Sneed-Reactivity/yara-Neo23x0/apt_laudanum_webshells.yar

346 lines
15 KiB
Text
Raw Normal View History

/*
Yara Rule Set
Author: Florian Roth
Date: 2015-06-22
Identifier: Laudanum
*/
rule asp_file {
meta:
description = "Laudanum Injector Tools - file file.asp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "ff5b1a9598735440bdbaa768b524c639e22f53c5"
id = "e2a80d1f-f2bb-573b-b68c-71e4dfa6e1fa"
strings:
$s1 = "' *** Written by Tim Medin <tim@counterhack.com>" fullword ascii
$s2 = "Response.BinaryWrite(stream.Read)" fullword ascii
$s3 = "Response.Write(Response.Status & Request.ServerVariables(\"REMOTE_ADDR\"))" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "%><a href=\"<%=Request.ServerVariables(\"URL\")%>\">web root</a><br/><%" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "set folder = fso.GetFolder(path)" fullword ascii
$s6 = "Set file = fso.GetFile(filepath)" fullword ascii
condition:
uint16(0) == 0x253c and filesize < 30KB and 5 of them
}
rule php_killnc {
meta:
description = "Laudanum Injector Tools - file killnc.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
id = "241611d3-3636-5a25-b3c3-d45d6cb81c78"
strings:
$s1 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "header(\"HTTP/1.0 404 Not Found\");" fullword ascii
$s3 = "<?php echo exec('killall nc');?>" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<title>Laudanum Kill nc</title>" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "foreach ($allowedIPs as $IP) {" fullword ascii
condition:
filesize < 15KB and 4 of them
}
rule asp_shell {
meta:
description = "Laudanum Injector Tools - file shell.asp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "8bf1ff6f8edd45e3102be5f8a1fe030752f45613"
id = "3ae27254-325a-5358-b5aa-ab24b43ad5a6"
strings:
$s1 = "<form action=\"shell.asp\" method=\"POST\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "%ComSpec% /c dir" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Set objCmd = wShell.Exec(cmd)" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "Server.ScriptTimeout = 180" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "cmd = Request.Form(\"cmd\")" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "' *** http://laudanum.secureideas.net" fullword ascii
$s7 = "Dim wshell, intReturn, strPResult" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 15KB and 4 of them
}
rule settings {
meta:
description = "Laudanum Injector Tools - file settings.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
id = "054b8723-fdfa-51dc-91ae-b915e40b2e54"
strings:
$s1 = "Port: <input name=\"port\" type=\"text\" value=\"8888\">" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<li>Reverse Shell - " fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<li><a href=\"<?php echo plugins_url('file.php', __FILE__);?>\">File Browser</a>" ascii /* PEStudio Blacklist: strings */
condition:
filesize < 13KB and all of them
}
rule asp_proxy {
meta:
description = "Laudanum Injector Tools - file proxy.asp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "51e97040d1737618b1775578a772fa6c5a31afd8"
id = "6193b48a-b3da-5c1e-84e8-0035d9e7ade6"
strings:
$s1 = "'response.write \"<br/> -value:\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" fullword ascii
$s4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" fullword ascii /* PEStudio Blacklist: strings */
$s5 = "s = urlscheme & urlhost & urlport & urlpath" fullword ascii /* PEStudio Blacklist: strings */
$s6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 50KB and all of them
}
rule cfm_shell {
meta:
description = "Laudanum Injector Tools - file shell.cfm"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "885e1783b07c73e7d47d3283be303c9719419b92"
id = "5308eecf-a59f-5100-ab60-5034c5b73e7e"
strings:
$s1 = "Executable: <Input type=\"text\" name=\"cmd\" value=\"cmd.exe\"><br>" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<cfif ( #suppliedCode# neq secretCode )>" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<cfif IsDefined(\"form.cmd\")>" fullword ascii
condition:
filesize < 20KB and 2 of them
}
rule aspx_shell {
meta:
description = "Laudanum Injector Tools - file shell.aspx"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
id = "d4287007-79af-59fa-b8c8-3ac08d75b3bd"
strings:
$s1 = "remoteIp = HttpContext.Current.Request.Headers[\"X-Forwarded-For\"].Split(new" ascii /* PEStudio Blacklist: strings */
$s2 = "remoteIp = Request.UserHostAddress;" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<form method=\"post\" name=\"shell\">" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<body onload=\"document.shell.c.focus()\">" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 20KB and all of them
}
rule php_shell {
meta:
description = "Laudanum Injector Tools - file shell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
id = "8d3dcb16-090b-5a9f-b3d2-3822ec467f69"
strings:
$s1 = "command_hist[current_line] = document.shell.command.value;" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "array_unshift($_SESSION['history'], $command);" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 40KB and all of them
}
rule php_reverse_shell {
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "3ef03bbe3649535a03315dcfc1a1208a09cea49d"
id = "306d150f-95a8-57fd-8f5e-786c429af6b3"
strings:
$s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "printit(\"Successfully opened reverse shell to $ip:$port\");" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "$input = fread($pipes[1], $chunk_size);" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 15KB and all of them
}
rule php_dns {
meta:
description = "Laudanum Injector Tools - file dns.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
id = "a52e453b-07aa-58b9-91e7-f2426a8e8976"
strings:
$s1 = "$query = isset($_POST['query']) ? $_POST['query'] : '';" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "$result = dns_get_record($query, $types[$type], $authns, $addtl);" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "foreach (array_keys($types) as $t) {" fullword ascii
condition:
filesize < 15KB and all of them
}
rule WEB_INF_web {
meta:
description = "Laudanum Injector Tools - file web.xml"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "0251baed0a16c451f9d67dddce04a45dc26cb4a3"
id = "8d0a008c-56d1-59ef-8521-0697add21ba9"
strings:
$s1 = "<servlet-name>Command</servlet-name>" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<jsp-file>/cmd.jsp</jsp-file>" fullword ascii
condition:
filesize < 1KB and all of them
}
rule jsp_cmd {
meta:
description = "Laudanum Injector Tools - file cmd.war"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "55e4c3dc00cfab7ac16e7cfb53c11b0c01c16d3d"
id = "74db62b8-82d5-5a34-aa72-2f85053715a4"
strings:
$s0 = "cmd.jsp}" fullword ascii
$s1 = "cmd.jspPK" fullword ascii
$s2 = "WEB-INF/web.xml" fullword ascii /* Goodware String - occured 1 times */
$s3 = "WEB-INF/web.xmlPK" fullword ascii /* Goodware String - occured 1 times */
$s4 = "META-INF/MANIFEST.MF" fullword ascii /* Goodware String - occured 12 times */
condition:
uint16(0) == 0x4b50 and filesize < 2KB and all of them
}
rule laudanum {
meta:
description = "Laudanum Injector Tools - file laudanum.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
id = "8c836aba-3644-5914-a3ff-937d0a6cd378"
strings:
$s1 = "public function __activate()" fullword ascii
$s2 = "register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 5KB and all of them
}
rule php_file {
meta:
description = "Laudanum Injector Tools - file file.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "7421d33e8007c92c8642a36cba7351c7f95a4335"
id = "68456891-6828-5e42-b8a0-67ecaf83cdc0"
strings:
$s1 = "$allowedIPs =" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "<a href=\"<?php echo $_SERVER['PHP_SELF'] ?>\">Home</a><br/>" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "$dir = isset($_GET[\"dir\"]) ? $_GET[\"dir\"] : \".\";" fullword ascii
$s4 = "$curdir .= substr($curdir, -1) != \"/\" ? \"/\" : \"\";" fullword ascii
condition:
filesize < 10KB and all of them
}
rule warfiles_cmd {
meta:
description = "Laudanum Injector Tools - file cmd.jsp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "3ae3d837e7b362de738cf7fad78eded0dccf601f"
id = "f974255b-cfbe-57b0-af1f-eddb7f12f5ed"
strings:
$s1 = "Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));" fullword ascii /* PEStudio Blacklist: strings */
$s2 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<BR>\");" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "<FORM METHOD=\"GET\" NAME=\"myform\" ACTION=\"\">" fullword ascii
$s4 = "String disr = dis.readLine();" fullword ascii
condition:
filesize < 2KB and all of them
}
rule asp_dns {
meta:
description = "Laudanum Injector Tools - file dns.asp"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "5532154dd67800d33dace01103e9b2c4f3d01d51"
id = "b0e30ca0-7163-5731-98c5-5a1893b8ea80"
strings:
$s1 = "command = \"nslookup -type=\" & qtype & \" \" & query " fullword ascii /* PEStudio Blacklist: strings */
$s2 = "Set objCmd = objWShell.Exec(command)" fullword ascii /* PEStudio Blacklist: strings */
$s3 = "Response.Write command & \"<br>\"" fullword ascii /* PEStudio Blacklist: strings */
$s4 = "<form name=\"dns\" method=\"POST\">" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 21KB and all of them
}
rule php_reverse_shell_2 {
meta:
description = "Laudanum Injector Tools - file php-reverse-shell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
hash = "025db3c3473413064f0606d93d155c7eb5049c42"
id = "f10cc33e-0cb6-5d08-af1f-5ef76368de9d"
strings:
$s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
$s7 = "$shell = 'uname -a; w; id; /bin/sh -i';" fullword ascii /* PEStudio Blacklist: strings */
condition:
filesize < 10KB and all of them
}
rule Laudanum_Tools_Generic {
meta:
description = "Laudanum Injector Tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
reference = "http://laudanum.inguardians.com/"
date = "2015-06-22"
super_rule = 1
hash0 = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
hash1 = "885e1783b07c73e7d47d3283be303c9719419b92"
hash2 = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
hash3 = "7421d33e8007c92c8642a36cba7351c7f95a4335"
hash4 = "f49291aef9165ee4904d2d8c3cf5a6515ca0794f"
hash5 = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
hash6 = "f32b9c2cc3a61fa326e9caebce28ef94a7a00c9a"
hash7 = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
hash8 = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
hash9 = "b50ae35fcf767466f6ca25984cc008b7629676b8"
hash10 = "5570d10244d90ef53b74e2ac287fc657e38200f0"
hash11 = "42bcb491a11b4703c125daf1747cf2a40a1b36f3"
hash12 = "83e4eaaa2cf6898d7f83ab80158b64b1d48096f4"
hash13 = "dec7ea322898690a7f91db9377f035ad7072b8d7"
hash14 = "a2272b8a4221c6cc373915f0cc555fe55d65ac4d"
hash15 = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
hash16 = "43320dc23fb2ed26b882512e7c0bfdc64e2c1849"
id = "15738788-5f34-54d0-92fe-f7024c998a54"
strings:
$s1 = "*** laudanum@secureideas.net" fullword ascii
$s2 = "*** Laudanum Project" fullword ascii
condition:
filesize < 60KB and all of them
}