YARA rules for Hive
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule WebShell_simattacker {
// Detects the SimAttacker PHP webshell (KingDefacer edit) by literal source strings.
// NOTE(review): $s17 and $s20 are ordinary PHP lines that can occur in benign code;
// because the condition is only "2 of them", those two alone satisfy the rule —
// triage hits that lack any of the attacker-branding strings ($s1, $s4, $s5, $s10).
meta:
description = "PHP Webshells Github Archive - file simattacker.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "258297b62aeaf4650ce04642ad5f19be25ec29c9"
id = "2408fad8-780f-50de-a309-99d14a1d87b6"
strings:
$s1 = "$from = rand (71,1020000000).\"@\".\"Attacker.com\";" fullword
$s4 = " Turkish Hackers : WWW.ALTURKS.COM <br>" fullword
$s5 = " Programer : SimAttacker - Edited By KingDefacer<br>" fullword
$s6 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
$s10 = " e-mail : kingdefacer@msn.com<br>" fullword
// Generic PHP error-reporting call; weak on its own.
$s17 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
$s18 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
// Generic form-handling line; weak on its own.
$s20 = "$Comments=$_POST['Comments'];" fullword
condition:
2 of them
}
rule WebShell_DTool_Pro {
// Detects the DTool Pro PHP/JS webshell by its author tag (r3v3ng4ns), embedded
// JavaScript helper prompts and source comments; requires any 3 of the 8 strings.
meta:
description = "PHP Webshells Github Archive - file DTool Pro.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "e2ee1c7ba7b05994f65710b7bbf935954f2c3353"
id = "9f2922d1-b2af-58ae-b194-ecb33577effa"
strings:
$s1 = "function PHPget(){inclVar(); if(confirm(\"O PHPget agora oferece uma lista pront"
$s2 = "<font size=3>by r3v3ng4ns - revengans@gmail.com </font>" fullword
$s3 = "function PHPwriter(){inclVar();var url=prompt(\"[ PHPwriter ] by r3v3ng4ns\\nDig"
$s11 = "//Turns the 'ls' command more usefull, showing it as it looks in the shell" fullword
$s13 = "if (@file_exists(\"/usr/bin/wget\")) $pro3=\"<i>wget</i> at /usr/bin/wget, \";" fullword
$s14 = "//To keep the changes in the url, when using the 'GET' way to send php variables" fullword
$s16 = "function PHPf(){inclVar();var o=prompt(\"[ PHPfilEditor ] by r3v3ng4ns\\nDigite "
$s18 = "if(empty($fu)) $fu = @$_GET['fu'];" fullword
condition:
3 of them
}
rule WebShell_IronShell_4 {
// Detects the IronShell PHP webshell (title, MySQL login form, chmod form, shell_exec
// call); requires any 3 of the 8 strings. Renamed from WebShell_ironshell (see old_rule_name).
meta:
description = "PHP Webshells Github Archive - file ironshell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
old_rule_name = "WebShell_ironshell"
hash = "d47b8ba98ea8061404defc6b3a30839c4444a262"
id = "06e87e02-372b-5d4e-be52-5515a068665b"
strings:
$s0 = "<title>'.getenv(\"HTTP_HOST\").' ~ Shell I</title>" fullword
$s2 = "$link = mysql_connect($_POST['host'], $_POST['username'], $_POST"
$s4 = "error_reporting(0); //If there is an error, we'll show it, k?" fullword
$s8 = "print \"<form action=\\\"\".$me.\"?p=chmod&file=\".$content.\"&d"
$s15 = "if(!is_numeric($_POST['timelimit']))" fullword
$s16 = "if($_POST['chars'] == \"9999\")" fullword
$s17 = "<option value=\\\"az\\\">a - zzzzz</option>" fullword
// Direct command execution of a user-controlled variable; strongest indicator here.
$s18 = "print shell_exec($command);" fullword
condition:
3 of them
}
rule WebShell_indexer_asp_php {
// Detects the SaNaLTeRoR "inDEXER And ReaDer" file browser shell by its Turkish
// language tag, page title, form actions and JS banner; requires any 3 of 6 strings.
meta:
description = "PHP Webshells Github Archive - file indexer.asp.php.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "e9a7aa5eb1fb228117dc85298c7d3ecd8e288a2d"
id = "d6e17429-1b58-5a1b-846d-f5dbfd74cf3a"
strings:
// Generic HTML meta tag; only meaningful in combination with the branded strings.
$s0 = "<meta http-equiv=\"Content-Language\" content=\"tr\">" fullword
$s1 = "<title>WwW.SaNaLTeRoR.OrG - inDEXER And ReaDer</title>" fullword
$s2 = "<form action=\"?Gonder\" method=\"post\">" fullword
$s4 = "<form action=\"?oku\" method=\"post\">" fullword
$s7 = "var message=\"SaNaLTeRoR - " fullword
$s8 = "nDexEr - Reader\"" fullword
condition:
3 of them
}
rule WebShell_toolaspshell {
// Detects the RHTOOLS 1.5 BETA ASP shell (KingDefacer edit). Despite the .php file
// name in the description, the strings are VBScript/ASP; requires any 2 of 3 strings.
meta:
description = "PHP Webshells Github Archive - file toolaspshell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "11d236b0d1c2da30828ffd2f393dd4c6a1022e3f"
id = "016af030-4991-583c-aab5-a2933ae0eeec"
strings:
$s0 = "cprthtml = \"<font face='arial' size='1'>RHTOOLS 1.5 BETA(PVT) Edited By KingDef"
$s12 = "barrapos = CInt(InstrRev(Left(raiz,Len(raiz) - 1),\"\\\")) - 1" fullword
$s20 = "destino3 = folderItem.path & \"\\index.asp\"" fullword
condition:
2 of them
}
rule WebShell_b374k_mini_shell_php_php {
// Detects the b374k mini shell loader: error suppression, unlimited runtime and an
// eval() of an inflated base64 payload. All three strings are required, which keeps
// the generic $s0/$s3 from firing on their own.
meta:
description = "PHP Webshells Github Archive - file b374k-mini-shell-php.php.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "afb88635fbdd9ebe86b650cc220d3012a8c35143"
id = "d5b0dfa5-46b5-5323-a8e8-b119d8c2c8e5"
strings:
$s0 = "@error_reporting(0);" fullword
// Obfuscated-payload loader pattern; the distinctive string of this rule.
$s2 = "@eval(gzinflate(base64_decode($code)));" fullword
$s3 = "@set_time_limit(0); " fullword
condition:
all of them
}
rule WebShell_Sincap_1_0 {
// Detects the Turkish "Sincap 1.0" session/file shell by AventGrup branding and
// its idiosyncratic variable names; requires any 2 of 5 strings.
meta:
description = "PHP Webshells Github Archive - file Sincap 1.0.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "9b72635ff1410fa40c4e15513ae3a496d54f971c"
id = "38d39739-660f-596d-a297-1f0dfe530797"
strings:
$s4 = "</font></span><a href=\"mailto:shopen@aventgrup.net\">" fullword
$s5 = "<title>:: AventGrup ::.. - Sincap 1.0 | Session(Oturum) B" fullword
$s9 = "</span>Avrasya Veri ve NetWork Teknolojileri Geli" fullword
$s12 = "while (($ekinci=readdir ($sedat))){" fullword
$s19 = "$deger2= \"$ich[$tampon4]\";" fullword
condition:
2 of them
}
rule WebShell_b374k_php {
// Detects the b374k 2.2 PHP shell by its header comments and packed-payload loader;
// requires any 3 of 5 strings.
// NOTE(review): $s8 is a plain comment ruler and is not specific to this shell; it only
// contributes to the count alongside the branded strings.
meta:
description = "PHP Webshells Github Archive - file b374k.php.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "04c99efd187cf29dc4e5603c51be44170987bce2"
id = "73eb7d8d-14bb-5bc2-90b2-90b6bd603bd1"
strings:
$s0 = "// encrypt your password to md5 here http://kerinci.net/?x=decode" fullword
$s6 = "// password (default is: b374k)"
$s8 = "//******************************************************************************"
$s9 = "// b374k 2.2" fullword
$s10 = "eval(\"?>\".gzinflate(base64_decode("
condition:
3 of them
}
rule WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend {
// Detects the original SimAttacker 1.0.0 shell (Simorgh-EV branding). Shares
// $s5/$s16/$s17/$s19 with WebShell_simattacker above, so both rules can fire on one
// file; the higher "3 of them" threshold here limits hits on the generic strings alone.
meta:
description = "PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "6454cc5ab73143d72cf0025a81bd1fe710351b44"
id = "3e0bae7d-77a1-5439-bbe7-177bec23cea0"
strings:
$s4 = " Iranian Hackers : WWW.SIMORGH-EV.COM <br>" fullword
$s5 = "//fake mail = Use victim server 4 DOS - fake mail " fullword
$s10 = "<a style=\"TEXT-DECORATION: none\" href=\"http://www.simorgh-ev.com\">" fullword
// Generic PHP line; weak on its own.
$s16 = "error_reporting(E_ERROR | E_WARNING | E_PARSE);" fullword
$s17 = "echo \"<font size='1' color='#999999'>Dont in windows\";" fullword
// Generic form-handling line; weak on its own.
$s19 = "$Comments=$_POST['Comments'];" fullword
$s20 = "Victim Mail :<br><input type='text' name='to' ><br>" fullword
condition:
3 of them
}
rule WEBSHELL_H4ntu_Shell_Powered_Tsoi_2 {
// Detects the "h4ntu shell [powered by tsoi]" PHP shell; requires any 2 of 4 strings
// and caps scanned file size at 2MB.
// NOTE(review): unlike the sibling rules on this page this one carries date/modified
// but no license or id meta fields; align the meta block with the others.
meta:
description = "PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php"
author = "Florian Roth"
date = "2014-04-06"
modified = "2025-03-21"
old_rule_name = "WebShell_h4ntu_shell__powered_by_tsoi_"
hash = "cbca8cd000e705357e2a7e0cf8262678706f18f9"
strings:
$s1 = "<title>h4ntu shell [powered by tsoi]</title>" fullword
$s2 = "$uname = posix_uname( );" fullword
$s3 = "if(!$whoami)$whoami=exec(\"whoami\");" fullword
$s4 = "echo \"<p><font size=2 face=Verdana><b>This Is The Server Information</b></font>"
condition:
// Size bound avoids scanning large archives/binaries for these text strings.
filesize <2MB and 2 of them
}
rule WebShell_php_webshells_MyShell {
// Detects the "MyShell" PHP shell by its error title, placeholder admin email,
// /tmp-redirected system() call and source comments; requires any 3 of 8 strings.
// NOTE(review): the id below is also used by the other WebShell_php_webshells_* rules
// on this page; rule ids are meant to be unique per rule.
meta:
description = "PHP Webshells Github Archive - file MyShell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "42e283c594c4d061f80a18f5ade0717d3fb2f76d"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
$s3 = "<title>MyShell error - Access Denied</title>" fullword
$s4 = "$adminEmail = \"youremail@yourserver.com\";" fullword
$s5 = "//A workdir has been asked for - we chdir to that dir." fullword
$s6 = "system($command . \" 1> /tmp/output.txt 2>&1; cat /tmp/output.txt; rm /tmp/o"
$s13 = "#$autoErrorTrap Enable automatic error traping if command returns error." fullword
$s14 = "/* No work_dir - we chdir to $DOCUMENT_ROOT */" fullword
$s19 = "#every command you excecute." fullword
// Generic form tag; weak on its own.
$s20 = "<form name=\"shell\" method=\"post\">" fullword
condition:
3 of them
}
rule WebShell_php_webshells_pws {
// Detects the minimal "pws" PHP shell (POST cmd -> passthru, plus a file-upload
// copy). The strings are individually generic, so the condition requires 4 of 6.
// NOTE(review): id is shared with the other WebShell_php_webshells_* rules on this page.
meta:
description = "PHP Webshells Github Archive - file pws.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "7a405f1c179a84ff8ac09a42177a2bcd8a1a481b"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
$s6 = "if ($_POST['cmd']){" fullword
$s7 = "$cmd = $_POST['cmd'];" fullword
$s10 = "echo \"FILE UPLOADED TO $dez\";" fullword
$s11 = "if (file_exists($uploaded)) {" fullword
$s12 = "copy($uploaded, $dez);" fullword
$s17 = "passthru($cmd);" fullword
condition:
4 of them
}
rule WebShell_reader_asp_php {
// Detects the "reader.asp" file reader shell by a mailbomb contact link and its
// inline CSS; requires any 3 of 4 strings.
// NOTE(review): $s12 (" HACKING ") and the CSS fragments $s16/$s20 are not specific
// to this file; the 3-of-4 threshold is what keeps the rule usable.
meta:
description = "PHP Webshells Github Archive - file reader.asp.php.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "70656f3495e2b3ad391a77d5208eec0fb9e2d931"
id = "80ec18e1-6f41-5188-b2d5-f4228c975fa1"
strings:
$s5 = "ster\" name=submit> </Font> <a href=mailto:mailbomb@hotmail"
$s12 = " HACKING " fullword
$s16 = "FONT-WEIGHT: bold; BACKGROUND: #ffffff url('images/cellpic1.gif'); TEXT-INDENT: "
$s20 = "PADDING-RIGHT: 8px; PADDING-LEFT: 8px; FONT-WEIGHT: bold; FONT-SIZE: 11px; BACKG"
condition:
3 of them
}
rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_3 {
// Detects the "Safe Mode Shell" by PHP Emperor (safe_mode bypass file reader);
// requires any 3 of 6 strings. A second variant rule (..._2) further down this page
// shares $s1 and $s6 with this one.
meta:
description = "PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
old_rule_name = "WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2"
hash = "db076b7c80d2a5279cab2578aa19cb18aea92832"
id = "349cf6ac-92b3-59f7-a6e4-c23e69b454c6"
strings:
$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
$s9 = "\".htmlspecialchars($file).\" has been already loaded. PHP Emperor <xb5@hotmail."
$s11 = "die(\"<FONT COLOR=\\\"RED\\\"><CENTER>Sorry... File" fullword
// Generic parameter check; weak on its own.
$s15 = "if(empty($_GET['file'])){" fullword
$s16 = "echo \"<head><title>Safe Mode Shell</title></head>\"; " fullword
condition:
3 of them
}
rule WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_2 {
// Detects the Liz0ziM safe-mode command-execution bypass shell. The condition is
// "1 of them", so every string has to stand on its own.
// NOTE(review): $s13 is a plain HTML <option> that could appear in other tooling or
// test pages; expect occasional hits that match only that string and verify them.
meta:
description = "PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
old_rule_name = "WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit"
hash = "b2b797707e09c12ff5e632af84b394ad41a46fa4"
id = "b647f529-be81-51ad-b671-84aec410e133"
strings:
$s4 = "$liz0zim=shell_exec($_POST[liz0]); " fullword
$s6 = "$liz0=shell_exec($_POST[baba]); " fullword
$s9 = "echo \"<b><font color=blue>Liz0ziM Private Safe Mode Command Execuriton Bypass E"
$s12 = " :=) :</font><select size=\"1\" name=\"liz0\">" fullword
$s13 = "<option value=\"cat /etc/passwd\">/etc/passwd</option>" fullword
condition:
1 of them
}
rule WebShell_PHP_Backdoor_2 {
// Detects z0mbie's "simple php backdoor" (2003) by its header comment, directory
// browser messages and command form. Condition is "1 of them": each string is
// treated as sufficient on its own. Renamed from WebShell_php_backdoor.
meta:
description = "PHP Webshells Github Archive - file php-backdoor.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
old_rule_name = "WebShell_php_backdoor"
hash = "b190c03af4f3fb52adc20eb0f5d4d151020c74fe"
id = "65e1305b-4fc7-5885-b3df-92846bb57fe3"
strings:
$s5 = "http://<? echo $SERVER_NAME.$REQUEST_URI; ?>?d=/etc on *nix" fullword
$s6 = "// a simple php backdoor | coded by z0mbie [30.08.03] | http://freenet.am/~zombi"
$s11 = "if(!isset($_REQUEST['dir'])) die('hey,specify directory!');" fullword
$s13 = "else echo \"<a href='$PHP_SELF?f=$d/$dir'><font color=black>\";" fullword
$s15 = "<pre><form action=\"<? echo $PHP_SELF; ?>\" METHOD=GET >execute command: <input "
condition:
1 of them
}
rule WebShell_Worse_Linux_Shell_2 {
// Detects the "Worse Linux Shell" (#worst @dal.net) PHP shell by its banner, upload
// handler and command-unescaping line; requires any 2 of 6 strings.
// NOTE(review): $s4 and $s8 are generic enough to co-occur in benign admin scripts;
// prefer hits that include $s5, $s7 or $s19.
meta:
description = "PHP Webshells Github Archive - file Worse Linux Shell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
old_rule_name = "WebShell_Worse_Linux_Shell"
hash = "64623ab1246bc8f7d256b25f244eb2b41f543e96"
id = "04ed7464-29d1-54b9-98ff-afc03475b220"
strings:
$s4 = "if( $_POST['_act'] == \"Upload!\" ) {" fullword
$s5 = "print \"<center><h1>#worst @dal.net</h1></center>\";" fullword
$s7 = "print \"<center><h1>Linux Shells</h1></center>\";" fullword
$s8 = "$currentCMD = \"ls -la\";" fullword
$s14 = "print \"<tr><td><b>System type:</b></td><td>$UName</td></tr>\";" fullword
$s19 = "$currentCMD = str_replace(\"\\\\\\\\\",\"\\\\\",$_POST['_cmd']);" fullword
condition:
2 of them
}
rule WebShell_php_webshells_pHpINJ {
// Detects the "News PHP Shell Injection" generator (pHpINJ), which builds a SQL
// injection URL that writes a PHP shell; condition is "1 of them".
// NOTE(review): id is shared with the other WebShell_php_webshells_* rules on this page.
meta:
description = "PHP Webshells Github Archive - file pHpINJ.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "75116bee1ab122861b155cc1ce45a112c28b9596"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
$s3 = "echo '<a href='.$expurl.'> Click Here to Exploit </a> <br />';" fullword
// Generic self-posting form; weak on its own under a 1-of-them condition.
$s10 = "<form action = \"<?php echo \"$_SERVER[PHP_SELF]\" ; ?>\" method = \"post\">" fullword
$s11 = "$sql = \"0' UNION SELECT '0' , '<? system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 IN"
$s13 = "Full server path to a writable file which will contain the Php Shell <br />" fullword
$s14 = "$expurl= $url.\"?id=\".$sql ;" fullword
$s15 = "<header>|| .::News PHP Shell Injection::. ||</header> <br /> <br />" fullword
$s16 = "<input type = \"submit\" value = \"Create Exploit\"> <br /> <br />" fullword
condition:
1 of them
}
rule WebShell_php_webshells_NGH {
// Detects "Webcommander" (Cr4sh_aka_RKL, NGH edition) by its title, author comment
// and bindshell/backconnect form actions; requires any 2 of 7 strings.
// NOTE(review): id is shared with the other WebShell_php_webshells_* rules on this page.
meta:
description = "PHP Webshells Github Archive - file NGH.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "c05b5deecfc6de972aa4652cb66da89cfb3e1645"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
$s0 = "<title>Webcommander at <?=$_SERVER[\"HTTP_HOST\"]?></title>" fullword
$s2 = "/* Webcommander by Cr4sh_aka_RKL v0.3.9 NGH edition :p */" fullword
$s5 = "<form action=<?=$script?>?act=bindshell method=POST>" fullword
$s9 = "<form action=<?=$script?>?act=backconnect method=POST>" fullword
$s11 = "<form action=<?=$script?>?act=mkdir method=POST>" fullword
$s16 = "die(\"<font color=#DF0000>Login error</font>\");" fullword
$s20 = "<b>Bind /bin/bash at port: </b><input type=text name=port size=8>" fullword
condition:
2 of them
}
rule WebShell_php_webshells_matamu {
// Detects the "matamu" PHP shell by its cd-handling source comments and tmpfile
// redirection; requires any 2 of 6 strings.
// NOTE(review): id is shared with the other WebShell_php_webshells_* rules on this page.
meta:
description = "PHP Webshells Github Archive - file matamu.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "d477aae6bd2f288b578dbf05c1c46b3aaa474733"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
// Short and generic; weak on its own.
$s2 = "$command .= ' -F';" fullword
$s3 = "/* We try and match a cd command. */" fullword
$s4 = "directory... Trust me - it works :-) */" fullword
$s5 = "$command .= \" 1> $tmpfile 2>&1; \" ." fullword
$s10 = "$new_dir = $regs[1]; // 'cd /something/...'" fullword
$s16 = "/* The last / in work_dir were the first charecter." fullword
condition:
2 of them
}
rule WebShell_ru24_post_sh {
// Detects Ru24PostWebShell (DreAmeRz / ru24-team.net) by its branding and default
// command line; condition is "1 of them", so each string is treated as sufficient.
meta:
description = "PHP Webshells Github Archive - file ru24_post_sh.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "d2c18766a1cd4dda928c12ff7b519578ccec0769"
id = "86a45d72-c42d-58d5-9969-d3ebfc22853d"
strings:
$s1 = "http://www.ru24-team.net" fullword
$s4 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a"
$s6 = "Ru24PostWebShell"
$s7 = "Writed by DreAmeRz" fullword
$s9 = "$function=passthru; // system, exec, cmd" fullword
condition:
1 of them
}
rule WebShell_hiddens_shell_v1 {
// Detects "hiddens shell v1" by the start of its encoded payload blob. A single
// exact string, so this is a hash-like signature for this specific encoded variant
// and will not match re-encoded copies.
meta:
description = "PHP Webshells Github Archive - file hiddens shell v1.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "1674bd40eb98b48427c547bf9143aa7fbe2f4a59"
id = "7194998e-c84c-5f59-92fe-857ecf7e8e88"
strings:
$s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
condition:
all of them
}
rule WebShell_c99_madnet {
// Detects the c99 madnet-edition loader stub (hard-coded login/pass variables plus
// an eval of an inflated base64 payload). All five strings are required; note the
// sibling rule WebShell_C99madShell_v__2_0_madnet_edition covers the variant with
// empty $pass/$login values.
meta:
description = "PHP Webshells Github Archive - file c99_madnet.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "17613df393d0a99fd5bea18b2d4707f566cff219"
id = "f2b9c3d1-1c55-59cb-a9bf-8b4011f86a3b"
strings:
$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
$s1 = "eval(gzinflate(base64_decode('"
$s2 = "$pass = \"pass\"; //Pass" fullword
$s3 = "$login = \"user\"; //Login" fullword
// Leading space is part of the atom; differs from the variant rule's "//Authentication".
$s4 = " //Authentication" fullword
condition:
all of them
}
rule WebShell_c99_locus7s {
// Detects the c99 locus7s edition by its SQL dump file naming, sources-server URL
// and /etc/passwd paging setting; requires any 2 of 5 strings.
meta:
description = "PHP Webshells Github Archive - file c99_locus7s.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "d413d4700daed07561c9f95e1468fb80238fbf3c"
id = "f92fe5a2-e465-56ed-a77b-b32ea4c2c105"
strings:
$s8 = "$encoded = base64_encode(file_get_contents($d.$f)); " fullword
$s9 = "$file = $tmpdir.\"dump_\".getenv(\"SERVER_NAME\").\"_\".$db.\"_\".date(\"d-m-Y"
$s10 = "else {$tmp = htmlspecialchars(\"./dump_\".getenv(\"SERVER_NAME\").\"_\".$sq"
$s11 = "$c99sh_sourcesurl = \"http://locus7s.com/\"; //Sources-server " fullword
$s19 = "$nixpwdperpage = 100; // Get first N lines from /etc/passwd " fullword
condition:
2 of them
}
rule WebShell_JspWebshell_1_2 {
// Detects JspWebshell 1.2. The strings are JSP/Java (GBK page directive, password
// and editfile request parameters), not PHP, despite the archive file name;
// requires any 3 of 6 strings.
// NOTE(review): $s1/$s7/$s12 are ordinary JSP parameter reads and can appear in
// legitimate applications; the distinctive atoms are $s0 and $s8.
meta:
description = "PHP Webshells Github Archive - file JspWebshell_1.2.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "0bed4a1966117dd872ac9e8dceceb54024a030fa"
id = "dfd8c88d-4fe2-5786-9d71-65dba525c358"
strings:
$s0 = "System.out.println(\"CreateAndDeleteFolder is error:\"+ex); " fullword
$s1 = "String password=request.getParameter(\"password\");" fullword
$s3 = "<%@ page contentType=\"text/html; charset=GBK\" language=\"java\" import=\"java."
$s7 = "String editfile=request.getParameter(\"editfile\");" fullword
$s8 = "//String tempfilename=request.getParameter(\"file\");" fullword
$s12 = "password = (String)session.getAttribute(\"password\");" fullword
condition:
3 of them
}
rule WebShell_safe0ver {
// Detects the safe0ver (Evilc0der.com) safe-mode bypass shell by its script ident,
// upload/file handling comments and bypass form; requires any 3 of 7 strings.
meta:
description = "PHP Webshells Github Archive - file safe0ver.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "366639526d92bd38ff7218b8539ac0f154190eb8"
id = "a7fc8c89-f7a1-5958-823a-763dedb3066d"
strings:
$s3 = "$scriptident = \"$scriptTitle By Evilc0der.com\";" fullword
$s4 = "while (file_exists(\"$lastdir/newfile$i.txt\"))" fullword
$s5 = "else { /* <!-- Then it must be a File... --> */" fullword
// Generic escaping line; weak on its own.
$s7 = "$contents .= htmlentities( $line ) ;" fullword
$s8 = "<br><p><br>Safe Mode ByPAss<p><form method=\"POST\">" fullword
$s14 = "elseif ( $cmd==\"upload\" ) { /* <!-- Upload File form --> */ " fullword
$s20 = "/* <!-- End of Actions --> */" fullword
condition:
3 of them
}
rule WebShell_Uploader {
// Detects a minimal uploader stub that writes the posted file to a fixed name
// ("entrika.php"). Single exact string; a renamed target file will not match.
meta:
description = "PHP Webshells Github Archive - file Uploader.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "e216c5863a23fde8a449c31660fd413d77cce0b7"
id = "c68e15d9-865e-5269-a91c-00619fe76305"
strings:
$s1 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword
condition:
all of them
}
rule WebShell_php_webshells_kral {
// Detects the "kral" server-listing/reset tool (BLaSTER) by its Joomla reset URL,
// curl POST body and Turkish UI strings; requires any 2 of 6 strings.
// NOTE(review): id is shared with the other WebShell_php_webshells_* rules on this page.
// $s1 and $s3 are generic PHP/curl lines and could co-occur in benign scripts.
meta:
description = "PHP Webshells Github Archive - file kral.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "4cd1d1a2fd448cecc605970e3a89f3c2e5c80dfc"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
$s1 = "$adres=gethostbyname($ip);" fullword
$s3 = "curl_setopt($ch,CURLOPT_POSTFIELDS,\"domain=\".$site);" fullword
$s4 = "$ekle=\"/index.php?option=com_user&view=reset&layout=confirm\";" fullword
$s16 = "echo $son.' <br> <font color=\"green\">Access</font><br>';" fullword
$s17 = "<p>kodlama by <a href=\"mailto:priv8coder@gmail.com\">BLaSTER</a><br /"
$s20 = "<p><strong>Server listeleyici</strong><br />" fullword
condition:
2 of them
}
rule WebShell_cgitelnet {
// Detects the CGI-Telnet Perl shell (rohitab.com) by its source comments and
// transfer message; the strings are Perl, not PHP. Requires any 2 of 4 strings.
meta:
description = "PHP Webshells Github Archive - file cgitelnet.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "72e5f0e4cd438e47b6454de297267770a36cbeb3"
id = "b02d8549-ebfe-522c-9a6d-8657273da3ed"
strings:
$s9 = "# Author Homepage: http://www.rohitab.com/" fullword
$s10 = "elsif($Action eq \"command\") # user wants to run a command" fullword
$s18 = "# in a command line on Windows NT." fullword
$s20 = "print \"Transfered $TargetFileSize Bytes.<br>\";" fullword
condition:
2 of them
}
rule WebShell_simple_backdoor_2 {
// Detects the DK "Simple PHP backdoor" (michaeldaw.org, 2006) by its full source;
// all nine strings are required, which makes this a near-exact match for the
// unmodified file. WebShell_Simple_PHP_backdoor_by_DK below is the looser variant
// (2 of a subset of these strings). Renamed from WebShell_simple_backdoor.
meta:
description = "PHP Webshells Github Archive - file simple-backdoor.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
old_rule_name = "WebShell_simple_backdoor"
hash = "edcd5157a68fa00723a506ca86d6cbb8884ef512"
id = "faddd38e-d0c6-5299-9983-53351af1ece5"
strings:
$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
$s1 = "<!-- http://michaeldaw.org 2006 -->" fullword
$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
// $s3, $s5, $s7 are one-token generic lines with leading whitespace; they only
// matter because "all of them" is required.
$s3 = " echo \"</pre>\";" fullword
$s4 = " $cmd = ($_REQUEST['cmd']);" fullword
$s5 = " echo \"<pre>\";" fullword
$s6 = "if(isset($_REQUEST['cmd'])){" fullword
$s7 = " die;" fullword
$s8 = " system($cmd);" fullword
condition:
all of them
}
rule WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 {
// Second variant of the PHP Emperor safe-mode bypass shell; requires any 2 of 4
// strings. Shares $s1 and $s6 with the "_3" rule earlier on this page.
// NOTE(review): $s4 (@ini_get("open_basedir")) is common in legitimate PHP and
// $s1 could appear in other tools; a hit on only those two deserves a closer look.
meta:
description = "PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "8fdd4e0e87c044177e9e1c97084eb5b18e2f1c25"
id = "a504442f-85f2-55a1-8a07-1e0faccf8bc0"
strings:
$s1 = "<option value=\"/etc/passwd\">Get /etc/passwd</option>" fullword
$s3 = "xb5@hotmail.com</FONT></CENTER></B>\");" fullword
$s4 = "$v = @ini_get(\"open_basedir\");" fullword
$s6 = "by PHP Emperor<xb5@hotmail.com>" fullword
condition:
2 of them
}
rule WebShell_NTDaddy_v1_9 {
// Detects the NTDaddy v1.9 ASP shell (obzerve) by its contact banner, temp-file
// helper and form action; strings are ASP/VBScript. Requires any 2 of 4 strings.
// Note $s2 here is the same temp-file line as $s1 in WebShell_CmdAsp_asp_php.
meta:
description = "PHP Webshells Github Archive - file NTDaddy v1.9.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "79519aa407fff72b7510c6a63c877f2e07d7554b"
id = "a175fd28-5dc2-5827-87f0-4117e889e90e"
strings:
$s2 = "| -obzerve : mr_o@ihateclowns.com |" fullword
$s6 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
$s13 = "<form action=ntdaddy.asp method=post>" fullword
$s17 = "response.write(\"<ERROR: THIS IS NOT A TEXT FILE>\")" fullword
condition:
2 of them
}
rule WebShell_lamashell {
// Detects "lama's'hell v. 3.0" by its title, ASCII-art face, Execute button handler
// and default command; requires any 2 of 6 strings.
// NOTE(review): $s16 is the standard HTML 4 loose DTD URL found in countless pages;
// together with the short $s19 it can satisfy "2 of them" on non-shell content.
meta:
description = "PHP Webshells Github Archive - file lamashell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "b71181e0d899b2b07bc55aebb27da6706ea1b560"
id = "60e39eed-baa2-5999-8560-0a0242ce2608"
strings:
$s0 = "if(($_POST['exe']) == \"Execute\") {" fullword
$s8 = "$curcmd = $_POST['king'];" fullword
$s16 = "\"http://www.w3.org/TR/html4/loose.dtd\">" fullword
$s18 = "<title>lama's'hell v. 3.0</title>" fullword
$s19 = "_|_ O _ O _|_"
$s20 = "$curcmd = \"ls -lah\";" fullword
condition:
2 of them
}
rule WebShell_Simple_PHP_backdoor_by_DK {
// Looser companion to WebShell_simple_backdoor_2: same DK backdoor, but only 2 of
// these 5 strings are needed, so lightly edited copies still match.
// NOTE(review): $s6 + $s8 (a cmd parameter passed to system()) is a generic
// one-line-shell pattern and will also fire on other minimal backdoors.
meta:
description = "PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "03f6215548ed370bec0332199be7c4f68105274e"
id = "2c424714-1d2c-5b89-b1bc-a201e37a0a5d"
strings:
$s0 = "<!-- Simple PHP backdoor by DK (http://michaeldaw.org) -->" fullword
$s1 = "<!-- http://michaeldaw.org 2006 -->" fullword
$s2 = "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd" fullword
$s6 = "if(isset($_REQUEST['cmd'])){" fullword
$s8 = "system($cmd);" fullword
condition:
2 of them
}
rule WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT {
// Detects the "Moroccan Spamers" PHP mailer by its attachment encoding, send
// progress message and input validation; all three strings are required.
// Each string alone is plausible in a legitimate PHP mailer, hence "all of them".
meta:
description = "PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "31e5473920a2cc445d246bc5820037d8fe383201"
id = "4fa9ce70-d300-55fe-bf98-636f026317ec"
strings:
$s4 = "$content = chunk_split(base64_encode($content)); " fullword
$s12 = "print \"Sending mail to $to....... \"; " fullword
$s16 = "if (!$from && !$subject && !$message && !$emaillist){ " fullword
condition:
all of them
}
rule WebShell_C99madShell_v__2_0_madnet_edition {
// Detects the C99madShell 2.0 madnet edition loader stub with empty $pass/$login
// values; all five strings are required. Differs from WebShell_c99_madnet only in
// the $s2/$s3 values and the absence of the leading space in $s4.
meta:
description = "PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "f99f8228eb12746847f54bad45084f19d1a7e111"
id = "51db0495-14f3-527e-865b-1405db57ff27"
strings:
$s0 = "$md5_pass = \"\"; //If no pass then hash" fullword
$s1 = "eval(gzinflate(base64_decode('"
$s2 = "$pass = \"\"; //Pass" fullword
$s3 = "$login = \"\"; //Login" fullword
$s4 = "//Authentication" fullword
condition:
all of them
}
rule WebShell_CmdAsp_asp_php {
// Detects Maceo's CmdAsp.asp command shell by its header comments, temp-file
// "poor man's pipe" and WScript-based cmd.exe invocation; strings are ASP/VBScript.
// Requires any 4 of 9 strings.
meta:
description = "PHP Webshells Github Archive - file CmdAsp.asp.php.txt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "cb18e1ac11e37e236e244b96c2af2d313feda696"
id = "184b1731-31a9-5040-aa25-d145e8064758"
strings:
$s1 = "szTempFile = \"C:\\\" & oFileSys.GetTempName( )" fullword
$s4 = "' Author: Maceo <maceo @ dogmile.com>" fullword
$s5 = "' -- Use a poor man's pipe ... a temp file -- '" fullword
$s6 = "' --------------------o0o--------------------" fullword
$s8 = "' File: CmdAsp.asp" fullword
$s11 = "<-- CmdAsp.asp -->" fullword
// Command execution line; the strongest behavioural indicator in this set.
$s14 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword
$s16 = "Set oScriptNet = Server.CreateObject(\"WSCRIPT.NETWORK\")" fullword
$s19 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword
condition:
4 of them
}
rule WebShell_NCC_Shell {
// Detects the German-language NCC (National Cracker Crew) upload shell by its
// title, crew banner and file-size printf; requires any 3 of 6 strings.
meta:
description = "PHP Webshells Github Archive - file NCC-Shell.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "64d4495875a809b2730bd93bec2e33902ea80a53"
id = "3a2dab3d-faf0-52a5-b114-db402885c618"
strings:
$s0 = " if (isset($_FILES['probe']) and ! $_FILES['probe']['error']) {" fullword
$s1 = "<b>--Coded by Silver" fullword
$s2 = "<title>Upload - Shell/Datei</title>" fullword
$s8 = "<a href=\"http://www.n-c-c.6x.to\" target=\"_blank\">-->NCC<--</a></center></b><"
$s14 = "~|_Team .:National Cracker Crew:._|~<br>" fullword
$s18 = "printf(\"Sie ist %u Bytes gro" fullword
condition:
3 of them
}
rule WebShell_php_webshells_README {
// Matches the README.md of the php-webshells GitHub archive itself, not a shell:
// a hit means a copy of the collection (or its README) is present on the host.
// Triage accordingly — this is an indicator of tooling staged on disk rather than
// of an active backdoor.
// NOTE(review): id is shared with the other WebShell_php_webshells_* rules on this page.
meta:
description = "PHP Webshells Github Archive - file README.md"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "ef2c567b4782c994db48de0168deb29c812f7204"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
$s0 = "Common php webshells. Do not host the file(s) in your server!" fullword
$s1 = "php-webshells" fullword
condition:
all of them
}
rule WebShell_backupsql {
// Detects the "backupsql" script (Neagu Mihai), which dumps databases and
// exfiltrates them by email attachment or ncftpput; requires any 2 of 5 strings.
// NOTE(review): the archive classifies it as a webshell, but the visible strings
// describe a backup/exfil utility; $s0 (MIME headers) is generic on its own.
meta:
description = "PHP Webshells Github Archive - file backupsql.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "863e017545ec8e16a0df5f420f2d708631020dd4"
id = "15d6e967-1e53-53b4-a2cf-7786452495d4"
strings:
$s0 = "$headers .= \"\\nMIME-Version: 1.0\\n\" .\"Content-Type: multipart/mixed;\\n\" ."
$s1 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog"
$s2 = "* as email attachment, or send to a remote ftp server by" fullword
$s16 = "* Neagu Mihai<neagumihai@hotmail.com>" fullword
$s17 = "$from = \"Neu-Cool@email.com\"; // Who should the emails be sent from?, may "
condition:
2 of them
}
rule WebShell_AK_74_Security_Team_Web_Shell_Beta_Version {
// Detects the AK-74 Security Team web shell (beta) by its site banner and
// UI labels; condition is "1 of them", so each string stands alone.
meta:
description = "PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "c90b0ba575f432ecc08f8f292f3013b5532fe2c4"
id = "e93a6ac3-080f-53d3-8368-b9feb509a2ea"
strings:
$s8 = "- AK-74 Security Team Web Site: www.ak74-team.net" fullword
$s9 = "<b><font color=#830000>8. X Forwarded For IP - </font></b><font color=#830000>'."
$s10 = "<b><font color=#83000>Execute system commands!</font></b>" fullword
condition:
1 of them
}
rule WebShell_php_webshells_cpanel {
// Detects the "cpanel" FTP/cPanel brute-force tool by its ftp_check helper, curl
// to port 2082, alturks banner and self-description; requires any 2 of 6 strings.
// NOTE(review): id is shared with the other WebShell_php_webshells_* rules on this page.
meta:
description = "PHP Webshells Github Archive - file cpanel.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "433dab17106b175c7cf73f4f094e835d453c0874"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
$s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword
$s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword
$s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword
// Generic curl option; weak on its own.
$s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword
$s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir"
// Generic login prompt; weak on its own.
$s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword
condition:
2 of them
}
rule WebShell_accept_language {
// Detects a one-line PHP shell that executes the Accept-Language request header
// via passthru(). The whole file is a single exact string (including the
// "by q1w2e3r4" tag), so trimmed or re-tagged copies will not match.
meta:
description = "PHP Webshells Github Archive - file accept_language.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "180b13576f8a5407ab3325671b63750adbcb62c9"
id = "343ed2a4-4bed-5e73-8d05-f9573b0147af"
strings:
$s0 = "<?php passthru(getenv(\"HTTP_ACCEPT_LANGUAGE\")); echo '<br> by q1w2e3r4'; ?>" fullword
condition:
all of them
}
rule WebShell_php_webshells_529 {
// Detects the "529" safe_mode/open_basedir bypass (Md5Cracking.Com Crew,
// KingDefacer edit) by its credits and bypass banner; requires any 2 of 7 strings.
// NOTE(review): id is shared with the other WebShell_php_webshells_* rules on this page.
meta:
description = "PHP Webshells Github Archive - file 529.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "ba3fb2995528307487dff7d5b624d9f4c94c75d3"
id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
strings:
$s0 = "<p>More: <a href=\"/\">Md5Cracking.Com Crew</a> " fullword
$s7 = "href=\"/\" title=\"Securityhouse\">Security House - Shell Center - Edited By Kin"
$s9 = "echo '<PRE><P>This is exploit from <a " fullword
$s10 = "This Exploit Was Edited By KingDefacer" fullword
$s13 = "safe_mode and open_basedir Bypass PHP 5.2.9 " fullword
// Generic path handling; weak on its own.
$s14 = "$hardstyle = explode(\"/\", $file); " fullword
$s20 = "while($level--) chdir(\"..\"); " fullword
condition:
2 of them
}
rule WebShell_STNC_WebShell_v0_8 {
// Detects STNC WebShell v0.8 by its POST action dispatch, output-buffered system()
// fallback and pwd/chdir handling; requires any 2 of 3 strings.
// NOTE(review): $s3 is a generic POST-parameter read; $s8 and $s13 carry the
// shell-specific structure.
meta:
description = "PHP Webshells Github Archive - file STNC WebShell v0.8.php"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Florian Roth (Nextron Systems)"
hash = "52068c9dff65f1caae8f4c60d0225708612bb8bc"
id = "5dc300a2-9965-52e3-a382-b8d327eb7029"
strings:
$s3 = "if(isset($_POST[\"action\"])) $action = $_POST[\"action\"];" fullword
$s8 = "elseif(fe(\"system\")){ob_start();system($s);$r=ob_get_contents();ob_end_clean()"
$s13 = "{ $pwd = $_POST[\"pwd\"]; $type = filetype($pwd); if($type === \"dir\")chdir($pw"
condition:
2 of them
}