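// WatchBog Linux botnet loader.
//
// Matches an ELF binary that carries an embedded Python runtime ($py0) together
// with the scanner/exploit routine names, the pastebin-backed cron persistence
// lines and the Jira (CVE-2019-11581) template-injection request strings seen
// in the sample referenced below. The Exim CVE-2019-10149 payloads are kept in
// comments only (see the strings section).
//
// NOTE(review): the rule is named "WatchDog" while the file and the campaign
// are "WatchBog". The name is kept unchanged because downstream rulesets may
// reference it; rename only together with every consumer.
rule WatchDog_Botnet: botnet linuxmalware exploitation cve_2019_11581 cve_2019_10149
{
    meta:
        Author = "Adam M. Swanda"
        Website = "https://www.deadbits.org"
        Repo = "https://github.com/deadbits/yara-rules"
        Date = "2019-07-22"
        Reference = "https://twitter.com/polarply/status/1153232987762376704"
        description = "WatchBog Linux ELF with embedded Python: scans/exploits Nexus, CouchDB, Jenkins, Laravel, Redis, Jira and Exim, persists via pastebin-fetching cron entries"

    strings:
        // Observed in the sample but deliberately not used in the condition.
        // The RCPT TO ${run{...}} lines are the public CVE-2019-10149 PoC
        // shape and would also hit harmless exploit-test tooling.
        // $email = "jeff4r@watchbog.com"
        // $py1 = "jail.py" ascii fullword
        // $rcpt1 = "RCPT TO:<${run{\x2Fbin\x2Fsh\t-c\t\x22bash\x20\x2Ftmp\x2Fbaby\x22}}@localhost>" ascii fullword
        // $rcpt2 = /RCPT TO:<\$\{run\{\\x2Fbin\\x2Fsh\\t-c\\t\\x22curl\\x20https\\x3a\\x2F\\x2Fpastebin.com\\x2Fraw/

        // Embedded Python runtime marker (e.g. a frozen/bundled interpreter);
        // gates every branch of the condition so plain shell droppers do not hit.
        $py0 = "libpython" ascii

        // Persistence: root cron entries that re-fetch stage-2 from pastebin,
        // plus the Tor2web gateway and external-IP lookup services the
        // sample contacts.
        $str0 = "*/3 * * * * root wget -q -O- https://pastebin.com/raw/" ascii
        $str1 = "*/1 * * * * root curl -fsSL https://pastebin.com/raw/" ascii
        $str6 = "onion.to"
        // FIX: '.' escaped so the literal is pastebin.com, not pastebin<any>com.
        // Note $str7 is a substring of $str0/$str1, so it matches whenever
        // either cron line does.
        $str7 = /https?:\/\/pastebin\.com\/raw/ nocase
        $str8 = "http://icanhazip.com/"
        $str9 = "http://ident.me/"

        // Scanner routine names.
        $scan0 = "Scan_run"
        $scan1 = "scan_nexus"
        $scan2 = "scan_couchdb"
        $scan3 = "scan_jenkins"
        $scan4 = "scan_laravel"
        $scan5 = "scan_redis"

        // Exploit identifiers as they appear in the binary (underscored).
        $exploit01 = "CVE_2015_4335"
        $exploit02 = "CVE_2018_1000861"
        $exploit03 = "CVE_2018_8007"
        // NOTE(review): probably a truncated CVE_2019_10149 (Exim, also tagged
        // on this rule). Left as-is: without 'fullword' it still matches the
        // full identifier as a substring, so correcting it would not change
        // results on the original sample — confirm against the sample.
        $exploit04 = "CVE_2019_1014"
        $exploit05 = "CVE_2019_11581"
        $exploit06 = "CVE_2019_7238"

        // Exploitation routine names, one per targeted product.
        $pwn0 = "pwn_couchdb"
        $pwn1 = "pwn_jenkins"
        $pwn2 = "pwn_jira"
        $pwn3 = "pwn_nexus"
        $pwn4 = "pwn_redis"
        $pwn5 = "pwn_exim"

        // FIX: the original /payload(s)/ made the 's' mandatory (a bare group
        // is not optional), so the singular "payload" never matched. 's?' is
        // what the parentheses were evidently meant to express.
        $payload = /payloads?/ nocase

        // Jira CVE-2019-11581 request-building format strings: XSRF token and
        // session cookie placeholders plus the Velocity "$cmd" injection.
        $jira_token = "atlassian.xsrf.token=%s" ascii fullword
        $jira_cmd = "set ($cmd=\"%s\")" ascii fullword
        $jira_id = "JSESSIONID=%s" ascii fullword

        /*
        Disabled: hard-coded user-agent table from the sample. Not yet used
        because the author was unsure about adding them. If enabled, each
        string needs its own identifier (numbered below so the block can be
        uncommented as-is) and must be referenced in the condition, since
        YARA does not accept unreferenced strings.
        $ua00 = "Mozilla_4_0_compatible_MSIE_6_0"
        $ua01 = "Mozilla_4_0_compatible_MSIE_6_0_2"
        $ua02 = "Mozilla_4_0_compatible_MSIE_6_0_3"
        $ua03 = "Mozilla_4_0_compatible_MSIE_7_0"
        $ua04 = "Mozilla_4_0_compatible_MSIE_7_0_2"
        $ua05 = "Mozilla_4_0_compatible_MSIE_7_0_3"
        $ua06 = "Mozilla_4_0_compatible_MSIE_7_0_4"
        $ua07 = "Mozilla_4_0_compatible_MSIE_7_0b"
        $ua08 = "Mozilla_5_0_Macintosh_Intel_Mac"
        $ua09 = "Mozilla_5_0_Windows_NT_5_1_Apple"
        $ua10 = "Mozilla_5_0_Windows_NT_6_1_WOW64"
        $ua11 = "Mozilla_5_0_Windows_NT_6_1_WOW64_2"
        $ua12 = "Mozilla_5_0_Windows_NT_6_1_WOW64_3"
        $ua13 = "Mozilla_5_0_Windows_NT_6_1_WOW64_4"
        $ua14 = "Mozilla_5_0_Windows_NT_6_1_WOW64_5"
        $ua15 = "Mozilla_5_0_Windows_NT_6_1_WOW64_6"
        $ua16 = "Mozilla_5_0_Windows_NT_6_1_Win64"
        $ua17 = "Mozilla_5_0_Windows_U_MSIE_9_0_W"
        $ua18 = "Mozilla_5_0_Windows_U_Windows_NT"
        $ua19 = "Mozilla_5_0_Windows_U_Windows_NT_2"
        $ua20 = "Mozilla_5_0_Windows_U_Windows_NT_3"
        $ua21 = "Mozilla_5_0_X11_Linux_i686_U_Gec"
        $ua22 = "Mozilla_5_0_X11_U_Linux_en_US_Ap"
        $ua23 = "Mozilla_5_0_X11_U_Linux_i686_en"
        $ua24 = "Mozilla_5_0_X11_U_Linux_x86_64_z"
        $ua25 = "Mozilla_5_0_X11_Ubuntu_Linux_x86"
        $ua26 = "Mozilla_5_0_compatible_MSIE_8_0"
        $ua27 = "Mozilla_5_0_compatible_MSIE_9_0"
        $ua28 = "Mozilla_5_0_compatible_MSIE_9_0_2"
        $ua29 = "Mozilla_5_0_compatible_MSIE_9_0_3"
        $ua30 = "Mozilla_5_0_iPad_U_CPU_OS_4_2_1"
        */

    condition:
        // ELF magic (\x7fELF) at offset 0 and the Python runtime marker are
        // required for every branch; each branch then needs a full cluster
        // of indicators so a single shared string (e.g. a pastebin URL or an
        // IP-lookup service) cannot trigger the rule on its own.
        uint32be(0x0) == 0x7f454c46
        and $py0
        and
        (
            // full scanner + exploiter routine set
            (all of ($pwn*) and all of ($scan*))
            or
            // Jira exploit strings plus most of the persistence/network IOCs
            ($payload and all of ($jira*) and 5 of ($str*))
            or
            // every persistence/network IOC plus every CVE identifier
            (all of ($str*) and all of ($exploit*))
        )
}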