Remove a leftover file from the previous commit/great purge

author: jvoisin 2018-02-21 11:35:45 +0100
committer: jvoisin 2018-02-21 11:35:45 +0100
commit: 43492826c7e8f89bf067a81855100903cc8dfb02 (patch)
tree: cf5d60c606589349d475eaf10d415a422bceb3a7
parent: 3724a206fcfaf3578945acfb5fbcb4a85ef33441 (diff)
1 files changed, 0 insertions, 193 deletions
diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
deleted file mode 100644
index f9d4573..0000000
--- a/php-malware-finder/common.yar
+++ /dev/null
@@ -1,193 +0,0 @@
-rule CloudFlareBypass
-{
-    strings:
-        $ = "chk_jschl"
-        $ = "jschl_vc"
-        $ = "jschl_answer"
-    condition:
-        2 of them // Better be safe than sorry
-}
-private rule IRC
-{
-    strings:
-        $ = "USER" fullword nocase
-        $ = "PASS" fullword nocase
-        $ = "PRIVMSG" fullword nocase
-        $ = "MODE" fullword nocase
-        $ = "PING" fullword nocase
-        $ = "PONG" fullword nocase
-        $ = "JOIN" fullword nocase
-        $ = "PART" fullword nocase
-    condition:
-        5 of them
-}
-private rule base64
-{
-    strings:
-        $user_agent = "SFRUUF9VU0VSX0FHRU5UCg"
-        $eval = "ZXZhbCg"
-        $system = "c3lzdGVt"
-        $preg_replace = "cHJlZ19yZXBsYWNl"
-        $exec = "ZXhlYyg"
-        $base64_decode = "YmFzZTY0X2RlY29kZ"
-        $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
-        $cmd_exe = "Y21kLmV4ZQ"
-        $powershell = "cG93ZXJzaGVsbC5leGU"
-    condition:
-        any of them
-}
-private rule hex
-{
-    strings:
-        $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
-        $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
-        $exec = "\\x65\\x78\\x65\\x63" nocase
-        $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
-        $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
-        $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
-        $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
-    
-    condition:
-        any of them
-}
-private rule Hpack
-{
-    strings:
-                $globals = "474c4f42414c53" nocase
-        $eval = "6576616C28" nocase
-        $exec = "65786563" nocase
-        $system = "73797374656d" nocase
-        $preg_replace = "707265675f7265706c616365" nocase
-        $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
-    
-    condition:
-        any of them
-}
-private rule strrev
-{
-    strings:
-        $globals = "slabolg" nocase fullword
-        $preg_replace = "ecalper_gerp" nocase fullword
-        $base64_decode = "edoced_46esab" nocase fullword
-        $gzinflate = "etalfnizg" nocase fullword
-    
-    condition:
-        any of them
-}
-rule SuspiciousEncoding
-{
-    condition:
-        (base64 or hex or strrev or Hpack) and not IsWhitelisted
-}
-rule DodgyStrings
-{
-    strings:
-        $ = ".bash_history"
-        $ = /AddType\s+application\/x-httpd-(php|cgi)/ nocase
-        $ = /php_value\s*auto_prepend_file/ nocase
-        $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
-        $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
-        $ = ".mysql_history"
-        $ = ".ssh/authorized_keys"
-        $ = "/(.*)/e"  // preg_replace code execution
-        $ = "/../../../"
-        $ = "/etc/passwd"
-        $ = "/etc/proftpd.conf"
-        $ = "/etc/resolv.conf"
-        $ = "/etc/shadow"
-        $ = "/etc/syslog.conf"
-        $ = "/proc/cpuinfo" fullword
-        $ = "/var/log/lastlog"
-        $ = "/windows/system32/"
-        $ = "LOAD DATA LOCAL INFILE" nocase
-        $ = "WScript.Shell"
-        $ = "WinExec"
-        $ = "b374k" fullword nocase
-        $ = "backdoor" fullword nocase
-        $ = /(c99|r57|fx29)shell/
-        $ = "cmd.exe" fullword nocase
-        $ = "powershell.exe" fullword nocase
-        $ = /defac(ed|er|ement|ing)/ fullword nocase
-        $ = "evilc0ders" fullword nocase
-        $ = "exploit" fullword nocase
-        $ = "find . -type f" fullword
-        $ = "hashcrack" nocase
-        $ = "id_rsa" fullword
-        $ = "ipconfig" fullword nocase
-        $ = "kernel32.dll" fullword nocase
-        $ = "kingdefacer" nocase
-        $ = "Wireghoul" nocase fullword
-        $ = "LD_PRELOAD" fullword
-        $ = "libpcprofile"  // CVE-2010-3856 local root
-        $ = "locus7s" nocase
-        $ = "ls -la" fullword
-        $ = "meterpreter" fullword
-        $ = "nc -l" fullword
-        $ = "netstat -an" fullword
-        $ = "php://"
-        $ = "ps -aux" fullword
-        $ = "rootkit" fullword nocase
-        $ = "slowloris" fullword nocase
-        $ = "suhosin" fullword
-        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
-                $ = /trojan (payload)?/
-        $ = "uname -a" fullword
-        $ = "visbot" nocase fullword
-        $ = "warez" fullword nocase
-        $ = "whoami" fullword
-        $ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase
-        $ = /-perm -0[24]000/ // find setuid files
-        $ = /\/bin\/(ba)?sh/ fullword
-        $ = /hack(ing|er|ed)/ nocase
-        $ = /(safe_mode|open_basedir) bypass/ nocase
-        $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
-        $vbs = /language\s*=\s*vbscript/ nocase
-        $asp = "scripting.filesystemobject" nocase
-    condition:
-        (IRC or 2 of them) and not IsWhitelisted
-}
-rule Websites
-{
-    strings:
-        $ = "1337day.com" nocase
-        $ = "antichat.ru" nocase
-        $ = "b374k" nocase
-        $ = "ccteam.ru" nocase
-        $ = "crackfor" nocase
-        $ = "darkc0de" nocase
-        $ = "egyspider.eu" nocase
-        $ = "exploit-db.com" nocase
-        $ = "fopo.com.ar" nocase  /* Free Online Php Obfuscator */
-        $ = "hashchecker.com" nocase
-        $ = "hashkiller.com" nocase
-        $ = "md5crack.com" nocase
-        $ = "md5decrypter.com" nocase
-        $ = "milw0rm.com" nocase
-        $ = "milw00rm.com" nocase
-        $ = "packetstormsecurity" nocase
-        $ = "pentestmonkey.net" nocase
-        $ = "phpjiami.com" nocase
-        $ = "rapid7.com" nocase
-        $ = "securityfocus" nocase
-        $ = "shodan.io" nocase
-        $ = "github.com/b374k/b374k" nocase
-        $ = "mumaasp.com" nocase
-    condition:
-        (any of them) and not IsWhitelisted
-}
author	jvoisin	2018-02-21 11:35:45 +0100
committer	jvoisin	2018-02-21 11:35:45 +0100
commit	43492826c7e8f89bf067a81855100903cc8dfb02 (patch)
tree	cf5d60c606589349d475eaf10d415a422bceb3a7
parent	3724a206fcfaf3578945acfb5fbcb4a85ef33441 (diff)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar deleted file mode 100644 index f9d4573..0000000 --- a/php-malware-finder/common.yar +++ /dev/null
@@ -1,193 +0,0 @@
1	rule CloudFlareBypass
2	{
3	strings:
4	$ = "chk_jschl"
5	$ = "jschl_vc"
6	$ = "jschl_answer"
7
8	condition:
9	2 of them // Better be safe than sorry
10	}
11
12	private rule IRC
13	{
14	strings:
15	$ = "USER" fullword nocase
16	$ = "PASS" fullword nocase
17	$ = "PRIVMSG" fullword nocase
18	$ = "MODE" fullword nocase
19	$ = "PING" fullword nocase
20	$ = "PONG" fullword nocase
21	$ = "JOIN" fullword nocase
22	$ = "PART" fullword nocase
23
24	condition:
25	5 of them
26	}
27
28	private rule base64
29	{
30	strings:
31	$user_agent = "SFRUUF9VU0VSX0FHRU5UCg"
32	$eval = "ZXZhbCg"
33	$system = "c3lzdGVt"
34	$preg_replace = "cHJlZ19yZXBsYWNl"
35	$exec = "ZXhlYyg"
36	$base64_decode = "YmFzZTY0X2RlY29kZ"
37	$perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
38	$cmd_exe = "Y21kLmV4ZQ"
39	$powershell = "cG93ZXJzaGVsbC5leGU"
40
41	condition:
42	any of them
43	}
44
45	private rule hex
46	{
47	strings:
48	$globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
49	$eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
50	$exec = "\\x65\\x78\\x65\\x63" nocase
51	$system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
52	$preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
53	$http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
54	$base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
55
56	condition:
57	any of them
58	}
59
60	private rule Hpack
61	{
62	strings:
63	$globals = "474c4f42414c53" nocase
64	$eval = "6576616C28" nocase
65	$exec = "65786563" nocase
66	$system = "73797374656d" nocase
67	$preg_replace = "707265675f7265706c616365" nocase
68	$base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
69
70	condition:
71	any of them
72	}
73
74	private rule strrev
75	{
76	strings:
77	$globals = "slabolg" nocase fullword
78	$preg_replace = "ecalper_gerp" nocase fullword
79	$base64_decode = "edoced_46esab" nocase fullword
80	$gzinflate = "etalfnizg" nocase fullword
81
82	condition:
83	any of them
84	}
85
86
87	rule SuspiciousEncoding
88	{
89	condition:
90	(base64 or hex or strrev or Hpack) and not IsWhitelisted
91	}
92
93	rule DodgyStrings
94	{
95	strings:
96	$ = ".bash_history"
97	$ = /AddType\s+application\/x-httpd-(php\|cgi)/ nocase
98	$ = /php_value\s*auto_prepend_file/ nocase
99	$ = /SecFilterEngine\s+Off/ nocase // disable modsec
100	$ = /Add(Handler\|Type\|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
101	$ = ".mysql_history"
102	$ = ".ssh/authorized_keys"
103	$ = "/(.*)/e" // preg_replace code execution
104	$ = "/../../../"
105	$ = "/etc/passwd"
106	$ = "/etc/proftpd.conf"
107	$ = "/etc/resolv.conf"
108	$ = "/etc/shadow"
109	$ = "/etc/syslog.conf"
110	$ = "/proc/cpuinfo" fullword
111	$ = "/var/log/lastlog"
112	$ = "/windows/system32/"
113	$ = "LOAD DATA LOCAL INFILE" nocase
114	$ = "WScript.Shell"
115	$ = "WinExec"
116	$ = "b374k" fullword nocase
117	$ = "backdoor" fullword nocase
118	$ = /(c99\|r57\|fx29)shell/
119	$ = "cmd.exe" fullword nocase
120	$ = "powershell.exe" fullword nocase
121	$ = /defac(ed\|er\|ement\|ing)/ fullword nocase
122	$ = "evilc0ders" fullword nocase
123	$ = "exploit" fullword nocase
124	$ = "find . -type f" fullword
125	$ = "hashcrack" nocase
126	$ = "id_rsa" fullword
127	$ = "ipconfig" fullword nocase
128	$ = "kernel32.dll" fullword nocase
129	$ = "kingdefacer" nocase
130	$ = "Wireghoul" nocase fullword
131	$ = "LD_PRELOAD" fullword
132	$ = "libpcprofile" // CVE-2010-3856 local root
133	$ = "locus7s" nocase
134	$ = "ls -la" fullword
135	$ = "meterpreter" fullword
136	$ = "nc -l" fullword
137	$ = "netstat -an" fullword
138	$ = "php://"
139	$ = "ps -aux" fullword
140	$ = "rootkit" fullword nocase
141	$ = "slowloris" fullword nocase
142	$ = "suhosin" fullword
143	$ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
144	$ = /trojan (payload)?/
145	$ = "uname -a" fullword
146	$ = "visbot" nocase fullword
147	$ = "warez" fullword nocase
148	$ = "whoami" fullword
149	$ = /(r[e3]v[e3]rs[e3]\|w[3e]b\|cmd)\s*sh[e3]ll/ nocase
150	$ = /-perm -0[24]000/ // find setuid files
151	$ = /\/bin\/(ba)?sh/ fullword
152	$ = /hack(ing\|er\|ed)/ nocase
153	$ = /(safe_mode\|open_basedir) bypass/ nocase
154	$ = /xp_(execresultset\|regenumkeys\|cmdshell\|filelist)/
155
156	$vbs = /language\s=\svbscript/ nocase
157	$asp = "scripting.filesystemobject" nocase
158
159	condition:
160	(IRC or 2 of them) and not IsWhitelisted
161	}
162
163	rule Websites
164	{
165	strings:
166	$ = "1337day.com" nocase
167	$ = "antichat.ru" nocase
168	$ = "b374k" nocase
169	$ = "ccteam.ru" nocase
170	$ = "crackfor" nocase
171	$ = "darkc0de" nocase
172	$ = "egyspider.eu" nocase
173	$ = "exploit-db.com" nocase
174	$ = "fopo.com.ar" nocase /* Free Online Php Obfuscator */
175	$ = "hashchecker.com" nocase
176	$ = "hashkiller.com" nocase
177	$ = "md5crack.com" nocase
178	$ = "md5decrypter.com" nocase
179	$ = "milw0rm.com" nocase
180	$ = "milw00rm.com" nocase
181	$ = "packetstormsecurity" nocase
182	$ = "pentestmonkey.net" nocase
183	$ = "phpjiami.com" nocase
184	$ = "rapid7.com" nocase
185	$ = "securityfocus" nocase
186	$ = "shodan.io" nocase
187	$ = "github.com/b374k/b374k" nocase
188	$ = "mumaasp.com" nocase
189
190	condition:
191	(any of them) and not IsWhitelisted
192	}
193