/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ import "pe" rule Weevely_Webshell { meta: description = "Weevely Webshell - Generic Rule - heavily scrambled tiny web shell" author = "Florian Roth" reference = "http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html" date = "2014/12/14" score = 60 strings: $php = " 570 and filesize < 800 } rule webshell_h4ntu_shell_powered_by_tsoi_ { meta: description = "Web Shell - file h4ntu shell [powered by tsoi].php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "06ed0b2398f8096f1bebf092d0526137" strings: $s0 = "
Server Adress:User Info: ui" $s4 = "
: \".mysql_error().\"$f_" $s4 = "print \"Current Directory" $s4 = "

" fullword condition: 2 of them } rule webshell_iMHaPFtp_2 { meta: description = "Web Shell - file iMHaPFtp.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "12911b73bc6a5d313b494102abcf5c57" strings: $s8 = "if ($l) echo '
\"+strCut(convertPath(list[i].getPath()),7" $s3 = " \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control" condition: all of them } rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 { meta: description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "49ad9117c96419c35987aaa7e2230f63" strings: $s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n" $s1 = "Mode Shell v1.0[\" (left bracket), \"|\" (pi" $s3 = "word: \"null\", \"yes\", \"no\", \"true\"," condition: 1 of them } rule webshell_PHPRemoteView { meta: description = "Web Shell - file PHPRemoteView.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "29420106d9a81553ef0d1ca72b9934d9" strings: $s2 = "" fullword $s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\"" condition: all of them } rule webshell_caidao_shell_guo { meta: description = "Web Shell - file guo.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "9e69a8f499c660ee0b4796af14dc08f0" strings: $s0 = "
\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n" condition: 1 of them } rule webshell_asp_cmd { meta: description = "Web Shell - file cmd.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "895ca846858c315a3ff8daa7c55b3119" strings: $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword $s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword $s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword condition: 1 of them } rule webshell_php_sh_server { meta: description = "Web Shell - file server.php" author = "Florian Roth" date = "2014/01/28" score = 50 hash = "d87b019e74064aa90e2bb143e5e16cfa" strings: $s0 = "eval(getenv('HTTP_CODE'));" fullword condition: all of them } rule webshell_PH_Vayv_PH_Vayv { meta: description = "Web Shell - file PH Vayv.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "35fb37f3c806718545d97c6559abd262" strings: $s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in" $s4 = "SHOPEN
" fullword condition: all of them } rule webshell_cihshell_fix { meta: description = "Web Shell - file cihshell_fix.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "3823ac218032549b86ee7c26f10c4cb5" strings: $s7 = "
" fullword $s8 = "" fullword condition: all of them } rule webshell_Private_i3lue { meta: description = "Web Shell - file Private-i3lue.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "13f5c7a035ecce5f9f380967cf9d4e92" strings: $s8 = "case 15: $image .= \"\\21\\0\\" condition: all of them } rule webshell_php_up { meta: description = "Web Shell - file up.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "7edefb8bd0876c41906f4b39b52cd0ef" strings: $s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword $s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword $s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword condition: 2 of them } rule webshell_Mysql_interface_v1_0 { meta: description = "Web Shell - file Mysql interface v1.0.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "a12fc0a3d31e2f89727b9678148cd487" strings: $s0 = "echo \"Go Execute
All the data in these tables:
\".$tblsv.\" were putted " condition: all of them } rule webshell_Server_Variables { meta: description = "Web Shell - file Server Variables.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "47fb8a647e441488b30f92b4d39003d7" strings: $s7 = "<% For Each Vars In Request.ServerVariables %>" fullword $s9 = "Variable Name

" fullword condition: all of them } rule webshell_caidao_shell_ice_2 { meta: description = "Web Shell - file ice.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "1d6335247f58e0a5b03e17977888f5f2" strings: $s0 = "" fullword condition: all of them } rule webshell_caidao_shell_mdb { meta: description = "Web Shell - file mdb.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "fbf3847acef4844f3a0d04230f6b9ff9" strings: $s1 = "<% execute request(\"ice\")%>a " fullword condition: all of them } rule webshell_jsp_guige { meta: description = "Web Shell - file guige.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "2c9f2dafa06332957127e2c713aacdd2" strings: $s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null" condition: all of them } rule webshell_phpspy2010 { meta: description = "Web Shell - file phpspy2010.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "14ae0e4f5349924a5047fed9f3b105c5" strings: $s3 = "eval(gzinflate(base64_decode(" $s5 = "//angel" fullword $s8 = "$admin['cookiedomain'] = '';" fullword condition: all of them } rule webshell_asp_ice { meta: description = "Web Shell - file ice.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "d141e011a92f48da72728c35f1934a2b" strings: $s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC" condition: all of them } rule webshell_drag_system { meta: description = "Web Shell - file system.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "15ae237cf395fb24cf12bff141fb3f7c" strings: $s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_" condition: all of them } rule webshell_DarkBlade1_3_asp_indexx { meta: description = "Web Shell - file indexx.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "b7f46693648f534c2ca78e3f21685707" strings: $s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou" condition: all of them } rule webshell_phpshell3 { meta: description = "Web Shell - file phpshell3.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "76117b2ee4a7ac06832d50b2d04070b8" strings: $s2 = "" fullword condition: all of them } rule webshell_asp_404 { meta: description = "Web Shell - file 404.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "d9fa1e8513dbf59fa5d130f389032a2d" strings: $s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2" condition: all of them } rule webshell_webshell_cnseay02_1 { meta: description = "Web Shell - file webshell-cnseay02-1.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "95fc76081a42c4f26912826cb1bd24b1" strings: $s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU" condition: all of them } rule webshell_php_fbi { meta: description = "Web Shell - file fbi.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "1fb32f8e58c8deb168c06297a04a21f1" strings: $s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo" condition: all of them } rule webshell_B374kPHP_B374k { meta: description = "Web Shell - file B374k.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "bed7388976f8f1d90422e8795dff1ea6" strings: $s0 = "Http://code.google.com/p/b374k-shell" fullword $s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'" $s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword $s4 = "B374k Vip In Beautify Just For Self" fullword condition: 1 of them } rule webshell_cmd_asp_5_1 { meta: description = "Web Shell - file cmd-asp-5.1.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "8baa99666bf3734cbdfdd10088e0cd9f" strings: $s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword condition: all of them } rule webshell_php_dodo_zip { meta: description = "Web Shell - file zip.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "b7800364374077ce8864796240162ad5" strings: $s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x" $s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" condition: all of them } rule webshell_aZRaiLPhp_v1_0 { meta: description = "Web Shell - file aZRaiLPhp v1.0.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "26b2d3943395682e36da06ed493a3715" strings: $s5 = "echo \" CHMODU \".substr(base_convert(@fileperms($" $s7 = "echo \"\" . $filena" $s9 = "// by: The Dark Raver" fullword condition: 1 of them } rule webshell_ironshell { meta: description = "Web Shell - file ironshell.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "8bfa2eeb8a3ff6afc619258e39fded56" strings: $s4 = "print \"<%@page import=\"java.net.*\"%><%String t=request." condition: all of them } rule webshell_mysqlwebsh { meta: description = "Web Shell - file mysqlwebsh.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "babfa76d11943a22484b3837f105fada" strings: $s3 = " \" title=\"<%=SubFolder.Name%>\"> ??????????????????: " fullword condition: all of them } rule webshell_asp_1 { meta: description = "Web Shell - file 1.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "8991148adf5de3b8322ec5d78cb01bdb" strings: $s4 = "!22222222222222222222222222222222222222222222222222" fullword $s8 = "<%eval request(\"pass\")%>" fullword condition: all of them } rule webshell_ASP_tool { meta: description = "Web Shell - file tool.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "4ab68d38527d5834e9c1ff64407b34fb" strings: $s0 = "Response.Write \"<DIR> " fullword condition: 2 of them } rule webshell_jsp_jshell { meta: description = "Web Shell - file jshell.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "124b22f38aaaf064cef14711b2602c06" strings: $s0 = "kXpeW[\"" fullword $s4 = "[7b:g0W@W<" fullword $s5 = "b:gHr,g<" fullword $s8 = "RhV0W@W<" fullword $s9 = "S_MR(u7b" fullword condition: all of them } rule webshell_ASP_zehir4 { meta: description = "Web Shell - file zehir4.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "7f4e12e159360743ec016273c3b9108c" strings: $s9 = "Response.Write \"" fullword condition: all of them } rule webshell_PHP_Shell_x3 { meta: description = "Web Shell - file PHP Shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "a2f8fa4cce578fc9c06f8e674b9e63fd" strings: $s4 = "  [" $s6 = "echo \"
\");" fullword condition: all of them } rule webshell_jsp_k81 { meta: description = "Web Shell - file k81.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "41efc5c71b6885add9c1d516371bd6af" strings: $s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword $s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword condition: 1 of them } rule webshell_ASP_zehir { meta: description = "Web Shell - file zehir.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "0061d800aee63ccaf41d2d62ec15985d" strings: $s9 = "Response.Write \"
" condition: all of them } rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit { meta: description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "c6eeacbe779518ea78b8f7ed5f63fc11" strings: $s1 = "" fullword condition: all of them } rule webshell_redirect { meta: description = "Web Shell - file redirect.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "97da83c6e3efbba98df270cc70beb8f8" strings: $s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" " condition: all of them } rule webshell_jsp_cmdjsp { meta: description = "Web Shell - file cmdjsp.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "b815611cc39f17f05a73444d699341d4" strings: $s5 = "" fullword condition: all of them } rule webshell_Java_Shell { meta: description = "Web Shell - file Java Shell.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "36403bc776eb12e8b7cc0eb47c8aac83" strings: $s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword $s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword condition: 1 of them } rule webshell_asp_1d { meta: description = "Web Shell - file 1d.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "fad7504ca8a55d4453e552621f81563c" strings: $s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO" condition: all of them } rule webshell_jsp_IXRbE { meta: description = "Web Shell - file IXRbE.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "e26e7e0ebc6e7662e1123452a939e2cd" strings: $s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application" condition: all of them } rule webshell_PHP_G5 { meta: description = "Web Shell - file G5.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "95b4a56140a650c74ed2ec36f08d757f" strings: $s3 = "echo \"Hacking Mode?
 Server's PHP Version:&n" $s4 = "  [" $s7 = "echo \"" $s3 = "" fullword $s2 = "out.print(\")
Filenam" $s8 = "print \"File: Tools\">" fullword $s4 = "Response.Write(\"

FILE: \" & file & \"

\")" fullword condition: all of them } rule webshell_PHP_co { meta: description = "Web Shell - file co.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "62199f5ac721a0cb9b28f465a513874c" strings: $s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword $s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword condition: all of them } rule webshell_PHP_150 { meta: description = "Web Shell - file 150.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "400c4b0bed5c90f048398e1d268ce4dc" strings: $s0 = "HJ3HjqxclkZfp" $s1 = "" fullword condition: all of them } rule webshell_PHP_c37 { meta: description = "Web Shell - file c37.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "d01144c04e7a46870a8dd823eb2fe5c8" strings: $s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj')," $s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE]," condition: all of them } rule webshell_PHP_b37 { meta: description = "Web Shell - file b37.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "0421445303cfd0ec6bc20b3846e30ff0" strings: $s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc" condition: all of them } rule webshell_php_backdoor { meta: description = "Web Shell - file php-backdoor.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7" strings: $s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword $s2 = "
\" METHOD=GET >execute command:  " fullword
	condition:
		all of them
}
rule webshell_asp_cmdasp {
	meta:
		description = "Web Shell - file cmdasp.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "57b51418a799d2d016be546f399c2e9b"
	strings:
		$s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
		$s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
	condition:
		all of them
}
rule webshell_spjspshell {
	meta:
		description = "Web Shell - file spjspshell.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "d39d51154aaad4ba89947c459a729971"
	strings:
		$s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:"
	condition:
		all of them
}
rule webshell_jsp_action {
	meta:
		description = "Web Shell - file action.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "5a7d931094f5570aaf5b7b3b06c3d8c0"
	strings:
		$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword
		$s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword
	condition:
		all of them
}
rule webshell_Inderxer {
	meta:
		description = "Web Shell - file Inderxer.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "9ea82afb8c7070817d4cdf686abe0300"
	strings:
		$s4 = "Nereye :   " fullword
		$s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859"
	condition:
		all of them
}
rule webshell_ELMALISEKER_Backd00r {
	meta:
		description = "Web Shell - file ELMALISEKER Backd00r.asp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "3aa403e0a42badb2c23d4a54ef43e2f4"
	strings:
		$s0 = "response.write(\"" fullword
		$s6 = "\" name=\"url"
	condition:
		all of them
}
rule webshell_jsp_inback3 {
	meta:
		description = "Web Shell - file inback3.jsp"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "ea5612492780a26b8aa7e5cedd9b8f4e"
	strings:
		$s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application"
	condition:
		all of them
}
rule webshell_metaslsoft {
	meta:
		description = "Web Shell - file metaslsoft.php"
		author = "Florian Roth"
		date = "2014/01/28"
		score = 70
		hash = "aa328ed1476f4a10c0bcc2dde4461789"
	strings:
		$s7 = "$buff .= \"[ $folder ]LINKOperating System : \".php_uname().\" \",in('text','mk_name"
		$s3 = "echo sr(15,\"\".$lang[$language.'_text21'].$arrow.\"\",in('checkbox','nf1"
		$s9 = "echo sr(40,\"\".$lang[$language.'_text26'].$arrow.\"\",\"Current File (import new file name and new file)
Current file (fullpath)
  \".$pathname." condition: all of them } rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx { meta: description = "Web Shell - from files c99.php, Shell [ci] .Biz was here.php, c100 v. 777shell v. Undetectable #18a Modded by 777 - Don.php, c66.php, c99-shadows-mod.php, c99shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "61a92ce63369e2fa4919ef0ff7c51167" hash1 = "f2fa878de03732fbf5c86d656467ff50" hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c" hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b" hash4 = "68c0629d08b1664f5bcce7d7f5f71d22" hash5 = "048ccc01b873b40d57ce25a4c56ea717" strings: $s8 = "else {echo \"Running datapipe... ok! Connect to \".getenv(\"SERVER_ADDR\"" condition: all of them } rule webshell_2008_2009lite_2009mssql { meta: description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "3e4ba470d4c38765e4b16ed930facf2c" hash1 = "3f4d454d27ecc0013e783ed921eeecde" hash2 = "aa17b71bb93c6789911bd1c9df834ff9" strings: $s0 = "
Path.'/\\');" $s7 = "p('

File Manager - Current disk free '.sizecount($free).' of '.sizecount($all" condition: all of them } rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz { meta: description = "Web Shell - from files shell.php, phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, arabicspy.php, PHPSPY.php, hkrkoz.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "791708057d8b429d91357d38edf43cc0" hash1 = "b68bfafc6059fd26732fa07fb6f7f640" hash2 = "42f211cec8032eb0881e87ebdb3d7224" hash3 = "40a1f840111996ff7200d18968e42cfe" hash4 = "e0202adff532b28ef1ba206cf95962f2" hash5 = "0712e3dc262b4e1f98ed25760b206836" hash6 = "802f5cae46d394b297482fd0c27cb2fc" strings: $s0 = "$mainpath_info = explode('/', $mainpath);" fullword $s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d" condition: all of them } rule webshell_807_dm_JspSpyJDK5_m_cofigrue { meta: description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf" hash1 = "14e9688c86b454ed48171a9d4f48ace8" hash2 = "341298482cf90febebb8616426080d1d" hash3 = "88fc87e7c58249a398efd5ceae636073" hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c" strings: $s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword $s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(), \"GBK\");" fullword condition: 1 of them } rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx { meta: description = "Web Shell - from files Dive Shell 1.0 - Emperor Hacking Team.php, phpshell.php, SimShell 1.0 - Simorgh Security MGZ.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "1b5102bdc41a7bc439eea8f0010310a5" hash1 = "f8a6d5306fb37414c5c772315a27832f" hash2 = "37cb1db26b1b0161a4bf678a6b4565bd" strings: $s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals" $s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword condition: all of them } rule webshell_404_data_in_JFolder_jfolder01_xxx { meta: description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, suiyue.jsp, warn.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "7066f4469c3ec20f4890535b5f299122" hash1 = "9f54aa7b43797be9bab7d094f238b4ff" hash2 = "793b3d0a740dbf355df3e6f68b8217a4" hash3 = "8979594423b68489024447474d113894" hash4 = "ec482fc969d182e5440521c913bab9bd" hash5 = "f98d2b33cd777e160d1489afed96de39" hash6 = "4b4c12b3002fad88ca6346a873855209" hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7" hash8 = "e9a5280f77537e23da2545306f6a19ad" strings: $s4 = " " condition: 2 of them } rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz { meta: description = "Web Shell - from files 2008.php, 2009mssql.php, phpspy_2005_full.php, phpspy_2006.php, arabicspy.php, hkrkoz.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "3e4ba470d4c38765e4b16ed930facf2c" hash1 = "aa17b71bb93c6789911bd1c9df834ff9" hash2 = "b68bfafc6059fd26732fa07fb6f7f640" hash3 = "40a1f840111996ff7200d18968e42cfe" hash4 = "e0202adff532b28ef1ba206cf95962f2" hash5 = "802f5cae46d394b297482fd0c27cb2fc" strings: $s0 = "$this -> addFile($content, $filename);" fullword $s3 = "function addFile($data, $name, $time = 0) {" fullword $s8 = "function unix2DosTime($unixtime = 0) {" fullword $s9 = "foreach($filelist as $filename){" fullword condition: all of them } rule webshell_c99_c66_c99_shadows_mod_c99shell { meta: description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "61a92ce63369e2fa4919ef0ff7c51167" hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b" hash2 = "68c0629d08b1664f5bcce7d7f5f71d22" hash3 = "048ccc01b873b40d57ce25a4c56ea717" strings: $s2 = " if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv" $s3 = " \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword $s4 = "
array(\"Using PERL\",\"perl %path %localport %remotehos" $s9 = " elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!" condition: 2 of them } rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 { meta: description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "b330a6c2d49124ef0729539761d6ef0b" hash1 = "d71716df5042880ef84427acee8b121e" hash2 = "344f9073576a066142b2023629539ebd" hash3 = "32dea47d9c13f9000c4c807561341bee" hash4 = "b9744f6876919c46a29ea05b1d95b1c3" hash5 = "3ea688e3439a1f56b16694667938316d" hash6 = "2434a7a07cb47ce25b41d30bc291cacc" strings: $s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"\"+" fullword $s4 = "out.println(\"

File Manager - Current disk "\"+(cr.indexOf(\"/\") == 0?" $s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword $s8 = "\"

" condition: 2 of them } rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend { meta: description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "2eeb8bf151221373ee3fd89d58ed4d38" hash1 = "059058a27a7b0059e2c2f007ad4675ef" hash2 = "8b457934da3821ba58b06a113e0d53d9" hash3 = "d44df8b1543b837e57cc8f25a0a68d92" hash4 = "e0354099bee243702eb11df8d0e046df" hash5 = "90a5ba0c94199269ba33a58bc6a4ad99" hash6 = "655722eaa6c646437c8ae93daac46ae0" hash7 = "591ca89a25f06cf01e4345f98a22845c" strings: $s0 = "return new Double(format.format(value)).doubleValue();" fullword $s5 = "File tempF = new File(savePath);" fullword $s9 = "if (tempF.isDirectory()) {" fullword condition: 2 of them } rule webshell_c99_c99shell_c99_c99shell { meta: description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "61a92ce63369e2fa4919ef0ff7c51167" hash1 = "d3f38a6dc54a73d304932d9227a739ec" hash2 = "157b4ac3c7ba3a36e546e81e9279eab5" hash3 = "048ccc01b873b40d57ce25a4c56ea717" strings: $s2 = "$bindport_pass = \"c99\";" fullword $s5 = " else {echo \"Execution PHP-code\"; if (empty($eval_txt)) {$eval_txt = tr" condition: 1 of them } rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat { meta: description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "ae025c886fbe7f9ed159f49593674832" hash1 = "513b7be8bd0595c377283a7c87b44b2e" hash2 = "1d912c55b96e2efe8ca873d6040e3b30" hash3 = "4108f28a9792b50d95f95b9e5314fa1e" hash4 = "3f71175985848ee46cc13282fbed2269" strings: $s6 = "$res = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d" $s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword $s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword $s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword condition: 2 of them } rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx { meta: description = "Web Shell - from files NIX REMOTE WEB-SHELL.php, nstview.php, NIX REMOTE WEB-SHELL v.0.5 alpha Lite Public Version.php, Cyber Shell (v 1.0).php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "0b19e9de790cd2f4325f8c24b22af540" hash1 = "4745d510fed4378e4b1730f56f25e569" hash2 = "f3ca29b7999643507081caab926e2e74" hash3 = "46a18979750fa458a04343cf58faa9bd" strings: $s3 = "BODY, TD, TR {" fullword $s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword $s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword condition: 2 of them } rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx { meta: description = "Web Shell - from files 000.jsp, 403.jsp, 807.jsp, a.jsp, c5.jsp, config.jsp, css.jsp, dm.jsp, he1p.jsp, JspSpy.jsp, JspSpyJDK5.jsp, JspSpyJDK51.jsp, luci.jsp.spy2009.jsp, m.jsp, ma3.jsp, mmym520.jsp, myxx.jsp, nogfw.jsp, ok.jsp, queryDong.jsp, spyjsp2010.jsp, style.jsp, u.jsp, xia.jsp, zend.jsp, cofigrue.jsp, 1.jsp, jspspy.jsp, jspspy_k8.jsp, JspSpy.jsp, JspSpyJDK5.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "2eeb8bf151221373ee3fd89d58ed4d38" hash1 = "059058a27a7b0059e2c2f007ad4675ef" hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf" hash3 = "76037ebd781ad0eac363d56fc81f4b4f" hash4 = "8b457934da3821ba58b06a113e0d53d9" hash5 = "d44df8b1543b837e57cc8f25a0a68d92" hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c" hash7 = "14e9688c86b454ed48171a9d4f48ace8" hash8 = "b330a6c2d49124ef0729539761d6ef0b" hash9 = "d71716df5042880ef84427acee8b121e" hash10 = "341298482cf90febebb8616426080d1d" hash11 = "29aebe333d6332f0ebc2258def94d57e" hash12 = "42654af68e5d4ea217e6ece5389eb302" hash13 = "88fc87e7c58249a398efd5ceae636073" hash14 = "4a812678308475c64132a9b56254edbc" hash15 = "9626eef1a8b9b8d773a3b2af09306a10" hash16 = "e0354099bee243702eb11df8d0e046df" hash17 = "344f9073576a066142b2023629539ebd" hash18 = "32dea47d9c13f9000c4c807561341bee" hash19 = "90a5ba0c94199269ba33a58bc6a4ad99" hash20 = "655722eaa6c646437c8ae93daac46ae0" hash21 = "b9744f6876919c46a29ea05b1d95b1c3" hash22 = "6acc82544be056580c3a1caaa4999956" hash23 = "6aa32a6392840e161a018f3907a86968" hash24 = "591ca89a25f06cf01e4345f98a22845c" hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c" hash26 = "3ea688e3439a1f56b16694667938316d" hash27 = "ab77e4d1006259d7cbc15884416ca88c" hash28 = "71097537a91fac6b01f46f66ee2d7749" hash29 = "2434a7a07cb47ce25b41d30bc291cacc" hash30 = "7a4b090619ecce6f7bd838fe5c58554b" strings: $s3 = "String savePath = request.getParameter(\"savepath\");" fullword $s4 = "URL downUrl = new URL(downFileUrl);" fullword $s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword $s6 = "String downFileUrl = request.getParameter(\"url\");" fullword $s7 = "FileInputStream fInput = new FileInputStream(f);" fullword $s8 = "URLConnection conn = downUrl.openConnection();" fullword $s9 = "sis = request.getInputStream();" fullword condition: 4 of them } rule webshell_2_520_icesword_job_ma1 { meta: description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "64a3bf9142b045b9062b204db39d4d57" hash1 = "9abd397c6498c41967b4dd327cf8b55a" hash2 = "077f4b1b6d705d223b6d644a4f3eebae" hash3 = "56c005690da2558690c4aa305a31ad37" hash4 = "532b93e02cddfbb548ce5938fe2f5559" strings: $s1 = "" fullword $s3 = "" fullword $s8 = "" fullword condition: 2 of them } rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn { meta: description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "7066f4469c3ec20f4890535b5f299122" hash1 = "9f54aa7b43797be9bab7d094f238b4ff" hash2 = "793b3d0a740dbf355df3e6f68b8217a4" hash3 = "8979594423b68489024447474d113894" hash4 = "ec482fc969d182e5440521c913bab9bd" hash5 = "f98d2b33cd777e160d1489afed96de39" hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7" hash7 = "e9a5280f77537e23da2545306f6a19ad" strings: $s0 = "
\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"
" fullword condition: all of them } rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY { meta: description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "b68bfafc6059fd26732fa07fb6f7f640" hash1 = "42f211cec8032eb0881e87ebdb3d7224" hash2 = "40a1f840111996ff7200d18968e42cfe" hash3 = "0712e3dc262b4e1f98ed25760b206836" strings: $s4 = "http://www.4ngel.net" fullword $s5 = " | PHP" fullword $s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword $s9 = "Codz by Angel" fullword condition: 2 of them } rule webshell_c99_locus7s_c99_w4cking_xxx { meta: description = "Web Shell - from files c99_locus7s.php, c99_w4cking.php, r57shell.php, r57shell127.php, SnIpEr_SA Shell.php, EgY_SpIdEr ShElL V2.php, r57_iFX.php, r57_kartal.php, r57_Mohajer22.php, r57.php, acid.php, newsh.php, r57.php, Backdoor.PHP.Agent.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "38fd7e45f9c11a37463c3ded1c76af4c" hash1 = "9c34adbc8fd8d908cbb341734830f971" hash2 = "ef43fef943e9df90ddb6257950b3538f" hash3 = "ae025c886fbe7f9ed159f49593674832" hash4 = "911195a9b7c010f61b66439d9048f400" hash5 = "697dae78c040150daff7db751fc0c03c" hash6 = "513b7be8bd0595c377283a7c87b44b2e" hash7 = "1d912c55b96e2efe8ca873d6040e3b30" hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a" hash9 = "4108f28a9792b50d95f95b9e5314fa1e" hash10 = "b8f261a3cdf23398d573aaf55eaf63b5" hash11 = "0d2c2c151ed839e6bafc7aa9c69be715" hash12 = "41af6fd253648885c7ad2ed524e0692d" hash13 = "6fcc283470465eed4870bcc3e2d7f14d" strings: $s1 = "$res = @shell_exec($cfe);" fullword $s8 = "$res = @ob_get_contents();" fullword $s9 = "@exec($cfe,$res);" fullword condition: 2 of them } rule webshell_browser_201_3_ma_ma2_download { meta: description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "37603e44ee6dc1c359feb68a0d566f76" hash1 = "a7e25b8ac605753ed0c438db93f6c498" hash2 = "fb8c6c3a69b93e5e7193036fd31a958d" hash3 = "4cc68fa572e88b669bce606c7ace0ae9" hash4 = "4b45715fa3fa5473640e17f49ef5513d" hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a" strings: $s1 = "private static final int EDITFIELD_ROWS = 30;" fullword $s2 = "private static String tempdir = \".\";" fullword $s6 = "\"" condition: 2 of them } rule webshell_000_403_c5_queryDong_spyjsp2010 { meta: description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "2eeb8bf151221373ee3fd89d58ed4d38" hash1 = "059058a27a7b0059e2c2f007ad4675ef" hash2 = "8b457934da3821ba58b06a113e0d53d9" hash3 = "90a5ba0c94199269ba33a58bc6a4ad99" hash4 = "655722eaa6c646437c8ae93daac46ae0" strings: $s2 = "\" www.Expdoor.com" fullword $s5 = " second(s) {gzip} usage:" $s17 = "<%if(request.getParameter(\"f\")" condition: all of them } rule webshell_webshells_new_xxxx { meta: description = "Web shells - generated from file xxxx.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "5bcba70b2137375225d8eedcde2c0ebb" strings: $s0 = " " fullword condition: all of them } rule webshell_webshells_new_JJjsp3 { meta: description = "Web shells - generated from file JJjsp3.jsp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "949ffee1e07a1269df7c69b9722d293e" strings: $s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S" condition: all of them } rule webshell_webshells_new_PHP1 { meta: description = "Web shells - generated from file PHP1.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "14c7281fdaf2ae004ca5fec8753ce3cb" strings: $s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword $s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword $s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword condition: 1 of them } rule webshell_webshells_new_JJJsp2 { meta: description = "Web shells - generated from file JJJsp2.jsp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "5a9fec45236768069c99f0bfd566d754" strings: $s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z" $s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ" $s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()" $s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase(" condition: 1 of them } rule webshell_webshells_new_radhat { meta: description = "Web shells - generated from file radhat.asp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "72cb5ef226834ed791144abaa0acdfd4" strings: $s1 = "sod=Array(\"D\",\"7\",\"S" condition: all of them } rule webshell_webshells_new_asp1 { meta: description = "Web shells - generated from file asp1.asp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "b63e708cd58ae1ec85cf784060b69cad" strings: $s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword $s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword condition: 1 of them } rule webshell_webshells_new_php6 { meta: description = "Web shells - generated from file php6.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "ea75280224a735f1e445d244acdfeb7b" strings: $s1 = "array_map(\"asx73ert\",(ar" $s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword $s4 = "shell.php?qid=zxexp " fullword condition: 1 of them } rule webshell_webshells_new_xxx { meta: description = "Web shells - generated from file xxx.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "0e71428fe68b39b70adb6aeedf260ca0" strings: $s3 = "" fullword condition: all of them } rule webshell_GetPostpHp { meta: description = "Web shells - generated from file GetPostpHp.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "20ede5b8182d952728d594e6f2bb5c76" strings: $s0 = "" fullword condition: all of them } rule webshell_webshells_new_php5 { meta: description = "Web shells - generated from file php5.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "cf2ab009cbd2576a806bfefb74906fdf" strings: $s0 = "Error!\";" fullword $s2 = "
\" method=\"POST" condition: 2 of them } rule Asmodeus_v0_1_pl { meta: description = "Semi-Auto-generated - file Asmodeus v0.1.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0978b672db0657103c79505df69cb4bb" strings: $s0 = "[url=http://www.governmentsecurity.org" $s1 = "perl asmodeus.pl client 6666 127.0.0.1" $s2 = "print \"Asmodeus Perl Remote Shell" $s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword condition: 2 of them } rule backup_php_often_with_c99shell { meta: description = "Semi-Auto-generated - file backup.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "aeee3bae226ad57baf4be8745c3f6094" strings: $s0 = "#phpMyAdmin MySQL-Dump" fullword $s2 = ";db_connect();header('Content-Type: application/octetstr" $s4 = "$data .= \"#Database: $database" fullword condition: all of them } rule Reader_asp { meta: description = "Semi-Auto-generated - file Reader.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ad1a362e0a24c4475335e3e891a01731" strings: $s1 = "Mehdi & HolyDemon" $s2 = "www.infilak." $s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%>

" fullword $s1 = "[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></" $s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword condition: 1 of them } rule myshell_php_php { meta: description = "Semi-Auto-generated - file myshell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "62783d1db52d05b1b6ae2403a7044490" strings: $s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory." $s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color" $s2 = " $fileEditInfo = \"  :::::::  Owner: <font color=$" condition: 2 of them } rule SimShell_1_0___Simorgh_Security_MGZ_php { meta: description = "Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "37cb1db26b1b0161a4bf678a6b4565bd" strings: $s0 = "Simorgh Security Magazine " $s1 = "Simshell.css" $s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], " $s3 = "www.simorgh-ev.com" condition: 2 of them } rule jspshall_jsp { meta: description = "Semi-Auto-generated - file jspshall.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "efe0f6edaa512c4e1fdca4eeda77b7ee" strings: $s0 = "kj021320" $s1 = "case 'T':systemTools(out);break;" $s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file" condition: 2 of them } rule webshell_php { meta: description = "Semi-Auto-generated - file webshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "e425241b928e992bde43dd65180a4894" strings: $s2 = "<die(\"Couldn't Read directory, Blocked!!!\");" $s3 = "PHP Web Shell" condition: all of them } rule rootshell_php { meta: description = "Semi-Auto-generated - file rootshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "265f3319075536030e59ba2f9ef3eac6" strings: $s0 = "shells.dl.am" $s1 = "This server has been infected by $owner" $s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>" $s4 = "Could not write to file! (Maybe you didn't enter any text?)" condition: 2 of them } rule connectback2_pl { meta: description = "Semi-Auto-generated - file connectback2.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "473b7d226ea6ebaacc24504bd740822e" strings: $s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL " $s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel" $s2 = "ConnectBack Backdoor" condition: 1 of them } rule DefaceKeeper_0_2_php { meta: description = "Semi-Auto-generated - file DefaceKeeper_0.2.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "713c54c3da3031bc614a8a55dccd7e7f" strings: $s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword $s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9" $s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center" condition: 1 of them } rule shells_PHP_wso { meta: description = "Semi-Auto-generated - file wso.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "33e2891c13b78328da9062fbfcf898b6" strings: $s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi" $s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos" condition: 1 of them } rule backdoor1_php { meta: description = "Semi-Auto-generated - file backdoor1.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "e1adda1f866367f52de001257b4d6c98" strings: $s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".." $s2 = "class backdoor {" $s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <" condition: 1 of them } rule elmaliseker_asp { meta: description = "Semi-Auto-generated - file elmaliseker.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b32d1730d23a660fd6aa8e60c3dc549f" strings: $s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\"" $s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">" $s2 = "dim zombie_array,special_array" $s3 = "http://vnhacker.org" condition: 1 of them } rule indexer_asp { meta: description = "Semi-Auto-generated - file indexer.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "9ea82afb8c7070817d4cdf686abe0300" strings: $s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ" $s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit" condition: 1 of them } rule DxShell_php_php { meta: description = "Semi-Auto-generated - file DxShell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "33a2b31810178f4c2e71fbdeb4899244" strings: $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx" $s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><" condition: 1 of them } rule s72_Shell_v1_1_Coding_html { meta: description = "Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c2e8346a5515c81797af36e7e4a3828e" strings: $s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><" $s1 = "s72 Shell v1.0 Codinf by Cr@zy_King" $s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\"" condition: 1 of them } rule hidshell_php_php { meta: description = "Semi-Auto-generated - file hidshell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c2f3327d60884561970c63ffa09439a4" strings: $s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U" condition: all of them } rule kacak_asp { meta: description = "Semi-Auto-generated - file kacak.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "907d95d46785db21331a0324972dda8c" strings: $s0 = "Kacak FSO 1.0" $s1 = "if request.querystring(\"TGH\") = \"1\" then" $s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style=" $s4 = "mailto:BuqX@hotmail.com" condition: 1 of them } rule PHP_Backdoor_Connect_pl_php { meta: description = "Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "57fcd9560dac244aeaf95fd606621900" strings: $s0 = "LorD of IRAN HACKERS SABOTAGE" $s1 = "LorD-C0d3r-NT" $s2 = "echo --==Userinfo==-- ;" condition: 1 of them } rule Antichat_Socks5_Server_php_php { meta: description = "Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "cbe9eafbc4d86842a61a54d98e5b61f1" strings: $s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword $s3 = "# [+] Domain name address type" $s4 = "www.antichat.ru" condition: 1 of them } rule Antichat_Shell_v1_3_php { meta: description = "Semi-Auto-generated - file Antichat Shell v1.3.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "40d0abceba125868be7f3f990f031521" strings: $s0 = "Antichat" $s1 = "Can't open file, permission denide" $s2 = "$ra44" condition: 2 of them } rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php { meta: description = "Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "49ad9117c96419c35987aaa7e2230f63" strings: $s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy" $s1 = "Mode Shell v1.0</font></span>" $s2 = "has been already loaded. PHP Emperor <xb5@hotmail." condition: 1 of them } rule mysql_php_php { meta: description = "Semi-Auto-generated - file mysql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "12bbdf6ef403720442a47a3cc730d034" strings: $s0 = "action=mysqlread&mass=loadmass\">load all defaults" $s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru" $s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = " condition: 1 of them } rule Worse_Linux_Shell_php { meta: description = "Semi-Auto-generated - file Worse Linux Shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8338c8d9eab10bd38a7116eb534b5fa2" strings: $s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td" $s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd" condition: 1 of them } rule cyberlords_sql_php_php { meta: description = "Semi-Auto-generated - file cyberlords_sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "03b06b4183cb9947ccda2c3d636406d4" strings: $s0 = "Coded by n0 [nZer0]" $s1 = " www.cyberlords.net" $s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE" $s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);" condition: 1 of them } rule cmd_asp_5_1_asp { meta: description = "Semi-Auto-generated - file cmd-asp-5.1.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8baa99666bf3734cbdfdd10088e0cd9f" strings: $s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword $s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword condition: 1 of them } rule pws_php_php { meta: description = "Semi-Auto-generated - file pws.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ecdc6c20f62f99fa265ec9257b7bf2ce" strings: $s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword $s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword $s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>" condition: 2 of them } rule PHP_Shell_php_php { meta: description = "Semi-Auto-generated - file PHP Shell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "a2f8fa4cce578fc9c06f8e674b9e63fd" strings: $s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" $s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type=" condition: all of them } rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html { meta: description = "Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8a8c8bb153bd1ee097559041f2e5cf0a" strings: $s0 = "Ayyildiz" $s1 = "TouCh By iJOo" $s2 = "First we check if there has been asked for a working directory" $s3 = "http://ayyildiz.org/images/whosonline2.gif" condition: 2 of them } rule EFSO_2_asp { meta: description = "Semi-Auto-generated - file EFSO_2.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b5fde9682fd63415ae211d53c6bfaa4d" strings: $s0 = "Ejder was HERE" $s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~" condition: 2 of them } rule lamashell_php { meta: description = "Semi-Auto-generated - file lamashell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "de9abc2e38420cad729648e93dfc6687" strings: $s0 = "lama's'hell" fullword $s1 = "if($_POST['king'] == \"\") {" $s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f" condition: 1 of them } rule Ajax_PHP_Command_Shell_php { meta: description = "Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "93d1a2e13a3368a2472043bd6331afe9" strings: $s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>" $s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help" $s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct" condition: 1 of them } rule JspWebshell_1_2_jsp { meta: description = "Semi-Auto-generated - file JspWebshell 1.2.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "70a0ee2624e5bbe5525ccadc467519f6" strings: $s0 = "JspWebshell" $s1 = "CreateAndDeleteFolder is error:" $s2 = "<td width=\"70%\" height=\"22\"> <%=env.queryHashtable(\"java.c" $s3 = "String _password =\"111\";" condition: 2 of them } rule Sincap_php_php { meta: description = "Semi-Auto-generated - file Sincap.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b68b90ff6012a103e57d141ed38a7ee9" strings: $s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');" $s2 = "$tampon4=$tampon3-1" $s3 = "@aventgrup.net" condition: 2 of them } rule Test_php_php { meta: description = "Semi-Auto-generated - file Test.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "77e331abd03b6915c6c6c7fe999fcb50" strings: $s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword $s2 = "fwrite ($fp, \"$yazi\");" fullword $s3 = "$entry_line=\"HACKed by EntriKa\";" fullword condition: 1 of them } rule Phyton_Shell_py { meta: description = "Semi-Auto-generated - file Phyton Shell.py.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "92b3c897090867c65cc169ab037a0f55" strings: $s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword $s2 = "# d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword $s3 = "print \"error; help: head -n 16 d00r.py\"" fullword $s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword condition: 1 of them } rule mysql_tool_php_php { meta: description = "Semi-Auto-generated - file mysql_tool.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5fbe4d8edeb2769eda5f4add9bab901e" strings: $s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['" $s1 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV" $s4 = "<div align=\"center\">The backup process has now started<br " condition: 1 of them } rule Zehir_4_asp { meta: description = "Semi-Auto-generated - file Zehir 4.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "7f4e12e159360743ec016273c3b9108c" strings: $s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time=" $s4 = "<input type=submit value=\"Test Et!\" onclick=\"" condition: 1 of them } rule sh_php_php { meta: description = "Semi-Auto-generated - file sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "330af9337ae51d0bac175ba7076d6299" strings: $s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e" $s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:" condition: 1 of them } rule phpbackdoor15_php { meta: description = "Semi-Auto-generated - file phpbackdoor15.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0fdb401a49fc2e481e3dfd697078334b" strings: $s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na" $s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI" $s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s" condition: 1 of them } rule phpjackal_php { meta: description = "Semi-Auto-generated - file phpjackal.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ab230817bcc99acb9bdc0ec6d264d76f" strings: $s3 = "$dl=$_REQUEST['downloaD'];" $s4 = "else shelL(\"perl.exe $name $port\");" condition: 1 of them } rule sql_php_php { meta: description = "Semi-Auto-generated - file sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8334249cbb969f2d33d678fec2b680c5" strings: $s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#" $s2 = "http://rst.void.ru" $s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" condition: 1 of them } rule cgi_python_py { meta: description = "Semi-Auto-generated - file cgi-python.py.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0a15f473e2232b89dae1075e1afdac97" strings: $s0 = "a CGI by Fuzzyman" $s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + " $s2 = "values = map(lambda x: x.value, theform[field]) # allows for" condition: 1 of them } rule ru24_post_sh_php_php { meta: description = "Semi-Auto-generated - file ru24_post_sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5b334d494564393f419af745dc1eeec7" strings: $s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"" fullword $s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a" $s4 = "Writed by DreAmeRz" fullword condition: 1 of them } rule DTool_Pro_php { meta: description = "Semi-Auto-generated - file DTool Pro.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "366ad973a3f327dfbfb915b0faaea5a6" strings: $s0 = "r3v3ng4ns\\nDigite" $s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi" $s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n" condition: 1 of them } rule telnetd_pl { meta: description = "Semi-Auto-generated - file telnetd.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5f61136afd17eb025109304bd8d6d414" strings: $s0 = "0ldW0lf" fullword $s1 = "However you are lucky :P" $s2 = "I'm FuCKeD" $s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#" $s4 = "atrix@irc.brasnet.org" condition: 1 of them } rule php_include_w_shell_php { meta: description = "Semi-Auto-generated - file php-include-w-shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "4e913f159e33867be729631a7ca46850" strings: $s0 = "$dataout .= \"
\" : \"[admin\\@$ServerName $C" condition: 1 of them } rule ironshell_php { meta: description = "Semi-Auto-generated - file ironshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8bfa2eeb8a3ff6afc619258e39fded56" strings: $s0 = "www.ironwarez.info" $s1 = "$cookiename = \"wieeeee\";" $s2 = "~ Shell I" $s3 = "www.rootshell-team.info" $s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);" condition: 1 of them } rule backdoorfr_php { meta: description = "Semi-Auto-generated - file backdoorfr.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "91e4afc7444ed258640e85bcaf0fecfc" strings: $s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan" $s2 = "print(\"
Provenance du mail : /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");" condition: 1 of them } rule Ajan_asp { meta: description = "Semi-Auto-generated - file Ajan.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b6f468252407efc2318639da22b08af0" strings: $s1 = "c:\\downloaded.zip" $s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword $s3 = "http://www35.websamba.com/cybervurgun/" condition: 1 of them } rule PHANTASMA_php { meta: description = "Semi-Auto-generated - file PHANTASMA.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "52779a27fa377ae404761a7ce76a5da7" strings: $s0 = ">[*] Safemode Mode Run" $s1 = "$file1 - $file2 -
$file
" $s2 = "[*] Spawning Shell" $s3 = "Cha0s" condition: 2 of them } rule MySQL_Web_Interface_Version_0_8_php { meta: description = "Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "36d4f34d0a22080f47bb1cb94107c60f" strings: $s0 = "SooMin Kim" $s1 = "http://popeye.snu.ac.kr/~smkim/mysql" $s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename" $s3 = "
Type M  D unsignedzerofi" condition: 2 of them } rule simple_cmd_html { meta: description = "Semi-Auto-generated - file simple_cmd.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c6381412df74dbf3bcd5a2b31522b544" strings: $s1 = "G-Security Webshell" fullword $s2 = "\" " fullword $s3 = "" fullword $s4 = "" fullword condition: all of them } rule _1_c2007_php_php_c100_php { meta: description = "Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "44542e5c3e9790815c49d5f9beffbbf2" hash1 = "d089e7168373a0634e1ac18c0ee00085" hash2 = "38fd7e45f9c11a37463c3ded1c76af4c" strings: $s0 = "echo \"Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\"" $s3 = "echo \" Done!
Total time (secs.): \".$ft" $s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r" condition: 1 of them } rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "911195a9b7c010f61b66439d9048f400" hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash3 = "8023394542cddf8aee5dec6072ed02b5" hash4 = "eed14de3907c9aa2550d95550d1a2d5f" hash5 = "817671e1bdc85e04cc3440bbd9288800" strings: $s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o" $s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult" condition: 1 of them } rule _c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php { meta: description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "d8ae5819a0a2349ec552cbcf3a62c975" hash1 = "9e9ae0332ada9c3797d6cee92c2ede62" hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9" hash3 = "671cad517edd254352fe7e0c7c981c39" strings: $s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\"" $s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\"" $s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\"" condition: 2 of them } rule _r577_php_php_spy_php_php_s_php_php { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "eed14de3907c9aa2550d95550d1a2d5f" hash2 = "817671e1bdc85e04cc3440bbd9288800" strings: $s2 = "echo $te.\"
XXXX\" title=\"<%=SubFolder.Name%>\"> \" title=\"<%=File.Name%>\"> \" align=\"right\"><%=Attributes(SubFolder.Attributes)%>\">" condition: all of them } rule byloader { meta: description = "Webshells Auto-generated - file byloader.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "0f0d6dc26055653f5844ded906ce52df" strings: $s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk" $s1 = "Failure ... Access is Denied !" $s2 = "NTFS Disk Driver Checking Service" $s3 = "Dumping Description to Registry..." $s4 = "Opening Service .... Failure !" condition: all of them } rule shelltools_g0t_root_Fport { meta: description = "Webshells Auto-generated - file Fport.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "dbb75488aa2fa22ba6950aead1ef30d5" strings: $s4 = "Copyright 2000 by Foundstone, Inc." $s5 = "You must have administrator privileges to run fport - exiting..." condition: all of them } rule BackDooR__fr_ { meta: description = "Webshells Auto-generated - file BackDooR (fr).php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "a79cac2cf86e073a832aaf29a664f4be" strings: $s3 = "print(\"

Exploit include " condition: all of them } rule FSO_s_ntdaddy { meta: description = "Webshells Auto-generated - file ntdaddy.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357" strings: $s1 = "\"> &X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");" condition: all of them } rule HYTop_DevPack_upload { meta: description = "Webshells Auto-generated - file upload.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b09852bda534627949f0259828c967de" strings: $s0 = "" condition: all of them } rule PasswordReminder { meta: description = "Webshells Auto-generated - file PasswordReminder.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "ea49d754dc609e8bfa4c0f95d14ef9bf" strings: $s3 = "The encoded password is found at 0x%8.8lx and has a length of %d." condition: all of them } rule Pack_InjectT { meta: description = "Webshells Auto-generated - file InjectT.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "983b74ccd57f6195a0584cdfb27d55e8" strings: $s3 = "ail To Open Registry" $s4 = "32fDssignim" $s5 = "vide Internet S" $s6 = "d]Software\\M" $s7 = "TInject.Dll" condition: all of them } rule FSO_s_RemExp_2 { meta: description = "Webshells Auto-generated - file RemExp.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b69670ecdbb40012c73686cd22696eeb" strings: $s2 = " Then Response.Write \"" $s3 = "" condition: all of them } rule FSO_s_c99 { meta: description = "Webshells Auto-generated - file c99.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "5f9ba02eb081bba2b2434c603af454d0" strings: $s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce" condition: all of them } rule rknt_zip_Folder_RkNT { meta: description = "Webshells Auto-generated - file RkNT.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "5f97386dfde148942b7584aeb6512b85" strings: $s0 = "PathStripPathA" $s1 = "`cLGet!Addr%" $s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $" $s3 = "oQToOemBuff* <=" $s4 = "ionCdunAsw[Us'" $s6 = "CreateProcessW: %S" $s7 = "ImageDirectoryEntryToData" condition: all of them } rule dbgntboot { meta: description = "Webshells Auto-generated - file dbgntboot.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "4d87543d4d7f73c1529c9f8066b475ab" strings: $s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp" $s3 = "sth junk the M$ Wind0wZ retur" condition: all of them } rule PHP_shell { meta: description = "Webshells Auto-generated - file shell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "45e8a00567f8a34ab1cccc86b4bc74b9" strings: $s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz" $s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s" condition: all of them } rule hxdef100 { meta: description = "Webshells Auto-generated - file hxdef100.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "55cc1769cef44910bd91b7b73dee1f6c" strings: $s0 = "RtlAnsiStringToUnicodeString" $s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" $s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH" condition: all of them } rule rdrbs100 { meta: description = "Webshells Auto-generated - file rdrbs100.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "7c752bcd6da796d80a6830c61a632bff" strings: $s3 = "Server address must be IP in A.B.C.D format." $s4 = " mapped ports in the list. Currently " condition: all of them } rule Mithril_Mithril { meta: description = "Webshells Auto-generated - file Mithril.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "017191562d72ab0ca551eb89256650bd" strings: $s0 = "OpenProcess error!" $s1 = "WriteProcessMemory error!" $s4 = "GetProcAddress error!" $s5 = "HHt`HHt\\" $s6 = "Cmaudi0" $s7 = "CreateRemoteThread error!" $s8 = "Kernel32" $s9 = "VirtualAllocEx error!" condition: all of them } rule hxdef100_2 { meta: description = "Webshells Auto-generated - file hxdef100.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "1b393e2e13b9c57fb501b7cd7ad96b25" strings: $s0 = "\\\\.\\mailslot\\hxdef-rkc000" $s2 = "Shared Components\\On Access Scanner\\BehaviourBlo" $s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" condition: all of them } rule Release_dllTest { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "76a59fc3242a2819307bb9d593bef2e0" strings: $s0 = ";;;Y;`;d;h;l;p;t;x;|;" $s1 = "0 0&00060K0R0X0f0l0q0w0" $s2 = ": :$:(:,:0:4:8:D:`=d=" $s3 = "4@5P5T5\\5T7\\7d7l7t7|7" $s4 = "1,121>1C1K1Q1X1^1e1k1s1y1" $s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9" $s6 = "0)0O0\\0a0o0\"1E1P1q1" $s7 = "<.\".ws(2).\"HDD Free : \".view_size($free).\" HDD Total : \".view_" condition: all of them } rule Mithril_v1_45_dllTest { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "1b9e518aaa62b15079ff6edb412b21e9" strings: $s3 = "syspath" $s4 = "\\Mithril" $s5 = "--list the services in the computer" condition: all of them } rule dbgiis6cli { meta: description = "Webshells Auto-generated - file dbgiis6cli.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "3044dceb632b636563f66fee3aaaf8f3" strings: $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" $s5 = "###command:(NO more than 100 bytes!)" condition: all of them } rule remview_2003_04_22 { meta: description = "Webshells Auto-generated - file remview_2003_04_22.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "17d3e4e39fbca857344a7650f7ea55e3" strings: $s1 = "\"\".mm(\"Eval PHP code\").\" (\".mm(\"don't type\").\" \\\"<?\\\"" condition: all of them } rule FSO_s_test { meta: description = "Webshells Auto-generated - file test.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "82cf7b48da8286e644f575b039a99c26" strings: $s0 = "$yazi = \"test\" . \"\\r\\n\";" $s2 = "fwrite ($fp, \"$yazi\");" condition: all of them } rule Debug_cress { meta: description = "Webshells Auto-generated - file cress.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "36a416186fe010574c9be68002a7286a" strings: $s0 = "\\Mithril " $s4 = "Mithril.exe" condition: all of them } rule webshell { meta: description = "Webshells Auto-generated - file webshell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "f2f8c02921f29368234bfb4d4622ad19" strings: $s0 = "RhViRYOzz" $s1 = "d\\O!jWW" $s2 = "bc!jWW" $s3 = "0W[&{l" $s4 = "[INhQ@\\" condition: all of them } rule FSO_s_EFSO_2 { meta: description = "Webshells Auto-generated - file EFSO_2.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "a341270f9ebd01320a7490c12cb2e64c" strings: $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" condition: all of them } rule thelast_index3 { meta: description = "Webshells Auto-generated - file index3.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "cceff6dc247aaa25512bad22120a14b4" strings: $s5 = "$err = \"Your Name Not Entered!Sorry, \\\"Your Name\\\" field is r" condition: all of them } rule adjustcr { meta: description = "Webshells Auto-generated - file adjustcr.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "17037fa684ef4c90a25ec5674dac2eb6" strings: $s0 = "$Info: This file is packed with the UPX executable packer $" $s2 = "$License: NRV for UPX is distributed under special license $" $s6 = "AdjustCR Carr" $s7 = "ION\\System\\FloatingPo" condition: all of them } rule FeliksPack3___PHP_Shells_xIShell { meta: description = "Webshells Auto-generated - file xIShell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "997c8437c0621b4b753a546a53a88674" strings: $s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"

\")" condition: all of them } rule EditServer_2 { meta: description = "Webshells Auto-generated - file EditServer.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "5c1f25a4d206c83cdfb006b3eb4c09ba" strings: $s0 = "@HOTMAIL.COM" $s1 = "Press Any Ke" $s3 = "glish MenuZ" condition: all of them } rule by064cli { meta: description = "Webshells Auto-generated - file by064cli.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "10e0dff366968b770ae929505d2a9885" strings: $s7 = "packet dropped,redirecting" $s9 = "input the password(the default one is 'by')" condition: all of them } rule Mithril_dllTest { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "a8d25d794d8f08cd4de0c3d6bf389e6d" strings: $s0 = "please enter the password:" $s3 = "\\dllTest.pdb" condition: all of them } rule peek_a_boo { meta: description = "Webshells Auto-generated - file peek-a-boo.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "aca339f60d41fdcba83773be5d646776" strings: $s0 = "__vbaHresultCheckObj" $s1 = "\\VB\\VB5.OLB" $s2 = "capGetDriverDescriptionA" $s3 = "__vbaExceptHandler" $s4 = "EVENT_SINK_Release" $s8 = "__vbaErrorOverflow" condition: all of them } rule fmlibraryv3 { meta: description = "Webshells Auto-generated - file fmlibraryv3.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "c34c248fed6d5a20d8203924a2088acc" strings: $s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER" condition: all of them } rule Debug_dllTest_2 { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "1b9e518aaa62b15079ff6edb412b21e9" strings: $s4 = "\\Debug\\dllTest.pdb" $s5 = "--list the services in the computer" condition: all of them } rule connector { meta: description = "Webshells Auto-generated - file connector.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "3ba1827fca7be37c8296cd60be9dc884" strings: $s2 = "If ( AttackID = BROADCAST_ATTACK )" $s4 = "Add UNIQUE ID for victims / zombies" condition: all of them } rule shelltools_g0t_root_HideRun { meta: description = "Webshells Auto-generated - file HideRun.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "45436d9bfd8ff94b71eeaeb280025afe" strings: $s0 = "Usage -- hiderun [AppName]" $s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997." condition: all of them } rule regshell { meta: description = "Webshells Auto-generated - file regshell.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "db2fdc821ca6091bab3ebd0d8bc46ded" strings: $s0 = "Changes the base hive to HKEY_CURRENT_USER." $s4 = "Displays a list of values and sub-keys in a registry Hive." $s5 = "Enter a menu selection number (1 - 3) or 99 to Exit: " condition: all of them } rule PHP_Shell_v1_7 { meta: description = "Webshells Auto-generated - file PHP_Shell_v1.7.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b5978501c7112584532b4ca6fb77cba5" strings: $s8 = "[ADDITINAL TITTLE]-phpShell by:[YOURNAME]" condition: all of them } rule xssshell_save { meta: description = "Webshells Auto-generated - file save.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "865da1b3974e940936fe38e8e1964980" strings: $s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID" $s5 = "VictimID = fm_NStr(Victims(i))" condition: all of them } rule screencap { meta: description = "Webshells Auto-generated - file screencap.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "51139091dea7a9418a50f2712ea72aa6" strings: $s0 = "GetDIBColorTable" $s1 = "Screen.bmp" $s2 = "CreateDCA" condition: all of them } rule FSO_s_phpinj_2 { meta: description = "Webshells Auto-generated - file phpinj.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "dd39d17e9baca0363cc1c3664e608929" strings: $s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO" condition: all of them } rule ZXshell2_0_rar_Folder_zxrecv { meta: description = "Webshells Auto-generated - file zxrecv.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "5d3d12a39f41d51341ef4cb7ce69d30f" strings: $s0 = "RyFlushBuff" $s1 = "teToWideChar^FiYP" $s2 = "mdesc+8F D" $s3 = "\\von76std" $s4 = "5pur+virtul" $s5 = "- Kablto io" $s6 = "ac#f{lowi8a" condition: all of them } rule FSO_s_ajan { meta: description = "Webshells Auto-generated - file ajan.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "22194f8c44524f80254e1b5aec67b03e" strings: $s4 = "entrika.write \"BinaryStream.SaveToFile" condition: all of them } rule c99shell { meta: description = "Webshells Auto-generated - file c99shell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "90b86a9c63e2cd346fe07cea23fbfc56" strings: $s0 = "<br />Input URL: <input name=\\\"uploadurl\\\" type=\\\"text\\\"&" condition: all of them } rule phpspy_2005_full { meta: description = "Webshells Auto-generated - file phpspy_2005_full.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "d1c69bb152645438440e6c903bac16b2" strings: $s7 = "echo \" <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco" condition: all of them } rule FSO_s_zehir4_2 { meta: description = "Webshells Auto-generated - file zehir4.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "5b496a61363d304532bcf52ee21f5d55" strings: $s4 = "\"Program Files\\Serv-u\\Serv" condition: all of them } rule httpdoor { meta: description = "Webshells Auto-generated - file httpdoor.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "6097ea963455a09474471a9864593dc3" strings: $s4 = "''''''''''''''''''DaJKHPam" $s5 = "o,WideCharR]!n]" $s6 = "HAutoComplete" $s7 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:sch" condition: all of them } rule FSO_s_indexer_2 { meta: description = "Webshells Auto-generated - file indexer.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "135fc50f85228691b401848caef3be9e" strings: $s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>" condition: all of them } rule HYTop_DevPack_2005 { meta: description = "Webshells Auto-generated - file 2005.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "63d9fd24fa4d22a41fc5522fc7050f9f" strings: $s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")" $s8 = "scrollbar-darkshadow-color:#9C9CD3;" $s9 = "scrollbar-face-color:#E4E4F3;" condition: all of them } rule _root_040_zip_Folder_deploy { meta: description = "Webshells Auto-generated - file deploy.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "2c9f9c58999256c73a5ebdb10a9be269" strings: $s5 = "halon synscan 127.0.0.1 1-65536" $s8 = "Obviously you replace the ip address with that of the target." condition: all of them } rule by063cli { meta: description = "Webshells Auto-generated - file by063cli.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "49ce26eb97fd13b6d92a5e5d169db859" strings: $s2 = "#popmsghello,are you all right?" $s4 = "connect failed,check your network and remote ip." condition: all of them } rule icyfox007v1_10_rar_Folder_asp { meta: description = "Webshells Auto-generated - file asp.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "2c412400b146b7b98d6e7755f7159bb9" strings: $s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>" condition: all of them } rule FSO_s_EFSO_2_2 { meta: description = "Webshells Auto-generated - file EFSO_2.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "a341270f9ebd01320a7490c12cb2e64c" strings: $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" condition: all of them } rule byshell063_ntboot_2 { meta: description = "Webshells Auto-generated - file ntboot.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d" strings: $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)" condition: all of them } rule u_uay { meta: description = "Webshells Auto-generated - file uay.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4" strings: $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe" $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security" condition: 1 of them } rule bin_wuaus { meta: description = "Webshells Auto-generated - file wuaus.dll" author = "Yara Bulk Rule Generator by Florian Roth" hash = "46a365992bec7377b48a2263c49e4e7d" strings: $s1 = "9(90989@9V9^9f9n9v9" $s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:" $s3 = ";(=@=G=O=T=X=\\=" $s4 = "TCP Send Error!!" $s5 = "1\"1;1X1^1e1m1w1~1" $s8 = "=$=)=/=<=Y=_=j=p=z=" condition: all of them } rule pwreveal { meta: description = "Webshells Auto-generated - file pwreveal.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "b4e8447826a45b76ca45ba151a97ad50" strings: $s0 = "*<Blank - no es" $s3 = "JDiamondCS " $s8 = "sword set> [Leith=0 bytes]" $s9 = "ION\\System\\Floating-" condition: all of them } rule shelltools_g0t_root_xwhois { meta: description = "Webshells Auto-generated - file xwhois.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "0bc98bd576c80d921a3460f8be8816b4" strings: $s1 = "rting! " $s2 = "aTypCog(" $s5 = "Diamond" $s6 = "r)r=rQreryr" condition: all of them } rule vanquish_2 { meta: description = "Webshells Auto-generated - file vanquish.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "2dcb9055785a2ee01567f52b5a62b071" strings: $s2 = "Vanquish - DLL injection failed:" condition: all of them } rule down_rar_Folder_down { meta: description = "Webshells Auto-generated - file down.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "db47d7a12b3584a2e340567178886e71" strings: $s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\" & Snet.ComputerName &" condition: all of them } rule cmdShell { meta: description = "Webshells Auto-generated - file cmdShell.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "8a9fef43209b5d2d4b81dfbb45182036" strings: $s1 = "if cmdPath=\"wscriptShell\" then" condition: all of them } rule ZXshell2_0_rar_Folder_nc { meta: description = "Webshells Auto-generated - file nc.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "2cd1bf15ae84c5f6917ddb128827ae8b" strings: $s0 = "WSOCK32.dll" $s1 = "?bSUNKNOWNV" $s7 = "p@gram Jm6h)" $s8 = "ser32.dllCONFP@" condition: all of them } rule portlessinst { meta: description = "Webshells Auto-generated - file portlessinst.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "74213856fc61475443a91cd84e2a6c2f" strings: $s2 = "Fail To Open Registry" $s3 = "f<-WLEggDr\"" $s6 = "oMemoryCreateP" condition: all of them } rule SetupBDoor { meta: description = "Webshells Auto-generated - file SetupBDoor.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "41f89e20398368e742eda4a3b45716b6" strings: $s1 = "\\BDoor\\SetupBDoor" condition: all of them } rule phpshell_3 { meta: description = "Webshells Auto-generated - file phpshell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "e8693a2d4a2ffea4df03bb678df3dc6d" strings: $s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" $s5 = " echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" condition: all of them } rule BIN_Server { meta: description = "Webshells Auto-generated - file Server.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "1d5aa9cbf1429bb5b8bf600335916dcd" strings: $s0 = "configserver" $s1 = "GetLogicalDrives" $s2 = "WinExec" $s4 = "fxftest" $s5 = "upfileok" $s7 = "upfileer" condition: all of them } rule HYTop2006_rar_Folder_2006 { meta: description = "Webshells Auto-generated - file 2006.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "c19d6f4e069188f19b08fa94d44bc283" strings: $s6 = "strBackDoor = strBackDoor " condition: all of them } rule r57shell_3 { meta: description = "Webshells Auto-generated - file r57shell.php" author = "Yara Bulk Rule Generator by Florian Roth" hash = "87995a49f275b6b75abe2521e03ac2c0" strings: $s1 = "<b>\".$_POST['cmd']" condition: all of them } rule HDConfig { meta: description = "Webshells Auto-generated - file HDConfig.exe" author = "Yara Bulk Rule Generator by Florian Roth" hash = "7d60e552fdca57642fd30462416347bd" strings: $s0 = "An encryption key is derived from the password hash. " $s3 = "A hash object has been created. " $s4 = "Error during CryptCreateHash!" $s5 = "A new key container has been created." $s6 = "The password has been added to the hash. " condition: all of them } rule FSO_s_ajan_2 { meta: description = "Webshells Auto-generated - file ajan.asp" author = "Yara Bulk Rule Generator by Florian Roth" hash = "22194f8c44524f80254e1b5aec67b03e" strings: $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")" $s3 = "/file.zip" condition: all of them } rule Webshell_and_Exploit_CN_APT_HK : Webshell { meta: author = "Florian Roth" description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters" date = "10.10.2014" score = 50 strings: $a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword $s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">" $s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">" condition: $a0 or ( all of ($s*) ) } rule JSP_Browser_APT_webshell { meta: description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a" author = "F.Roth" date = "10.10.2014" score = 60 strings: $a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii $a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii $a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii $a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii condition: all of them } rule JSP_jfigueiredo_APT_webshell { meta: description = "JSP Browser used as web shell by APT groups - author: jfigueiredo" author = "F.Roth" date = "12.10.2014" score = 60 reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp" strings: $a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii $a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii condition: all of them } rule JSP_jfigueiredo_APT_webshell_2 { meta: description = "JSP Browser used as web shell by APT groups - author: jfigueiredo" author = "F.Roth" date = "12.10.2014" score = 60 reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/" strings: $a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii $a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii $s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii $s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii condition: all of ($a*) or all of ($s*) } rule AJAX_FileUpload_webshell { meta: description = "AJAX JS/CSS components providing web shell by APT groups" author = "F.Roth" date = "12.10.2014" score = 75 reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/ajaxfileupload.js" strings: $a1 = "var frameId = 'jUploadFrame' + id;" ascii $a2 = "var form = jQuery('<form action=\"\" method=\"POST\" name=\"' + formId + '\" id=\"' + formId + '\" enctype=\"multipart/form-data\"></form>');" ascii $a3 = "jQuery(\"<div>\").html(data).evalScripts();" ascii condition: all of them } rule Webshell_Insomnia { meta: description = "Insomnia Webshell - file InsomniaShell.aspx" author = "Florian Roth" reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/" date = "2014/12/09" hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22" score = 80 strings: $s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii $s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii $s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii $s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii $s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii $s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii $s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii $s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii condition: 3 of them } rule HawkEye_PHP_Panel { meta: description = "Detects HawkEye Keyloggers PHP Panel" author = "Florian Roth" date = "2014/12/14" score = 60 strings: $s0 = "$fname = $_GET['fname'];" ascii fullword $s1 = "$data = $_GET['data'];" ascii fullword $s2 = "unlink($fname);" ascii fullword $s3 = "echo \"Success\";" fullword ascii condition: all of ($s*) and filesize < 600 } rule SoakSoak_Infected_Wordpress { meta: description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX" reference = "http://goo.gl/1GzWUX" author = "Florian Roth" date = "2014/12/15" score = 60 strings: $s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword $s1 = "function FuncQueueObject()" ascii fullword $s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword condition: all of ($s*) } rule Pastebin_Webshell { meta: description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs" author = "Florian Roth" score = 70 date = "13.01.2015" reference = "http://goo.gl/7dbyZs" strings: $s0 = "file_get_contents(\"http://pastebin.com" ascii $s1 = "xcurl('http://pastebin.com/download.php" ascii $s2 = "xcurl('http://pastebin.com/raw.php" ascii $x0 = "if($content){unlink('evex.php');" ascii $x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii $y0 = "file_put_contents($pth" ascii $y1 = "echo \"<login_ok>" ascii $y2 = "str_replace('* @package Wordpress',$temp" ascii condition: 1 of ($s*) or all of ($x*) or all of ($y*) } rule ASPXspy2 { meta: description = "Web shell - file ASPXspy2.aspx" author = "Florian Roth" reference = "not set" date = "2015/01/24" hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197" strings: $s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii $s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii $s3 = "Process[] p=Process.GetProcesses();" fullword ascii $s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii $s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii $s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii $s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii $s8 = "Copyright © 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii $s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii $s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii $s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii $s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii $s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii $s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii condition: 6 of them }