Defacement Content - Detection
ID: defacement-detect
Severity: info
Author: ricardomaia
Tags: misc,defacement,spam,hacktivism,fuzz,miscellaneous
Description
Section titled “Description”This template detects defacement content in the response body, using a list of commom paths as payload.It also detects spamdexing and hacktivism signatures and extracts a text snippet with the match.The URL paths and regex rules were based on research from several sources.Other rules are based in the author’s experience and are not exhaustive.
YAML Source
Section titled “YAML Source”id: defacement-detect
info: name: Defacement Content - Detection author: ricardomaia severity: info description: | This template detects defacement content in the response body, using a list of commom paths as payload.It also detects spamdexing and hacktivism signatures and extracts a text snippet with the match.The URL paths and regex rules were based on research from several sources.Other rules are based in the author's experience and are not exhaustive. reference: - https://www.zone-h.org - https://zone-xsec.com - https://hax.or.id - https://www.haxor.id - https://www.defacer.net - https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023 metadata: verified: true max-request: 85 tags: misc,defacement,spam,hacktivism,fuzz,miscellaneous
http: - method: GET path: - "{{BaseURL}}{{path}}"
redirects: true max-redirects: 1
stop-at-first-match: true
matchers-condition: and matchers: - type: regex part: body regex: # Commom defacement signatures - '(?i)\bhack[e|3]d.?(by)?\b' - '(?i)\bwh(00|oo)pz\b' - '(?i)\bdefaced.?(by)?\b' - '(?i)\bPa?wn(e|3)d.?(by)?\b' - '(?i)\b0wned.?(by)?\b' - '(?i)\bGreetz.?(to)?\b' - '(?i)\bXploit\b' - '(?i)\brulez\b' - '(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b' - '(?i)\bh(a|4)x(o|0)r\b' - '(?i)\bHack.Team\b' - '(?i)\bpwnted.?(by)?\b' - '(?i)\bBUY.WEBSHELL\b' - '(?i)\bHello.Admin\b' - '(?i)\bShootz\b' - '(?i)\bTouched\sby\b' - '(?i)\bHas.*been.*hacked\b' - '(?i)\bStamped\sBy\b' # Spamdexing - '(?i)\bcialis\b' - '(?i)\btadacip\b' - '(?i)\bpurinethol\b' - '(?i)\bbactrim\b' - '(?i)\bfemale-cialis\b' - '(?i)\btoprol-xl\b' - '(?i)\bbupropion\b' - '(?i)\blevitra\b' - '(?i)\bfeldene\b' - '(?i)\bapcalis\b' - '(?i)\batacand\b' - '(?i)\bzerit\b' - '(?i)\bisordil\b' - '(?i)\bviagra-soft\b' - '(?i)\bdanazol\b' - '(?i)\blasix\b' - '(?i)\bapcalis-sx\b' - '(?i)\btadalafil\b' - '(?i)\bviagra-jelly\b' - '(?i)\btadalis-sx\b' - '(?i)\btelmisartan\b' - '(?i)\bcialis-soft\b' - '(?i)\brevia\b' - '(?i)\bcardura\b' - '(?i)\bfempro\b' - '(?i)\bfemale-viagra\b' - '(?i)\berectalis\b' - '(?i)\bforzest\b' - '(?i)\bisoptin-sr\b' - '(?i)\bkamagra-soft\b' - '(?i)\blioresal\b' - '(?i)\bneoral\b' - '(?i)\bcytoxan\b' - '(?i)\bphenytoin\b' - '(?i)\bvibramycin\b' - '(?i)\binstant.fortune\b' - '(?i)\win.the.lottery\b' - '(?i)\bwin.the.lotto\b' - '(?i)\bcassino\b' # Attackets - Zone-H Top 50 - '(?i)\bHmei7\b' - '(?i)\bd3b~x\b' - '(?i)\bIndex Php\b' - '(?i)\biskorpitx\b' - '(?i)\bchinafans\b' - '(?i)\bSejeal\b' - '(?i)\b1923Turk\b' - '(?i)\bmuhmademad\b' - '(?i)\bTeam_CC\b' - '(?i)\bimam\b' - '(?i)\bmisafir\b' - '(?i)\bZoRRoKiN\b' - '(?i)\bpanataran\b' - '(?i)\bGHoST61\b' - '(?i)\bAshiyane Digital Security Team\b' - '(?i)\bFatal Error\b' - '(?i)\bErrOr SquaD\b' - '(?i)\bw4l3xzy3\b' - '(?i)\bBD GREY HAT HACKERS\b' - '(?i)\bSA3D HaCk3D\b' - '(?i)\bjok3r\b' - '(?i)\bHighTech\b' - '(?i)\bMr.Kro0oz\b' - '(?i)\bTheWayEnd\b' - '(?i)\bLUN4T1C0\b' - '(?i)\bKaMtiEz\b' - '(?i)\bHolaKo\b' - '(?i)\bMiSh\b' - '(?i)\bMister Spy\b' - '(?i)\bClash Hackers\b' - '(?i)\bKkK1337\b' - '(?i)\bKuroi\b' - '(?i)\bBALA SNIPER\b' - '(?i)\bRayzky_\b' - '(?i)\bRXR\b' - '(?i)\bTOP-TEAM\b' - '(?i)\bMagelang6etar\b' - '(?i)\bifactoryx\b' - '(?i)\bthe_warri0r\b' - '(?i)\bRed Eye\b' - '(?i)\bdarkshadow-tn\b' - '(?i)\bs13doeL\b' - '(?i)\bFallaga Team\b' - '(?i)\bulow\b' - '(?i)\bSPYKIDS\b' - '(?i)\bCyb3r_Sw0rd\b' - '(?i)\blinuXploit_crew\b' - '(?i)\bIr4dex 735\b' - '(?i)\bKingSam\b' # Others groups or attackers - '(?i)\bLapsus$\b' - '(?i)\bLulzSec\b' - '(?i)\bmilw0rm\b' - '(?i)\bNoName05\b' - '(?i)\bAnonymousSudan\b' - '(?i)\bAnon_by\b' - '(?i)\bAnonGhost\b' - '(?i)\bTeam.Insane\b' - '(?i)\bEagle Cyber\b' - '(?i)\bOpIsrael\b' - '(?i)\bOpRussia\b' - '(?i)\bOpIran\b' - '(?i)\bOpPhilippines\b' - '(?i)\bOpAustralia\b' - '(?i)\bAnonymousItalia\b' - '(?i)\bStopRussia\b' - '(?i)\bStopInvasion\b' - '(?i)\bWe.are.legion\b' - '(?i)\bAnonOps\b' - '(?i)\bOpGOP\b' - '(?i)\bOpStonewall\b' - '(?i)\bTangoDown\b' - '(?i)\bFREE_PALESTINE\b' - '(?i)\bFREE_AL-AQSA\b'
- type: status status: - 200
extractors: - type: regex part: body name: defacement-signature regex: - '.{0,5}(?i)\bhack[e|3]d.?(by)?\b.{0,5}' - '.{0,5}(?i)\bwh(00|oo)pz\b.{0,5}' - '.{0,5}(?i)\bdefaced.?(by)?\b.{0,5}' - '.{0,5}(?i)\bPa?wn(e|3)d.?(by)?\b.{0,5}' - '.{0,5}(?i)\b0wned.?(by)?\b.{0,5}' - '.{0,5}(?i)\bGreetz.?(to)?\b.{0,5}' - '.{0,5}(?i)\bXploit\b.{0,5}' - '.{0,5}(?i)\brulez\b.{0,5}' - '.{0,5}(?i)\buid=0(root).?gid=0(root).?groups=0(root)\b.{0,5}' - '.{0,5}(?i)\bh(a|4)x(o|0)r\b.{0,5}' - '.{0,5}(?i)\bHack.Team\b.{0,5}' - '.{0,5}(?i)\bpwnted.?(by)?\b.{0,5}' - '.{0,5}(?i)\bBUY.WEBSHELL\b.{0,5}' - '.{0,5}(?i)\bHello.Admin\b.{0,5}' - '.{0,5}(?i)\bShootz\b.{0,5}' - '.{0,5}(?i)\bTouched\sby\b.{0,5}' - '.{0,5}(?i)\bHas.*been.*hacked\b.{0,5}' - '.{0,5}(?i)\bStamped\sBy\b.{0,5}'
- type: regex part: body name: spamdexing regex: - '.{0,5}(?i)\bcialis\b.{0,5}' - '.{0,5}(?i)\btadacip\b.{0,5}' - '.{0,5}(?i)\bpurinethol\b.{0,5}' - '.{0,5}(?i)\bbactrim\b.{0,5}' - '.{0,5}(?i)\bfemale-cialis\b.{0,5}' - '.{0,5}(?i)\btoprol-xl\b.{0,5}' - '.{0,5}(?i)\bbupropion\b.{0,5}' - '.{0,5}(?i)\blevitra\b.{0,5}' - '.{0,5}(?i)\bfeldene\b.{0,5}' - '.{0,5}(?i)\bapcalis\b.{0,5}' - '.{0,5}(?i)\batacand\b.{0,5}' - '.{0,5}(?i)\bzerit\b.{0,5}' - '.{0,5}(?i)\bisordil\b.{0,5}' - '.{0,5}(?i)\bviagra-soft\b.{0,5}' - '.{0,5}(?i)\bdanazol\b.{0,5}' - '.{0,5}(?i)\blasix\b.{0,5}' - '.{0,5}(?i)\bapcalis-sx\b.{0,5}' - '.{0,5}(?i)\btadalafil\b.{0,5}' - '.{0,5}(?i)\bviagra-jelly\b.{0,5}' - '.{0,5}(?i)\btadalis-sx\b.{0,5}' - '.{0,5}(?i)\btelmisartan\b.{0,5}' - '.{0,5}(?i)\bcialis-soft\b.{0,5}' - '.{0,5}(?i)\brevia\b.{0,5}' - '.{0,5}(?i)\bcardura\b.{0,5}' - '.{0,5}(?i)\bfempro\b.{0,5}' - '.{0,5}(?i)\bfemale-viagra\b.{0,5}' - '.{0,5}(?i)\berectalis\b.{0,5}' - '.{0,5}(?i)\bforzest\b.{0,5}' - '.{0,5}(?i)\bisoptin-sr\b.{0,5}' - '.{0,5}(?i)\bkamagra-soft\b.{0,5}' - '.{0,5}(?i)\blioresal\b.{0,5}' - '.{0,5}(?i)\bneoral\b.{0,5}' - '.{0,5}(?i)\bcytoxan\b.{0,5}' - '.{0,5}(?i)\bphenytoin\b.{0,5}' - '.{0,5}(?i)\bvibramycin\b.{0,5}' - '.{0,5}(?i)\binstant.fortune\b.{0,5}' - '.{0,5}(?i)\win.the.lottery\b.{0,5}' - '.{0,5}(?i)\bwin.the.lotto\b.{0,5}' - '.{0,5}(?i)\bcassino\b.{0,5}'
- type: regex part: body name: zone-h-top-50 regex: - '.{0,5}(?i)\bHmei7\b.{0,5}' - '.{0,5}(?i)\bd3b~x\b.{0,5}' - '.{0,5}(?i)\bIndex Php\b.{0,5}' - '.{0,5}(?i)\biskorpitx\b.{0,5}' - '.{0,5}(?i)\bchinafans\b.{0,5}' - '.{0,5}(?i)\bSejeal\b.{0,5}' - '.{0,5}(?i)\b1923Turk\b.{0,5}' - '.{0,5}(?i)\bmuhmademad\b.{0,5}' - '.{0,5}(?i)\bTeam_CC\b.{0,5}' - '.{0,5}(?i)\bimam\b.{0,5}' - '.{0,5}(?i)\bmisafir\b.{0,5}' - '.{0,5}(?i)\bZoRRoKiN\b.{0,5}' - '.{0,5}(?i)\bpanataran\b.{0,5}' - '.{0,5}(?i)\bGHoST61\b.{0,5}' - '.{0,5}(?i)\bAshiyane Digital Security Team\b.{0,5}' - '.{0,5}(?i)\bFatal Error\b.{0,5}' - '.{0,5}(?i)\bErrOr SquaD\b.{0,5}' - '.{0,5}(?i)\bw4l3xzy3\b.{0,5}' - '.{0,5}(?i)\bBD GREY HAT HACKERS\b.{0,5}' - '.{0,5}(?i)\bSA3D HaCk3D\b.{0,5}' - '.{0,5}(?i)\bjok3r\b.{0,5}' - '.{0,5}(?i)\bHighTech\b.{0,5}' - '.{0,5}(?i)\bMr.Kro0oz\b.{0,5}' - '.{0,5}(?i)\bTheWayEnd\b.{0,5}' - '.{0,5}(?i)\bLUN4T1C0\b.{0,5}' - '.{0,5}(?i)\bKaMtiEz\b.{0,5}' - '.{0,5}(?i)\bHolaKo\b.{0,5}' - '.{0,5}(?i)\bMiSh\b.{0,5}' - '.{0,5}(?i)\bMister Spy\b.{0,5}' - '.{0,5}(?i)\bClash Hackers\b.{0,5}' - '.{0,5}(?i)\bKkK1337\b.{0,5}' - '.{0,5}(?i)\bKuroi\b.{0,5}' - '.{0,5}(?i)\bBALA SNIPER\b.{0,5}' - '.{0,5}(?i)\bRayzky_\b.{0,5}' - '.{0,5}(?i)\bRXR\b.{0,5}' - '.{0,5}(?i)\bTOP-TEAM\b.{0,5}' - '.{0,5}(?i)\bMagelang6etar\b.{0,5}' - '.{0,5}(?i)\bifactoryx\b.{0,5}' - '.{0,5}(?i)\bthe_warri0r\b.{0,5}' - '.{0,5}(?i)\bRed Eye\b.{0,5}' - '.{0,5}(?i)\bdarkshadow-tn\b.{0,5}' - '.{0,5}(?i)\bs13doeL\b.{0,5}' - '.{0,5}(?i)\bFallaga Team\b.{0,5}' - '.{0,5}(?i)\bulow\b.{0,5}' - '.{0,5}(?i)\bSPYKIDS\b.{0,5}' - '.{0,5}(?i)\bCyb3r_Sw0rd\b.{0,5}' - '.{0,5}(?i)\blinuXploit_crew\b.{0,5}' - '.{0,5}(?i)\bIr4dex 735\b.{0,5}' - '.{0,5}(?i)\bKingSam\b.{0,5}'
- type: regex part: body name: other-groups-attacker regex: - '.{0,5}(?i)\bLapsus$\b.{0,5}' - '.{0,5}(?i)\bLulzSec\b.{0,5}' - '.{0,5}(?i)\bmilw0rm\b.{0,5}' - '.{0,5}(?i)\bNoName05\b.{0,5}' - '.{0,5}(?i)\bAnonymousSudan\b.{0,5}' - '.{0,5}(?i)\bAnon_by\b.{0,5}' - '.{0,5}(?i)\bAnonGhost\b.{0,5}' - '.{0,5}(?i)\bTeam.Insane\b.{0,5}' - '.{0,5}(?i)\bEagle Cyber\b.{0,5}'
- type: regex part: body name: hacktivism-operation regex: - '.{0,5}(?i)\bOpIsrael\b.{0,5}' - '.{0,5}(?i)\bOpRussia\b.{0,5}' - '.{0,5}(?i)\bOpIran\b.{0,5}' - '.{0,5}(?i)\bOpPhilippines\b.{0,5}' - '.{0,5}(?i)\bOpAustralia\b.{0,5}' - '.{0,5}(?i)\bAnonymousItalia\b.{0,5}' - '.{0,5}(?i)\bStopRussia\b.{0,5}' - '.{0,5}(?i)\bStopInvasion\b.{0,5}' - '.{0,5}(?i)\bWe.are.legion\b.{0,5}' - '.{0,5}(?i)\bAnonOps\b.{0,5}' - '.{0,5}(?i)\bOpGOP\b.{0,5}' - '.{0,5}(?i)\bOpStonewall\b.{0,5}' - '.{0,5}(?i)\bTangoDown\b.{0,5}'
payloads: path: - / - /old - /ssh - /tmp - /uploads - /index.html - /index.php - /indexx.html - /defaced.html - /readme.html - /readme.php - /kurd.html - /kurd1943.html - /evil.html - /ghost.htm - /pwnd.html - /pwn.html - /hacked.html - /hacked.txt - /1.php - /1.txt - /1.html - /a.htm - /a.html - /a.php - /V.txt - /0day.txt - /1337.txt - /r00t.php - /root.html - /id.htm - /by.html - /by.htm - /me.php - /o.htm - /O.html - /a.php - /a.html - /z.php - /zz.txt - /z.txt - /M.html - /ie.txt - /xxx.html - /x.txt - /logs.txt - /ownz.html - /update_note.txt - /k.html - /y.txt - /T.html - /ts.html - /tr.html - /core.html - /el.htm - /ie.htm - /si.html - /sad.html - /fake.html - /broken.html - /buy.html - /access.php - /info.php - /jquery.php - /news.php - /services.php - /boxed.php - /main.php - /pbw.txt - /aw.txt - /hx.txt - /vz.txt - /cl.html - /asi.html - /public - /cache - /info.txt - /ir.html - /me.html - /px.html - /px.php - /F.html - /frost.txt - /-.txt - /!.txt# digest: 4b0a00483046022100a072d903eb3189e08923995ed5f6ef09e37cee8fe7c2096c9261d513c0af7e63022100817df10241287d746136f1c73918516feda1c7b1dfb617504e4ca4f459e455de:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/miscellaneous/defacement-detect.yaml"