
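rule misc_shells
{
    // Broad catch-all for PHP/CGI web shells: c99-family artifacts, shell UI
    // labels, recon/command strings and credential-handling snippets.
    // Restricted to non-PE content by the header check in the condition.
    meta:
        author = "@patrickrolsen"
        version = "0.3"
        // Original key was misspelled "data"; "date" is the conventional meta key
        // that rule-management tooling reads.
        date = "08/19/2014"
        description = "Generic web shell markers (c99 family, command-shell UI strings, recon commands); non-PE files only"

    strings:
        // Dropper / cleanup phrases
        $s1 = "second stage dropper"
        $s2 = "SO dumped "
        $s3 = "killall -9 "
        $s4 = "1.sh"                          // generic filename - FP-prone on its own
        $s5 = "faim.php"

        // PHP primitives commonly seen in shells (also common in benign code)
        $s6 = "file_get_contents("            // FP-prone: ubiquitous PHP builtin
        $s7 = "$auth_pass ="
        $s8 = "eval($"                        // Possible FPs

        // Shell menu / UI labels
        $s9 = "Find *config*.php"
        $s10 = "Show running services"
        $s11 = "Show computers"
        $s12 = "Show active connections"
        $s13 = "ARP Table"
        $s14 = "Last Directory"
        $s15 = ".htpasswd files"
        $s16 = "suid files"
        $s17 = "writable folders"
        $s18 = "config* files"
        $s19 = "show opened ports"
        $s20 = ".pwd files"
        $s21 = "locate config."
        $s22 = "history files"

        // One-line eval backdoor
        $s23 = "<?php @eval($_POST['cmd']);?>"

        // c99 / c99madshell family markers
        $s24 = "securityprobe.net"
        $s25 = "ccteam.ru"
        $s26 = "c99sh_sources"
        $s27 = "c99mad"
        $s28 = "31373"                        // short numeric token - FP-prone
        $s29 = "c99_sess_put"
        $s30 = "(\"fs_move_"
        $s31 = "c99sh_bindport_"
        $s32 = "mysql_dump"                   // FP-prone: legitimate backup tooling

        // Credential / config phrases
        $s33 = "Change this to your password"
        $s34 = "ps -aux"                      // FP-prone: plain admin command
        $s35 = "p4ssw0rD"

        // Greetings, authorship and banner text from assorted shells
        $s36 = "Ajax Command Shell by"
        $s37 = "greetings to everyone in rootshell"
        $s38 = "We now update $work_dir to avoid things like"
        $s39 = "ls looks much better with"
        $s40 = "I Always Love Sha"
        $s41 = "fileperm=substr(base_convert(fileperms"
        $s42 = "W A R N I N G: Private Server"
        $s43 = "for power security"
        $s44 = "[kalabanga]"
        $s45 = "GO.cgi"

        // Obfuscation / encoding idioms
        $s46 = "eval(gzuncompress(base64_decode("
        $s47 = "ls -lah"                      // FP-prone: plain admin command
        $s48 = "uname -a"                     // FP-prone: plain admin command
        $s49 = "imageshack.us"
        $s50 = "For Server Hacking"
        $s51 = "Private Exploit"
        $s52 = "chunk_split(base64_encode("   // also used by legitimate mailers
        $s53 = "ending mail to $to......."

        // Database / file-manager panels
        $s54 = "Mysql interface"
        $s55 = "MySQL Database Backup"
        $s56 = "mysql_tool.php?act=logout"
        $s57 = "Directory Lister"
        $s58 = "username and pass here"
        $s59 = "echo base64_decode($"
        $s60 = "get_current_user("            // FP-prone: PHP builtin
        $s61 = "hey,specify directory!"
        $s62 = "execute command:"
        $s63 = "FILE UPLOADED TO $"
        $s64 = "This server has been infected by"
        $s65 = "Safe_Mode Bypass"
        $s66 = "Safe Mode Shell"
        $s67 = "CMD ExeCute"
        $s68 = "/etc/passwd"                  // FP-prone: appears in many benign scripts

    condition:
        // Skip PE images (MZ header); the original wrote this as
        // "not uint16(0) == 0x5A4D", which YARA parses identically since
        // "not" binds looser than "==".
        // Any single string is enough to fire, so the strings marked FP-prone
        // will hit benign admin scripts and ordinary PHP; treat hits on those
        // alone as low confidence during triage.
        uint16(0) != 0x5A4D and any of ($s*)
}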