasp.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "57b51418a799d2d016be546f399c2e9b"
strings:
$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
$s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
condition:
all of them
}
rule webshell_spjspshell {
meta:
description = "Web Shell - file spjspshell.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d39d51154aaad4ba89947c459a729971"
strings:
$s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:"
condition:
all of them
}
rule webshell_jsp_action {
meta:
description = "Web Shell - file action.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5a7d931094f5570aaf5b7b3b06c3d8c0"
strings:
$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
$s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
condition:
all of them
}
rule webshell_Inderxer {
meta:
description = "Web Shell - file Inderxer.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "9ea82afb8c7070817d4cdf686abe0300"
strings:
$s4 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
condition:
all of them
}
rule webshell_asp_Rader {
meta:
description = "Web Shell - file Rader.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ad1a362e0a24c4475335e3e891a01731"
strings:
$s1 = "FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0"
$s3 = "m\" target=inf onClick=\"window.open('?action=help','inf','width=450,height=400 "
condition:
all of them
}
rule webshell_c99_madnet_smowu {
meta:
description = "Web Shell - file smowu.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3aaa8cad47055ba53190020311b0fb83"
strings:
$s0 = "//Authentication" fullword
$s1 = "$login = \"" fullword
$s2 = "eval(gzinflate(base64_decode('"
$s4 = "//Pass"
$s5 = "$md5_pass = \""
$s6 = "//If no pass then hash"
condition:
all of them
}
rule webshell_php_moon {
meta:
description = "Web Shell - file moon.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "2a2b1b783d3a2fa9a50b1496afa6e356"
strings:
$s2 = "echo '<option value=\"create function backshell returns string soname"
$s3 = "echo \"<input name='p' type='text' size='27' value='\".dirname(_FILE_).\""
$s8 = "echo '<option value=\"select cmdshell(\\'net user "
condition:
2 of them
}
rule webshell_jsp_jdbc {
meta:
description = "Web Shell - file jdbc.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "23b0e6f91a8f0d93b9c51a2a442119ce"
strings:
$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
condition:
all of them
}
rule webshell_minupload {
meta:
description = "Web Shell - file minupload.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ec905a1395d176c27f388d202375bdf9"
strings:
$s0 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\"> " fullword
$s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859"
condition:
all of them
}
rule webshell_ELMALISEKER_Backd00r {
meta:
description = "Web Shell - file ELMALISEKER Backd00r.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3aa403e0a42badb2c23d4a54ef43e2f4"
strings:
$s0 = "response.write(\"<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio"
$s2 = "if FP = \"RefreshFolder\" or request.form(\"cmdOption\")=\"DeleteFolder\" or req"
condition:
all of them
}
rule webshell_PHP_bug_1_ {
meta:
description = "Web Shell - file bug (1).php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "91c5fae02ab16d51fc5af9354ac2f015"
strings:
$s0 = "@include($_GET['bug']);" fullword
condition:
all of them
}
rule webshell_caidao_shell_hkmjj {
meta:
description = "Web Shell - file hkmjj.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e7b994fe9f878154ca18b7cde91ad2d0"
strings:
$s6 = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\" " fullword
condition:
all of them
}
rule webshell_jsp_asd {
meta:
description = "Web Shell - file asd.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a042c2ca64176410236fcc97484ec599"
strings:
$s3 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%>" fullword
$s6 = "<input size=\"100\" value=\"<%=application.getRealPath(\"/\") %>\" name=\"url"
condition:
all of them
}
rule webshell_jsp_inback3 {
meta:
description = "Web Shell - file inback3.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ea5612492780a26b8aa7e5cedd9b8f4e"
strings:
$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
condition:
all of them
}
rule webshell_metaslsoft {
meta:
description = "Web Shell - file metaslsoft.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "aa328ed1476f4a10c0bcc2dde4461789"
strings:
$s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t"
condition:
all of them
}
rule webshell_asp_Ajan {
meta:
description = "Web Shell - file Ajan.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b6f468252407efc2318639da22b08af0"
strings:
$s3 = "entrika.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreate"
condition:
all of them
}
rule webshell_config_myxx_zend {
meta:
description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "d44df8b1543b837e57cc8f25a0a68d92"
hash1 = "e0354099bee243702eb11df8d0e046df"
hash2 = "591ca89a25f06cf01e4345f98a22845c"
strings:
$s3 = ".println(\"<a href=\\\"javascript:alert('You Are In File Now ! Can Not Pack !');"
condition:
all of them
}
rule webshell_browser_201_3_ma_download {
meta:
description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "37603e44ee6dc1c359feb68a0d566f76"
hash1 = "a7e25b8ac605753ed0c438db93f6c498"
hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
hash4 = "fa87bbd7201021c1aefee6fcc5b8e25a"
strings:
$s2 = "<small>jsp File Browser version <%= VERSION_NR%> by <a"
$s3 = "else if (fName.endsWith(\".mpg\") || fName.endsWith(\".mpeg\") || fName.endsWith"
condition:
all of them
}
rule webshell_itsec_itsecteam_shell_jHn {
meta:
description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "8ae9d2b50dc382f0571cd7492f079836"
hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4"
hash2 = "40c6ecf77253e805ace85f119fe1cebb"
strings:
$s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b"
$s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'"
condition:
all of them
}
rule webshell_ghost_source_icesword_silic {
meta:
description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "cbf64a56306c1b5d98898468fc1fdbd8"
hash1 = "6e20b41c040efb453d57780025a292ae"
hash2 = "437d30c94f8eef92dc2f064de4998695"
strings:
$s3 = "if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $"
$s6 = "if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST["
condition:
all of them
}
rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
hash4 = "8b457934da3821ba58b06a113e0d53d9"
hash5 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
hash6 = "14e9688c86b454ed48171a9d4f48ace8"
hash7 = "b330a6c2d49124ef0729539761d6ef0b"
hash8 = "d71716df5042880ef84427acee8b121e"
hash9 = "341298482cf90febebb8616426080d1d"
hash10 = "29aebe333d6332f0ebc2258def94d57e"
hash11 = "42654af68e5d4ea217e6ece5389eb302"
hash12 = "88fc87e7c58249a398efd5ceae636073"
hash13 = "4a812678308475c64132a9b56254edbc"
hash14 = "9626eef1a8b9b8d773a3b2af09306a10"
hash15 = "344f9073576a066142b2023629539ebd"
hash16 = "32dea47d9c13f9000c4c807561341bee"
hash17 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash18 = "655722eaa6c646437c8ae93daac46ae0"
hash19 = "b9744f6876919c46a29ea05b1d95b1c3"
hash20 = "9c94637f76e68487fa33f7b0030dd932"
hash21 = "6acc82544be056580c3a1caaa4999956"
hash22 = "6aa32a6392840e161a018f3907a86968"
hash23 = "349ec229e3f8eda0f9eb918c74a8bf4c"
hash24 = "3ea688e3439a1f56b16694667938316d"
hash25 = "ab77e4d1006259d7cbc15884416ca88c"
hash26 = "71097537a91fac6b01f46f66ee2d7749"
hash27 = "2434a7a07cb47ce25b41d30bc291cacc"
hash28 = "7a4b090619ecce6f7bd838fe5c58554b"
strings:
$s8 = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype="
$s9 = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T"
condition:
all of them
}
rule webshell_2_520_job_ma1_ma4_2 {
meta:
description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "64a3bf9142b045b9062b204db39d4d57"
hash1 = "9abd397c6498c41967b4dd327cf8b55a"
hash2 = "56c005690da2558690c4aa305a31ad37"
hash3 = "532b93e02cddfbb548ce5938fe2f5559"
hash4 = "6e0fa491d620d4af4b67bae9162844ae"
hash5 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
strings:
$s4 = "_url = \"jdbc:microsoft:sqlserver://\" + dbServer + \":\" + dbPort + \";User=\" "
$s9 = "result += \"<meta http-equiv=\\\"refresh\\\" content=\\\"2;url=\" + request.getR"
condition:
all of them
}
rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
hash4 = "8b457934da3821ba58b06a113e0d53d9"
hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
hash7 = "14e9688c86b454ed48171a9d4f48ace8"
hash8 = "b330a6c2d49124ef0729539761d6ef0b"
hash9 = "d71716df5042880ef84427acee8b121e"
hash10 = "341298482cf90febebb8616426080d1d"
hash11 = "29aebe333d6332f0ebc2258def94d57e"
hash12 = "42654af68e5d4ea217e6ece5389eb302"
hash13 = "88fc87e7c58249a398efd5ceae636073"
hash14 = "4a812678308475c64132a9b56254edbc"
hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
hash16 = "e0354099bee243702eb11df8d0e046df"
hash17 = "344f9073576a066142b2023629539ebd"
hash18 = "32dea47d9c13f9000c4c807561341bee"
hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash20 = "655722eaa6c646437c8ae93daac46ae0"
hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
hash22 = "9c94637f76e68487fa33f7b0030dd932"
hash23 = "6acc82544be056580c3a1caaa4999956"
hash24 = "6aa32a6392840e161a018f3907a86968"
hash25 = "591ca89a25f06cf01e4345f98a22845c"
hash26 = "349ec229e3f8eda0f9eb918c74a8bf4c"
hash27 = "3ea688e3439a1f56b16694667938316d"
hash28 = "ab77e4d1006259d7cbc15884416ca88c"
hash29 = "71097537a91fac6b01f46f66ee2d7749"
hash30 = "2434a7a07cb47ce25b41d30bc291cacc"
hash31 = "7a4b090619ecce6f7bd838fe5c58554b"
strings:
$s0 = "ports = \"21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500\";" fullword
$s1 = "private static class VEditPropertyInvoker extends DefaultInvoker {" fullword
condition:
all of them
}
rule webshell_wso2_5_1_wso2_5_wso2 {
meta:
description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "dbeecd555a2ef80615f0894027ad75dc"
hash1 = "7c8e5d31aad28eb1f0a9a53145551e05"
hash2 = "cbc44fb78220958f81b739b493024688"
strings:
$s7 = "$opt_charsets .= '<option value=\"'.$item.'\" '.($_POST['charset']==$item?'selec"
$s8 = ".'</td><td><a href=\"#\" onclick=\"g(\\'FilesTools\\',null,\\''.urlencode($f['na"
condition:
all of them
}
rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "8b457934da3821ba58b06a113e0d53d9"
hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash4 = "655722eaa6c646437c8ae93daac46ae0"
hash5 = "9c94637f76e68487fa33f7b0030dd932"
strings:
$s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')"
$s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\""
condition:
all of them
}
rule webshell_404_data_suiyue {
meta:
description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "7066f4469c3ec20f4890535b5f299122"
hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
hash2 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
strings:
$s3 = " sbCopy.append(\"<input type=button name=goback value=' \"+strBack[languageNo]+"
condition:
all of them
}
rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx {
meta:
description = "Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ef43fef943e9df90ddb6257950b3538f"
hash1 = "ae025c886fbe7f9ed159f49593674832"
hash2 = "911195a9b7c010f61b66439d9048f400"
hash3 = "697dae78c040150daff7db751fc0c03c"
hash4 = "513b7be8bd0595c377283a7c87b44b2e"
hash5 = "1d912c55b96e2efe8ca873d6040e3b30"
hash6 = "e5b2131dd1db0dbdb43b53c5ce99016a"
hash7 = "4108f28a9792b50d95f95b9e5314fa1e"
hash8 = "41af6fd253648885c7ad2ed524e0692d"
hash9 = "6fcc283470465eed4870bcc3e2d7f14d"
strings:
$s2 = "echo sr(15,\"<b>\".$lang[$language.'_text58'].$arrow.\"</b>\",in('text','mk_name"
$s3 = "echo sr(15,\"<b>\".$lang[$language.'_text21'].$arrow.\"</b>\",in('checkbox','nf1"
$s9 = "echo sr(40,\"<b>\".$lang[$language.'_text26'].$arrow.\"</b>\",\"<select size="
condition:
all of them
}
rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
meta:
description = "Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash1 = "76037ebd781ad0eac363d56fc81f4b4f"
hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
hash3 = "14e9688c86b454ed48171a9d4f48ace8"
hash4 = "b330a6c2d49124ef0729539761d6ef0b"
hash5 = "d71716df5042880ef84427acee8b121e"
hash6 = "341298482cf90febebb8616426080d1d"
hash7 = "29aebe333d6332f0ebc2258def94d57e"
hash8 = "42654af68e5d4ea217e6ece5389eb302"
hash9 = "88fc87e7c58249a398efd5ceae636073"
hash10 = "4a812678308475c64132a9b56254edbc"
hash11 = "9626eef1a8b9b8d773a3b2af09306a10"
hash12 = "344f9073576a066142b2023629539ebd"
hash13 = "32dea47d9c13f9000c4c807561341bee"
hash14 = "b9744f6876919c46a29ea05b1d95b1c3"
hash15 = "6acc82544be056580c3a1caaa4999956"
hash16 = "6aa32a6392840e161a018f3907a86968"
hash17 = "349ec229e3f8eda0f9eb918c74a8bf4c"
hash18 = "3ea688e3439a1f56b16694667938316d"
hash19 = "ab77e4d1006259d7cbc15884416ca88c"
hash20 = "71097537a91fac6b01f46f66ee2d7749"
hash21 = "2434a7a07cb47ce25b41d30bc291cacc"
hash22 = "7a4b090619ecce6f7bd838fe5c58554b"
strings:
$s1 = "\"<h2>Remote Control »</h2><input class=\\\"bt\\\" onclick=\\\"var"
$s2 = "\"<p>Current File (import new file name and new file)<br /><input class=\\\"inpu"
$s3 = "\"<p>Current file (fullpath)<br /><input class=\\\"input\\\" name=\\\"file\\\" i"
condition:
all of them
}
rule webshell_201_3_ma_download {
meta:
description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "a7e25b8ac605753ed0c438db93f6c498"
hash1 = "fb8c6c3a69b93e5e7193036fd31a958d"
hash2 = "4cc68fa572e88b669bce606c7ace0ae9"
hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a"
strings:
$s0 = "<input title=\"Upload selected file to the current working directory\" type=\"Su"
$s5 = "<input title=\"Launch command in current directory\" type=\"Submit\" class=\"but"
$s6 = "<input title=\"Delete all selected files and directories incl. subdirs\" class="
condition:
all of them
}
rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download {
meta:
description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "37603e44ee6dc1c359feb68a0d566f76"
hash1 = "a7e25b8ac605753ed0c438db93f6c498"
hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
hash3 = "36331f2c81bad763528d0ae00edf55be"
hash4 = "793b3d0a740dbf355df3e6f68b8217a4"
hash5 = "8979594423b68489024447474d113894"
hash6 = "ec482fc969d182e5440521c913bab9bd"
hash7 = "f98d2b33cd777e160d1489afed96de39"
hash8 = "4b4c12b3002fad88ca6346a873855209"
hash9 = "4cc68fa572e88b669bce606c7ace0ae9"
hash10 = "e9a5280f77537e23da2545306f6a19ad"
hash11 = "598eef7544935cf2139d1eada4375bb5"
hash12 = "fa87bbd7201021c1aefee6fcc5b8e25a"
strings:
$s4 = "UplInfo info = UploadMonitor.getInfo(fi.clientFileName);" fullword
$s5 = "long time = (System.currentTimeMillis() - starttime) / 1000l;" fullword
condition:
all of them
}
rule webshell_shell_phpspy_2006_arabicspy {
meta:
description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "791708057d8b429d91357d38edf43cc0"
hash1 = "40a1f840111996ff7200d18968e42cfe"
hash2 = "e0202adff532b28ef1ba206cf95962f2"
strings:
$s0 = "elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype"
$s8 = "echo \"<form action=\\\"?action=shell&dir=\".urlencode($dir).\"\\\" method=\\\"P"
condition:
all of them
}
rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
meta:
description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "793b3d0a740dbf355df3e6f68b8217a4"
hash1 = "8979594423b68489024447474d113894"
hash2 = "ec482fc969d182e5440521c913bab9bd"
hash3 = "f98d2b33cd777e160d1489afed96de39"
hash4 = "4b4c12b3002fad88ca6346a873855209"
hash5 = "e9a5280f77537e23da2545306f6a19ad"
strings:
$s4 = "sbFile.append(\" <a href=\\\"javascript:doForm('down','\"+formatPath(strD"
$s9 = "sbFile.append(\" <a href=\\\"javascript:doForm('edit','\"+formatPath(strDi"
condition:
all of them
}
rule webshell_2_520_icesword_job_ma1_ma4_2 {
meta:
description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "64a3bf9142b045b9062b204db39d4d57"
hash1 = "9abd397c6498c41967b4dd327cf8b55a"
hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
hash3 = "56c005690da2558690c4aa305a31ad37"
hash4 = "532b93e02cddfbb548ce5938fe2f5559"
hash5 = "6e0fa491d620d4af4b67bae9162844ae"
hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
strings:
$s2 = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\","
$s3 = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" /> <input typ"
$s9 = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor"
condition:
all of them
}
rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
meta:
description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
hash1 = "42f211cec8032eb0881e87ebdb3d7224"
hash2 = "0712e3dc262b4e1f98ed25760b206836"
strings:
$s6 = "<input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['comma"
$s7 = "echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],\"\".$uploaddir.\"/\".$_FILE"
$s8 = "<option value=\"passthru\" <? if ($execfunc==\"passthru\") { echo \"selected\"; "
condition:
2 of them
}
rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
meta:
description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "791708057d8b429d91357d38edf43cc0"
hash1 = "40a1f840111996ff7200d18968e42cfe"
hash2 = "e0202adff532b28ef1ba206cf95962f2"
hash3 = "802f5cae46d394b297482fd0c27cb2fc"
strings:
$s5 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
condition:
all of them
}
rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
meta:
description = "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
hash1 = "f2fa878de03732fbf5c86d656467ff50"
hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c"
hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b"
hash4 = "68c0629d08b1664f5bcce7d7f5f71d22"
hash5 = "048ccc01b873b40d57ce25a4c56ea717"
strings:
$s8 = "else {echo \"Running datapipe... ok! Connect to <b>\".getenv(\"SERVER_ADDR\""
condition:
all of them
}
rule webshell_2008_2009lite_2009mssql {
meta:
description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
hash1 = "3f4d454d27ecc0013e783ed921eeecde"
hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
strings:
$s0 = "<a href=\"javascript:godir(\\''.$drive->Path.'/\\');"
$s7 = "p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all"
condition:
all of them
}
rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {
meta:
description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "791708057d8b429d91357d38edf43cc0"
hash1 = "b68bfafc6059fd26732fa07fb6f7f640"
hash2 = "42f211cec8032eb0881e87ebdb3d7224"
hash3 = "40a1f840111996ff7200d18968e42cfe"
hash4 = "e0202adff532b28ef1ba206cf95962f2"
hash5 = "0712e3dc262b4e1f98ed25760b206836"
hash6 = "802f5cae46d394b297482fd0c27cb2fc"
strings:
$s0 = "$mainpath_info = explode('/', $mainpath);" fullword
$s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d"
condition:
all of them
}
rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
meta:
description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash1 = "14e9688c86b454ed48171a9d4f48ace8"
hash2 = "341298482cf90febebb8616426080d1d"
hash3 = "88fc87e7c58249a398efd5ceae636073"
hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c"
strings:
$s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword
$s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(), \"GBK\");" fullword
condition:
1 of them
}
rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
meta:
description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "1b5102bdc41a7bc439eea8f0010310a5"
hash1 = "f8a6d5306fb37414c5c772315a27832f"
hash2 = "37cb1db26b1b0161a4bf678a6b4565bd"
strings:
$s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals"
$s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword
condition:
all of them
}
rule webshell_404_data_in_JFolder_jfolder01_xxx {
meta:
description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "7066f4469c3ec20f4890535b5f299122"
hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
hash3 = "8979594423b68489024447474d113894"
hash4 = "ec482fc969d182e5440521c913bab9bd"
hash5 = "f98d2b33cd777e160d1489afed96de39"
hash6 = "4b4c12b3002fad88ca6346a873855209"
hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
hash8 = "e9a5280f77537e23da2545306f6a19ad"
strings:
$s4 = " <TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE"
condition:
all of them
}
rule webshell_jsp_reverse_jsp_reverse_jspbd {
meta:
description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
author = "Florian Roth"
date = "2014/01/28"
super_rule = 1
hash0 = "8b0e6779f25a17f0ffb3df14122ba594"
hash1 = "ea87f0c1f0535610becadf5a98aca2fc"
hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f"
score = 50
strings:
$s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword
$s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword
$s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword
condition:
all of them
}
rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
meta:
description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "36331f2c81bad763528d0ae00edf55be"
hash1 = "793b3d0a740dbf355df3e6f68b8217a4"
hash2 = "8979594423b68489024447474d113894"
hash3 = "ec482fc969d182e5440521c913bab9bd"
hash4 = "f98d2b33cd777e160d1489afed96de39"
hash5 = "4b4c12b3002fad88ca6346a873855209"
hash6 = "e9a5280f77537e23da2545306f6a19ad"
hash7 = "598eef7544935cf2139d1eada4375bb5"
strings:
$s0 = "sbFolder.append(\"<tr><td > </td><td>\");" fullword
$s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword
$s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword
$s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword
condition:
2 of them
}
rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
meta:
description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "64a3bf9142b045b9062b204db39d4d57"
hash1 = "9abd397c6498c41967b4dd327cf8b55a"
hash2 = "56c005690da2558690c4aa305a31ad37"
hash3 = "70a0ee2624e5bbe5525ccadc467519f6"
hash4 = "532b93e02cddfbb548ce5938fe2f5559"
hash5 = "6e0fa491d620d4af4b67bae9162844ae"
hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
strings:
$s1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword
$s6 = "password = (String)session.getAttribute(\"password\");" fullword
$s7 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231"
condition:
2 of them
}
rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
meta:
description = "Web Shell - from files shell.php, 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
author = "Florian Roth"
date = "2014/01/28"
score = 60
super_rule = 1
hash0 = "791708057d8b429d91357d38edf43cc0"
hash1 = "3e4ba470d4c38765e4b16ed930facf2c"
hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
hash3 = "b68bfafc6059fd26732fa07fb6f7f640"
hash4 = "40a1f840111996ff7200d18968e42cfe"
hash5 = "e0202adff532b28ef1ba206cf95962f2"
hash6 = "802f5cae46d394b297482fd0c27cb2fc"
strings:
$s0 = "$tabledump .= \"'\".mysql_escape_string($row[$fieldcounter]).\"'\";" fullword
$s5 = "while(list($kname, $columns) = @each($index)) {" fullword
$s6 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\";" fullword
$s9 = "$tabledump .= \" PRIMARY KEY ($colnames)\";" fullword
$fn = "filename: backup"
condition:
2 of ($s*) and not $fn
}
rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
meta:
description = "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4"
hash1 = "ef43fef943e9df90ddb6257950b3538f"
hash2 = "ae025c886fbe7f9ed159f49593674832"
hash3 = "911195a9b7c010f61b66439d9048f400"
hash4 = "697dae78c040150daff7db751fc0c03c"
hash5 = "513b7be8bd0595c377283a7c87b44b2e"
hash6 = "1d912c55b96e2efe8ca873d6040e3b30"
hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a"
hash8 = "4108f28a9792b50d95f95b9e5314fa1e"
hash9 = "41af6fd253648885c7ad2ed524e0692d"
hash10 = "6fcc283470465eed4870bcc3e2d7f14d"
strings:
$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
$s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC"
condition:
all of them
}
rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
meta:
description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "8ae9d2b50dc382f0571cd7492f079836"
hash1 = "e2830d3286001d1455479849aacbbb38"
hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4"
hash3 = "40c6ecf77253e805ace85f119fe1cebb"
strings:
$s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword
$s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|"
$s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+"
condition:
2 of them
}
rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
meta:
description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "f2fa878de03732fbf5c86d656467ff50"
hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c"
hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
strings:
$s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri"
$s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\""
$s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword
$s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de"
$s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER"
condition:
2 of them
}
rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
meta:
description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "0b19e9de790cd2f4325f8c24b22af540"
hash1 = "f3ca29b7999643507081caab926e2e74"
hash2 = "527cf81f9272919bf872007e21c4bdda"
strings:
$s1 = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type="
$s2 = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword
$s6 = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword
$s7 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword
condition:
2 of them
}
rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
meta:
description = "Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci] .Biz was here.php, acid.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99.php, c99shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
hash1 = "d3f38a6dc54a73d304932d9227a739ec"
hash2 = "9c34adbc8fd8d908cbb341734830f971"
hash3 = "f2fa878de03732fbf5c86d656467ff50"
hash4 = "b8f261a3cdf23398d573aaf55eaf63b5"
hash5 = "27786d1e0b1046a1a7f67ee41c64bf4c"
hash6 = "0f5b9238d281bc6ac13406bb24ac2a5b"
hash7 = "68c0629d08b1664f5bcce7d7f5f71d22"
hash8 = "157b4ac3c7ba3a36e546e81e9279eab5"
hash9 = "048ccc01b873b40d57ce25a4c56ea717"
strings:
$s0 = "echo \"<b>HEXDUMP:</b><nobr>"
$s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword
$s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r"
$s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB "
$s8 = "echo \"<center><b>Server-status variables:</b><br><br>\";" fullword
$s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"</textarea>"
condition:
2 of them
}
rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
meta:
description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
hash1 = "aa17b71bb93c6789911bd1c9df834ff9"
hash2 = "b68bfafc6059fd26732fa07fb6f7f640"
hash3 = "40a1f840111996ff7200d18968e42cfe"
hash4 = "e0202adff532b28ef1ba206cf95962f2"
hash5 = "802f5cae46d394b297482fd0c27cb2fc"
strings:
$s0 = "$this -> addFile($content, $filename);" fullword
$s3 = "function addFile($data, $name, $time = 0) {" fullword
$s8 = "function unix2DosTime($unixtime = 0) {" fullword
$s9 = "foreach($filelist as $filename){" fullword
condition:
all of them
}
rule webshell_c99_c66_c99_shadows_mod_c99shell {
meta:
description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b"
hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
hash3 = "048ccc01b873b40d57ce25a4c56ea717"
strings:
$s2 = " if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv"
$s3 = " \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword
$s4 = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66"
$s7 = " elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources"
$s8 = " \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos"
$s9 = " elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!"
condition:
2 of them
}
rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
meta:
description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "b330a6c2d49124ef0729539761d6ef0b"
hash1 = "d71716df5042880ef84427acee8b121e"
hash2 = "344f9073576a066142b2023629539ebd"
hash3 = "32dea47d9c13f9000c4c807561341bee"
hash4 = "b9744f6876919c46a29ea05b1d95b1c3"
hash5 = "3ea688e3439a1f56b16694667938316d"
hash6 = "2434a7a07cb47ce25b41d30bc291cacc"
strings:
$s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>\"+" fullword
$s4 = "out.println(\"<h2>File Manager - Current disk "\"+(cr.indexOf(\"/\") == 0?"
$s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword
$s8 = "\"<td nowrap>\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>"
condition:
2 of them
}
rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "8b457934da3821ba58b06a113e0d53d9"
hash3 = "d44df8b1543b837e57cc8f25a0a68d92"
hash4 = "e0354099bee243702eb11df8d0e046df"
hash5 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash6 = "655722eaa6c646437c8ae93daac46ae0"
hash7 = "591ca89a25f06cf01e4345f98a22845c"
strings:
$s0 = "return new Double(format.format(value)).doubleValue();" fullword
$s5 = "File tempF = new File(savePath);" fullword
$s9 = "if (tempF.isDirectory()) {" fullword
condition:
2 of them
}
rule webshell_c99_c99shell_c99_c99shell {
meta:
description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
hash1 = "d3f38a6dc54a73d304932d9227a739ec"
hash2 = "157b4ac3c7ba3a36e546e81e9279eab5"
hash3 = "048ccc01b873b40d57ce25a4c56ea717"
strings:
$s2 = "$bindport_pass = \"c99\";" fullword
$s5 = " else {echo \"<b>Execution PHP-code</b>\"; if (empty($eval_txt)) {$eval_txt = tr"
condition:
1 of them
}
rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
meta:
description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ae025c886fbe7f9ed159f49593674832"
hash1 = "513b7be8bd0595c377283a7c87b44b2e"
hash2 = "1d912c55b96e2efe8ca873d6040e3b30"
hash3 = "4108f28a9792b50d95f95b9e5314fa1e"
hash4 = "3f71175985848ee46cc13282fbed2269"
strings:
$s6 = "$res = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d"
$s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword
$s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword
$s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword
condition:
2 of them
}
rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
meta:
description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "0b19e9de790cd2f4325f8c24b22af540"
hash1 = "4745d510fed4378e4b1730f56f25e569"
hash2 = "f3ca29b7999643507081caab926e2e74"
hash3 = "46a18979750fa458a04343cf58faa9bd"
strings:
$s3 = "BODY, TD, TR {" fullword
$s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword
$s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword
condition:
2 of them
}
rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
hash4 = "8b457934da3821ba58b06a113e0d53d9"
hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
hash7 = "14e9688c86b454ed48171a9d4f48ace8"
hash8 = "b330a6c2d49124ef0729539761d6ef0b"
hash9 = "d71716df5042880ef84427acee8b121e"
hash10 = "341298482cf90febebb8616426080d1d"
hash11 = "29aebe333d6332f0ebc2258def94d57e"
hash12 = "42654af68e5d4ea217e6ece5389eb302"
hash13 = "88fc87e7c58249a398efd5ceae636073"
hash14 = "4a812678308475c64132a9b56254edbc"
hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
hash16 = "e0354099bee243702eb11df8d0e046df"
hash17 = "344f9073576a066142b2023629539ebd"
hash18 = "32dea47d9c13f9000c4c807561341bee"
hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash20 = "655722eaa6c646437c8ae93daac46ae0"
hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
hash22 = "6acc82544be056580c3a1caaa4999956"
hash23 = "6aa32a6392840e161a018f3907a86968"
hash24 = "591ca89a25f06cf01e4345f98a22845c"
hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c"
hash26 = "3ea688e3439a1f56b16694667938316d"
hash27 = "ab77e4d1006259d7cbc15884416ca88c"
hash28 = "71097537a91fac6b01f46f66ee2d7749"
hash29 = "2434a7a07cb47ce25b41d30bc291cacc"
hash30 = "7a4b090619ecce6f7bd838fe5c58554b"
strings:
$s3 = "String savePath = request.getParameter(\"savepath\");" fullword
$s4 = "URL downUrl = new URL(downFileUrl);" fullword
$s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword
$s6 = "String downFileUrl = request.getParameter(\"url\");" fullword
$s7 = "FileInputStream fInput = new FileInputStream(f);" fullword
$s8 = "URLConnection conn = downUrl.openConnection();" fullword
$s9 = "sis = request.getInputStream();" fullword
condition:
4 of them
}
rule webshell_2_520_icesword_job_ma1 {
meta:
description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "64a3bf9142b045b9062b204db39d4d57"
hash1 = "9abd397c6498c41967b4dd327cf8b55a"
hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
hash3 = "56c005690da2558690c4aa305a31ad37"
hash4 = "532b93e02cddfbb548ce5938fe2f5559"
strings:
$s1 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"></head>" fullword
$s3 = "<input type=\"hidden\" name=\"_EVENTTARGET\" value=\"\" />" fullword
$s8 = "<input type=\"hidden\" name=\"_EVENTARGUMENT\" value=\"\" />" fullword
condition:
2 of them
}
rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
meta:
description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "7066f4469c3ec20f4890535b5f299122"
hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
hash3 = "8979594423b68489024447474d113894"
hash4 = "ec482fc969d182e5440521c913bab9bd"
hash5 = "f98d2b33cd777e160d1489afed96de39"
hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
hash7 = "e9a5280f77537e23da2545306f6a19ad"
strings:
$s0 = "<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercol"
$s2 = " KB </td>" fullword
$s3 = "<table width=\"98%\" border=\"0\" cellspacing=\"0\" cellpadding=\""
$s4 = "<!-- <tr align=\"center\"> " fullword
condition:
all of them
}
rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
meta:
description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
hash1 = "42f211cec8032eb0881e87ebdb3d7224"
hash2 = "40a1f840111996ff7200d18968e42cfe"
hash3 = "0712e3dc262b4e1f98ed25760b206836"
strings:
$s4 = "http://www.4ngel.net" fullword
$s5 = "</a> | <a href=\"?action=phpenv\">PHP" fullword
$s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword
$s9 = "Codz by Angel" fullword
condition:
2 of them
}
rule webshell_c99_locus7s_c99_w4cking_xxx {
meta:
description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "38fd7e45f9c11a37463c3ded1c76af4c"
hash1 = "9c34adbc8fd8d908cbb341734830f971"
hash2 = "ef43fef943e9df90ddb6257950b3538f"
hash3 = "ae025c886fbe7f9ed159f49593674832"
hash4 = "911195a9b7c010f61b66439d9048f400"
hash5 = "697dae78c040150daff7db751fc0c03c"
hash6 = "513b7be8bd0595c377283a7c87b44b2e"
hash7 = "1d912c55b96e2efe8ca873d6040e3b30"
hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a"
hash9 = "4108f28a9792b50d95f95b9e5314fa1e"
hash10 = "b8f261a3cdf23398d573aaf55eaf63b5"
hash11 = "0d2c2c151ed839e6bafc7aa9c69be715"
hash12 = "41af6fd253648885c7ad2ed524e0692d"
hash13 = "6fcc283470465eed4870bcc3e2d7f14d"
strings:
$s1 = "$res = @shell_exec($cfe);" fullword
$s8 = "$res = @ob_get_contents();" fullword
$s9 = "@exec($cfe,$res);" fullword
condition:
2 of them
}
rule webshell_browser_201_3_ma_ma2_download {
meta:
description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "37603e44ee6dc1c359feb68a0d566f76"
hash1 = "a7e25b8ac605753ed0c438db93f6c498"
hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
hash4 = "4b45715fa3fa5473640e17f49ef5513d"
hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a"
strings:
$s1 = "private static final int EDITFIELD_ROWS = 30;" fullword
$s2 = "private static String tempdir = \".\";" fullword
$s6 = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\""
condition:
2 of them
}
rule webshell_000_403_c5_queryDong_spyjsp2010 {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "8b457934da3821ba58b06a113e0d53d9"
hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash4 = "655722eaa6c646437c8ae93daac46ae0"
strings:
$s2 = "\" <select name='encode' class='input'><option value=''>ANSI</option><option val"
$s7 = "JSession.setAttribute(\"MSG\",\"<span style='color:red'>Upload File Failed!</spa"
$s8 = "File f = new File(JSession.getAttribute(CURRENT_DIR)+\"/\"+fileBean.getFileName("
$s9 = "((Invoker)ins.get(\"vd\")).invoke(request,response,JSession);" fullword
condition:
2 of them
}
rule webshell_r57shell127_r57_kartal_r57 {
meta:
description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ae025c886fbe7f9ed159f49593674832"
hash1 = "1d912c55b96e2efe8ca873d6040e3b30"
hash2 = "4108f28a9792b50d95f95b9e5314fa1e"
strings:
$s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword
$s3 = "if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }" fullword
$s5 = "if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_"
condition:
2 of them
}
rule webshell_webshells_new_con2 {
meta:
description = "Web shells - generated from file con2.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "d3584159ab299d546bd77c9654932ae3"
strings:
$s7 = ",htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e"
$s10 = "j \"<Form action='\"&URL&\"?Action2=Post' method='post' name='EditForm'><input n"
condition:
1 of them
}
rule webshell_webshells_new_make2 {
meta:
description = "Web shells - generated from file make2.php"
author = "Florian Roth"
date = "2014/03/28"
hash = "9af195491101e0816a263c106e4c145e"
score = 50
strings:
$s1 = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8"
condition:
all of them
}
rule webshell_webshells_new_aaa {
meta:
description = "Web shells - generated from file aaa.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "68483788ab171a155db5266310c852b2"
strings:
$s0 = "Function fvm(jwv):If jwv=\"\"Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt=\""
$s5 = "<option value=\"\"DROP TABLE [jnc];exec mast\"&kvp&\"er..xp_regwrite 'HKEY_LOCAL"
$s17 = "if qpv=\"\" then qpv=\"x:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\"&br&"
condition:
1 of them
}
rule webshell_Expdoor_com_ASP {
meta:
description = "Web shells - generated from file Expdoor.com ASP.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "caef01bb8906d909f24d1fa109ea18a7"
strings:
$s4 = "\">www.Expdoor.com</a>" fullword
$s5 = " <input name=\"FileName\" type=\"text\" value=\"Asp_ver.Asp\" size=\"20\" max"
$s10 = "set file=fs.OpenTextFile(server.MapPath(FileName),8,True) '" fullword
$s14 = "set fs=server.CreateObject(\"Scripting.FileSystemObject\") '" fullword
$s16 = "<TITLE>Expdoor.com ASP" fullword
condition:
2 of them
}
rule webshell_webshells_new_php2 {
meta:
description = "Web shells - generated from file php2.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "fbf2e76e6f897f6f42b896c855069276"
strings:
$s0 = "<?php $s=@$_GET[2];if(md5($s.$s)=="
condition:
all of them
}
rule webshell_bypass_iisuser_p {
meta:
description = "Web shells - generated from file bypass-iisuser-p.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "924d294400a64fa888a79316fb3ccd90"
strings:
$s0 = "<%Eval(Request(chr(112))):Set fso=CreateObject"
condition:
all of them
}
rule webshell_sig_404super {
meta:
description = "Web shells - generated from file 404super.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "7ed63176226f83d36dce47ce82507b28"
strings:
$s4 = "$i = pack('c*', 0x70, 0x61, 99, 107);" fullword
$s6 = " 'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631')," fullword
$s7 = "//http://require.duapp.com/session.php" fullword
$s8 = "if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}" fullword
$s12 = "//define('pass','123456');" fullword
$s13 = "$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO"
condition:
1 of them
}
rule webshell_webshells_new_JSP {
meta:
description = "Web shells - generated from file JSP.jsp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "495f1a0a4c82f986f4bdf51ae1898ee7"
strings:
$s1 = "void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"
$s5 = "bw.write(z2);bw.close();sb.append(\"1\");}else if(Z.equals(\"E\")){EE(z1);sb.app"
$s11 = "if(Z.equals(\"A\")){String s=new File(application.getRealPath(request.getRequest"
condition:
1 of them
}
rule webshell_webshell_123 {
meta:
description = "Web shells - generated from file webshell-123.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "2782bb170acaed3829ea9a04f0ac7218"
strings:
$s0 = "// Web Shell!!" fullword
$s1 = "@preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6"
$s3 = "$default_charset = \"UTF-8\";" fullword
$s4 = "// url:http://www.weigongkai.com/shell/" fullword
condition:
2 of them
}
rule webshell_dev_core {
meta:
description = "Web shells - generated from file dev_core.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "55ad9309b006884f660c41e53150fc2e"
strings:
$s1 = "if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {" fullword
$s9 = "setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);" fullword
$s10 = "$_SESSION['code'] = _REQUEST(sprintf(\"%s?%s\",pack(\"H*\",'6874"
$s11 = "if (preg_match(\"/^HTTP\\/\\d\\.\\d\\s([\\d]+)\\s.*$/\", $status, $matches))"
$s12 = "eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C"
$s15 = "if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))"
condition:
1 of them
}
rule webshell_webshells_new_pHp {
meta:
description = "Web shells - generated from file pHp.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "b0e842bdf83396c3ef8c71ff94e64167"
strings:
$s0 = "if(is_readable($path)) antivirus($path.'/',$exs,$matches);" fullword
$s1 = "'/(eval|assert|include|require|include\\_once|require\\_once|array\\_map|arr"
$s13 = "'/(exec|shell\\_exec|system|passthru)+\\s*\\(\\s*\\$\\_(\\w+)\\[(.*)\\]\\s*"
$s14 = "'/(include|require|include\\_once|require\\_once)+\\s*\\(\\s*[\\'|\\\"](\\w+"
$s19 = "'/\\$\\_(\\w+)(.*)(eval|assert|include|require|include\\_once|require\\_once"
condition:
1 of them
}
rule webshell_webshells_new_pppp {
meta:
description = "Web shells - generated from file pppp.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "cf01cb6e09ee594545693c5d327bdd50"
strings:
$s0 = "Mail: chinese@hackermail.com" fullword
$s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo "
$s6 = "Site: http://blog.weili.me" fullword
condition:
1 of them
}
rule webshell_webshells_new_code {
meta:
description = "Web shells - generated from file code.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "a444014c134ff24c0be5a05c02b81a79"
strings:
$s1 = "<a class=\"high2\" href=\"javascript:;;;\" name=\"action=show&dir=$_ipage_fi"
$s7 = "$file = !empty($_POST[\"dir\"]) ? urldecode(self::convert_to_utf8(rtrim($_PO"
$s10 = "if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_"
$s14 = "Processed in <span id=\"runtime\"></span> second(s) {gzip} usage:"
$s17 = "<a href=\"javascript:;;;\" name=\"{return_link}\" onclick=\"fileperm"
condition:
1 of them
}
rule webshell_webshells_new_jspyyy {
meta:
description = "Web shells - generated from file jspyyy.jsp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "b291bf3ccc9dac8b5c7e1739b8fa742e"
strings:
$s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")"
condition:
all of them
}
rule webshell_webshells_new_xxxx {
meta:
description = "Web shells - generated from file xxxx.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "5bcba70b2137375225d8eedcde2c0ebb"
strings:
$s0 = "<?php eval($_POST[1]);?> " fullword
condition:
all of them
}
rule webshell_webshells_new_JJjsp3 {
meta:
description = "Web shells - generated from file JJjsp3.jsp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "949ffee1e07a1269df7c69b9722d293e"
strings:
$s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S"
condition:
all of them
}
rule webshell_webshells_new_PHP1 {
meta:
description = "Web shells - generated from file PHP1.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "14c7281fdaf2ae004ca5fec8753ce3cb"
strings:
$s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword
$s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword
$s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword
condition:
1 of them
}
rule webshell_webshells_new_JJJsp2 {
meta:
description = "Web shells - generated from file JJJsp2.jsp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "5a9fec45236768069c99f0bfd566d754"
strings:
$s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z"
$s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ"
$s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()"
$s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase("
condition:
1 of them
}
rule webshell_webshells_new_radhat {
meta:
description = "Web shells - generated from file radhat.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "72cb5ef226834ed791144abaa0acdfd4"
strings:
$s1 = "sod=Array(\"D\",\"7\",\"S"
condition:
all of them
}
rule webshell_webshells_new_asp1 {
meta:
description = "Web shells - generated from file asp1.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "b63e708cd58ae1ec85cf784060b69cad"
strings:
$s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword
$s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword
condition:
1 of them
}
rule webshell_webshells_new_php6 {
meta:
description = "Web shells - generated from file php6.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "ea75280224a735f1e445d244acdfeb7b"
strings:
$s1 = "array_map(\"asx73ert\",(ar"
$s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword
$s4 = "shell.php?qid=zxexp " fullword
condition:
1 of them
}
rule webshell_webshells_new_xxx {
meta:
description = "Web shells - generated from file xxx.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "0e71428fe68b39b70adb6aeedf260ca0"
strings:
$s3 = "<?php array_map(\"ass\\x65rt\",(array)$_REQUEST['expdoor']);?>" fullword
condition:
all of them
}
rule webshell_GetPostpHp {
meta:
description = "Web shells - generated from file GetPostpHp.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "20ede5b8182d952728d594e6f2bb5c76"
strings:
$s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword
condition:
all of them
}
rule webshell_webshells_new_php5 {
meta:
description = "Web shells - generated from file php5.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "cf2ab009cbd2576a806bfefb74906fdf"
strings:
$s0 = "<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u"
condition:
all of them
}
rule webshell_webshells_new_PHP {
meta:
description = "Web shells - generated from file PHP.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "a524e7ae8d71e37d2fd3e5fbdab405ea"
strings:
$s1 = "echo \"<font color=blue>Error!</font>\";" fullword
$s2 = "<input type=\"text\" size=61 name=\"f\" value='<?php echo $_SERVER[\"SCRIPT_FILE"
$s5 = " - ExpDoor.com</title>" fullword
$s10 = "$f=fopen($_POST[\"f\"],\"w\");" fullword
$s12 = "<textarea name=\"c\" cols=60 rows=15></textarea><br>" fullword
condition:
1 of them
}
rule webshell_webshells_new_Asp {
meta:
description = "Web shells - generated from file Asp.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "32c87744ea404d0ea0debd55915010b7"
strings:
$s1 = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" fullword
$s2 = "Function MorfiCoder(Code)" fullword
$s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" fullword
condition:
1 of them
}
/* Update from hackers tool pack */
rule perlbot_pl {
meta:
description = "Semi-Auto-generated - file perlbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7e4deb9884ffffa5d82c22f8dc533a45"
strings:
$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
$s1 = "#Acesso a Shel - 1 ON 0 OFF"
condition:
1 of them
}
rule php_backdoor_php {
meta:
description = "Semi-Auto-generated - file php-backdoor.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
strings:
$s0 = "http://michaeldaw.org 2006"
$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
$s3 = "coded by z0mbie"
condition:
1 of them
}
rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
meta:
description = "Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
strings:
$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
condition:
1 of them
}
rule Nshell__1__php_php {
meta:
description = "Semi-Auto-generated - file Nshell (1).php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "973fc89694097a41e684b43a21b1b099"
strings:
$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
condition:
1 of them
}
rule shankar_php_php {
meta:
description = "Semi-Auto-generated - file shankar.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "6eb9db6a3974e511b7951b8f7e7136bb"
strings:
$sAuthor = "ShAnKaR"
$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
condition:
1 of ($s*) and $sAuthor
}
rule Casus15_php_php {
meta:
description = "Semi-Auto-generated - file Casus15.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
strings:
$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
$s3 = "value='Calistirmak istediginiz "
condition:
1 of them
}
rule small_php_php {
meta:
description = "Semi-Auto-generated - file small.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fcee6226d09d150bfa5f103bee61fbde"
strings:
$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
$s4 = "@ini_set('error_log',NULL);" fullword
condition:
2 of them
}
rule shellbot_pl {
meta:
description = "Semi-Auto-generated - file shellbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
strings:
$s0 = "ShellBOT"
$s1 = "PacktsGr0up"
$s2 = "CoRpOrAtIoN"
$s3 = "# Servidor de irc que vai ser usado "
$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
condition:
2 of them
}
rule fuckphpshell_php {
meta:
description = "Semi-Auto-generated - file fuckphpshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "554e50c1265bb0934fcc8247ec3b9052"
strings:
$s0 = "$succ = \"Warning! "
$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
$s2 = "\\*=-- MEMBERS AREA --=*/"
$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
condition:
2 of them
}
rule ngh_php_php {
meta:
description = "Semi-Auto-generated - file ngh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c372b725419cdfd3f8a6371cfeebc2fd"
strings:
$s0 = "Cr4sh_aka_RKL"
$s1 = "NGH edition"
$s2 = "/* connectback-backdoor on perl"
$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
condition:
1 of them
}
rule jsp_reverse_jsp {
meta:
description = "Semi-Auto-generated - file jsp-reverse.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8b0e6779f25a17f0ffb3df14122ba594"
strings:
$s0 = "// backdoor.jsp"
$s1 = "JSP Backdoor Reverse Shell"
$s2 = "http://michaeldaw.org"
condition:
2 of them
}
rule Tool_asp {
meta:
description = "Semi-Auto-generated - file Tool.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
strings:
$s0 = "mailto:rhfactor@antisocial.com"
$s2 = "?raiz=root"
$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
condition:
2 of them
}
rule NT_Addy_asp {
meta:
description = "Semi-Auto-generated - file NT Addy.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2e0d1bae844c9a8e6e351297d77a1fec"
strings:
$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
$s4 = "RAW D.O.S. COMMAND INTERFACE"
condition:
1 of them
}
rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
meta:
description = "Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "089ff24d978aeff2b4b2869f0c7d38a3"
strings:
$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
condition:
1 of them
}
rule RemExp_asp {
meta:
description = "Semi-Auto-generated - file RemExp.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "aa1d8491f4e2894dbdb91eec1abc2244"
strings:
$s0 = "<title>Remote Explorer</title>"
$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
condition:
2 of them
}
rule phvayvv_php_php {
meta:
description = "Semi-Auto-generated - file phvayvv.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "35fb37f3c806718545d97c6559abd262"
strings:
$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
$s1 = "$baglan=fopen($duzkaydet,'w');"
$s2 = "PHVayv 1.0"
condition:
1 of them
}
rule klasvayv_asp {
meta:
description = "Semi-Auto-generated - file klasvayv.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b3e64bf8462fc3d008a3d1012da64ef"
strings:
$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
$s3 = "<font color=\"#858585\">www.aventgrup.net"
$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
condition:
1 of them
}
rule r57shell_php_php {
meta:
description = "Semi-Auto-generated - file r57shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d28445de424594a5f14d0fe2a7c4e94f"
strings:
$s0 = "r57shell" fullword
$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
$s2 = "RusH security team"
$s3 = "'ru_text12' => 'back-connect"
condition:
1 of them
}
rule rst_sql_php_php {
meta:
description = "Semi-Auto-generated - file rst_sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0961641a4ab2b8cb4d2beca593a92010"
strings:
$s0 = "C:\\tmp\\dump_"
$s1 = "RST MySQL"
$s2 = "http://rst.void.ru"
$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
condition:
2 of them
}
rule wh_bindshell_py {
meta:
description = "Semi-Auto-generated - file wh_bindshell.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fab20902862736e24aaae275af5e049c"
strings:
$s0 = "#Use: python wh_bindshell.py [port] [password]"
$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
condition:
1 of them
}
rule lurm_safemod_on_cgi {
meta:
description = "Semi-Auto-generated - file lurm_safemod_on.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5ea4f901ce1abdf20870c214b3231db3"
strings:
$s0 = "Network security team :: CGI Shell" fullword
$s1 = "#########################<<KONEC>>#####################################" fullword
$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
condition:
1 of them
}
rule c99madshell_v2_0_php_php {
meta:
description = "Semi-Auto-generated - file c99madshell_v2.0.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d27292895da9afa5b60b9d3014f39294"
strings:
$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
condition:
all of them
}
rule backupsql_php_often_with_c99shell {
meta:
description = "Semi-Auto-generated - file backupsql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
strings:
$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
condition:
all of them
}
rule uploader_php_php {
meta:
description = "Semi-Auto-generated - file uploader.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0b53b67bb3b004a8681e1458dd1895d0"
strings:
$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
condition:
2 of them
}
rule telnet_pl {
meta:
description = "Semi-Auto-generated - file telnet.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "dd9dba14383064e219e29396e242c1ec"
strings:
$s0 = "W A R N I N G: Private Server"
$s2 = "$Message = q$<pre><font color=\"#669999\"> _____ _____ _____ _____ "
condition:
all of them
}
rule w3d_php_php {
meta:
description = "Semi-Auto-generated - file w3d.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "987f66b29bfb209a0b4f097f84f57c3b"
strings:
$s0 = "W3D Shell"
$s1 = "By: Warpboy"
$s2 = "No Query Executed"
condition:
2 of them
}
rule WebShell_cgi {
meta:
description = "Semi-Auto-generated - file WebShell.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "bc486c2e00b5fc3e4e783557a2441e6f"
strings:
$s0 = "WebShell.cgi"
$s2 = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else"
condition:
all of them
}
rule WinX_Shell_html {
meta:
description = "Semi-Auto-generated - file WinX Shell.html.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "17ab5086aef89d4951fe9b7c7a561dda"
strings:
$s0 = "WinX Shell"
$s1 = "Created by greenwood from n57"
$s2 = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>"
condition:
2 of them
}
rule Dx_php_php {
meta:
description = "Semi-Auto-generated - file Dx.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
strings:
$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
$s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
condition:
1 of them
}
rule csh_php_php {
meta:
description = "Semi-Auto-generated - file csh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "194a9d3f3eac8bc56d9a7c55c016af96"
strings:
$s0 = ".::[c0derz]::. web-shell"
$s1 = "http://c0derz.org.ua"
$s2 = "vint21h@c0derz.org.ua"
$s3 = "$name='63a9f0ea7bb98050796b649e85481845';//root"
condition:
1 of them
}
rule pHpINJ_php_php {
meta:
description = "Semi-Auto-generated - file pHpINJ.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d7a4b0df45d34888d5a09f745e85733f"
strings:
$s1 = "News Remote PHP Shell Injection"
$s3 = "Php Shell <br />" fullword
$s4 = "<input type = \"text\" name = \"url\" value = \""
condition:
2 of them
}
rule sig_2008_php_php {
meta:
description = "Semi-Auto-generated - file 2008.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "3e4ba470d4c38765e4b16ed930facf2c"
strings:
$s0 = "Codz by angel(4ngel)"
$s1 = "Web: http://www.4ngel.net"
$s2 = "$admin['cookielife'] = 86400;"
$s3 = "$errmsg = 'The file you want Downloadable was nonexistent';"
condition:
1 of them
}
rule ak74shell_php_php {
meta:
description = "Semi-Auto-generated - file ak74shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7f83adcb4c1111653d30c6427a94f66f"
strings:
$s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION["
$s2 = "AK-74 Security Team Web Site: www.ak74-team.net"
$s3 = "$xshell"
condition:
2 of them
}
rule Rem_View_php_php {
meta:
description = "Semi-Auto-generated - file Rem View.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "29420106d9a81553ef0d1ca72b9934d9"
strings:
$s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\""
$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
$s4 ="Welcome to phpRemoteView (RemView)"
condition:
1 of them
}
rule Java_Shell_js {
meta:
description = "Semi-Auto-generated - file Java Shell.js.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "36403bc776eb12e8b7cc0eb47c8aac83"
strings:
$s2 = "PySystemState.initialize(System.getProperties(), null, argv);" fullword
$s3 = "public class JythonShell extends JPanel implements Runnable {" fullword
$s4 = "public static int DEFAULT_SCROLLBACK = 100"
condition:
2 of them
}
rule STNC_php_php {
meta:
description = "Semi-Auto-generated - file STNC.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2e56cfd5b5014cbbf1c1e3f082531815"
strings:
$s0 = "drmist.ru" fullword
$s1 = "hidden(\"action\",\"download\").hidden_pwd().\"<center><table><tr><td width=80"
$s2 = "STNC WebShell"
$s3 = "http://www.security-teams.net/index.php?showtopic="
condition:
1 of them
}
rule aZRaiLPhp_v1_0_php {
meta:
description = "Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "26b2d3943395682e36da06ed493a3715"
strings:
$s0 = "azrailphp"
$s1 = "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>"
$s3 = "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>"
condition:
2 of them
}
rule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php {
meta:
description = "Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d1b7b311a7ffffebf51437d7cd97dc65"
strings:
$s0 = ";$sd98=\"john.barker446@gmail.com\""
$s1 = "print \"Sending mail to $to....... \";"
$s2 = "<td colspan=\"2\" width=\"715\" background=\"/simparts/images/cellpic1.gif\" hei"
condition:
1 of them
}
rule zacosmall_php {
meta:
description = "Semi-Auto-generated - file zacosmall.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5295ee8dc2f5fd416be442548d68f7a6"
strings:
$s0 = "rand(1,99999);$sj98"
$s1 = "$dump_file.='`'.$rows2[0].'`"
$s3 = "filename=\\\"dump_{$db_dump}_${table_d"
condition:
2 of them
}
rule CmdAsp_asp {
meta:
description = "Semi-Auto-generated - file CmdAsp.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "64f24f09ec6efaa904e2492dffc518b9"
strings:
$s0 = "CmdAsp.asp"
$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
$s2 = "-- Use a poor man's pipe ... a temp file --"
$s3 = "maceo @ dogmile.com"
condition:
2 of them
}
rule simple_backdoor_php {
meta:
description = "Semi-Auto-generated - file simple-backdoor.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "f091d1b9274c881f8e41b2f96e6b9936"
strings:
$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
$s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->"
$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
condition:
2 of them
}
rule mysql_shell_php {
meta:
description = "Semi-Auto-generated - file mysql_shell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d42aec2891214cace99b3eb9f3e21a63"
strings:
$s0 = "SooMin Kim"
$s1 = "smkim@popeye.snu.ac.kr"
$s2 = "echo \"<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen"
condition:
1 of them
}
rule Dive_Shell_1_0___Emperor_Hacking_Team_php {
meta:
description = "Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "1b5102bdc41a7bc439eea8f0010310a5"
strings:
$s0 = "Emperor Hacking TEAM"
$s1 = "Simshell" fullword
$s2 = "ereg('^[[:blank:]]*cd[[:blank:]]"
$s3 = "<form name=\"shell\" action=\"<?php echo $_SERVER['PHP_SELF'] ?>\" method=\"POST"
condition:
2 of them
}
rule Asmodeus_v0_1_pl {
meta:
description = "Semi-Auto-generated - file Asmodeus v0.1.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0978b672db0657103c79505df69cb4bb"
strings:
$s0 = "[url=http://www.governmentsecurity.org"
$s1 = "perl asmodeus.pl client 6666 127.0.0.1"
$s2 = "print \"Asmodeus Perl Remote Shell"
$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
condition:
2 of them
}
rule backup_php_often_with_c99shell {
meta:
description = "Semi-Auto-generated - file backup.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "aeee3bae226ad57baf4be8745c3f6094"
strings:
$s0 = "#phpMyAdmin MySQL-Dump" fullword
$s2 = ";db_connect();header('Content-Type: application/octetstr"
$s4 = "$data .= \"#Database: $database" fullword
condition:
all of them
}
rule Reader_asp {
meta:
description = "Semi-Auto-generated - file Reader.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ad1a362e0a24c4475335e3e891a01731"
strings:
$s1 = "Mehdi & HolyDemon"
$s2 = "www.infilak."
$s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width=\"75%"
condition:
2 of them
}
rule phpshell17_php {
meta:
description = "Semi-Auto-generated - file phpshell17.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "9a928d741d12ea08a624ee9ed5a8c39d"
strings:
$s0 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" fullword
$s1 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></"
$s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
condition:
1 of them
}
rule myshell_php_php {
meta:
description = "Semi-Auto-generated - file myshell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "62783d1db52d05b1b6ae2403a7044490"
strings:
$s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory."
$s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color"
$s2 = " $fileEditInfo = \" ::::::: Owner: <font color=$"
condition:
2 of them
}
rule SimShell_1_0___Simorgh_Security_MGZ_php {
meta:
description = "Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "37cb1db26b1b0161a4bf678a6b4565bd"
strings:
$s0 = "Simorgh Security Magazine "
$s1 = "Simshell.css"
$s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
$s3 = "www.simorgh-ev.com"
condition:
2 of them
}
rule jspshall_jsp {
meta:
description = "Semi-Auto-generated - file jspshall.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "efe0f6edaa512c4e1fdca4eeda77b7ee"
strings:
$s0 = "kj021320"
$s1 = "case 'T':systemTools(out);break;"
$s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file"
condition:
2 of them
}
rule webshell_php {
meta:
description = "Semi-Auto-generated - file webshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "e425241b928e992bde43dd65180a4894"
strings:
$s2 = "<die(\"Couldn't Read directory, Blocked!!!\");"
$s3 = "PHP Web Shell"
condition:
all of them
}
rule rootshell_php {
meta:
description = "Semi-Auto-generated - file rootshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "265f3319075536030e59ba2f9ef3eac6"
strings:
$s0 = "shells.dl.am"
$s1 = "This server has been infected by $owner"
$s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>"
$s4 = "Could not write to file! (Maybe you didn't enter any text?)"
condition:
2 of them
}
rule connectback2_pl {
meta:
description = "Semi-Auto-generated - file connectback2.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "473b7d226ea6ebaacc24504bd740822e"
strings:
$s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL "
$s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
$s2 = "ConnectBack Backdoor"
condition:
1 of them
}
rule DefaceKeeper_0_2_php {
meta:
description = "Semi-Auto-generated - file DefaceKeeper_0.2.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "713c54c3da3031bc614a8a55dccd7e7f"
strings:
$s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
$s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9"
$s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center"
condition:
1 of them
}
rule shells_PHP_wso {
meta:
description = "Semi-Auto-generated - file wso.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "33e2891c13b78328da9062fbfcf898b6"
strings:
$s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi"
$s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos"
condition:
1 of them
}
rule backdoor1_php {
meta:
description = "Semi-Auto-generated - file backdoor1.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "e1adda1f866367f52de001257b4d6c98"
strings:
$s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".."
$s2 = "class backdoor {"
$s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <"
condition:
1 of them
}
rule elmaliseker_asp {
meta:
description = "Semi-Auto-generated - file elmaliseker.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b32d1730d23a660fd6aa8e60c3dc549f"
strings:
$s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\""
$s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">"
$s2 = "dim zombie_array,special_array"
$s3 = "http://vnhacker.org"
condition:
1 of them
}
rule indexer_asp {
meta:
description = "Semi-Auto-generated - file indexer.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "9ea82afb8c7070817d4cdf686abe0300"
strings:
$s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
$s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit"
condition:
1 of them
}
rule DxShell_php_php {
meta:
description = "Semi-Auto-generated - file DxShell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "33a2b31810178f4c2e71fbdeb4899244"
strings:
$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
$s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><"
condition:
1 of them
}
rule s72_Shell_v1_1_Coding_html {
meta:
description = "Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c2e8346a5515c81797af36e7e4a3828e"
strings:
$s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
$s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\""
condition:
1 of them
}
rule hidshell_php_php {
meta:
description = "Semi-Auto-generated - file hidshell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c2f3327d60884561970c63ffa09439a4"
strings:
$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
condition:
all of them
}
rule kacak_asp {
meta:
description = "Semi-Auto-generated - file kacak.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "907d95d46785db21331a0324972dda8c"
strings:
$s0 = "Kacak FSO 1.0"
$s1 = "if request.querystring(\"TGH\") = \"1\" then"
$s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style="
$s4 = "mailto:BuqX@hotmail.com"
condition:
1 of them
}
rule PHP_Backdoor_Connect_pl_php {
meta:
description = "Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "57fcd9560dac244aeaf95fd606621900"
strings:
$s0 = "LorD of IRAN HACKERS SABOTAGE"
$s1 = "LorD-C0d3r-NT"
$s2 = "echo --==Userinfo==-- ;"
condition:
1 of them
}
rule Antichat_Socks5_Server_php_php {
meta:
description = "Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "cbe9eafbc4d86842a61a54d98e5b61f1"
strings:
$s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
$s3 = "# [+] Domain name address type"
$s4 = "www.antichat.ru"
condition:
1 of them
}
rule Antichat_Shell_v1_3_php {
meta:
description = "Semi-Auto-generated - file Antichat Shell v1.3.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "40d0abceba125868be7f3f990f031521"
strings:
$s0 = "Antichat"
$s1 = "Can't open file, permission denide"
$s2 = "$ra44"
condition:
2 of them
}
rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php {
meta:
description = "Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "49ad9117c96419c35987aaa7e2230f63"
strings:
$s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy"
$s1 = "Mode Shell v1.0</font></span>"
$s2 = "has been already loaded. PHP Emperor <xb5@hotmail."
condition:
1 of them
}
rule mysql_php_php {
meta:
description = "Semi-Auto-generated - file mysql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "12bbdf6ef403720442a47a3cc730d034"
strings:
$s0 = "action=mysqlread&mass=loadmass\">load all defaults"
$s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru"
$s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = "
condition:
1 of them
}
rule Worse_Linux_Shell_php {
meta:
description = "Semi-Auto-generated - file Worse Linux Shell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8338c8d9eab10bd38a7116eb534b5fa2"
strings:
$s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td"
$s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd"
condition:
1 of them
}
rule cyberlords_sql_php_php {
meta:
description = "Semi-Auto-generated - file cyberlords_sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "03b06b4183cb9947ccda2c3d636406d4"
strings:
$s0 = "Coded by n0 [nZer0]"
$s1 = " www.cyberlords.net"
$s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE"
$s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);"
condition:
1 of them
}
rule cmd_asp_5_1_asp {
meta:
description = "Semi-Auto-generated - file cmd-asp-5.1.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8baa99666bf3734cbdfdd10088e0cd9f"
strings:
$s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword
$s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
condition:
1 of them
}
rule pws_php_php {
meta:
description = "Semi-Auto-generated - file pws.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ecdc6c20f62f99fa265ec9257b7bf2ce"
strings:
$s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword
$s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword
$s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>"
condition:
2 of them
}
rule PHP_Shell_php_php {
meta:
description = "Semi-Auto-generated - file PHP Shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
strings:
$s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
$s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
condition:
all of them
}
rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {
meta:
description = "Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8a8c8bb153bd1ee097559041f2e5cf0a"
strings:
$s0 = "Ayyildiz"
$s1 = "TouCh By iJOo"
$s2 = "First we check if there has been asked for a working directory"
$s3 = "http://ayyildiz.org/images/whosonline2.gif"
condition:
2 of them
}
rule EFSO_2_asp {
meta:
description = "Semi-Auto-generated - file EFSO_2.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b5fde9682fd63415ae211d53c6bfaa4d"
strings:
$s0 = "Ejder was HERE"
$s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~"
condition:
2 of them
}
rule lamashell_php {
meta:
description = "Semi-Auto-generated - file lamashell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "de9abc2e38420cad729648e93dfc6687"
strings:
$s0 = "lama's'hell" fullword
$s1 = "if($_POST['king'] == \"\") {"
$s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f"
condition:
1 of them
}
rule Ajax_PHP_Command_Shell_php {
meta:
description = "Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "93d1a2e13a3368a2472043bd6331afe9"
strings:
$s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>"
$s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help"
$s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct"
condition:
1 of them
}
rule JspWebshell_1_2_jsp {
meta:
description = "Semi-Auto-generated - file JspWebshell 1.2.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "70a0ee2624e5bbe5525ccadc467519f6"
strings:
$s0 = "JspWebshell"
$s1 = "CreateAndDeleteFolder is error:"
$s2 = "<td width=\"70%\" height=\"22\"> <%=env.queryHashtable(\"java.c"
$s3 = "String _password =\"111\";"
condition:
2 of them
}
rule Sincap_php_php {
meta:
description = "Semi-Auto-generated - file Sincap.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b68b90ff6012a103e57d141ed38a7ee9"
strings:
$s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');"
$s2 = "$tampon4=$tampon3-1"
$s3 = "@aventgrup.net"
condition:
2 of them
}
rule Test_php_php {
meta:
description = "Semi-Auto-generated - file Test.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "77e331abd03b6915c6c6c7fe999fcb50"
strings:
$s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword
$s2 = "fwrite ($fp, \"$yazi\");" fullword
$s3 = "$entry_line=\"HACKed by EntriKa\";" fullword
condition:
1 of them
}
rule Phyton_Shell_py {
meta:
description = "Semi-Auto-generated - file Phyton Shell.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "92b3c897090867c65cc169ab037a0f55"
strings:
$s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword
$s2 = "# d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword
$s3 = "print \"error; help: head -n 16 d00r.py\"" fullword
$s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword
condition:
1 of them
}
rule mysql_tool_php_php {
meta:
description = "Semi-Auto-generated - file mysql_tool.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5fbe4d8edeb2769eda5f4add9bab901e"
strings:
$s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['"
$s1 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV"
$s4 = "<div align=\"center\">The backup process has now started<br "
condition:
1 of them
}
rule Zehir_4_asp {
meta:
description = "Semi-Auto-generated - file Zehir 4.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7f4e12e159360743ec016273c3b9108c"
strings:
$s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time="
$s4 = "<input type=submit value=\"Test Et!\" onclick=\""
condition:
1 of them
}
rule sh_php_php {
meta:
description = "Semi-Auto-generated - file sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "330af9337ae51d0bac175ba7076d6299"
strings:
$s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e"
$s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:"
condition:
1 of them
}
rule phpbackdoor15_php {
meta:
description = "Semi-Auto-generated - file phpbackdoor15.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0fdb401a49fc2e481e3dfd697078334b"
strings:
$s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na"
$s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI"
$s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s"
condition:
1 of them
}
rule phpjackal_php {
meta:
description = "Semi-Auto-generated - file phpjackal.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ab230817bcc99acb9bdc0ec6d264d76f"
strings:
$s3 = "$dl=$_REQUEST['downloaD'];"
$s4 = "else shelL(\"perl.exe $name $port\");"
condition:
1 of them
}
rule sql_php_php {
meta:
description = "Semi-Auto-generated - file sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8334249cbb969f2d33d678fec2b680c5"
strings:
$s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#"
$s2 = "http://rst.void.ru"
$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
condition:
1 of them
}
rule cgi_python_py {
meta:
description = "Semi-Auto-generated - file cgi-python.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0a15f473e2232b89dae1075e1afdac97"
strings:
$s0 = "a CGI by Fuzzyman"
$s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + "
$s2 = "values = map(lambda x: x.value, theform[field]) # allows for"
condition:
1 of them
}
rule ru24_post_sh_php_php {
meta:
description = "Semi-Auto-generated - file ru24_post_sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5b334d494564393f419af745dc1eeec7"
strings:
$s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"</title>" fullword
$s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
$s4 = "Writed by DreAmeRz" fullword
condition:
1 of them
}
rule DTool_Pro_php {
meta:
description = "Semi-Auto-generated - file DTool Pro.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "366ad973a3f327dfbfb915b0faaea5a6"
strings:
$s0 = "r3v3ng4ns\\nDigite"
$s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi"
$s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n"
condition:
1 of them
}
rule telnetd_pl {
meta:
description = "Semi-Auto-generated - file telnetd.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5f61136afd17eb025109304bd8d6d414"
strings:
$s0 = "0ldW0lf" fullword
$s1 = "However you are lucky :P"
$s2 = "I'm FuCKeD"
$s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#"
$s4 = "atrix@irc.brasnet.org"
condition:
1 of them
}
rule php_include_w_shell_php {
meta:
description = "Semi-Auto-generated - file php-include-w-shell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "4e913f159e33867be729631a7ca46850"
strings:
$s0 = "$dataout .= \"<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd"
$s1 = "if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB"
condition:
1 of them
}
rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php {
meta:
description = "Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "6163b30600f1e80d2bb5afaa753490b6"
strings:
$s0 = "Safe0ver" fullword
$s1 = "Script Gecisi Tamamlayamadi!"
$s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%"
condition:
1 of them
}
rule shell_php_php {
meta:
description = "Semi-Auto-generated - file shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "1a95f0163b6dea771da1694de13a3d8d"
strings:
$s1 = "/* We have found the parent dir. We must be carefull if the parent " fullword
$s2 = "$tmpfile = tempnam('/tmp', 'phpshell');"
$s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
condition:
1 of them
}
rule telnet_cgi {
meta:
description = "Semi-Auto-generated - file telnet.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "dee697481383052980c20c48de1598d1"
strings:
$s0 = "www.rohitab.com"
$s1 = "W A R N I N G: Private Server"
$s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie"
$s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C"
condition:
1 of them
}
rule ironshell_php {
meta:
description = "Semi-Auto-generated - file ironshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8bfa2eeb8a3ff6afc619258e39fded56"
strings:
$s0 = "www.ironwarez.info"
$s1 = "$cookiename = \"wieeeee\";"
$s2 = "~ Shell I"
$s3 = "www.rootshell-team.info"
$s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);"
condition:
1 of them
}
rule backdoorfr_php {
meta:
description = "Semi-Auto-generated - file backdoorfr.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "91e4afc7444ed258640e85bcaf0fecfc"
strings:
$s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan"
$s2 = "print(\"<br>Provenance du mail : <input type=\\\"text\\\" name=\\\"provenanc"
condition:
1 of them
}
rule aspydrv_asp {
meta:
description = "Semi-Auto-generated - file aspydrv.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "1c01f8a88baee39aa1cebec644bbcb99"
score = 60
strings:
$s0 = "If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))"
$s1 = "password"
$s2 = "session(\"shagman\")="
condition:
2 of them
}
rule cmdjsp_jsp {
meta:
description = "Semi-Auto-generated - file cmdjsp.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b815611cc39f17f05a73444d699341d4"
strings:
$s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
$s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
$s2 = "cmdjsp.jsp"
$s3 = "michaeldaw.org" fullword
condition:
2 of them
}
rule h4ntu_shell__powered_by_tsoi_ {
meta:
description = "Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "06ed0b2398f8096f1bebf092d0526137"
strings:
$s0 = "h4ntu shell"
$s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
condition:
1 of them
}
rule Ajan_asp {
meta:
description = "Semi-Auto-generated - file Ajan.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b6f468252407efc2318639da22b08af0"
strings:
$s1 = "c:\\downloaded.zip"
$s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword
$s3 = "http://www35.websamba.com/cybervurgun/"
condition:
1 of them
}
rule PHANTASMA_php {
meta:
description = "Semi-Auto-generated - file PHANTASMA.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "52779a27fa377ae404761a7ce76a5da7"
strings:
$s0 = ">[*] Safemode Mode Run</DIV>"
$s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>"
$s2 = "[*] Spawning Shell"
$s3 = "Cha0s"
condition:
2 of them
}
rule MySQL_Web_Interface_Version_0_8_php {
meta:
description = "Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "36d4f34d0a22080f47bb1cb94107c60f"
strings:
$s0 = "SooMin Kim"
$s1 = "http://popeye.snu.ac.kr/~smkim/mysql"
$s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename"
$s3 = "<th>Type</th><th> M </th><th> D </th><th>unsigned</th><th>zerofi"
condition:
2 of them
}
rule simple_cmd_html {
meta:
description = "Semi-Auto-generated - file simple_cmd.html.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c6381412df74dbf3bcd5a2b31522b544"
strings:
$s1 = "<title>G-Security Webshell</title>" fullword
$s2 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
$s3 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
$s4 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
condition:
all of them
}
rule multiple_webshells_0001 {
meta:
description = "Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_1_c2007_php_php_c100_php"
hash0 = "44542e5c3e9790815c49d5f9beffbbf2"
hash1 = "d089e7168373a0634e1ac18c0ee00085"
hash2 = "38fd7e45f9c11a37463c3ded1c76af4c"
strings:
$s0 = "echo \"<b>Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\""
$s3 = "echo \"<td> <a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
condition:
1 of them
}
rule multiple_webshells_0002 {
meta:
description = "Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_nst_php_php_img_php_php_nstview_php_php"
hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
hash1 = "17a07bb84e137b8aa60f87cd6bfab748"
hash2 = "4745d510fed4378e4b1730f56f25e569"
strings:
$s0 = "<tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i"
$s1 = "$perl_proxy_scp = \"IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v"
$s2 = "<tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input"
condition:
1 of them
}
rule multiple_webshells_0003 {
meta:
description = "Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_network_php_php_xinfo_php_php_nfm_php_php"
hash0 = "acdbba993a5a4186fd864c5e4ea0ba4f"
hash1 = "2601b6fc1579f263d2f3960ce775df70"
hash2 = "401fbae5f10283051c39e640b77e4c26"
strings:
$s0 = ".textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa"
$s2 = "<input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''"
condition:
all of them
}
rule multiple_webshells_0004 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s2 = "echo \"<hr size=\\\"1\\\" noshade><b>Done!</b><br>Total time (secs.): \".$ft"
$s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r"
condition:
1 of them
}
rule multiple_webshells_0005 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "911195a9b7c010f61b66439d9048f400"
hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
hash3 = "8023394542cddf8aee5dec6072ed02b5"
hash4 = "eed14de3907c9aa2550d95550d1a2d5f"
hash5 = "817671e1bdc85e04cc3440bbd9288800"
strings:
$s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o"
$s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult"
condition:
1 of them
}
rule multiple_webshells_0006 {
meta:
description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php"
hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
hash3 = "671cad517edd254352fe7e0c7c981c39"
strings:
$s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\""
$s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\""
$s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\""
condition:
2 of them
}
rule multiple_webshells_0007 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_spy_php_php_s_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "eed14de3907c9aa2550d95550d1a2d5f"
hash2 = "817671e1bdc85e04cc3440bbd9288800"
strings:
$s2 = "echo $te.\"<div align=center><textarea cols=35 name=db_query>\".(!empty($_POST['"
$s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>"
condition:
1 of them
}
rule multiple_webshells_0008 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash5 = "09609851caa129e40b0d56e90dfc476c"
hash6 = "671cad517edd254352fe7e0c7c981c39"
strings:
$s0 = " if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\""
$s1 = " if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile"
$s2 = " echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr"
$s3 = " elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m"
condition:
all of them
}
rule multiple_webshells_0009 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash5 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "$sess_data[\"cut\"] = array(); c99_s"
$s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))"
condition:
1 of them
}
rule multiple_webshells_0010 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_wacking_php_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "9c5bb5e3a46ec28039e8986324e42792"
hash2 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "\"<td> <a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
$s2 = "c99sh_sqlquery"
condition:
1 of them
}
rule multiple_webshells_0011 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
hash4 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "else {$act = \"f\"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA"
$s3 = "else {echo \"<b>File \\\"\".$sql_getfile.\"\\\":</b><br>\".nl2br(htmlspec"
condition:
1 of them
}
rule multiple_webshells_0012 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "911195a9b7c010f61b66439d9048f400"
hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
hash4 = "817671e1bdc85e04cc3440bbd9288800"
strings:
$s0 = "echo sr(15,\"<b>\".$lang[$language.'_text"
$s1 = ".$arrow.\"</b>\",in('text','"
condition:
2 of them
}
rule multiple_webshells_0013 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "911195a9b7c010f61b66439d9048f400"
hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
strings:
$s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword
$s1 = "$name='ec371748dc2da624b35a4f8f685dd122'"
$s2 = "rst.void.ru"
condition:
3 of them
}
rule multiple_webshells_0014 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "8023394542cddf8aee5dec6072ed02b5"
hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
hash3 = "817671e1bdc85e04cc3440bbd9288800"
strings:
$s0 = "echo ws(2).$lb.\" <a"
$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']"
$s3 = "if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?(\"dir\"):(\"l"
condition:
2 of them
}
rule multiple_webshells_0015 {
meta:
description = "Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_wacking_php_php_1_SpecialShell_99_php_php_c100_php"
hash0 = "9c5bb5e3a46ec28039e8986324e42792"
hash1 = "44542e5c3e9790815c49d5f9beffbbf2"
hash2 = "09609851caa129e40b0d56e90dfc476c"
hash3 = "38fd7e45f9c11a37463c3ded1c76af4c"
strings:
$s0 = "if(eregi(\"./shbd $por\",$scan))"
$s1 = "$_POST['backconnectip']"
$s2 = "$_POST['backcconnmsg']"
condition:
1 of them
}
rule multiple_webshells_0016 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
hash2 = "8023394542cddf8aee5dec6072ed02b5"
hash3 = "eed14de3907c9aa2550d95550d1a2d5f"
hash4 = "817671e1bdc85e04cc3440bbd9288800"
strings:
$s1 = "if(rmdir($_POST['mk_name']))"
$s2 = "$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>"
$s3 = "if(unlink($_POST['mk_name'])) echo \"<table width=100% cellpadding=0 cell"
condition:
2 of them
}
rule multiple_webshells_0017 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "9c5bb5e3a46ec28039e8986324e42792"
hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
hash3 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi"
$s1 = "echo \"<b>Execute file:</b><form action=\\\"\".$surl.\"\\\" method=POST><inpu"
$s2 = "\"ext_htaccess\"=>array(\"ext_htaccess\",\"ext_htpasswd"
condition:
1 of them
}
rule multiple_webshells_0018 {
meta:
description = "Semi-Auto-generated - from files webadmin.php.php.txt, iMHaPFtp.php.php.txt, Private-i3lue.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php"
hash0 = "b268e6fa3bf3fe496cffb4ea574ec4c7"
hash1 = "12911b73bc6a5d313b494102abcf5c57"
hash2 = "13f5c7a035ecce5f9f380967cf9d4e92"
strings:
$s0 = "return $type . $owner . $group . $other;" fullword
$s1 = "$owner = ($mode & 00400) ? 'r' : '-';" fullword
condition:
all of them
}
rule multiple_php_webshells {
meta:
description = "Semi-Auto-generated - from files multiple_php_webshells"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "911195a9b7c010f61b66439d9048f400"
hash2 = "be0f67f3e995517d18859ed57b4b4389"
hash3 = "eddf7a8fde1e50a7f2a817ef7cece24f"
hash4 = "8023394542cddf8aee5dec6072ed02b5"
hash5 = "eed14de3907c9aa2550d95550d1a2d5f"
hash6 = "817671e1bdc85e04cc3440bbd9288800"
hash7 = "7101fe72421402029e2629f3aaed6de7"
hash8 = "f618f41f7ebeb5e5076986a66593afd1"
strings:
$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
$s2 = "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0"
$s4 = "A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg"
condition:
2 of them
}
rule multiple_webshells_0019 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
strings:
$s0 = "<b>Dumped! Dump has been writed to "
$s1 = "if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo \"<TABLE st"
$s2 = "<input type=submit name=actarcbuff value=\\\"Pack buffer to archive"
condition:
1 of them
}
rule multiple_webshells_0020 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
strings:
$s0 = "@ini_set(\"highlight" fullword
$s1 = "echo \"<b>Result of execution this PHP-code</b>:<br>\";" fullword
$s2 = "{$row[] = \"<b>Owner/Group</b>\";}" fullword
condition:
2 of them
}
rule multiple_webshells_0021 {
meta:
description = "Semi-Auto-generated - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_GFS_web_shell_ver_3_1_7___PRiV8_php_nshell_php_php_gfs_sh_php_php"
hash0 = "be0f67f3e995517d18859ed57b4b4389"
hash1 = "4a44d82da21438e32d4f514ab35c26b6"
hash2 = "f618f41f7ebeb5e5076986a66593afd1"
strings:
$s2 = "echo $uname.\"</font><br><b>\";" fullword
$s3 = "while(!feof($f)) { $res.=fread($f,1024); }" fullword
$s4 = "echo \"user=\".@get_current_user().\" uid=\".@getmyuid().\" gid=\".@getmygid()"
condition:
2 of them
}
rule multiple_webshells_0022 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash4 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "c99ftpbrutecheck"
$s1 = "$ftpquick_t = round(getmicrotime()-$ftpquick_st,4);" fullword
$s2 = "$fqb_lenght = $nixpwdperpage;" fullword
$s3 = "$sock = @ftp_connect($host,$port,$timeout);" fullword
condition:
2 of them
}
rule multiple_webshells_0023 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "9c5bb5e3a46ec28039e8986324e42792"
hash2 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash3 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash4 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "$sqlquicklaunch[] = array(\""
$s1 = "else {echo \"<center><b>File does not exists (\".htmlspecialchars($d.$f).\")!<"
condition:
all of them
}
rule multiple_webshells_0024 {
meta:
description = "Semi-Auto-generated - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_antichat_php_php_Fatalshell_php_php_a_gedit_php_php"
hash0 = "128e90b5e2df97e21e96d8e268cde7e3"
hash1 = "b15583f4eaad10a25ef53ab451a4a26d"
hash2 = "ab9c6b24ca15f4a1b7086cad78ff0f78"
strings:
$s0 = "if(@$_POST['save'])writef($file,$_POST['data']);" fullword
$s1 = "if($action==\"phpeval\"){" fullword
$s2 = "$uploadfile = $dirupload.\"/\".$_POST['filename'];" fullword
$s3 = "$dir=getcwd().\"/\";" fullword
condition:
2 of them
}
rule multiple_webshells_0025 {
meta:
description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_c99shell_v1_0_php_php_c99php_SsEs_php_php"
hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
strings:
$s3 = "if (!empty($delerr)) {echo \"<b>Deleting with errors:</b><br>\".$delerr;}" fullword
condition:
1 of them
}
rule multiple_webshells_0026 {
meta:
description = "Semi-Auto-generated - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_Crystal_php_nshell_php_php_load_shell_php_php"
hash0 = "fdbf54d5bf3264eb1c4bff1fac548879"
hash1 = "4a44d82da21438e32d4f514ab35c26b6"
hash2 = "0c5d227f4aa76785e4760cdcff78a661"
strings:
$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
$s1 = "$dires = $dires . $directory;" fullword
$s4 = "$arr = array_merge($arr, glob(\"*\"));" fullword
condition:
2 of them
}
rule multiple_webshells_0027 {
meta:
description = "Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_nst_php_php_cybershell_php_php_img_php_php_nstview_php_php"
hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
hash1 = "ef8828e0bc0641a655de3932199c0527"
hash2 = "17a07bb84e137b8aa60f87cd6bfab748"
hash3 = "4745d510fed4378e4b1730f56f25e569"
strings:
$s0 = "@$rto=$_POST['rto'];" fullword
$s2 = "SCROLLBAR-TRACK-COLOR: #91AAFF" fullword
$s3 = "$to1=str_replace(\"//\",\"/\",$to1);" fullword
condition:
2 of them
}
rule multiple_webshells_0028 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "433706fdc539238803fd47c4394b5109"
hash4 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":"
$s1 = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" fullword
condition:
all of them
}
rule multiple_webshells_0029 {
meta:
description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php"
hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash2 = "44542e5c3e9790815c49d5f9beffbbf2"
hash3 = "d089e7168373a0634e1ac18c0ee00085"
hash4 = "38fd7e45f9c11a37463c3ded1c76af4c"
strings:
$s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword
condition:
all of them
}
rule multiple_php_webshells_2 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash5 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
hash6 = "09609851caa129e40b0d56e90dfc476c"
hash7 = "671cad517edd254352fe7e0c7c981c39"
strings:
$s0 = "elseif (!empty($ft)) {echo \"<center><b>Manually selected type is incorrect. I"
$s1 = "else {echo \"<center><b>Unknown extension (\".$ext.\"), please, select type ma"
$s3 = "$s = \"!^(\".implode(\"|\",$tmp).\")$!i\";" fullword
condition:
all of them
}
rule multiple_webshells_0030 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "44542e5c3e9790815c49d5f9beffbbf2"
hash4 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "if ($total === FALSE) {$total = 0;}" fullword
$s1 = "$free_percent = round(100/($total/$free),2);" fullword
$s2 = "if (!$bool) {$bool = is_dir($letter.\":\\\\\");}" fullword
$s3 = "$bool = $isdiskette = in_array($letter,$safemode_diskettes);" fullword
condition:
2 of them
}
rule multiple_webshells_0031 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_r57_php_php_spy_php_php_s_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f"
hash2 = "eed14de3907c9aa2550d95550d1a2d5f"
hash3 = "817671e1bdc85e04cc3440bbd9288800"
strings:
$s0 = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword
$s2 = "'eng_text30'=>'Cat file'," fullword
$s3 = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword
condition:
1 of them
}
rule multiple_webshells_0032 {
meta:
description = "Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php"
hash0 = "40a3e86a63d3d7f063a86aab5b5f92c6"
hash1 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash2 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash3 = "f3ca29b7999643507081caab926e2e74"
strings:
$s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword
$s1 = "$ret = posix_kill($pid,$sig);" fullword
$s2 = "if ($uid) {echo join(\":\",$uid).\"<br>\";}" fullword
$s3 = "$i = $nixpasswd;" fullword
condition:
2 of them
}
/* GIF Header webshell */
rule DarkSecurityTeam_Webshell {
meta:
description = "Dark Security Team Webshell"
author = "Florian Roth"
hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24"
score = 50
strings:
$s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii
condition:
1 of them
}
rule PHP_Cloaked_Webshell_SuperFetchExec {
meta:
description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC"
reference = "http://goo.gl/xFvioC"
author = "Florian Roth"
score = 50
strings:
$s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);"
condition:
$s0
}
/* PHP Webshell Update - August 2014 - deducted from https://github.com/JohnTroony/php-webshells */
rule WebShell_RemExp_asp_php {
meta:
description = "PHP Webshells Github Archive - file RemExp.asp.php.txt"
author = "Florian Roth"
hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2"
strings:
$s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword
$s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
$s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword
$s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword
$s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\"> Name</td>" fullword
condition:
all of them
}
rule WebShell_dC3_Security_Crew_Shell_PRiV {
meta:
description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php"
author = "Florian Roth"
hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a"
strings:
$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
$s4 = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword
$s5 = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword
$s15 = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword
$s16 = "echo base64_decode($images[$_GET['pic']]);" fullword
$s20 = "if (isset($_GET['rename_all'])) {" fullword
condition:
3 of them
}
rule WebShell_simattacker {
meta:
description = "PHP Webshells Github Archive - file simattacker.php"
author = "Florian Roth"
hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9"
strings:
$s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword
$s4 = " Turkish Hackers : WWW.ALTURKS.COM <br>" fullword
$s5 = " Programer : SimAttacker - Edited By KingDefacer<br>" fullword
$s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
$s10 = " e-mail : kingdefacer@msn.com<br>" fullword
$s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
$s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
$s20 = "$Comments=$_POST['Comments'];" fullword
condition:
2 of them
}
rule WebShell_DTool_Pro {
meta:
description = "PHP Webshells Github Archive - file DTool Pro.php"
author = "Florian Roth"
hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353"
strings:
$s1 = "function PHPget(){inclVar(); if(confirm(\"O PHPget agora oferece uma lista pront"
$s2 = "<font size=3>by r3v3ng4ns - revengans@gmail.com </font>" fullword
$s3 = "function PHPwriter(){inclVar();var url=prompt(\"[ PHPwriter ] by r3v3ng4ns\\nDig"
$s11 = "//Turns the 'ls' command more usefull, showing it as it looks in the shell" fullword
$s13 = "if (@file_exists(\"/usr/bin/wget\")) $pro3=\"<i>wget</i> at /usr/bin/wget, \";" fullword
$s14 = "//To keep the changes in the url, when using the 'GET' way to send php variables" fullword
$s16 = "function PHPf(){inclVar();var o=prompt(\"[ PHPfilEditor ] by r3v3ng4ns\\nDigite "
$s18 = "if(empty($fu)) $fu = @$_GET['fu'];" fullword
condition:
3 of them
}
rule WebShell_ironshell {
meta:
description = "PHP Webshells Github Archive - file ironshell.php"
author = "Florian Roth"
hash = "d47b8ba98ea8061404defc6b3a30839c4444a262"
strings:
$s0 = "<title>'.getenv(\"HTTP_HOST\").' ~ Shell I</title>" fullword
$s2 = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST"
$s4 = "error_reporting(0); //If there is an error, we'll show it, k?" fullword
$s8 = "print \"<form action=\\\"\".$me.\"?p=chmod&file=\".$content.\"&d"
$s15 = "if(!is_numeric($_POST['timelimit']))" fullword
$s16 = "if($_POST['chars'] == \"9999\")" fullword
$s17 = "<option value=\\\"az\\\">a - zzzzz</option>" fullword
$s18 = "print shell_exec($command);" fullword
condition:
3 of them
}
rule WebShell_indexer_asp_php {
meta:
description = "PHP Webshells Github Archive - file indexer.asp.php.txt"
author = "Florian Roth"
hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d"
strings:
$s0 = "<meta http-equiv=\"Content-Language\" content=\"tr\">" fullword
$s1 = "<title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>" fullword
$s2 = "<form action=\"?Gonder\" method=\"post\">" fullword
$s4 = "<form action=\"?oku\" method=\"post\">" fullword
$s7 = "var message=\"SaNaLTeRoR - " fullword
$s8 = "nDexEr - Reader\"" fullword
condition:
3 of them
}
rule WebShell_toolaspshell {
meta:
description = "PHP Webshells Github Archive - file toolaspshell.php"
author = "Florian Roth"
hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f"
strings:
$s0 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef"
$s12 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword
$s20 = "destino3 = folderItem.path & \"\\index.asp\"" fullword
condition:
2 of them
}
rule WebShell_b374k_mini_shell_php_php {
meta:
description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php"
author = "Florian Roth"
hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143"
strings:
$s0 = "@error_reporting(0);" fullword
$s2 = "@eval(gzinflate(base64_decode($code)));" fullword
$s3 = "@set_time_limit(0); " fullword
condition:
all of them
}
rule WebShell_Sincap_1_0 {
meta:
description = "PHP Webshells Github Archive - file Sincap 1.0.php"
author = "Florian Roth"
hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c"
strings:
$s4 = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" fullword
$s5 = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" fullword
$s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword
$s12 = "while (($ekinci=readdir ($sedat))){" fullword
$s19 = "$deger2= \"$ich[$tampon4]\";" fullword
condition:
2 of them
}
rule WebShell_b374k_php {
meta:
description = "PHP Webshells Github Archive - file b374k.php.php"
author = "Florian Roth"
hash = "04c99efd187cf29dc4e5603c51be44170987bce2"
strings:
$s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword
$s6 = "// password (default is: b374k)"
$s8 = "//******************************************************************************"
$s9 = "// b374k 2.2" fullword
$s10 = "eval(\"?>\".gzinflate(base64_decode("
condition:
3 of them
}
rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend {
meta:
description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
author = "Florian Roth"
hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44"
strings:
$s4 = " Iranian Hackers : WWW.SIMORGH-EV.COM <br>" fullword
$s5 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
$s10 = "<a style=\"TEXT-DECORATION: none\" href=\"http://www.simorgh-ev.com\">" fullword
$s16 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
$s17 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
$s19 = "$Comments=$_POST['Comments'];" fullword
$s20 = "Victim Mail :<br><input type='text' name='to' ><br>" fullword
condition:
3 of them
}
rule WebShell_h4ntu_shell__powered_by_tsoi_ {
meta:
description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php"
author = "Florian Roth"
hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9"
strings:
$s11 = "<title>h4ntu shell [powered by tsoi]</title>" fullword
$s13 = "$cmd = $_POST['cmd'];" fullword
$s16 = "$uname = posix_uname( );" fullword
$s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword
$s18 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>"
$s20 = "ob_end_clean();" fullword
condition:
3 of them
}
rule WebShell_php_webshells_MyShell {
meta:
description = "PHP Webshells Github Archive - file MyShell.php"
author = "Florian Roth"
hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d"
strings:
$s3 = "<title>MyShell error - Access Denied</title>" fullword
$s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword
$s5 = "//A workdir has been asked for - we chdir to that dir." fullword
$s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
$s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword
$s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword
$s19 = "#every command you excecute." fullword
$s20 = "<form name=\"shell\" method=\"post\">" fullword
condition:
3 of them
}
rule WebShell_php_webshells_pws {
meta:
description = "PHP Webshells Github Archive - file pws.php"
author = "Florian Roth"
hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b"
strings:
$s6 = "if ($_POST['cmd']){" fullword
$s7 = "$cmd = $_POST['cmd'];" fullword
$s10 = "echo \"FILE UPLOADED TO $dez\";" fullword
$s11 = "if (file_exists($uploaded)) {" fullword
$s12 = "copy($uploaded, $dez);" fullword
$s17 = "passthru($cmd);" fullword
condition:
4 of them
}
rule WebShell_reader_asp_php {
meta:
description = "PHP Webshells Github Archive - file reader.asp.php.txt"
author = "Florian Roth"
hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931"
strings:
$s5 = "ster\" name=submit> </Font> <a href=mailto:mailbomb@hotmail"
$s12 = " HACKING " fullword
$s16 = "FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT: "
$s20 = "PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG"
condition:
3 of them
}
rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 {
meta:
description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php"
author = "Florian Roth"
hash = "db076b7c80d2a5279cab2578aa19cb18aea92832"
strings:
$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
$s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor <xb5@hotmail."
$s11 = "die(\"<FONT COLOR=\\\"RED\\\"><CENTER>Sorry... File" fullword
$s15 = "if(empty($_GET['file'])){" fullword
$s16 = "echo \"<head><title>Safe Mode Shell</title></head>\"; " fullword
condition:
3 of them
}
rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
meta:
description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
author = "Florian Roth"
hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4"
strings:
$s4 = "$liz0zim=shell_exec($_POST[liz0]); " fullword
$s6 = "$liz0=shell_exec($_POST[baba]); " fullword
$s9 = "echo \"<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E"
$s12 = " :=) :</font><select size=\"1\" name=\"liz0\">" fullword
$s13 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
condition:
1 of them
}
rule WebShell_php_backdoor {
meta:
description = "PHP Webshells Github Archive - file php-backdoor.php"
author = "Florian Roth"
hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe"
strings:
$s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword
$s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi"
$s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword
$s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword
$s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
condition:
1 of them
}
rule WebShell_Worse_Linux_Shell {
meta:
description = "PHP Webshells Github Archive - file Worse Linux Shell.php"
author = "Florian Roth"
hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96"
strings:
$s4 = "if( $_POST['_act'] == \"Upload!\" ) {" fullword
$s5 = "print \"<center><h1>#worst @dal.net</h1></center>\";" fullword
$s7 = "print \"<center><h1>Linux Shells</h1></center>\";" fullword
$s8 = "$currentCMD = \"ls -la\";" fullword
$s14 = "print \"<tr><td><b>System type:</b></td><td>$UName</td></tr>\";" fullword
$s19 = "$currentCMD = str_replace(\"\\\\\\\\\",\"\\\\\",$_POST['_cmd']);" fullword
condition:
2 of them
}
rule WebShell_php_webshells_pHpINJ {
meta:
description = "PHP Webshells Github Archive - file pHpINJ.php"
author = "Florian Roth"
hash = "75116bee1ab122861b155cc1ce45a112c28b9596"
strings:
$s3 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword
$s10 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword
$s11 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN"
$s13 = "Full server path to a writable file which will contain the Php Shell <br />" fullword
$s14 = "$expurl= $url.\"?id=\".$sql ;" fullword
$s15 = "<header>|| .::News PHP Shell Injection::. ||</header> <br /> <br />" fullword
$s16 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword
condition:
1 of them
}
rule WebShell_php_webshells_NGH {
meta:
description = "PHP Webshells Github Archive - file NGH.php"
author = "Florian Roth"
hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645"
strings:
$s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?></title>" fullword
$s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword
$s5 = "<form action=<?=$script?>?act=bindshell method=POST>" fullword
$s9 = "<form action=<?=$script?>?act=backconnect method=POST>" fullword
$s11 = "<form action=<?=$script?>?act=mkdir method=POST>" fullword
$s16 = "die(\"<font color=#DF0000>Login error</font>\");" fullword
$s20 = "<b>Bind /bin/bash at port: </b><input type=text name=port size=8>" fullword
condition:
2 of them
}
rule WebShell_php_webshells_matamu {
meta:
description = "PHP Webshells Github Archive - file matamu.php"
author = "Florian Roth"
hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733"
strings:
$s2 = "$command .= ' -F';" fullword
$s3 = "/* We try and match a cd command. */" fullword
$s4 = "directory... Trust me - it works :-) */" fullword
$s5 = "$command .= \" 1> $tmpfile 2>&1; \" ." fullword
$s10 = "$new_dir = $regs[1]; // 'cd /something/...'" fullword
$s16 = "/* The last / in work_dir were the first charecter." fullword
condition:
2 of them
}
rule WebShell_ru24_post_sh {
meta:
description = "PHP Webshells Github Archive - file ru24_post_sh.php"
author = "Florian Roth"
hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769"
strings:
$s1 = "http://www.ru24-team.net" fullword
$s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
$s6 = "Ru24PostWebShell"
$s7 = "Writed by DreAmeRz" fullword
$s9 = "$function=passthru; // system, exec, cmd" fullword
condition:
1 of them
}
rule WebShell_hiddens_shell_v1 {
meta:
description = "PHP Webshells Github Archive - file hiddens shell v1.php"
author = "Florian Roth"
hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59"
strings:
$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
condition:
all of them
}
rule WebShell_c99_madnet {
meta:
description = "PHP Webshells Github Archive - file c99_madnet.php"
author = "Florian Roth"
hash = "17613df393d0a99fd5bea18b2d4707f566cff219"
strings:
$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
$s1 = "eval(gzinflate(base64_decode('"
$s2 = "$pass = \"pass\"; //Pass" fullword
$s3 = "$login = \"user\"; //Login" fullword
$s4 = " //Authentication" fullword
condition:
all of them
}
rule WebShell_c99_locus7s {
meta:
description = "PHP Webshells Github Archive - file c99_locus7s.php"
author = "Florian Roth"
hash = "d413d4700daed07561c9f95e1468fb80238fbf3c"
strings:
$s8 = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword
$s9 = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y"
$s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq"
$s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword
$s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword
condition:
2 of them
}
rule WebShell_JspWebshell_1_2 {
meta:
description = "PHP Webshells Github Archive - file JspWebshell_1.2.php"
author = "Florian Roth"
hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa"
strings:
$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
$s1 = "String password=request.getParameter(\"password\");" fullword
$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
$s7 = "String editfile=request.getParameter(\"editfile\");" fullword
$s8 = "//String tempfilename=request.getParameter(\"file\");" fullword
$s12 = "password = (String)session.getAttribute(\"password\");" fullword
condition:
3 of them
}
rule WebShell_safe0ver {
meta:
description = "PHP Webshells Github Archive - file safe0ver.php"
author = "Florian Roth"
hash = "366639526d92bd38ff7218b8539ac0f154190eb8"
strings:
$s3 = "$scriptident = \"$scriptTitle By Evilc0der.com\";" fullword
$s4 = "while (file_exists(\"$lastdir/newfile$i.txt\"))" fullword
$s5 = "else { /* <!-- Then it must be a File... --> */" fullword
$s7 = "$contents .= htmlentities( $line ) ;" fullword
$s8 = "<br><p><br>Safe Mode ByPAss<p><form method=\"POST\">" fullword
$s14 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
$s20 = "/* <!-- End of Actions --> */" fullword
condition:
3 of them
}
rule WebShell_Uploader {
meta:
description = "PHP Webshells Github Archive - file Uploader.php"
author = "Florian Roth"
hash = "e216c5863a23fde8a449c31660fd413d77cce0b7"
strings:
$s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
condition:
all of them
}
rule WebShell_php_webshells_kral {
meta:
description = "PHP Webshells Github Archive - file kral.php"
author = "Florian Roth"
hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc"
strings:
$s1 = "$adres=gethostbyname($ip);" fullword
$s3 = "curl_setopt($ch,CURLOPT_POSTFIELDS,\"domain=\".$site);" fullword
$s4 = "$ekle=\"/index.php?option=com_user&view=reset&layout=confirm\";" fullword
$s16 = "echo $son.' <br> <font color=\"green\">Access</font><br>';" fullword
$s17 = "<p>kodlama by <a href=\"mailto:priv8coder@gmail.com\">BLaSTER</a><br /"
$s20 = "<p><strong>Server listeleyici</strong><br />" fullword
condition:
2 of them
}
rule WebShell_cgitelnet {
meta:
description = "PHP Webshells Github Archive - file cgitelnet.php"
author = "Florian Roth"
hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3"
strings:
$s9 = "# Author Homepage: http://www.rohitab.com/" fullword
$s10 = "elsif($Action eq \"command\") # user wants to run a command" fullword
$s18 = "# in a command line on Windows NT." fullword
$s20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword
condition:
2 of them
}
rule WebShell_simple_backdoor {
meta:
description = "PHP Webshells Github Archive - file simple-backdoor.php"
author = "Florian Roth"
hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512"
strings:
$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
$s1 = "<!-- http://michaeldaw.org 2006 -->" fullword
$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
$s3 = " echo \"</pre>\";" fullword
$s4 = " $cmd = ($_REQUEST['cmd']);" fullword
$s5 = " echo \"<pre>\";" fullword
$s6 = "if(isset($_REQUEST['cmd'])){" fullword
$s7 = " die;" fullword
$s8 = " system($cmd);" fullword
condition:
all of them
}
rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 {
meta:
description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
author = "Florian Roth"
hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25"
strings:
$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
$s3 = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword
$s4 = "$v = @ini_get(\"open_basedir\");" fullword
$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
condition:
2 of them
}
rule WebShell_NTDaddy_v1_9 {
meta:
description = "PHP Webshells Github Archive - file NTDaddy v1.9.php"
author = "Florian Roth"
hash = "79519aa407fff72b7510c6a63c877f2e07d7554b"
strings:
$s2 = "| -obzerve : mr_o@ihateclowns.com |" fullword
$s6 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
$s13 = "<form action=ntdaddy.asp method=post>" fullword
$s17 = "response.write(\"<ERROR: THIS IS NOT A TEXT FILE>\")" fullword
condition:
2 of them
}
rule WebShell_lamashell {
meta:
description = "PHP Webshells Github Archive - file lamashell.php"
author = "Florian Roth"
hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560"
strings:
$s0 = "if(($_POST['exe']) == \"Execute\") {" fullword
$s8 = "$curcmd = $_POST['king'];" fullword
$s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword
$s18 = "<title>lama's'hell v. 3.0</title>" fullword
$s19 = "_|_ O _ O _|_" fullword
$s20 = "$curcmd = \"ls -lah\";" fullword
condition:
2 of them
}
rule WebShell_Simple_PHP_backdoor_by_DK {
meta:
description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php"
author = "Florian Roth"
hash = "03f6215548ed370bec0332199be7c4f68105274e"
strings:
$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
$s1 = "<!-- http://michaeldaw.org 2006 -->" fullword
$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
$s6 = "if(isset($_REQUEST['cmd'])){" fullword
$s8 = "system($cmd);" fullword
condition:
2 of them
}
rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT {
meta:
description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php"
author = "Florian Roth"
hash = "31e5473920a2cc445d246bc5820037d8fe383201"
strings:
$s4 = "$content = chunk_split(base64_encode($content)); " fullword
$s12 = "print \"Sending mail to $to....... \"; " fullword
$s16 = "if (!$from && !$subject && !$message && !$emaillist){ " fullword
condition:
all of them
}
rule WebShell_C99madShell_v__2_0_madnet_edition {
meta:
description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php"
author = "Florian Roth"
hash = "f99f8228eb12746847f54bad45084f19d1a7e111"
strings:
$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
$s1 = "eval(gzinflate(base64_decode('"
$s2 = "$pass = \"\"; //Pass" fullword
$s3 = "$login = \"\"; //Login" fullword
$s4 = "//Authentication" fullword
condition:
all of them
}
rule WebShell_CmdAsp_asp_php {
meta:
description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt"
author = "Florian Roth"
hash = "cb18e1ac11e37e236e244b96c2af2d313feda696"
strings:
$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
$s4 = "' Author: Maceo <maceo @ dogmile.com>" fullword
$s5 = "' -- Use a poor man's pipe ... a temp file -- '" fullword
$s6 = "' --------------------o0o--------------------" fullword
$s8 = "' File: CmdAsp.asp" fullword
$s11 = "<-- CmdAsp.asp -->" fullword
$s14 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
$s16 = "Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
$s19 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
condition:
4 of them
}
rule WebShell_NCC_Shell {
meta:
description = "PHP Webshells Github Archive - file NCC-Shell.php"
author = "Florian Roth"
hash = "64d4495875a809b2730bd93bec2e33902ea80a53"
strings:
$s0 = " if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {" fullword
$s1 = "<b>--Coded by Silver" fullword
$s2 = "<title>Upload - Shell/Datei</title>" fullword
$s8 = "<a href=\"http://www.n-c-c.6x.to\" target=\"_blank\">-->NCC<--</a></center></b><"
$s14 = "~|_Team .:National Cracker Crew:._|~<br>" fullword
$s18 = "printf(\"Sie ist %u Bytes gro" fullword
condition:
3 of them
}
rule WebShell_php_webshells_README {
meta:
description = "PHP Webshells Github Archive - file README.md"
author = "Florian Roth"
hash = "ef2c567b4782c994db48de0168deb29c812f7204"
strings:
$s0 = "Common php webshells. Do not host the file(s) in your server!" fullword
$s1 = "php-webshells" fullword
condition:
all of them
}
rule WebShell_backupsql {
meta:
description = "PHP Webshells Github Archive - file backupsql.php"
author = "Florian Roth"
hash = "863e017545ec8e16a0df5f420f2d708631020dd4"
strings:
$s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ."
$s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
$s2 = "* as email attachment, or send to a remote ftp server by" fullword
$s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword
$s17 = "$from = \"Neu-Cool@email.com\"; // Who should the emails be sent from?, may "
condition:
2 of them
}
rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version {
meta:
description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php"
author = "Florian Roth"
hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4"
strings:
$s8 = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword
$s9 = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'."
$s10 = "<b><font color=#83000>Execute system commands!</font></b>" fullword
condition:
1 of them
}
rule WebShell_php_webshells_cpanel {
meta:
description = "PHP Webshells Github Archive - file cpanel.php"
author = "Florian Roth"
hash = "433dab17106b175c7cf73f4f094e835d453c0874"
strings:
$s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword
$s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword
$s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword
$s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword
$s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir"
$s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword
condition:
2 of them
}
rule WebShell_accept_language {
meta:
description = "PHP Webshells Github Archive - file accept_language.php"
author = "Florian Roth"
hash = "180b13576f8a5407ab3325671b63750adbcb62c9"
strings:
$s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword
condition:
all of them
}
rule WebShell_php_webshells_529 {
meta:
description = "PHP Webshells Github Archive - file 529.php"
author = "Florian Roth"
hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3"
strings:
$s0 = "<p>More: <a href=\"/\">Md5Cracking.Com Crew</a> " fullword
$s7 = "href=\"/\" title=\"Securityhouse\">Security House - Shell Center - Edited By Kin"
$s9 = "echo '<PRE><P>This is exploit from <a " fullword
$s10 = "This Exploit Was Edited By KingDefacer" fullword
$s13 = "safe_mode and open_basedir Bypass PHP 5.2.9 " fullword
$s14 = "$hardstyle = explode(\"/\", $file); " fullword
$s20 = "while($level--) chdir(\"..\"); " fullword
condition:
2 of them
}
rule WebShell_STNC_WebShell_v0_8 {
meta:
description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php"
author = "Florian Roth"
hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc"
strings:
$s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword
$s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()"
$s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw"
condition:
2 of them
}
rule WebShell_php_webshells_tryag {
meta:
description = "PHP Webshells Github Archive - file tryag.php"
author = "Florian Roth"
hash = "42d837e9ab764e95ed11b8bd6c29699d13fe4c41"
strings:
$s1 = "<title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>" fullword
$s3 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\"; " fullword
$s6 = "$string = !empty($_POST['string']) ? $_POST['string'] : 0; " fullword
$s7 = "$tabledump .= \"CREATE TABLE $table (\\n\"; " fullword
$s14 = "echo \"<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE"
condition:
3 of them
}
rule WebShell_dC3_Security_Crew_Shell_PRiV_2 {
meta:
description = "PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php"
author = "Florian Roth"
hash = "9077eb05f4ce19c31c93c2421430dd3068a37f17"
strings:
$s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword
$s9 = "header(\"Last-Modified: \".date(\"r\",filemtime(__FILE__)));" fullword
$s13 = "header(\"Content-type: image/gif\");" fullword
$s14 = "@copy($file,$to) or die (\"[-]Error copying file!\");" fullword
$s20 = "if (isset($_GET['rename_all'])) {" fullword
condition:
3 of them
}
rule WebShell_qsd_php_backdoor {
meta:
description = "PHP Webshells Github Archive - file qsd-php-backdoor.php"
author = "Florian Roth"
hash = "4856bce45fc5b3f938d8125f7cdd35a8bbae380f"
strings:
$s1 = "// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c"
$s2 = "if(isset($_POST[\"newcontent\"]))" fullword
$s3 = "foreach($parts as $val)//Assemble the path back together" fullword
$s7 = "$_POST[\"newcontent\"]=urldecode(base64_decode($_POST[\"newcontent\"]));" fullword
condition:
2 of them
}
rule WebShell_php_webshells_spygrup {
meta:
description = "PHP Webshells Github Archive - file spygrup.php"
author = "Florian Roth"
hash = "12f9105332f5dc5d6360a26706cd79afa07fe004"
strings:
$s2 = "kingdefacer@msn.com</FONT></CENTER></B>\");" fullword
$s6 = "if($_POST['root']) $root = $_POST['root'];" fullword
$s12 = "\".htmlspecialchars($file).\" Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>" fullword
$s18 = "By KingDefacer From Spygrup.org>" fullword
condition:
3 of them
}
rule WebShell_Web_shell__c_ShAnKaR {
meta:
description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php"
author = "Florian Roth"
hash = "3dd4f25bd132beb59d2ae0c813373c9ea20e1b7a"
strings:
$s0 = "header(\"Content-Length: \".filesize($_POST['downf']));" fullword
$s5 = "if($_POST['save']==0){echo \"<textarea cols=70 rows=10>\".htmlspecialchars($dump"
$s6 = "write(\"#\\n#Server : \".getenv('SERVER_NAME').\"" fullword
$s12 = "foreach(@file($_POST['passwd']) as $fed)echo $fed;" fullword
condition:
2 of them
}
rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz {
meta:
description = "PHP Webshells Github Archive - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.php"
author = "Florian Roth"
hash = "5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68"
strings:
$s7 = "<meta name=\"Copyright\" content=TouCh By iJOo\">" fullword
$s11 = "directory... Trust me - it works :-) */" fullword
$s15 = "/* ls looks much better with ' -F', IMHO. */" fullword
$s16 = "} else if ($command == 'ls') {" fullword
condition:
3 of them
}
rule WebShell_Gamma_Web_Shell {
meta:
description = "PHP Webshells Github Archive - file Gamma Web Shell.php"
author = "Florian Roth"
hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a"
strings:
$s4 = "$ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];" fullword
$s8 = "### Gamma Group <http://www.gammacenter.com>" fullword
$s15 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword
$s20 = "my $command = $self->query('command');" fullword
condition:
2 of them
}
rule WebShell_php_webshells_aspydrv {
meta:
description = "PHP Webshells Github Archive - file aspydrv.php"
author = "Florian Roth"
hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a"
strings:
$s0 = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\" ' ---Directory to which files"
$s1 = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword
$s3 = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword
$s17 = "If request.querystring(\"getDRVs\")=\"@\" then" fullword
$s20 = "' ---Copy Too Folder routine Start" fullword
condition:
3 of them
}
rule WebShell_JspWebshell_1_2_2 {
meta:
description = "PHP Webshells Github Archive - file JspWebshell 1.2.php"
author = "Florian Roth"
hash = "184fc72b51d1429c44a4c8de43081e00967cf86b"
strings:
$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
$s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword
$s15 = "endPoint=random1.getFilePointer();" fullword
$s20 = "if (request.getParameter(\"command\") != null) {" fullword
condition:
3 of them
}
rule WebShell_g00nshell_v1_3 {
meta:
description = "PHP Webshells Github Archive - file g00nshell-v1.3.php"
author = "Florian Roth"
hash = "70fe072e120249c9e2f0a8e9019f984aea84a504"
strings:
$s10 = "#To execute commands, simply include ?cmd=___ in the url. #" fullword
$s15 = "$query = \"SHOW COLUMNS FROM \" . $_GET['table'];" fullword
$s16 = "$uakey = \"724ea055b975621b9d679f7077257bd9\"; // MD5 encoded user-agent" fullword
$s17 = "echo(\"<form method='GET' name='shell'>\");" fullword
$s18 = "echo(\"<form method='post' action='?act=sql'>\");" fullword
condition:
2 of them
}
rule WebShell_WinX_Shell {
meta:
description = "PHP Webshells Github Archive - file WinX Shell.php"
author = "Florian Roth"
hash = "a94d65c168344ad9fa406d219bdf60150c02010e"
strings:
$s4 = "// It's simple shell for all Win OS." fullword
$s5 = "//------- [netstat -an] and [ipconfig] and [tasklist] ------------" fullword
$s6 = "<html><head><title>-:[GreenwooD]:- WinX Shell</title></head>" fullword
$s13 = "// Created by greenwood from n57" fullword
$s20 = " if (is_uploaded_file($userfile)) {" fullword
condition:
3 of them
}
rule WebShell_PHANTASMA {
meta:
description = "PHP Webshells Github Archive - file PHANTASMA.php"
author = "Florian Roth"
hash = "cd12d42abf854cd34ff9e93a80d464620af6d75e"
strings:
$s12 = "\" printf(\\\"Usage: %s [Host] <port>\\\\n\\\", argv[0]);\\n\" ." fullword
$s15 = "if ($portscan != \"\") {" fullword
$s16 = "echo \"<br>Banner: $get <br><br>\";" fullword
$s20 = "$dono = get_current_user( );" fullword
condition:
3 of them
}
rule WebShell_php_webshells_cw {
meta:
description = "PHP Webshells Github Archive - file cw.php"
author = "Florian Roth"
hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf"
strings:
$s1 = "// Dump Database [pacucci.com]" fullword
$s2 = "$dump = \"-- Database: \".$_POST['db'] .\" \\n\";" fullword
$s7 = "$aids = passthru(\"perl cbs.pl \".$_POST['connhost'].\" \".$_POST['connport']);" fullword
$s8 = "<b>IP:</b> <u>\" . $_SERVER['REMOTE_ADDR'] .\"</u> - Server IP:</b> <a href='htt"
$s14 = "$dump .= \"-- Cyber-Warrior.Org\\n\";" fullword
$s20 = "if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)" fullword
condition:
3 of them
}
rule WebShell_php_include_w_shell {
meta:
description = "PHP Webshells Github Archive - file php-include-w-shell.php"
author = "Florian Roth"
hash = "1a7f4868691410830ad954360950e37c582b0292"
strings:
$s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" fullword
$s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword
$s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword
condition:
1 of them
}
rule WebShell_mysql_tool {
meta:
description = "PHP Webshells Github Archive - file mysql_tool.php"
author = "Florian Roth"
hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474"
strings:
$s12 = "$dump .= \"-- Dumping data for table '$table'\\n\";" fullword
$s20 = "$dump .= \"CREATE TABLE $table (\\n\";" fullword
condition:
2 of them
}
rule WebShell_PhpSpy_Ver_2006 {
meta:
description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php"
author = "Florian Roth"
hash = "34a89e0ab896c3518d9a474b71ee636ca595625d"
strings:
$s2 = "var_dump(@$shell->RegRead($_POST['readregname']));" fullword
$s12 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
$s19 = "$program = isset($_POST['program']) ? $_POST['program'] : \"c:\\winnt\\system32"
$s20 = "$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\\winnt\\backdoor.exe'"
condition:
1 of them
}
rule WebShell_ZyklonShell {
meta:
description = "PHP Webshells Github Archive - file ZyklonShell.php"
author = "Florian Roth"
hash = "3fa7e6f3566427196ac47551392e2386a038d61c"
strings:
$s0 = "The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>" fullword
$s1 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" fullword
$s2 = "<TITLE>404 Not Found</TITLE>" fullword
$s3 = "<H1>Not Found</H1>" fullword
condition:
all of them
}
rule WebShell_php_webshells_myshell {
meta:
description = "PHP Webshells Github Archive - file myshell.php"
author = "Florian Roth"
hash = "5bd52749872d1083e7be076a5e65ffcde210e524"
strings:
$s0 = "if($ok==false &&$status && $autoErrorTrap)system($command . \" 1> /tmp/outpu"
$s5 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
$s15 = "<title>$MyShellVersion - Access Denied</title>" fullword
$s16 = "}$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTT"
condition:
1 of them
}
rule WebShell_php_webshells_lolipop {
meta:
description = "PHP Webshells Github Archive - file lolipop.php"
author = "Florian Roth"
hash = "86f23baabb90c93465e6851e40104ded5a5164cb"
strings:
$s3 = "$commander = $_POST['commander']; " fullword
$s9 = "$sourcego = $_POST['sourcego']; " fullword
$s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword
condition:
all of them
}
rule WebShell_simple_cmd {
meta:
description = "PHP Webshells Github Archive - file simple_cmd.php"
author = "Florian Roth"
hash = "466a8caf03cdebe07aa16ad490e54744f82e32c2"
strings:
$s1 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
$s2 = "<title>G-Security Webshell</title>" fullword
$s4 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
$s6 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
condition:
1 of them
}
rule WebShell_go_shell {
meta:
description = "PHP Webshells Github Archive - file go-shell.php"
author = "Florian Roth"
hash = "3dd85981bec33de42c04c53d081c230b5fc0e94f"
strings:
$s0 = "#change this password; for power security - delete this file =)" fullword
$s2 = "if (!defined$param{cmd}){$param{cmd}=\"ls -la\"};" fullword
$s11 = "open(FILEHANDLE, \"cd $param{dir}&&$param{cmd}|\");" fullword
$s12 = "print << \"[kalabanga]\";" fullword
$s13 = "<title>GO.cgi</title>" fullword
condition:
1 of them
}
rule WebShell_aZRaiLPhp_v1_0 {
meta:
description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php"
author = "Florian Roth"
hash = "a2c609d1a8c8ba3d706d1d70bef69e63f239782b"
strings:
$s0 = "<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED"
$s4 = "$fileperm=base_convert($_POST['fileperm'],8,10);" fullword
$s19 = "touch (\"$path/$dismi\") or die(\"Dosya Olu" fullword
$s20 = "echo \"<div align=left><a href='./$this_file?dir=$path/$file'>G" fullword
condition:
2 of them
}
rule WebShell_webshells_zehir4 {
meta:
description = "Webshells Github Archive - file zehir4"
author = "Florian Roth"
hash = "788928ae87551f286d189e163e55410acbb90a64"
score = 55
strings:
$s0 = "frames.byZehir.document.execCommand(command, false, option);" fullword
$s8 = "response.Write \"<title>ZehirIV --> Powered By Zehir <zehirhacker@hotmail.com"
condition:
1 of them
}
rule WebShell_zehir4_asp_php {
meta:
description = "PHP Webshells Github Archive - file zehir4.asp.php.txt"
author = "Florian Roth"
hash = "1d9b78b5b14b821139541cc0deb4cbbd994ce157"
strings:
$s4 = "response.Write \"<title>zehir3 --> powered by zehir <zehirhacker@hotmail.com&"
$s11 = "frames.byZehir.document.execCommand("
$s15 = "frames.byZehir.document.execCommand(co"
condition:
2 of them
}
rule WebShell_php_webshells_lostDC {
meta:
description = "PHP Webshells Github Archive - file lostDC.php"
author = "Florian Roth"
hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde"
strings:
$s0 = "$info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';" fullword
$s4 = "header ( \"Content-Description: Download manager\" );" fullword
$s5 = "print \"<center>[ Generation time: \".round(getTime()-startTime,4).\" second"
$s9 = "if (mkdir($_POST['dir'], 0777) == false) {" fullword
$s12 = "$ret = shellexec($command);" fullword
condition:
2 of them
}
rule WebShell_CasuS_1_5 {
meta:
description = "PHP Webshells Github Archive - file CasuS 1.5.php"
author = "Florian Roth"
hash = "7eee8882ad9b940407acc0146db018c302696341"
strings:
$s2 = "<font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO"
$s8 = "$fonk_kap = get_cfg_var(\"fonksiyonlary_kapat\");" fullword
$s18 = "if (file_exists(\"F:\\\\\")){" fullword
condition:
1 of them
}
rule WebShell_ftpsearch {
meta:
description = "PHP Webshells Github Archive - file ftpsearch.php"
author = "Florian Roth"
hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6"
strings:
$s0 = "echo \"[-] Error : coudn't read /etc/passwd\";" fullword
$s9 = "@$ftp=ftp_connect('127.0.0.1');" fullword
$s12 = "echo \"<title>Edited By KingDefacer</title><body>\";" fullword
$s19 = "echo \"[+] Founded \".sizeof($users).\" entrys in /etc/passwd\\n\";" fullword
condition:
2 of them
}
rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ {
meta:
description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php"
author = "Florian Roth"
super_rule = 1
hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
strings:
$s4 = " <a href=\"http://www.cyberlords.net\" target=\"_blank\">Cyber Lords Community</"
$s10 = "echo \"<meta http-equiv=Refresh content=\\\"0; url=$PHP_SELF?edit=$nameoffile&sh"
$s11 = " * Coded by Pixcher" fullword
$s16 = "<input type=text size=55 name=newfile value=\"$d/newfile.php\">" fullword
condition:
2 of them
}
rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah {
meta:
description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php"
author = "Florian Roth"
super_rule = 1
hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82"
hash1 = "c0a4ba3e834fb63e0a220a43caaf55c654f97429"
hash2 = "16fa789b20409c1f2ffec74484a30d0491904064"
strings:
$s1 = "'Read /etc/passwd' => \"runcommand('etcpasswdfile','GET')\"," fullword
$s2 = "'Running processes' => \"runcommand('ps -aux','GET')\"," fullword
$s3 = "$dt = $_POST['filecontent'];" fullword
$s4 = "'Open ports' => \"runcommand('netstat -an | grep -i listen','GET')\"," fullword
$s6 = "print \"Sorry, none of the command functions works.\";" fullword
$s11 = "document.cmdform.command.value='';" fullword
$s12 = "elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST"
condition:
3 of them
}
rule WebShell_Generic_PHP_7 {
meta:
description = "PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php"
author = "Florian Roth"
super_rule = 1
hash0 = "de98f890790756f226f597489844eb3e53a867a9"
hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e"
hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267"
hash3 = "715f17e286416724e90113feab914c707a26d456"
strings:
$s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword
$s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword
$s2 = "echo \"<font color=blue>[$USERNAME]</font> - \\n\";" fullword
$s4 = "if( $action == \"dumpTable\" )" fullword
condition:
2 of them
}
rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall {
meta:
description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php"
author = "Florian Roth"
super_rule = 1
hash0 = "b148ead15d34a55771894424ace2a92983351dda"
hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b"
hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856"
hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c"
strings:
$s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword
$s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword
$s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword
$s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword
condition:
2 of them
}
rule WebShell_Generic_PHP_8 {
meta:
description = "PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php"
author = "Florian Roth"
super_rule = 1
hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99"
hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e"
hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3"
strings:
$s1 = "elseif ( $cmd==\"file\" ) { /* <!-- View a file in text --> */" fullword
$s2 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
$s3 = "/* I added this to ensure the script will run correctly..." fullword
$s14 = "<!-- </form> -->" fullword
$s15 = "<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\">" fullword
$s20 = "elseif ( $cmd==\"downl\" ) { /*<!-- Save the edited file back to a file --> */" fullword
condition:
3 of them
}
rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php {
meta:
description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt"
author = "Florian Roth"
super_rule = 1
hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
hash3 = "4f83bc2836601225a115b5ad54496428a507a361"
strings:
$s1 = "<font color=\"#000000\">Sil</font></a></font></td>" fullword
$s5 = "<td width=\"122\" height=\"17\" bgcolor=\"#9F9F9F\">" fullword
$s6 = "onfocus=\"if (this.value == 'Kullan" fullword
$s16 = "<img border=\"0\" src=\"http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif\">"
condition:
2 of them
}
rule WebShell_Generic_PHP_9 {
meta:
description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php"
author = "Florian Roth"
super_rule = 1
hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18"
hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2"
hash2 = "0daed818cac548324ad0c5905476deef9523ad73"
strings:
$s2 = ":<b>\" .base64_decode($_POST['tot']). \"</b>\";" fullword
$s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword
$s12 = "if (!empty($_POST['c'])){" fullword
$s13 = "passthru($_POST['c']);" fullword
$s16 = "<input type=\"radio\" name=\"tac\" value=\"1\">B64 Decode<br>" fullword
$s20 = "<input type=\"radio\" name=\"tac\" value=\"3\">md5 Hash" fullword
condition:
3 of them
}
rule WebShell__PH_Vayv_PHVayv_PH_Vayv {
meta:
description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php"
author = "Florian Roth"
super_rule = 1
hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee"
hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357"
hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653"
strings:
$s4 = "<form method=\"POST\" action=\"<?echo \"PHVayv.php?duzkaydet=$dizin/$duzenle"
$s12 = "<? if ($ekinci==\".\" or $ekinci==\"..\") {" fullword
$s17 = "name=\"duzenx2\" value=\"Klas" fullword
condition:
2 of them
}
rule WebShell_Generic_PHP_1 {
meta:
description = "PHP Webshells Github Archive - from files Dive Shell 1.0 - Emperor Hacking Team.php, Dive_Shell_1.0_Emperor_Hacking_Team.php, SimShell 1.0 - Simorgh Security MGZ.php, SimShell_1.0_-_Simorgh_Security_MGZ.php"
author = "Florian Roth"
super_rule = 1
hash0 = "3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b"
hash1 = "2558e728184b8efcdb57cfab918d95b06d45de04"
hash2 = "203a8021192531d454efbc98a3bbb8cabe09c85c"
hash3 = "b79709eb7801a28d02919c41cc75ac695884db27"
strings:
$s1 = "$token = substr($_REQUEST['command'], 0, $length);" fullword
$s4 = "var command_hist = new Array(<?php echo $js_command_hist ?>);" fullword
$s7 = "$_SESSION['output'] .= htmlspecialchars(fgets($io[1])," fullword
$s9 = "document.shell.command.value = command_hist[current_line];" fullword
$s16 = "$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $"
$s19 = "if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {" fullword
$s20 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword
condition:
5 of them
}
rule WebShell_Generic_PHP_2 {
meta:
description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
author = "Florian Roth"
super_rule = 1
hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
hash2 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
hash3 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
strings:
$s3 = "if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))" fullword
$s4 = "\\$port = {$_POST['port']};" fullword
$s5 = "$_POST['installpath'] = \"temp.pl\";}" fullword
$s14 = "if(isset($_POST['post']) and $_POST['post'] == \"yes\" and @$HTTP_POST_FILES[\"u"
$s16 = "copy($HTTP_POST_FILES[\"userfile\"][\"tmp_name\"],$HTTP_POST_FILES[\"userfile\"]"
condition:
4 of them
}
rule WebShell__CrystalShell_v_1_erne_stres {
meta:
description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php"
author = "Florian Roth"
super_rule = 1
hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
hash1 = "6eb4ab630bd25bec577b39fb8a657350bf425687"
hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
strings:
$s1 = "<input type='submit' value=' open (shill.txt) '>" fullword
$s4 = "var_dump(curl_exec($ch));" fullword
$s7 = "if(empty($_POST['Mohajer22'])){" fullword
$s10 = "$m=$_POST['curl'];" fullword
$s13 = "$u1p=$_POST['copy'];" fullword
$s14 = "if(empty(\\$_POST['cmd'])){" fullword
$s15 = "$string = explode(\"|\",$string);" fullword
$s16 = "$stream = imap_open(\"/etc/passwd\", \"\", \"\");" fullword
condition:
5 of them
}
rule WebShell_Generic_PHP_3 {
meta:
description = "PHP Webshells Github Archive - from files Antichat Shell v1.3.php, Antichat Shell. Modified by Go0o$E.php, Antichat Shell.php, fatal.php"
author = "Florian Roth"
super_rule = 1
hash0 = "d829e87b3ce34460088c7775a60bded64e530cd4"
hash1 = "d710c95d9f18ec7c76d9349a28dd59c3605c02be"
hash2 = "f044d44e559af22a1a7f9db72de1206f392b8976"
hash3 = "41780a3e8c0dc3cbcaa7b4d3c066ae09fb74a289"
strings:
$s0 = "header('Content-Length:'.filesize($file).'');" fullword
$s4 = "<textarea name=\\\"command\\\" rows=\\\"5\\\" cols=\\\"150\\\">\".@$_POST['comma"
$s7 = "if(filetype($dir . $file)==\"file\")$files[]=$file;" fullword
$s14 = "elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} " fullword
$s20 = "$info .= (($perms & 0x0004) ? 'r' : '-');" fullword
condition:
all of them
}
rule WebShell_Generic_PHP_4 {
meta:
description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php"
author = "Florian Roth"
super_rule = 1
hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
hash2 = "86bc40772de71b1e7234d23cab355e1ff80c474d"
hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
strings:
$s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword
$s2 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-';" fullword
$s5 = "$owner[\"execute\"] = ($mode & 00100) ? 'x' : '-';" fullword
$s6 = "$world[\"write\"] = ($mode & 00002) ? 'w' : '-';" fullword
$s7 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-';" fullword
$s10 = "foreach ($arr as $filename) {" fullword
$s19 = "else if( $mode & 0x6000 ) { $type='b'; }" fullword
condition:
all of them
}
/*
rule WebShell_Generic_PHP_5 {
meta:
description = "PHP Webshells Github Archive - from files ex0shell.php, megabor.php, GRP WebShell 2.0 release build 2018 (C)2006,Great.php"
author = "Florian Roth"
super_rule = 1
hash0 = "64461ad8d8f23ea078201a31d747157f701a4e00"
hash1 = "3df1afbcfa718da6fc8af27554834ff6d1a86562"
hash2 = "ad86ef7f24f75081318146edc788e5466722a629"
strings:
$s0 = "(($perms & 0x0400) ? 'S' : '-'));" fullword
$s10 = "} elseif (($perms & 0x8000) == 0x8000) {" fullword
$s11 = "if (($perms & 0xC000) == 0xC000) {" fullword
$s12 = "$info .= (($perms & 0x0008) ?" fullword
$s16 = "// Block special" fullword
$s18 = "$info = 's';" fullword
condition:
all of them
}
*/
rule WebShell_GFS {
meta:
description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php"
author = "Florian Roth"
super_rule = 1
hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c"
hash1 = "34f6640985b07009dbd06cd70983451aa4fe9822"
hash2 = "d25ef72bdae3b3cb0fc0fdd81cfa58b215812a50"
strings:
$s0 = "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==\";" fullword
$s1 = "lIENPTk47DQpleGl0IDA7DQp9DQp9\";" fullword
$s2 = "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm"
condition:
all of them
}
rule WebShell__CrystalShell_v_1_sosyete_stres {
meta:
description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php"
author = "Florian Roth"
super_rule = 1
hash0 = "335a0851304acedc3f117782b61479bbc0fd655a"
hash1 = "e32405e776e87e45735c187c577d3a4f98a64059"
hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
strings:
$s1 = "A:visited { COLOR:blue; TEXT-DECORATION: none}" fullword
$s4 = "A:active {COLOR:blue; TEXT-DECORATION: none}" fullword
$s11 = "scrollbar-darkshadow-color: #101842;" fullword
$s15 = "<a bookmark=\"minipanel\">" fullword
$s16 = "background-color: #EBEAEA;" fullword
$s18 = "color: #D5ECF9;" fullword
$s19 = "<center><TABLE style=\"BORDER-COLLAPSE: collapse\" height=1 cellSpacing=0 border"
condition:
all of them
}
rule WebShell_Generic_PHP_10 {
meta:
description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php"
author = "Florian Roth"
super_rule = 1
hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38"
hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f"
hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076"
hash3 = "7d5b54c7cab6b82fb7d131d7bbb989fd53cb1b57"
strings:
$s2 = "$world[\"execute\"] = ($world['execute']=='x') ? 't' : 'T'; " fullword
$s6 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-'; " fullword
$s11 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-'; " fullword
$s12 = "else if( $mode & 0xA000 ) " fullword
$s17 = "$s=sprintf(\"%1s\", $type); " fullword
$s20 = "font-size: 8pt;" fullword
condition:
all of them
}
rule WebShell_Generic_PHP_11 {
meta:
description = "PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php"
author = "Florian Roth"
super_rule = 1
hash0 = "31a82cbee8dffaf8eb7b73841f3f3e8e9b3e78cf"
hash1 = "838c7191cb10d5bb0fc7460b4ad0c18c326764c6"
hash2 = "8dfcd919d8ddc89335307a7b2d5d467b1fd67351"
hash3 = "80aba3348434c66ac471daab949871ab16c50042"
strings:
$s5 = "$filename = $backupstring.\"$filename\";" fullword
$s6 = "while ($file = readdir($folder)) {" fullword
$s7 = "if($file != \".\" && $file != \"..\")" fullword
$s9 = "$backupstring = \"copy_of_\";" fullword
$s10 = "if( file_exists($file_name))" fullword
$s13 = "global $file_name, $filename;" fullword
$s16 = "copy($file,\"$filename\");" fullword
$s18 = "<td width=\"49%\" height=\"142\">" fullword
condition:
all of them
}
rule WebShell__findsock_php_findsock_shell_php_reverse_shell {
meta:
description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php"
author = "Florian Roth"
super_rule = 1
hash0 = "5622c9841d76617bfc3cd4cab1932d8349b7044f"
hash1 = "4a20f36035bbae8e342aab0418134e750b881d05"
hash2 = "40dbdc0bdf5218af50741ba011c5286a723fa9bf"
strings:
$s1 = "// me at pentestmonkey@pentestmonkey.net" fullword
condition:
all of them
}
rule WebShell_Generic_PHP_6 {
meta:
description = "PHP Webshells Github Archive - from files c0derz shell [csh] v. 0.1.1 release.php, CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php"
author = "Florian Roth"
super_rule = 1
hash0 = "1a08f5260c4a2614636dfc108091927799776b13"
hash1 = "335a0851304acedc3f117782b61479bbc0fd655a"
hash2 = "ca9fcfb50645dc0712abdf18d613ed2196e66241"
hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791"
hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de"
strings:
$s2 = "@eval(stripslashes($_POST['phpcode']));" fullword
$s5 = "echo shell_exec($com);" fullword
$s7 = "if($sertype == \"winda\"){" fullword
$s8 = "function execute($com)" fullword
$s12 = "echo decode(execute($cmd));" fullword
$s15 = "echo system($com);" fullword
condition:
4 of them
}
rule Unpack_Injectt {
meta:
description = "Webshells Auto-generated - file Injectt.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8a5d2158a566c87edc999771e12d42c5"
strings:
$s2 = "%s -Run -->To Install And Run The Service"
$s3 = "%s -Uninstall -->To Uninstall The Service"
$s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN"
condition:
all of them
}
rule HYTop_DevPack_fso {
meta:
description = "Webshells Auto-generated - file fso.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b37f3cde1a08890bd822a182c3a881f6"
strings:
$s0 = "<!-- PageFSO Below -->"
$s1 = "theFile.writeLine(\"<script language=\"\"vbscript\"\" runat=server>if request(\"\"\"&cli"
condition:
all of them
}
rule FeliksPack3___PHP_Shells_ssh {
meta:
description = "Webshells Auto-generated - file ssh.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1aa5307790d72941589079989b4f900e"
strings:
$s0 = "eval(gzinflate(str_rot13(base64_decode('"
condition:
all of them
}
rule Debug_BDoor {
meta:
description = "Webshells Auto-generated - file BDoor.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "e4e8e31dd44beb9320922c5f49739955"
strings:
$s1 = "\\BDoor\\"
$s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
condition:
all of them
}
rule bin_Client {
meta:
description = "Webshells Auto-generated - file Client.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5f91a5b46d155cacf0cc6673a2a5461b"
strings:
$s0 = "Recieved respond from server!!"
$s4 = "packet door client"
$s5 = "input source port(whatever you want):"
$s7 = "Packet sent,waiting for reply..."
condition:
all of them
}
rule ZXshell2_0_rar_Folder_ZXshell {
meta:
description = "Webshells Auto-generated - file ZXshell.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "246ce44502d2f6002d720d350e26c288"
strings:
$s0 = "WPreviewPagesn"
$s1 = "DA!OLUTELY N"
condition:
all of them
}
rule RkNTLoad {
meta:
description = "Webshells Auto-generated - file RkNTLoad.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "262317c95ced56224f136ba532b8b34f"
strings:
$s1 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
$s2 = "5pur+virtu!"
$s3 = "ugh spac#n"
$s4 = "xcEx3WriL4"
$s5 = "runtime error"
$s6 = "loseHWait.Sr."
$s7 = "essageBoxAw"
$s8 = "$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $"
condition:
all of them
}
rule binder2_binder2 {
meta:
description = "Webshells Auto-generated - file binder2.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "d594e90ad23ae0bc0b65b59189c12f11"
strings:
$s0 = "IsCharAlphaNumericA"
$s2 = "WideCharToM"
$s4 = "g 5pur+virtu!"
$s5 = "\\syslog.en"
$s6 = "heap7'7oqk?not="
$s8 = "- Kablto in"
condition:
all of them
}
rule thelast_orice2 {
meta:
description = "Webshells Auto-generated - file orice2.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "aa63ffb27bde8d03d00dda04421237ae"
strings:
$s0 = " $aa = $_GET['aa'];"
$s1 = "echo $aa;"
condition:
all of them
}
rule FSO_s_sincap {
meta:
description = "Webshells Auto-generated - file sincap.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "dc5c2c2392b84a1529abd92e98e9aa5b"
strings:
$s0 = " <font color=\"#E5E5E5\" style=\"font-size: 8pt; font-weight: 700\" face=\"Arial\">"
$s4 = "<body text=\"#008000\" bgcolor=\"#808080\" topmargin=\"0\" leftmargin=\"0\" rightmargin="
condition:
all of them
}
rule PhpShell {
meta:
description = "Webshells Auto-generated - file PhpShell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "539baa0d39a9cf3c64d65ee7a8738620"
strings:
$s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell</a>."
condition:
all of them
}
rule HYTop_DevPack_config {
meta:
description = "Webshells Auto-generated - file config.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b41d0e64e64a685178a3155195921d61"
strings:
$s0 = "const adminPassword=\""
$s2 = "const userPassword=\""
$s3 = "const mVersion="
condition:
all of them
}
rule sendmail {
meta:
description = "Webshells Auto-generated - file sendmail.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "75b86f4a21d8adefaf34b3a94629bd17"
strings:
$s3 = "_NextPyC808"
$s6 = "Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)"
condition:
all of them
}
rule FSO_s_zehir4 {
meta:
description = "Webshells Auto-generated - file zehir4.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5b496a61363d304532bcf52ee21f5d55"
strings:
$s5 = " byMesaj "
condition:
all of them
}
rule hkshell_hkshell {
meta:
description = "Webshells Auto-generated - file hkshell.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "168cab58cee59dc4706b3be988312580"
strings:
$s1 = "PrSessKERNELU"
$s2 = "Cur3ntV7sion"
$s3 = "Explorer8"
condition:
all of them
}
rule iMHaPFtp {
meta:
description = "Webshells Auto-generated - file iMHaPFtp.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "12911b73bc6a5d313b494102abcf5c57"
strings:
$s1 = "echo \"\\t<th class=\\\"permission_header\\\"><a href=\\\"$self?{$d}sort=permission$r\\\">"
condition:
all of them
}
rule Unpack_TBack {
meta:
description = "Webshells Auto-generated - file TBack.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a9d1007823bf96fb163ab38726b48464"
strings:
$s5 = "\\final\\new\\lcc\\public.dll"
condition:
all of them
}
rule DarkSpy105 {
meta:
description = "Webshells Auto-generated - file DarkSpy105.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "f0b85e7bec90dba829a3ede1ab7d8722"
strings:
$s7 = "Sorry,DarkSpy got an unknown exception,please re-run it,thanks!"
condition:
all of them
}
rule EditServer_Webshell {
meta:
description = "Webshells Auto-generated - file EditServer.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "f945de25e0eba3bdaf1455b3a62b9832"
strings:
$s2 = "Server %s Have Been Configured"
$s5 = "The Server Password Exceeds 32 Characters"
$s8 = "9--Set Procecess Name To Inject DLL"
condition:
all of them
}
rule FSO_s_reader {
meta:
description = "Webshells Auto-generated - file reader.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b598c8b662f2a1f6cc61f291fb0a6fa2"
strings:
$s2 = "mailto:mailbomb@hotmail."
condition:
all of them
}
rule ASP_CmdAsp {
meta:
description = "Webshells Auto-generated - file CmdAsp.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "79d4f3425f7a89befb0ef3bafe5e332f"
strings:
$s2 = "' -- Read the output from our command and remove the temp file -- '"
$s6 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
$s9 = "' -- create the COM objects that we will be using -- '"
condition:
all of them
}
rule KA_uShell {
meta:
description = "Webshells Auto-generated - file KA_uShell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "685f5d4f7f6751eaefc2695071569aab"
strings:
$s5 = "if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass"
$s6 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}"
condition:
all of them
}
rule PHP_Backdoor_v1 {
meta:
description = "Webshells Auto-generated - file PHP Backdoor v1.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "0506ba90759d11d78befd21cabf41f3d"
strings:
$s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th"
$s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy"
condition:
all of them
}
rule svchostdll {
meta:
description = "Webshells Auto-generated - file svchostdll.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "0f6756c8cb0b454c452055f189e4c3f4"
strings:
$s0 = "InstallService"
$s1 = "RundllInstallA"
$s2 = "UninstallService"
$s3 = "&G3 Users In RegistryD"
$s4 = "OL_SHUTDOWN;I"
$s5 = "SvcHostDLL.dll"
$s6 = "RundllUninstallA"
$s7 = "InternetOpenA"
$s8 = "Check Cloneomplete"
condition:
all of them
}
rule HYTop_DevPack_server {
meta:
description = "Webshells Auto-generated - file server.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1d38526a215df13c7373da4635541b43"
strings:
$s0 = "<!-- PageServer Below -->"
condition:
all of them
}
rule vanquish {
meta:
description = "Webshells Auto-generated - file vanquish.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "684450adde37a93e8bb362994efc898c"
strings:
$s3 = "You cannot delete protected files/folders! Instead, your attempt has been logged"
$s8 = "?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU"
$s9 = "?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z"
condition:
all of them
}
rule winshell {
meta:
description = "Webshells Auto-generated - file winshell.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "3144410a37dd4c29d004a814a294ea26"
strings:
$s0 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices"
$s1 = "WinShell Service"
$s2 = "__GLOBAL_HEAP_SELECTED"
$s3 = "__MSVCRT_HEAP_SELECT"
$s4 = "Provide Windows CmdShell Service"
$s5 = "URLDownloadToFileA"
$s6 = "RegisterServiceProcess"
$s7 = "GetModuleBaseNameA"
$s8 = "WinShell v5.0 (C)2002 janker.org"
condition:
all of them
}
rule FSO_s_remview {
meta:
description = "Webshells Auto-generated - file remview.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b4a09911a5b23e00b55abe546ded691c"
strings:
$s2 = " echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\""
$s3 = " echo \"<script>str$i=\\\"\".str_replace(\"\\\"\",\"\\\\\\\"\",str_replace(\"\\\\\",\"\\\\\\\\\""
$s4 = " echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n<"
condition:
all of them
}
rule saphpshell {
meta:
description = "Webshells Auto-generated - file saphpshell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "d7bba8def713512ddda14baf9cd6889a"
strings:
$s0 = "<td><input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['command']?>"
condition:
all of them
}
rule HYTop2006_rar_Folder_2006Z {
meta:
description = "Webshells Auto-generated - file 2006Z.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "fd1b6129abd4ab177fed135e3b665488"
strings:
$s1 = "wangyong,czy,allen,lcx,Marcos,kEvin1986,myth"
$s8 = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x"
condition:
all of them
}
rule admin_ad {
meta:
description = "Webshells Auto-generated - file admin-ad.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "e6819b8f8ff2f1073f7d46a0b192f43b"
strings:
$s6 = "<td align=\"center\"> <input name=\"cmd\" type=\"text\" id=\"cmd\" siz"
$s7 = "Response.write\"<a href='\"&url&\"?path=\"&Request(\"oldpath\")&\"&attrib=\"&attrib&\"'><"
condition:
all of them
}
rule FSO_s_casus15 {
meta:
description = "Webshells Auto-generated - file casus15.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8d155b4239d922367af5d0a1b89533a3"
strings:
$s6 = "if((is_dir(\"$deldir/$file\")) AND ($file!=\".\") AND ($file!=\"..\"))"
condition:
all of them
}
rule BIN_Client {
meta:
description = "Webshells Auto-generated - file Client.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "9f0a74ec81bc2f26f16c5c172b80eca7"
strings:
$s0 = "=====Remote Shell Closed====="
$s2 = "All Files(*.*)|*.*||"
$s6 = "WSAStartup Error!"
$s7 = "SHGetFileInfoA"
$s8 = "CreateThread False!"
$s9 = "Port Number Error"
condition:
4 of them
}
rule shelltools_g0t_root_uptime {
meta:
description = "Webshells Auto-generated - file uptime.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "d1f56102bc5d3e2e37ab3ffa392073b9"
strings:
$s0 = "JDiamondCSlC~"
$s1 = "CharactQA"
$s2 = "$Info: This file is packed with the UPX executable packer $"
$s5 = "HandlereateConso"
$s7 = "ION\\System\\FloatingPo"
condition:
all of them
}
rule Simple_PHP_BackDooR {
meta:
description = "Webshells Auto-generated - file Simple_PHP_BackDooR.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a401132363eecc3a1040774bec9cb24f"
strings:
$s0 = "<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he"
$s6 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn"
$s9 = "// a simple php backdoor"
condition:
1 of them
}
rule sig_2005Gray {
meta:
description = "Webshells Auto-generated - file 2005Gray.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "75dbe3d3b70a5678225d3e2d78b604cc"
strings:
$s0 = "SCROLLBAR-FACE-COLOR: #e8e7e7;"
$s4 = "echo \" <a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
$s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
$s9 = "SCROLLBAR-3DLIGHT-COLOR: #cccccc;"
condition:
all of them
}
rule DllInjection {
meta:
description = "Webshells Auto-generated - file DllInjection.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a7b92283a5102886ab8aee2bc5c8d718"
strings:
$s0 = "\\BDoor\\DllInjecti"
condition:
all of them
}
rule Mithril_v1_45_Mithril {
meta:
description = "Webshells Auto-generated - file Mithril.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "f1484f882dc381dde6eaa0b80ef64a07"
strings:
$s2 = "cress.exe"
$s7 = "\\Debug\\Mithril."
condition:
all of them
}
rule hkshell_hkrmv {
meta:
description = "Webshells Auto-generated - file hkrmv.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "bd3a0b7a6b5536f8d96f50956560e9bf"
strings:
$s5 = "/THUMBPOSITION7"
$s6 = "\\EvilBlade\\"
condition:
all of them
}
rule phpshell {
meta:
description = "Webshells Auto-generated - file phpshell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1dccb1ea9f24ffbd085571c88585517b"
strings:
$s1 = "echo \"<input size=\\\"100\\\" type=\\\"text\\\" name=\\\"newfile\\\" value=\\\"$inputfile\\\"><b"
$s2 = "$img[$id] = \"<img height=\\\"16\\\" width=\\\"16\\\" border=\\\"0\\\" src=\\\"$REMOTE_IMAGE_UR"
$s3 = "$file = str_replace(\"\\\\\", \"/\", str_replace(\"//\", \"/\", str_replace(\"\\\\\\\\\", \"\\\\\", "
condition:
all of them
}
rule FSO_s_cmd {
meta:
description = "Webshells Auto-generated - file cmd.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "cbe8e365d41dd3cd8e462ca434cf385f"
strings:
$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>"
$s1 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)"
condition:
all of them
}
rule FeliksPack3___PHP_Shells_phpft {
meta:
description = "Webshells Auto-generated - file phpft.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "60ef80175fcc6a879ca57c54226646b1"
strings:
$s6 = "PHP Files Thief"
$s11 = "http://www.4ngel.net"
condition:
all of them
}
rule FSO_s_indexer {
meta:
description = "Webshells Auto-generated - file indexer.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "135fc50f85228691b401848caef3be9e"
strings:
$s3 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input type=\"r"
condition:
all of them
}
rule r57shell {
meta:
description = "Webshells Auto-generated - file r57shell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8023394542cddf8aee5dec6072ed02b5"
strings:
$s11 = " $_POST['cmd']=\"echo \\\"Now script try connect to"
condition:
all of them
}
rule bdcli100 {
meta:
description = "Webshells Auto-generated - file bdcli100.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b12163ac53789fb4f62e4f17a8c2e028"
strings:
$s5 = "unable to connect to "
$s8 = "backdoor is corrupted on "
condition:
all of them
}
rule HYTop_DevPack_2005Red {
meta:
description = "Webshells Auto-generated - file 2005Red.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "d8ccda2214b3f6eabd4502a050eb8fe8"
strings:
$s0 = "scrollbar-darkshadow-color:#FF9DBB;"
$s3 = "echo \" <a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace"
$s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)"
condition:
all of them
}
rule HYTop2006_rar_Folder_2006X2 {
meta:
description = "Webshells Auto-generated - file 2006X2.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "cc5bf9fc56d404ebbc492855393d7620"
strings:
$s2 = "Powered By "
$s3 = " \" onClick=\"this.form.sharp.name=this.form.password.value;this.form.action=this."
condition:
all of them
}
rule rdrbs084 {
meta:
description = "Webshells Auto-generated - file rdrbs084.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "ed30327b255816bdd7590bf891aa0020"
strings:
$s0 = "Create mapped port. You have to specify domain when using HTTP type."
$s8 = "<LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET"
condition:
all of them
}
rule HYTop_CaseSwitch_2005 {
meta:
description = "Webshells Auto-generated - file 2005.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8bf667ee9e21366bc0bd3491cb614f41"
strings:
$s1 = "MSComDlg.CommonDialog"
$s2 = "CommonDialog1"
$s3 = "__vbaExceptHandler"
$s4 = "EVENT_SINK_Release"
$s5 = "EVENT_SINK_AddRef"
$s6 = "By Marcos"
$s7 = "EVENT_SINK_QueryInterface"
$s8 = "MethCallEngine"
condition:
all of them
}
rule eBayId_index3 {
meta:
description = "Webshells Auto-generated - file index3.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "0412b1e37f41ea0d002e4ed11608905f"
strings:
$s8 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You"
condition:
all of them
}
rule FSO_s_phvayv {
meta:
description = "Webshells Auto-generated - file phvayv.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "205ecda66c443083403efb1e5c7f7878"
strings:
$s2 = "wrap=\"OFF\">XXXX</textarea></font><font face"
condition:
all of them
}
rule byshell063_ntboot {
meta:
description = "Webshells Auto-generated - file ntboot.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "99b5f49db6d6d9a9faeffb29fd8e6d8c"
strings:
$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtBoot"
$s1 = "Failure ... Access is Denied !"
$s2 = "Dumping Description to Registry..."
$s3 = "Opening Service .... Failure !"
condition:
all of them
}
rule FSO_s_casus15_2 {
meta:
description = "Webshells Auto-generated - file casus15.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8d155b4239d922367af5d0a1b89533a3"
strings:
$s0 = "copy ( $dosya_gonder"
condition:
all of them
}
rule installer {
meta:
description = "Webshells Auto-generated - file installer.cmd"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a507919ae701cf7e42fa441d3ad95f8f"
strings:
$s0 = "Restore Old Vanquish"
$s4 = "ReInstall Vanquish"
condition:
all of them
}
rule uploader {
meta:
description = "Webshells Auto-generated - file uploader.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b9a9aab319964351b46bd5fc9d6246a8"
strings:
$s0 = "move_uploaded_file($userfile, \"entrika.php\"); "
condition:
all of them
}
rule FSO_s_remview_2 {
meta:
description = "Webshells Auto-generated - file remview.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b4a09911a5b23e00b55abe546ded691c"
strings:
$s0 = "<xmp>$out</"
$s1 = ".mm(\"Eval PHP code\")."
condition:
all of them
}
rule FeliksPack3___PHP_Shells_r57 {
meta:
description = "Webshells Auto-generated - file r57.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "903908b77a266b855262cdbce81c3f72"
strings:
$s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']."
condition:
all of them
}
rule HYTop2006_rar_Folder_2006X {
meta:
description = "Webshells Auto-generated - file 2006X.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "cf3ee0d869dd36e775dfcaa788db8e4b"
strings:
$s1 = "<input name=\"password\" type=\"password\" id=\"password\""
$s6 = "name=\"theAction\" type=\"text\" id=\"theAction\""
condition:
all of them
}
rule FSO_s_phvayv_2 {
meta:
description = "Webshells Auto-generated - file phvayv.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "205ecda66c443083403efb1e5c7f7878"
strings:
$s2 = "rows=\"24\" cols=\"122\" wrap=\"OFF\">XXXX</textarea></font><font"
condition:
all of them
}
rule elmaliseker {
meta:
description = "Webshells Auto-generated - file elmaliseker.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "ccf48af0c8c09bbd038e610a49c9862e"
strings:
$s0 = "javascript:Command('Download'"
$s5 = "zombie_array=array("
condition:
all of them
}
rule shelltools_g0t_root_resolve {
meta:
description = "Webshells Auto-generated - file resolve.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "69bf9aa296238610a0e05f99b5540297"
strings:
$s0 = "3^n6B(Ed3"
$s1 = "^uldn'Vt(x"
$s2 = "\\= uPKfp"
$s3 = "'r.axV<ad"
$s4 = "p,modoi$=sr("
$s5 = "DiamondC8S t"
$s6 = "`lQ9fX<ZvJW"
condition:
all of them
}
rule FSO_s_RemExp {
meta:
description = "Webshells Auto-generated - file RemExp.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b69670ecdbb40012c73686cd22696eeb"
strings:
$s1 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Request.Ser"
$s5 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f=<%=F"
$s6 = "<td bgcolor=\"<%=BgColor%>\" align=\"right\"><%=Attributes(SubFolder.Attributes)%></"
condition:
all of them
}
rule FSO_s_tool {
meta:
description = "Webshells Auto-generated - file tool.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "3a1e1e889fdd974a130a6a767b42655b"
strings:
$s7 = "\"\"%windir%\\\\calc.exe\"\")"
condition:
all of them
}
rule FeliksPack3___PHP_Shells_2005 {
meta:
description = "Webshells Auto-generated - file 2005.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "97f2552c2fafc0b2eb467ee29cc803c8"
strings:
$s0 = "window.open(\"\"&url&\"?id=edit&path=\"+sfile+\"&op=copy&attrib=\"+attrib+\"&dpath=\"+lp"
$s3 = "<input name=\"dbname\" type=\"hidden\" id=\"dbname\" value=\"<%=request(\"dbname\")%>\">"
condition:
all of them
}
rule byloader {
meta:
description = "Webshells Auto-generated - file byloader.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "0f0d6dc26055653f5844ded906ce52df"
strings:
$s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk"
$s1 = "Failure ... Access is Denied !"
$s2 = "NTFS Disk Driver Checking Service"
$s3 = "Dumping Description to Registry..."
$s4 = "Opening Service .... Failure !"
condition:
all of them
}
rule shelltools_g0t_root_Fport {
meta:
description = "Webshells Auto-generated - file Fport.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "dbb75488aa2fa22ba6950aead1ef30d5"
strings:
$s4 = "Copyright 2000 by Foundstone, Inc."
$s5 = "You must have administrator privileges to run fport - exiting..."
condition:
all of them
}
rule BackDooR__fr_ {
meta:
description = "Webshells Auto-generated - file BackDooR (fr).php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a79cac2cf86e073a832aaf29a664f4be"
strings:
$s3 = "print(\"<p align=\\\"center\\\"><font size=\\\"5\\\">Exploit include "
condition:
all of them
}
rule FSO_s_ntdaddy {
meta:
description = "Webshells Auto-generated - file ntdaddy.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357"
strings:
$s1 = "<input type=\"text\" name=\".CMD\" size=\"45\" value=\"<%= szCMD %>\"> <input type=\"s"
condition:
all of them
}
rule nstview_nstview {
meta:
description = "Webshells Auto-generated - file nstview.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "3871888a0c1ac4270104918231029a56"
strings:
$s4 = "open STDIN,\\\"<&X\\\";open STDOUT,\\\">&X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");"
condition:
all of them
}
rule HYTop_DevPack_upload {
meta:
description = "Webshells Auto-generated - file upload.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b09852bda534627949f0259828c967de"
strings:
$s0 = "<!-- PageUpload Below -->"
condition:
all of them
}
rule PasswordReminder {
meta:
description = "Webshells Auto-generated - file PasswordReminder.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "ea49d754dc609e8bfa4c0f95d14ef9bf"
strings:
$s3 = "The encoded password is found at 0x%8.8lx and has a length of %d."
condition:
all of them
}
rule Pack_InjectT {
meta:
description = "Webshells Auto-generated - file InjectT.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "983b74ccd57f6195a0584cdfb27d55e8"
strings:
$s3 = "ail To Open Registry"
$s4 = "32fDssignim"
$s5 = "vide Internet S"
$s6 = "d]Software\\M"
$s7 = "TInject.Dll"
condition:
all of them
}
rule FSO_s_RemExp_2 {
meta:
description = "Webshells Auto-generated - file RemExp.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b69670ecdbb40012c73686cd22696eeb"
strings:
$s2 = " Then Response.Write \""
$s3 = "<a href= \"<%=Request.ServerVariables(\"script_name\")%>"
condition:
all of them
}
rule FSO_s_c99 {
meta:
description = "Webshells Auto-generated - file c99.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5f9ba02eb081bba2b2434c603af454d0"
strings:
$s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce"
condition:
all of them
}
rule rknt_zip_Folder_RkNT {
meta:
description = "Webshells Auto-generated - file RkNT.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5f97386dfde148942b7584aeb6512b85"
strings:
$s0 = "PathStripPathA"
$s1 = "`cLGet!Addr%"
$s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $"
$s3 = "oQToOemBuff* <="
$s4 = "ionCdunAsw[Us'"
$s6 = "CreateProcessW: %S"
$s7 = "ImageDirectoryEntryToData"
condition:
all of them
}
rule dbgntboot {
meta:
description = "Webshells Auto-generated - file dbgntboot.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "4d87543d4d7f73c1529c9f8066b475ab"
strings:
$s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp"
$s3 = "sth junk the M$ Wind0wZ retur"
condition:
all of them
}
rule PHP_shell {
meta:
description = "Webshells Auto-generated - file shell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "45e8a00567f8a34ab1cccc86b4bc74b9"
strings:
$s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz"
$s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s"
condition:
all of them
}
rule hxdef100 {
meta:
description = "Webshells Auto-generated - file hxdef100.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "55cc1769cef44910bd91b7b73dee1f6c"
strings:
$s0 = "RtlAnsiStringToUnicodeString"
$s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
$s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH"
condition:
all of them
}
rule rdrbs100 {
meta:
description = "Webshells Auto-generated - file rdrbs100.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "7c752bcd6da796d80a6830c61a632bff"
strings:
$s3 = "Server address must be IP in A.B.C.D format."
$s4 = " mapped ports in the list. Currently "
condition:
all of them
}
rule Mithril_Mithril {
meta:
description = "Webshells Auto-generated - file Mithril.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "017191562d72ab0ca551eb89256650bd"
strings:
$s0 = "OpenProcess error!"
$s1 = "WriteProcessMemory error!"
$s4 = "GetProcAddress error!"
$s5 = "HHt`HHt\\"
$s6 = "Cmaudi0"
$s7 = "CreateRemoteThread error!"
$s8 = "Kernel32"
$s9 = "VirtualAllocEx error!"
condition:
all of them
}
rule hxdef100_2 {
meta:
description = "Webshells Auto-generated - file hxdef100.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1b393e2e13b9c57fb501b7cd7ad96b25"
strings:
$s0 = "\\\\.\\mailslot\\hxdef-rkc000"
$s2 = "Shared Components\\On Access Scanner\\BehaviourBlo"
$s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\"
condition:
all of them
}
rule Release_dllTest {
meta:
description = "Webshells Auto-generated - file dllTest.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "76a59fc3242a2819307bb9d593bef2e0"
strings:
$s0 = ";;;Y;`;d;h;l;p;t;x;|;"
$s1 = "0 0&00060K0R0X0f0l0q0w0"
$s2 = ": :$:(:,:0:4:8:D:`=d="
$s3 = "4@5P5T5\\5T7\\7d7l7t7|7"
$s4 = "1,121>1C1K1Q1X1^1e1k1s1y1"
$s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9"
$s6 = "0)0O0\\0a0o0\"1E1P1q1"
$s7 = "<.<I<d<h<l<p<t<x<|<"
$s8 = "3&31383>3F3Q3X3`3f3w3|3"
$s9 = "8@;D;H;L;P;T;X;\\;a;9=W=z="
condition:
all of them
}
rule webadmin {
meta:
description = "Webshells Auto-generated - file webadmin.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "3a90de401b30e5b590362ba2dde30937"
strings:
$s0 = "<input name=\\\"editfilename\\\" type=\\\"text\\\" class=\\\"style1\\\" value='\".$this->inpu"
condition:
all of them
}
rule commands {
meta:
description = "Webshells Auto-generated - file commands.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "174486fe844cb388e2ae3494ac2d1ec2"
strings:
$s1 = "If CheckRecord(\"SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = \" & VictimID"
$s2 = "proxyArr = Array (\"HTTP_X_FORWARDED_FOR\",\"HTTP_VIA\",\"HTTP_CACHE_CONTROL\",\"HTTP_F"
condition:
all of them
}
rule hkdoordll {
meta:
description = "Webshells Auto-generated - file hkdoordll.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b715c009d47686c0e62d0981efce2552"
strings:
$s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is"
condition:
all of them
}
rule r57shell_2 {
meta:
description = "Webshells Auto-generated - file r57shell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8023394542cddf8aee5dec6072ed02b5"
strings:
$s2 = "echo \"<br>\".ws(2).\"HDD Free : <b>\".view_size($free).\"</b> HDD Total : <b>\".view_"
condition:
all of them
}
rule Mithril_v1_45_dllTest {
meta:
description = "Webshells Auto-generated - file dllTest.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1b9e518aaa62b15079ff6edb412b21e9"
strings:
$s3 = "syspath"
$s4 = "\\Mithril"
$s5 = "--list the services in the computer"
condition:
all of them
}
rule dbgiis6cli {
meta:
description = "Webshells Auto-generated - file dbgiis6cli.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "3044dceb632b636563f66fee3aaaf8f3"
strings:
$s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
$s5 = "###command:(NO more than 100 bytes!)"
condition:
all of them
}
rule remview_2003_04_22 {
meta:
description = "Webshells Auto-generated - file remview_2003_04_22.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "17d3e4e39fbca857344a7650f7ea55e3"
strings:
$s1 = "\"<b>\".mm(\"Eval PHP code\").\"</b> (\".mm(\"don't type\").\" \\\"<?\\\""
condition:
all of them
}
rule FSO_s_test {
meta:
description = "Webshells Auto-generated - file test.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "82cf7b48da8286e644f575b039a99c26"
strings:
$s0 = "$yazi = \"test\" . \"\\r\\n\";"
$s2 = "fwrite ($fp, \"$yazi\");"
condition:
all of them
}
rule Debug_cress {
meta:
description = "Webshells Auto-generated - file cress.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "36a416186fe010574c9be68002a7286a"
strings:
$s0 = "\\Mithril "
$s4 = "Mithril.exe"
condition:
all of them
}
rule webshell {
meta:
description = "Webshells Auto-generated - file webshell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "f2f8c02921f29368234bfb4d4622ad19"
strings:
$s0 = "RhViRYOzz"
$s1 = "d\\O!jWW"
$s2 = "bc!jWW"
$s3 = "0W[&{l"
$s4 = "[INhQ@\\"
condition:
all of them
}
rule FSO_s_EFSO_2 {
meta:
description = "Webshells Auto-generated - file EFSO_2.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a341270f9ebd01320a7490c12cb2e64c"
strings:
$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
condition:
all of them
}
rule thelast_index3 {
meta:
description = "Webshells Auto-generated - file index3.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "cceff6dc247aaa25512bad22120a14b4"
strings:
$s5 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"Your Name\\\" field is r"
condition:
all of them
}
rule adjustcr {
meta:
description = "Webshells Auto-generated - file adjustcr.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "17037fa684ef4c90a25ec5674dac2eb6"
strings:
$s0 = "$Info: This file is packed with the UPX executable packer $"
$s2 = "$License: NRV for UPX is distributed under special license $"
$s6 = "AdjustCR Carr"
$s7 = "ION\\System\\FloatingPo"
condition:
all of them
}
rule FeliksPack3___PHP_Shells_xIShell {
meta:
description = "Webshells Auto-generated - file xIShell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "997c8437c0621b4b753a546a53a88674"
strings:
$s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"<td><a href='Java"
condition:
all of them
}
rule HYTop_AppPack_2005 {
meta:
description = "Webshells Auto-generated - file 2005.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
strings:
$s6 = "\" onclick=\"this.form.sqlStr.value='e:\\hytop.mdb"
condition:
all of them
}
rule xssshell {
meta:
description = "Webshells Auto-generated - file xssshell.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8fc0ffc5e5fbe85f7706ffc45b3f79b4"
strings:
$s1 = "if( !getRequest(COMMANDS_URL + \"?v=\" + VICTIM + \"&r=\" + generateID(), \"pushComma"
condition:
all of them
}
rule FeliksPack3___PHP_Shells_usr {
meta:
description = "Webshells Auto-generated - file usr.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "ade3357520325af50c9098dc8a21a024"
strings:
$s0 = "<?php $id_info = array('notify' => 'off','sub' => 'aasd','s_name' => 'nurullahor"
condition:
all of them
}
rule FSO_s_phpinj {
meta:
description = "Webshells Auto-generated - file phpinj.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "dd39d17e9baca0363cc1c3664e608929"
strings:
$s4 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';"
condition:
all of them
}
rule xssshell_db {
meta:
description = "Webshells Auto-generated - file db.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "cb62e2ec40addd4b9930a9e270f5b318"
strings:
$s8 = "'// By Ferruh Mavituna | http://ferruh.mavituna.com"
condition:
all of them
}
rule PHP_sh {
meta:
description = "Webshells Auto-generated - file sh.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1e9e879d49eb0634871e9b36f99fe528"
strings:
$s1 = "\"@$SERVER_NAME \".exec(\"pwd\")"
condition:
all of them
}
rule xssshell_default {
meta:
description = "Webshells Auto-generated - file default.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "d156782ae5e0b3724de3227b42fcaf2f"
strings:
$s3 = "If ProxyData <> \"\" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, \"<br />\")"
condition:
all of them
}
rule EditServer_Webshell_2 {
meta:
description = "Webshells Auto-generated - file EditServer.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5c1f25a4d206c83cdfb006b3eb4c09ba"
strings:
$s0 = "@HOTMAIL.COM"
$s1 = "Press Any Ke"
$s3 = "glish MenuZ"
condition:
all of them
}
rule by064cli {
meta:
description = "Webshells Auto-generated - file by064cli.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "10e0dff366968b770ae929505d2a9885"
strings:
$s7 = "packet dropped,redirecting"
$s9 = "input the password(the default one is 'by')"
condition:
all of them
}
rule Mithril_dllTest {
meta:
description = "Webshells Auto-generated - file dllTest.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a8d25d794d8f08cd4de0c3d6bf389e6d"
strings:
$s0 = "please enter the password:"
$s3 = "\\dllTest.pdb"
condition:
all of them
}
rule peek_a_boo {
meta:
description = "Webshells Auto-generated - file peek-a-boo.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "aca339f60d41fdcba83773be5d646776"
strings:
$s0 = "__vbaHresultCheckObj"
$s1 = "\\VB\\VB5.OLB"
$s2 = "capGetDriverDescriptionA"
$s3 = "__vbaExceptHandler"
$s4 = "EVENT_SINK_Release"
$s8 = "__vbaErrorOverflow"
condition:
all of them
}
rule fmlibraryv3 {
meta:
description = "Webshells Auto-generated - file fmlibraryv3.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "c34c248fed6d5a20d8203924a2088acc"
strings:
$s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER"
condition:
all of them
}
rule Debug_dllTest_2 {
meta:
description = "Webshells Auto-generated - file dllTest.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1b9e518aaa62b15079ff6edb412b21e9"
strings:
$s4 = "\\Debug\\dllTest.pdb"
$s5 = "--list the services in the computer"
condition:
all of them
}
rule connector {
meta:
description = "Webshells Auto-generated - file connector.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "3ba1827fca7be37c8296cd60be9dc884"
strings:
$s2 = "If ( AttackID = BROADCAST_ATTACK )"
$s4 = "Add UNIQUE ID for victims / zombies"
condition:
all of them
}
rule shelltools_g0t_root_HideRun {
meta:
description = "Webshells Auto-generated - file HideRun.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "45436d9bfd8ff94b71eeaeb280025afe"
strings:
$s0 = "Usage -- hiderun [AppName]"
$s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997."
condition:
all of them
}
rule regshell {
meta:
description = "Webshells Auto-generated - file regshell.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "db2fdc821ca6091bab3ebd0d8bc46ded"
strings:
$s0 = "Changes the base hive to HKEY_CURRENT_USER."
$s4 = "Displays a list of values and sub-keys in a registry Hive."
$s5 = "Enter a menu selection number (1 - 3) or 99 to Exit: "
condition:
all of them
}
rule PHP_Shell_v1_7 {
meta:
description = "Webshells Auto-generated - file PHP_Shell_v1.7.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b5978501c7112584532b4ca6fb77cba5"
strings:
$s8 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]"
condition:
all of them
}
rule xssshell_save {
meta:
description = "Webshells Auto-generated - file save.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "865da1b3974e940936fe38e8e1964980"
strings:
$s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID"
$s5 = "VictimID = fm_NStr(Victims(i))"
condition:
all of them
}
rule screencap {
meta:
description = "Webshells Auto-generated - file screencap.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "51139091dea7a9418a50f2712ea72aa6"
strings:
$s0 = "GetDIBColorTable"
$s1 = "Screen.bmp"
$s2 = "CreateDCA"
condition:
all of them
}
rule FSO_s_phpinj_2 {
meta:
description = "Webshells Auto-generated - file phpinj.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "dd39d17e9baca0363cc1c3664e608929"
strings:
$s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO"
condition:
all of them
}
rule ZXshell2_0_rar_Folder_zxrecv {
meta:
description = "Webshells Auto-generated - file zxrecv.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5d3d12a39f41d51341ef4cb7ce69d30f"
strings:
$s0 = "RyFlushBuff"
$s1 = "teToWideChar^FiYP"
$s2 = "mdesc+8F D"
$s3 = "\\von76std"
$s4 = "5pur+virtul"
$s5 = "- Kablto io"
$s6 = "ac#f{lowi8a"
condition:
all of them
}
rule FSO_s_ajan {
meta:
description = "Webshells Auto-generated - file ajan.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "22194f8c44524f80254e1b5aec67b03e"
strings:
$s4 = "entrika.write \"BinaryStream.SaveToFile"
condition:
all of them
}
rule c99shell {
meta:
description = "Webshells Auto-generated - file c99shell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "90b86a9c63e2cd346fe07cea23fbfc56"
strings:
$s0 = "<br />Input URL: <input name=\\\"uploadurl\\\" type=\\\"text\\\"&"
condition:
all of them
}
rule phpspy_2005_full {
meta:
description = "Webshells Auto-generated - file phpspy_2005_full.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "d1c69bb152645438440e6c903bac16b2"
strings:
$s7 = "echo \" <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco"
condition:
all of them
}
rule FSO_s_zehir4_2 {
meta:
description = "Webshells Auto-generated - file zehir4.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "5b496a61363d304532bcf52ee21f5d55"
strings:
$s4 = "\"Program Files\\Serv-u\\Serv"
condition:
all of them
}
rule httpdoor {
meta:
description = "Webshells Auto-generated - file httpdoor.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "6097ea963455a09474471a9864593dc3"
strings:
$s4 = "''''''''''''''''''DaJKHPam"
$s5 = "o,WideCharR]!n]"
$s6 = "HAutoComplete"
$s7 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:sch"
condition:
all of them
}
rule FSO_s_indexer_2 {
meta:
description = "Webshells Auto-generated - file indexer.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "135fc50f85228691b401848caef3be9e"
strings:
$s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>"
condition:
all of them
}
rule HYTop_DevPack_2005 {
meta:
description = "Webshells Auto-generated - file 2005.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "63d9fd24fa4d22a41fc5522fc7050f9f"
strings:
$s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")"
$s8 = "scrollbar-darkshadow-color:#9C9CD3;"
$s9 = "scrollbar-face-color:#E4E4F3;"
condition:
all of them
}
rule _root_040_zip_Folder_deploy {
meta:
description = "Webshells Auto-generated - file deploy.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "2c9f9c58999256c73a5ebdb10a9be269"
strings:
$s5 = "halon synscan 127.0.0.1 1-65536"
$s8 = "Obviously you replace the ip address with that of the target."
condition:
all of them
}
rule by063cli {
meta:
description = "Webshells Auto-generated - file by063cli.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "49ce26eb97fd13b6d92a5e5d169db859"
strings:
$s2 = "#popmsghello,are you all right?"
$s4 = "connect failed,check your network and remote ip."
condition:
all of them
}
rule icyfox007v1_10_rar_Folder_asp {
meta:
description = "Webshells Auto-generated - file asp.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "2c412400b146b7b98d6e7755f7159bb9"
strings:
$s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>"
condition:
all of them
}
rule FSO_s_EFSO_2_2 {
meta:
description = "Webshells Auto-generated - file EFSO_2.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "a341270f9ebd01320a7490c12cb2e64c"
strings:
$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"
$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"
condition:
all of them
}
rule byshell063_ntboot_2 {
meta:
description = "Webshells Auto-generated - file ntboot.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d"
strings:
$s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)"
condition:
all of them
}
rule u_uay {
meta:
description = "Webshells Auto-generated - file uay.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4"
strings:
$s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe"
$s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security"
condition:
1 of them
}
rule bin_wuaus {
meta:
description = "Webshells Auto-generated - file wuaus.dll"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "46a365992bec7377b48a2263c49e4e7d"
strings:
$s1 = "9(90989@9V9^9f9n9v9"
$s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"
$s3 = ";(=@=G=O=T=X=\\="
$s4 = "TCP Send Error!!"
$s5 = "1\"1;1X1^1e1m1w1~1"
$s8 = "=$=)=/=<=Y=_=j=p=z="
condition:
all of them
}
rule pwreveal {
meta:
description = "Webshells Auto-generated - file pwreveal.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "b4e8447826a45b76ca45ba151a97ad50"
strings:
$s0 = "*<Blank - no es"
$s3 = "JDiamondCS "
$s8 = "sword set> [Leith=0 bytes]"
$s9 = "ION\\System\\Floating-"
condition:
all of them
}
rule shelltools_g0t_root_xwhois {
meta:
description = "Webshells Auto-generated - file xwhois.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "0bc98bd576c80d921a3460f8be8816b4"
strings:
$s1 = "rting! "
$s2 = "aTypCog("
$s5 = "Diamond"
$s6 = "r)r=rQreryr"
condition:
all of them
}
rule vanquish_2 {
meta:
description = "Webshells Auto-generated - file vanquish.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "2dcb9055785a2ee01567f52b5a62b071"
strings:
$s2 = "Vanquish - DLL injection failed:"
condition:
all of them
}
rule down_rar_Folder_down {
meta:
description = "Webshells Auto-generated - file down.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "db47d7a12b3584a2e340567178886e71"
strings:
$s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\" & Snet.ComputerName &"
condition:
all of them
}
rule cmdShell {
meta:
description = "Webshells Auto-generated - file cmdShell.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "8a9fef43209b5d2d4b81dfbb45182036"
strings:
$s1 = "if cmdPath=\"wscriptShell\" then"
condition:
all of them
}
rule ZXshell2_0_rar_Folder_nc {
meta:
description = "Webshells Auto-generated - file nc.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "2cd1bf15ae84c5f6917ddb128827ae8b"
strings:
$s0 = "WSOCK32.dll"
$s1 = "?bSUNKNOWNV"
$s7 = "p@gram Jm6h)"
$s8 = "ser32.dllCONFP@"
condition:
all of them
}
rule portlessinst {
meta:
description = "Webshells Auto-generated - file portlessinst.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "74213856fc61475443a91cd84e2a6c2f"
strings:
$s2 = "Fail To Open Registry"
$s3 = "f<-WLEggDr\""
$s6 = "oMemoryCreateP"
condition:
all of them
}
rule SetupBDoor {
meta:
description = "Webshells Auto-generated - file SetupBDoor.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "41f89e20398368e742eda4a3b45716b6"
strings:
$s1 = "\\BDoor\\SetupBDoor"
condition:
all of them
}
rule phpshell_3 {
meta:
description = "Webshells Auto-generated - file phpshell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "e8693a2d4a2ffea4df03bb678df3dc6d"
strings:
$s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>"
$s5 = " echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";"
condition:
all of them
}
rule BIN_Server {
meta:
description = "Webshells Auto-generated - file Server.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "1d5aa9cbf1429bb5b8bf600335916dcd"
strings:
$s0 = "configserver"
$s1 = "GetLogicalDrives"
$s2 = "WinExec"
$s4 = "fxftest"
$s5 = "upfileok"
$s7 = "upfileer"
condition:
all of them
}
rule HYTop2006_rar_Folder_2006 {
meta:
description = "Webshells Auto-generated - file 2006.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "c19d6f4e069188f19b08fa94d44bc283"
strings:
$s6 = "strBackDoor = strBackDoor "
condition:
all of them
}
rule r57shell_3 {
meta:
description = "Webshells Auto-generated - file r57shell.php"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "87995a49f275b6b75abe2521e03ac2c0"
strings:
$s1 = "<b>\".$_POST['cmd']"
condition:
all of them
}
rule HDConfig {
meta:
description = "Webshells Auto-generated - file HDConfig.exe"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "7d60e552fdca57642fd30462416347bd"
strings:
$s0 = "An encryption key is derived from the password hash. "
$s3 = "A hash object has been created. "
$s4 = "Error during CryptCreateHash!"
$s5 = "A new key container has been created."
$s6 = "The password has been added to the hash. "
condition:
all of them
}
rule FSO_s_ajan_2 {
meta:
description = "Webshells Auto-generated - file ajan.asp"
author = "Yara Bulk Rule Generator by Florian Roth"
hash = "22194f8c44524f80254e1b5aec67b03e"
strings:
$s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")"
$s3 = "/file.zip"
condition:
all of them
}
rule Webshell_and_Exploit_CN_APT_HK : Webshell
{
meta:
author = "Florian Roth"
description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters"
date = "10.10.2014"
score = 50
strings:
$a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword
$s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">"
$s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">"
condition:
$a0 or ( all of ($s*) )
}
rule JSP_Browser_APT_webshell {
meta:
description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a"
author = "F.Roth"
date = "10.10.2014"
score = 60
strings:
$a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii
$a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii
$a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii
$a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii
condition:
all of them
}
rule JSP_jfigueiredo_APT_webshell {
meta:
description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
author = "F.Roth"
date = "12.10.2014"
score = 60
reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp"
strings:
$a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii
$a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii
condition:
all of them
}
rule JSP_jfigueiredo_APT_webshell_2 {
meta:
description = "JSP Browser used as web shell by APT groups - author: jfigueiredo"
author = "F.Roth"
date = "12.10.2014"
score = 60
reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/"
strings:
$a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii
$a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii
$s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii
$s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii
condition:
all of ($a*) or all of ($s*)
}
rule AJAX_FileUpload_webshell {
meta:
description = "AJAX JS/CSS components providing web shell by APT groups"
author = "F.Roth"
date = "12.10.2014"
score = 75
reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js"
strings:
$a1 = "var frameId = 'jUploadFrame' + id;" ascii
$a2 = "var form = jQuery('<form action=\"\" method=\"POST\" name=\"' + formId + '\" id=\"' + formId + '\" enctype=\"multipart/form-data\"></form>');" ascii
$a3 = "jQuery(\"<div>\").html(data).evalScripts();" ascii
condition:
all of them
}
rule Webshell_Insomnia {
meta:
description = "Insomnia Webshell - file InsomniaShell.aspx"
author = "Florian Roth"
reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/"
date = "2014/12/09"
hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22"
score = 80
strings:
$s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii
$s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii
$s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii
$s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii
$s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii
$s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii
$s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii
$s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii
condition:
3 of them
}
rule HawkEye_PHP_Panel {
meta:
description = "Detects HawkEye Keyloggers PHP Panel"
author = "Florian Roth"
date = "2014/12/14"
score = 60
strings:
$s0 = "$fname = $_GET['fname'];" ascii fullword
$s1 = "$data = $_GET['data'];" ascii fullword
$s2 = "unlink($fname);" ascii fullword
$s3 = "echo \"Success\";" fullword ascii
condition:
all of ($s*) and filesize < 600
}
rule SoakSoak_Infected_Wordpress {
meta:
description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX"
reference = "http://goo.gl/1GzWUX"
author = "Florian Roth"
date = "2014/12/15"
score = 60
strings:
$s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword
$s1 = "function FuncQueueObject()" ascii fullword
$s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword
condition:
all of ($s*)
}
rule Pastebin_Webshell {
meta:
description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs"
author = "Florian Roth"
score = 70
date = "13.01.2015"
reference = "http://goo.gl/7dbyZs"
strings:
$s0 = "file_get_contents(\"http://pastebin.com" ascii
$s1 = "xcurl('http://pastebin.com/download.php" ascii
$s2 = "xcurl('http://pastebin.com/raw.php" ascii
$x0 = "if($content){unlink('evex.php');" ascii
$x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii
$y0 = "file_put_contents($pth" ascii
$y1 = "echo \"<login_ok>" ascii
$y2 = "str_replace('* @package Wordpress',$temp" ascii
condition:
1 of ($s*) or all of ($x*) or all of ($y*)
}
rule ASPXspy2 {
meta:
description = "Web shell - file ASPXspy2.aspx"
author = "Florian Roth"
reference = "not set"
date = "2015/01/24"
hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197"
strings:
$s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii
$s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii
$s3 = "Process[] p=Process.GetProcesses();" fullword ascii
$s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii
$s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii
$s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii
$s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii
$s8 = "Copyright © 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii
$s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii
$s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii
$s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii
$s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii
$s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii
$s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii
condition:
6 of them
}
/*
Yara Rule Set
Author: Florian Roth
Date: 2016-01-11
Identifier: Web Shell Repo
Reference: https://github.com/nikicat/web-malware-collection
*/
rule Webshell_27_9_c66_c99 {
meta:
description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..."
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash3 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash4 = "80ec7831ae888d5603ed28d81225ed8b256c831077bb8feb235e0a1a9b68b748"
hash5 = "6ce99e07aa98ba6dc521c34cf16fbd89654d0ba59194878dffca857a4c34e57b"
hash6 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash7 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash8 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash9 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash10 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
strings:
$s4 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii
$s6 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii
$s7 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii
condition:
filesize < 685KB and 1 of them
}
rule Webshell_acid_AntiSecShell_3 {
meta:
description = "Detects Webshell Acid"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash4 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash5 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash6 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash7 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash8 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash9 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash10 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash11 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash12 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash13 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash14 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash15 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash16 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash17 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
hash18 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii
$s1 = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii
condition:
filesize < 900KB and all of them
}
rule Webshell_c99_4 {
meta:
description = "Detects C99 Webshell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash4 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c"
hash5 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash6 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash7 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash8 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1"
hash9 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash10 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966"
hash11 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash12 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash13 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5"
hash14 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii
$s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii
$s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii
$s4 = "$ret = myshellexec($handler);" fullword ascii
$s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii
condition:
filesize < 900KB and 1 of them
}
rule Webshell_r57shell_2 {
meta:
description = "Detects Webshell R57"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
hash2 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
hash3 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d"
hash4 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
hash5 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881"
hash6 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
hash7 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
hash8 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
hash9 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash10 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash11 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
hash12 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
hash13 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
strings:
$s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii
$s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii
condition:
filesize < 900KB and all of them
}
rule Webshell_27_9_acid_c99_locus7s {
meta:
description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668"
hash4 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a"
hash5 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash6 = "5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3"
hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
hash8 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
strings:
$s0 = "$blah = ex($p2.\" /tmp/back \".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii
$s1 = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii
condition:
filesize < 1711KB and 1 of them
}
rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {
meta:
description = "Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..."
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6"
hash2 = "f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba"
hash3 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2"
hash4 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88"
hash5 = "6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a"
hash6 = "5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94"
hash7 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8"
hash8 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f"
hash9 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519"
hash10 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f"
hash11 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92"
strings:
$s1 = "$_POST['cmd'] = which('" ascii
$s2 = "$blah = ex(" fullword ascii
condition:
filesize < 600KB and all of them
}
rule Webshell_c100 {
meta:
description = "Detects Webshell - rule generated from from files c100 v. 777shell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092"
hash2 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5"
hash3 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06"
hash4 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596"
hash5 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9"
hash6 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96"
hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f"
strings:
$s0 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii
$s1 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii
$s3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii
$s4 = "which wget curl w3m lynx" ascii
$s6 = "netstat -atup | grep IST" ascii
condition:
filesize < 685KB and 2 of them
}
rule Webshell_AcidPoison {
meta:
description = "Detects Poison Sh3ll - Webshell"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash3 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash4 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash5 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash6 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash7 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
hash8 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5"
hash9 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash10 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
strings:
$s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii
condition:
filesize < 550KB and all of them
}
rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {
meta:
description = "Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549"
hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc"
hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791"
hash4 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f"
hash5 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd"
strings:
$s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii
$s2 = "foreach($quicklaunch2 as $item) {" fullword ascii
condition:
filesize < 882KB and all of them
}
rule Webshell_Ayyildiz {
meta:
description = "Detects Webshell - rule generated from from files Ayyildiz Tim -AYT- Shell v 2.1 Biz.txt, Macker's Private PHPShell.php, matamu.txt, myshell.txt, PHP Shell.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5"
hash2 = "9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a"
hash3 = "2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca"
hash4 = "77a63b26f52ba341dd2f5e8bbf5daf05ebbdef6b3f7e81cec44ce97680e820f9"
hash5 = "61c4fcb6e788c0dffcf0b672ae42b1676f8a9beaa6ec7453fc59ad821a4a8127"
strings:
$s0 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii
$s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii
condition:
filesize < 112KB and all of them
}
rule Webshell_zehir {
meta:
description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt"
author = "Florian Roth"
reference = "https://github.com/nikicat/web-malware-collection"
date = "2016-01-11"
score = 70
hash1 = "16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218"
hash2 = "0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6"
hash3 = "cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66"
hash4 = "b57bf397984545f419045391b56dcaf7b0bed8b6ee331b5c46cee35c92ffa13d"
hash5 = "febf37a9e8ba8ece863f506ae32ad398115106cc849a9954cbc0277474cdba5c"
strings:
$s1 = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii
$s2 = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii
condition:
filesize < 200KB and 1 of them
}
/*
PHP file(s) (spreader) that, using multiple remote
servers, use file_get_contents() to get more PHP
content that it writes in files with random name
(echoers), file(s) which use file_get_contents()
to get and echo the HTML (chinese blog/shop/???).
*/
rule chinese_spam_spreader : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches chinese PHP spam files (autospreaders)"
strings:
$a = "User-Agent: aQ0O010O"
$b = "<font color='red'><b>Connection Error!</b></font>"
$c = /if ?\(\$_POST\[Submit\]\) ?{/
condition:
all of them
}
rule chinese_spam_echoer : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches chinese PHP spam files (printers)"
strings:
$a = "set_time_limit(0)"
$b = "date_default_timezone_set('PRC');"
$c = "$Content_mb;"
$d = "/index.php?host="
condition:
all of them
}
/*
Webshell "fire2013.php" - shell apended to PHP!Anuna code,
found in the wild both appended and single.
Shell prints a fake "404 not found" Apache message, while
the user has to post "pass=Fuck1950xx=" to enable it.
As written in the original (decoded PHP) file,
@define('VERSION', 'v4 by Sp4nksta');
Shell is also backdoored, it mails the shell location and
info on "h4x4rwow@yahoo.com" as written in the "system32()"
function.
*/
rule fire2013 : webshell
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches a webshell"
strings:
$a = "eval(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61"
$b = "yc0CJYb+O//Xgj9/y+U/dd//vkf'\\x29\\x29\\x29\\x3B\")"
condition:
all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
// Linux/Moose yara rules
// For feedback or questions contact us at: github@eset.com
// https://github.com/eset/malware-ioc/
//
// These yara rules are provided to the community under the two-clause BSD
// license as follows:
//
// Copyright (c) 2015, ESET
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
//
// 1. Redistributions of source code must retain the above copyright notice, this
// list of conditions and the following disclaimer.
//
// 2. Redistributions in binary form must reproduce the above copyright notice,
// this list of conditions and the following disclaimer in the documentation
// and/or other materials provided with the distribution.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
private rule is_elf
{
strings:
$header = { 7F 45 4C 46 }
condition:
$header at 0
}
rule moose
{
meta:
Author = "Thomas Dupuy"
Date = "2015/04/21"
Description = "Linux/Moose malware"
Reference = "http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf"
Source = "https://github.com/eset/malware-ioc/"
Contact = "github@eset.com"
License = "BSD 2-Clause"
strings:
$s0 = "Status: OK"
$s1 = "--scrypt"
$s2 = "stratum+tcp://"
$s3 = "cmd.so"
$s4 = "/Challenge"
$s7 = "processor"
$s9 = "cpu model"
$s21 = "password is wrong"
$s22 = "password:"
$s23 = "uthentication failed"
$s24 = "sh"
$s25 = "ps"
$s26 = "echo -n -e "
$s27 = "chmod"
$s28 = "elan2"
$s29 = "elan3"
$s30 = "chmod: not found"
$s31 = "cat /proc/cpuinfo"
$s32 = "/proc/%s/cmdline"
$s33 = "kill %s"
condition:
is_elf and all of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license.
*/
rule ELF_Linux_Torte : Linux ELF
{
meta:
author = "@mmorenog,@yararules"
description = "Detects ELF Linux/Torte infection"
ref = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
hash1 = "1faf27f6b8e8a9cadb611f668a01cf73"
hash2 = "cb0477445fef9c5f1a5b6689bbfb941e"
strings:
$s0 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6)"
$s1 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)"
$s2 = "?sessd="
$s3 = "&sessc="
$s4 = "&sessk="
$s5 = "3a08fe7b8c4da6ed09f21c3ef97efce2"
$s6 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
$s7 = "_ZN11CThreadPool10getBatchesERSt6vectorISt4pairISsiESaIS2_EE"
$s8 = "_ZNSs4_Rep10_M_destroyERKSaIcE@@GLIBCXX_3.4"
$s9 = "_ZNSt6vectorImSaImEE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPmS1_EERKm"
$s10 = "_ZNSt6vectorISt4pairISsiESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_"
$s11 = "_ZSt20__throw_out_of_rangePKc@@GLIBCXX_3.4"
condition:
is_elf and all of ($s*)
}
rule ELF_Linux_Torte_domains {
meta:
author = "@mmorenog,@yararules"
description = "Detects ELF Linux/Torte infection"
ref1 = "http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html"
strings:
$1 = "pages.touchpadz.com" ascii wide nocase
$2 = "bat.touchpadz.com" ascii wide nocase
$3 = "stat.touchpadz.com" ascii wide nocase
$4 = "sk2.touchpadz.com" ascii wide nocase
condition:
any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
ref : https://github.com/gwillem/magento-malware-scanner/blob/master/rules/backend.yar
author : https://github.com/gwillem
*/
rule dump_sales_quote_payment {
strings: $ = "include '../../../../../../../../../../app/Mage.php'; Mage::app(); $q = Mage::getModel('sales/quote_payment')->getCollection();"
condition: any of them
}
rule dump_sales_order {
strings: $ = "../../../../../../app/Mage.php'; Mage::app(); var_dump(Mage::getModel('sales/order')"
condition: any of them
}
rule md5_64651cede2467fdeb1b3b7e6ff3f81cb {
strings: $ = "rUl6QttVEP5eqf9usxfJjgoOvdNWFSGoHDgluk+4ONwXQNbGniQLttfyrgkB8d9"
condition: any of them
}
rule md5_6bf4910b01aa4f296e590b75a3d25642 {
strings: $ = "base64_decode('b25lcGFnZXxnY19hZG1pbg==')"
condition: any of them
}
rule fopo_webshell {
strings:
$ = "DNEcHdQbWtXU3dSMDA1VmZ1c29WUVFXdUhPT0xYb0k3ZDJyWmFVZlF5Y0ZEeHV4K2FnVmY0OUtjbzhnc0"
$ = "U3hkTVVibSt2MTgyRjY0VmZlQWo3d1VlaFJVNVNnSGZUVUhKZXdEbGxJUTlXWWlqWSt0cEtacUZOSXF4c"
$ = "rb2JHaTJVdURMNlhQZ1ZlTGVjVnFobVdnMk5nbDlvbEdBQVZKRzJ1WmZUSjdVOWNwWURZYlZ0L1BtNCt"
condition: any of them
}
rule eval_post {
strings:
$ = "eval(base64_decode($_POST"
$ = "eval($undecode($tongji))"
$ = "eval($_POST"
condition: any of them
}
rule spam_mailer {
strings:
$ = "<strong>WwW.Zone-Org</strong>"
$ = "echo eval(urldecode("
condition: any of them
}
rule md5_0105d05660329704bdb0ecd3fd3a473b {
/*
)){eval (${ $njap58}['q9e5e25' ])
) ) { eval ( ${$yed7 }['
*/
strings: $ = /\)\s*\)\s*\{\s*eval\s*\(\s*\$\{/
condition: any of them
}
rule md5_0b1bfb0bdc7e017baccd05c6af6943ea {
/*
eval(hnsqqh($llmkuhieq, $dbnlftqgr));?>
eval(vW91692($v7U7N9K, $v5N9NGE));?>
*/
strings: $ = /eval\([\w\d]+\(\$[\w\d]+, \$[\w\d]+\)\);/
condition: any of them
}
rule md5_2495b460f28f45b40d92da406be15627 {
strings: $ = "$dez = $pwddir.\"/\".$real;copy($uploaded, $dez);"
condition: any of them
}
rule md5_2c37d90dd2c9c743c273cb955dd83ef6 {
strings: $ = "@$_($_REQUEST['"
condition: any of them
}
rule md5_3ccdd51fe616c08daafd601589182d38 {
strings: $ = "eval(xxtea_decrypt"
condition: any of them
}
rule md5_4b69af81b89ba444204680d506a8e0a1 {
strings: $ = "** Scam Redirector"
condition: any of them
}
rule md5_71a7c769e644d8cf3cf32419239212c7 {
/*
// $GLOBALS['ywanc2']($GLOBALS['ggbdg61']
*/
strings: $ = /\$GLOBALS\['[\w\d]+'\]\(\$GLOBALS\['[\w\d]+'\]/
condition: any of them
}
rule md5_825a3b2a6abbe6abcdeda64a73416b3d {
/*
// $ooooo00oo0000oo0oo0oo00ooo0ooo0o0o0 = gethostbyname($_SERVER["SERVER_NAME"]);
// if(!oo00o0OOo0o00O("fsockopen"))
// strings: $ = "$ooooo00oo0000oo0"
*/
strings: $ = /[o0O]{3}\("fsockopen"\)/
condition: any of them
}
rule md5_87cf8209494eedd936b28ff620e28780 {
strings: $ = "curl_close($cu);eval($o);};die();"
condition: any of them
}
rule md5_9b59cb5b557e46e1487ef891cedaccf7 {
strings:
$jpg = { FF D8 FF E0 ?? ?? 4A 46 49 46 00 01 }
/*
// https://en.wikipedia.org/wiki/List_of_file_signatures
// magic module is not standard compiled in on our platform
// otherwise: condition: magic.mime_type() == /^image/
// $jpg = { 4A 46 49 46 00 01 }
*/
$php = "<?php"
condition: ($jpg at 0) and $php
}
rule md5_c647e85ad77fd9971ba709a08566935d {
strings: $ = "fopen(\"cache.php\", \"w+\")"
condition: any of them
}
rule md5_fb9e35bf367a106d18eb6aa0fe406437 {
strings: $ = "0B6KVua7D2SLCNDN2RW1ORmhZRWs/sp_tilang.js"
condition: any of them
}
rule md5_8e5f7f6523891a5dcefcbb1a79e5bbe9 {
strings: $ = "if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])) {echo '<b>up!!!</b><br><br>';}}"
condition: any of them
}
rule indoexploit_autoexploiter {
strings: $ = "echo \"IndoXploit - Auto Xploiter\""
condition: any of them
}
rule eval_base64_decode_a {
strings: $ = "eval(base64_decode($a));"
condition: any of them
}
rule obfuscated_eval {
strings:
$ = /\\x65\s*\\x76\s*\\x61\s*\\x6C/
$ = "\"/.*/e\""
condition: any of them
}
rule md5_50be694a82a8653fa8b31d049aac721a {
strings: $ = "(preg_match('/\\/admin\\/Cms_Wysiwyg\\/directive\\/index\\//', $_SERVER['REQUEST_URI']))"
condition: any of them
}
rule md5_ab63230ee24a988a4a9245c2456e4874 {
strings: $ = "eval(gzinflate(base64_decode(str_rot13(strrev("
condition: any of them
}
rule md5_b579bff90970ec58862ea8c26014d643 {
/* forces php execution of image files, dropped in an .htaccess file under media */
strings: $ = /<Files [^>]+.(jpg|png|gif)>\s*ForceType application\/x-httpd-php/
condition: any of them
}
rule md5_d30b23d1224438518d18e90c218d7c8b {
strings: $ = "attribute_code=0x70617373776f72645f68617368"
condition: any of them
}
rule md5_24f2df1b9d49cfb02d8954b08dba471f {
strings: $ = "))unlink('../media/catalog/category/'.basename($"
condition: any of them
}
rule base64_hidden_in_image {
strings: $ = /JPEG-1\.1[a-zA-Z0-9\-\/]{32}/
condition: any of them
}
rule hide_data_in_jpeg {
strings: $ = /file_put_contents\(\$.{2,3},'JPEG-1\.1'\.base64_encode/
condition: any of them
}
rule hidden_file_upload_in_503 {
strings: $ = /error_reporting\(0\);\$f=\$_FILES\[\w+\];copy\(\$f\[tmp_name\],\$f\[name\]\);error_reporting\(E_ALL\);/
condition: any of them
}
rule md5_fd141197c89d27b30821f3de8627ac38 {
strings: $ = "if(isset($_GET['do'])){$g0='adminhtml/default/default/images'"
condition: any of them
}
rule visbot {
strings:
$ = "stripos($buf, 'Visbot')!==false && stripos($buf, 'Pong')!==false"
$ = "stripos($buf, 'Visbot') !== false && stripos($buf, 'Pong')"
condition: any of them
}
rule md5_39ca2651740c2cef91eb82161575348b {
strings: $ = /if\(md5\(@\$_COOKIE\[..\]\)=='.{32}'\) \(\$_=@\$_REQUEST\[.\]\).@\$_\(\$_REQUEST\[.\]\);/
condition: any of them
}
rule md5_4c4b3d4ba5bce7191a5138efa2468679 {
strings:
$ = "<?PHP /*** Magento** NOTICE OF LICENSE** This source file is subject to the Open Software License (OSL 3.0)* that is bundled with this package in the file LICENSE.txt.* It is also available through the world-wide-web at this URL:* http://opensource.org/licenses/osl-3.0.php**/$"
$ = "$_SERVER['HTTP_USER_AGENT'] == 'Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'"
condition: any of them
}
rule md5_6eb201737a6ef3c4880ae0b8983398a9 {
strings:
$ = "if(md5(@$_COOKIE[qz])=="
$ = "($_=@$_REQUEST[q]).@$_($_REQUEST[z]);"
condition: all of them
}
rule md5_d201d61510f7889f1a47257d52b15fa2 {
strings: $ = "@eval(stripslashes($_REQUEST[q]));"
condition: any of them
}
rule md5_06e3ed58854daeacf1ed82c56a883b04 {
strings: $ = "$log_entry = serialize($ARINFO)"
condition: any of them
}
rule md5_28690a72362e021f65bb74eecc54255e {
strings: $ = "curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query(array('data'=>$data,'utmp'=>$id)));"
condition: any of them
}
rule overwrite_globals_hack {
strings: $ = /\$GLOBALS\['[^']{,20}'\]=Array\(/
condition: any of them
}
rule md5_4adef02197f50b9cc6918aa06132b2f6 {
/* { eval($cco37(${ $kasd1}[ 'n46b398' ] ) );} */
strings: $ = /\{\s*eval\s*\(\s*\$.{1,5}\s*\(\$\{\s*\$.{1,5}\s*\}\[\s*'.{1,10}'\s*\]\s*\)\s*\);\}/
condition: any of them
}
rule obfuscated_globals {
/* $GLOBALS['y63581'] = "\x43 */
strings: $ = /\$GLOBALS\['.{1,10}'\] = "\\x/
condition: any of them
}
rule ld_preload_backdoor {
strings: $ = "killall -9 \".basename(\"/usr/bin/host"
condition: any of them
}
rule fake_magentoupdate_site {
strings: $ = "magentopatchupdate.com"
condition: any of them
}
rule md5_b3ee7ea209d2ff0d920dfb870bad8ce5 {
strings:
$ = /\$mysql_key\s*=\s*@?base64_decode/
$ = /eval\(\s*\$mysql_key\s*\)/
condition: all of them
}
rule md5_e03b5df1fa070675da8b6340ff4a67c2 {
strings:
$ = /if\(preg_match\("\/onepage\|admin\/",\s*\$_SERVER\['REQUEST_URI'\]\)\)\{\s*@?file_put_contents/
$ = /@?base64_encode\(serialize\(\$_REQUEST\)\."--"\.serialize\(\$_COOKIE\)\)\."\\n",\s*FILE_APPEND\)/
condition: any of them
}
rule md5_023a80d10d10d911989e115b477e42b5 {
strings: $ = /chr\(\d{,3}\)\.\"\"\.chr\(\d{,3}\)/
condition: any of them
}
rule md5_4aa900ddd4f1848a15c61a9b7acd5035 {
strings: $ = "'base'.(128/2).'_de'.'code'"
condition: any of them
}
rule md5_f797dd5d8e13fe5c8898dbe3beb3cc5b {
strings: $ = "echo(\"FILE_Bad\");"
condition: any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
ref : https://github.com/gwillem/magento-malware-scanner
author : https://github.com/gwillem
*/
rule onepage_or_checkout {
strings: $ = "\\x6F\\x6E\\x65\\x70\\x61\\x67\\x65\\x7C\\x63\\x68\\x65\\x63\\x6B\\x6F\\x75\\x74"
condition: any of them
}
rule sinlesspleasure_com {
strings: $ = "5e908r948q9e605j8t9b915n5o9f8r5e5d969g9d795b4s6p8t9h9f978o8p8s9590936l6k8j9670524p7490915l5f8r90878t917f7g8p8o8p8k9c605i8d937t7m8i8q8o8q959h7p828e7r8e7q7e8m8o5g5e9199918o9g7q7c8c8t99905a5i8l94989h7r7g8i8t8m5f5o92917q7k9i9e948c919h925a5d8j915h608t8p8t9f937b7k9i9e948c919h92"
condition: any of them
}
rule amasty_biz {
strings: $ = "118,97,114,32,115,110,100,32,61,110,117,108,108,59,10,10,102,117"
condition: any of them
}
rule amasty_biz_js {
strings: $ = "t_p#0.qlb#0.#1Blsjj#1@#.?#.?dslargml#0.qr_pr#06#07#5@#.?#0"
condition: any of them
}
rule returntosender {
strings: $ = "\\x2F\\x6D\\x65\\x64\\x69\\x61\\x2F\\x63\\x61\\x74\\x61\\x6C\\x6F\\x67\\x2F\\x70\\x72\\x6F\\x64\\x75\\x63\\x74\\x2F\\x63\\x61\\x63\\x68\\x65\\x2F\\x31\\x2F\\x74\\x68\\x75\\x6D\\x62\\x6E\\x61\\x69\\x6C\\x2F\\x37\\x30\\x30\\x78\\x2F\\x32\\x62\\x66\\x38\\x66\\x32\\x62\\x38\\x64\\x30\\x32\\x38\\x63\\x63\\x65\\x39\\x36\\x2F\\x42\\x2F\\x57\\x2F\\x64\\x61\\x34\\x31\\x38\\x30\\x33\\x63\\x63\\x39\\x38\\x34\\x62\\x38\\x63\\x2E\\x70\\x68\\x70"
condition: any of them
}
rule ip_5uu8_com {
strings: $ = "\\x69\\x70\\x2e\\x35\\x75\\x75\\x38\\x2e\\x63\\x6f\\x6d"
condition: any of them
}
rule cloudfusion_me {
strings: $ = "cloudfusion.me"
condition: any of them
}
rule grelos_v {
strings: $ = "var grelos_v"
condition: any of them
}
rule hacked_domains {
strings:
$ = "infopromo.biz"
$ = "jquery-code.su"
$ = "jquery-css.su"
$ = "megalith-games.com"
$ = "cdn-cloud.pw"
$ = "animalzz921.pw"
$ = "statsdot.eu"
condition: any of them
}
rule mage_cdn_link {
strings: $ = "\\x6D\\x61\\x67\\x65\\x2D\\x63\\x64\\x6E\\x2E\\x6C\\x69\\x6E\\x6B"
condition: any of them
}
rule credit_card_regex {
strings: $ = "RegExp(\"[0-9]{13,16}\")"
condition: any of them
}
rule jquery_code_su {
strings: $ = "105,102,40,40,110,101,119,32,82,101,103,69,120,112,40,39,111,110,101,112,97,103,101"
condition: any of them
}
rule jquery_code_su_multi {
strings: $ = "=oQKpkyJ8dCK0lGbwNnLn42bpRXYj9GbENDft12bkBjM8V2Ypx2c8Rnbl52bw12bDlkUVVGZvNWZkZ0M85WavpGfsJXd8R1UPB1NywXZtFmb0N3box"
condition: any of them
}
rule Trafficanalyzer_js {
strings: $ = "z=x['length'];for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)-10) }w=this['unescape'](y);this['eval'](w);"
condition: any of them
}
rule atob_js {
strings: $ = "this['eval'](this['atob']('"
condition: any of them
}
rule gate_php_js {
/* token=KjsS29Msl&host= */
strings:
$re =/\/gate.php\?token=.{,10}&host=/ nocase
condition: any of them
}
rule googieplay_js {
strings: $ = "tdsjqu!tsd>#iuuq;00hpphjfqmbz/jogp0nbhfoup`hpphjfqmbz/kt#?=0tdsjqu?"
condition: any of them
}
rule mag_php_js {
strings:
$ = "onepage|checkout|onestep|firecheckout|onestepcheckout"
$ = "'one|check'"
condition: any of them
}
rule thetech_org_js {
strings: $ = "|RegExp|onepage|checkout|"
condition: any of them
}
rule md5_cdn_js_link_js {
strings: $ = "grelos_v= null"
condition: any of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule AnglerEKredirector : EK
{
meta:
description = "Angler Exploit Kit Redirector"
ref = "http://blog.xanda.org/2015/08/28/yara-rule-for-angler-ek-redirector-js/"
author = "adnan.shukor@gmail.com"
date = "08-July-2015"
impact = "5"
version = "1"
strings:
$ekr1 = "<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);" fullword
$ekr2 = "document.cookie=\"PHP_SESSION_PHP="
$ekr3 = "path=/; expires=\"+date.toUTCString();</script>" fullword
$ekr4 = "<iframe src=" fullword
$ekr5 = "</iframe></div>" fullword
condition:
all of them
}
rule angler_flash : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "8081397c30b53119716c374dd58fc653"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "(9OOSp"
$string1 = "r$g@ 0'[A"
$string2 = ";R-1qTP"
$string3 = "xwBtR4"
$string4 = "YbVjxp"
$string5 = "ddgXkF"
$string6 = ")n'URF"
$string7 = "vAzq@W"
$string8 = "rOkX$6m<"
$string9 = "@@DB}q "
$string10 = "TiKV'iV"
$string11 = "538x;B"
$string12 = "9pEM{d"
$string13 = ".SIy/O"
$string14 = "ER<Gu,"
condition:
14 of them
}
rule angler_flash2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "23812c5a1d33c9ce61b0882f860d79d6"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "4yOOUj"
$string1 = "CSvI4e"
$string2 = "'fwaEnkI"
$string3 = "'y4m%X"
$string4 = "eOc)a,"
$string5 = "'0{Q5<"
$string6 = "1BdX;P"
$string7 = "D _J)C"
$string8 = "-epZ.E"
$string9 = "QpRkP."
$string10 = "<o/]atel"
$string11 = "@B.,X<"
$string12 = "5r[c)U"
$string13 = "52R7F'"
$string14 = "NZ[FV'P"
condition:
14 of them
}
rule angler_flash4 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "dbb3f5e90c05602d92e5d6e12f8c1421"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "_u;cwD;"
$string1 = "lhNp74"
$string2 = "Y0GQ%v"
$string3 = "qjqCb,nx"
$string4 = "vn{l{Wl"
$string5 = "5j5jz5"
$string6 = "a3EWwhM"
$string7 = "hVJb/4Aut"
$string8 = ",lm4v,"
$string9 = ",6MekS"
$string10 = "YM.mxzO"
$string11 = ";6 -$E"
$string12 = "QA%: fy"
$string13 = "<@{qvR"
$string14 = "b9'$'6l"
$string15 = ",x:pQ@-"
$string16 = "2Dyyr9"
condition:
16 of them
}
rule angler_flash5 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "9f809272e59ee9ecd71093035b31eec6"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "0k%2{u"
$string1 = "\\Pb@(R"
$string2 = "ys)dVI"
$string3 = "tk4_y["
$string4 = "LM2Grx"
$string5 = "n}s5fb"
$string6 = "jT Nx<hKO"
$string7 = "5xL>>}"
$string8 = "S%,1{b"
$string9 = "C'3g7j"
$string10 = "}gfoh]"
$string11 = ",KFVQb"
$string12 = "LA;{Dx"
condition:
12 of them
}
rule angler_flash_uncompressed : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "2543855d992b2f9a576f974c2630d851"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "DisplayObjectContainer"
$string1 = "Xtime2"
$string2 = "(HMRTQ"
$string3 = "flash.events:EventDispatcher$flash.display:DisplayObjectContainer"
$string4 = "_e_-___-__"
$string5 = "ZviJbf"
$string6 = "random-"
$string7 = "_e_-_-_-_"
$string8 = "_e_------"
$string9 = "817677162"
$string10 = "_e_-__-"
$string11 = "-[vNnZZ"
$string12 = "5:unpad: Invalid padding value. expected ["
$string13 = "writeByte/"
$string14 = "enumerateFonts"
$string15 = "_e_---___"
$string16 = "_e_-_-"
$string17 = "f(fOJ4"
condition:
17 of them
}
rule angler_html : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "afca949ab09c5583a2ea5b2006236666"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = " A9 3E AF D5 9AQ FA 14 BC F2 A0H EA 7FfJ A58 A3 B1 BD 85 DB F3 B4 B6 FB B2 B4 14 82 19 88 28 D0 EA 2"
$string1 = " 2BS 25 26p 20 3F 81 0E D3 9C 84 C7 EC C3 C41M C48 D3 B5N 09 C2z 98 7B 09. DF 05 5EQ DF A3 B6 EE D5 "
$string2 = "9 A1Fg A8 837 9A A9 0A 1D 40b02 A5U6 22o 16 DC 5D F5 F5 FA BE FB EDX F0 87 DB C9 7B D6 AC F6D 10 1AJ"
$string3 = "24 AA 17 FB B0 96d DBN 05 EE F6 0F 24 D4 D0 C0 E4 96 03 A3 03 20/ 04 40 DB 8F 7FI A6 DC F5 09 0FWV 1"
$string4 = "Fq B3 94 E3 3E EFw E6 AA9 3A 5B 9E2 D2 EC AF6 10c 83 0F DF BB FBx AF B4 1BV 5C DD F8 9BR 97v D0U 9EG"
$string5 = "29 9B 01E C85 86 B0 09 EC E07 AFCY 19 E5 11 1C 92 E2 DA A9 5D 19P 3A BF AB D6 B3 3FZ B4 92 FF E1 27 "
$string6 = "B A9 88 B8 F0 EBLd 8E 08 18 11P EE BFk 15 5BM D6 B7 CEh AF 9C 8F 04 89 88 5E F6 ED 13 8EN1p 86Vk BC "
$string7 = "w F4 C8 16pV 22 0A BB EB 83 7D BC 89 B6 E06 8B 2A DC E6 7D CE. 0Dh 18 0A8 5E 60 0C BF A4 00M 00 E3 3"
$string8 = "B7 C6 E3 8E DC 3BR 60L 94h D8 AA7k5s 0D 7Fb 8B 80P E0 1BP EBT B5 03zE D0o 2A B97 18 F39 7C 94 99 11 "
$string9 = "kY 24 8E 3E 94 84 D2 00 1EB 16 A4 9C 28 24 C1B BB 22 7D 97c F5 BA AD C4 5C 23 5D 3D 5C A7d5 0C F6 EA"
$string10 = "08 01 3A 15 3B E0 1A E2 89 5B A2 F4 ED 87O F9l A99 124 27 BF BB A1c 2BW 12Z 07 AA D9 81 B7 A6-5 E2 E"
$string11 = " 16 BF A7 0E 00 16 BB 8FB CBn FC D8 9C C7 EA AC C2q 85n A96I D1 9B FC8 BDl B8 3Ajf 7B ADH FD 20 88 F"
$string12 = " ML "
$string13 = " AEJ 3B C7 BFy EF F07X D3 A0 1E B4q C4 BE 3A 10 E7 A0 FE D1Jhp 89 A0sj 1CW 08 D5 F7 C8 C6 D5I 81 D2 "
$string14 = "B 24 90 ED CEP C8 C9 9B E5 25 09 C6B- 2B 3B C7 28 C9 C62 EB D3 D5 ED DE A8 7F A9mNs 87 12 82 03 A2 8"
$string15 = "A 3A A2L DFa 18 11P 00 7F1 BBbY FA 5E 04 C4 5D 89 F3S DAN B5 CAi 8D 0A AC A8 0A ABI E6 1E 89 BB 07 D"
$string16 = "C B5 FD 0B F9 0Ch CE 01 14 8Dp AF 24 E0 E3 D90 DD FF B0 07 2Ad 0B 7D B0 B2 D8 BD E6 A7 CE E1 E4 3E5 "
$string17 = "19 0C 85 14r/ 8C F3 84 2B 8C CF 90 93 E2 F6zo C3 D40 A6 94 01 02Q 21G AB B9 CDx 9D FB 21 2C 10 C3 3C"
$string18 = "FAV D7y A0 C7Ld4 01 22 EE B0 1EY FAB BA E0 01 24 15g C5 DA6 19 EEsl BF C7O 9F 8B E8 AF 93 F52 00 06 "
condition:
18 of them
}
rule angler_html2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "6c926bf25d1a8a80ab988c8a34c0102e"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "E 06 E7i 1E 91q 9C D0J 1D 9B 14 E7g 1D DD ECK 20c 40 C6 0C AFR5 3D 03 9Em EC 0CB C9 A9 DFw C9 ADP 5B"
$string1 = "14Bc 5C 3Bp CB 2A 12 3D A56 AA 14 87 E3 81 8A 80h 27 1C 3A4 CE 12 AE FAy F0 8A 21 B8I AD 1E B9 2C D1"
$string2 = "0J 95 83 CC 1C 95D CAD 1A EA F3 00 E9 DA_ F2 ED 3CM1 A0 01t 1B EE 2C B6AWKq BF CAY FE D8 F2 7C 96 92"
$string3 = "A8MTCsn C9 DBu D3 10 A0 D4 AC A9 97 06Rn 01 DAK EFFN ADP AE 0E 8FJd 8F DA B6 25RO 18 2A 00 EA F9 8B "
$string4 = "A3 EB C1 CE 1E C4ok C4 19 F2 A7 17 9FCoz B6- C6 25J BB 0B 8C1OZ E4 7B AEz F6 06A 5D C0 D7 E8 FF DB D"
$string5 = " 07 DE A3 F8 B0 B3 20V A4 B2 C8 60 BD EEG 95 BB 04 1Ckw A4 80 E6 23 F02 FA 9C 9A 14F BDC 18 BE BD B4"
$string6 = "7 D1 B9 9B AC 2AN BA D3 00 A9 1CJ3J C0V 8F 8E FC B6p9 00 E1 01 21j B3 27 FF C3 8E 2B 92 8B DEiUI C3 "
$string7 = " 99 2C AF9 F9 3F5 A8 F0 1BU C8e/ 00Q B4 10 DD BC 9D 8A BF B2 17 8F BFd DB D1 B7 E66 21 96 86 1E B2 1"
$string8 = "E86 DF9 22Tg E93 9Em 29 0A 5B B5m E2 DCIF D6 D2 F5B CF F7XkRv BE EA A6 C5 82p 5E B3 B4aD B9 3A E0 22"
$string9 = " 7C 95.q D6f E8 1AE 17 82T 84 F1/O 82 C2q C7 FE 05C E4 E5W F5 0A E4l 12 3Brt 8A E0 E7 DDJ 1F 1F C4 A"
$string10 = "4t 91iE BD 2C 95U E9 1C AE 5B 5B A3 9D B2 F9 0B B5 15S9 AB 9D 94 85 A6 F1 AF B6 FC CAt 91iE BD 2C 95"
$string11 = " </input>"
$string12 = "2 D12 93 FD AB 0DKK AEN 40 DA 88 7B FA 3B 18 EE 09 92 ED AF A8b 07 002 0A A3S 04 29 F9 A3 EA BB E9 7"
$string13 = "40 C6 0C AFR5E 15 07 EE CBg B3 C6 60G 92tFt D7E 7D F0 C4 A89 29 EC BA E1 D9 3D 23 F0 0B E0o 3E2c B3 "
$string14 = "2 A3. A3 F1 D8 D4 A83K 9C AEu FF EA 02 F4 B8 A0 EE C9 7B 15 C1 07D 80 7C 10 864 96 E3 AA F8 99bgve D"
$string15 = "C 7D DC 0A E9 0D A1k 85s 9D 24 8C D0k E1 7E 3AH E2 052 D8q 16 FC 96 0AR C0 EC 99K4 3F BE ED CC DBE A"
$string16 = "40 DA 88 7B 9E 1A B3 FA DE 90U 5B BD6x 9A 0C 163 AB EA ED B4 B5 98 ADL B7 06 EE E5y B8 9B C9Q 00 E9 "
$string17 = "F BF_ F9 AC 5B CC 0B1 7B 60 20c 40 C6 0C AFR5 0B C7D 09 9D E30 14 AC 027 B2 B9B A7 06 E3z DC- B2 60 "
$string18 = "0 80 97Oi 8C 85 D2 1Bp CDv 11 05 D4 26 E7 FC 3DlO AE 96 D2 1B 89 7C 16H 11 86 D0 A6 B95 FC 01 C5 8E "
condition:
18 of them
}
rule angler_jar : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "3de78737b728811af38ea780de5f5ed7"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "myftysbrth"
$string1 = "classPK"
$string2 = "8aoadN"
$string3 = "j5/_<F"
$string4 = "FXPreloader.class"
$string5 = "V4w\\K,"
$string6 = "W\\Vr2a"
$string7 = "META-INF/MANIFEST.MF"
$string8 = "Na8$NS"
$string9 = "_YJjB'"
condition:
9 of them
}
rule angler_js : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Angler Exploit Kit Detection"
hash0 = "482d6c24a824103f0bcd37fa59e19452"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = " 2654435769, Be"
$string1 = "DFOMIqka "
$string2 = ", Zydr$>>16"
$string3 = "DFOMIqka( 'OPPj_phuPuiwzDFo')"
$string4 = "U0BNJWZ9J0vM43TnlNZcWnZjZSelQZlb1HGTTllZTm19emc0dlsYF13GvhQJmTZmbVMxallMdhWW948YWi t P b50GW"
$string5 = " auSt;"
$string6 = " eval (NDbMFR "
$string7 = "jWUwYDZhNVyMI2TzykEYjWk0MDM5MA%ZQ1TD1gEMzj 3 D ',"
$string8 = "('fE').substr (2 , 1 "
$string9 = ", -1 "
$string10 = " ) );Zydr$ [ 1]"
$string11 = " 11;PsKnARPQuNNZMP<9;PsKnARPQuNNZMP"
$string12 = "new Array (2), Ykz"
$string13 = "<script> "
$string14 = "); CYxin "
$string15 = "Zydr$ [ 1]"
$string16 = "var tKTGVbw,auSt, vnEihY, gftiUIdV, XnHs, UGlMHG, KWlqCKLfCV;"
$string17 = "reXKyQsob1reXKyQsob3 "
condition:
17 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule blackhole2_jar : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "86946ec2d2031f2b456e804cac4ade6d"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "k0/3;N"
$string1 = "g:WlY0"
$string2 = "(ww6Ou"
$string3 = "SOUGX["
$string4 = "7X2ANb"
$string5 = "r8L<;zYH)"
$string6 = "fbeatbea/fbeatbee.classPK"
$string7 = "fbeatbea/fbeatbec.class"
$string8 = "fbeatbea/fbeatbef.class"
$string9 = "fbeatbea/fbeatbef.classPK"
$string10 = "fbeatbea/fbeatbea.class"
$string11 = "fbeatbea/fbeatbeb.classPK"
$string12 = "nOJh-2"
$string13 = "[af:Fr"
condition:
13 of them
}
rule blackhole2_jar2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "add1d01ba06d08818ff6880de2ee74e8"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "6_O6d09"
$string1 = "juqirvs.classPK"
$string2 = "hw.classPK"
$string3 = "a.classPK"
$string4 = "w.classuS]w"
$string5 = "w.classPK"
$string6 = "YE}0vCZ"
$string7 = "v)Q,Ff"
$string8 = "%8H%t("
$string9 = "hw.class"
$string10 = "a.classmV"
$string11 = "2CniYFU"
$string12 = "juqirvs.class"
condition:
12 of them
}
rule blackhole2_jar3 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "c7abd2142f121bd64e55f145d4b860fa"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "69/sj]]o"
$string1 = "GJk5Nd"
$string2 = "vcs.classu"
$string3 = "T<EssB"
$string4 = "1vmQmQ"
$string5 = "Kf1Ewr"
$string6 = "c$WuuuKKu5"
$string7 = "m.classPK"
$string8 = "chcyih.classPK"
$string9 = "hw.class"
$string10 = "f';;;;{"
$string11 = "vcs.classPK"
$string12 = "Vbhf_6"
condition:
12 of them
}
rule blackhole2_pdf : EK PDF
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "d1e2ff36a6c882b289d3b736d915a6cc"
sample_filetype = "pdf"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>"
$string1 = "0000036095 00000 n"
$string2 = "http://www.xfa.org/schema/xfa-locale-set/2.1/"
$string3 = "subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 R/T<FEFF0049006D00"
$string4 = "0000000026 65535 f"
$string5 = "0000029039 00000 n"
$string6 = "0000029693 00000 n"
$string7 = "%PDF-1.6"
$string8 = "27 0 obj<</Subtype/Type0/DescendantFonts 28 0 R/BaseFont/KLGNYZ"
$string9 = "0000034423 00000 n"
$string10 = "0000000010 65535 f"
$string11 = ">stream"
$string12 = "/Pages 2 0 R%/StructTreeRoot 5 0 R/Type/Catalog>>"
$string13 = "19 0 obj<</Subtype/Type1C/Length 23094/Filter/FlateDecode>>stream"
$string14 = "0000003653 00000 n"
$string15 = "0000000023 65535 f"
$string16 = "0000028250 00000 n"
$string17 = "iceRGB>>>>/XStep 9.0/Type/Pattern/TilingType 2/YStep 9.0/BBox[0 0 9 9]>>stream"
$string18 = "<</Root 1 0 R>>"
condition:
18 of them
}
rule blackhole1_jar
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "BlackHole1 Exploit Kit Detection"
hash0 = "724acccdcf01cf2323aa095e6ce59cae"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "Created-By: 1.6.0_18 (Sun Microsystems Inc.)"
$string1 = "workpack/decoder.classmQ]S"
$string2 = "workpack/decoder.classPK"
$string3 = "workpack/editor.classPK"
$string4 = "xmleditor/GUI.classmO"
$string5 = "xmleditor/GUI.classPK"
$string6 = "xmleditor/peers.classPK"
$string7 = "v(SiS]T"
$string8 = ",R3TiV"
$string9 = "META-INF/MANIFEST.MFPK"
$string10 = "xmleditor/PK"
$string11 = "Z[Og8o"
$string12 = "workpack/PK"
condition:
12 of them
}
rule blackhole2_css : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "9664a16c65782d56f02789e7d52359cd"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string1 = "background:url('%%?a=img&img=countries.gif')"
$string2 = "background:url('%%?a=img&img=exploit.gif')"
$string3 = "background:url('%%?a=img&img=oses.gif')"
$string4 = "background:url('%%?a=img&img=browsers.gif')"
$string5 = "background:url('%%?a=img&img=edit.png')"
$string6 = "background:url('%%?a=img&img=add.png')"
$string7 = "background:url('%%?a=img&img=accept.png')"
$string8 = "background:url('%%?a=img&img=del.png')"
$string9 = "background:url('%%?a=img&img=stat.gif')"
condition:
18 of them
}
rule blackhole2_htm : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "92e21e491a90e24083449fd906515684"
hash1 = "98b302a504a7ad0e3515ab6b96d623f9"
hash2 = "a91d885ef4c4a0d16c88b956db9c6f43"
hash3 = "d8336f7ae9b3a4db69317aea105f49be"
hash4 = "eba5daf0442dff5b249274c99552177b"
hash5 = "02d8e6daef5a4723621c25cfb766a23d"
hash6 = "dadf69ce2124283a59107708ffa9c900"
hash7 = "467199178ac940ca311896c7d116954f"
hash8 = "17ab5b85f2e1f2b5da436555ea94f859"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = ">links/</a></td><td align"
$string1 = ">684K</td><td>"
$string2 = "> 36K</td><td>"
$string3 = "move_logs.php"
$string4 = "files/"
$string5 = "cron_updatetor.php"
$string6 = ">12-Sep-2012 23:45 </td><td align"
$string7 = "> - </td><td>"
$string8 = "cron_check.php"
$string9 = "-//W3C//DTD HTML 3.2 Final//EN"
$string10 = "bhadmin.php"
$string11 = ">21-Sep-2012 15:25 </td><td align"
$string12 = ">data/</a></td><td align"
$string13 = ">3.3K</td><td>"
$string14 = "cron_update.php"
condition:
14 of them
}
rule blackhole2_htm10 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "83704d531c9826727016fec285675eb1"
hash1 = "103ef0314607d28b3c54cd07e954cb25"
hash2 = "16c002dc45976caae259d7cabc95b2c3"
hash3 = "fd84d695ac3f2ebfb98d3255b3a4e1de"
hash4 = "c7b417a4d650c72efebc2c45eefbac2a"
hash5 = "c3c35e465e316a71abccca296ff6cd22"
hash2 = "16c002dc45976caae259d7cabc95b2c3"
hash7 = "10ce7956266bfd98fe310d7568bfc9d0"
hash8 = "60024caf40f4239d7e796916fb52dc8c"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "</body></html>"
$string1 = "/icons/back.gif"
$string2 = ">373K</td><td>"
$string3 = "/icons/unknown.gif"
$string4 = ">Last modified</a></th><th><a href"
$string5 = "tmp.gz"
$string6 = ">tmp.gz</a></td><td align"
$string7 = "nbsp;</td><td align"
$string8 = "</table>"
$string9 = "> - </td><td>"
$string10 = ">filefdc7aaf4a3</a></td><td align"
$string11 = ">19-Sep-2012 07:06 </td><td align"
$string12 = "><img src"
$string13 = "file3fa7bdd7dc"
$string14 = " <title>Index of /files</title>"
$string15 = "0da49e042d"
condition:
15 of them
}
rule blackhole2_htm11 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "e89b56df597688c489f06a0a6dd9efed"
hash1 = "06ba331ac5ae3cd1986c82cb1098029e"
hash2 = "a899dedb50ad81d9dbba660747828c7b"
hash3 = "7cbb58412554327fe8b643204a046e2b"
hash2 = "a899dedb50ad81d9dbba660747828c7b"
hash0 = "e89b56df597688c489f06a0a6dd9efed"
hash2 = "a899dedb50ad81d9dbba660747828c7b"
hash7 = "530d31a0c45b79c1ee0c5c678e242c02"
hash2 = "a899dedb50ad81d9dbba660747828c7b"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "></th><th><a href"
$string1 = "/icons/back.gif"
$string2 = ">Description</a></th></tr><tr><th colspan"
$string3 = "nbsp;</td><td align"
$string4 = "nbsp;</td></tr>"
$string5 = "> - </td><td>"
$string6 = "-//W3C//DTD HTML 3.2 Final//EN"
$string7 = "<h1>Index of /dummy</h1>"
$string8 = ">Size</a></th><th><a href"
$string9 = " </head>"
$string10 = "/icons/blank.gif"
$string11 = "><hr></th></tr>"
condition:
11 of them
}
rule blackhole2_htm12 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "0d3acb5285cfe071e30be051d2aaf28a"
hash1 = "6f27377115ba5fd59f007d2cb3f50b35"
hash2 = "f7ffe1fd1a57d337a04d3c777cddc065"
hash3 = "06997228f2769859ef5e4cd8a454d650"
hash4 = "11062eea9b7f2a2675c1e60047e8735c"
hash0 = "0d3acb5285cfe071e30be051d2aaf28a"
hash2 = "f7ffe1fd1a57d337a04d3c777cddc065"
hash7 = "4ec720cfafabd1c9b1034bb82d368a30"
hash8 = "ecd7d11dc9bb6ee842e2a2dce56edc6f"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = " <title>Index of /data</title>"
$string1 = "<tr><th colspan"
$string2 = "</body></html>"
$string3 = "> 20K</td><td>"
$string4 = "/icons/layout.gif"
$string5 = " <body>"
$string6 = ">Name</a></th><th><a href"
$string7 = ">spn.jar</a></td><td align"
$string8 = ">spn2.jar</a></td><td align"
$string9 = " <head>"
$string10 = "-//W3C//DTD HTML 3.2 Final//EN"
$string11 = "> 10K</td><td>"
$string12 = ">7.9K</td><td>"
$string13 = ">Size</a></th><th><a href"
$string14 = "><hr></th></tr>"
condition:
14 of them
}
rule blackhole2_htm3 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "018ef031bc68484587eafeefa66c7082"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "/download.php"
$string1 = "./files/fdc7aaf4a3 md5 is 3169969e91f5fe5446909bbab6e14d5d"
$string2 = "321e774d81b2c3ae"
$string3 = "/files/new00010/554-0002.exe md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b"
$string4 = "./files/3fa7bdd7dc md5 is 8a497cf4ffa8a173a7ac75f0de1f8d8b"
$string5 = "1603256636530120915 md5 is 425ebdfcf03045917d90878d264773d2"
condition:
3 of them
}
rule blackhole2_htm4 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "926429bf5fe1fbd531eb100fc6e53524"
hash1 = "7b6cdc67077fc3ca75a54dea0833afe3"
hash2 = "82f108d4e6f997f8fc4cc02aad02629a"
hash3 = "bd819c3714dffb5d4988d2f19d571918"
hash4 = "9bc9f925f60bd8a7b632ae3a6147cb9e"
hash0 = "926429bf5fe1fbd531eb100fc6e53524"
hash2 = "82f108d4e6f997f8fc4cc02aad02629a"
hash7 = "386cb76d46b281778c8c54ac001d72dc"
hash8 = "0d95c666ea5d5c28fca5381bd54304b3"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "words.dat"
$string1 = "/icons/back.gif"
$string2 = "data.dat"
$string3 = "files.php"
$string4 = "js.php"
$string5 = "template.php"
$string6 = "kcaptcha"
$string7 = "/icons/blank.gif"
$string8 = "java.dat"
condition:
8 of them
}
rule blackhole2_htm5 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "fccb8f71663620a5a8b53dcfb396cfb5"
hash1 = "a09bcf1a1bdabe4e6e7e52e7f8898012"
hash2 = "40db66bf212dd953a169752ba9349c6a"
hash3 = "25a87e6da4baa57a9d6a2cdcb2d43249"
hash4 = "6f4c64a1293c03c9f881a4ef4e1491b3"
hash0 = "fccb8f71663620a5a8b53dcfb396cfb5"
hash2 = "40db66bf212dd953a169752ba9349c6a"
hash7 = "4bdfff8de0bb5ea2d623333a4a82c7f9"
hash8 = "b43b6a1897c2956c2a0c9407b74c4232"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "ruleEdit.php"
$string1 = "domains.php"
$string2 = "menu.php"
$string3 = "browsers_stat.php"
$string4 = "Index of /library/templates"
$string5 = "/icons/unknown.gif"
$string6 = "browsers_bstat.php"
$string7 = "oses_stat.php"
$string8 = "exploits_bstat.php"
$string9 = "block_config.php"
$string10 = "threads_bstat.php"
$string11 = "browsers_bstat.php"
$string12 = "settings.php"
condition:
12 of them
}
rule blackhole2_htm6 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "a5f94d7bdeb88b57be67132473e48286"
hash1 = "2e72a317d07aa1603f8d138787a2c582"
hash2 = "9440d49e1ed0794c90547758ef6023f7"
hash3 = "58265fc893ed5a001e3a7c925441298c"
hash2 = "9440d49e1ed0794c90547758ef6023f7"
hash0 = "a5f94d7bdeb88b57be67132473e48286"
hash2 = "9440d49e1ed0794c90547758ef6023f7"
hash7 = "95c6462d0f21181c5003e2a74c8d3529"
hash8 = "9236e7f96207253b4684f3497bcd2b3d"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "uniq1.png"
$string1 = "edit.png"
$string2 = "left.gif"
$string3 = "infin.png"
$string4 = "outdent.gif"
$string5 = "exploit.gif"
$string6 = "sem_g.png"
$string7 = "Index of /library/templates/img"
$string8 = "uniq1.png"
condition:
8 of them
}
rule blackhole2_htm8 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "BlackHole2 Exploit Kit Detection"
hash0 = "3f47452c1e40f68160beff4bb2a3e5f4"
hash1 = "1e2ba0176787088e3580dfce0245bc16"
hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
hash3 = "f5e16a6cd2c2ac71289aaf1c087224ee"
hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
hash0 = "3f47452c1e40f68160beff4bb2a3e5f4"
hash2 = "1c78d96bb8d8f8a71294bc1e6d374b0f"
hash7 = "6702efdee17e0cd6c29349978961d9fa"
hash8 = "287dca9469c8f7f0cb6e5bdd9e2055cd"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = ">Description</a></th></tr><tr><th colspan"
$string1 = ">Name</a></th><th><a href"
$string2 = "main.js"
$string3 = "datepicker.js"
$string4 = "form.js"
$string5 = "<address>Apache/2.2.15 (CentOS) Server at online-moo-viii.net Port 80</address>"
$string6 = "wysiwyg.js"
condition:
6 of them
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule crimepack_jar : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "CrimePack Exploit Kit Detection"
hash0 = "d48e70d538225bc1807842ac13a8e188"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "r.JM,IM"
$string1 = "cpak/Crimepack$1.classPK"
$string2 = "cpak/KAVS.classPK"
$string3 = "cpak/KAVS.classmQ"
$string4 = "cpak/Crimepack$1.classmP[O"
$string5 = "META-INF/MANIFEST.MF"
$string6 = "META-INF/MANIFEST.MFPK"
condition:
6 of them
}
rule crimepack_jar3 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "CrimePack Exploit Kit Detection"
hash0 = "40ed977adc009e1593afcb09d70888c4"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "payload.serPK"
$string1 = "vE/JD[j"
$string2 = "payload.ser["
$string3 = "Exploit$2.classPK"
$string4 = "Exploit$2.class"
$string5 = "Ho((i/"
$string6 = "META-INF/MANIFEST.MF"
$string7 = "H5641Yk"
$string8 = "Exploit$1.classPK"
$string9 = "Payloader.classPK"
$string10 = "%p6$MCS"
$string11 = "Exploit$1$1.classPK"
condition:
11 of them
}
rule eleonore_jar : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Eleonore Exploit Kit Detection"
hash0 = "ad829f4315edf9c2611509f3720635d2"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "r.JM,IM"
$string1 = "dev/s/DyesyasZ.classPK"
$string2 = "k4kjRv"
$string3 = "dev/s/LoaderX.class}V[t"
$string4 = "dev/s/PK"
$string5 = "Hsz6%y"
$string6 = "META-INF/MANIFEST.MF"
$string7 = "dev/PK"
$string8 = "dev/s/AdgredY.class"
$string9 = "dev/s/DyesyasZ.class"
$string10 = "dev/s/LoaderX.classPK"
$string11 = "eS0L5d"
$string12 = "8E{4ON"
condition:
12 of them
}
rule eleonore_jar2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Eleonore Exploit Kit Detection"
hash0 = "94e99de80c357d01e64abf7dc5bd0ebd"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "META-INF/MANIFEST.MFManifest-Version: 1.0"
$string1 = "wPVvVyz"
$string2 = "JavaFX.class"
$string3 = "{%D@'\\"
$string4 = "JavaFXColor.class"
$string5 = "bWxEBI}Y"
$string6 = "$(2}UoD"
$string7 = "j%4muR"
$string8 = "vqKBZi"
$string9 = "l6gs8;"
$string10 = "JavaFXTrueColor.classeSKo"
$string11 = "ZyYQx "
$string12 = "META-INF/"
$string13 = "JavaFX.classPK"
$string14 = ";Ie8{A"
condition:
14 of them
}
rule eleonore_jar3 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Eleonore Exploit Kit Detection"
hash0 = "f65f3b9b809ebf221e73502480ab6ea7"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "16lNYF2V"
$string1 = "META-INF/MANIFEST.MFPK"
$string2 = "ghsdr/Jewredd.classPK"
$string3 = "ghsdr/Gedsrdc.class"
$string4 = "e[<n55"
$string5 = "ghsdr/Gedsrdc.classPK"
$string6 = "META-INF/"
$string7 = "na}pyO"
$string8 = "9A1.F\\"
$string9 = "ghsdr/Kocer.class"
$string10 = "MXGXO8"
$string11 = "ghsdr/Kocer.classPK"
$string12 = "ghsdr/Jewredd.class"
condition:
12 of them
}
rule eleonore_js : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Eleonore Exploit Kit Detection"
hash0 = "08f8488f1122f2388a0fd65976b9becd"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "var de"
$string1 = "sdjk];"
$string2 = "return dfshk;"
$string3 = "function jkshdk(){"
$string4 = "'val';"
$string5 = "var sdjk"
$string6 = "return fsdjkl;"
$string7 = " window[d"
$string8 = "var fsdjkl"
$string9 = "function jklsdjfk() {"
$string10 = "function rewiry(yiyr,fjkhd){"
$string11 = " sdjd "
condition:
11 of them
}
rule eleonore_js2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Eleonore Exploit Kit Detection"
hash0 = "2f5ace22e886972a8dccc6aa5deb1e79"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "var dfshk "
$string1 = "arrow_next_down"
$string2 = "return eval('yiyr.replac'"
$string3 = "arrow_next_over"
$string4 = "arrow_prev_over"
$string5 = "xcCSSWeekdayBlock"
$string6 = "xcCSSHeadBlock"
$string7 = "xcCSSDaySpecial"
$string8 = "xcCSSDay"
$string9 = " window[df "
$string10 = "day_special"
$string11 = "var df"
$string12 = "function jklsdjfk() {"
$string13 = " sdjd "
$string14 = "'e(/kljf hdfk sdf/g,fjkhd);');"
$string15 = "arrow_next"
condition:
15 of them
}
rule eleonore_js3 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Eleonore Exploit Kit Detection"
hash0 = "9dcb8cd8d4f418324f83d914ab4d4650"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "@mozilla.org/file/directory_service;1"
$string1 = "var exe "
$string2 = "var file "
$string3 = "foStream.write(data, data.length);"
$string4 = " var file_data "
$string5 = "return "
$string6 = " Components.classes["
$string7 = "url : "
$string8 = "].createInstance(Components.interfaces.nsILocalFile);"
$string9 = " var bstream "
$string10 = " bstream.readBytes(size); "
$string11 = "@mozilla.org/supports-string;1"
$string12 = " var channel "
$string13 = "tmp.exe"
$string14 = " if (channel instanceof Components.interfaces.nsIHttpChannel "
$string15 = "@mozilla.org/network/io-service;1"
$string16 = " bstream.available()) { "
$string17 = "].getService(Components.interfaces.nsIIOService); "
condition:
17 of them
}
rule fragus_htm : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Fragus Exploit Kit Detection"
hash0 = "f76deec07a61b4276acc22beef41ea47"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = ">Hello, "
$string1 = "http://www.clantemplates.com"
$string2 = "this template was created by Bl1nk and is downloadable at <B>ClanTemplates.com<BR></B>Replace "
$string3 = "></TD></TR></TABLE> "
$string4 = "Image21"
$string5 = "scrollbar etc.<BR><BR>Enjoy, Bl1nk</FONT></TD></TR></TABLE><BR></CENTER></TD></TR> "
$string6 = "to this WarCraft Template"
$string7 = " document.getElementById) x"
$string8 = " if (a[i].indexOf("
$string9 = "x.oSrc;"
$string10 = "x.src; x.src"
$string11 = "<HTML>"
$string12 = "FFFFFF"
$string13 = " CELLSPACING"
$string14 = "images/layoutnormal_03.gif"
$string15 = "<TR> <TD "
$string16 = " CELLPADDING"
condition:
16 of them
}
rule fragus_js : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Fragus Exploit Kit Detection"
hash0 = "f234c11b5da9a782cb1e554f520a66cf"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "));ELI6Q3PZ"
$string1 = "VGhNU2pWQmMyUXhPSFI2TTNCVGVEUXpSR3huYm1aeE5UaFhXRFI0ZFhCQVMxWkRNVGh0V0hZNFZVYzBXWFJpTVRoVFpFUklaVGxG"
$string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
$string3 = "TkhXa0ZrT1haNGRFSXhRM3BrTkRoVGMxZEJSMmcyT0dwNlkzSTJYM1pCYkZnMVVqQmpWMEZIYURZNGFucGpjalpmZGtGc1dERXpT"
$string4 = "byKZKkpZU<<18"
$string5 = ");CUer0x"
$string6 = "bzWRebpU3yE>>16"
$string7 = "RUJEWlVvMGNsVTVNMEpNWDNaNGJVSkpPRUJrUlVwRVQwQlNaR2cyY0ZWSE5GbDBRVFZ5UjFnMk9HVldOWGhMYUdFelRIZG5NMWQz"
$string8 = "WnZSVGxuT1ZSRkwwaFZSelZGUm5GRlJFVTBLVHQ0UWxKQ1drdzBiWEJ5WkhSdVBtdG9XVWd6TVVGSGFFeDVTMlk3ZUVKU1FscE1O"
$string9 = "QmZjMGN4YjBCd1oyOXBURUJJZEhvMFdYcGtOamhFV1ZwU01GVlZZbXBpUUZKV1lqTXpWMDAwY0dSNlF6aE1SekZ5ZEc4ME9FeEtN"
$string10 = "SCpMaWXOuME("
$string11 = "VjJKcVkxZGlYMTlhUVdRNVNUTkhaRFk0YWpsYWJsWkRNVGh0V0hZNFZVYzBXWFJ2Tm5CVmFEUlpWVmhDT0ZWV05YaDBRa1ZTUkUw"
$string12 = "2;}else{Yuii37DWU"
$string13 = "ELI6Q3PZ"
$string14 = "ZUhNNVZYQlZlRFY0UUZnMk9HMVlORkpFYkRsNGMxbEpPRUJSTVY5SGNETllPRXB0YjBsaloySnhPVVZ3UkZWQVgzTllORGgwV0RS"
$string15 = "S05GbE1lalk0Vm1ORmVEWnpXbEpXZDBWaU5ubzJjRlkzVjFsbFgwVmlURlpuYnpCUE5HNTBhRFpaVEZrMVFYTjZObkIwWTBVNE4x"
$string16 = "Vm5CWFFVZG9OamhxZW1OeU5sOTJRV3hZTVROSlpEWTRVM294V1VSUFFFdFdZalE0WlVjeGNsSmtObmhBYURVNFZVZEFjRlZDZGtO"
$string17 = "Yuii37DWU<<12"
$string18 = ";while(hdnR9eo3pZ6E3<ZZeD3LjJQ.length){eMImGB"
condition:
18 of them
}
rule fragus_js2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Fragus Exploit Kit Detection"
hash0 = "f234c11b5da9a782cb1e554f520a66cf"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "(ELI6Q3PZ"
$string1 = "SnJTbVJqV2tOa09VbGZSMHcwY0ZWZmRrRjBjRFY0Y3psVmNGVjROWGhBV0RZNGJWZzBVa1J4TjNCVlgwVmlhRjkyZURaS1NWOUhj"
$string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
$string3 = "VUpKUVdWS05ISlZjMXBTTUdWRlNFQmpaMjlrVDBCTFYzY3pZbGRpZG5oeldFUndkSE16YjB4M2JXSnFZMWRpZVY4ellreDNaMko1"
$string4 = "((Yuii37DWU"
$string5 = "YURVNFZXUlhjRlZDZGxsQVJ6UlNaRTlBUzFkM00ySlhiekU0ZEhnMWNrUjZZM0kyWDNaQmJGZ3hNMGxrTmpoVGVqRlpkSEUyV1dW"
$string6 = "String.fromCharCode(ZZeD3LjJQ);}else if(QIyZsvvbEmVOpp"
$string7 = "1);ELI6Q3PZ"
$string8 = "));Yuii37DWU"
$string9 = ");CUer0x"
$string10 = "T1ZaQ05IUkRTVGhqT1VWd1ZWOUpRMlZLZG5oNlQwQkxWM2N6WWxkQmRrRkFPVmR3VlRsYWJsWnNOWGhKT1ZkeFZWazFRbEU1UlZK"
$string11 = "TlpkM2wxS3lzcExUUTRYU2s4UEhocFVqRk9jazA3SUdsbUtIaHBVakZPY2swcGV5QkdWek5NVnlzOVVrSklWVE0wVDJ0NlpTZzJP"
$string12 = "String.fromCharCode(((eMImGB"
$string13 = "RGRDUkV0WFV6VkJkRkV4WHpCalYwRkhhRFk0YW5wamNqWmZka0ZzV0RaSWExZzBXWEZDUlZsQVpEWkJOMEoyZUhwd1duSlRXVE5J"
$string14 = "SCpMaWXOuME(mi1mm8bu87rL0W);eval(Pcii3iVk1AG);</script></body></html>"
$string15 = "Yuii37DWU"
$string16 = "Yuii37DWU<<12"
$string17 = "eTVzWlc1bmRHZ3NJRWhWUnpWRlJuRkZSRVUwUFRFd01qUXNJR2hQVlZsRVJFVmxVaXdnZUVKU1FscE1ORzF3Y21SMGJpd2dSbGN6"
condition:
17 of them
}
rule fragus_js_flash : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Fragus Exploit Kit Detection"
hash0 = "377431417b34de8592afecaea9aab95d"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "document.appendChild(bdy);try{for (i"
$string1 = "0; i<10; i"
$string2 = "default"
$string3 = "var m "
$string4 = "/g, document.getElementById('divid').innerHTML));"
$string5 = " n.substring(0,r/2);"
$string6 = "document.getElementById('f').innerHTML"
$string7 = "'atk' onclick"
$string8 = "function MAKEHEAP()"
$string9 = "document.createElement('div');"
$string10 = "<button id"
$string11 = "/g, document.getElementById('divid').innerHTML);"
$string12 = "document.body.appendChild(gg);"
$string13 = "var bdy "
$string14 = "var gg"
$string15 = " unescape(gg);while(n.length<r/2) { n"
condition:
15 of them
}
rule fragus_js_java : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Fragus Exploit Kit Detection"
hash0 = "7398e435e68a2fa31607518befef30fb"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "I></XML><SPAN DATASRC"
$string1 = "setTimeout('vparivatel()',8000);function vparivatel(){document.write('<iframe src"
$string2 = "I DATAFLD"
$string3 = " unescape("
$string4 = ", 1);swf.setAttribute("
$string5 = "function XMLNEW(){var spray "
$string6 = "vparivatel.php"
$string7 = "6) ){if ( (lv"
$string8 = "'WIN 9,0,16,0')"
$string9 = "d:/Program Files/Outlook Express/WAB.EXE"
$string10 = "<XML ID"
$string11 = "new ActiveXObject("
$string12 = "'7.1.0') ){SHOWPDF('iepdf.php"
$string13 = "function SWF(){try{sv"
$string14 = "'WIN 9,0,28,0')"
$string15 = "C DATAFORMATAS"
$string16 = " shellcode;xmlcode "
$string17 = "function SNAPSHOT(){var a"
condition:
17 of them
}
rule fragus_js_quicktime : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Fragus Exploit Kit Detection"
hash0 = "6bfc7bb877e1a79be24bd9563c768ffd"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = " setTimeout("
$string1 = "wnd.location"
$string2 = "window;"
$string3 = " var pls "
$string4 = " mem_flag "
$string5 = ", 1500);} else{ PRyyt4O3wvgz(1);}"
$string6 = " } catch(e) { }"
$string7 = " mem_flag) JP7RXLyEu();"
$string8 = " 0x400000;"
$string9 = "----------------------------------------------------------------------------------------------------"
$string10 = " heapBlocks "
$string11 = " return mm;"
$string12 = "0x38);"
$string13 = " h();"
$string14 = " getb(b,bSize);"
$string15 = "getfile.php"
condition:
15 of them
}
rule fragus_js_vml : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Fragus Exploit Kit Detection"
hash0 = "8ab72337c815e0505fcfbc97686c3562"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = " 0x100000;"
$string1 = " var gg "
$string2 = "/g, document.getElementById('divid').innerHTML));"
$string3 = " var sss "
$string4 = " }"
$string5 = " document.body.appendChild(obj);"
$string6 = " var hbs "
$string7 = " shcode; }"
$string8 = " '<div id"
$string9 = " hbs - (shcode.length"
$string10 = "){ m[i] "
$string11 = " unescape(gg);"
$string12 = " var z "
$string13 = " var hb "
$string14 = " Math.ceil('0'"
condition:
14 of them
}
rule phoenix_html : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "8395f08f1371eb7b2a2e131b92037f9a"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string1 = "'></applet><body id"
$string2 = "<applet mayscript"
$string3 = "/gmi,String.fromCharCode(2"
$string4 = "/gmi,' ').replace(/"
$string5 = "pe;i;;.j1s->c"
$string6 = "es4Det"
$string7 = "<textarea>function"
$string8 = ".replace(/"
$string9 = ".jar' code"
$string10 = ";iFc;ft'b)h{s"
condition:
10 of them
}
rule phoenix_html10 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "f5f8dceca74a50076070f2593e82ec43"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "pae>crAeahoilL"
$string1 = "D11C0002C0069733E60656F6462070D000402DFF200696E"
$string2 = "nbte)bbn"
$string3 = "v9o16,0')0B80002328203;)82F00223A216ifA160A262A462(a"
$string4 = "0442DFD2E30EC80E42D2E00AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E370EE4A"
$string5 = ";)npeits0e.uvr;][tvr"
$string6 = "433EBE90242003E00C606D04036563435805000102000v020E656wa.i118,0',9F902F282620''C62022646660}{A780232A"
$string7 = "350;var ysjzyq"
$string8 = "aSmd'lm/t/im.}d.-Ljg,l-"
$string9 = "0017687F6164706E6967060002008101'2176045ckb"
$string10 = "63(dcma)nenn869"
$string11 = "').replace(/"
$string12 = "xd'c0lrls09sare"
$string13 = "(]t.(7u(<p"
$string14 = "d{et;bdBcriYtc:eayF20'F62;23C4AABA3B84FE21C2B0B066C0038B8353AF5C0B4DF8FF43E85FB6F05CEC4080236F3CDE6E"
$string15 = "/var another;</textarea>"
$string16 = "Fa527496C62eShHmar(bA,pPec"
$string17 = "FaA244A676C,150e62A5B2B61,'2F"
condition:
17 of them
}
rule phoenix_html11 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "be8c81288f9650e205ed13f3167ce256"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "D'0009F0C6941617C43427A76080001000F47020C606volv99,0,6,"
$string1 = "';)nWd"
$string2 = "IW'eeCn)s.a9e;0CF300FF379011078E047873754163636960496270486264416455747D69737812060209011301010104D0"
$string3 = "D8D51F5100019006D60667F2E056940170E01010747"
$string4 = "515F2F436WemBh2A4560683aFanoi(utse.o1/f;pistelzi"
$string5 = "/p(e/oah)FHw'aaarDsnwi-"
$string6 = "COa506u%db10u%1057u%f850u%f500u%0683u%05a8u%0030u%0706u%d300u%585du%38d0u%0080u%5612u'u%A2DdF6u%1M:."
$string7 = "S(yt)Dj"
$string8 = "FaA26285325,150e8292A6968,'2F"
$string9 = "0200e{b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%37"
$string10 = "(mEtlltopo{{e"
$string11 = "aSmd'lm/t/im.}d.-Ljg,l-"
$string12 = "r)C4snfapfuo}"
$string13 = "').replace(/"
$string14 = "A282A5ifA160F2628206(a"
$string15 = "obn0cf"
$string16 = "d(i'C)rtr.'pvif)iv1ilW)S((Ltl.)2,0,9;0se"
$string17 = "E23s3003476B18703C179396D08B841BC554F11678F0FEB9505FB355E044F33A540F61743738327E32D97D070FA37D87s000"
$string18 = "603742E545904575'294E20680,6F902E292A60''E6202A4E6468},e))tep"
condition:
18 of them
}
rule phoenix_html2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "2fd263f5d988a92715f4146a0006cb31"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "Pec.lilsD)E)i-gonP(mgge.eOmn"
$string1 = "(trt;oo"
$string2 = "aceeC:0h"
$string3 = "Vubb.oec.n)a."
$string4 = "t;o{(bspd}ci:0OO[g(cfjdh}1sN}ntnrlt;0pwf{-"
$string5 = "seierb)gMle(}ev;is{(b;ga"
$string6 = "e)}ift"
$string7 = "Dud{rt"
$string8 = "blecroeely}diuFI-"
$string9 = "ttec]tr"
$string10 = "fSgcso"
$string11 = "eig.t)eR{t}aeesbdtbl{1sr)m"
$string12 = ").}n,Raa.s"
$string13 = "sLtfcb.nrf{Wiantscncad1ac)scb0eo]}Diuu(nar"
$string14 = "dxc.,:tfr(ucxRn"
$string15 = "eDnnforbyri(tbmns).[i.ee;dl(aNimp(l(h[u[ti;u)"
$string16 = "}tn)i{ebr,_.ns(Nes,,gm(ar.t"
$string17 = "l]it}N(pe3,iaaLds.)lqea:Ps00Hc;[{Euihlc)LiLI"
condition:
17 of them
}
rule phoenix_html3 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "d7cacbff6438d866998fc8bfee18102d"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "mtfla/,)asaf)'}"
$string1 = "72267E7C'A3035CFC415DFAAA834B208D8C230FD303E2EFFE386BE05960C588C6E85650746E690C39F706F97DC74349BA134"
$string2 = "N'eiui7F6e617e00F145A002645E527BFF264842F877B2FFC1FE84BCC6A50F0305B5B0C36A019F53674FD4D3736C494BD5C2"
$string3 = "lndl}})<>"
$string4 = "otodc};b<0:D>r5d4u%c005u%0028u%251eu%a095u%6028u%0028u%2500u%f7f7u%70d7u%2025u%9008u%08f8u%c607usu%3"
$string5 = "tuJaboaopb"
$string6 = "a(vxf{p'tSowa.i,1NIWm("
$string7 = "2004et"
$string8 = "2054sttE5356496478"
$string9 = "yi%A%%A%%A%%A%Cvld3,5314,004,6211,931,,,011394617,983,1154,5,1,,1,1,13,08,4304,1"
$string10 = "0ovel04ervEeieeem)h))B(ihsAE;u%04b8u%1c08u%0e50u%a000u%1010u%4000u%20afu%0006u%2478u%0020u%1065u%210"
$string11 = "/gmi,String.fromCharCode(2"
$string12 = "ncBcaocta.ye"
$string13 = "0201010030004A033102090;na"
$string14 = "66u%0(ec'h{iis%%A%%A%%A%%A%frS1,,8187,1,4,11,91516,,61,,10841,1,13,,,11248,01818849,23,,,,791meits0e"
$string15 = "D11C0002C0069733E60656F6462070D000402DFF200696E"
$string16 = "810p0y98"
$string17 = "9,0,e'Fm692E583760"
$string18 = "57784234633a)(u"
condition:
18 of them
}
rule phoenix_html4 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "61fde003211ac83c2884fbecefe1fc80"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "/dr.php"
$string1 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$string2 = "launchjnlp"
$string3 = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"
$string4 = "urlmon.dll"
$string5 = "<body>"
$string6 = " docbase"
$string7 = "</html>"
$string8 = " classid"
$string9 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$string10 = "63AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$string11 = "</object>"
$string12 = "application/x-java-applet"
$string13 = "java_obj"
condition:
13 of them
}
rule phoenix_html5 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "30afdca94d301905819e00a7458f4a4e"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "dtesu}"
$string1 = "<textarea>function gvgsxoy(gwcqg1){return gwcqg1.replace(/"
$string2 = "v}Ahnhxwet"
$string3 = "0125C6BBA2B84F7A1D2940C04C8B7449A40EEB0D14C8003535C0042D75E05F0D7F3E0A7B4E33EB4D8D47119290FC"
$string4 = "a2Fs2325223869e'Fm2873367130"
$string5 = "m0000F0F6E66607C71646F6607000107FA61021F6060(aeWWIN"
$string6 = ")(r>hd1/dNasmd(fpas"
$string7 = "9,0,e'Fm692E583760"
$string8 = "5ud(dis"
$string9 = "nacmambuntcmi"
$string10 = "Fa078597467,1C0e674366871,'2F"
$string11 = "Fa56F386A76,180e828592024,'2F"
$string12 = "alA)(2avoyOi;ic)t6])teptp,an}tnv0i'fms<uic"
$string13 = "iR'nandee"
$string14 = "('0.aEa-9leal"
$string15 = "bsD0seF"
$string16 = "t.ck263/6F3a001CE7A2684067F98BEC18B738801EF1F7F7E49A088695050C000865FC38080FE23727E0E8DE9CB53E748472"
condition:
16 of them
}
rule phoenix_html6 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "4aabb710cf04240d26c13dd2b0ccd6cc"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "F4B6B2E67)A780A373A633;ast2316363677fa'es6F3635244"
$string1 = "piia.a}rneecc.cnuoir"
$string2 = "0448D5A54BE10A5DA628100AC3F3D53C9CAEBFF7E1E805080B044057CB1C0EF7F263DC64E0CBE47C2A21E55E9EA620000106"
$string3 = "],enEn..o"
$string4 = "o;1()sna"
$string5 = "(eres(0.,"
$string6 = "}fs2he}o.t"
$string7 = "f'u>jisch3;)Ie)C'eO"
$string8 = "refhiacei"
$string9 = "0026632528(sCE7A2684067F98BEC1s00000F512Fm286631666"
$string10 = "vev%80b4u%ee18u%28b8u%2617u%5c08u%0e50u%a000u%9006u%76efu%b1cbu%ba2fu%6850u%0524u%9720u%f70<}1msa950"
$string11 = "pdu,xziien,ie"
$string12 = "rr)l;.)vr.nbl"
$string13 = "ii)ruccs)1e"
$string14 = "F30476737930anD<tAhnhxwet"
$string15 = ")yf{(ee..erneef"
$string16 = "ieiiXuMkCSwetEet"
$string17 = "F308477E7A7itme"
condition:
17 of them
}
rule phoenix_html7 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "f0e1b391ec3ce515fd617648bec11681"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "EBF0a0001B05D266503046C7A491A0C00044F0002035D0D0twl''WIN"
$string1 = "ah80672528657"
$string2 = "n);tctt)Eltc(Dj"
$string3 = ";cnt2<tEf"
$string4 = "iwkne){bvfvgzg5"
$string5 = "..'an{ea-Ect'8-huJ.)/l'/tCaaa}<Ct95l"
$string6 = "'WIWhaFtF662F6577IseFe427347637"
$string7 = "ddTh75e{"
$string8 = "Ae'n,,9"
$string9 = "%E7E3Vemtyi"
$string10 = "cf'treran"
$string11 = "ncBcaocta.ye"
$string12 = ")'0,p8k"
$string13 = "0;{tc4F}c;eptdpduoCuuedPl80evD"
$string14 = "iq,q,Nd(nccfr'Bearc'nBtpw"
$string15 = ";)npeits0e.uvhF$I'"
$string16 = "nvasai0.-"
$string17 = "lmzv'is'"
condition:
17 of them
}
rule phoenix_html8 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "1c19a863fc4f8b13c0c7eb5e231bc3d1"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "0x5)).replace(/"
$string1 = "%A%%A%%nc(,145,9,84037,1711,,4121,56,1,,0505,,651,,3,514101,01,29,7868,90"
$string2 = "/gmi,String.fromCharCode(2"
$string3 = "turt;oo)s"
$string4 = "91;var jtdpar"
$string5 = "R(,13,7,63,48140601,5057,,319,,6,1,1,2,,110,0,1011171,2319,,,,10vEAs)tfmneyeh%A%%A%%A%%A%s<u91,4693,"
$string6 = "y%%A%%A%%A%%A.meo21117,7,1,,10,1,9,8,1,9,100,6,141003,74181,163,441114,43,207,,remc'ut"
$string7 = "epjtjqe){jtdpar"
$string8 = "/gmi,'"
$string9 = "<font></font><body id"
$string10 = " epjtjqe; fqczi > 0; fqczi--){for (bwjmgl7 "
$string11 = "nbte)bb(egs%A%%A%%A%%A%%m"
$string12 = "fvC9614165,,,1,1801151030,,0,,487641114,,1,141,914810036,,888,201te.)'etdc:ysaA%%A%%A%%A%%5sao,61,0,"
$string13 = "(tiAmrd{/tnA%%A%%A%%A%%Aiin11,,1637,34191,626958314,11007,,61145,411,7,9,1821,,43,8311,26;d'ebt.dyvs"
$string14 = "A%%A%%A%%Ao"
$string15 = "hrksywd(cpkwisk4);/"
$string16 = ";</script>"
condition:
16 of them
}
rule phoenix_html9 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "742d012b9df0c27ed6ccf3b234db20db"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "tute)bbr:"
$string1 = "nfho(tghRx"
$string2 = "()irfE/Rt..cOcC"
$string3 = "NcEnevbf"
$string4 = "63FB8B4296BBC290A0.'0000079'Fh20216B6A6arA;<"
$string5 = "wHe(cLnyeyet(a.i,r.{.."
$string6 = "tute)bbdfiiix'bcr"
$string7 = "itifdf)d1L2f'asau%d004u%8e00u%0419u%a58du%2093u%ec10u%0050u%00d4u%4622u%bcd1u%b1ceu%5000u%f7f5u%5606"
$string8 = "2F4693529783'82F076676C38'te"
$string9 = "sm(teoeoi)cfh))pihnipeeeo}.,(.(("
$string10 = "ao)ntavlll{))ynlcoix}hiN.il'tes1ad)bm;"
$string11 = "i)}m0f(eClei(/te"
$string12 = "}aetsc"
$string13 = "irefnig.pT"
$string14 = "a0mrIif/tbne,(wsk,"
$string15 = "500F14B06000000630E6B72636F60632C6E711C6E762E646F147F44767F650A0804061901020009006B120005A2006L"
$string16 = ".hB.Csf)ddeSs"
$string17 = "tnne,IPd4Le"
$string18 = "hMdarc'nBtpw"
condition:
18 of them
}
rule phoenix_jar : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "a8a18219b02d30f44799415ff19c518e"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "r.JM,IM"
$string1 = "qX$8$a"
$string2 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProvider5"
$string3 = "a.classPK"
$string4 = "6;\\Q]Q"
$string5 = "h[s] X"
$string6 = "ToolsDemoSubClass.classPK"
$string7 = "a.class"
$string8 = "META-INF/MANIFEST.MFPK"
$string9 = "ToolsDemoSubClass.classeO"
$string10 = "META-INF/services/javax.sound.midi.spi.MidiDeviceProviderPK"
condition:
10 of them
}
rule phoenix_jar2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "989c5b5eaddf48010e62343d7a4db6f4"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "a66d578f084.classeQ"
$string1 = "a4cb9b1a8a5.class"
$string2 = ")szNu\\MutK"
$string3 = "qCCwBU"
$string4 = "META-INF/MANIFEST.MF"
$string5 = "QR,GOX"
$string6 = "ab5601d4848.classmT"
$string7 = "a6a7a760c0e["
$string8 = "2ZUK[L"
$string9 = "2VT(Au5"
$string10 = "a6a7a760c0ePK"
$string11 = "aa79d1019d8.class"
$string12 = "aa79d1019d8.classPK"
$string13 = "META-INF/MANIFEST.MFPK"
$string14 = "ab5601d4848.classPK"
condition:
14 of them
}
rule phoenix_jar3 : EK Jar
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "c5655c496949f8071e41ea9ac011cab2"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "'> >$>"
$string1 = "bpac/PK"
$string2 = "bpac/purok$1.classmP]K"
$string3 = "bpac/KAVS.classmQ"
$string4 = "'n n$n"
$string5 = "bpac/purok$1.classPK"
$string6 = "$.4aX,Gt<"
$string7 = "bpac/KAVS.classPK"
$string8 = "bpac/b.classPK"
$string9 = "bpac/b.class"
condition:
9 of them
}
rule phoenix_pdf : EK PDF
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "16de68e66cab08d642a669bf377368da"
hash1 = "bab281fe0cf3a16a396550b15d9167d5"
sample_filetype = "pdf"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "0000000254 00000 n"
$string1 = "0000000295 00000 n"
$string2 = "trailer<</Root 1 0 R /Size 7>>"
$string3 = "0000000000 65535 f"
$string4 = "3 0 obj<</JavaScript 5 0 R >>endobj"
$string5 = "0000000120 00000 n"
$string6 = "%PDF-1.0"
$string7 = "startxref"
$string8 = "0000000068 00000 n"
$string9 = "endobjxref"
$string10 = ")6 0 R ]>>endobj"
$string11 = "0000000010 00000 n"
condition:
11 of them
}
rule phoenix_pdf2 : EK PDF
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "33cb6c67f58609aa853e80f718ab106a"
sample_filetype = "pdf"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "\\nQb<%"
$string1 = "0000000254 00000 n"
$string2 = ":S3>v0$EF"
$string3 = "trailer<</Root 1 0 R /Size 7>>"
$string4 = "%PDF-1.0"
$string5 = "0000000000 65535 f"
$string6 = "endstream"
$string7 = "0000000010 00000 n"
$string8 = "6 0 obj<</JS 7 0 R/S/JavaScript>>endobj"
$string9 = "3 0 obj<</JavaScript 5 0 R >>endobj"
$string10 = "}pr2IE"
$string11 = "0000000157 00000 n"
$string12 = "1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj"
$string13 = "5 0 obj<</Names[("
condition:
13 of them
}
rule phoenix_pdf3 : EK PDF
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Phoenix Exploit Kit Detection"
hash0 = "bab281fe0cf3a16a396550b15d9167d5"
sample_filetype = "pdf"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "trailer<</Root 1 0 R /Size 7>>"
$string1 = "stream"
$string2 = ";_oI5z"
$string3 = "0000000010 00000 n"
$string4 = "3 0 obj<</JavaScript 5 0 R >>endobj"
$string5 = "7 0 obj<</Filter[ /FlateDecode /ASCIIHexDecode /ASCII85Decode ]/Length 3324>>"
$string6 = "endobjxref"
$string7 = "L%}gE("
$string8 = "0000000157 00000 n"
$string9 = "1 0 obj<</Type/Catalog/Pages 2 0 R /Names 3 0 R >>endobj"
$string10 = "0000000120 00000 n"
$string11 = "4 0 obj<</Type/Page/Parent 2 0 R /Contents 12 0 R>>endobj"
condition:
11 of them
}
rule sakura_jar : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Sakura Exploit Kit Detection"
hash0 = "a566ba2e3f260c90e01366e8b0d724eb"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "Rotok.classPK"
$string1 = "nnnolg"
$string2 = "X$Z'\\4^=aEbIdUmiprsxt}v<" wide
$string3 = "()Ljava/util/Set;"
$string4 = "(Ljava/lang/String;)V"
$string5 = "Ljava/lang/Exception;"
$string6 = "oooy32"
$string7 = "Too.java"
$string8 = "bbfwkd"
$string9 = "Ljava/lang/Process;"
$string10 = "getParameter"
$string11 = "length"
$string12 = "Simio.java"
$string13 = "Ljavax/swing/JList;"
$string14 = "-(Ljava/lang/String;)Ljava/lang/StringBuilder;"
$string15 = "Ljava/io/InputStream;"
$string16 = "vfnnnrof.exnnnroe"
$string17 = "Olsnnfw"
condition:
17 of them
}
rule sakura_jar2 : EK jar
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Sakura Exploit Kit Detection"
hash0 = "d21b4e2056e5ef9f9432302f445bcbe1"
sample_filetype = "unknown"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "getProperty"
$string1 = "java/io/FileNotFoundException"
$string2 = "LLolp;"
$string3 = "cjhgreshhnuf "
$string4 = "StackMapTable"
$string5 = "onfwwa"
$string6 = "(C)Ljava/lang/StringBuilder;"
$string7 = "replace"
$string8 = "LEsia$fffgss;"
$string9 = "<clinit>"
$string10 = "()Ljava/io/InputStream;"
$string11 = "openConnection"
$string12 = " gjhgreshhnijhgreshhrtSjhgreshhot.sjhgreshhihjhgreshht;)"
$string13 = "Oi.class"
$string14 = " rjhgreshhorjhgreshhre rajhgreshhv"
$string15 = "java/lang/String"
$string16 = "java/net/URL"
$string17 = "Created-By: 1.7.0-b147 (Oracle Corporation)"
condition:
17 of them
}
rule zeroaccess_css : EK
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "ZeroAccess Exploit Kit Detection"
hash0 = "4944324bad3b020618444ee131dce3d0"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "close-mail{right:130px "
$string1 = "ccc;box-shadow:0 0 5px 1px "
$string2 = "757575;border-bottom:1px solid "
$string3 = "777;height:1.8em;line-height:1.9em;display:block;float:left;padding:1px 15px;margin:0;text-shadow:-1"
$string4 = "C4C4C4;}"
$string5 = "999;-webkit-box-shadow:0 0 3px "
$string6 = "header div.service-links ul{display:inline;margin:10px 0 0;}"
$string7 = "t div h2.title{padding:0;margin:0;}.box5-condition-news h2.pane-title{display:block;margin:0 0 9px;p"
$string8 = "footer div.comp-info p{color:"
$string9 = "pcmi-listing-center .full-page-listing{width:490px;}"
$string10 = "pcmi-content-top .photo img,"
$string11 = "333;}div.tfw-header a var{display:inline-block;margin:0;line-height:20px;height:20px;width:120px;bac"
$string12 = "ay:none;text-decoration:none;outline:none;padding:4px;text-align:center;font-size:9px;color:"
$string13 = "333;}body.page-videoplayer div"
$string14 = "373737;position:relative;}body.node-type-video div"
$string15 = "pcmi-content-sidebara,.page-error-page "
$string16 = "fff;text-decoration:none;}"
$string17 = "qtabs-list li a,"
$string18 = "cdn2.dailyrx.com"
condition:
18 of them
}
rule zeroaccess_css2 : EK css
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "ZeroAccess Exploit Kit Detection"
hash0 = "e300d6a36b9bfc3389f64021e78b1503"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "er div.panel-hide{display:block;position:absolute;z-index:200;margin-top:-1.5em;}div.panel-pane div."
$string1 = "ve.gif) right center no-repeat;}div.ctools-ajaxing{float:left;width:18px;background:url(http://cdn3."
$string2 = "cdn2.dailyrx.com"
$string3 = "efefef;margin:5px 0 5px 0;}"
$string4 = "node{margin:0;padding:0;}div.panel-pane div.feed a{float:right;}"
$string5 = ":0 5px 0 0;float:left;}div.tweets-pulled-listing div.tweet-authorphoto img{max-height:40px;max-width"
$string6 = "i a{color:"
$string7 = ":bold;}div.tweets-pulled-listing .tweet-time a{color:silver;}div.tweets-pulled-listing div.tweet-di"
$string8 = "div.panel-pane div.admin-links{font-size:xx-small;margin-right:1em;}div.panel-pane div.admin-links l"
$string9 = "div.tweets-pulled-listing ul{list-style:none;}div.tweets-pulled-listing div.tweet-authorphoto{margin"
$string10 = "FFFFDD none repeat scroll 0 0;border:1px solid "
$string11 = "vider{clear:left;border-bottom:1px solid "
condition:
11 of them
}
rule zeroaccess_htm : EK html
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "ZeroAccess Exploit Kit Detection"
hash0 = "0e7d72749b60c8f05d4ff40da7e0e937"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "screen.height:"
$string1 = "</script></head><body onload"
$string2 = "Fx0ZAQRKXUVgbh0qNDRJVxYwGg4tGh8aHQoAVQQSNyo0NElXFjAaDi0NFQYESl1FBBNnTFoSPiBmADwnPTQxPSdKWUUEE2UcGR0z"
$string3 = "0);-10<b"
$string4 = "function fl(){var a"
$string5 = "0);else if(navigator.mimeTypes"
$string6 = ");b.href"
$string7 = "/presults.jsp"
$string8 = "128.164.107.221"
$string9 = ")[0].clientWidth"
$string10 = "presults.jsp"
$string11 = ":escape(c),e"
$string12 = "navigator.plugins.length)navigator.plugins["
$string13 = "window;d"
$string14 = "gr(),j"
$string15 = "VIEWPORT"
$string16 = "FQV2D0ZAH1VGDxgZVg9COwYCAwkcTzAcBxscBFoKAAMHUFVuWF5EVVYVdVtUR18bA1QdAU8HQjgeUFYeAEZ4SBEcEk1FTxsdUlVA"
condition:
16 of them
}
rule zeroaccess_js : EK js
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "ZeroAccess Exploit Kit Detection"
hash0 = "a9f30483a197cfdc65b4a70b8eb738ab"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "Square ad tag (tile"
$string1 = " adRandNum "
$string2 = " cellspacing"
$string3 = "\\n//-->\\n</script>"
$string4 = "format"
$string5 = "//-->' "
$string6 = "2287974446"
$string7 = "NoScrBeg "
$string8 = "-- start adblade -->' "
$string9 = "3427054556"
$string10 = " while (i >"
$string11 = "return '<table width"
$string12 = "</scr' "
$string13 = " s.substring(0, i"
$string14 = " /></a></noscript>' "
$string15 = " else { isEmail "
$string16 = ").submit();"
$string17 = " border"
$string18 = "pub-8301011321395982"
condition:
18 of them
}
rule zeroaccess_js2 : EK js
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "ZeroAccess Exploit Kit Detection"
hash0 = "b5fda04856b98c254d33548cc1c1216c"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "ApiClientConfig"
$string1 = "function/.test(pa.toString())"
$string2 = "background-image:url(http:\\/\\/static.ak.fbcdn.net\\/rsrc.php\\/v2\\/y6\\/x\\/s816eWC-2sl.gif)}"
$string3 = "Music.init"
$string4 = "',header:'bool',recommendations:'bool',site:'hostname'},create_event_button:{},degrees:{href:'url'},"
$string5 = "cca6477272fc5cb805f85a84f20fca1d"
$string6 = "document.createElement('form');c.action"
$string7 = "javascript:false"
$string8 = "s.onMessage){j.error('An instance without whenReady or onMessage makes no sense');throw new Error('A"
$string9 = "NaN;}else h"
$string10 = "sprintf"
$string11 = "window,j"
$string12 = "o.getUserID(),da"
$string13 = "FB.Runtime.getLoginStatus();if(b"
$string14 = ")');k.toString"
$string15 = "rovide('XFBML.Send',{Dimensions:{width:80,height:25}});"
$string16 = "{log:i};e.exports"
$string17 = "a;FB.api('/fql','GET',f,function(g){if(g.error){ES5(ES5('Object','keys',false,b),'forEach',true,func"
$string18 = "true;}}var ia"
condition:
18 of them
}
rule zeroaccess_js3 : EK js
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "ZeroAccess Exploit Kit Detection"
hash0 = "5f13fdfb53a3e60e93d7d1d7bbecff4f"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "document.createDocumentFragment();img.src"
$string1 = "typeOf(events)"
$string2 = "var i,x,y,ARRcookies"
$string3 = "callbacks.length;j<l;j"
$string4 = "encodeURIComponent(value);if(options.domain)value"
$string5 = "event,HG.components.get('windowEvent_'"
$string6 = "'read'in Cookie){return Cookie.read(c_name);}"
$string7 = "item;},get:function(name,def){return HG.components.exists(name)"
$string8 = "){window.addEvent(windowEvents[i],function(){var callbacks"
$string9 = "reunload:function(callback){HG.events.add('beforeunload',callback);},add:function(event,callback){HG"
$string10 = "name){if(HG.components.exists(name)){delete HG.componentList[name];}}},util:{uuid:function(){return'"
$string11 = "window.HG"
$string12 = "x.replace(/"
$string13 = "encodeURIComponent(this.attr[key]));}"
$string14 = "options.domain;if(options.path)value"
$string15 = "this.page_sid;this.attr.user_sid"
condition:
15 of them
}
rule zeroaccess_js4 : EK js
{
meta:
author = "Josh Berry"
date = "2016-06-27"
description = "ZeroAccess Exploit Kit Detection"
hash0 = "268ae96254e423e9d670ebe172d1a444"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = ").join("
$string1 = "JSON.stringify:function(o){if(o"
$string2 = "){try{var a"
$string3 = ");return $.jqotecache[i]"
$string4 = "o.getUTCFullYear(),hours"
$string5 = "seconds"
$string6 = "')');};$.secureEvalJSON"
$string7 = "isFinite(n);},secondsToTime:function(sec_numb){sec_numb"
$string8 = "')');}else{throw new SyntaxError('Error parsing JSON, source is not valid.');}};$.quoteString"
$string9 = "o[name];var ret"
$string10 = "a[m].substr(2)"
$string11 = ");if(d){return true;}}}catch(e){return false;}}"
$string12 = "a.length;m<k;m"
$string13 = "if(parentClasses.length"
$string14 = "o.getUTCHours(),minutes"
$string15 = "$.jqote(e,d,t),$$"
$string16 = "q.test(x)){e"
$string17 = "{};HGWidget.creator"
condition:
17 of them
}
rule zerox88_js2
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "0x88 Exploit Kit Detection"
hash0 = "cad8b652338f5e3bc93069c8aa329301"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "function gSH() {"
$string1 = "200 HEIGHT"
$string2 = "'sh.js'><\\/SCRIPT>"
$string3 = " 2 - 26;"
$string4 = "<IFRAME ID"
$string5 = ",100);"
$string6 = "200></IFRAME>"
$string7 = "setTimeout("
$string8 = "'about:blank' WIDTH"
$string9 = "mf.document.write("
$string10 = "document.write("
$string11 = "Kasper "
condition:
11 of them
}
rule zerox88_js3
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "0x88 Exploit Kit Detection"
hash0 = "9df0ac2fa92e602ec11bac53555e2d82"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = " new ActiveXObject(szHTTP); "
$string1 = " Csa2;"
$string2 = "var ADO "
$string3 = " new ActiveXObject(szOx88);"
$string4 = " unescape("
$string5 = "/test.exe"
$string6 = " szEtYij;"
$string7 = "var HTTP "
$string8 = "%41%44%4F%44%42%2E"
$string9 = "%4D%65%64%69%61"
$string10 = "var szSRjq"
$string11 = "%43%3A%5C%5C%50%72%6F%67%72%61%6D"
$string12 = "var METHOD "
$string13 = "ADO.Mode "
$string14 = "%61%79%65%72"
$string15 = "%2E%58%4D%4C%48%54%54%50"
$string16 = " 7 - 6; HTTP.Open(METHOD, szURL, i-3); "
condition:
16 of them
}
rule zeus_js : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Zeus Exploit Kit Detection"
hash0 = "c87ac7a25168df49a64564afb04dc961"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "var jsmLastMenu "
$string1 = "position:absolute; z-index:99' "
$string2 = " -1)jsmSetDisplayStyle('popupmenu' "
$string3 = " '<tr><td><a href"
$string4 = " jsmLastMenu "
$string5 = " var ids "
$string6 = "this.target"
$string7 = " jsmPrevMenu, 'none');"
$string8 = " if(jsmPrevMenu "
$string9 = ")if(MenuData[i])"
$string10 = " '<div style"
$string11 = "popupmenu"
$string12 = " jsmSetDisplayStyle('popupmenu' "
$string13 = "function jsmHideLastMenu()"
$string14 = " MenuData.length; i"
condition:
14 of them
}
rule Backdoor_PHP_WPVCD_TempExecution {
meta:
description = "Backdoor script associated with WP-VCD."
strings:
$re = /extract\s*\(\s*wp_temp_setupx?\s*\(\s*\$\w+\s*\)\s*\)/ nocase
condition:
$re
}
rule Backdoor_PHP_WPVCD_DivCodeName {
meta:
description = "Backdoor script associated with WP-VCD"
strings:
$re = /\$div_code_name\s*\=\s*['"]wp_vcd['"];/ nocase
condition:
$re
}
rule Backdoor_PHP_WPVCD_Deployer {
meta:
description = "Deployment script associated with WP-VCD."
strings:
$re = /strpos\s*\(\s*\$\w{1,40}\s*,\s*['"]WP_V_CD['"]\s*\)\s*===\s*false/ nocase
condition:
$re
}
rule Spam_PHP_WPVCD_ContentInjection {
meta:
description = "Content injection script associated with WP-VCD."
strings:
$re = /\$ip\s*=\s*\@file_get_contents\s*\(\s*ABSPATH\s*\.\s*['"]wp\-includes\/wp\-feed\.php['"]/ nocase
condition:
$re
}
rule Suspicious_PHP_PrependedInclude {
meta:
description = "Suspicious PHP include often associated with WP-VCD."
strings:
$re = /^\<\?php\s+if\s*\(\s*file_exists\s*\(\s*dirname\s*\(\s*__FILE__\s*\)\s*\.\s*['"][^'"]+['"]\s*\)\s*\)\s*(include|require)(_once)?\s*\(\s*dirname\s*\(\s*__FILE__\s*\)\s*\.\s*['"][^'"]+['"]\s*\)\s*\;\s*\?\>\s*\<\?/ nocase
condition:
$re
}
SEA-GHOST - SHELL CODING BY SEA-GHOST