From 43492826c7e8f89bf067a81855100903cc8dfb02 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Wed, 21 Feb 2018 11:35:45 +0100 Subject: Remove a leftover file from the previous commit/great purge --- php-malware-finder/common.yar | 193 ------------------------------------------ 1 file changed, 193 deletions(-) delete mode 100644 php-malware-finder/common.yar diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar deleted file mode 100644 index f9d4573..0000000 --- a/php-malware-finder/common.yar +++ /dev/null @@ -1,193 +0,0 @@ -rule CloudFlareBypass -{ - strings: - $ = "chk_jschl" - $ = "jschl_vc" - $ = "jschl_answer" - - condition: - 2 of them // Better be safe than sorry -} - -private rule IRC -{ - strings: - $ = "USER" fullword nocase - $ = "PASS" fullword nocase - $ = "PRIVMSG" fullword nocase - $ = "MODE" fullword nocase - $ = "PING" fullword nocase - $ = "PONG" fullword nocase - $ = "JOIN" fullword nocase - $ = "PART" fullword nocase - - condition: - 5 of them -} - -private rule base64 -{ - strings: - $user_agent = "SFRUUF9VU0VSX0FHRU5UCg" - $eval = "ZXZhbCg" - $system = "c3lzdGVt" - $preg_replace = "cHJlZ19yZXBsYWNl" - $exec = "ZXhlYyg" - $base64_decode = "YmFzZTY0X2RlY29kZ" - $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg" - $cmd_exe = "Y21kLmV4ZQ" - $powershell = "cG93ZXJzaGVsbC5leGU" - - condition: - any of them -} - -private rule hex -{ - strings: - $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase - $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase - $exec = "\\x65\\x78\\x65\\x63" nocase - $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase - $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase - $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase - $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase - - condition: - any of them -} - -private rule Hpack -{ - strings: - $globals = "474c4f42414c53" nocase - $eval = "6576616C28" nocase - $exec = "65786563" nocase - $system = "73797374656d" nocase - $preg_replace = "707265675f7265706c616365" nocase - $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase - - condition: - any of them -} - -private rule strrev -{ - strings: - $globals = "slabolg" nocase fullword - $preg_replace = "ecalper_gerp" nocase fullword - $base64_decode = "edoced_46esab" nocase fullword - $gzinflate = "etalfnizg" nocase fullword - - condition: - any of them -} - - -rule SuspiciousEncoding -{ - condition: - (base64 or hex or strrev or Hpack) and not IsWhitelisted -} - -rule DodgyStrings -{ - strings: - $ = ".bash_history" - $ = /AddType\s+application\/x-httpd-(php|cgi)/ nocase - $ = /php_value\s*auto_prepend_file/ nocase - $ = /SecFilterEngine\s+Off/ nocase // disable modsec - $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase - $ = ".mysql_history" - $ = ".ssh/authorized_keys" - $ = "/(.*)/e" // preg_replace code execution - $ = "/../../../" - $ = "/etc/passwd" - $ = "/etc/proftpd.conf" - $ = "/etc/resolv.conf" - $ = "/etc/shadow" - $ = "/etc/syslog.conf" - $ = "/proc/cpuinfo" fullword - $ = "/var/log/lastlog" - $ = "/windows/system32/" - $ = "LOAD DATA LOCAL INFILE" nocase - $ = "WScript.Shell" - $ = "WinExec" - $ = "b374k" fullword nocase - $ = "backdoor" fullword nocase - $ = /(c99|r57|fx29)shell/ - $ = "cmd.exe" fullword nocase - $ = "powershell.exe" fullword nocase - $ = /defac(ed|er|ement|ing)/ fullword nocase - $ = "evilc0ders" fullword nocase - $ = "exploit" fullword nocase - $ = "find . -type f" fullword - $ = "hashcrack" nocase - $ = "id_rsa" fullword - $ = "ipconfig" fullword nocase - $ = "kernel32.dll" fullword nocase - $ = "kingdefacer" nocase - $ = "Wireghoul" nocase fullword - $ = "LD_PRELOAD" fullword - $ = "libpcprofile" // CVE-2010-3856 local root - $ = "locus7s" nocase - $ = "ls -la" fullword - $ = "meterpreter" fullword - $ = "nc -l" fullword - $ = "netstat -an" fullword - $ = "php://" - $ = "ps -aux" fullword - $ = "rootkit" fullword nocase - $ = "slowloris" fullword nocase - $ = "suhosin" fullword - $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell. - $ = /trojan (payload)?/ - $ = "uname -a" fullword - $ = "visbot" nocase fullword - $ = "warez" fullword nocase - $ = "whoami" fullword - $ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase - $ = /-perm -0[24]000/ // find setuid files - $ = /\/bin\/(ba)?sh/ fullword - $ = /hack(ing|er|ed)/ nocase - $ = /(safe_mode|open_basedir) bypass/ nocase - $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/ - - $vbs = /language\s*=\s*vbscript/ nocase - $asp = "scripting.filesystemobject" nocase - - condition: - (IRC or 2 of them) and not IsWhitelisted -} - -rule Websites -{ - strings: - $ = "1337day.com" nocase - $ = "antichat.ru" nocase - $ = "b374k" nocase - $ = "ccteam.ru" nocase - $ = "crackfor" nocase - $ = "darkc0de" nocase - $ = "egyspider.eu" nocase - $ = "exploit-db.com" nocase - $ = "fopo.com.ar" nocase /* Free Online Php Obfuscator */ - $ = "hashchecker.com" nocase - $ = "hashkiller.com" nocase - $ = "md5crack.com" nocase - $ = "md5decrypter.com" nocase - $ = "milw0rm.com" nocase - $ = "milw00rm.com" nocase - $ = "packetstormsecurity" nocase - $ = "pentestmonkey.net" nocase - $ = "phpjiami.com" nocase - $ = "rapid7.com" nocase - $ = "securityfocus" nocase - $ = "shodan.io" nocase - $ = "github.com/b374k/b374k" nocase - $ = "mumaasp.com" nocase - - condition: - (any of them) and not IsWhitelisted -} - -- cgit v1.3