.

.gitignore

@@ -0,0 +1,5 @@
+*.iml
+.idea/
+.DS_Store
+target
+

db/hash_db.txt

@@ -0,0 +1,85 @@
+/bin/cat||523218bc2a29d217da65c78feb327a73||1575031052.76
+/bin/echo||00dbb2b01752cec021415f55e4ebd0bf||1575031052.76
+/bin/df||81164469cf7add4a64a67fc25d1f7e8a||1575031052.76
+/bin/pwd||690256cf80f35cf79764797ac928de77||1575031052.76
+/bin/test||938349e08664eb5ed2999a259e7c3972||1575031052.76
+/bin/date||e1d20c480fcdc1ac4646170b1d9ca7c7||1575031052.76
+/bin/bash||a17c5d0e7f7f4f69c6218066c2a3e1b6||1575031052.76
+/bin/kill||9beb55ee74d185d46c3316454d528896||1575031052.76
+/bin/sh||8aa60b22a5d30418a002b340989384dc||1575031052.76
+/bin/ps||792e18b1417ac1f184680d2423206e4f||1575031052.76
+/bin/mv||7f791dd4bef08d618fece911d6e3398a||1575031052.76
+/bin/ls||d77c1dd5bb8e39c2dd27c96c3fd2263e||1575031052.76
+/bin/cp||57fc302d74610c3350e683c6c9771076||1575031052.76
+/bin/chmod||30e3e10a3e7ad9adfd37662b2e9b4f8a||1575031052.76
+/sbin/fsck||e2a45253e23c963491974f5ac8d1aef1||1575031052.76
+/sbin/ping||d91d8718ec1f2d5bcd4c02e7cad8282a||1575031052.76
+/sbin/route||28e19d4273aa79d971954b6a18ef07db||1575031052.76
+/sbin/ifconfig||f81633f11f5fc0db70078b5ed1fedcec||1575031052.76
+/sbin/dmesg||56415b6dfb7e5a1c1902403ee1fb39b8||1575031052.76
+/sbin/mount||7801e142a28dc96333c8acac0dd0999f||1575031052.76
+/sbin/nologin||29a082d7b826f4b14543c5397fbfc50a||1575031052.76
+/usr/bin/top||90ca9316e194a789333f192ff90cea53||1575031052.76
+/usr/bin/strings||29a156643b097fe313522226ccd955b6||1575031052.76
+/usr/bin/pkill||96a4d2f3aecec616f31f66589f196205||1575031052.76
+/usr/bin/basename||22e3ead0b1fc8282c92bda50d5a66cf3||1575031052.76
+/usr/bin/last||3460a6691d1cba9ed9a6bf9a87068efd||1575031052.76
+/usr/bin/du||7ec837ed9848a937a8474f0fd2cc113f||1575031052.76
+/usr/bin/logger||8fb2cc32a2c0d36bd6dd2a5c727b6bdd||1575031052.76
+/usr/bin/sort||500c6c1c6da73b4d1fb72c9f664c6ea8||1575031052.76
+/usr/bin/whoami||24c45eb23e1aae68c572939d1a906018||1575031052.76
+/usr/bin/file||8690270bbe6612ab42b2eb2a6a6ebc65||1575031052.76
+/usr/bin/less||d744731fb4f251370ca4aed7e64bb289||1575031052.76
+/usr/bin/touch||4aacabad02929f18b00a9b6ef85e0605||1575031052.76
+/usr/bin/sed||3ce65a2b18129c9ddc6f15204c329603||1575031052.76
+/usr/bin/awk||fa9db7f6c4a0287ceb78a3bd34524ada||1575031052.76
+/usr/bin/mail||1d0e8450f06b63e4bb0be0157800c287||1575031052.76
+/usr/bin/uname||b1c1eadf36eaaad76210c21573f65b47||1575031052.76
+/usr/bin/perl||3f7543a237c09638bf211765fd00a1b0||1575031052.76
+/usr/bin/readlink||17dfcc6f29cc40343887f2c52d2fc61c||1575031052.76
+/usr/bin/wc||b89949ce6a1929257e5c0c157027cbfe||1575031052.76
+/usr/bin/diff||cac57bd479f1c4c8646929d7ce718106||1575031052.76
+/usr/bin/groups||24c45eb23e1aae68c572939d1a906018||1575031052.76
+/usr/bin/tail||4f763e9d4a6b9f0ea936a13eb1c802ae||1575031052.76
+/usr/bin/grep||2b3efb273296881708ea2914c612e0eb||1575031052.76
+/usr/bin/more||d744731fb4f251370ca4aed7e64bb289||1575031052.76
+/usr/bin/env||5b01662dd2c87ce237e8d968c9e52508||1575031052.76
+/usr/bin/head||bb2984cc21ccc7343bed41f2b577c011||1575031052.76
+/usr/bin/uniq||db23b79cc1846c51e2c5fffd2880d902||1575031052.76
+/usr/bin/curl||078cd73f58d3d8f875eed22522ff73f7||1575031052.76
+/usr/bin/newgrp||6e192bea57dfc3eb8a0ee4449e8a762f||1575031052.76
+/usr/bin/killall||5769a155934f60f4e5205493307e244f||1575031052.76
+/usr/bin/su||85c13392f7e945526bc6473f0941384d||1575031052.76
+/usr/bin/ssh||b4bb5a2bf1a39a863a90bd1fd179d53c||1575031052.76
+/usr/bin/stat||17dfcc6f29cc40343887f2c52d2fc61c||1575031052.76
+/usr/bin/users||856ebf8c465698ca8e30895034c4e647||1575031052.76
+/usr/bin/who||1a53fc46069f9a8efb9521577fe800e1||1575031052.76
+/usr/bin/mktemp||bde62e74078e03c2aa99824c21769a2a||1575031052.76
+/usr/bin/cut||e27c92637d672468ea846d377b500eb1||1575031052.76
+/usr/bin/mailx||1d0e8450f06b63e4bb0be0157800c287||1575031052.76
+/usr/bin/ipcs||ffb27f8aca8b57598f619e6878c72923||1575031052.76
+/usr/bin/dirname||1c3b57818c27cfff8e7a7596709d6791||1575031052.76
+/usr/bin/id||24c45eb23e1aae68c572939d1a906018||1575031052.76
+/usr/bin/fuser||ab2265ed63ed1da563573ded878dfce6||1575031052.76
+/usr/bin/egrep||2b3efb273296881708ea2914c612e0eb||1575031052.76
+/usr/bin/whereis||24a06f6c8099b5896bb932303f98b0aa||1575031052.76
+/usr/bin/find||1a070f1b112a0bbf99581914d1035970||1575031052.76
+/usr/bin/size||96cb5835bd4663a771486799fbcc0cc6||1575031052.76
+/usr/bin/pgrep||96a4d2f3aecec616f31f66589f196205||1575031052.76
+/usr/bin/fgrep||2b3efb273296881708ea2914c612e0eb||1575031052.76
+/usr/bin/login||6ddb73606071fa8d7f63886d38971353||1575031052.76
+/usr/bin/which||347ef1bc98f052a94ca232e99cb0fb44||1575031052.76
+/usr/bin/tr||df6af8d5f7c6d71ea9ac52a82e7d4e58||1575031052.76
+/usr/bin/passwd||c3dcb58a7f27bb45f1c2a889790d3676||1575031052.76
+/usr/bin/w||dc0a97c1b333a194825645d345603810||1575031052.76
+/usr/sbin/sysctl||dc0558d3d932acb68af969ace5df58cc||1575031052.76
+/usr/sbin/sshd||3ef55c29b52ee60e7f4854efc4fad7d3||1575031052.76
+/usr/sbin/lsof||072af749bc43e6f33adcc86b9d96b444||1575031052.76
+/usr/sbin/netstat||a52d737ac4df49a9492affd1b8991d06||1575031052.76
+/usr/sbin/chroot||9f1f332a5db08d493b63c852079d2401||1575031052.76
+/usr/sbin/chown||cc600d309dc91e491f52c51e0b1821ec||1575031052.76
+/usr/sbin/vipw||51e179616740ec2fe102ca09c4f37e5d||1575031052.76
+/usr/local/sbin/test||e016c3389666a21bc759590c58ad1273||1575031052.76
+/usr/local/sbin/ps||58f0cd8c26461ef86f916a17b11b0769||1575031052.76
+/usr/local/sbin/mv||b26fd012b1faf7eb46053d520a4306f7||1575031052.76
+/usr/local/bin/wget||9a5cb2d870bc6064cc643b12fb9fa0b3||1575031052.76

lib/plugins/webshell_rule/WShell_THOR_Webshells.yar

@@ -8636,3 +8636,32 @@ rule Webshell_zehir {
 	condition:
 		filesize < 200KB and 1 of them
 }
+rule webshells_grayddq_shell1 {
+	meta:
+		description = "Web shells"
+		author = "grayddq"
+		date = "2019/11/29"
+	strings:
+		$s0 = "Response.Write(eval"
+		$s1 = "eval(Request.Item"
+		$s2 = "eval request("
+		$s3 = "eval(GET"
+		$s4 = "eval(POST"
+		$s5 = "exec(request.getParameter"
+		$s6 = "Response.Write(eval("
+		$s7 = "eval($_POST"
+		$s8 = "eval($_GET"
+	condition:
+		filesize < 10KB and any of them
+}
+rule webshells_grayddq_shell2 {
+	meta:
+		description = "Web shellss"
+		author = "grayddq"
+		date = "2019/11/29"
+	strings:
+		$s0 = "Request.Form(\"pass\")"
+		$s1 = "eval(fun()"
+	condition:
+		filesize < 10KB and all of them
+}

log/gscan.log

@@ -0,0 +1,7 @@
+开始扫描当前系统安全状态...
+
+开始Webshell安全扫描
+ [1]Webshell安全扫描                    [ 存在风险  ]
+------------------------------
+Webshell安全检测
+{"进程PID": "", "手工排查确认": "[1]cat /tmp/1.php", "异常时间": "2019-11-29 20:30:37", "异常文件": "/tmp/1.php", "风险名称": "webshell安全检测", "处理方案": "rm /tmp/1.php #删除webshell文件", "异常信息": "文件匹配上webshell特征，规则：webshells_grayddq_shell1", "检测项": "Webshell安全检测", "风险级别": "风险", "所属用户": "grayddq"}