2024-01-22 09:45:56 +00:00
id : defacement-detect
info :
name : Defacement Content - Detection
author : ricardomaia
severity : info
description : |
This template detects defacement content in the response body, using a list of commom paths as payload.It also detects spamdexing and hacktivism signatures and extracts a text snippet with the match.The URL paths and regex rules were based on research from several sources.Other rules are based in the author's experience and are not exhaustive.
reference :
- https://www.zone-h.org
- https://zone-xsec.com
- https://hax.or.id
- https://www.haxor.id
- https://www.defacer.net
- https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023
metadata :
verified : true
2024-01-29 11:58:34 +00:00
max-request : 85
2024-03-19 15:20:31 +00:00
tags : misc,defacement,spam,hacktivism,fuzz
2024-01-22 09:45:56 +00:00
http :
- method : GET
path :
- "{{BaseURL}}{{path}}"
redirects : true
max-redirects : 1
stop-at-first-match : true
matchers-condition : and
matchers :
- type : regex
part : body
regex :
2024-01-22 17:02:29 +00:00
# Commom defacement signatures
2024-01-22 09:45:56 +00:00
- '(?i)\bhack[e|3]d.?(by)?\b'
- '(?i)\bwh(00|oo)pz\b'
- '(?i)\bdefaced.?(by)?\b'
- '(?i)\bPa?wn(e|3)d.?(by)?\b'
- '(?i)\b0wned.?(by)?\b'
- '(?i)\bGreetz.?(to)?\b'
- '(?i)\bXploit\b'
- '(?i)\brulez\b'
- '(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b'
- '(?i)\bh(a|4)x(o|0)r\b'
- '(?i)\bHack.Team\b'
- '(?i)\bpwnted.?(by)?\b'
- '(?i)\bBUY.WEBSHELL\b'
- '(?i)\bHello.Admin\b'
- '(?i)\bShootz\b'
2024-01-22 17:02:29 +00:00
- '(?i)\bTouched\sby\b'
- '(?i)\bHas.*been.*hacked\b'
- '(?i)\bStamped\sBy\b'
# Spamdexing
2024-01-22 09:45:56 +00:00
- '(?i)\bcialis\b'
- '(?i)\btadacip\b'
- '(?i)\bpurinethol\b'
- '(?i)\bbactrim\b'
- '(?i)\bfemale-cialis\b'
- '(?i)\btoprol-xl\b'
- '(?i)\bbupropion\b'
- '(?i)\blevitra\b'
- '(?i)\bfeldene\b'
- '(?i)\bapcalis\b'
- '(?i)\batacand\b'
- '(?i)\bzerit\b'
- '(?i)\bisordil\b'
- '(?i)\bviagra-soft\b'
- '(?i)\bdanazol\b'
- '(?i)\blasix\b'
- '(?i)\bapcalis-sx\b'
- '(?i)\btadalafil\b'
- '(?i)\bviagra-jelly\b'
- '(?i)\btadalis-sx\b'
- '(?i)\btelmisartan\b'
- '(?i)\bcialis-soft\b'
- '(?i)\brevia\b'
- '(?i)\bcardura\b'
- '(?i)\bfempro\b'
- '(?i)\bfemale-viagra\b'
- '(?i)\berectalis\b'
- '(?i)\bforzest\b'
- '(?i)\bisoptin-sr\b'
- '(?i)\bkamagra-soft\b'
- '(?i)\blioresal\b'
- '(?i)\bneoral\b'
- '(?i)\bcytoxan\b'
- '(?i)\bphenytoin\b'
- '(?i)\bvibramycin\b'
- '(?i)\binstant.fortune\b'
- '(?i)\win.the.lottery\b'
- '(?i)\bwin.the.lotto\b'
- '(?i)\bcassino\b'
2024-01-22 17:02:29 +00:00
# Attackets - Zone-H Top 50
2024-01-22 09:45:56 +00:00
- '(?i)\bHmei7\b'
- '(?i)\bd3b~x\b'
- '(?i)\bIndex Php\b'
- '(?i)\biskorpitx\b'
- '(?i)\bchinafans\b'
- '(?i)\bSejeal\b'
- '(?i)\b1923Turk\b'
- '(?i)\bmuhmademad\b'
- '(?i)\bTeam_CC\b'
- '(?i)\bimam\b'
- '(?i)\bmisafir\b'
- '(?i)\bZoRRoKiN\b'
- '(?i)\bpanataran\b'
- '(?i)\bGHoST61\b'
- '(?i)\bAshiyane Digital Security Team\b'
- '(?i)\bFatal Error\b'
- '(?i)\bErrOr SquaD\b'
- '(?i)\bw4l3xzy3\b'
- '(?i)\bBD GREY HAT HACKERS\b'
- '(?i)\bSA3D HaCk3D\b'
- '(?i)\bjok3r\b'
- '(?i)\bHighTech\b'
- '(?i)\bMr.Kro0oz\b'
- '(?i)\bTheWayEnd\b'
- '(?i)\bLUN4T1C0\b'
- '(?i)\bKaMtiEz\b'
- '(?i)\bHolaKo\b'
- '(?i)\bMiSh\b'
- '(?i)\bMister Spy\b'
- '(?i)\bClash Hackers\b'
- '(?i)\bKkK1337\b'
- '(?i)\bKuroi\b'
- '(?i)\bBALA SNIPER\b'
- '(?i)\bRayzky_\b'
- '(?i)\bRXR\b'
- '(?i)\bTOP-TEAM\b'
- '(?i)\bMagelang6etar\b'
- '(?i)\bifactoryx\b'
- '(?i)\bthe_warri0r\b'
- '(?i)\bRed Eye\b'
- '(?i)\bdarkshadow-tn\b'
- '(?i)\bs13doeL\b'
- '(?i)\bFallaga Team\b'
- '(?i)\bulow\b'
- '(?i)\bSPYKIDS\b'
- '(?i)\bCyb3r_Sw0rd\b'
- '(?i)\blinuXploit_crew\b'
2024-01-22 17:02:29 +00:00
- '(?i)\bIr4dex 735\b'
2024-01-22 09:45:56 +00:00
- '(?i)\bKingSam\b'
2024-01-22 17:02:29 +00:00
# Others groups or attackers
2024-01-22 09:45:56 +00:00
- '(?i)\bLapsus$\b'
- '(?i)\bLulzSec\b'
- '(?i)\bmilw0rm\b'
- '(?i)\bNoName05\b'
- '(?i)\bAnonymousSudan\b'
- '(?i)\bAnon_by\b'
- '(?i)\bAnonGhost\b'
- '(?i)\bTeam.Insane\b'
- '(?i)\bEagle Cyber\b'
- '(?i)\bOpIsrael\b'
- '(?i)\bOpRussia\b'
- '(?i)\bOpIran\b'
- '(?i)\bOpPhilippines\b'
- '(?i)\bOpAustralia\b'
- '(?i)\bAnonymousItalia\b'
- '(?i)\bStopRussia\b'
- '(?i)\bStopInvasion\b'
- '(?i)\bWe.are.legion\b'
- '(?i)\bAnonOps\b'
- '(?i)\bOpGOP\b'
- '(?i)\bOpStonewall\b'
- '(?i)\bTangoDown\b'
- '(?i)\bFREE_PALESTINE\b'
- '(?i)\bFREE_AL-AQSA\b'
- type : status
status :
- 200
2024-01-22 17:02:29 +00:00
extractors :
- type : regex
part : body
name : defacement-signature
regex :
- '.{0,5}(?i)\bhack[e|3]d.?(by)?\b.{0,5}'
- '.{0,5}(?i)\bwh(00|oo)pz\b.{0,5}'
- '.{0,5}(?i)\bdefaced.?(by)?\b.{0,5}'
- '.{0,5}(?i)\bPa?wn(e|3)d.?(by)?\b.{0,5}'
- '.{0,5}(?i)\b0wned.?(by)?\b.{0,5}'
- '.{0,5}(?i)\bGreetz.?(to)?\b.{0,5}'
- '.{0,5}(?i)\bXploit\b.{0,5}'
- '.{0,5}(?i)\brulez\b.{0,5}'
- '.{0,5}(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b.{0,5}'
- '.{0,5}(?i)\bh(a|4)x(o|0)r\b.{0,5}'
- '.{0,5}(?i)\bHack.Team\b.{0,5}'
- '.{0,5}(?i)\bpwnted.?(by)?\b.{0,5}'
- '.{0,5}(?i)\bBUY.WEBSHELL\b.{0,5}'
- '.{0,5}(?i)\bHello.Admin\b.{0,5}'
- '.{0,5}(?i)\bShootz\b.{0,5}'
- '.{0,5}(?i)\bTouched\sby\b.{0,5}'
- '.{0,5}(?i)\bHas.*been.*hacked\b.{0,5}'
- '.{0,5}(?i)\bStamped\sBy\b.{0,5}'
- type : regex
part : body
name : spamdexing
regex :
- '.{0,5}(?i)\bcialis\b.{0,5}'
- '.{0,5}(?i)\btadacip\b.{0,5}'
- '.{0,5}(?i)\bpurinethol\b.{0,5}'
- '.{0,5}(?i)\bbactrim\b.{0,5}'
- '.{0,5}(?i)\bfemale-cialis\b.{0,5}'
- '.{0,5}(?i)\btoprol-xl\b.{0,5}'
- '.{0,5}(?i)\bbupropion\b.{0,5}'
- '.{0,5}(?i)\blevitra\b.{0,5}'
- '.{0,5}(?i)\bfeldene\b.{0,5}'
- '.{0,5}(?i)\bapcalis\b.{0,5}'
- '.{0,5}(?i)\batacand\b.{0,5}'
- '.{0,5}(?i)\bzerit\b.{0,5}'
- '.{0,5}(?i)\bisordil\b.{0,5}'
- '.{0,5}(?i)\bviagra-soft\b.{0,5}'
- '.{0,5}(?i)\bdanazol\b.{0,5}'
- '.{0,5}(?i)\blasix\b.{0,5}'
- '.{0,5}(?i)\bapcalis-sx\b.{0,5}'
- '.{0,5}(?i)\btadalafil\b.{0,5}'
- '.{0,5}(?i)\bviagra-jelly\b.{0,5}'
- '.{0,5}(?i)\btadalis-sx\b.{0,5}'
- '.{0,5}(?i)\btelmisartan\b.{0,5}'
- '.{0,5}(?i)\bcialis-soft\b.{0,5}'
- '.{0,5}(?i)\brevia\b.{0,5}'
- '.{0,5}(?i)\bcardura\b.{0,5}'
- '.{0,5}(?i)\bfempro\b.{0,5}'
- '.{0,5}(?i)\bfemale-viagra\b.{0,5}'
- '.{0,5}(?i)\berectalis\b.{0,5}'
- '.{0,5}(?i)\bforzest\b.{0,5}'
- '.{0,5}(?i)\bisoptin-sr\b.{0,5}'
- '.{0,5}(?i)\bkamagra-soft\b.{0,5}'
- '.{0,5}(?i)\blioresal\b.{0,5}'
- '.{0,5}(?i)\bneoral\b.{0,5}'
- '.{0,5}(?i)\bcytoxan\b.{0,5}'
- '.{0,5}(?i)\bphenytoin\b.{0,5}'
- '.{0,5}(?i)\bvibramycin\b.{0,5}'
- '.{0,5}(?i)\binstant.fortune\b.{0,5}'
- '.{0,5}(?i)\win.the.lottery\b.{0,5}'
- '.{0,5}(?i)\bwin.the.lotto\b.{0,5}'
- '.{0,5}(?i)\bcassino\b.{0,5}'
- type : regex
part : body
name : zone-h-top-50
regex :
- '.{0,5}(?i)\bHmei7\b.{0,5}'
- '.{0,5}(?i)\bd3b~x\b.{0,5}'
- '.{0,5}(?i)\bIndex Php\b.{0,5}'
- '.{0,5}(?i)\biskorpitx\b.{0,5}'
- '.{0,5}(?i)\bchinafans\b.{0,5}'
- '.{0,5}(?i)\bSejeal\b.{0,5}'
- '.{0,5}(?i)\b1923Turk\b.{0,5}'
- '.{0,5}(?i)\bmuhmademad\b.{0,5}'
- '.{0,5}(?i)\bTeam_CC\b.{0,5}'
- '.{0,5}(?i)\bimam\b.{0,5}'
- '.{0,5}(?i)\bmisafir\b.{0,5}'
- '.{0,5}(?i)\bZoRRoKiN\b.{0,5}'
- '.{0,5}(?i)\bpanataran\b.{0,5}'
- '.{0,5}(?i)\bGHoST61\b.{0,5}'
- '.{0,5}(?i)\bAshiyane Digital Security Team\b.{0,5}'
- '.{0,5}(?i)\bFatal Error\b.{0,5}'
- '.{0,5}(?i)\bErrOr SquaD\b.{0,5}'
- '.{0,5}(?i)\bw4l3xzy3\b.{0,5}'
- '.{0,5}(?i)\bBD GREY HAT HACKERS\b.{0,5}'
- '.{0,5}(?i)\bSA3D HaCk3D\b.{0,5}'
- '.{0,5}(?i)\bjok3r\b.{0,5}'
- '.{0,5}(?i)\bHighTech\b.{0,5}'
- '.{0,5}(?i)\bMr.Kro0oz\b.{0,5}'
- '.{0,5}(?i)\bTheWayEnd\b.{0,5}'
- '.{0,5}(?i)\bLUN4T1C0\b.{0,5}'
- '.{0,5}(?i)\bKaMtiEz\b.{0,5}'
- '.{0,5}(?i)\bHolaKo\b.{0,5}'
- '.{0,5}(?i)\bMiSh\b.{0,5}'
- '.{0,5}(?i)\bMister Spy\b.{0,5}'
- '.{0,5}(?i)\bClash Hackers\b.{0,5}'
- '.{0,5}(?i)\bKkK1337\b.{0,5}'
- '.{0,5}(?i)\bKuroi\b.{0,5}'
- '.{0,5}(?i)\bBALA SNIPER\b.{0,5}'
- '.{0,5}(?i)\bRayzky_\b.{0,5}'
- '.{0,5}(?i)\bRXR\b.{0,5}'
- '.{0,5}(?i)\bTOP-TEAM\b.{0,5}'
- '.{0,5}(?i)\bMagelang6etar\b.{0,5}'
- '.{0,5}(?i)\bifactoryx\b.{0,5}'
- '.{0,5}(?i)\bthe_warri0r\b.{0,5}'
- '.{0,5}(?i)\bRed Eye\b.{0,5}'
- '.{0,5}(?i)\bdarkshadow-tn\b.{0,5}'
- '.{0,5}(?i)\bs13doeL\b.{0,5}'
- '.{0,5}(?i)\bFallaga Team\b.{0,5}'
- '.{0,5}(?i)\bulow\b.{0,5}'
- '.{0,5}(?i)\bSPYKIDS\b.{0,5}'
- '.{0,5}(?i)\bCyb3r_Sw0rd\b.{0,5}'
- '.{0,5}(?i)\blinuXploit_crew\b.{0,5}'
- '.{0,5}(?i)\bIr4dex 735\b.{0,5}'
- '.{0,5}(?i)\bKingSam\b.{0,5}'
- type : regex
part : body
name : other-groups-attacker
regex :
- '.{0,5}(?i)\bLapsus$\b.{0,5}'
- '.{0,5}(?i)\bLulzSec\b.{0,5}'
- '.{0,5}(?i)\bmilw0rm\b.{0,5}'
- '.{0,5}(?i)\bNoName05\b.{0,5}'
- '.{0,5}(?i)\bAnonymousSudan\b.{0,5}'
- '.{0,5}(?i)\bAnon_by\b.{0,5}'
- '.{0,5}(?i)\bAnonGhost\b.{0,5}'
- '.{0,5}(?i)\bTeam.Insane\b.{0,5}'
- '.{0,5}(?i)\bEagle Cyber\b.{0,5}'
- type : regex
part : body
name : hacktivism-operation
regex :
- '.{0,5}(?i)\bOpIsrael\b.{0,5}'
- '.{0,5}(?i)\bOpRussia\b.{0,5}'
- '.{0,5}(?i)\bOpIran\b.{0,5}'
- '.{0,5}(?i)\bOpPhilippines\b.{0,5}'
- '.{0,5}(?i)\bOpAustralia\b.{0,5}'
- '.{0,5}(?i)\bAnonymousItalia\b.{0,5}'
- '.{0,5}(?i)\bStopRussia\b.{0,5}'
- '.{0,5}(?i)\bStopInvasion\b.{0,5}'
- '.{0,5}(?i)\bWe.are.legion\b.{0,5}'
- '.{0,5}(?i)\bAnonOps\b.{0,5}'
- '.{0,5}(?i)\bOpGOP\b.{0,5}'
- '.{0,5}(?i)\bOpStonewall\b.{0,5}'
- '.{0,5}(?i)\bTangoDown\b.{0,5}'
2024-01-22 09:45:56 +00:00
payloads :
path :
- /
- /old
- /ssh
- /tmp
- /uploads
- /index.html
- /index.php
- /indexx.html
- /defaced.html
- /readme.html
- /readme.php
- /kurd.html
- /kurd1943.html
- /evil.html
- /ghost.htm
- /pwnd.html
- /pwn.html
- /hacked.html
- /hacked.txt
- /1.php
- /1.txt
- /1.html
- /a.htm
- /a.html
- /a.php
- /V.txt
- /0day.txt
- /1337.txt
- /r00t.php
- /root.html
- /id.htm
- /by.html
- /by.htm
- /me.php
- /o.htm
- /O.html
- /a.php
- /a.html
- /z.php
- /zz.txt
- /z.txt
- /M.html
- /ie.txt
- /xxx.html
- /x.txt
- /logs.txt
- /ownz.html
- /update_note.txt
- /k.html
- /y.txt
- /T.html
- /ts.html
- /tr.html
- /core.html
- /el.htm
- /ie.htm
- /si.html
- /sad.html
- /fake.html
- /broken.html
- /buy.html
- /access.php
- /info.php
- /jquery.php
- /news.php
- /services.php
- /boxed.php
- /main.php
- /pbw.txt
- /aw.txt
- /hx.txt
- /vz.txt
- /cl.html
- /asi.html
- /public
- /cache
- /info.txt
- /ir.html
- /me.html
- /px.html
- /px.php
- /F.html
- /frost.txt
- /-.txt
- /!.txt
2024-03-19 16:40:41 +00:00
# digest: 4a0a00473045022100a121574bdd704d284d1675f8721914e3c675e5c66a64c266753135d55836c43502206ab7dff5cb3dad67f1cb2e163b6c7d49d464498f2b1195d03bd3629a7a056f1f:922c64590222798bb761d5b6d8e72950