19 lines
1.2 KiB
Plaintext
19 lines
1.2 KiB
Plaintext
|
|
rule Backdoor_Linux_LaoShu_A{
|
|
meta:
|
|
description = "Backdoor:Linux/LaoShu.A,SIGNATURE_TYPE_MACHOHSTR_EXT,0c 00 0c 00 08 00 00 02 00 "
|
|
|
|
strings :
|
|
$a_01_0 = {48 74 59 47 45 34 66 46 52 6a 34 44 4d 74 39 53 39 56 2f 38 47 } //02 00 HtYGE4fFRj4DMt9S9V/8G
|
|
$a_01_1 = {5f 6d 73 67 53 65 6e 64 53 75 70 65 72 32 } //02 00 _msgSendSuper2
|
|
$a_03_2 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 61 74 74 61 63 68 6d 65 6e 74 3b 20 6e 61 6d 65 3d 22 90 02 10 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 25 40 90 00 } //02 00
|
|
$a_03_3 = {63 79 63 3a 3a 90 02 05 79 63 79 3a 90 02 05 65 6e 64 3a 6b 65 79 3a 90 00 } //02 00
|
|
$a_01_4 = {2f 75 73 72 2f 62 69 6e 2f 7a 69 70 00 2d 73 00 32 35 6d 00 2d 72 00 61 00 25 40 25 40 00 2e 7a 69 70 } //02 00 甯牳戯湩稯灩ⴀs㔲m爭愀─╀@種灩
|
|
$a_01_5 = {79 61 6e 67 2f 6c 61 73 74 75 70 64 61 74 65 75 70 6c 6f 61 64 65 72 } //02 00 yang/lastupdateuploader
|
|
$a_01_6 = {77 6f 72 74 00 65 71 6f 78 00 62 6f 76 78 00 63 78 78 } //02 00 潷瑲攀潱x潢硶挀硸
|
|
$a_01_7 = {63 6f 6d 2e 61 6e 64 72 65 77 2e 75 74 69 6c 69 74 79 } //00 00 com.andrew.utility
|
|
$a_00_8 = {5d 04 00 00 0c 13 } //03 80
|
|
condition:
|
|
any of ($a_*)
|
|
|
|
} |