17 lines
656 B
Text
17 lines
656 B
Text
rule Doki_Attack
|
|
{
|
|
meta:
|
|
copyright = "Intezer Labs"
|
|
author = "Intezer Labs"
|
|
reference = "https://www.intezer.com"
|
|
|
|
strings:
|
|
|
|
$a1 = /curl --retry 3 -m 60 -o \/tmp\w{6}\/tmp\/tmp.{37}.*\\{3}\"http:\/{2}.*\.ngrok\.io[\s\S]*\\{3}\";/ nocase
|
|
$a2 = /rm -rf \/tmp\w{6}\/etc\/crontab;/ nocase
|
|
$s1 = /echo \\{3}\"(\*\s){4}\* root sh \/tmp\/tmp.*\\{3}\" \\{2}u003e\/tmp\w{6}\/etc\/cron.d\/1m;/ nocase
|
|
$s2 = /echo \\{3}\"(\*\s){4}\* root sh \/tmp\/tmp\w*\\{3}\" \\{2}u003e\/tmp\w{6}\/etc\/crontab;/ nocase
|
|
$s3 = /chroot \/tmp\w{6} sh -c \\{3}\"cron \|\| crond/ nocase
|
|
condition:
|
|
all of them
|
|
}
|