Add ASP webshell detection

jvoisin · Mar 31, 2016 · e3b724a · e3b724a
1 parent fe59511
commit e3b724a
Show file tree

Hide file tree

Showing 8 changed files with 317 additions and 150 deletions.
diff --git a/php-malware-finder/asp.yara b/php-malware-finder/asp.yara
@@ -0,0 +1,46 @@
+import "hash"
+include "whitelist.yara"
+include "common.yara"
+
+global private rule IsAsp
+{
+    strings:
+        $asp = /<%|@{}/
+        $cs = /using .{4,25};/
+
+    condition:
+        ($asp or $cs) and filesize < 5MB
+}
+
+rule ObfuscatedAsp
+{
+    strings:
+        $ = /LANGUAGE\s*=\s*VBScript.Encode/ nocase
+        $ = /(".{1,5}"&){5,}/ // "e"&"v"&"a"&"l"
+        $ = /(chr\s*\(\s*\d{1,3}\s*\)[+\)\s]*){5,}/ nocase // chr(114)+chr(101)+chr(113)+chr(117)+chr(101)
+        $stunnix = /execute\("dIm [a-z]*"\):[a-z]* = unescape/ nocase // http://stunnix.com/
+
+    condition:
+        any of them and not IsWhitelisted 
+}
+
+rule ObfuscatedEncodingAsp
+{
+    strings:
+        $unicode = /\\u[a-f0-9]/ nocase
+        $html_encode = /&#([0-9]{3}|x[a-f0-9]{2});/ nocase
+
+    condition:
+        (#unicode >= 10 or #html_encode >= 10) and not IsWhitelisted 
+}
+
+rule DangerousAsp
+{
+    strings:
+        $ = /createobject\s*\(\s*"(WScript\.Shell|WScript\.Network|Shell\.Application|Scripting\.FileSystemObject|ScriptControl)/ nocase
+        $ = /eval\s*\({0,1}\s*request/ nocase
+
+    condition:
+        2 of them and not IsWhitelisted
+}
+
diff --git a/php-malware-finder/common.yara b/php-malware-finder/common.yara
@@ -0,0 +1,145 @@
+private rule IRC
+{
+    strings:
+        $ = "USER" fullword
+        $ = "PASS" fullword
+        $ = "PRIVMSG" fullword
+        $ = "MODE" fullword
+        $ = "PING" fullword
+        $ = "PONG" fullword
+        $ = "JOIN" fullword
+        $ = "PART" fullword
+
+    condition:
+        5 of them
+}
+
+private rule base64
+{
+    strings:
+        $eval = "ZXZhbCg"
+        $system = "c3lzdGVt"
+        $preg_replace = "cHJlZ19yZXBsYWNl"
+        $exec = "ZXhlYyg"
+        $base64_decode = "YmFzZTY0X2RlY29kZ"
+        $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
+        $cmd_exe = "Y21kLmV4ZQ"
+        $powershell = "cG93ZXJzaGVsbC5leGU"
+
+    condition:
+        any of them
+}
+
+private rule hex
+{
+    strings:
+        $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
+        $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
+        $exec = "\\x65\\x78\\x65\\x63" nocase
+        $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
+        $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
+        $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
+    
+    condition:
+        any of them
+}
+
+rule SuspiciousEncoding
+{
+    condition:
+        base64 or hex
+}
+
+rule DodgyStrings
+{
+    strings:
+        $ = ".bash_history"
+        $ = /AddType\s+application\/x-httpd-php/ nocase
+        $ = /php_value\s*auto_prepend_file/ nocase
+        $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
+        $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
+        $ = ".mysql_history"
+        $ = ".ssh/authorized_keys"
+        $ = "/(.*)/e"  // preg_replace code execution
+        $ = "/../../../"
+        $ = "/etc/passwd"
+        $ = "/etc/proftpd.conf"
+        $ = "/etc/resolv.conf"
+        $ = "/etc/shadow"
+        $ = "/etc/syslog.conf"
+        $ = "/proc/cpuinfo" fullword
+        $ = "/var/log/lastlog"
+        $ = "/windows/system32/"
+        $ = "LOAD DATA LOCAL INFILE" nocase
+        $ = "WScript.Shell"
+        $ = "WinExec"
+        $ = "b374k" fullword nocase
+        $ = "backdoor" fullword nocase
+        $ = /(c99|r57|fx29)shell/
+        $ = "cmd.exe" fullword nocase
+        $ = "powershell.exe" fullword nocase
+        $ = /defac(ed|er|ement|ing)/ fullword nocase
+        $ = "evilc0ders" fullword nocase
+        $ = "exploit" fullword nocase
+        $ = "find . -type f" fullword
+        $ = "hashcrack" nocase
+        $ = "id_rsa" fullword
+        $ = "ipconfig" fullword nocase
+        $ = "kernel32.dll" fullword nocase
+        $ = "kingdefacer" nocase
+        $ = "Wireghoul" nocase fullword
+        $ = "libpcprofile"  // CVE-2010-3856 local root
+        $ = "locus7s" nocase
+        $ = "ls -la" fullword
+        $ = "meterpreter" fullword
+        $ = "nc -l" fullword
+        $ = "php://"
+        $ = "ps -aux" fullword
+        $ = "rootkit" fullword nocase
+        $ = "slowloris" fullword nocase
+        $ = "suhosin.executor.func.blacklist"
+        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
+        $ = "uname -a" fullword
+        $ = "warez" fullword nocase
+        $ = "whoami" fullword
+        $ = /(reverse|web|cmd)\s*shell/ nocase
+        $ = /-perm -0[24]000/ // find setuid files
+        $ = /\/bin\/(ba)?sh/ fullword
+        $ = /hack(ing|er|ed)/ nocase
+        $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
+
+        $vbs = /language\s*=\s*vbscript/ nocase
+        $asp = "scripting.filesystemobject" nocase
+
+    condition:
+        IRC or 2 of them and not IsWhitelisted
+}
+
+rule Websites
+{
+    strings:
+        $ = "1337day.com" nocase
+        $ = "antichat.ru" nocase
+        $ = "ccteam.ru" nocase
+        $ = "crackfor" nocase
+        $ = "darkc0de" nocase
+        $ = "egyspider.eu" nocase
+        $ = "exploit-db.com" nocase
+        $ = "fopo.com.ar" nocase  /* Free Online Php Obfuscator */
+        $ = "hashchecker.com" nocase
+        $ = "hashkiller.com" nocase
+        $ = "md5crack.com" nocase
+        $ = "md5decrypter.com" nocase
+        $ = "milw0rm.com" nocase
+        $ = "milw00rm.com" nocase
+        $ = "packetstormsecurity" nocase
+        $ = "rapid7.com" nocase
+        $ = "securityfocus" nocase
+        $ = "shodan.io" nocase
+        $ = "github.com/b374k/b374k" nocase
+        $ = "mumaasp.com" nocase
+
+    condition:
+        any of them and not IsWhitelisted
+}
+
diff --git a/php-malware-finder/docroot-check.sh b/php-malware-finder/docroot-check.sh
@@ -2,7 +2,7 @@
 
 PATH=/usr/bin:/bin:/sbin:/usr/sbin
 apache_confdir="/etc/apache2/sites-available"
-pmf_conf="/etc/phpmalwarefinder/malwares.yara"
+pmf_conf="/etc/phpmalwarefinder/php.yara"
 pmf_cachedir="/tmp"
 
 # grab the different document roots to scan each and everyone of them

diff --git a/php-malware-finder/generate_whitelist.py b/php-malware-finder/generate_whitelist.py
@@ -13,8 +13,13 @@
 
 if len(sys.argv) != 3:
     print 'Usage: %s name_of_the_rule_and_version folder_to_scan' % sys.argv[0]
+    sys.exit(1)
+
+if not os.path.isdir(sys.argv[2]):
+    print '%s is not a folder !' % sys.argv[2]
+    sys.exit(1)
 
-rules = yara.compile('./malwares.yara', includes=True, error_on_warning=True)
+rules = yara.compile('./php.yara', includes=True, error_on_warning=True)
 
 output_list = list()
 

diff --git a/php-malware-finder/malwares.yara → php-malware-finder/php.yara b/php-malware-finder/malwares.yara → php-malware-finder/php.yara
@@ -1,5 +1,6 @@
 import "hash"
 include "whitelist.yara"
+include "common.yara"
 
 /*
     Detect:
@@ -32,22 +33,6 @@ global private rule IsPhp
         $php and filesize < 5MB
 }
 
-private rule IRC
-{
-    strings:
-        $ = "USER" fullword
-        $ = "PASS" fullword
-        $ = "PRIVMSG" fullword
-        $ = "MODE" fullword
-        $ = "PING" fullword
-        $ = "PONG" fullword
-        $ = "JOIN" fullword
-        $ = "PART" fullword
-
-    condition:
-        5 of them
-}
-
 private rule CloudFlareBypass
 {
     strings:
@@ -76,39 +61,6 @@ condition:
         any of them and not IsWhitelisted
 }
 
-private rule base64
-{
-    strings:
-        $eval = "ZXZhbCg"
-        $system = "c3lzdGVt"
-        $preg_replace = "cHJlZ19yZXBsYWNl"
-        $exec = "ZXhlYyg"
-        $base64_decode = "YmFzZTY0X2RlY29kZ"
-        $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
-    condition:
-        any of them
-}
-
-private rule hex
-{
-    strings:
-        $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
-        $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
-        $exec = "\\x65\\x78\\x65\\x63" nocase
-        $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
-        $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
-        $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
-    
-    condition:
-        any of them
-}
-
-rule SuspiciousEncoding
-{
-    condition:
-        base64 or hex
-}
-
 rule DodgyPhp
 {
     strings:
@@ -191,93 +143,3 @@ rule DangerousPhp
         not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
 }
 
-rule DodgyStrings
-{
-    strings:
-        $ = ".bash_history"
-        $ = /AddType\s+application\/x-httpd-php/ nocase
-        $ = /php_value\s*auto_prepend_file/ nocase
-        $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
-        $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
-        $ = ".mysql_history"
-        $ = ".ssh/authorized_keys"
-        $ = "/(.*)/e"  // preg_replace code execution
-        $ = "/../../../"
-        $ = "/etc/passwd"
-        $ = "/etc/proftpd.conf"
-        $ = "/etc/resolv.conf"
-        $ = "/etc/shadow"
-        $ = "/etc/syslog.conf"
-        $ = "/proc/cpuinfo" fullword
-        $ = "/var/log/lastlog"
-        $ = "/windows/system32/"
-        $ = "LOAD DATA LOCAL INFILE" nocase
-        $ = "WScript.Shell"
-        $ = "WinExec"
-        $ = "b374k" fullword nocase
-        $ = "backdoor" fullword nocase
-        $ = /(c99|r57|fx29)shell/
-        $ = "cmd.exe" fullword nocase
-        $ = /defac(ed|er|ement|ing)/ fullword nocase
-        $ = "evilc0ders" fullword nocase
-        $ = "exploit" fullword nocase
-        $ = "find . -type f" fullword
-        $ = "hashcrack" nocase
-        $ = "id_rsa" fullword
-        $ = "ipconfig" fullword nocase
-        $ = "kernel32.dll" fullword nocase
-        $ = "kingdefacer" nocase
-        $ = "Wireghoul" nocase fullword
-        $ = "libpcprofile"  // CVE-2010-3856 local root
-        $ = "locus7s" nocase
-        $ = "ls -la" fullword
-        $ = "meterpreter" fullword
-        $ = "nc -l" fullword
-        $ = "php://"
-        $ = "ps -aux" fullword
-        $ = "rootkit" fullword nocase
-        $ = "slowloris" fullword nocase
-        $ = "suhosin.executor.func.blacklist"
-        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
-        $ = "uname -a" fullword
-        $ = "warez" fullword nocase
-        $ = "whoami" fullword
-        $ = /(reverse|web)\s*shell/ nocase
-        $ = /-perm -0[24]000/ // find setuid files
-        $ = /\/bin\/(ba)?sh/ fullword
-        $ = /hack(ing|er|ed)/ nocase
-        $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
-
-        $vbs = /language\s*=\s*vbscript/ nocase
-        $asp = "scripting.filesystemobject" nocase
-
-    condition:
-        IRC or 2 of them and not IsWhitelisted
-}
-
-rule Websites
-{
-    strings:
-        $ = "1337day.com" nocase
-        $ = "antichat.ru" nocase
-        $ = "ccteam.ru" nocase
-        $ = "crackfor" nocase
-        $ = "darkc0de" nocase
-        $ = "egyspider.eu" nocase
-        $ = "exploit-db.com" nocase
-        $ = "fopo.com.ar" nocase  /* Free Online Php Obfuscator */
-        $ = "hashchecker.com" nocase
-        $ = "hashkiller.com" nocase
-        $ = "md5crack.com" nocase
-        $ = "md5decrypter.com" nocase
-        $ = "milw0rm.com" nocase
-        $ = "milw00rm.com" nocase
-        $ = "packetstormsecurity" nocase
-        $ = "rapid7.com" nocase
-        $ = "securityfocus" nocase
-        $ = "shodan.io" nocase
-        $ = "github.com/b374k/b374k" nocase
-
-    condition:
-        any of them and not IsWhitelisted
-}