YARA rules for UPPERCUT
YARA rules whose family, name, or description matches this tool or its tooling. The association is a text match on rule metadata, not a curated mapping: none of the four rules below names UPPERCUT, and all four target PHP web panels and webshells (source text) rather than a compiled UPPERCUT binary. Verify relevance before adding them to a hunt; they are plain-text string rules, so run them over web roots and script files rather than binaries.
// Origin: the "PHP webshells" GitHub archive, file cpanel.php (see description).
// The string set describes a PHP script that brute-forces FTP and cPanel logins:
// $s13 is the tool's own banner text, and $s3 contacts port 2082, which is
// consistent with the cPanel reference in that banner.
//
// Condition is "2 of them" over six strings with no filesize bound. $s12 (a plain
// cURL option) and $s20 (a generic logon prompt) are the least specific strings;
// NOTE(review): a benign file that happens to contain just those two would also
// match. When tuning, consider requiring at least one of $s0/$s3/$s4/$s13.
// The 40-hex-digit hash in meta is SHA-1 length. Unlike the other rules on this
// page, this one carries no date or score metadata.
rule WebShell_php_webshells_cpanel {
    meta:
        description = "PHP Webshells Github Archive - file cpanel.php"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        hash = "433dab17106b175c7cf73f4f094e835d453c0874"
        id = "393e738a-b4c2-5630-a55f-c3caee4ff75e"
    strings:
        $s0 = "function ftp_check($host,$user,$pass,$timeout){" fullword // credential-probe helper signature (presumably the per-login FTP test)
        $s3 = "curl_setopt($ch, CURLOPT_URL, \"http://$host:2082\");" fullword // port 2082 target; distinctive
        $s4 = "[ user@alturks.com ]# info<b><br><font face=tahoma><br>" fullword // author/handle banner in the shell's UI
        $s12 = "curl_setopt($ch, CURLOPT_FTPLISTONLY, 1);" fullword // ordinary cURL option; weak on its own
        $s13 = "Powerful tool , ftp and cPanel brute forcer , php 5.2.9 safe_mode & open_basedir" // self-description banner; no fullword
        $s20 = "<br><b>Please enter your USERNAME and PASSWORD to logon<br>" fullword // generic logon prompt; weak on its own
    condition:
        2 of them
}
// Detects the PHP server-side panel of the HawkEye keylogger (see description).
// All four strings are ordinary PHP: two $_GET reads, an unlink() of the
// GET-supplied filename, and a literal "Success" echo. Taken together they
// describe a script that deletes whatever path arrives in the "fname" parameter
// (presumably a log-management endpoint of the panel; not verifiable from here).
//
// Because the strings are generic, the rule requires all of them AND a file
// smaller than 600 bytes; the size bound is what keeps it from firing on larger
// legitimate PHP. score = 60 signals this reduced confidence. No sample hash is
// recorded in meta, and the date uses slashes where the other rules on this page
// use ISO dashes — worth normalising if metadata is parsed by tooling.
rule HawkEye_PHP_Panel {
    meta:
        description = "Detects HawkEye Keyloggers PHP Panel"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        date = "2014/12/14"
        score = 60
        id = "1d185345-6684-538f-954a-45d57a618a7a"
    strings:
        $s0 = "$fname = $_GET['fname'];" ascii fullword // filename taken straight from the query string
        $s1 = "$data = $_GET['data'];" ascii fullword
        $s2 = "unlink($fname);" ascii fullword // deletes the GET-supplied path
        $s3 = "echo \"Success\";" fullword ascii
    condition:
        all of ($s*) and filesize < 600 // tiny-file bound compensates for the generic strings
}
// Detects install.php of the CarbonGrabber (a.k.a. Rombertik) panel — the script
// that creates the panel's database. Every string is a fragment of the SQL it
// emits: column definitions for a `logs` table (ip, host, post, browser, ...),
// the table options line, and the PDO exec() calls that run the DDL and a seed
// INSERT. $s0 is deliberately cut at "`bro" and has no fullword modifier, so it
// matches as a prefix of the INSERT statement.
//
// Condition requires all eight strings and filesize < 3KB, which is tight.
// NOTE(review): $s5 pins "AUTO_INCREMENT=5", a value that looks like an artifact
// of the exported dump; a regenerated install script could carry a different
// number and miss on that one string — worth knowing when a near-hit is examined.
// NOTE(review): the meta id is identical to the one on Rombertik_CarbonGrabber_Panel
// (index.php rule); signature-base ids are meant to be unique per rule.
rule Rombertik_CarbonGrabber_Panel_InstallScript {
    meta:
        description = "Detects CarbonGrabber alias Rombertik panel install script - file install.php"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://blogs.cisco.com/security/talos/rombertik"
        date = "2015-05-05"
        hash = "cd6c152dd1e0689e0bede30a8bd07fef465fbcfa"
        id = "f6c04e27-bbab-5012-a4f9-71d49d252b83"
    strings:
        $s0 = "$insert = \"INSERT INTO `logs` (`id`, `ip`, `name`, `host`, `post`, `time`, `bro" ascii // prefix of the seed INSERT; intentionally truncated
        $s3 = "`post` text NOT NULL," fullword ascii
        $s4 = "`host` text NOT NULL," fullword ascii
        $s5 = ") ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=5 ;\" ;" fullword ascii // table options; AUTO_INCREMENT value is dump-specific
        $s6 = "$db->exec($columns); //or die(print_r($db->errorInfo(), true));;" fullword ascii // commented-out error handling and doubled ';' are part of the literal
        $s9 = "$db->exec($insert);" fullword ascii
        $s10 = "`browser` text NOT NULL," fullword ascii
        $s13 = "`ip` text NOT NULL," fullword ascii
    condition:
        filesize < 3KB and all of them
}
// Detects index.php of the CarbonGrabber (a.k.a. Rombertik) panel, the web
// front end that receives and displays stolen data. The strings cover its
// login redirects ($s0–$s2: meta-refresh and header("location:") to
// index.php?a=login), the prepared-statement INSERT into `logs` ($s3), the
// credential check ($s16, a loose "==" comparison of POSTed username/password
// against two variables), and a "TRUNCATE TABLE `logs`" statement ($s17,
// presumably a clear-logs action). $s1 and $s3 have no fullword modifier and
// are cut mid-statement, so they match as prefixes.
//
// Condition requires all six strings and filesize < 46KB.
// NOTE(review): the meta id is identical to the one on
// Rombertik_CarbonGrabber_Panel_InstallScript; signature-base ids are meant to
// be unique per rule.
rule Rombertik_CarbonGrabber_Panel {
    meta:
        description = "Detects CarbonGrabber alias Rombertik Panel - file index.php"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://blogs.cisco.com/security/talos/rombertik"
        date = "2015-05-05"
        hash = "e6e9e4fc3772ff33bbeeda51f217e9149db60082"
        id = "f6c04e27-bbab-5012-a4f9-71d49d252b83"
    strings:
        $s0 = "echo '<meta http-equiv=\"refresh\" content=\"0;url=index.php?a=login\">';" fullword ascii // immediate redirect to login
        $s1 = "echo '<meta http-equiv=\"refresh\" content=\"2;url='.$website.'/index.php?a=login" ascii // delayed redirect; prefix match
        $s2 = "header(\"location: $website/index.php?a=login\");" fullword ascii
        $s3 = "$insertLogSQL -> execute(array(':id' => NULL, ':ip' => $ip, ':name' => $name, ':" ascii // bound-parameter INSERT; prefix match
        $s16 = "if($_POST['username'] == $username && $_POST['password'] == $password){" fullword ascii // panel login check (loose == comparison)
        $s17 = "$SQL = $db -> prepare(\"TRUNCATE TABLE `logs`\");" fullword ascii // wipes the log table
    condition:
        filesize < 46KB and all of them
}