
osint wordpress bots code

brian
brian committed Jul 4, 2019
1 parent fd271cf commit 2d4e6df6be7a61535408e8aaa5da778d2e6f17ac
Showing with 53 additions and 0 deletions.
  1. +52 −0 includes/wordpress-bot-070419.yar
  2. +1 −0 lw-rules_index.yar
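--- a/includes/wordpress-bot-070419.yar
+++ b/includes/wordpress-bot-070419.yar
@@ -0,0 +1,52 @@
+/*
+Yara Rule Set
+Author: Brian Laskowski
+Date: 2019-07-04
+Identifier: 07-04-19
+Reference: https://github.com/Hestat/lw-yara/
+*/
+
+/* Rule Set ----------------------------------------------------------------- */
+
+rule wordpress_bot2 {
+meta:
+description = "07-04-19 - file wordpress-bot2.php"
+author = "Brian Laskowski"
+reference = "https://github.com/Hestat/lw-yara/"
+date = "2019-07-04"
+hash1 = "a0fa8c69341cd91679d06a576772d5154b9318a84f46f88acfb49490b678df6d"
+strings:
+$s1 = "goto XljGS; nMNd4: $Y_JLM = file_get_contents(trim($rOWLw)); goto jRAr_; qUhpk: echo \"\\141\\x75\\x78\\x36\\x54\\150\\x65\\151" ascii
+$s2 = "1c; iCbpx: exec($pgcps); goto DJ29v; qgWl4: if (!($_POST[\"\\x63\\160\"] == \"\\x64\\157\\167\\156\\x6c\\x6f\\141\\x64\")) { got" ascii
+$s3 = "XdH2U: qtfL9: goto UA1tk; XljGS: error_reporting(0); goto e2htE; o6j1c: $rOWLw = $_POST[\"\\165\\162\\154\"]; goto k5Ofv; jRAr_:" ascii
+$s4 = "goto XljGS; nMNd4: $Y_JLM = file_get_contents(trim($rOWLw)); goto jRAr_; qUhpk: echo \"\\141\\x75\\x78\\x36\\x54\\150\\x65\\151" ascii
+$s5 = "$aXH4D); goto RC55t; DJ29v: echo \"\\x6f\\153\"; goto XdH2U; UA1tk: hr6VR:" fullword ascii
+$s6 = "\\156\\165\\154\\154\\x20\\x32\\76\\x2f\\x64\\145\\166\\57\\x6e\\x75\\x6c\\x6c\\x20\\46\"; goto iCbpx; GwGpj: exec(\"\\160\\153" ascii
+$s7 = "o qUhpk; RC55t: exec(\"\\x70\\153\\151\\154\\154\\x20\\x2d\\x39\\40\\x2d\\146\\x20\\x73\\x74\\145\\x61\\154\\164\\150\"); goto G" ascii
+condition:
+( uint16(0) == 0x3f3c and
+filesize < 4KB and
+( all of them )
+) or ( all of them )
+}
+
+rule wordpress_bot1 {
+meta:
+description = "07-04-19 - file wordpress-bot1.php"
+author = "Brian Laskowski"
+reference = "https://github.com/Hestat/lw-yara/"
+date = "2019-07-04"
+hash1 = "6a6eac7d84738c14320d18d43b8806a1f1c58b2e7693a9320ef97d89c3847527"
+strings:
+//$s1 = "\" . \"\\145\" . '' . \"\\162\" . \"\\x63\" . '' . ''); goto gCXGN; OMTcw: $zWk0S();" fullword ascii
+$s2 = "<?php"
+$s3 = "goto Foltw"
+$s4 = "$SsrUL < strlen($d38Ix)"
+$s5 = "foreach"
+condition:
+( uint16(0) == 0x3f3c and
+filesize < 1000KB and
+( all of them )
+) or ( all of them )
+}
+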
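Review bot: In both rules the condition `( uint16(0) == 0x3f3c and filesize < N and ( all of them ) ) or ( all of them )` is logically just `all of them`, so the PHP-header and filesize guards never exclude anything; if they are meant to constrain the match, drop the trailing alternative and write `condition:` / `uint16(0) == 0x3f3c and filesize < 4KB and all of them` (and the same with `1000KB` in wordpress_bot1). In wordpress_bot2, `$s1` and `$s4` are byte-identical strings, so one of them is redundant and should be removed. The matched fragments also embed what look like obfuscator-generated labels (`XljGS`, `nMNd4`, `Foltw`, `$SsrUL`), which presumably change on every rebuild, so requiring `all of them` will likely fire only on these two exact samples. The escaped literals in `$s2`, `$s3` and `$s7` decode to `$_POST["url"]`, `$_POST["cp"] == "download"` and `pkill -9 -f stealth`; these are more durable anchors than the labels and are worth naming in the `description` meta so an analyst knows the rule targets a remote-download/kill-process bot rather than just "file wordpress-bot2.php".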
@@ -165,3 +165,4 @@ include "./includes/emotet-dropper.yar"
include "./includes/memoris.yar"
include "./includes/index-injection033019.yar"
include "./includes/xaishell.yar"
include "./includes/wordpress-bot-070419.yar"
