Remove webshells without match_string and add new webshell detections #62

Apr 22, 2024
87 changes: 49 additions & 38 deletions tachyon/data/files.json
Expand Up @@ -977,124 +977,135 @@
]
},
{
"description": "Comon backdoors",
"description": "Common backdoors",
"data": [
{
"no_suffix": true,
"url": "r57shell.php",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "r57 Shell"
},
{
"no_suffix": true,
"url": "r57.php",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "r57shell"
},
{
"no_suffix": true,
"url": "c99shell.php",
"severity": "critical",
"description": "Common backdoor",
"type": "malware",
"match_string": "c999shell"
"match_string": "c99shell"
},
{
"no_suffix": true,
"url": "c99.php",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "c99shell"
},
{
"no_suffix": true,
"url": "nstview.php",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "nsT"
},
{
"no_suffix": true,
"url": "nst.php",
"url": "cmdasp.asp",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "<!-- http://michaeldaw.org 2006 -->"
},
{
"no_suffix": true,
"url": "rst.php",
"url": "cmdasp.aspx",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "awen asp.net webshell"
},
{
"no_suffix": true,
"url": "r57eng.php",
"url": "cmdjsp.jsp",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "<FORM METHOD=GET ACTION='cmdjsp.jsp'>\n<INPUT name='cmd' type=text>\n<INPUT type=submit value='Run'>\n</FORM>"
},
{
"no_suffix": true,
"url": "r.php",
"url": "jsp-reverse.jsp",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "JSP Backdoor Reverse Shell"
},
{
"no_suffix": true,
"url": "lol.php",
"url": "jspwebshell12.jsp",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "JspWebShell By"
},
{
"no_suffix": true,
"url": "zenhir.php",
"url": "simple-backdoor.php",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd"
},
{
"no_suffix": true,
"url": "c-h.v2.php",
"url": "qsd-php-backdoor.php",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "<form action=\"\" METHOD=\"GET\">\n<table>\n<tr><td>host</td><td><input type=\"text\" name=\"host\"value=\"localhost\"></td></tr>\n<tr><td>user</td><td><input type=\"text\" name=\"usr\" value=\"root\"></td></tr>\n<tr><td>password</td><td><input type=\"text\" name=\"passwd\"></td></tr>\n<tr><td>database</td><td><input type=\"text\" name=\"db\"></td></tr>\n<tr><td valign=\"top\">query</td><td><textarea name=\"mquery\" rows=\"6\" cols=\"65\"></textarea></td></tr>\n<tr><td colspan=\"2\"><input type=\"submit\" value=\"Execute\"></td></tr>\n</table>\n</form>"
},
{
"no_suffix": true,
"url": "php-backdoor.php",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
"type": "malware",
"match_string": "host:<input type=\"text\" name=\"host\"value=\"localhost\"> user: <input type=\"text\" name=\"usr\" value=root> password: <input type=\"text\" name=\"passwd\">\n\ndatabase: <input type=\"text\" name=\"db\"> query: <input type=\"text\" name=\"mquery\"> <input type=\"submit\" value=\"execute\">\n</form>"
},
{
"no_suffix": true,
"url": "cmdasp.asp",
"url": "perl-reverse-shell.pl",
"severity": "critical",
"description": "Common backdoor",
"type": "malware"
},
{
"url": "shell",
"description": "Common backdoor",
"type": "malware",
"severity": "critical"
"match_string": "Browser IP address appears to be: "
},
{
"url": "backdoor",
"no_suffix": true,
"url": "perlcmd.cgi",
"severity": "critical",
"description": "Common backdoor",
"type": "malware",
"severity": "critical"
"match_string": "Usage: http://target.com/perlcmd.cgi?cat /etc/passwd"
},
{
"url": "cmd",
"no_suffix": true,
"url": "cfexec.cfm",
"severity": "critical",
"description": "Common backdoor",
"type": "malware",
"severity": "critical"
"match_string": "Prefix DOS commands with \"c:\\windows\\system32\\cmd.exe /c &lt;command&gt;\" or wherever cmd.exe is"
}
]
},
Expand Down Expand Up @@ -1269,16 +1280,16 @@
},
{
"description": "Apache server files",
"data" : [
"data": [
{
"url" : "/server-info",
"description" : "Apache debug server information",
"url": "/server-info",
"description": "Apache debug server information",
"severity": "critical",
"no_suffix": true
},
{
"url" : "/server-status",
"description" : "Apache debug server status",
"url": "/server-status",
"description": "Apache debug server status",
"severity": "critical",
"no_suffix": true
}
Expand Down Expand Up @@ -1440,4 +1451,4 @@
}
]
}
]
]
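Review bot: The three-character `"match_string": "nsT"` added for `nstview.php` is a weak signature for a `critical` finding — if the comparison is a plain case-sensitive substring test (the matcher itself is not visible in this hunk), any 200 response whose body happens to contain those letters, e.g. inside minified JavaScript or a base64 blob on a catch-all page, would be reported as a backdoor; every other new entry uses a full banner or form fragment, and this one should too (a longer excerpt from the shell's title banner, confirmed against a sample). The multi-line strings for `cmdjsp.jsp`, `qsd-php-backdoor.php` and `php-backdoor.php` embed literal `\n`, so a copy of the shell saved with CRLF line endings or re-indented would silently not match; a single distinctive line such as `name=\"mquery\"` is more robust than the whole form. Minor: `r57shell.php` matches `r57 Shell` while `r57.php` matches `r57shell` — either pick one form for the family or confirm each string against its respective sample, since a near-miss here means the entry never fires.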