rule web_shell_crews
{
meta:
author = "@patrickrolsen"
maltype = "Web Shell Crews"
version = "0.6"
reference = "http://www.exploit-db.com/exploits/24905/"
date = "08/19/2014"
strings:
$s1 = "v0pCr3w"
$s2 = "BENJOLSHELL"
$s3 = "EgY_SpIdEr"
$s4 = "
HcJ"
$s5 = "0wn3d"
$s6 = "OnLy FoR QbH"
$s7 = "wSiLm"
$s8 = "b374k r3c0d3d"
$s9 = "x'1n73ct|d"
$s10 = "## CREATED BY KATE ##"
$s11 = "Ikram Ali"
$s12 = "FeeLCoMz"
$s13 = "s3n4t00r"
$s14 = "FaTaLisTiCz_Fx"
$s15 = "feelscanz.pl"
$s16 = "##[ KONFIGURASI"
$s17 = "Created by Kiss_Me"
$s18 = "Casper_Cell"
$s19 = "# [ CREWET ] #"
$s20 = "BY MACKER"
$s21 = "FraNGky"
$s22 = "1dt.w0lf"
$s23 = "Modification By iFX"
$s24 = "Dumped by C99madShell.SQL"
$s25 = "Hacked By Alaa"
$s26 = "XXx_Death_xXX"
$s27 = "zehir3"
$s28 = "zehirhacker"
$s29 = "Shell Tcrew"
$s30 = "w4ck1ng"
$s31 = "TriCkz"
$s32 = "TambukCrew"
$s33 = "Dumped by c100.SQL"
$s34 = "Hacker By Task QQ"
$s35 = "JyHackTeam"
$s36 = "byMesaj"
$s37 = "by STHx"
$s38 = "hacker!@#"
$s39 = "Fucked by 7sign"
$s40 = "Hacked By:NsQk"
$s41 = "Ch1na HLD Secur1ty Team"
$s42 = "hackxsy.net"
$s43 = "[Black Tie]"
$s44 = "[ Black Tie ]"
$s45 = "X4ck By Death"
$s46 = "Recoded bY 0x14113"
$s47 = "0x14113_Server Shell"
$s48 = "BY 0x14113"
$s49 = "[ 0x14113 ASP Shell ]"
$s50 = "ASP Shell"
$s51 = "Hacked by @iSecGroup"
$s52 = "@iSecGroup"
$s53 = "Lulzsecroot"
$s54 = "KingDefacer"
$s55 = "Turkish H4CK3RZ"
$s56 = "by q1w2e3r4"
$s57 = "By Ironfist"
$s58 = "AK-74 Security"
$s59 = "ak74-team.net"
$s60 = "ANTICHAT.RU" nocase
$s61 = "ADMINSTRATORS TOOLKIT"
$s62 = "ASPSpyder"
$s63 = "Shell v 2.1 Biz"
$s64 = "Ayyildiz Tim"
$s65 = "b374k"
$s66 = "Cool Surfer"
$s67 = "vINT 21h"
$s68 = "c0derz shell"
$s69 = "Emperor Hacking TEAM"
$s70 = "Comandos Exclusivos"
$s71 = "Gamma Group"
$s72 = "GFS Web-Shell"
$s73 = "Group Freedom Search"
$s74 = "h4ntu shell"
$s75 = "powered by tsoi"
$s76 = "SaNaLTeRoR"
$s77 = "inDEXER"
$s78 = "ReaDer"
$s79 = "JspWebshell"
$s80 = "zero.cnbct.org"
$s81 = "Aventis KlasVayv"
$s82 = "KlasVayv" nocase
$s825 = "Kodlama by BLaSTER"
$s83 = "TurkGuvenligi"
$s84 = "BLaSTER"
$s85 = "lama's'hell"
$s86 = "Liz0ziM"
$s87 = "Loader'z WEB Shell"
$s88 = "Loader Pro-Hack.ru"
$s89 = "D3vilc0de"
$s90 = "lostDC shell"
$s91 = "MAX666"
$s92 = "Hacked by Silver"
$s93 = ".:NCC:."
$s94 = "National Cracker Crew"
$s95 = "n-c-c.6x.to"
$s96 = "Cr4sh_aka_RKL"
$s97 = "PHANTASMA"
$s98 = "NeW CmD"
$s99 = "z0mbie"
$s100 = "phpRemoteView"
$s101 = "php.spb.ru"
$s102 = "Mehdi"
$s103 = "HolyDemon"
$s104 = "infilak"
$s105 = "Rootshell"
$s106 = "Emperor"
$s107 = "Iranian Hackers"
$s108 = "G-Security"
$s109 = "by DK"
$s110 = "Simorgh"
$s111 = "SimShell"
$s112 = "AventGrup"
$s113 = "Sincap"
$s114 = "zyklon"
$s115 = "lovealihack"
$s116 = "alihack"
condition:
not uint16(0) == 0x5A4D and any of ($s*)
}