// Rule: shell_functions
// Matches non-PE content (the MZ check in the condition excludes Windows
// executables) that contains any one of several PHP source fragments:
// database-administration helpers, file-upload handling and OS command
// execution on a variable named $cmd.
rule shell_functions
{
    meta:
        author = "@patrickrolsen"
        version = "0.1"
        // NOTE(review): the key "data" is probably a typo for the conventional
        // "date" meta field — confirm with the author before renaming, since
        // downstream tooling may index on the key as written.
        data = "08/19/2014"
        reference = "N/A"

    strings:
        // Database administration helper names and the legacy PHP mysql call.
        $s1 = "function listDatabases()"
        $s2 = "function dropDatabase()"
        $s3 = "mysql_drop_db("
        $s4 = "function listTables()"
        // PHP OS command execution on a variable named $cmd.
        $s5 = "passthru($cmd)"
        $s6 = "function check_file()"
        // Literal comparison copied from the source being matched; the
        // backslashes escape the inner double quotes inside the YARA string.
        $s7 = "$id==\"fake-mail\""
        // Mixed case as written in the sample. YARA text strings are
        // case-sensitive unless the "nocase" modifier is given, so a file
        // containing "shell_exec($cmd)" will not hit this string.
        $s8 = "Shell_Exec($cmd)"
        // PHP upload handling; this call is common in benign code as well.
        $s9 = "move_uploaded_file("

    condition:
        // "not" binds tighter than "and": the file must NOT begin with the
        // 0x5A4D ("MZ") DOS header AND must contain at least one of $s1-$s9.
        // NOTE(review): "any of ($s*)" fires on a single hit, and fragments
        // such as $s9 or $s5 occur in ordinary PHP — expect false positives
        // and consider a threshold like "2 of ($s*)" when tuning.
        not uint16(0) == 0x5A4D and any of ($s*)
}