24 lines
1.0 KiB
Plaintext
# This list contains patterns of various web shells, backdoors and similar
# software written in ASP. There is no way to update this list
# automatically, so it must be done by hand. The recommended way to add
# new malicious software is:
# 1.) As patterns are matched against RESPONSE_BODY, you need to run the
# malicious software (ideally in an isolated environment) and capture the output.
# 2.) In the output, search for a static pattern unique enough to match only
# the software in question and not cause any FPs. The best pick is usually
# a part of the HTML code containing the software name.
# 3.) Include the software name and URL (if available) in the comment above
# the pattern.
#
# Data comes from multiple places, some of which no longer work. A few are
# listed below:
# - https://www.localroot.net/
# - Google search (keywords like webshells, asp backdoor and similar)

# Akmal archtte id ASPX shell
<title>Webshell Akmal archtte id</title>
# ASPYDrv shell
<html><title>ASPYDrvsInfo</title>
# RHTOOLS shell
<html><head><title>RHTOOLS
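
A way to vet candidate entries against steps 2 and 3 before adding them, as an added example that is not part of the original file or its project. It assumes patterns are matched as case-insensitive substrings of the response body; the sample entries, names and response bodies are constructed placeholders.

```python
def load_patterns(text):
    """Return (name, pattern) pairs; name is the comment directly above."""
    entries, last_comment = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            last_comment = None          # a blank line ends a comment block
        elif line.startswith("#"):
            last_comment = line.lstrip("#").strip() or None
        else:
            entries.append((last_comment, line))
            last_comment = None          # a comment names only one pattern
    return entries

def vet(entries, captured, benign):
    """Map each pattern to a list of problems (empty list = acceptable)."""
    report = {}
    for name, pattern in entries:
        needle, problems = pattern.lower(), []
        if not name:
            problems.append("no comment naming the software")
        if needle not in captured.get(name, "").lower():
            problems.append("does not match captured output")
        hits = [label for label, body in benign.items() if needle in body.lower()]
        if hits:
            problems.append("false positive on: " + ", ".join(hits))
        report[pattern] = problems
    return report

# Constructed sample inputs (placeholder names, not real shell output).
CANDIDATES = """\
# Header comment block, separated from the entries by a blank line.

# ExampleShell (placeholder name)
<title>ExampleShell Control Panel</title>
# GenericShell (placeholder name)
<html><head><title>
<title>Undocumented</title>
"""
CAPTURED = {  # output caught in the isolated environment, keyed by entry name
    "ExampleShell (placeholder name)": "<html><head><title>ExampleShell Control Panel</title></head>",
    "GenericShell (placeholder name)": "<html><head><title>GenericShell</title></head>",
}
BENIGN = {    # ordinary responses the pattern must never match
    "login page": "<html><head><title>Sign in</title></head><body></body></html>",
    "error page": "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD></HTML>",
}

if __name__ == "__main__":
    for pattern, problems in vet(load_patterns(CANDIDATES), CAPTURED, BENIGN).items():
        print(pattern, "->", problems or "ok")
```

The benign set should be drawn from responses of the applications actually behind the WAF, since a pattern that is unique in isolation can still collide with a legitimate page title.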