Mini Shell
private rule PHP
{
strings:
$magic = "<?php"
$short_open_tag = "<?"
condition:
$short_open_tag at 0 or $magic in (0..4096)
}
private rule PHP_MAGIC
{
strings:
$magic = "<?php"
$short_open_tag = "<?"
condition:
$magic at 0 or $short_open_tag at 0
}
rule imh_php_base64_obfuscated
{
strings:
$a = "<?php $_F=__FILE__;$_X="
condition:
$a at 0
}
rule imh_php_base64d_obfuscated
{
strings:
// obfuscated string "4_deco"
$a = "chr(52).chr(95).chr(100).chr(101).chr(99).chr(111)"
$b = "edoced_46esab"
$c = "array('ode', 'e', '_dec', 'bas')"
$str_rot = "\\163\\164\\x72\\x5f\\162\\x6f\\164"
condition:
PHP and any of them
}
rule imh_php_mailer_generic
{
strings:
$a = "PRO Mailer V2"
$b = "title>Ofux Mailer"
$c = "MaILER Password"
condition:
any of them
}
rule imh_php_malware_downloader
{
meta:
description = "Malware that pulls and executes data from another server, like pastebin"
strings:
$pastebin_1 = /file_get_contents\(['"]https:\/\/pastebin.com\/raw\/.{6,15}include/
condition:
any of them
}
rule imh_php_malware_inject
{
meta:
description = "Malware injected into otherwise fine files"
strings:
$obfuscated_include = /\n@?include "([^"]{0,10}\\[0-9]{3}){2}/
condition:
$obfuscated_include in (0..30)
}
rule imh_php_malware_literal
{
strings:
$generic_a = "D@rk sH@d0w"
$generic_b = "ln -s /home/$i/public_html/wp-config.php"
$generic_c = "base'.(32*2)"
$generic_d = "a5b0f6efa9662ef6acd2a6e6ea88f765"
$generic_e = "config['botnet_timeout']"
$generic_f = "substr_count($shellPath"
$generic_g = "<input type=hidden name=a value='FilesMAn'>"
$generic_h = "$option(\"/438/e\",$au,438);"
$generic_i = "system file do not delete"
$generic_j = "new motherFucker();"
$generic_k = "bfakeprocb"
$generic_l = "PHP_OS.chr(49)"
$generic_m = "%28%0D%0A%66%75%6E%63%74%69%6F%6E%28"
$generic_n = "Grab Usernames from /home/"
$generic_o = "die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321"
$generic_p = "ZHCtehUnstopable"
$generic_q = "$v4af189b="
$generic_r = "$i437e2fb="
$generic_s = "af5f492a2"
$generic_t = "$EEkRtL8DY="
$generic_u = "function _68758598"
$generic_v = "$O00OO0=urldecode"
// a similar but not exact rule to the following is also in heuristic
$generic_w = "@error_reporting(0);@set_time_limit(0)"
$generic_x = "return $g.''.$o.''.$i;"
$generic_y = "$code = iget_data($_REQUEST['o']);\neval(\"?>\".$code);"
$uploader_1 = "$_FILES[\"\\165\\x70\\154\\x6f\\x61\\x64\\x73\"]"
$wc_ajax_try_2020 = "md5(md5(md5($_POST['token_admin"
$generic_z = "substr(md5(time()), 0, 8) . \".php\""
$fake_log_file = "$filename=Class_UC_key(\"2470617373776F72643D27\").$password."
$vuln = "<title>Vuln!! patch it Now!</title><?php"
$uploader_2 = "<?php error_reporting(0); $path = __DIR__; if($_GET[\"rands\"]=="
$trage_uploader = ");if(move_uploaded_file($_FILES[\"tragefile"
$foxauto = "FoxAutoV5"
$dns_spammer = "$wp_t=array"
condition:
PHP and any of them
}
rule imh_php_malware_literal_2
{
strings:
$backdoor_1 = "eval(TC9A16C47DA8EEE87(\"QAIAPD9waHAgABEkY29s"
$spammer = "kmbske ($dcokepc, $dyuyue) { return $dcokepc ^ str_repeat"
$backdoor_2 = "64_decode(\"aWYoIWVtcHR5KCRfR"
$obfu = "ecode('eNqVWvtTFFfa/lc"
$widgetmalware_1 = "ecode('JGY9ZGlybmFtZShfX2Zpb"
$annizod = "9HJ>\nu H/L6: ="
$ali181091 = "ali181091@yahoo.com"
$key = ".hyib/;dq4ux9*zjmclp3_r80)t(vakng1s2foe75w6"
$globals = "${\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"}"
$h4250d5 = "$h4250d5[j5f5dd]"
$backdoor = "ecode(\"UEsDBBQAAAAIAEMl70ysSqmPSQcAALMTAAAMAAA"
$wso_shell = "4k5yui1k5yu='5b37Wxs30zD8Zm1d/R/E1mrXQYyx"
$shadow_mangler = "$b=fopen('/home/'.$user.'/etc/'.$t.'/shadow','ab');fwrit"
$ubh_shell = "add_object_page(\"UBH\",\"U\\x42\\x48\""
$k2ll33d_shell = "ecode(\"PD9waHAKLy8gYnkgazJsbDMz"
$generic_a = "fsockopen(\"udp://$_15\",round(0+13"
$obfuscated = "$jtvyc[7]($_COOKIE, $_POST) as $whezkpg => $mzjyuh)"
$act = "<tr><td>>Anonymous Cyber Team<</td></tr>"
$darkshadow = "<title>darkshadow File Manager"
$ofux = "title>Ofux Mailer"
$generic_b = "A='';@eval(base64_decode('QG9iX3N0YXJ0KC"
$shadowdelete = "unlink('/home/'.$user.'/etc/'.$site.'/shadow')"
$toolkit = "64_decode(\"UEsDBAoAAAAAALELCU0AAAAAAAAAAAA"
$uploader_1 = "$f1 = \".ht\"; $f2 = \"acc\"; $f3 = \"ess\";"
$lestershell = "<title>Lester Hax0r"
$docdownloader = "77841099('ZXJyb3JfcmVwb3J0aW5"
$generic_c = "bh4dy2k = \"G%03B%11E%06T%03%5E"
$generic_d = "cf4050bc('ZXJyb3JfcmVwb3J0aW"
$downloader = "fn5b7c5e7aaf705('6261736536345f6465636f6465'"
$passwordreset = "':2083/resetpass?user=' . get_current_user()"
$generic_e = "$_klgsMO(\"\\x65\\x76\\x61\\x6c\\x28\\x62"
$docmalware_1 = "fn5b887ea9aabcf('6261736536345f6465636f6465"
$generic = "$rjiqlbk[31].$rjiqlbk[32].$rjiqlbk"
$docmalware_2 = "fn5b8667d2b6bc3('6261736536345f6465636f6465"
$i47_shell = "$lktd = \"eNrsvGmT40iSKPZ5xmz/Q6mszaZH2B0AxEH"
$bangledeshi = ">#Bangladeshi HackeR<"
$dx1z1_shell = "title>Mr.DX1Z1<"
$generic_4 = "$_f2k1cg3 = \"GR%13%1A%16WU_"
$generic_5 = "vxvxgddrtwrewfdsf($e,$q,$w)"
$brute_force = "createBrutePass($_GET['wordsList']"
$cookie_thief = "$GLOBALS['_79565595_']=Array('str_' .'rot13'"
$shell = "ecode(\"PD9waHANCmhlYWRlcignQ2"
$malware_unpacker = "new PclZip(\"ytpovuie.zip\")"
$arbitrary_curl = "$ch, CURLOPT_URL, $_GET['url'])"
$generic_6 = "$zUaDnOj408.\"'1X1rd9u2suj3rJX/gGjrhFIjyZI"
$minexmr = "0@pool.minexmr.com"
$downloader_2 = "$n5b98460961ddd('ZXJyb3JfcmVwb3J0aW5nKDA"
$generic_1 = "tbz74e1 = \"GP%17M%16P%5C%04%0C%40%0C%07G"
$backdoor_3 = "base64_decode('PD9waHANCmVjaG8gIlRoaXMgc2hpdCB3b3JrcyEiOw0"
$stylewpp = "Array('UkVRVUVTVF9VUkk=','P3JlYm9vdD15ZXM='"
$document_downloader = "$x = ''; for ($i = 0, $n = strlen($s); $i < $n; $i +="
$generic_2 = "s($q, $d){ for($g=0;$g<strlen($q);) for($u=0;$u<strlen($d);$u++, $g++)"
$generic_3 = "$xvofz ^ bppyu($zjcpk, $yblei, $zjcpk[8]($xvofz)"
$fir3hwk_passwd = "/etc/passwd/tmp/passwd.bakfir3hawk"
$sym = "SYMLINKER BY HO4R KOD3"
$pwd_protected = /basename\(\$c\)==basename\(\$i\)&&isset\(\$_REQUEST\["q"]\)&&md5\(\$_REQUEST\["q"]\)/
condition:
PHP_MAGIC and any of them
}
rule imh_php_malware_literal_3
{
strings:
$base64_decode_1 = "\\163\\164\\x72\\x5f\\162\\x6f\\164"
$uploader_mushtik = "ecode('ZWNobyAiPHRpdGxlPm11aHN0aWs8L"
$simple_shell = "ecode('rUl6Yts2EP68APkPDHRANk3"
$symlink_attack = "ecode('7Vf/T9tGFP89Uv6H1yOT7ZHaSRBrReKUrj"
$b0ff_shell = "gzinflate($D('7X1te9s2suh3/QqY1QZiItGSnHSzkinb"
$wp_slave = "createBrutePass($wordsList"
$wp_bruteforce = "AgICBXb3JkUHJlc3MgQnJ1dGVGb3JjZSA"
$shell_generic = "$fp = fopen($_POST['path']"
$bloodninja_1 = "64_decode('eNpdUs1u00AQfpWNlYMdrDhO89dEOZTKol"
$arbitrary_eval_2 = "$a = \"7VdrT+NGFP1eqf9hiCIcKwHFj7ClIQh2B"
$uploader_2 = "$_eafg5l = \"G%03B%1CE%5D%07T%0B%40%0C%07G%09%16%16"
$arbitrary_eval_1 = "ecode('fSBpZighZGVmaW5lZCgiUEhQX0VPTCIpKQp7CiAgICBkZW"
$generic_4 = "\\x63\\x6F\\x64\\x65\\x28'xJ3HzoPQdoXfJZMkYkBvijKg92I66E7ozf"
$doc_downloader = "$sp58859d = new O(); echo $sp58859d->execute"
$arbitrary_eval = "ecode(\"PD9waHAgJFpUZUo9Y3JlYX"
$unpacker_1 = "PclZip(\"zlvkejwe.zip"
$bloodninja = "ecode('eNq1fflvU2f677/iieaqQDPhbD7HbsWtQqFAy9ZCp6UDNzq2j2M3jp3aDkk"
$phploot = "http://5.188.86.29:7000"
$z879 = "targetpthrowinticksEntimeType"
$uploader_4 = "file_put_contents($_SERVER[\"DOCUMENT_ROOT\"].\"/\".$_POST["
$spam_script = "$jfnbrsjfq = mail($jewrqwbnlk, $xaouf"
$tuhan_shell = "title>SH3LL TUHAN"
$orb_shell_1 = "ecode(YiunIUY76bBhuhNYIO8($XnNhAWEn"
$indoxploit_shell = "title>IndoXploit"
$outbound_stealth = "_dt2wacy = \"GS%19%19%19%5C%5DUX%40%0C%07G%09"
$shell_1 = "if(isset($_REQUEST['clr_htacc']) == true)\n {\n CheckSecureValue();\n ClearHtaccess();\n exit();"
$filebrowser = "function ShowPage($sFullPathToFile)\n{\n $sOutContent = '';\n $stFileHandle = fopen($sFullPathToFile, 'r');"
$downloader = "exec(\"\\160\\x6b\\151\\154\\x6c\\x20\\x2d\\x39\\40\\55\\x66\\x20\\163\\x74\\x65\\x61\\x6c\\164\\150\");"
$downloader_1 = "<?php goto O847931477431386"
$3xf = "eval(base64_decode(getmal($_getf)));eval(returnmal(getmal($_getf,2),getmal($_getf,1)));__halt_compiler();"
$htaccess = "$mchwdwfn=\"DQoJCUBlcnJvcl9yZXBvc"
$orb_shell = ")) . \"\\x27\\x37\\130\\x31\\x72\\145\\71\\x72\\x47\\x45\\x76\\104\\x6e\\x6e\\x4f\\143\\x35\\x2f"
$cloudswarm = "echo \"\\x61\\x75\\x78\\x36\\124\\x68\\x65\\x69\\157\\107\\150\\165\\x65\\121\\x75\\63\""
$generic_7 = "ttes = 't-yH#\\'m6vgn41o_8kbs5exr73pfad9l*2ciu"
$outbound_1 = "_WRITE failed.\n\n$Info: This file is packed with "
$generic = "fcic = 'g3#of\\'1kc9ubmtHxvls_r6p4e-08idnya*'"
condition:
PHP_MAGIC and any of them
}
rule imh_php_mass_mailer_base64
{
strings:
$a = "if (mail(stripslashes(base64_decode($fr[0])), stripslashes(base64_decode($fr[1])), base64_decode($fr[2]), stripslashes(base64_decode($fr[3]))))"
condition:
PHP and any of them
}
rule imh_php_mass_mailer_leaf
{
strings:
$a = "leafmailer.pw"
condition:
PHP_MAGIC and $a in (0..100)
}
rule imh_php_mass_mailer_sandy2013
{
strings:
$a = "Sandy 2013 - Best Email Marketing Tool"
condition:
PHP and any of them
}
rule imh_php_obfuscated_globals
{
// Match ${"\x47\x4c\x4fB\x41\x4c\x53"}
strings:
$re1 = /\${\"(\\x47|G)(\\x4c|L)(\\x4f|O)(\\x42|B)(\\x41|A)(\\x4c|L)(\\x53|S)\"\}/
condition:
PHP and $re1
}
rule imh_php_shell_generic
{
// Generic shells that are kind enough to label themselves.
// need to add a condition to prevent false positives then move to malware sigs
strings:
$a = "[sS]hell by "
$b = "AnonGhost"
$c = "Automatic cPanel Finder/Cracker"
$d = "Config Grabber v1.0"
$e = "Cpanel Cracker"
$f = "Mohajer22"
$h = "Plugin Name: Docs"
$i = "SpyHackerz"
$j = "Symlink Based Cpanel Cracker By Team IndiShell"
$k = "Yuklendi"
$m = "rednoize.com"
$n = "wso shell"
$o = "z0mbie"
$p = "zeroscience"
$q = "TC9A16C47DA8EEE87"
$r = /(r57|c99|Dx|Crystal|SpY|Indi|jampot)[Ss]h[e3]ll/
$s = "WeB.Sniper"
$t = "phpshell.sourceforge.net"
$u = "KaiserMalware"
$v = "EbRaHiM-VaKeR"
$w = "Satanic Socks Server"
$x = "dz48-coders"
$y = "hashcrack.com"
$z = "Mr.Alsa3ek"
$aa = "dz48-coders"
$indoxploit = "title>IndoXploit"
$spiritokiller = "<title>spiritokiller</title>"
$cheetah_shell = "code(\"PD9waHANCiRjb2xvciA9ICIjYTNlOTU2"
$anonymousfoux = "anonymousfox.com"
$generic = /\(isset\(\$.....\[\$_POST\['fm_usr']]\) && \$_POST\['fm_pwd'] === \$.....\[\$_POST\['fm_usr']]\)/
$scp173 = /array\('','}'\.\$[a-z0-9]{1,12}\.'\/\/'\)\);\/\/scp-173\?>$/
$scp173_2 = /^<\?php ?\x0d\n\/\/scp-173/ // \r\n
$reseller_finder = "coded by: ~Rizi_haxor" // PHP, but no magic
condition:
filesize < 1MB and PHP and any of them
}
Zerion Mini Shell 1.0