Gecko [ finalhopeacademy.com ]

Name	Size	Permission
csig.dat	13.97 KB	-rw-------
custom.hex.dat	0 B	-rw-r--r--
custom.md5.dat	0 B	-rw-r--r--
hex.dat	501.66 KB	-rw-r--r--
maldet.sigs.ver	14 B	-rw-r--r--
md5.dat	2.46 MB	-rw-r--r--
md5v2.dat	2.68 MB	-rw-r--r--
rfxn.hdb	2.49 MB	-rw-r--r--
rfxn.ndb	510.61 KB	-rw-r--r--
rfxn.yara	1.34 KB	-rw-r--r--
rfxn.yara.bk	0 B	-rw-r--r--
rfxn.yara.patch	546 B	-rw-r--r--
sha256v2.dat	3.79 MB	-rw-------

Code Editor : rfxn.yara

rule Backdoor_PHP_WPVCD_TempExecution {
    meta:
       description = "Backdoor script associated with WP-VCD."

strings:
       $re = /extract\s*$\s*wp_temp_setupx?\s*\(\s*\$\w+\s*$\s*\)/ nocase

condition:
       $re
}

rule Backdoor_PHP_WPVCD_DivCodeName {
    meta:
       description = "Backdoor script associated with WP-VCD"

strings:
       $re = /\$div_code_name\s*\=\s*['"]wp_vcd['"];/ nocase

condition:
       $re
}

rule Backdoor_PHP_WPVCD_Deployer {
    meta:
       description = "Deployment script associated with WP-VCD."

strings:
       $re = /strpos\s*$\s*\$\w{1,40}\s*,\s*['"]WP_V_CD['"]\s*$\s*===\s*false/ nocase

condition:
       $re
}

rule Spam_PHP_WPVCD_ContentInjection {
    meta:
       description = "Content injection script associated with WP-VCD."

strings:
       $re = /\$ip\s*=\s*\@file_get_contents\s*\(\s*ABSPATH\s*\.\s*['"]wp\-includes\/wp\-feed\.php['"]/ nocase

condition:
       $re
}

rule Suspicious_PHP_PrependedInclude {
    meta:
       description = "Suspicious PHP include often associated with WP-VCD."

strings:
       $re = /^\<\?php\s+if\s*$\s*file_exists\s*\(\s*dirname\s*\(\s*__FILE__\s*$\s*\.\s*['"][^'"]+['"]\s*\)\s*\)\s*(include|require)(_once)?\s*$\s*dirname\s*\(\s*__FILE__\s*$\s*\.\s*['"][^'"]+['"]\s*\)\s*\;\s*\?\>\s*\<\?/ nocase

condition:
       $re
}

${this.title}

Code Editor : rfxn.yara