xarkes
authored and
Julien (jvoisin) Voisin
committed
Mar 31, 2016
1 parent
fe59511
commit e3b724a
Showing
8 changed files
with
317 additions
and
150 deletions.
@@ -0,0 +1,46 @@ | ||
import "hash" | ||
include "whitelist.yara" | ||
include "common.yara" | ||
|
||
global private rule IsAsp | ||
{ | ||
strings: | ||
$asp = /<%|@{}/ | ||
$cs = /using .{4,25};/ | ||
condition: | ||
($asp or $cs) and filesize < 5MB | ||
} | ||
|
||
rule ObfuscatedAsp | ||
{ | ||
strings: | ||
$ = /LANGUAGE\s*=\s*VBScript.Encode/ nocase | ||
$ = /(".{1,5}"&){5,}/ // "e"&"v"&"a"&"l" | ||
$ = /(chr\s*\(\s*\d{1,3}\s*\)[+\)\s]*){5,}/ nocase // chr(114)+chr(101)+chr(113)+chr(117)+chr(101) | ||
$stunnix = /execute\("dIm [a-z]*"\):[a-z]* = unescape/ nocase // http://stunnix.com/ | ||
condition: | ||
any of them and not IsWhitelisted | ||
} | ||
|
||
rule ObfuscatedEncodingAsp | ||
{ | ||
strings: | ||
$unicode = /\\u[a-f0-9]/ nocase | ||
$html_encode = /&#([0-9]{3}|x[a-f0-9]{2});/ nocase | ||
condition: | ||
(#unicode >= 10 or #html_encode >= 10) and not IsWhitelisted | ||
} | ||
|
||
rule DangerousAsp | ||
{ | ||
strings: | ||
$ = /createobject\s*\(\s*"(WScript\.Shell|WScript\.Network|Shell\.Application|Scripting\.FileSystemObject|ScriptControl)/ nocase | ||
$ = /eval\s*\({0,1}\s*request/ nocase | ||
condition: | ||
2 of them and not IsWhitelisted | ||
} | ||
|
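Review bot: The condition `2 of them` in DangerousAsp (L68) means the classic one-line ASP shell `<%eval request("pass")%>` never fires, because such a file contains the `eval ... request` string but no `createobject(...)` call, and the equally common `execute request(...)` form is not matched at all. I would name that string and let it match on its own: `$eval_request = /(eval|execute)\s*\(?\s*request/ nocase` with `condition: ($eval_request or 2 of them) and not IsWhitelisted` — the parentheses matter because YARA binds `and` tighter than `or`, so without them the whitelist would only apply to the `2 of them` branch. Separately, the IsAsp regex `/<%|@{}/` (L33) has unescaped `{}`, which the YARA regex parser may read as a repetition interval rather than literal braces; if the intent is the Razor `@{` block, `@\{` is the safer spelling. The `IsWhitelisted` rule referenced in every condition comes from the included whitelist.yara and is not visible in this commit.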
@@ -0,0 +1,145 @@ | ||
private rule IRC | ||
{ | ||
strings: | ||
$ = "USER" fullword | ||
$ = "PASS" fullword | ||
$ = "PRIVMSG" fullword | ||
$ = "MODE" fullword | ||
$ = "PING" fullword | ||
$ = "PONG" fullword | ||
$ = "JOIN" fullword | ||
$ = "PART" fullword | ||
condition: | ||
5 of them | ||
} | ||
|
||
private rule base64 | ||
{ | ||
strings: | ||
$eval = "ZXZhbCg" | ||
$system = "c3lzdGVt" | ||
$preg_replace = "cHJlZ19yZXBsYWNl" | ||
$exec = "ZXhlYyg" | ||
$base64_decode = "YmFzZTY0X2RlY29kZ" | ||
$perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg" | ||
$cmd_exe = "Y21kLmV4ZQ" | ||
$powershell = "cG93ZXJzaGVsbC5leGU" | ||
condition: | ||
any of them | ||
} | ||
|
||
private rule hex | ||
{ | ||
strings: | ||
$globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase | ||
$eval = "\\x65\\x76\\x61\\x6C\\x28" nocase | ||
$exec = "\\x65\\x78\\x65\\x63" nocase | ||
$system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase | ||
$preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase | ||
$http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase | ||
condition: | ||
any of them | ||
} | ||
|
||
rule SuspiciousEncoding | ||
{ | ||
condition: | ||
base64 or hex | ||
} | ||
|
||
rule DodgyStrings | ||
{ | ||
strings: | ||
$ = ".bash_history" | ||
$ = /AddType\s+application\/x-httpd-php/ nocase | ||
$ = /php_value\s*auto_prepend_file/ nocase | ||
$ = /SecFilterEngine\s+Off/ nocase // disable modsec | ||
$ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase | ||
$ = ".mysql_history" | ||
$ = ".ssh/authorized_keys" | ||
$ = "/(.*)/e" // preg_replace code execution | ||
$ = "/../../../" | ||
$ = "/etc/passwd" | ||
$ = "/etc/proftpd.conf" | ||
$ = "/etc/resolv.conf" | ||
$ = "/etc/shadow" | ||
$ = "/etc/syslog.conf" | ||
$ = "/proc/cpuinfo" fullword | ||
$ = "/var/log/lastlog" | ||
$ = "/windows/system32/" | ||
$ = "LOAD DATA LOCAL INFILE" nocase | ||
$ = "WScript.Shell" | ||
$ = "WinExec" | ||
$ = "b374k" fullword nocase | ||
$ = "backdoor" fullword nocase | ||
$ = /(c99|r57|fx29)shell/ | ||
$ = "cmd.exe" fullword nocase | ||
$ = "powershell.exe" fullword nocase | ||
$ = /defac(ed|er|ement|ing)/ fullword nocase | ||
$ = "evilc0ders" fullword nocase | ||
$ = "exploit" fullword nocase | ||
$ = "find . -type f" fullword | ||
$ = "hashcrack" nocase | ||
$ = "id_rsa" fullword | ||
$ = "ipconfig" fullword nocase | ||
$ = "kernel32.dll" fullword nocase | ||
$ = "kingdefacer" nocase | ||
$ = "Wireghoul" nocase fullword | ||
$ = "libpcprofile" // CVE-2010-3856 local root | ||
$ = "locus7s" nocase | ||
$ = "ls -la" fullword | ||
$ = "meterpreter" fullword | ||
$ = "nc -l" fullword | ||
$ = "php://" | ||
$ = "ps -aux" fullword | ||
$ = "rootkit" fullword nocase | ||
$ = "slowloris" fullword nocase | ||
$ = "suhosin.executor.func.blacklist" | ||
$ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell. | ||
$ = "uname -a" fullword | ||
$ = "warez" fullword nocase | ||
$ = "whoami" fullword | ||
$ = /(reverse|web|cmd)\s*shell/ nocase | ||
$ = /-perm -0[24]000/ // find setuid files | ||
$ = /\/bin\/(ba)?sh/ fullword | ||
$ = /hack(ing|er|ed)/ nocase | ||
$ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/ | ||
$vbs = /language\s*=\s*vbscript/ nocase | ||
$asp = "scripting.filesystemobject" nocase | ||
condition: | ||
IRC or 2 of them and not IsWhitelisted | ||
} | ||
|
||
rule Websites | ||
{ | ||
strings: | ||
$ = "1337day.com" nocase | ||
$ = "antichat.ru" nocase | ||
$ = "ccteam.ru" nocase | ||
$ = "crackfor" nocase | ||
$ = "darkc0de" nocase | ||
$ = "egyspider.eu" nocase | ||
$ = "exploit-db.com" nocase | ||
$ = "fopo.com.ar" nocase /* Free Online Php Obfuscator */ | ||
$ = "hashchecker.com" nocase | ||
$ = "hashkiller.com" nocase | ||
$ = "md5crack.com" nocase | ||
$ = "md5decrypter.com" nocase | ||
$ = "milw0rm.com" nocase | ||
$ = "milw00rm.com" nocase | ||
$ = "packetstormsecurity" nocase | ||
$ = "rapid7.com" nocase | ||
$ = "securityfocus" nocase | ||
$ = "shodan.io" nocase | ||
$ = "github.com/b374k/b374k" nocase | ||
$ = "mumaasp.com" nocase | ||
condition: | ||
any of them and not IsWhitelisted | ||
} | ||
|
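Review bot: The condition `IRC or 2 of them and not IsWhitelisted` in DodgyStrings (L189) parses as `IRC or (2 of them and not IsWhitelisted)` because YARA gives `and` higher precedence than `or`, so a whitelisted file that happens to satisfy the private IRC rule is still reported; presumably the intent is `(IRC or 2 of them) and not IsWhitelisted`. SuspiciousEncoding (L125) is the only public rule in this file whose condition does not include `not IsWhitelisted`; if that is deliberate a comment saying so would help, otherwise `(base64 or hex) and not IsWhitelisted` keeps it consistent with DodgyStrings and Websites. Also note that each string in the `base64` rule (L95-L102) only matches one of the three byte alignments of its plaintext (e.g. `ZXZhbCg` is `eval(` encoded from offset 0), so a payload padded with a single leading byte before encoding evades it; adding the other two shifted encodings per keyword closes that gap.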