moved to definitions

moved to definitions

definitions/patterns_raw.txt

@@ -0,0 +1,325 @@
+#Raw string patterns
+#All strings in this file are case sensitive
+#Comments are supported, but '#' must be the first character (index[0]) on the line.
+#More critical patterns should be higher in the file as only the first pattern match is reported.
+
+#Backdoor patterns
+@eval($_POST['
+Backdoor
+@include($_GET[
+system($_GET[
+md5($_GET[
+fwrite($fpsetv, getenv("HTTP_COOKIE")
+system\"$cmd 1> /tmp/
+
+#Web-Shell patterns
+$sh3llColor
+w4ck1ng shell
+private Shell by m4rco
+Shell by Mawar_Hitam
+SHELL_PASSWORD
+ConnectBackShell
+ShellBOT
+== "bindshell"
+
+#Remote Code
+curl_get_from_webpage
+file_get_contents('http://codepad.org
+
+
+#Base64 String Samples.  Each plain text string should have 3 base64 equivalents
+
+# "shell" in base64
+c2hlbG
+NoZWxs
+zaGVsb
+
+# "<?php" in base64
+PD9waH
+w/cGhw
+8P3Boc
+
+# "stat" in base64
+c3Rhd
+N0YX
+zdGF0
+
+# "copy" in base64
+Y29we
+NvcH
+jb3B5
+
+# "chr" in base64
+Y2hy
+
+# "system" in base64
+c3lzdGVt
+N5c3Rlb
+zeXN0ZW
+
+# "replace" in base64
+cmVwbGFjZ
+JlcGxhY2
+yZXBsYWNl
+
+# "str_" in base64
+c3RyX
+N0cl
+zdHJf
+
+# "exec" in base64
+ZXhlYy
+V4ZWMo
+leGVjK
+
+# "echo" in base64
+ZWNob
+VjaG
+lY2hv
+
+# "function" in base64
+ZnVuY3Rpb2
+Z1bmN0aW9u
+mdW5jdGlvb
+
+# "include" in base64
+aW5jbHVkZ
+luY2x1ZG
+pbmNsdWRl
+
+# "require" in base64
+cmVxdWlyZ
+JlcXVpcm
+yZXF1aXJl
+
+# "base64" in base64
+YmFzZTY0
+Jhc2U2N
+iYXNlNj
+
+# "eval" in base64
+ZXZhb
+V2YW
+ldmFs
+
+# "HTTP_USER_AGENT" in base64
+SFRUUF9VU0VSX0FHRU5U
+hUVFBfVVNFUl9BR0VOV
+IVFRQX1VTRVJfQUdFTl
+
+# "file" in base64
+ZmlsZ
+ZpbG
+maWxl
+
+# "gzinflate" in base64
+Z3ppbmZsYXRl
+d6aW5mbGF0Z
+nemluZmxhdG
+
+# "open" in base64
+b3Blb
+9wZW
+vcGVu
+
+# "close" in base64
+Y2xvc2
+Nsb3Nl
+jbG9zZ
+
+# "array_" in base64
+YXJyYXlf
+FycmF5X
+hcnJheV
+
+# "cslashes" in base64
+Y3NsYXNoZX
+NzbGFzaGVz
+jc2xhc2hlc
+
+# "extract" in base64
+ZXh0cmFjd
+V4dHJhY3
+leHRyYWN0
+
+# "$_GET" in base64
+JF9HRV
+RfR0VU
+kX0dFV
+
+# "$_POST" in base64
+JF9QT1NU
+RfUE9TV
+kX1BPU1
+
+# "$_COOKIE" in base64
+JF9DT09LSU
+RfQ09PS0lF
+kX0NPT0tJR
+
+# "$_REQUEST" in base64
+JF9SRVFVRVNU
+RfUkVRVUVTV
+kX1JFUVVFU1
+
+# "GLOBALS" in base64
+R0xPQkFMU
+dMT0JBTF
+HTE9CQUxT
+
+# "sizeof" in base64
+c2l6ZW9m
+NpemVvZ
+zaXplb2
+
+# "printf" in base64
+cHJpbnRm
+ByaW50Z
+wcmludG
+
+# "define" in base64
+ZGVmaW5l
+RlZmluZ
+kZWZpbm
+
+# Obfuscation related code
+eval("?>
+"base64_decode"
+='base'.(32*2).'_de'.'code'
+"p"."r"."e"."g"."_"
+WSOstripslashes
+\x73\x79\x73\x74\x65\x6d' /* case, dec/hex issue? */, // system
+\x70\x72\x65\x67\x5f\x72\x65\x70\x6c\x61\x63\x65' /* case, dec/hex issue? */, // preg_replace
+\x65\x78\x65\x63' /* dec/hex issue? */, // exec
+ev\x61l
+\x65\166\x61\154\x28' /* dec/hex issue? */,
+\x65\x76\x61\x6C' /* case, dec/hex issue? */,
+'ev'.'al'.'
+eval(base64_decode(
+<?php eval
+$data = base64_decode("
+edoced_46esab
+base=base64_encode
+cr"."eat"."e_fun"."cti"."on
+gz'.'inf'.'late
+# fopo.com.ar - free online php obfuscator. It conveniently leaves comments in the code.
+http://www.fopo.com.ar/
+
+
+#Malware/Attack specific strings/fingerprints/signatures
+MagelangCyber
+//rasta//
+Baby_Drakon
+Created By EMMA
+3xp1r3
+NinjaVirus Here
+<dot>IrIsT
+Hacked By EnDLeSs
+Punker2Bot
+Zed0x
+darkminz
+ReaL_PuNiShEr
+OoN_Boy
+Pashkela
+Webcommander at
+YENI3ERI
+d3lete
+Made by Delorean
+Cybester90
+K!LL3r
+MrHazem
+BY MMNBOBZ
+Hackeado
+bgeteam
+VOBRA GANGO
+Asmodeus
+Cautam fisierele de configurare
+BRUTEFORCING
+FaTaLisTiCz_Fx Fx29Sh
+DX_Header_drawn
+Dr.abolalh
+C0derz.com
+Mr.HiTman
+IrSecTeam
+FLoodeR
+eriuqer
+zehirhacker
+freetellafriend.com
+casus15
+temp_r57_table
+By Psych0
+c99ftpbrutecheck
+d3b~X
+profexor.hell
+ZOBUGTEL
+The Dark Raver
+<kuku>
+M4ll3r
+itsoknoproblembro
+tmhapbzcerff
+IndoXploit
+FaisaL Ahmed aka rEd X
+
+
+#Miscellaneous
+uname -a
+/etc/shadow
+/etc/passwd
+\x47\x4c\x4f\x42\x41LS
+${${
+PHPJiaMi
+DisablePHP=
+moban.html
+a,b,c,d,e,f,g
+@x0powo
+@preg_replace
+1@1.com
+META http-equiv="refresh" content="0;
+="create_";global
+Net@ddress Mail
+__VIEWSTATEENCRYPTED
+createFilesForInputOutput
+R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAA
+ayu pr1 pr2 pr3 pr4 pr5 pr6
+f0VMRgEBAQA
+0d0a0d0a676c6f62616c20246d795f736d7
+etalfnizg
+JHZpc2l0Y291bnQgPSAkSFRUUF9DT09LSUVf
+R2aXNpdGNvdW50ID0gJEhUVFBfQ09PS0lFX
+kdmlzaXRjb3VudCA9ICRIVFRQX0NPT0tJRV
+HTTP flood complete after
+exploitcookie
+az88pix00q98
+Q3JlZGl0IDogVW5kZXJncm91bmQgRGV2aWwgJm5ic3A7ICB8DQo8YSBocmVmP
+463839610c000b00800100ffffffffffff21f90401000001002c000
+AAAAAAAAMAAwABAAAAeAUAADQAAADsCQAAAAAAADQAIAADACgAFwAUAAEA
+HJ3HjutckoRfpXf9A1zQO2AwDRrRey9uGvTeez79qAao1a0rgudkZkR8Ra
+Ly83MTg3OWQyMTJkYzhjYmY0ZDRmZDA0NGEzZDE3Zjk3ZmI2N
+DJ7VIU7RICXr6sEEV2cBtHDSOe9nVdpEGhEmvRVRNURfw1wQ
+LS0gRHVtcDNkIGJ5IFBpcnVsaW4uUEhQIFdlYnNoM2xsIHYxLjAgYzBkZWQgYnkgcjBkcjEgOkw\=
+5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigk
+X1NFU1NJT05bJ3R4dGF1dGhpbiddID0gdHJ1ZTsNCiAgICBpZiAoJF9QT1NUWydybSddKSB7DQogICAgICBzZXRjb29raWUoJ3R4dGF1dGhfJy4kcm1ncm91cCwgbW
+R0lGODlhFAAUAKIAAAAAAP///93d3cDAwIaGhgQEBP///wAAACH5BAEAAAYALAAAAAAUABQAA
+m91dCwgJGVvdXQpOw0Kc2VsZWN0KCRyb3V0ID0gJHJpbiwgdW5kZWYsICRlb3V0ID0gJHJpbiwgMTIwKTsNCmlmICghJHJvdXQgICYmICAhJGVvdX
+CB2aTZpIDEwMjQtDQojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KI3JlcXVp
+BDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL/wAARCAAQABADASIAAhEBA
+REREFER_PTTH
+Joomla_brute_Force
+/usr/sbin/httpd
+sshkeys
+eggdrop
+rwxrwxrwx
+GIF89A;<?php
+putbot $bot
+bind join - *
+privmsg $chan
+\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f
+\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd
+find / \-type f \-name \.htpasswd
+find / \-type f \-perm \-02000 \-ls
+find / \-type f \-perm \-04000 \-ls
+if(''==($df=@ini_get('disable_functions
+ncftpput -u
+wsoEx(
+WSOsetcookie(
+\x47\x4c\x4f\x42\x41\x4c\x53