Current File : //var/lib/clamav/malware.expert.yara |
//https://yara.readthedocs.io/en/latest/writingrules.html
//https://0x00sec.org/t/tutorial-creating-yara-signatures-for-malware-detection/5453
// Prerequisite shared by the public rules below: the scanned data contains a
// PHP open tag. "<?" also occurs in XML prologs ("<?xml"), so by itself this
// is a coarse filter, not proof that the file is PHP code.
private rule is_php {
    strings:
        $open_tag = "<?"
    condition:
        $open_tag
}
// Heuristic for the name "base64_" being assembled one character at a time
// ($x='b';$y='a';$z='s';...) so that the decoder name never appears as a
// plain string. Each single-character assignment fragment must be present;
// order and variable names are not checked.
private rule is_base64_decode {
    strings:
        $chr_b = "='b';$"
        $chr_a = "='a';$"
        $chr_s = "='s';$"
        $chr_e = "='e';$"
        $chr_6 = "='6';$"
        $chr_4 = "='4';$"
        $chr_u = "='_';$"
    condition:
        all of them
}
// Small PHP files that build strings from single-character array lookups and
// concatenation ( =$a['1'].$b. ... ), a layout typical of obfuscated loaders.
rule Malware_Expert_Encoded_string_pattern {
    meta:
        description = "Malware.Expert - General Encoded String Pattern"
        author = "Malware.Expert"
        reference = "https://malware.expert"
        date = "2022-01-23"
    strings:
        // assignment from a one- or two-digit string index, followed by "." (e.g. =$a['1'].)
        $str_regex_1 = /(\=| \=|\= )\$[a-z]*\[(\'|\")[0-9]{1,2}(\'|\")\](\.|\. | \.)/
        // NOTE(review): [create_function]+ is a character class, so this
        // matches a quoted run of any of the letters a c e f i n o r t u _
        // (e.g. $f='function'), not the literal name create_function.
        // Confirm that breadth is intended before tightening it.
        $str_regex_2 = /\$[a-z]*(\=| \=|\= | \= )(\'|\")[create_function]+(\'|\")/
        // string index followed by "." anywhere, not only on an assignment (e.g. $a['1'].)
        $str_regex_3 = /\$[a-z]+\[(\'|\")[0-9]{1,2}(\'|\")\]\./
        // a bare variable sandwiched between concatenation dots (e.g. .$b.)
        $str_regex_4 = /(\.| {1,}\.|\. {1,})\$[a-z]+(\.| {1,}\.|\. {1,})/
    condition:
        is_php and filesize < 7500 and all of ($str_regex*)
}
//https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/
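// IoCs for the AccessPress Themes supply-chain backdoor: a dropper that
// rewrites wp_is_mobile() in place, the payload it dumps, and the callback
// domain. Three independent branches, so each IoC family fires on its own.
rule Malware_Expert_accesspress_backdoor_infection {
    meta:
        description = "AccessPress Themes backdoor: dropper patching wp_is_mobile() and the dumped wp_is_mobile_fix() payload"
        reference = "https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/"
    strings:
        // dropper: splices base64-decoded code in front of wp_is_mobile() and writes the file back
        $inject0 = "$fc = str_replace('function wp_is_mobile()',"
        $inject1 = "$b64($b) . 'function wp_is_mobile()',"
        $inject2 = "$fc);"
        $inject3 = "@file_put_contents($f, $fc);"
        // dumped payload: user-agent gate plus cookie-count trigger
        $payload0 = "function wp_is_mobile_fix()"
        $payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
        $payload2 = "$g = $_COOKIE;"
        $payload3 = "(count($g) == 8 && $is_wp_mobile) ?"
        // callback domain; matches with or without the image path
        $url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/
    condition:
        // no is_php prerequisite: the domain branch also fires on logs, HTML or other
        // non-PHP files that merely mention the callback host
        all of ($inject*)
        or all of ($payload*)
        or $url0
}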
// A character-by-character "base64_" build-up (see is_base64_decode) that is
// then fed straight into eval. No is_php prerequisite is required here.
rule Malware_Expert_Malware_100000 {
    meta:
        description = "Malware.Expert - Base64 Encoded Eval"
        author = "Malware.Expert"
        reference = "https://malware.expert"
        date = "2022-02-06"
    strings:
        $eval_call = ";eval($"
    condition:
        is_base64_decode and $eval_call
}
// Card-skimmer form handler: a $card variable, a CVV/CVC POST field and the
// report labels the exfiltration message is built from.
rule Malware_Expert_Malware_100001 {
    meta:
        description = "Malware.Expert - Steal Card Details"
        author = "Malware.Expert"
        reference = "https://malware.expert"
        date = "2022-02-11"
    strings:
        $card_var   = "$card"
        $post_cvv   = "$_POST['cvv']"
        $post_cvc   = "$_POST['cvc']"
        $lbl_victim = "Victem Detail"      // sic: the misspelling is part of the signature
        $lbl_card   = "Card Information"
        $lbl_ip     = "IP Address"
    condition:
        is_php and $card_var and any of ($post_cv*) and all of ($lbl_*)
}
// Card-skimmer variant that reads the card number and CVV/CVC from POST,
// records the client address and mails the result out.
rule Malware_Expert_Malware_100002 {
    meta:
        description = "Malware.Expert - Steal Card Details"
        author = "Malware.Expert"
        reference = "https://malware.expert"
        date = "2022-02-11"
    strings:
        $ip_server = "$_SERVER['REMOTE_ADDR']"
        $ip_getenv = "getenv(\"REMOTE_ADDR\")"
        $post_card = "$_POST['card']"
        $post_cvv  = "$_POST['cvv']"
        $post_cvc  = "$_POST['cvc']"
        $mail_call = "mail($"
    condition:
        is_php and any of ($ip_*) and $post_card and any of ($post_cv*) and $mail_call
}
// Credential-phishing handler: POST input, client address, "User:"/"Password:"
// report labels, and the mail + local log + redirect trio used to deliver the
// capture and bounce the victim onward.
rule Malware_Expert_Malware_100003 {
    meta:
        description = "Malware.Expert - Steal User Login and Password"
        author = "Malware.Expert"
        reference = "https://malware.expert"
        date = "2022-02-11"
    strings:
        $post      = "$_POST["
        $ip_server = "$_SERVER['REMOTE_ADDR']"
        $ip_getenv = "getenv(\"REMOTE_ADDR\")"
        $lbl_user  = "User:"
        $lbl_pass  = "\"Password:"     // leading double quote is part of the signature
        $lbl_ip    = "\"IP Address"    // likewise
        $mail_call = "mail($"
        $fopen     = "fopen("
        $fwrite    = "fwrite($"
        $header    = "header("
    condition:
        is_php and $post and any of ($ip_*)
        and $lbl_user and any of ($lbl_pass, $lbl_ip)
        and all of ($mail_call, $fopen, $fwrite, $header)
}
// Tiny PHP stub (under 150 bytes) whose whole purpose is to capture the
// output of shell_exec(): a minimal command-execution backdoor.
rule Malware_Expert_Malware_100004 {
    meta:
        description = "Malware.Expert - Shell Exec"
        author = "Malware.Expert"
        reference = "https://malware.expert"
        date = "2022-02-16"
    strings:
        $assign_exec = "= shell_exec("
        // substring of $assign_exec, so it cannot fail independently; kept so the
        // declared string set is unchanged
        $exec_call   = "shell_exec("
    condition:
        is_php and filesize < 150 and all of them
}
// Minimal file-upload form handler (under 800 bytes): a multipart form, a
// move_uploaded_file() call on a superglobal, and the word "upload" in any
// capitalisation.
rule Malware_Expert_Malware_100005 {
    meta:
        description = "Malware.Expert - File Upload"
        author = "Malware.Expert"
        reference = "https://malware.expert"
        date = "2022-04-02"
    strings:
        $form_enc  = "multipart/form-data"
        $move_call = "move_uploaded_file($_"
        $upload    = "pload"    // tail of "upload"/"Upload", so the first letter's case does not matter
    condition:
        is_php and filesize < 800 and all of them
}
// Fake "Core Stab" plugin: either its plugin header, or the complete
// cookie-gated ternary that hands cookie data to eval.
rule Malware_Expert_Malware_100006 {
    meta:
        description = "Malware.Expert - Fake malicious plugin allows attackers to execute remote code on affected websites"
        author = "Malware.Expert"
        reference = "https://malware.expert"
        date = "2024-07-05"
    strings:
        // plugin header line; sufficient on its own
        $ioc_comment_Plugin_Name = "Plugin Name: Core Stab" nocase
        // the three pieces of the eval ternary; all must be present
        $ioc_ternary_eval_cookie = /\$\w+\s*=\s*\$_COOKIE;/
        // NOTE(review): the leading ^ anchors to the start of the scanned data,
        // not to a line - confirm the ternary is expected at offset 0 (or relax it)
        $ioc_ternary_eval_start = /^\(\$\w+\s*&&\s*isset\(\$\w+\[\(int\)round\(\w+::\w+\(\d+/ nocase
        $ioc_ternary_eval_end = /\)\s*&&\s*@?eval\s*\(\s*\$\w+\s*\)\s*\s*\)\s*:/ nocase
    condition:
        $ioc_comment_Plugin_Name
        or all of ($ioc_ternary_eval*)
}