Merge pull request Yara-Rules#357 from leviathan2701/master

Webshells/WShell_Drupalgeddon2_icos.yar has been added in order to de…
k0ko380 · Jan 7, 2020 · b979e00 · b979e00
2 parents ce92a41 + e84f73d
commit b979e00
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/Webshells/WShell_Drupalgeddon2_icos.yar b/Webshells/WShell_Drupalgeddon2_icos.yar
@@ -0,0 +1,26 @@
+/*
+This Yara ruleset is under the GNU-GPLv2 license 
+(http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or 
+organization, as long as you use it under this license.
+*/
+
+/*
+Author: Luis Fueris 
+Date: 4 october, 2019
+Description: Drupalgeddon 2 - Web Shells Extract. This rules matchs with
+webshells that inserts the Drupal core vulnerability SA-CORE-2018-002 
+(https://www.drupal.org/sa-core-2018-002)
+*/
+
+rule Dotico_PHP_webshell : webshell {
+    meta:
+        description = ".ico PHP webshell - file <eight-num-letter-chars>.ico"
+        author = "Luis Fueris"
+        reference = "https://rankinstudio.com/Drupal_ico_index_hack"
+        date = "2019/12/04"
+    strings:
+        $php = "<?php" ascii
+        $regexp = /basename\/\*[a-z0-9]{,6}\*\/\(\/\*[a-z0-9]{,5}\*\/trim\/\*[a-z0-9]{,5}\*\/\(\/\*[a-z0-9]{,5}\*\//
+    condition:
+        $php at 0 and $regexp and filesize > 70KB and filesize < 110KB
+}
diff --git a/Webshells_index.yar b/Webshells_index.yar
@@ -9,3 +9,4 @@ include "./Webshells/WShell_PHP_in_images.yar"
 include "./Webshells/WShell_THOR_Webshells.yar"
 include "./Webshells/Wshell_ChineseSpam.yar"
 include "./Webshells/Wshell_fire2013.yar"
+include "./Webshells/WShell_Drupalgeddon2_icos.yar"