| author | Julien Voisin | 2015-04-17 11:46:23 +0200 |
|---|---|---|
| committer | Julien Voisin | 2015-04-17 11:46:23 +0200 |
| commit | f01f3837eaa2aab4fca3cddae83b899eb12456e9 (patch) | |
| tree | 4df8294bdbcdbababa45f607e32b631fca229ead | |
| parent | 946c70b200f76aec8fed0a9e0bd475a9dcc6a3ca (diff) | |
Ajout de sites dodgy
| -rw-r--r-- | malwares.yara | 20 |
1 files changed, 15 insertions, 5 deletions
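diff --git a/malwares.yara b/malwares.yara
index 63e9376..2962102 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -108,6 +108,7 @@ rule DodgyPhp
 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
 $htaccess = "SetHandler application/x-httpd-php"
 $obvious_preg = /['"]\/\.\*\/e["']/ fullword // "/.*/e" <- this is suspicious
+$udp_dos = /sockopen\s*\(['"]udp:\/\//
 
 condition:
 IsPhp and (any of them or CloudFlareBypass)
@@ -184,7 +185,7 @@ rule DodgyStrings
 IsPhp and (IRC or 2 of them)
 }
 
-rule ExploitsWebsites
+rule Websites
 {
 strings:
 $milw0rm = "milw0rm"
@@ -193,11 +194,20 @@ rule ExploitsWebsites
 $rapid7 = "rapid7.com"
 $shodan = "shodan.io"
 $packetstorm = "packetstormsecurity"
-$crackfor = "crackfor"
+$crackfor = "crackfor" nocase
 $rednoize = "md5.rednoize"
-$hashcracking = "hashcracking"
-$darkc0de = "darkc0de"
-$securityfocus = "securityfocus"
+$hashcracking = "hashcracking" nocase
+$darkc0de = "darkc0de" nocase
+$securityfocus = "securityfocus" nocase
+$antichat = "antichat.ru"
+$kingdefacer = "KingDefacer" nocase
+$md5crack = "md5crack.com"
+$md5crack = "md5decrypter.com"
+$hashkiller = "hashkiller.com"
+$hashchecker = "hashchecker.com"
+$fopo = "http://www.fopo.com.ar/"
+$ccteam = "ccteam.ru"
+$locus = "locus7s.com"
 
 condition:
 IsPhp and any of them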
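Review bot: The string identifier `$md5crack` is declared twice in the added lines of rule Websites (`$md5crack = "md5crack.com"` followed by `$md5crack = "md5decrypter.com"`), and YARA refuses to compile a rule whose strings section reuses an identifier, so this breaks loading of the whole ruleset. The second one should get its own name, e.g. `$md5decrypter = "md5decrypter.com"`. The rename of `ExploitsWebsites` to `Websites` in the preceding hunk is only safe if no other rule's condition in this file still references the old name; that cannot be confirmed from the diff, so it is worth grepping the rest of the file before merging. The rule's closing brace lies past the end of this hunk.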
