Repository: heikanet/whohk
Branch: master
Commit: 1143af45b06c
Files: 24
Total size: 359.5 KB
Directory structure:
gitextract_jbnhp2b8/
├── README.md
├── rules/
│ ├── malware/
│ │ ├── MALW_BackdoorSSH.yar
│ │ ├── MALW_BlackRev.yar
│ │ ├── MALW_PE_sections.yar
│ │ ├── ddg.yar
│ │ ├── h2miner.yar
│ │ ├── lsdminer.yar
│ │ ├── rainbowminer.yar
│ │ ├── skipmap.yar
│ │ ├── startminer.yar
│ │ ├── sysupdataminer.yar
│ │ ├── teamtnt.yar
│ │ └── watchbogminer.yar
│ ├── utils/
│ │ └── wget.yar
│ ├── webshell.yar
│ ├── webshells/
│ │ ├── WShell_APT_Laudanum.yar
│ │ ├── WShell_ASPXSpy.yar
│ │ ├── WShell_Behinder.yar
│ │ ├── WShell_Drupalgeddon2_icos.yar
│ │ ├── WShell_PHP_Anuna.yar
│ │ ├── WShell_PHP_in_images.yar
│ │ └── WShell_THOR_Webshells.yar
│ └── xunjian.yar
└── whohk.py
================================================
FILE CONTENTS
================================================
================================================
FILE: README.md
================================================
# whohk
whohk, a powerful incident response tool for Linux
<a href="https://github.com/wgpsec/whohk"><img alt="Release" src="https://img.shields.io/badge/python-3.x-9cf"></a>
<a href="https://github.com/wgpsec/whohk"><img alt="Release" src="https://img.shields.io/badge/whohk-1.1-ff69b4"></a>
<a href="https://github.com/wgpsec/whohk"><img alt="Release" src="https://img.shields.io/badge/LICENSE-GPL-important"></a>



Incident response on Linux usually means working through a tedious series of command-line commands to inspect each point of interest, sometimes with extra output formatting on top, which is unfriendly to people who are not very familiar with Linux commands. This tool collects the operations commonly used in Linux incident response, presents their output in a friendlier format, and lets a single argument replace the long, complex commands needed to check each point.
Supports the mainstream Linux distributions, including CentOS, RedHat, Ubuntu, Debian and openSUSE.
## Usage Guide
```
optional arguments:
-h, --help show this help message and exit
-user 用于查看系统可登录账户和空口令账户(无参数)
-history 用于查看所有用户的敏感历史命令(无参数)
-cron 用于查看所有用户的定时任务(无参数)
-ip 用于查看外连ip(无参数)
--pid 1234 用于定位进程物理路径(参数为pid号)
--ssh-fip 用于查看ssh登录失败的ip和次数(无参数)
--ssh-fuser 用于查看ssh登录失败的用户和次数(无参数)
--ssh-sip 用于查看ssh登录成功的ip和次数(无参数)
--ssh-sinfo 用于查看ssh登录成功的用户详情(无参数)
--file-cron 7 用于查看系统各个级别定时任务目录中,n天内被修改的文件(参数为天数)
--file-starup 7 用于查看系统启动项目录中,n天内被修改的文件(参数为天数)
--file-os 7 用于查看系统重要目录中,n天内被修改的文件(参数为天数)
--file-change /www 7 php
用于查看在n天内指定目录中指定后缀的被修改的文件(参数为物理路径、天数、后缀)
--file-perm /www jsp 777
用于查看指定目录下指定后缀指定权限的文件(参数为物理路径、后缀、天数)
--s-backdoor /home 用于检测指定路径下的恶意样本(参数为物理路径)
--s-webshell /var/www
用于检测指定路径下的webshell(参数为物理路径)
```
## Details
Since I was too lazy to take new screenshots, the images posted earlier on the WeChat public account are used directly here.
- whohk, a powerful Linux incident response helper tool: [click to open](https://mp.weixin.qq.com/s?__biz=MzIyNDkwNjQ5Ng==&mid=2247484224&idx=1&sn=616be624b7936abef282c5611f710a6a&chksm=e8069f2fdf71163973a712de55de80b042fb6224fa9179b4a655b5fe2e5be647f63d7f038e60&token=1653316416&lang=zh_CN#rd)
- [Update] Linux incident response tool whohk v1.1: [click to open](https://mp.weixin.qq.com/s?__biz=MzIyNDkwNjQ5Ng==&mid=2247485371&idx=1&sn=8f6a32e28bf06e100edcd9241a8923e4&chksm=e8069bd4df7112c28a416e740b6025982d1d4a920906f9e3aa2f6244c5a691af6cf9a96bb55d#rd)
- How to build your own malicious sample detection tool: [click to open](https://mp.weixin.qq.com/s?__biz=MzIyNDkwNjQ5Ng==&mid=2247484475&idx=1&sn=7180cb7a18335c71ef561f9ec468f601&chksm=e8069854df7111425708634704d07832764f02545065717fd45424abb960938cbc121a417eb5&token=393884268&lang=zh_CN#rd)
## Ramblings
- 2020-09-21
> During past incident responses on Linux I felt how tedious typing commands is, and the embarrassment of looking up on Baidu, in front of the customer, commands too long to remember, so I decided to gather the commands for the Linux incident response checkpoints into one tool. Before this tool I had actually built a small Windows/Linux security inspection tool, but since it was of little use to my work, after some tinkering it ended up as this small tool, `whohk`.
- 2021-08-26
> Over the past year or so incident responses have become less frequent, and I basically ignored this tool. However, once when I logged in to the public account, I found some followers had sent private messages proposing new features and reporting a few issues (forgive me for logging in to the public account only once every six months), so this update is based on that earlier feedback.
- 2022-04-30
> I found that this tool has, surprisingly, become the project of mine with the most GitHub stars, so perhaps it really has helped some people.
> Decided to open-source it. The code is very simple, one could say rather bad; the version uploaded this time is the 2021.08.26 version, which is also the latest (because it will not be updated as long as there are no new requirements, and because I ~~have no time~~ am too lazy to update it 🐶).
>
> ~~Not going to slack off. I have a few new ideas, but they are still vague; good suggestions are welcome as issues.~~ Slacking off...
## TODO
- [ ] Refactor, make the code more elegant
- [ ] Windows support
- [ ] Server side
- [ ] Aggregated analysis of data from multiple hosts
## Contact


================================================
FILE: rules/malware/MALW_BackdoorSSH.yar
================================================
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule SSH_backdoor
{
meta:
description = "Custome SSH backdoor based on python and paramiko - file server.py"
author = "Florian Roth"
reference = "https://goo.gl/S46L3o"
date = "2015-05-14"
hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
strings:
$s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
$s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
$s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
$s3 = "chan.send(command)" fullword ascii
$s4 = "print '[-] SSH negotiation failed.'" fullword ascii
$s5 = "except paramiko.SSHException, x:" fullword ascii
condition:
filesize < 10KB and 5 of them
}
================================================
FILE: rules/malware/MALW_BlackRev.yar
================================================
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
long as you use it under this license.
*/
rule BlackRev_BotNet
{
meta:
author = "Dennis Schwarz"
date = "2013-05-21"
description = "Black Revolution DDoS Malware. http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/"
origin = "https://github.com/arbor/yara/blob/master/blackrev.yara"
strings:
$base1 = "http"
$base2 = "simple"
$base3 = "loginpost"
$base4 = "datapost"
$opt1 = "blackrev"
$opt2 = "stop"
$opt3 = "die"
$opt4 = "sleep"
$opt5 = "syn"
$opt6 = "udp"
$opt7 = "udpdata"
$opt8 = "icmp"
$opt9 = "antiddos"
$opt10 = "range"
$opt11 = "fastddos"
$opt12 = "slowhttp"
$opt13 = "allhttp"
$opt14 = "tcpdata"
$opt15 = "dataget"
condition:
all of ($base*) and 5 of ($opt*)
}
================================================
FILE: rules/malware/MALW_PE_sections.yar
================================================
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
import "pe"
rule packered : packer PE {
meta:
author = "@j0sm1"
date = "2016/10/21"
description = "The packer/protector section names/keywords"
reference = "http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/"
filetype = "binary"
strings:
$s1 = ".aspack" wide ascii
$s2 = ".adata" wide ascii
$s3 = "ASPack" wide ascii
$s4 = ".ASPack" wide ascii
$s5 = ".ccg" wide ascii
$s6 = "BitArts" wide ascii
$s7 = "DAStub" wide ascii
$s8 = "!EPack" wide ascii
$s9 = "FSG!" wide ascii
$s10 = "kkrunchy" wide ascii
$s11 = ".mackt" wide ascii
$s12 = ".MaskPE" wide ascii
$s13 = "MEW" wide ascii
$s14 = ".MPRESS1" wide ascii
$s15 = ".MPRESS2" wide ascii
$s16 = ".neolite" wide ascii
$s17 = ".neolit" wide ascii
$s18 = ".nsp1" wide ascii
$s19 = ".nsp2" wide ascii
$s20 = ".nsp0" wide ascii
$s21 = "nsp0" wide ascii
$s22 = "nsp1" wide ascii
$s23 = "nsp2" wide ascii
$s24 = ".packed" wide ascii
$s25 = "pebundle" wide ascii
$s26 = "PEBundle" wide ascii
$s27 = "PEC2TO" wide ascii
$s28 = "PECompact2" wide ascii
$s29 = "PEC2" wide ascii
$s30 = "pec1" wide ascii
$s31 = "pec2" wide ascii
$s32 = "PEC2MO" wide ascii
$s33 = "PELOCKnt" wide ascii
$s34 = ".perplex" wide ascii
$s35 = "PESHiELD" wide ascii
$s36 = ".petite" wide ascii
$s37 = "ProCrypt" wide ascii
$s38 = ".RLPack" wide ascii
$s39 = "RCryptor" wide ascii
$s40 = ".RPCrypt" wide ascii
$s41 = ".sforce3" wide ascii
$s42 = ".spack" wide ascii
$s43 = ".svkp" wide ascii
$s44 = "Themida" wide ascii
$s45 = ".Themida" wide ascii
$s46 = ".packed" wide ascii
$s47 = ".Upack" wide ascii
$s48 = ".ByDwing" wide ascii
$s49 = "UPX0" wide ascii
$s50 = "UPX1" wide ascii
$s51 = "UPX2" wide ascii
$s52 = ".UPX0" wide ascii
$s53 = ".UPX1" wide ascii
$s54 = ".UPX2" wide ascii
$s55 = ".vmp0" wide ascii
$s56 = ".vmp1" wide ascii
$s57 = ".vmp2" wide ascii
$s58 = "VProtect" wide ascii
$s59 = "WinLicen" wide ascii
$s60 = "WWPACK" wide ascii
$s61 = ".yP" wide ascii
$s62 = ".y0da" wide ascii
$s63 = "UPX!" wide ascii
condition:
// DOS stub signature PE signature
uint16(0) == 0x5a4d and uint32be(uint32(0x3c)) == 0x50450000 and (
for any of them : ( $ in (0..1024) )
)
}
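Added example, not code from the whohk repository: a pure-Python re-implementation of the header checks behind the `packered` rule above, run over a constructed minimal PE image. It mirrors `uint16(0) == 0x5a4d` (the DOS "MZ" magic), `uint32be(uint32(0x3c)) == 0x50450000` (the `PE\0\0` signature at e_lfanew) and the `$ in (0..1024)` window, which is where the section table normally sits; the keyword list is an assumed subset of the rule's strings and `build_pe` produces a non-loadable test image.

```python
import struct

# Assumed subset of the packer section names/keywords listed in the rule above.
PACKER_KEYWORDS = [b".aspack", b"UPX0", b"UPX1", b".vmp0", b"Themida", b".MPRESS1", b".petite"]


def pe_signature_ok(data: bytes) -> bool:
    """Equivalent of `uint16(0) == 0x5a4d and uint32be(uint32(0x3c)) == 0x50450000`."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:  # "MZ"
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # little-endian, like yara's uint32()
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"  # 0x50450000 read big-endian


def section_names(data: bytes) -> list:
    """Walk the COFF header to the section table and return each 8-byte section name."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                                   # COFF file header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def packer_keyword_hits(data: bytes, window: int = 1024) -> list:
    """`for any of them : ( $ in (0..1024) )`: a keyword counts only if its first
    occurrence starts at offset <= window. `wide ascii` means both encodings are tried."""
    hits = []
    for kw in PACKER_KEYWORDS:
        for encoded in (kw, kw.decode().encode("utf-16-le")):
            pos = data.find(encoded)
            if pos != -1 and pos <= window:
                hits.append(kw.decode())
                break
    return hits


def matches_packered(data: bytes) -> bool:
    """Full condition of the rule: valid MZ/PE header and at least one early keyword."""
    return pe_signature_ok(data) and bool(packer_keyword_hits(data))


def build_pe(sections) -> bytes:
    """Constructed minimal PE image (not executable) with the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: no optional header), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table = b"".join(name.ljust(8, b"\x00")[:8] + b"\x00" * 32 for name in sections)
    return dos + b"PE\x00\x00" + coff + table


if __name__ == "__main__":
    sample = build_pe([b".text", b"UPX0", b"UPX1"])
    print(section_names(sample), packer_keyword_hits(sample), matches_packered(sample))
```

The offset window is what keeps the rule cheap and precise: a packer name buried deep inside an ordinary binary's data does not fire, only one in the header region does.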
================================================
FILE: rules/malware/ddg.yar
================================================
// ddg script generic rule
rule linux_miner_ddg_script_gen
{
meta:
description = "ddg shell script general"
author = "G4rb3n"
reference = "https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server"
date = "2020-5-13"
strings:
$s1 = "/i.sh"
$s2 = "/ddgs"
$c1 = "/var/spool/cron/root"
$c2 = "crontab -"
condition:
( filesize < 50KB ) and ( all of ($s*) ) and ( 1 of ($c*) )
}
// rule for versions v5000 and above
rule linux_miner_ddg_script_v5
{
meta:
description = "ddg shell script v5000+"
author = "G4rb3n"
reference = "https://blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model"
date = "2020-5-13"
url = "http://67.205.168.20:8000/i.sh"
md5_v5023 = "FE0D7BCF06779EF0CC6702FBB7C330E7"
md5_v5019 = "D6F402F6DCB75EA1A81A7C596CDA50C5"
strings:
$s1 = "/i.sh"
$s2 = /\/50[0-9]{2}\/ddgs.+/
$c1 = "/var/spool/cron/root"
$c2 = "crontab -"
condition:
( filesize < 50KB ) and ( all of ($s*) ) and ( 1 of ($c*) )
}
================================================
FILE: rules/malware/h2miner.yar
================================================
// H2Miner script generic rule
rule linux_miner_h2miner_script_gen
{
meta:
description = "h2miner script general"
author = "G4rb3n"
reference = "https://mp.weixin.qq.com/s/iNq8SdTZ9IrttAoQYLJw5A"
date = "2020-7-31"
md5_2001 = "A626C7274F51C55FDFF1F398BB10BAD5"
md5_2005 = "E600632DA9A710BBA3C53C1DFDD7BAC1"
md5_2007 = "BE17040E1A4EAF7E2DF8C0273FF2DFD2"
md5_2008 = "69886742CF56F9FC97B97DF0A19FC8F0"
strings:
$s1 = "echo \"P OK\""
$s2 = "echo \"T DIR $DIR\""
$s3 = "echo \"No md5sum\""
$s4 = "echo \"P NOT EXISTS\""
$s5 = "case $sum in"
$x1 = "ulimit -n 65535"
$x2 = "https://bitbucket.org"
$c1 = "kingsing"
$c2 = "salt-store"
$c3 = "195.3.146.118"
$c4 = "217.12.210.192"
condition:
( filesize < 50KB ) and ( ( 4 of ($s*) ) and ( ( 2 of ($x*) ) or ( 2 of ($c*) ) ) )
}
================================================
FILE: rules/malware/lsdminer.yar
================================================
// LSDMiner script generic rule
rule linux_miner_lsdminer_script_gen
{
meta:
description = "lsdminer script general"
author = "G4rb3n"
reference = "https://www.anquanke.com/post/id/193116"
date = "2020-5-21"
strings:
$s1 = "hwlh3wlh44lh"
$s2 = "Circle_MI"
$s3 = "thyrsi.com"
$s4 = "img.sobot.com"
$s5 = "cdn.xiaoduoai.com"
$s6 = "res.cloudinary.com"
$s7 = "pastebin.com"
$s8 = "user-images.githubusercontent.com"
condition:
( filesize < 50KB ) and ( 4 of ($s*) )
}
================================================
FILE: rules/malware/rainbowminer.yar
================================================
// RainbowMiner script generic rule
rule linux_miner_rainbowminer_script_gen
{
meta:
description = "rainbowminer script general"
author = "G4rb3n"
reference = "https://mp.weixin.qq.com/s/KUK2hW7oRA2hN_cJ5QaYUA"
date = "2020-5-21"
strings:
$s1 = "=\"/lib64/"
$s2 = "pdflushType=\""
$s3 = "kthreadds"
$s4 = "processhider"
$s5 = "paDKiUwmHNUSW7E1S18Cl" // fragment of the ssh public key
$s6 = "cron.py"
$s7 = "/pdflushs"
$x1 = "Rainbow66"
$x2 = "47.106.187.104"
condition:
( filesize < 50KB ) and ( ( 4 of ($s*) ) or ( 1 of ($x*) ) )
}
================================================
FILE: rules/malware/skipmap.yar
================================================
// SkipMap script generic rule
rule linux_miner_skipmap_script_gen
{
meta:
description = "skipmap shell script general"
author = "G4rb3n"
reference = "https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload"
date = "2020-8-7"
strings:
$s1 = "chmod +x /var/lib/"
$s2 = "/bin/get"
$s3 = "/bin/cur"
$c1 = "pm.ipfswallet.tk"
$c2 = "a.powerofwish.com"
condition:
( filesize < 10KB ) and ( all of ($s*) ) and ( 1 of ($c*) )
}
================================================
FILE: rules/malware/startminer.yar
================================================
// StartMiner script generic rule
rule linux_miner_startminer_script_gen
{
meta:
description = "startminer script general"
author = "G4rb3n"
reference = "https://s.tencent.com/research/report/978.html"
date = "2020-5-20"
strings:
$s1 = "echo \"P OK\""
$s2 = "echo \"T DIR $DIR\""
$s3 = "echo \"No md5sum\""
$s4 = "echo \"P NOT EXISTS\""
$s5 = "case $sum in"
$x1 = "f2=\""
$x2 = "downloadIfNeed()"
$x3 = "judge()"
$x4 = "judge2()"
$x5 = "start.jpg"
$c1 = "jukesxdbrxd.xyz"
$c2 = "37.44.212.223"
$c3 = "107.189.11.170"
condition:
( filesize < 50KB ) and ( ( 4 of ($s*) ) and ( ( 2 of ($x*) ) or ( 1 of ($c*) ) ) )
}
================================================
FILE: rules/malware/sysupdataminer.yar
================================================
// SysUpdataMiner script generic rule
rule linux_miner_sysupdataminer_script_gen
{
meta:
description = "sysupdataminer script general"
author = "G4rb3n"
reference = "https://www.freebuf.com/articles/system/172987.html"
date = "2020-6-4"
strings:
$s1 = "miner_url"
$s2 = "miner_size"
$s3 = "sh_url"
$s4 = "config_url"
$s5 = "config_size"
$s6 = "scan_url"
$s7 = "scan_size"
$s8 = "watchdog_url"
$s9 = "watchdog_size"
$x1 = "/etc/update.sh"
$x2 = "/etc/sysupdate"
$x3 = "/etc/networkservice"
$x4 = "/usr/bin/cur" fullword ascii
$x5 = "/usr/bin/wge" fullword ascii
$c1 = "185.181.10.234"
$c2 = "de.gsearch.com.de"
$c3 = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WKiJ7yQ6HcafmwzDMv1RKxPdJI"
condition:
( filesize < 50KB ) and ( ( ( 3 of ($s*) ) or ( 2 of ($x*) ) ) and ( 2 of ($c*) ) )
}
================================================
FILE: rules/malware/teamtnt.yar
================================================
// TeamTNT script generic rule
rule linux_miner_teamtnt_script_gen
{
meta:
description = "teamtnt shell script general"
author = "G4rb3n"
reference = "https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=2813"
date = "2020-8-8"
md5_2008 = "BE5B1BE30CF430AF6F76776FEBE805F2"
md5_2009 = "856109FAFF327638BA3A8EC5800E988C"
strings:
$s1 = "LDR=\"wget -q -O -\""
$s2 = "LDR=\"curl\""
$s3 = "echo \"cron good\""
$s4 = "echo \"setup cron\""
$s5 = "downloadxmin()"
$s6 = "startxmin()"
$s7 = "setupmyapps()"
$s8 = "loadthisfile()"
$s9 = "uploadthersa()"
$s10 = "getsomelanssh()"
$s11 = "localgo()"
$c1 = "85.214.149.236"
condition:
( filesize < 10KB ) and ( 2 of ($s*) ) and ( 1 of ($c*) )
}
================================================
FILE: rules/malware/watchbogminer.yar
================================================
// WatchBogMiner script generic rule
rule linux_miner_watchbogminer_script_gen
{
meta:
description = "watchbogminer shell script general"
author = "G4rb3n"
reference = "https://s.tencent.com/research/report/1056.html"
date = "2020-8-17"
strings:
$s1 = "pastebin.com"
$s2 = "kill_miner_proc()"
$s3 = "gettarfile()"
$s4 = "base -d"
$c1 = "UhUmR517"
$c2 = "/JavaUpdates"
$c3 = "tmpdropoff"
condition:
( filesize < 50KB ) and ( 2 of ($s*) ) and ( 2 of ($c*) )
}
================================================
FILE: rules/utils/wget.yar
================================================
rule wget {
meta:
author = "yiansec"
strings:
$url_regex = /wget https?:\/\// wide ascii
condition:
$url_regex
}
================================================
FILE: rules/webshell.yar
================================================
/*
yiansec
2020.5.1
*/
include "./webshells/WShell_APT_Laudanum.yar"
include "./webshells/WShell_ASPXSpy.yar"
include "./webshells/WShell_Drupalgeddon2_icos.yar"
include "./webshells/WShell_PHP_Anuna.yar"
include "./webshells/WShell_PHP_in_images.yar"
include "./webshells/WShell_THOR_Webshells.yar"
include "./webshells/WShell_Behinder.yar"
================================================
FILE: rules/webshells/WShell_APT_Laudanum.yar
================================================
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule asp_file : webshell {
meta:
description = "Laudanum Injector Tools - file file.asp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "ff5b1a9598735440bdbaa768b524c639e22f53c5"
strings:
$s1 = "' *** Written by Tim Medin <tim@counterhack.com>" fullword ascii
$s2 = "Response.BinaryWrite(stream.Read)" fullword ascii
$s3 = "Response.Write(Response.Status & Request.ServerVariables(\"REMOTE_ADDR\"))" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "%><a href=\"<%=Request.ServerVariables(\"URL\")%>\">web root</a><br/><%" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "set folder = fso.GetFolder(path)" fullword ascii
$s6 = "Set file = fso.GetFile(filepath)" fullword ascii
condition:
uint16(0) == 0x253c and filesize < 30KB and 5 of them
}
rule php_killnc : webshell {
meta:
description = "Laudanum Injector Tools - file killnc.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
strings:
$s1 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "header(\"HTTP/1.0 404 Not Found\");" fullword ascii
$s3 = "<?php echo exec('killall nc');?>" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<title>Laudanum Kill nc</title>" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "foreach ($allowedIPs as $IP) {" fullword ascii
condition:
filesize < 15KB and 4 of them
}
rule asp_shell : webshell {
meta:
description = "Laudanum Injector Tools - file shell.asp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "8bf1ff6f8edd45e3102be5f8a1fe030752f45613"
strings:
$s1 = "<form action=\"shell.asp\" method=\"POST\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "%ComSpec% /c dir" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Set objCmd = wShell.Exec(cmd)" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Server.ScriptTimeout = 180" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "cmd = Request.Form(\"cmd\")" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "' *** http://laudanum.secureideas.net" fullword ascii
$s7 = "Dim wshell, intReturn, strPResult" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 15KB and 4 of them
}
rule settings : webshell {
meta:
description = "Laudanum Injector Tools - file settings.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
strings:
$s1 = "Port: <input name=\"port\" type=\"text\" value=\"8888\">" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<li>Reverse Shell - " fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<li><a href=\"<?php echo plugins_url('file.php', __FILE__);?>\">File Browser</a>" ascii /* PEStudio Blacklist: strings */
condition:
filesize < 13KB and all of them
}
rule asp_proxy : webshell {
meta:
description = "Laudanum Injector Tools - file proxy.asp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "51e97040d1737618b1775578a772fa6c5a31afd8"
strings:
$s1 = "'response.write \"<br/> -value:\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" fullword ascii
$s4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "s = urlscheme & urlhost & urlport & urlpath" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 50KB and all of them
}
rule cfm_shell : webshell {
meta:
description = "Laudanum Injector Tools - file shell.cfm"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "885e1783b07c73e7d47d3283be303c9719419b92"
strings:
$s1 = "Executable: <Input type=\"text\" name=\"cmd\" value=\"cmd.exe\"><br>" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<cfif ( #suppliedCode# neq secretCode )>" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<cfif IsDefined(\"form.cmd\")>" fullword ascii
condition:
filesize < 20KB and 2 of them
}
rule aspx_shell : webshell{
meta:
description = "Laudanum Injector Tools - file shell.aspx"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
strings:
$s1 = "remoteIp = HttpContext.Current.Request.Headers[\"X-Forwarded-For\"].Split(new" ascii /* PEStudio Blacklist: strings */
$s2 = "remoteIp = Request.UserHostAddress;" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<form method=\"post\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<body onload=\"document.shell.c.focus()\">" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 20KB and all of them
}
rule php_shell : webshell{
meta:
description = "Laudanum Injector Tools - file shell.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
strings:
$s1 = "command_hist[current_line] = document.shell.command.value;" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "array_unshift($_SESSION['history'], $command);" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 40KB and all of them
}
rule php_reverse_shell : webshell {
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "3ef03bbe3649535a03315dcfc1a1208a09cea49d"
strings:
$s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "printit(\"Successfully opened reverse shell to $ip:$port\");" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "$input = fread($pipes[1], $chunk_size);" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 15KB and all of them
}
rule php_dns : webshell{
meta:
description = "Laudanum Injector Tools - file dns.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
strings:
$s1 = "$query = isset($_POST['query']) ? $_POST['query'] : '';" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "$result = dns_get_record($query, $types[$type], $authns, $addtl);" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "foreach (array_keys($types) as $t) {" fullword ascii
condition:
filesize < 15KB and all of them
}
rule WEB_INF_web : webshell{
meta:
description = "Laudanum Injector Tools - file web.xml"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "0251baed0a16c451f9d67dddce04a45dc26cb4a3"
strings:
$s1 = "<servlet-name>Command</servlet-name>" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<jsp-file>/cmd.jsp</jsp-file>" fullword ascii
condition:
filesize < 1KB and all of them
}
rule jsp_cmd : webshell {
meta:
description = "Laudanum Injector Tools - file cmd.war"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "55e4c3dc00cfab7ac16e7cfb53c11b0c01c16d3d"
strings:
$s0 = "cmd.jsp}" fullword ascii
$s1 = "cmd.jspPK" fullword ascii
$s2 = "WEB-INF/web.xml" fullword ascii /* Goodware String - occured 1 times */
$s3 = "WEB-INF/web.xmlPK" fullword ascii /* Goodware String - occured 1 times */
$s4 = "META-INF/MANIFEST.MF" fullword ascii /* Goodware String - occured 12 times */
condition:
uint16(0) == 0x4b50 and filesize < 2KB and all of them
}
rule laudanum : webshell {
meta:
description = "Laudanum Injector Tools - file laudanum.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
strings:
$s1 = "public function __activate()" fullword ascii
$s2 = "register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 5KB and all of them
}
rule php_file : webshell{
meta:
description = "Laudanum Injector Tools - file file.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "7421d33e8007c92c8642a36cba7351c7f95a4335"
strings:
$s1 = "$allowedIPs =" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<a href=\"<?php echo $_SERVER['PHP_SELF'] ?>\">Home</a><br/>" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "$dir = isset($_GET[\"dir\"]) ? $_GET[\"dir\"] : \".\";" fullword ascii
$s4 = "$curdir .= substr($curdir, -1) != \"/\" ? \"/\" : \"\";" fullword ascii
condition:
filesize < 10KB and all of them
}
rule warfiles_cmd : webshell {
meta:
description = "Laudanum Injector Tools - file cmd.jsp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "3ae3d837e7b362de738cf7fad78eded0dccf601f"
strings:
$s1 = "Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">" fullword ascii
$s4 = "String disr = dis.readLine();" fullword ascii
condition:
filesize < 2KB and all of them
}
rule asp_dns : webshell{
meta:
description = "Laudanum Injector Tools - file dns.asp"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "5532154dd67800d33dace01103e9b2c4f3d01d51"
strings:
$s1 = "command = \"nslookup -type=\" & qtype & \" \" & query " fullword ascii /* PEStudio Blacklist: strings */
$s2 = "Set objCmd = objWShell.Exec(command)" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Response.Write command & \"<br>\"" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<form name=\"dns\" method=\"POST\">" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 21KB and all of them
}
rule php_reverse_shell_2 : webshell{
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "025db3c3473413064f0606d93d155c7eb5049c42"
strings:
$s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
$s7 = "$shell = 'uname -a; w; id; /bin/sh -i';" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 10KB and all of them
}
rule Laudanum_Tools_Generic : webshell Toolkit{
meta:
description = "Laudanum Injector Tools"
author = "Florian Roth"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
super_rule = 1
hash0 = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
hash1 = "885e1783b07c73e7d47d3283be303c9719419b92"
hash2 = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
hash3 = "7421d33e8007c92c8642a36cba7351c7f95a4335"
hash4 = "f49291aef9165ee4904d2d8c3cf5a6515ca0794f"
hash5 = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
hash6 = "f32b9c2cc3a61fa326e9caebce28ef94a7a00c9a"
hash7 = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
hash8 = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
hash9 = "b50ae35fcf767466f6ca25984cc008b7629676b8"
hash10 = "5570d10244d90ef53b74e2ac287fc657e38200f0"
hash11 = "42bcb491a11b4703c125daf1747cf2a40a1b36f3"
hash12 = "83e4eaaa2cf6898d7f83ab80158b64b1d48096f4"
hash13 = "dec7ea322898690a7f91db9377f035ad7072b8d7"
hash14 = "a2272b8a4221c6cc373915f0cc555fe55d65ac4d"
hash15 = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
hash16 = "43320dc23fb2ed26b882512e7c0bfdc64e2c1849"
strings:
$s1 = "*** laudanum@secureideas.net" fullword ascii
$s2 = "*** Laudanum Project" fullword ascii
condition:
filesize < 60KB and all of them
}
================================================
FILE: rules/webshells/WShell_ASPXSpy.yar
================================================
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule ASPXSpy
{
meta:
description= "Detect ASPXSpy"
author = "xylitol@temari.fr"
date = "2019-02-26"
// May only the challenge guide you
strings:
$string1 = "CmdShell" wide ascii
$string2 = "ADSViewer" wide ascii
$string3 = "ASPXSpy.Bin" wide ascii
$string4 = "PortScan" wide ascii
$plugin = "Test.AspxSpyPlugins" wide ascii
condition:
3 of ($string*) or $plugin
}
================================================
FILE: rules/webshells/WShell_Behinder.yar
================================================
rule Behinder_aspx {
meta:
description = "Behinder - file shell.aspx"
author = "yarGen Rule Generator"
reference = "https://github.com/Neo23x0/yarGen"
date = "2021-08-26"
hash1 = "224c7f43f72938e44b4f164c1c899c398a9c099a92c6d084856f5e227761e3b0"
strings:
$x1 = "<%@ Page Language=\"C#\" %><%@Import Namespace=\"System.Reflection\"%><%Session.Add(\"k\",;" ascii
$s3 = "ssion[0] + \"\"),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged()." ascii
$s4 = "eateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance(\"U\").Equals(this);%>" fullword ascii
condition:
uint16(0) == 0x253c and filesize < 1KB and
1 of ($x*) and all of them
}
rule Behinder_php {
meta:
description = "Behinder - file shell.php"
author = "yarGen Rule Generator"
reference = "https://github.com/Neo23x0/yarGen"
date = "2021-08-26"
hash1 = "3566561d818e868a96f2bc8db9c93663a4fb81c06041259f66d04147d50ce8ab"
strings:
$s1 = "$post=openssl_decrypt($post, \"AES128\", $key);" fullword ascii
$s2 = "$post=file_get_contents(\"php://input\");" fullword ascii
$s3 = " $post[$i] = $post[$i]^$key[$i+1&15]; " fullword ascii
$s4 = "$_SESSION['k']=$key;" fullword ascii
$s5 = "@error_reporting(0);" fullword ascii
$s6 = "$post=$t($post.\"\");" fullword ascii
$s7 = "for($i=0;$i<strlen($post);$i++) {" fullword ascii
$s8 = "$t=\"base64_\".\"decode\";" fullword ascii
$s9 = "if(!extension_loaded('openssl'))" fullword ascii
$s10 = " $arr=explode('|',$post);" fullword ascii
$s11 = "class C{public function __invoke($p) {eval($p.\"\");}}" fullword ascii
condition:
uint16(0) == 0x3f3c and filesize < 1KB and
8 of them
}
rule shell_jspx {
meta:
description = "Behinder - file shell.jspx.jsp"
author = "yarGen Rule Generator"
reference = "https://github.com/Neo23x0/yarGen"
date = "2021-08-26"
hash1 = "a8d79695c9b23ad3a157f112863144fd8a196aae5c3fcb4e52b0ab4d1bf64367"
strings:
$x1 = "<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" version=\"1.2\"><jsp:directive.page import=\"java.util.*,javax.crypto.*,jav" ascii
$s2 = ";c.init(2,new SecretKeySpec((session.getValue(\"u\")+\"\").getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFi" ascii
$s3 = "<jsp:root xmlns:jsp=\"http://java.sun.com/JSP/Page\" version=\"1.2\"><jsp:directive.page import=\"java.util.*,javax.crypto.*,jav" ascii
$s4 = "ypto.spec.*\"/><jsp:declaration> class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.de" ascii
$s5 = "w sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);</jsp:scriptlet></js" ascii
$s6 = "session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"" ascii
$s7 = "p:root>" fullword ascii
condition:
uint16(0) == 0x6a3c and filesize < 1KB and
1 of ($x*) and all of them
}
rule Behinder_asp {
meta:
description = "Behinder - file shell.asp"
author = "yarGen Rule Generator"
reference = "https://github.com/Neo23x0/yarGen"
date = "2021-08-26"
hash1 = "2c87faf7c25688c83c86c8b1e9f706f98a4195b84d1f5ce3169de6f2997320f7"
strings:
$s1 = "content=Request.BinaryRead(size)" fullword ascii
$s2 = "execute(result)" fullword ascii
$s3 = "result=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))" fullword ascii
$s4 = "Session(\"k\")=k" fullword ascii
$s5 = "Response.CharSet = \"UTF-8\" " fullword ascii
$s6 = "size=Request.TotalBytes" fullword ascii
$s7 = "For i=1 To size" fullword ascii
condition:
uint16(0) == 0x253c and filesize < 1KB and
all of them
}
rule Behinder_jsp {
meta:
description = "Behinder - file shell.jsp"
author = "yarGen Rule Generator"
reference = "https://github.com/Neo23x0/yarGen"
date = "2021-08-26"
hash1 = "5c8c2d64aef4e586b077b5fde7d8fc3aea16ae9d15438b516ec277c42a7164a5"
strings:
$x1 = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}pub" ascii
$s2 = "ader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext" ascii
$s3 = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}pub" ascii
$s4 = "c Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\"))" ascii
$s5 = "Value(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getC" ascii
condition:
uint16(0) == 0x253c and filesize < 1KB and
1 of ($x*) and all of them
}
rule shell_java9 {
meta:
description = "Behinder - file shell_java9.jsp"
author = "yarGen Rule Generator"
reference = "https://github.com/Neo23x0/yarGen"
date = "2021-08-26"
hash1 = "cfd86cc11928d594f4ccfb6be371a09383f83bbe82d4d6d86703f5fa6b5233f2"
strings:
$x1 = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}pub" ascii
$s2 = "ader()).g(c.doFinal(Base64.getDecoder().decode(request.getReader().readLine()))).newInstance().equals(pageContext);}%>" fullword ascii
$s3 = "<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}pub" ascii
$s4 = "c Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=" ascii
$s5 = "Value(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getC" ascii
condition:
uint16(0) == 0x253c and filesize < 1KB and
1 of ($x*) and all of them
}
================================================
FILE: rules/webshells/WShell_Drupalgeddon2_icos.yar
================================================
/*
This Yara ruleset is under the GNU-GPLv2 license
(http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or
organization, as long as you use it under this license.
*/
/*
Author: Luis Fueris
Date: 4 october, 2019
Description: Drupalgeddon 2 - Web Shells Extract. This rule matches
webshells dropped through the Drupal core vulnerability SA-CORE-2018-002
(https://www.drupal.org/sa-core-2018-002)
*/
rule Dotico_PHP_webshell : webshell {
meta:
description = ".ico PHP webshell - file <eight-num-letter-chars>.ico"
author = "Luis Fueris"
reference = "https://rankinstudio.com/Drupal_ico_index_hack"
date = "2019/12/04"
strings:
$php = "<?php" ascii
$regexp = /basename\/\*[a-z0-9]{,6}\*\/\(\/\*[a-z0-9]{,5}\*\/trim\/\*[a-z0-9]{,5}\*\/\(\/\*[a-z0-9]{,5}\*\//
condition:
$php at 0 and $regexp and filesize > 70KB and filesize < 110KB
}
================================================
FILE: rules/webshells/WShell_PHP_Anuna.yar
================================================
/*
I first found this in May 2016, appeared in every PHP file on the
server, cleaned it with `sed` and regex magic. Second time was
in June 2016, same decoded content, different encoding/naming.
https://www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99
*/
rule php_anuna
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches a PHP Trojan"
strings:
$a = /<\?php \$[a-z]+ = '/
$b = /\$[a-z]+=explode\(chr\(\([0-9]+[-+][0-9]+\)\)/
$c = /\$[a-z]+=\([0-9]+[-+][0-9]+\)/
$d = /if \(!function_exists\('[a-z]+'\)\)/
condition:
all of them
}
================================================
FILE: rules/webshells/WShell_PHP_in_images.yar
================================================
/*
Finds PHP code in JP(E)Gs, GIFs, PNGs.
Magic numbers via Wikipedia.
*/
rule php_in_image
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Finds image files w/ PHP code in images"
strings:
$gif = /^GIF8[79]a/
$jfif = { ff d8 ff e? 00 10 4a 46 49 46 }
$png = { 89 50 4e 47 0d 0a 1a 0a }
$php_tag = "<?php"
condition:
(($gif at 0) or
($jfif at 0) or
($png at 0)) and
$php_tag
}
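The rule above keys on an image magic number at offset 0 plus a `<?php` tag anywhere in the body, and the Behinder rules earlier in this extract key on `uint16(0)` header values. The following is an added example, not code from the whohk repository or from the rule authors: a pure-Python re-implementation of the `php_in_image` condition (including the `e?` nibble wildcard in the JFIF hex string) and a helper showing what YARA's little-endian `uint16(0)` comparisons such as `0x3f3c` actually test. Sample inputs are constructed inline and contain no real payload.

```python
"""Added example (not part of whohk): re-implements the php_in_image rule's
checks in plain Python and decodes YARA's uint16(0) header tests."""
import re
import struct
import sys

# Magic numbers the rule keys on (GIF87a/GIF89a, JFIF, PNG).
GIF_RE = re.compile(rb"^GIF8[79]a")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHP_TAG = b"<?php"


def is_jfif(data: bytes) -> bool:
    """Equivalent of the hex string { ff d8 ff e? 00 10 4a 46 49 46 } at 0.
    The 'e?' wildcard means only the high nibble of byte 3 is fixed (APP0..APP15)."""
    if len(data) < 10:
        return False
    return (data[0:3] == b"\xff\xd8\xff"
            and (data[3] & 0xF0) == 0xE0
            and data[4:10] == b"\x00\x10JFIF")


def image_kind(data: bytes):
    """Which of the rule's three image headers sits at offset 0, if any."""
    if GIF_RE.match(data):
        return "gif"
    if is_jfif(data):
        return "jfif"
    if data.startswith(PNG_MAGIC):
        return "png"
    return None


def php_in_image(data: bytes):
    """Mirror the rule condition: (gif at 0 or jfif at 0 or png at 0) and $php_tag.
    Returns (image kind, offset of the tag) on a hit, None otherwise; the offset
    is extra triage information the YARA rule itself does not report."""
    kind = image_kind(data)
    if kind is None:
        return None
    off = data.find(PHP_TAG)
    if off < 0:
        return None
    return kind, off


def uint16_at(data: bytes, offset: int) -> int:
    """YARA's uint16(offset) reads little-endian, so the Behinder rules'
    uint16(0) == 0x3f3c tests for '<?', 0x253c for '<%', 0x6a3c for '<j'."""
    return struct.unpack_from("<H", data, offset)[0]


# Constructed samples (not real malware): image headers with and without a tag.
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(64)
TAINTED_GIF = b"GIF89a" + bytes(40) + b"<?php /* tag only, no payload */ ?>"
TAINTED_JPEG = b"\xff\xd8\xff\xe1\x00\x10JFIF\x00" + bytes(20) + b"<?php"
PLAIN_PHP = b"<?php echo 1;"  # tag present but no image header: not a hit


def scan_paths(paths):
    """Apply php_in_image to files on disk; yields (path, kind, offset) per hit."""
    for path in paths:
        with open(path, "rb") as fh:
            hit = php_in_image(fh.read())
        if hit:
            yield path, hit[0], hit[1]


if __name__ == "__main__":
    for path, kind, off in scan_paths(sys.argv[1:]):
        print(f"{path}: {kind} image with PHP tag at offset {off}")
```

Running the script with file paths as arguments prints one line per image that carries a `<?php` tag; the offset tells the responder whether the code was appended after the image data (the usual webshell-in-picture layout) or sits inside a metadata segment.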
================================================
FILE: rules/webshells/WShell_THOR_Webshells.yar
================================================
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
/*
THOR APT Scanner - Web Shells Extract
This ruleset is a subset of all hack tool rules included in our
APT Scanner THOR - the full featured APT scanner
We will frequently update this file with new rules rated TLP:WHITE
Florian Roth
BSK Consulting GmbH
Web: bsk-consulting.de
revision: 20150122
*/
rule Weevely_Webshell : webshell {
meta:
description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell"
author = "Florian Roth"
reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html"
date = "2014/12/14"
score = 60
strings:
$php = "<?php" ascii
$s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii
$s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii
$s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii
$s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii
condition:
$php at 0 and all of ($s*) and filesize > 570 and filesize < 800
}
rule webshell_h4ntu_shell_powered_by_tsoi_ : webshell {
meta:
description = "Web Shell - file h4ntu shell [powered by tsoi].php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "06ed0b2398f8096f1bebf092d0526137"
strings:
$s0 = " <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>Server Adress:</b"
$s3 = " <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><b>User Info:</b> ui"
$s4 = " <TD><DIV STYLE=\"font-family: verdana; font-size: 10px;\"><?= $info ?>: <?= "
$s5 = "<INPUT TYPE=\"text\" NAME=\"cmd\" value=\"<?php echo stripslashes(htmlentities($"
condition:
all of them
}
rule webshell_PHP_sql : webshell {
meta:
description = "Web Shell - file sql.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "2cf20a207695bbc2311a998d1d795c35"
strings:
$s0 = "$result=mysql_list_tables($db) or die (\"$h_error<b>\".mysql_error().\"</b>$f_"
$s4 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
condition:
all of them
}
rule webshell_PHP_a : webshell {
meta:
description = "Web Shell - file a.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e3b461f7464d81f5022419d87315a90d"
strings:
$s1 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\""
$s2 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>"
$s4 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p> " fullword
condition:
2 of them
}
rule webshell_iMHaPFtp_2 : webshell{
meta:
description = "Web Shell - file iMHaPFtp.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "12911b73bc6a5d313b494102abcf5c57"
strings:
$s8 = "if ($l) echo '<a href=\"' . $self . '?action=permission&file=' . urlencode($"
$s9 = "return base64_decode('R0lGODlhEQANAJEDAMwAAP///5mZmf///yH5BAHoAwMALAAAAAARAA0AAA"
condition:
1 of them
}
rule webshell_Jspspyweb : webshell{
meta:
description = "Web Shell - file Jspspyweb.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "4e9be07e95fff820a9299f3fb4ace059"
strings:
$s0 = " out.print(\"<tr><td width='60%'>\"+strCut(convertPath(list[i].getPath()),7"
$s3 = " \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control"
condition:
all of them
}
rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 : webshell{
meta:
description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "49ad9117c96419c35987aaa7e2230f63"
strings:
$s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n"
$s1 = "Mode Shell v1.0</font></span></a></font><font face=\"Webdings\" size=\"6\" color"
condition:
1 of them
}
rule webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend : webshell{
meta:
description = "Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "089ff24d978aeff2b4b2869f0c7d38a3"
strings:
$s2 = "echo \"<a href='?id=fm&fchmod=$dir$file'><span style='text-decoration: none'><fo"
$s3 = "fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
condition:
1 of them
}
rule webshell_phpshell_2_1_pwhash : webshell{
meta:
description = "Web Shell - file pwhash.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ba120abac165a5a30044428fac1970d8"
strings:
$s1 = "<tt> </tt>\" (space), \"<tt>[</tt>\" (left bracket), \"<tt>|</tt>\" (pi"
$s3 = "word: \"<tt>null</tt>\", \"<tt>yes</tt>\", \"<tt>no</tt>\", \"<tt>true</tt>\","
condition:
1 of them
}
rule webshell_PHPRemoteView : webshell{
meta:
description = "Web Shell - file PHPRemoteView.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "29420106d9a81553ef0d1ca72b9934d9"
strings:
$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
condition:
1 of them
}
rule webshell_jsp_12302 : webshell{
meta:
description = "Web Shell - file 12302.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a3930518ea57d899457a62f372205f7f"
strings:
$s0 = "</font><%out.print(request.getRealPath(request.getServletPath())); %>" fullword
$s1 = "<%@page import=\"java.io.*,java.util.*,java.net.*\"%>" fullword
$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
condition:
all of them
}
rule webshell_caidao_shell_guo : webshell{
meta:
description = "Web Shell - file guo.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "9e69a8f499c660ee0b4796af14dc08f0"
strings:
$s0 = "<?php ($www= $_POST['ice'])!"
$s1 = "@preg_replace('/ad/e','@'.str_rot13('riny').'($ww"
condition:
1 of them
}
rule webshell_PHP_redcod : webshell{
meta:
description = "Web Shell - file redcod.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5c1c8120d82f46ff9d813fbe3354bac5"
strings:
$s0 = "H8p0bGFOEy7eAly4h4E4o88LTSVHoAglJ2KLQhUw" fullword
$s1 = "HKP7dVyCf8cgnWFy8ocjrP5ffzkn9ODroM0/raHm" fullword
condition:
all of them
}
rule webshell_remview_fix : webshell{
meta:
description = "Web Shell - file remview_fix.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a24b7c492f5f00e2a19b0fa2eb9c3697"
strings:
$s4 = "<a href='$self?c=delete&c2=$c2&confirm=delete&d=\".urlencode($d).\"&f=\".u"
$s5 = "echo \"<P><hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n"
condition:
1 of them
}
rule webshell_asp_cmd : webshell {
meta:
description = "Web Shell - file cmd.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "895ca846858c315a3ff8daa7c55b3119"
strings:
$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
$s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
condition:
1 of them
}
rule webshell_php_sh_server : webshell {
meta:
description = "Web Shell - file server.php"
author = "Florian Roth"
date = "2014/01/28"
score = 50
hash = "d87b019e74064aa90e2bb143e5e16cfa"
strings:
$s0 = "eval(getenv('HTTP_CODE'));" fullword
condition:
all of them
}
rule webshell_PH_Vayv_PH_Vayv : webshell {
meta:
description = "Web Shell - file PH Vayv.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "35fb37f3c806718545d97c6559abd262"
strings:
$s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in"
$s4 = "<font color=\"#858585\">SHOPEN</font></a></font><font face=\"Verdana\" style"
condition:
1 of them
}
rule webshell_caidao_shell_ice : webshell{
meta:
description = "Web Shell - file ice.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "6560b436d3d3bb75e2ef3f032151d139"
strings:
$s0 = "<%eval request(\"ice\")%>" fullword
condition:
all of them
}
rule webshell_cihshell_fix : webshell {
meta:
description = "Web Shell - file cihshell_fix.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3823ac218032549b86ee7c26f10c4cb5"
strings:
$s7 = "<tr style='background:#242424;' ><td style='padding:10px;'><form action='' encty"
$s8 = "if (isset($_POST['mysqlw_host'])){$dbhost = $_POST['mysqlw_host'];} else {$dbhos"
condition:
1 of them
}
rule webshell_asp_shell : webshell {
meta:
description = "Web Shell - file shell.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e63f5a96570e1faf4c7b8ca6df750237"
strings:
$s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword
$s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword
condition:
all of them
}
rule webshell_Private_i3lue : webshell{
meta:
description = "Web Shell - file Private-i3lue.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "13f5c7a035ecce5f9f380967cf9d4e92"
strings:
$s8 = "case 15: $image .= \"\\21\\0\\"
condition:
all of them
}
rule webshell_php_up : webshell {
meta:
description = "Web Shell - file up.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "7edefb8bd0876c41906f4b39b52cd0ef"
strings:
$s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword
$s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword
$s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword
condition:
2 of them
}
rule webshell_Mysql_interface_v1_0 {
meta:
description = "Web Shell - file Mysql interface v1.0.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a12fc0a3d31e2f89727b9678148cd487"
strings:
$s0 = "echo \"<td><a href='$PHP_SELF?action=dropDB&dbname=$dbname' onClick=\\\"return"
condition:
all of them
}
rule webshell_php_s_u {
meta:
description = "Web Shell - file s-u.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "efc7ba1a4023bcf40f5e912f1dd85b5a"
strings:
$s6 = "<a href=\"?act=do\"><font color=\"red\">Go Execute</font></a></b><br /><textarea"
condition:
all of them
}
rule webshell_phpshell_2_1_config {
meta:
description = "Web Shell - file config.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "bd83144a649c5cc21ac41b505a36a8f3"
strings:
$s1 = "; (choose good passwords!). Add uses as simple 'username = \"password\"' lines." fullword
condition:
all of them
}
rule webshell_asp_EFSO_2 {
meta:
description = "Web Shell - file EFSO_2.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a341270f9ebd01320a7490c12cb2e64c"
strings:
$s0 = "%8@#@&P~,P,PP,MV~4BP^~,NS~m~PXc3,_PWbSPU W~~[u3Fffs~/%@#@&~~,PP~~,M!PmS,4S,mBPNB"
condition:
all of them
}
rule webshell_jsp_up {
meta:
description = "Web Shell - file up.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "515a5dd86fe48f673b72422cccf5a585"
strings:
$s9 = "// BUG: Corta el fichero si es mayor de 640Ks" fullword
condition:
all of them
}
rule webshell_NetworkFileManagerPHP {
meta:
description = "Web Shell - file NetworkFileManagerPHP.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "acdbba993a5a4186fd864c5e4ea0ba4f"
strings:
$s9 = " echo \"<br><center>All the data in these tables:<br> \".$tblsv.\" were putted "
condition:
all of them
}
rule webshell_Server_Variables {
meta:
description = "Web Shell - file Server Variables.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "47fb8a647e441488b30f92b4d39003d7"
strings:
$s7 = "<% For Each Vars In Request.ServerVariables %>" fullword
$s9 = "Variable Name</B></font></p>" fullword
condition:
all of them
}
rule webshell_caidao_shell_ice_2 {
meta:
description = "Web Shell - file ice.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1d6335247f58e0a5b03e17977888f5f2"
strings:
$s0 = "<?php ${${eval($_POST[ice])}};?>" fullword
condition:
all of them
}
rule webshell_caidao_shell_mdb {
meta:
description = "Web Shell - file mdb.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "fbf3847acef4844f3a0d04230f6b9ff9"
strings:
$s1 = "<% execute request(\"ice\")%>a " fullword
condition:
all of them
}
rule webshell_jsp_guige {
meta:
description = "Web Shell - file guige.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "2c9f2dafa06332957127e2c713aacdd2"
strings:
$s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null"
condition:
all of them
}
rule webshell_phpspy2010 {
meta:
description = "Web Shell - file phpspy2010.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "14ae0e4f5349924a5047fed9f3b105c5"
strings:
$s3 = "eval(gzinflate(base64_decode("
$s5 = "//angel" fullword
$s8 = "$admin['cookiedomain'] = '';" fullword
condition:
all of them
}
rule webshell_asp_ice {
meta:
description = "Web Shell - file ice.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d141e011a92f48da72728c35f1934a2b"
strings:
$s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC"
condition:
all of them
}
rule webshell_drag_system {
meta:
description = "Web Shell - file system.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "15ae237cf395fb24cf12bff141fb3f7c"
strings:
$s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_"
condition:
all of them
}
rule webshell_DarkBlade1_3_asp_indexx {
meta:
description = "Web Shell - file indexx.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b7f46693648f534c2ca78e3f21685707"
strings:
$s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou"
condition:
all of them
}
rule webshell_phpshell3 {
meta:
description = "Web Shell - file phpshell3.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "76117b2ee4a7ac06832d50b2d04070b8"
strings:
$s2 = "<input name=\"nounce\" type=\"hidden\" value=\"<?php echo $_SESSION['nounce'];"
$s5 = "<p>Username: <input name=\"username\" type=\"text\" value=\"<?php echo $userna"
$s7 = "$_SESSION['output'] .= \"cd: could not change to: $new_dir\\n\";" fullword
condition:
2 of them
}
rule webshell_jsp_hsxa {
meta:
description = "Web Shell - file hsxa.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d0e05f9c9b8e0b3fa11f57d9ab800380"
strings:
$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
condition:
all of them
}
rule webshell_jsp_utils {
meta:
description = "Web Shell - file utils.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "9827ba2e8329075358b8e8a53e20d545"
strings:
$s0 = "ResultSet r = c.getMetaData().getTables(null, null, \"%\", t);" fullword
$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
condition:
all of them
}
rule webshell_asp_01 {
meta:
description = "Web Shell - file 01.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 50
hash = "61a687b0bea0ef97224c7bd2df118b87"
strings:
$s0 = "<%eval request(\"pass\")%>" fullword
condition:
all of them
}
rule webshell_asp_404 {
meta:
description = "Web Shell - file 404.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d9fa1e8513dbf59fa5d130f389032a2d"
strings:
$s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2"
condition:
all of them
}
rule webshell_webshell_cnseay02_1 {
meta:
description = "Web Shell - file webshell-cnseay02-1.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "95fc76081a42c4f26912826cb1bd24b1"
strings:
$s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU"
condition:
all of them
}
rule webshell_php_fbi {
meta:
description = "Web Shell - file fbi.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1fb32f8e58c8deb168c06297a04a21f1"
strings:
$s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo"
condition:
all of them
}
rule webshell_B374kPHP_B374k {
meta:
description = "Web Shell - file B374k.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "bed7388976f8f1d90422e8795dff1ea6"
strings:
$s0 = "Http://code.google.com/p/b374k-shell" fullword
$s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'"
$s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword
$s4 = "B374k Vip In Beautify Just For Self" fullword
condition:
1 of them
}
rule webshell_cmd_asp_5_1 {
meta:
description = "Web Shell - file cmd-asp-5.1.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8baa99666bf3734cbdfdd10088e0cd9f"
strings:
$s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
condition:
all of them
}
rule webshell_php_dodo_zip {
meta:
description = "Web Shell - file zip.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b7800364374077ce8864796240162ad5"
strings:
$s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x"
$s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
condition:
all of them
}
rule webshell_aZRaiLPhp_v1_0 {
meta:
description = "Web Shell - file aZRaiLPhp v1.0.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "26b2d3943395682e36da06ed493a3715"
strings:
$s5 = "echo \" <font color='#0000FF'>CHMODU \".substr(base_convert(@fileperms($"
$s7 = "echo \"<a href='./$this_file?op=efp&fname=$path/$file&dismi=$file&yol=$path'><fo"
condition:
all of them
}
rule webshell_php_list {
meta:
description = "Web Shell - file list.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "922b128ddd90e1dc2f73088956c548ed"
strings:
$s1 = "// list.php = Directory & File Listing" fullword
$s2 = " echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . $filena"
$s9 = "// by: The Dark Raver" fullword
condition:
1 of them
}
rule webshell_ironshell {
meta:
description = "Web Shell - file ironshell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8bfa2eeb8a3ff6afc619258e39fded56"
strings:
$s4 = "print \"<form action=\\\"\".$me.\"?p=cmd&dir=\".realpath('.').\""
$s8 = "print \"<td id=f><a href=\\\"?p=rename&file=\".realpath($file).\"&di"
condition:
all of them
}
rule webshell_caidao_shell_404 {
meta:
description = "Web Shell - file 404.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ee94952dc53d9a29bdf4ece54c7a7aa7"
strings:
$s0 = "<?php $K=sTr_RepLaCe('`','','a`s`s`e`r`t');$M=$_POST[ice];IF($M==NuLl)HeaDeR('St"
condition:
all of them
}
rule webshell_ASP_aspydrv {
meta:
description = "Web Shell - file aspydrv.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "de0a58f7d1e200d0b2c801a94ebce330"
strings:
$s3 = "<%=thingy.DriveLetter%> </td><td><tt> <%=thingy.DriveType%> </td><td><tt> <%=thi"
condition:
all of them
}
rule webshell_jsp_web {
meta:
description = "Web Shell - file web.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "4bc11e28f5dccd0c45a37f2b541b2e98"
strings:
$s0 = "<%@page import=\"java.io.*\"%><%@page import=\"java.net.*\"%><%String t=request."
condition:
all of them
}
rule webshell_mysqlwebsh {
meta:
description = "Web Shell - file mysqlwebsh.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "babfa76d11943a22484b3837f105fada"
strings:
$s3 = " <TR><TD bgcolor=\"<? echo (!$CONNECT && $action == \"chparam\")?\"#660000\":\"#"
condition:
all of them
}
rule webshell_jspShell {
meta:
description = "Web Shell - file jspShell.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "0d5b5a17552254be6c1c8f1eb3a5fdc1"
strings:
$s0 = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on"
$s1 = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;"
condition:
all of them
}
rule webshell_Dx_Dx {
meta:
description = "Web Shell - file Dx.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
strings:
$s1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
$s9 = "class=linelisting><nobr>POST (php eval)</td><"
condition:
1 of them
}
rule webshell_asp_ntdaddy {
meta:
description = "Web Shell - file ntdaddy.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c5e6baa5d140f73b4e16a6cfde671c68"
strings:
$s9 = "if FP = \"RefreshFolder\" or "
$s10 = "request.form(\"cmdOption\")=\"DeleteFolder\" "
condition:
1 of them
}
rule webshell_MySQL_Web_Interface_Version_0_8 {
meta:
description = "Web Shell - file MySQL Web Interface Version 0.8.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "36d4f34d0a22080f47bb1cb94107c60f"
strings:
$s2 = "href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump</a>"
condition:
all of them
}
rule webshell_elmaliseker_2 {
meta:
description = "Web Shell - file elmaliseker.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b32d1730d23a660fd6aa8e60c3dc549f"
strings:
$s1 = "<td<%if (FSO.GetExtensionName(path & \"\\\" & oFile.Name)=\"lnk\") or (FSO.GetEx"
$s6 = "<input type=button value=Save onclick=\"EditorCommand('Save')\"> <input type=but"
condition:
all of them
}
rule webshell_ASP_RemExp {
meta:
description = "Web Shell - file RemExp.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "aa1d8491f4e2894dbdb91eec1abc2244"
strings:
$s0 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=SubFolder.Name%>\"> <a href= \"<%=Reques"
$s1 = "Private Function ConvertBinary(ByVal SourceNumber, ByVal MaxValuePerIndex, ByVal"
condition:
all of them
}
rule webshell_jsp_list1 {
meta:
description = "Web Shell - file list1.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8d9e5afa77303c9c01ff34ea4e7f6ca6"
strings:
$s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive"
$s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\""
condition:
all of them
}
rule webshell_phpkit_1_0_odd {
meta:
description = "Web Shell - file odd.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "594d1b1311bbef38a0eb3d6cbb1ab538"
strings:
$s0 = "include('php://input');" fullword
$s1 = "// No eval() calls, no system() calls, nothing normally seen as malicious." fullword
$s2 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
condition:
all of them
}
rule webshell_jsp_123 {
meta:
description = "Web Shell - file 123.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c691f53e849676cac68a38d692467641"
strings:
$s0 = "<font color=\"blue\">??????????????????:</font><input type=\"text\" size=\"7"
$s3 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
$s9 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\"> " fullword
condition:
all of them
}
rule webshell_asp_1 {
meta:
description = "Web Shell - file 1.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8991148adf5de3b8322ec5d78cb01bdb"
strings:
$s4 = "!22222222222222222222222222222222222222222222222222" fullword
$s8 = "<%eval request(\"pass\")%>" fullword
condition:
all of them
}
rule webshell_ASP_tool {
meta:
description = "Web Shell - file tool.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "4ab68d38527d5834e9c1ff64407b34fb"
strings:
$s0 = "Response.Write \"<FORM action=\"\"\" & Request.ServerVariables(\"URL\") & \"\"\""
$s3 = "Response.Write \"<tr><td><font face='arial' size='2'><b><DIR> <a href='\" "
$s9 = "Response.Write \"<font face='arial' size='1'><a href=\"\"#\"\" onclick=\"\"javas"
condition:
2 of them
}
rule webshell_cmd_win32 {
meta:
description = "Web Shell - file cmd_win32.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "cc4d4d6cc9a25984aa9a7583c7def174"
strings:
$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParam"
$s1 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
condition:
2 of them
}
rule webshell_jsp_jshell {
meta:
description = "Web Shell - file jshell.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "124b22f38aaaf064cef14711b2602c06"
strings:
$s0 = "kXpeW[\"" fullword
$s4 = "[7b:g0W@W<" fullword
$s5 = "b:gHr,g<" fullword
$s8 = "RhV0W@W<" fullword
$s9 = "S_MR(u7b" fullword
condition:
all of them
}
rule webshell_ASP_zehir4 {
meta:
description = "Web Shell - file zehir4.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "7f4e12e159360743ec016273c3b9108c"
strings:
$s9 = "Response.Write \"<a href='\"&dosyaPath&\"?status=7&Path=\"&Path&\"/"
condition:
all of them
}
rule webshell_wsb_idc {
meta:
description = "Web Shell - file idc.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "7c5b1b30196c51f1accbffb80296395f"
strings:
$s1 = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword
$s3 = "{eval($_GET['idc']);}" fullword
condition:
1 of them
}
rule webshell_cpg_143_incl_xpl {
meta:
description = "Web Shell - file cpg_143_incl_xpl.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5937b131b67d8e0afdbd589251a5e176"
strings:
$s3 = "$data=\"username=\".urlencode($USER).\"&password=\".urlencode($PA"
$s5 = "fputs($sun_tzu,\"<?php echo \\\"Hi Master!\\\";ini_set(\\\"max_execution_time"
condition:
1 of them
}
rule webshell_mumaasp_com {
meta:
description = "Web Shell - file mumaasp.com.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "cce32b2e18f5357c85b6d20f564ebd5d"
strings:
$s0 = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR"
condition:
all of them
}
rule webshell_php_404 {
meta:
description = "Web Shell - file 404.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ced050df5ca42064056a7ad610a191b3"
strings:
$s0 = "$pass = md5(md5(md5($pass)));" fullword
condition:
all of them
}
rule webshell_webshell_cnseay_x {
meta:
description = "Web Shell - file webshell-cnseay-x.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a0f9f7f5cd405a514a7f3be329f380e5"
strings:
$s9 = "$_F_F.='_'.$_P_P[5].$_P_P[20].$_P_P[13].$_P_P[2].$_P_P[19].$_P_P[8].$_P_"
condition:
all of them
}
rule webshell_asp_up {
meta:
description = "Web Shell - file up.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "f775e721cfe85019fe41c34f47c0d67c"
strings:
$s0 = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio"
$s1 = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" fullword
condition:
1 of them
}
rule webshell_phpkit_0_1a_odd {
meta:
description = "Web Shell - file odd.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3c30399e7480c09276f412271f60ed01"
strings:
$s1 = "include('php://input');" fullword
$s3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword
$s4 = "// uses include('php://input') to execute arbritary code" fullword
$s5 = "// php://input based backdoor" fullword
condition:
2 of them
}
rule webshell_ASP_cmd {
meta:
description = "Web Shell - file cmd.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "97af88b478422067f23b001dd06d56a9"
strings:
$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
condition:
all of them
}
rule webshell_PHP_Shell_x3 {
meta:
description = "Web Shell - file PHP Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
strings:
$s4 = " <?php echo buildUrl(\"<font color=\\\"navy\\\">["
$s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
$s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset("
condition:
2 of them
}
rule webshell_PHP_g00nv13 {
meta:
description = "Web Shell - file g00nv13.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "35ad2533192fe8a1a76c3276140db820"
strings:
$s1 = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas"
$s4 = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . $_SESSION['sql_p"
condition:
all of them
}
rule webshell_php_h6ss {
meta:
description = "Web Shell - file h6ss.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "272dde9a4a7265d6c139287560328cd5"
strings:
$s0 = "<?php eval(gzuncompress(base64_decode(\""
condition:
all of them
}
rule webshell_jsp_zx {
meta:
description = "Web Shell - file zx.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "67627c264db1e54a4720bd6a64721674"
strings:
$s0 = "if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.g"
condition:
all of them
}
rule webshell_Ani_Shell {
meta:
description = "Web Shell - file Ani-Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "889bfc9fbb8ee7832044fc575324d01a"
strings:
$s0 = "$Python_CODE = \"I"
$s6 = "$passwordPrompt = \"\\n================================================="
$s7 = "fputs ($sockfd ,\"\\n==============================================="
condition:
1 of them
}
rule webshell_jsp_k8cmd {
meta:
description = "Web Shell - file k8cmd.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b39544415e692a567455ff033a97a682"
strings:
$s2 = "if(request.getSession().getAttribute(\"hehe\").toString().equals(\"hehe\"))" fullword
condition:
all of them
}
rule webshell_jsp_cmd {
meta:
description = "Web Shell - file cmd.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5391c4a8af1ede757ba9d28865e75853"
strings:
$s6 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword
condition:
all of them
}
rule webshell_jsp_k81 {
meta:
description = "Web Shell - file k81.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "41efc5c71b6885add9c1d516371bd6af"
strings:
$s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword
$s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword
condition:
1 of them
}
rule webshell_ASP_zehir {
meta:
description = "Web Shell - file zehir.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "0061d800aee63ccaf41d2d62ec15985d"
strings:
$s9 = "Response.Write \"<font face=wingdings size=3><a href='\"&dosyaPath&\"?status=18&"
condition:
all of them
}
rule webshell_Worse_Linux_Shell {
meta:
description = "Web Shell - file Worse Linux Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "8338c8d9eab10bd38a7116eb534b5fa2"
strings:
$s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD"
condition:
all of them
}
rule webshell_zacosmall {
meta:
description = "Web Shell - file zacosmall.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5295ee8dc2f5fd416be442548d68f7a6"
strings:
$s0 = "if($cmd!==''){ echo('<strong>'.htmlspecialchars($cmd).\"</strong><hr>"
condition:
all of them
}
rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {
meta:
description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
strings:
$s1 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
condition:
all of them
}
rule webshell_redirect {
meta:
description = "Web Shell - file redirect.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "97da83c6e3efbba98df270cc70beb8f8"
strings:
$s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" "
condition:
all of them
}
rule webshell_jsp_cmdjsp {
meta:
description = "Web Shell - file cmdjsp.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b815611cc39f17f05a73444d699341d4"
strings:
$s5 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
condition:
all of them
}
rule webshell_Java_Shell {
meta:
description = "Web Shell - file Java Shell.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "36403bc776eb12e8b7cc0eb47c8aac83"
strings:
$s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword
$s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword
condition:
1 of them
}
rule webshell_asp_1d {
meta:
description = "Web Shell - file 1d.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "fad7504ca8a55d4453e552621f81563c"
strings:
$s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO"
condition:
all of them
}
rule webshell_jsp_IXRbE {
meta:
description = "Web Shell - file IXRbE.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e26e7e0ebc6e7662e1123452a939e2cd"
strings:
$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
condition:
all of them
}
rule webshell_PHP_G5 {
meta:
description = "Web Shell - file G5.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "95b4a56140a650c74ed2ec36f08d757f"
strings:
$s3 = "echo \"Hacking Mode?<br><select name='htype'><option >--------SELECT--------</op"
condition:
all of them
}
rule webshell_PHP_r57142 {
meta:
description = "Web Shell - file r57142.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "0911b6e6b8f4bcb05599b2885a7fe8a8"
strings:
$s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword
condition:
all of them
}
rule webshell_jsp_tree {
meta:
description = "Web Shell - file tree.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "bcdf7bbf7bbfa1ffa4f9a21957dbcdfa"
strings:
$s5 = "$('#tt2').tree('options').url = \"selectChild.action?checki"
$s6 = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ"
condition:
all of them
}
rule webshell_C99madShell_v_3_0_smowu {
meta:
description = "Web Shell - file smowu.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "74e1e7c7a6798f1663efb42882b85bee"
strings:
$s2 = "<tr><td width=\"50%\" height=\"1\" valign=\"top\"><center><b>:: Enter ::</b><for"
$s8 = "<p><font color=red>Wordpress Not Found! <input type=text id=\"wp_pat\"><input ty"
condition:
1 of them
}
rule webshell_simple_backdoor {
meta:
description = "Web Shell - file simple-backdoor.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "f091d1b9274c881f8e41b2f96e6b9936"
strings:
$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
$s1 = "if(isset($_REQUEST['cmd'])){" fullword
$s4 = "system($cmd);" fullword
condition:
2 of them
}
rule webshell_PHP_404 {
meta:
description = "Web Shell - file 404.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "078c55ac475ab9e028f94f879f548bca"
strings:
$s4 = "<span>Posix_getpwuid (\"Read\" /etc/passwd)"
condition:
all of them
}
rule webshell_Macker_s_Private_PHPShell {
meta:
description = "Web Shell - file Macker's Private PHPShell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e24cbf0e294da9ac2117dc660d890bb9"
strings:
$s3 = "echo \"<tr><td class=\\\"silver border\\\"> <strong>Server's PHP Version:&n"
$s4 = " <?php echo buildUrl(\"<font color=\\\"navy\\\">["
$s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
condition:
all of them
}
rule webshell_Antichat_Shell_v1_3_2 {
meta:
description = "Web Shell - file Antichat Shell v1.3.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "40d0abceba125868be7f3f990f031521"
strings:
$s3 = "$header='<html><head><title>'.getenv(\"HTTP_HOST\").' - Antichat Shell</title><m"
condition:
all of them
}
rule webshell_Safe_mode_breaker {
meta:
description = "Web Shell - file Safe mode breaker.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5bd07ccb1111950a5b47327946bfa194"
strings:
$s5 = "preg_match(\"/SAFE\\ MODE\\ Restriction\\ in\\ effect\\..*whose\\ uid\\ is("
$s6 = "$path =\"{$root}\".((substr($root,-1)!=\"/\") ? \"/\" : NULL)."
condition:
1 of them
}
rule webshell_Sst_Sheller {
meta:
description = "Web Shell - file Sst-Sheller.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d93c62a0a042252f7531d8632511ca56"
strings:
$s2 = "echo \"<a href='?page=filemanager&id=fm&fchmod=$dir$file'>"
$s3 = "<? unlink($filename); unlink($filename1); unlink($filename2); unlink($filename3)"
condition:
all of them
}
rule webshell_jsp_list {
meta:
description = "Web Shell - file list.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1ea290ff4259dcaeb680cec992738eda"
strings:
$s0 = "<FORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\">" fullword
$s2 = "out.print(\") <A Style='Color: \" + fcolor.toString() + \";' HRef='?file=\" + fn"
$s7 = "if(flist[i].canRead() == true) out.print(\"r\" ); else out.print(\"-\");" fullword
condition:
all of them
}
rule webshell_PHPJackal_v1_5 {
meta:
description = "Web Shell - file PHPJackal v1.5.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d76dc20a4017191216a0315b7286056f"
strings:
$s7 = "echo \"<center>${t}MySQL cilent:</td><td bgcolor=\\\"#333333\\\"></td></tr><form"
$s8 = "echo \"<center>${t}Wordlist generator:</td><td bgcolor=\\\"#333333\\\"></td></tr"
condition:
all of them
}
rule webshell_customize {
meta:
description = "Web Shell - file customize.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d55578eccad090f30f5d735b8ec530b1"
strings:
$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
condition:
all of them
}
rule webshell_s72_Shell_v1_1_Coding {
meta:
description = "Web Shell - file s72 Shell v1.1 Coding.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c2e8346a5515c81797af36e7e4a3828e"
strings:
$s5 = "<font face=\"Verdana\" style=\"font-size: 8pt\" color=\"#800080\">Buradan Dosya "
condition:
all of them
}
rule webshell_jsp_sys3 {
meta:
description = "Web Shell - file sys3.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b3028a854d07674f4d8a9cf2fb6137ec"
strings:
$s1 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" fullword
$s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\""
$s9 = "<%@page contentType=\"text/html;charset=gb2312\"%>" fullword
condition:
all of them
}
rule webshell_jsp_guige02 {
meta:
description = "Web Shell - file guige02.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a3b8b2280c56eaab777d633535baf21d"
strings:
$s0 = "????????????????%><html><head><title>hahahaha</title></head><body bgcolor=\"#fff"
$s1 = "<%@page contentType=\"text/html; charset=GBK\" import=\"java.io.*;\"%><%!private"
condition:
all of them
}
rule webshell_php_ghost {
meta:
description = "Web Shell - file ghost.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "38dc8383da0859dca82cf0c943dbf16d"
strings:
$s1 = "<?php $OOO000000=urldecode('%61%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64'"
$s6 = "//<img width=1 height=1 src=\"http://websafe.facaiok.com/just7z/sx.asp?u=***.***"
$s7 = "preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'(KmU(\"" fullword
condition:
all of them
}
rule webshell_WinX_Shell {
meta:
description = "Web Shell - file WinX Shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "17ab5086aef89d4951fe9b7c7a561dda"
strings:
$s5 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">Filenam"
$s8 = "print \"<font face=\\\"Verdana\\\" size=\\\"1\\\" color=\\\"#990000\\\">File: </"
condition:
all of them
}
rule webshell_Crystal_Crystal {
meta:
description = "Web Shell - file Crystal.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "fdbf54d5bf3264eb1c4bff1fac548879"
strings:
$s1 = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value"
$s6 = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f"
condition:
all of them
}
rule webshell_r57_1_4_0 {
meta:
description = "Web Shell - file r57.1.4.0.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "574f3303e131242568b0caf3de42f325"
strings:
$s4 = "@ini_set('error_log',NULL);" fullword
$s6 = "$pass='abcdef1234567890abcdef1234567890';" fullword
$s7 = "@ini_restore(\"disable_functions\");" fullword
$s9 = "@ini_restore(\"safe_mode_exec_dir\");" fullword
condition:
all of them
}
rule webshell_jsp_hsxa1 {
meta:
description = "Web Shell - file hsxa1.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5686d5a38c6f5b8c55095af95c2b0244"
strings:
$s0 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%><jsp:directive.page import=\"ja"
condition:
all of them
}
rule webshell_asp_ajn {
meta:
description = "Web Shell - file ajn.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "aaafafc5d286f0bff827a931f6378d04"
strings:
$s1 = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword
$s6 = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve"
condition:
all of them
}
rule webshell_php_cmd {
meta:
description = "Web Shell - file cmd.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "c38ae5ba61fd84f6bbbab98d89d8a346"
strings:
$s0 = "if($_GET['cmd']) {" fullword
$s1 = "// cmd.php = Command Execution" fullword
$s7 = " system($_GET['cmd']);" fullword
condition:
all of them
}
rule webshell_asp_list {
meta:
description = "Web Shell - file list.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1cfa493a165eb4b43e6d4cc0f2eab575"
strings:
$s0 = "<INPUT TYPE=\"hidden\" NAME=\"type\" value=\"<%=tipo%>\">" fullword
$s4 = "Response.Write(\"<h3>FILE: \" & file & \"</h3>\")" fullword
condition:
all of them
}
rule webshell_PHP_co {
meta:
description = "Web Shell - file co.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "62199f5ac721a0cb9b28f465a513874c"
strings:
$s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword
$s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword
condition:
all of them
}
rule webshell_PHP_150 {
meta:
description = "Web Shell - file 150.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "400c4b0bed5c90f048398e1d268ce4dc"
strings:
$s0 = "HJ3HjqxclkZfp"
$s1 = "<? eval(gzinflate(base64_decode('" fullword
condition:
all of them
}
rule webshell_jsp_cmdjsp_2 {
meta:
description = "Web Shell - file cmdjsp.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "1b5ae3649f03784e2a5073fa4d160c8b"
strings:
$s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
$s4 = "<FORM METHOD=GET ACTION='cmdjsp.jsp'>" fullword
condition:
all of them
}
rule webshell_PHP_c37 {
meta:
description = "Web Shell - file c37.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d01144c04e7a46870a8dd823eb2fe5c8"
strings:
$s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),"
$s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],"
condition:
all of them
}
rule webshell_PHP_b37 {
meta:
description = "Web Shell - file b37.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "0421445303cfd0ec6bc20b3846e30ff0"
strings:
$s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc"
condition:
all of them
}
rule webshell_php_backdoor {
meta:
description = "Web Shell - file php-backdoor.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
strings:
$s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword
$s2 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
condition:
all of them
}
rule webshell_asp_dabao {
meta:
description = "Web Shell - file dabao.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3919b959e3fa7e86d52c2b0a91588d5d"
strings:
$s2 = " Echo \"<input type=button name=Submit onclick=\"\"document.location ='\" &"
$s8 = " Echo \"document.Frm_Pack.FileName.value=\"\"\"\"+year+\"\"-\"\"+(month+1)+\"\"-"
condition:
all of them
}
rule webshell_php_2 {
meta:
description = "Web Shell - file 2.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "267c37c3a285a84f541066fc5b3c1747"
strings:
$s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword
condition:
all of them
}
rule webshell_asp_cmdasp {
meta:
description = "Web Shell - file cmdasp.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "57b51418a799d2d016be546f399c2e9b"
strings:
$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
$s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
condition:
all of them
}
rule webshell_spjspshell {
meta:
description = "Web Shell - file spjspshell.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "d39d51154aaad4ba89947c459a729971"
strings:
$s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:"
condition:
all of them
}
rule webshell_jsp_action {
meta:
description = "Web Shell - file action.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "5a7d931094f5570aaf5b7b3b06c3d8c0"
strings:
$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
$s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
condition:
all of them
}
rule webshell_Inderxer {
meta:
description = "Web Shell - file Inderxer.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "9ea82afb8c7070817d4cdf686abe0300"
strings:
$s4 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
condition:
all of them
}
rule webshell_asp_Rader {
meta:
description = "Web Shell - file Rader.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ad1a362e0a24c4475335e3e891a01731"
strings:
$s1 = "FONT-WEIGHT: bold; FONT-SIZE: 10px; BACKGROUND: none transparent scroll repeat 0"
$s3 = "m\" target=inf onClick=\"window.open('?action=help','inf','width=450,height=400 "
condition:
all of them
}
rule webshell_c99_madnet_smowu {
meta:
description = "Web Shell - file smowu.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3aaa8cad47055ba53190020311b0fb83"
strings:
$s0 = "//Authentication" fullword
$s1 = "$login = \"" fullword
$s2 = "eval(gzinflate(base64_decode('"
$s4 = "//Pass"
$s5 = "$md5_pass = \""
$s6 = "//If no pass then hash"
condition:
all of them
}
rule webshell_php_moon {
meta:
description = "Web Shell - file moon.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "2a2b1b783d3a2fa9a50b1496afa6e356"
strings:
$s2 = "echo '<option value=\"create function backshell returns string soname"
$s3 = "echo \"<input name='p' type='text' size='27' value='\".dirname(_FILE_).\""
$s8 = "echo '<option value=\"select cmdshell(\\'net user "
condition:
2 of them
}
rule webshell_jsp_jdbc {
meta:
description = "Web Shell - file jdbc.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "23b0e6f91a8f0d93b9c51a2a442119ce"
strings:
$s4 = "String cs = request.getParameter(\"z0\")==null?\"gbk\": request.getParameter(\"z"
condition:
all of them
}
rule webshell_minupload {
meta:
description = "Web Shell - file minupload.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ec905a1395d176c27f388d202375bdf9"
strings:
$s0 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\"> " fullword
$s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859"
condition:
all of them
}
rule webshell_ELMALISEKER_Backd00r {
meta:
description = "Web Shell - file ELMALISEKER Backd00r.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "3aa403e0a42badb2c23d4a54ef43e2f4"
strings:
$s0 = "response.write(\"<tr><td bgcolor=#F8F8FF><input type=submit name=cmdtxtFileOptio"
$s2 = "if FP = \"RefreshFolder\" or request.form(\"cmdOption\")=\"DeleteFolder\" or req"
condition:
all of them
}
rule webshell_PHP_bug_1_ {
meta:
description = "Web Shell - file bug (1).php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "91c5fae02ab16d51fc5af9354ac2f015"
strings:
$s0 = "@include($_GET['bug']);" fullword
condition:
all of them
}
rule webshell_caidao_shell_hkmjj {
meta:
description = "Web Shell - file hkmjj.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "e7b994fe9f878154ca18b7cde91ad2d0"
strings:
$s6 = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\" " fullword
condition:
all of them
}
rule webshell_jsp_asd {
meta:
description = "Web Shell - file asd.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "a042c2ca64176410236fcc97484ec599"
strings:
$s3 = "<%@ page language=\"java\" pageEncoding=\"gbk\"%>" fullword
$s6 = "<input size=\"100\" value=\"<%=application.getRealPath(\"/\") %>\" name=\"url"
condition:
all of them
}
rule webshell_jsp_inback3 {
meta:
description = "Web Shell - file inback3.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "ea5612492780a26b8aa7e5cedd9b8f4e"
strings:
$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
condition:
all of them
}
rule webshell_metaslsoft {
meta:
description = "Web Shell - file metaslsoft.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "aa328ed1476f4a10c0bcc2dde4461789"
strings:
$s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t"
condition:
all of them
}
rule webshell_asp_Ajan {
meta:
description = "Web Shell - file Ajan.asp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
hash = "b6f468252407efc2318639da22b08af0"
strings:
$s3 = "entrika.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreate"
condition:
all of them
}
rule webshell_config_myxx_zend {
meta:
description = "Web Shell - from files config.jsp, myxx.jsp, zend.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "d44df8b1543b837e57cc8f25a0a68d92"
hash1 = "e0354099bee243702eb11df8d0e046df"
hash2 = "591ca89a25f06cf01e4345f98a22845c"
strings:
$s3 = ".println(\"<a href=\\\"javascript:alert('You Are In File Now ! Can Not Pack !');"
condition:
all of them
}
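The `super_rule = 1` rules that begin here differ from the single-file rules above: their strings are the ones shared by every file of a family (here config.jsp, myxx.jsp and zend.jsp) and absent from known-good code, so one rule covers all the variants, and the `hashN` fields list the MD5 of each member. The following script, added as an illustration and not part of whohk, yarGen or the THOR rules, shows that construction on three constructed JSP snippets and one constructed benign page: it extracts `strings`-style printable runs, intersects them across the family, drops anything also seen in the goodware set, and renders the result in this file's rule layout. File names and contents are made up for the example; a real generator would also score strings and use a much larger goodware corpus.

```python
# Added example (not part of whohk, yarGen or the THOR rules): how the strings
# of a "super rule" are derived. The JSP snippets below are constructed.
import hashlib
import re
from typing import Dict, List, Set

# Like `strings -n 8`: runs of at least 8 printable ASCII bytes. A newline ends
# a run, so for source files each sufficiently long line is one candidate.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")


def extract_strings(data: bytes) -> Set[bytes]:
    return set(_PRINTABLE.findall(data))


def super_strings(family: Dict[str, bytes], goodware: Dict[str, bytes]) -> List[bytes]:
    """Strings found in every family file and in no goodware file, longest first."""
    per_file = [extract_strings(d) for d in family.values()]
    if not per_file:
        return []
    shared = set.intersection(*per_file)
    benign = set().union(*(extract_strings(d) for d in goodware.values()))
    return sorted(shared - benign, key=len, reverse=True)


def yara_escape(s: bytes) -> str:
    """Escape a literal for a YARA text string (backslash first, then quote)."""
    return s.decode("ascii").replace("\\", "\\\\").replace('"', '\\"')


def render_rule(name: str, family: Dict[str, bytes], strings: List[bytes]) -> str:
    """Emit a rule in the layout used in this file (MD5 per file, super_rule = 1)."""
    lines = [f"rule {name} {{",
             "    meta:",
             f'        description = "Web Shell - from files {", ".join(family)}"',
             "        super_rule = 1"]
    for i, data in enumerate(family.values()):
        lines.append(f'        hash{i} = "{hashlib.md5(data).hexdigest()}"')
    lines.append("    strings:")
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}"')
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)


# Constructed family: three variants sharing one distinctive line, plus a
# boilerplate page directive that also appears in the benign page.
HEADER = b'<%@ page import="java.io.*" %>'
COMMON = b'out.println("<a href=\\"javascript:alert(\'Can Not Pack !\');\\">");'
FAMILY = {
    "config.jsp": HEADER + b'\nString dir = request.getParameter("dir");\n' + COMMON + b"\n",
    "myxx.jsp": HEADER + b'\nString cmd = request.getParameter("c");\n' + COMMON + b"\n",
    "zend.jsp": b"<%-- zend --%>\n" + HEADER + b"\n" + COMMON + b'\nout.println("done");\n',
}
GOODWARE = {"index.jsp": HEADER + b'\nout.println("Hello");\n'}


if __name__ == "__main__":
    print(render_rule("webshell_config_myxx_zend", FAMILY,
                      super_strings(FAMILY, GOODWARE)))
```

Without the goodware subtraction the page directive would survive the intersection and end up as a rule string, which is exactly how over-broad signatures get shipped; the check against known-good code is the part that keeps a super rule from matching every JSP on the server.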
rule webshell_browser_201_3_ma_download {
meta:
description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "37603e44ee6dc1c359feb68a0d566f76"
hash1 = "a7e25b8ac605753ed0c438db93f6c498"
hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
hash4 = "fa87bbd7201021c1aefee6fcc5b8e25a"
strings:
$s2 = "<small>jsp File Browser version <%= VERSION_NR%> by <a"
$s3 = "else if (fName.endsWith(\".mpg\") || fName.endsWith(\".mpeg\") || fName.endsWith"
condition:
all of them
}
rule webshell_itsec_itsecteam_shell_jHn {
meta:
description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "8ae9d2b50dc382f0571cd7492f079836"
hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4"
hash2 = "40c6ecf77253e805ace85f119fe1cebb"
strings:
$s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b"
$s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'"
condition:
all of them
}
rule webshell_ghost_source_icesword_silic {
meta:
description = "Web Shell - from files ghost_source.php, icesword.php, silic.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "cbf64a56306c1b5d98898468fc1fdbd8"
hash1 = "6e20b41c040efb453d57780025a292ae"
hash2 = "437d30c94f8eef92dc2f064de4998695"
strings:
$s3 = "if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $"
$s6 = "if(!empty($_FILES['ufp']['name'])){if($_POST['ufn'] != '') $upfilename = $_POST["
condition:
all of them
}
rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
hash4 = "8b457934da3821ba58b06a113e0d53d9"
hash5 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
hash6 = "14e9688c86b454ed48171a9d4f48ace8"
hash7 = "b330a6c2d49124ef0729539761d6ef0b"
hash8 = "d71716df5042880ef84427acee8b121e"
hash9 = "341298482cf90febebb8616426080d1d"
hash10 = "29aebe333d6332f0ebc2258def94d57e"
hash11 = "42654af68e5d4ea217e6ece5389eb302"
hash12 = "88fc87e7c58249a398efd5ceae636073"
hash13 = "4a812678308475c64132a9b56254edbc"
hash14 = "9626eef1a8b9b8d773a3b2af09306a10"
hash15 = "344f9073576a066142b2023629539ebd"
hash16 = "32dea47d9c13f9000c4c807561341bee"
hash17 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash18 = "655722eaa6c646437c8ae93daac46ae0"
hash19 = "b9744f6876919c46a29ea05b1d95b1c3"
hash20 = "9c94637f76e68487fa33f7b0030dd932"
hash21 = "6acc82544be056580c3a1caaa4999956"
hash22 = "6aa32a6392840e161a018f3907a86968"
hash23 = "349ec229e3f8eda0f9eb918c74a8bf4c"
hash24 = "3ea688e3439a1f56b16694667938316d"
hash25 = "ab77e4d1006259d7cbc15884416ca88c"
hash26 = "71097537a91fac6b01f46f66ee2d7749"
hash27 = "2434a7a07cb47ce25b41d30bc291cacc"
hash28 = "7a4b090619ecce6f7bd838fe5c58554b"
strings:
$s8 = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype="
$s9 = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T"
condition:
all of them
}
rule webshell_2_520_job_ma1_ma4_2 {
meta:
description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "64a3bf9142b045b9062b204db39d4d57"
hash1 = "9abd397c6498c41967b4dd327cf8b55a"
hash2 = "56c005690da2558690c4aa305a31ad37"
hash3 = "532b93e02cddfbb548ce5938fe2f5559"
hash4 = "6e0fa491d620d4af4b67bae9162844ae"
hash5 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
strings:
$s4 = "_url = \"jdbc:microsoft:sqlserver://\" + dbServer + \":\" + dbPort + \";User=\" "
$s9 = "result += \"<meta http-equiv=\\\"refresh\\\" content=\\\"2;url=\" + request.getR"
condition:
all of them
}
rule webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
hash4 = "8b457934da3821ba58b06a113e0d53d9"
hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
hash7 = "14e9688c86b454ed48171a9d4f48ace8"
hash8 = "b330a6c2d49124ef0729539761d6ef0b"
hash9 = "d71716df5042880ef84427acee8b121e"
hash10 = "341298482cf90febebb8616426080d1d"
hash11 = "29aebe333d6332f0ebc2258def94d57e"
hash12 = "42654af68e5d4ea217e6ece5389eb302"
hash13 = "88fc87e7c58249a398efd5ceae636073"
hash14 = "4a812678308475c64132a9b56254edbc"
hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
hash16 = "e0354099bee243702eb11df8d0e046df"
hash17 = "344f9073576a066142b2023629539ebd"
hash18 = "32dea47d9c13f9000c4c807561341bee"
hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash20 = "655722eaa6c646437c8ae93daac46ae0"
hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
hash22 = "9c94637f76e68487fa33f7b0030dd932"
hash23 = "6acc82544be056580c3a1caaa4999956"
hash24 = "6aa32a6392840e161a018f3907a86968"
hash25 = "591ca89a25f06cf01e4345f98a22845c"
hash26 = "349ec229e3f8eda0f9eb918c74a8bf4c"
hash27 = "3ea688e3439a1f56b16694667938316d"
hash28 = "ab77e4d1006259d7cbc15884416ca88c"
hash29 = "71097537a91fac6b01f46f66ee2d7749"
hash30 = "2434a7a07cb47ce25b41d30bc291cacc"
hash31 = "7a4b090619ecce6f7bd838fe5c58554b"
strings:
$s0 = "ports = \"21,25,80,110,1433,1723,3306,3389,4899,5631,43958,65500\";" fullword
$s1 = "private static class VEditPropertyInvoker extends DefaultInvoker {" fullword
condition:
all of them
}
rule webshell_wso2_5_1_wso2_5_wso2 {
meta:
description = "Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "dbeecd555a2ef80615f0894027ad75dc"
hash1 = "7c8e5d31aad28eb1f0a9a53145551e05"
hash2 = "cbc44fb78220958f81b739b493024688"
strings:
$s7 = "$opt_charsets .= '<option value=\"'.$item.'\" '.($_POST['charset']==$item?'selec"
$s8 = ".'</td><td><a href=\"#\" onclick=\"g(\\'FilesTools\\',null,\\''.urlencode($f['na"
condition:
all of them
}
rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "8b457934da3821ba58b06a113e0d53d9"
hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash4 = "655722eaa6c646437c8ae93daac46ae0"
hash5 = "9c94637f76e68487fa33f7b0030dd932"
strings:
$s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')"
$s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\""
condition:
all of them
}
rule webshell_404_data_suiyue {
meta:
description = "Web Shell - from files 404.jsp, data.jsp, suiyue.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "7066f4469c3ec20f4890535b5f299122"
hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
hash2 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
strings:
$s3 = " sbCopy.append(\"<input type=button name=goback value=' \"+strBack[languageNo]+"
condition:
all of them
}
rule webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx {
meta:
description = "Web Shell - from files r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ef43fef943e9df90ddb6257950b3538f"
hash1 = "ae025c886fbe7f9ed159f49593674832"
hash2 = "911195a9b7c010f61b66439d9048f400"
hash3 = "697dae78c040150daff7db751fc0c03c"
hash4 = "513b7be8bd0595c377283a7c87b44b2e"
hash5 = "1d912c55b96e2efe8ca873d6040e3b30"
hash6 = "e5b2131dd1db0dbdb43b53c5ce99016a"
hash7 = "4108f28a9792b50d95f95b9e5314fa1e"
hash8 = "41af6fd253648885c7ad2ed524e0692d"
hash9 = "6fcc283470465eed4870bcc3e2d7f14d"
strings:
$s2 = "echo sr(15,\"<b>\".$lang[$language.'_text58'].$arrow.\"</b>\",in('text','mk_name"
$s3 = "echo sr(15,\"<b>\".$lang[$language.'_text21'].$arrow.\"</b>\",in('checkbox','nf1"
$s9 = "echo sr(40,\"<b>\".$lang[$language.'_text26'].$arrow.\"</b>\",\"<select size="
condition:
all of them
}
rule webshell_807_a_css_dm_he1p_JspSpy_xxx {
meta:
description = "Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash1 = "76037ebd781ad0eac363d56fc81f4b4f"
hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
hash3 = "14e9688c86b454ed48171a9d4f48ace8"
hash4 = "b330a6c2d49124ef0729539761d6ef0b"
hash5 = "d71716df5042880ef84427acee8b121e"
hash6 = "341298482cf90febebb8616426080d1d"
hash7 = "29aebe333d6332f0ebc2258def94d57e"
hash8 = "42654af68e5d4ea217e6ece5389eb302"
hash9 = "88fc87e7c58249a398efd5ceae636073"
hash10 = "4a812678308475c64132a9b56254edbc"
hash11 = "9626eef1a8b9b8d773a3b2af09306a10"
hash12 = "344f9073576a066142b2023629539ebd"
hash13 = "32dea47d9c13f9000c4c807561341bee"
hash14 = "b9744f6876919c46a29ea05b1d95b1c3"
hash15 = "6acc82544be056580c3a1caaa4999956"
hash16 = "6aa32a6392840e161a018f3907a86968"
hash17 = "349ec229e3f8eda0f9eb918c74a8bf4c"
hash18 = "3ea688e3439a1f56b16694667938316d"
hash19 = "ab77e4d1006259d7cbc15884416ca88c"
hash20 = "71097537a91fac6b01f46f66ee2d7749"
hash21 = "2434a7a07cb47ce25b41d30bc291cacc"
hash22 = "7a4b090619ecce6f7bd838fe5c58554b"
strings:
$s1 = "\"<h2>Remote Control »</h2><input class=\\\"bt\\\" onclick=\\\"var"
$s2 = "\"<p>Current File (import new file name and new file)<br /><input class=\\\"inpu"
$s3 = "\"<p>Current file (fullpath)<br /><input class=\\\"input\\\" name=\\\"file\\\" i"
condition:
all of them
}
rule webshell_201_3_ma_download {
meta:
description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "a7e25b8ac605753ed0c438db93f6c498"
hash1 = "fb8c6c3a69b93e5e7193036fd31a958d"
hash2 = "4cc68fa572e88b669bce606c7ace0ae9"
hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a"
strings:
$s0 = "<input title=\"Upload selected file to the current working directory\" type=\"Su"
$s5 = "<input title=\"Launch command in current directory\" type=\"Submit\" class=\"but"
$s6 = "<input title=\"Delete all selected files and directories incl. subdirs\" class="
condition:
all of them
}
rule webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download {
meta:
description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, ma.jsp, warn.jsp, webshell-nc.jsp, download.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "37603e44ee6dc1c359feb68a0d566f76"
hash1 = "a7e25b8ac605753ed0c438db93f6c498"
hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
hash3 = "36331f2c81bad763528d0ae00edf55be"
hash4 = "793b3d0a740dbf355df3e6f68b8217a4"
hash5 = "8979594423b68489024447474d113894"
hash6 = "ec482fc969d182e5440521c913bab9bd"
hash7 = "f98d2b33cd777e160d1489afed96de39"
hash8 = "4b4c12b3002fad88ca6346a873855209"
hash9 = "4cc68fa572e88b669bce606c7ace0ae9"
hash10 = "e9a5280f77537e23da2545306f6a19ad"
hash11 = "598eef7544935cf2139d1eada4375bb5"
hash12 = "fa87bbd7201021c1aefee6fcc5b8e25a"
strings:
$s4 = "UplInfo info = UploadMonitor.getInfo(fi.clientFileName);" fullword
$s5 = "long time = (System.currentTimeMillis() - starttime) / 1000l;" fullword
condition:
all of them
}
rule webshell_shell_phpspy_2006_arabicspy {
meta:
description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "791708057d8b429d91357d38edf43cc0"
hash1 = "40a1f840111996ff7200d18968e42cfe"
hash2 = "e0202adff532b28ef1ba206cf95962f2"
strings:
$s0 = "elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype"
$s8 = "echo \"<form action=\\\"?action=shell&dir=\".urlencode($dir).\"\\\" method=\\\"P"
condition:
all of them
}
rule webshell_in_JFolder_jfolder01_jsp_leo_warn {
meta:
description = "Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "793b3d0a740dbf355df3e6f68b8217a4"
hash1 = "8979594423b68489024447474d113894"
hash2 = "ec482fc969d182e5440521c913bab9bd"
hash3 = "f98d2b33cd777e160d1489afed96de39"
hash4 = "4b4c12b3002fad88ca6346a873855209"
hash5 = "e9a5280f77537e23da2545306f6a19ad"
strings:
$s4 = "sbFile.append(\" <a href=\\\"javascript:doForm('down','\"+formatPath(strD"
$s9 = "sbFile.append(\" <a href=\\\"javascript:doForm('edit','\"+formatPath(strDi"
condition:
all of them
}
rule webshell_2_520_icesword_job_ma1_ma4_2 {
meta:
description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "64a3bf9142b045b9062b204db39d4d57"
hash1 = "9abd397c6498c41967b4dd327cf8b55a"
hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
hash3 = "56c005690da2558690c4aa305a31ad37"
hash4 = "532b93e02cddfbb548ce5938fe2f5559"
hash5 = "6e0fa491d620d4af4b67bae9162844ae"
hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
strings:
$s2 = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\","
$s3 = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" /> <input typ"
$s9 = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor"
condition:
all of them
}
rule webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY {
meta:
description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
hash1 = "42f211cec8032eb0881e87ebdb3d7224"
hash2 = "0712e3dc262b4e1f98ed25760b206836"
strings:
$s6 = "<input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['comma"
$s7 = "echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],\"\".$uploaddir.\"/\".$_FILE"
$s8 = "<option value=\"passthru\" <? if ($execfunc==\"passthru\") { echo \"selected\"; "
condition:
2 of them
}
rule webshell_shell_phpspy_2006_arabicspy_hkrkoz {
meta:
description = "Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "791708057d8b429d91357d38edf43cc0"
hash1 = "40a1f840111996ff7200d18968e42cfe"
hash2 = "e0202adff532b28ef1ba206cf95962f2"
hash3 = "802f5cae46d394b297482fd0c27cb2fc"
strings:
$s5 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname."
condition:
all of them
}
rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {
meta:
description = "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
hash1 = "f2fa878de03732fbf5c86d656467ff50"
hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c"
hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b"
hash4 = "68c0629d08b1664f5bcce7d7f5f71d22"
hash5 = "048ccc01b873b40d57ce25a4c56ea717"
strings:
$s8 = "else {echo \"Running datapipe... ok! Connect to <b>\".getenv(\"SERVER_ADDR\""
condition:
all of them
}
rule webshell_2008_2009lite_2009mssql {
meta:
description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
hash1 = "3f4d454d27ecc0013e783ed921eeecde"
hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
strings:
$s0 = "<a href=\"javascript:godir(\\''.$drive->Path.'/\\');"
$s7 = "p('<h2>File Manager - Current disk free '.sizecount($free).' of '.sizecount($all"
condition:
all of them
}
rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {
meta:
description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "791708057d8b429d91357d38edf43cc0"
hash1 = "b68bfafc6059fd26732fa07fb6f7f640"
hash2 = "42f211cec8032eb0881e87ebdb3d7224"
hash3 = "40a1f840111996ff7200d18968e42cfe"
hash4 = "e0202adff532b28ef1ba206cf95962f2"
hash5 = "0712e3dc262b4e1f98ed25760b206836"
hash6 = "802f5cae46d394b297482fd0c27cb2fc"
strings:
$s0 = "$mainpath_info = explode('/', $mainpath);" fullword
$s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d"
condition:
all of them
}
rule webshell_807_dm_JspSpyJDK5_m_cofigrue {
meta:
description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash1 = "14e9688c86b454ed48171a9d4f48ace8"
hash2 = "341298482cf90febebb8616426080d1d"
hash3 = "88fc87e7c58249a398efd5ceae636073"
hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c"
strings:
$s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword
$s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(), \"GBK\");" fullword
condition:
1 of them
}
rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {
meta:
description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "1b5102bdc41a7bc439eea8f0010310a5"
hash1 = "f8a6d5306fb37414c5c772315a27832f"
hash2 = "37cb1db26b1b0161a4bf678a6b4565bd"
strings:
$s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals"
$s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword
condition:
all of them
}
rule webshell_404_data_in_JFolder_jfolder01_xxx {
meta:
description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "7066f4469c3ec20f4890535b5f299122"
hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
hash3 = "8979594423b68489024447474d113894"
hash4 = "ec482fc969d182e5440521c913bab9bd"
hash5 = "f98d2b33cd777e160d1489afed96de39"
hash6 = "4b4c12b3002fad88ca6346a873855209"
hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
hash8 = "e9a5280f77537e23da2545306f6a19ad"
strings:
$s4 = " <TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE"
condition:
all of them
}
rule webshell_jsp_reverse_jsp_reverse_jspbd {
meta:
description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp"
author = "Florian Roth"
date = "2014/01/28"
super_rule = 1
hash0 = "8b0e6779f25a17f0ffb3df14122ba594"
hash1 = "ea87f0c1f0535610becadf5a98aca2fc"
hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f"
score = 50
strings:
$s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword
$s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword
$s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword
condition:
all of them
}
rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc {
meta:
description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "36331f2c81bad763528d0ae00edf55be"
hash1 = "793b3d0a740dbf355df3e6f68b8217a4"
hash2 = "8979594423b68489024447474d113894"
hash3 = "ec482fc969d182e5440521c913bab9bd"
hash4 = "f98d2b33cd777e160d1489afed96de39"
hash5 = "4b4c12b3002fad88ca6346a873855209"
hash6 = "e9a5280f77537e23da2545306f6a19ad"
hash7 = "598eef7544935cf2139d1eada4375bb5"
strings:
$s0 = "sbFolder.append(\"<tr><td > </td><td>\");" fullword
$s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword
$s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword
$s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword
condition:
2 of them
}
rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 {
meta:
description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "64a3bf9142b045b9062b204db39d4d57"
hash1 = "9abd397c6498c41967b4dd327cf8b55a"
hash2 = "56c005690da2558690c4aa305a31ad37"
hash3 = "70a0ee2624e5bbe5525ccadc467519f6"
hash4 = "532b93e02cddfbb548ce5938fe2f5559"
hash5 = "6e0fa491d620d4af4b67bae9162844ae"
hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd"
strings:
$s1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword
$s6 = "password = (String)session.getAttribute(\"password\");" fullword
$s7 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231"
condition:
2 of them
}
rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
meta:
description = "Web Shell - from files shell.php, 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
author = "Florian Roth"
date = "2014/01/28"
score = 60
super_rule = 1
hash0 = "791708057d8b429d91357d38edf43cc0"
hash1 = "3e4ba470d4c38765e4b16ed930facf2c"
hash2 = "aa17b71bb93c6789911bd1c9df834ff9"
hash3 = "b68bfafc6059fd26732fa07fb6f7f640"
hash4 = "40a1f840111996ff7200d18968e42cfe"
hash5 = "e0202adff532b28ef1ba206cf95962f2"
hash6 = "802f5cae46d394b297482fd0c27cb2fc"
strings:
$s0 = "$tabledump .= \"'\".mysql_escape_string($row[$fieldcounter]).\"'\";" fullword
$s5 = "while(list($kname, $columns) = @each($index)) {" fullword
$s6 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\";" fullword
$s9 = "$tabledump .= \" PRIMARY KEY ($colnames)\";" fullword
$fn = "filename: backup"
condition:
2 of ($s*) and not $fn
}
rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx {
meta:
description = "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4"
hash1 = "ef43fef943e9df90ddb6257950b3538f"
hash2 = "ae025c886fbe7f9ed159f49593674832"
hash3 = "911195a9b7c010f61b66439d9048f400"
hash4 = "697dae78c040150daff7db751fc0c03c"
hash5 = "513b7be8bd0595c377283a7c87b44b2e"
hash6 = "1d912c55b96e2efe8ca873d6040e3b30"
hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a"
hash8 = "4108f28a9792b50d95f95b9e5314fa1e"
hash9 = "41af6fd253648885c7ad2ed524e0692d"
hash10 = "6fcc283470465eed4870bcc3e2d7f14d"
strings:
$s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI"
$s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC"
condition:
all of them
}
rule webshell_itsec_PHPJackal_itsecteam_shell_jHn {
meta:
description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "8ae9d2b50dc382f0571cd7492f079836"
hash1 = "e2830d3286001d1455479849aacbbb38"
hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4"
hash3 = "40c6ecf77253e805ace85f119fe1cebb"
strings:
$s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword
$s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|"
$s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+"
condition:
2 of them
}
rule webshell_Shell_ci_Biz_was_here_c100_v_xxx {
meta:
description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "f2fa878de03732fbf5c86d656467ff50"
hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c"
hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
strings:
$s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri"
$s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\""
$s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword
$s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de"
$s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER"
condition:
2 of them
}
rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 {
meta:
description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, KAdot Universal Shell v0.1.6.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "0b19e9de790cd2f4325f8c24b22af540"
hash1 = "f3ca29b7999643507081caab926e2e74"
hash2 = "527cf81f9272919bf872007e21c4bdda"
strings:
$s1 = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type="
$s2 = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword
$s6 = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword
$s7 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword
condition:
2 of them
}
rule webshell_c99_c99shell_c99_w4cking_Shell_xxx {
meta:
description = "Web Shell - from files c99.php, c99shell.php, c99_w4cking.php, Shell [ci] .Biz was here.php, acid.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99.php, c99shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
hash1 = "d3f38a6dc54a73d304932d9227a739ec"
hash2 = "9c34adbc8fd8d908cbb341734830f971"
hash3 = "f2fa878de03732fbf5c86d656467ff50"
hash4 = "b8f261a3cdf23398d573aaf55eaf63b5"
hash5 = "27786d1e0b1046a1a7f67ee41c64bf4c"
hash6 = "0f5b9238d281bc6ac13406bb24ac2a5b"
hash7 = "68c0629d08b1664f5bcce7d7f5f71d22"
hash8 = "157b4ac3c7ba3a36e546e81e9279eab5"
hash9 = "048ccc01b873b40d57ce25a4c56ea717"
strings:
$s0 = "echo \"<b>HEXDUMP:</b><nobr>"
$s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword
$s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r"
$s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB "
$s8 = "echo \"<center><b>Server-status variables:</b><br><br>\";" fullword
$s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"</textarea>"
condition:
2 of them
}
rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {
meta:
description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "3e4ba470d4c38765e4b16ed930facf2c"
hash1 = "aa17b71bb93c6789911bd1c9df834ff9"
hash2 = "b68bfafc6059fd26732fa07fb6f7f640"
hash3 = "40a1f840111996ff7200d18968e42cfe"
hash4 = "e0202adff532b28ef1ba206cf95962f2"
hash5 = "802f5cae46d394b297482fd0c27cb2fc"
strings:
$s0 = "$this -> addFile($content, $filename);" fullword
$s3 = "function addFile($data, $name, $time = 0) {" fullword
$s8 = "function unix2DosTime($unixtime = 0) {" fullword
$s9 = "foreach($filelist as $filename){" fullword
condition:
all of them
}
rule webshell_c99_c66_c99_shadows_mod_c99shell {
meta:
description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b"
hash2 = "68c0629d08b1664f5bcce7d7f5f71d22"
hash3 = "048ccc01b873b40d57ce25a4c56ea717"
strings:
$s2 = " if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv"
$s3 = " \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword
$s4 = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66"
$s7 = " elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources"
$s8 = " \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos"
$s9 = " elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!"
condition:
2 of them
}
rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {
meta:
description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "b330a6c2d49124ef0729539761d6ef0b"
hash1 = "d71716df5042880ef84427acee8b121e"
hash2 = "344f9073576a066142b2023629539ebd"
hash3 = "32dea47d9c13f9000c4c807561341bee"
hash4 = "b9744f6876919c46a29ea05b1d95b1c3"
hash5 = "3ea688e3439a1f56b16694667938316d"
hash6 = "2434a7a07cb47ce25b41d30bc291cacc"
strings:
$s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>\"+" fullword
$s4 = "out.println(\"<h2>File Manager - Current disk "\"+(cr.indexOf(\"/\") == 0?"
$s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword
$s8 = "\"<td nowrap>\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"</td>"
condition:
2 of them
}
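Added example, not part of whohk or of the THOR rule set above: a small Python lint for the `$name = "..."` lines of a rule file like this one. YARA rejects the whole file if a single text literal contains an unescaped double quote (easy to lose in the long yarGen strings used here, e.g. `disk "\"+`), so a scanner loading the file gets a compile error and none of the rules, not just the broken one. The lint decodes each literal the way YARA's string lexer does and reports anything other than string modifiers after the closing quote. The rule name, sample lines and the `lint_*` / `parse_yara_text_string` function names are constructed for this example; the authoritative check remains compiling the file with `yarac`.

```python
"""Lint the text-string definitions in a YARA rule file (added example, not whohk code).

A single unescaped '"' inside a YARA string makes yara reject the whole file, so every
rule in it silently stops loading. This checks each `$name = "..."` line the same way
the YARA lexer does: the literal must be one well-escaped string followed only by
string modifiers. Hex strings and regexes are out of scope here.
"""
import re

# Start of a text-string definition inside a `strings:` section.
STRING_DEF = re.compile(r'^\s*(\$[A-Za-z0-9_]*)\s*=\s*"')

# Tokens allowed after the closing quote (YARA string modifiers), e.g. `fullword`,
# `xor(0x01-0xff)`, `base64("...")`. Anything else means the literal closed too early.
MODIFIER = re.compile(r'^(fullword|ascii|wide|nocase|private|xor(\(.*\))?|base64(wide)?(\(.*\))?)$')


def parse_yara_text_string(line, start):
    """Decode the YARA double-quoted literal that opens at line[start].

    Returns (decoded_value, index_just_after_closing_quote). Raises ValueError on a
    malformed escape or a missing closing quote. Escapes handled (assumed to be the
    complete YARA set): \\" \\\\ \\t \\n \\r \\xNN.
    """
    if line[start] != '"':
        raise ValueError("literal does not start with a double quote")
    out = []
    i = start + 1
    while i < len(line):
        c = line[i]
        if c == '"':
            return "".join(out), i + 1
        if c != "\\":
            out.append(c)
            i += 1
            continue
        if i + 1 >= len(line):
            raise ValueError("dangling backslash")
        e = line[i + 1]
        if e in '"\\':
            out.append(e)
            i += 2
        elif e in "tnr":
            out.append({"t": "\t", "n": "\n", "r": "\r"}[e])
            i += 2
        elif e == "x" and re.fullmatch(r"[0-9A-Fa-f]{2}", line[i + 2:i + 4]):
            out.append(chr(int(line[i + 2:i + 4], 16)))
            i += 4
        else:
            raise ValueError(f"invalid escape sequence at column {i + 1}")
    raise ValueError("unterminated string literal")


def lint_string_line(line):
    """Return None if `line` is not a text-string definition or is a valid one,
    otherwise a short error message naming the string identifier."""
    m = STRING_DEF.match(line)
    if not m:
        return None
    ident = m.group(1)
    try:
        _, end = parse_yara_text_string(line, m.end() - 1)
    except ValueError as exc:
        return f"{ident}: {exc}"
    rest = line[end:].strip()
    if rest.startswith("//"):          # a trailing comment is fine
        return None
    for tok in rest.split():
        if not MODIFIER.match(tok):
            return f"{ident}: unexpected text after closing quote: {rest!r}"
    return None


def lint_rules(text):
    """Lint a whole rule file; returns [(line_number, message), ...]."""
    errors = []
    for number, line in enumerate(text.splitlines(), 1):
        msg = lint_string_line(line)
        if msg:
            errors.append((number, msg))
    return errors


# Constructed sample: two literals in the shape used throughout this rule set, one
# hex string, and one literal whose quote before `\"+` is not escaped.
SAMPLE = r'''rule lint_demo {
  strings:
    $ok1 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword
    $ok2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri"
    $bad = "out.println(\"<h2>File Manager - Current disk "\"+(cr.indexOf(\"/\") == 0?"
    $hex = { 4D 5A 90 00 }
  condition:
    2 of them
}'''

# The same literal with the inner quote escaped, which is what YARA accepts.
FIXED = r'    $fix = "out.println(\"<h2>File Manager - Current disk \"\"+(cr.indexOf(\"/\") == 0?"'

if __name__ == "__main__":
    for number, msg in lint_rules(SAMPLE):
        print(f"line {number}: {msg}")
    print("fixed line ok:", lint_string_line(FIXED) is None)
```

Run it over a whole `.yar` file by passing the file contents to `lint_rules`; an empty list means every text literal is well-formed, after which `yarac` should be used to confirm the file compiles, since conditions, hex strings and regexes are not covered by this check.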
rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "8b457934da3821ba58b06a113e0d53d9"
hash3 = "d44df8b1543b837e57cc8f25a0a68d92"
hash4 = "e0354099bee243702eb11df8d0e046df"
hash5 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash6 = "655722eaa6c646437c8ae93daac46ae0"
hash7 = "591ca89a25f06cf01e4345f98a22845c"
strings:
$s0 = "return new Double(format.format(value)).doubleValue();" fullword
$s5 = "File tempF = new File(savePath);" fullword
$s9 = "if (tempF.isDirectory()) {" fullword
condition:
2 of them
}
rule webshell_c99_c99shell_c99_c99shell {
meta:
description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "61a92ce63369e2fa4919ef0ff7c51167"
hash1 = "d3f38a6dc54a73d304932d9227a739ec"
hash2 = "157b4ac3c7ba3a36e546e81e9279eab5"
hash3 = "048ccc01b873b40d57ce25a4c56ea717"
strings:
$s2 = "$bindport_pass = \"c99\";" fullword
$s5 = " else {echo \"<b>Execution PHP-code</b>\"; if (empty($eval_txt)) {$eval_txt = tr"
condition:
1 of them
}
rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {
meta:
description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ae025c886fbe7f9ed159f49593674832"
hash1 = "513b7be8bd0595c377283a7c87b44b2e"
hash2 = "1d912c55b96e2efe8ca873d6040e3b30"
hash3 = "4108f28a9792b50d95f95b9e5314fa1e"
hash4 = "3f71175985848ee46cc13282fbed2269"
strings:
$s6 = "$res = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d"
$s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword
$s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword
$s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword
condition:
2 of them
}
rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {
meta:
description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "0b19e9de790cd2f4325f8c24b22af540"
hash1 = "4745d510fed4378e4b1730f56f25e569"
hash2 = "f3ca29b7999643507081caab926e2e74"
hash3 = "46a18979750fa458a04343cf58faa9bd"
strings:
$s3 = "BODY, TD, TR {" fullword
$s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword
$s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword
condition:
2 of them
}
rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf"
hash3 = "76037ebd781ad0eac363d56fc81f4b4f"
hash4 = "8b457934da3821ba58b06a113e0d53d9"
hash5 = "d44df8b1543b837e57cc8f25a0a68d92"
hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c"
hash7 = "14e9688c86b454ed48171a9d4f48ace8"
hash8 = "b330a6c2d49124ef0729539761d6ef0b"
hash9 = "d71716df5042880ef84427acee8b121e"
hash10 = "341298482cf90febebb8616426080d1d"
hash11 = "29aebe333d6332f0ebc2258def94d57e"
hash12 = "42654af68e5d4ea217e6ece5389eb302"
hash13 = "88fc87e7c58249a398efd5ceae636073"
hash14 = "4a812678308475c64132a9b56254edbc"
hash15 = "9626eef1a8b9b8d773a3b2af09306a10"
hash16 = "e0354099bee243702eb11df8d0e046df"
hash17 = "344f9073576a066142b2023629539ebd"
hash18 = "32dea47d9c13f9000c4c807561341bee"
hash19 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash20 = "655722eaa6c646437c8ae93daac46ae0"
hash21 = "b9744f6876919c46a29ea05b1d95b1c3"
hash22 = "6acc82544be056580c3a1caaa4999956"
hash23 = "6aa32a6392840e161a018f3907a86968"
hash24 = "591ca89a25f06cf01e4345f98a22845c"
hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c"
hash26 = "3ea688e3439a1f56b16694667938316d"
hash27 = "ab77e4d1006259d7cbc15884416ca88c"
hash28 = "71097537a91fac6b01f46f66ee2d7749"
hash29 = "2434a7a07cb47ce25b41d30bc291cacc"
hash30 = "7a4b090619ecce6f7bd838fe5c58554b"
strings:
$s3 = "String savePath = request.getParameter(\"savepath\");" fullword
$s4 = "URL downUrl = new URL(downFileUrl);" fullword
$s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword
$s6 = "String downFileUrl = request.getParameter(\"url\");" fullword
$s7 = "FileInputStream fInput = new FileInputStream(f);" fullword
$s8 = "URLConnection conn = downUrl.openConnection();" fullword
$s9 = "sis = request.getInputStream();" fullword
condition:
4 of them
}
rule webshell_2_520_icesword_job_ma1 {
meta:
description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "64a3bf9142b045b9062b204db39d4d57"
hash1 = "9abd397c6498c41967b4dd327cf8b55a"
hash2 = "077f4b1b6d705d223b6d644a4f3eebae"
hash3 = "56c005690da2558690c4aa305a31ad37"
hash4 = "532b93e02cddfbb548ce5938fe2f5559"
strings:
$s1 = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=gb2312\"></head>" fullword
$s3 = "<input type=\"hidden\" name=\"_EVENTTARGET\" value=\"\" />" fullword
$s8 = "<input type=\"hidden\" name=\"_EVENTARGUMENT\" value=\"\" />" fullword
condition:
2 of them
}
rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {
meta:
description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "7066f4469c3ec20f4890535b5f299122"
hash1 = "9f54aa7b43797be9bab7d094f238b4ff"
hash2 = "793b3d0a740dbf355df3e6f68b8217a4"
hash3 = "8979594423b68489024447474d113894"
hash4 = "ec482fc969d182e5440521c913bab9bd"
hash5 = "f98d2b33cd777e160d1489afed96de39"
hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7"
hash7 = "e9a5280f77537e23da2545306f6a19ad"
strings:
$s0 = "<table width=\"100%\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercol"
$s2 = " KB </td>" fullword
$s3 = "<table width=\"98%\" border=\"0\" cellspacing=\"0\" cellpadding=\""
$s4 = "<!-- <tr align=\"center\"> " fullword
condition:
all of them
}
rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {
meta:
description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "b68bfafc6059fd26732fa07fb6f7f640"
hash1 = "42f211cec8032eb0881e87ebdb3d7224"
hash2 = "40a1f840111996ff7200d18968e42cfe"
hash3 = "0712e3dc262b4e1f98ed25760b206836"
strings:
$s4 = "http://www.4ngel.net" fullword
$s5 = "</a> | <a href=\"?action=phpenv\">PHP" fullword
$s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword
$s9 = "Codz by Angel" fullword
condition:
2 of them
}
rule webshell_c99_locus7s_c99_w4cking_xxx {
meta:
description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "38fd7e45f9c11a37463c3ded1c76af4c"
hash1 = "9c34adbc8fd8d908cbb341734830f971"
hash2 = "ef43fef943e9df90ddb6257950b3538f"
hash3 = "ae025c886fbe7f9ed159f49593674832"
hash4 = "911195a9b7c010f61b66439d9048f400"
hash5 = "697dae78c040150daff7db751fc0c03c"
hash6 = "513b7be8bd0595c377283a7c87b44b2e"
hash7 = "1d912c55b96e2efe8ca873d6040e3b30"
hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a"
hash9 = "4108f28a9792b50d95f95b9e5314fa1e"
hash10 = "b8f261a3cdf23398d573aaf55eaf63b5"
hash11 = "0d2c2c151ed839e6bafc7aa9c69be715"
hash12 = "41af6fd253648885c7ad2ed524e0692d"
hash13 = "6fcc283470465eed4870bcc3e2d7f14d"
strings:
$s1 = "$res = @shell_exec($cfe);" fullword
$s8 = "$res = @ob_get_contents();" fullword
$s9 = "@exec($cfe,$res);" fullword
condition:
2 of them
}
rule webshell_browser_201_3_ma_ma2_download {
meta:
description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "37603e44ee6dc1c359feb68a0d566f76"
hash1 = "a7e25b8ac605753ed0c438db93f6c498"
hash2 = "fb8c6c3a69b93e5e7193036fd31a958d"
hash3 = "4cc68fa572e88b669bce606c7ace0ae9"
hash4 = "4b45715fa3fa5473640e17f49ef5513d"
hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a"
strings:
$s1 = "private static final int EDITFIELD_ROWS = 30;" fullword
$s2 = "private static String tempdir = \".\";" fullword
$s6 = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\""
condition:
2 of them
}
rule webshell_000_403_c5_queryDong_spyjsp2010 {
meta:
description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "2eeb8bf151221373ee3fd89d58ed4d38"
hash1 = "059058a27a7b0059e2c2f007ad4675ef"
hash2 = "8b457934da3821ba58b06a113e0d53d9"
hash3 = "90a5ba0c94199269ba33a58bc6a4ad99"
hash4 = "655722eaa6c646437c8ae93daac46ae0"
strings:
$s2 = "\" <select name='encode' class='input'><option value=''>ANSI</option><option val"
$s7 = "JSession.setAttribute(\"MSG\",\"<span style='color:red'>Upload File Failed!</spa"
$s8 = "File f = new File(JSession.getAttribute(CURRENT_DIR)+\"/\"+fileBean.getFileName("
$s9 = "((Invoker)ins.get(\"vd\")).invoke(request,response,JSession);" fullword
condition:
2 of them
}
rule webshell_r57shell127_r57_kartal_r57 {
meta:
description = "Web Shell - from files r57shell127.php, r57_kartal.php, r57.php"
author = "Florian Roth"
date = "2014/01/28"
score = 70
super_rule = 1
hash0 = "ae025c886fbe7f9ed159f49593674832"
hash1 = "1d912c55b96e2efe8ca873d6040e3b30"
hash2 = "4108f28a9792b50d95f95b9e5314fa1e"
strings:
$s2 = "$handle = @opendir($dir) or die(\"Can't open directory $dir\");" fullword
$s3 = "if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }" fullword
$s5 = "if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_"
condition:
2 of them
}
rule webshell_webshells_new_con2 {
meta:
description = "Web shells - generated from file con2.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "d3584159ab299d546bd77c9654932ae3"
strings:
$s7 = ",htaPrewoP(ecalper=htaPrewoP:fI dnE:0=KOtidE:1 - eulaVtni = eulaVtni:nehT 1 => e"
$s10 = "j \"<Form action='\"&URL&\"?Action2=Post' method='post' name='EditForm'><input n"
condition:
1 of them
}
rule webshell_webshells_new_make2 {
meta:
description = "Web shells - generated from file make2.php"
author = "Florian Roth"
date = "2014/03/28"
hash = "9af195491101e0816a263c106e4c145e"
score = 50
strings:
$s1 = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8"
condition:
all of them
}
rule webshell_webshells_new_aaa {
meta:
description = "Web shells - generated from file aaa.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "68483788ab171a155db5266310c852b2"
strings:
$s0 = "Function fvm(jwv):If jwv=\"\"Then:fvm=jwv:Exit Function:End If:Dim tt,sru:tt=\""
$s5 = "<option value=\"\"DROP TABLE [jnc];exec mast\"&kvp&\"er..xp_regwrite 'HKEY_LOCAL"
$s17 = "if qpv=\"\" then qpv=\"x:\\Program Files\\MySQL\\MySQL Server 5.0\\my.ini\"&br&"
condition:
1 of them
}
rule webshell_Expdoor_com_ASP {
meta:
description = "Web shells - generated from file Expdoor.com ASP.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "caef01bb8906d909f24d1fa109ea18a7"
strings:
$s4 = "\">www.Expdoor.com</a>" fullword
$s5 = " <input name=\"FileName\" type=\"text\" value=\"Asp_ver.Asp\" size=\"20\" max"
$s10 = "set file=fs.OpenTextFile(server.MapPath(FileName),8,True) '" fullword
$s14 = "set fs=server.CreateObject(\"Scripting.FileSystemObject\") '" fullword
$s16 = "<TITLE>Expdoor.com ASP" fullword
condition:
2 of them
}
rule webshell_webshells_new_php2 {
meta:
description = "Web shells - generated from file php2.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "fbf2e76e6f897f6f42b896c855069276"
strings:
$s0 = "<?php $s=@$_GET[2];if(md5($s.$s)=="
condition:
all of them
}
rule webshell_bypass_iisuser_p {
meta:
description = "Web shells - generated from file bypass-iisuser-p.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "924d294400a64fa888a79316fb3ccd90"
strings:
$s0 = "<%Eval(Request(chr(112))):Set fso=CreateObject"
condition:
all of them
}
rule webshell_sig_404super {
meta:
description = "Web shells - generated from file 404super.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "7ed63176226f83d36dce47ce82507b28"
strings:
$s4 = "$i = pack('c*', 0x70, 0x61, 99, 107);" fullword
$s6 = " 'h' => $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631')," fullword
$s7 = "//http://require.duapp.com/session.php" fullword
$s8 = "if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}" fullword
$s12 = "//define('pass','123456');" fullword
$s13 = "$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO"
condition:
1 of them
}
rule webshell_webshells_new_JSP {
meta:
description = "Web shells - generated from file JSP.jsp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "495f1a0a4c82f986f4bdf51ae1898ee7"
strings:
$s1 = "void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i"
$s5 = "bw.write(z2);bw.close();sb.append(\"1\");}else if(Z.equals(\"E\")){EE(z1);sb.app"
$s11 = "if(Z.equals(\"A\")){String s=new File(application.getRealPath(request.getRequest"
condition:
1 of them
}
rule webshell_webshell_123 {
meta:
description = "Web shells - generated from file webshell-123.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "2782bb170acaed3829ea9a04f0ac7218"
strings:
$s0 = "// Web Shell!!" fullword
$s1 = "@preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6"
$s3 = "$default_charset = \"UTF-8\";" fullword
$s4 = "// url:http://www.weigongkai.com/shell/" fullword
condition:
2 of them
}
rule webshell_dev_core {
meta:
description = "Web shells - generated from file dev_core.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "55ad9309b006884f660c41e53150fc2e"
strings:
$s1 = "if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {" fullword
$s9 = "setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);" fullword
$s10 = "$_SESSION['code'] = _REQUEST(sprintf(\"%s?%s\",pack(\"H*\",'6874"
$s11 = "if (preg_match(\"/^HTTP\\/\\d\\.\\d\\s([\\d]+)\\s.*$/\", $status, $matches))"
$s12 = "eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C"
$s15 = "if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))"
condition:
1 of them
}
rule webshell_webshells_new_pHp {
meta:
description = "Web shells - generated from file pHp.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "b0e842bdf83396c3ef8c71ff94e64167"
strings:
$s0 = "if(is_readable($path)) antivirus($path.'/',$exs,$matches);" fullword
$s1 = "'/(eval|assert|include|require|include\\_once|require\\_once|array\\_map|arr"
$s13 = "'/(exec|shell\\_exec|system|passthru)+\\s*\\(\\s*\\$\\_(\\w+)\\[(.*)\\]\\s*"
$s14 = "'/(include|require|include\\_once|require\\_once)+\\s*\\(\\s*[\\'|\\\"](\\w+"
$s19 = "'/\\$\\_(\\w+)(.*)(eval|assert|include|require|include\\_once|require\\_once"
condition:
1 of them
}
rule webshell_webshells_new_pppp {
meta:
description = "Web shells - generated from file pppp.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "cf01cb6e09ee594545693c5d327bdd50"
strings:
$s0 = "Mail: chinese@hackermail.com" fullword
$s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo "
$s6 = "Site: http://blog.weili.me" fullword
condition:
1 of them
}
rule webshell_webshells_new_code {
meta:
description = "Web shells - generated from file code.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "a444014c134ff24c0be5a05c02b81a79"
strings:
$s1 = "<a class=\"high2\" href=\"javascript:;;;\" name=\"action=show&dir=$_ipage_fi"
$s7 = "$file = !empty($_POST[\"dir\"]) ? urldecode(self::convert_to_utf8(rtrim($_PO"
$s10 = "if (true==@move_uploaded_file($_FILES['userfile']['tmp_name'],self::convert_"
$s14 = "Processed in <span id=\"runtime\"></span> second(s) {gzip} usage:"
$s17 = "<a href=\"javascript:;;;\" name=\"{return_link}\" onclick=\"fileperm"
condition:
1 of them
}
rule webshell_webshells_new_jspyyy {
meta:
description = "Web shells - generated from file jspyyy.jsp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "b291bf3ccc9dac8b5c7e1739b8fa742e"
strings:
$s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")"
condition:
all of them
}
rule webshell_webshells_new_xxxx {
meta:
description = "Web shells - generated from file xxxx.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "5bcba70b2137375225d8eedcde2c0ebb"
strings:
$s0 = "<?php eval($_POST[1]);?> " fullword
condition:
all of them
}
rule webshell_webshells_new_JJjsp3 {
meta:
description = "Web shells - generated from file JJjsp3.jsp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "949ffee1e07a1269df7c69b9722d293e"
strings:
$s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S"
condition:
all of them
}
rule webshell_webshells_new_PHP1 {
meta:
description = "Web shells - generated from file PHP1.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "14c7281fdaf2ae004ca5fec8753ce3cb"
strings:
$s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword
$s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword
$s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword
condition:
1 of them
}
rule webshell_webshells_new_JJJsp2 {
meta:
description = "Web shells - generated from file JJJsp2.jsp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "5a9fec45236768069c99f0bfd566d754"
strings:
$s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z"
$s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ"
$s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()"
$s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase("
condition:
1 of them
}
rule webshell_webshells_new_radhat {
meta:
description = "Web shells - generated from file radhat.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "72cb5ef226834ed791144abaa0acdfd4"
strings:
$s1 = "sod=Array(\"D\",\"7\",\"S"
condition:
all of them
}
rule webshell_webshells_new_asp1 {
meta:
description = "Web shells - generated from file asp1.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "b63e708cd58ae1ec85cf784060b69cad"
strings:
$s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword
$s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword
condition:
1 of them
}
rule webshell_webshells_new_php6 {
meta:
description = "Web shells - generated from file php6.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "ea75280224a735f1e445d244acdfeb7b"
strings:
$s1 = "array_map(\"asx73ert\",(ar"
$s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword
$s4 = "shell.php?qid=zxexp " fullword
condition:
1 of them
}
rule webshell_webshells_new_xxx {
meta:
description = "Web shells - generated from file xxx.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "0e71428fe68b39b70adb6aeedf260ca0"
strings:
$s3 = "<?php array_map(\"ass\\x65rt\",(array)$_REQUEST['expdoor']);?>" fullword
condition:
all of them
}
rule webshell_GetPostpHp {
meta:
description = "Web shells - generated from file GetPostpHp.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "20ede5b8182d952728d594e6f2bb5c76"
strings:
$s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword
condition:
all of them
}
rule webshell_webshells_new_php5 {
meta:
description = "Web shells - generated from file php5.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "cf2ab009cbd2576a806bfefb74906fdf"
strings:
$s0 = "<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_u"
condition:
all of them
}
rule webshell_webshells_new_PHP {
meta:
description = "Web shells - generated from file PHP.php"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "a524e7ae8d71e37d2fd3e5fbdab405ea"
strings:
$s1 = "echo \"<font color=blue>Error!</font>\";" fullword
$s2 = "<input type=\"text\" size=61 name=\"f\" value='<?php echo $_SERVER[\"SCRIPT_FILE"
$s5 = " - ExpDoor.com</title>" fullword
$s10 = "$f=fopen($_POST[\"f\"],\"w\");" fullword
$s12 = "<textarea name=\"c\" cols=60 rows=15></textarea><br>" fullword
condition:
1 of them
}
rule webshell_webshells_new_Asp {
meta:
description = "Web shells - generated from file Asp.asp"
author = "Florian Roth"
date = "2014/03/28"
score = 70
hash = "32c87744ea404d0ea0debd55915010b7"
strings:
$s1 = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" fullword
$s2 = "Function MorfiCoder(Code)" fullword
$s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" fullword
condition:
1 of them
}
/* Update from hackers tool pack */
rule perlbot_pl {
meta:
description = "Semi-Auto-generated - file perlbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7e4deb9884ffffa5d82c22f8dc533a45"
strings:
$s0 = "my @adms=(\"Kelserific\",\"Puna\",\"nod32\")"
$s1 = "#Acesso a Shel - 1 ON 0 OFF"
condition:
1 of them
}
rule php_backdoor_php {
meta:
description = "Semi-Auto-generated - file php-backdoor.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7"
strings:
$s0 = "http://michaeldaw.org 2006"
$s1 = "or http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win"
$s3 = "coded by z0mbie"
condition:
1 of them
}
rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php {
meta:
description = "Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c6eeacbe779518ea78b8f7ed5f63fc11"
strings:
$s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt"
$s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass"
$s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword
condition:
1 of them
}
rule Nshell__1__php_php {
meta:
description = "Semi-Auto-generated - file Nshell (1).php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "973fc89694097a41e684b43a21b1b099"
strings:
$s0 = "echo \"Command : <INPUT TYPE=text NAME=cmd value=\".@stripslashes(htmlentities($"
$s1 = "if(!$whoami)$whoami=exec(\"whoami\"); echo \"whoami :\".$whoami.\"<br>\";" fullword
condition:
1 of them
}
rule shankar_php_php {
meta:
description = "Semi-Auto-generated - file shankar.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "6eb9db6a3974e511b7951b8f7e7136bb"
strings:
$sAuthor = "ShAnKaR"
$s0 = "<input type=checkbox name='dd' \".(isset($_POST['dd'])?'checked':'').\">DB<input"
$s3 = "Show<input type=text size=5 value=\".((isset($_POST['br_st']) && isset($_POST['b"
condition:
1 of ($s*) and $sAuthor
}
rule Casus15_php_php {
meta:
description = "Semi-Auto-generated - file Casus15.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13"
strings:
$s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? print(\"$dosya_gonder2_na"
$s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'"
$s3 = "value='Calistirmak istediginiz "
condition:
1 of them
}
rule small_php_php {
meta:
description = "Semi-Auto-generated - file small.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fcee6226d09d150bfa5f103bee61fbde"
strings:
$s1 = "$pass='abcdef1234567890abcdef1234567890';" fullword
$s2 = "eval(gzinflate(base64_decode('FJzHkqPatkU/550IGnjXxHvv6bzAe0iE5+svFVGtKqXMZq05x1"
$s4 = "@ini_set('error_log',NULL);" fullword
condition:
2 of them
}
rule shellbot_pl {
meta:
description = "Semi-Auto-generated - file shellbot.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b2a883bc3c03a35cfd020dd2ace4bab8"
strings:
$s0 = "ShellBOT"
$s1 = "PacktsGr0up"
$s2 = "CoRpOrAtIoN"
$s3 = "# Servidor de irc que vai ser usado "
$s4 = "/^ctcpflood\\s+(\\d+)\\s+(\\S+)"
condition:
2 of them
}
rule fuckphpshell_php {
meta:
description = "Semi-Auto-generated - file fuckphpshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "554e50c1265bb0934fcc8247ec3b9052"
strings:
$s0 = "$succ = \"Warning! "
$s1 = "Don`t be stupid .. this is a priv3 server, so take extra care!"
$s2 = "\\*=-- MEMBERS AREA --=*/"
$s3 = "preg_match('/(\\n[^\\n]*){' . $cache_lines . '}$/', $_SESSION['o"
condition:
2 of them
}
rule ngh_php_php {
meta:
description = "Semi-Auto-generated - file ngh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c372b725419cdfd3f8a6371cfeebc2fd"
strings:
$s0 = "Cr4sh_aka_RKL"
$s1 = "NGH edition"
$s2 = "/* connectback-backdoor on perl"
$s3 = "<form action=<?=$script?>?act=bindshell method=POST>"
$s4 = "$logo = \"R0lGODlhMAAwAOYAAAAAAP////r"
condition:
1 of them
}
rule jsp_reverse_jsp {
meta:
description = "Semi-Auto-generated - file jsp-reverse.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8b0e6779f25a17f0ffb3df14122ba594"
strings:
$s0 = "// backdoor.jsp"
$s1 = "JSP Backdoor Reverse Shell"
$s2 = "http://michaeldaw.org"
condition:
2 of them
}
rule Tool_asp {
meta:
description = "Semi-Auto-generated - file Tool.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8febea6ca6051ae5e2ad4c78f4b9c1f2"
strings:
$s0 = "mailto:rhfactor@antisocial.com"
$s2 = "?raiz=root"
$s3 = "DIGO CORROMPIDO<BR>CORRUPT CODE"
$s4 = "key = \"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0"
condition:
2 of them
}
rule NT_Addy_asp {
meta:
description = "Semi-Auto-generated - file NT Addy.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2e0d1bae844c9a8e6e351297d77a1fec"
strings:
$s0 = "NTDaddy v1.9 by obzerve of fux0r inc"
$s2 = "<ERROR: THIS IS NOT A TEXT FILE>"
$s4 = "RAW D.O.S. COMMAND INTERFACE"
condition:
1 of them
}
rule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {
meta:
description = "Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "089ff24d978aeff2b4b2869f0c7d38a3"
strings:
$s0 = "SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend"
$s3 = " fputs ($fp ,\"\\n*********************************************\\nWelcome T0 Sim"
$s4 = "echo \"<a target='_blank' href='?id=fm&fedit=$dir$file'><span style='text-decora"
condition:
1 of them
}
rule RemExp_asp {
meta:
description = "Semi-Auto-generated - file RemExp.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "aa1d8491f4e2894dbdb91eec1abc2244"
strings:
$s0 = "<title>Remote Explorer</title>"
$s3 = " FSO.CopyFile Request.QueryString(\"FolderPath\") & Request.QueryString(\"CopyFi"
$s4 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f"
condition:
2 of them
}
rule phvayvv_php_php {
meta:
description = "Semi-Auto-generated - file phvayvv.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "35fb37f3c806718545d97c6559abd262"
strings:
$s0 = "{mkdir(\"$dizin/$duzenx2\",777)"
$s1 = "$baglan=fopen($duzkaydet,'w');"
$s2 = "PHVayv 1.0"
condition:
1 of them
}
rule klasvayv_asp {
meta:
description = "Semi-Auto-generated - file klasvayv.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2b3e64bf8462fc3d008a3d1012da64ef"
strings:
$s1 = "set aktifklas=request.querystring(\"aktifklas\")"
$s2 = "action=\"klasvayv.asp?klasorac=1&aktifklas=<%=aktifklas%>&klas=<%=aktifklas%>"
$s3 = "<font color=\"#858585\">www.aventgrup.net"
$s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT"
condition:
1 of them
}
rule r57shell_php_php {
meta:
description = "Semi-Auto-generated - file r57shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d28445de424594a5f14d0fe2a7c4e94f"
strings:
$s0 = "r57shell" fullword
$s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx "
$s2 = "RusH security team"
$s3 = "'ru_text12' => 'back-connect"
condition:
1 of them
}
rule rst_sql_php_php {
meta:
description = "Semi-Auto-generated - file rst_sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0961641a4ab2b8cb4d2beca593a92010"
strings:
$s0 = "C:\\tmp\\dump_"
$s1 = "RST MySQL"
$s2 = "http://rst.void.ru"
$s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';"
condition:
2 of them
}
rule wh_bindshell_py {
meta:
description = "Semi-Auto-generated - file wh_bindshell.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "fab20902862736e24aaae275af5e049c"
strings:
$s0 = "#Use: python wh_bindshell.py [port] [password]"
$s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword
$s3 = "#bugz: ctrl+c etc =script stoped=" fullword
condition:
1 of them
}
rule lurm_safemod_on_cgi {
meta:
description = "Semi-Auto-generated - file lurm_safemod_on.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5ea4f901ce1abdf20870c214b3231db3"
strings:
$s0 = "Network security team :: CGI Shell" fullword
$s1 = "#########################<<KONEC>>#####################################" fullword
$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword
condition:
1 of them
}
rule c99madshell_v2_0_php_php {
meta:
description = "Semi-Auto-generated - file c99madshell_v2.0.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d27292895da9afa5b60b9d3014f39294"
strings:
$s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef"
condition:
all of them
}
rule backupsql_php_often_with_c99shell {
meta:
description = "Semi-Auto-generated - file backupsql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f"
strings:
$s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ."
$s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
condition:
all of them
}
rule uploader_php_php {
meta:
description = "Semi-Auto-generated - file uploader.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0b53b67bb3b004a8681e1458dd1895d0"
strings:
$s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
$s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword
$s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword
condition:
2 of them
}
rule telnet_pl {
meta:
description = "Semi-Auto-generated - file telnet.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "dd9dba14383064e219e29396e242c1ec"
strings:
$s0 = "W A R N I N G: Private Server"
$s2 = "$Message = q$<pre><font color=\"#669999\"> _____ _____ _____ _____ "
condition:
all of them
}
rule w3d_php_php {
meta:
description = "Semi-Auto-generated - file w3d.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "987f66b29bfb209a0b4f097f84f57c3b"
strings:
$s0 = "W3D Shell"
$s1 = "By: Warpboy"
$s2 = "No Query Executed"
condition:
2 of them
}
rule WebShell_cgi {
meta:
description = "Semi-Auto-generated - file WebShell.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "bc486c2e00b5fc3e4e783557a2441e6f"
strings:
$s0 = "WebShell.cgi"
$s2 = "<td><code class=\"entry-[% if entry.all_rights %]mine[% else"
condition:
all of them
}
rule WinX_Shell_html {
meta:
description = "Semi-Auto-generated - file WinX Shell.html.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "17ab5086aef89d4951fe9b7c7a561dda"
strings:
$s0 = "WinX Shell"
$s1 = "Created by greenwood from n57"
$s2 = "<td><font color=\\\"#990000\\\">Win Dir:</font></td>"
condition:
2 of them
}
rule Dx_php_php {
meta:
description = "Semi-Auto-generated - file Dx.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
strings:
$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
$s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
condition:
1 of them
}
rule csh_php_php {
meta:
description = "Semi-Auto-generated - file csh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "194a9d3f3eac8bc56d9a7c55c016af96"
strings:
$s0 = ".::[c0derz]::. web-shell"
$s1 = "http://c0derz.org.ua"
$s2 = "vint21h@c0derz.org.ua"
$s3 = "$name='63a9f0ea7bb98050796b649e85481845';//root"
condition:
1 of them
}
rule pHpINJ_php_php {
meta:
description = "Semi-Auto-generated - file pHpINJ.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d7a4b0df45d34888d5a09f745e85733f"
strings:
$s1 = "News Remote PHP Shell Injection"
$s3 = "Php Shell <br />" fullword
$s4 = "<input type = \"text\" name = \"url\" value = \""
condition:
2 of them
}
rule sig_2008_php_php {
meta:
description = "Semi-Auto-generated - file 2008.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "3e4ba470d4c38765e4b16ed930facf2c"
strings:
$s0 = "Codz by angel(4ngel)"
$s1 = "Web: http://www.4ngel.net"
$s2 = "$admin['cookielife'] = 86400;"
$s3 = "$errmsg = 'The file you want Downloadable was nonexistent';"
condition:
1 of them
}
rule ak74shell_php_php {
meta:
description = "Semi-Auto-generated - file ak74shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7f83adcb4c1111653d30c6427a94f66f"
strings:
$s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION["
$s2 = "AK-74 Security Team Web Site: www.ak74-team.net"
$s3 = "$xshell"
condition:
2 of them
}
rule Rem_View_php_php {
meta:
description = "Semi-Auto-generated - file Rem View.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "29420106d9a81553ef0d1ca72b9934d9"
strings:
$s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\""
$s2 = "<input type=submit value='\".mm(\"Delete all dir/files recursive\").\" (rm -fr)'"
$s4 = "Welcome to phpRemoteView (RemView)"
condition:
1 of them
}
rule Java_Shell_js {
meta:
description = "Semi-Auto-generated - file Java Shell.js.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "36403bc776eb12e8b7cc0eb47c8aac83"
strings:
$s2 = "PySystemState.initialize(System.getProperties(), null, argv);" fullword
$s3 = "public class JythonShell extends JPanel implements Runnable {" fullword
$s4 = "public static int DEFAULT_SCROLLBACK = 100"
condition:
2 of them
}
rule STNC_php_php {
meta:
description = "Semi-Auto-generated - file STNC.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "2e56cfd5b5014cbbf1c1e3f082531815"
strings:
$s0 = "drmist.ru" fullword
$s1 = "hidden(\"action\",\"download\").hidden_pwd().\"<center><table><tr><td width=80"
$s2 = "STNC WebShell"
$s3 = "http://www.security-teams.net/index.php?showtopic="
condition:
1 of them
}
rule aZRaiLPhp_v1_0_php {
meta:
description = "Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "26b2d3943395682e36da06ed493a3715"
strings:
$s0 = "azrailphp"
$s1 = "<br><center><INPUT TYPE='SUBMIT' NAME='dy' VALUE='Dosya Yolla!'></center>"
$s3 = "<center><INPUT TYPE='submit' name='okmf' value='TAMAM'></center>"
condition:
2 of them
}
rule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php {
meta:
description = "Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d1b7b311a7ffffebf51437d7cd97dc65"
strings:
$s0 = ";$sd98=\"john.barker446@gmail.com\""
$s1 = "print \"Sending mail to $to....... \";"
$s2 = "<td colspan=\"2\" width=\"715\" background=\"/simparts/images/cellpic1.gif\" hei"
condition:
1 of them
}
rule zacosmall_php {
meta:
description = "Semi-Auto-generated - file zacosmall.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5295ee8dc2f5fd416be442548d68f7a6"
strings:
$s0 = "rand(1,99999);$sj98"
$s1 = "$dump_file.='`'.$rows2[0].'`"
$s3 = "filename=\\\"dump_{$db_dump}_${table_d"
condition:
2 of them
}
rule CmdAsp_asp {
meta:
description = "Semi-Auto-generated - file CmdAsp.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "64f24f09ec6efaa904e2492dffc518b9"
strings:
$s0 = "CmdAsp.asp"
$s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword
$s2 = "-- Use a poor man's pipe ... a temp file --"
$s3 = "maceo @ dogmile.com"
condition:
2 of them
}
rule simple_backdoor_php {
meta:
description = "Semi-Auto-generated - file simple-backdoor.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "f091d1b9274c881f8e41b2f96e6b9936"
strings:
$s0 = "$cmd = ($_REQUEST['cmd']);" fullword
$s1 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->"
$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
condition:
2 of them
}
rule mysql_shell_php {
meta:
description = "Semi-Auto-generated - file mysql_shell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "d42aec2891214cace99b3eb9f3e21a63"
strings:
$s0 = "SooMin Kim"
$s1 = "smkim@popeye.snu.ac.kr"
$s2 = "echo \"<td><a href='$PHP_SELF?action=deleteData&dbname=$dbname&tablename=$tablen"
condition:
1 of them
}
rule Dive_Shell_1_0___Emperor_Hacking_Team_php {
meta:
description = "Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "1b5102bdc41a7bc439eea8f0010310a5"
strings:
$s0 = "Emperor Hacking TEAM"
$s1 = "Simshell" fullword
$s2 = "ereg('^[[:blank:]]*cd[[:blank:]]"
$s3 = "<form name=\"shell\" action=\"<?php echo $_SERVER['PHP_SELF'] ?>\" method=\"POST"
condition:
2 of them
}
rule Asmodeus_v0_1_pl {
meta:
description = "Semi-Auto-generated - file Asmodeus v0.1.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0978b672db0657103c79505df69cb4bb"
strings:
$s0 = "[url=http://www.governmentsecurity.org"
$s1 = "perl asmodeus.pl client 6666 127.0.0.1"
$s2 = "print \"Asmodeus Perl Remote Shell"
$s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
condition:
2 of them
}
rule backup_php_often_with_c99shell {
meta:
description = "Semi-Auto-generated - file backup.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "aeee3bae226ad57baf4be8745c3f6094"
strings:
$s0 = "#phpMyAdmin MySQL-Dump" fullword
$s2 = ";db_connect();header('Content-Type: application/octetstr"
$s4 = "$data .= \"#Database: $database" fullword
condition:
all of them
}
rule Reader_asp {
meta:
description = "Semi-Auto-generated - file Reader.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ad1a362e0a24c4475335e3e891a01731"
strings:
$s1 = "Mehdi & HolyDemon"
$s2 = "www.infilak."
$s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%><form method=post name=inf><table width=\"75%"
condition:
2 of them
}
rule phpshell17_php {
meta:
description = "Semi-Auto-generated - file phpshell17.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "9a928d741d12ea08a624ee9ed5a8c39d"
strings:
$s0 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" fullword
$s1 = "<title>[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></"
$s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
condition:
1 of them
}
rule myshell_php_php {
meta:
description = "Semi-Auto-generated - file myshell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "62783d1db52d05b1b6ae2403a7044490"
strings:
$s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory."
$s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color"
$s2 = " $fileEditInfo = \" ::::::: Owner: <font color=$"
condition:
2 of them
}
rule SimShell_1_0___Simorgh_Security_MGZ_php {
meta:
description = "Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "37cb1db26b1b0161a4bf678a6b4565bd"
strings:
$s0 = "Simorgh Security Magazine "
$s1 = "Simshell.css"
$s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
$s3 = "www.simorgh-ev.com"
condition:
2 of them
}
rule jspshall_jsp {
meta:
description = "Semi-Auto-generated - file jspshall.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "efe0f6edaa512c4e1fdca4eeda77b7ee"
strings:
$s0 = "kj021320"
$s1 = "case 'T':systemTools(out);break;"
$s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file"
condition:
2 of them
}
rule webshell_php {
meta:
description = "Semi-Auto-generated - file webshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "e425241b928e992bde43dd65180a4894"
strings:
$s2 = "<die(\"Couldn't Read directory, Blocked!!!\");"
$s3 = "PHP Web Shell"
condition:
all of them
}
rule rootshell_php {
meta:
description = "Semi-Auto-generated - file rootshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "265f3319075536030e59ba2f9ef3eac6"
strings:
$s0 = "shells.dl.am"
$s1 = "This server has been infected by $owner"
$s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>"
$s4 = "Could not write to file! (Maybe you didn't enter any text?)"
condition:
2 of them
}
rule connectback2_pl {
meta:
description = "Semi-Auto-generated - file connectback2.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "473b7d226ea6ebaacc24504bd740822e"
strings:
$s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL "
$s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
$s2 = "ConnectBack Backdoor"
condition:
1 of them
}
rule DefaceKeeper_0_2_php {
meta:
description = "Semi-Auto-generated - file DefaceKeeper_0.2.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "713c54c3da3031bc614a8a55dccd7e7f"
strings:
$s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
$s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9"
$s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center"
condition:
1 of them
}
rule shells_PHP_wso {
meta:
description = "Semi-Auto-generated - file wso.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "33e2891c13b78328da9062fbfcf898b6"
strings:
$s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi"
$s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos"
condition:
1 of them
}
rule backdoor1_php {
meta:
description = "Semi-Auto-generated - file backdoor1.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "e1adda1f866367f52de001257b4d6c98"
strings:
$s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".."
$s2 = "class backdoor {"
$s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <"
condition:
1 of them
}
rule elmaliseker_asp {
meta:
description = "Semi-Auto-generated - file elmaliseker.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b32d1730d23a660fd6aa8e60c3dc549f"
strings:
$s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\""
$s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">"
$s2 = "dim zombie_array,special_array"
$s3 = "http://vnhacker.org"
condition:
1 of them
}
rule indexer_asp {
meta:
description = "Semi-Auto-generated - file indexer.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "9ea82afb8c7070817d4cdf686abe0300"
strings:
$s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
$s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit"
condition:
1 of them
}
rule DxShell_php_php {
meta:
description = "Semi-Auto-generated - file DxShell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "33a2b31810178f4c2e71fbdeb4899244"
strings:
$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
$s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><"
condition:
1 of them
}
rule s72_Shell_v1_1_Coding_html {
meta:
description = "Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c2e8346a5515c81797af36e7e4a3828e"
strings:
$s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
$s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
$s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\""
condition:
1 of them
}
rule hidshell_php_php {
meta:
description = "Semi-Auto-generated - file hidshell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c2f3327d60884561970c63ffa09439a4"
strings:
$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
condition:
all of them
}
rule kacak_asp {
meta:
description = "Semi-Auto-generated - file kacak.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "907d95d46785db21331a0324972dda8c"
strings:
$s0 = "Kacak FSO 1.0"
$s1 = "if request.querystring(\"TGH\") = \"1\" then"
$s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style="
$s4 = "mailto:BuqX@hotmail.com"
condition:
1 of them
}
rule PHP_Backdoor_Connect_pl_php {
meta:
description = "Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "57fcd9560dac244aeaf95fd606621900"
strings:
$s0 = "LorD of IRAN HACKERS SABOTAGE"
$s1 = "LorD-C0d3r-NT"
$s2 = "echo --==Userinfo==-- ;"
condition:
1 of them
}
rule Antichat_Socks5_Server_php_php {
meta:
description = "Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "cbe9eafbc4d86842a61a54d98e5b61f1"
strings:
$s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
$s3 = "# [+] Domain name address type"
$s4 = "www.antichat.ru"
condition:
1 of them
}
rule Antichat_Shell_v1_3_php {
meta:
description = "Semi-Auto-generated - file Antichat Shell v1.3.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "40d0abceba125868be7f3f990f031521"
strings:
$s0 = "Antichat"
$s1 = "Can't open file, permission denide"
$s2 = "$ra44"
condition:
2 of them
}
rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php {
meta:
description = "Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "49ad9117c96419c35987aaa7e2230f63"
strings:
$s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy"
$s1 = "Mode Shell v1.0</font></span>"
$s2 = "has been already loaded. PHP Emperor <xb5@hotmail."
condition:
1 of them
}
rule mysql_php_php {
meta:
description = "Semi-Auto-generated - file mysql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "12bbdf6ef403720442a47a3cc730d034"
strings:
$s0 = "action=mysqlread&mass=loadmass\">load all defaults"
$s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru"
$s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = "
condition:
1 of them
}
rule Worse_Linux_Shell_php {
meta:
description = "Semi-Auto-generated - file Worse Linux Shell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8338c8d9eab10bd38a7116eb534b5fa2"
strings:
$s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td"
$s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd"
condition:
1 of them
}
rule cyberlords_sql_php_php {
meta:
description = "Semi-Auto-generated - file cyberlords_sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "03b06b4183cb9947ccda2c3d636406d4"
strings:
$s0 = "Coded by n0 [nZer0]"
$s1 = " www.cyberlords.net"
$s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE"
$s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);"
condition:
1 of them
}
rule cmd_asp_5_1_asp {
meta:
description = "Semi-Auto-generated - file cmd-asp-5.1.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8baa99666bf3734cbdfdd10088e0cd9f"
strings:
$s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword
$s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword
condition:
1 of them
}
rule pws_php_php {
meta:
description = "Semi-Auto-generated - file pws.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ecdc6c20f62f99fa265ec9257b7bf2ce"
strings:
$s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword
$s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword
$s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>"
condition:
2 of them
}
rule PHP_Shell_php_php {
meta:
description = "Semi-Auto-generated - file PHP Shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "a2f8fa4cce578fc9c06f8e674b9e63fd"
strings:
$s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input"
$s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type="
condition:
all of them
}
rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {
meta:
description = "Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8a8c8bb153bd1ee097559041f2e5cf0a"
strings:
$s0 = "Ayyildiz"
$s1 = "TouCh By iJOo"
$s2 = "First we check if there has been asked for a working directory"
$s3 = "http://ayyildiz.org/images/whosonline2.gif"
condition:
2 of them
}
rule EFSO_2_asp {
meta:
description = "Semi-Auto-generated - file EFSO_2.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b5fde9682fd63415ae211d53c6bfaa4d"
strings:
$s0 = "Ejder was HERE"
$s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~"
condition:
2 of them
}
rule lamashell_php {
meta:
description = "Semi-Auto-generated - file lamashell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "de9abc2e38420cad729648e93dfc6687"
strings:
$s0 = "lama's'hell" fullword
$s1 = "if($_POST['king'] == \"\") {"
$s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f"
condition:
1 of them
}
rule Ajax_PHP_Command_Shell_php {
meta:
description = "Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "93d1a2e13a3368a2472043bd6331afe9"
strings:
$s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>"
$s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help"
$s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct"
condition:
1 of them
}
rule JspWebshell_1_2_jsp {
meta:
description = "Semi-Auto-generated - file JspWebshell 1.2.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "70a0ee2624e5bbe5525ccadc467519f6"
strings:
$s0 = "JspWebshell"
$s1 = "CreateAndDeleteFolder is error:"
$s2 = "<td width=\"70%\" height=\"22\"> <%=env.queryHashtable(\"java.c"
$s3 = "String _password =\"111\";"
condition:
2 of them
}
rule Sincap_php_php {
meta:
description = "Semi-Auto-generated - file Sincap.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b68b90ff6012a103e57d141ed38a7ee9"
strings:
$s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');"
$s2 = "$tampon4=$tampon3-1"
$s3 = "@aventgrup.net"
condition:
2 of them
}
rule Test_php_php {
meta:
description = "Semi-Auto-generated - file Test.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "77e331abd03b6915c6c6c7fe999fcb50"
strings:
$s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword
$s2 = "fwrite ($fp, \"$yazi\");" fullword
$s3 = "$entry_line=\"HACKed by EntriKa\";" fullword
condition:
1 of them
}
rule Phyton_Shell_py {
meta:
description = "Semi-Auto-generated - file Phyton Shell.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "92b3c897090867c65cc169ab037a0f55"
strings:
$s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword
$s2 = "# d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword
$s3 = "print \"error; help: head -n 16 d00r.py\"" fullword
$s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword
condition:
1 of them
}
rule mysql_tool_php_php {
meta:
description = "Semi-Auto-generated - file mysql_tool.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5fbe4d8edeb2769eda5f4add9bab901e"
strings:
$s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['"
$s1 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV"
$s4 = "<div align=\"center\">The backup process has now started<br "
condition:
1 of them
}
rule Zehir_4_asp {
meta:
description = "Semi-Auto-generated - file Zehir 4.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "7f4e12e159360743ec016273c3b9108c"
strings:
$s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time="
$s4 = "<input type=submit value=\"Test Et!\" onclick=\""
condition:
1 of them
}
rule sh_php_php {
meta:
description = "Semi-Auto-generated - file sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "330af9337ae51d0bac175ba7076d6299"
strings:
$s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e"
$s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:"
condition:
1 of them
}
rule phpbackdoor15_php {
meta:
description = "Semi-Auto-generated - file phpbackdoor15.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0fdb401a49fc2e481e3dfd697078334b"
strings:
$s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na"
$s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI"
$s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s"
condition:
1 of them
}
rule phpjackal_php {
meta:
description = "Semi-Auto-generated - file phpjackal.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "ab230817bcc99acb9bdc0ec6d264d76f"
strings:
$s3 = "$dl=$_REQUEST['downloaD'];"
$s4 = "else shelL(\"perl.exe $name $port\");"
condition:
1 of them
}
rule sql_php_php {
meta:
description = "Semi-Auto-generated - file sql.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8334249cbb969f2d33d678fec2b680c5"
strings:
$s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#"
$s2 = "http://rst.void.ru"
$s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&"
condition:
1 of them
}
rule cgi_python_py {
meta:
description = "Semi-Auto-generated - file cgi-python.py.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "0a15f473e2232b89dae1075e1afdac97"
strings:
$s0 = "a CGI by Fuzzyman"
$s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + "
$s2 = "values = map(lambda x: x.value, theform[field]) # allows for"
condition:
1 of them
}
rule ru24_post_sh_php_php {
meta:
description = "Semi-Auto-generated - file ru24_post_sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5b334d494564393f419af745dc1eeec7"
strings:
$s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"</title>" fullword
$s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
$s4 = "Writed by DreAmeRz" fullword
condition:
1 of them
}
rule DTool_Pro_php {
meta:
description = "Semi-Auto-generated - file DTool Pro.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "366ad973a3f327dfbfb915b0faaea5a6"
strings:
$s0 = "r3v3ng4ns\\nDigite"
$s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi"
$s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n"
condition:
1 of them
}
rule telnetd_pl {
meta:
description = "Semi-Auto-generated - file telnetd.pl.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "5f61136afd17eb025109304bd8d6d414"
strings:
$s0 = "0ldW0lf" fullword
$s1 = "However you are lucky :P"
$s2 = "I'm FuCKeD"
$s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#"
$s4 = "atrix@irc.brasnet.org"
condition:
1 of them
}
rule php_include_w_shell_php {
meta:
description = "Semi-Auto-generated - file php-include-w-shell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "4e913f159e33867be729631a7ca46850"
strings:
$s0 = "$dataout .= \"<td><a href='$MyLoc?$SREQ&incdbhost=$myhost&incdbuser=$myuser&incd"
$s1 = "if($run == 1 && $phpshellapp && $phpshellhost && $phpshellport) $strOutput .= DB"
condition:
1 of them
}
rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php {
meta:
description = "Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "6163b30600f1e80d2bb5afaa753490b6"
strings:
$s0 = "Safe0ver" fullword
$s1 = "Script Gecisi Tamamlayamadi!"
$s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%"
condition:
1 of them
}
rule shell_php_php {
meta:
description = "Semi-Auto-generated - file shell.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "1a95f0163b6dea771da1694de13a3d8d"
strings:
$s1 = "/* We have found the parent dir. We must be carefull if the parent " fullword
$s2 = "$tmpfile = tempnam('/tmp', 'phpshell');"
$s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword
condition:
1 of them
}
rule telnet_cgi {
meta:
description = "Semi-Auto-generated - file telnet.cgi.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "dee697481383052980c20c48de1598d1"
strings:
$s0 = "www.rohitab.com"
$s1 = "W A R N I N G: Private Server"
$s2 = "print \"Set-Cookie: SAVEDPWD=;\\n\"; # remove password cookie"
$s3 = "$Prompt = $WinNT ? \"$CurrentDir> \" : \"[admin\\@$ServerName $C"
condition:
1 of them
}
rule ironshell_php {
meta:
description = "Semi-Auto-generated - file ironshell.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "8bfa2eeb8a3ff6afc619258e39fded56"
strings:
$s0 = "www.ironwarez.info"
$s1 = "$cookiename = \"wieeeee\";"
$s2 = "~ Shell I"
$s3 = "www.rootshell-team.info"
$s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);"
condition:
1 of them
}
rule backdoorfr_php {
meta:
description = "Semi-Auto-generated - file backdoorfr.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "91e4afc7444ed258640e85bcaf0fecfc"
strings:
$s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan"
$s2 = "print(\"<br>Provenance du mail : <input type=\\\"text\\\" name=\\\"provenanc"
condition:
1 of them
}
rule aspydrv_asp {
meta:
description = "Semi-Auto-generated - file aspydrv.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "1c01f8a88baee39aa1cebec644bbcb99"
score = 60
strings:
$s0 = "If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))"
$s1 = "password"
$s2 = "session(\"shagman\")="
condition:
2 of them
}
rule cmdjsp_jsp {
meta:
description = "Semi-Auto-generated - file cmdjsp.jsp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b815611cc39f17f05a73444d699341d4"
strings:
$s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword
$s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword
$s2 = "cmdjsp.jsp"
$s3 = "michaeldaw.org" fullword
condition:
2 of them
}
rule h4ntu_shell__powered_by_tsoi_ {
meta:
description = "Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "06ed0b2398f8096f1bebf092d0526137"
strings:
$s0 = "h4ntu shell"
$s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");"
condition:
1 of them
}
rule Ajan_asp {
meta:
description = "Semi-Auto-generated - file Ajan.asp.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "b6f468252407efc2318639da22b08af0"
strings:
$s1 = "c:\\downloaded.zip"
$s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword
$s3 = "http://www35.websamba.com/cybervurgun/"
condition:
1 of them
}
rule PHANTASMA_php {
meta:
description = "Semi-Auto-generated - file PHANTASMA.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "52779a27fa377ae404761a7ce76a5da7"
strings:
$s0 = ">[*] Safemode Mode Run</DIV>"
$s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>"
$s2 = "[*] Spawning Shell"
$s3 = "Cha0s"
condition:
2 of them
}
rule MySQL_Web_Interface_Version_0_8_php {
meta:
description = "Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "36d4f34d0a22080f47bb1cb94107c60f"
strings:
$s0 = "SooMin Kim"
$s1 = "http://popeye.snu.ac.kr/~smkim/mysql"
$s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename"
$s3 = "<th>Type</th><th> M </th><th> D </th><th>unsigned</th><th>zerofi"
condition:
2 of them
}
rule simple_cmd_html {
meta:
description = "Semi-Auto-generated - file simple_cmd.html.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
hash = "c6381412df74dbf3bcd5a2b31522b544"
strings:
$s1 = "<title>G-Security Webshell</title>" fullword
$s2 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword
$s3 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword
$s4 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword
condition:
all of them
}
rule multiple_webshells_0001 {
meta:
description = "Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_1_c2007_php_php_c100_php"
hash0 = "44542e5c3e9790815c49d5f9beffbbf2"
hash1 = "d089e7168373a0634e1ac18c0ee00085"
hash2 = "38fd7e45f9c11a37463c3ded1c76af4c"
strings:
$s0 = "echo \"<b>Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\""
$s3 = "echo \"<td> <a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
condition:
1 of them
}
rule multiple_webshells_0002 {
meta:
description = "Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_nst_php_php_img_php_php_nstview_php_php"
hash0 = "ddaf9f1986d17284de83a17fe5f9fd94"
hash1 = "17a07bb84e137b8aa60f87cd6bfab748"
hash2 = "4745d510fed4378e4b1730f56f25e569"
strings:
$s0 = "<tr><form method=post><td><font color=red><b>Back connect:</b></font></td><td><i"
$s1 = "$perl_proxy_scp = \"IyEvdXNyL2Jpbi9wZXJsICANCiMhL3Vzci91c2MvcGVybC81LjAwNC9iaW4v"
$s2 = "<tr><form method=post><td><font color=red><b>Backdoor:</b></font></td><td><input"
condition:
1 of them
}
rule multiple_webshells_0003 {
meta:
description = "Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_network_php_php_xinfo_php_php_nfm_php_php"
hash0 = "acdbba993a5a4186fd864c5e4ea0ba4f"
hash1 = "2601b6fc1579f263d2f3960ce775df70"
hash2 = "401fbae5f10283051c39e640b77e4c26"
strings:
$s0 = ".textbox { background: White; border: 1px #000000 solid; color: #000099; font-fa"
$s2 = "<input class='inputbox' type='text' name='pass_de' size=50 onclick=this.value=''"
condition:
all of them
}
rule multiple_webshells_0004 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s2 = "echo \"<hr size=\\\"1\\\" noshade><b>Done!</b><br>Total time (secs.): \".$ft"
$s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r"
condition:
1 of them
}
rule multiple_webshells_0005 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "911195a9b7c010f61b66439d9048f400"
hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f"
hash3 = "8023394542cddf8aee5dec6072ed02b5"
hash4 = "eed14de3907c9aa2550d95550d1a2d5f"
hash5 = "817671e1bdc85e04cc3440bbd9288800"
strings:
$s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o"
$s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult"
condition:
1 of them
}
rule multiple_webshells_0006 {
meta:
description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php"
hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
hash3 = "671cad517edd254352fe7e0c7c981c39"
strings:
$s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\""
$s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\""
$s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\""
condition:
2 of them
}
rule multiple_webshells_0007 {
meta:
description = "Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_r577_php_php_spy_php_php_s_php_php"
hash0 = "0714f80f35c1fddef1f8938b8d42a4c8"
hash1 = "eed14de3907c9aa2550d95550d1a2d5f"
hash2 = "817671e1bdc85e04cc3440bbd9288800"
strings:
$s2 = "echo $te.\"<div align=center><textarea cols=35 name=db_query>\".(!empty($_POST['"
$s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>"
condition:
1 of them
}
rule multiple_webshells_0008 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash5 = "09609851caa129e40b0d56e90dfc476c"
hash6 = "671cad517edd254352fe7e0c7c981c39"
strings:
$s0 = " if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\""
$s1 = " if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile"
$s2 = " echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr"
$s3 = " elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m"
condition:
all of them
}
rule multiple_webshells_0009 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "d8ae5819a0a2349ec552cbcf3a62c975"
hash4 = "9e9ae0332ada9c3797d6cee92c2ede62"
hash5 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "$sess_data[\"cut\"] = array(); c99_s"
$s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))"
condition:
1 of them
}
rule multiple_webshells_0010 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_wacking_php_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "9c5bb5e3a46ec28039e8986324e42792"
hash2 = "09609851caa129e40b0d56e90dfc476c"
strings:
$s0 = "\"<td> <a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur"
$s2 = "c99sh_sqlquery"
condition:
1 of them
}
rule multiple_webshells_0011 {
meta:
description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt"
author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
super_rule = 1
was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php"
hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"
hash1 = "3ca5886cd54d495dc95793579611f59a"
hash2 = "9c5bb5e3a46ec28039e8986324e42792"
hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9"
hash4 = "09
SYMBOL INDEX (31 symbols across 1 file)
FILE: whohk.py
function checkroot (line 15) | def checkroot():
function system_state (line 19) | def system_state(): # system state
class CzIp (line 30) | class CzIp: # class that reads and parses the Chunzhen (QQWry) IP database
method __init__ (line 31) | def __init__(self, db_file='config/qqwry.dat'):
method _get_area_addr (line 40) | def _get_area_addr(self, offset=0):
method _get_addr (line 55) | def _get_addr(self, offset):
method dump (line 85) | def dump(self, first, last):
method _set_ip_range (line 101) | def _set_ip_range(self, index):
method get_addr_by_ip (line 111) | def get_addr_by_ip(self, ip):
method get_ip_range (line 141) | def get_ip_range(self, ip):
method get_offset_string (line 154) | def get_offset_string(self, offset=0):
method ip2str (line 171) | def ip2str(self, ip):
method str2ip (line 179) | def str2ip(self, s):
method getLong3 (line 188) | def getLong3(self, offset=0):
function network (line 201) | def network(): # get outbound network connections
function ostype (line 224) | def ostype(): # determine OS type and version
function pid_fileinfo (line 258) | def pid_fileinfo(pid): # get process path and other info from a pid
function log_burp_ip (line 262) | def log_burp_ip(system): # identify which IPs are brute-forcing logins
function log_burp_user (line 276) | def log_burp_user(system): # which usernames are being brute-forced
function log_success_ip (line 290) | def log_success_ip(system): # which IPs logged in successfully
function log_success_info (line 304) | def log_success_info(system): # date, username and IP of successful logins
function cron (line 315) | def cron(): # cron jobs of all users
function cron_file (line 331) | def cron_file(day): # check crontab files or scripts by time
function starup (line 342) | def starup(day): # check startup items by time
function osfile (line 357) | def osfile(day): # check whether system processes have been hijacked
function changefile (line 361) | def changefile(all): # check modifications to files of a given type on the system
function permfile (line 365) | def permfile(all): # list files on the system with a given permission
function account_check (line 369) | def account_check(): # check account status
function history (line 384) | def history():
function webshell_scan (line 399) | def webshell_scan(path):
function file_scan (line 436) | def file_scan(path):
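Two pieces of YARA semantics decide how noisy the "Semi-Auto-generated" webshell rules above are: the `fullword` modifier (a hit must be bounded by non-alphanumeric bytes on both sides) and the `N of them` threshold (aspydrv_asp lists the bare string "password", which would hit almost any login form, but only fires when 2 of its 3 strings are present). The index lists `webshell_scan(path)` only by name. What follows is an added example, not whohk's code and not a substitute for yara-python: a minimal evaluator for exactly that subset of YARA, with two rules transcribed from the page and constructed sample inputs, so the matching behaviour can be inspected without the YARA engine.

```python
import re
from dataclasses import dataclass

# Added example (not whohk's code): evaluates the subset of YARA used by the
# "Semi-Auto-generated" webshell rules above -- plain text strings, the
# optional `fullword` modifier, and `N of them` / `all of them` conditions.
# Real scanning should run yara-python over the rule files; this only makes
# the matching semantics visible.

@dataclass(frozen=True)
class YStr:
    text: str
    fullword: bool = False

@dataclass(frozen=True)
class Rule:
    name: str
    strings: tuple
    needed: int  # "N of them"; len(strings) expresses "all of them"

# Transcribed from rule cmdjsp_jsp above (condition: 2 of them).
CMDJSP_JSP = Rule("cmdjsp_jsp", (
    YStr('// note that linux = cmd and windows = "cmd.exe /c + cmd" ', fullword=True),
    YStr('Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);', fullword=True),
    YStr("cmdjsp.jsp"),
    YStr("michaeldaw.org", fullword=True),
), needed=2)

# Transcribed from rule aspydrv_asp above (condition: 2 of them). The bare
# "password" string on its own would hit nearly every login page.
ASPYDRV_ASP = Rule("aspydrv_asp", (
    YStr("If mcolFormElem.Exists(LCase(sIndex)) Then Form = mcolFormElem.Item(LCase(sIndex))"),
    YStr("password"),
    YStr('session("shagman")='),
), needed=2)

RULES = (CMDJSP_JSP, ASPYDRV_ASP)

def string_hits(data: bytes, s: YStr) -> bool:
    """True if the string occurs in data (once is enough: YARA counts strings, not occurrences)."""
    pat = re.escape(s.text.encode("utf-8"))
    if s.fullword:
        # YARA fullword: the match may not be preceded or followed by an alphanumeric byte.
        pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None

def evaluate(rule: Rule, data: bytes) -> bool:
    """Apply the `N of them` condition: count distinct strings that hit."""
    return sum(string_hits(data, s) for s in rule.strings) >= rule.needed

def scan(data: bytes, rules=RULES) -> list:
    """Names of all rules that match, in rule order (what a scanner reports per file)."""
    return [r.name for r in rules if evaluate(r, data)]

# Constructed sample files (not real captures).
SAMPLES = {
    # A JSP command shell: two of cmdjsp_jsp's strings are present.
    "jsp_shell": (b'<%@ page import="java.io.*" %>\n'
                  b'<% String cmd = request.getParameter("cmd");\n'
                  b'Process p = Runtime.getRuntime().exec("cmd.exe /C " + cmd);\n'
                  b'// adapted from michaeldaw.org %>\n'),
    # A harmless login form: contains "password" but nothing else from aspydrv_asp.
    "login_page": b'<form method=post><input type=password name="password"></form>\n',
    # Benign text: "michaeldaw.organization" is not a fullword hit for "michaeldaw.org".
    "benign_text": b'Contact: michaeldaw.organization, cmd.exe /C notes\n',
}

def demo() -> dict:
    """Scan every constructed sample; returns {sample_name: [matching rule names]}."""
    return {name: scan(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name}: {matched or '-'}")
```

Only the JSP sample matches. The login form does not, because aspydrv_asp needs a second string beyond "password", and the benign text does not, because `fullword` rejects "michaeldaw.org" when it is immediately followed by a letter. When triaging hits from rules like these, check which strings fired and whether the threshold was met by generic strings alone before treating the file as a shell.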
About this extraction
This page contains the full source code of the heikanet/whohk GitHub repository, extracted and formatted as plain text. The extraction includes 24 files (359.5 KB), approximately 139.0k tokens, and a symbol index with 31 extracted functions, classes and methods. Extracted by GitExtract.