// https://otx.alienvault.com/pulse/5977d20f481b4c736cf5f810 rule WMI_VM_Detect : WMI_VM_Detect { meta: version = 2 threat = "Using WMI to detect virtual machines via querying video card information" behaviour_class = "Evasion" author = "Joe Giron" date = "2015-09-25" description = "Detection of Virtual Appliances through the use of WMI for use of evasion." strings: $selstr = "SELECT Description FROM Win32_VideoController" nocase ascii wide $selstr2 = "SELECT * FROM Win32_VideoController" nocase ascii wide $vm1 = "virtualbox graphics adapter" nocase ascii wide $vm2 = "vmware svga ii" nocase ascii wide $vm3 = "vm additions s3 trio32/64" nocase ascii wide $vm4 = "parallel" nocase ascii wide $vm5 = "remotefx" nocase ascii wide $vm6 = "cirrus logic" nocase ascii wide $vm7 = "matrox" nocase ascii wide condition: any of ($selstr*) and any of ($vm*) } // https://otx.alienvault.com/pulse/5977d4dbf7cda57edf57bdbd rule bleedinglife2_adobe_2010_2884_exploit : EK { meta: author = "Josh Berry" date = "2016-06-26" description = "BleedingLife2 Exploit Kit Detection" hash0 = "b22ac6bea520181947e7855cd317c9ac" sample_filetype = "unknown" yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" strings: $string0 = "_autoRepeat" $string1 = "embedFonts" $string2 = "KeyboardEvent" $string3 = "instanceStyles" $string4 = "InvalidationType" $string5 = "autoRepeat" $string6 = "getScaleX" $string7 = "RadioButton_selectedDownIcon" $string8 = "configUI" $string9 = "deactivate" $string10 = "fl.controls:Button" $string11 = "_mouseStateLocked" $string12 = "fl.core.ComponentShim" $string13 = "toString" $string14 = "_group" $string15 = "addRadioButton" $string16 = "inCallLaterPhase" $string17 = "oldMouseState" condition: 17 of them } rule bleedinglife2_jar2 : EK { meta: author = "Josh Berry" date = "2016-06-26" description = "BleedingLife2 Exploit Kit Detection" hash0 = "2bc0619f9a0c483f3fd6bce88148a7ab" sample_filetype = "unknown" yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" 
strings: $string0 = "META-INF/MANIFEST.MFPK" $string1 = "RequiredJavaComponent.classPK" $string2 = "META-INF/JAVA.SFm" $string3 = "RequiredJavaComponent.class" $string4 = "META-INF/MANIFEST.MF" $string5 = "META-INF/JAVA.DSAPK" $string6 = "META-INF/JAVA.SFPK" $string7 = "5EVTwkx" $string8 = "META-INF/JAVA.DSA3hb" $string9 = "y\\Dw -" condition: 9 of them } rule bleedinglife2_adobe_2010_1297_exploit : EK PDF { meta: author = "Josh Berry" date = "2016-06-26" description = "BleedingLife2 Exploit Kit Detection" hash0 = "8179a7f91965731daa16722bd95f0fcf" sample_filetype = "unknown" yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" strings: $string0 = "getSharedStyle" $string1 = "currentCount" $string2 = "String" $string3 = "setSelection" $string4 = "BOTTOM" $string5 = "classToInstancesDict" $string6 = "buttonDown" $string7 = "focusRect" $string8 = "pill11" $string9 = "TEXT_INPUT" $string10 = "restrict" $string11 = "defaultButtonEnabled" $string12 = "copyStylesToChild" $string13 = " xmlns:xmpMM" $string14 = "_editable" $string15 = "classToDefaultStylesDict" $string16 = "IMEConversionMode" $string17 = "Scene 1" condition: 17 of them } // https://otx.alienvault.com/pulse/560c150e67db8c47d4ce2b14 rule LinuxTsunami { meta: Author = "@benkow_" Date = "2014/09/12" Description = "Strings inside" Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483" strings: $a = "PRIVMSG %s :[STD]Hitting %s" $b = "NOTICE %s :TSUNAMI " $c = "NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually." 
condition: $a or $b or $c } rule LinuxElknot { meta: Author = "@benkow_" Date = "2013/12/24" Description = "Strings inside" Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3099" strings: $a = "ZN8CUtility7DeCryptEPciPKci" $b = "ZN13CThreadAttack5StartEP11CCmdMessage" condition: all of them } rule exploit { meta: author="xorseed" reference= "https://stuff.rop.io/" strings: $xpl1 = "set_fs_root" nocase ascii wide $xpl2 = "set_fs_pwd" nocase ascii wide $xpl3 = "__virt_addr_valid" nocase ascii wide $xpl4 = "init_task" nocase ascii wide $xpl5 = "init_fs" nocase ascii wide $xpl6 = "bad_file_ops" nocase ascii wide $xpl7 = "bad_file_aio_read" nocase ascii wide $xpl8 = "security_ops" nocase ascii wide $xpl9 = "default_security_ops" nocase ascii wide $xpl10 = "audit_enabled" nocase ascii wide $xpl11 = "commit_creds" nocase ascii wide $xpl12 = "prepare_kernel_cred" nocase ascii wide $xpl13 = "ptmx_fops" nocase ascii wide $xpl14 = "node_states" nocase ascii wide condition: 7 of them } rule LinuxMrBlack { meta: Author = "@benkow_" Date = "2014/09/12" Description = "Strings inside" Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483" strings: $a = "Mr.Black" $b = "VERS0NEX:%s|%d|%d|%s" condition: $a and $b } rule LinuxBillGates { meta: Author = "@benkow_" Date = "2014/08/11" Description = "Strings inside" Reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3429" strings: $a= "12CUpdateGates" $b= "11CUpdateBill" condition: $a and $b } rule rootkit { meta: author="xorseed" reference= "https://stuff.rop.io/" strings: $sys1 = "sys_write" nocase ascii wide $sys2 = "sys_getdents" nocase ascii wide $sys3 = "sys_getdents64" nocase ascii wide $sys4 = "sys_getpgid" nocase ascii wide $sys5 = "sys_getsid" nocase ascii wide $sys6 = "sys_setpgid" nocase ascii wide $sys7 = "sys_kill" nocase ascii wide $sys8 = "sys_tgkill" nocase ascii wide $sys9 = "sys_tkill" nocase ascii wide $sys10 = "sys_sched_setscheduler" nocase ascii wide $sys11 = 
"sys_sched_setparam" nocase ascii wide $sys12 = "sys_sched_getscheduler" nocase ascii wide $sys13 = "sys_sched_getparam" nocase ascii wide $sys14 = "sys_sched_setaffinity" nocase ascii wide $sys15 = "sys_sched_getaffinity" nocase ascii wide $sys16 = "sys_sched_rr_get_interval" nocase ascii wide $sys17 = "sys_wait4" nocase ascii wide $sys18 = "sys_waitid" nocase ascii wide $sys19 = "sys_rt_tgsigqueueinfo" nocase ascii wide $sys20 = "sys_rt_sigqueueinfo" nocase ascii wide $sys21 = "sys_prlimit64" nocase ascii wide $sys22 = "sys_ptrace" nocase ascii wide $sys23 = "sys_migrate_pages" nocase ascii wide $sys24 = "sys_move_pages" nocase ascii wide $sys25 = "sys_get_robust_list" nocase ascii wide $sys26 = "sys_perf_event_open" nocase ascii wide $sys27 = "sys_uname" nocase ascii wide $sys28 = "sys_unlink" nocase ascii wide $sys29 = "sys_unlikat" nocase ascii wide $sys30 = "sys_rename" nocase ascii wide $sys31 = "sys_read" nocase ascii wide $sys32 = "kobject_del" nocase ascii wide $sys33 = "list_del_init" nocase ascii wide $sys34 = "inet_ioctl" nocase ascii wide condition: 9 of them } // https://otx.alienvault.com/pulse/59152852e159ed10ba8631ec rule invalid_XObject_js : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" description = "XObject's require v1.4+" ref = "https://blogs.adobe.com/ReferenceXObjects/" version = "0.1" weight = 2 strings: $magic = { 25 50 44 46 } $ver = /%PDF-1\.[4-9]/ $attrib0 = /\/XObject/ $attrib1 = /\/JavaScript/ condition: $magic in (0..1024) and not $ver and all of ($attrib*) } rule suspicious_creator : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 3 strings: $magic = { 25 50 44 46 } $header = /%PDF-1\.(3|4|6)/ $creator0 = "yen vaw" $creator1 = "Scribus" $creator2 = "Viraciregavi" condition: $magic in (0..1024) and $header and 1 of ($creator*) } rule XDP_embedded_PDF : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" ref = 
"http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp" weight = 1 strings: $s1 = "" $s3 = "" $header0 = "%PDF" $header1 = "JVBERi0" condition: all of ($s*) and 1 of ($header*) } rule multiple_filtering : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.2" weight = 3 strings: $magic = { 25 50 44 46 } $attrib = /\/Filter.*(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/ // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt condition: $magic in (0..1024) and $attrib } rule suspicious_author : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 4 strings: $magic = { 25 50 44 46 } $header = /%PDF-1\.(3|4|6)/ $author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1" $author1 = "ser pes" $author2 = "Miekiemoes" $author3 = "Nsarkolke" condition: $magic in (0..1024) and $header and 1 of ($author*) } rule suspicious_js : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 3 strings: $magic = { 25 50 44 46 } $attrib0 = /\/OpenAction / $attrib1 = /\/JavaScript / $js0 = "eval" $js1 = "Array" $js2 = "String.fromCharCode" condition: $magic in (0..1024) and all of ($attrib*) and 2 of ($js*) } rule suspicious_obfuscation : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 2 strings: $magic = { 25 50 44 46 } $reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/ condition: $magic in (0..1024) and #reg > 5 } rule PDF_Embedded_Exe : PDF { meta: ref = "https://github.com/jacobsoo/Yara-Rules/blob/master/PDF_Embedded_Exe.yar" strings: $header = {25 50 44 46} $Launch_Action = {3C 3C 2F 53 2F 4C 61 75 6E 63 68 2F 54 79 70 65 2F 41 63 74 69 6F 6E 2F 57 69 6E 3C 3C 2F 46} $exe = {3C 3C 2F 45 6D 62 65 64 64 65 64 46 69 6C 65 73} condition: $header at 0 and $Launch_Action and $exe } rule suspicious_creation : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 2 strings: $magic = { 25 50 44 46 } 
$header = /%PDF-1\.(3|4|6)/ $create0 = /CreationDate \(D:20101015142358\)/ $create1 = /CreationDate \(2008312053854\)/ condition: $magic in (0..1024) and $header and 1 of ($create*) } rule shellcode_blob_metadata : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded" weight = 4 strings: $magic = { 25 50 44 46 } $reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode $reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/ $reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/ $reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/ $reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/ $reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/ condition: $magic in (0..1024) and 1 of ($reg*) } rule suspicious_producer : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 2 strings: $magic = { 25 50 44 46 } $header = /%PDF-1\.(3|4|6)/ $producer0 = /Producer \(Scribus PDF Library/ $producer1 = "Notepad" condition: $magic in (0..1024) and $header and 1 of ($producer*) } rule suspicious_title : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 4 strings: $magic = { 25 50 44 46 } $header = /%PDF-1\.(3|4|6)/ $title0 = "who cis" $title1 = "P66N7FF" $title2 = "Fohcirya" condition: $magic in (0..1024) and $header and 1 of ($title*) } rule suspicious_launch_action : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" weight = 2 strings: $magic = { 25 50 44 46 } $attrib0 = /\/Launch/ $attrib1 = /\/URL / $attrib2 = /\/Action/ $attrib3 = /\/OpenAction/ $attrib4 = /\/F / condition: $magic in (0..1024) and 3 of ($attrib*) } rule BlackHole_v2 : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html" weight = 
3 strings: $magic = { 25 50 44 46 } $content = "Index[5 1 7 1 9 4 23 4 50" condition: $magic in (0..1024) and $content } rule suspicious_embed : PDF raw { meta: author = "Glenn Edwards (@hiddenillusion)" version = "0.1" ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/" weight = 2 strings: $magic = { 25 50 44 46 } $meth0 = /\/Launch/ $meth1 = /\/GoTo(E|R)/ //means go to embedded or remote $attrib0 = /\/URL / $attrib1 = /\/Action/ $attrib2 = /\/Filespec/ condition: $magic in (0..1024) and 1 of ($meth*) and 2 of ($attrib*) } // https://otx.alienvault.com/pulse/5621208f4637f21ecf2aac36 rule SLServer_command_and_control { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for the C2 server." ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $c2 = "safetyssl.security-centers.com" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $c2 } rule dubseven_dropper_registry_checks { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for registry keys checked for by the dropper" strings: $reg1 = "SOFTWARE\\360Safe\\Liveup" $reg2 = "Software\\360safe" $reg3 = "SOFTWARE\\kingsoft\\Antivirus" $reg4 = "SOFTWARE\\Avira\\Avira Destop" $reg5 = "SOFTWARE\\rising\\RAV" $reg6 = "SOFTWARE\\JiangMin" $reg7 = "SOFTWARE\\Micropoint\\Anti-Attack" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of ($reg*) } rule dubseven_dropper_dialog_remains { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for related dialog remnants. How rude." 
strings: $dia1 = "fuckMessageBox 1.0" wide $dia2 = "Rundll 1.0" wide condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and any of them } rule dubseven_file_set { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for service files loading UP007" strings: $file1 = "\\Microsoft\\Internet Explorer\\conhost.exe" $file2 = "\\Microsoft\\Internet Explorer\\dll2.xor" $file3 = "\\Microsoft\\Internet Explorer\\HOOK.DLL" $file4 = "\\Microsoft\\Internet Explorer\\main.dll" $file5 = "\\Microsoft\\Internet Explorer\\nvsvc.exe" $file6 = "\\Microsoft\\Internet Explorer\\SBieDll.dll" $file7 = "\\Microsoft\\Internet Explorer\\mon" $file8 = "\\Microsoft\\Internet Explorer\\runas.exe" condition: //MZ header //PE signature //Just a few of these as they differ uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of ($file*) } rule SLServer_mutex { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for the mutex." ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $mutex = "M&GX^DSF&DA@F" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $mutex } rule SLServer_campaign_code { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for the related campaign code." ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $campaign = "wthkdoc0106" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $campaign } rule SLServer_unknown_string { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Searches for a unique string." 
ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $string = "test-b7fa835a39" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $string } rule maindll_mutex { meta: author = "Matt Brooks, @cmatthewbrooks" desc = "Matches on the maindll mutex" ref = "https://citizenlab.org/2016/04/between-hong-kong-and-burma/" strings: $mutex = "h31415927tttt" condition: //MZ header //PE signature uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $mutex } // https://otx.alienvault.com/pulse/577c802c52c9260135acd45f rule spyeye : banker { meta: author = "Jean-Philippe Teissier / @Jipe_" description = "SpyEye X.Y memory" date = "2012-05-23" version = "1.0" filetype = "memory" strings: $spyeye = "SpyEye" $a = "%BOTNAME%" $b = "globplugins" $c = "data_inject" $d = "data_before" $e = "data_after" $f = "data_end" $g = "bot_version" $h = "bot_guid" $i = "TakeBotGuid" $j = "TakeGateToCollector" $k = "[ERROR] : Omfg! Process is still active? Lets kill that mazafaka!" 
$l = "[ERROR] : Update is not successfull for some reason" $m = "[ERROR] : dwErr == %u" $n = "GRABBED DATA" condition: $spyeye or (any of ($a,$b,$c,$d,$e,$f,$g,$h,$i,$j,$k,$l,$m,$n)) } // https://otx.alienvault.com/pulse/58a3af44ac64af2dd71c3985 rule OlyxStrings : Olyx Family { meta: description = "Olyx Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-19" strings: $ = "/Applications/Automator.app/Contents/MacOS/DockLight" condition: any of them } rule OlyxCode : Olyx Family { meta: description = "Olyx code tricks" author = "Seth Hardy" last_modified = "2014-06-19" strings: $six = { C7 40 04 36 36 36 36 C7 40 08 36 36 36 36 } $slash = { C7 40 04 5C 5C 5C 5C C7 40 08 5C 5C 5C 5C } condition: any of them } rule PubSabStrings : PubSab Family { meta: description = "PubSab Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-19" strings: $ = "_deamon_init" $ = "com.apple.PubSabAgent" $ = "/tmp/screen.jpeg" condition: any of them } rule PubSabCode : PubSab Family { meta: description = "PubSab code tricks" author = "Seth Hardy" last_modified = "2014-06-19" strings: $decrypt = { 6B 45 E4 37 89 CA 29 C2 89 55 E4 } condition: any of them } rule RookieStrings : Rookie Family { meta: description = "Rookie Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-25" strings: $ = "RookIE/1.0" condition: any of them } rule RookieCode : Rookie Family { meta: description = "Rookie code features" author = "Seth Hardy" last_modified = "2014-06-25" strings: // hidden AutoConfigURL $ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 } // hidden ProxyEnable $ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 } // xor on rand value? 
$ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 } condition: any of them } rule RooterCode : Rooter Family { meta: description = "Rooter code features" author = "Seth Hardy" last_modified = "2014-07-10" strings: // xor 0x30 decryption $ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 } condition: any of them } rule SafeNetCode : SafeNet Family { meta: description = "SafeNet code features" author = "Seth Hardy" last_modified = "2014-07-16" strings: // add edi, 14h; cmp edi, 50D0F8h $ = { 83 C7 14 81 FF F8 D0 40 00 } condition: any of them } rule SafeNetStrings : SafeNet Family { meta: description = "Strings used by SafeNet" author = "Seth Hardy" last_modified = "2014-07-16" strings: $ = "6dNfg8Upn5fBzGgj8licQHblQvLnUY19z5zcNKNFdsDhUzuI8otEsBODrzFCqCKr" $ = "/safe/record.php" $ = "_Rm.bat" wide ascii $ = "try\x0d\x0a\x09\x09\x09\x09 del %s" wide ascii $ = "Ext.org" wide ascii condition: any of them } rule ScarhiknStrings : Scarhikn Family { meta: description = "Scarhikn Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-25" strings: $ = "9887___skej3sd" $ = "haha123" condition: any of them } rule ScarhiknCode : Scarhikn Family { meta: description = "Scarhikn code features" author = "Seth Hardy" last_modified = "2014-06-25" strings: // decryption $ = { 8B 06 8A 8B ?? ?? ?? ?? 30 0C 38 03 C7 55 43 E8 ?? ?? ?? ?? 3B D8 59 72 E7 } $ = { 8B 02 8A 8D ?? ?? ?? ?? 
30 0C 30 03 C6 8B FB 83 C9 FF 33 C0 45 F2 AE F7 D1 49 3B E9 72 E2 } condition: any of them } rule WimmieShellcode : Wimmie Family { meta: description = "Wimmie code features" author = "Seth Hardy" last_modified = "2014-07-17" strings: // decryption loop $ = { 49 30 24 39 83 F9 00 77 F7 8D 3D 4D 10 40 00 B9 0C 03 00 00 } $xordecrypt = {B9 B4 1D 00 00 [8] 49 30 24 39 83 F9 00 } condition: any of them } // https://otx.alienvault.com/pulse/5810d51fbe8776217ed00f4a rule network_traffic_njRAT { meta: author = "info@fidelissecurity.com" descripion = "njRAT - Remote Access Trojan" comment = "Rule to alert on network traffic indicators" filetype = "PCAP - Network Traffic" date = "2013-07-15" version = "1.0" hash1 = "92ee1fb5df21d8cfafa2b02b6a25bd3b" hash2 ="3576d40ce18bb0349f9dfa42b8911c3a" hash3 ="24cc5b811a7f9591e7f2cb9a818be104" hash4 = "3ad5fded9d7fdf1c2f6102f4874b2d52" hash5 = "a98b4c99f64315aac9dd992593830f35" hash6 = "5fcb5282da1a2a0f053051c8da1686ef" hash7 = "a669c0da6309a930af16381b18ba2f9d" hash8 = "79dce17498e1997264346b162b09bde8" hash9 = "fc96a7e27b1d3dab715b2732d5c86f80" ref1 = "http://bit.ly/19tlf4s" ref2 = "http://www.fidelissecurity.com/threatadvisory" ref3 = "http://www.threatgeek.com/2013/06/fidelis-threat-advisory-1009-njrat-uncovered.html" ref4 = "http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered.pdf" strings: $string1 = "FM|'|'|" // File Manager $string2 = "nd|'|'|" // File Manager $string3 = "rn|'|'|" // Run File $string4 = "sc~|'|'|" // Remote Desktop $string5 = "scPK|'|'|" // Remote Desktop $string6 = "CAM|'|'|" // Remote Cam $string7 = "USB Video Device[endof]" // Remote Cam $string8 = "rs|'|'|" // Reverse Shell $string9 = "proc|'|'|" // Process Manager $string10 = "k|'|'|" // Process Manager $string11 = "RG|'|'|~|'|'|" // Registry Manipulation $string12 = "kl|'|'|" // Keylogger file $string13 = "ret|'|'|" // Get Browser Passwords $string14 = "pl|'|'|" // Get Browser Passwords $string15 = "lv|'|'|" // General $string16 = 
"prof|'|'|~|'|'|" // Server rename $string17 = "un|'|'|~[endof]" // Uninstall $idle_string = "P[endof]" // Idle Connection condition: any of ($string*) or #idle_string > 4 } rule njrat1: RAT { meta: author = "Brian Wallace @botnet_hunter" author_email = "bwall@ballastsecurity.net" date = "2015-05-27" description = "Identify njRat" strings: $a1 = "netsh firewall add allowedprogram " wide $a2 = "SEE_MASK_NOZONECHECKS" wide $b1 = "[TAP]" wide $b2 = " & exit" wide $c1 = "md.exe /k ping 0 & del " wide $c2 = "cmd.exe /c ping 127.0.0.1 & del" wide $c3 = "cmd.exe /c ping" wide condition: 1 of ($a*) and 1 of ($b*) and 1 of ($c*) } // https://otx.alienvault.com/pulse/5975eded481b4c7c5af5f810 // https://otx.alienvault.com/pulse/58ab817bac3cdc0d5b2c7b4d rule BANGAT_APT1 { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $s1 = "superhard corp." wide ascii $s2 = "microsoft corp." wide ascii $s3 = "[Insert]" wide ascii $s4 = "[Delete]" wide ascii $s5 = "[End]" wide ascii $s6 = "!(*@)(!@KEY" wide ascii $s7 = "!(*@)(!@SID=" wide ascii $s8 = "end binary output" wide ascii $s9 = "XriteProcessMemory" wide ascii $s10 = "IE:Password-Protected sites" wide ascii $s11 = "pstorec.dll" wide ascii condition: all of them } rule APT1_TARSIP_ECLIPSE { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $1 = "\\pipe\\ssnp" wide ascii $2 = "toobu.ini" wide ascii $3 = "Serverfile is not bigger than Clientfile" wide ascii $4 = "URL download success" wide ascii condition: 3 of them } rule AURIGA_APT1 { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $s1 = "superhard corp." wide ascii $s2 = "microsoft corp." 
wide ascii $s3 = "[Insert]" wide ascii $s4 = "[Delete]" wide ascii $s5 = "[End]" wide ascii $s6 = "!(*@)(!@KEY" wide ascii $s7 = "!(*@)(!@SID=" wide ascii condition: all of them } rule HACKSFASE1_APT1 { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $s1 = {cb 39 82 49 42 be 1f 3a} condition: all of them } rule APT1_WEBC2_HEAD { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $1 = "Ready!" wide ascii $2 = "connect ok" wide ascii $3 = "WinHTTP 1.0" wide ascii $4 = "" wide ascii condition: all of them } rule CALENDAR_APT1 { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $s1 = "content" wide ascii $s2 = "title" wide ascii $s3 = "entry" wide ascii $s4 = "feed" wide ascii $s5 = "DownRun success" wide ascii $s6 = "%s@gmail.com" wide ascii $s7 = "" wide ascii $b8 = "W4qKihsb+So=" wide ascii $b9 = "PoqKigY7ggH+VcnqnTcmhFCo9w==" wide ascii $b10 = "8oqKiqb5880/uJLzAsY=" wide ascii condition: all of ($s*) or all of ($b*) } rule APT1_WEBC2_Y21K { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $1 = "Y29ubmVjdA" wide ascii // connect $2 = "c2xlZXA" wide ascii // sleep $3 = "cXVpdA" wide ascii // quit $4 = "Y21k" wide ascii // cmd $5 = "dW5zdXBwb3J0" wide ascii // unsupport condition: 4 of them } rule APT1_WEBC2_CSON { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $httpa1 = "/Default.aspx?INDEX=" wide ascii $httpa2 = "/Default.aspx?ID=" wide ascii $httpb1 = "Win32" wide ascii $httpb2 = "Accept: text*/*" wide ascii $exe1 = "xcmd.exe" wide ascii $exe2 = "Google.exe" wide ascii condition: 1 of ($exe*) and 1 of ($httpa*) and all of ($httpb*) } rule APT1_WEBC2_TOCK { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $1 = "InprocServer32" wide ascii $2 = "HKEY_PERFORMANCE_DATA" wide ascii $3 = "" $s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword condition: 2 of them } rule 
WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 { meta: description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php" author = "Florian Roth" hash = "db076b7c80d2a5279cab2578aa19cb18aea92832" strings: $s1 = "" fullword $s6 = "by PHP Emperor" fullword $s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor
Sorry... File" fullword $s15 = "if(empty($_GET['file'])){" fullword $s16 = "echo \"Safe Mode Shell\"; " fullword condition: 3 of them } rule Ajax_PHP_Command_Shell_php { meta: description = "Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "93d1a2e13a3368a2472043bd6331afe9" strings: $s1 = "newhtml = 'File browser is under construction! Use at your own risk!
" $s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help" $s3 = "newhtml = 'This will reload the page... :(
      Parent Directory\\n\";" fullword ascii $s1 = "echo \"\\n\";" fullword ascii condition: filesize < 112KB and all of them } rule webshell_webshells_new_radhat { meta: description = "Web shells - generated from file radhat.asp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "72cb5ef226834ed791144abaa0acdfd4" strings: $s1 = "sod=Array(\"D\",\"7\",\"S" condition: all of them } rule phpshell17_php { meta: description = "Semi-Auto-generated - file phpshell17.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "9a928d741d12ea08a624ee9ed5a8c39d" strings: $s0 = "

" fullword $s1 = "[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></" $s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword condition: 1 of them } rule backupsql_php_often_with_c99shell { meta: description = "Semi-Auto-generated - file backupsql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f" strings: $s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ." $s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog" condition: all of them } rule webshell_caidao_shell_ice_2 { meta: description = "Web Shell - file ice.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "1d6335247f58e0a5b03e17977888f5f2" strings: $s0 = "<?php ${${eval($_POST[ice])}};?>" fullword condition: all of them } rule WebShell_php_include_w_shell { meta: description = "PHP Webshells Github Archive - file php-include-w-shell.php" author = "Florian Roth" hash = "1a7f4868691410830ad954360950e37c582b0292" strings: $s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" 
fullword $s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword $s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword condition: 1 of them } rule ak74shell_php_php { meta: description = "Semi-Auto-generated - file ak74shell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "7f83adcb4c1111653d30c6427a94f66f" strings: $s1 = "$res .= '<td align=\"center\"><a href=\"'.$xshell.'?act=chmod&file='.$_SESSION[" $s2 = "AK-74 Security Team Web Site: www.ak74-team.net" $s3 = "$xshell" condition: 2 of them } rule DarkSecurityTeam_Webshell { meta: description = "Dark Security Team Webshell" author = "Florian Roth" hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24" score = 50 strings: $s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii condition: 1 of them } rule commands { meta: description = "Webshells Auto-generated - file commands.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "174486fe844cb388e2ae3494ac2d1ec2" strings: $s1 = "If CheckRecord(\"SELECT COUNT(ID) FROM VictimDetail WHERE VictimID = \" & VictimID" $s2 = "proxyArr = Array (\"HTTP_X_FORWARDED_FOR\",\"HTTP_VIA\",\"HTTP_CACHE_CONTROL\",\"HTTP_F" condition: all of them } rule r57shell_3 { meta: description = "Webshells Auto-generated - file r57shell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "87995a49f275b6b75abe2521e03ac2c0" strings: $s1 = "<b>\".$_POST['cmd']" condition: all of them } rule webshell_simple_backdoor { meta: description = "Web Shell - file simple-backdoor.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "f091d1b9274c881f8e41b2f96e6b9936" strings: $s0 = "$cmd = ($_REQUEST['cmd']);" fullword $s1 = "if(isset($_REQUEST['cmd'])){" fullword $s4 = "system($cmd);" fullword condition: 2 of them } rule webshell_php_sh_server : webshell { meta: 
description = "Web Shell - file server.php" author = "Florian Roth" date = "2014/01/28" score = 50 hash = "d87b019e74064aa90e2bb143e5e16cfa" strings: $s0 = "eval(getenv('HTTP_CODE'));" fullword condition: all of them } rule webshell_redirect { meta: description = "Web Shell - file redirect.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "97da83c6e3efbba98df270cc70beb8f8" strings: $s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" " condition: all of them } rule WebShell_RemExp_asp_php { meta: description = "PHP Webshells Github Archive - file RemExp.asp.php.txt" author = "Florian Roth" hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2" strings: $s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword $s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f" $s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword $s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword $s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\"> Name</td>" fullword condition: all of them } rule lamashell_php { meta: description = "Semi-Auto-generated - file lamashell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "de9abc2e38420cad729648e93dfc6687" strings: $s0 = "lama's'hell" fullword $s1 = "if($_POST['king'] == \"\") {" $s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f" condition: 1 of them } rule WebShell_php_webshells_lolipop { meta: description = "PHP Webshells Github Archive - file lolipop.php" author = "Florian Roth" hash = "86f23baabb90c93465e6851e40104ded5a5164cb" strings: $s3 = "$commander = $_POST['commander']; " fullword $s9 = "$sourcego = $_POST['sourcego']; " fullword $s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword condition: all of them } rule PHP_Shell_php_php { meta: description = "Semi-Auto-generated - file PHP Shell.php.php.txt" author = "Neo23x0 Yara BRG + 
customization by Stefan -dfate- Molls" hash = "a2f8fa4cce578fc9c06f8e674b9e63fd" strings: $s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" $s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type=" condition: all of them } rule WebShell_JspWebshell_1_2_2 { meta: description = "PHP Webshells Github Archive - file JspWebshell 1.2.php" author = "Florian Roth" hash = "184fc72b51d1429c44a4c8de43081e00967cf86b" strings: $s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword $s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java." $s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword $s15 = "endPoint=random1.getFilePointer();" fullword $s20 = "if (request.getParameter(\"command\") != null) {" fullword condition: 3 of them } rule PHP_Backdoor_v1 { meta: description = "Webshells Auto-generated - file PHP Backdoor v1.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "0506ba90759d11d78befd21cabf41f3d" strings: $s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th" $s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy" condition: all of them } rule webshell_php_2 { meta: description = "Web Shell - file 2.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "267c37c3a285a84f541066fc5b3c1747" strings: $s0 = "<?php assert($_REQUEST[\"c\"]);?> " fullword condition: all of them } rule WebShell_simattacker { meta: description = "PHP Webshells Github Archive - file simattacker.php" author = "Florian Roth" hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9" strings: $s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword $s4 = " Turkish Hackers : WWW.ALTURKS.COM <br>" fullword $s5 = " Programer : SimAttacker - Edited By KingDefacer<br>" fullword $s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword $s10 = " e-mail : kingdefacer@msn.com<br>" fullword 
$s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword $s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword $s20 = "$Comments=$_POST['Comments'];" fullword condition: 2 of them } rule WebShell_php_webshells_README { meta: description = "PHP Webshells Github Archive - file README.md" author = "Florian Roth" hash = "ef2c567b4782c994db48de0168deb29c812f7204" strings: $s0 = "Common php webshells. Do not host the file(s) in your server!" fullword $s1 = "php-webshells" fullword condition: all of them } rule webshell_DarkBlade1_3_asp_indexx { meta: description = "Web Shell - file indexx.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "b7f46693648f534c2ca78e3f21685707" strings: $s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou" condition: all of them } rule WebShell_backupsql { meta: description = "PHP Webshells Github Archive - file backupsql.php" author = "Florian Roth" hash = "863e017545ec8e16a0df5f420f2d708631020dd4" strings: $s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ." 
$s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog" $s2 = "* as email attachment, or send to a remote ftp server by" fullword $s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword $s17 = "$from = \"Neu-Cool@email.com\"; // Who should the emails be sent from?, may " condition: 2 of them } rule FSO_s_phvayv { meta: description = "Webshells Auto-generated - file phvayv.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "205ecda66c443083403efb1e5c7f7878" strings: $s2 = "wrap=\"OFF\">XXXX</textarea></font><font face" condition: all of them } rule webshell_webshells_new_pppp { meta: description = "Web shells - generated from file pppp.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "cf01cb6e09ee594545693c5d327bdd50" strings: $s0 = "Mail: chinese@hackermail.com" fullword $s3 = "if($_GET[\"hackers\"]==\"2b\"){if ($_SERVER['REQUEST_METHOD'] == 'POST') { echo " $s6 = "Site: http://blog.weili.me" fullword condition: 1 of them } rule rootshell_php { meta: description = "Semi-Auto-generated - file rootshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "265f3319075536030e59ba2f9ef3eac6" strings: $s0 = "shells.dl.am" $s1 = "This server has been infected by $owner" $s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>" $s4 = "Could not write to file! 
(Maybe you didn't enter any text?)" condition: 2 of them } rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall { meta: description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php" author = "Florian Roth" super_rule = 1 hash0 = "b148ead15d34a55771894424ace2a92983351dda" hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b" hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856" hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c" strings: $s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword $s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword $s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword $s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword condition: 2 of them } rule jsp_reverse_jsp { meta: description = "Semi-Auto-generated - file jsp-reverse.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8b0e6779f25a17f0ffb3df14122ba594" strings: $s0 = "// backdoor.jsp" $s1 = "JSP Backdoor Reverse Shell" $s2 = "http://michaeldaw.org" condition: 2 of them } rule webshell_php_list { meta: description = "Web Shell - file list.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "922b128ddd90e1dc2f73088956c548ed" strings: $s1 = "// list.php = Directory & File Listing" fullword $s2 = " echo \"( ) <a href=?file=\" . $fichero . \"/\" . $filename . \">\" . 
$filena" $s9 = "// by: The Dark Raver" fullword condition: 1 of them } rule h4ntu_shell__powered_by_tsoi_ { meta: description = "Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "06ed0b2398f8096f1bebf092d0526137" strings: $s0 = "h4ntu shell" $s1 = "system(\"$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");" condition: 1 of them } rule WebShell_php_backdoor { meta: description = "PHP Webshells Github Archive - file php-backdoor.php" author = "Florian Roth" hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe" strings: $s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword $s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi" $s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword $s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword $s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input " condition: 1 of them } rule Webshell_and_Exploit_CN_APT_HK : Webshell { meta: author = "Florian Roth" description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters" date = "10.10.2014" score = 50 strings: $a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword $s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">" $s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">" condition: $a0 or ( all of ($s*) ) } rule multiple_webshells_0005 { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php" hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = 
"911195a9b7c010f61b66439d9048f400" hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash3 = "8023394542cddf8aee5dec6072ed02b5" hash4 = "eed14de3907c9aa2550d95550d1a2d5f" hash5 = "817671e1bdc85e04cc3440bbd9288800" strings: $s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o" $s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult" condition: 1 of them } rule fmlibraryv3 { meta: description = "Webshells Auto-generated - file fmlibraryv3.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "c34c248fed6d5a20d8203924a2088acc" strings: $s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER" condition: all of them } rule EditServer_Webshell { meta: description = "Webshells Auto-generated - file EditServer.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "f945de25e0eba3bdaf1455b3a62b9832" strings: $s2 = "Server %s Have Been Configured" $s5 = "The Server Password Exceeds 32 Characters" $s8 = "9--Set Procecess Name To Inject DLL" condition: all of them } rule webshell_Server_Variables { meta: description = "Web Shell - file Server Variables.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "47fb8a647e441488b30f92b4d39003d7" strings: $s7 = "<% For Each Vars In Request.ServerVariables %>" fullword $s9 = "Variable Name</B></font></p>" fullword condition: all of them } rule webshell_webshells_new_JJJsp2 { meta: description = "Web shells - generated from file JJJsp2.jsp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "5a9fec45236768069c99f0bfd566d754" strings: $s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z" $s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ" $s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()" $s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase(" condition: 1 of them } rule 
FSO_s_casus15_2 { meta: description = "Webshells Auto-generated - file casus15.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "8d155b4239d922367af5d0a1b89533a3" strings: $s0 = "copy ( $dosya_gonder" condition: all of them } rule jspshall_jsp { meta: description = "Semi-Auto-generated - file jspshall.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "efe0f6edaa512c4e1fdca4eeda77b7ee" strings: $s0 = "kj021320" $s1 = "case 'T':systemTools(out);break;" $s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file" condition: 2 of them } rule WebShell_lamashell { meta: description = "PHP Webshells Github Archive - file lamashell.php" author = "Florian Roth" hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560" strings: $s0 = "if(($_POST['exe']) == \"Execute\") {" fullword $s8 = "$curcmd = $_POST['king'];" fullword $s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword $s18 = "<title>lama's'hell v. 3.0" fullword $s19 = "_|_ O _ O _|_" fullword $s20 = "$curcmd = \"ls -lah\";" fullword condition: 2 of them } rule webshell_php_fbi { meta: description = "Web Shell - file fbi.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "1fb32f8e58c8deb168c06297a04a21f1" strings: $s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo" condition: all of them } rule webshell_minupload { meta: description = "Web Shell - file minupload.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "ec905a1395d176c27f388d202375bdf9" strings: $s0 = " " fullword $s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859" condition: all of them } rule shankar_php_php { meta: description = "Semi-Auto-generated - file shankar.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "6eb9db6a3974e511b7951b8f7e7136bb" strings: $sAuthor = "ShAnKaR" $s0 = "DB" fullword condition: all of them } rule icyfox007v1_10_rar_Folder_asp { meta: 
description = "Webshells Auto-generated - file asp.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "2c412400b146b7b98d6e7755f7159bb9" strings: $s0 = "" condition: all of them } rule PhpShell { meta: description = "Webshells Auto-generated - file PhpShell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "539baa0d39a9cf3c64d65ee7a8738620" strings: $s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell
." condition: all of them } rule webshell_Worse_Linux_Shell { meta: description = "Web Shell - file Worse Linux Shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "8338c8d9eab10bd38a7116eb534b5fa2" strings: $s0 = "system(\"mv \".$_FILES['_upl']['tmp_name'].\" \".$currentWD" condition: all of them } rule FSO_s_test { meta: description = "Webshells Auto-generated - file test.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "82cf7b48da8286e644f575b039a99c26" strings: $s0 = "$yazi = \"test\" . \"\\r\\n\";" $s2 = "fwrite ($fp, \"$yazi\");" condition: all of them } rule HYTop_DevPack_server { meta: description = "Webshells Auto-generated - file server.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "1d38526a215df13c7373da4635541b43" strings: $s0 = "" condition: all of them } rule PHP_sh { meta: description = "Webshells Auto-generated - file sh.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "1e9e879d49eb0634871e9b36f99fe528" strings: $s1 = "\"@$SERVER_NAME \".exec(\"pwd\")" condition: all of them } rule r57shell_2 { meta: description = "Webshells Auto-generated - file r57shell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "8023394542cddf8aee5dec6072ed02b5" strings: $s2 = "echo \"
\".ws(2).\"HDD Free : \".view_size($free).\" HDD Total : \".view_" condition: all of them } rule webshell_jsp_cmdjsp_2 { meta: description = "Web Shell - file cmdjsp.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "1b5ae3649f03784e2a5073fa4d160c8b" strings: $s0 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword $s4 = "" fullword condition: all of them } rule multiple_webshells_0032 { meta: description = "Semi-Auto-generated - from files nixrem.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php" hash0 = "40a3e86a63d3d7f063a86aab5b5f92c6" hash1 = "d8ae5819a0a2349ec552cbcf3a62c975" hash2 = "9e9ae0332ada9c3797d6cee92c2ede62" hash3 = "f3ca29b7999643507081caab926e2e74" strings: $s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword $s1 = "$ret = posix_kill($pid,$sig);" fullword $s2 = "if ($uid) {echo join(\":\",$uid).\"
\";}" fullword $s3 = "$i = $nixpasswd;" fullword condition: 2 of them } rule zacosmall_php { meta: description = "Semi-Auto-generated - file zacosmall.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5295ee8dc2f5fd416be442548d68f7a6" strings: $s0 = "rand(1,99999);$sj98" $s1 = "$dump_file.='`'.$rows2[0].'`" $s3 = "filename=\\\"dump_{$db_dump}_${table_d" condition: 2 of them } rule WebShell_Generic_PHP_7 { meta: description = "PHP Webshells Github Archive - from files Mysql interface v1.0.php, MySQL Web Interface Version 0.8.php, Mysql_interface_v1.0.php, MySQL_Web_Interface_Version_0.8.php" author = "Florian Roth" super_rule = 1 hash0 = "de98f890790756f226f597489844eb3e53a867a9" hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e" hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267" hash3 = "715f17e286416724e90113feab914c707a26d456" strings: $s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword $s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword $s2 = "echo \"[$USERNAME] - \\n\";" fullword $s4 = "if( $action == \"dumpTable\" )" fullword condition: 2 of them } rule webshell_PHP_c37 { meta: description = "Web Shell - file c37.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "d01144c04e7a46870a8dd823eb2fe5c8" strings: $s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj')," $s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE]," condition: all of them } rule portlessinst { meta: description = "Webshells Auto-generated - file portlessinst.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "74213856fc61475443a91cd84e2a6c2f" strings: $s2 = "Fail To Open Registry" $s3 = "f<-WLEggDr\"" $s6 = "oMemoryCreateP" condition: all of them } rule webshell_201_3_ma_download { meta: description = "Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = 
"a7e25b8ac605753ed0c438db93f6c498" hash1 = "fb8c6c3a69b93e5e7193036fd31a958d" hash2 = "4cc68fa572e88b669bce606c7ace0ae9" hash3 = "fa87bbd7201021c1aefee6fcc5b8e25a" strings: $s0 = "\";" fullword $s4 = " $cmd = ($_REQUEST['cmd']);" fullword $s5 = " echo \"
\";" fullword   
   		$s6 = "if(isset($_REQUEST['cmd'])){" fullword   
   		$s7 = "        die;" fullword   
   		$s8 = "        system($cmd);" fullword   
   	condition:   
   		all of them   
   }
// Auto-generated rule for the file 2006.asp of the HYTop2006 package (see meta.hash).
// It has a single string, so "all of them" means that one fragment alone triggers a hit;
// treat a match as a lead for review rather than a confirmed shell.
rule HYTop2006_rar_Folder_2006 {   
   	meta:   
   		description = "Webshells Auto-generated - file 2006.asp"   
   		author = "Yara Bulk Rule Generator by Florian Roth"   
   		hash = "c19d6f4e069188f19b08fa94d44bc283"   
   	strings:   
   		/* self-concatenation fragment ("strBackDoor = strBackDoor ") lifted from the shell's source; plain ascii match, no modifiers */
   		$s6 = "strBackDoor = strBackDoor "   
   	condition:   
   		all of them   
   }
// Semi-auto-generated rule for lurm_safemod_on.cgi.txt (see meta.hash).
// Condition is "1 of them": any single string fires the rule. $s0 (the shell's banner) and
// $s2 (its Perl default-password stub) are specific; $s1 is only a '#' separator banner and
// is the weakest of the three on its own.
rule lurm_safemod_on_cgi {   
   	meta:   
   		description = "Semi-Auto-generated  - file lurm_safemod_on.cgi.txt"   
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"   
   		hash = "5ea4f901ce1abdf20870c214b3231db3"   
   	strings:   
   		/* banner text printed by the shell */
   		$s0 = "Network security team :: CGI Shell" fullword   
   		/* decorative separator line; fullword only requires non-alphanumeric neighbours */
   		$s1 = "#########################<>#####################################" fullword   
   		/* Perl fragment: seeds $param{pwd} with a placeholder password when none is supplied */
   		$s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword   
   	condition:   
   		1 of them   
   }
// Super rule (super_rule = 1) generated from four c99-family PHP shells; hash0-hash3 are the
// source samples and "was" keeps the generator's original rule name.
// The strings are quoted base64 fragments of image data embedded in the shell source:
// $s4 starts with "R0lGODlh", the base64 encoding of a GIF file header ("GIF89a"). The escaped
// double quotes are part of each pattern, so they match the quoted literal as it appears in
// PHP source, not the bare base64. Any two of the three fragments are required.
rule multiple_webshells_0006 {   
   	meta:   
   		description = "Semi-Auto-generated  - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt"   
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"   
   		super_rule = 1   
   		was = "_c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php"   
   		hash0 = "d8ae5819a0a2349ec552cbcf3a62c975"   
   		hash1 = "9e9ae0332ada9c3797d6cee92c2ede62"   
   		hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9"   
   		hash3 = "671cad517edd254352fe7e0c7c981c39"   
   	strings:   
   		/* quoted base64 chunk of embedded image data */
   		$s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\""   
   		/* quoted base64 chunk of embedded image data */
   		$s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\""   
   		/* quoted base64 chunk beginning with an encoded GIF header ("R0lGODlh" = "GIF89a") */
   		$s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\""   
   	condition:   
   		2 of them   
   }
// Auto-generated rule for EFSO_2.asp (see meta.hash).
// Both strings are fragments of obfuscated script text; the "@#@&" sequences look like the
// line-break token emitted by the Microsoft Script Encoder (VBScript.Encode) - TODO confirm
// against the sample. Because the patterns are encoder output, the rule is tied to this exact
// encoded build: re-encoding or editing the source changes the bytes and the rule stops matching.
rule FSO_s_EFSO_2 {   
   	meta:   
   		description = "Webshells Auto-generated - file EFSO_2.asp"   
   		author = "Yara Bulk Rule Generator by Florian Roth"   
   		hash = "a341270f9ebd01320a7490c12cb2e64c"   
   	strings:   
   		/* obfuscated fragment; backslashes and quotes are YARA-escaped, the literal bytes include \ and " */
   		$s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV"   
   		/* second obfuscated fragment from the same file */
   		$s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j"   
   	condition:   
   		all of them   
   }
// Auto-generated rule for dllTest.dll (see meta.hash).
// Requires both a password prompt string and the "\dllTest.pdb" debug-symbol path suffix;
// the PDB path is build-specific, so a recompiled or symbol-stripped variant will not match.
rule Mithril_dllTest {   
   	meta:   
   		description = "Webshells Auto-generated - file dllTest.dll"   
   		author = "Yara Bulk Rule Generator by Florian Roth"   
   		hash = "a8d25d794d8f08cd4de0c3d6bf389e6d"   
   	strings:   
   		/* interactive prompt text present in the sample */
   		$s0 = "please enter the password:"   
   		/* tail of the PDB path left in the binary's debug information */
   		$s3 = "\\dllTest.pdb"   
   	condition:   
   		all of them   
   }
// Auto-generated rule for wuaus.dll (see meta.hash).
// Only $s4 is human-readable text. $s1, $s2, $s3, $s5 and $s8 are short runs of punctuation
// and digits that look like they were picked out of a binary table rather than from string
// data - presumably generator artefacts; verify against the sample. With "all of them" the
// rule is pinned to this exact build and is unlikely to match recompiled variants.
rule bin_wuaus {   
   	meta:   
   		description = "Webshells Auto-generated - file wuaus.dll"   
   		author = "Yara Bulk Rule Generator by Florian Roth"   
   		hash = "46a365992bec7377b48a2263c49e4e7d"   
   	strings:   
   		/* build-specific byte run, not readable text */
   		$s1 = "9(90989@9V9^9f9n9v9"   
   		$s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:"   
   		$s3 = ";(=@=G=O=T=X=\\="   
   		/* the only descriptive string: an error message emitted by the sample */
   		$s4 = "TCP Send Error!!"   
   		$s5 = "1\"1;1X1^1e1m1w1~1"   
   		$s8 = "=$=)=/=<=Y=_=j=p=z="   
   	condition:   
   		all of them   
   }
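// Auto-generated rule for peek-a-boo.exe (see meta.hash).
// Every string is a generic artefact of a Visual Basic 5/6 binary: runtime helper imports
// (__vba*), the VB5.OLB type-library reference, the EVENT_SINK_Release COM stub, plus
// capGetDriverDescriptionA (the avicap32 capture-device enumeration API). None of them is
// specific to this sample, so the rule is expected to fire on any VB-built program that
// enumerates capture devices. The condition gates on the PE "MZ" magic so that text files,
// source listings or documents that merely quote these names are not flagged; the remaining
// false-positive exposure on legitimate VB capture software is documented, not fixed.
rule peek_a_boo {   
   	meta:   
   		description = "Webshells Auto-generated - file peek-a-boo.exe"   
   		author = "Yara Bulk Rule Generator by Florian Roth"   
   		hash = "aca339f60d41fdcba83773be5d646776"   
   	strings:   
   		/* VB runtime helper import */
   		$s0 = "__vbaHresultCheckObj"   
   		/* VB5 type-library reference path suffix */
   		$s1 = "\\VB\\VB5.OLB"   
   		/* avicap32 API used to enumerate video capture devices */
   		$s2 = "capGetDriverDescriptionA"   
   		/* VB runtime helper import */
   		$s3 = "__vbaExceptHandler"   
   		/* COM event-sink stub exported by VB binaries */
   		$s4 = "EVENT_SINK_Release"   
   		/* VB runtime helper import */
   		$s8 = "__vbaErrorOverflow"   
   	condition:   
   		// uint16(0) == 0x5A4D: file starts with the "MZ" DOS header, i.e. is a PE image.
   		// Original condition was "all of them" alone.
   		uint16(0) == 0x5A4D and all of them   
   }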
rule multiple_webshells_0023 {   
   	meta:   
   		description = "Semi-Auto-generated  - from files w.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt"   
   		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"   
   		super_rule = 1   
   		was = "_w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php"   
   		hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2"   
   		hash1 = "9c5bb5e3a46ec28039e8986324e42792"   
   		hash2 = "d8ae5819a0a2349ec552cbcf3a62c975"   
   		hash3 = "9e9ae0332ada9c3797d6cee92c2ede62"   
   		hash4 = "09609851caa129e40b0d56e90dfc476c"   
   	strings:   
   		$s0 = "$sqlquicklaunch[] = array(\""   
   		$s1 = "else {echo \"
File does not exists (\".htmlspecialchars($d.$f).\")!<" condition: all of them } rule multiple_webshells_0013 { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php" hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "911195a9b7c010f61b66439d9048f400" hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f" strings: $s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword $s1 = "$name='ec371748dc2da624b35a4f8f685dd122'" $s2 = "rst.void.ru" condition: 3 of them } rule pws_php_php { meta: description = "Semi-Auto-generated - file pws.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ecdc6c20f62f99fa265ec9257b7bf2ce" strings: $s0 = "
Input command :
" fullword $s1 = "
" fullword $s4 = "" condition: 2 of them } rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php { meta: description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt" author = "Florian Roth" super_rule = 1 hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee" hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357" hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653" hash3 = "4f83bc2836601225a115b5ad54496428a507a361" strings: $s1 = "Sil" fullword $s5 = "" fullword $s6 = "onfocus=\"if (this.value == 'Kullan" fullword $s16 = "" condition: 2 of them } rule multiple_webshells_0017 { meta: description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php" hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "9c5bb5e3a46ec28039e8986324e42792" hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9" hash3 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi" $s1 = "echo \"Execute file:array(\"ext_htaccess\",\"ext_htpasswd" condition: 1 of them } rule pHpINJ_php_php { meta: description = "Semi-Auto-generated - file pHpINJ.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "d7a4b0df45d34888d5a09f745e85733f" strings: $s1 = "News Remote PHP Shell Injection" $s3 = "Php Shell
" fullword $s4 = "
" fullword $s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9" $s2 = "" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "
  • Reverse Shell - " fullword ascii /* PEStudio Blacklist: strings */ $s3 = "
  • \">File Browser" ascii /* PEStudio Blacklist: strings */ condition: filesize < 13KB and all of them } rule WinX_Shell_html { meta: description = "Semi-Auto-generated - file WinX Shell.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "17ab5086aef89d4951fe9b7c7a561dda" strings: $s0 = "WinX Shell" $s1 = "Created by greenwood from n57" $s2 = "Win Dir:" condition: 2 of them } rule WebShell_php_webshells_aspydrv { meta: description = "PHP Webshells Github Archive - file aspydrv.php" author = "Florian Roth" hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a" strings: $s0 = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\" ' ---Directory to which files" $s1 = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword $s3 = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword $s17 = "If request.querystring(\"getDRVs\")=\"@\" then" fullword $s20 = "' ---Copy Too Folder routine Start" fullword condition: 3 of them } rule RkNTLoad { meta: description = "Webshells Auto-generated - file RkNTLoad.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "262317c95ced56224f136ba532b8b34f" strings: $s1 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $" $s2 = "5pur+virtu!" $s3 = "ugh spac#n" $s4 = "xcEx3WriL4" $s5 = "runtime error" $s6 = "loseHWait.Sr." $s7 = "essageBoxAw" $s8 = "$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $" condition: all of them } rule webshell_jsp_up { meta: description = "Web Shell - file up.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "515a5dd86fe48f673b72422cccf5a585" strings: $s9 = "// BUG: Corta el fichero si es mayor de 640Ks" fullword condition: all of them } rule FSO_s_reader { meta: description = "Webshells Auto-generated - file reader.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b598c8b662f2a1f6cc61f291fb0a6fa2" strings: $s2 = "mailto:mailbomb@hotmail." 
condition: all of them } rule WebShell_cgi { meta: description = "Semi-Auto-generated - file WebShell.cgi.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "bc486c2e00b5fc3e4e783557a2441e6f" strings: $s0 = "WebShell.cgi" $s2 = "\".@$_POST['comma" $s7 = "if(filetype($dir . $file)==\"file\")$files[]=$file;" fullword $s14 = "elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} " fullword $s20 = "$info .= (($perms & 0x0004) ? 'r' : '-');" fullword condition: all of them } rule Webshell_c99_4 { meta: description = "Detects C99 Webshell" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4" hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092" hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5" hash4 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c" hash5 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06" hash6 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596" hash7 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9" hash8 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1" hash9 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a" hash10 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966" hash11 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96" hash12 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f" hash13 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5" hash14 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd" strings: $s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii $s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii $s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword 
ascii $s4 = "$ret = myshellexec($handler);" fullword ascii $s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii condition: filesize < 900KB and 1 of them } rule webshell_php_moon { meta: description = "Web Shell - file moon.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "2a2b1b783d3a2fa9a50b1496afa6e356" strings: $s2 = "echo 'Cyber Lords Community" fullword condition: 2 of them } rule sendmail { meta: description = "Webshells Auto-generated - file sendmail.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "75b86f4a21d8adefaf34b3a94629bd17" strings: $s3 = "_NextPyC808" $s6 = "Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)" condition: all of them } rule sql_php_php { meta: description = "Semi-Auto-generated - file sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8334249cbb969f2d33d678fec2b680c5" strings: $s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#" $s2 = "http://rst.void.ru" $s3 = "print \"" fullword $s2 = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST" $s4 = "error_reporting(0); //If there is an error, we'll show it, k?" 
fullword $s8 = "print \"a - zzzzz" fullword $s18 = "print shell_exec($command);" fullword condition: 3 of them } rule WebShell_STNC_WebShell_v0_8 { meta: description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php" author = "Florian Roth" hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc" strings: $s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword $s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()" $s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw" condition: 2 of them } rule WebShell_dC3_Security_Crew_Shell_PRiV { meta: description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php" author = "Florian Roth" hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a" strings: $s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword $s4 = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword $s5 = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword $s15 = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword $s16 = "echo base64_decode($images[$_GET['pic']]);" fullword $s20 = "if (isset($_GET['rename_all'])) {" fullword condition: 3 of them } rule webshell_PHP_g00nv13 { meta: description = "Web Shell - file g00nv13.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "35ad2533192fe8a1a76c3276140db820" strings: $s1 = "case \"zip\": case \"tar\": case \"rar\": case \"gz\": case \"cab\": cas" $s4 = "if(!($sqlcon = @mysql_connect($_SESSION['sql_host'] . ':' . 
$_SESSION['sql_p" condition: all of them } /* NOTE(review): $s2 below is an empty text string (""), which YARA rejects at compile time; with "1 of them" an empty pattern would otherwise match every file. The original pattern was presumably lost in extraction — restore it from the upstream rule or drop $s2 before loading this rule. */ rule webshell_webshells_new_php2 { meta: description = "Web shells - generated from file php2.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "fbf2e76e6f897f6f42b896c855069276" strings: $s0 = "Error!\";" fullword $s2 = "" fullword $s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a" $s4 = "Writed by DreAmeRz" fullword condition: 1 of them } rule FSO_s_phpinj_2 { meta: description = "Webshells Auto-generated - file phpinj.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "dd39d17e9baca0363cc1c3664e608929" strings: $s9 = "' ,0 ,0 ,0 ,0 INTO" condition: all of them } /* NOTE(review): several text strings in this listing contain raw line breaks (here $s2; also $s1 in webshell_807_a_css_dm_he1p_JspSpy_xxx, $s1/$s17/$s7 in webshell_webshells_new_code, $s6 in webshell_php_s_u, $s8 in bdcli100, $s2 in multiple_webshells_0008, $s4 in webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1, $s5 in Worse_Linux_Shell_php, $s6 in asp_shell, $s1 in Webshell_acid_AntiSecShell_3, $s0 in Casus15_php_php, $s1 in shell_php_php). YARA does not allow a text string to span lines, so these rules will not compile as shown; this looks like extraction damage (markup inside the strings appears to have been stripped) and the strings must be restored from the upstream source before use. */ rule multiple_webshells_0004 { meta: description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php" hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "09609851caa129e40b0d56e90dfc476c" strings: $s2 = "echo \"
    Done!
    Total time (secs.): \".$ft" $s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r" condition: 1 of them } rule webshell_807_a_css_dm_he1p_JspSpy_xxx { meta: description = "Web Shell - from files 807.jsp, a.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, style.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf" hash1 = "76037ebd781ad0eac363d56fc81f4b4f" hash2 = "fc44f6b4387a2cb50e1a63c66a8cb81c" hash3 = "14e9688c86b454ed48171a9d4f48ace8" hash4 = "b330a6c2d49124ef0729539761d6ef0b" hash5 = "d71716df5042880ef84427acee8b121e" hash6 = "341298482cf90febebb8616426080d1d" hash7 = "29aebe333d6332f0ebc2258def94d57e" hash8 = "42654af68e5d4ea217e6ece5389eb302" hash9 = "88fc87e7c58249a398efd5ceae636073" hash10 = "4a812678308475c64132a9b56254edbc" hash11 = "9626eef1a8b9b8d773a3b2af09306a10" hash12 = "344f9073576a066142b2023629539ebd" hash13 = "32dea47d9c13f9000c4c807561341bee" hash14 = "b9744f6876919c46a29ea05b1d95b1c3" hash15 = "6acc82544be056580c3a1caaa4999956" hash16 = "6aa32a6392840e161a018f3907a86968" hash17 = "349ec229e3f8eda0f9eb918c74a8bf4c" hash18 = "3ea688e3439a1f56b16694667938316d" hash19 = "ab77e4d1006259d7cbc15884416ca88c" hash20 = "71097537a91fac6b01f46f66ee2d7749" hash21 = "2434a7a07cb47ce25b41d30bc291cacc" hash22 = "7a4b090619ecce6f7bd838fe5c58554b" strings: $s1 = "\"

    Remote Control »

    Current File (import new file name and new file)
    Current file (fullpath)
    " fullword condition: all of them } rule webshell_webshells_new_code { meta: description = "Web shells - generated from file code.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "a444014c134ff24c0be5a05c02b81a79" strings: $s1 = "
    second(s) {gzip} usage:" $s17 = "
    :: Enter ::Path.'/\\');" $s7 = "p('

    File Manager - Current disk free '.sizecount($free).' of '.sizecount($all" condition: all of them } rule webshell_bypass_iisuser_p { meta: description = "Web shells - generated from file bypass-iisuser-p.asp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "924d294400a64fa888a79316fb3ccd90" strings: $s0 = "<%Eval(Request(chr(112))):Set fso=CreateObject" condition: all of them } rule webshell_php_s_u { meta: description = "Web Shell - file s-u.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "efc7ba1a4023bcf40f5e912f1dd85b5a" strings: $s6 = "Go Execute
    zehir3 --> powered by zehir <zehirhacker@hotmail.com&" $s11 = "frames.byZehir.document.execCommand(" $s15 = "frames.byZehir.document.execCommand(co" condition: 2 of them } rule hxdef100 { meta: description = "Webshells Auto-generated - file hxdef100.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "55cc1769cef44910bd91b7b73dee1f6c" strings: $s0 = "RtlAnsiStringToUnicodeString" $s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" $s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH" condition: all of them } rule FeliksPack3___PHP_Shells_phpft { meta: description = "Webshells Auto-generated - file phpft.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "60ef80175fcc6a879ca57c54226646b1" strings: $s6 = "PHP Files Thief" $s11 = "http://www.4ngel.net" condition: all of them } rule hkshell_hkrmv { meta: description = "Webshells Auto-generated - file hkrmv.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "bd3a0b7a6b5536f8d96f50956560e9bf" strings: $s5 = "/THUMBPOSITION7" $s6 = "\\EvilBlade\\" condition: all of them } /* NOTE(review): both strings here are generic mysqldump-style output that many legitimate PHP backup scripts also emit; expect hits on admin tooling and treat a match as a triage lead rather than a verdict. */ rule WebShell_mysql_tool { meta: description = "PHP Webshells Github Archive - file mysql_tool.php" author = "Florian Roth" hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474" strings: $s12 = "$dump .= \"-- Dumping data for table '$table'\\n\";" fullword $s20 = "$dump .= \"CREATE TABLE $table (\\n\";" fullword condition: 2 of them } rule webshell_asp_up { meta: description = "Web Shell - file up.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "f775e721cfe85019fe41c34f47c0d67c" strings: $s0 = "Pos = InstrB(BoundaryPos,RequestBin,getByteString(\"Content-Dispositio" $s1 = "ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))" fullword condition: 1 of them } rule bdcli100 { meta: description = "Webshells Auto-generated - file bdcli100.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b12163ac53789fb4f62e4f17a8c2e028" strings: $s5 = "unable to connect to " $s8 = "backdoor is 
corrupted on " condition: all of them } rule multiple_webshells_0012 { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php" hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "911195a9b7c010f61b66439d9048f400" hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash3 = "eed14de3907c9aa2550d95550d1a2d5f" hash4 = "817671e1bdc85e04cc3440bbd9288800" strings: $s0 = "echo sr(15,\"\".$lang[$language.'_text" $s1 = ".$arrow.\"\",in('text','" condition: 2 of them } rule multiple_webshells_0008 { meta: description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt, ctt_sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php" hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "d8ae5819a0a2349ec552cbcf3a62c975" hash4 = "9e9ae0332ada9c3797d6cee92c2ede62" hash5 = "09609851caa129e40b0d56e90dfc476c" hash6 = "671cad517edd254352fe7e0c7c981c39" strings: $s0 = " if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\"" $s1 = " if (file_exists($mkfile)) {echo \"Make File \\\"\".htmlspecialchars($mkfile" $s2 = " echo \"
    MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr" $s3 = " elseif (!fopen($mkfile,\"w\")) {echo \"Make File \\\"\".htmlspecialchars($m" condition: all of them } rule php_reverse_shell : webshell { meta: description = "Laudanum Injector Tools - file php-reverse-shell.php" author = "Florian Roth" reference = "http://laudanum.inguardians.com/" date = "2015-06-22" hash = "3ef03bbe3649535a03315dcfc1a1208a09cea49d" strings: $s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "printit(\"Successfully opened reverse shell to $ip:$port\");" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "$input = fread($pipes[1], $chunk_size);" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 15KB and all of them } rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 { meta: description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "b330a6c2d49124ef0729539761d6ef0b" hash1 = "d71716df5042880ef84427acee8b121e" hash2 = "344f9073576a066142b2023629539ebd" hash3 = "32dea47d9c13f9000c4c807561341bee" hash4 = "b9744f6876919c46a29ea05b1d95b1c3" hash5 = "3ea688e3439a1f56b16694667938316d" hash6 = "2434a7a07cb47ce25b41d30bc291cacc" strings: $s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"\"+" fullword $s4 = "out.println(\"

    File Manager - Current disk "\"+(cr.indexOf(\"/\") == 0?" $s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword $s8 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"" condition: 2 of them } rule WebShell_php_webshells_pws { meta: description = "PHP Webshells Github Archive - file pws.php" author = "Florian Roth" hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b" strings: $s6 = "if ($_POST['cmd']){" fullword $s7 = "$cmd = $_POST['cmd'];" fullword $s10 = "echo \"FILE UPLOADED TO $dez\";" fullword $s11 = "if (file_exists($uploaded)) {" fullword $s12 = "copy($uploaded, $dez);" fullword $s17 = "passthru($cmd);" fullword condition: 4 of them } rule Worse_Linux_Shell_php { meta: description = "Semi-Auto-generated - file Worse Linux Shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8338c8d9eab10bd38a7116eb534b5fa2" strings: $s1 = "print \"Server is:\".$_SERVER['SERVER_SIGNATURE'].\"Execute command:" fullword $s5 = ":: AventGrup ::.. 
- Sincap 1.0 | Session(Oturum) B" fullword $s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword $s12 = "while (($ekinci=readdir ($sedat))){" fullword $s19 = "$deger2= \"$ich[$tampon4]\";" fullword condition: 2 of them } rule webshell_jsp_sys3 { meta: description = "Web Shell - file sys3.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "b3028a854d07674f4d8a9cf2fb6137ec" strings: $s1 = "<input type=\"submit\" name=\"btnSubmit\" value=\"Upload\">" fullword $s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\"" $s9 = "<%@page contentType=\"text/html;charset=gb2312\"%>" fullword condition: all of them } rule multiple_webshells_0028 { meta: description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, dC3 Security Crew Shell PRiV.php.txt, SpecialShell_99.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php" hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "433706fdc539238803fd47c4394b5109" hash4 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":" $s1 = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" fullword condition: all of them } rule webshell_PHP_Shell_x3 { meta: description = "Web Shell - file PHP Shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "a2f8fa4cce578fc9c06f8e674b9e63fd" strings: $s4 = "  <?php echo buildUrl(\"<font color=\\\"navy\\\">[" $s6 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" $s9 = "if ( ( (isset($http_auth_user) ) && (isset($http_auth_pass)) ) && ( !isset(" condition: 2 of them } rule webshell_jsp_reverse_jsp_reverse_jspbd { meta: 
description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp" author = "Florian Roth" date = "2014/01/28" super_rule = 1 hash0 = "8b0e6779f25a17f0ffb3df14122ba594" hash1 = "ea87f0c1f0535610becadf5a98aca2fc" hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f" score = 50 strings: $s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword $s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword $s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword condition: all of them } rule webshell_Inderxer { meta: description = "Web Shell - file Inderxer.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "9ea82afb8c7070817d4cdf686abe0300" strings: $s4 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ" condition: all of them } rule webshell_webshells_new_Asp { meta: description = "Web shells - generated from file Asp.asp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "32c87744ea404d0ea0debd55915010b7" strings: $s1 = "Execute MorfiCoder(\")/*/z/*/(tseuqer lave\")" fullword $s2 = "Function MorfiCoder(Code)" fullword $s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),\"/*/\",\"\"\"\"),\"\\*\\\",vbCrlf)" fullword condition: 1 of them } rule webshell_Crystal_Crystal { meta: description = "Web Shell - file Crystal.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "fdbf54d5bf3264eb1c4bff1fac548879" strings: $s1 = "show opened ports</option></select><input type=\"hidden\" name=\"cmd_txt\" value" $s6 = "\" href=\"?act=tools\"><font color=#CC0000 size=\"3\">Tools</font></a></span></f" condition: all of them } rule rst_sql_php_php { meta: description = "Semi-Auto-generated - file rst_sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0961641a4ab2b8cb4d2beca593a92010" strings: $s0 = "C:\\tmp\\dump_" $s1 = "RST MySQL" $s2 = "http://rst.void.ru" $s3 = 
"$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';" condition: 2 of them } rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 { meta: description = "Detects Webshell - rule generated from from files acid.php, FaTaLisTiCz_Fx.txt, fx.txt, p0isoN.sh3ll.txt, x0rg.byp4ss.txt" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549" hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc" hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791" hash4 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f" hash5 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd" strings: $s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii $s2 = "foreach($quicklaunch2 as $item) {" fullword ascii condition: filesize < 882KB and all of them } rule HYTop_CaseSwitch_2005 { meta: description = "Webshells Auto-generated - file 2005.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "8bf667ee9e21366bc0bd3491cb614f41" strings: $s1 = "MSComDlg.CommonDialog" $s2 = "CommonDialog1" $s3 = "__vbaExceptHandler" $s4 = "EVENT_SINK_Release" $s5 = "EVENT_SINK_AddRef" $s6 = "By Marcos" $s7 = "EVENT_SINK_QueryInterface" $s8 = "MethCallEngine" condition: all of them } /* NOTE(review): this rule and WebShell_Uploader (later in the file) match the identical single string; keep one of them (or merge the hashes into one meta block) so the set does not fire twice on the same sample. */ rule uploader { meta: description = "Webshells Auto-generated - file uploader.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b9a9aab319964351b46bd5fc9d6246a8" strings: $s0 = "move_uploaded_file($userfile, \"entrika.php\"); " condition: all of them } rule webshell_jsp_cmd { meta: description = "Web Shell - file cmd.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "5391c4a8af1ede757ba9d28865e75853" strings: $s6 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword condition: all of 
them } rule webshell_browser_201_3_ma_ma2_download { meta: description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "37603e44ee6dc1c359feb68a0d566f76" hash1 = "a7e25b8ac605753ed0c438db93f6c498" hash2 = "fb8c6c3a69b93e5e7193036fd31a958d" hash3 = "4cc68fa572e88b669bce606c7ace0ae9" hash4 = "4b45715fa3fa5473640e17f49ef5513d" hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a" strings: $s1 = "private static final int EDITFIELD_ROWS = 30;" fullword $s2 = "private static String tempdir = \".\";" fullword $s6 = "<input type=\"hidden\" name=\"dir\" value=\"<%=request.getAttribute(\"dir\")%>\"" condition: 2 of them } rule WebShell_php_webshells_lostDC { meta: description = "PHP Webshells Github Archive - file lostDC.php" author = "Florian Roth" hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde" strings: $s0 = "$info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';" fullword $s4 = "header ( \"Content-Description: Download manager\" );" fullword $s5 = "print \"<center>[ Generation time: \".round(getTime()-startTime,4).\" second" $s9 = "if (mkdir($_POST['dir'], 0777) == false) {" fullword $s12 = "$ret = shellexec($command);" fullword condition: 2 of them } rule asp_shell : webshell { meta: description = "Laudanum Injector Tools - file shell.asp" author = "Florian Roth" reference = "http://laudanum.inguardians.com/" date = "2015-06-22" hash = "8bf1ff6f8edd45e3102be5f8a1fe030752f45613" strings: $s1 = "<form action=\"shell.asp\" method=\"POST\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "%ComSpec% /c dir" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "Set objCmd = wShell.Exec(cmd)" fullword ascii /* PEStudio Blacklist: strings */ $s4 = "Server.ScriptTimeout = 180" fullword ascii /* PEStudio Blacklist: strings */ $s5 = "cmd = Request.Form(\"cmd\")" fullword ascii /* PEStudio Blacklist: strings */ $s6 = "' *** 
http://laudanum.secureideas.net" fullword ascii $s7 = "Dim wshell, intReturn, strPResult" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 15KB and 4 of them } rule webshell_asp_01 { meta: description = "Web Shell - file 01.asp" author = "Florian Roth" date = "2014/01/28" score = 50 hash = "61a687b0bea0ef97224c7bd2df118b87" strings: $s0 = "<%eval request(\"pass\")%>" fullword condition: all of them } rule eBayId_index3 { meta: description = "Webshells Auto-generated - file index3.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "0412b1e37f41ea0d002e4ed11608905f" strings: $s8 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You" condition: all of them } rule webshell_jspShell { meta: description = "Web Shell - file jspShell.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "0d5b5a17552254be6c1c8f1eb3a5fdc1" strings: $s0 = "<input type=\"checkbox\" name=\"autoUpdate\" value=\"AutoUpdate\" on" $s1 = "onblur=\"document.shell.autoUpdate.checked= this.oldValue;" condition: all of them } rule webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx { meta: description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, t00ls.jsp, u.jsp, xia.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "2eeb8bf151221373ee3fd89d58ed4d38" hash1 = "059058a27a7b0059e2c2f007ad4675ef" hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf" hash3 = "76037ebd781ad0eac363d56fc81f4b4f" hash4 = "8b457934da3821ba58b06a113e0d53d9" hash5 = "fc44f6b4387a2cb50e1a63c66a8cb81c" hash6 = "14e9688c86b454ed48171a9d4f48ace8" hash7 = "b330a6c2d49124ef0729539761d6ef0b" hash8 = "d71716df5042880ef84427acee8b121e" hash9 = 
"341298482cf90febebb8616426080d1d" hash10 = "29aebe333d6332f0ebc2258def94d57e" hash11 = "42654af68e5d4ea217e6ece5389eb302" hash12 = "88fc87e7c58249a398efd5ceae636073" hash13 = "4a812678308475c64132a9b56254edbc" hash14 = "9626eef1a8b9b8d773a3b2af09306a10" hash15 = "344f9073576a066142b2023629539ebd" hash16 = "32dea47d9c13f9000c4c807561341bee" hash17 = "90a5ba0c94199269ba33a58bc6a4ad99" hash18 = "655722eaa6c646437c8ae93daac46ae0" hash19 = "b9744f6876919c46a29ea05b1d95b1c3" hash20 = "9c94637f76e68487fa33f7b0030dd932" hash21 = "6acc82544be056580c3a1caaa4999956" hash22 = "6aa32a6392840e161a018f3907a86968" hash23 = "349ec229e3f8eda0f9eb918c74a8bf4c" hash24 = "3ea688e3439a1f56b16694667938316d" hash25 = "ab77e4d1006259d7cbc15884416ca88c" hash26 = "71097537a91fac6b01f46f66ee2d7749" hash27 = "2434a7a07cb47ce25b41d30bc291cacc" hash28 = "7a4b090619ecce6f7bd838fe5c58554b" strings: $s8 = "\"<form action=\\\"\"+SHELL_NAME+\"?o=upload\\\" method=\\\"POST\\\" enctype=" $s9 = "<option value='reg query \\\"HKLM\\\\System\\\\CurrentControlSet\\\\Control\\\\T" condition: all of them } rule phpjackal_php { meta: description = "Semi-Auto-generated - file phpjackal.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ab230817bcc99acb9bdc0ec6d264d76f" strings: $s3 = "$dl=$_REQUEST['downloaD'];" $s4 = "else shelL(\"perl.exe $name $port\");" condition: 1 of them } rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz { meta: description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "791708057d8b429d91357d38edf43cc0" hash1 = "b68bfafc6059fd26732fa07fb6f7f640" hash2 = "42f211cec8032eb0881e87ebdb3d7224" hash3 = "40a1f840111996ff7200d18968e42cfe" hash4 = "e0202adff532b28ef1ba206cf95962f2" hash5 = "0712e3dc262b4e1f98ed25760b206836" hash6 = 
"802f5cae46d394b297482fd0c27cb2fc" strings: $s0 = "$mainpath_info = explode('/', $mainpath);" fullword $s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d" condition: all of them } rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT { meta: description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php" author = "Florian Roth" hash = "31e5473920a2cc445d246bc5820037d8fe383201" strings: $s4 = "$content = chunk_split(base64_encode($content)); " fullword $s12 = "print \"Sending mail to $to....... \"; " fullword $s16 = "if (!$from && !$subject && !$message && !$emaillist){ " fullword condition: all of them } rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 { meta: description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php" author = "Florian Roth" hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25" strings: $s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword $s3 = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword $s4 = "$v = @ini_get(\"open_basedir\");" fullword $s6 = "by PHP Emperor<xb5@hotmail.com>" fullword condition: 2 of them } rule WebShell_Generic_PHP_8 { meta: description = "PHP Webshells Github Archive - from files Macker's Private PHPShell.php, PHP Shell.php, Safe0ver Shell -Safe Mod Bypass By Evilc0der.php" author = "Florian Roth" super_rule = 1 hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99" hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e" hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3" strings: $s1 = "elseif ( $cmd==\"file\" ) { /* <!-- View a file in text --> */" fullword $s2 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword $s3 = "/* I added this to ensure the script will run correctly..." 
fullword $s14 = "<!-- </form> -->" fullword $s15 = "<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\">" fullword $s20 = "elseif ( $cmd==\"downl\" ) { /*<!-- Save the edited file back to a file --> */" fullword condition: 3 of them } rule Webshell_acid_AntiSecShell_3 { meta: description = "Detects Webshell Acid" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4" hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549" hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092" hash4 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5" hash5 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c" hash6 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06" hash7 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596" hash8 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9" hash9 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1" hash10 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a" hash11 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966" hash12 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96" hash13 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc" hash14 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791" hash15 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f" hash16 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f" hash17 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5" hash18 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd" strings: $s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii $s1 = "if (!is_readable($o)) {return \"<font 
color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii condition: filesize < 900KB and all of them } /* NOTE(review): the single string here is a common PHP prologue (error_reporting(0) + session_start() + a Content-type header) that benign applications also emit, so hits need triage; the score of 50 is consistent with that. */ rule webshell_webshells_new_make2 { meta: description = "Web shells - generated from file make2.php" author = "Florian Roth" date = "2014/03/28" hash = "9af195491101e0816a263c106e4c145e" score = 50 strings: $s1 = "error_reporting(0);session_start();header(\"Content-type:text/html;charset=utf-8" condition: all of them } /* NOTE(review): the five strings below look like non-ASCII text that was rendered through a different code page (presumably the original JSP is in a CJK encoding); they only match a sample stored in exactly that byte form, so treat this rule as tied to the listed hash rather than as a family detection — confirm against the upstream sample. */ rule webshell_jsp_jshell { meta: description = "Web Shell - file jshell.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "124b22f38aaaf064cef14711b2602c06" strings: $s0 = "kXpeW[\"" fullword $s4 = "[7b:g0W@W<" fullword $s5 = "b:gHr,g<" fullword $s8 = "RhV0W@W<" fullword $s9 = "S_MR(u7b" fullword condition: all of them } rule down_rar_Folder_down { meta: description = "Webshells Auto-generated - file down.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "db47d7a12b3584a2e340567178886e71" strings: $s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\" & Snet.ComputerName &" condition: all of them } rule Casus15_php_php { meta: description = "Semi-Auto-generated - file Casus15.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5e2ede2d1c4fa1fcc3cbfe0c005d7b13" strings: $s0 = "copy ( $dosya_gonder2, \"$dir/$dosya_gonder2_name\") ? 
print(\"$dosya_gonder2_na" $s2 = "echo \"<center><font size='$sayi' color='#FFFFFF'>HACKLERIN<font color='#008000'" $s3 = "value='Calistirmak istediginiz " condition: 1 of them } /* NOTE(review): the condition pins filesize to a narrow 570-800 byte window, so any sample outside that range is silently missed even when $php and all of $s* match; document where the bounds come from, or widen them and rely on the regexes for precision. */ rule Weevely_Webshell : webshell { meta: description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell" author = "Florian Roth" reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html" date = "2014/12/14" score = 60 strings: $php = "<?php" ascii $s0 = /\$[a-z]{4} = \$[a-z]{4}\("[a-z][a-z]?",[\s]?"",[\s]?"/ ascii $s1 = /\$[a-z]{4} = str_replace\("[a-z][a-z]?","","/ ascii $s2 = /\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\.\$[a-z]{4}\)\)\); \$[a-z]{4}\(\);/ ascii $s4 = /\$[a-z]{4}="[a-zA-Z0-9]{70}/ ascii condition: $php at 0 and all of ($s*) and filesize > 570 and filesize < 800 } rule webshell_c99_c66_c99_shadows_mod_c99shell { meta: description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "61a92ce63369e2fa4919ef0ff7c51167" hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b" hash2 = "68c0629d08b1664f5bcce7d7f5f71d22" hash3 = "048ccc01b873b40d57ce25a4c56ea717" strings: $s2 = " if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv" $s3 = " \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword $s4 = "<br><TABLE style=\"BORDER-COLLAPSE: collapse\" cellSpacing=0 borderColorDark=#66" $s7 = " elseif (!$data = c99getsource($bind[\"src\"])) {echo \"Can't download sources" $s8 = " \"c99sh_datapipe.pl\"=>array(\"Using PERL\",\"perl %path %localport %remotehos" $s9 = " elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!" 
condition: 2 of them } rule webshell_wsb_idc { meta: description = "Web Shell - file idc.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "7c5b1b30196c51f1accbffb80296395f" strings: $s1 = "if (md5($_GET['usr'])==$user && md5($_GET['pass'])==$pass)" fullword $s3 = "{eval($_GET['idc']);}" fullword condition: 1 of them } rule cmdjsp_jsp { meta: description = "Semi-Auto-generated - file cmdjsp.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b815611cc39f17f05a73444d699341d4" strings: $s0 = "// note that linux = cmd and windows = \"cmd.exe /c + cmd\" " fullword $s1 = "Process p = Runtime.getRuntime().exec(\"cmd.exe /C \" + cmd);" fullword $s2 = "cmdjsp.jsp" $s3 = "michaeldaw.org" fullword condition: 2 of them } rule webshell_PHP_150 { meta: description = "Web Shell - file 150.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "400c4b0bed5c90f048398e1d268ce4dc" strings: $s0 = "HJ3HjqxclkZfp" $s1 = "<? eval(gzinflate(base64_decode('" fullword condition: all of them } rule multiple_webshells_0031 { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_r577_php_php_r57_php_php_spy_php_php_s_php_php" hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash2 = "eed14de3907c9aa2550d95550d1a2d5f" hash3 = "817671e1bdc85e04cc3440bbd9288800" strings: $s0 = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword $s2 = "'eng_text30'=>'Cat file'," fullword $s3 = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword condition: 1 of them } rule webshell_Dx_Dx { meta: description = "Web Shell - file Dx.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "9cfe372d49fe8bf2fac8e1c534153d9b" strings: $s1 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx" $s9 = 
"class=linelisting><nobr>POST (php eval)</td><" condition: 1 of them } rule webshell_jsp_zx { meta: description = "Web Shell - file zx.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "67627c264db1e54a4720bd6a64721674" strings: $s0 = "if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application.g" condition: all of them } rule webshell_jsp_guige { meta: description = "Web Shell - file guige.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "2c9f2dafa06332957127e2c713aacdd2" strings: $s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null" condition: all of them } /* NOTE(review): this rule overlaps with WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 earlier in the file (same tool, different generator and hash); both can stay, but their scores and descriptions should be aligned so that a double hit is not read as two independent detections. */ rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php { meta: description = "Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "49ad9117c96419c35987aaa7e2230f63" strings: $s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy" $s1 = "Mode Shell v1.0</font></span>" $s2 = "has been already loaded. PHP Emperor <xb5@hotmail." 
condition: 1 of them } rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc { meta: description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "36331f2c81bad763528d0ae00edf55be" hash1 = "793b3d0a740dbf355df3e6f68b8217a4" hash2 = "8979594423b68489024447474d113894" hash3 = "ec482fc969d182e5440521c913bab9bd" hash4 = "f98d2b33cd777e160d1489afed96de39" hash5 = "4b4c12b3002fad88ca6346a873855209" hash6 = "e9a5280f77537e23da2545306f6a19ad" hash7 = "598eef7544935cf2139d1eada4375bb5" strings: $s0 = "sbFolder.append(\"<tr><td > </td><td>\");" fullword $s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword $s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword $s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword condition: 2 of them } rule shell_php_php { meta: description = "Semi-Auto-generated - file shell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "1a95f0163b6dea771da1694de13a3d8d" strings: $s1 = "/* We have found the parent dir. 
We must be carefull if the parent " fullword $s2 = "$tmpfile = tempnam('/tmp', 'phpshell');" $s3 = "if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {" fullword condition: 1 of them } rule FSO_s_indexer_2 { meta: description = "Webshells Auto-generated - file indexer.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "135fc50f85228691b401848caef3be9e" strings: $s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>" condition: all of them } rule webshell_jsp_tree { meta: description = "Web Shell - file tree.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "bcdf7bbf7bbfa1ffa4f9a21957dbcdfa" strings: $s5 = "$('#tt2').tree('options').url = \"selectChild.action?checki" $s6 = "String basePath = request.getScheme()+\"://\"+request.getServerName()+\":\"+requ" condition: all of them } rule webshell_mumaasp_com { meta: description = "Web Shell - file mumaasp.com.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "cce32b2e18f5357c85b6d20f564ebd5d" strings: $s0 = "&9K_)P82ai,A}I92]R\"q!C:RZ}S6]=PaTTR" condition: all of them } rule webshell_webshells_new_asp1 { meta: description = "Web shells - generated from file asp1.asp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "b63e708cd58ae1ec85cf784060b69cad" strings: $s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword $s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword condition: 1 of them } /* NOTE(review): duplicates rule uploader earlier in the file (identical $s1 / $s0 pattern); consolidate into one rule. */ rule WebShell_Uploader { meta: description = "PHP Webshells Github Archive - file Uploader.php" author = "Florian Roth" hash = "e216c5863a23fde8a449c31660fd413d77cce0b7" strings: $s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword condition: all of them } rule asp_proxy : webshell { meta: description = "Laudanum Injector Tools - file proxy.asp" author = "Florian Roth" reference = "http://laudanum.inguardians.com/" date = "2015-06-22" hash = 
"51e97040d1737618b1775578a772fa6c5a31afd8" strings: $s1 = "'response.write \"<br/> -value:\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" fullword ascii $s4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" fullword ascii /* PEStudio Blacklist: strings */ $s5 = "s = urlscheme & urlhost & urlport & urlpath" fullword ascii /* PEStudio Blacklist: strings */ $s6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 50KB and all of them } /* NOTE(review): three of the four strings are opaque byte fragments rather than readable artifacts, so this rule is effectively a hash-equivalent for the one binary in meta and will not generalise to other builds; label it as such so analysts do not expect family coverage. */ rule ZXshell2_0_rar_Folder_nc { meta: description = "Webshells Auto-generated - file nc.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "2cd1bf15ae84c5f6917ddb128827ae8b" strings: $s0 = "WSOCK32.dll" $s1 = "?bSUNKNOWNV" $s7 = "p@gram Jm6h)" $s8 = "ser32.dllCONFP@" condition: all of them } rule phpspy_2005_full { meta: description = "Webshells Auto-generated - file phpspy_2005_full.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "d1c69bb152645438440e6c903bac16b2" strings: $s7 = "echo \" <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco" condition: all of them } rule webshell_caidao_shell_hkmjj { meta: description = "Web Shell - file hkmjj.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "e7b994fe9f878154ca18b7cde91ad2d0" strings: $s6 = "codeds=\"Li#uhtxhvw+%{{%,#@%{%#wkhq#hydo#uhtxhvw+%knpmm%,#hqg#li\" " fullword condition: all of them } rule backup_php_often_with_c99shell { meta: description = "Semi-Auto-generated - file backup.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "aeee3bae226ad57baf4be8745c3f6094" strings: $s0 = "#phpMyAdmin MySQL-Dump" fullword $s2 = ";db_connect();header('Content-Type: application/octetstr" $s4 = 
"$data .= \"#Database: $database" fullword condition: all of them } rule JspWebshell_1_2_jsp { meta: description = "Semi-Auto-generated - file JspWebshell 1.2.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "70a0ee2624e5bbe5525ccadc467519f6" strings: $s0 = "JspWebshell" $s1 = "CreateAndDeleteFolder is error:" $s2 = "<td width=\"70%\" height=\"22\"> <%=env.queryHashtable(\"java.c" $s3 = "String _password =\"111\";" condition: 2 of them } rule webshell_asp_ajn { meta: description = "Web Shell - file ajn.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "aaafafc5d286f0bff827a931f6378d04" strings: $s1 = "seal.write \"Set WshShell = CreateObject(\"\"WScript.Shell\"\")\" & vbcrlf" fullword $s6 = "seal.write \"BinaryStream.SaveToFile \"\"c:\\downloaded.zip\"\", adSaveCreateOve" condition: all of them } rule webshell_2_520_icesword_job_ma1_ma4_2 { meta: description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "64a3bf9142b045b9062b204db39d4d57" hash1 = "9abd397c6498c41967b4dd327cf8b55a" hash2 = "077f4b1b6d705d223b6d644a4f3eebae" hash3 = "56c005690da2558690c4aa305a31ad37" hash4 = "532b93e02cddfbb548ce5938fe2f5559" hash5 = "6e0fa491d620d4af4b67bae9162844ae" hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd" strings: $s2 = "private String[] _textFileTypes = {\"txt\", \"htm\", \"html\", \"asp\", \"jsp\"," $s3 = "\\\" name=\\\"upFile\\\" size=\\\"8\\\" class=\\\"textbox\\\" /> <input typ" $s9 = "if (request.getParameter(\"password\") == null && session.getAttribute(\"passwor" condition: all of them } rule FSO_s_tool { meta: description = "Webshells Auto-generated - file tool.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "3a1e1e889fdd974a130a6a767b42655b" strings: $s7 = "\"\"%windir%\\\\calc.exe\"\")" condition: all of them } rule remview_2003_04_22 { meta: description = "Webshells Auto-generated 
- file remview_2003_04_22.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "17d3e4e39fbca857344a7650f7ea55e3" strings: $s1 = "\"<b>\".mm(\"Eval PHP code\").\"</b> (\".mm(\"don't type\").\" \\\"<?\\\"" condition: all of them } rule Test_php_php { meta: description = "Semi-Auto-generated - file Test.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "77e331abd03b6915c6c6c7fe999fcb50" strings: $s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword $s2 = "fwrite ($fp, \"$yazi\");" fullword $s3 = "$entry_line=\"HACKed by EntriKa\";" fullword condition: 1 of them } rule FeliksPack3___PHP_Shells_r57 { meta: description = "Webshells Auto-generated - file r57.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "903908b77a266b855262cdbce81c3f72" strings: $s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']." condition: all of them } rule WebShell_hiddens_shell_v1 { meta: description = "PHP Webshells Github Archive - file hiddens shell v1.php" author = "Florian Roth" hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59" strings: $s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U" condition: all of them } rule connector { meta: description = "Webshells Auto-generated - file connector.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "3ba1827fca7be37c8296cd60be9dc884" strings: $s2 = "If ( AttackID = BROADCAST_ATTACK )" $s4 = "Add UNIQUE ID for victims / zombies" condition: all of them } rule fire2013 : webshell { meta: author = "Vlad https://github.com/vlad-s" date = "2016/07/18" description = "Catches a webshell" strings: $a = "eval(\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61" $b = "yc0CJYb+O//Xgj9/y+U/dd//vkf'\\x29\\x29\\x29\\x3B\")" condition: all of them } rule WebShell_php_webshells_spygrup { meta: description = "PHP Webshells Github Archive - file spygrup.php" author = "Florian Roth" hash = "12f9105332f5dc5d6360a26706cd79afa07fe004" strings: 
$s2 = "kingdefacer@msn.com</FONT></CENTER></B>\");" fullword $s6 = "if($_POST['root']) $root = $_POST['root'];" fullword $s12 = "\".htmlspecialchars($file).\" Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>" fullword $s18 = "By KingDefacer From Spygrup.org>" fullword condition: 3 of them } rule HawkEye_PHP_Panel { meta: description = "Detects HawkEye Keyloggers PHP Panel" author = "Florian Roth" date = "2014/12/14" score = 60 strings: $s0 = "$fname = $_GET['fname'];" ascii fullword $s1 = "$data = $_GET['data'];" ascii fullword $s2 = "unlink($fname);" ascii fullword $s3 = "echo \"Success\";" fullword ascii condition: all of ($s*) and filesize < 600 } rule webshell_404_data_in_JFolder_jfolder01_xxx { meta: description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "7066f4469c3ec20f4890535b5f299122" hash1 = "9f54aa7b43797be9bab7d094f238b4ff" hash2 = "793b3d0a740dbf355df3e6f68b8217a4" hash3 = "8979594423b68489024447474d113894" hash4 = "ec482fc969d182e5440521c913bab9bd" hash5 = "f98d2b33cd777e160d1489afed96de39" hash6 = "4b4c12b3002fad88ca6346a873855209" hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7" hash8 = "e9a5280f77537e23da2545306f6a19ad" strings: $s4 = " <TEXTAREA NAME=\"cqq\" ROWS=\"20\" COLS=\"100%\"><%=sbCmd.toString()%></TE" condition: all of them } rule webshell_c99_locus7s_c99_w4cking_xxx { meta: description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "38fd7e45f9c11a37463c3ded1c76af4c" hash1 = "9c34adbc8fd8d908cbb341734830f971" hash2 = "ef43fef943e9df90ddb6257950b3538f" hash3 = "ae025c886fbe7f9ed159f49593674832" hash4 = 
"911195a9b7c010f61b66439d9048f400" hash5 = "697dae78c040150daff7db751fc0c03c" hash6 = "513b7be8bd0595c377283a7c87b44b2e" hash7 = "1d912c55b96e2efe8ca873d6040e3b30" hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a" hash9 = "4108f28a9792b50d95f95b9e5314fa1e" hash10 = "b8f261a3cdf23398d573aaf55eaf63b5" hash11 = "0d2c2c151ed839e6bafc7aa9c69be715" hash12 = "41af6fd253648885c7ad2ed524e0692d" hash13 = "6fcc283470465eed4870bcc3e2d7f14d" strings: $s1 = "$res = @shell_exec($cfe);" fullword $s8 = "$res = @ob_get_contents();" fullword $s9 = "@exec($cfe,$res);" fullword condition: 2 of them } rule FSO_s_zehir4_2 { meta: description = "Webshells Auto-generated - file zehir4.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "5b496a61363d304532bcf52ee21f5d55" strings: $s4 = "\"Program Files\\Serv-u\\Serv" condition: all of them } rule FSO_s_RemExp_2 { meta: description = "Webshells Auto-generated - file RemExp.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b69670ecdbb40012c73686cd22696eeb" strings: $s2 = " Then Response.Write \"" $s3 = "<a href= \"<%=Request.ServerVariables(\"script_name\")%>" condition: all of them } rule WebShell_php_webshells_cw { meta: description = "PHP Webshells Github Archive - file cw.php" author = "Florian Roth" hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf" strings: $s1 = "// Dump Database [pacucci.com]" fullword $s2 = "$dump = \"-- Database: \".$_POST['db'] .\" \\n\";" fullword $s7 = "$aids = passthru(\"perl cbs.pl \".$_POST['connhost'].\" \".$_POST['connport']);" fullword $s8 = "<b>IP:</b> <u>\" . 
$_SERVER['REMOTE_ADDR'] .\"</u> - Server IP:</b> <a href='htt" $s14 = "$dump .= \"-- Cyber-Warrior.Org\\n\";" fullword $s20 = "if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)" fullword condition: 3 of them } rule uploader_php_php { meta: description = "Semi-Auto-generated - file uploader.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0b53b67bb3b004a8681e1458dd1895d0" strings: $s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword $s3 = "Send this file: <INPUT NAME=\"userfile\" TYPE=\"file\">" fullword $s4 = "<INPUT TYPE=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"100000\">" fullword condition: 2 of them } rule WebShell_Generic_PHP_9 { meta: description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php" author = "Florian Roth" super_rule = 1 hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18" hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2" hash2 = "0daed818cac548324ad0c5905476deef9523ad73" strings: $s2 = ":<b>\" .base64_decode($_POST['tot']). \"</b>\";" fullword $s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword $s12 = "if (!empty($_POST['c'])){" fullword $s13 = "passthru($_POST['c']);" fullword $s16 = "<input type=\"radio\" name=\"tac\" value=\"1\">B64 Decode<br>" fullword $s20 = "<input type=\"radio\" name=\"tac\" value=\"3\">md5 Hash" fullword condition: 3 of them } rule Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php { meta: description = "Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "6163b30600f1e80d2bb5afaa753490b6" strings: $s0 = "Safe0ver" fullword $s1 = "Script Gecisi Tamamlayamadi!" 
$s2 = "document.write(unescape('%3C%68%74%6D%6C%3E%3C%62%6F%64%79%3E%3C%53%43%52%49%50%" condition: 1 of them } rule Release_dllTest { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "76a59fc3242a2819307bb9d593bef2e0" strings: $s0 = ";;;Y;`;d;h;l;p;t;x;|;" $s1 = "0 0&00060K0R0X0f0l0q0w0" $s2 = ": :$:(:,:0:4:8:D:`=d=" $s3 = "4@5P5T5\\5T7\\7d7l7t7|7" $s4 = "1,121>1C1K1Q1X1^1e1k1s1y1" $s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9" $s6 = "0)0O0\\0a0o0\"1E1P1q1" $s7 = "<.<I<d<h<l<p<t<x<|<" $s8 = "3&31383>3F3Q3X3`3f3w3|3" $s9 = "8@;D;H;L;P;T;X;\\;a;9=W=z=" condition: all of them } rule webshell_000_403_c5_queryDong_spyjsp2010_t00ls { meta: description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "2eeb8bf151221373ee3fd89d58ed4d38" hash1 = "059058a27a7b0059e2c2f007ad4675ef" hash2 = "8b457934da3821ba58b06a113e0d53d9" hash3 = "90a5ba0c94199269ba33a58bc6a4ad99" hash4 = "655722eaa6c646437c8ae93daac46ae0" hash5 = "9c94637f76e68487fa33f7b0030dd932" strings: $s8 = "table.append(\"<td nowrap> <a href=\\\"#\\\" onclick=\\\"view('\"+tbName+\"')" $s9 = "\"<p><input type=\\\"hidden\\\" name=\\\"selectDb\\\" value=\\\"\"+selectDb+\"" condition: all of them } rule WebShell_php_webshells_cpanel { meta: description = "PHP Webshells Github Archive - file cpanel.php" author = "Florian Roth" hash = "433dab17106b175c7cf73f4f094e835d453c0874" strings: $s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword $s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword $s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword $s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword $s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir" $s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword condition: 2 of 
them } rule WebShell_Generic_PHP_4 { meta: description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php" author = "Florian Roth" super_rule = 1 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a" hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241" hash2 = "86bc40772de71b1e7234d23cab355e1ff80c474d" hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791" hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de" strings: $s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword $s2 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-';" fullword $s5 = "$owner[\"execute\"] = ($mode & 00100) ? 'x' : '-';" fullword $s6 = "$world[\"write\"] = ($mode & 00002) ? 'w' : '-';" fullword $s7 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-';" fullword $s10 = "foreach ($arr as $filename) {" fullword $s19 = "else if( $mode & 0x6000 ) { $type='b'; }" fullword condition: all of them } rule webshell_PHP_r57142 { meta: description = "Web Shell - file r57142.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "0911b6e6b8f4bcb05599b2885a7fe8a8" strings: $s0 = "$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');" fullword condition: all of them } rule php_backdoor_php { meta: description = "Semi-Auto-generated - file php-backdoor.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7" strings: $s0 = "http://michaeldaw.org 2006" $s1 = "or http://<? 
echo $SERVER_NAME.$REQUEST_URI; ?>?d=c:/windows on win" $s3 = "coded by z0mbie" condition: 1 of them } rule webshell_metaslsoft { meta: description = "Web Shell - file metaslsoft.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "aa328ed1476f4a10c0bcc2dde4461789" strings: $s7 = "$buff .= \"<tr><td><a href=\\\"?d=\".$pwd.\"\\\">[ $folder ]</a></td><td>LINK</t" condition: all of them } rule PHANTASMA_php { meta: description = "Semi-Auto-generated - file PHANTASMA.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "52779a27fa377ae404761a7ce76a5da7" strings: $s0 = ">[*] Safemode Mode Run</DIV>" $s1 = "$file1 - $file2 - <a href=$SCRIPT_NAME?$QUERY_STRING&see=$file>$file</a><br>" $s2 = "[*] Spawning Shell" $s3 = "Cha0s" condition: 2 of them } rule webshell_Macker_s_Private_PHPShell { meta: description = "Web Shell - file Macker's Private PHPShell.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "e24cbf0e294da9ac2117dc660d890bb9" strings: $s3 = "echo \"<tr><td class=\\\"silver border\\\"> <strong>Server's PHP Version:&n" $s4 = "  <?php echo buildUrl(\"<font color=\\\"navy\\\">[" $s7 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type=" condition: all of them } rule multiple_webshells_0009 { meta: description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt, c99shell_v1.0.php.php.txt, c99php.txt, SpecialShell_99.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php" hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "d8ae5819a0a2349ec552cbcf3a62c975" hash4 = "9e9ae0332ada9c3797d6cee92c2ede62" hash5 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "$sess_data[\"cut\"] = array(); c99_s" 
$s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))" condition: 1 of them } rule webshell_GetPostpHp { meta: description = "Web shells - generated from file GetPostpHp.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "20ede5b8182d952728d594e6f2bb5c76" strings: $s0 = "<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>" fullword condition: all of them } rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx { meta: description = "Web Shell - from files gfs_sh.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, r57.php, Backdoor.PHP.Agent.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4" hash1 = "ef43fef943e9df90ddb6257950b3538f" hash2 = "ae025c886fbe7f9ed159f49593674832" hash3 = "911195a9b7c010f61b66439d9048f400" hash4 = "697dae78c040150daff7db751fc0c03c" hash5 = "513b7be8bd0595c377283a7c87b44b2e" hash6 = "1d912c55b96e2efe8ca873d6040e3b30" hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a" hash8 = "4108f28a9792b50d95f95b9e5314fa1e" hash9 = "41af6fd253648885c7ad2ed524e0692d" hash10 = "6fcc283470465eed4870bcc3e2d7f14d" strings: $s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI" $s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC" condition: all of them } rule webshell_asp_shell : webshell { meta: description = "Web Shell - file shell.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "e63f5a96570e1faf4c7b8ca6df750237" strings: $s7 = "<input type=\"submit\" name=\"Send\" value=\"GO!\">" fullword $s8 = "<TEXTAREA NAME=\"1988\" ROWS=\"18\" COLS=\"78\"></TEXTAREA>" fullword condition: all of them } rule multiple_webshells_0018 { meta: description = "Semi-Auto-generated - from files webadmin.php.php.txt, iMHaPFtp.php.php.txt, Private-i3lue.php.txt" author = "Neo23x0 Yara BRG + customization by 
Stefan -dfate- Molls" super_rule = 1 was = "_webadmin_php_php_iMHaPFtp_php_php_Private_i3lue_php" hash0 = "b268e6fa3bf3fe496cffb4ea574ec4c7" hash1 = "12911b73bc6a5d313b494102abcf5c57" hash2 = "13f5c7a035ecce5f9f380967cf9d4e92" strings: $s0 = "return $type . $owner . $group . $other;" fullword $s1 = "$owner = ($mode & 00400) ? 'r' : '-';" fullword condition: all of them } rule shells_PHP_wso { meta: description = "Semi-Auto-generated - file wso.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "33e2891c13b78328da9062fbfcf898b6" strings: $s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi" $s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos" condition: 1 of them } rule multiple_webshells_0015 { meta: description = "Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_wacking_php_php_1_SpecialShell_99_php_php_c100_php" hash0 = "9c5bb5e3a46ec28039e8986324e42792" hash1 = "44542e5c3e9790815c49d5f9beffbbf2" hash2 = "09609851caa129e40b0d56e90dfc476c" hash3 = "38fd7e45f9c11a37463c3ded1c76af4c" strings: $s0 = "if(eregi(\"./shbd $por\",$scan))" $s1 = "$_POST['backconnectip']" $s2 = "$_POST['backcconnmsg']" condition: 1 of them } rule webshell_jsp_list1 { meta: description = "Web Shell - file list1.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "8d9e5afa77303c9c01ff34ea4e7f6ca6" strings: $s1 = "case 's':ConnectionDBM(out,encodeChange(request.getParameter(\"drive" $s9 = "return \"<a href=\\\"javascript:delFile('\"+folderReplace(file)+\"')\\\"" condition: all of them } rule byshell063_ntboot_2 { meta: description = "Webshells Auto-generated - file ntboot.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d" strings: $s6 = "OK,job was done,cuz we have localsystem & 
SE_DEBUG_NAME:)" condition: all of them } rule phpshell_3 { meta: description = "Webshells Auto-generated - file phpshell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "e8693a2d4a2ffea4df03bb678df3dc6d" strings: $s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" $s5 = " echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" condition: all of them } rule php_in_image { meta: author = "Vlad https://github.com/vlad-s" date = "2016/07/18" description = "Finds image files w/ PHP code in images" strings: $gif = /^GIF8[79]a/ $jfif = { ff d8 ff e? 00 10 4a 46 49 46 } $png = { 89 50 4e 47 0d 0a 1a 0a } $php_tag = "<?php" condition: (($gif at 0) or ($jfif at 0) or ($png at 0)) and $php_tag } rule webshell_itsec_itsecteam_shell_jHn { meta: description = "Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "8ae9d2b50dc382f0571cd7492f079836" hash1 = "bd6d3b2763c705a01cc2b3f105a25fa4" hash2 = "40c6ecf77253e805ace85f119fe1cebb" strings: $s4 = "echo $head.\"<font face='Tahoma' size='2'>Operating System : \".php_uname().\"<b" $s5 = "echo \"<center><form name=client method='POST' action='$_SERVER[PHP_SELF]?do=db'" condition: all of them } rule Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php { meta: description = "Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c6eeacbe779518ea78b8f7ed5f63fc11" strings: $s0 = "<option value=\"cat /var/cpanel/accounting.log\">/var/cpanel/accounting.log</opt" $s1 = "Liz0ziM Private Safe Mode Command Execuriton Bypass" $s2 = "echo \"<b><font color=red>Kimim Ben :=)</font></b>:$uid<br>\";" fullword condition: 1 of them } rule WebShell_php_webshells_NGH { meta: description = "PHP Webshells Github Archive - file NGH.php" author = "Florian Roth" hash = 
"c05b5deecfc6de972aa4652cb66da89cfb3e1645" strings: $s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?>" fullword $s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword $s5 = "?act=bindshell method=POST>" fullword $s9 = "?act=backconnect method=POST>" fullword $s11 = "?act=mkdir method=POST>" fullword $s16 = "die(\"Login error\");" fullword $s20 = "Bind /bin/bash at port: " fullword condition: 2 of them } rule Asmodeus_v0_1_pl { meta: description = "Semi-Auto-generated - file Asmodeus v0.1.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0978b672db0657103c79505df69cb4bb" strings: $s0 = "[url=http://www.governmentsecurity.org" $s1 = "perl asmodeus.pl client 6666 127.0.0.1" $s2 = "print \"Asmodeus Perl Remote Shell" $s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword condition: 2 of them } rule WebShell_Generic_PHP_5 { meta: description = "PHP Webshells Github Archive - from files ex0shell.php, megabor.php, GRP WebShell 2.0 release build 2018 (C)2006,Great.php" author = "Florian Roth" super_rule = 1 hash0 = "64461ad8d8f23ea078201a31d747157f701a4e00" hash1 = "3df1afbcfa718da6fc8af27554834ff6d1a86562" hash2 = "ad86ef7f24f75081318146edc788e5466722a629" strings: $s0 = "(($perms & 0x0400) ? 'S' : '-'));" fullword $s10 = "} elseif (($perms & 0x8000) == 0x8000) {" fullword $s11 = "if (($perms & 0xC000) == 0xC000) {" fullword $s12 = "$info .= (($perms & 0x0008) ?" 
fullword $s16 = "// Block special" fullword $s18 = "$info = 's';" fullword condition: all of them } rule Pack_InjectT { meta: description = "Webshells Auto-generated - file InjectT.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "983b74ccd57f6195a0584cdfb27d55e8" strings: $s3 = "ail To Open Registry" $s4 = "32fDssignim" $s5 = "vide Internet S" $s6 = "d]Software\\M" $s7 = "TInject.Dll" condition: all of them } rule webshell_PHP_a : webshell { meta: description = "Web Shell - file a.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "e3b461f7464d81f5022419d87315a90d" strings: $s1 = "echo \"" $s4 = "

    " fullword condition: 2 of them } rule HYTop_DevPack_config { meta: description = "Webshells Auto-generated - file config.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b41d0e64e64a685178a3155195921d61" strings: $s0 = "const adminPassword=\"" $s2 = "const userPassword=\"" $s3 = "const mVersion=" condition: all of them } rule Rem_View_php_php { meta: description = "Semi-Auto-generated - file Rem View.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "29420106d9a81553ef0d1ca72b9934d9" strings: $s0 = "$php=\"/* line 1 */\\n\\n// \".mm(\"for example, uncomment next line\").\"" $s2 = " \".$pathname." condition: all of them } rule Unpack_Injectt { meta: description = "Webshells Auto-generated - file Injectt.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "8a5d2158a566c87edc999771e12d42c5" strings: $s2 = "%s -Run -->To Install And Run The Service" $s3 = "%s -Uninstall -->To Uninstall The Service" $s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN" condition: all of them } rule DxShell_php_php { meta: description = "Semi-Auto-generated - file DxShell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "33a2b31810178f4c2e71fbdeb4899244" strings: $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in POST (php eval)<" condition: 1 of them } rule FSO_s_zehir4 { meta: description = "Webshells Auto-generated - file zehir4.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "5b496a61363d304532bcf52ee21f5d55" strings: $s5 = " byMesaj " condition: all of them } rule shelltools_g0t_root_HideRun { meta: description = "Webshells Auto-generated - file HideRun.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "45436d9bfd8ff94b71eeaeb280025afe" strings: $s0 = "Usage -- hiderun [AppName]" $s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997." 
condition: all of them } rule telnetd_pl { meta: description = "Semi-Auto-generated - file telnetd.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5f61136afd17eb025109304bd8d6d414" strings: $s0 = "0ldW0lf" fullword $s1 = "However you are lucky :P" $s2 = "I'm FuCKeD" $s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#" $s4 = "atrix@irc.brasnet.org" condition: 1 of them } rule webshell_webshells_new_jspyyy { meta: description = "Web shells - generated from file jspyyy.jsp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "b291bf3ccc9dac8b5c7e1739b8fa742e" strings: $s0 = "<%@page import=\"java.io.*\"%><%if(request.getParameter(\"f\")" condition: all of them } rule FSO_s_indexer { meta: description = "Webshells Auto-generated - file indexer.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "135fc50f85228691b401848caef3be9e" strings: $s3 = "Nereye :Server Adress:User Info: ui" $s4 = "
    : Your Name Not Entered!

    Sorry, \\\"Your Name\\\" field is r" condition: all of them } rule multiple_webshells_0029 { meta: description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php" hash0 = "d8ae5819a0a2349ec552cbcf3a62c975" hash1 = "9e9ae0332ada9c3797d6cee92c2ede62" hash2 = "44542e5c3e9790815c49d5f9beffbbf2" hash3 = "d089e7168373a0634e1ac18c0ee00085" hash4 = "38fd7e45f9c11a37463c3ded1c76af4c" strings: $s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword condition: all of them } rule Moroccan_Spamers_Ma_EditioN_By_GhOsT_php { meta: description = "Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "d1b7b311a7ffffebf51437d7cd97dc65" strings: $s0 = ";$sd98=\"john.barker446@gmail.com\"" $s1 = "print \"Sending mail to $to....... \";" $s2 = "" fullword $s6 = "\" name=\"url" condition: all of them } rule webshell_PHP_sql : webshell { meta: description = "Web Shell - file sql.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "2cf20a207695bbc2311a998d1d795c35" strings: $s0 = "$result=mysql_list_tables($db) or die (\"$h_error\".mysql_error().\"$f_" $s4 = "print \"" condition: all of them } rule multiple_webshells_0007 { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 was = "_r577_php_php_spy_php_php_s_php_php" hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "eed14de3907c9aa2550d95550d1a2d5f" hash2 = "817671e1bdc85e04cc3440bbd9288800" strings: $s2 = "echo $te.\"
    " condition: 2 of them } rule shelltools_g0t_root_xwhois { meta: description = "Webshells Auto-generated - file xwhois.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "0bc98bd576c80d921a3460f8be8816b4" strings: $s1 = "rting! " $s2 = "aTypCog(" $s5 = "Diamond" $s6 = "r)r=rQreryr" condition: all of them } rule HYTop_DevPack_2005 { meta: description = "Webshells Auto-generated - file 2005.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "63d9fd24fa4d22a41fc5522fc7050f9f" strings: $s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")" $s8 = "scrollbar-darkshadow-color:#9C9CD3;" $s9 = "scrollbar-face-color:#E4E4F3;" condition: all of them } rule webshell_c99_madnet_smowu { meta: description = "Web Shell - file smowu.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "3aaa8cad47055ba53190020311b0fb83" strings: $s0 = "//Authentication" fullword $s1 = "$login = \"" fullword $s2 = "eval(gzinflate(base64_decode('" $s4 = "//Pass" $s5 = "$md5_pass = \"" $s6 = "//If no pass then hash" condition: all of them } rule webshell_PHP_G5 { meta: description = "Web Shell - file G5.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "95b4a56140a650c74ed2ec36f08d757f" strings: $s3 = "echo \"Hacking Mode?
    \";" fullword condition: 2 of them } rule backdoor1_php { meta: description = "Semi-Auto-generated - file backdoor1.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "e1adda1f866367f52de001257b4d6c98" strings: $s1 = "echo \"[DIR]
    Copier un fichier <" condition: 1 of them } rule webshell_webshells_new_xxxx { meta: description = "Web shells - generated from file xxxx.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "5bcba70b2137375225d8eedcde2c0ebb" strings: $s0 = " " fullword condition: all of them } rule WebShell_Generic_PHP_2 { meta: description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php" author = "Florian Roth" super_rule = 1 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a" hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241" hash2 = "36d8782d749638fdcaeed540d183dd3c8edc6791" hash3 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de" strings: $s3 = "if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))" fullword $s4 = "\\$port = {$_POST['port']};" fullword $s5 = "$_POST['installpath'] = \"temp.pl\";}" fullword $s14 = "if(isset($_POST['post']) and $_POST['post'] == \"yes\" and @$HTTP_POST_FILES[\"u" $s16 = "copy($HTTP_POST_FILES[\"userfile\"][\"tmp_name\"],$HTTP_POST_FILES[\"userfile\"]" condition: 4 of them } rule JSP_jfigueiredo_APT_webshell_2 { meta: description = "JSP Browser used as web shell by APT groups - author: jfigueiredo" author = "F.Roth" date = "12.10.2014" score = 60 reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/" strings: $a1 = "
    \"\"
    " ascii $a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii $s1 = "" ascii $s2 = "" ascii condition: all of ($a*) or all of ($s*) } rule hkdoordll { meta: description = "Webshells Auto-generated - file hkdoordll.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b715c009d47686c0e62d0981efce2552" strings: $s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is" condition: all of them } rule webshell_phpkit_0_1a_odd { meta: description = "Web Shell - file odd.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "3c30399e7480c09276f412271f60ed01" strings: $s1 = "include('php://input');" fullword $s3 = "ini_set('allow_url_include, 1'); // Allow url inclusion in this script" fullword $s4 = "// uses include('php://input') to execute arbritary code" fullword $s5 = "// php://input based backdoor" fullword condition: 2 of them } rule wh_bindshell_py { meta: description = "Semi-Auto-generated - file wh_bindshell.py.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "fab20902862736e24aaae275af5e049c" strings: $s0 = "#Use: python wh_bindshell.py [port] [password]" $s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword $s3 = "#bugz: ctrl+c etc =script stoped=" fullword condition: 1 of them } rule webshell_Shell_ci_Biz_was_here_c100_v_xxx { meta: description = "Web Shell - from files Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c99-shadows-mod.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "f2fa878de03732fbf5c86d656467ff50" hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c" hash2 = "68c0629d08b1664f5bcce7d7f5f71d22" strings: $s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri" $s3 = "