Hestat/lw-yara Hestat/lw-yara

  • Stars
    star
    100
  • Rank 340,703 (Top 7 %)
  • Language YARA
  • License
    GNU General Publi...
  • Created over 6 years ago
  • Updated over 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Hestat/lw-yara
github

Hestat

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Yara Ruleset for scanning Linux servers for shells, spamming, phishing and other webserver baddies

lw-yara

Yara rulset based on php shells and other webserver malware.

I will be moving to a new role soon which will take me away from front line server investigations. If you would like to keep this dataset up to date report back new malware using my scanner:

https://github.com/Hestat/blazescan

Using the following will allow you to report new malware so I can add signatures:

blazescan -R

Installation instruction

git clone https://github.com/Hestat/lw-yara.git

scanning using clamav with custom rules

example at https://laskowski-tech.com/2018/04/26/eitest-cleanup-part-2-using-clamav-and-custom-yara-rules/

clamscan -ir -l /root/scanresults.txt -d /root/lw-yara/lw-rules_index.yar -d /root/lw-yara/lw.hdb /path/to/scan/

In clamscan

-ir flag will only report infected files and will scan recursively

-d flag allows you to specify a custom database, here we have 2 a hash database and a yara ruleset

-l creates a log of the scan

need to have clamav 98 or newer to parse Yara signatures

More info here:

https://laskowski-tech.com/2018/05/17/malware-databased-custom-malware-signatures/

Want a scanner to run this check out:

https://github.com/Hestat/blazescan

More Repositories

1

ossec-sysmon

A Ruleset to enhance detection capabilities of Ossec using Sysmon
PowerShell
83
star
2

blazescan

Blazescan is a linux webserver malware scanning and incident response tool, with built in support for cPanel servers, but will run on any linux based server.
Shell
60
star
3

minerchk

Bash script to Check for malicious Cryptomining
Shell
38
star
4

calamity

A script to assist in processing forensic RAM captures for malware triage
Shell
27
star
5

soc-threat-hunting

Repo of python/bash scripts for identifying IoC's in threat feed and other online tools
Python
25
star
6

intel-sharing

Repository of Information sharing on threats and indicators
12
star
7

cryptojacking-scanner

Python scanner for scanning websites for crypto-jacking miners.
Python
6
star
8

ClamAV-CortexAnalyzer

Analyzer for TheHive Cortex Soc platform. Allows you to run observables against default and custom ClamAV rules.
Python
5
star
9

drupal-check

Tool to dive Apache logs for evidence of exploitation of CVE-2018-7600
Shell
2
star
10

vt.py

Python
2
star
11

liquid

Shell
1
star