08e8d462fe
RED PILL 🔴 💊
78 lines
No EOL
2 KiB
Text
78 lines
No EOL
2 KiB
Text
rule misc_shells
|
|
{
|
|
meta:
|
|
author = "@patrickrolsen"
|
|
version = "0.3"
|
|
data = "08/19/2014"
|
|
strings:
|
|
$s1 = "second stage dropper"
|
|
$s2 = "SO dumped "
|
|
$s3 = "killall -9 "
|
|
$s4 = "1.sh"
|
|
$s5 = "faim.php"
|
|
$s6 = "file_get_contents("
|
|
$s7 = "$auth_pass ="
|
|
$s8 = "eval($" // Possible FPs
|
|
$s9 = "Find *config*.php"
|
|
$s10 = "Show running services"
|
|
$s11 = "Show computers"
|
|
$s12 = "Show active connections"
|
|
$s13 = "ARP Table"
|
|
$s14 = "Last Directory"
|
|
$s15 = ".htpasswd files"
|
|
$s16 = "suid files"
|
|
$s17 = "writable folders"
|
|
$s18 = "config* files"
|
|
$s19 = "show opened ports"
|
|
$s20 = ".pwd files"
|
|
$s21 = "locate config."
|
|
$s22 = "history files"
|
|
$s23 = "<?php @eval($_POST['cmd']);?>"
|
|
$s24 = "securityprobe.net"
|
|
$s25 = "ccteam.ru"
|
|
$s26 = "c99sh_sources"
|
|
$s27 = "c99mad"
|
|
$s28 = "31373"
|
|
$s29 = "c99_sess_put"
|
|
$s30 = "(\"fs_move_"
|
|
$s31 = "c99sh_bindport_"
|
|
$s32 = "mysql_dump"
|
|
$s33 = "Change this to your password"
|
|
$s34 = "ps -aux"
|
|
$s35 = "p4ssw0rD"
|
|
$s36 = "Ajax Command Shell by"
|
|
$s37 = "greetings to everyone in rootshell"
|
|
$s38 = "We now update $work_dir to avoid things like"
|
|
$s39 = "ls looks much better with"
|
|
$s40 = "I Always Love Sha"
|
|
$s41 = "fileperm=substr(base_convert(fileperms"
|
|
$s42 = "W A R N I N G: Private Server"
|
|
$s43 = "for power security"
|
|
$s44 = "[kalabanga]"
|
|
$s45 = "GO.cgi"
|
|
$s46 = "eval(gzuncompress(base64_decode("
|
|
$s47 = "ls -lah"
|
|
$s48 = "uname -a"
|
|
$s49 = "imageshack.us"
|
|
$s50 = "For Server Hacking"
|
|
$s51 = "Private Exploit"
|
|
$s52 = "chunk_split(base64_encode("
|
|
$s53 = "ending mail to $to......."
|
|
$s54 = "Mysql interface"
|
|
$s55 = "MySQL Database Backup"
|
|
$s56 = "mysql_tool.php?act=logout"
|
|
$s57 = "Directory Lister"
|
|
$s58 = "username and pass here"
|
|
$s59 = "echo base64_decode($"
|
|
$s60 = "get_current_user("
|
|
$s61 = "hey,specify directory!"
|
|
$s62 = "execute command:"
|
|
$s63 = "FILE UPLOADED TO $"
|
|
$s64 = "This server has been infected by"
|
|
$s65 = "Safe_Mode Bypass"
|
|
$s66 = "Safe Mode Shell"
|
|
$s67 = "CMD ExeCute"
|
|
$s68 = "/etc/passwd"
|
|
condition:
|
|
not uint16(0) == 0x5A4D and any of ($s*)
|
|
} |