[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></" $s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword condition: 1 of them } rule myshell_php_php { meta: description = "Semi-Auto-generated - file myshell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "62783d1db52d05b1b6ae2403a7044490" strings: $s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory." $s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color" $s2 = " $fileEditInfo = \" ::::::: Owner: <font color=$" condition: 2 of them } rule SimShell_1_0___Simorgh_Security_MGZ_php { meta: description = "Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "37cb1db26b1b0161a4bf678a6b4565bd" strings: $s0 = "Simorgh Security Magazine " $s1 = "Simshell.css" $s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], " $s3 = "www.simorgh-ev.com" condition: 2 of them } rule jspshall_jsp { meta: description = "Semi-Auto-generated - file jspshall.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "efe0f6edaa512c4e1fdca4eeda77b7ee" strings: $s0 = "kj021320" $s1 = "case 'T':systemTools(out);break;" $s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file" condition: 2 of them } rule webshell_php { meta: description = "Semi-Auto-generated - file webshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "e425241b928e992bde43dd65180a4894" strings: $s2 = "<die(\"Couldn't Read directory, Blocked!!!\");" $s3 = "PHP Web Shell" condition: all of them } rule rootshell_php { meta: description = "Semi-Auto-generated - file rootshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "265f3319075536030e59ba2f9ef3eac6" strings: $s0 = "shells.dl.am" $s1 = "This server has been infected by $owner" $s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>" $s4 = "Could not write to file! (Maybe you didn't enter any text?)" condition: 2 of them } rule connectback2_pl { meta: description = "Semi-Auto-generated - file connectback2.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "473b7d226ea6ebaacc24504bd740822e" strings: $s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL " $s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel" $s2 = "ConnectBack Backdoor" condition: 1 of them } rule DefaceKeeper_0_2_php { meta: description = "Semi-Auto-generated - file DefaceKeeper_0.2.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "713c54c3da3031bc614a8a55dccd7e7f" strings: $s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword $s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9" $s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center" condition: 1 of them } rule shells_PHP_wso { meta: description = "Semi-Auto-generated - file wso.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "33e2891c13b78328da9062fbfcf898b6" strings: $s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi" $s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos" condition: 1 of them } rule backdoor1_php { meta: description = "Semi-Auto-generated - file backdoor1.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "e1adda1f866367f52de001257b4d6c98" strings: $s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".." $s2 = "class backdoor {" $s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <" condition: 1 of them } rule elmaliseker_asp { meta: description = "Semi-Auto-generated - file elmaliseker.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b32d1730d23a660fd6aa8e60c3dc549f" strings: $s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\"" $s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">" $s2 = "dim zombie_array,special_array" $s3 = "http://vnhacker.org" condition: 1 of them } rule indexer_asp { meta: description = "Semi-Auto-generated - file indexer.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "9ea82afb8c7070817d4cdf686abe0300" strings: $s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ" $s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit" condition: 1 of them } rule DxShell_php_php { meta: description = "Semi-Auto-generated - file DxShell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "33a2b31810178f4c2e71fbdeb4899244" strings: $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx" $s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><" condition: 1 of them } rule s72_Shell_v1_1_Coding_html { meta: description = "Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c2e8346a5515c81797af36e7e4a3828e" strings: $s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><" $s1 = "s72 Shell v1.0 Codinf by Cr@zy_King" $s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\"" condition: 1 of them } rule hidshell_php_php { meta: description = "Semi-Auto-generated - file hidshell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c2f3327d60884561970c63ffa09439a4" strings: $s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U" condition: all of them } rule kacak_asp { meta: description = "Semi-Auto-generated - file kacak.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "907d95d46785db21331a0324972dda8c" strings: $s0 = "Kacak FSO 1.0" $s1 = "if request.querystring(\"TGH\") = \"1\" then" $s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style=" $s4 = "mailto:BuqX@hotmail.com" condition: 1 of them } rule PHP_Backdoor_Connect_pl_php { meta: description = "Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "57fcd9560dac244aeaf95fd606621900" strings: $s0 = "LorD of IRAN HACKERS SABOTAGE" $s1 = "LorD-C0d3r-NT" $s2 = "echo --==Userinfo==-- ;" condition: 1 of them } rule Antichat_Socks5_Server_php_php { meta: description = "Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "cbe9eafbc4d86842a61a54d98e5b61f1" strings: $s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword $s3 = "# [+] Domain name address type" $s4 = "www.antichat.ru" condition: 1 of them } rule Antichat_Shell_v1_3_php { meta: description = "Semi-Auto-generated - file Antichat Shell v1.3.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "40d0abceba125868be7f3f990f031521" strings: $s0 = "Antichat" $s1 = "Can't open file, permission denide" $s2 = "$ra44" condition: 2 of them } rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php { meta: description = "Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "49ad9117c96419c35987aaa7e2230f63" strings: $s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy" $s1 = "Mode Shell v1.0</font></span>" $s2 = "has been already loaded. PHP Emperor <xb5@hotmail." condition: 1 of them } rule mysql_php_php { meta: description = "Semi-Auto-generated - file mysql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "12bbdf6ef403720442a47a3cc730d034" strings: $s0 = "action=mysqlread&mass=loadmass\">load all defaults" $s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru" $s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = " condition: 1 of them } rule Worse_Linux_Shell_php { meta: description = "Semi-Auto-generated - file Worse Linux Shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8338c8d9eab10bd38a7116eb534b5fa2" strings: $s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td" $s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd" condition: 1 of them } rule cyberlords_sql_php_php { meta: description = "Semi-Auto-generated - file cyberlords_sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "03b06b4183cb9947ccda2c3d636406d4" strings: $s0 = "Coded by n0 [nZer0]" $s1 = " www.cyberlords.net" $s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE" $s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);" condition: 1 of them } rule cmd_asp_5_1_asp { meta: description = "Semi-Auto-generated - file cmd-asp-5.1.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8baa99666bf3734cbdfdd10088e0cd9f" strings: $s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword $s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword condition: 1 of them } rule pws_php_php { meta: description = "Semi-Auto-generated - file pws.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ecdc6c20f62f99fa265ec9257b7bf2ce" strings: $s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword $s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword $s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>" condition: 2 of them } rule PHP_Shell_php_php { meta: description = "Semi-Auto-generated - file PHP Shell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "a2f8fa4cce578fc9c06f8e674b9e63fd" strings: $s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" $s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type=" condition: all of them } rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html { meta: description = "Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8a8c8bb153bd1ee097559041f2e5cf0a" strings: $s0 = "Ayyildiz" $s1 = "TouCh By iJOo" $s2 = "First we check if there has been asked for a working directory" $s3 = "http://ayyildiz.org/images/whosonline2.gif" condition: 2 of them } rule EFSO_2_asp { meta: description = "Semi-Auto-generated - file EFSO_2.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b5fde9682fd63415ae211d53c6bfaa4d" strings: $s0 = "Ejder was HERE" $s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~" condition: 2 of them } rule lamashell_php { meta: description = "Semi-Auto-generated - file lamashell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "de9abc2e38420cad729648e93dfc6687" strings: $s0 = "lama's'hell" fullword $s1 = "if($_POST['king'] == \"\") {" $s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f" condition: 1 of them } rule Ajax_PHP_Command_Shell_php { meta: description = "Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "93d1a2e13a3368a2472043bd6331afe9" strings: $s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>" $s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help" $s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct" condition: 1 of them } rule JspWebshell_1_2_jsp { meta: description = "Semi-Auto-generated - file JspWebshell 1.2.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "70a0ee2624e5bbe5525ccadc467519f6" strings: $s0 = "JspWebshell" $s1 = "CreateAndDeleteFolder is error:" $s2 = "<td width=\"70%\" height=\"22\"> <%=env.queryHashtable(\"java.c" $s3 = "String _password =\"111\";" condition: 2 of them } rule Sincap_php_php { meta: description = "Semi-Auto-generated - file Sincap.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b68b90ff6012a103e57d141ed38a7ee9" strings: $s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');" $s2 = "$tampon4=$tampon3-1" $s3 = "@aventgrup.net" condition: 2 of them } rule Test_php_php { meta: description = "Semi-Auto-generated - file Test.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "77e331abd03b6915c6c6c7fe999fcb50" strings: $s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword $s2 = "fwrite ($fp, \"$yazi\");" fullword $s3 = "$entry_line=\"HACKed by EntriKa\";" fullword condition: 1 of them } rule Phyton_Shell_py { meta: description = "Semi-Auto-generated - file Phyton Shell.py.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "92b3c897090867c65cc169ab037a0f55" strings: $s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword $s2 = "# d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword $s3 = "print \"error; help: head -n 16 d00r.py\"" fullword $s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword condition: 1 of them } rule mysql_tool_php_php { meta: description = "Semi-Auto-generated - file mysql_tool.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5fbe4d8edeb2769eda5f4add9bab901e" strings: $s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['" $s1 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV" $s4 = "<div align=\"center\">The backup process has now started<br " condition: 1 of them } rule Zehir_4_asp { meta: description = "Semi-Auto-generated - file Zehir 4.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "7f4e12e159360743ec016273c3b9108c" strings: $s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time=" $s4 = "<input type=submit value=\"Test Et!\" onclick=\"" condition: 1 of them } rule sh_php_php { meta: description = "Semi-Auto-generated - file sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "330af9337ae51d0bac175ba7076d6299" strings: $s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e" $s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:" condition: 1 of them } rule phpbackdoor15_php { meta: description = "Semi-Auto-generated - file phpbackdoor15.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0fdb401a49fc2e481e3dfd697078334b" strings: $s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na" $s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI" $s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s" condition: 1 of them } rule phpjackal_php { meta: description = "Semi-Auto-generated - file phpjackal.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ab230817bcc99acb9bdc0ec6d264d76f" strings: $s3 = "$dl=$_REQUEST['downloaD'];" $s4 = "else shelL(\"perl.exe $name $port\");" condition: 1 of them } rule sql_php_php { meta: description = "Semi-Auto-generated - file sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8334249cbb969f2d33d678fec2b680c5" strings: $s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#" $s2 = "http://rst.void.ru" $s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" condition: 1 of them } rule cgi_python_py { meta: description = "Semi-Auto-generated - file cgi-python.py.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0a15f473e2232b89dae1075e1afdac97" strings: $s0 = "a CGI by Fuzzyman" $s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + " $s2 = "values = map(lambda x: x.value, theform[field]) # allows for" condition: 1 of them } rule ru24_post_sh_php_php { meta: description = "Semi-Auto-generated - file ru24_post_sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5b334d494564393f419af745dc1eeec7" strings: $s1 = "<title>Ru24PostWebShell

Server Adress:User Info: ui" $s4 = "

: \".mysql_error().\"$f_" $s4 = "print \"Current Directory" $s4 = "

" fullword condition: 2 of them } rule webshell_iMHaPFtp_2 { meta: description = "Web Shell - file iMHaPFtp.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "12911b73bc6a5d313b494102abcf5c57" strings: $s8 = "if ($l) echo '\"+strCut(convertPath(list[i].getPath()),7" $s3 = " \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control" condition: all of them } rule webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 { meta: description = "Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "49ad9117c96419c35987aaa7e2230f63" strings: $s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n" $s1 = "Mode Shell v1.0[\" (left bracket), \"|\" (pi" $s3 = "word: \"null\", \"yes\", \"no\", \"true\"," condition: 1 of them } rule webshell_PHPRemoteView { meta: description = "Web Shell - file PHPRemoteView.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "29420106d9a81553ef0d1ca72b9934d9" strings: $s2 = "" fullword $s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\"" condition: all of them } rule webshell_caidao_shell_guo { meta: description = "Web Shell - file guo.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "9e69a8f499c660ee0b4796af14dc08f0" strings: $s0 = "

\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n" condition: 1 of them } rule webshell_asp_cmd { meta: description = "Web Shell - file cmd.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "895ca846858c315a3ff8daa7c55b3119" strings: $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword $s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword $s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword condition: 1 of them } rule webshell_php_sh_server { meta: description = "Web Shell - file server.php" author = "Florian Roth" date = "2014/01/28" score = 50 hash = "d87b019e74064aa90e2bb143e5e16cfa" strings: $s0 = "eval(getenv('HTTP_CODE'));" fullword condition: all of them } rule webshell_PH_Vayv_PH_Vayv { meta: description = "Web Shell - file PH Vayv.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "35fb37f3c806718545d97c6559abd262" strings: $s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in" $s4 = "SHOPEN" fullword condition: all of them } rule webshell_cihshell_fix { meta: description = "Web Shell - file cihshell_fix.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "3823ac218032549b86ee7c26f10c4cb5" strings: $s7 = "

" fullword $s8 = "" fullword condition: all of them } rule webshell_Private_i3lue { meta: description = "Web Shell - file Private-i3lue.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "13f5c7a035ecce5f9f380967cf9d4e92" strings: $s8 = "case 15: $image .= \"\\21\\0\\" condition: all of them } rule webshell_php_up { meta: description = "Web Shell - file up.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "7edefb8bd0876c41906f4b39b52cd0ef" strings: $s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword $s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword $s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword condition: 2 of them } rule webshell_Mysql_interface_v1_0 { meta: description = "Web Shell - file Mysql interface v1.0.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "a12fc0a3d31e2f89727b9678148cd487" strings: $s0 = "echo \"Go Execute
All the data in these tables:
\".$tblsv.\" were putted " condition: all of them } rule webshell_Server_Variables { meta: description = "Web Shell - file Server Variables.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "47fb8a647e441488b30f92b4d39003d7" strings: $s7 = "<% For Each Vars In Request.ServerVariables %>" fullword $s9 = "Variable Name

" fullword condition: all of them } rule webshell_caidao_shell_ice_2 { meta: description = "Web Shell - file ice.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "1d6335247f58e0a5b03e17977888f5f2" strings: $s0 = "" fullword condition: all of them } rule webshell_caidao_shell_mdb { meta: description = "Web Shell - file mdb.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "fbf3847acef4844f3a0d04230f6b9ff9" strings: $s1 = "<% execute request(\"ice\")%>a " fullword condition: all of them } rule webshell_jsp_guige { meta: description = "Web Shell - file guige.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "2c9f2dafa06332957127e2c713aacdd2" strings: $s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null" condition: all of them } rule webshell_phpspy2010 { meta: description = "Web Shell - file phpspy2010.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "14ae0e4f5349924a5047fed9f3b105c5" strings: $s3 = "eval(gzinflate(base64_decode(" $s5 = "//angel" fullword $s8 = "$admin['cookiedomain'] = '';" fullword condition: all of them } rule webshell_asp_ice { meta: description = "Web Shell - file ice.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "d141e011a92f48da72728c35f1934a2b" strings: $s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC" condition: all of them } rule webshell_drag_system { meta: description = "Web Shell - file system.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "15ae237cf395fb24cf12bff141fb3f7c" strings: $s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_" condition: all of them } rule webshell_DarkBlade1_3_asp_indexx { meta: description = "Web Shell - file indexx.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "b7f46693648f534c2ca78e3f21685707" strings: $s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou" condition: all of them } rule webshell_phpshell3 { meta: description = "Web Shell - file phpshell3.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "76117b2ee4a7ac06832d50b2d04070b8" strings: $s2 = "" fullword condition: all of them } rule webshell_asp_404 { meta: description = "Web Shell - file 404.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "d9fa1e8513dbf59fa5d130f389032a2d" strings: $s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2" condition: all of them } rule webshell_webshell_cnseay02_1 { meta: description = "Web Shell - file webshell-cnseay02-1.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "95fc76081a42c4f26912826cb1bd24b1" strings: $s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU" condition: all of them } rule webshell_php_fbi { meta: description = "Web Shell - file fbi.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "1fb32f8e58c8deb168c06297a04a21f1" strings: $s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo" condition: all of them } rule webshell_B374kPHP_B374k { meta: description = "Web Shell - file B374k.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "bed7388976f8f1d90422e8795dff1ea6" strings: $s0 = "Http://code.google.com/p/b374k-shell" fullword $s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'" $s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword $s4 = "B374k Vip In Beautify Just For Self" fullword condition: 1 of them } rule webshell_cmd_asp_5_1 { meta: description = "Web Shell - file cmd-asp-5.1.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "8baa99666bf3734cbdfdd10088e0cd9f" strings: $s9 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword condition: all of them } rule webshell_php_dodo_zip { meta: description = "Web Shell - file zip.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "b7800364374077ce8864796240162ad5" strings: $s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x" $s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" condition: all of them } rule webshell_aZRaiLPhp_v1_0 { meta: description = "Web Shell - file aZRaiLPhp v1.0.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "26b2d3943395682e36da06ed493a3715" strings: $s5 = "echo \" CHMODU \".substr(base_convert(@fileperms($" $s7 = "echo \"\" . $filena" $s9 = "// by: The Dark Raver" fullword condition: 1 of them } rule webshell_ironshell { meta: description = "Web Shell - file ironshell.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "8bfa2eeb8a3ff6afc619258e39fded56" strings: $s4 = "print \"<%@page import=\"java.net.*\"%><%String t=request." condition: all of them } rule webshell_mysqlwebsh { meta: description = "Web Shell - file mysqlwebsh.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "babfa76d11943a22484b3837f105fada" strings: $s3 = " \" title=\"<%=SubFolder.Name%>\"> ??????????????????: " fullword condition: all of them } rule webshell_asp_1 { meta: description = "Web Shell - file 1.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "8991148adf5de3b8322ec5d78cb01bdb" strings: $s4 = "!22222222222222222222222222222222222222222222222222" fullword $s8 = "<%eval request(\"pass\")%>" fullword condition: all of them } rule webshell_ASP_tool { meta: description = "Web Shell - file tool.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "4ab68d38527d5834e9c1ff64407b34fb" strings: $s0 = "Response.Write \"<DIR> " fullword condition: 2 of them } rule webshell_jsp_jshell { meta: description = "Web Shell - file jshell.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "124b22f38aaaf064cef14711b2602c06" strings: $s0 = "kXpeW[\"" fullword $s4 = "[7b:g0W@W<" fullword $s5 = "b:gHr,g<" fullword $s8 = "RhV0W@W<" fullword $s9 = "S_MR(u7b" fullword condition: all of them } rule webshell_ASP_zehir4 { meta: description = "Web Shell - file zehir4.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "7f4e12e159360743ec016273c3b9108c" strings: $s9 = "Response.Write \"" fullword condition: all of them } rule webshell_PHP_Shell_x3 { meta: description = "Web Shell - file PHP Shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "a2f8fa4cce578fc9c06f8e674b9e63fd" strings: $s4 = "  [" $s6 = "echo \"
\");" fullword condition: all of them } rule webshell_jsp_k81 { meta: description = "Web Shell - file k81.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "41efc5c71b6885add9c1d516371bd6af" strings: $s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword $s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword condition: 1 of them } rule webshell_ASP_zehir { meta: description = "Web Shell - file zehir.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "0061d800aee63ccaf41d2d62ec15985d" strings: $s9 = "Response.Write \"
" condition: all of them } rule webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit { meta: description = "Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "c6eeacbe779518ea78b8f7ed5f63fc11" strings: $s1 = "" fullword condition: all of them } rule webshell_redirect { meta: description = "Web Shell - file redirect.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "97da83c6e3efbba98df270cc70beb8f8" strings: $s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" " condition: all of them } rule webshell_jsp_cmdjsp { meta: description = "Web Shell - file cmdjsp.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "b815611cc39f17f05a73444d699341d4" strings: $s5 = "" fullword condition: all of them } rule webshell_Java_Shell { meta: description = "Web Shell - file Java Shell.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "36403bc776eb12e8b7cc0eb47c8aac83" strings: $s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword $s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword condition: 1 of them } rule webshell_asp_1d { meta: description = "Web Shell - file 1d.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "fad7504ca8a55d4453e552621f81563c" strings: $s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO" condition: all of them } rule webshell_jsp_IXRbE { meta: description = "Web Shell - file IXRbE.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "e26e7e0ebc6e7662e1123452a939e2cd" strings: $s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application" condition: all of them } rule webshell_PHP_G5 { meta: description = "Web Shell - file G5.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "95b4a56140a650c74ed2ec36f08d757f" strings: $s3 = "echo \"Hacking Mode?
Server's PHP Version:&n" $s4 = "  [" $s7 = "echo \"" $s3 = "" fullword $s2 = "out.print(\") Filenam" $s8 = "print \"File: Tools\">" fullword $s4 = "Response.Write(\"
FILE: \" & file & \"
\")" fullword condition: all of them } rule webshell_PHP_co { meta: description = "Web Shell - file co.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "62199f5ac721a0cb9b28f465a513874c" strings: $s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword $s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword condition: all of them } rule webshell_PHP_150 { meta: description = "Web Shell - file 150.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "400c4b0bed5c90f048398e1d268ce4dc" strings: $s0 = "HJ3HjqxclkZfp" $s1 = "" fullword condition: all of them } rule webshell_PHP_c37 { meta: description = "Web Shell - file c37.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "d01144c04e7a46870a8dd823eb2fe5c8" strings: $s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj')," $s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE]," condition: all of them } rule webshell_PHP_b37 { meta: description = "Web Shell - file b37.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "0421445303cfd0ec6bc20b3846e30ff0" strings: $s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc" condition: all of them } rule webshell_php_backdoor { meta: description = "Web Shell - file php-backdoor.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "2b5cb105c4ea9b5ebc64705b4bd86bf7" strings: $s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword $s2 = "
\" METHOD=GET >execute command: " fullword condition: all of them } rule webshell_asp_cmdasp { meta: description = "Web Shell - file cmdasp.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "57b51418a799d2d016be546f399c2e9b" strings: $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword $s7 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword condition: all of them } rule webshell_spjspshell { meta: description = "Web Shell - file spjspshell.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "d39d51154aaad4ba89947c459a729971" strings: $s7 = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:" condition: all of them } rule webshell_jsp_action { meta: description = "Web Shell - file action.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "5a7d931094f5570aaf5b7b3b06c3d8c0" strings: $s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword $s6 = "<%@ page contentType=\"text/html;charset=gb2312\"%>" fullword condition: all of them } rule webshell_Inderxer { meta: description = "Web Shell - file Inderxer.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "9ea82afb8c7070817d4cdf686abe0300" strings: $s4 = "Nereye : " fullword $s9 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859" condition: all of them } rule webshell_ELMALISEKER_Backd00r { meta: description = "Web Shell - file ELMALISEKER Backd00r.asp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "3aa403e0a42badb2c23d4a54ef43e2f4" strings: $s0 = "response.write(\"" fullword $s6 = "\" name=\"url" condition: all of them } rule webshell_jsp_inback3 { meta: description = "Web Shell - file inback3.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "ea5612492780a26b8aa7e5cedd9b8f4e" strings: $s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application" condition: all of them } rule webshell_metaslsoft { meta: description = "Web Shell - file metaslsoft.php" author = "Florian Roth" date = "2014/01/28" score = 70 hash = "aa328ed1476f4a10c0bcc2dde4461789" strings: $s7 = "$buff .= \"[ $folder ]LINKOperating System : \".php_uname().\" \",in('text','mk_name" $s3 = "echo sr(15,\"\".$lang[$language.'_text21'].$arrow.\"\",in('checkbox','nf1" $s9 = "echo sr(40,\"\".$lang[$language.'_text26'].$arrow.\"\",\"Current File (import new file name and new file)
Current file (fullpath)
\".$pathname." condition: all of them } rule webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "61a92ce63369e2fa4919ef0ff7c51167" hash1 = "f2fa878de03732fbf5c86d656467ff50" hash2 = "27786d1e0b1046a1a7f67ee41c64bf4c" hash3 = "0f5b9238d281bc6ac13406bb24ac2a5b" hash4 = "68c0629d08b1664f5bcce7d7f5f71d22" hash5 = "048ccc01b873b40d57ce25a4c56ea717" strings: $s8 = "else {echo \"Running datapipe... ok! Connect to \".getenv(\"SERVER_ADDR\"" condition: all of them } rule webshell_2008_2009lite_2009mssql { meta: description = "Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "3e4ba470d4c38765e4b16ed930facf2c" hash1 = "3f4d454d27ecc0013e783ed921eeecde" hash2 = "aa17b71bb93c6789911bd1c9df834ff9" strings: $s0 = "Path.'/\\');" $s7 = "p('
File Manager - Current disk free '.sizecount($free).' of '.sizecount($all" condition: all of them } rule webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "791708057d8b429d91357d38edf43cc0" hash1 = "b68bfafc6059fd26732fa07fb6f7f640" hash2 = "42f211cec8032eb0881e87ebdb3d7224" hash3 = "40a1f840111996ff7200d18968e42cfe" hash4 = "e0202adff532b28ef1ba206cf95962f2" hash5 = "0712e3dc262b4e1f98ed25760b206836" hash6 = "802f5cae46d394b297482fd0c27cb2fc" strings: $s0 = "$mainpath_info = explode('/', $mainpath);" fullword $s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d" condition: all of them } rule webshell_807_dm_JspSpyJDK5_m_cofigrue { meta: description = "Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "ae76c77fb7a234380cd0ebb6fe1bcddf" hash1 = "14e9688c86b454ed48171a9d4f48ace8" hash2 = "341298482cf90febebb8616426080d1d" hash3 = "88fc87e7c58249a398efd5ceae636073" hash4 = "349ec229e3f8eda0f9eb918c74a8bf4c" strings: $s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword $s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(), \"GBK\");" fullword condition: 1 of them } rule webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "1b5102bdc41a7bc439eea8f0010310a5" hash1 = "f8a6d5306fb37414c5c772315a27832f" hash2 = "37cb1db26b1b0161a4bf678a6b4565bd" strings: $s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals" $s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword condition: all of them } rule webshell_404_data_in_JFolder_jfolder01_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "7066f4469c3ec20f4890535b5f299122" hash1 = "9f54aa7b43797be9bab7d094f238b4ff" hash2 = "793b3d0a740dbf355df3e6f68b8217a4" hash3 = "8979594423b68489024447474d113894" hash4 = "ec482fc969d182e5440521c913bab9bd" hash5 = "f98d2b33cd777e160d1489afed96de39" hash6 = "4b4c12b3002fad88ca6346a873855209" hash7 = "c93d5bdf5cf62fe22e299d0f2b865ea7" hash8 = "e9a5280f77537e23da2545306f6a19ad" strings: $s4 = " <%=sbCmd.toString()%></TE" condition: all of them } rule webshell_jsp_reverse_jsp_reverse_jspbd { meta: description = "Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp" author = "Florian Roth" date = "2014/01/28" super_rule = 1 hash0 = "8b0e6779f25a17f0ffb3df14122ba594" hash1 = "ea87f0c1f0535610becadf5a98aca2fc" hash2 = "7d5e9732766cf5b8edca9b7ae2b6028f" score = 50 strings: $s0 = "osw = new BufferedWriter(new OutputStreamWriter(os));" fullword $s7 = "sock = new Socket(ipAddress, (new Integer(ipPort)).intValue());" fullword $s9 = "isr = new BufferedReader(new InputStreamReader(is));" fullword condition: all of them } rule webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc { meta: description = "Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "36331f2c81bad763528d0ae00edf55be" hash1 = "793b3d0a740dbf355df3e6f68b8217a4" hash2 = "8979594423b68489024447474d113894" hash3 = "ec482fc969d182e5440521c913bab9bd" hash4 = "f98d2b33cd777e160d1489afed96de39" hash5 = "4b4c12b3002fad88ca6346a873855209" hash6 = "e9a5280f77537e23da2545306f6a19ad" hash7 = "598eef7544935cf2139d1eada4375bb5" strings: $s0 = "sbFolder.append(\"<tr><td > </td><td>\");" fullword $s1 = "return filesize / intDivisor + \".\" + strAfterComma + \" \" + strUnit;" fullword $s5 = "FileInfo fi = (FileInfo) ht.get(\"cqqUploadFile\");" fullword $s6 = "<input type=\"hidden\" name=\"cmd\" value=\"<%=strCmd%>\">" fullword condition: 2 of them } rule webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 { meta: description = "Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "64a3bf9142b045b9062b204db39d4d57" hash1 = "9abd397c6498c41967b4dd327cf8b55a" hash2 = "56c005690da2558690c4aa305a31ad37" hash3 = "70a0ee2624e5bbe5525ccadc467519f6" hash4 = "532b93e02cddfbb548ce5938fe2f5559" hash5 = "6e0fa491d620d4af4b67bae9162844ae" hash6 = "7eabe0f60975c0c73d625b7ddf7b9cbd" strings: $s1 = "while ((nRet = insReader.read(tmpBuffer, 0, 1024)) != -1) {" fullword $s6 = "password = (String)session.getAttribute(\"password\");" fullword $s7 = "insReader = new InputStreamReader(proc.getInputStream(), Charset.forName(\"GB231" condition: 2 of them } rule webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 60 super_rule = 1 hash0 = "791708057d8b429d91357d38edf43cc0" hash1 = "3e4ba470d4c38765e4b16ed930facf2c" hash2 = "aa17b71bb93c6789911bd1c9df834ff9" hash3 = "b68bfafc6059fd26732fa07fb6f7f640" hash4 = "40a1f840111996ff7200d18968e42cfe" hash5 = "e0202adff532b28ef1ba206cf95962f2" hash6 = "802f5cae46d394b297482fd0c27cb2fc" strings: $s0 = "$tabledump .= \"'\".mysql_escape_string($row[$fieldcounter]).\"'\";" fullword $s5 = "while(list($kname, $columns) = @each($index)) {" fullword $s6 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\";" fullword $s9 = "$tabledump .= \" PRIMARY KEY ($colnames)\";" fullword $fn = "filename: backup" condition: 2 of ($s*) and not $fn } rule webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "a2516ac6ee41a7cf931cbaef1134a9e4" hash1 = "ef43fef943e9df90ddb6257950b3538f" hash2 = "ae025c886fbe7f9ed159f49593674832" hash3 = "911195a9b7c010f61b66439d9048f400" hash4 = "697dae78c040150daff7db751fc0c03c" hash5 = "513b7be8bd0595c377283a7c87b44b2e" hash6 = "1d912c55b96e2efe8ca873d6040e3b30" hash7 = "e5b2131dd1db0dbdb43b53c5ce99016a" hash8 = "4108f28a9792b50d95f95b9e5314fa1e" hash9 = "41af6fd253648885c7ad2ed524e0692d" hash10 = "6fcc283470465eed4870bcc3e2d7f14d" strings: $s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI" $s11 = "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KIC" condition: all of them } rule webshell_itsec_PHPJackal_itsecteam_shell_jHn { meta: description = "Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "8ae9d2b50dc382f0571cd7492f079836" hash1 = "e2830d3286001d1455479849aacbbb38" hash2 = "bd6d3b2763c705a01cc2b3f105a25fa4" hash3 = "40c6ecf77253e805ace85f119fe1cebb" strings: $s0 = "$link=pg_connect(\"host=$host dbname=$db user=$user password=$pass\");" fullword $s6 = "while($data=ocifetchinto($stm,$data,OCI_ASSOC+OCI_RETURN_NULLS))$res.=implode('|" $s9 = "while($data=pg_fetch_row($result))$res.=implode('|-|-|-|-|-|',$data).'|+|+|+|+|+" condition: 2 of them } rule webshell_Shell_ci_Biz_was_here_c100_v_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "f2fa878de03732fbf5c86d656467ff50" hash1 = "27786d1e0b1046a1a7f67ee41c64bf4c" hash2 = "68c0629d08b1664f5bcce7d7f5f71d22" strings: $s2 = "if ($data{0} == \"\\x99\" and $data{1} == \"\\x01\") {return \"Error: \".$stri" $s3 = "<OPTION VALUE=\"find /etc/ -type f -perm -o+w 2> /dev/null\"" $s4 = "<OPTION VALUE=\"cat /proc/version /proc/cpuinfo\">CPUINFO" fullword $s7 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/de" $s9 = "<OPTION VALUE=\"cut -d: -f1,2,3 /etc/passwd | grep ::\">USER" condition: 2 of them } rule webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "0b19e9de790cd2f4325f8c24b22af540" hash1 = "f3ca29b7999643507081caab926e2e74" hash2 = "527cf81f9272919bf872007e21c4bdda" strings: $s1 = "<td><input size=\"48\" value=\"$docr/\" name=\"path\" type=\"text\"><input type=" $s2 = "$uploadfile = $_POST['path'].$_FILES['file']['name'];" fullword $s6 = "elseif (!empty($_POST['ac'])) {$ac = $_POST['ac'];}" fullword $s7 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" fullword condition: 2 of them } rule webshell_c99_c99shell_c99_w4cking_Shell_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "61a92ce63369e2fa4919ef0ff7c51167" hash1 = "d3f38a6dc54a73d304932d9227a739ec" hash2 = "9c34adbc8fd8d908cbb341734830f971" hash3 = "f2fa878de03732fbf5c86d656467ff50" hash4 = "b8f261a3cdf23398d573aaf55eaf63b5" hash5 = "27786d1e0b1046a1a7f67ee41c64bf4c" hash6 = "0f5b9238d281bc6ac13406bb24ac2a5b" hash7 = "68c0629d08b1664f5bcce7d7f5f71d22" hash8 = "157b4ac3c7ba3a36e546e81e9279eab5" hash9 = "048ccc01b873b40d57ce25a4c56ea717" strings: $s0 = "echo \"<b>HEXDUMP:</b><nobr>" $s4 = "if ($filestealth) {$stat = stat($d.$f);}" fullword $s5 = "while ($row = mysql_fetch_array($result, MYSQL_NUM)) { echo \"<tr><td>\".$r" $s6 = "if ((mysql_create_db ($sql_newdb)) and (!empty($sql_newdb))) {echo \"DB " $s8 = "echo \"<center><b>Server-status variables:</b><br><br>\";" fullword $s9 = "echo \"<textarea cols=80 rows=10>\".htmlspecialchars($encoded).\"" condition: 2 of them } rule webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "3e4ba470d4c38765e4b16ed930facf2c" hash1 = "aa17b71bb93c6789911bd1c9df834ff9" hash2 = "b68bfafc6059fd26732fa07fb6f7f640" hash3 = "40a1f840111996ff7200d18968e42cfe" hash4 = "e0202adff532b28ef1ba206cf95962f2" hash5 = "802f5cae46d394b297482fd0c27cb2fc" strings: $s0 = "$this -> addFile($content, $filename);" fullword $s3 = "function addFile($data, $name, $time = 0) {" fullword $s8 = "function unix2DosTime($unixtime = 0) {" fullword $s9 = "foreach($filelist as $filename){" fullword condition: all of them } rule webshell_c99_c66_c99_shadows_mod_c99shell { meta: description = "Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "61a92ce63369e2fa4919ef0ff7c51167" hash1 = "0f5b9238d281bc6ac13406bb24ac2a5b" hash2 = "68c0629d08b1664f5bcce7d7f5f71d22" hash3 = "048ccc01b873b40d57ce25a4c56ea717" strings: $s2 = " if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv" $s3 = " \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword $s4 = "
array(\"Using PERL\",\"perl %path %localport %remotehos" $s9 = " elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!" condition: 2 of them } rule webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 { meta: description = "Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "b330a6c2d49124ef0729539761d6ef0b" hash1 = "d71716df5042880ef84427acee8b121e" hash2 = "344f9073576a066142b2023629539ebd" hash3 = "32dea47d9c13f9000c4c807561341bee" hash4 = "b9744f6876919c46a29ea05b1d95b1c3" hash5 = "3ea688e3439a1f56b16694667938316d" hash6 = "2434a7a07cb47ce25b41d30bc291cacc" strings: $s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"\"+" fullword $s4 = "out.println(\"
File Manager - Current disk "\"+(cr.indexOf(\"/\") == 0?" $s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword $s8 = "\"
" condition: 2 of them } rule webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend { meta: description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "2eeb8bf151221373ee3fd89d58ed4d38" hash1 = "059058a27a7b0059e2c2f007ad4675ef" hash2 = "8b457934da3821ba58b06a113e0d53d9" hash3 = "d44df8b1543b837e57cc8f25a0a68d92" hash4 = "e0354099bee243702eb11df8d0e046df" hash5 = "90a5ba0c94199269ba33a58bc6a4ad99" hash6 = "655722eaa6c646437c8ae93daac46ae0" hash7 = "591ca89a25f06cf01e4345f98a22845c" strings: $s0 = "return new Double(format.format(value)).doubleValue();" fullword $s5 = "File tempF = new File(savePath);" fullword $s9 = "if (tempF.isDirectory()) {" fullword condition: 2 of them } rule webshell_c99_c99shell_c99_c99shell { meta: description = "Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "61a92ce63369e2fa4919ef0ff7c51167" hash1 = "d3f38a6dc54a73d304932d9227a739ec" hash2 = "157b4ac3c7ba3a36e546e81e9279eab5" hash3 = "048ccc01b873b40d57ce25a4c56ea717" strings: $s2 = "$bindport_pass = \"c99\";" fullword $s5 = " else {echo \"Execution PHP-code\"; if (empty($eval_txt)) {$eval_txt = tr" condition: 1 of them } rule webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat { meta: description = "Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "ae025c886fbe7f9ed159f49593674832" hash1 = "513b7be8bd0595c377283a7c87b44b2e" hash2 = "1d912c55b96e2efe8ca873d6040e3b30" hash3 = "4108f28a9792b50d95f95b9e5314fa1e" hash4 = "3f71175985848ee46cc13282fbed2269" strings: $s6 = "$res = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d" $s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword $s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword $s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword condition: 2 of them } rule webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "0b19e9de790cd2f4325f8c24b22af540" hash1 = "4745d510fed4378e4b1730f56f25e569" hash2 = "f3ca29b7999643507081caab926e2e74" hash3 = "46a18979750fa458a04343cf58faa9bd" strings: $s3 = "BODY, TD, TR {" fullword $s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword $s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword condition: 2 of them } rule webshell_000_403_807_a_c5_config_css_dm_he1p_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "2eeb8bf151221373ee3fd89d58ed4d38" hash1 = "059058a27a7b0059e2c2f007ad4675ef" hash2 = "ae76c77fb7a234380cd0ebb6fe1bcddf" hash3 = "76037ebd781ad0eac363d56fc81f4b4f" hash4 = "8b457934da3821ba58b06a113e0d53d9" hash5 = "d44df8b1543b837e57cc8f25a0a68d92" hash6 = "fc44f6b4387a2cb50e1a63c66a8cb81c" hash7 = "14e9688c86b454ed48171a9d4f48ace8" hash8 = "b330a6c2d49124ef0729539761d6ef0b" hash9 = "d71716df5042880ef84427acee8b121e" hash10 = "341298482cf90febebb8616426080d1d" hash11 = "29aebe333d6332f0ebc2258def94d57e" hash12 = "42654af68e5d4ea217e6ece5389eb302" hash13 = "88fc87e7c58249a398efd5ceae636073" hash14 = "4a812678308475c64132a9b56254edbc" hash15 = "9626eef1a8b9b8d773a3b2af09306a10" hash16 = "e0354099bee243702eb11df8d0e046df" hash17 = "344f9073576a066142b2023629539ebd" hash18 = "32dea47d9c13f9000c4c807561341bee" hash19 = "90a5ba0c94199269ba33a58bc6a4ad99" hash20 = "655722eaa6c646437c8ae93daac46ae0" hash21 = "b9744f6876919c46a29ea05b1d95b1c3" hash22 = "6acc82544be056580c3a1caaa4999956" hash23 = "6aa32a6392840e161a018f3907a86968" hash24 = "591ca89a25f06cf01e4345f98a22845c" hash25 = "349ec229e3f8eda0f9eb918c74a8bf4c" hash26 = "3ea688e3439a1f56b16694667938316d" hash27 = "ab77e4d1006259d7cbc15884416ca88c" hash28 = "71097537a91fac6b01f46f66ee2d7749" hash29 = "2434a7a07cb47ce25b41d30bc291cacc" hash30 = "7a4b090619ecce6f7bd838fe5c58554b" strings: $s3 = "String savePath = request.getParameter(\"savepath\");" fullword $s4 = "URL downUrl = new URL(downFileUrl);" fullword $s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword $s6 = "String downFileUrl = request.getParameter(\"url\");" fullword $s7 = "FileInputStream fInput = new FileInputStream(f);" fullword $s8 = "URLConnection conn = downUrl.openConnection();" fullword $s9 = "sis = request.getInputStream();" fullword condition: 4 of them } rule webshell_2_520_icesword_job_ma1 { meta: description = "Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "64a3bf9142b045b9062b204db39d4d57" hash1 = "9abd397c6498c41967b4dd327cf8b55a" hash2 = "077f4b1b6d705d223b6d644a4f3eebae" hash3 = "56c005690da2558690c4aa305a31ad37" hash4 = "532b93e02cddfbb548ce5938fe2f5559" strings: $s1 = "" fullword $s3 = "" fullword $s8 = "" fullword condition: 2 of them } rule webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn { meta: description = "Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "7066f4469c3ec20f4890535b5f299122" hash1 = "9f54aa7b43797be9bab7d094f238b4ff" hash2 = "793b3d0a740dbf355df3e6f68b8217a4" hash3 = "8979594423b68489024447474d113894" hash4 = "ec482fc969d182e5440521c913bab9bd" hash5 = "f98d2b33cd777e160d1489afed96de39" hash6 = "c93d5bdf5cf62fe22e299d0f2b865ea7" hash7 = "e9a5280f77537e23da2545306f6a19ad" strings: $s0 = "
\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"
" fullword condition: all of them } rule webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY { meta: description = "Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "b68bfafc6059fd26732fa07fb6f7f640" hash1 = "42f211cec8032eb0881e87ebdb3d7224" hash2 = "40a1f840111996ff7200d18968e42cfe" hash3 = "0712e3dc262b4e1f98ed25760b206836" strings: $s4 = "http://www.4ngel.net" fullword $s5 = " | PHP" fullword $s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword $s9 = "Codz by Angel" fullword condition: 2 of them } rule webshell_c99_locus7s_c99_w4cking_xxx { meta: description = "Web Shell" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "38fd7e45f9c11a37463c3ded1c76af4c" hash1 = "9c34adbc8fd8d908cbb341734830f971" hash2 = "ef43fef943e9df90ddb6257950b3538f" hash3 = "ae025c886fbe7f9ed159f49593674832" hash4 = "911195a9b7c010f61b66439d9048f400" hash5 = "697dae78c040150daff7db751fc0c03c" hash6 = "513b7be8bd0595c377283a7c87b44b2e" hash7 = "1d912c55b96e2efe8ca873d6040e3b30" hash8 = "e5b2131dd1db0dbdb43b53c5ce99016a" hash9 = "4108f28a9792b50d95f95b9e5314fa1e" hash10 = "b8f261a3cdf23398d573aaf55eaf63b5" hash11 = "0d2c2c151ed839e6bafc7aa9c69be715" hash12 = "41af6fd253648885c7ad2ed524e0692d" hash13 = "6fcc283470465eed4870bcc3e2d7f14d" strings: $s1 = "$res = @shell_exec($cfe);" fullword $s8 = "$res = @ob_get_contents();" fullword $s9 = "@exec($cfe,$res);" fullword condition: 2 of them } rule webshell_browser_201_3_ma_ma2_download { meta: description = "Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "37603e44ee6dc1c359feb68a0d566f76" hash1 = "a7e25b8ac605753ed0c438db93f6c498" hash2 = "fb8c6c3a69b93e5e7193036fd31a958d" hash3 = "4cc68fa572e88b669bce606c7ace0ae9" hash4 = "4b45715fa3fa5473640e17f49ef5513d" hash5 = "fa87bbd7201021c1aefee6fcc5b8e25a" strings: $s1 = "private static final int EDITFIELD_ROWS = 30;" fullword $s2 = "private static String tempdir = \".\";" fullword $s6 = "\"" condition: 2 of them } rule webshell_000_403_c5_queryDong_spyjsp2010 { meta: description = "Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp" author = "Florian Roth" date = "2014/01/28" score = 70 super_rule = 1 hash0 = "2eeb8bf151221373ee3fd89d58ed4d38" hash1 = "059058a27a7b0059e2c2f007ad4675ef" hash2 = "8b457934da3821ba58b06a113e0d53d9" hash3 = "90a5ba0c94199269ba33a58bc6a4ad99" hash4 = "655722eaa6c646437c8ae93daac46ae0" strings: $s2 = "\" www.Expdoor.com" fullword $s5 = " second(s) {gzip} usage:" $s17 = "<%if(request.getParameter(\"f\")" condition: all of them } rule webshell_webshells_new_xxxx { meta: description = "Web shells - generated from file xxxx.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "5bcba70b2137375225d8eedcde2c0ebb" strings: $s0 = " " fullword condition: all of them } rule webshell_webshells_new_JJjsp3 { meta: description = "Web shells - generated from file JJjsp3.jsp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "949ffee1e07a1269df7c69b9722d293e" strings: $s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S" condition: all of them } rule webshell_webshells_new_PHP1 { meta: description = "Web shells - generated from file PHP1.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "14c7281fdaf2ae004ca5fec8753ce3cb" strings: $s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword $s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword $s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword condition: 1 of them } rule webshell_webshells_new_JJJsp2 { meta: description = "Web shells - generated from file JJJsp2.jsp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "5a9fec45236768069c99f0bfd566d754" strings: $s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z" $s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ" $s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()" $s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase(" condition: 1 of them } rule webshell_webshells_new_radhat { meta: description = "Web shells - generated from file radhat.asp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "72cb5ef226834ed791144abaa0acdfd4" strings: $s1 = "sod=Array(\"D\",\"7\",\"S" condition: all of them } rule webshell_webshells_new_asp1 { meta: description = "Web shells - generated from file asp1.asp" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "b63e708cd58ae1ec85cf784060b69cad" strings: $s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword $s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword condition: 1 of them } rule webshell_webshells_new_php6 { meta: description = "Web shells - generated from file php6.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "ea75280224a735f1e445d244acdfeb7b" strings: $s1 = "array_map(\"asx73ert\",(ar" $s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword $s4 = "shell.php?qid=zxexp " fullword condition: 1 of them } rule webshell_webshells_new_xxx { meta: description = "Web shells - generated from file xxx.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "0e71428fe68b39b70adb6aeedf260ca0" strings: $s3 = "" fullword condition: all of them } rule webshell_GetPostpHp { meta: description = "Web shells - generated from file GetPostpHp.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "20ede5b8182d952728d594e6f2bb5c76" strings: $s0 = "" fullword condition: all of them } rule webshell_webshells_new_php5 { meta: description = "Web shells - generated from file php5.php" author = "Florian Roth" date = "2014/03/28" score = 70 hash = "cf2ab009cbd2576a806bfefb74906fdf" strings: $s0 = "Error!\";" fullword $s2 = "DBHACKLERIN&klas=<%=aktifklas%>" $s3 = "www.aventgrup.net" $s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT" condition: 1 of them } rule r57shell_php_php { meta: description = "Semi-Auto-generated - file r57shell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "d28445de424594a5f14d0fe2a7c4e94f" strings: $s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx " $s2 = "RusH security team" $s3 = "'ru_text12' => 'back-connect" condition: 1 of them } rule rst_sql_php_php { meta: description = "Semi-Auto-generated - file rst_sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0961641a4ab2b8cb4d2beca593a92010" strings: $s0 = "C:\\tmp\\dump_" $s1 = "RST MySQL" $s2 = "http://rst.void.ru" $s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';" condition: 2 of them } rule wh_bindshell_py { meta: description = "Semi-Auto-generated - file wh_bindshell.py.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "fab20902862736e24aaae275af5e049c" strings: $s0 = "#Use: python wh_bindshell.py [port] [password]" $s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword $s3 = "#bugz: ctrl+c etc =script stoped=" fullword condition: 1 of them } rule lurm_safemod_on_cgi { meta: description = "Semi-Auto-generated - file lurm_safemod_on.cgi.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5ea4f901ce1abdf20870c214b3231db3" strings: $s0 = "Network security team :: CGI Shell" fullword $s1 = "#########################<>#####################################" fullword $s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" fullword condition: 1 of them } rule c99madshell_v2_0_php_php { meta: description = "Semi-Auto-generated - file c99madshell_v2.0.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "d27292895da9afa5b60b9d3014f39294" strings: $s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef" condition: all of them } rule backupsql_php_often_with_c99shell { meta: description = "Semi-Auto-generated - file backupsql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ab1a06ab1a1fe94e3f3b7f80eedbc12f" strings: $s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ." $s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog" condition: all of them } rule uploader_php_php { meta: description = "Semi-Auto-generated - file uploader.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0b53b67bb3b004a8681e1458dd1895d0" strings: $s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword $s3 = "Send this file: " fullword $s4 = "" fullword condition: 2 of them } rule telnet_pl { meta: description = "Semi-Auto-generated - file telnet.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "dd9dba14383064e219e29396e242c1ec" strings: $s0 = "W A R N I N G: Private Server" $s2 = "$Message = q$
_____ _____ _____ _____ " condition: all of them } rule w3d_php_php { meta: description = "Semi-Auto-generated - file w3d.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "987f66b29bfb209a0b4f097f84f57c3b" strings: $s0 = "W3D Shell" $s1 = "By: Warpboy" $s2 = "No Query Executed" condition: 2 of them } rule WebShell_cgi { meta: description = "Semi-Auto-generated - file WebShell.cgi.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "bc486c2e00b5fc3e4e783557a2441e6f" strings: $s0 = "WebShell.cgi" $s2 = "
" condition: 2 of them } rule Dx_php_php { meta: description = "Semi-Auto-generated - file Dx.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "9cfe372d49fe8bf2fac8e1c534153d9b" strings: $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in
Win Dir:
\" method=\"POST" condition: 2 of them } rule Asmodeus_v0_1_pl { meta: description = "Semi-Auto-generated - file Asmodeus v0.1.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0978b672db0657103c79505df69cb4bb" strings: $s0 = "[url=http://www.governmentsecurity.org" $s1 = "perl asmodeus.pl client 6666 127.0.0.1" $s2 = "print \"Asmodeus Perl Remote Shell" $s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword condition: 2 of them } rule backup_php_often_with_c99shell { meta: description = "Semi-Auto-generated - file backup.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "aeee3bae226ad57baf4be8745c3f6094" strings: $s0 = "#phpMyAdmin MySQL-Dump" fullword $s2 = ";db_connect();header('Content-Type: application/octetstr" $s4 = "$data .= \"#Database: $database" fullword condition: all of them } rule Reader_asp { meta: description = "Semi-Auto-generated - file Reader.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ad1a362e0a24c4475335e3e891a01731" strings: $s1 = "Mehdi & HolyDemon" $s2 = "www.infilak." $s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%>
" fullword $s1 = "[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></" $s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword condition: 1 of them } rule myshell_php_php { meta: description = "Semi-Auto-generated - file myshell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "62783d1db52d05b1b6ae2403a7044490" strings: $s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory." $s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color" $s2 = " $fileEditInfo = \"  :::::::  Owner: <font color=$" condition: 2 of them } rule SimShell_1_0___Simorgh_Security_MGZ_php { meta: description = "Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "37cb1db26b1b0161a4bf678a6b4565bd" strings: $s0 = "Simorgh Security Magazine " $s1 = "Simshell.css" $s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], " $s3 = "www.simorgh-ev.com" condition: 2 of them } rule jspshall_jsp { meta: description = "Semi-Auto-generated - file jspshall.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "efe0f6edaa512c4e1fdca4eeda77b7ee" strings: $s0 = "kj021320" $s1 = "case 'T':systemTools(out);break;" $s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file" condition: 2 of them } rule webshell_php { meta: description = "Semi-Auto-generated - file webshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "e425241b928e992bde43dd65180a4894" strings: $s2 = "<die(\"Couldn't Read directory, Blocked!!!\");" $s3 = "PHP Web Shell" condition: all of them } rule rootshell_php { meta: description = "Semi-Auto-generated - file rootshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "265f3319075536030e59ba2f9ef3eac6" strings: $s0 = "shells.dl.am" $s1 = "This server has been infected by $owner" $s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>" $s4 = "Could not write to file! (Maybe you didn't enter any text?)" condition: 2 of them } rule connectback2_pl { meta: description = "Semi-Auto-generated - file connectback2.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "473b7d226ea6ebaacc24504bd740822e" strings: $s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL " $s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel" $s2 = "ConnectBack Backdoor" condition: 1 of them } rule DefaceKeeper_0_2_php { meta: description = "Semi-Auto-generated - file DefaceKeeper_0.2.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "713c54c3da3031bc614a8a55dccd7e7f" strings: $s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword $s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9" $s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center" condition: 1 of them } rule shells_PHP_wso { meta: description = "Semi-Auto-generated - file wso.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "33e2891c13b78328da9062fbfcf898b6" strings: $s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi" $s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos" condition: 1 of them } rule backdoor1_php { meta: description = "Semi-Auto-generated - file backdoor1.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "e1adda1f866367f52de001257b4d6c98" strings: $s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".." $s2 = "class backdoor {" $s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <" condition: 1 of them } rule elmaliseker_asp { meta: description = "Semi-Auto-generated - file elmaliseker.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b32d1730d23a660fd6aa8e60c3dc549f" strings: $s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\"" $s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">" $s2 = "dim zombie_array,special_array" $s3 = "http://vnhacker.org" condition: 1 of them } rule indexer_asp { meta: description = "Semi-Auto-generated - file indexer.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "9ea82afb8c7070817d4cdf686abe0300" strings: $s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ" $s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit" condition: 1 of them } rule DxShell_php_php { meta: description = "Semi-Auto-generated - file DxShell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "33a2b31810178f4c2e71fbdeb4899244" strings: $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx" $s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><" condition: 1 of them } rule s72_Shell_v1_1_Coding_html { meta: description = "Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c2e8346a5515c81797af36e7e4a3828e" strings: $s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><" $s1 = "s72 Shell v1.0 Codinf by Cr@zy_King" $s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\"" condition: 1 of them } rule hidshell_php_php { meta: description = "Semi-Auto-generated - file hidshell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c2f3327d60884561970c63ffa09439a4" strings: $s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U" condition: all of them } rule kacak_asp { meta: description = "Semi-Auto-generated - file kacak.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "907d95d46785db21331a0324972dda8c" strings: $s0 = "Kacak FSO 1.0" $s1 = "if request.querystring(\"TGH\") = \"1\" then" $s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style=" $s4 = "mailto:BuqX@hotmail.com" condition: 1 of them } rule PHP_Backdoor_Connect_pl_php { meta: description = "Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "57fcd9560dac244aeaf95fd606621900" strings: $s0 = "LorD of IRAN HACKERS SABOTAGE" $s1 = "LorD-C0d3r-NT" $s2 = "echo --==Userinfo==-- ;" condition: 1 of them } rule Antichat_Socks5_Server_php_php { meta: description = "Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "cbe9eafbc4d86842a61a54d98e5b61f1" strings: $s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword $s3 = "# [+] Domain name address type" $s4 = "www.antichat.ru" condition: 1 of them } rule Antichat_Shell_v1_3_php { meta: description = "Semi-Auto-generated - file Antichat Shell v1.3.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "40d0abceba125868be7f3f990f031521" strings: $s0 = "Antichat" $s1 = "Can't open file, permission denide" $s2 = "$ra44" condition: 2 of them } rule Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php { meta: description = "Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "49ad9117c96419c35987aaa7e2230f63" strings: $s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy" $s1 = "Mode Shell v1.0</font></span>" $s2 = "has been already loaded. PHP Emperor <xb5@hotmail." condition: 1 of them } rule mysql_php_php { meta: description = "Semi-Auto-generated - file mysql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "12bbdf6ef403720442a47a3cc730d034" strings: $s0 = "action=mysqlread&mass=loadmass\">load all defaults" $s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru" $s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = " condition: 1 of them } rule Worse_Linux_Shell_php { meta: description = "Semi-Auto-generated - file Worse Linux Shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8338c8d9eab10bd38a7116eb534b5fa2" strings: $s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td" $s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd" condition: 1 of them } rule cyberlords_sql_php_php { meta: description = "Semi-Auto-generated - file cyberlords_sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "03b06b4183cb9947ccda2c3d636406d4" strings: $s0 = "Coded by n0 [nZer0]" $s1 = " www.cyberlords.net" $s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE" $s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);" condition: 1 of them } rule cmd_asp_5_1_asp { meta: description = "Semi-Auto-generated - file cmd-asp-5.1.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8baa99666bf3734cbdfdd10088e0cd9f" strings: $s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword $s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword condition: 1 of them } rule pws_php_php { meta: description = "Semi-Auto-generated - file pws.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ecdc6c20f62f99fa265ec9257b7bf2ce" strings: $s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword $s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword $s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? passthru(\"pwd\"); ?>" condition: 2 of them } rule PHP_Shell_php_php { meta: description = "Semi-Auto-generated - file PHP Shell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "a2f8fa4cce578fc9c06f8e674b9e63fd" strings: $s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" $s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type=" condition: all of them } rule Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html { meta: description = "Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8a8c8bb153bd1ee097559041f2e5cf0a" strings: $s0 = "Ayyildiz" $s1 = "TouCh By iJOo" $s2 = "First we check if there has been asked for a working directory" $s3 = "http://ayyildiz.org/images/whosonline2.gif" condition: 2 of them } rule EFSO_2_asp { meta: description = "Semi-Auto-generated - file EFSO_2.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b5fde9682fd63415ae211d53c6bfaa4d" strings: $s0 = "Ejder was HERE" $s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~" condition: 2 of them } rule lamashell_php { meta: description = "Semi-Auto-generated - file lamashell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "de9abc2e38420cad729648e93dfc6687" strings: $s0 = "lama's'hell" fullword $s1 = "if($_POST['king'] == \"\") {" $s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f" condition: 1 of them } rule Ajax_PHP_Command_Shell_php { meta: description = "Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "93d1a2e13a3368a2472043bd6331afe9" strings: $s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>" $s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help" $s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct" condition: 1 of them } rule JspWebshell_1_2_jsp { meta: description = "Semi-Auto-generated - file JspWebshell 1.2.jsp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "70a0ee2624e5bbe5525ccadc467519f6" strings: $s0 = "JspWebshell" $s1 = "CreateAndDeleteFolder is error:" $s2 = "<td width=\"70%\" height=\"22\"> <%=env.queryHashtable(\"java.c" $s3 = "String _password =\"111\";" condition: 2 of them } rule Sincap_php_php { meta: description = "Semi-Auto-generated - file Sincap.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b68b90ff6012a103e57d141ed38a7ee9" strings: $s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');" $s2 = "$tampon4=$tampon3-1" $s3 = "@aventgrup.net" condition: 2 of them } rule Test_php_php { meta: description = "Semi-Auto-generated - file Test.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "77e331abd03b6915c6c6c7fe999fcb50" strings: $s0 = "$yazi = \"test\" . \"\\r\\n\";" fullword $s2 = "fwrite ($fp, \"$yazi\");" fullword $s3 = "$entry_line=\"HACKed by EntriKa\";" fullword condition: 1 of them } rule Phyton_Shell_py { meta: description = "Semi-Auto-generated - file Phyton Shell.py.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "92b3c897090867c65cc169ab037a0f55" strings: $s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword $s2 = "# d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword $s3 = "print \"error; help: head -n 16 d00r.py\"" fullword $s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword condition: 1 of them } rule mysql_tool_php_php { meta: description = "Semi-Auto-generated - file mysql_tool.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5fbe4d8edeb2769eda5f4add9bab901e" strings: $s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['" $s1 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV" $s4 = "<div align=\"center\">The backup process has now started<br " condition: 1 of them } rule Zehir_4_asp { meta: description = "Semi-Auto-generated - file Zehir 4.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "7f4e12e159360743ec016273c3b9108c" strings: $s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time=" $s4 = "<input type=submit value=\"Test Et!\" onclick=\"" condition: 1 of them } rule sh_php_php { meta: description = "Semi-Auto-generated - file sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "330af9337ae51d0bac175ba7076d6299" strings: $s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e" $s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:" condition: 1 of them } rule phpbackdoor15_php { meta: description = "Semi-Auto-generated - file phpbackdoor15.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0fdb401a49fc2e481e3dfd697078334b" strings: $s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na" $s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI" $s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. Cliquez s" condition: 1 of them } rule phpjackal_php { meta: description = "Semi-Auto-generated - file phpjackal.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "ab230817bcc99acb9bdc0ec6d264d76f" strings: $s3 = "$dl=$_REQUEST['downloaD'];" $s4 = "else shelL(\"perl.exe $name $port\");" condition: 1 of them } rule sql_php_php { meta: description = "Semi-Auto-generated - file sql.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8334249cbb969f2d33d678fec2b680c5" strings: $s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#" $s2 = "http://rst.void.ru" $s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" condition: 1 of them } rule cgi_python_py { meta: description = "Semi-Auto-generated - file cgi-python.py.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "0a15f473e2232b89dae1075e1afdac97" strings: $s0 = "a CGI by Fuzzyman" $s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + " $s2 = "values = map(lambda x: x.value, theform[field]) # allows for" condition: 1 of them } rule ru24_post_sh_php_php { meta: description = "Semi-Auto-generated - file ru24_post_sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5b334d494564393f419af745dc1eeec7" strings: $s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"" fullword $s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a" $s4 = "Writed by DreAmeRz" fullword condition: 1 of them } rule DTool_Pro_php { meta: description = "Semi-Auto-generated - file DTool Pro.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "366ad973a3f327dfbfb915b0faaea5a6" strings: $s0 = "r3v3ng4ns\\nDigite" $s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi" $s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n" condition: 1 of them } rule telnetd_pl { meta: description = "Semi-Auto-generated - file telnetd.pl.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "5f61136afd17eb025109304bd8d6d414" strings: $s0 = "0ldW0lf" fullword $s1 = "However you are lucky :P" $s2 = "I'm FuCKeD" $s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#" $s4 = "atrix@irc.brasnet.org" condition: 1 of them } rule php_include_w_shell_php { meta: description = "Semi-Auto-generated - file php-include-w-shell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "4e913f159e33867be729631a7ca46850" strings: $s0 = "$dataout .= \"
\" : \"[admin\\@$ServerName $C" condition: 1 of them } rule ironshell_php { meta: description = "Semi-Auto-generated - file ironshell.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "8bfa2eeb8a3ff6afc619258e39fded56" strings: $s0 = "www.ironwarez.info" $s1 = "$cookiename = \"wieeeee\";" $s2 = "~ Shell I" $s3 = "www.rootshell-team.info" $s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);" condition: 1 of them } rule backdoorfr_php { meta: description = "Semi-Auto-generated - file backdoorfr.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "91e4afc7444ed258640e85bcaf0fecfc" strings: $s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan" $s2 = "print(\"
Provenance du mail : /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");" condition: 1 of them } rule Ajan_asp { meta: description = "Semi-Auto-generated - file Ajan.asp.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "b6f468252407efc2318639da22b08af0" strings: $s1 = "c:\\downloaded.zip" $s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword $s3 = "http://www35.websamba.com/cybervurgun/" condition: 1 of them } rule PHANTASMA_php { meta: description = "Semi-Auto-generated - file PHANTASMA.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "52779a27fa377ae404761a7ce76a5da7" strings: $s0 = ">[*] Safemode Mode Run" $s1 = "$file1 - $file2 - $file
" $s2 = "[*] Spawning Shell" $s3 = "Cha0s" condition: 2 of them } rule MySQL_Web_Interface_Version_0_8_php { meta: description = "Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "36d4f34d0a22080f47bb1cb94107c60f" strings: $s0 = "SooMin Kim" $s1 = "http://popeye.snu.ac.kr/~smkim/mysql" $s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename" $s3 = " Type M D unsigned zerofi" condition: 2 of them } rule simple_cmd_html { meta: description = "Semi-Auto-generated - file simple_cmd.html.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" hash = "c6381412df74dbf3bcd5a2b31522b544" strings: $s1 = "G-Security Webshell" fullword $s2 = "\" " fullword $s3 = "" fullword $s4 = "" fullword condition: all of them } rule _1_c2007_php_php_c100_php { meta: description = "Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "44542e5c3e9790815c49d5f9beffbbf2" hash1 = "d089e7168373a0634e1ac18c0ee00085" hash2 = "38fd7e45f9c11a37463c3ded1c76af4c" strings: $s0 = "echo \"Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\"" $s3 = "echo \" Done!
Total time (secs.): \".$ft" $s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r" condition: 1 of them } rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "911195a9b7c010f61b66439d9048f400" hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash3 = "8023394542cddf8aee5dec6072ed02b5" hash4 = "eed14de3907c9aa2550d95550d1a2d5f" hash5 = "817671e1bdc85e04cc3440bbd9288800" strings: $s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o" $s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult" condition: 1 of them } rule _c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php { meta: description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "d8ae5819a0a2349ec552cbcf3a62c975" hash1 = "9e9ae0332ada9c3797d6cee92c2ede62" hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9" hash3 = "671cad517edd254352fe7e0c7c981c39" strings: $s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\"" $s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\"" $s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\"" condition: 2 of them } rule _r577_php_php_spy_php_php_s_php_php { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "eed14de3907c9aa2550d95550d1a2d5f" hash2 = "817671e1bdc85e04cc3440bbd9288800" strings: $s2 = "echo $te.\"
\".(!empty($_POST['" $s3 = "echo sr(45,\"<b>\".$lang[$language.'_text80'].$arrow.\"</b>\",\"<select name=db>" condition: 1 of them } rule webshell_c99_generic { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "d8ae5819a0a2349ec552cbcf3a62c975" hash4 = "9e9ae0332ada9c3797d6cee92c2ede62" hash5 = "09609851caa129e40b0d56e90dfc476c" hash6 = "671cad517edd254352fe7e0c7c981c39" strings: $s0 = " if ($copy_unset) {foreach($sess_data[\"copy\"] as $k=>$v) {unset($sess_data[\"" $s1 = " if (file_exists($mkfile)) {echo \"<b>Make File \\\"\".htmlspecialchars($mkfile" $s2 = " echo \"<center><b>MySQL \".mysql_get_server_info().\" (proto v.\".mysql_get_pr" $s3 = " elseif (!fopen($mkfile,\"w\")) {echo \"<b>Make File \\\"\".htmlspecialchars($m" condition: all of them } rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "d8ae5819a0a2349ec552cbcf3a62c975" hash4 = "9e9ae0332ada9c3797d6cee92c2ede62" hash5 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "$sess_data[\"cut\"] = array(); c99_s" $s3 = "if ((!eregi(\"http://\",$uploadurl)) and (!eregi(\"https://\",$uploadurl))" condition: 1 of them } rule _w_php_php_wacking_php_php_SpecialShell_99_php_php { meta: description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "9c5bb5e3a46ec28039e8986324e42792" hash2 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "\"<td> <a href=\\\"\".$sql_surl.\"sql_act=query&sql_query=\".ur" $s2 = "c99sh_sqlquery" condition: 1 of them } rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "6cd50a14ea0da0df6a246a60c8f6f9c9" hash4 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "else {$act = \"f\"; $d = dirname($mkfile); if (substr($d,-1) != DIRECTORY_SEPA" $s3 = "else {echo \"<b>File \\\"\".$sql_getfile.\"\\\":</b><br>\".nl2br(htmlspec" condition: 1 of them } rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "911195a9b7c010f61b66439d9048f400" hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash3 = "eed14de3907c9aa2550d95550d1a2d5f" hash4 = "817671e1bdc85e04cc3440bbd9288800" strings: $s0 = "echo sr(15,\"<b>\".$lang[$language.'_text" $s1 = ".$arrow.\"</b>\",in('text','" condition: 2 of them } rule _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "911195a9b7c010f61b66439d9048f400" hash2 = "eddf7a8fde1e50a7f2a817ef7cece24f" strings: $s0 = "'ru_text9' =>'???????? ????? ? ???????? ??? ? /bin/bash'," fullword $s1 = "$name='ec371748dc2da624b35a4f8f685dd122'" $s2 = "rst.void.ru" condition: 3 of them } rule _r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "8023394542cddf8aee5dec6072ed02b5" hash2 = "eed14de3907c9aa2550d95550d1a2d5f" hash3 = "817671e1bdc85e04cc3440bbd9288800" strings: $s0 = "echo ws(2).$lb.\" <a" $s1 = "$sql = \"LOAD DATA INFILE \\\"\".$_POST['test3_file']" $s3 = "if (empty($_POST['cmd'])&&!$safe_mode) { $_POST['cmd']=($windows)?(\"dir\"):(\"l" condition: 2 of them } rule _wacking_php_php_1_SpecialShell_99_php_php_c100_php { meta: description = "Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "9c5bb5e3a46ec28039e8986324e42792" hash1 = "44542e5c3e9790815c49d5f9beffbbf2" hash2 = "09609851caa129e40b0d56e90dfc476c" hash3 = "38fd7e45f9c11a37463c3ded1c76af4c" strings: $s0 = "if(eregi(\"./shbd $por\",$scan))" $s1 = "$_POST['backconnectip']" $s2 = "$_POST['backcconnmsg']" condition: 1 of them } rule _r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash2 = "8023394542cddf8aee5dec6072ed02b5" hash3 = "eed14de3907c9aa2550d95550d1a2d5f" hash4 = "817671e1bdc85e04cc3440bbd9288800" strings: $s1 = "if(rmdir($_POST['mk_name']))" $s2 = "$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td>" $s3 = "if(unlink($_POST['mk_name'])) echo \"<table width=100% cellpadding=0 cell" condition: 2 of them } rule _w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php { meta: description = "Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "9c5bb5e3a46ec28039e8986324e42792" hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9" hash3 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "\"ext_avi\"=>array(\"ext_avi\",\"ext_mov\",\"ext_mvi" $s1 = "echo \"<b>Execute file:</b><form action=\\\"\".$surl.\"\\\" method=POST><inpu" $s2 = "\"ext_htaccess\"=>array(\"ext_htaccess\",\"ext_htpasswd" condition: 1 of them } rule multiple_php_webshells { meta: description = "Semi-Auto-generated - from files multiple_php_webshells" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "911195a9b7c010f61b66439d9048f400" hash2 = "be0f67f3e995517d18859ed57b4b4389" hash3 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash4 = "8023394542cddf8aee5dec6072ed02b5" hash5 = "eed14de3907c9aa2550d95550d1a2d5f" hash6 = "817671e1bdc85e04cc3440bbd9288800" hash7 = "7101fe72421402029e2629f3aaed6de7" hash8 = "f618f41f7ebeb5e5076986a66593afd1" strings: $s0 = "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuI" $s2 = "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0" $s4 = "A8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCiNpbmNsdWRlIDxlcnJuby5oPg" condition: 2 of them } rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php { meta: description = "Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" strings: $s0 = "<b>Dumped! Dump has been writed to " $s1 = "if ((!empty($donated_html)) and (in_array($act,$donated_act))) {echo \"<TABLE st" $s2 = "<input type=submit name=actarcbuff value=\\\"Pack buffer to archive" condition: 1 of them } rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "d8ae5819a0a2349ec552cbcf3a62c975" hash4 = "9e9ae0332ada9c3797d6cee92c2ede62" strings: $s0 = "@ini_set(\"highlight" fullword $s1 = "echo \"<b>Result of execution this PHP-code</b>:<br>\";" fullword $s2 = "{$row[] = \"<b>Owner/Group</b>\";}" fullword condition: 2 of them } rule _GFS_web_shell_ver_3_1_7___PRiV8_php_nshell_php_php_gfs_sh_php_php { meta: description = "Semi-Auto-generated - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "be0f67f3e995517d18859ed57b4b4389" hash1 = "4a44d82da21438e32d4f514ab35c26b6" hash2 = "f618f41f7ebeb5e5076986a66593afd1" strings: $s2 = "echo $uname.\"</font><br><b>\";" fullword $s3 = "while(!feof($f)) { $res.=fread($f,1024); }" fullword $s4 = "echo \"user=\".@get_current_user().\" uid=\".@getmyuid().\" gid=\".@getmygid()" condition: 2 of them } rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "d8ae5819a0a2349ec552cbcf3a62c975" hash4 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "c99ftpbrutecheck" $s1 = "$ftpquick_t = round(getmicrotime()-$ftpquick_st,4);" fullword $s2 = "$fqb_lenght = $nixpwdperpage;" fullword $s3 = "$sock = @ftp_connect($host,$port,$timeout);" fullword condition: 2 of them } rule _w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "9c5bb5e3a46ec28039e8986324e42792" hash2 = "d8ae5819a0a2349ec552cbcf3a62c975" hash3 = "9e9ae0332ada9c3797d6cee92c2ede62" hash4 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "$sqlquicklaunch[] = array(\"" $s1 = "else {echo \"<center><b>File does not exists (\".htmlspecialchars($d.$f).\")!<" condition: all of them } rule _antichat_php_php_Fatalshell_php_php_a_gedit_php_php { meta: description = "Semi-Auto-generated - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "128e90b5e2df97e21e96d8e268cde7e3" hash1 = "b15583f4eaad10a25ef53ab451a4a26d" hash2 = "ab9c6b24ca15f4a1b7086cad78ff0f78" strings: $s0 = "if(@$_POST['save'])writef($file,$_POST['data']);" fullword $s1 = "if($action==\"phpeval\"){" fullword $s2 = "$uploadfile = $dirupload.\"/\".$_POST['filename'];" fullword $s3 = "$dir=getcwd().\"/\";" fullword condition: 2 of them } rule _c99shell_v1_0_php_php_c99php_SsEs_php_php { meta: description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "d8ae5819a0a2349ec552cbcf3a62c975" hash1 = "9e9ae0332ada9c3797d6cee92c2ede62" hash2 = "6cd50a14ea0da0df6a246a60c8f6f9c9" strings: $s3 = "if (!empty($delerr)) {echo \"<b>Deleting with errors:</b><br>\".$delerr;}" fullword condition: 1 of them } rule _Crystal_php_nshell_php_php_load_shell_php_php { meta: description = "Semi-Auto-generated - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "fdbf54d5bf3264eb1c4bff1fac548879" hash1 = "4a44d82da21438e32d4f514ab35c26b6" hash2 = "0c5d227f4aa76785e4760cdcff78a661" strings: $s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword $s1 = "$dires = $dires . $directory;" fullword $s4 = "$arr = array_merge($arr, glob(\"*\"));" fullword condition: 2 of them } rule _nst_php_php_cybershell_php_php_img_php_php_nstview_php_php { meta: description = "Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "ddaf9f1986d17284de83a17fe5f9fd94" hash1 = "ef8828e0bc0641a655de3932199c0527" hash2 = "17a07bb84e137b8aa60f87cd6bfab748" hash3 = "4745d510fed4378e4b1730f56f25e569" strings: $s0 = "@$rto=$_POST['rto'];" fullword $s2 = "SCROLLBAR-TRACK-COLOR: #91AAFF" fullword $s3 = "$to1=str_replace(\"//\",\"/\",$to1);" fullword condition: 2 of them } rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "433706fdc539238803fd47c4394b5109" hash4 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = " if ($mode & 0x200) {$world[\"execute\"] = ($world[\"execute\"] == \"x\")?\"t\":" $s1 = " $group[\"execute\"] = ($mode & 00010)?\"x\":\"-\";" fullword condition: all of them } rule _c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php { meta: description = "Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "d8ae5819a0a2349ec552cbcf3a62c975" hash1 = "9e9ae0332ada9c3797d6cee92c2ede62" hash2 = "44542e5c3e9790815c49d5f9beffbbf2" hash3 = "d089e7168373a0634e1ac18c0ee00085" hash4 = "38fd7e45f9c11a37463c3ded1c76af4c" strings: $s0 = "$result = mysql_query(\"SHOW PROCESSLIST\", $sql_sock); " fullword condition: all of them } rule multiple_php_webshells_2 { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "d8ae5819a0a2349ec552cbcf3a62c975" hash4 = "9e9ae0332ada9c3797d6cee92c2ede62" hash5 = "6cd50a14ea0da0df6a246a60c8f6f9c9" hash6 = "09609851caa129e40b0d56e90dfc476c" hash7 = "671cad517edd254352fe7e0c7c981c39" strings: $s0 = "elseif (!empty($ft)) {echo \"<center><b>Manually selected type is incorrect. I" $s1 = "else {echo \"<center><b>Unknown extension (\".$ext.\"), please, select type ma" $s3 = "$s = \"!^(\".implode(\"|\",$tmp).\")$!i\";" fullword condition: all of them } rule _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "38a3f9f2aa47c2e940695f3dba6a7bb2" hash1 = "3ca5886cd54d495dc95793579611f59a" hash2 = "9c5bb5e3a46ec28039e8986324e42792" hash3 = "44542e5c3e9790815c49d5f9beffbbf2" hash4 = "09609851caa129e40b0d56e90dfc476c" strings: $s0 = "if ($total === FALSE) {$total = 0;}" fullword $s1 = "$free_percent = round(100/($total/$free),2);" fullword $s2 = "if (!$bool) {$bool = is_dir($letter.\":\\\\\");}" fullword $s3 = "$bool = $isdiskette = in_array($letter,$safemode_diskettes);" fullword condition: 2 of them } rule _r577_php_php_r57_php_php_spy_php_php_s_php_php { meta: description = "Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt" author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "0714f80f35c1fddef1f8938b8d42a4c8" hash1 = "eddf7a8fde1e50a7f2a817ef7cece24f" hash2 = "eed14de3907c9aa2550d95550d1a2d5f" hash3 = "817671e1bdc85e04cc3440bbd9288800" strings: $s0 = "$res = mssql_query(\"select * from r57_temp_table\",$db);" fullword $s2 = "'eng_text30'=>'Cat file'," fullword $s3 = "@mssql_query(\"drop table r57_temp_table\",$db);" fullword condition: 1 of them } rule _nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php { meta: description = "Semi-Auto-generated " author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls" super_rule = 1 hash0 = "40a3e86a63d3d7f063a86aab5b5f92c6" hash1 = "d8ae5819a0a2349ec552cbcf3a62c975" hash2 = "9e9ae0332ada9c3797d6cee92c2ede62" hash3 = "f3ca29b7999643507081caab926e2e74" strings: $s0 = "$num = $nixpasswd + $nixpwdperpage;" fullword $s1 = "$ret = posix_kill($pid,$sig);" fullword $s2 = "if ($uid) {echo join(\":\",$uid).\"<br>\";}" fullword $s3 = "$i = $nixpasswd;" fullword condition: 2 of them } /* GIF Header webshell */ rule DarkSecurityTeam_Webshell { meta: description = "Dark Security Team Webshell" author = "Florian Roth" hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24" score = 50 strings: $s0 = "form method=post><input type=hidden name=\"\"#\"\" value=Execute(Session(\"\"#\"\"))><input name=thePath value=\"\"\"&HtmlEncode(Server.MapPath(\".\"))&" ascii condition: 1 of them } rule GIFCloaked_Webshell_A { meta: description = "Looks like a webshell cloaked as GIF" author = "Florian Roth" hash = "f1c95b13a71ca3629a0bb79601fcacf57cdfcf768806a71b26f2448f8c1d5d24" score = 50 strings: $magic = { 47 49 46 38 } /* GIF8 ... */ $s0 = "input type" $s1 = "<%eval request" $s2 = "<%eval(Request.Item[" $s3 = "LANGUAGE='VBScript'" $fp1 = "<form name=\"social_form\"" condition: ( $magic at 0 ) and ( 1 of ($s*) ) and not filepath contains "AppData" and not 1 of ($fp*) } rule PHP_Cloaked_Webshell_SuperFetchExec { meta: description = "Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC" reference = "http://goo.gl/xFvioC" author = "Florian Roth" score = 50 strings: $s0 = "else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d);" condition: $s0 } /* PHP Webshell Update - August 2014 - deducted from https://github.com/JohnTroony/php-webshells */ rule WebShell_RemExp_asp_php { meta: description = "PHP Webshells Github Archive - file RemExp.asp.php.txt" author = "Florian Roth" hash = "d9919dcf94a70d5180650de8b81669fa1c10c5a2" strings: $s0 = "lsExt = Right(FileName, Len(FileName) - liCount)" fullword $s7 = "<td bgcolor=\"<%=BgColor%>\" title=\"<%=File.Name%>\"> <a href= \"showcode.asp?f" $s13 = "Response.Write Drive.ShareName & \" [share]\"" fullword $s19 = "If Request.QueryString(\"CopyFile\") <> \"\" Then" fullword $s20 = "<td width=\"40%\" height=\"20\" bgcolor=\"silver\"> Name</td>" fullword condition: all of them } rule WebShell_dC3_Security_Crew_Shell_PRiV { meta: description = "PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php" author = "Florian Roth" hash = "1b2a4a7174ca170b4e3a8cdf4814c92695134c8a" strings: $s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword $s4 = "$ps=str_replace(\"\\\\\",\"/\",getenv('DOCUMENT_ROOT'));" fullword $s5 = "header(\"Expires: \".date(\"r\",mktime(0,0,0,1,1,2030)));" fullword $s15 = "search_file($_POST['search'],urldecode($_POST['dir']));" fullword $s16 = "echo base64_decode($images[$_GET['pic']]);" fullword $s20 = "if (isset($_GET['rename_all'])) {" fullword condition: 3 of them } rule WebShell_simattacker { meta: description = "PHP Webshells Github Archive - file simattacker.php" author = "Florian Roth" hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9" strings: $s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword $s4 = " Turkish Hackers : WWW.ALTURKS.COM <br>" fullword $s5 = " Programer : SimAttacker - Edited By KingDefacer<br>" fullword $s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword $s10 = " e-mail : kingdefacer@msn.com<br>" fullword $s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword $s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword $s20 = "$Comments=$_POST['Comments'];" fullword condition: 2 of them } rule WebShell_DTool_Pro { meta: description = "PHP Webshells Github Archive - file DTool Pro.php" author = "Florian Roth" hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353" strings: $s1 = "function PHPget(){inclVar(); if(confirm(\"O PHPget agora oferece uma lista pront" $s2 = "<font size=3>by r3v3ng4ns - revengans@gmail.com </font>" fullword $s3 = "function PHPwriter(){inclVar();var url=prompt(\"[ PHPwriter ] by r3v3ng4ns\\nDig" $s11 = "//Turns the 'ls' command more usefull, showing it as it looks in the shell" fullword $s13 = "if (@file_exists(\"/usr/bin/wget\")) $pro3=\"<i>wget</i> at /usr/bin/wget, \";" fullword $s14 = "//To keep the changes in the url, when using the 'GET' way to send php variables" fullword $s16 = "function PHPf(){inclVar();var o=prompt(\"[ PHPfilEditor ] by r3v3ng4ns\\nDigite " $s18 = "if(empty($fu)) $fu = @$_GET['fu'];" fullword condition: 3 of them } rule WebShell_ironshell { meta: description = "PHP Webshells Github Archive - file ironshell.php" author = "Florian Roth" hash = "d47b8ba98ea8061404defc6b3a30839c4444a262" strings: $s0 = "<title>'.getenv(\"HTTP_HOST\").' ~ Shell I</title>" fullword $s2 = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST" $s4 = "error_reporting(0); //If there is an error, we'll show it, k?" fullword $s8 = "print \"<form action=\\\"\".$me.\"?p=chmod&file=\".$content.\"&d" $s15 = "if(!is_numeric($_POST['timelimit']))" fullword $s16 = "if($_POST['chars'] == \"9999\")" fullword $s17 = "<option value=\\\"az\\\">a - zzzzz</option>" fullword $s18 = "print shell_exec($command);" fullword condition: 3 of them } rule WebShell_indexer_asp_php { meta: description = "PHP Webshells Github Archive - file indexer.asp.php.txt" author = "Florian Roth" hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d" strings: $s0 = "<meta http-equiv=\"Content-Language\" content=\"tr\">" fullword $s1 = "<title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>" fullword $s2 = "<form action=\"?Gonder\" method=\"post\">" fullword $s4 = "<form action=\"?oku\" method=\"post\">" fullword $s7 = "var message=\"SaNaLTeRoR - " fullword $s8 = "nDexEr - Reader\"" fullword condition: 3 of them } rule WebShell_toolaspshell { meta: description = "PHP Webshells Github Archive - file toolaspshell.php" author = "Florian Roth" hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f" strings: $s0 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef" $s12 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword $s20 = "destino3 = folderItem.path & \"\\index.asp\"" fullword condition: 2 of them } rule WebShell_b374k_mini_shell_php_php { meta: description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php" author = "Florian Roth" hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143" strings: $s0 = "@error_reporting(0);" fullword $s2 = "@eval(gzinflate(base64_decode($code)));" fullword $s3 = "@set_time_limit(0); " fullword condition: all of them } rule WebShell_Sincap_1_0 { meta: description = "PHP Webshells Github Archive - file Sincap 1.0.php" author = "Florian Roth" hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c" strings: $s4 = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" fullword $s5 = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" fullword $s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword $s12 = "while (($ekinci=readdir ($sedat))){" fullword $s19 = "$deger2= \"$ich[$tampon4]\";" fullword condition: 2 of them } rule WebShell_b374k_php { meta: description = "PHP Webshells Github Archive - file b374k.php.php" author = "Florian Roth" hash = "04c99efd187cf29dc4e5603c51be44170987bce2" strings: $s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword $s6 = "// password (default is: b374k)" $s8 = "//******************************************************************************" $s9 = "// b374k 2.2" fullword $s10 = "eval(\"?>\".gzinflate(base64_decode(" condition: 3 of them } rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend { meta: description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php" author = "Florian Roth" hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44" strings: $s4 = " Iranian Hackers : WWW.SIMORGH-EV.COM <br>" fullword $s5 = "//fake mail = Use victim server 4 DOS - fake mail " fullword $s10 = "<a style=\"TEXT-DECORATION: none\" href=\"http://www.simorgh-ev.com\">" fullword $s16 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword $s17 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword $s19 = "$Comments=$_POST['Comments'];" fullword $s20 = "Victim Mail :<br><input type='text' name='to' ><br>" fullword condition: 3 of them } rule WebShell_h4ntu_shell__powered_by_tsoi_ { meta: description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php" author = "Florian Roth" hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9" strings: $s11 = "<title>h4ntu shell [powered by tsoi]</title>" fullword $s13 = "$cmd = $_POST['cmd'];" fullword $s16 = "$uname = posix_uname( );" fullword $s17 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword $s18 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>" $s20 = "ob_end_clean();" fullword condition: 3 of them } rule WebShell_php_webshells_MyShell { meta: description = "PHP Webshells Github Archive - file MyShell.php" author = "Florian Roth" hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d" strings: $s3 = "<title>MyShell error - Access Denied</title>" fullword $s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword $s5 = "//A workdir has been asked for - we chdir to that dir." fullword $s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o" $s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword $s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword $s19 = "#every command you excecute." fullword $s20 = "<form name=\"shell\" method=\"post\">" fullword condition: 3 of them } rule WebShell_php_webshells_pws { meta: description = "PHP Webshells Github Archive - file pws.php" author = "Florian Roth" hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b" strings: $s6 = "if ($_POST['cmd']){" fullword $s7 = "$cmd = $_POST['cmd'];" fullword $s10 = "echo \"FILE UPLOADED TO $dez\";" fullword $s11 = "if (file_exists($uploaded)) {" fullword $s12 = "copy($uploaded, $dez);" fullword $s17 = "passthru($cmd);" fullword condition: 4 of them } rule WebShell_reader_asp_php { meta: description = "PHP Webshells Github Archive - file reader.asp.php.txt" author = "Florian Roth" hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931" strings: $s5 = "ster\" name=submit> </Font> <a href=mailto:mailbomb@hotmail" $s12 = " HACKING " fullword $s16 = "FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT: " $s20 = "PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG" condition: 3 of them } rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 { meta: description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php" author = "Florian Roth" hash = "db076b7c80d2a5279cab2578aa19cb18aea92832" strings: $s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword $s6 = "by PHP Emperor<xb5@hotmail.com>" fullword $s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor <xb5@hotmail." $s11 = "die(\"<FONT COLOR=\\\"RED\\\"><CENTER>Sorry... File" fullword $s15 = "if(empty($_GET['file'])){" fullword $s16 = "echo \"<head><title>Safe Mode Shell</title></head>\"; " fullword condition: 3 of them } rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit { meta: description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php" author = "Florian Roth" hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4" strings: $s4 = "$liz0zim=shell_exec($_POST[liz0]); " fullword $s6 = "$liz0=shell_exec($_POST[baba]); " fullword $s9 = "echo \"<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E" $s12 = " :=) :</font><select size=\"1\" name=\"liz0\">" fullword $s13 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword condition: 1 of them } rule WebShell_php_backdoor { meta: description = "PHP Webshells Github Archive - file php-backdoor.php" author = "Florian Roth" hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe" strings: $s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword $s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi" $s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword $s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword $s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input " condition: 1 of them } rule WebShell_Worse_Linux_Shell { meta: description = "PHP Webshells Github Archive - file Worse Linux Shell.php" author = "Florian Roth" hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96" strings: $s4 = "if( $_POST['_act'] == \"Upload!\" ) {" fullword $s5 = "print \"<center><h1>#worst @dal.net</h1></center>\";" fullword $s7 = "print \"<center><h1>Linux Shells</h1></center>\";" fullword $s8 = "$currentCMD = \"ls -la\";" fullword $s14 = "print \"<tr><td><b>System type:</b></td><td>$UName</td></tr>\";" fullword $s19 = "$currentCMD = str_replace(\"\\\\\\\\\",\"\\\\\",$_POST['_cmd']);" fullword condition: 2 of them } rule WebShell_php_webshells_pHpINJ { meta: description = "PHP Webshells Github Archive - file pHpINJ.php" author = "Florian Roth" hash = "75116bee1ab122861b155cc1ce45a112c28b9596" strings: $s3 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword $s10 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword $s11 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN" $s13 = "Full server path to a writable file which will contain the Php Shell <br />" fullword $s14 = "$expurl= $url.\"?id=\".$sql ;" fullword $s15 = "<header>|| .::News PHP Shell Injection::. ||</header> <br /> <br />" fullword $s16 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword condition: 1 of them } rule WebShell_php_webshells_NGH { meta: description = "PHP Webshells Github Archive - file NGH.php" author = "Florian Roth" hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645" strings: $s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?></title>" fullword $s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword $s5 = "<form action=<?=$script?>?act=bindshell method=POST>" fullword $s9 = "<form action=<?=$script?>?act=backconnect method=POST>" fullword $s11 = "<form action=<?=$script?>?act=mkdir method=POST>" fullword $s16 = "die(\"<font color=#DF0000>Login error</font>\");" fullword $s20 = "<b>Bind /bin/bash at port: </b><input type=text name=port size=8>" fullword condition: 2 of them } rule WebShell_php_webshells_matamu { meta: description = "PHP Webshells Github Archive - file matamu.php" author = "Florian Roth" hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733" strings: $s2 = "$command .= ' -F';" fullword $s3 = "/* We try and match a cd command. */" fullword $s4 = "directory... Trust me - it works :-) */" fullword $s5 = "$command .= \" 1> $tmpfile 2>&1; \" ." fullword $s10 = "$new_dir = $regs[1]; // 'cd /something/...'" fullword $s16 = "/* The last / in work_dir were the first charecter." fullword condition: 2 of them } rule WebShell_ru24_post_sh { meta: description = "PHP Webshells Github Archive - file ru24_post_sh.php" author = "Florian Roth" hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769" strings: $s1 = "http://www.ru24-team.net" fullword $s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a" $s6 = "Ru24PostWebShell" $s7 = "Writed by DreAmeRz" fullword $s9 = "$function=passthru; // system, exec, cmd" fullword condition: 1 of them } rule WebShell_hiddens_shell_v1 { meta: description = "PHP Webshells Github Archive - file hiddens shell v1.php" author = "Florian Roth" hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59" strings: $s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U" condition: all of them } rule WebShell_c99_madnet { meta: description = "PHP Webshells Github Archive - file c99_madnet.php" author = "Florian Roth" hash = "17613df393d0a99fd5bea18b2d4707f566cff219" strings: $s0 = "$md5_pass = \"\"; //If no pass then hash" fullword $s1 = "eval(gzinflate(base64_decode('" $s2 = "$pass = \"pass\"; //Pass" fullword $s3 = "$login = \"user\"; //Login" fullword $s4 = " //Authentication" fullword condition: all of them } rule WebShell_c99_locus7s { meta: description = "PHP Webshells Github Archive - file c99_locus7s.php" author = "Florian Roth" hash = "d413d4700daed07561c9f95e1468fb80238fbf3c" strings: $s8 = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword $s9 = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y" $s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq" $s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword $s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword condition: 2 of them } rule WebShell_JspWebshell_1_2 { meta: description = "PHP Webshells Github Archive - file JspWebshell_1.2.php" author = "Florian Roth" hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa" strings: $s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword $s1 = "String password=request.getParameter(\"password\");" fullword $s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java." $s7 = "String editfile=request.getParameter(\"editfile\");" fullword $s8 = "//String tempfilename=request.getParameter(\"file\");" fullword $s12 = "password = (String)session.getAttribute(\"password\");" fullword condition: 3 of them } rule WebShell_safe0ver { meta: description = "PHP Webshells Github Archive - file safe0ver.php" author = "Florian Roth" hash = "366639526d92bd38ff7218b8539ac0f154190eb8" strings: $s3 = "$scriptident = \"$scriptTitle By Evilc0der.com\";" fullword $s4 = "while (file_exists(\"$lastdir/newfile$i.txt\"))" fullword $s5 = "else { /*  */" fullword $s7 = "$contents .= htmlentities( $line ) ;" fullword $s8 = "<br><p><br>Safe Mode ByPAss<p><form method=\"POST\">" fullword $s14 = "elseif ( $cmd==\"upload\" ) { /*  */ " fullword $s20 = "/*  */" fullword condition: 3 of them } rule WebShell_Uploader { meta: description = "PHP Webshells Github Archive - file Uploader.php" author = "Florian Roth" hash = "e216c5863a23fde8a449c31660fd413d77cce0b7" strings: $s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword condition: all of them } rule WebShell_php_webshells_kral { meta: description = "PHP Webshells Github Archive - file kral.php" author = "Florian Roth" hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc" strings: $s1 = "$adres=gethostbyname($ip);" fullword $s3 = "curl_setopt($ch,CURLOPT_POSTFIELDS,\"domain=\".$site);" fullword $s4 = "$ekle=\"/index.php?option=com_user&view=reset&layout=confirm\";" fullword $s16 = "echo $son.' <br> <font color=\"green\">Access</font><br>';" fullword $s17 = "<p>kodlama by <a href=\"mailto:priv8coder@gmail.com\">BLaSTER</a><br /" $s20 = "<p><strong>Server listeleyici</strong><br />" fullword condition: 2 of them } rule WebShell_cgitelnet { meta: description = "PHP Webshells Github Archive - file cgitelnet.php" author = "Florian Roth" hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3" strings: $s9 = "# Author Homepage: http://www.rohitab.com/" fullword $s10 = "elsif($Action eq \"command\") # user wants to run a command" fullword $s18 = "# in a command line on Windows NT." fullword $s20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword condition: 2 of them } rule WebShell_simple_backdoor { meta: description = "PHP Webshells Github Archive - file simple-backdoor.php" author = "Florian Roth" hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512" strings: $s0 = "" fullword $s1 = "" fullword $s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword $s3 = " echo \"</pre>\";" fullword $s4 = " $cmd = ($_REQUEST['cmd']);" fullword $s5 = " echo \"<pre>\";" fullword $s6 = "if(isset($_REQUEST['cmd'])){" fullword $s7 = " die;" fullword $s8 = " system($cmd);" fullword condition: all of them } rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 { meta: description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php" author = "Florian Roth" hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25" strings: $s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword $s3 = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword $s4 = "$v = @ini_get(\"open_basedir\");" fullword $s6 = "by PHP Emperor<xb5@hotmail.com>" fullword condition: 2 of them } rule WebShell_NTDaddy_v1_9 { meta: description = "PHP Webshells Github Archive - file NTDaddy v1.9.php" author = "Florian Roth" hash = "79519aa407fff72b7510c6a63c877f2e07d7554b" strings: $s2 = "| -obzerve : mr_o@ihateclowns.com |" fullword $s6 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword $s13 = "<form action=ntdaddy.asp method=post>" fullword $s17 = "response.write(\"<ERROR: THIS IS NOT A TEXT FILE>\")" fullword condition: 2 of them } rule WebShell_lamashell { meta: description = "PHP Webshells Github Archive - file lamashell.php" author = "Florian Roth" hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560" strings: $s0 = "if(($_POST['exe']) == \"Execute\") {" fullword $s8 = "$curcmd = $_POST['king'];" fullword $s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword $s18 = "<title>lama's'hell v. 3.0</title>" fullword $s19 = "_|_ O _ O _|_" fullword $s20 = "$curcmd = \"ls -lah\";" fullword condition: 2 of them } rule WebShell_Simple_PHP_backdoor_by_DK { meta: description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php" author = "Florian Roth" hash = "03f6215548ed370bec0332199be7c4f68105274e" strings: $s0 = "" fullword $s1 = "" fullword $s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword $s6 = "if(isset($_REQUEST['cmd'])){" fullword $s8 = "system($cmd);" fullword condition: 2 of them } rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT { meta: description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php" author = "Florian Roth" hash = "31e5473920a2cc445d246bc5820037d8fe383201" strings: $s4 = "$content = chunk_split(base64_encode($content)); " fullword $s12 = "print \"Sending mail to $to....... \"; " fullword $s16 = "if (!$from && !$subject && !$message && !$emaillist){ " fullword condition: all of them } rule WebShell_C99madShell_v__2_0_madnet_edition { meta: description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php" author = "Florian Roth" hash = "f99f8228eb12746847f54bad45084f19d1a7e111" strings: $s0 = "$md5_pass = \"\"; //If no pass then hash" fullword $s1 = "eval(gzinflate(base64_decode('" $s2 = "$pass = \"\"; //Pass" fullword $s3 = "$login = \"\"; //Login" fullword $s4 = "//Authentication" fullword condition: all of them } rule WebShell_CmdAsp_asp_php { meta: description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt" author = "Florian Roth" hash = "cb18e1ac11e37e236e244b96c2af2d313feda696" strings: $s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword $s4 = "' Author: Maceo <maceo @ dogmile.com>" fullword $s5 = "' -- Use a poor man's pipe ... a temp file -- '" fullword $s6 = "' --------------------o0o--------------------" fullword $s8 = "' File: CmdAsp.asp" fullword $s11 = "<-- CmdAsp.asp -->" fullword $s14 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword $s16 = "Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword $s19 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword condition: 4 of them } rule WebShell_NCC_Shell { meta: description = "PHP Webshells Github Archive - file NCC-Shell.php" author = "Florian Roth" hash = "64d4495875a809b2730bd93bec2e33902ea80a53" strings: $s0 = " if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {" fullword $s1 = "<b>--Coded by Silver" fullword $s2 = "<title>Upload - Shell/Datei</title>" fullword $s8 = "<a href=\"http://www.n-c-c.6x.to\" target=\"_blank\">-->NCC<--</a></center></b><" $s14 = "~|_Team .:National Cracker Crew:._|~<br>" fullword $s18 = "printf(\"Sie ist %u Bytes gro" fullword condition: 3 of them } rule WebShell_php_webshells_README { meta: description = "PHP Webshells Github Archive - file README.md" author = "Florian Roth" hash = "ef2c567b4782c994db48de0168deb29c812f7204" strings: $s0 = "Common php webshells. Do not host the file(s) in your server!" fullword $s1 = "php-webshells" fullword condition: all of them } rule WebShell_backupsql { meta: description = "PHP Webshells Github Archive - file backupsql.php" author = "Florian Roth" hash = "863e017545ec8e16a0df5f420f2d708631020dd4" strings: $s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ." $s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog" $s2 = "* as email attachment, or send to a remote ftp server by" fullword $s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword $s17 = "$from = \"Neu-Cool@email.com\"; // Who should the emails be sent from?, may " condition: 2 of them } rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version { meta: description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php" author = "Florian Roth" hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4" strings: $s8 = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword $s9 = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'." $s10 = "<b><font color=#83000>Execute system commands!</font></b>" fullword condition: 1 of them } rule WebShell_php_webshells_cpanel { meta: description = "PHP Webshells Github Archive - file cpanel.php" author = "Florian Roth" hash = "433dab17106b175c7cf73f4f094e835d453c0874" strings: $s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword $s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword $s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword $s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword $s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir" $s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword condition: 2 of them } rule WebShell_accept_language { meta: description = "PHP Webshells Github Archive - file accept_language.php" author = "Florian Roth" hash = "180b13576f8a5407ab3325671b63750adbcb62c9" strings: $s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword condition: all of them } rule WebShell_php_webshells_529 { meta: description = "PHP Webshells Github Archive - file 529.php" author = "Florian Roth" hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3" strings: $s0 = "<p>More: <a href=\"/\">Md5Cracking.Com Crew</a> " fullword $s7 = "href=\"/\" title=\"Securityhouse\">Security House - Shell Center - Edited By Kin" $s9 = "echo '<PRE><P>This is exploit from <a " fullword $s10 = "This Exploit Was Edited By KingDefacer" fullword $s13 = "safe_mode and open_basedir Bypass PHP 5.2.9 " fullword $s14 = "$hardstyle = explode(\"/\", $file); " fullword $s20 = "while($level--) chdir(\"..\"); " fullword condition: 2 of them } rule WebShell_STNC_WebShell_v0_8 { meta: description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php" author = "Florian Roth" hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc" strings: $s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword $s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()" $s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw" condition: 2 of them } rule WebShell_php_webshells_tryag { meta: description = "PHP Webshells Github Archive - file tryag.php" author = "Florian Roth" hash = "42d837e9ab764e95ed11b8bd6c29699d13fe4c41" strings: $s1 = "<title>TrYaG Team - TrYaG.php - Edited By KingDefacer</title>" fullword $s3 = "$tabledump = \"DROP TABLE IF EXISTS $table;\\n\"; " fullword $s6 = "$string = !empty($_POST['string']) ? $_POST['string'] : 0; " fullword $s7 = "$tabledump .= \"CREATE TABLE $table (\\n\"; " fullword $s14 = "echo \"<center><div id=logostrip>Edit file: $editfile </div><form action='$REQUE" condition: 3 of them } rule WebShell_dC3_Security_Crew_Shell_PRiV_2 { meta: description = "PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php" author = "Florian Roth" hash = "9077eb05f4ce19c31c93c2421430dd3068a37f17" strings: $s0 = "@rmdir($_GET['file']) or die (\"[-]Error deleting dir!\");" fullword $s9 = "header(\"Last-Modified: \".date(\"r\",filemtime(__FILE__)));" fullword $s13 = "header(\"Content-type: image/gif\");" fullword $s14 = "@copy($file,$to) or die (\"[-]Error copying file!\");" fullword $s20 = "if (isset($_GET['rename_all'])) {" fullword condition: 3 of them } rule WebShell_qsd_php_backdoor { meta: description = "PHP Webshells Github Archive - file qsd-php-backdoor.php" author = "Florian Roth" hash = "4856bce45fc5b3f938d8125f7cdd35a8bbae380f" strings: $s1 = "// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.c" $s2 = "if(isset($_POST[\"newcontent\"]))" fullword $s3 = "foreach($parts as $val)//Assemble the path back together" fullword $s7 = "$_POST[\"newcontent\"]=urldecode(base64_decode($_POST[\"newcontent\"]));" fullword condition: 2 of them } rule WebShell_php_webshells_spygrup { meta: description = "PHP Webshells Github Archive - file spygrup.php" author = "Florian Roth" hash = "12f9105332f5dc5d6360a26706cd79afa07fe004" strings: $s2 = "kingdefacer@msn.com</FONT></CENTER></B>\");" fullword $s6 = "if($_POST['root']) $root = $_POST['root'];" fullword $s12 = "\".htmlspecialchars($file).\" Bu Dosya zaten Goruntuleniyor<kingdefacer@msn.com>" fullword $s18 = "By KingDefacer From Spygrup.org>" fullword condition: 3 of them } rule WebShell_Web_shell__c_ShAnKaR { meta: description = "PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php" author = "Florian Roth" hash = "3dd4f25bd132beb59d2ae0c813373c9ea20e1b7a" strings: $s0 = "header(\"Content-Length: \".filesize($_POST['downf']));" fullword $s5 = "if($_POST['save']==0){echo \"<textarea cols=70 rows=10>\".htmlspecialchars($dump" $s6 = "write(\"#\\n#Server : \".getenv('SERVER_NAME').\"" fullword $s12 = "foreach(@file($_POST['passwd']) as $fed)echo $fed;" fullword condition: 2 of them } rule WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz { meta: description = "PHP Webshells Github Archive - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.php" author = "Florian Roth" hash = "5fe8c1d01dc5bc70372a8a04410faf8fcde3cb68" strings: $s7 = "<meta name=\"Copyright\" content=TouCh By iJOo\">" fullword $s11 = "directory... Trust me - it works :-) */" fullword $s15 = "/* ls looks much better with ' -F', IMHO. */" fullword $s16 = "} else if ($command == 'ls') {" fullword condition: 3 of them } rule WebShell_Gamma_Web_Shell { meta: description = "PHP Webshells Github Archive - file Gamma Web Shell.php" author = "Florian Roth" hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a" strings: $s4 = "$ok_commands = ['ls', 'ls -l', 'pwd', 'uptime'];" fullword $s8 = "### Gamma Group <http://www.gammacenter.com>" fullword $s15 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword $s20 = "my $command = $self->query('command');" fullword condition: 2 of them } rule WebShell_php_webshells_aspydrv { meta: description = "PHP Webshells Github Archive - file aspydrv.php" author = "Florian Roth" hash = "3d8996b625025dc549d73cdb3e5fa678ab35d32a" strings: $s0 = "Target = \"D:\\hshome\\masterhr\\masterhr.com\\\" ' ---Directory to which files" $s1 = "nPos = InstrB(nPosEnd, biData, CByteString(\"Content-Type:\"))" fullword $s3 = "Document.frmSQL.mPage.value = Document.frmSQL.mPage.value - 1" fullword $s17 = "If request.querystring(\"getDRVs\")=\"@\" then" fullword $s20 = "' ---Copy Too Folder routine Start" fullword condition: 3 of them } rule WebShell_JspWebshell_1_2_2 { meta: description = "PHP Webshells Github Archive - file JspWebshell 1.2.php" author = "Florian Roth" hash = "184fc72b51d1429c44a4c8de43081e00967cf86b" strings: $s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword $s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java." $s4 = "// String tempfilepath=request.getParameter(\"filepath\");" fullword $s15 = "endPoint=random1.getFilePointer();" fullword $s20 = "if (request.getParameter(\"command\") != null) {" fullword condition: 3 of them } rule WebShell_g00nshell_v1_3 { meta: description = "PHP Webshells Github Archive - file g00nshell-v1.3.php" author = "Florian Roth" hash = "70fe072e120249c9e2f0a8e9019f984aea84a504" strings: $s10 = "#To execute commands, simply include ?cmd=___ in the url. #" fullword $s15 = "$query = \"SHOW COLUMNS FROM \" . $_GET['table'];" fullword $s16 = "$uakey = \"724ea055b975621b9d679f7077257bd9\"; // MD5 encoded user-agent" fullword $s17 = "echo(\"<form method='GET' name='shell'>\");" fullword $s18 = "echo(\"<form method='post' action='?act=sql'>\");" fullword condition: 2 of them } rule WebShell_WinX_Shell { meta: description = "PHP Webshells Github Archive - file WinX Shell.php" author = "Florian Roth" hash = "a94d65c168344ad9fa406d219bdf60150c02010e" strings: $s4 = "// It's simple shell for all Win OS." fullword $s5 = "//------- [netstat -an] and [ipconfig] and [tasklist] ------------" fullword $s6 = "<html><head><title>-:[GreenwooD]:- WinX Shell</title></head>" fullword $s13 = "// Created by greenwood from n57" fullword $s20 = " if (is_uploaded_file($userfile)) {" fullword condition: 3 of them } rule WebShell_PHANTASMA { meta: description = "PHP Webshells Github Archive - file PHANTASMA.php" author = "Florian Roth" hash = "cd12d42abf854cd34ff9e93a80d464620af6d75e" strings: $s12 = "\" printf(\\\"Usage: %s [Host] <port>\\\\n\\\", argv[0]);\\n\" ." fullword $s15 = "if ($portscan != \"\") {" fullword $s16 = "echo \"<br>Banner: $get <br><br>\";" fullword $s20 = "$dono = get_current_user( );" fullword condition: 3 of them } rule WebShell_php_webshells_cw { meta: description = "PHP Webshells Github Archive - file cw.php" author = "Florian Roth" hash = "e65e0670ef6edf0a3581be6fe5ddeeffd22014bf" strings: $s1 = "// Dump Database [pacucci.com]" fullword $s2 = "$dump = \"-- Database: \".$_POST['db'] .\" \\n\";" fullword $s7 = "$aids = passthru(\"perl cbs.pl \".$_POST['connhost'].\" \".$_POST['connport']);" fullword $s8 = "<b>IP:</b> <u>\" . $_SERVER['REMOTE_ADDR'] .\"</u> - Server IP:</b> <a href='htt" $s14 = "$dump .= \"-- Cyber-Warrior.Org\\n\";" fullword $s20 = "if(isset($_POST['doedit']) && $_POST['editfile'] != $dir)" fullword condition: 3 of them } rule WebShell_php_include_w_shell { meta: description = "PHP Webshells Github Archive - file php-include-w-shell.php" author = "Florian Roth" hash = "1a7f4868691410830ad954360950e37c582b0292" strings: $s13 = "# dump variables (DEBUG SCRIPT) NEEDS MODIFINY FOR B64 STATUS!!" fullword $s17 = "\"phpshellapp\" => \"export TERM=xterm; bash -i\"," fullword $s19 = "else if($numhosts == 1) $strOutput .= \"On 1 host..\\n\";" fullword condition: 1 of them } rule WebShell_mysql_tool { meta: description = "PHP Webshells Github Archive - file mysql_tool.php" author = "Florian Roth" hash = "c9cf8cafcd4e65d1b57fdee5eef98f0f2de74474" strings: $s12 = "$dump .= \"-- Dumping data for table '$table'\\n\";" fullword $s20 = "$dump .= \"CREATE TABLE $table (\\n\";" fullword condition: 2 of them } rule WebShell_PhpSpy_Ver_2006 { meta: description = "PHP Webshells Github Archive - file PhpSpy Ver 2006.php" author = "Florian Roth" hash = "34a89e0ab896c3518d9a474b71ee636ca595625d" strings: $s2 = "var_dump(@$shell->RegRead($_POST['readregname']));" fullword $s12 = "$prog = isset($_POST['prog']) ? $_POST['prog'] : \"/c net start > \".$pathname." $s19 = "$program = isset($_POST['program']) ? $_POST['program'] : \"c:\\winnt\\system32" $s20 = "$regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\\winnt\\backdoor.exe'" condition: 1 of them } rule WebShell_ZyklonShell { meta: description = "PHP Webshells Github Archive - file ZyklonShell.php" author = "Florian Roth" hash = "3fa7e6f3566427196ac47551392e2386a038d61c" strings: $s0 = "The requested URL /Nemo/shell/zyklonshell.txt was not found on this server.<P>" fullword $s1 = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">" fullword $s2 = "<TITLE>404 Not Found</TITLE>" fullword $s3 = "<H1>Not Found</H1>" fullword condition: all of them } rule WebShell_php_webshells_myshell { meta: description = "PHP Webshells Github Archive - file myshell.php" author = "Florian Roth" hash = "5bd52749872d1083e7be076a5e65ffcde210e524" strings: $s0 = "if($ok==false &&$status && $autoErrorTrap)system($command . \" 1> /tmp/outpu" $s5 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o" $s15 = "<title>$MyShellVersion - Access Denied</title>" fullword $s16 = "}$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTT" condition: 1 of them } rule WebShell_php_webshells_lolipop { meta: description = "PHP Webshells Github Archive - file lolipop.php" author = "Florian Roth" hash = "86f23baabb90c93465e6851e40104ded5a5164cb" strings: $s3 = "$commander = $_POST['commander']; " fullword $s9 = "$sourcego = $_POST['sourcego']; " fullword $s20 = "$result = mysql_query($loli12) or die (mysql_error()); " fullword condition: all of them } rule WebShell_simple_cmd { meta: description = "PHP Webshells Github Archive - file simple_cmd.php" author = "Florian Roth" hash = "466a8caf03cdebe07aa16ad490e54744f82e32c2" strings: $s1 = "<input type=TEXT name=\"-cmd\" size=64 value=\"<?=$cmd?>\" " fullword $s2 = "<title>G-Security Webshell</title>" fullword $s4 = "<? if($cmd != \"\") print Shell_Exec($cmd);?>" fullword $s6 = "<? $cmd = $_REQUEST[\"-cmd\"];?>" fullword condition: 1 of them } rule WebShell_go_shell { meta: description = "PHP Webshells Github Archive - file go-shell.php" author = "Florian Roth" hash = "3dd85981bec33de42c04c53d081c230b5fc0e94f" strings: $s0 = "#change this password; for power security - delete this file =)" fullword $s2 = "if (!defined$param{cmd}){$param{cmd}=\"ls -la\"};" fullword $s11 = "open(FILEHANDLE, \"cd $param{dir}&&$param{cmd}|\");" fullword $s12 = "print << \"[kalabanga]\";" fullword $s13 = "<title>GO.cgi</title>" fullword condition: 1 of them } rule WebShell_aZRaiLPhp_v1_0 { meta: description = "PHP Webshells Github Archive - file aZRaiLPhp v1.0.php" author = "Florian Roth" hash = "a2c609d1a8c8ba3d706d1d70bef69e63f239782b" strings: $s0 = "<font size='+1'color='#0000FF'>aZRaiLPhP'nin URL'si: http://$HTTP_HOST$RED" $s4 = "$fileperm=base_convert($_POST['fileperm'],8,10);" fullword $s19 = "touch (\"$path/$dismi\") or die(\"Dosya Olu" fullword $s20 = "echo \"<div align=left><a href='./$this_file?dir=$path/$file'>G" fullword condition: 2 of them } rule WebShell_webshells_zehir4 { meta: description = "Webshells Github Archive - file zehir4" author = "Florian Roth" hash = "788928ae87551f286d189e163e55410acbb90a64" score = 55 strings: $s0 = "frames.byZehir.document.execCommand(command, false, option);" fullword $s8 = "response.Write \"<title>ZehirIV --> Powered By Zehir <zehirhacker@hotmail.com" condition: 1 of them } rule WebShell_zehir4_asp_php { meta: description = "PHP Webshells Github Archive - file zehir4.asp.php.txt" author = "Florian Roth" hash = "1d9b78b5b14b821139541cc0deb4cbbd994ce157" strings: $s4 = "response.Write \"<title>zehir3 --> powered by zehir <zehirhacker@hotmail.com&" $s11 = "frames.byZehir.document.execCommand(" $s15 = "frames.byZehir.document.execCommand(co" condition: 2 of them } rule WebShell_php_webshells_lostDC { meta: description = "PHP Webshells Github Archive - file lostDC.php" author = "Florian Roth" hash = "d54fe07ea53a8929620c50e3a3f8fb69fdeb1cde" strings: $s0 = "$info .= '[~]Server: ' .$_SERVER['HTTP_HOST'] .'<br />';" fullword $s4 = "header ( \"Content-Description: Download manager\" );" fullword $s5 = "print \"<center>[ Generation time: \".round(getTime()-startTime,4).\" second" $s9 = "if (mkdir($_POST['dir'], 0777) == false) {" fullword $s12 = "$ret = shellexec($command);" fullword condition: 2 of them } rule WebShell_CasuS_1_5 { meta: description = "PHP Webshells Github Archive - file CasuS 1.5.php" author = "Florian Roth" hash = "7eee8882ad9b940407acc0146db018c302696341" strings: $s2 = "<font size='+1'color='#0000FF'><u>CasuS 1.5'in URL'si</u>: http://$HTTP_HO" $s8 = "$fonk_kap = get_cfg_var(\"fonksiyonlary_kapat\");" fullword $s18 = "if (file_exists(\"F:\\\\\")){" fullword condition: 1 of them } rule WebShell_ftpsearch { meta: description = "PHP Webshells Github Archive - file ftpsearch.php" author = "Florian Roth" hash = "c945f597552ccb8c0309ad6d2831c8cabdf4e2d6" strings: $s0 = "echo \"[-] Error : coudn't read /etc/passwd\";" fullword $s9 = "@$ftp=ftp_connect('127.0.0.1');" fullword $s12 = "echo \"<title>Edited By KingDefacer</title><body>\";" fullword $s19 = "echo \"[+] Founded \".sizeof($users).\" entrys in /etc/passwd\\n\";" fullword condition: 2 of them } rule WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ { meta: description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php" author = "Florian Roth" super_rule = 1 hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38" hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f" hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076" strings: $s4 = " <a href=\"http://www.cyberlords.net\" target=\"_blank\">Cyber Lords Community</" $s10 = "echo \"<meta http-equiv=Refresh content=\\\"0; url=$PHP_SELF?edit=$nameoffile&sh" $s11 = " * Coded by Pixcher" fullword $s16 = "<input type=text size=55 name=newfile value=\"$d/newfile.php\">" fullword condition: 2 of them } rule WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah { meta: description = "PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php" author = "Florian Roth" super_rule = 1 hash0 = "fa11deaee821ca3de7ad1caafa2a585ee1bc8d82" hash1 = "c0a4ba3e834fb63e0a220a43caaf55c654f97429" hash2 = "16fa789b20409c1f2ffec74484a30d0491904064" strings: $s1 = "'Read /etc/passwd' => \"runcommand('etcpasswdfile','GET')\"," fullword $s2 = "'Running processes' => \"runcommand('ps -aux','GET')\"," fullword $s3 = "$dt = $_POST['filecontent'];" fullword $s4 = "'Open ports' => \"runcommand('netstat -an | grep -i listen','GET')\"," fullword $s6 = "print \"Sorry, none of the command functions works.\";" fullword $s11 = "document.cmdform.command.value='';" fullword $s12 = "elseif(isset($_GET['savefile']) && !empty($_POST['filetosave']) && !empty($_POST" condition: 3 of them } rule WebShell_Generic_PHP_7 { meta: description = "PHP Webshells Github Archive" author = "Florian Roth" super_rule = 1 hash0 = "de98f890790756f226f597489844eb3e53a867a9" hash1 = "128988c8ef5294d51c908690d27f69dffad4e42e" hash2 = "fd64f2bf77df8bcf4d161ec125fa5c3695fe1267" hash3 = "715f17e286416724e90113feab914c707a26d456" strings: $s0 = "header(\"Content-disposition: filename=$filename.sql\");" fullword $s1 = "else if( $action == \"dumpTable\" || $action == \"dumpDB\" ) {" fullword $s2 = "echo \"<font color=blue>[$USERNAME]</font> - \\n\";" fullword $s4 = "if( $action == \"dumpTable\" )" fullword condition: 2 of them } rule WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall { meta: description = "PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php" author = "Florian Roth" super_rule = 1 hash0 = "b148ead15d34a55771894424ace2a92983351dda" hash1 = "e4ba288f6d46dc77b403adf7d411a280601c635b" hash2 = "e5713d6d231c844011e9a74175a77e8eb835c856" hash3 = "1b836517164c18caf2c92ee2a06c645e26936a0c" strings: $s2 = "if(!$result2)$dump_file.='#error table '.$rows[0];" fullword $s4 = "if(!(@mysql_select_db($db_dump,$mysql_link)))echo('DB error');" fullword $s6 = "header('Content-Length: '.strlen($dump_file).\"\\n\");" fullword $s20 = "echo('Dump for '.$db_dump.' now in '.$to_file);" fullword condition: 2 of them } rule WebShell_Generic_PHP_8 { meta: description = "PHP Webshells Github Archive" author = "Florian Roth" super_rule = 1 hash0 = "fc1ae242b926d70e32cdb08bbe92628bc5bd7f99" hash1 = "9ad55629c4576e5a31dd845012d13a08f1c1f14e" hash2 = "c4aa2cf665c784553740c3702c3bfcb5d7af65a3" strings: $s1 = "elseif ( $cmd==\"file\" ) { /*  */" fullword $s2 = "elseif ( $cmd==\"upload\" ) { /*  */ " fullword $s3 = "/* I added this to ensure the script will run correctly..." fullword $s14 = "" fullword $s15 = "<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\">" fullword $s20 = "elseif ( $cmd==\"downl\" ) { /* */" fullword condition: 3 of them } rule WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php { meta: description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt" author = "Florian Roth" super_rule = 1 hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee" hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357" hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653" hash3 = "4f83bc2836601225a115b5ad54496428a507a361" strings: $s1 = "<font color=\"#000000\">Sil</font></a></font></td>" fullword $s5 = "<td width=\"122\" height=\"17\" bgcolor=\"#9F9F9F\">" fullword $s6 = "onfocus=\"if (this.value == 'Kullan" fullword $s16 = "<img border=\"0\" src=\"http://www.aventgrup.net/arsiv/klasvayv/1.0/2.gif\">" condition: 2 of them } rule WebShell_Generic_PHP_9 { meta: description = "PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php" author = "Florian Roth" super_rule = 1 hash0 = "89f2a7007a2cd411e0a7abd2ff5218d212b84d18" hash1 = "2266178ad4eb72c2386c0a4d536e5d82bb7ed6a2" hash2 = "0daed818cac548324ad0c5905476deef9523ad73" strings: $s2 = ":<b>\" .base64_decode($_POST['tot']). \"</b>\";" fullword $s6 = "if (isset($_POST['wq']) && $_POST['wq']<>\"\") {" fullword $s12 = "if (!empty($_POST['c'])){" fullword $s13 = "passthru($_POST['c']);" fullword $s16 = "<input type=\"radio\" name=\"tac\" value=\"1\">B64 Decode<br>" fullword $s20 = "<input type=\"radio\" name=\"tac\" value=\"3\">md5 Hash" fullword condition: 3 of them } rule WebShell__PH_Vayv_PHVayv_PH_Vayv { meta: description = "PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php" author = "Florian Roth" super_rule = 1 hash0 = "b51962a1ffa460ec793317571fc2f46042fd13ee" hash1 = "408ac9ca3d435c0f78bda370b33e84ba25afc357" hash2 = "4003ae289e3ae036755976f8d2407c9381ff5653" strings: $s4 = "<form method=\"POST\" action=\"<?echo \"PHVayv.php?duzkaydet=$dizin/$duzenle" $s12 = "<? if ($ekinci==\".\" or $ekinci==\"..\") {" fullword $s17 = "name=\"duzenx2\" value=\"Klas" fullword condition: 2 of them } rule WebShell_Generic_PHP_1 { meta: description = "PHP Webshells Github Archive - from files Dive Shell 1.0" author = "Florian Roth" super_rule = 1 hash0 = "3b086b9b53cf9d25ff0d30b1d41bb2f45c7cda2b" hash1 = "2558e728184b8efcdb57cfab918d95b06d45de04" hash2 = "203a8021192531d454efbc98a3bbb8cabe09c85c" hash3 = "b79709eb7801a28d02919c41cc75ac695884db27" strings: $s1 = "$token = substr($_REQUEST['command'], 0, $length);" fullword $s4 = "var command_hist = new Array(<?php echo $js_command_hist ?>);" fullword $s7 = "$_SESSION['output'] .= htmlspecialchars(fgets($io[1])," fullword $s9 = "document.shell.command.value = command_hist[current_line];" fullword $s16 = "$_REQUEST['command'] = $aliases[$token] . substr($_REQUEST['command'], $" $s19 = "if (empty($_SESSION['cwd']) || !empty($_REQUEST['reset'])) {" fullword $s20 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword condition: 5 of them } rule WebShell_Generic_PHP_2 { meta: description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php" author = "Florian Roth" super_rule = 1 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a" hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241" hash2 = "36d8782d749638fdcaeed540d183dd3c8edc6791" hash3 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de" strings: $s3 = "if((isset($_POST['fileto']))||(isset($_POST['filefrom'])))" fullword $s4 = "\\$port = {$_POST['port']};" fullword $s5 = "$_POST['installpath'] = \"temp.pl\";}" fullword $s14 = "if(isset($_POST['post']) and $_POST['post'] == \"yes\" and @$HTTP_POST_FILES[\"u" $s16 = "copy($HTTP_POST_FILES[\"userfile\"][\"tmp_name\"],$HTTP_POST_FILES[\"userfile\"]" condition: 4 of them } rule WebShell__CrystalShell_v_1_erne_stres { meta: description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php" author = "Florian Roth" super_rule = 1 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a" hash1 = "6eb4ab630bd25bec577b39fb8a657350bf425687" hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de" strings: $s1 = "<input type='submit' value=' open (shill.txt) '>" fullword $s4 = "var_dump(curl_exec($ch));" fullword $s7 = "if(empty($_POST['Mohajer22'])){" fullword $s10 = "$m=$_POST['curl'];" fullword $s13 = "$u1p=$_POST['copy'];" fullword $s14 = "if(empty(\\$_POST['cmd'])){" fullword $s15 = "$string = explode(\"|\",$string);" fullword $s16 = "$stream = imap_open(\"/etc/passwd\", \"\", \"\");" fullword condition: 5 of them } rule WebShell_Generic_PHP_3 { meta: description = "PHP Webshells Github Archive" author = "Florian Roth" super_rule = 1 hash0 = "d829e87b3ce34460088c7775a60bded64e530cd4" hash1 = "d710c95d9f18ec7c76d9349a28dd59c3605c02be" hash2 = "f044d44e559af22a1a7f9db72de1206f392b8976" hash3 = "41780a3e8c0dc3cbcaa7b4d3c066ae09fb74a289" strings: $s0 = "header('Content-Length:'.filesize($file).'');" fullword $s4 = "<textarea name=\\\"command\\\" rows=\\\"5\\\" cols=\\\"150\\\">\".@$_POST['comma" $s7 = "if(filetype($dir . $file)==\"file\")$files[]=$file;" fullword $s14 = "elseif (($perms & 0x6000) == 0x6000) {$info = 'b';} " fullword $s20 = "$info .= (($perms & 0x0004) ? 'r' : '-');" fullword condition: all of them } rule WebShell_Generic_PHP_4 { meta: description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php" author = "Florian Roth" super_rule = 1 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a" hash1 = "ca9fcfb50645dc0712abdf18d613ed2196e66241" hash2 = "86bc40772de71b1e7234d23cab355e1ff80c474d" hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791" hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de" strings: $s0 = "if ($filename != \".\" and $filename != \"..\"){" fullword $s2 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-';" fullword $s5 = "$owner[\"execute\"] = ($mode & 00100) ? 'x' : '-';" fullword $s6 = "$world[\"write\"] = ($mode & 00002) ? 'w' : '-';" fullword $s7 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-';" fullword $s10 = "foreach ($arr as $filename) {" fullword $s19 = "else if( $mode & 0x6000 ) { $type='b'; }" fullword condition: all of them } rule WebShell_GFS { meta: description = "PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php" author = "Florian Roth" super_rule = 1 hash0 = "c2f1ef6b11aaec255d4dd31efad18a3869a2a42c" hash1 = "34f6640985b07009dbd06cd70983451aa4fe9822" hash2 = "d25ef72bdae3b3cb0fc0fdd81cfa58b215812a50" strings: $s0 = "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==\";" fullword $s1 = "lIENPTk47DQpleGl0IDA7DQp9DQp9\";" fullword $s2 = "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShm" condition: all of them } rule WebShell__CrystalShell_v_1_sosyete_stres { meta: description = "PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php" author = "Florian Roth" super_rule = 1 hash0 = "335a0851304acedc3f117782b61479bbc0fd655a" hash1 = "e32405e776e87e45735c187c577d3a4f98a64059" hash2 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de" strings: $s1 = "A:visited { COLOR:blue; TEXT-DECORATION: none}" fullword $s4 = "A:active {COLOR:blue; TEXT-DECORATION: none}" fullword $s11 = "scrollbar-darkshadow-color: #101842;" fullword $s15 = "<a bookmark=\"minipanel\">" fullword $s16 = "background-color: #EBEAEA;" fullword $s18 = "color: #D5ECF9;" fullword $s19 = "<center><TABLE style=\"BORDER-COLLAPSE: collapse\" height=1 cellSpacing=0 border" condition: all of them } rule WebShell_Generic_PHP_10 { meta: description = "PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php" author = "Florian Roth" super_rule = 1 hash0 = "ef7f7c45d26614cea597f2f8e64a85d54630fe38" hash1 = "cabf47b96e3b2c46248f075bdbc46197db28a25f" hash2 = "9e165d4ed95e0501cd9a90155ac60546eb5b1076" hash3 = "7d5b54c7cab6b82fb7d131d7bbb989fd53cb1b57" strings: $s2 = "$world[\"execute\"] = ($world['execute']=='x') ? 't' : 'T'; " fullword $s6 = "$owner[\"write\"] = ($mode & 00200) ? 'w' : '-'; " fullword $s11 = "$world[\"execute\"] = ($mode & 00001) ? 'x' : '-'; " fullword $s12 = "else if( $mode & 0xA000 ) " fullword $s17 = "$s=sprintf(\"%1s\", $type); " fullword $s20 = "font-size: 8pt;" fullword condition: all of them } rule WebShell_Generic_PHP_11 { meta: description = "PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php" author = "Florian Roth" super_rule = 1 hash0 = "31a82cbee8dffaf8eb7b73841f3f3e8e9b3e78cf" hash1 = "838c7191cb10d5bb0fc7460b4ad0c18c326764c6" hash2 = "8dfcd919d8ddc89335307a7b2d5d467b1fd67351" hash3 = "80aba3348434c66ac471daab949871ab16c50042" strings: $s5 = "$filename = $backupstring.\"$filename\";" fullword $s6 = "while ($file = readdir($folder)) {" fullword $s7 = "if($file != \".\" && $file != \"..\")" fullword $s9 = "$backupstring = \"copy_of_\";" fullword $s10 = "if( file_exists($file_name))" fullword $s13 = "global $file_name, $filename;" fullword $s16 = "copy($file,\"$filename\");" fullword $s18 = "<td width=\"49%\" height=\"142\">" fullword condition: all of them } rule WebShell__findsock_php_findsock_shell_php_reverse_shell { meta: description = "PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php" author = "Florian Roth" super_rule = 1 hash0 = "5622c9841d76617bfc3cd4cab1932d8349b7044f" hash1 = "4a20f36035bbae8e342aab0418134e750b881d05" hash2 = "40dbdc0bdf5218af50741ba011c5286a723fa9bf" strings: $s1 = "// me at pentestmonkey@pentestmonkey.net" fullword condition: all of them } rule WebShell_Generic_PHP_6 { meta: description = "PHP Webshells Github Archive" author = "Florian Roth" super_rule = 1 hash0 = "1a08f5260c4a2614636dfc108091927799776b13" hash1 = "335a0851304acedc3f117782b61479bbc0fd655a" hash2 = "ca9fcfb50645dc0712abdf18d613ed2196e66241" hash3 = "36d8782d749638fdcaeed540d183dd3c8edc6791" hash4 = "03f88f494654f2ad0361fb63e805b6bbfc0c86de" strings: $s2 = "@eval(stripslashes($_POST['phpcode']));" fullword $s5 = "echo shell_exec($com);" fullword $s7 = "if($sertype == \"winda\"){" fullword $s8 = "function execute($com)" fullword $s12 = "echo decode(execute($cmd));" fullword $s15 = "echo system($com);" fullword condition: 4 of them } rule Unpack_Injectt { meta: description = "Webshells Auto-generated - file Injectt.exe" author = "Florian Roth" hash = "8a5d2158a566c87edc999771e12d42c5" strings: $s2 = "%s -Run -->To Install And Run The Service" $s3 = "%s -Uninstall -->To Uninstall The Service" $s4 = "(STANDARD_RIGHTS_REQUIRED |SC_MANAGER_CONNECT |SC_MANAGER_CREATE_SERVICE |SC_MAN" condition: all of them } rule HYTop_DevPack_fso { meta: description = "Webshells Auto-generated - file fso.asp" author = "Florian Roth" hash = "b37f3cde1a08890bd822a182c3a881f6" strings: $s0 = "" $s1 = "theFile.writeLine(\"<script language=\"\"vbscript\"\" runat=server>if request(\"\"\"&cli" condition: all of them } rule FeliksPack3___PHP_Shells_ssh { meta: description = "Webshells Auto-generated - file ssh.php" author = "Florian Roth" hash = "1aa5307790d72941589079989b4f900e" strings: $s0 = "eval(gzinflate(str_rot13(base64_decode('" condition: all of them } rule Debug_BDoor { meta: description = "Webshells Auto-generated - file BDoor.dll" author = "Florian Roth" hash = "e4e8e31dd44beb9320922c5f49739955" strings: $s1 = "\\BDoor\\" $s4 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" condition: all of them } rule bin_Client { meta: description = "Webshells Auto-generated - file Client.exe" author = "Florian Roth" hash = "5f91a5b46d155cacf0cc6673a2a5461b" strings: $s0 = "Recieved respond from server!!" $s4 = "packet door client" $s5 = "input source port(whatever you want):" $s7 = "Packet sent,waiting for reply..." condition: all of them } rule ZXshell2_0_rar_Folder_ZXshell { meta: description = "Webshells Auto-generated - file ZXshell.exe" author = "Florian Roth" hash = "246ce44502d2f6002d720d350e26c288" strings: $s0 = "WPreviewPagesn" $s1 = "DA!OLUTELY N" condition: all of them } rule RkNTLoad { meta: description = "Webshells Auto-generated - file RkNTLoad.exe" author = "Florian Roth" hash = "262317c95ced56224f136ba532b8b34f" strings: $s1 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $" $s2 = "5pur+virtu!" $s3 = "ugh spac#n" $s4 = "xcEx3WriL4" $s5 = "runtime error" $s6 = "loseHWait.Sr." $s7 = "essageBoxAw" $s8 = "$Id: UPX 1.07 Copyright (C) 1996-2001 the UPX Team. All Rights Reserved. $" condition: all of them } rule binder2_binder2 { meta: description = "Webshells Auto-generated - file binder2.exe" author = "Florian Roth" hash = "d594e90ad23ae0bc0b65b59189c12f11" strings: $s0 = "IsCharAlphaNumericA" $s2 = "WideCharToM" $s4 = "g 5pur+virtu!" $s5 = "\\syslog.en" $s6 = "heap7'7oqk?not=" $s8 = "- Kablto in" condition: all of them } rule thelast_orice2 { meta: description = "Webshells Auto-generated - file orice2.php" author = "Florian Roth" hash = "aa63ffb27bde8d03d00dda04421237ae" strings: $s0 = " $aa = $_GET['aa'];" $s1 = "echo $aa;" condition: all of them } rule FSO_s_sincap { meta: description = "Webshells Auto-generated - file sincap.php" author = "Florian Roth" hash = "dc5c2c2392b84a1529abd92e98e9aa5b" strings: $s0 = " <font color=\"#E5E5E5\" style=\"font-size: 8pt; font-weight: 700\" face=\"Arial\">" $s4 = "<body text=\"#008000\" bgcolor=\"#808080\" topmargin=\"0\" leftmargin=\"0\" rightmargin=" condition: all of them } rule PhpShell { meta: description = "Webshells Auto-generated - file PhpShell.php" author = "Florian Roth" hash = "539baa0d39a9cf3c64d65ee7a8738620" strings: $s2 = "href=\"http://www.gimpster.com/wiki/PhpShell\">www.gimpster.com/wiki/PhpShell</a>." condition: all of them } rule HYTop_DevPack_config { meta: description = "Webshells Auto-generated - file config.asp" author = "Florian Roth" hash = "b41d0e64e64a685178a3155195921d61" strings: $s0 = "const adminPassword=\"" $s2 = "const userPassword=\"" $s3 = "const mVersion=" condition: all of them } rule sendmail { meta: description = "Webshells Auto-generated - file sendmail.exe" author = "Florian Roth" hash = "75b86f4a21d8adefaf34b3a94629bd17" strings: $s3 = "_NextPyC808" $s6 = "Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. (www.diamondcs.com.au)" condition: all of them } rule FSO_s_zehir4 { meta: description = "Webshells Auto-generated - file zehir4.asp" author = "Florian Roth" hash = "5b496a61363d304532bcf52ee21f5d55" strings: $s5 = " byMesaj " condition: all of them } rule hkshell_hkshell { meta: description = "Webshells Auto-generated - file hkshell.exe" author = "Florian Roth" hash = "168cab58cee59dc4706b3be988312580" strings: $s1 = "PrSessKERNELU" $s2 = "Cur3ntV7sion" $s3 = "Explorer8" condition: all of them } rule iMHaPFtp { meta: description = "Webshells Auto-generated - file iMHaPFtp.php" author = "Florian Roth" hash = "12911b73bc6a5d313b494102abcf5c57" strings: $s1 = "echo \"\\t<th class=\\\"permission_header\\\"><a href=\\\"$self?{$d}sort=permission$r\\\">" condition: all of them } rule Unpack_TBack { meta: description = "Webshells Auto-generated - file TBack.dll" author = "Florian Roth" hash = "a9d1007823bf96fb163ab38726b48464" strings: $s5 = "\\final\\new\\lcc\\public.dll" condition: all of them } rule DarkSpy105 { meta: description = "Webshells Auto-generated - file DarkSpy105.exe" author = "Florian Roth" hash = "f0b85e7bec90dba829a3ede1ab7d8722" strings: $s7 = "Sorry,DarkSpy got an unknown exception,please re-run it,thanks!" condition: all of them } rule EditServer_EXE { meta: description = "Webshells Auto-generated - file EditServer.exe" author = "Florian Roth" hash = "f945de25e0eba3bdaf1455b3a62b9832" strings: $s2 = "Server %s Have Been Configured" $s5 = "The Server Password Exceeds 32 Characters" $s8 = "9--Set Procecess Name To Inject DLL" condition: all of them } rule FSO_s_reader { meta: description = "Webshells Auto-generated - file reader.asp" author = "Florian Roth" hash = "b598c8b662f2a1f6cc61f291fb0a6fa2" strings: $s2 = "mailto:mailbomb@hotmail." condition: all of them } rule ASP_CmdAsp { meta: description = "Webshells Auto-generated - file CmdAsp.asp" author = "Florian Roth" hash = "79d4f3425f7a89befb0ef3bafe5e332f" strings: $s2 = "' -- Read the output from our command and remove the temp file -- '" $s6 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" $s9 = "' -- create the COM objects that we will be using -- '" condition: all of them } rule KA_uShell { meta: description = "Webshells Auto-generated - file KA_uShell.php" author = "Florian Roth" hash = "685f5d4f7f6751eaefc2695071569aab" strings: $s5 = "if(empty($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW']<>$pass" $s6 = "if ($_POST['path']==\"\"){$uploadfile = $_FILES['file']['name'];}" condition: all of them } rule PHP_Backdoor_v1 { meta: description = "Webshells Auto-generated - file PHP Backdoor v1.php" author = "Florian Roth" hash = "0506ba90759d11d78befd21cabf41f3d" strings: $s5 = "echo\"<form method=\\\"POST\\\" action=\\\"\".$_SERVER['PHP_SELF'].\"?edit=\".$th" $s8 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?proxy" condition: all of them } rule svchostdll { meta: description = "Webshells Auto-generated - file svchostdll.dll" author = "Florian Roth" hash = "0f6756c8cb0b454c452055f189e4c3f4" strings: $s0 = "InstallService" $s1 = "RundllInstallA" $s2 = "UninstallService" $s3 = "&G3 Users In RegistryD" $s4 = "OL_SHUTDOWN;I" $s5 = "SvcHostDLL.dll" $s6 = "RundllUninstallA" $s7 = "InternetOpenA" $s8 = "Check Cloneomplete" condition: all of them } rule HYTop_DevPack_server { meta: description = "Webshells Auto-generated - file server.asp" author = "Florian Roth" hash = "1d38526a215df13c7373da4635541b43" strings: $s0 = "" condition: all of them } rule vanquish { meta: description = "Webshells Auto-generated - file vanquish.dll" author = "Florian Roth" hash = "684450adde37a93e8bb362994efc898c" strings: $s3 = "You cannot delete protected files/folders! Instead, your attempt has been logged" $s8 = "?VCreateProcessA@@YGHPBDPADPAU_SECURITY_ATTRIBUTES@@2HKPAX0PAU_STARTUPINFOA@@PAU" $s9 = "?VFindFirstFileExW@@YGPAXPBGW4_FINDEX_INFO_LEVELS@@PAXW4_FINDEX_SEARCH_OPS@@2K@Z" condition: all of them } rule winshell { meta: description = "Webshells Auto-generated - file winshell.exe" author = "Florian Roth" hash = "3144410a37dd4c29d004a814a294ea26" strings: $s0 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunServices" $s1 = "WinShell Service" $s2 = "__GLOBAL_HEAP_SELECTED" $s3 = "__MSVCRT_HEAP_SELECT" $s4 = "Provide Windows CmdShell Service" $s5 = "URLDownloadToFileA" $s6 = "RegisterServiceProcess" $s7 = "GetModuleBaseNameA" $s8 = "WinShell v5.0 (C)2002 janker.org" condition: all of them } rule FSO_s_remview { meta: description = "Webshells Auto-generated - file remview.php" author = "Florian Roth" hash = "b4a09911a5b23e00b55abe546ded691c" strings: $s2 = " echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\"" $s3 = " echo \"<script>str$i=\\\"\".str_replace(\"\\\"\",\"\\\\\\\"\",str_replace(\"\\\\\",\"\\\\\\\\\"" $s4 = " echo \"<hr size=1 noshade>\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n<" condition: all of them } rule saphpshell { meta: description = "Webshells Auto-generated - file saphpshell.php" author = "Florian Roth" hash = "d7bba8def713512ddda14baf9cd6889a" strings: $s0 = "<td><input type=\"text\" name=\"command\" size=\"60\" value=\"<?=$_POST['command']?>" condition: all of them } rule HYTop2006_rar_Folder_2006Z { meta: description = "Webshells Auto-generated - file 2006Z.exe" author = "Florian Roth" hash = "fd1b6129abd4ab177fed135e3b665488" strings: $s1 = "wangyong,czy,allen,lcx,Marcos,kEvin1986,myth" $s8 = "System\\CurrentControlSet\\Control\\Keyboard Layouts\\%.8x" condition: all of them } rule admin_ad { meta: description = "Webshells Auto-generated - file admin-ad.asp" author = "Florian Roth" hash = "e6819b8f8ff2f1073f7d46a0b192f43b" strings: $s6 = "<td align=\"center\"> <input name=\"cmd\" type=\"text\" id=\"cmd\" siz" $s7 = "Response.write\"<a href='\"&url&\"?path=\"&Request(\"oldpath\")&\"&attrib=\"&attrib&\"'><" condition: all of them } rule FSO_s_casus15 { meta: description = "Webshells Auto-generated - file casus15.php" author = "Florian Roth" hash = "8d155b4239d922367af5d0a1b89533a3" strings: $s6 = "if((is_dir(\"$deldir/$file\")) AND ($file!=\".\") AND ($file!=\"..\"))" condition: all of them } rule BIN_Client { meta: description = "Webshells Auto-generated - file Client.exe" author = "Florian Roth" hash = "9f0a74ec81bc2f26f16c5c172b80eca7" strings: $s0 = "=====Remote Shell Closed=====" $s2 = "All Files(*.*)|*.*||" $s6 = "WSAStartup Error!" $s7 = "SHGetFileInfoA" $s8 = "CreateThread False!" $s9 = "Port Number Error" condition: 4 of them } rule shelltools_g0t_root_uptime { meta: description = "Webshells Auto-generated - file uptime.exe" author = "Florian Roth" hash = "d1f56102bc5d3e2e37ab3ffa392073b9" strings: $s0 = "JDiamondCSlC~" $s1 = "CharactQA" $s2 = "$Info: This file is packed with the UPX executable packer $" $s5 = "HandlereateConso" $s7 = "ION\\System\\FloatingPo" condition: all of them } rule Simple_PHP_BackDooR { meta: description = "Webshells Auto-generated - file Simple_PHP_BackDooR.php" author = "Florian Roth" hash = "a401132363eecc3a1040774bec9cb24f" strings: $s0 = "<hr>to browse go to http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=[directory he" $s6 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fn" $s9 = "// a simple php backdoor" condition: 1 of them } rule sig_2005Gray { meta: description = "Webshells Auto-generated - file 2005Gray.asp" author = "Florian Roth" hash = "75dbe3d3b70a5678225d3e2d78b604cc" strings: $s0 = "SCROLLBAR-FACE-COLOR: #e8e7e7;" $s4 = "echo \" <a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace" $s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)" $s9 = "SCROLLBAR-3DLIGHT-COLOR: #cccccc;" condition: all of them } rule DllInjection { meta: description = "Webshells Auto-generated - file DllInjection.exe" author = "Florian Roth" hash = "a7b92283a5102886ab8aee2bc5c8d718" strings: $s0 = "\\BDoor\\DllInjecti" condition: all of them } rule Mithril_v1_45_Mithril { meta: description = "Webshells Auto-generated - file Mithril.exe" author = "Florian Roth" hash = "f1484f882dc381dde6eaa0b80ef64a07" strings: $s2 = "cress.exe" $s7 = "\\Debug\\Mithril." condition: all of them } rule hkshell_hkrmv { meta: description = "Webshells Auto-generated - file hkrmv.exe" author = "Florian Roth" hash = "bd3a0b7a6b5536f8d96f50956560e9bf" strings: $s5 = "/THUMBPOSITION7" $s6 = "\\EvilBlade\\" condition: all of them } rule phpshell { meta: description = "Webshells Auto-generated - file phpshell.php" author = "Florian Roth" hash = "1dccb1ea9f24ffbd085571c88585517b" strings: $s1 = "echo \"<input size=\\\"100\\\" type=\\\"text\\\" name=\\\"newfile\\\" value=\\\"$inputfile\\\"><b" $s2 = "$img[$id] = \"<img height=\\\"16\\\" width=\\\"16\\\" border=\\\"0\\\" src=\\\"$REMOTE_IMAGE_UR" $s3 = "$file = str_replace(\"\\\\\", \"/\", str_replace(\"//\", \"/\", str_replace(\"\\\\\\\\\", \"\\\\\", " condition: all of them } rule FSO_s_cmd { meta: description = "Webshells Auto-generated - file cmd.asp" author = "Florian Roth" hash = "cbe8e365d41dd3cd8e462ca434cf385f" strings: $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" $s1 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" condition: all of them } rule FeliksPack3___PHP_Shells_phpft { meta: description = "Webshells Auto-generated - file phpft.php" author = "Florian Roth" hash = "60ef80175fcc6a879ca57c54226646b1" strings: $s6 = "PHP Files Thief" $s11 = "http://www.4ngel.net" condition: all of them } rule FSO_s_indexer { meta: description = "Webshells Auto-generated - file indexer.asp" author = "Florian Roth" hash = "135fc50f85228691b401848caef3be9e" strings: $s3 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input type=\"r" condition: all of them } rule r57shell { meta: description = "Webshells Auto-generated - file r57shell.php" author = "Florian Roth" hash = "8023394542cddf8aee5dec6072ed02b5" strings: $s11 = " $_POST['cmd']=\"echo \\\"Now script try connect to" condition: all of them } rule bdcli100 { meta: description = "Webshells Auto-generated - file bdcli100.exe" author = "Florian Roth" hash = "b12163ac53789fb4f62e4f17a8c2e028" strings: $s5 = "unable to connect to " $s8 = "backdoor is corrupted on " condition: all of them } rule HYTop_DevPack_2005Red { meta: description = "Webshells Auto-generated - file 2005Red.asp" author = "Florian Roth" hash = "d8ccda2214b3f6eabd4502a050eb8fe8" strings: $s0 = "scrollbar-darkshadow-color:#FF9DBB;" $s3 = "echo \" <a href=\"\"/\"&encodeForUrl(theHref,false)&\"\"\" target=_blank>\"&replace" $s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\"),2)" condition: all of them } rule HYTop2006_rar_Folder_2006X2 { meta: description = "Webshells Auto-generated - file 2006X2.exe" author = "Florian Roth" hash = "cc5bf9fc56d404ebbc492855393d7620" strings: $s2 = "Powered By " $s3 = " \" onClick=\"this.form.sharp.name=this.form.password.value;this.form.action=this." condition: all of them } rule rdrbs084 { meta: description = "Webshells Auto-generated - file rdrbs084.exe" author = "Florian Roth" hash = "ed30327b255816bdd7590bf891aa0020" strings: $s0 = "Create mapped port. You have to specify domain when using HTTP type." $s8 = "<LOCAL PORT> <MAPPING SERVER> <MAPPING SERVER PORT> <TARGET SERVER> <TARGET" condition: all of them } rule HYTop_CaseSwitch_2005 { meta: description = "Webshells Auto-generated - file 2005.exe" author = "Florian Roth" hash = "8bf667ee9e21366bc0bd3491cb614f41" strings: $s1 = "MSComDlg.CommonDialog" $s2 = "CommonDialog1" $s3 = "__vbaExceptHandler" $s4 = "EVENT_SINK_Release" $s5 = "EVENT_SINK_AddRef" $s6 = "By Marcos" $s7 = "EVENT_SINK_QueryInterface" $s8 = "MethCallEngine" condition: all of them } rule eBayId_index3 { meta: description = "Webshells Auto-generated - file index3.php" author = "Florian Roth" hash = "0412b1e37f41ea0d002e4ed11608905f" strings: $s8 = "$err = \"<i>Your Name</i> Not Entered!</font></h2>Sorry, \\\"You" condition: all of them } rule FSO_s_phvayv { meta: description = "Webshells Auto-generated - file phvayv.php" author = "Florian Roth" hash = "205ecda66c443083403efb1e5c7f7878" strings: $s2 = "wrap=\"OFF\">XXXXXXXX\" title=\"<%=SubFolder.Name%>\"> \" title=\"<%=File.Name%>\"> \" align=\"right\"><%=Attributes(SubFolder.Attributes)%>\">" condition: all of them } rule byloader { meta: description = "Webshells Auto-generated - file byloader.exe" author = "Florian Roth" hash = "0f0d6dc26055653f5844ded906ce52df" strings: $s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk" $s1 = "Failure ... Access is Denied !" $s2 = "NTFS Disk Driver Checking Service" $s3 = "Dumping Description to Registry..." $s4 = "Opening Service .... Failure !" condition: all of them } rule shelltools_g0t_root_Fport { meta: description = "Webshells Auto-generated - file Fport.exe" author = "Florian Roth" hash = "dbb75488aa2fa22ba6950aead1ef30d5" strings: $s4 = "Copyright 2000 by Foundstone, Inc." $s5 = "You must have administrator privileges to run fport - exiting..." condition: all of them } rule BackDooR__fr_ { meta: description = "Webshells Auto-generated - file BackDooR (fr).php" author = "Florian Roth" hash = "a79cac2cf86e073a832aaf29a664f4be" strings: $s3 = "print(\"
Exploit include " condition: all of them } rule FSO_s_ntdaddy { meta: description = "Webshells Auto-generated - file ntdaddy.asp" author = "Florian Roth" hash = "f6262f3ad9f73b8d3e7d9ea5ec07a357" strings: $s1 = "\"> &X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");" condition: all of them } rule HYTop_DevPack_upload { meta: description = "Webshells Auto-generated - file upload.asp" author = "Florian Roth" hash = "b09852bda534627949f0259828c967de" strings: $s0 = "" condition: all of them } rule PasswordReminder { meta: description = "Webshells Auto-generated - file PasswordReminder.exe" author = "Florian Roth" hash = "ea49d754dc609e8bfa4c0f95d14ef9bf" strings: $s3 = "The encoded password is found at 0x%8.8lx and has a length of %d." condition: all of them } rule Pack_InjectT { meta: description = "Webshells Auto-generated - file InjectT.exe" author = "Florian Roth" hash = "983b74ccd57f6195a0584cdfb27d55e8" strings: $s3 = "ail To Open Registry" $s4 = "32fDssignim" $s5 = "vide Internet S" $s6 = "d]Software\\M" $s7 = "TInject.Dll" condition: all of them } rule FSO_s_RemExp_2 { meta: description = "Webshells Auto-generated - file RemExp.asp" author = "Florian Roth" hash = "b69670ecdbb40012c73686cd22696eeb" strings: $s2 = " Then Response.Write \"" $s3 = "" condition: all of them } rule FSO_s_c99 { meta: description = "Webshells Auto-generated - file c99.php" author = "Florian Roth" hash = "5f9ba02eb081bba2b2434c603af454d0" strings: $s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce" condition: all of them } rule rknt_zip_Folder_RkNT { meta: description = "Webshells Auto-generated - file RkNT.dll" author = "Florian Roth" hash = "5f97386dfde148942b7584aeb6512b85" strings: $s0 = "PathStripPathA" $s1 = "`cLGet!Addr%" $s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $" $s3 = "oQToOemBuff* <=" $s4 = "ionCdunAsw[Us'" $s6 = "CreateProcessW: %S" $s7 = "ImageDirectoryEntryToData" condition: all of them } rule dbgntboot { meta: description = "Webshells Auto-generated - file dbgntboot.dll" author = "Florian Roth" hash = "4d87543d4d7f73c1529c9f8066b475ab" strings: $s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp" $s3 = "sth junk the M$ Wind0wZ retur" condition: all of them } rule PHP_shell { meta: description = "Webshells Auto-generated - file shell.php" author = "Florian Roth" hash = "45e8a00567f8a34ab1cccc86b4bc74b9" strings: $s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz" $s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s" condition: all of them } rule hxdef100 { meta: description = "Webshells Auto-generated - file hxdef100.exe" author = "Florian Roth" hash = "55cc1769cef44910bd91b7b73dee1f6c" strings: $s0 = "RtlAnsiStringToUnicodeString" $s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" $s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH" condition: all of them } rule rdrbs100 { meta: description = "Webshells Auto-generated - file rdrbs100.exe" author = "Florian Roth" hash = "7c752bcd6da796d80a6830c61a632bff" strings: $s3 = "Server address must be IP in A.B.C.D format." $s4 = " mapped ports in the list. Currently " condition: all of them } rule Mithril_Mithril { meta: description = "Webshells Auto-generated - file Mithril.exe" author = "Florian Roth" hash = "017191562d72ab0ca551eb89256650bd" strings: $s0 = "OpenProcess error!" $s1 = "WriteProcessMemory error!" $s4 = "GetProcAddress error!" $s5 = "HHt`HHt\\" $s6 = "Cmaudi0" $s7 = "CreateRemoteThread error!" $s8 = "Kernel32" $s9 = "VirtualAllocEx error!" condition: all of them } rule hxdef100_2 { meta: description = "Webshells Auto-generated - file hxdef100.exe" author = "Florian Roth" hash = "1b393e2e13b9c57fb501b7cd7ad96b25" strings: $s0 = "\\\\.\\mailslot\\hxdef-rkc000" $s2 = "Shared Components\\On Access Scanner\\BehaviourBlo" $s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" condition: all of them } rule Release_dllTest { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Florian Roth" hash = "76a59fc3242a2819307bb9d593bef2e0" strings: $s0 = ";;;Y;`;d;h;l;p;t;x;|;" $s1 = "0 0&00060K0R0X0f0l0q0w0" $s2 = ": :$:(:,:0:4:8:D:`=d=" $s3 = "4@5P5T5\\5T7\\7d7l7t7|7" $s4 = "1,121>1C1K1Q1X1^1e1k1s1y1" $s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9" $s6 = "0)0O0\\0a0o0\"1E1P1q1" $s7 = "<.\".ws(2).\"HDD Free : \".view_size($free).\" HDD Total : \".view_" condition: all of them } rule Mithril_v1_45_dllTest { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Florian Roth" hash = "1b9e518aaa62b15079ff6edb412b21e9" strings: $s3 = "syspath" $s4 = "\\Mithril" $s5 = "--list the services in the computer" condition: all of them } rule dbgiis6cli { meta: description = "Webshells Auto-generated - file dbgiis6cli.exe" author = "Florian Roth" hash = "3044dceb632b636563f66fee3aaaf8f3" strings: $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" $s5 = "###command:(NO more than 100 bytes!)" condition: all of them } rule remview_2003_04_22 { meta: description = "Webshells Auto-generated - file remview_2003_04_22.php" author = "Florian Roth" hash = "17d3e4e39fbca857344a7650f7ea55e3" strings: $s1 = "\"\".mm(\"Eval PHP code\").\" (\".mm(\"don't type\").\" \\\"<?\\\"" condition: all of them } rule FSO_s_test { meta: description = "Webshells Auto-generated - file test.php" author = "Florian Roth" hash = "82cf7b48da8286e644f575b039a99c26" strings: $s0 = "$yazi = \"test\" . \"\\r\\n\";" $s2 = "fwrite ($fp, \"$yazi\");" condition: all of them } rule Debug_cress { meta: description = "Webshells Auto-generated - file cress.exe" author = "Florian Roth" hash = "36a416186fe010574c9be68002a7286a" strings: $s0 = "\\Mithril " $s4 = "Mithril.exe" condition: all of them } rule webshell { meta: description = "Webshells Auto-generated - file webshell.php" author = "Florian Roth" hash = "f2f8c02921f29368234bfb4d4622ad19" strings: $s0 = "RhViRYOzz" $s1 = "d\\O!jWW" $s2 = "bc!jWW" $s3 = "0W[&{l" $s4 = "[INhQ@\\" condition: all of them } rule FSO_s_EFSO_2 { meta: description = "Webshells Auto-generated - file EFSO_2.asp" author = "Florian Roth" hash = "a341270f9ebd01320a7490c12cb2e64c" strings: $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" condition: all of them } rule thelast_index3 { meta: description = "Webshells Auto-generated - file index3.php" author = "Florian Roth" hash = "cceff6dc247aaa25512bad22120a14b4" strings: $s5 = "$err = \"Your Name Not Entered!Sorry, \\\"Your Name\\\" field is r" condition: all of them } rule adjustcr { meta: description = "Webshells Auto-generated - file adjustcr.exe" author = "Florian Roth" hash = "17037fa684ef4c90a25ec5674dac2eb6" strings: $s0 = "$Info: This file is packed with the UPX executable packer $" $s2 = "$License: NRV for UPX is distributed under special license $" $s6 = "AdjustCR Carr" $s7 = "ION\\System\\FloatingPo" condition: all of them } rule FeliksPack3___PHP_Shells_xIShell { meta: description = "Webshells Auto-generated - file xIShell.php" author = "Florian Roth" hash = "997c8437c0621b4b753a546a53a88674" strings: $s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"
\")" condition: all of them } rule EditServer_2 { meta: description = "Webshells Auto-generated - file EditServer.exe" author = "Florian Roth" hash = "5c1f25a4d206c83cdfb006b3eb4c09ba" strings: $s0 = "@HOTMAIL.COM" $s1 = "Press Any Ke" $s3 = "glish MenuZ" condition: all of them } rule by064cli { meta: description = "Webshells Auto-generated - file by064cli.exe" author = "Florian Roth" hash = "10e0dff366968b770ae929505d2a9885" strings: $s7 = "packet dropped,redirecting" $s9 = "input the password(the default one is 'by')" condition: all of them } rule Mithril_dllTest { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Florian Roth" hash = "a8d25d794d8f08cd4de0c3d6bf389e6d" strings: $s0 = "please enter the password:" $s3 = "\\dllTest.pdb" condition: all of them } rule peek_a_boo { meta: description = "Webshells Auto-generated - file peek-a-boo.exe" author = "Florian Roth" hash = "aca339f60d41fdcba83773be5d646776" strings: $s0 = "__vbaHresultCheckObj" $s1 = "\\VB\\VB5.OLB" $s2 = "capGetDriverDescriptionA" $s3 = "__vbaExceptHandler" $s4 = "EVENT_SINK_Release" $s8 = "__vbaErrorOverflow" condition: all of them } rule fmlibraryv3 { meta: description = "Webshells Auto-generated - file fmlibraryv3.asp" author = "Florian Roth" hash = "c34c248fed6d5a20d8203924a2088acc" strings: $s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER" condition: all of them } rule Debug_dllTest_2 { meta: description = "Webshells Auto-generated - file dllTest.dll" author = "Florian Roth" hash = "1b9e518aaa62b15079ff6edb412b21e9" strings: $s4 = "\\Debug\\dllTest.pdb" $s5 = "--list the services in the computer" condition: all of them } rule connector { meta: description = "Webshells Auto-generated - file connector.asp" author = "Florian Roth" hash = "3ba1827fca7be37c8296cd60be9dc884" strings: $s2 = "If ( AttackID = BROADCAST_ATTACK )" $s4 = "Add UNIQUE ID for victims / zombies" condition: all of them } rule shelltools_g0t_root_HideRun { meta: description = "Webshells Auto-generated - file HideRun.exe" author = "Florian Roth" hash = "45436d9bfd8ff94b71eeaeb280025afe" strings: $s0 = "Usage -- hiderun [AppName]" $s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997." condition: all of them } rule PHP_Shell_v1_7 { meta: description = "Webshells Auto-generated - file PHP_Shell_v1.7.php" author = "Florian Roth" hash = "b5978501c7112584532b4ca6fb77cba5" strings: $s8 = "[ADDITINAL TITTLE]-phpShell by:[YOURNAME]" condition: all of them } rule xssshell_save { meta: description = "Webshells Auto-generated - file save.asp" author = "Florian Roth" hash = "865da1b3974e940936fe38e8e1964980" strings: $s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID" $s5 = "VictimID = fm_NStr(Victims(i))" condition: all of them } rule screencap { meta: description = "Webshells Auto-generated - file screencap.exe" author = "Florian Roth" hash = "51139091dea7a9418a50f2712ea72aa6" strings: $s0 = "GetDIBColorTable" $s1 = "Screen.bmp" $s2 = "CreateDCA" condition: all of them } rule FSO_s_phpinj_2 { meta: description = "Webshells Auto-generated - file phpinj.php" author = "Florian Roth" hash = "dd39d17e9baca0363cc1c3664e608929" strings: $s9 = "<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO" condition: all of them } rule ZXshell2_0_rar_Folder_zxrecv { meta: description = "Webshells Auto-generated - file zxrecv.exe" author = "Florian Roth" hash = "5d3d12a39f41d51341ef4cb7ce69d30f" strings: $s0 = "RyFlushBuff" $s1 = "teToWideChar^FiYP" $s2 = "mdesc+8F D" $s3 = "\\von76std" $s4 = "5pur+virtul" $s5 = "- Kablto io" $s6 = "ac#f{lowi8a" condition: all of them } rule FSO_s_ajan { meta: description = "Webshells Auto-generated - file ajan.asp" author = "Florian Roth" hash = "22194f8c44524f80254e1b5aec67b03e" strings: $s4 = "entrika.write \"BinaryStream.SaveToFile" condition: all of them } rule c99shell { meta: description = "Webshells Auto-generated - file c99shell.php" author = "Florian Roth" hash = "90b86a9c63e2cd346fe07cea23fbfc56" strings: $s0 = "<br />Input URL: <input name=\\\"uploadurl\\\" type=\\\"text\\\"&" condition: all of them } rule phpspy_2005_full { meta: description = "Webshells Auto-generated - file phpspy_2005_full.php" author = "Florian Roth" hash = "d1c69bb152645438440e6c903bac16b2" strings: $s7 = "echo \" <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco" condition: all of them } rule FSO_s_zehir4_2 { meta: description = "Webshells Auto-generated - file zehir4.asp" author = "Florian Roth" hash = "5b496a61363d304532bcf52ee21f5d55" strings: $s4 = "\"Program Files\\Serv-u\\Serv" condition: all of them } rule FSO_s_indexer_2 { meta: description = "Webshells Auto-generated - file indexer.asp" author = "Florian Roth" hash = "135fc50f85228691b401848caef3be9e" strings: $s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>" condition: all of them } rule HYTop_DevPack_2005 { meta: description = "Webshells Auto-generated - file 2005.asp" author = "Florian Roth" hash = "63d9fd24fa4d22a41fc5522fc7050f9f" strings: $s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")" $s8 = "scrollbar-darkshadow-color:#9C9CD3;" $s9 = "scrollbar-face-color:#E4E4F3;" condition: all of them } rule _root_040_zip_Folder_deploy { meta: description = "Webshells Auto-generated - file deploy.exe" author = "Florian Roth" hash = "2c9f9c58999256c73a5ebdb10a9be269" strings: $s5 = "halon synscan 127.0.0.1 1-65536" $s8 = "Obviously you replace the ip address with that of the target." condition: all of them } rule by063cli { meta: description = "Webshells Auto-generated - file by063cli.exe" author = "Florian Roth" hash = "49ce26eb97fd13b6d92a5e5d169db859" strings: $s2 = "#popmsghello,are you all right?" $s4 = "connect failed,check your network and remote ip." condition: all of them } rule icyfox007v1_10_rar_Folder_asp { meta: description = "Webshells Auto-generated - file asp.asp" author = "Florian Roth" hash = "2c412400b146b7b98d6e7755f7159bb9" strings: $s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>" condition: all of them } rule FSO_s_EFSO_2_2 { meta: description = "Webshells Auto-generated - file EFSO_2.asp" author = "Florian Roth" hash = "a341270f9ebd01320a7490c12cb2e64c" strings: $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" condition: all of them } rule byshell063_ntboot_2 { meta: description = "Webshells Auto-generated - file ntboot.dll" author = "Florian Roth" hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d" strings: $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)" condition: all of them } rule u_uay { meta: description = "Webshells Auto-generated - file uay.exe" author = "Florian Roth" hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4" strings: $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe" $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security" condition: 1 of them } rule bin_wuaus { meta: description = "Webshells Auto-generated - file wuaus.dll" author = "Florian Roth" hash = "46a365992bec7377b48a2263c49e4e7d" strings: $s1 = "9(90989@9V9^9f9n9v9" $s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:" $s3 = ";(=@=G=O=T=X=\\=" $s4 = "TCP Send Error!!" $s5 = "1\"1;1X1^1e1m1w1~1" $s8 = "=$=)=/=<=Y=_=j=p=z=" condition: all of them } rule pwreveal { meta: description = "Webshells Auto-generated - file pwreveal.exe" author = "Florian Roth" hash = "b4e8447826a45b76ca45ba151a97ad50" strings: $s0 = "*<Blank - no es" $s3 = "JDiamondCS " $s8 = "sword set> [Leith=0 bytes]" $s9 = "ION\\System\\Floating-" condition: all of them } rule shelltools_g0t_root_xwhois { meta: description = "Webshells Auto-generated - file xwhois.exe" author = "Florian Roth" hash = "0bc98bd576c80d921a3460f8be8816b4" strings: $s1 = "rting! " $s2 = "aTypCog(" $s5 = "Diamond" $s6 = "r)r=rQreryr" condition: all of them } rule vanquish_2 { meta: description = "Webshells Auto-generated - file vanquish.exe" author = "Florian Roth" hash = "2dcb9055785a2ee01567f52b5a62b071" strings: $s2 = "Vanquish - DLL injection failed:" condition: all of them } rule down_rar_Folder_down { meta: description = "Webshells Auto-generated - file down.asp" author = "Florian Roth" hash = "db47d7a12b3584a2e340567178886e71" strings: $s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\" & Snet.ComputerName &" condition: all of them } rule cmdShell { meta: description = "Webshells Auto-generated - file cmdShell.asp" author = "Florian Roth" hash = "8a9fef43209b5d2d4b81dfbb45182036" strings: $s1 = "if cmdPath=\"wscriptShell\" then" condition: all of them } rule ZXshell2_0_rar_Folder_nc { meta: description = "Webshells Auto-generated - file nc.exe" author = "Florian Roth" hash = "2cd1bf15ae84c5f6917ddb128827ae8b" strings: $s0 = "WSOCK32.dll" $s1 = "?bSUNKNOWNV" $s7 = "p@gram Jm6h)" $s8 = "ser32.dllCONFP@" condition: all of them } rule portlessinst { meta: description = "Webshells Auto-generated - file portlessinst.exe" author = "Florian Roth" hash = "74213856fc61475443a91cd84e2a6c2f" strings: $s2 = "Fail To Open Registry" $s3 = "f<-WLEggDr\"" $s6 = "oMemoryCreateP" condition: all of them } rule SetupBDoor { meta: description = "Webshells Auto-generated - file SetupBDoor.exe" author = "Florian Roth" hash = "41f89e20398368e742eda4a3b45716b6" strings: $s1 = "\\BDoor\\SetupBDoor" condition: all of them } rule phpshell_3 { meta: description = "Webshells Auto-generated - file phpshell.php" author = "Florian Roth" hash = "e8693a2d4a2ffea4df03bb678df3dc6d" strings: $s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" $s5 = " echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" condition: all of them } rule BIN_Server { meta: description = "Webshells Auto-generated - file Server.exe" author = "Florian Roth" hash = "1d5aa9cbf1429bb5b8bf600335916dcd" strings: $s0 = "configserver" $s1 = "GetLogicalDrives" $s2 = "WinExec" $s4 = "fxftest" $s5 = "upfileok" $s7 = "upfileer" condition: all of them } rule HYTop2006_rar_Folder_2006 { meta: description = "Webshells Auto-generated - file 2006.asp" author = "Florian Roth" hash = "c19d6f4e069188f19b08fa94d44bc283" strings: $s6 = "strBackDoor = strBackDoor " condition: all of them } rule r57shell_3 { meta: description = "Webshells Auto-generated - file r57shell.php" author = "Florian Roth" hash = "87995a49f275b6b75abe2521e03ac2c0" strings: $s1 = "<b>\".$_POST['cmd']" condition: all of them } rule HDConfig { meta: description = "Webshells Auto-generated - file HDConfig.exe" author = "Florian Roth" hash = "7d60e552fdca57642fd30462416347bd" strings: $s0 = "An encryption key is derived from the password hash. " $s3 = "A hash object has been created. " $s4 = "Error during CryptCreateHash!" $s5 = "A new key container has been created." $s6 = "The password has been added to the hash. " condition: all of them } rule FSO_s_ajan_2 { meta: description = "Webshells Auto-generated - file ajan.asp" author = "Florian Roth" hash = "22194f8c44524f80254e1b5aec67b03e" strings: $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")" $s3 = "/file.zip" condition: all of them } rule Webshell_and_Exploit_CN_APT_HK : Webshell { meta: author = "Florian Roth" description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters" date = "10.10.2014" score = 50 strings: $a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword $s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">" $s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">" condition: $a0 or ( all of ($s*) ) } rule JSP_Browser_APT_webshell { meta: description = "VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a" author = "F.Roth" date = "10.10.2014" score = 60 strings: $a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii $a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii $a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii $a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii condition: all of them } rule JSP_jfigueiredo_APT_webshell { meta: description = "JSP Browser used as web shell by APT groups - author: jfigueiredo" author = "F.Roth" date = "12.10.2014" score = 60 reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp" strings: $a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii $a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii condition: all of them } rule JSP_jfigueiredo_APT_webshell_2 { meta: description = "JSP Browser used as web shell by APT groups - author: jfigueiredo" author = "F.Roth" date = "12.10.2014" score = 60 reference = "http://ceso.googlecode.com/svn/web/bko/filemanager/" strings: $a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii $a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii $s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii $s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii condition: all of ($a*) or all of ($s*) } rule Webshell_Insomnia { meta: description = "Insomnia Webshell - file InsomniaShell.aspx" author = "Florian Roth" reference = "http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/" date = "2014/12/09" hash = "e0cfb2ffaa1491aeaf7d3b4ee840f72d42919d22" score = 80 strings: $s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii $s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii $s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii $s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii $s4 = "string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii $s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii $s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii $s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii condition: 3 of them } rule HawkEye_PHP_Panel { meta: description = "Detects HawkEye Keyloggers PHP Panel" author = "Florian Roth" date = "2014/12/14" score = 60 strings: $s0 = "$fname = $_GET['fname'];" ascii fullword $s1 = "$data = $_GET['data'];" ascii fullword $s2 = "unlink($fname);" ascii fullword $s3 = "echo \"Success\";" fullword ascii condition: all of ($s*) and filesize < 600 } rule SoakSoak_Infected_Wordpress { meta: description = "Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX" reference = "http://goo.gl/1GzWUX" author = "Florian Roth" date = "2014/12/15" score = 60 strings: $s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword $s1 = "function FuncQueueObject()" ascii fullword $s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword condition: all of ($s*) } rule Pastebin_Webshell { meta: description = "Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs" author = "Florian Roth" score = 70 date = "13.01.2015" reference = "http://goo.gl/7dbyZs" strings: $s0 = "file_get_contents(\"http://pastebin.com" ascii $s1 = "xcurl('http://pastebin.com/download.php" ascii $s2 = "xcurl('http://pastebin.com/raw.php" ascii $x0 = "if($content){unlink('evex.php');" ascii $x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii $y0 = "file_put_contents($pth" ascii $y1 = "echo \"<login_ok>" ascii $y2 = "str_replace('* @package Wordpress',$temp" ascii condition: 1 of ($s*) or all of ($x*) or all of ($y*) } rule ASPXspy2 { meta: description = "Web shell - file ASPXspy2.aspx" author = "Florian Roth" reference = "not set" date = "2015/01/24" hash = "5642387d92139bfe9ae11bfef6bfe0081dcea197" strings: $s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii $s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii $s3 = "Process[] p=Process.GetProcesses();" fullword ascii $s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii $s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii $s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii $s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii $s8 = "Copyright © 2009 Bin -- <a href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii $s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii $s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii $s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii $s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii $s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii $s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii condition: 6 of them } /* Yara Rule Set Author: Florian Roth Date: 2016-01-11 Identifier: Web Shell Repo Reference: https://github.com/nikicat/web-malware-collection */ rule Webshell_27_9_c66_c99 { meta: description = "Detects Webshell - rule generated from from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ..." author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4" hash2 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c" hash3 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596" hash4 = "80ec7831ae888d5603ed28d81225ed8b256c831077bb8feb235e0a1a9b68b748" hash5 = "6ce99e07aa98ba6dc521c34cf16fbd89654d0ba59194878dffca857a4c34e57b" hash6 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1" hash7 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a" hash8 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966" hash9 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f" hash10 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5" strings: $s4 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii $s6 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii $s7 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii condition: filesize < 685KB and 1 of them } rule Webshell_acid_AntiSecShell_3 { meta: description = "Detects Webshell Acid" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4" hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549" hash3 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092" hash4 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5" hash5 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c" hash6 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06" hash7 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596" hash8 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9" hash9 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1" hash10 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a" hash11 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966" hash12 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96" hash13 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc" hash14 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791" hash15 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f" hash16 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f" hash17 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5" hash18 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd" strings: $s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii $s1 = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii condition: filesize < 900KB and all of them } rule Webshell_c99_4 { meta: description = "Detects C99 Webshell" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4" hash2 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092" hash3 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5" hash4 = "5d7709a33879d1060a6cff5bae119de7d5a3c17f65415822fd125af56696778c" hash5 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06" hash6 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596" hash7 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9" hash8 = "383d771b55bbe5343bab946fd7650fd42de1933c4c8f32449d9a40c898444ef1" hash9 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a" hash10 = "615e768522447558970c725909e064558f33d38e6402c63c92a1a8bc62b64966" hash11 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96" hash12 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f" hash13 = "a4db77895228f02ea17ff48976e03100ddfaef7c9f48c1d40462872f103451d5" hash14 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd" strings: $s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii $s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii $s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii $s4 = "$ret = myshellexec($handler);" fullword ascii $s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii condition: filesize < 900KB and 1 of them } rule Webshell_r57shell_2 { meta: description = "Detects Webshell R57" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6" hash2 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d" hash3 = "aa957ca4154b7816093d667873cf6bdaded03f820e84d8f1cd5ad75296dd5d4d" hash4 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881" hash5 = "756b788401aad4bfd4dbafd15c382d98e3ba079390addb5b0cea7ff7f985f881" hash6 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2" hash7 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88" hash8 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8" hash9 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f" hash10 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f" hash11 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519" hash12 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f" hash13 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92" strings: $s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii $s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii condition: filesize < 900KB and all of them } rule Webshell_27_9_acid_c99_locus7s { meta: description = "Detects Webshell - rule generated from from files 27.9.txt, acid.php, c99_locus7s.txt" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "2b8aed49f50acd0c1b89a399647e1218f2a8545da96631ac0882da28810eecc4" hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549" hash3 = "960feb502f913adff6b322bc9815543e5888bbf9058ba0eb46ceb1773ea67668" hash4 = "07f9ec716fb199e00a90091ffba4c2ee1a328a093a64e610e51ab9dd6d33357a" hash5 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96" hash6 = "5ae121f868555fba112ca2b1a9729d4414e795c39d14af9e599ce1f0e4e445d3" hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f" hash8 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f" strings: $s0 = "$blah = ex($p2.\" /tmp/back \".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii $s1 = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii condition: filesize < 1711KB and 1 of them } rule Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 { meta: description = "Detects Webshell - rule generated from from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ..." author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "e46777e5f1ac1652db3ce72dd0a2475ea515b37a737fffd743126772525a47e6" hash2 = "f51a5c5775d9cca0b137ddb28ff3831f4f394b7af6f6a868797b0df3dcdb01ba" hash3 = "16b6ec4b80f404f4616e44d8c21978dcdad9f52c84d23ba27660ee8e00984ff2" hash4 = "59105e4623433d5bf93b9e17d72a43a40a4d8ac99e4a703f1d8851ad1276cd88" hash5 = "6dc417db9e07420a618d44217932ca8baf3541c08d5e68281e1be10af4280e4a" hash6 = "5d07fdfee2dc6d81da26f05028f79badd10dec066909932129d398627b2f4e94" hash7 = "1db0549066f294f814ec14ba4e9f63d88c4460d68477e5895236173df437d2b8" hash8 = "c6a5148c81411ec9200810619fa5eec6616800a4d76c988431c272bc8679254f" hash9 = "59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519" hash10 = "0e0227a0001b38fb59fc07749e80c9d298ff0e6aca126ea8f4ea68ebc9a3661f" hash11 = "ef74644065925aa8d64913f5f124fe73d8d289d5f019a104bf5f56689f49ba92" strings: $s1 = "$_POST['cmd'] = which('" ascii $s2 = "$blah = ex(" fullword ascii condition: filesize < 600KB and all of them } rule Webshell_c100 { meta: description = "Detects Webshell - rule generated from from files c100 v. 777shell" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "0202f72b3e8b62e5ebc99164c7d4eb8ec5be6a7527286e9059184aa8321e0092" hash2 = "d4424c61fe29d2ee3d8503f7d65feb48341ac2fc0049119f83074950e41194d5" hash3 = "21dd06ec423f0b49732e4289222864dcc055967922d0fcec901d38a57ed77f06" hash4 = "c377f9316a4c953602879eb8af1fd7cbb0dd35de6bb4747fa911234082c45596" hash5 = "816e699014be9a6d02d5d184eb958c49469d687b7c6fb88e878bca64688a19c9" hash6 = "bbe0f7278041cb3a6338844aa12c3df6b700a12a78b0a58bce3dce14f1c37b96" hash7 = "ef3a7cd233a880fc61efc3884f127dd8944808babd1203be2400144119b6057f" strings: $s0 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii $s1 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii $s3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii $s4 = "which wget curl w3m lynx" ascii $s6 = "netstat -atup | grep IST" ascii condition: filesize < 685KB and 2 of them } rule Webshell_AcidPoison { meta: description = "Detects Poison Sh3ll - Webshell" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549" hash2 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549" hash3 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc" hash4 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc" hash5 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791" hash6 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791" hash7 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5" hash8 = "be541cf880a8e389a0767b85f1686443f35b508d1975ee25e1ce3f08fa32cfb5" hash9 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f" hash10 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f" strings: $s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii condition: filesize < 550KB and all of them } rule Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 { meta: description = "Detects Webshell" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "7a69466dbd18182ce7da5d9d1a9447228dcebd365e0fe855d0e02024f4117549" hash2 = "d0edca7539ef2d30f0b3189b21a779c95b5815c1637829b5594e2601e77cb4dc" hash3 = "65e7edf10ffb355bed81b7413c77d13d592f63d39e95948cdaea4ea0a376d791" hash4 = "ba87d26340f799e65c771ccb940081838afe318ecb20ee543f32d32db8533e7f" hash5 = "1fdf6e142135a34ae1caf1d84adf5e273b253ca46c409b2530ca06d65a55ecbd" strings: $s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii $s2 = "foreach($quicklaunch2 as $item) {" fullword ascii condition: filesize < 882KB and all of them } rule Webshell_Ayyildiz { meta: description = "Detects Webshell" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "0e25aec0a9131e8c7bd7d5004c5c5ffad0e3297f386675bccc07f6ea527dded5" hash2 = "9c43aada0d5429f8c47595f79a7cdd5d4eb2ba5c559fb5da5a518a6c8c7c330a" hash3 = "2ebf3e5f5dde4a27bbd60e15c464e08245a35d15cc370b4be6b011aa7a46eaca" hash4 = "77a63b26f52ba341dd2f5e8bbf5daf05ebbdef6b3f7e81cec44ce97680e820f9" hash5 = "61c4fcb6e788c0dffcf0b672ae42b1676f8a9beaa6ec7453fc59ad821a4a8127" strings: $s0 = "echo \"<option value=\\\"\". strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii $s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii condition: filesize < 112KB and all of them } rule Webshell_zehir { meta: description = "Detects Webshell - rule generated from from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt" author = "Florian Roth" reference = "https://github.com/nikicat/web-malware-collection" date = "2016-01-11" score = 70 hash1 = "16e1e886576d0c70af0f96e3ccedfd2e72b8b7640f817c08a82b95ff5d4b1218" hash2 = "0c5f8a2ed62d10986a2dd39f52886c0900a18c03d6d279207b8de8e2ed14adf6" hash3 = "cb9d5427a83a0fc887e49f07f20849985bd2c3850f272ae1e059a08ac411ff66" hash4 = "b57bf397984545f419045391b56dcaf7b0bed8b6ee331b5c46cee35c92ffa13d" hash5 = "febf37a9e8ba8ece863f506ae32ad398115106cc849a9954cbc0277474cdba5c" strings: $s1 = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii $s2 = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii condition: filesize < 200KB and 1 of them } /* Yara Rule Set Author: Florian Roth Date: 2016-09-10 Identifier: Webshells PHP bartblaze */ /* Rule Set ----------------------------------------------------------------- */ rule UploadShell_98038f1efa4203432349badabad76d44337319a6 { meta: description = "Detects a web shell" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" hash1 = "506a6ab6c49e904b4adc1f969c91e4f1a7dde164be549c6440e766de36c93215" strings: $s2 = "$lol = file_get_contents(\"../../../../../wp-config.php\");" fullword ascii $s6 = "@unlink(\"./export-check-settings.php\");" fullword ascii $s7 = "$xos = \"Safe-mode:[Safe-mode:\".$hsafemode.\"] " fullword ascii condition: ( uint16(0) == 0x3f3c and filesize < 6KB and ( all of ($s*) ) ) or ( all of them ) } rule DKShell_f0772be3c95802a2d1e7a4a3f5a45dcdef6997f3 { meta: description = "Detects a web shell" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" hash1 = "7ea49d5c29f1242f81f2393b514798ff7caccb50d46c60bdfcf61db00043473b" strings: $s1 = "<?php Error_Reporting(0); $s_pass = \"" ascii $s2 = "$s_func=\"cr\".\"eat\".\"e_fun\".\"cti\".\"on" ascii condition: ( uint16(0) == 0x3c0a and filesize < 300KB and all of them ) } rule Unknown_8af033424f9590a15472a23cc3236e68070b952e { meta: description = "Detects a web shell" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" hash1 = "3382b5eaaa9ad651ab4793e807032650667f9d64356676a16ae3e9b02740ccf3" strings: $s1 = "$check = $_SERVER['DOCUMENT_ROOT']" fullword ascii $s2 = "$fp=fopen(\"$check\",\"w+\");" fullword ascii $s3 = "fwrite($fp,base64_decode('" ascii condition: ( uint16(0) == 0x6324 and filesize < 6KB and ( all of ($s*) ) ) or ( all of them ) } rule DkShell_4000bd83451f0d8501a9dfad60dce39e55ae167d { meta: description = "Detects a web shell" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" hash1 = "51a16b09520a3e063adf10ff5192015729a5de1add8341a43da5326e626315bd" strings: $x1 = "DK Shell - Took the Best made it Better..!!" fullword ascii $x2 = "preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x" ascii $x3 = "echo '<b>Sw Bilgi<br><br>'.php_uname().'<br></b>';" fullword ascii $s1 = "echo '<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">';" fullword ascii $s9 = "$x = $_GET[\"x\"];" fullword ascii condition: ( uint16(0) == 0x3f3c and filesize < 200KB and 1 of ($x*) ) or ( 3 of them ) } rule WebShell_5786d7d9f4b0df731d79ed927fb5a124195fc901 { meta: description = "Detects a web shell" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" hash1 = "b1733cbb0eb3d440c4174cc67ca693ba92308ded5fc1069ed650c3c78b1da4bc" strings: $s1 = "preg_replace(\"\\x2F\\x2E\\x2A\\x2F\\x65\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x" ascii $s2 = "input[type=text], input[type=password]{" fullword ascii condition: ( uint16(0) == 0x6c3c and filesize < 80KB and all of them ) } rule webshell_e8eaf8da94012e866e51547cd63bb996379690bf { meta: description = "Detects a web shell" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" hash1 = "027544baa10259939780e97dc908bd43f0fb940510119fc4cce0883f3dd88275" strings: $x1 = "@exec('./bypass/ln -s /etc/passwd 1.php');" fullword ascii $x2 = "echo \"<iframe src=mysqldumper/index.php width=100% height=100% frameborder=0></iframe> \";" fullword ascii $x3 = "@exec('tar -xvf mysqldumper.tar.gz');" fullword ascii condition: ( uint16(0) == 0x213c and filesize < 100KB and 1 of ($x*) ) or ( 2 of them ) } rule Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167 { meta: description = "Detects a web shell" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" hash1 = "6362372850ac7455fa9461ed0483032a1886543f213a431f81a2ac76d383b47e" strings: $s1 = "$check = $_SERVER['DOCUMENT_ROOT'] . \"/libraries/lola.php\" ;" fullword ascii $s2 = "$fp=fopen(\"$check\",\"w+\");" fullword ascii $s3 = "fwrite($fp,base64_decode('" ascii condition: ( uint16(0) == 0x6324 and filesize < 2KB and all of them ) } rule WSOShell_0bbebaf46f87718caba581163d4beed56ddf73a7 { meta: description = "Detects a web shell" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" hash1 = "d053086907aed21fbb6019bf9e644d2bae61c63563c4c3b948d755db3e78f395" strings: $s8 = "$default_charset='Wi'.'ndo.'.'ws-12'.'51';" fullword ascii $s9 = "$mosimage_session = \"" fullword ascii condition: ( uint16(0) == 0x3f3c and filesize < 300KB and all of them ) } rule WebShell_Generic_1609_A { meta: description = "Auto-generated rule" author = "Florian Roth" reference = "https://github.com/bartblaze/PHP-backdoors" date = "2016-09-10" super_rule = 1 hash1 = "c817a490cfd4d6377c15c9ac9bcfa136f4a45ff5b40c74f15216c030f657d035" hash3 = "69b9d55ea2eb4a0d9cfe3b21b0c112c31ea197d1cb00493d1dddc78b90c5745e" strings: $s1 = "return $qwery45234dws($b);" fullword ascii condition: ( uint16(0) == 0x3f3c and 1 of them ) } rule Nishang_Webshell { meta: description = "Detects a ASPX web shell" author = "Florian Roth" reference = "https://github.com/samratashok/nishang" date = "2016-09-11" strings: $s1 = "psi.Arguments = \"-noninteractive \" + \"-executionpolicy bypass \" + arg;" ascii $s2 = "output.Text += \"\nPS> \" + console.Text + \"\n\" + do_ps(console.Text);" ascii $s3 = "<title>Antak Webshell" fullword ascii $s4 = "@phpversion(),\"\\x" ascii /* Decloaked version */ $s1 = "$i=Array(\"pv\"=>@phpversion(),\"sv\"" ascii $s3 = "$data = @unserialize(sh_decrypt(@base64_decode($data),$data_key));" ascii condition: ( $h1 at 0 and 1 of them ) or 2 of them } rule Webshell_Tiny_JSP_2 { meta: description = "Detects a tiny webshell - chine chopper" author = "Florian Roth" date = "2015-12-05" score = 100 strings: $s1 = "<%eval(Request(" nocase condition: uint16(0) == 0x253c and filesize < 40 and all of them } /* Yara Rule Set Author: Florian Roth Date: 2017-06-25 Identifier: Wordpress Webshell Reference: Internal Research */ /* Rule Set ----------------------------------------------------------------- */ rule Wordpress_Config_Webshell_Preprend { meta: description = "Webshell that uses standard Wordpress wp-config.php file and appends the malicious code in front of it" author = "Florian Roth" reference = "Internal Research" date = "2017-06-25" score = 65 strings: $x1 = " * @package WordPress" fullword ascii $s1 = "define('DB_NAME'," ascii $s2 = "require_once(ABSPATH . 'wp-settings.php');" ascii $fp1 = "iThemes Security Config" ascii condition: uint32(0) == 0x68703f3c and filesize < 400KB and $x1 and all of ($s*) and not $x1 in (0..1000) and not 1 of ($fp*) } /* Yara Rule Set Author: Florian Roth Date: 2017-07-11 Identifier: PAS Webshell */ /* Rule Set ----------------------------------------------------------------- */ rule PAS_Webshell_Encoded { meta: description = "Detects a PAS webshell" author = "Florian Roth" reference = "http://blog.talosintelligence.com/2017/07/the-medoc-connection.html" date = "2017-07-11" score = 80 strings: $head1 = "" $foot2 = "();}} @header(\"Status: 404 Not Found\"); ?>" condition: ( uint32(0) == 0x68703f3c and filesize < 80KB and ( 3 of them or $head1 at 0 or $head2 in (0..20) or 1 of ($x*) ) ) or $foot1 at (filesize-52) or $foot2 at (filesize-44) } /* Yara Rule Set Author: Florian Roth Date: 2017-09-21 Identifier: ALFA Shell Reference: Internal Research - APT33 */ /* Rule Set ----------------------------------------------------------------- */ rule ALFA_SHELL { meta: description = "Detects web shell often used by Iranian APT groups" author = "Florian Roth" reference = "Internal Research - APT33" date = "2017-09-21" hash1 = "a39d8823d54c55e60a7395772e50d116408804c1a5368391a1e5871dbdc83547" strings: $x1 = "$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64')" ascii $x2 = "#solevisible@gmail.com" fullword ascii $x3 = "'login_page' => '500',//gui or 500 or 403 or 404" fullword ascii $x4 = "$GLOBALS['__ALFA__']" fullword ascii $x5 = "if(!function_exists('b'.'as'.'e6'.'4_'.'en'.'co'.'de')" ascii $f1 = { 76 2F 38 76 2F 36 76 2F 2B 76 2F 2F 66 38 46 27 29 3B 3F 3E 0D 0A } condition: ( filesize < 900KB and 1 of ($x*) or $f1 at (filesize-22) ) } rule Webshell_FOPO_Obfuscation_APT_ON_Nov17_1 { meta: description = "Detects malware from NK APT incident DE" author = "Florian Roth" reference = "Internal Research - ON" date = "2017-11-17" hash1 = "ed6e2e0027d3f564f5ce438984dc8a54577df822ce56ce079c60c99a91d5ffb1" strings: $x1 = "Obfuscation provided by FOPO" fullword ascii $s1 = "\";@eval($" ascii $f1 = { 22 29 29 3B 0D 0A 3F 3E } condition: uint16(0) == 0x3f3c and filesize < 800KB and ( $x1 or ( $s1 in (0..350) and $f1 at (filesize-23) ) ) }