.

lib/plugins/webshell_rule/WShell_THOR_Webshells.yar

@@ -8636,3 +8636,36 @@ rule Webshell_zehir {
 	condition:
 		filesize < 200KB and 1 of them
 }
+rule webshell_webshells_new_shell1 {
+	meta:
+		description = "Web shells"
+		author = "grayddq"
+		date = "2019/11/29"
+	strings:
+		$s0 = "Response.Write(eval"
+		$s1 = "eval(Request.Item"
+		$s2 = "eval request("
+		$s3 = "eval(GET"
+		$s4 = "eval(POST"
+		$s5 = "exec(request.getParameter"
+		$s6 = "Response.Write(eval("
+		$s7 = "eval($_POST"
+		$s8 = "eval($_GET"
+		$s8 = "eval($_GET"
+
+	condition:
+		any of them
+}
+rule webshell_webshells_new_shell1 {
+	meta:
+		description = "Web shells"
+		author = "grayddq"
+		date = "2019/11/29"
+	strings:
+		$s0 = "Request.Form(\"pass\")"
+		$s1 = "eval(fun()"
+	condition:
+		all of them
+}
+
+

lib/plugins/webshell_rule/detect_generic_maliciousness_BROAD_SCAN.yar

@@ -0,0 +1,98 @@
+import "magic"
+
+rule generic_dangerous_php_call {
+        meta:
+                description = "Generic - dangerous file with many dangerous php call"
+                author = "Farhan Faisal"
+                date = "2018/07/17"
+                score = 40
+        strings:
+                $s0 = "base64_decode"
+                $s1 = "file_put_contents"
+             	$s2 = "is_callable"
+                $s3 = "$_SERVER"
+                $s4 = "move_uploaded_file"
+                $s5 = "eval"
+                $s6 = "gzuncompress"
+                $s7 = "ini_set"
+                $s8 = "set_time_limit"
+                $s9 = "error_reporting"
+                $s10 = "memory_limit"
+                $s11 = "stream_context_create"
+                $s12 = "stream_socket_client"
+		$s13 = "scandir"
+		$s14 = "pathinfo"
+		$s15 = "php_uname"
+		$s16 = "is_readable"
+		$s17 = "get_magic_quotes_gpc"
+		$a1 = "SMTP"  			/* exclude phpmailer */
+		$a2 = "CutyCapt"		/* exclude thumb.php */
+		$a3 = "HighlightRules"		/* exclude textHighlighter */
+		$a4 = "array_filter"		/* exclude wpide function list js file*/
+		$a5 = "preview_theme_stylesheet_filter"
+        condition:
+                (8 of ($s*)) and not ($a1 or $a2 or $a3 or ($a4 or $a5))
+}
+
+
+
+rule generic_obfuscated_code_PROBABLE_scan {
+        meta:
+             	description = "Generic - detection of obfuscated code (base64_decode)"
+                author = "Farhan Faisal"
+                date = "2018/07/17"
+                score = 60
+        strings:
+                $s1 = /= \"[0-9a-zA-Z]{1000-600000}/
+                $s2 = /=\"[0-9a-zA-Z]{1000-600000}/
+                $s3 = /[0-9a-zA-Z]{1000-600000}/
+                $aa1 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012345678900000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111111222"
+                $aa2 = "effgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz11223344556677889900abacbcbdcdcededfefegfgfhghgihihjijikjkjlklkmlmlnmnmononpopoqpqprqrqsrsrtstsubcbcdcdedefefgfabcadefbghicjkl"
+                $bb = /[0-9a-zA-Z]{80}/
+                /* exclusion list by strings content */
+                /*$cc1 = "image/png;base64"
+                $cc2 = "application/font-woff"
+                $cc3 = "data:application/x-font-woff"
+                $cc4 = "image/gif"
+                $cc5 = "image/svg+xml"
+                $cc6 = "data:img/png"
+                $cc7 = "data:image/jpeg;base64"
+                $cc8 = "data:application/json" */
+        condition:
+                ($s1 or $s2 or $s3) or (#bb > 10 and #bb < 600)   /*and #bb < 600  */
+                /*and not ( $cc1 or $cc2 or $cc3 or $cc4 or $cc5 or $cc6 or $cc7 or $cc8 )  */
+                and
+                  ( magic.mime_type() != "application/vnd.ms-opentype" ) and
+                  ( magic.mime_type() != "application/octet-stream" ) and
+                  ( magic.mime_type() != "image/png" ) and
+                  ( magic.mime_type() != "image/jpeg" ) and
+                  ( magic.mime_type() != "application/pdf" ) and
+                  ( magic.mime_type() != "image/vnd.adobe.photoshop" )
+                and not
+                ($aa1 or $aa2)
+		and
+		  (
+                        magic.mime_type() == "text/x-php" or
+                        magic.mime_type() == "text/x-c++"
+                  )
+}
+
+rule generic_webshell_long_base64code {
+        meta:
+                description = "Webshell-GENERIC. Obfuscated/long base46 code."
+                author = "Farhan Faisal"
+                date = "2018/07/21"
+                score = 60
+        strings:
+		        $s1 = /= \"[0-9a-zA-Z]{1000-600000}/
+                $s2 = /=\"[0-9a-zA-Z]{1000-600000}/
+                $s3 = /[0-9a-zA-Z]{1000-600000}/
+                $bb = /[0-9a-zA-Z]{80}/  
+        condition:
+                ($s1 or $s2 or $s3) or (#bb > 600) and not (#bb < 599) 
+		and 
+			(
+			magic.mime_type() == "text/x-php" or
+			magic.mime_type() == "text/x-c++"
+			)
+}

lib/plugins/webshell_rule/detect_obfuscation.yar

@@ -0,0 +1,131 @@
+import "magic"
+
+rule Webshell_obfuscated_1 {
+	meta:
+		description = "Webshell-obfuscated. Need further analysis /missed/helper.php"
+        author = "Farhan Faisal"
+        date = "2018/07/17"
+        score = 60
+		hash = "316c188bbbf34d92c840e32f7c1b148f"
+	strings:
+		$ss1 = "foreach(array"
+		$ss2 = "''.''."
+		$ss3 = "()"
+	condition:
+		filesize > 110KB and filesize < 130KB and (#ss1 > 1) and (#ss2 > 8) and $ss3
+}
+
+rule Webshell_obfuscated_2 {
+	meta:
+		description = "Webshell-obfuscated. Need further analysis /missed/decode.php"
+        author = "Farhan Faisal"
+        date = "2018/07/21"
+        score = 60
+        hash = "d8577ec2847469fefcfb6839af524166"
+	strings:
+		$ss1 = "GLOBALS"
+		$ss2 = "]."
+		$aa1 = "foreach ($_POST"
+		$aa2 = "str_split"
+		$aa3 = "rawurldecode"
+		$aa4 = "str_rot13"
+		$aa5 = "phpversion"
+		$aa6 = "is_writable"
+		$aa7 = "file_put_contents"
+	condition:
+		(#ss1 > 1) and (#ss2 > 90) and (all of ($aa*))
+}
+
+
+rule Webshell_obfuscated_3 {
+	meta:
+		description = "Webshell-obfuscated. Need further analysis /missed/baer.php"
+        author = "Farhan Faisal"
+        date = "2018/07/21"
+        score = 60
+        hash = "f2d7553b97d8e0a0258e48c3ca42a7d2"
+	strings:
+		$bb = /[0-9a-zA-Z]{80}/
+		$aa1 = "array"
+		$aa2 = "();"
+		$xx1 = "TextareaAutosize.prototype.componentDidMount"
+		$xx2 = "ZoneScore.prototype.scoreOffsetAt"
+	condition:
+		(#bb > 40000) and (#aa1 > 3) and ($aa2) and not (any of ($xx*))
+}
+
+rule Webshell_obfuscated_4_hexa {
+	meta:
+		description = "Webshell-obfuscated. Need further analysis /missed/prv8.php"
+        author = "Farhan Faisal"
+        date = "2018/07/21"
+        score = 60
+        hash = "994efbd230e21cc85a5acf39652cee26"
+	strings:
+		$s = "\\x"
+		$xx1 = "SimplePie"
+		$xx2 = "CRYPT_DES_MODE"
+		$xx3 = "Nette Framework"
+		$xx4 = "X-Poedit-KeywordsList"  /* Evolve theme language file PO*/
+		$xx5 = "PREG_CLASS_SEARCH_EXCLUDE"  /*prestashop search.php core file */
+		$xx6 = "SwiftMailer"
+		$xx7 = "minify@mullie.eu"
+		$xx8 = "e.moment=a()"
+		$xx9 = "underscorejs.org"
+	condition:
+		(#s > 200) and not (any of ($xx*))
+}
+
+
+
+rule Webshell_obfuscated_5_GLOBAL_sort {
+	meta:
+		description = "Webshell-obfuscated 5. Use GLOBAL and sort. Need further analysis /missed/db_connector.php"
+        author = "Farhan Faisal"
+        date = "2018/07/21"
+        score = 60
+        hash = "e1cf9ccce21bb609ba3c19cc6a7d0b80"
+	strings:
+		$s1 = "GLOBALS"
+		$s2 = "eval"
+		$xx1 = "]["
+		$xx2 = "\\x"
+	condition:
+		(all of ($s*)) and (#xx1 > 30) and (#xx2 > 20) and (filesize < 30KB)
+}
+
+
+rule Webshell_obfuscated_6_weirdChar {
+	meta:
+		description = "Webshell-obfuscated 6. weird char. Need further analysis /missed/baklswty.php"
+        author = "Farhan Faisal"
+        date = "2018/07/22"
+        score = 60
+        hash = "3454e48b6d84b816c0dcd6abd79ad05a"
+	strings:
+		$s1 = "php"
+		$s2 = "function"
+		$s3 = "rawurl"
+		$s4 = "decode"
+		$s5 = "eval"
+		$xx1 = "=>"
+	condition:
+		(all of ($s*)) and (#xx1 > 40) and filesize < 8KB
+}
+
+rule Webshell_obfuscated_IRCBOT_1 {
+	meta:
+		description = "Webshell-obfuscated 6. weird char. Need further analysis /missed/boxpeiur.php"
+        author = "Farhan Faisal"
+        date = "2018/07/22"
+        score = 60
+        hash = "18b07c5e3f4521ef7a3b141250ef9707"
+	strings:
+		$s1 = "gethostbyaddr"
+		$s2 = "CURLOPT"
+		$s3 = "chmod"
+		$xx1 = "'#"
+	condition:
+		filesize < 8KB and (#xx1 > 10) and (all of ($s*))
+}
+

lib/plugins/webshell_rule/detect_phpmailer.yar

@@ -0,0 +1,98 @@
+
+
+rule phpmailer_Real_Leaf_phpMailer {
+	meta:
+		description = "phpMailer - Real Leaf phpMailer"
+                author = "Farhan Faisal"
+                date = "2018/07/19"
+                score = 60
+	strings:
+		$s1 = "leafmailer.pw"
+	condition:
+		$s1
+}
+
+
+rule phpmailer_shock_priv8_phpMailer {
+        meta:
+                description = "phpMailer - Shock Priv8 phpMailer"
+                author = "Farhan Faisal"
+                date = "2018/07/19"
+                score = 60
+        strings:
+		$s1 = "PHP Mailer"
+                $s2 = "Priv8"
+		$s3 = "Mailer"
+		$s4 = "abcdefghijklmnopqrstuvwxyz0123456789"
+		$s5 = "multipart/form-data"
+		$a1 = "lrtrim"
+		$a2 = "str_replace"
+		$a3 = "whitespace"
+        condition:
+                ($s1 and $s2 and $s3 and $s4 and $s5) and (#a1 > 14) and (#a2 > 11) and (#a3 > 8)
+}
+
+
+
+rule phpmailer_Xsender_phpmailer {
+	meta:
+             	description = "phpMailer - Xsender mailer"
+                author = "Farhan Faisal"
+                date = "2018/07/19"
+                score = 60
+	strings:
+		$s1 = "multipart/form-data"
+		$s5 = "chunk_split"
+		$s6 = "base64_encode"
+		$s7 = "MIME-Version"
+		$s8 = "xsenderid"
+		$a1 = "str_replace"
+		$a2 = "sanitize"
+		$a3 = "textarea"
+	condition:
+		(all of ($s*)) and ( #a1 > 24) and (#a2 > 7) and (#a3 > 6)
+}
+
+rule phpmailer_Xsender_V1_phpmailer {
+        meta:
+             	description = "phpMailer - Xsender V1 mailer"
+                author = "Farhan Faisal"
+                date = "2018/07/19"
+                score = 60
+        strings:
+                $s1 = "multipart/form-data"
+                $s2 = "ob_gzhandler"
+                $s3 = "fuck"
+                $s4 = "shit"
+                $s5 = "chunk_split"
+                $s6 = "base64_encode"
+             	$s7 = "MIME-Version"
+                $s8 = "xsenderid"
+		$s9 = "tatata"
+                $s10 = "Ukraine (UA)"
+		$s11 = "Randommix"
+		$s12 = "xSenderV1"
+		$s13 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                $a1 = "str_replace"
+                $a2 = "sanitize"
+                $a3 = "textarea"
+        condition:
+                (all of ($s*)) and ( #a1 > 30) and (#a2 > 6) and (#a3 > 4)
+}
+
+
+
+rule phpMailer_class_generic_customized_by_Acyba {
+	meta:
+		description = "phpMailer class - phpmailer.sourceforge.net - Customized by Acyba"
+                author = "Farhan Faisal"
+                date = "2018/07/19"
+                score = 60
+	strings:
+		$s1 = "phpmailer.sourceforge.net"
+		$s2 = "Andy Prevost"
+		$s3 = "PHPMAILER_LANG"
+		$aa = "mail("
+	condition:
+		(#aa > 5) and (all of ($s*))
+}