[ { "path": "README.md", "content": "# whohk\n\nwhohk,linux下一款强大的应急响应工具\n\n\"Release\"\n\"Release\"\n\"Release\"\n![GitHub Repo stars](https://img.shields.io/github/stars/wgpsec/whohk?color=success)\n![GitHub forks](https://img.shields.io/github/forks/wgpsec/whohk)\n![GitHub all release](https://img.shields.io/github/downloads/wgpsec/whohk/total?color=blueviolet) \n\n在linux下的应急响应往往需要通过繁琐的命令行来查看各个点的情况,有的时候还需要做一些格式处理,这对于linux下命令不是很熟悉的人比较不友好。本工具将linux下应急响应中常用的一些操作给集合了起来,并处理成了较为友好的格式,只需要通过一个参数就能代替繁琐复杂的命令来实现对各个点的检查。\n\n支持主流的Linux,包含centos、redhat、ubuntu、debian、opensuse。\n\n## 使用指南\n```\noptional arguments:\n -h, --help show this help message and exit\n -user 用于查看系统可登录账户和空口令账户(无参数)\n -history 用于查看所有用户的敏感历史命令(无参数)\n -cron 用于查看所有用户的定时任务(无参数)\n -ip 用于查看外连ip(无参数)\n --pid 1234 用于定位进程物理路径(参数为pid号)\n --ssh-fip 用于查看ssh登录失败的ip和次数(无参数)\n --ssh-fuser 用于查看ssh登录失败的用户和次数(无参数)\n --ssh-sip 用于查看ssh登录成功的ip和次数(无参数)\n --ssh-sinfo 用于查看ssh登录成功的用户详情(无参数)\n --file-cron 7 用于查看系统各个级别定时任务目录中,n天内被修改的文件(参数为天数)\n --file-starup 7 用于查看系统启动项目录中,n天内被修改的文件(参数为天数)\n --file-os 7 用于查看系统重要目录中,n天内被修改的文件(参数为天数)\n --file-change /www 7 php\n 用于查看在n天内指定目录中指定后缀的被修改的文件(参数为物理路径、天数、后缀)\n --file-perm /www jsp 777\n 用于查看指定目录下指定后缀指定权限的文件(参数为物理路径、后缀、天数)\n --s-backdoor /home 用于检测指定路径下的恶意样本(参数为物理路径)\n --s-webshell /var/www\n 用于检测指定路径下的webshell(参数为物理路径)\n```\n\n## 细节\n\n由于懒得重新截图,所以就直接放公众号之前发的图了\n- whohk,一款强大的linux应急响应辅助工具:[点击跳转](https://mp.weixin.qq.com/s?__biz=MzIyNDkwNjQ5Ng==&mid=2247484224&idx=1&sn=616be624b7936abef282c5611f710a6a&chksm=e8069f2fdf71163973a712de55de80b042fb6224fa9179b4a655b5fe2e5be647f63d7f038e60&token=1653316416&lang=zh_CN#rd)\n\n- [更新]Linux下应急响应工具whohk v1.1版本:[点击跳转](https://mp.weixin.qq.com/s?__biz=MzIyNDkwNjQ5Ng==&mid=2247485371&idx=1&sn=8f6a32e28bf06e100edcd9241a8923e4&chksm=e8069bd4df7112c28a416e740b6025982d1d4a920906f9e3aa2f6244c5a691af6cf9a96bb55d#rd)\n\n- 如何打造一款自己的恶意样本检测工具:[点击跳转](https://mp.weixin.qq.com/s?__biz=MzIyNDkwNjQ5Ng==&mid=2247484475&idx=1&sn=7180cb7a18335c71ef561f9ec468f601&chksm=e8069854df7111425708634704d07832764f02545065717fd45424abb960938cbc121a417eb5&token=393884268&lang=zh_CN#rd)\n\n## 碎碎念\n- 2020-09-21 \n> 在历次的Linux系统下应急中感受到了敲命令的繁琐,以及有些太长记不住的命令当着客户面去百度的尴尬,决定把Linux下应急检查的一些点的命令用工具来集合到一起。在这个工具之前其实还做过一个windows/Linux系统下的安全巡检小工具,但由于对我的工作意义不大,所以最后经过一顿操作,有了`whohk`这一款小工具。\n\n- 2021-08-26\n> 在过去的近一年里应急的次数不那么频繁了,基本无视这个工具。不过有一次登录公众号后,发现有一些粉丝私信提新功能以及反馈了一些问题(原谅我半年登一次公众号),所以这次根据之前的反馈,进行了一些更新。\n\n- 2022-04-30\n> 发现这个工具居然成为了我GitHub stars最多的一个项目,或许真的帮助到了一些人。\n> 决定开源。代码写的很简单,也可以说比较烂,本次上传的是2021.08.26的版本,也是目前最新版(因为只要没有新的需求就不会更新,以及我~~没有时间~~懒也不会更新🐶)。\n> \n> ~~不会摆烂。目前有一些新的想法,但是很模糊,大家有好的建议欢迎提issue。~~ 摆烂中...\n\n## TODO\n- [ ] 重构,代码写的优雅点\n- [ ] Windows支持\n- [ ] server端\n- [ ] 多台主机数据聚合分析\n\n## 交流\n\n![](img/taixiayanshu.png)\n![](img/wgpsec.png)\n\n\n" }, { "path": "rules/malware/MALW_BackdoorSSH.yar", "content": "/*\n This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\n\n*/\n\nrule SSH_backdoor\n{\n\n meta:\n description = \"Custome SSH backdoor based on python and paramiko - file server.py\"\n author = \"Florian Roth\"\n reference = \"https://goo.gl/S46L3o\"\n date = \"2015-05-14\"\n hash = \"0953b6c2181249b94282ca5736471f85d80d41c9\"\n\n strings:\n $s0 = \"command= raw_input(\\\"Enter command: \\\").strip('n')\" fullword ascii\n $s1 = \"print '[-] (Failed to load moduli -- gex will be unsupported.)'\" fullword ascii\n $s2 = \"print '[-] Listen/bind/accept failed: ' + str(e)\" fullword ascii\n $s3 = \"chan.send(command)\" fullword ascii\n $s4 = \"print '[-] SSH negotiation failed.'\" fullword ascii\n $s5 = \"except paramiko.SSHException, x:\" fullword ascii\n\n condition:\n filesize < 10KB and 5 of them\n}\n" }, { "path": "rules/malware/MALW_BlackRev.yar", "content": "/*\n This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as\n long as you use it under this license.\n\n*/\n\nrule BlackRev_BotNet\n{\n meta:\n author = \"Dennis Schwarz\"\n date = \"2013-05-21\"\n description = \"Black Revolution DDoS Malware. http://www.arbornetworks.com/asert/2013/05/the-revolution-will-be-written-in-delphi/\"\n origin = \"https://github.com/arbor/yara/blob/master/blackrev.yara\"\n\n strings: \n $base1 = \"http\"\n $base2 = \"simple\"\n $base3 = \"loginpost\"\n $base4 = \"datapost\"\n\n $opt1 = \"blackrev\"\n $opt2 = \"stop\"\n $opt3 = \"die\"\n $opt4 = \"sleep\"\n $opt5 = \"syn\"\n $opt6 = \"udp\"\n $opt7 = \"udpdata\"\n $opt8 = \"icmp\"\n $opt9 = \"antiddos\"\n $opt10 = \"range\"\n $opt11 = \"fastddos\"\n $opt12 = \"slowhttp\"\n $opt13 = \"allhttp\"\n $opt14 = \"tcpdata\"\n $opt15 = \"dataget\"\n\n condition:\n all of ($base*) and 5 of ($opt*)\n}\n" }, { "path": "rules/malware/MALW_PE_sections.yar", "content": "/*\n This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\n\n*/\n\nimport \"pe\"\n\nrule packered : packer PE {\n\n meta:\n\n author = \"@j0sm1\"\n date = \"2016/10/21\"\n description = \"The packer/protector section names/keywords\"\n reference = \"http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/\"\n filetype = \"binary\"\n\n strings:\n\n $s1 = \".aspack\" wide ascii\n $s2 = \".adata\" wide ascii\n $s3 = \"ASPack\" wide ascii\n $s4 = \".ASPack\" wide ascii\n $s5 = \".ccg\" wide ascii\n $s6 = \"BitArts\" wide ascii\n $s7 = \"DAStub\" wide ascii\n $s8 = \"!EPack\" wide ascii\n $s9 = \"FSG!\" wide ascii\n $s10 = \"kkrunchy\" wide ascii\n $s11 = \".mackt\" wide ascii\n $s12 = \".MaskPE\" wide ascii\n $s13 = \"MEW\" wide ascii\n $s14 = \".MPRESS1\" wide ascii\n $s15 = \".MPRESS2\" wide ascii\n $s16 = \".neolite\" wide ascii\n $s17 = \".neolit\" wide ascii\n $s18 = \".nsp1\" wide ascii\n $s19 = \".nsp2\" wide ascii\n $s20 = \".nsp0\" wide ascii\n $s21 = \"nsp0\" wide ascii\n $s22 = \"nsp1\" wide ascii\n $s23 = \"nsp2\" wide ascii\n $s24 = \".packed\" wide ascii\n $s25 = \"pebundle\" wide ascii\n $s26 = \"PEBundle\" wide ascii\n $s27 = \"PEC2TO\" wide ascii\n $s28 = \"PECompact2\" wide ascii\n $s29 = \"PEC2\" wide ascii\n $s30 = \"pec1\" wide ascii\n $s31 = \"pec2\" wide ascii\n $s32 = \"PEC2MO\" wide ascii\n $s33 = \"PELOCKnt\" wide ascii\n $s34 = \".perplex\" wide ascii\n $s35 = \"PESHiELD\" wide ascii\n $s36 = \".petite\" wide ascii\n $s37 = \"ProCrypt\" wide ascii\n $s38 = \".RLPack\" wide ascii\n $s39 = \"RCryptor\" wide ascii\n $s40 = \".RPCrypt\" wide ascii\n $s41 = \".sforce3\" wide ascii\n $s42 = \".spack\" wide ascii\n $s43 = \".svkp\" wide ascii\n $s44 = \"Themida\" wide ascii\n $s45 = \".Themida\" wide ascii\n $s46 = \".packed\" wide ascii\n $s47 = \".Upack\" wide ascii\n $s48 = \".ByDwing\" wide ascii\n $s49 = \"UPX0\" wide ascii\n $s50 = \"UPX1\" wide ascii\n $s51 = \"UPX2\" wide ascii\n $s52 = \".UPX0\" wide ascii\n $s53 = \".UPX1\" wide ascii\n $s54 = \".UPX2\" wide ascii\n $s55 = \".vmp0\" wide ascii\n $s56 = \".vmp1\" wide ascii\n $s57 = \".vmp2\" wide ascii\n $s58 = \"VProtect\" wide ascii\n $s59 = \"WinLicen\" wide ascii\n $s60 = \"WWPACK\" wide ascii\n $s61 = \".yP\" wide ascii\n $s62 = \".y0da\" wide ascii\n $s63 = \"UPX!\" wide ascii\n\n condition:\n // DOS stub signature PE signature\n uint16(0) == 0x5a4d and uint32be(uint32(0x3c)) == 0x50450000 and (\n for any of them : ( $ in (0..1024) )\n )\n}\n" }, { "path": "rules/malware/ddg.yar", "content": "// ddg脚本通配规则\nrule linux_miner_ddg_script_gen\n{\n meta:\n description = \"ddg shell script general\"\n author = \"G4rb3n\"\n reference = \"https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-server\"\n date = \"2020-5-13\"\n\n strings:\n $s1 = \"/i.sh\"\n $s2 = \"/ddgs\"\n\n $c1 = \"/var/spool/cron/root\"\n $c2 = \"crontab -\"\n\n condition:\n ( filesize < 50KB ) and ( all of ($s*) ) and ( 1 of ($c*) )\n}\n\n// v5000以上版本的规则\nrule linux_miner_ddg_script_v5\n{\n meta:\n description = \"ddg shell script v5000+\"\n author = \"G4rb3n\"\n reference = \"https://blog.netlab.360.com/ddg-upgrade-to-new-p2p-hybrid-model\"\n date = \"2020-5-13\"\n url = \"http://67.205.168.20:8000/i.sh\"\n md5_v5023 = \"FE0D7BCF06779EF0CC6702FBB7C330E7\"\n md5_v5019 = \"D6F402F6DCB75EA1A81A7C596CDA50C5\"\n\n strings:\n $s1 = \"/i.sh\"\n $s2 = /\\/50[0-9]{2}\\/ddgs.+/\n\n $c1 = \"/var/spool/cron/root\"\n $c2 = \"crontab -\"\n\n condition:\n ( filesize < 50KB ) and ( all of ($s*) ) and ( 1 of ($c*) )\n}" }, { "path": "rules/malware/h2miner.yar", "content": "// H2Miner脚本通配规则\nrule linux_miner_h2miner_script_gen\n{\n meta:\n description = \"h2miner script general\"\n author = \"G4rb3n\"\n reference = \"https://mp.weixin.qq.com/s/iNq8SdTZ9IrttAoQYLJw5A\"\n date = \"2020-7-31\"\n md5_2001 = \"A626C7274F51C55FDFF1F398BB10BAD5\"\n md5_2005 = \"E600632DA9A710BBA3C53C1DFDD7BAC1\"\n md5_2007 = \"BE17040E1A4EAF7E2DF8C0273FF2DFD2\"\n md5_2008 = \"69886742CF56F9FC97B97DF0A19FC8F0\"\n\n strings:\n $s1 = \"echo \\\"P OK\\\"\"\n $s2 = \"echo \\\"T DIR $DIR\\\"\"\n $s3 = \"echo \\\"No md5sum\\\"\"\n $s4 = \"echo \\\"P NOT EXISTS\\\"\"\n $s5 = \"case $sum in\"\n \n $x1 = \"ulimit -n 65535\"\n $x2 = \"https://bitbucket.org\"\n\n $c1 = \"kingsing\"\n $c2 = \"salt-store\"\n $c3 = \"195.3.146.118\"\n $c4 = \"217.12.210.192\"\n\n condition:\n ( filesize < 50KB ) and ( ( 4 of ($s*) ) and ( ( 2 of ($x*) ) or ( 2 of ($c*) ) ) )\n}" }, { "path": "rules/malware/lsdminer.yar", "content": "// LSDMiner脚本通配规则\nrule linux_miner_lsdminer_script_gen\n{\n meta:\n description = \"lsdminer script general\"\n author = \"G4rb3n\"\n reference = \"https://www.anquanke.com/post/id/193116\"\n date = \"2020-5-21\"\n\n strings:\n $s1 = \"hwlh3wlh44lh\"\n $s2 = \"Circle_MI\"\n $s3 = \"thyrsi.com\"\n $s4 = \"img.sobot.com\"\n $s5 = \"cdn.xiaoduoai.com\"\n $s6 = \"res.cloudinary.com\"\n $s7 = \"pastebin.com\"\n $s8 = \"user-images.githubusercontent.com\"\n\n condition:\n ( filesize < 50KB ) and ( 4 of ($s*) )\n}" }, { "path": "rules/malware/rainbowminer.yar", "content": "// StartMiner脚本通配规则\nrule linux_miner_rainbowminer_script_gen\n{\n meta:\n description = \"rainbowminer script general\"\n author = \"G4rb3n\"\n reference = \"https://mp.weixin.qq.com/s/KUK2hW7oRA2hN_cJ5QaYUA\"\n date = \"2020-5-21\"\n\n strings:\n $s1 = \"=\\\"/lib64/\"\n $s2 = \"pdflushType=\\\"\"\n $s3 = \"kthreadds\"\n $s4 = \"processhider\"\n $s5 = \"paDKiUwmHNUSW7E1S18Cl\" // ssh公钥片段\n $s6 = \"cron.py\"\n $s7 = \"/pdflushs\"\n \n $x1 = \"Rainbow66\"\n $x2 = \"47.106.187.104\"\n\n condition:\n ( filesize < 50KB ) and ( ( 4 of ($s*) ) or ( 1 of ($x*) ) )\n}" }, { "path": "rules/malware/skipmap.yar", "content": "// SkipMap脚本通配规则\nrule linux_miner_skipmap_script_gen\n{\n meta:\n description = \"skipmap shell script general\"\n author = \"G4rb3n\"\n reference = \"https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload\"\n date = \"2020-8-7\"\n\n strings:\n $s1 = \"chmod +x /var/lib/\"\n $s2 = \"/bin/get\"\n $s3 = \"/bin/cur\"\n\n $c1 = \"pm.ipfswallet.tk\"\n $c2 = \"a.powerofwish.com\"\n\n condition:\n ( filesize < 10KB ) and ( all of ($s*) ) and ( 1 of ($c*) )\n}" }, { "path": "rules/malware/startminer.yar", "content": "// StartMiner脚本通配规则\nrule linux_miner_startminer_script_gen\n{\n meta:\n description = \"startminer script general\"\n author = \"G4rb3n\"\n reference = \"https://s.tencent.com/research/report/978.html\"\n date = \"2020-5-20\"\n\n strings:\n $s1 = \"echo \\\"P OK\\\"\"\n $s2 = \"echo \\\"T DIR $DIR\\\"\"\n $s3 = \"echo \\\"No md5sum\\\"\"\n $s4 = \"echo \\\"P NOT EXISTS\\\"\"\n $s5 = \"case $sum in\"\n \n $x1 = \"f2=\\\"\"\n $x2 = \"downloadIfNeed()\"\n $x3 = \"judge()\"\n $x4 = \"judge2()\"\n $x5 = \"start.jpg\"\n\n $c1 = \"jukesxdbrxd.xyz\"\n $c2 = \"37.44.212.223\"\n $c3 = \"107.189.11.170\"\n\n condition:\n ( filesize < 50KB ) and ( ( 4 of ($s*) ) and ( ( 2 of ($x*) ) or ( 1 of ($c*) ) ) )\n}\n\n" }, { "path": "rules/malware/sysupdataminer.yar", "content": "// SysUpdataMiner脚本通配规则\nrule linux_miner_sysupdataminer_script_gen\n{\n meta:\n description = \"sysupdataminer script general\"\n author = \"G4rb3n\"\n reference = \"https://www.freebuf.com/articles/system/172987.html\"\n date = \"2020-6-4\"\n\n strings:\n $s1 = \"miner_url\"\n $s2 = \"miner_size\"\n $s3 = \"sh_url\"\n $s4 = \"config_url\"\n $s5 = \"config_size\"\n $s6 = \"scan_url\"\n $s7 = \"scan_size\"\n $s8 = \"watchdog_url\"\n $s9 = \"watchdog_size\"\n \n $x1 = \"/etc/update.sh\"\n $x2 = \"/etc/sysupdate\"\n $x3 = \"/etc/networkservice\"\n $x4 = \"/usr/bin/cur\" fullword ascii\n $x5 = \"/usr/bin/wge\" fullword ascii\n\n $c1 = \"185.181.10.234\"\n $c2 = \"de.gsearch.com.de\"\n $c3 = \"AAAAB3NzaC1yc2EAAAADAQABAAABAQC9WKiJ7yQ6HcafmwzDMv1RKxPdJI\"\n\n condition:\n ( filesize < 50KB ) and ( ( ( 3 of ($s*) ) or ( 2 of ($x*) ) ) and ( 2 of ($c*) ) )\n}" }, { "path": "rules/malware/teamtnt.yar", "content": "// TeamTNT脚本通配规则\nrule linux_miner_teamtnt_script_gen\n{\n meta:\n description = \"teamtnt shell script general\"\n author = \"G4rb3n\"\n reference = \"https://x.threatbook.cn/nodev4/vb4/article?threatInfoID=2813\"\n date = \"2020-8-8\"\n md5_2008 = \"BE5B1BE30CF430AF6F76776FEBE805F2\"\n md5_2009 = \"856109FAFF327638BA3A8EC5800E988C\"\n\n strings:\n $s1 = \"LDR=\\\"wget -q -O -\\\"\"\n $s2 = \"LDR=\\\"curl\\\"\"\n $s3 = \"echo \\\"cron good\\\"\"\n $s4 = \"echo \\\"setup cron\\\"\"\n $s5 = \"downloadxmin()\"\n $s6 = \"startxmin()\"\n $s7 = \"setupmyapps()\"\n $s8 = \"loadthisfile()\"\n $s9 = \"uploadthersa()\"\n $s10 = \"getsomelanssh()\"\n $s11 = \"localgo()\"\n\n $c1 = \"85.214.149.236\"\n\n condition:\n ( filesize < 10KB ) and ( 2 of ($s*) ) and ( 1 of ($c*) )\n}" }, { "path": "rules/malware/watchbogminer.yar", "content": "// WatchBogMiner脚本通配规则\nrule linux_miner_watchbogminer_script_gen\n{\n meta:\n description = \"watchbogminer shell script general\"\n author = \"G4rb3n\"\n reference = \"https://s.tencent.com/research/report/1056.html\"\n date = \"2020-8-17\"\n\n strings:\n $s1 = \"pastebin.com\"\n $s2 = \"kill_miner_proc()\"\n $s3 = \"gettarfile()\"\n $s4 = \"base -d\"\n\n $c1 = \"UhUmR517\"\n $c2 = \"/JavaUpdates\"\n $c3 = \"tmpdropoff\"\n\n condition:\n ( filesize < 50KB ) and ( 2 of ($s*) ) and ( 2 of ($c*) )\n}" }, { "path": "rules/utils/wget.yar", "content": "rule wget {\r\n meta:\r\n author = \"yiansec\"\r\n strings:\r\n $url_regex = /wget https?:\\/\\// wide ascii\r\n condition:\r\n $url_regex\r\n}" }, { "path": "rules/webshell.yar", "content": "/*\nyiansec\n2020.5.1\n*/\ninclude \"./webshells/WShell_APT_Laudanum.yar\"\ninclude \"./webshells/WShell_ASPXSpy.yar\"\ninclude \"./webshells/WShell_Drupalgeddon2_icos.yar\"\ninclude \"./webshells/WShell_PHP_Anuna.yar\"\ninclude \"./webshells/WShell_PHP_in_images.yar\"\ninclude \"./webshells/WShell_THOR_Webshells.yar\"\ninclude \"./webshells/WShell_Behinder.yar\"\n\n" }, { "path": "rules/webshells/WShell_APT_Laudanum.yar", "content": "/*\n This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\n\n*/\nrule asp_file : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file file.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"ff5b1a9598735440bdbaa768b524c639e22f53c5\"\n\tstrings:\n\t\t$s1 = \"' *** Written by Tim Medin \" fullword ascii\n\t\t$s2 = \"Response.BinaryWrite(stream.Read)\" fullword ascii\n\t\t$s3 = \"Response.Write(Response.Status & Request.ServerVariables(\\\"REMOTE_ADDR\\\"))\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s4 = \"%>\\\">web root
<%\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s5 = \"set folder = fso.GetFolder(path)\" fullword ascii\n\t\t$s6 = \"Set file = fso.GetFile(filepath)\" fullword ascii\n\tcondition:\n\t\tuint16(0) == 0x253c and filesize < 30KB and 5 of them\n}\n\nrule php_killnc : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file killnc.php\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"c0dee56ee68719d5ec39e773621ffe40b144fda5\"\n\tstrings:\n\t\t$s1 = \"if ($_SERVER[\\\"REMOTE_ADDR\\\"] == $IP)\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"header(\\\"HTTP/1.0 404 Not Found\\\");\" fullword ascii\n\t\t$s3 = \"\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s4 = \"Laudanum Kill nc\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s5 = \"foreach ($allowedIPs as $IP) {\" fullword ascii\n\tcondition:\n\t\tfilesize < 15KB and 4 of them\n}\n\nrule asp_shell : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file shell.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"8bf1ff6f8edd45e3102be5f8a1fe030752f45613\"\n\tstrings:\n\t\t$s1 = \"
\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"%ComSpec% /c dir\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"Set objCmd = wShell.Exec(cmd)\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s4 = \"Server.ScriptTimeout = 180\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s5 = \"cmd = Request.Form(\\\"cmd\\\")\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s6 = \"' *** http://laudanum.secureideas.net\" fullword ascii\n\t\t$s7 = \"Dim wshell, intReturn, strPResult\" fullword ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 15KB and 4 of them\n}\n\nrule settings : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file settings.php\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"588739b9e4ef2dbb0b4cf630b73295d8134cc801\"\n\tstrings:\n\t\t$s1 = \"Port: \" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"
  • Reverse Shell - \" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"
  • \\\">File Browser\" ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 13KB and all of them\n}\n\nrule asp_proxy : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file proxy.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"51e97040d1737618b1775578a772fa6c5a31afd8\"\n\tstrings:\n\t\t$s1 = \"'response.write \\\"
    -value:\\\" & request.querystring(key)(j)\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"q = q & \\\"&\\\" & key & \\\"=\\\" & request.querystring(key)(j)\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"for each i in Split(http.getAllResponseHeaders, vbLf)\" fullword ascii\n\t\t$s4 = \"'urlquery = mid(urltemp, instr(urltemp, \\\"?\\\") + 1)\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s5 = \"s = urlscheme & urlhost & urlport & urlpath\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s6 = \"Set http = Server.CreateObject(\\\"Microsoft.XMLHTTP\\\")\" fullword ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 50KB and all of them\n}\n\nrule cfm_shell : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file shell.cfm\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"885e1783b07c73e7d47d3283be303c9719419b92\"\n\tstrings:\n\t\t$s1 = \"Executable:
    \" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"\" fullword ascii\n\tcondition:\n\t\tfilesize < 20KB and 2 of them\n}\n\nrule aspx_shell : webshell{\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file shell.aspx\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"076aa781a004ecb2bf545357fd36dcbafdd68b1a\"\n\tstrings:\n\t\t$s1 = \"remoteIp = HttpContext.Current.Request.Headers[\\\"X-Forwarded-For\\\"].Split(new\" ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"remoteIp = Request.UserHostAddress;\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s4 = \"\" fullword ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 20KB and all of them\n}\n\nrule php_shell : webshell{\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file shell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6\"\n\tstrings:\n\t\t$s1 = \"command_hist[current_line] = document.shell.command.value;\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"if (e.keyCode == 38 && current_line < command_hist.length-1) {\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"array_unshift($_SESSION['history'], $command);\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s4 = \"if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {\" fullword ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 40KB and all of them\n}\n\nrule php_reverse_shell : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file php-reverse-shell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"3ef03bbe3649535a03315dcfc1a1208a09cea49d\"\n\tstrings:\n\t\t$s1 = \"$process = proc_open($shell, $descriptorspec, $pipes);\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"printit(\\\"Successfully opened reverse shell to $ip:$port\\\");\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"$input = fread($pipes[1], $chunk_size);\" fullword ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 15KB and all of them\n}\n\nrule php_dns : webshell{\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file dns.php\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"01d5d16d876c55d77e094ce2b9c237de43b21a16\"\n\tstrings:\n\t\t$s1 = \"$query = isset($_POST['query']) ? $_POST['query'] : '';\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"$result = dns_get_record($query, $types[$type], $authns, $addtl);\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"if ($_SERVER[\\\"REMOTE_ADDR\\\"] == $IP)\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s4 = \"foreach (array_keys($types) as $t) {\" fullword ascii\n\tcondition:\n\t\tfilesize < 15KB and all of them\n}\n\nrule WEB_INF_web : webshell{\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file web.xml\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"0251baed0a16c451f9d67dddce04a45dc26cb4a3\"\n\tstrings:\n\t\t$s1 = \"Command\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"/cmd.jsp\" fullword ascii\n\tcondition:\n\t\tfilesize < 1KB and all of them\n}\n\nrule jsp_cmd : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file cmd.war\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"55e4c3dc00cfab7ac16e7cfb53c11b0c01c16d3d\"\n\tstrings:\n\t\t$s0 = \"cmd.jsp}\" fullword ascii\n\t\t$s1 = \"cmd.jspPK\" fullword ascii\n\t\t$s2 = \"WEB-INF/web.xml\" fullword ascii /* Goodware String - occured 1 times */\n\t\t$s3 = \"WEB-INF/web.xmlPK\" fullword ascii /* Goodware String - occured 1 times */\n\t\t$s4 = \"META-INF/MANIFEST.MF\" fullword ascii /* Goodware String - occured 12 times */\n\tcondition:\n\t\tuint16(0) == 0x4b50 and filesize < 2KB and all of them\n}\n\nrule laudanum : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file laudanum.php\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"fd498c8b195967db01f68776ff5e36a06c9dfbfe\"\n\tstrings:\n\t\t$s1 = \"public function __activate()\" fullword ascii\n\t\t$s2 = \"register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));\" fullword ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 5KB and all of them\n}\n\nrule php_file : webshell{\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file file.php\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"7421d33e8007c92c8642a36cba7351c7f95a4335\"\n\tstrings:\n\t\t$s1 = \"$allowedIPs =\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"\\\">Home
    \" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"$dir = isset($_GET[\\\"dir\\\"]) ? $_GET[\\\"dir\\\"] : \\\".\\\";\" fullword ascii\n\t\t$s4 = \"$curdir .= substr($curdir, -1) != \\\"/\\\" ? \\\"/\\\" : \\\"\\\";\" fullword ascii\n\tcondition:\n\t\tfilesize < 10KB and all of them\n}\n\nrule warfiles_cmd : webshell {\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file cmd.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"3ae3d837e7b362de738cf7fad78eded0dccf601f\"\n\tstrings:\n\t\t$s1 = \"Process p = Runtime.getRuntime().exec(request.getParameter(\\\"cmd\\\"));\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"out.println(\\\"Command: \\\" + request.getParameter(\\\"cmd\\\") + \\\"
    \\\");\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"\" fullword ascii\n\t\t$s4 = \"String disr = dis.readLine();\" fullword ascii\n\tcondition:\n\t\tfilesize < 2KB and all of them\n}\n\nrule asp_dns : webshell{\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file dns.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"5532154dd67800d33dace01103e9b2c4f3d01d51\"\n\tstrings:\n\t\t$s1 = \"command = \\\"nslookup -type=\\\" & qtype & \\\" \\\" & query \" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s2 = \"Set objCmd = objWShell.Exec(command)\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s3 = \"Response.Write command & \\\"
    \\\"\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s4 = \"\" fullword ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 21KB and all of them\n}\n\nrule php_reverse_shell_2 : webshell{\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools - file php-reverse-shell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\thash = \"025db3c3473413064f0606d93d155c7eb5049c42\"\n\tstrings:\n\t\t$s1 = \"$process = proc_open($shell, $descriptorspec, $pipes);\" fullword ascii /* PEStudio Blacklist: strings */\n\t\t$s7 = \"$shell = 'uname -a; w; id; /bin/sh -i';\" fullword ascii /* PEStudio Blacklist: strings */\n\tcondition:\n\t\tfilesize < 10KB and all of them\n}\n\nrule Laudanum_Tools_Generic : webshell Toolkit{\n\tmeta:\n\t\tdescription = \"Laudanum Injector Tools\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://laudanum.inguardians.com/\"\n\t\tdate = \"2015-06-22\"\n\t\tsuper_rule = 1\n\t\thash0 = \"076aa781a004ecb2bf545357fd36dcbafdd68b1a\"\n\t\thash1 = \"885e1783b07c73e7d47d3283be303c9719419b92\"\n\t\thash2 = \"01d5d16d876c55d77e094ce2b9c237de43b21a16\"\n\t\thash3 = \"7421d33e8007c92c8642a36cba7351c7f95a4335\"\n\t\thash4 = \"f49291aef9165ee4904d2d8c3cf5a6515ca0794f\"\n\t\thash5 = \"c0dee56ee68719d5ec39e773621ffe40b144fda5\"\n\t\thash6 = \"f32b9c2cc3a61fa326e9caebce28ef94a7a00c9a\"\n\t\thash7 = \"dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6\"\n\t\thash8 = \"fd498c8b195967db01f68776ff5e36a06c9dfbfe\"\n\t\thash9 = \"b50ae35fcf767466f6ca25984cc008b7629676b8\"\n\t\thash10 = \"5570d10244d90ef53b74e2ac287fc657e38200f0\"\n\t\thash11 = \"42bcb491a11b4703c125daf1747cf2a40a1b36f3\"\n\t\thash12 = \"83e4eaaa2cf6898d7f83ab80158b64b1d48096f4\"\n\t\thash13 = \"dec7ea322898690a7f91db9377f035ad7072b8d7\"\n\t\thash14 = \"a2272b8a4221c6cc373915f0cc555fe55d65ac4d\"\n\t\thash15 = \"588739b9e4ef2dbb0b4cf630b73295d8134cc801\"\n\t\thash16 = \"43320dc23fb2ed26b882512e7c0bfdc64e2c1849\"\n\tstrings:\n\t\t$s1 = \"*** laudanum@secureideas.net\" fullword ascii\n\t\t$s2 = \"*** Laudanum Project\" fullword ascii\n\tcondition:\n\t\tfilesize < 60KB and all of them\n}\n" }, { "path": "rules/webshells/WShell_ASPXSpy.yar", "content": "/*\n This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\n*/\n\nrule ASPXSpy\n{\n meta:\n description= \"Detect ASPXSpy\"\n author = \"xylitol@temari.fr\"\n date = \"2019-02-26\"\n // May only the challenge guide you\n strings:\n $string1 = \"CmdShell\" wide ascii\n $string2 = \"ADSViewer\" wide ascii\n $string3 = \"ASPXSpy.Bin\" wide ascii\n $string4 = \"PortScan\" wide ascii\n $plugin = \"Test.AspxSpyPlugins\" wide ascii\n \n condition:\n 3 of ($string*) or $plugin\n}\n" }, { "path": "rules/webshells/WShell_Behinder.yar", "content": "rule Behinder_aspx {\n meta:\n description = \"Behinder - file shell.aspx\"\n author = \"yarGen Rule Generator\"\n reference = \"https://github.com/Neo23x0/yarGen\"\n date = \"2021-08-26\"\n hash1 = \"224c7f43f72938e44b4f164c1c899c398a9c099a92c6d084856f5e227761e3b0\"\n strings:\n $x1 = \"<%@ Page Language=\\\"C#\\\" %><%@Import Namespace=\\\"System.Reflection\\\"%><%Session.Add(\\\"k\\\",;\" ascii\n $s3 = \"ssion[0] + \\\"\\\"),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().\" ascii\n $s4 = \"eateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance(\\\"U\\\").Equals(this);%>\" fullword ascii\n condition:\n uint16(0) == 0x253c and filesize < 1KB and\n 1 of ($x*) and all of them\n}\n\nrule Behinder_php {\n meta:\n description = \"Behinder - file shell.php\"\n author = \"yarGen Rule Generator\"\n reference = \"https://github.com/Neo23x0/yarGen\"\n date = \"2021-08-26\"\n hash1 = \"3566561d818e868a96f2bc8db9c93663a4fb81c06041259f66d04147d50ce8ab\"\n strings:\n $s1 = \"$post=openssl_decrypt($post, \\\"AES128\\\", $key);\" fullword ascii\n $s2 = \"$post=file_get_contents(\\\"php://input\\\");\" fullword ascii\n $s3 = \" $post[$i] = $post[$i]^$key[$i+1&15]; \" fullword ascii\n $s4 = \"$_SESSION['k']=$key;\" fullword ascii\n $s5 = \"@error_reporting(0);\" fullword ascii\n $s6 = \"$post=$t($post.\\\"\\\");\" fullword ascii\n $s7 = \"for($i=0;$i class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.de\" ascii\n $s5 = \"w sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);\" fullword ascii\n condition:\n uint16(0) == 0x6a3c and filesize < 1KB and\n 1 of ($x*) and all of them\n}\n\nrule Behinder_asp {\n meta:\n description = \"Behinder - file shell.asp\"\n author = \"yarGen Rule Generator\"\n reference = \"https://github.com/Neo23x0/yarGen\"\n date = \"2021-08-26\"\n hash1 = \"2c87faf7c25688c83c86c8b1e9f706f98a4195b84d1f5ce3169de6f2997320f7\"\n strings:\n $s1 = \"content=Request.BinaryRead(size)\" fullword ascii\n $s2 = \"execute(result)\" fullword ascii\n $s3 = \"result=result&Chr(ascb(midb(content,i,1)) Xor Asc(Mid(k,(i and 15)+1,1)))\" fullword ascii\n $s4 = \"Session(\\\"k\\\")=k\" fullword ascii\n $s5 = \"Response.CharSet = \\\"UTF-8\\\" \" fullword ascii\n $s6 = \"size=Request.TotalBytes\" fullword ascii\n $s7 = \"For i=1 To size\" fullword ascii\n condition:\n uint16(0) == 0x253c and filesize < 1KB and\n all of them\n}\n\nrule Behinder_jsp {\n meta:\n description = \"Behinder - file shell.jsp\"\n author = \"yarGen Rule Generator\"\n reference = \"https://github.com/Neo23x0/yarGen\"\n date = \"2021-08-26\"\n hash1 = \"5c8c2d64aef4e586b077b5fde7d8fc3aea16ae9d15438b516ec277c42a7164a5\"\n strings:\n $x1 = \"<%@page import=\\\"java.util.*,javax.crypto.*,javax.crypto.spec.*\\\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}pub\" ascii\n $s2 = \"ader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext\" ascii\n $s3 = \"<%@page import=\\\"java.util.*,javax.crypto.*,javax.crypto.spec.*\\\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}pub\" ascii\n $s4 = \"c Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\\\"POST\\\"))\" ascii\n $s5 = \"Value(\\\"u\\\",k);Cipher c=Cipher.getInstance(\\\"AES\\\");c.init(2,new SecretKeySpec(k.getBytes(),\\\"AES\\\"));new U(this.getClass().getC\" ascii\n condition:\n uint16(0) == 0x253c and filesize < 1KB and\n 1 of ($x*) and all of them\n}\n\nrule shell_java9 {\n meta:\n description = \"Behinder - file shell_java9.jsp\"\n author = \"yarGen Rule Generator\"\n reference = \"https://github.com/Neo23x0/yarGen\"\n date = \"2021-08-26\"\n hash1 = \"cfd86cc11928d594f4ccfb6be371a09383f83bbe82d4d6d86703f5fa6b5233f2\"\n strings:\n $x1 = \"<%@page import=\\\"java.util.*,javax.crypto.*,javax.crypto.spec.*\\\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}pub\" ascii\n $s2 = \"ader()).g(c.doFinal(Base64.getDecoder().decode(request.getReader().readLine()))).newInstance().equals(pageContext);}%>\" fullword ascii\n $s3 = \"<%@page import=\\\"java.util.*,javax.crypto.*,javax.crypto.spec.*\\\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}pub\" ascii\n $s4 = \"c Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\\\"POST\\\")){String k=\" ascii\n $s5 = \"Value(\\\"u\\\",k);Cipher c=Cipher.getInstance(\\\"AES\\\");c.init(2,new SecretKeySpec(k.getBytes(),\\\"AES\\\"));new U(this.getClass().getC\" ascii\n condition:\n uint16(0) == 0x253c and filesize < 1KB and\n 1 of ($x*) and all of them\n}\n\n\n" }, { "path": "rules/webshells/WShell_Drupalgeddon2_icos.yar", "content": "/*\nThis Yara ruleset is under the GNU-GPLv2 license \n(http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or \norganization, as long as you use it under this license.\n*/\n\n/*\nAuthor: Luis Fueris \nDate: 4 october, 2019\nDescription: Drupalgeddon 2 - Web Shells Extract. This rules matchs with\nwebshells that inserts the Drupal core vulnerability SA-CORE-2018-002 \n(https://www.drupal.org/sa-core-2018-002)\n*/\n\nrule Dotico_PHP_webshell : webshell {\n meta:\n description = \".ico PHP webshell - file .ico\"\n author = \"Luis Fueris\"\n reference = \"https://rankinstudio.com/Drupal_ico_index_hack\"\n date = \"2019/12/04\"\n strings:\n $php = \" 70KB and filesize < 110KB\n}\n" }, { "path": "rules/webshells/WShell_PHP_Anuna.yar", "content": "/*\n I first found this in May 2016, appeared in every PHP file on the\n server, cleaned it with `sed` and regex magic. Second time was\n in June 2016, same decoded content, different encoding/naming.\n\n https://www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99\n*/\nrule php_anuna\n{\n meta:\n author = \"Vlad https://github.com/vlad-s\"\n date = \"2016/07/18\"\n description = \"Catches a PHP Trojan\"\n strings:\n $a = /<\\?php \\$[a-z]+ = '/\n $b = /\\$[a-z]+=explode\\(chr\\(\\([0-9]+[-+][0-9]+\\)\\)/\n $c = /\\$[a-z]+=\\([0-9]+[-+][0-9]+\\)/\n $d = /if \\(!function_exists\\('[a-z]+'\\)\\)/\n condition:\n all of them\n}\n" }, { "path": "rules/webshells/WShell_PHP_in_images.yar", "content": "/*\n Finds PHP code in JP(E)Gs, GIFs, PNGs.\n Magic numbers via Wikipedia.\n*/\nrule php_in_image\n{\n meta:\n author = \"Vlad https://github.com/vlad-s\"\n date = \"2016/07/18\"\n description = \"Finds image files w/ PHP code in images\"\n strings:\n $gif = /^GIF8[79]a/\n $jfif = { ff d8 ff e? 00 10 4a 46 49 46 }\n $png = { 89 50 4e 47 0d 0a 1a 0a }\n\n $php_tag = \" 570 and filesize < 800\n}\n\nrule webshell_h4ntu_shell_powered_by_tsoi_ : webshell {\n\tmeta:\n\t\tdescription = \"Web Shell - file h4ntu shell [powered by tsoi].php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"06ed0b2398f8096f1bebf092d0526137\"\n\tstrings:\n\t\t$s0 = \"
    Server Adress:
    User Info: ui\"\n\t\t$s4 = \"
    : \\\".mysql_error().\\\"$f_\"\n\t\t$s4 = \"print \\\"Current Directory\"\n\t\t$s4 = \"

    \" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_iMHaPFtp_2 : webshell{\n\tmeta:\n\t\tdescription = \"Web Shell - file iMHaPFtp.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"12911b73bc6a5d313b494102abcf5c57\"\n\tstrings:\n\t\t$s8 = \"if ($l) echo '    \\\"+strCut(convertPath(list[i].getPath()),7\"\n\t\t$s3 = \" \\\"reg add \\\\\\\"HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Control\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 : webshell{\n\tmeta:\n\t\tdescription = \"Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"49ad9117c96419c35987aaa7e2230f63\"\n\tstrings:\n\t\t$s0 = \"die(\\\"\\\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\\\n\"\n\t\t$s1 = \"Mode Shell v1.0 \\\" (space), \\\"[\\\" (left bracket), \\\"|\\\" (pi\"\n\t\t$s3 = \"word: \\\"null\\\", \\\"yes\\\", \\\"no\\\", \\\"true\\\",\"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_PHPRemoteView : webshell{\n\tmeta:\n\t\tdescription = \"Web Shell - file PHPRemoteView.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"29420106d9a81553ef0d1ca72b9934d9\"\n\tstrings:\n\t\t$s2 = \"SHOPEN\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_cihshell_fix : webshell {\n\tmeta:\n\t\tdescription = \"Web Shell - file cihshell_fix.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"3823ac218032549b86ee7c26f10c4cb5\"\n\tstrings:\n\t\t$s7 = \"\" fullword\n\t\t$s8 = \"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_Private_i3lue : webshell{\n\tmeta:\n\t\tdescription = \"Web Shell - file Private-i3lue.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"13f5c7a035ecce5f9f380967cf9d4e92\"\n\tstrings:\n\t\t$s8 = \"case 15: $image .= \\\"\\\\21\\\\0\\\\\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_php_up : webshell {\n\tmeta:\n\t\tdescription = \"Web Shell - file up.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"7edefb8bd0876c41906f4b39b52cd0ef\"\n\tstrings:\n\t\t$s0 = \"copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);\" fullword\n\t\t$s3 = \"if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {\" fullword\n\t\t$s8 = \"echo \\\"Uploaded file: \\\" . $HTTP_POST_FILES['userfile']['name'];\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_Mysql_interface_v1_0 {\n\tmeta:\n\t\tdescription = \"Web Shell - file Mysql interface v1.0.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"a12fc0a3d31e2f89727b9678148cd487\"\n\tstrings:\n\t\t$s0 = \"echo \\\"Go Execute
    All the data in these tables:
    \\\".$tblsv.\\\" were putted \"\n\tcondition:\n\t\tall of them\n}\nrule webshell_Server_Variables {\n\tmeta:\n\t\tdescription = \"Web Shell - file Server Variables.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"47fb8a647e441488b30f92b4d39003d7\"\n\tstrings:\n\t\t$s7 = \"<% For Each Vars In Request.ServerVariables %>\" fullword\n\t\t$s9 = \"Variable Name

    \" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_caidao_shell_ice_2 {\n\tmeta:\n\t\tdescription = \"Web Shell - file ice.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"1d6335247f58e0a5b03e17977888f5f2\"\n\tstrings:\n\t\t$s0 = \"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_caidao_shell_mdb {\n\tmeta:\n\t\tdescription = \"Web Shell - file mdb.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"fbf3847acef4844f3a0d04230f6b9ff9\"\n\tstrings:\n\t\t$s1 = \"<% execute request(\\\"ice\\\")%>a \" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_jsp_guige {\n\tmeta:\n\t\tdescription = \"Web Shell - file guige.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"2c9f2dafa06332957127e2c713aacdd2\"\n\tstrings:\n\t\t$s0 = \"if(damapath!=null &&!damapath.equals(\\\"\\\")&&content!=null\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_phpspy2010 {\n\tmeta:\n\t\tdescription = \"Web Shell - file phpspy2010.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"14ae0e4f5349924a5047fed9f3b105c5\"\n\tstrings:\n\t\t$s3 = \"eval(gzinflate(base64_decode(\"\n\t\t$s5 = \"//angel\" fullword\n\t\t$s8 = \"$admin['cookiedomain'] = '';\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_asp_ice {\n\tmeta:\n\t\tdescription = \"Web Shell - file ice.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"d141e011a92f48da72728c35f1934a2b\"\n\tstrings:\n\t\t$s0 = \"D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_drag_system {\n\tmeta:\n\t\tdescription = \"Web Shell - file system.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"15ae237cf395fb24cf12bff141fb3f7c\"\n\tstrings:\n\t\t$s9 = \"String sql = \\\"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_DarkBlade1_3_asp_indexx {\n\tmeta:\n\t\tdescription = \"Web Shell - file indexx.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"b7f46693648f534c2ca78e3f21685707\"\n\tstrings:\n\t\t$s3 = \"Const strs_toTransform=\\\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_phpshell3 {\n\tmeta:\n\t\tdescription = \"Web Shell - file phpshell3.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"76117b2ee4a7ac06832d50b2d04070b8\"\n\tstrings:\n\t\t$s2 = \"Username: \" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_asp_404 {\n\tmeta:\n\t\tdescription = \"Web Shell - file 404.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"d9fa1e8513dbf59fa5d130f389032a2d\"\n\tstrings:\n\t\t$s0 = \"lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_webshell_cnseay02_1 {\n\tmeta:\n\t\tdescription = \"Web Shell - file webshell-cnseay02-1.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"95fc76081a42c4f26912826cb1bd24b1\"\n\tstrings:\n\t\t$s0 = \"(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_php_fbi {\n\tmeta:\n\t\tdescription = \"Web Shell - file fbi.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"1fb32f8e58c8deb168c06297a04a21f1\"\n\tstrings:\n\t\t$s7 = \"erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_B374kPHP_B374k {\n\tmeta:\n\t\tdescription = \"Web Shell - file B374k.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"bed7388976f8f1d90422e8795dff1ea6\"\n\tstrings:\n\t\t$s0 = \"Http://code.google.com/p/b374k-shell\" fullword\n\t\t$s1 = \"$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'\"\n\t\t$s3 = \"Jayalah Indonesiaku & Lyke @ 2013\" fullword\n\t\t$s4 = \"B374k Vip In Beautify Just For Self\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_cmd_asp_5_1 {\n\tmeta:\n\t\tdescription = \"Web Shell - file cmd-asp-5.1.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"8baa99666bf3734cbdfdd10088e0cd9f\"\n\tstrings:\n\t\t$s9 = \"Call oS.Run(\\\"win.com cmd.exe /c \\\"\\\"\\\" & szCMD & \\\" > \\\" & szTF &\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_php_dodo_zip {\n\tmeta:\n\t\tdescription = \"Web Shell - file zip.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"b7800364374077ce8864796240162ad5\"\n\tstrings:\n\t\t$s0 = \"$hexdtime = '\\\\x' . $dtime[6] . $dtime[7] . '\\\\x' . $dtime[4] . $dtime[5] . '\\\\x\"\n\t\t$s3 = \"$datastr = \\\"\\\\x50\\\\x4b\\\\x03\\\\x04\\\\x0a\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_aZRaiLPhp_v1_0 {\n\tmeta:\n\t\tdescription = \"Web Shell - file aZRaiLPhp v1.0.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"26b2d3943395682e36da06ed493a3715\"\n\tstrings:\n\t\t$s5 = \"echo \\\" CHMODU \\\".substr(base_convert(@fileperms($\"\n\t\t$s7 = \"echo \\\"\\\" . $filena\"\n\t\t$s9 = \"// by: The Dark Raver\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_ironshell {\n\tmeta:\n\t\tdescription = \"Web Shell - file ironshell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"8bfa2eeb8a3ff6afc619258e39fded56\"\n\tstrings:\n\t\t$s4 = \"print \\\" <%=thingy.DriveType%> <%=thi\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_jsp_web {\n\tmeta:\n\t\tdescription = \"Web Shell - file web.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"4bc11e28f5dccd0c45a37f2b541b2e98\"\n\tstrings:\n\t\t$s0 = \"<%@page import=\\\"java.io.*\\\"%><%@page import=\\\"java.net.*\\\"%><%String t=request.\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_mysqlwebsh {\n\tmeta:\n\t\tdescription = \"Web Shell - file mysqlwebsh.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"babfa76d11943a22484b3837f105fada\"\n\tstrings:\n\t\t$s3 = \" POST (php eval)<\"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_asp_ntdaddy {\n\tmeta:\n\t\tdescription = \"Web Shell - file ntdaddy.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"c5e6baa5d140f73b4e16a6cfde671c68\"\n\tstrings:\n\t\t$s9 = \"if FP = \\\"RefreshFolder\\\" or \"\n\t\t$s10 = \"request.form(\\\"cmdOption\\\")=\\\"DeleteFolder\\\" \"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_MySQL_Web_Interface_Version_0_8 {\n\tmeta:\n\t\tdescription = \"Web Shell - file MySQL Web Interface Version 0.8.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"36d4f34d0a22080f47bb1cb94107c60f\"\n\tstrings:\n\t\t$s2 = \"href='$PHP_SELF?action=dumpTable&dbname=$dbname&tablename=$tablename'>Dump\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_elmaliseker_2 {\n\tmeta:\n\t\tdescription = \"Web Shell - file elmaliseker.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"b32d1730d23a660fd6aa8e60c3dc549f\"\n\tstrings:\n\t\t$s1 = \" \\\" title=\\\"<%=SubFolder.Name%>\\\"> ??????????????????: \" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_asp_1 {\n\tmeta:\n\t\tdescription = \"Web Shell - file 1.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"8991148adf5de3b8322ec5d78cb01bdb\"\n\tstrings:\n\t\t$s4 = \"!22222222222222222222222222222222222222222222222222\" fullword\n\t\t$s8 = \"<%eval request(\\\"pass\\\")%>\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_ASP_tool {\n\tmeta:\n\t\tdescription = \"Web Shell - file tool.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"4ab68d38527d5834e9c1ff64407b34fb\"\n\tstrings:\n\t\t$s0 = \"Response.Write \\\"<DIR> \" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_jsp_jshell {\n\tmeta:\n\t\tdescription = \"Web Shell - file jshell.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"124b22f38aaaf064cef14711b2602c06\"\n\tstrings:\n\t\t$s0 = \"kXpeW[\\\"\" fullword\n\t\t$s4 = \"[7b:g0W@W<\" fullword\n\t\t$s5 = \"b:gHr,g<\" fullword\n\t\t$s8 = \"RhV0W@W<\" fullword\n\t\t$s9 = \"S_MR(u7b\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_ASP_zehir4 {\n\tmeta:\n\t\tdescription = \"Web Shell - file zehir4.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"7f4e12e159360743ec016273c3b9108c\"\n\tstrings:\n\t\t$s9 = \"Response.Write \\\"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_PHP_Shell_x3 {\n\tmeta:\n\t\tdescription = \"Web Shell - file PHP Shell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"a2f8fa4cce578fc9c06f8e674b9e63fd\"\n\tstrings:\n\t\t$s4 = \"  [\"\n\t\t$s6 = \"echo \\\"
    \\\");\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_jsp_k81 {\n\tmeta:\n\t\tdescription = \"Web Shell - file k81.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"41efc5c71b6885add9c1d516371bd6af\"\n\tstrings:\n\t\t$s1 = \"byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);\" fullword\n\t\t$s9 = \"if(cmd.equals(\\\"Szh0ZWFt\\\")){out.print(\\\"[S]\\\"+dir+\\\"[E]\\\");}\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_ASP_zehir {\n\tmeta:\n\t\tdescription = \"Web Shell - file zehir.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"0061d800aee63ccaf41d2d62ec15985d\"\n\tstrings:\n\t\t$s9 = \"Response.Write \\\"'.htmlspecialchars($cmd).\\\"
    \"\n\tcondition:\n\t\tall of them\n}\nrule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit {\n\tmeta:\n\t\tdescription = \"Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"c6eeacbe779518ea78b8f7ed5f63fc11\"\n\tstrings:\n\t\t$s1 = \"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_redirect {\n\tmeta:\n\t\tdescription = \"Web Shell - file redirect.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"97da83c6e3efbba98df270cc70beb8f8\"\n\tstrings:\n\t\t$s7 = \"var flag = \\\"?txt=\\\" + (document.getElementById(\\\"dl\\\").checked ? \\\"2\\\":\\\"1\\\" \"\n\tcondition:\n\t\tall of them\n}\nrule webshell_jsp_cmdjsp {\n\tmeta:\n\t\tdescription = \"Web Shell - file cmdjsp.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"b815611cc39f17f05a73444d699341d4\"\n\tstrings:\n\t\t$s5 = \"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_Java_Shell {\n\tmeta:\n\t\tdescription = \"Web Shell - file Java Shell.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"36403bc776eb12e8b7cc0eb47c8aac83\"\n\tstrings:\n\t\t$s4 = \"public JythonShell(int columns, int rows, int scrollback) {\" fullword\n\t\t$s9 = \"this(null, Py.getSystemState(), columns, rows, scrollback);\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_asp_1d {\n\tmeta:\n\t\tdescription = \"Web Shell - file 1d.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"fad7504ca8a55d4453e552621f81563c\"\n\tstrings:\n\t\t$s0 = \"+9JkskOfKhUxZJPL~\\\\(mD^W~[,{@#@&EO\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_jsp_IXRbE {\n\tmeta:\n\t\tdescription = \"Web Shell - file IXRbE.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"e26e7e0ebc6e7662e1123452a939e2cd\"\n\tstrings:\n\t\t$s0 = \"<%if(request.getParameter(\\\"f\\\")!=null)(new java.io.FileOutputStream(application\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_PHP_G5 {\n\tmeta:\n\t\tdescription = \"Web Shell - file G5.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"95b4a56140a650c74ed2ec36f08d757f\"\n\tstrings:\n\t\t$s3 = \"echo \\\"Hacking Mode?
    Posix_getpwuid (\\\"Read\\\" /etc/passwd)\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_Macker_s_Private_PHPShell {\n\tmeta:\n\t\tdescription = \"Web Shell - file Macker's Private PHPShell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"e24cbf0e294da9ac2117dc660d890bb9\"\n\tstrings:\n\t\t$s3 = \"echo \\\" Server's PHP Version:&n\"\n\t\t$s4 = \"  [\"\n\t\t$s7 = \"echo \\\"\"\n\t\t$s3 = \"\" fullword\n\t\t$s2 = \"out.print(\\\")     Filenam\"\n\t\t$s8 = \"print \\\"File: Tools\\\">\" fullword\n\t\t$s4 = \"Response.Write(\\\"

    FILE: \\\" & file & \\\"

    \\\")\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_PHP_co {\n\tmeta:\n\t\tdescription = \"Web Shell - file co.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"62199f5ac721a0cb9b28f465a513874c\"\n\tstrings:\n\t\t$s0 = \"cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV\" fullword\n\t\t$s11 = \"6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_PHP_150 {\n\tmeta:\n\t\tdescription = \"Web Shell - file 150.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"400c4b0bed5c90f048398e1d268ce4dc\"\n\tstrings:\n\t\t$s0 = \"HJ3HjqxclkZfp\"\n\t\t$s1 = \"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_PHP_c37 {\n\tmeta:\n\t\tdescription = \"Web Shell - file c37.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"d01144c04e7a46870a8dd823eb2fe5c8\"\n\tstrings:\n\t\t$s3 = \"array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj'),\"\n\t\t$s9 = \"++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE],\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_PHP_b37 {\n\tmeta:\n\t\tdescription = \"Web Shell - file b37.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"0421445303cfd0ec6bc20b3846e30ff0\"\n\tstrings:\n\t\t$s0 = \"xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_php_backdoor {\n\tmeta:\n\t\tdescription = \"Web Shell - file php-backdoor.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"2b5cb105c4ea9b5ebc64705b4bd86bf7\"\n\tstrings:\n\t\t$s1 = \"if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))\" fullword\n\t\t$s2 = \"
    \\\" METHOD=GET >execute command:  \" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_asp_cmdasp {\n\tmeta:\n\t\tdescription = \"Web Shell - file cmdasp.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"57b51418a799d2d016be546f399c2e9b\"\n\tstrings:\n\t\t$s0 = \"<%= \\\"\\\\\\\\\\\" & oScriptNet.ComputerName & \\\"\\\\\\\" & oScriptNet.UserName %>\" fullword\n\t\t$s7 = \"Call oScript.Run (\\\"cmd.exe /c \\\" & szCMD & \\\" > \\\" & szTempFile, 0, True)\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_spjspshell {\n\tmeta:\n\t\tdescription = \"Web Shell - file spjspshell.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"d39d51154aaad4ba89947c459a729971\"\n\tstrings:\n\t\t$s7 = \"Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\\\winnt\\\\system32\\\\cmd.exe /c type c:\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_jsp_action {\n\tmeta:\n\t\tdescription = \"Web Shell - file action.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"5a7d931094f5570aaf5b7b3b06c3d8c0\"\n\tstrings:\n\t\t$s1 = \"String url=\\\"jdbc:oracle:thin:@localhost:1521:orcl\\\";\" fullword\n\t\t$s6 = \"<%@ page contentType=\\\"text/html;charset=gb2312\\\"%>\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_Inderxer {\n\tmeta:\n\t\tdescription = \"Web Shell - file Inderxer.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"9ea82afb8c7070817d4cdf686abe0300\"\n\tstrings:\n\t\t$s4 = \"Nereye :   \" fullword\n\t\t$s9 = \"String path=new String(request.getParameter(\\\"path\\\").getBytes(\\\"ISO-8859\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_ELMALISEKER_Backd00r {\n\tmeta:\n\t\tdescription = \"Web Shell - file ELMALISEKER Backd00r.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"3aa403e0a42badb2c23d4a54ef43e2f4\"\n\tstrings:\n\t\t$s0 = \"response.write(\\\"\" fullword\n\t\t$s6 = \"\\\" name=\\\"url\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_jsp_inback3 {\n\tmeta:\n\t\tdescription = \"Web Shell - file inback3.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"ea5612492780a26b8aa7e5cedd9b8f4e\"\n\tstrings:\n\t\t$s0 = \"<%if(request.getParameter(\\\"f\\\")!=null)(new java.io.FileOutputStream(application\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_metaslsoft {\n\tmeta:\n\t\tdescription = \"Web Shell - file metaslsoft.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\thash = \"aa328ed1476f4a10c0bcc2dde4461789\"\n\tstrings:\n\t\t$s7 = \"$buff .= \\\"[ $folder ]LINKjsp File Browser version <%= VERSION_NR%> by Operating System : \\\".php_uname().\\\" \\\",in('text','mk_name\"\n\t\t$s3 = \"echo sr(15,\\\"\\\".$lang[$language.'_text21'].$arrow.\\\"\\\",in('checkbox','nf1\"\n\t\t$s9 = \"echo sr(40,\\\"\\\".$lang[$language.'_text26'].$arrow.\\\"\\\",\\\"Current File (import new file name and new file)
    Current file (fullpath)
      \\\".$pathname.\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx {\n\tmeta:\n\t\tdescription = \"Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"61a92ce63369e2fa4919ef0ff7c51167\"\n\t\thash1 = \"f2fa878de03732fbf5c86d656467ff50\"\n\t\thash2 = \"27786d1e0b1046a1a7f67ee41c64bf4c\"\n\t\thash3 = \"0f5b9238d281bc6ac13406bb24ac2a5b\"\n\t\thash4 = \"68c0629d08b1664f5bcce7d7f5f71d22\"\n\t\thash5 = \"048ccc01b873b40d57ce25a4c56ea717\"\n\tstrings:\n\t\t$s8 = \"else {echo \\\"Running datapipe... ok! Connect to \\\".getenv(\\\"SERVER_ADDR\\\"\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_2008_2009lite_2009mssql {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"3e4ba470d4c38765e4b16ed930facf2c\"\n\t\thash1 = \"3f4d454d27ecc0013e783ed921eeecde\"\n\t\thash2 = \"aa17b71bb93c6789911bd1c9df834ff9\"\n\tstrings:\n\t\t$s0 = \"    Path.'/\\\\');\"\n\t\t$s7 = \"p('
    File Manager - Current disk free '.sizecount($free).' of '.sizecount($all\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz {\n\tmeta:\n\t\tdescription = \"Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"791708057d8b429d91357d38edf43cc0\"\n\t\thash1 = \"b68bfafc6059fd26732fa07fb6f7f640\"\n\t\thash2 = \"42f211cec8032eb0881e87ebdb3d7224\"\n\t\thash3 = \"40a1f840111996ff7200d18968e42cfe\"\n\t\thash4 = \"e0202adff532b28ef1ba206cf95962f2\"\n\t\thash5 = \"0712e3dc262b4e1f98ed25760b206836\"\n\t\thash6 = \"802f5cae46d394b297482fd0c27cb2fc\"\n\tstrings:\n\t\t$s0 = \"$mainpath_info           = explode('/', $mainpath);\" fullword\n\t\t$s6 = \"if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \\\"d\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_807_dm_JspSpyJDK5_m_cofigrue {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"ae76c77fb7a234380cd0ebb6fe1bcddf\"\n\t\thash1 = \"14e9688c86b454ed48171a9d4f48ace8\"\n\t\thash2 = \"341298482cf90febebb8616426080d1d\"\n\t\thash3 = \"88fc87e7c58249a398efd5ceae636073\"\n\t\thash4 = \"349ec229e3f8eda0f9eb918c74a8bf4c\"\n\tstrings:\n\t\t$s1 = \"url_con.setRequestProperty(\\\"REFERER\\\", \\\"\\\"+fckal+\\\"\\\");\" fullword\n\t\t$s9 = \"FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(),  \\\"GBK\\\");\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx {\n\tmeta:\n\t\tdescription = \"Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"1b5102bdc41a7bc439eea8f0010310a5\"\n\t\thash1 = \"f8a6d5306fb37414c5c772315a27832f\"\n\t\thash2 = \"37cb1db26b1b0161a4bf678a6b4565bd\"\n\tstrings:\n\t\t$s1 = \"if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals\"\n\t\t$s9 = \"if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_404_data_in_JFolder_jfolder01_xxx {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"7066f4469c3ec20f4890535b5f299122\"\n\t\thash1 = \"9f54aa7b43797be9bab7d094f238b4ff\"\n\t\thash2 = \"793b3d0a740dbf355df3e6f68b8217a4\"\n\t\thash3 = \"8979594423b68489024447474d113894\"\n\t\thash4 = \"ec482fc969d182e5440521c913bab9bd\"\n\t\thash5 = \"f98d2b33cd777e160d1489afed96de39\"\n\t\thash6 = \"4b4c12b3002fad88ca6346a873855209\"\n\t\thash7 = \"c93d5bdf5cf62fe22e299d0f2b865ea7\"\n\t\thash8 = \"e9a5280f77537e23da2545306f6a19ad\"\n\tstrings:\n\t\t$s4 = \" \"\n\tcondition:\n\t\t2 of them\n}\nrule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"3e4ba470d4c38765e4b16ed930facf2c\"\n\t\thash1 = \"aa17b71bb93c6789911bd1c9df834ff9\"\n\t\thash2 = \"b68bfafc6059fd26732fa07fb6f7f640\"\n\t\thash3 = \"40a1f840111996ff7200d18968e42cfe\"\n\t\thash4 = \"e0202adff532b28ef1ba206cf95962f2\"\n\t\thash5 = \"802f5cae46d394b297482fd0c27cb2fc\"\n\tstrings:\n\t\t$s0 = \"$this -> addFile($content, $filename);\" fullword\n\t\t$s3 = \"function addFile($data, $name, $time = 0) {\" fullword\n\t\t$s8 = \"function unix2DosTime($unixtime = 0) {\" fullword\n\t\t$s9 = \"foreach($filelist as $filename){\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_c99_c66_c99_shadows_mod_c99shell {\n\tmeta:\n\t\tdescription = \"Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"61a92ce63369e2fa4919ef0ff7c51167\"\n\t\thash1 = \"0f5b9238d281bc6ac13406bb24ac2a5b\"\n\t\thash2 = \"68c0629d08b1664f5bcce7d7f5f71d22\"\n\t\thash3 = \"048ccc01b873b40d57ce25a4c56ea717\"\n\tstrings:\n\t\t$s2 = \"  if (unlink(_FILE_)) {@ob_clean(); echo \\\"Thanks for using c99shell v.\\\".$shv\"\n\t\t$s3 = \"  \\\"c99sh_backconn.pl\\\"=>array(\\\"Using PERL\\\",\\\"perl %path %host %port\\\"),\" fullword\n\t\t$s4 = \"
    array(\\\"Using PERL\\\",\\\"perl %path %localport %remotehos\"\n\t\t$s9 = \"   elseif (!$data = c99getsource($bc[\\\"src\\\"])) {echo \\\"Can't download sources!\"\n\tcondition:\n\t\t2 of them\n}\nrule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 {\n\tmeta:\n\t\tdescription = \"Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"b330a6c2d49124ef0729539761d6ef0b\"\n\t\thash1 = \"d71716df5042880ef84427acee8b121e\"\n\t\thash2 = \"344f9073576a066142b2023629539ebd\"\n\t\thash3 = \"32dea47d9c13f9000c4c807561341bee\"\n\t\thash4 = \"b9744f6876919c46a29ea05b1d95b1c3\"\n\t\thash5 = \"3ea688e3439a1f56b16694667938316d\"\n\t\thash6 = \"2434a7a07cb47ce25b41d30bc291cacc\"\n\tstrings:\n\t\t$s0 = \"\\\"\\\"+f.canRead()+\\\" / \\\"+f.canWrite()+\\\" / \\\"+f.canExecute()+\\\"\\\"+\" fullword\n\t\t$s4 = \"out.println(\\\"
    File Manager - Current disk "\\\"+(cr.indexOf(\\\"/\\\") == 0?\"\n\t\t$s7 = \"String execute = f.canExecute() ? \\\"checked=\\\\\\\"checked\\\\\\\"\\\" : \\\"\\\";\" fullword\n\t\t$s8 = \"\\\"
    \"\n\tcondition:\n\t\t2 of them\n}\nrule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"2eeb8bf151221373ee3fd89d58ed4d38\"\n\t\thash1 = \"059058a27a7b0059e2c2f007ad4675ef\"\n\t\thash2 = \"8b457934da3821ba58b06a113e0d53d9\"\n\t\thash3 = \"d44df8b1543b837e57cc8f25a0a68d92\"\n\t\thash4 = \"e0354099bee243702eb11df8d0e046df\"\n\t\thash5 = \"90a5ba0c94199269ba33a58bc6a4ad99\"\n\t\thash6 = \"655722eaa6c646437c8ae93daac46ae0\"\n\t\thash7 = \"591ca89a25f06cf01e4345f98a22845c\"\n\tstrings:\n\t\t$s0 = \"return new Double(format.format(value)).doubleValue();\" fullword\n\t\t$s5 = \"File tempF = new File(savePath);\" fullword\n\t\t$s9 = \"if (tempF.isDirectory()) {\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_c99_c99shell_c99_c99shell {\n\tmeta:\n\t\tdescription = \"Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"61a92ce63369e2fa4919ef0ff7c51167\"\n\t\thash1 = \"d3f38a6dc54a73d304932d9227a739ec\"\n\t\thash2 = \"157b4ac3c7ba3a36e546e81e9279eab5\"\n\t\thash3 = \"048ccc01b873b40d57ce25a4c56ea717\"\n\tstrings:\n\t\t$s2 = \"$bindport_pass = \\\"c99\\\";\" fullword\n\t\t$s5 = \" else {echo \\\"Execution PHP-code\\\"; if (empty($eval_txt)) {$eval_txt = tr\"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat {\n\tmeta:\n\t\tdescription = \"Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"ae025c886fbe7f9ed159f49593674832\"\n\t\thash1 = \"513b7be8bd0595c377283a7c87b44b2e\"\n\t\thash2 = \"1d912c55b96e2efe8ca873d6040e3b30\"\n\t\thash3 = \"4108f28a9792b50d95f95b9e5314fa1e\"\n\t\thash4 = \"3f71175985848ee46cc13282fbed2269\"\n\tstrings:\n\t\t$s6 = \"$res   = @mysql_query(\\\"SHOW CREATE TABLE `\\\".$_POST['mysql_tbl'].\\\"`\\\", $d\"\n\t\t$s7 = \"$sql1 .= $row[1].\\\"\\\\r\\\\n\\\\r\\\\n\\\";\" fullword\n\t\t$s8 = \"if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }\" fullword\n\t\t$s9 = \"foreach($values as $k=>$v) {$values[$k] = addslashes($v);}\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx {\n\tmeta:\n\t\tdescription = \"Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"0b19e9de790cd2f4325f8c24b22af540\"\n\t\thash1 = \"4745d510fed4378e4b1730f56f25e569\"\n\t\thash2 = \"f3ca29b7999643507081caab926e2e74\"\n\t\thash3 = \"46a18979750fa458a04343cf58faa9bd\"\n\tstrings:\n\t\t$s3 = \"BODY, TD, TR {\" fullword\n\t\t$s5 = \"$d=str_replace(\\\"\\\\\\\\\\\",\\\"/\\\",$d);\" fullword\n\t\t$s6 = \"if ($file==\\\".\\\" || $file==\\\"..\\\") continue;\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"2eeb8bf151221373ee3fd89d58ed4d38\"\n\t\thash1 = \"059058a27a7b0059e2c2f007ad4675ef\"\n\t\thash2 = \"ae76c77fb7a234380cd0ebb6fe1bcddf\"\n\t\thash3 = \"76037ebd781ad0eac363d56fc81f4b4f\"\n\t\thash4 = \"8b457934da3821ba58b06a113e0d53d9\"\n\t\thash5 = \"d44df8b1543b837e57cc8f25a0a68d92\"\n\t\thash6 = \"fc44f6b4387a2cb50e1a63c66a8cb81c\"\n\t\thash7 = \"14e9688c86b454ed48171a9d4f48ace8\"\n\t\thash8 = \"b330a6c2d49124ef0729539761d6ef0b\"\n\t\thash9 = \"d71716df5042880ef84427acee8b121e\"\n\t\thash10 = \"341298482cf90febebb8616426080d1d\"\n\t\thash11 = \"29aebe333d6332f0ebc2258def94d57e\"\n\t\thash12 = \"42654af68e5d4ea217e6ece5389eb302\"\n\t\thash13 = \"88fc87e7c58249a398efd5ceae636073\"\n\t\thash14 = \"4a812678308475c64132a9b56254edbc\"\n\t\thash15 = \"9626eef1a8b9b8d773a3b2af09306a10\"\n\t\thash16 = \"e0354099bee243702eb11df8d0e046df\"\n\t\thash17 = \"344f9073576a066142b2023629539ebd\"\n\t\thash18 = \"32dea47d9c13f9000c4c807561341bee\"\n\t\thash19 = \"90a5ba0c94199269ba33a58bc6a4ad99\"\n\t\thash20 = \"655722eaa6c646437c8ae93daac46ae0\"\n\t\thash21 = \"b9744f6876919c46a29ea05b1d95b1c3\"\n\t\thash22 = \"6acc82544be056580c3a1caaa4999956\"\n\t\thash23 = \"6aa32a6392840e161a018f3907a86968\"\n\t\thash24 = \"591ca89a25f06cf01e4345f98a22845c\"\n\t\thash25 = \"349ec229e3f8eda0f9eb918c74a8bf4c\"\n\t\thash26 = \"3ea688e3439a1f56b16694667938316d\"\n\t\thash27 = \"ab77e4d1006259d7cbc15884416ca88c\"\n\t\thash28 = \"71097537a91fac6b01f46f66ee2d7749\"\n\t\thash29 = \"2434a7a07cb47ce25b41d30bc291cacc\"\n\t\thash30 = \"7a4b090619ecce6f7bd838fe5c58554b\"\n\tstrings:\n\t\t$s3 = \"String savePath = request.getParameter(\\\"savepath\\\");\" fullword\n\t\t$s4 = \"URL downUrl = new URL(downFileUrl);\" fullword\n\t\t$s5 = \"if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))\" fullword\n\t\t$s6 = \"String downFileUrl = request.getParameter(\\\"url\\\");\" fullword\n\t\t$s7 = \"FileInputStream fInput = new FileInputStream(f);\" fullword\n\t\t$s8 = \"URLConnection conn = downUrl.openConnection();\" fullword\n\t\t$s9 = \"sis = request.getInputStream();\" fullword\n\tcondition:\n\t\t4 of them\n}\nrule webshell_2_520_icesword_job_ma1 {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"64a3bf9142b045b9062b204db39d4d57\"\n\t\thash1 = \"9abd397c6498c41967b4dd327cf8b55a\"\n\t\thash2 = \"077f4b1b6d705d223b6d644a4f3eebae\"\n\t\thash3 = \"56c005690da2558690c4aa305a31ad37\"\n\t\thash4 = \"532b93e02cddfbb548ce5938fe2f5559\"\n\tstrings:\n\t\t$s1 = \"\" fullword\n\t\t$s3 = \"\" fullword\n\t\t$s8 = \"\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"7066f4469c3ec20f4890535b5f299122\"\n\t\thash1 = \"9f54aa7b43797be9bab7d094f238b4ff\"\n\t\thash2 = \"793b3d0a740dbf355df3e6f68b8217a4\"\n\t\thash3 = \"8979594423b68489024447474d113894\"\n\t\thash4 = \"ec482fc969d182e5440521c913bab9bd\"\n\t\thash5 = \"f98d2b33cd777e160d1489afed96de39\"\n\t\thash6 = \"c93d5bdf5cf62fe22e299d0f2b865ea7\"\n\t\thash7 = \"e9a5280f77537e23da2545306f6a19ad\"\n\tstrings:\n\t\t$s0 = \"
    \\\"+f.canRead()+\\\" / \\\"+f.canWrite()+\\\" / \\\"+f.canExecute()+\\\"
    \" fullword\n\t\t$s3 = \"
     \" fullword\n\tcondition:\n\t\tall of them\n}\n\nrule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY {\n\tmeta:\n\t\tdescription = \"Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"b68bfafc6059fd26732fa07fb6f7f640\"\n\t\thash1 = \"42f211cec8032eb0881e87ebdb3d7224\"\n\t\thash2 = \"40a1f840111996ff7200d18968e42cfe\"\n\t\thash3 = \"0712e3dc262b4e1f98ed25760b206836\"\n\tstrings:\n\t\t$s4 = \"http://www.4ngel.net\" fullword\n\t\t$s5 = \" | PHP\" fullword\n\t\t$s8 = \"echo $msg=@fwrite($fp,$_POST['filecontent']) ? \\\"\" fullword\n\t\t$s9 = \"Codz by Angel\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_c99_locus7s_c99_w4cking_xxx {\n\tmeta:\n\t\tdescription = \"Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"38fd7e45f9c11a37463c3ded1c76af4c\"\n\t\thash1 = \"9c34adbc8fd8d908cbb341734830f971\"\n\t\thash2 = \"ef43fef943e9df90ddb6257950b3538f\"\n\t\thash3 = \"ae025c886fbe7f9ed159f49593674832\"\n\t\thash4 = \"911195a9b7c010f61b66439d9048f400\"\n\t\thash5 = \"697dae78c040150daff7db751fc0c03c\"\n\t\thash6 = \"513b7be8bd0595c377283a7c87b44b2e\"\n\t\thash7 = \"1d912c55b96e2efe8ca873d6040e3b30\"\n\t\thash8 = \"e5b2131dd1db0dbdb43b53c5ce99016a\"\n\t\thash9 = \"4108f28a9792b50d95f95b9e5314fa1e\"\n\t\thash10 = \"b8f261a3cdf23398d573aaf55eaf63b5\"\n\t\thash11 = \"0d2c2c151ed839e6bafc7aa9c69be715\"\n\t\thash12 = \"41af6fd253648885c7ad2ed524e0692d\"\n\t\thash13 = \"6fcc283470465eed4870bcc3e2d7f14d\"\n\tstrings:\n\t\t$s1 = \"$res = @shell_exec($cfe);\" fullword\n\t\t$s8 = \"$res = @ob_get_contents();\" fullword\n\t\t$s9 = \"@exec($cfe,$res);\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_browser_201_3_ma_ma2_download {\n\tmeta:\n\t\tdescription = \"Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"37603e44ee6dc1c359feb68a0d566f76\"\n\t\thash1 = \"a7e25b8ac605753ed0c438db93f6c498\"\n\t\thash2 = \"fb8c6c3a69b93e5e7193036fd31a958d\"\n\t\thash3 = \"4cc68fa572e88b669bce606c7ace0ae9\"\n\t\thash4 = \"4b45715fa3fa5473640e17f49ef5513d\"\n\t\thash5 = \"fa87bbd7201021c1aefee6fcc5b8e25a\"\n\tstrings:\n\t\t$s1 = \"private static final int EDITFIELD_ROWS = 30;\" fullword\n\t\t$s2 = \"private static String tempdir = \\\".\\\";\" fullword\n\t\t$s6 = \"\\\"\"\n\tcondition:\n\t\t2 of them\n}\nrule webshell_000_403_c5_queryDong_spyjsp2010 {\n\tmeta:\n\t\tdescription = \"Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/01/28\"\n\t\tscore = 70\n\t\tsuper_rule = 1\n\t\thash0 = \"2eeb8bf151221373ee3fd89d58ed4d38\"\n\t\thash1 = \"059058a27a7b0059e2c2f007ad4675ef\"\n\t\thash2 = \"8b457934da3821ba58b06a113e0d53d9\"\n\t\thash3 = \"90a5ba0c94199269ba33a58bc6a4ad99\"\n\t\thash4 = \"655722eaa6c646437c8ae93daac46ae0\"\n\tstrings:\n\t\t$s2 = \"\\\" www.Expdoor.com\" fullword\n\t\t$s5 = \"    Expdoor.com ASP\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_webshells_new_php2 {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file php2.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"fbf2e76e6f897f6f42b896c855069276\"\n\tstrings:\n\t\t$s0 = \" $i('H*', '687474703a2f2f626c616b696e2e64756170702e636f6d2f7631'),\" fullword\n\t\t$s7 = \"//http://require.duapp.com/session.php\" fullword\n\t\t$s8 = \"if(!isset($_SESSION['t'])){$_SESSION['t'] = $GLOBALS['f']($GLOBALS['h']);}\" fullword\n\t\t$s12 = \"//define('pass','123456');\" fullword\n\t\t$s13 = \"$GLOBALS['c']($GLOBALS['e'](null, $GLOBALS['s']('%s',$GLOBALS['p']('H*',$_SESSIO\"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshells_new_JSP {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file JSP.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"495f1a0a4c82f986f4bdf51ae1898ee7\"\n\tstrings:\n\t\t$s1 = \"void AA(StringBuffer sb)throws Exception{File r[]=File.listRoots();for(int i=0;i\"\n\t\t$s5 = \"bw.write(z2);bw.close();sb.append(\\\"1\\\");}else if(Z.equals(\\\"E\\\")){EE(z1);sb.app\"\n\t\t$s11 = \"if(Z.equals(\\\"A\\\")){String s=new File(application.getRealPath(request.getRequest\"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshell_123 {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file webshell-123.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"2782bb170acaed3829ea9a04f0ac7218\"\n\tstrings:\n\t\t$s0 = \"// Web Shell!!\" fullword\n\t\t$s1 = \"@preg_replace(\\\"/.*/e\\\",\\\"\\\\x65\\\\x76\\\\x61\\\\x6C\\\\x28\\\\x67\\\\x7A\\\\x69\\\\x6E\\\\x66\\\\x6\"\n\t\t$s3 = \"$default_charset = \\\"UTF-8\\\";\" fullword\n\t\t$s4 = \"// url:http://www.weigongkai.com/shell/\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule webshell_dev_core {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file dev_core.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"55ad9309b006884f660c41e53150fc2e\"\n\tstrings:\n\t\t$s1 = \"if (strpos($_SERVER['HTTP_USER_AGENT'], 'EBSD') == false) {\" fullword\n\t\t$s9 = \"setcookie('key', $_POST['pwd'], time() + 3600 * 24 * 30);\" fullword\n\t\t$s10 = \"$_SESSION['code'] = _REQUEST(sprintf(\\\"%s?%s\\\",pack(\\\"H*\\\",'6874\"\n\t\t$s11 = \"if (preg_match(\\\"/^HTTP\\\\/\\\\d\\\\.\\\\d\\\\s([\\\\d]+)\\\\s.*$/\\\", $status, $matches))\"\n\t\t$s12 = \"eval(gzuncompress(gzuncompress(Crypt::decrypt($_SESSION['code'], $_C\"\n\t\t$s15 = \"if (($fsock = fsockopen($url2['host'], 80, $errno, $errstr, $fsock_timeout))\"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshells_new_pHp {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file pHp.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"b0e842bdf83396c3ef8c71ff94e64167\"\n\tstrings:\n\t\t$s0 = \"if(is_readable($path)) antivirus($path.'/',$exs,$matches);\" fullword\n\t\t$s1 = \"'/(eval|assert|include|require|include\\\\_once|require\\\\_once|array\\\\_map|arr\"\n\t\t$s13 = \"'/(exec|shell\\\\_exec|system|passthru)+\\\\s*\\\\(\\\\s*\\\\$\\\\_(\\\\w+)\\\\[(.*)\\\\]\\\\s*\"\n\t\t$s14 = \"'/(include|require|include\\\\_once|require\\\\_once)+\\\\s*\\\\(\\\\s*[\\\\'|\\\\\\\"](\\\\w+\"\n\t\t$s19 = \"'/\\\\$\\\\_(\\\\w+)(.*)(eval|assert|include|require|include\\\\_once|require\\\\_once\"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshells_new_pppp {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file pppp.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"cf01cb6e09ee594545693c5d327bdd50\"\n\tstrings:\n\t\t$s0 = \"Mail: chinese@hackermail.com\" fullword\n\t\t$s3 = \"if($_GET[\\\"hackers\\\"]==\\\"2b\\\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo \"\n\t\t$s6 = \"Site: http://blog.weili.me\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshells_new_code {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file code.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"a444014c134ff24c0be5a05c02b81a79\"\n\tstrings:\n\t\t$s1 = \" second(s) {gzip} usage:\"\n\t\t$s17 = \"<%if(request.getParameter(\\\"f\\\")\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_webshells_new_xxxx {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file xxxx.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"5bcba70b2137375225d8eedcde2c0ebb\"\n\tstrings:\n\t\t$s0 = \"  \" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_webshells_new_JJjsp3 {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file JJjsp3.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"949ffee1e07a1269df7c69b9722d293e\"\n\tstrings:\n\t\t$s0 = \"<%@page import=\\\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\\\"%><%!S\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_webshells_new_PHP1 {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file PHP1.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"14c7281fdaf2ae004ca5fec8753ce3cb\"\n\tstrings:\n\t\t$s0 = \"<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>\" fullword\n\t\t$s2 = \":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316\" fullword\n\t\t$s3 = \"@preg_replace(\\\"/f/e\\\",$_GET['u'],\\\"fengjiao\\\"); \" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshells_new_JJJsp2 {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file JJJsp2.jsp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"5a9fec45236768069c99f0bfd566d754\"\n\tstrings:\n\t\t$s2 = \"QQ(cs, z1, z2, sb,z2.indexOf(\\\"-to:\\\")!=-1?z2.substring(z2.indexOf(\\\"-to:\\\")+4,z\"\n\t\t$s8 = \"sb.append(l[i].getName() + \\\"/\\\\t\\\" + sT + \\\"\\\\t\\\" + l[i].length()+ \\\"\\\\t\\\" + sQ\"\n\t\t$s10 = \"ResultSet r = s.indexOf(\\\"jdbc:oracle\\\")!=-1?c.getMetaData()\"\n\t\t$s11 = \"return DriverManager.getConnection(x[1].trim()+\\\":\\\"+x[4],x[2].equalsIgnoreCase(\"\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshells_new_radhat {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file radhat.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"72cb5ef226834ed791144abaa0acdfd4\"\n\tstrings:\n\t\t$s1 = \"sod=Array(\\\"D\\\",\\\"7\\\",\\\"S\"\n\tcondition:\n\t\tall of them\n}\nrule webshell_webshells_new_asp1 {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file asp1.asp\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"b63e708cd58ae1ec85cf784060b69cad\"\n\tstrings:\n\t\t$s0 = \" http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave \" fullword\n\t\t$s2 = \" <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshells_new_php6 {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file php6.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"ea75280224a735f1e445d244acdfeb7b\"\n\tstrings:\n\t\t$s1 = \"array_map(\\\"asx73ert\\\",(ar\"\n\t\t$s3 = \"preg_replace(\\\"/[errorpage]/e\\\",$page,\\\"saft\\\");\" fullword\n\t\t$s4 = \"shell.php?qid=zxexp  \" fullword\n\tcondition:\n\t\t1 of them\n}\nrule webshell_webshells_new_xxx {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file xxx.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"0e71428fe68b39b70adb6aeedf260ca0\"\n\tstrings:\n\t\t$s3 = \"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_GetPostpHp {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file GetPostpHp.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"20ede5b8182d952728d594e6f2bb5c76\"\n\tstrings:\n\t\t$s0 = \"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule webshell_webshells_new_php5 {\n\tmeta:\n\t\tdescription = \"Web shells - generated from file php5.php\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/03/28\"\n\t\tscore = 70\n\t\thash = \"cf2ab009cbd2576a806bfefb74906fdf\"\n\tstrings:\n\t\t$s0 = \"Error!\\\";\" fullword\n\t\t$s2 = \"DBHACKLERIN?act=bindshell method=POST>\"\n\t\t$s4 = \"$logo = \\\"R0lGODlhMAAwAOYAAAAAAP////r\"\n\tcondition:\n\t\t1 of them\n}\nrule jsp_reverse_jsp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file jsp-reverse.jsp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"8b0e6779f25a17f0ffb3df14122ba594\"\n\tstrings:\n\t\t$s0 = \"// backdoor.jsp\"\n\t\t$s1 = \"JSP Backdoor Reverse Shell\"\n\t\t$s2 = \"http://michaeldaw.org\"\n\tcondition:\n\t\t2 of them\n}\nrule Tool_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Tool.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"8febea6ca6051ae5e2ad4c78f4b9c1f2\"\n\tstrings:\n\t\t$s0 = \"mailto:rhfactor@antisocial.com\"\n\t\t$s2 = \"?raiz=root\"\n\t\t$s3 = \"DIGO CORROMPIDO
    CORRUPT CODE\"\n\t\t$s4 = \"key = \\\"5DCADAC1902E59F7273E1902E5AD8414B1902E5ABF3E661902E5B554FC41902E53205CA0\"\n\tcondition:\n\t\t2 of them\n}\nrule NT_Addy_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file NT Addy.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"2e0d1bae844c9a8e6e351297d77a1fec\"\n\tstrings:\n\t\t$s0 = \"NTDaddy v1.9 by obzerve of fux0r inc\"\n\t\t$s2 = \"\"\n\t\t$s4 = \"RAW D.O.S. COMMAND INTERFACE\"\n\tcondition:\n\t\t1 of them\n}\nrule SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"089ff24d978aeff2b4b2869f0c7d38a3\"\n\tstrings:\n\t\t$s0 = \"SimAttacker - Vrsion : 1.0.0 - priv8 4 My friend\"\n\t\t$s3 = \" fputs ($fp ,\\\"\\\\n*********************************************\\\\nWelcome T0 Sim\"\n\t\t$s4 = \"echo \\\"    &klas=<%=aktifklas%>\"\n\t\t$s3 = \"www.aventgrup.net\"\n\t\t$s4 = \"style=\\\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT\"\n\tcondition:\n\t\t1 of them\n}\nrule r57shell_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file r57shell.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"d28445de424594a5f14d0fe2a7c4e94f\"\n\tstrings:\n\t\t$s0 = \"r57shell\" fullword\n\t\t$s1 = \" else if ($HTTP_POST_VARS['with'] == \\\"lynx\\\") { $HTTP_POST_VARS['cmd']= \\\"lynx \"\n\t\t$s2 = \"RusH security team\"\n\t\t$s3 = \"'ru_text12' => 'back-connect\"\n\tcondition:\n\t\t1 of them\n}\nrule rst_sql_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file rst_sql.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"0961641a4ab2b8cb4d2beca593a92010\"\n\tstrings:\n\t\t$s0 = \"C:\\\\tmp\\\\dump_\"\n\t\t$s1 = \"RST MySQL\"\n\t\t$s2 = \"http://rst.void.ru\"\n\t\t$s3 = \"$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';\"\n\tcondition:\n\t\t2 of them\n}\nrule wh_bindshell_py {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file wh_bindshell.py.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"fab20902862736e24aaae275af5e049c\"\n\tstrings:\n\t\t$s0 = \"#Use: python wh_bindshell.py [port] [password]\"\n\t\t$s2 = \"python -c\\\"import md5;x=md5.new('you_password');print x.hexdigest()\\\"\" fullword\n\t\t$s3 = \"#bugz: ctrl+c etc =script stoped=\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule lurm_safemod_on_cgi {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file lurm_safemod_on.cgi.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"5ea4f901ce1abdf20870c214b3231db3\"\n\tstrings:\n\t\t$s0 = \"Network security team :: CGI Shell\" fullword\n\t\t$s1 = \"#########################<>#####################################\" fullword\n\t\t$s2 = \"##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule c99madshell_v2_0_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file c99madshell_v2.0.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"d27292895da9afa5b60b9d3014f39294\"\n\tstrings:\n\t\t$s2 = \"eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef\"\n\tcondition:\n\t\tall of them\n}\nrule backupsql_php_often_with_c99shell {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file backupsql.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"ab1a06ab1a1fe94e3f3b7f80eedbc12f\"\n\tstrings:\n\t\t$s2 = \"//$message.= \\\"--{$mime_boundary}\\\\n\\\" .\\\"Content-Type: {$fileatt_type};\\\\n\\\" .\"\n\t\t$s4 = \"$ftpconnect = \\\"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog\"\n\tcondition:\n\t\tall of them\n}\nrule uploader_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file uploader.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"0b53b67bb3b004a8681e1458dd1895d0\"\n\tstrings:\n\t\t$s2 = \"move_uploaded_file($userfile, \\\"entrika.php\\\"); \" fullword\n\t\t$s3 = \"Send this file: \" fullword\n\t\t$s4 = \"\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule telnet_pl {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file telnet.pl.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"dd9dba14383064e219e29396e242c1ec\"\n\tstrings:\n\t\t$s0 = \"W A R N I N G: Private Server\"\n\t\t$s2 = \"$Message = q$
     _____  _____  _____          _____   \"\n\tcondition:\n\t\tall of them\n}\nrule w3d_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file w3d.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"987f66b29bfb209a0b4f097f84f57c3b\"\n\tstrings:\n\t\t$s0 = \"W3D Shell\"\n\t\t$s1 = \"By: Warpboy\"\n\t\t$s2 = \"No Query Executed\"\n\tcondition:\n\t\t2 of them\n}\nrule WebShell_cgi {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file WebShell.cgi.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"bc486c2e00b5fc3e4e783557a2441e6f\"\n\tstrings:\n\t\t$s0 = \"WebShell.cgi\"\n\t\t$s2 = \"
    \"\n\tcondition:\n\t\t2 of them\n}\nrule Dx_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Dx.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"9cfe372d49fe8bf2fac8e1c534153d9b\"\n\tstrings:\n\t\t$s0 = \"print \\\"\\\\n\\\".'Tip: to view the file \\\"as is\\\" - open the page in 'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util\"\n\t\t$s3 = \"$ra44  = rand(1,99999);$sj98 = \\\"sh-$ra44\\\";$ml = \\\"$sd98\\\";$a5 = $_SERVER['HTTP\"\n\tcondition:\n\t\t1 of them\n}\nrule csh_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file csh.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"194a9d3f3eac8bc56d9a7c55c016af96\"\n\tstrings:\n\t\t$s0 = \".::[c0derz]::. web-shell\"\n\t\t$s1 = \"http://c0derz.org.ua\"\n\t\t$s2 = \"vint21h@c0derz.org.ua\"\n\t\t$s3 = \"$name='63a9f0ea7bb98050796b649e85481845';//root\"\n\tcondition:\n\t\t1 of them\n}\nrule pHpINJ_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file pHpINJ.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"d7a4b0df45d34888d5a09f745e85733f\"\n\tstrings:\n\t\t$s1 = \"News Remote PHP Shell Injection\"\n\t\t$s3 = \"Php Shell 
    \" fullword\n\t\t$s4 = \"
    Win Dir:
    \"\n\t\t$s3 = \"
    \"\n\tcondition:\n\t\t2 of them\n}\nrule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"d1b7b311a7ffffebf51437d7cd97dc65\"\n\tstrings:\n\t\t$s0 = \";$sd98=\\\"john.barker446@gmail.com\\\"\"\n\t\t$s1 = \"print \\\"Sending mail to $to....... \\\";\"\n\t\t$s2 = \"    		\"\n\t\t$s2 = \"Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule mysql_shell_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file mysql_shell.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"d42aec2891214cace99b3eb9f3e21a63\"\n\tstrings:\n\t\t$s0 = \"SooMin Kim\"\n\t\t$s1 = \"smkim@popeye.snu.ac.kr\"\n\t\t$s2 = \"echo \\\"\\\" method=\\\"POST\"\n\tcondition:\n\t\t2 of them\n}\nrule Asmodeus_v0_1_pl {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Asmodeus v0.1.pl.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"0978b672db0657103c79505df69cb4bb\"\n\tstrings:\n\t\t$s0 = \"[url=http://www.governmentsecurity.org\"\n\t\t$s1 = \"perl asmodeus.pl client 6666 127.0.0.1\"\n\t\t$s2 = \"print \\\"Asmodeus Perl Remote Shell\"\n\t\t$s4 = \"$internet_addr = inet_aton(\\\"$host\\\") or die \\\"ALOA:$!\\\\n\\\";\" fullword\n\tcondition:\n\t\t2 of them\n}\nrule backup_php_often_with_c99shell {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file backup.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"aeee3bae226ad57baf4be8745c3f6094\"\n\tstrings:\n\t\t$s0 = \"#phpMyAdmin MySQL-Dump\" fullword\n\t\t$s2 = \";db_connect();header('Content-Type: application/octetstr\"\n\t\t$s4 = \"$data .= \\\"#Database: $database\" fullword\n\tcondition:\n\t\tall of them\n}\nrule Reader_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Reader.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"ad1a362e0a24c4475335e3e891a01731\"\n\tstrings:\n\t\t$s1 = \"Mehdi & HolyDemon\"\n\t\t$s2 = \"www.infilak.\"\n\t\t$s3 = \"'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%>
    \" fullword\n\t\t$s1 = \"[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></\"\n\t\t$s2 = \"href=\\\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule myshell_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file myshell.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"62783d1db52d05b1b6ae2403a7044490\"\n\tstrings:\n\t\t$s0 = \"@chdir($work_dir) or ($shellOutput = \\\"MyShell: can't change directory.\"\n\t\t$s1 = \"echo \\\"<font color=$linkColor><b>MyShell file editor</font> File:<font color\"\n\t\t$s2 = \" $fileEditInfo = \\\"  :::::::  Owner: <font color=$\"\n\tcondition:\n\t\t2 of them\n}\nrule SimShell_1_0___Simorgh_Security_MGZ_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file SimShell 1.0 - Simorgh Security MGZ.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"37cb1db26b1b0161a4bf678a6b4565bd\"\n\tstrings:\n\t\t$s0 = \"Simorgh Security Magazine \"\n\t\t$s1 = \"Simshell.css\"\n\t\t$s2 = \"} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], \"\n\t\t$s3 = \"www.simorgh-ev.com\"\n\tcondition:\n\t\t2 of them\n}\nrule jspshall_jsp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file jspshall.jsp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"efe0f6edaa512c4e1fdca4eeda77b7ee\"\n\tstrings:\n\t\t$s0 = \"kj021320\"\n\t\t$s1 = \"case 'T':systemTools(out);break;\"\n\t\t$s2 = \"out.println(\\\"<tr><td>\\\"+ico(50)+f[i].getName()+\\\"</td><td> file\"\n\tcondition:\n\t\t2 of them\n}\nrule webshell_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file webshell.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"e425241b928e992bde43dd65180a4894\"\n\tstrings:\n\t\t$s2 = \"<die(\\\"Couldn't Read directory, Blocked!!!\\\");\"\n\t\t$s3 = \"PHP Web Shell\"\n\tcondition:\n\t\tall of them\n}\nrule rootshell_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file rootshell.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"265f3319075536030e59ba2f9ef3eac6\"\n\tstrings:\n\t\t$s0 = \"shells.dl.am\"\n\t\t$s1 = \"This server has been infected by $owner\"\n\t\t$s2 = \"<input type=\\\"submit\\\" value=\\\"Include!\\\" name=\\\"inc\\\"></p>\"\n\t\t$s4 = \"Could not write to file! (Maybe you didn't enter any text?)\"\n\tcondition:\n\t\t2 of them\n}\nrule connectback2_pl {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file connectback2.pl.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"473b7d226ea6ebaacc24504bd740822e\"\n\tstrings:\n\t\t$s0 = \"#We Are: MasterKid, AleXutz, FatMan & MiKuTuL                                   \"\n\t\t$s1 = \"echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel\"\n\t\t$s2 = \"ConnectBack Backdoor\"\n\tcondition:\n\t\t1 of them\n}\nrule DefaceKeeper_0_2_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file DefaceKeeper_0.2.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"713c54c3da3031bc614a8a55dccd7e7f\"\n\tstrings:\n\t\t$s0 = \"target fi1e:<br><input type=\\\"text\\\" name=\\\"target\\\" value=\\\"index.php\\\"></br>\" fullword\n\t\t$s1 = \"eval(base64_decode(\\\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9\"\n\t\t$s2 = \"<img src=\\\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\\\" align=\\\"center\"\n\tcondition:\n\t\t1 of them\n}\nrule shells_PHP_wso {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file wso.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"33e2891c13b78328da9062fbfcf898b6\"\n\tstrings:\n\t\t$s0 = \"$back_connect_p=\\\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi\"\n\t\t$s3 = \"echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos\"\n\tcondition:\n\t\t1 of them\n}\nrule backdoor1_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file backdoor1.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"e1adda1f866367f52de001257b4d6c98\"\n\tstrings:\n\t\t$s1 = \"echo \\\"[DIR] <A HREF=\\\\\\\"\\\".$_SERVER['PHP_SELF'].\\\"?rep=\\\".realpath($rep.\\\"..\"\n\t\t$s2 = \"class backdoor {\"\n\t\t$s4 = \"echo \\\"<a href=\\\\\\\"\\\".$_SERVER['PHP_SELF'].\\\"?copy=1\\\\\\\">Copier un fichier</a> <\"\n\tcondition:\n\t\t1 of them\n}\nrule elmaliseker_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file elmaliseker.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"b32d1730d23a660fd6aa8e60c3dc549f\"\n\tstrings:\n\t\t$s0 = \"if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \\\"@\\\" & makeText(8) & \\\".\\\"\"\n\t\t$s1 = \"<form name=frmCMD method=post action=\\\"<%=gURL%>\\\">\"\n\t\t$s2 = \"dim zombie_array,special_array\"\n\t\t$s3 = \"http://vnhacker.org\"\n\tcondition:\n\t\t1 of them\n}\nrule indexer_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file indexer.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"9ea82afb8c7070817d4cdf686abe0300\"\n\tstrings:\n\t\t$s0 = \"<td>Nereye :<td><input type=\\\"text\\\" name=\\\"nereye\\\" size=25></td><td><input typ\"\n\t\t$s2 = \"D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\\\"submit\"\n\tcondition:\n\t\t1 of them\n}\nrule DxShell_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file DxShell.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"33a2b31810178f4c2e71fbdeb4899244\"\n\tstrings:\n\t\t$s0 = \"print \\\"\\\\n\\\".'Tip: to view the file \\\"as is\\\" - open the page in <a href=\\\"'.Dx\"\n\t\t$s2 = \"print \\\"\\\\n\\\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><\"\n\tcondition:\n\t\t1 of them\n}\nrule s72_Shell_v1_1_Coding_html {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file s72 Shell v1.1 Coding.html.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"c2e8346a5515c81797af36e7e4a3828e\"\n\tstrings:\n\t\t$s0 = \"Dizin</font></b></font><font face=\\\"Verdana\\\" style=\\\"font-size: 8pt\\\"><\"\n\t\t$s1 = \"s72 Shell v1.0 Codinf by Cr@zy_King\"\n\t\t$s3 = \"echo \\\"<p align=center>Dosya Zaten Bulunuyor</p>\\\"\"\n\tcondition:\n\t\t1 of them\n}\nrule hidshell_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file hidshell.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"c2f3327d60884561970c63ffa09439a4\"\n\tstrings:\n\t\t$s0 = \"<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U\"\n\tcondition:\n\t\tall of them\n}\nrule kacak_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file kacak.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"907d95d46785db21331a0324972dda8c\"\n\tstrings:\n\t\t$s0 = \"Kacak FSO 1.0\"\n\t\t$s1 = \"if request.querystring(\\\"TGH\\\") = \\\"1\\\" then\"\n\t\t$s3 = \"<font color=\\\"#858585\\\">BuqX</font></a></font><font face=\\\"Verdana\\\" style=\"\n\t\t$s4 = \"mailto:BuqX@hotmail.com\"\n\tcondition:\n\t\t1 of them\n}\nrule PHP_Backdoor_Connect_pl_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file PHP Backdoor Connect.pl.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"57fcd9560dac244aeaf95fd606621900\"\n\tstrings:\n\t\t$s0 = \"LorD of IRAN HACKERS SABOTAGE\"\n\t\t$s1 = \"LorD-C0d3r-NT\"\n\t\t$s2 = \"echo --==Userinfo==-- ;\"\n\tcondition:\n\t\t1 of them\n}\nrule Antichat_Socks5_Server_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Antichat Socks5 Server.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"cbe9eafbc4d86842a61a54d98e5b61f1\"\n\tstrings:\n\t\t$s0 = \"$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);\" fullword\n\t\t$s3 = \"#   [+] Domain name address type\"\n\t\t$s4 = \"www.antichat.ru\"\n\tcondition:\n\t\t1 of them\n}\nrule Antichat_Shell_v1_3_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Antichat Shell v1.3.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"40d0abceba125868be7f3f990f031521\"\n\tstrings:\n\t\t$s0 = \"Antichat\"\n\t\t$s1 = \"Can't open file, permission denide\"\n\t\t$s2 = \"$ra44\"\n\tcondition:\n\t\t2 of them\n}\nrule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"49ad9117c96419c35987aaa7e2230f63\"\n\tstrings:\n\t\t$s0 = \"Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\"\n\t\t$s1 = \"Mode Shell v1.0</font></span>\"\n\t\t$s2 = \"has been already loaded. PHP Emperor <xb5@hotmail.\"\n\tcondition:\n\t\t1 of them\n}\nrule mysql_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file mysql.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"12bbdf6ef403720442a47a3cc730d034\"\n\tstrings:\n\t\t$s0 = \"action=mysqlread&mass=loadmass\\\">load all defaults\"\n\t\t$s2 = \"if (@passthru($cmd)) { echo \\\" -->\\\"; $this->output_state(1, \\\"passthru\"\n\t\t$s3 = \"$ra44  = rand(1,99999);$sj98 = \\\"sh-$ra44\\\";$ml = \\\"$sd98\\\";$a5 = \"\n\tcondition:\n\t\t1 of them\n}\nrule Worse_Linux_Shell_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Worse Linux Shell.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"8338c8d9eab10bd38a7116eb534b5fa2\"\n\tstrings:\n\t\t$s1 = \"print \\\"<tr><td><b>Server is:</b></td><td>\\\".$_SERVER['SERVER_SIGNATURE'].\\\"</td\"\n\t\t$s2 = \"print \\\"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\\\\\"_cmd\"\n\tcondition:\n\t\t1 of them\n}\nrule cyberlords_sql_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file cyberlords_sql.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"03b06b4183cb9947ccda2c3d636406d4\"\n\tstrings:\n\t\t$s0 = \"Coded by n0 [nZer0]\"\n\t\t$s1 = \" www.cyberlords.net\"\n\t\t$s2 = \"U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE\"\n\t\t$s3 = \"return \\\"<BR>Dump error! Can't write to \\\".htmlspecialchars($file);\"\n\tcondition:\n\t\t1 of them\n}\nrule cmd_asp_5_1_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file cmd-asp-5.1.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"8baa99666bf3734cbdfdd10088e0cd9f\"\n\tstrings:\n\t\t$s0 = \"Call oS.Run(\\\"win.com cmd.exe /c del \\\"& szTF,0,True)\" fullword\n\t\t$s3 = \"Call oS.Run(\\\"win.com cmd.exe /c \\\"\\\"\\\" & szCMD & \\\" > \\\" & szTF &\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule pws_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file pws.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"ecdc6c20f62f99fa265ec9257b7bf2ce\"\n\tstrings:\n\t\t$s0 = \"<div align=\\\"left\\\"><font size=\\\"1\\\">Input command :</font></div>\" fullword\n\t\t$s1 = \"<input type=\\\"text\\\" name=\\\"cmd\\\" size=\\\"30\\\" class=\\\"input\\\"><br>\" fullword\n\t\t$s4 = \"<input type=\\\"text\\\" name=\\\"dir\\\" size=\\\"30\\\" value=\\\"<? passthru(\\\"pwd\\\"); ?>\"\n\tcondition:\n\t\t2 of them\n}\nrule PHP_Shell_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file PHP Shell.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"a2f8fa4cce578fc9c06f8e674b9e63fd\"\n\tstrings:\n\t\t$s0 = \"echo \\\"</form><form action=\\\\\\\"$SFileName?$urlAdd\\\\\\\" method=\\\\\\\"post\\\\\\\"><input\"\n\t\t$s1 = \"echo \\\"<form action=\\\\\\\"$SFileName?$urlAdd\\\\\\\" method=\\\\\\\"POST\\\\\\\"><input type=\"\n\tcondition:\n\t\tall of them\n}\nrule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Ayyildiz Tim  -AYT- Shell v 2.1 Biz.html.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"8a8c8bb153bd1ee097559041f2e5cf0a\"\n\tstrings:\n\t\t$s0 = \"Ayyildiz\"\n\t\t$s1 = \"TouCh By iJOo\"\n\t\t$s2 = \"First we check if there has been asked for a working directory\"\n\t\t$s3 = \"http://ayyildiz.org/images/whosonline2.gif\"\n\tcondition:\n\t\t2 of them\n}\nrule EFSO_2_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file EFSO_2.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"b5fde9682fd63415ae211d53c6bfaa4d\"\n\tstrings:\n\t\t$s0 = \"Ejder was HERE\"\n\t\t$s1 = \"*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~\"\n\tcondition:\n\t\t2 of them\n}\nrule lamashell_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file lamashell.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"de9abc2e38420cad729648e93dfc6687\"\n\tstrings:\n\t\t$s0 = \"lama's'hell\" fullword\n\t\t$s1 = \"if($_POST['king'] == \\\"\\\") {\"\n\t\t$s2 = \"if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\\\"/\\\".$_FILES['f\"\n\tcondition:\n\t\t1 of them\n}\nrule Ajax_PHP_Command_Shell_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Ajax_PHP Command Shell.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"93d1a2e13a3368a2472043bd6331afe9\"\n\tstrings:\n\t\t$s1 = \"newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>\"\n\t\t$s2 = \"Empty Command..type \\\\\\\"shellhelp\\\\\\\" for some ehh...help\"\n\t\t$s3 = \"newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct\"\n\tcondition:\n\t\t1 of them\n}\nrule JspWebshell_1_2_jsp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file JspWebshell 1.2.jsp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"70a0ee2624e5bbe5525ccadc467519f6\"\n\tstrings:\n\t\t$s0 = \"JspWebshell\"\n\t\t$s1 = \"CreateAndDeleteFolder is error:\"\n\t\t$s2 = \"<td width=\\\"70%\\\" height=\\\"22\\\"> <%=env.queryHashtable(\\\"java.c\"\n\t\t$s3 = \"String _password =\\\"111\\\";\"\n\tcondition:\n\t\t2 of them\n}\nrule Sincap_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Sincap.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"b68b90ff6012a103e57d141ed38a7ee9\"\n\tstrings:\n\t\t$s0 = \"$baglan=fopen(\\\"/tmp/$ekinci\\\",'r');\"\n\t\t$s2 = \"$tampon4=$tampon3-1\"\n\t\t$s3 = \"@aventgrup.net\"\n\tcondition:\n\t\t2 of them\n}\nrule Test_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Test.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"77e331abd03b6915c6c6c7fe999fcb50\"\n\tstrings:\n\t\t$s0 = \"$yazi = \\\"test\\\" . \\\"\\\\r\\\\n\\\";\" fullword\n\t\t$s2 = \"fwrite ($fp, \\\"$yazi\\\");\" fullword\n\t\t$s3 = \"$entry_line=\\\"HACKed by EntriKa\\\";\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule Phyton_Shell_py {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Phyton Shell.py.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"92b3c897090867c65cc169ab037a0f55\"\n\tstrings:\n\t\t$s1 = \"sh_out=os.popen(SHELL+\\\" \\\"+cmd).readlines()\" fullword\n\t\t$s2 = \"#   d00r.py 0.3a (reverse|bind)-shell in python by fQ\" fullword\n\t\t$s3 = \"print \\\"error; help: head -n 16 d00r.py\\\"\" fullword\n\t\t$s4 = \"print \\\"PW:\\\",PW,\\\"PORT:\\\",PORT,\\\"HOST:\\\",HOST\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule mysql_tool_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file mysql_tool.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"5fbe4d8edeb2769eda5f4add9bab901e\"\n\tstrings:\n\t\t$s0 = \"$error_text = '<strong>Failed selecting database \\\"'.$this->db['\"\n\t\t$s1 = \"$ra44  = rand(1,99999);$sj98 = \\\"sh-$ra44\\\";$ml = \\\"$sd98\\\";$a5 = $_SERV\"\n\t\t$s4 = \"<div align=\\\"center\\\">The backup process has now started<br \"\n\tcondition:\n\t\t1 of them\n}\nrule Zehir_4_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Zehir 4.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"7f4e12e159360743ec016273c3b9108c\"\n\tstrings:\n\t\t$s2 = \"</a><a href='\\\"&dosyapath&\\\"?status=10&dPath=\\\"&f1.path&\\\"&path=\\\"&path&\\\"&Time=\"\n\t\t$s4 = \"<input type=submit value=\\\"Test Et!\\\" onclick=\\\"\"\n\tcondition:\n\t\t1 of them\n}\nrule sh_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file sh.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"330af9337ae51d0bac175ba7076d6299\"\n\tstrings:\n\t\t$s1 = \"$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e\"\n\t\t$s2 = \"Show <input type=text size=5 value=\\\".((isset($_POST['br_st']))?$_POST['br_st']:\"\n\tcondition:\n\t\t1 of them\n}\nrule phpbackdoor15_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file phpbackdoor15.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"0fdb401a49fc2e481e3dfd697078334b\"\n\tstrings:\n\t\t$s1 = \"echo \\\"fichier telecharge dans \\\".good_link(\\\"./\\\".$_FILES[\\\"fic\\\"][\\\"na\"\n\t\t$s2 = \"if(move_uploaded_file($_FILES[\\\"fic\\\"][\\\"tmp_name\\\"],good_link(\\\"./\\\".$_FI\"\n\t\t$s3 = \"echo \\\"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s\"\n\tcondition:\n\t\t1 of them\n}\nrule phpjackal_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file phpjackal.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"ab230817bcc99acb9bdc0ec6d264d76f\"\n\tstrings:\n\t\t$s3 = \"$dl=$_REQUEST['downloaD'];\"\n\t\t$s4 = \"else shelL(\\\"perl.exe $name $port\\\");\"\n\tcondition:\n\t\t1 of them\n}\nrule sql_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file sql.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"8334249cbb969f2d33d678fec2b680c5\"\n\tstrings:\n\t\t$s1 = \"fputs ($fp, \\\"# RST MySQL tools\\\\r\\\\n# Home page: http://rst.void.ru\\\\r\\\\n#\"\n\t\t$s2 = \"http://rst.void.ru\"\n\t\t$s3 = \"print \\\"<a href=\\\\\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&\"\n\tcondition:\n\t\t1 of them\n}\nrule cgi_python_py {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file cgi-python.py.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"0a15f473e2232b89dae1075e1afdac97\"\n\tstrings:\n\t\t$s0 = \"a CGI by Fuzzyman\"\n\t\t$s1 = \"\\\"\\\"\\\"+fontline +\\\"Version : \\\" + versionstring + \\\"\\\"\\\", Running on : \\\"\\\"\\\" + \"\n\t\t$s2 = \"values = map(lambda x: x.value, theform[field])     # allows for\"\n\tcondition:\n\t\t1 of them\n}\nrule ru24_post_sh_php_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file ru24_post_sh.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"5b334d494564393f419af745dc1eeec7\"\n\tstrings:\n\t\t$s1 = \"<title>Ru24PostWebShell - \\\".$_POST['cmd'].\\\"\" fullword\n\t\t$s3 = \"if ((!$_POST['cmd']) || ($_POST['cmd']==\\\"\\\")) { $_POST['cmd']=\\\"id;pwd;uname -a\"\n\t\t$s4 = \"Writed by DreAmeRz\" fullword\n\tcondition:\n\t\t1 of them\n}\nrule DTool_Pro_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file DTool Pro.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"366ad973a3f327dfbfb915b0faaea5a6\"\n\tstrings:\n\t\t$s0 = \"r3v3ng4ns\\\\nDigite\"\n\t\t$s1 = \"if(!@opendir($chdir)) $ch_msg=\\\"dtool: line 1: chdir: It seems that the permissi\"\n\t\t$s3 = \"if (empty($cmd) and $ch_msg==\\\"\\\") echo (\\\"Comandos Exclusivos do DTool Pro\\\\n\"\n\tcondition:\n\t\t1 of them\n}\nrule telnetd_pl {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file telnetd.pl.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"5f61136afd17eb025109304bd8d6d414\"\n\tstrings:\n\t\t$s0 = \"0ldW0lf\" fullword\n\t\t$s1 = \"However you are lucky :P\"\n\t\t$s2 = \"I'm FuCKeD\"\n\t\t$s3 = \"ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#\"\n\t\t$s4 = \"atrix@irc.brasnet.org\"\n\tcondition:\n\t\t1 of them\n}\nrule php_include_w_shell_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file php-include-w-shell.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"4e913f159e33867be729631a7ca46850\"\n\tstrings:\n\t\t$s0 = \"$dataout .= \\\"
     \\\" : \\\"[admin\\\\@$ServerName $C\"\n\tcondition:\n\t\t1 of them\n}\nrule ironshell_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file ironshell.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"8bfa2eeb8a3ff6afc619258e39fded56\"\n\tstrings:\n\t\t$s0 = \"www.ironwarez.info\"\n\t\t$s1 = \"$cookiename = \\\"wieeeee\\\";\"\n\t\t$s2 = \"~ Shell I\"\n\t\t$s3 = \"www.rootshell-team.info\"\n\t\t$s4 = \"setcookie($cookiename, $_POST['pass'], time()+3600);\"\n\tcondition:\n\t\t1 of them\n}\nrule backdoorfr_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file backdoorfr.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"91e4afc7444ed258640e85bcaf0fecfc\"\n\tstrings:\n\t\t$s1 = \"www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan\"\n\t\t$s2 = \"print(\\\"
    Provenance du mail :  /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\\\");\"\n\tcondition:\n\t\t1 of them\n}\nrule Ajan_asp {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file Ajan.asp.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"b6f468252407efc2318639da22b08af0\"\n\tstrings:\n\t\t$s1 = \"c:\\\\downloaded.zip\"\n\t\t$s2 = \"Set entrika = entrika.CreateTextFile(\\\"c:\\\\net.vbs\\\", True)\" fullword\n\t\t$s3 = \"http://www35.websamba.com/cybervurgun/\"\n\tcondition:\n\t\t1 of them\n}\nrule PHANTASMA_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file PHANTASMA.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"52779a27fa377ae404761a7ce76a5da7\"\n\tstrings:\n\t\t$s0 = \">[*] Safemode Mode Run\"\n\t\t$s1 = \"$file1 - $file2 -     $file
    \"\n\t\t$s2 = \"[*] Spawning Shell\"\n\t\t$s3 = \"Cha0s\"\n\tcondition:\n\t\t2 of them\n}\nrule MySQL_Web_Interface_Version_0_8_php {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file MySQL Web Interface Version 0.8.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"36d4f34d0a22080f47bb1cb94107c60f\"\n\tstrings:\n\t\t$s0 = \"SooMin Kim\"\n\t\t$s1 = \"http://popeye.snu.ac.kr/~smkim/mysql\"\n\t\t$s2 = \"href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename\"\n\t\t$s3 = \"    		Type M  D unsignedzerofi\"\n\tcondition:\n\t\t2 of them\n}\nrule simple_cmd_html {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - file simple_cmd.html.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\thash = \"c6381412df74dbf3bcd5a2b31522b544\"\n\tstrings:\n\t\t$s1 = \"G-Security Webshell\" fullword\n\t\t$s2 = \"\\\" \" fullword\n\t\t$s3 = \"\" fullword\n\t\t$s4 = \"\" fullword\n\tcondition:\n\t\tall of them\n}\nrule multiple_webshells_0001 {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - from files 1.txt, c2007.php.php.txt, c100.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\tsuper_rule = 1\n\t\twas = \"_1_c2007_php_php_c100_php\"\n\t\thash0 = \"44542e5c3e9790815c49d5f9beffbbf2\"\n\t\thash1 = \"d089e7168373a0634e1ac18c0ee00085\"\n\t\thash2 = \"38fd7e45f9c11a37463c3ded1c76af4c\"\n\tstrings:\n\t\t$s0 = \"echo \\\"Changing file-mode (\\\".$d.$f.\\\"), \\\".view_perms_color($d.$f).\\\" (\\\"\"\n\t\t$s3 = \"echo \\\" Back connect:Backdoor:Done!
    Total time (secs.): \\\".$ft\"\n\t\t$s3 = \"$fqb_log .= \\\"\\\\r\\\\n------------------------------------------\\\\r\\\\nDone!\\\\r\"\n\tcondition:\n\t\t1 of them\n}\nrule multiple_webshells_0005 {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\tsuper_rule = 1\n\t\twas = \"_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php\"\n\t\thash0 = \"0714f80f35c1fddef1f8938b8d42a4c8\"\n\t\thash1 = \"911195a9b7c010f61b66439d9048f400\"\n\t\thash2 = \"eddf7a8fde1e50a7f2a817ef7cece24f\"\n\t\thash3 = \"8023394542cddf8aee5dec6072ed02b5\"\n\t\thash4 = \"eed14de3907c9aa2550d95550d1a2d5f\"\n\t\thash5 = \"817671e1bdc85e04cc3440bbd9288800\"\n\tstrings:\n\t\t$s2 = \"'eng_text71'=>\\\"Second commands param is:\\\\r\\\\n- for CHOWN - name of new owner o\"\n\t\t$s4 = \"if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult\"\n\tcondition:\n\t\t1 of them\n}\nrule multiple_webshells_0006 {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\tsuper_rule = 1\n\t\twas = \"_c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php\"\n\t\thash0 = \"d8ae5819a0a2349ec552cbcf3a62c975\"\n\t\thash1 = \"9e9ae0332ada9c3797d6cee92c2ede62\"\n\t\thash2 = \"6cd50a14ea0da0df6a246a60c8f6f9c9\"\n\t\thash3 = \"671cad517edd254352fe7e0c7c981c39\"\n\tstrings:\n\t\t$s0 = \"\\\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\\\"\"\n\t\t$s2 = \"\\\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\\\"\"\n\t\t$s4 = \"\\\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\\\"\"\n\tcondition:\n\t\t2 of them\n}\nrule multiple_webshells_0007 {\n\tmeta:\n\t\tdescription = \"Semi-Auto-generated  - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt\"\n\t\tauthor = \"Neo23x0 Yara BRG + customization by Stefan -dfate- Molls\"\n\t\tsuper_rule = 1\n\t\twas = \"_r577_php_php_spy_php_php_s_php_php\"\n\t\thash0 = \"0714f80f35c1fddef1f8938b8d42a4c8\"\n\t\thash1 = \"eed14de3907c9aa2550d95550d1a2d5f\"\n\t\thash2 = \"817671e1bdc85e04cc3440bbd9288800\"\n\tstrings:\n\t\t$s2 = \"echo $te.\\\"
    $outXXXX\\\" title=\\\"<%=SubFolder.Name%>\\\"> \\\" title=\\\"<%=File.Name%>\\\"> \\\" align=\\\"right\\\"><%=Attributes(SubFolder.Attributes)%>\\\">\"\n\tcondition:\n\t\tall of them\n}\nrule byloader {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file byloader.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"0f0d6dc26055653f5844ded906ce52df\"\n\tstrings:\n\t\t$s0 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\NtfsChk\"\n\t\t$s1 = \"Failure ... Access is Denied !\"\n\t\t$s2 = \"NTFS Disk Driver Checking Service\"\n\t\t$s3 = \"Dumping Description to Registry...\"\n\t\t$s4 = \"Opening Service .... Failure !\"\n\tcondition:\n\t\tall of them\n}\nrule shelltools_g0t_root_Fport {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file Fport.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"dbb75488aa2fa22ba6950aead1ef30d5\"\n\tstrings:\n\t\t$s4 = \"Copyright 2000 by Foundstone, Inc.\"\n\t\t$s5 = \"You must have administrator privileges to run fport - exiting...\"\n\tcondition:\n\t\tall of them\n}\nrule BackDooR__fr_ {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file BackDooR (fr).php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"a79cac2cf86e073a832aaf29a664f4be\"\n\tstrings:\n\t\t$s3 = \"print(\\\"
    Exploit include \"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_ntdaddy {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file ntdaddy.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"f6262f3ad9f73b8d3e7d9ea5ec07a357\"\n\tstrings:\n\t\t$s1 = \"\\\"> &X\\\\\\\";open STDERR,\\\\\\\">&X\\\\\\\";exec(\\\\\\\"/bin/sh -i\\\\\\\");\"\n\tcondition:\n\t\tall of them\n}\nrule HYTop_DevPack_upload {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file upload.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"b09852bda534627949f0259828c967de\"\n\tstrings:\n\t\t$s0 = \"\"\n\tcondition:\n\t\tall of them\n}\nrule PasswordReminder {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file PasswordReminder.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"ea49d754dc609e8bfa4c0f95d14ef9bf\"\n\tstrings:\n\t\t$s3 = \"The encoded password is found at 0x%8.8lx and has a length of %d.\"\n\tcondition:\n\t\tall of them\n}\nrule Pack_InjectT {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file InjectT.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"983b74ccd57f6195a0584cdfb27d55e8\"\n\tstrings:\n\t\t$s3 = \"ail To Open Registry\"\n\t\t$s4 = \"32fDssignim\"\n\t\t$s5 = \"vide Internet S\"\n\t\t$s6 = \"d]Software\\\\M\"\n\t\t$s7 = \"TInject.Dll\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_RemExp_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file RemExp.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"b69670ecdbb40012c73686cd22696eeb\"\n\tstrings:\n\t\t$s2 = \" Then Response.Write \\\"\"\n\t\t$s3 = \"\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_c99 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file c99.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"5f9ba02eb081bba2b2434c603af454d0\"\n\tstrings:\n\t\t$s2 = \"\\\"txt\\\",\\\"conf\\\",\\\"bat\\\",\\\"sh\\\",\\\"js\\\",\\\"bak\\\",\\\"doc\\\",\\\"log\\\",\\\"sfc\\\",\\\"cfg\\\",\\\"htacce\"\n\tcondition:\n\t\tall of them\n}\nrule rknt_zip_Folder_RkNT {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file RkNT.dll\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"5f97386dfde148942b7584aeb6512b85\"\n\tstrings:\n\t\t$s0 = \"PathStripPathA\"\n\t\t$s1 = \"`cLGet!Addr%\"\n\t\t$s2 = \"$Info: This file is packed with the UPX executable packer http://upx.tsx.org $\"\n\t\t$s3 = \"oQToOemBuff* <=\"\n\t\t$s4 = \"ionCdunAsw[Us'\"\n\t\t$s6 = \"CreateProcessW: %S\"\n\t\t$s7 = \"ImageDirectoryEntryToData\"\n\tcondition:\n\t\tall of them\n}\nrule dbgntboot {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file dbgntboot.dll\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"4d87543d4d7f73c1529c9f8066b475ab\"\n\tstrings:\n\t\t$s2 = \"now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp\"\n\t\t$s3 = \"sth junk the M$ Wind0wZ retur\"\n\tcondition:\n\t\tall of them\n}\nrule PHP_shell {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file shell.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"45e8a00567f8a34ab1cccc86b4bc74b9\"\n\tstrings:\n\t\t$s0 = \"AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz\"\n\t\t$s11 = \"1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s\"\n\tcondition:\n\t\tall of them\n}\nrule hxdef100 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file hxdef100.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"55cc1769cef44910bd91b7b73dee1f6c\"\n\tstrings:\n\t\t$s0 = \"RtlAnsiStringToUnicodeString\"\n\t\t$s8 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\\"\n\t\t$s9 = \"\\\\\\\\.\\\\mailslot\\\\hxdef-rk100sABCDEFGH\"\n\tcondition:\n\t\tall of them\n}\nrule rdrbs100 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file rdrbs100.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"7c752bcd6da796d80a6830c61a632bff\"\n\tstrings:\n\t\t$s3 = \"Server address must be IP in A.B.C.D format.\"\n\t\t$s4 = \" mapped ports in the list. Currently \"\n\tcondition:\n\t\tall of them\n}\nrule Mithril_Mithril {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file Mithril.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"017191562d72ab0ca551eb89256650bd\"\n\tstrings:\n\t\t$s0 = \"OpenProcess error!\"\n\t\t$s1 = \"WriteProcessMemory error!\"\n\t\t$s4 = \"GetProcAddress error!\"\n\t\t$s5 = \"HHt`HHt\\\\\"\n\t\t$s6 = \"Cmaudi0\"\n\t\t$s7 = \"CreateRemoteThread error!\"\n\t\t$s8 = \"Kernel32\"\n\t\t$s9 = \"VirtualAllocEx error!\"\n\tcondition:\n\t\tall of them\n}\nrule hxdef100_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file hxdef100.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"1b393e2e13b9c57fb501b7cd7ad96b25\"\n\tstrings:\n\t\t$s0 = \"\\\\\\\\.\\\\mailslot\\\\hxdef-rkc000\"\n\t\t$s2 = \"Shared Components\\\\On Access Scanner\\\\BehaviourBlo\"\n\t\t$s6 = \"SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\\\\\"\n\tcondition:\n\t\tall of them\n}\nrule Release_dllTest {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file dllTest.dll\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"76a59fc3242a2819307bb9d593bef2e0\"\n\tstrings:\n\t\t$s0 = \";;;Y;`;d;h;l;p;t;x;|;\"\n\t\t$s1 = \"0 0&00060K0R0X0f0l0q0w0\"\n\t\t$s2 = \": :$:(:,:0:4:8:D:`=d=\"\n\t\t$s3 = \"4@5P5T5\\\\5T7\\\\7d7l7t7|7\"\n\t\t$s4 = \"1,121>1C1K1Q1X1^1e1k1s1y1\"\n\t\t$s5 = \"9 9$9(9,9P9X9\\\\9`9d9h9l9p9t9x9|9\"\n\t\t$s6 = \"0)0O0\\\\0a0o0\\\"1E1P1q1\"\n\t\t$s7 = \"<.3F3Q3X3`3f3w3|3\"\n\t\t$s9 = \"8@;D;H;L;P;T;X;\\\\;a;9=W=z=\"\n\tcondition:\n\t\tall of them\n}\nrule webadmin {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file webadmin.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"3a90de401b30e5b590362ba2dde30937\"\n\tstrings:\n\t\t$s0 = \"\\\".ws(2).\\\"HDD Free : \\\".view_size($free).\\\" HDD Total : \\\".view_\"\n\tcondition:\n\t\tall of them\n}\nrule Mithril_v1_45_dllTest {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file dllTest.dll\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"1b9e518aaa62b15079ff6edb412b21e9\"\n\tstrings:\n\t\t$s3 = \"syspath\"\n\t\t$s4 = \"\\\\Mithril\"\n\t\t$s5 = \"--list the services in the computer\"\n\tcondition:\n\t\tall of them\n}\nrule dbgiis6cli {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file dbgiis6cli.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"3044dceb632b636563f66fee3aaaf8f3\"\n\tstrings:\n\t\t$s0 = \"User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\"\n\t\t$s5 = \"###command:(NO more than 100 bytes!)\"\n\tcondition:\n\t\tall of them\n}\nrule remview_2003_04_22 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file remview_2003_04_22.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"17d3e4e39fbca857344a7650f7ea55e3\"\n\tstrings:\n\t\t$s1 = \"\\\"\\\".mm(\\\"Eval PHP code\\\").\\\" (\\\".mm(\\\"don't type\\\").\\\" \\\\\\\"<?\\\\\\\"\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_test {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file test.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"82cf7b48da8286e644f575b039a99c26\"\n\tstrings:\n\t\t$s0 = \"$yazi = \\\"test\\\" . \\\"\\\\r\\\\n\\\";\"\n\t\t$s2 = \"fwrite ($fp, \\\"$yazi\\\");\"\n\tcondition:\n\t\tall of them\n}\nrule Debug_cress {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file cress.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"36a416186fe010574c9be68002a7286a\"\n\tstrings:\n\t\t$s0 = \"\\\\Mithril \"\n\t\t$s4 = \"Mithril.exe\"\n\tcondition:\n\t\tall of them\n}\nrule webshell {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file webshell.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"f2f8c02921f29368234bfb4d4622ad19\"\n\tstrings:\n\t\t$s0 = \"RhViRYOzz\"\n\t\t$s1 = \"d\\\\O!jWW\"\n\t\t$s2 = \"bc!jWW\"\n\t\t$s3 = \"0W[&{l\"\n\t\t$s4 = \"[INhQ@\\\\\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_EFSO_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file EFSO_2.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"a341270f9ebd01320a7490c12cb2e64c\"\n\tstrings:\n\t\t$s0 = \";!+/DRknD7+.\\\\mDrC(V+kcJznndm\\\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\\\"dKVcJ\\\\CslU,),@!0KxD~mKV\"\n\t\t$s4 = \"\\\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\\\"b~/fAs!u&9|J\\\\grKp\\\"j\"\n\tcondition:\n\t\tall of them\n}\nrule thelast_index3 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file index3.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"cceff6dc247aaa25512bad22120a14b4\"\n\tstrings:\n\t\t$s5 = \"$err = \\\"Your Name Not Entered!Sorry, \\\\\\\"Your Name\\\\\\\" field is r\"\n\tcondition:\n\t\tall of them\n}\nrule adjustcr {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file adjustcr.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"17037fa684ef4c90a25ec5674dac2eb6\"\n\tstrings:\n\t\t$s0 = \"$Info: This file is packed with the UPX executable packer $\"\n\t\t$s2 = \"$License: NRV for UPX is distributed under special license $\"\n\t\t$s6 = \"AdjustCR Carr\"\n\t\t$s7 = \"ION\\\\System\\\\FloatingPo\"\n\tcondition:\n\t\tall of them\n}\nrule FeliksPack3___PHP_Shells_xIShell {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file xIShell.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"997c8437c0621b4b753a546a53a88674\"\n\tstrings:\n\t\t$s3 = \"if (!$nix) { $xid = implode(explode(\\\"\\\\\\\\\\\",$xid),\\\"\\\\\\\\\\\\\\\\\\\");}echo (\\\"
    		 'off','sub' => 'aasd','s_name' => 'nurullahor\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_phpinj {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file phpinj.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"dd39d17e9baca0363cc1c3664e608929\"\n\tstrings:\n\t\t$s4 = \"echo ' Click Here to Exploit  
    ';\"\n\tcondition:\n\t\tall of them\n}\nrule xssshell_db {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file db.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"cb62e2ec40addd4b9930a9e270f5b318\"\n\tstrings:\n\t\t$s8 = \"'// By Ferruh Mavituna | http://ferruh.mavituna.com\"\n\tcondition:\n\t\tall of them\n}\nrule PHP_sh {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file sh.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"1e9e879d49eb0634871e9b36f99fe528\"\n\tstrings:\n\t\t$s1 = \"\\\"@$SERVER_NAME \\\".exec(\\\"pwd\\\")\"\n\tcondition:\n\t\tall of them\n}\nrule xssshell_default {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file default.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"d156782ae5e0b3724de3227b42fcaf2f\"\n\tstrings:\n\t\t$s3 = \"If ProxyData <> \\\"\\\" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, \\\"
    \\\")\"\n\tcondition:\n\t\tall of them\n}\nrule EditServer_Webshell_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file EditServer.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"5c1f25a4d206c83cdfb006b3eb4c09ba\"\n\tstrings:\n\t\t$s0 = \"@HOTMAIL.COM\"\n\t\t$s1 = \"Press Any Ke\"\n\t\t$s3 = \"glish MenuZ\"\n\tcondition:\n\t\tall of them\n}\nrule by064cli {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file by064cli.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"10e0dff366968b770ae929505d2a9885\"\n\tstrings:\n\t\t$s7 = \"packet dropped,redirecting\"\n\t\t$s9 = \"input the password(the default one is 'by')\"\n\tcondition:\n\t\tall of them\n}\nrule Mithril_dllTest {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file dllTest.dll\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"a8d25d794d8f08cd4de0c3d6bf389e6d\"\n\tstrings:\n\t\t$s0 = \"please enter the password:\"\n\t\t$s3 = \"\\\\dllTest.pdb\"\n\tcondition:\n\t\tall of them\n}\nrule peek_a_boo {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file peek-a-boo.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"aca339f60d41fdcba83773be5d646776\"\n\tstrings:\n\t\t$s0 = \"__vbaHresultCheckObj\"\n\t\t$s1 = \"\\\\VB\\\\VB5.OLB\"\n\t\t$s2 = \"capGetDriverDescriptionA\"\n\t\t$s3 = \"__vbaExceptHandler\"\n\t\t$s4 = \"EVENT_SINK_Release\"\n\t\t$s8 = \"__vbaErrorOverflow\"\n\tcondition:\n\t\tall of them\n}\nrule fmlibraryv3 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file fmlibraryv3.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"c34c248fed6d5a20d8203924a2088acc\"\n\tstrings:\n\t\t$s3 = \"ExeNewRs.CommandText = \\\"UPDATE \\\" & tablename & \\\" SET \\\" & ExeNewRsValues & \\\" WHER\"\n\tcondition:\n\t\tall of them\n}\nrule Debug_dllTest_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file dllTest.dll\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"1b9e518aaa62b15079ff6edb412b21e9\"\n\tstrings:\n\t\t$s4 = \"\\\\Debug\\\\dllTest.pdb\"\n\t\t$s5 = \"--list the services in the computer\"\n\tcondition:\n\t\tall of them\n}\nrule connector {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file connector.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"3ba1827fca7be37c8296cd60be9dc884\"\n\tstrings:\n\t\t$s2 = \"If ( AttackID = BROADCAST_ATTACK )\"\n\t\t$s4 = \"Add UNIQUE ID for victims / zombies\"\n\tcondition:\n\t\tall of them\n}\nrule shelltools_g0t_root_HideRun {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file HideRun.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"45436d9bfd8ff94b71eeaeb280025afe\"\n\tstrings:\n\t\t$s0 = \"Usage -- hiderun [AppName]\"\n\t\t$s7 = \"PVAX SW, Alexey A. Popoff, Moscow, 1997.\"\n\tcondition:\n\t\tall of them\n}\nrule regshell {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file regshell.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"db2fdc821ca6091bab3ebd0d8bc46ded\"\n\tstrings:\n\t\t$s0 = \"Changes the base hive to HKEY_CURRENT_USER.\"\n\t\t$s4 = \"Displays a list of values and sub-keys in a registry Hive.\"\n\t\t$s5 = \"Enter a menu selection number (1 - 3) or 99 to Exit: \"\n\tcondition:\n\t\tall of them\n}\nrule PHP_Shell_v1_7 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file PHP_Shell_v1.7.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"b5978501c7112584532b4ca6fb77cba5\"\n\tstrings:\n\t\t$s8 = \"[ADDITINAL TITTLE]-phpShell by:[YOURNAME]\"\n\tcondition:\n\t\tall of them\n}\nrule xssshell_save {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file save.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"865da1b3974e940936fe38e8e1964980\"\n\tstrings:\n\t\t$s4 = \"RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID\"\n\t\t$s5 = \"VictimID = fm_NStr(Victims(i))\"\n\tcondition:\n\t\tall of them\n}\nrule screencap {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file screencap.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"51139091dea7a9418a50f2712ea72aa6\"\n\tstrings:\n\t\t$s0 = \"GetDIBColorTable\"\n\t\t$s1 = \"Screen.bmp\"\n\t\t$s2 = \"CreateDCA\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_phpinj_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file phpinj.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"dd39d17e9baca0363cc1c3664e608929\"\n\tstrings:\n\t\t$s9 = \"<? system(\\\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO\"\n\tcondition:\n\t\tall of them\n}\nrule ZXshell2_0_rar_Folder_zxrecv {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file zxrecv.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"5d3d12a39f41d51341ef4cb7ce69d30f\"\n\tstrings:\n\t\t$s0 = \"RyFlushBuff\"\n\t\t$s1 = \"teToWideChar^FiYP\"\n\t\t$s2 = \"mdesc+8F D\"\n\t\t$s3 = \"\\\\von76std\"\n\t\t$s4 = \"5pur+virtul\"\n\t\t$s5 = \"- Kablto io\"\n\t\t$s6 = \"ac#f{lowi8a\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_ajan {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file ajan.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"22194f8c44524f80254e1b5aec67b03e\"\n\tstrings:\n\t\t$s4 = \"entrika.write \\\"BinaryStream.SaveToFile\"\n\tcondition:\n\t\tall of them\n}\nrule c99shell {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file c99shell.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"90b86a9c63e2cd346fe07cea23fbfc56\"\n\tstrings:\n\t\t$s0 = \"<br />Input URL: <input name=\\\\\\\"uploadurl\\\\\\\" type=\\\\\\\"text\\\\\\\"&\"\n\tcondition:\n\t\tall of them\n}\nrule phpspy_2005_full {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file phpspy_2005_full.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"d1c69bb152645438440e6c903bac16b2\"\n\tstrings:\n\t\t$s7 = \"echo \\\"  <td align=\\\\\\\"center\\\\\\\" nowrap valign=\\\\\\\"top\\\\\\\"><a href=\\\\\\\"?downfile=\\\".urlenco\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_zehir4_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file zehir4.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"5b496a61363d304532bcf52ee21f5d55\"\n\tstrings:\n\t\t$s4 = \"\\\"Program Files\\\\Serv-u\\\\Serv\"\n\tcondition:\n\t\tall of them\n}\nrule httpdoor {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file httpdoor.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"6097ea963455a09474471a9864593dc3\"\n\tstrings:\n\t\t$s4 = \"''''''''''''''''''DaJKHPam\"\n\t\t$s5 = \"o,WideCharR]!n]\"\n\t\t$s6 = \"HAutoComplete\"\n\t\t$s7 = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\" standalone=\\\"yes\\\"?> <assembly xmlns=\\\"urn:sch\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_indexer_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file indexer.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"135fc50f85228691b401848caef3be9e\"\n\tstrings:\n\t\t$s5 = \"<td>Nerden :<td><input type=\\\"text\\\" name=\\\"nerden\\\" size=25 value=index.html></td>\"\n\tcondition:\n\t\tall of them\n}\nrule HYTop_DevPack_2005 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file 2005.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"63d9fd24fa4d22a41fc5522fc7050f9f\"\n\tstrings:\n\t\t$s7 = \"theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\\\"/\\\")),\\\"\\\")\"\n\t\t$s8 = \"scrollbar-darkshadow-color:#9C9CD3;\"\n\t\t$s9 = \"scrollbar-face-color:#E4E4F3;\"\n\tcondition:\n\t\tall of them\n}\nrule _root_040_zip_Folder_deploy {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file deploy.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"2c9f9c58999256c73a5ebdb10a9be269\"\n\tstrings:\n\t\t$s5 = \"halon synscan 127.0.0.1 1-65536\"\n\t\t$s8 = \"Obviously you replace the ip address with that of the target.\"\n\n\tcondition:\n\t\tall of them\n}\nrule by063cli {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file by063cli.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"49ce26eb97fd13b6d92a5e5d169db859\"\n\tstrings:\n\t\t$s2 = \"#popmsghello,are you all right?\"\n\t\t$s4 = \"connect failed,check your network and remote ip.\"\n\tcondition:\n\t\tall of them\n}\nrule icyfox007v1_10_rar_Folder_asp {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file asp.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"2c412400b146b7b98d6e7755f7159bb9\"\n\tstrings:\n\t\t$s0 = \"<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>\"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_EFSO_2_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file EFSO_2.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"a341270f9ebd01320a7490c12cb2e64c\"\n\tstrings:\n\t\t$s0 = \";!+/DRknD7+.\\\\mDrC(V+kcJznndm\\\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\\\"dKVcJ\\\\CslU,),@!0KxD~mKV\"\n\t\t$s4 = \"\\\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\\\"b~/fAs!u&9|J\\\\grKp\\\"j\"\n\tcondition:\n\t\tall of them\n}\nrule byshell063_ntboot_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file ntboot.dll\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"cb9eb5a6ff327f4d6c46aacbbe9dda9d\"\n\tstrings:\n\t\t$s6 = \"OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)\"\n\tcondition:\n\t\tall of them\n}\nrule u_uay {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file uay.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"abbc7b31a24475e4c5d82fc4c2b8c7c4\"\n\tstrings:\n\t\t$s1 = \"exec \\\"c:\\\\WINDOWS\\\\System32\\\\freecell.exe\"\n\t\t$s9 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\uay.sys\\\\Security\"\n\tcondition:\n\t\t1 of them\n}\nrule bin_wuaus {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file wuaus.dll\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"46a365992bec7377b48a2263c49e4e7d\"\n\tstrings:\n\t\t$s1 = \"9(90989@9V9^9f9n9v9\"\n\t\t$s2 = \":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:\"\n\t\t$s3 = \";(=@=G=O=T=X=\\\\=\"\n\t\t$s4 = \"TCP Send Error!!\"\n\t\t$s5 = \"1\\\"1;1X1^1e1m1w1~1\"\n\t\t$s8 = \"=$=)=/=<=Y=_=j=p=z=\"\n\tcondition:\n\t\tall of them\n}\nrule pwreveal {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file pwreveal.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"b4e8447826a45b76ca45ba151a97ad50\"\n\tstrings:\n\t\t$s0 = \"*<Blank - no es\"\n\t\t$s3 = \"JDiamondCS \"\n\t\t$s8 = \"sword set> [Leith=0 bytes]\"\n\t\t$s9 = \"ION\\\\System\\\\Floating-\"\n\tcondition:\n\t\tall of them\n}\nrule shelltools_g0t_root_xwhois {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file xwhois.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"0bc98bd576c80d921a3460f8be8816b4\"\n\tstrings:\n\t\t$s1 = \"rting! \"\n\t\t$s2 = \"aTypCog(\"\n\t\t$s5 = \"Diamond\"\n\t\t$s6 = \"r)r=rQreryr\"\n\tcondition:\n\t\tall of them\n}\nrule vanquish_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file vanquish.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"2dcb9055785a2ee01567f52b5a62b071\"\n\tstrings:\n\t\t$s2 = \"Vanquish - DLL injection failed:\"\n\tcondition:\n\t\tall of them\n}\nrule down_rar_Folder_down {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file down.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"db47d7a12b3584a2e340567178886e71\"\n\tstrings:\n\t\t$s0 = \"response.write \\\"<font color=blue size=2>NetBios Name: \\\\\\\\\\\"  & Snet.ComputerName &\"\n\tcondition:\n\t\tall of them\n}\nrule cmdShell {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file cmdShell.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"8a9fef43209b5d2d4b81dfbb45182036\"\n\tstrings:\n\t\t$s1 = \"if cmdPath=\\\"wscriptShell\\\" then\"\n\tcondition:\n\t\tall of them\n}\nrule ZXshell2_0_rar_Folder_nc {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file nc.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"2cd1bf15ae84c5f6917ddb128827ae8b\"\n\tstrings:\n\t\t$s0 = \"WSOCK32.dll\"\n\t\t$s1 = \"?bSUNKNOWNV\"\n\t\t$s7 = \"p@gram Jm6h)\"\n\t\t$s8 = \"ser32.dllCONFP@\"\n\tcondition:\n\t\tall of them\n}\nrule portlessinst {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file portlessinst.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"74213856fc61475443a91cd84e2a6c2f\"\n\tstrings:\n\t\t$s2 = \"Fail To Open Registry\"\n\t\t$s3 = \"f<-WLEggDr\\\"\"\n\t\t$s6 = \"oMemoryCreateP\"\n\tcondition:\n\t\tall of them\n}\nrule SetupBDoor {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file SetupBDoor.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"41f89e20398368e742eda4a3b45716b6\"\n\tstrings:\n\t\t$s1 = \"\\\\BDoor\\\\SetupBDoor\"\n\tcondition:\n\t\tall of them\n}\nrule phpshell_3 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file phpshell.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"e8693a2d4a2ffea4df03bb678df3dc6d\"\n\tstrings:\n\t\t$s3 = \"<input name=\\\"submit_btn\\\" type=\\\"submit\\\" value=\\\"Execute Command\\\"></p>\"\n\t\t$s5 = \"      echo \\\"<option value=\\\\\\\"$work_dir\\\\\\\" selected>Current Directory</option>\\\\n\\\";\"\n\tcondition:\n\t\tall of them\n}\nrule BIN_Server {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file Server.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"1d5aa9cbf1429bb5b8bf600335916dcd\"\n\tstrings:\n\t\t$s0 = \"configserver\"\n\t\t$s1 = \"GetLogicalDrives\"\n\t\t$s2 = \"WinExec\"\n\t\t$s4 = \"fxftest\"\n\t\t$s5 = \"upfileok\"\n\t\t$s7 = \"upfileer\"\n\tcondition:\n\t\tall of them\n}\nrule HYTop2006_rar_Folder_2006 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file 2006.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"c19d6f4e069188f19b08fa94d44bc283\"\n\tstrings:\n\t\t$s6 = \"strBackDoor = strBackDoor \"\n\tcondition:\n\t\tall of them\n}\nrule r57shell_3 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file r57shell.php\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"87995a49f275b6b75abe2521e03ac2c0\"\n\tstrings:\n\t\t$s1 = \"<b>\\\".$_POST['cmd']\"\n\tcondition:\n\t\tall of them\n}\nrule HDConfig {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file HDConfig.exe\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"7d60e552fdca57642fd30462416347bd\"\n\tstrings:\n\t\t$s0 = \"An encryption key is derived from the password hash. \"\n\t\t$s3 = \"A hash object has been created. \"\n\t\t$s4 = \"Error during CryptCreateHash!\"\n\t\t$s5 = \"A new key container has been created.\"\n\t\t$s6 = \"The password has been added to the hash. \"\n\tcondition:\n\t\tall of them\n}\nrule FSO_s_ajan_2 {\n\tmeta:\n\t\tdescription = \"Webshells Auto-generated - file ajan.asp\"\n\t\tauthor = \"Yara Bulk Rule Generator by Florian Roth\"\n\t\thash = \"22194f8c44524f80254e1b5aec67b03e\"\n\tstrings:\n\t\t$s2 = \"\\\"Set WshShell = CreateObject(\\\"\\\"WScript.Shell\\\"\\\")\"\n\t\t$s3 = \"/file.zip\"\n\tcondition:\n\t\tall of them\n}\n\nrule Webshell_and_Exploit_CN_APT_HK : Webshell\n{\nmeta:\n\tauthor = \"Florian Roth\"\n\tdescription = \"Webshell and Exploit Code in relation with APT against Honk Kong protesters\"\n\tdate = \"10.10.2014\"\n\tscore = 50\nstrings:\n\t$a0 = \"<script language=javascript src=http://java-se.com/o.js</script>\" fullword\n\t$s0 = \"<span style=\\\"font:11px Verdana;\\\">Password: </span><input name=\\\"password\\\" type=\\\"password\\\" size=\\\"20\\\">\"\n\t$s1 = \"<input type=\\\"hidden\\\" name=\\\"doing\\\" value=\\\"login\\\">\"\ncondition:\n\t$a0 or ( all of ($s*) )\n}\n\nrule JSP_Browser_APT_webshell {\n\tmeta:\n\t\tdescription = \"VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a\"\n\t\tauthor = \"F.Roth\"\n\t\tdate = \"10.10.2014\"\n\t\tscore = 60\n\tstrings:\n\t\t$a1a = \"private static final String[] COMMAND_INTERPRETER = {\\\"\" ascii\n\t\t$a1b = \"cmd\\\", \\\"/C\\\"}; // Dos,Windows\" ascii\n\t\t$a2 = \"Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));\" ascii\n\t\t$a3 = \"ret.append(\\\"!!!! Process has timed out, destroyed !!!!!\\\");\" ascii\n\tcondition:\n\t\tall of them\n}\n\nrule JSP_jfigueiredo_APT_webshell {\n\tmeta:\n\t\tdescription = \"JSP Browser used as web shell by APT groups - author: jfigueiredo\"\n\t\tauthor = \"F.Roth\"\n\t\tdate = \"12.10.2014\"\n\t\tscore = 60\n\t\treference = \"http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp\"\n\tstrings:\n\t\t$a1 = \"String fhidden = new String(Base64.encodeBase64(path.getBytes()));\" ascii\n\t\t$a2 = \"<form id=\\\"upload\\\" name=\\\"upload\\\" action=\\\"ServFMUpload\\\" method=\\\"POST\\\" enctype=\\\"multipart/form-data\\\">\" ascii\n\tcondition:\n\t\tall of them\n}\n\nrule JSP_jfigueiredo_APT_webshell_2 {\n\tmeta:\n\t\tdescription = \"JSP Browser used as web shell by APT groups - author: jfigueiredo\"\n\t\tauthor = \"F.Roth\"\n\t\tdate = \"12.10.2014\"\n\t\tscore = 60\n\t\treference = \"http://ceso.googlecode.com/svn/web/bko/filemanager/\"\n\tstrings:\n\t\t$a1 = \"<div id=\\\"bkorotator\\\"><img alt=\\\"\\\" src=\\\"images/rotator/1.jpg\\\"></div>\" ascii\n\t\t$a2 = \"$(\\\"#dialog\\\").dialog(\\\"destroy\\\");\" ascii\n\t\t$s1 = \"<form id=\\\"form\\\" action=\\\"ServFMUpload\\\" method=\\\"post\\\" enctype=\\\"multipart/form-data\\\">\" ascii\n\t\t$s2 = \"<input type=\\\"hidden\\\" id=\\\"fhidden\\\" name=\\\"fhidden\\\" value=\\\"L3BkZi8=\\\" />\" ascii\n\tcondition:\n\t\tall of ($a*) or all of ($s*)\n}\n\nrule AJAX_FileUpload_webshell {\n\tmeta:\n\t\tdescription = \"AJAX JS/CSS components providing web shell by APT groups\"\n\t\tauthor = \"F.Roth\"\n\t\tdate = \"12.10.2014\"\n\t\tscore = 75\n\t\treference = \"http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js\"\n\tstrings:\n\t\t$a1 = \"var frameId = 'jUploadFrame' + id;\" ascii\n\t\t$a2 = \"var form = jQuery('<form  action=\\\"\\\" method=\\\"POST\\\" name=\\\"' + formId + '\\\" id=\\\"' + formId + '\\\" enctype=\\\"multipart/form-data\\\"></form>');\" ascii\n\t\t$a3 = \"jQuery(\\\"<div>\\\").html(data).evalScripts();\" ascii\n\tcondition:\n\t\tall of them\n}\n\nrule Webshell_Insomnia {\n\tmeta:\n\t\tdescription = \"Insomnia Webshell - file InsomniaShell.aspx\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/\"\n\t\tdate = \"2014/12/09\"\n\t\thash = \"e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22\"\n\t\tscore = 80\n\tstrings:\n\t\t$s0 = \"Response.Write(\\\"- Failed to create named pipe:\\\");\" fullword ascii\n\t\t$s1 = \"Response.Output.Write(\\\"+ Sending {0}<br>\\\", command);\" fullword ascii\n\t\t$s2 = \"String command = \\\"exec master..xp_cmdshell 'dir > \\\\\\\\\\\\\\\\127.0.0.1\" ascii\n\t\t$s3 = \"Response.Write(\\\"- Error Getting User Info<br>\\\");\" fullword ascii\n\t\t$s4 = \"string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,\" fullword ascii\n\t\t$s5 = \"[DllImport(\\\"Advapi32.dll\\\", SetLastError = true)]\" fullword ascii\n\t\t$s9 = \"username = DumpAccountSid(tokUser.User.Sid);\" fullword ascii\n\t\t$s14 = \"//Response.Output.Write(\\\"Opened process PID: {0} : {1}<br>\\\", p\" ascii\n\tcondition:\n\t\t3 of them\n}\n\nrule HawkEye_PHP_Panel {\n\tmeta:\n\t\tdescription = \"Detects HawkEye Keyloggers PHP Panel\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/12/14\"\n\t\tscore = 60\n\tstrings:\n\t\t$s0 = \"$fname = $_GET['fname'];\" ascii fullword\n\t\t$s1 = \"$data = $_GET['data'];\" ascii fullword\n\t\t$s2 = \"unlink($fname);\" ascii fullword\n\t\t$s3 = \"echo \\\"Success\\\";\" fullword ascii\n\tcondition:\n\t\tall of ($s*) and filesize < 600\n}\n\nrule SoakSoak_Infected_Wordpress {\n\tmeta:\n\t\tdescription = \"Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX\"\n\t\treference = \"http://goo.gl/1GzWUX\"\n\t\tauthor = \"Florian Roth\"\n\t\tdate = \"2014/12/15\"\n\t\tscore = 60\n\tstrings:\n\t\t$s0 = \"wp_enqueue_script(\\\"swfobject\\\");\" ascii fullword\n\t\t$s1 = \"function FuncQueueObject()\" ascii fullword\n\t\t$s2 = \"add_action(\\\"wp_enqueue_scripts\\\", 'FuncQueueObject');\" ascii fullword\n\tcondition:\n\t\tall of ($s*)\n}\n\nrule Pastebin_Webshell {\n\tmeta:\n\t\tdescription = \"Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs\"\n\t\tauthor = \"Florian Roth\"\n\t\tscore = 70\n\t\tdate = \"13.01.2015\"\n\t\treference = \"http://goo.gl/7dbyZs\"\n\tstrings:\n\t\t$s0 = \"file_get_contents(\\\"http://pastebin.com\" ascii\n\t\t$s1 = \"xcurl('http://pastebin.com/download.php\" ascii\n\t\t$s2 = \"xcurl('http://pastebin.com/raw.php\" ascii\n\n\t\t$x0 = \"if($content){unlink('evex.php');\" ascii\n\t\t$x1 = \"$fh2 = fopen(\\\"evex.php\\\", 'a');\" ascii\n\n\t\t$y0 = \"file_put_contents($pth\" ascii\n\t\t$y1 = \"echo \\\"<login_ok>\" ascii\n\t\t$y2 = \"str_replace('* @package Wordpress',$temp\" ascii\n\tcondition:\n\t\t1 of ($s*) or all of ($x*) or all of ($y*)\n}\n\nrule ASPXspy2 {\n\tmeta:\n\t\tdescription = \"Web shell - file ASPXspy2.aspx\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"not set\"\n\t\tdate = \"2015/01/24\"\n\t\thash = \"5642387d92139bfe9ae11bfef6bfe0081dcea197\"\n\tstrings:\n\t\t$s0 = \"string iVDT=\\\"-SETUSERSETUP\\\\r\\\\n-IP=0.0.0.0\\\\r\\\\n-PortNo=52521\\\\r\\\\n-User=bin\" ascii\n\t\t$s1 = \"SQLExec : <asp:DropDownList runat=\\\"server\\\" ID=\\\"FGEy\\\" AutoPostBack=\\\"True\\\" O\" ascii\n\t\t$s3 = \"Process[] p=Process.GetProcesses();\" fullword ascii\n\t\t$s4 = \"Response.Cookies.Add(new HttpCookie(vbhLn,Password));\" fullword ascii\n\t\t$s5 = \"[DllImport(\\\"kernel32.dll\\\",EntryPoint=\\\"GetDriveTypeA\\\")]\" fullword ascii\n\t\t$s6 = \"<p>ConnString : <asp:TextBox id=\\\"MasR\\\" style=\\\"width:70%;margin:0 8px;\\\" CssCl\" ascii\n\t\t$s7 = \"ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();\" fullword ascii\n\t\t$s8 = \"Copyright © 2009 Bin -- <a href=\\\"http://www.rootkit.net.cn\\\" target=\\\"_bla\" ascii\n\t\t$s10 = \"Response.AddHeader(\\\"Content-Disposition\\\",\\\"attachment;filename=\\\"+HttpUtility.\" ascii\n\t\t$s11 = \"nxeDR.Command+=new CommandEventHandler(this.iVk);\" fullword ascii\n\t\t$s12 = \"<%@ import Namespace=\\\"System.ServiceProcess\\\"%>\" fullword ascii\n\t\t$s13 = \"foreach(string innerSubKey in sk.GetSubKeyNames())\" fullword ascii\n\t\t$s17 = \"Response.Redirect(\\\"http://www.rootkit.net.cn\\\");\" fullword ascii\n\t\t$s20 = \"else if(Reg_Path.StartsWith(\\\"HKEY_USERS\\\"))\" fullword ascii\n\tcondition:\n\t\t6 of them\n}\n\n\n/*\n\tYara Rule Set\n\tAuthor: Florian Roth\n\tDate: 2016-01-11\n\tIdentifier: Web Shell Repo\n\tReference: https://github.com/nikicat/web-malware-collection\n*/\n\nrule Webshell_27_9_c66_c99 {\n\tmeta:\n\t\tdescription = \"Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ...\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4\"\n\t\thash2 = \"5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c\"\n\t\thash3 = \"c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596\"\n\t\thash4 = \"80ec7831ae888d5603ed28d81225ed8b256c831077bb8feb235e0a1a9b68b748\"\n\t\thash5 = \"6ce99e07aa98ba6dc521c34cf16fbd89654d0ba59194878dffca857a4c34e57b\"\n\t\thash6 = \"383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1\"\n\t\thash7 = \"07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a\"\n\t\thash8 = \"615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966\"\n\t\thash9 = \"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f\"\n\t\thash10 = \"a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5\"\n\tstrings:\n\t\t$s4 = \"if (!empty($unset_surl)) {setcookie(\\\"c99sh_surl\\\"); $surl = \\\"\\\";}\" fullword ascii\n\t\t$s6 = \"@extract($_REQUEST[\\\"c99shcook\\\"]);\" fullword ascii\n\t\t$s7 = \"if (!function_exists(\\\"c99_buff_prepare\\\"))\" fullword ascii\n\tcondition:\n\t\tfilesize < 685KB and 1 of them\n}\n\nrule Webshell_acid_AntiSecShell_3 {\n\tmeta:\n\t\tdescription = \"Detects Webshell Acid\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4\"\n\t\thash2 = \"7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549\"\n\t\thash3 = \"0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092\"\n\t\thash4 = \"d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5\"\n\t\thash5 = \"5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c\"\n\t\thash6 = \"21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06\"\n\t\thash7 = \"c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596\"\n\t\thash8 = \"816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9\"\n\t\thash9 = \"383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1\"\n\t\thash10 = \"07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a\"\n\t\thash11 = \"615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966\"\n\t\thash12 = \"bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96\"\n\t\thash13 = \"d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc\"\n\t\thash14 = \"65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791\"\n\t\thash15 = \"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f\"\n\t\thash16 = \"ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f\"\n\t\thash17 = \"a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5\"\n\t\thash18 = \"1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd\"\n\tstrings:\n\t\t$s0 = \"echo \\\"<option value=delete\\\".($dspact == \\\"delete\\\"?\\\" selected\\\":\\\"\\\").\\\">Delete</option>\\\";\" fullword ascii\n\t\t$s1 = \"if (!is_readable($o)) {return \\\"<font color=red>\\\".view_perms(fileperms($o)).\\\"</font>\\\";}\" fullword ascii\n\tcondition:\n\t\tfilesize < 900KB and all of them\n}\n\nrule Webshell_c99_4 {\n\tmeta:\n\t\tdescription = \"Detects C99 Webshell\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4\"\n\t\thash2 = \"0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092\"\n\t\thash3 = \"d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5\"\n\t\thash4 = \"5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c\"\n\t\thash5 = \"21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06\"\n\t\thash6 = \"c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596\"\n\t\thash7 = \"816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9\"\n\t\thash8 = \"383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1\"\n\t\thash9 = \"07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a\"\n\t\thash10 = \"615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966\"\n\t\thash11 = \"bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96\"\n\t\thash12 = \"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f\"\n\t\thash13 = \"a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5\"\n\t\thash14 = \"1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd\"\n\tstrings:\n\t\t$s1 = \"displaysecinfo(\\\"List of Attributes\\\",myshellexec(\\\"lsattr -a\\\"));\" fullword ascii\n\t\t$s2 = \"displaysecinfo(\\\"RAM\\\",myshellexec(\\\"free -m\\\"));\" fullword ascii\n\t\t$s3 = \"displaysecinfo(\\\"Where is perl?\\\",myshellexec(\\\"whereis perl\\\"));\" fullword ascii\n\t\t$s4 = \"$ret = myshellexec($handler);\" fullword ascii\n\t\t$s5 = \"if (posix_kill($pid,$sig)) {echo \\\"OK.\\\";}\" fullword ascii\n\tcondition:\n\t\tfilesize < 900KB and 1 of them\n}\n\nrule Webshell_r57shell_2 {\n\tmeta:\n\t\tdescription = \"Detects Webshell R57\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6\"\n\t\thash2 = \"aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d\"\n\t\thash3 = \"aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d\"\n\t\thash4 = \"756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881\"\n\t\thash5 = \"756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881\"\n\t\thash6 = \"16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2\"\n\t\thash7 = \"59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88\"\n\t\thash8 = \"1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8\"\n\t\thash9 = \"c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f\"\n\t\thash10 = \"c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f\"\n\t\thash11 = \"59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519\"\n\t\thash12 = \"0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f\"\n\t\thash13 = \"ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92\"\n\tstrings:\n\t\t$s1 = \"$connection = @ftp_connect($ftp_server,$ftp_port,10);\" fullword ascii\n\t\t$s2 = \"echo $lang[$language.'_text98'].$suc.\\\"\\\\r\\\\n\\\";\" fullword ascii\n\tcondition:\n\t\tfilesize < 900KB and all of them\n}\n\nrule Webshell_27_9_acid_c99_locus7s {\n\tmeta:\n\t\tdescription = \"Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4\"\n\t\thash2 = \"7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549\"\n\t\thash3 = \"960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668\"\n\t\thash4 = \"07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a\"\n\t\thash5 = \"bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96\"\n\t\thash6 = \"5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3\"\n\t\thash7 = \"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f\"\n\t\thash8 = \"ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f\"\n\tstrings:\n\t\t$s0 = \"$blah = ex($p2.\\\" /tmp/back \\\".$_POST['backconnectip'].\\\" \\\".$_POST['backconnectport'].\\\" &\\\");\" fullword ascii\n\t\t$s1 = \"$_POST['backcconnmsge']=\\\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\\\";\" fullword ascii\n\tcondition:\n\t\tfilesize < 1711KB and 1 of them\n}\n\nrule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 {\n\tmeta:\n\t\tdescription = \"Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ...\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6\"\n\t\thash2 = \"f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba\"\n\t\thash3 = \"16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2\"\n\t\thash4 = \"59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88\"\n\t\thash5 = \"6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a\"\n\t\thash6 = \"5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94\"\n\t\thash7 = \"1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8\"\n\t\thash8 = \"c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f\"\n\t\thash9 = \"59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519\"\n\t\thash10 = \"0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f\"\n\t\thash11 = \"ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92\"\n\tstrings:\n\t\t$s1 = \"$_POST['cmd'] = which('\" ascii\n\t\t$s2 = \"$blah = ex(\" fullword ascii\n\tcondition:\n\t\tfilesize < 600KB and all of them\n}\n\nrule Webshell_c100 {\n\tmeta:\n\t\tdescription = \"Detects Webshell - rule generated from from files c100 v. 777shell\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092\"\n\t\thash2 = \"d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5\"\n\t\thash3 = \"21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06\"\n\t\thash4 = \"c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596\"\n\t\thash5 = \"816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9\"\n\t\thash6 = \"bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96\"\n\t\thash7 = \"ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f\"\n\tstrings:\n\t\t$s0 = \"<OPTION VALUE=\\\"wget http://ftp.powernet.com.tr/supermail/debug/k3\\\">Kernel attack (Krad.c) PT1 (If wget installed)\" fullword ascii\n\t\t$s1 = \"<center>Kernel Info: <form name=\\\"form1\\\" method=\\\"post\\\" action=\\\"http://google.com/search\\\">\" fullword ascii\n\t\t$s3 = \"cut -d: -f1,2,3 /etc/passwd | grep ::\" ascii\n\t\t$s4 = \"which wget curl w3m lynx\" ascii\n\t\t$s6 = \"netstat -atup | grep IST\"  ascii\n\tcondition:\n\t\tfilesize < 685KB and 2 of them\n}\n\nrule Webshell_AcidPoison {\n\tmeta:\n\t\tdescription = \"Detects Poison Sh3ll - Webshell\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549\"\n\t\thash2 = \"7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549\"\n\t\thash3 = \"d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc\"\n\t\thash4 = \"d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc\"\n\t\thash5 = \"65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791\"\n\t\thash6 = \"65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791\"\n\t\thash7 = \"be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5\"\n\t\thash8 = \"be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5\"\n\t\thash9 = \"ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f\"\n\t\thash10 = \"ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f\"\n\tstrings:\n\t\t$s1 = \"elseif ( enabled(\\\"exec\\\") ) { exec($cmd,$o); $output = join(\\\"\\\\r\\\\n\\\",$o); }\" fullword ascii\n\tcondition:\n\t\tfilesize < 550KB and all of them\n}\n\nrule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 {\n\tmeta:\n\t\tdescription = \"Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549\"\n\t\thash2 = \"d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc\"\n\t\thash3 = \"65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791\"\n\t\thash4 = \"ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f\"\n\t\thash5 = \"1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd\"\n\tstrings:\n\t\t$s0 = \"<form method=\\\"POST\\\"><input type=hidden name=act value=\\\"ls\\\">\" fullword ascii\n\t\t$s2 = \"foreach($quicklaunch2 as $item) {\" fullword ascii\n\tcondition:\n\t\tfilesize < 882KB and all of them\n}\n\nrule Webshell_Ayyildiz {\n\tmeta:\n\t\tdescription = \"Detects Webshell - rule generated from from files Ayyildiz Tim  -AYT- Shell v 2.1 Biz.txt, Macker's Private PHPShell.php, matamu.txt, myshell.txt, PHP Shell.txt\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5\"\n\t\thash2 = \"9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a\"\n\t\thash3 = \"2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca\"\n\t\thash4 = \"77a63b26f52ba341dd2f5e8bbf5daf05ebbdef6b3f7e81cec44ce97680e820f9\"\n\t\thash5 = \"61c4fcb6e788c0dffcf0b672ae42b1676f8a9beaa6ec7453fc59ad821a4a8127\"\n\tstrings:\n\t\t$s0 = \"echo \\\"<option value=\\\\\\\"\\\". strrev(substr(strstr(strrev($work_dir), \\\"/\\\"), 1)) .\\\"\\\\\\\">Parent Directory</option>\\\\n\\\";\" fullword ascii\n\t\t$s1 = \"echo \\\"<option value=\\\\\\\"$work_dir\\\\\\\" selected>Current Directory</option>\\\\n\\\";\" fullword ascii\n\tcondition:\n\t\tfilesize < 112KB and all of them\n}\n\nrule Webshell_zehir {\n\tmeta:\n\t\tdescription = \"Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt\"\n\t\tauthor = \"Florian Roth\"\n\t\treference = \"https://github.com/nikicat/web-malware-collection\"\n\t\tdate = \"2016-01-11\"\n\t\tscore = 70\n\t\thash1 = \"16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218\"\n\t\thash2 = \"0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6\"\n\t\thash3 = \"cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66\"\n\t\thash4 = \"b57bf397984545f419045391b56dcaf7b0bed8b6ee331b5c46cee35c92ffa13d\"\n\t\thash5 = \"febf37a9e8ba8ece863f506ae32ad398115106cc849a9954cbc0277474cdba5c\"\n\tstrings:\n\t\t$s1 = \"for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';\" fullword ascii\n\t\t$s2 = \"if (frmUpload.max.value<=0) frmUpload.max.value=1;\" fullword ascii\n\tcondition:\n\t\tfilesize < 200KB and 1 of them\n}\n"
  },
  {
    "path": "rules/xunjian.yar",
    "content": "/*\nshuoshuren\n2020.9.7\n*/\ninclude \"./malware/MALW_BackdoorSSH.yar\"\ninclude \"./malware/MALW_BlackRev.yar\"\ninclude \"./malware/MALW_PE_sections.yar\"\ninclude \"./webshells/WShell_APT_Laudanum.yar\"\ninclude \"./webshells/WShell_ASPXSpy.yar\"\ninclude \"./webshells/WShell_Drupalgeddon2_icos.yar\"\ninclude \"./webshells/WShell_PHP_Anuna.yar\"\ninclude \"./webshells/WShell_PHP_in_images.yar\"\ninclude \"./webshells/WShell_THOR_Webshells.yar\"\ninclude \"./utils/wget.yar\"\ninclude \"./malware/ddg.yar\"\ninclude \"./malware/h2miner.yar\"\ninclude \"./malware/lsdminer.yar\"\ninclude \"./malware/rainbowminer.yar\"\ninclude \"./malware/skipmap.yar\"\ninclude \"./malware/startminer.yar\"\ninclude \"./malware/sysupdataminer.yar\"\ninclude \"./malware/teamtnt.yar\"\ninclude \"./malware/watchbogminer.yar\"\n"
  },
  {
    "path": "whohk.py",
    "content": "# -*- coding:utf-8 -*- -\r\nimport os\r\nimport re\r\nimport time\r\nimport psutil\r\nimport yara\r\nimport sys\r\nimport socket\r\nimport struct\r\nimport prettytable as pt\r\nimport argparse\r\n\r\n\r\n# 检查是否root运行\r\ndef checkroot():\r\n    if os.popen(\"whoami\").read() != 'root\\n':\r\n        print('[\\033[1;33mwaring\\033[0m]检测到当前为非root权限,部分功能可能受限哦~')\r\n\r\ndef system_state():  # 系统状态\r\n    cpu = '{}{}'.format(str(psutil.cpu_percent(1)), '%')\r\n    mem = '{}{}'.format(str(psutil.virtual_memory()[2]), '%')\r\n    disk = '{}{}'.format(psutil.disk_usage('/')[3], '%')\r\n    login=os.popen(\"who\").read()\r\n    system_state = pt.PrettyTable()\r\n    system_state.field_names = ['CPU', 'MEM', 'DISK','ONLINE']\r\n    system_state.add_row([cpu, mem, disk,login.replace('    ',' ').replace('   ',' ')])\r\n    return system_state\r\n\r\n########查外连模块#############\r\nclass CzIp:  # 读取解析纯真IP数据库的类\r\n    def __init__(self, db_file='config/qqwry.dat'):\r\n        self.f_db = open(db_file, \"rb\")\r\n        bs = self.f_db.read(8)\r\n        (self.first_index, self.last_index) = struct.unpack('II', bs)\r\n        self.index_count = int((self.last_index - self.first_index) / 7 + 1)\r\n        self.cur_start_ip = None\r\n        self.cur_end_ip_offset = None\r\n        self.cur_end_ip = None\r\n\r\n    def _get_area_addr(self, offset=0):\r\n        if offset:\r\n            self.f_db.seek(offset)\r\n        bs = self.f_db.read(1)\r\n        (byte,) = struct.unpack('B', bs)\r\n        if byte == 0x01 or byte == 0x02:\r\n            p = self.getLong3()\r\n            if p:\r\n                return self.get_offset_string(p)\r\n            else:\r\n                return \"\"\r\n        else:\r\n            self.f_db.seek(-1, 1)\r\n            return self.get_offset_string(offset)\r\n\r\n    def _get_addr(self, offset):\r\n        '''\r\n        获取offset处记录区地址信息(包含国家和地区)\r\n        如果是中国ip,则是 \"xx省xx市 xxxxx地区\" 这样的形式\r\n        (比如:\"福建省 电信\", \"澳大利亚 墨尔本Goldenit有限公司\")\r\n        :param offset:\r\n        :return:str\r\n        '''\r\n        self.f_db.seek(offset + 4)\r\n        bs = self.f_db.read(1)\r\n        (byte,) = struct.unpack('B', bs)\r\n        if byte == 0x01:  # 重定向模式1\r\n            country_offset = self.getLong3()\r\n            self.f_db.seek(country_offset)\r\n            bs = self.f_db.read(1)\r\n            (b,) = struct.unpack('B', bs)\r\n            if b == 0x02:\r\n                country_addr = self.get_offset_string(self.getLong3())\r\n                self.f_db.seek(country_offset + 4)\r\n            else:\r\n                country_addr = self.get_offset_string(country_offset)\r\n            area_addr = self._get_area_addr()\r\n        elif byte == 0x02:  # 重定向模式2\r\n            country_addr = self.get_offset_string(self.getLong3())\r\n            area_addr = self._get_area_addr(offset + 8)\r\n        else:  # 字符串模式\r\n            country_addr = self.get_offset_string(offset + 4)\r\n            area_addr = self._get_area_addr()\r\n        return country_addr + \" \" + area_addr\r\n\r\n    def dump(self, first, last):\r\n        '''\r\n        打印数据库中索引为first到索引为last(不包含last)的记录\r\n        :param first:\r\n        :param last:\r\n        :return:\r\n        '''\r\n        if last > self.index_count:\r\n            last = self.index_count\r\n        for index in range(first, last):\r\n            offset = self.first_index + index * 7\r\n            self.f_db.seek(offset)\r\n            buf = self.f_db.read(7)\r\n            (ip, of1, of2) = struct.unpack(\"IHB\", buf)\r\n            address = self._get_addr(of1 + (of2 << 16))\r\n\r\n    def _set_ip_range(self, index):\r\n        offset = self.first_index + index * 7\r\n        self.f_db.seek(offset)\r\n        buf = self.f_db.read(7)\r\n        (self.cur_start_ip, of1, of2) = struct.unpack(\"IHB\", buf)\r\n        self.cur_end_ip_offset = of1 + (of2 << 16)\r\n        self.f_db.seek(self.cur_end_ip_offset)\r\n        buf = self.f_db.read(4)\r\n        (self.cur_end_ip,) = struct.unpack(\"I\", buf)\r\n\r\n    def get_addr_by_ip(self, ip):\r\n        '''\r\n        通过ip查找其地址\r\n        :param ip: (int or str)\r\n        :return: str\r\n        '''\r\n        if type(ip) == str:\r\n            ip = self.str2ip(ip)\r\n        L = 0\r\n        R = self.index_count - 1\r\n        while L < R - 1:\r\n            M = int((L + R) / 2)\r\n            self._set_ip_range(M)\r\n            if ip == self.cur_start_ip:\r\n                L = M\r\n                break\r\n            if ip > self.cur_start_ip:\r\n                L = M\r\n            else:\r\n                R = M\r\n        self._set_ip_range(L)\r\n        # version information, 255.255.255.X, urgy but useful\r\n        if ip & 0xffffff00 == 0xffffff00:\r\n            self._set_ip_range(R)\r\n        if self.cur_start_ip <= ip <= self.cur_end_ip:\r\n            address = self._get_addr(self.cur_end_ip_offset)\r\n        else:\r\n            address = \"未找到该IP的地址\"\r\n        return address\r\n\r\n    def get_ip_range(self, ip):\r\n        '''\r\n        返回ip所在记录的IP段\r\n        :param ip: ip(str or int)\r\n        :return: str\r\n        '''\r\n        if type(ip) == str:\r\n            ip = self.str2ip(ip)\r\n        self.get_addr_by_ip(ip)\r\n        range = self.ip2str(self.cur_start_ip) + ' - ' \\\r\n                + self.ip2str(self.cur_end_ip)\r\n        return range\r\n\r\n    def get_offset_string(self, offset=0):\r\n        '''\r\n        获取文件偏移处的字符串(以'\\0'结尾)\r\n        :param offset: 偏移\r\n        :return: str\r\n        '''\r\n        if offset:\r\n            self.f_db.seek(offset)\r\n        bs = b''\r\n        ch = self.f_db.read(1)\r\n        (byte,) = struct.unpack('B', ch)\r\n        while byte != 0:\r\n            bs += ch\r\n            ch = self.f_db.read(1)\r\n            (byte,) = struct.unpack('B', ch)\r\n        return bs.decode('gbk')\r\n\r\n    def ip2str(self, ip):\r\n        '''\r\n        整数IP转化为IP字符串\r\n        :param ip:\r\n        :return:\r\n        '''\r\n        return str(ip >> 24) + '.' + str((ip >> 16) & 0xff) + '.' + str((ip >> 8) & 0xff) + '.' + str(ip & 0xff)\r\n\r\n    def str2ip(self, s):\r\n        '''\r\n        IP字符串转换为整数IP\r\n        :param s:\r\n        :return:\r\n        '''\r\n        (ip,) = struct.unpack('I', socket.inet_aton(s))\r\n        return ((ip >> 24) & 0xff) | ((ip & 0xff) << 24) | ((ip >> 8) & 0xff00) | ((ip & 0xff00) << 8)\r\n\r\n    def getLong3(self, offset=0):\r\n        '''\r\n        3字节的数值\r\n        :param offset:\r\n        :return:\r\n        '''\r\n        if offset:\r\n            self.f_db.seek(offset)\r\n        bs = self.f_db.read(3)\r\n        (a, b) = struct.unpack('HB', bs)\r\n        return (b << 16) + a\r\n\r\n\r\ndef network():  # 获取对外网络连接情况\r\n    addr_list = str(psutil.net_connections()).split('sconn')\r\n    iptb = pt.PrettyTable()\r\n    iptb.field_names = ['进程名', 'IP', '端口', 'PID', '归属地址']\r\n    for addr in addr_list:\r\n        try:\r\n            if re.findall(r'raddr', addr) != []:  # 如果存在远程地址,就取出来\r\n                remote = addr.split('raddr')[-1]\r\n                local = addr.split('laddr')[-1]\r\n                ip = re.findall(r'ip=\\'(.+?)\\'', remote)[0]\r\n                port = re.findall(r'port=(.+?)\\)', local)[0]\r\n                pid = re.findall(r'pid=(.+?)\\)', remote)[0]\r\n                process = psutil.Process(int(pid)).name()\r\n                if ip != '127.0.0.1' and ip != '::1':\r\n                    IP_addr = CzIp().get_addr_by_ip(ip)\r\n                    iptb.add_row([process, ip, port, pid, IP_addr])\r\n        except:\r\n            pass\r\n    network = iptb\r\n    return network\r\n\r\n\r\n################日志分析模块#####################\r\ndef ostype():  # 判断系统类型和版本\r\n    try:\r\n        os_info = os.popen(\"cat /proc/version\").read()\r\n        sysnum = int(re.findall(r' (\\d+?)\\.', os_info, re.S)[0])  # 取出版本号\r\n        system = ''\r\n        try:\r\n            system = re.search('CentOS', os_info).group()\r\n        except:\r\n            pass\r\n        try:\r\n            system = re.search('Ubuntu', os_info).group()\r\n        except:\r\n            pass\r\n        try:\r\n            system = re.search('openSUSE', os_info).group()\r\n        except:\r\n            pass\r\n        try:\r\n            system = re.search('Red Hat', os_info).group()\r\n        except:\r\n            pass\r\n        try:\r\n            system = re.search('Debian', os_info).group()\r\n        except:\r\n            pass\r\n    except:\r\n        print('\\033[1;33m提示:系统类型获取失败,请手动输入系统类型和版本号\\033[0m')\r\n        print(\"\\033[1;33m系统类型只能'CentOS','Ubuntu','openSUSE','Red Hat','Debian' 其中一个,注意空格和大小写,输入其他无效\\033[0m\")\r\n        print(\"\\033[1;33m版本号请输入整数,如:6\\033[0m\")\r\n        system = input('系统类型:')\r\n        sysnum = int(input('版本号:'))\r\n    return system, sysnum\r\n\r\n\r\ndef pid_fileinfo(pid):  # 根据pid获取进程路径等信息\r\n    fileinfo = os.popen(\"ls -all /proc/{} |grep \\\"exe ->\\\"\".format(pid)).read()\r\n    return fileinfo\r\n\r\ndef log_burp_ip(system):  # 定位有哪些IP在爆破\r\n    burp_ip = \"\"\r\n    if system == 'CentOS' or system == 'Red Hat':\r\n        burp_ip = os.popen(\r\n            \"grep \\\"Failed\\\" /var/log/secure*|grep -E -o \\\"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\"|uniq -c\").read()\r\n    elif system == 'Ubuntu' or system == 'Debian':\r\n        burp_ip = os.popen(\r\n            \"grep \\\"Failed\\\" /var/log/auth.log*|grep -E -o \\\"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\"|uniq -c\").read()\r\n    elif system == 'openSUSE':\r\n        burp_ip = os.popen(\r\n            \"grep \\\"Failed\\\" /var/log/messages*|grep -E -o \\\"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\"|uniq -c\").read()\r\n    return burp_ip\r\n\r\n\r\ndef log_burp_user(system):  # 被爆破用户名是什么\r\n    burp_user = ''\r\n    if system == 'CentOS' or system == 'Red Hat':\r\n        burp_user = os.popen(\r\n            \"grep \\\"Failed\\\" /var/log/secure*|perl -e 'while($_=<>){ /for(.*?) from/; print \\\"$1\\n\\\";}'|uniq -c|sort -nr\").read()\r\n    elif system == 'Ubuntu' or system == 'Debian':\r\n        burp_user = os.popen(\r\n            \"grep \\\"Failed\\\" /var/log/auth.log*|perl -e 'while($_=<>){ /for(.*?) from/; print \\\"$1\\n\\\";}'|uniq -c|sort -nr\").read()\r\n    elif system == 'openSUSE':\r\n        burp_user = os.popen(\r\n            \"grep \\\"Failed\\\" /var/log/messages*|perl -e 'while($_=<>){ /for(.*?) from/; print \\\"$1\\n\\\";}'|uniq -c|sort -nr\").read()\r\n    return burp_user\r\n\r\n\r\ndef log_success_ip(system):  # 登录成功的 IP 有哪些\r\n    success_ip = ''\r\n    if system == 'CentOS' or system == 'Red Hat':\r\n        success_ip = os.popen(\r\n            \"grep \\\"Accepted \\\" /var/log/secure* | awk '{print $11}' | sort | uniq -c | sort -nr | more\").read()\r\n    elif system == 'Ubuntu' or system == 'Debian':\r\n        success_ip = os.popen(\r\n            \"grep \\\"Accepted \\\" /var/log/auth.log* | awk '{print $11}' | sort | uniq -c | sort -nr | more\").read()\r\n    elif system == 'openSUSE':\r\n        success_ip = os.popen(\r\n            \"grep \\\"Accepted \\\" /var/log/messages* | awk '{print $11}' | sort | uniq -c | sort -nr | more\").read()\r\n    return success_ip\r\n\r\n\r\ndef log_success_info(system):  # 登录成功的日期、用户名、IP\r\n    success_info = ''\r\n    if system == 'CentOS' or system == 'Red Hat':\r\n        success_info = os.popen(\"grep \\\"Accepted \\\" /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'\").read()\r\n    elif system == 'Ubuntu' or system == 'Debian':\r\n        success_info = os.popen(\"grep \\\"Accepted \\\" /var/log/auth.log* | awk '{print $1,$2,$3,$9,$11}'\").read()\r\n    elif system == 'openSUSE':\r\n        success_info = os.popen(\"grep \\\"Accepted \\\" /var/log/messages* | awk '{print $1,$2,$3,$9,$11}'\").read()\r\n    return success_info\r\n\r\n\r\ndef cron():  # 所有用户的定时任务\r\n    cmd = os.popen(\"cd /var/spool/cron && ls\").read()  # 直接到定时任务保存的位置看有没有\r\n    timingtask_list = re.split(r'\\n', cmd)\r\n    del (timingtask_list[-1])  # 删除最后一个空值\r\n    if timingtask_list != []:\r\n        all_timingtask = ''\r\n        for user in timingtask_list:\r\n            path = \"cat /var/spool/cron/{0}\".format(user)\r\n            info = os.popen(path).read()\r\n            timingtask = '\\033[1;33m用户【{0}】的定时任务有:\\033[0m\\n{1}\\n'.format(user, info)\r\n            all_timingtask = all_timingtask + timingtask\r\n    else:\r\n        all_timingtask = '\\033[1;33m没有定时任务\\033[0m'\r\n    return all_timingtask\r\n\r\n\r\ndef cron_file(day):  # 按时间检查crontab文件或脚本\r\n    cron.d = os.popen(\"find /etc/cron.d/ -mtime -{}\".format(day)).read()\r\n    cron.hourly = os.popen(\"find /etc/cron.hourly/ -mtime -{}\".format(day)).read()\r\n    cron.daily = os.popen(\"find /etc/cron.daily/ -mtime -{}\".format(day)).read()\r\n    cron.weekly = os.popen(\"find /etc/cron.weekly/ -mtime -{}\".format(day)).read()\r\n    cron.monthly = os.popen(\"find /etc/cron.monthly/ -mtime -{}\".format(day)).read()\r\n    cron_file_output = \"\\033[1;33m------------------------------/etc/cron.d/-------------------------------\\033[0m\\n{}\\n\\033[1;33m---------------------------/etc/cron.hourly/-----------------------------\\033[0m\\n{}\\n\\033[1;33m----------------------------/etc/cron.daily/-----------------------------\\033[0m\\n{}\\n\\033[1;33m---------------------------/etc/cron.weekly/-----------------------------\\033[0m\\n{}\\n\\033[1;33m---------------------------/etc/cron.monthly/----------------------------\\033[0m\\n{}\\n\".format(\r\n        cron.d, cron.hourly, cron.daily, cron.weekly, cron.monthly)\r\n    return cron_file_output\r\n\r\n\r\ndef starup(day):  # 按检查启动项\r\n    rc_local = os.popen(\"cat /etc/rc.local\").read()\r\n    init_d = os.popen(\"find /etc/init.d/ -mtime -{}\".format(day)).read()\r\n    rc0_d = os.popen(\"find /etc/rc0.d/ -mtime -{}\".format(day)).read()\r\n    rc1_d = os.popen(\"find /etc/rc1.d/ -mtime -{}\".format(day)).read()\r\n    rc2_d = os.popen(\"find /etc/rc2.d/ -mtime -{}\".format(day)).read()\r\n    rc3_d = os.popen(\"find /etc/rc3.d/ -mtime -{}\".format(day)).read()\r\n    rc4_d = os.popen(\"find /etc/rc4.d/ -mtime -{}\".format(day)).read()\r\n    rc5_d = os.popen(\"find /etc/rc5.d/ -mtime -{}\".format(day)).read()\r\n    rc6_d = os.popen(\"find /etc/rc6.d/ -mtime -{}\".format(day)).read()\r\n    rc_d = os.popen(\"find /etc/init/rc.d/ -mtime -{}\".format(day)).read()\r\n    starup_output = \"\\033[1;33m------------------------------/etc/rc.local------------------------------\\033[0m\\n{}\\n\\033[1;33m-------------------------------/etc/init.d/------------------------------\\033[0m\\n{}\\n\\033[1;33m-------------------------------/etc/rc0.d/-------------------------------\\033[0m\\n{}\\n\\033[1;33m-------------------------------/etc/rc1.d/-------------------------------\\033[0m\\n{}\\n\\033[1;33m-------------------------------/etc/rc2.d/-------------------------------\\033[0m\\n{}\\n\\033[1;33m-------------------------------/etc/rc3.d/-------------------------------\\033[0m\\n{}\\n\\033[1;33m-------------------------------/etc/rc4.d/-------------------------------\\033[0m\\n{}\\n\\033[1;33m-------------------------------/etc/rc5.d/-------------------------------\\033[0m\\n{}\\n\\033[1;33m-------------------------------/etc/rc6.d/-------------------------------\\033[0m\\n{}\\n\\033[1;33m-----------------------------/etc/init/rc.d/-----------------------------\\033[0m\\n\".format(\r\n        rc_local, init_d, rc0_d, rc1_d, rc2_d, rc3_d, rc4_d, rc5_d, rc6_d, rc_d)\r\n    return starup_output\r\n\r\ndef osfile(day):#查看系统进程是否被劫持\r\n    osfile=os.popen(\"find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -mtime -{}\".format(day)).read()\r\n    return osfile\r\n\r\ndef changefile(all):#查看系统中指定类型文件的修改\r\n    changefile=os.popen(\"find {} -mtime -{} -name \\\"*.{}\\\"\".format(all[0],all[1],all[2])).read()\r\n    return changefile\r\n\r\ndef permfile(all):#查看系统中指定权限的文件\r\n    permfile=os.popen(\"find {} -name \\\"*.{}\\\" -perm {}\".format(all[0],all[1],all[2])).read()\r\n    return permfile\r\n\r\ndef account_check():  # 检查账户情况\r\n    account_list = []\r\n    cmd = os.popen(\"cat /etc/passwd | grep '/bin/bash'\").read()\r\n    user_list = re.split(r'\\n', cmd)[:-1]\r\n    result=''\r\n    for i in user_list:\r\n        user=re.findall('(.+?):',i)[0]\r\n        account_list.append(user)\r\n        user_info=os.popen(\"chage --list {}\".format(user)).read().replace(' ','')\r\n        result+=\"\\033[1;33m可登录的账户:\\033[0m{0}\\n\\033[1;33m账户详情:\\033[0m\\n{1}\\n\".format(user,user_info)\r\n\r\n    anonymous_account = os.popen(\"awk -F: 'length($2)==0 {print $1}' /etc/shadow\").read()\r\n    account = '{0}\\n\\033[1;33m空口令用户:\\033[0m\\n{1}\\n'.format(result, anonymous_account)\r\n    return account_list,account\r\n\r\ndef history():\r\n    history=\"\"\r\n    user_list=account_check()[0]\r\n    try:\r\n        for user in user_list:\r\n            if user!='root':\r\n                minggan=os.popen(\"cat /home/{}/.bash_history |grep -E \\\"wget|curl|http|rsync|sftp|ssh|scp|rcp|python|java|chmod|ftp|bash|zip|tar\\\"\".format(user)).read()\r\n                history+=\"\\033[1;33m{}用户下的敏感历史命令:\\033[0m\\n{}\\n\".format(user,minggan)\r\n            else:\r\n                minggan = os.popen(\"cat /root/.bash_history |grep -E \\\"wget|curl|http|rsync|sftp|ssh|scp|rcp|python|java|chmod|ftp|bash|zip|tar\\\"\").read()\r\n                history += \"\\033[1;33m{}用户下的敏感历史命令:\\033[0m\\n{}\\n\".format(user, minggan)\r\n    except:\r\n        pass\r\n    return history\r\n\r\ndef webshell_scan(path):\r\n    webshell = pt.PrettyTable()\r\n    webshell.field_names = ['Path', 'LastChange']\r\n    webshell.align[\"Path\"] = \"l\"  # 路径字段靠右显示\r\n    rule = yara.compile(filepath=r'rules/webshell.yar')\r\n    print('\\033[1;34m读取待检测文件中...\\033[0m')\r\n    all = os.popen(\"find \" + path).read().split('\\n')\r\n    file_list = []  # 过滤后的文件列表\r\n    print('\\033[1;32m读取完毕,开始过滤...\\033[0m')\r\n    for file in all:  # 过滤掉部分文件\r\n        try:\r\n            fsize = os.path.getsize(file) / float(1024 * 1024)\r\n        except:\r\n            fsize = 6\r\n        if fsize <= 5:  # 只检测小于5M的文件\r\n            file_list.append(file)\r\n    print('\\033[1;32m过滤完毕,开始扫描...\\033[0m')\r\n    for i in range(len(file_list)):\r\n        sys.stdout.write('\\033[K' + '\\r')\r\n        print('\\r','[{0}/{1}]检测中,耐心等待哦~'.format(str(i), str(len(file_list))),end=' ')\r\n        try:\r\n            with open(file_list[i], 'rb') as f:\r\n                matches = rule.match(data=f.read())\r\n        except:\r\n            matches = []\r\n        try:\r\n            if matches != []:\r\n                time_chuo = time.localtime(os.path.getmtime(file_list[i]))  # 最后修改时间戳\r\n                lasttime = time.strftime(\"%Y--%m--%d %H:%M:%S\", time_chuo)  # 最后修改时间\r\n                warning = ('\\033[1;31m\\n告警:检测到标签{0},文件位置{1}\\033[0m'.format(matches, file_list[i]))\r\n                webshell.add_row([file_list[i], lasttime])\r\n                print(warning)\r\n        except:\r\n            pass\r\n    print('\\033[1;32m\\n所有文件扫描完成,结果如下:\\n\\033[0m')\r\n    print(webshell)\r\n\r\ndef file_scan(path):\r\n    webshell = pt.PrettyTable()\r\n    webshell.field_names = ['Path', 'LastChange']\r\n    webshell.align[\"Path\"] = \"l\"  # 路径字段靠右显示\r\n    rule = yara.compile(filepath=r'rules/xunjian.yar')\r\n    print('\\033[1;34m读取待检测文件中...\\033[0m')\r\n    all = os.popen(\"find \" + path).read().split('\\n')\r\n    file_list = []  # 过滤后的文件列表\r\n    print('\\033[1;32m读取完毕,开始过滤...\\033[0m')\r\n    for file in all:  # 过滤掉部分文件\r\n        try:\r\n            fsize = os.path.getsize(file) / float(1024 * 1024)\r\n        except:\r\n            fsize = 6\r\n        if fsize <= 5:  # 只检测小于5M的文件\r\n            file_list.append(file)\r\n    print('\\033[1;32m过滤完毕,开始扫描...\\033[0m')\r\n    for i in range(len(file_list)):\r\n        sys.stdout.write('\\033[K' + '\\r')\r\n        print('\\r','[{0}/{1}]检测中,耐心等待哦~'.format(str(i), str(len(file_list))),end=' ')\r\n        try:\r\n            with open(file_list[i], 'rb') as f:\r\n                matches = rule.match(data=f.read())\r\n        except:\r\n            matches = []\r\n        try:\r\n            if matches != []:\r\n                time_chuo = time.localtime(os.path.getmtime(file_list[i]))  # 最后修改时间戳\r\n                lasttime = time.strftime(\"%Y--%m--%d %H:%M:%S\", time_chuo)  # 最后修改时间\r\n                warning = ('\\033[1;31m\\n告警:检测到标签{0},文件位置{1}\\033[0m'.format(matches, file_list[i]))\r\n                webshell.add_row([file_list[i], lasttime])\r\n                print(warning)\r\n        except:\r\n            pass\r\n    print('\\033[1;32m\\n所有文件扫描完成,结果如下:\\n\\033[0m')\r\n    print(webshell)\r\n\r\n################################################\r\nparser = argparse.ArgumentParser(description='本工具可帮你快速定位很多关键问题,将化复杂繁琐的命令为简单。\\n应急响应工具为辅,但不要只依赖于工具哦')\r\nparser.add_argument(\"-user\", action='store_true',help='用于查看系统可登录账户和空口令账户(无参数)')\r\nparser.add_argument(\"-history\", action='store_true',help='用于查看所有用户的敏感历史命令(无参数)')\r\nparser.add_argument(\"-cron\", action='store_true',help='用于查看所有用户的定时任务(无参数)')\r\nparser.add_argument(\"-ip\", action='store_true',help='用于查看外连ip(无参数)')\r\nparser.add_argument(\"--pid\", type=str,metavar='1234',help='用于定位进程物理路径(参数为pid号)')\r\nparser.add_argument(\"--ssh-fip\", action='store_true',help='用于查看ssh登录失败的ip和次数(无参数)')\r\nparser.add_argument(\"--ssh-fuser\", action='store_true',help='用于查看ssh登录失败的用户和次数(无参数)')\r\nparser.add_argument(\"--ssh-sip\", action='store_true',help='用于查看ssh登录成功的ip和次数(无参数)')\r\nparser.add_argument(\"--ssh-sinfo\", action='store_true',help='用于查看ssh登录成功的用户详情(无参数)')\r\nparser.add_argument(\"--file-cron\", type=str,metavar='7',help='用于查看系统各个级别定时任务目录中,n天内被修改的文件(参数为天数)')\r\nparser.add_argument(\"--file-starup\", type=str,metavar='7',help='用于查看系统启动项目录中,n天内被修改的文件(参数为天数)')\r\nparser.add_argument(\"--file-os\", type=str,metavar='7',help='用于查看系统重要目录中,n天内被修改的文件(参数为天数)')\r\nparser.add_argument(\"--file-change\", nargs=3,metavar=('/www', '7', 'php'),help='用于查看在n天内指定目录中指定后缀的被修改的文件(参数为物理路径、天数、后缀)')\r\nparser.add_argument(\"--file-perm\", nargs=3,metavar=('/www', 'jsp', '777'),help='用于查看指定目录下指定后缀指定权限的文件(参数为物理路径、后缀、天数)')\r\nparser.add_argument(\"--s-backdoor\", type=str,metavar='/home',help='用于检测指定路径下的恶意样本(参数为物理路径)')\r\nparser.add_argument(\"--s-webshell\", type=str,metavar='/var/www',help='用于检测指定路径下的webshell(参数为物理路径)')\r\nargs = parser.parse_args()\r\n\r\n\r\nsys_tup = ostype()  # 判断系统类型\r\nsystem = sys_tup[0]\r\nsysnum = sys_tup[1]\r\n\r\nbanner = '''\\033[1;34m\r\n           ██╗    ██╗██╗  ██╗ ██████╗ ██████╗ ██╗  ██╗██╗  ██╗\r\n           ██║    ██║██║  ██║██╔═══██╗╚════██╗██║  ██║██║ ██╔╝\r\n           ██║ █╗ ██║███████║██║   ██║  ▄███╔╝███████║█████╔╝ \r\n           ██║███╗██║██╔══██║██║   ██║  ▀▀══╝ ██╔══██║██╔═██╗ \r\n           ╚███╔███╔╝██║  ██║╚██████╔╝  ██╗   ██║  ██║██║  ██╗\r\n            ╚══╝╚══╝ ╚═╝  ╚═╝ ╚═════╝   ╚═╝   ╚═╝  ╚═╝╚═╝  ╚═╝\r\n        \r\n           公众号:台下言书     作者:说书人     版本:v1.1\\033[0m\r\n           \r\n\\033[1;36m-------------------------------系统信息----------------------------------\\033[0m\r\n{}\r\n\\033[1;36m-------------------------------output------------------------------------\\033[0m\r\n'''.format(system_state())\r\nprint(banner)\r\ncheckroot()\r\n\r\nif args.ip:\r\n    print(network())\r\nelif args.pid:\r\n    print(pid_fileinfo(args.pid))\r\nelif args.ssh_fip:\r\n    print(log_burp_ip(system))\r\nelif args.ssh_fuser:\r\n    print(log_burp_user(system))\r\nelif args.ssh_sip:\r\n    print(log_success_ip(system))\r\nelif args.ssh_sinfo:\r\n    print(log_success_info(system))\r\nelif args.cron:\r\n    print(cron())\r\nelif args.file_cron:\r\n    print(cron_file(args.file_cron))\r\nelif args.file_starup:\r\n    print(starup(args.file_starup))\r\nelif args.file_os:\r\n    print(osfile(args.file_os))\r\nelif args.file_change:\r\n    print(changefile(args.file_change))\r\nelif args.file_perm:\r\n    print(permfile(args.file_perm))\r\nelif args.user:\r\n    print(account_check()[1])\r\nelif args.history:\r\n    print(history())\r\nelif args.s_backdoor:\r\n    file_scan(args.s_backdoor)\r\nelif args.s_webshell:\r\n    webshell_scan(args.s_webshell)\r\nelse:\r\n    print(\"\\033[1;33m可以带上参数 -h 或者 --help 来查看工具使用说明哦~\\033[0m\")\r\nprint(\"\\033[1;36m-------------------------------------------------------------------------\\033[0m\")"
  }
]