RED PILL 🔴 💊
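// Detects web-shell crew / author tags and banners left in shell source.
// Scope: any non-PE file (the condition excludes files whose first two
// bytes are the "MZ" magic) containing at least one of the atoms below.
// Several atoms are short or generic words; they are marked inline because
// they will match benign text and drive false positives under `any of`.
rule web_shell_crews
{
    meta:
        author = "@patrickrolsen"
        maltype = "Web Shell Crews"
        version = "0.6"
        reference = "http://www.exploit-db.com/exploits/24905/"
        date = "08/19/2014"

    strings:
        // Strings are case-sensitive unless tagged `nocase`.
        // Where a short atom is a substring of a longer one (e.g. $s65 "b374k"
        // inside $s8, $s106 "Emperor" inside $s69, $s82 inside $s81, $s52 inside
        // $s51, $s116 inside $s115, $s84 inside $s82b, $s50 inside $s49), the
        // longer atom adds no detection under `any of ($s*)`; it only makes the
        // match output more descriptive.
        $s1 = "v0pCr3w"
        $s2 = "BENJOLSHELL"
        $s3 = "EgY_SpIdEr"
        $s4 = "<title>HcJ"
        $s5 = "0wn3d"
        $s6 = "OnLy FoR QbH"
        $s7 = "wSiLm"
        $s8 = "b374k r3c0d3d"
        $s9 = "x'1n73ct|d"
        $s10 = "## CREATED BY KATE ##"
        $s11 = "Ikram Ali"
        $s12 = "FeeLCoMz"
        $s13 = "s3n4t00r"
        $s14 = "FaTaLisTiCz_Fx"
        $s15 = "feelscanz.pl"
        $s16 = "##[ KONFIGURASI"
        $s17 = "Created by Kiss_Me"
        $s18 = "Casper_Cell"
        $s19 = "# [ CREWET ] #"
        $s20 = "BY MACKER"
        $s21 = "FraNGky"
        $s22 = "1dt.w0lf"
        $s23 = "Modification By iFX"
        $s24 = "Dumped by C99madShell.SQL"
        $s25 = "Hacked By Alaa"
        $s26 = "XXx_Death_xXX"
        $s27 = "zehir3"
        $s28 = "zehirhacker"
        $s29 = "Shell Tcrew"
        $s30 = "w4ck1ng"
        $s31 = "TriCkz"
        $s32 = "TambukCrew"
        $s33 = "Dumped by c100.SQL"
        $s34 = "Hacker By Task QQ"
        $s35 = "JyHackTeam"
        $s36 = "byMesaj"
        $s37 = "by STHx"
        $s38 = "hacker!@#"
        $s39 = "Fucked by 7sign"
        $s40 = "Hacked By:NsQk"
        $s41 = "Ch1na HLD Secur1ty Team"
        $s42 = "hackxsy.net"
        $s43 = "[Black Tie]"
        $s44 = "[ Black Tie ]"
        $s45 = "X4ck By Death"
        $s46 = "Recoded bY 0x14113"
        $s47 = "0x14113_Server Shell"
        $s48 = "BY 0x14113"
        $s49 = "[ 0x14113 ASP Shell ]"
        $s50 = "ASP Shell"           // generic phrase; false-positive prone
        $s51 = "Hacked by @iSecGroup"
        $s52 = "@iSecGroup"
        $s53 = "Lulzsecroot"
        $s54 = "KingDefacer"
        $s55 = "Turkish H4CK3RZ"
        $s56 = "by q1w2e3r4"
        $s57 = "By Ironfist"
        $s58 = "AK-74 Security"
        $s59 = "ak74-team.net"
        $s60 = "ANTICHAT.RU" nocase
        $s61 = "ADMINSTRATORS TOOLKIT"
        $s62 = "ASPSpyder"
        $s63 = "Shell v 2.1 Biz"
        $s64 = "Ayyildiz Tim"
        $s65 = "b374k"
        $s66 = "Cool Surfer"         // generic phrase; false-positive prone
        $s67 = "vINT 21h"
        $s68 = "c0derz shell"
        $s69 = "Emperor Hacking TEAM"
        $s70 = "Comandos Exclusivos"
        $s71 = "Gamma Group"         // also a legitimate company name; false-positive prone
        $s72 = "GFS Web-Shell"
        $s73 = "Group Freedom Search"
        $s74 = "h4ntu shell"
        $s75 = "powered by tsoi"
        $s76 = "SaNaLTeRoR"
        $s77 = "inDEXER"             // short mixed-case word; false-positive prone
        $s78 = "ReaDer"              // short mixed-case word; false-positive prone
        $s79 = "JspWebshell"
        $s80 = "zero.cnbct.org"
        $s81 = "Aventis KlasVayv"
        $s82 = "KlasVayv" nocase
        $s82b = "Kodlama by BLaSTER" // was mis-numbered "$s825"; renamed, still covered by $s*
        $s83 = "TurkGuvenligi"
        $s84 = "BLaSTER"
        $s85 = "lama's'hell"
        $s86 = "Liz0ziM"
        $s87 = "Loader'z WEB Shell"
        $s88 = "Loader Pro-Hack.ru"
        $s89 = "D3vilc0de"
        $s90 = "lostDC shell"
        $s91 = "MAX666"
        $s92 = "Hacked by Silver"
        $s93 = ".:NCC:."
        $s94 = "National Cracker Crew"
        $s95 = "n-c-c.6x.to"
        $s96 = "Cr4sh_aka_RKL"
        $s97 = "PHANTASMA"
        $s98 = "NeW CmD"
        $s99 = "z0mbie"
        $s100 = "phpRemoteView"
        $s101 = "php.spb.ru"
        $s102 = "Mehdi"              // common given name; false-positive prone
        $s103 = "HolyDemon"
        $s104 = "infilak"
        $s105 = "Rootshell"          // generic word; false-positive prone
        $s106 = "Emperor"            // generic word; false-positive prone
        $s107 = "Iranian Hackers"
        $s108 = "G-Security"
        $s109 = "by DK"              // very short; false-positive prone
        $s110 = "Simorgh"
        $s111 = "SimShell"
        $s112 = "AventGrup"
        $s113 = "Sincap"
        $s114 = "zyklon"
        $s115 = "lovealihack"
        $s116 = "alihack"

    condition:
        // Skip PE images (first two bytes 0x4D 0x5A = "MZ", read little-endian
        // as 0x5A4D); equivalent to the original `not uint16(0) == 0x5A4D`.
        // Any single atom is enough to fire, so the generic atoms above set
        // the rule's false-positive floor.
        uint16(0) != 0x5A4D and any of ($s*)
}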