// Source: /var/lib/clamav/malware.expert.yara (Malware.Expert YARA ruleset, ClamAV database directory)
//https://yara.readthedocs.io/en/latest/writingrules.html
//https://0x00sec.org/t/tutorial-creating-yara-signatures-for-malware-detection/5453

// Gate used by the rules below: the file carries a PHP open tag.
// Note that "<?" alone also appears in XML prologs ("<?xml ..."), so this
// gate is deliberately loose and is only meaningful in combination with
// the rule-specific strings that depend on it.
private rule is_php {
    strings:
        $open_tag = "<?"

    condition:
        $open_tag
}

// Gate for the "one character per variable" obfuscation, e.g.
//   $a='b';$b='a';$c='s';$d='e';$e='6';$f='4';$g='_';
// Each fragment is a quoted single character followed by ";$" (the start of
// the next assignment).  The seven characters are the distinctive ones of
// "base64_decode"; all seven fragments must be present.
private rule is_base64_decode {
    strings:
        $c_b  = "='b';$"
        $c_a  = "='a';$"
        $c_s  = "='s';$"
        $c_e  = "='e';$"
        $c_6  = "='6';$"
        $c_4  = "='4';$"
        $c_us = "='_';$"

    condition:
        all of them
}

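rule Malware_Expert_Encoded_string_pattern {
meta:
    description = "Malware.Expert - General Encoded String Pattern"
    author = "Malware.Expert"
    reference = "https://malware.expert"
    date = "2022-01-23"
strings:
    // "= $x['12']." -- a value taken from an indexed array and concatenated
    $str_regex_1 = /(\=| \=|\= )\$[a-z]*\[(\'|\")[0-9]{1,2}(\'|\")\](\.|\. | \.)/
    // "$x = 'create_function'" -- the callback name stored in a variable.
    // FIX: this was written as [create_function]+, which is a character CLASS
    // (any run of the letters c r e a t _ f u n i o, e.g. $a='true'), not the
    // literal function name.  If the loose form was relied on for detections,
    // revert this one line.
    $str_regex_2 = /\$[a-z]*(\=| \=|\= | \= )(\'|\")create_function(\'|\")/
    // "$x['12']." -- indexed array element followed by concatenation
    $str_regex_3 = /\$[a-z]+\[(\'|\")[0-9]{1,2}(\'|\")\]\./
    // ".$x." -- a bare variable concatenated on both sides
    $str_regex_4 = /(\.| {1,}\.|\. {1,})\$[a-z]+(\.| {1,}\.|\. {1,})/
condition:
    // small PHP files only; all four fragments of the string-building idiom must be present
    is_php and (filesize < 7500) and $str_regex_1 and $str_regex_2 and $str_regex_3 and $str_regex_4
}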

//https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/
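rule Malware_Expert_accesspress_backdoor_infection {
meta:
    description = "Malware.Expert - AccessPress themes/plugins backdoor: dropper, dumped payload or callback URL"
    reference = "https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/"
strings:
    // IoC's for the dropper: rewrites the wp_is_mobile() definition in a file
    // and writes the patched source back with file_put_contents()
    $inject0 = "$fc = str_replace('function wp_is_mobile()',"
    $inject1 = "$b64($b) . 'function wp_is_mobile()',"
    $inject2 = "$fc);"
    $inject3 = "@file_put_contents($f, $fc);"

    // IoC's for the dumped payload: a fake wp_is_mobile_fix() that keys off the
    // User-Agent "wp_is_mobile" and exactly eight cookies
    $payload0 = "function wp_is_mobile_fix()"
    $payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
    $payload2 = "$g = $_COOKIE;"
    $payload3 = "(count($g) == 8 && $is_wp_mobile) ?"

    // callback domain; optional www. prefix and optional image path
    $url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/

condition:
    // NOTE: $url0 alone is sufficient, so any file that merely mentions the
    // domain (a write-up, a blocklist, this ruleset's own text) also matches.
    all of ( $inject* )
    or all of ( $payload* )
    or $url0
}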

rule Malware_Expert_Malware_100000 {
meta:
    description = "Malware.Expert - Base64 Encoded Eval"
    author = "Malware.Expert"
    reference = "https://malware.expert"
    date = "2022-02-06"
strings:
    // eval() applied directly to a variable, e.g. ";eval($decoded);"
    $eval_var = ";eval($"

condition:
    // the character-by-character base64_decode construction (private gate)
    // together with the eval-of-a-variable call
    $eval_var and is_base64_decode
}

rule Malware_Expert_Malware_100001 {
meta:
    description = "Malware.Expert - Steal Card Details"
    author = "Malware.Expert"
    reference = "https://malware.expert"
    date = "2022-02-11"
strings:
    $card_var = "$card"
    // either spelling of the security-code field read from the form
    $post_cvv = "$_POST['cvv']"
    $post_cvc = "$_POST['cvc']"
    // headings of the exfiltrated report, as spelled by the malware
    // ("Victem" is the malware's own typo -- keep it verbatim)
    $hdr_victim = "Victem Detail"
    $hdr_card   = "Card Information"
    $hdr_ip     = "IP Address"

condition:
    is_php and $card_var and any of ($post_*) and all of ($hdr_*)
}

rule Malware_Expert_Malware_100002 {
meta:
    description = "Malware.Expert - Steal Card Details"
    author = "Malware.Expert"
    reference = "https://malware.expert"
    date = "2022-02-11"
strings:
    // two ways of reading the client address
    $ip_server = "$_SERVER['REMOTE_ADDR']"
    $ip_getenv = "getenv(\"REMOTE_ADDR\")"
    // card number plus either spelling of the security code, taken from the form
    $post_card = "$_POST['card']"
    $post_cvv  = "$_POST['cvv']"
    $post_cvc  = "$_POST['cvc']"
    // exfiltration via mail() with a variable argument
    $mail_call = "mail($"

condition:
    is_php and any of ($ip_*) and $post_card and ($post_cvv or $post_cvc) and $mail_call
}

rule Malware_Expert_Malware_100003 {
meta:
    description = "Malware.Expert - Steal User Login and Password"
    author = "Malware.Expert"
    reference = "https://malware.expert"
    date = "2022-02-11"
strings:
    $post_read = "$_POST["
    // two ways of reading the client address
    $ip_server = "$_SERVER['REMOTE_ADDR']"
    $ip_getenv = "getenv(\"REMOTE_ADDR\")"
    // labels of the captured record
    $lbl_user = "User:"
    $lbl_pass = "\"Password:"
    $lbl_ip   = "\"IP Address"
    // send by mail, append to a file, then redirect the victim
    $call_mail   = "mail($"
    $call_fopen  = "fopen("
    $call_fwrite = "fwrite($"
    $call_header = "header("

condition:
    is_php and $post_read and any of ($ip_*) and $lbl_user and ($lbl_pass or $lbl_ip) and all of ($call_*)
}

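rule Malware_Expert_Malware_100004 {
meta:
    description = "Malware.Expert - Shell Exec"
    author = "Malware.Expert"
    reference = "https://malware.expert"
    date = "2022-02-16"
strings:
    // the result of shell_exec() being assigned, e.g. "$o = shell_exec($_GET['c']);"
    // (the former second string "shell_exec(" was a substring of this one and so
    // could never change the verdict; it has been dropped)
    $assign_shell_exec = "= shell_exec("

condition:
    // the 150-byte cap restricts this to very small (one-liner style) PHP files
    is_php and $assign_shell_exec and (filesize < 150)
}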

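rule Malware_Expert_Malware_100005 {
meta:
    description = "Malware.Expert - File Upload"
    author = "Malware.Expert"
    reference = "https://malware.expert"
    date = "2022-04-02"
strings:
    // the upload form's encoding type
    $multipart = "multipart/form-data"
    // the uploaded file being moved straight from a superglobal ($_FILES[...])
    // (the former third string "pload" is contained in "move_uploaded_file" and
    // therefore always matched whenever this one did; it has been dropped)
    $move_upload = "move_uploaded_file($_"

condition:
    // the 800-byte cap restricts this to very small PHP uploaders
    is_php and $multipart and $move_upload and (filesize < 800)
}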

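rule Malware_Expert_Malware_100006 {
meta:
    description = "Malware.Expert - Fake malicious plugin allows attackers to execute remote code on affected websites"
    author = "Malware.Expert"
    reference = "https://malware.expert"
    date = "2024-07-05"
strings:
    // plugin header of the fake plugin; sufficient on its own
    $ioc_comment_Plugin_Name = "Plugin Name: Core Stab" nocase
    // "$x = $_COOKIE;"
    $ioc_ternary_eval_cookie = /\$\w+\s*=\s*\$_COOKIE;/
    // "($x && isset($x[(int)round(Cls::fn(123" -- start of the ternary.
    // FIX: the pattern used to begin with "^".  In YARA "^" anchors to the start
    // of the scanned data, not of a line, so it could only match a file whose very
    // first bytes are "($" -- never a file that opens with "<?php" -- and the
    // "all of" branch below was effectively dead.  The anchor is dropped so the
    // ternary is found wherever it sits in the file.
    $ioc_ternary_eval_start = /\(\$\w+\s*&&\s*isset\(\$\w+\[\(int\)round\(\w+::\w+\(\d+/ nocase
    // ") && @eval($x)) :" -- end of the ternary condition (a duplicated "\s*" was collapsed)
    $ioc_ternary_eval_end = /\)\s*&&\s*@?eval\s*\(\s*\$\w+\s*\)\s*\)\s*:/ nocase
condition:
    $ioc_comment_Plugin_Name or
    all of ($ioc_ternary_eval*)
}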