/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2015-06-22
   Identifier: Laudanum

   Purpose: one rule per file of the Laudanum injectable web shell collection
   (ASP, ASPX, CFM, JSP/WAR, PHP), plus a generic rule keyed on the project
   banner comments.

   Reviewer notes on this copy:
   - Several string literals are empty ("") or span a line break. YARA accepts
     neither (text strings must be non-empty and sit on one line), so this copy
     will not compile as shown. The content looks like HTML markup that was
     stripped when the page was extracted; restore those literals from the
     upstream rule file before use. Each affected literal is marked
     NOTE(review) below and left exactly as found.
   - Removing a damaged literal instead of restoring it changes what
     "all of them" / "N of them" means for that rule.
   - Rule identifiers must be unique within a compiled rule set. Names such as
     settings, laudanum, php_file and asp_file are generic and may collide when
     this file is merged with other rule files.
   - Every literal is declared ascii only; add the wide modifier if UTF-16
     encoded script files must be covered as well.
   - meta fields (hash, id, reference, ...) are informational and take no part
     in matching. The 40-hex hash values are presumably SHA-1 digests of the
     reference samples.
*/

// file.asp: file browser / download page.
rule asp_file {
   meta:
      description = "Laudanum Injector Tools - file file.asp"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "ff5b1a9598735440bdbaa768b524c639e22f53c5"
      id = "e2a80d1f-f2bb-573b-b68c-71e4dfa6e1fa"
   strings:
      $s1 = "' *** Written by Tim Medin " fullword ascii
      $s2 = "Response.BinaryWrite(stream.Read)" fullword ascii
      $s3 = "Response.Write(Response.Status & Request.ServerVariables(\"REMOTE_ADDR\"))" fullword ascii /* PEStudio Blacklist: strings */
      // NOTE(review): literal spans a line break; markup presumably lost in extraction.
      $s4 = "%>\">web root
<%" fullword ascii /* PEStudio Blacklist: strings */
      $s5 = "set folder = fso.GetFolder(path)" fullword ascii
      $s6 = "Set file = fso.GetFile(filepath)" fullword ascii
   condition:
      // uint16(0) reads the first two bytes little-endian: 0x253c is "<%" at offset 0.
      // 5 of the 6 literals are enough, so one may be absent or altered.
      uint16(0) == 0x253c and filesize < 30KB and 5 of them
}

// killnc.php: literals cover the allowed-IP check, the 404 response and the tool title.
rule php_killnc {
   meta:
      description = "Laudanum Injector Tools - file killnc.php"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
      id = "241611d3-3636-5a25-b3c3-d45d6cb81c78"
   strings:
      $s1 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "header(\"HTTP/1.0 404 Not Found\");" fullword ascii
      // NOTE(review): empty literal; pattern presumably lost in extraction.
      $s3 = "" fullword ascii /* PEStudio Blacklist: strings */
      $s4 = "Laudanum Kill nc" fullword ascii /* PEStudio Blacklist: strings */
      $s5 = "foreach ($allowedIPs as $IP) {" fullword ascii
   condition:
      // No magic-byte check; size cap plus any 4 of the 5 literals.
      filesize < 15KB and 4 of them
}

// shell.asp: command execution page (Request.Form "cmd" passed to wShell.Exec).
rule asp_shell {
   meta:
      description = "Laudanum Injector Tools - file shell.asp"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "8bf1ff6f8edd45e3102be5f8a1fe030752f45613"
      id = "3ae27254-325a-5358-b5aa-ab24b43ad5a6"
   strings:
      // NOTE(review): literal holds only a line break; pattern presumably lost in extraction.
      $s1 = "
" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "%ComSpec% /c dir" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "Set objCmd = wShell.Exec(cmd)" fullword ascii /* PEStudio Blacklist: strings */
      $s4 = "Server.ScriptTimeout = 180" fullword ascii /* PEStudio Blacklist: strings */
      $s5 = "cmd = Request.Form(\"cmd\")" fullword ascii /* PEStudio Blacklist: strings */
      $s6 = "' *** http://laudanum.secureideas.net" fullword ascii
      $s7 = "Dim wshell, intReturn, strPResult" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      // Any 4 of the 7 literals within the size cap.
      filesize < 15KB and 4 of them
}

// settings.php: all three literals look like page text of a settings/menu page.
// NOTE(review): generic rule name; see the header note on identifier collisions.
rule settings {
   meta:
      description = "Laudanum Injector Tools - file settings.php"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
      id = "054b8723-fdfa-51dc-91ae-b915e40b2e54"
   strings:
      $s1 = "Port: " fullword ascii /* PEStudio Blacklist: strings */
      // NOTE(review): $s2 and $s3 span a line break and carry a rendered list bullet;
      // the upstream literals presumably contained HTML list markup.
      $s2 = "
  • Reverse Shell - " fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "
  • \">File Browser" ascii /* PEStudio Blacklist: strings */
   condition:
      filesize < 13KB and all of them
}

// proxy.asp: HTTP proxy page built on Microsoft.XMLHTTP.
rule asp_proxy {
   meta:
      description = "Laudanum Injector Tools - file proxy.asp"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "51e97040d1737618b1775578a772fa6c5a31afd8"
      id = "6193b48a-b3da-5c1e-84e8-0035d9e7ade6"
   strings:
      // NOTE(review): literal spans a line break; markup presumably lost in extraction.
      $s1 = "'response.write \"
    -value:\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" fullword ascii
      $s4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" fullword ascii /* PEStudio Blacklist: strings */
      $s5 = "s = urlscheme & urlhost & urlport & urlpath" fullword ascii /* PEStudio Blacklist: strings */
      $s6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      // All six literals required, including two that are commented-out source lines ($s1, $s4).
      filesize < 50KB and all of them
}

// shell.cfm: ColdFusion shell page.
rule cfm_shell {
   meta:
      description = "Laudanum Injector Tools - file shell.cfm"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "885e1783b07c73e7d47d3283be303c9719419b92"
      id = "5308eecf-a59f-5100-ab60-5034c5b73e7e"
   strings:
      // NOTE(review): all three literals are damaged in this copy ($s1 spans a line
      // break, $s2 and $s3 are empty); the rule has no usable pattern until they are
      // restored from upstream.
      $s1 = "Executable:
    " fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "" fullword ascii
   condition:
      filesize < 20KB and 2 of them
}

// shell.aspx: the two intact literals cover how the page derives the client IP.
rule aspx_shell {
   meta:
      description = "Laudanum Injector Tools - file shell.aspx"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
      id = "d4287007-79af-59fa-b8c8-3ac08d75b3bd"
   strings:
      // $s1 is the only literal here without fullword; it ends mid-statement at "Split(new".
      $s1 = "remoteIp = HttpContext.Current.Request.Headers[\"X-Forwarded-For\"].Split(new" ascii /* PEStudio Blacklist: strings */
      $s2 = "remoteIp = Request.UserHostAddress;" fullword ascii /* PEStudio Blacklist: strings */
      // NOTE(review): $s3 and $s4 are empty; patterns presumably lost in extraction.
      $s3 = "" fullword ascii /* PEStudio Blacklist: strings */
      $s4 = "" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      filesize < 20KB and all of them
}

// shell.php: interactive shell page; literals cover the client-side command
// history script and the server-side session history / "cd" handling.
rule php_shell {
   meta:
      description = "Laudanum Injector Tools - file shell.php"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
      id = "8d3dcb16-090b-5a9f-b3d2-3822ec467f69"
   strings:
      $s1 = "command_hist[current_line] = document.shell.command.value;" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "array_unshift($_SESSION['history'], $command);" fullword ascii /* PEStudio Blacklist: strings */
      $s4 = "if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      filesize < 40KB and all of them
}

// php-reverse-shell.php: proc_open based reverse shell.
rule php_reverse_shell {
   meta:
      description = "Laudanum Injector Tools - file php-reverse-shell.php"
      // NOTE(review): this meta value is wrapped across a line break in this copy; rejoin before compiling.
      license = "Detection Rule License 1.1 
https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "3ef03bbe3649535a03315dcfc1a1208a09cea49d"
      id = "306d150f-95a8-57fd-8f5e-786c429af6b3"
   strings:
      $s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "printit(\"Successfully opened reverse shell to $ip:$port\");" fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "$input = fread($pipes[1], $chunk_size);" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      // None of the literals names Laudanum. NOTE(review): other PHP reverse shells
      // sharing this code may match too; confirm against your corpus.
      filesize < 15KB and all of them
}

// dns.php: DNS lookup page (dns_get_record on a POSTed query).
rule php_dns {
   meta:
      description = "Laudanum Injector Tools - file dns.php"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
      id = "a52e453b-07aa-58b9-91e7-f2426a8e8976"
   strings:
      // NOTE(review): literal is wrapped across a line break in this copy; rejoin before compiling.
      $s1 = "$query = isset($_POST['query']) ? 
$_POST['query'] : '';" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "$result = dns_get_record($query, $types[$type], $authns, $addtl);" fullword ascii /* PEStudio Blacklist: strings */
      // Same allowed-IP check literal as php_killnc $s1.
      $s3 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii /* PEStudio Blacklist: strings */
      $s4 = "foreach (array_keys($types) as $t) {" fullword ascii
   condition:
      filesize < 15KB and all of them
}

// web.xml of the WAR package.
rule WEB_INF_web {
   meta:
      description = "Laudanum Injector Tools - file web.xml"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "0251baed0a16c451f9d67dddce04a45dc26cb4a3"
      id = "8d0a008c-56d1-59ef-8521-0697add21ba9"
   strings:
      // NOTE(review): two short literals; the upstream versions may have included
      // XML tags lost in extraction. Confirm against the upstream rule.
      $s1 = "Command" fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "/cmd.jsp" fullword ascii
   condition:
      // The 1KB size cap does most of the narrowing here.
      filesize < 1KB and all of them
}

// cmd.war: packaged archive containing cmd.jsp.
rule jsp_cmd {
   meta:
      description = "Laudanum Injector Tools - file cmd.war"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "55e4c3dc00cfab7ac16e7cfb53c11b0c01c16d3d"
      id = "74db62b8-82d5-5a34-aa72-2f85053715a4"
   strings:
      $s0 = "cmd.jsp}" fullword ascii
      $s1 = "cmd.jspPK" fullword ascii
      // $s2-$s4 are annotated as also seen in goodware; they only confirm the WAR layout.
      $s2 = "WEB-INF/web.xml" fullword ascii /* Goodware String - occurred 1 times */
      $s3 = "WEB-INF/web.xmlPK" fullword ascii /* Goodware String - occurred 1 times */
      $s4 = "META-INF/MANIFEST.MF" fullword ascii /* Goodware String - occurred 12 times */
   condition:
      // uint16(0) == 0x4b50 is "PK" at offset 0 (little-endian read), the ZIP container magic.
      // Specificity comes from the cmd.jsp entry names together with the 2KB size cap.
      uint16(0) == 0x4b50 and filesize < 2KB and all of them
}

// laudanum.php: WordPress plugin wrapper (register_activation_hook on class WP_Laudanum).
// NOTE(review): generic rule name; see the header note on identifier collisions.
rule laudanum {
   meta:
      description = "Laudanum Injector Tools - file laudanum.php"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
      id = "8c836aba-3644-5914-a3ff-937d0a6cd378"
   strings:
      $s1 = "public function __activate()" fullword ascii
      $s2 = "register_activation_hook(__FILE__, array('WP_Laudanum', 'activate'));" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      filesize < 5KB and all of them
}

// file.php: file browser page driven by the "dir" GET parameter.
rule php_file {
   meta:
      description = "Laudanum Injector Tools - file file.php"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "7421d33e8007c92c8642a36cba7351c7f95a4335"
      id = "68456891-6828-5e42-b8a0-67ecaf83cdc0"
   strings:
      $s1 = "$allowedIPs =" fullword ascii /* PEStudio Blacklist: strings */
      // NOTE(review): literal spans a line break; markup presumably lost in extraction.
      $s2 = "\">Home
    " fullword ascii /* PEStudio Blacklist: strings */
      $s3 = "$dir = isset($_GET[\"dir\"]) ? $_GET[\"dir\"] : \".\";" fullword ascii
      $s4 = "$curdir .= substr($curdir, -1) != \"/\" ? \"/\" : \"\";" fullword ascii
   condition:
      filesize < 10KB and all of them
}

// cmd.jsp: passes the "cmd" request parameter to Runtime.exec and prints the output.
rule warfiles_cmd {
   meta:
      description = "Laudanum Injector Tools - file cmd.jsp"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "3ae3d837e7b362de738cf7fad78eded0dccf601f"
      id = "f974255b-cfbe-57b0-af1f-eddb7f12f5ed"
   strings:
      $s1 = "Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));" fullword ascii /* PEStudio Blacklist: strings */
      // NOTE(review): literal spans a line break; markup presumably lost in extraction.
      $s2 = "out.println(\"Command: \" + request.getParameter(\"cmd\") + \"
    \");" fullword ascii /* PEStudio Blacklist: strings */
      // NOTE(review): empty literal; pattern presumably lost in extraction.
      $s3 = "" fullword ascii
      $s4 = "String disr = dis.readLine();" fullword ascii
   condition:
      filesize < 2KB and all of them
}

// dns.asp: builds an nslookup command line from request values and runs it via objWShell.Exec.
rule asp_dns {
   meta:
      description = "Laudanum Injector Tools - file dns.asp"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "5532154dd67800d33dace01103e9b2c4f3d01d51"
      id = "b0e30ca0-7163-5731-98c5-5a1893b8ea80"
   strings:
      $s1 = "command = \"nslookup -type=\" & qtype & \" \" & query " fullword ascii /* PEStudio Blacklist: strings */
      $s2 = "Set objCmd = objWShell.Exec(command)" fullword ascii /* PEStudio Blacklist: strings */
      // NOTE(review): literal spans a line break; markup presumably lost in extraction.
      $s3 = "Response.Write command & \"
    \"" fullword ascii /* PEStudio Blacklist: strings */
      // NOTE(review): empty literal; pattern presumably lost in extraction.
      $s4 = "" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      filesize < 21KB and all of them
}

// Second php-reverse-shell.php sample (different hash from php_reverse_shell).
rule php_reverse_shell_2 {
   meta:
      description = "Laudanum Injector Tools - file php-reverse-shell.php"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      hash = "025db3c3473413064f0606d93d155c7eb5049c42"
      id = "f10cc33e-0cb6-5d08-af1f-5ef76368de9d"
   strings:
      // Same literal as php_reverse_shell $s1, so a file can match both rules.
      $s1 = "$process = proc_open($shell, $descriptorspec, $pipes);" fullword ascii /* PEStudio Blacklist: strings */
      $s7 = "$shell = 'uname -a; w; id; /bin/sh -i';" fullword ascii /* PEStudio Blacklist: strings */
   condition:
      // Only two literals and neither names Laudanum. NOTE(review): may also match
      // other PHP reverse shells sharing this code; triage a hit as a web shell either way.
      filesize < 10KB and all of them
}

// Generic rule built from 17 sample hashes (super_rule = 1).
rule Laudanum_Tools_Generic {
   meta:
      description = "Laudanum Injector Tools"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "http://laudanum.inguardians.com/"
      date = "2015-06-22"
      super_rule = 1
      hash0 = "076aa781a004ecb2bf545357fd36dcbafdd68b1a"
      hash1 = "885e1783b07c73e7d47d3283be303c9719419b92"
      hash2 = "01d5d16d876c55d77e094ce2b9c237de43b21a16"
      hash3 = "7421d33e8007c92c8642a36cba7351c7f95a4335"
      hash4 = "f49291aef9165ee4904d2d8c3cf5a6515ca0794f"
      hash5 = "c0dee56ee68719d5ec39e773621ffe40b144fda5"
      hash6 = "f32b9c2cc3a61fa326e9caebce28ef94a7a00c9a"
      hash7 = "dc5c03a21267d024ef0f5ab96a34e3f6423dfcd6"
      hash8 = "fd498c8b195967db01f68776ff5e36a06c9dfbfe"
      hash9 = "b50ae35fcf767466f6ca25984cc008b7629676b8"
      hash10 = "5570d10244d90ef53b74e2ac287fc657e38200f0"
      hash11 = "42bcb491a11b4703c125daf1747cf2a40a1b36f3"
      hash12 = "83e4eaaa2cf6898d7f83ab80158b64b1d48096f4"
      hash13 = "dec7ea322898690a7f91db9377f035ad7072b8d7"
      hash14 = "a2272b8a4221c6cc373915f0cc555fe55d65ac4d"
      hash15 = "588739b9e4ef2dbb0b4cf630b73295d8134cc801"
      hash16 = "43320dc23fb2ed26b882512e7c0bfdc64e2c1849"
      id = "15738788-5f34-54d0-92fe-f7024c998a54"
   strings:
      // Both literals are project banner text, not functional code; the per-file
      // rules above are the ones keyed on code statements.
      $s1 = "*** laudanum@secureideas.net" fullword ascii
      $s2 = "*** Laudanum Project" fullword ascii
   condition:
      filesize < 60KB and all of them
}