/*
 * web_shell_crews
 *
 * Flags a file that (a) does not start with the two bytes "MZ" and
 * (b) contains at least one of the crew names, handles, banner lines or
 * domains listed under `strings`.
 *
 * Matching semantics a reviewer should keep in mind when triaging hits:
 *   - Every string is a plain text string with no `wide` modifier, so only
 *     the single-byte form is searched; a UTF-16 encoded copy of a banner
 *     will not match.
 *   - Only $s60 and $s82 carry `nocase`; all other strings are
 *     case-sensitive.
 *   - No string uses `fullword`, so each one also matches as a substring of
 *     longer text. Short or ordinary-looking entries ($s4 "HcJ",
 *     $s102 "Mehdi", $s78 "ReaDer", $s106 "Emperor", $s50 "ASP Shell",
 *     $s71 "Gamma Group", $s109 "by DK") can therefore hit on unrelated
 *     content. Treat a match on those alone as low confidence and confirm it
 *     against file location, file type and the other strings that matched.
 *   - The condition excludes only files with an MZ header. Archives, images,
 *     logs, documents and other non-script files are still scanned, so
 *     limiting the scan to web-served directories reduces noise.
 *   - Several entries are contained in others ($s65 in $s8, $s82 in $s81,
 *     $s84 in $s825, $s106 in $s69, $s52 in $s51, $s116 in $s115,
 *     $s50 in $s49). The longer form never changes the verdict; it only adds
 *     a more specific identifier to the list of matched strings.
 */
rule web_shell_crews
{
    meta:
        author = "@patrickrolsen"
        maltype = "Web Shell Crews"
        version = "0.6"
        reference = "http://www.exploit-db.com/exploits/24905/"
        date = "08/19/2014"

    strings:
        $s1 = "v0pCr3w"
        $s2 = "BENJOLSHELL"
        $s3 = "EgY_SpIdEr"
        $s4 = "HcJ"    // three bytes only: matches easily by chance in encoded or compressed data
        $s5 = "0wn3d"
        $s6 = "OnLy FoR QbH"
        $s7 = "wSiLm"
        $s8 = "b374k r3c0d3d"
        $s9 = "x'1n73ct|d"
        $s10 = "## CREATED BY KATE ##"
        $s11 = "Ikram Ali"
        $s12 = "FeeLCoMz"
        $s13 = "s3n4t00r"
        $s14 = "FaTaLisTiCz_Fx"
        $s15 = "feelscanz.pl"
        $s16 = "##[ KONFIGURASI"
        $s17 = "Created by Kiss_Me"
        $s18 = "Casper_Cell"
        $s19 = "# [ CREWET ] #"
        $s20 = "BY MACKER"
        $s21 = "FraNGky"
        $s22 = "1dt.w0lf"
        $s23 = "Modification By iFX"
        $s24 = "Dumped by C99madShell.SQL"
        $s25 = "Hacked By Alaa"
        $s26 = "XXx_Death_xXX"
        $s27 = "zehir3"
        $s28 = "zehirhacker"
        $s29 = "Shell Tcrew"
        $s30 = "w4ck1ng"
        $s31 = "TriCkz"
        $s32 = "TambukCrew"
        $s33 = "Dumped by c100.SQL"
        $s34 = "Hacker By Task QQ"
        $s35 = "JyHackTeam"
        $s36 = "byMesaj"
        $s37 = "by STHx"
        $s38 = "hacker!@#"
        $s39 = "Fucked by 7sign"
        $s40 = "Hacked By:NsQk"
        $s41 = "Ch1na HLD Secur1ty Team"
        $s42 = "hackxsy.net"
        $s43 = "[Black Tie]"
        $s44 = "[ Black Tie ]"
        $s45 = "X4ck By Death"
        $s46 = "Recoded bY 0x14113"
        $s47 = "0x14113_Server Shell"
        $s48 = "BY 0x14113"
        $s49 = "[ 0x14113 ASP Shell ]"
        $s50 = "ASP Shell"
        $s51 = "Hacked by @iSecGroup"
        $s52 = "@iSecGroup"
        $s53 = "Lulzsecroot"
        $s54 = "KingDefacer"
        $s55 = "Turkish H4CK3RZ"
        $s56 = "by q1w2e3r4"
        $s57 = "By Ironfist"
        $s58 = "AK-74 Security"
        $s59 = "ak74-team.net"
        $s60 = "ANTICHAT.RU" nocase
        $s61 = "ADMINSTRATORS TOOLKIT"
        $s62 = "ASPSpyder"
        $s63 = "Shell v 2.1 Biz"
        $s64 = "Ayyildiz Tim"
        $s65 = "b374k"
        $s66 = "Cool Surfer"
        $s67 = "vINT 21h"
        $s68 = "c0derz shell"
        $s69 = "Emperor Hacking TEAM"
        $s70 = "Comandos Exclusivos"
        $s71 = "Gamma Group"
        $s72 = "GFS Web-Shell"
        $s73 = "Group Freedom Search"
        $s74 = "h4ntu shell"
        $s75 = "powered by tsoi"
        $s76 = "SaNaLTeRoR"
        $s77 = "inDEXER"
        $s78 = "ReaDer"
        $s79 = "JspWebshell"
        $s80 = "zero.cnbct.org"
        $s81 = "Aventis KlasVayv"
        $s82 = "KlasVayv" nocase
        // Identifier is out of sequence in the original rule; kept as-is
        // because string identifiers appear in match output.
        $s825 = "Kodlama by BLaSTER"
        $s83 = "TurkGuvenligi"
        $s84 = "BLaSTER"
        $s85 = "lama's'hell"
        $s86 = "Liz0ziM"
        $s87 = "Loader'z WEB Shell"
        $s88 = "Loader Pro-Hack.ru"
        $s89 = "D3vilc0de"
        $s90 = "lostDC shell"
        $s91 = "MAX666"
        $s92 = "Hacked by Silver"
        $s93 = ".:NCC:."
        $s94 = "National Cracker Crew"
        $s95 = "n-c-c.6x.to"
        $s96 = "Cr4sh_aka_RKL"
        $s97 = "PHANTASMA"
        $s98 = "NeW CmD"
        $s99 = "z0mbie"
        $s100 = "phpRemoteView"
        $s101 = "php.spb.ru"
        $s102 = "Mehdi"
        $s103 = "HolyDemon"
        $s104 = "infilak"
        $s105 = "Rootshell"
        $s106 = "Emperor"
        $s107 = "Iranian Hackers"
        $s108 = "G-Security"
        $s109 = "by DK"
        $s110 = "Simorgh"
        $s111 = "SimShell"
        $s112 = "AventGrup"
        $s113 = "Sincap"
        $s114 = "zyklon"
        $s115 = "lovealihack"
        $s116 = "alihack"

    condition:
        // uint16(0) reads the first two bytes little-endian, so 0x5A4D is the
        // byte pair 4D 5A ("MZ"). `not` binds more loosely than `==`; the
        // parentheses only make the original grouping explicit.
        not (uint16(0) == 0x5A4D)
        and any of ($s*)
}