├── .gitignore ├── .gitattributes ├── kit_hunter_example.jpg ├── tag_files ├── shell_scan │ ├── Shell_Detection_URL.tag │ ├── Shell_Detection_WSO.tag │ ├── Shell_Detection_Authors_Brands.tag │ └── Shell_Detection_Function.tag ├── WeTransfer_Phishing_Detection.tag ├── Monzo_Phishing_Detection.tag ├── GlobalSources_Phishing_Detection.tag ├── Bell_Phishing_Detection.tag ├── BT_Phishing_Detection.tag ├── AT&T_Phishing_Detection.tag ├── SPM55_Phishing_Detection.tag ├── Comcast_Phishing_Detection.tag ├── ING_Phishing_Detection.tag ├── Proofpoint_Phishing_Detection.tag ├── Discover_Phishing_Detection.tag ├── ABSA_Phishing_Kit_Detection.tag ├── Knockout-Template_Phishing_Detection.tag ├── XBALTI_Phishing_Kit_Detection.tag ├── DEWA_Phishing_Detection.tag ├── Generic_Spectrum_Phishing_Detection.tag ├── YASSCOM_Phishing_Detection.tag ├── 1-and-1_Phishing_Kit_Detection.tag ├── Dropbox-DocuSign_Phishing_Detection.tag ├── INTERAC_Financial_Phishing_Detection.tag ├── cPanel_Phishing_Detection.tag ├── USPS_or_UPS_Phishing_Detection.tag ├── DHL_Phishing_Detection.tag ├── AOL_Phishing_Kit_Detection.tag ├── Alibaba_Phishing_Kit_Detection.tag ├── Adobe_Phishing_Kit_Detection.tag ├── Kr3pto_Phishing_Kit_Detection.tag ├── Chase_Phishing_Detection.tag ├── Apple_Phishing_Detection.tag ├── Phishing_Kit_General_Indicators.tag ├── LogoKit_Phishing_Kit_Detection.tag ├── chalbhai_Phishing_Detection.tag ├── BulletPro_Phishing_Detection.tag ├── Ex-Robotos_Phishing_Detection.tag ├── PayPal_Phishing_Detection.tag ├── Z118_Phishing_Kit_Detection.tag ├── Bank-of-America_Phishing_Detection.tag ├── Phishing_Kit_Setup_Detection.tag ├── American_Express_Phishing_Kit_Detection.tag ├── True-Login_Phishing_Detection.tag ├── Fake-AV_Phishing_Detection.tag ├── Microsoft_Phishing_Detection.tag ├── Amazon_Phishing_Kit_Detected.tag ├── Obfuscation_Detection.tag ├── Netflix_Phishing_Detection.tag ├── Phishing_Kit_Security_Indicators.tag ├── Generic_Webmail_Phishing_Detection.tag ├── 
Telegram_Phishing_Exfiltration_Detection.tag ├── Blockchain_Phishing_Detection.tag ├── Phishing_Kit_Function_Indicators.tag ├── Phishing_Kit_Brand_Indicators.tag ├── Phishing_Kit_Author_Indicators.tag ├── Phishing_Kit_URL_Indicators.tag └── quick_scan │ └── Phishing_Quick_Scan_Indicators.tag ├── changelog.md ├── Readme.md ├── kit_hunter_2.py └── LICENSE /.gitignore: -------------------------------------------------------------------------------- 1 | 2 | *.bak 3 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /kit_hunter_example.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SteveD3/kit_hunter/HEAD/kit_hunter_example.jpg -------------------------------------------------------------------------------- /tag_files/shell_scan/Shell_Detection_URL.tag: -------------------------------------------------------------------------------- 1 | 0x5a455553.github.io 2 | 109.248.203.114 3 | 162.241.127.123 4 | 185.213.209.151 5 | 198.50.168.213:4563 6 | 208.68.38.81 7 | 7jyewu.cn 8 | 91.193.180.161 9 | banksstop.tech 10 | blog.ub.ac.id 11 | fopo.com.ar 12 | gailey-white.com 13 | leafmailer.pw 14 | lp.kerbermix.com.br 15 | magichottrade.su 16 | newzealandpolicy.wang 17 | owlmailer.io 18 | pastebin.com/raw/1xZGzW7B 19 | pastebin.com/raw/6DuKx17b 20 | pastebin.com/raw/E8J1Rb9v 21 | pastebin.com/raw/HC4jSj4K 22 | pastebin.com/raw/NE6MLDK7 23 | pastebin.com/raw/vDLdynjj 24 | PHPJiaMi.Com 25 | pjxzzmih.pw 26 | res7ock.org 27 | smarttoolsshop.cc 28 | smarttoolsshop.com 29 | tools.niod-tech.com 30 | uupload.ir 31 | wziflcey.icu 32 | zerobyte-id.github.io/PHP-Backdoor/inc 33 | zone-h.com 34 | zone-h.org 35 | 
-------------------------------------------------------------------------------- /tag_files/WeTransfer_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # WeTransfer PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with WeTransfer phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | we-llc.com 7 | $message .= "Domain: Hotm/Outlk 8 | WEtransfer Logx 9 | WeTransfer 10 | #------------------------------------------------------------------------------------------------------------------------ 11 | -------------------------------------------------------------------------------- /tag_files/Monzo_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Monzo PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known Monzo phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | -monzo. 
7 | monzo- 8 | .monzo.com 9 | monzo.com 10 | Monzo 11 | content="@monzo" 12 | monzoname 13 | monzoemail 14 | monzopass 15 | monzopin 16 | M0nz0 Log 17 | #------------------------------------------------------------------------------------------------------------------------ 18 | -------------------------------------------------------------------------------- /tag_files/GlobalSources_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Global Sources PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to Global Sources phishing attacks. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | .globalsources.com 7 | >Global Sources< 8 | "Global Source. Log!" 9 | Reliable exporters: find them and meet them 10 | Publishers Representatives Limited. 11 | #------------------------------------------------------------------------------------------------------------------------ 12 | -------------------------------------------------------------------------------- /tag_files/Bell_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Bell PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known Bell (Sympatico) phishing kits. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | bank.minnedosacu.mb.ca 7 | posh.org 8 | sympatico.ca 9 | bell.net 10 | sympatico-Logo-Font 11 | $subject = "Bell Email Updates!" 12 | $headers = "From: SYMPATICO.CA 13 | Bell Email Updates 14 | #------------------------------------------------------------------------------------------------------------------------ 15 | -------------------------------------------------------------------------------- /tag_files/BT_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # BT PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known BT (BT Broadband) phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | .bt.com 7 | .custhelp.com 8 | bt.co.uk 9 | btinternet.com 10 | var customView = 'mybt' 11 | if (customView === "btmail") 12 | var pageType='MyBT Login Page' 13 | $headers = "From: manBt" 14 | BT ID 15 | BT Yahoo! 
Mail 16 | My BT App 17 | Log in to My BT 18 | #------------------------------------------------------------------------------------------------------------------------ 19 | -------------------------------------------------------------------------------- /tag_files/AT&T_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # AT&T PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known AT&T-based phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | .att.net 7 | .att.com 8 | attplans.com 9 | currently.att.yahoo.com 10 | com.sbc.idm.igate_edam.forms.LoginFormBean 11 | IV_JCT=%2FcommonLogin 12 | $headers = "From: AT&T" 13 | $headers = "From: ATT " 14 | $subject = "SBCGLOBAL" 15 | AT&T - Login 16 | coinbxe log GOD 1ST SON 17 | AT&T 18 | #------------------------------------------------------------------------------------------------------------------------ 19 | -------------------------------------------------------------------------------- /tag_files/SPM55_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # SPM55 PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to SPM55 phishing attacks, which targets 5 | # a number of consumer and corporate brands. Detections should be immediately investigated. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | 5.183.11.112 8 | spm55.com 9 | spm55-v2.com 10 | $spm55_ 11 | spm55bot 12 | $SPM55_ 13 | $head .= "From: SPM55 < 14 | if (!isset($_POST['kontolasu'])) 15 | SPM55 - PRIVATE COINBASE 16 | SPM55 Panel Scampage 17 | #------------------------------------------------------------------------------------------------------------------------ 18 | -------------------------------------------------------------------------------- /tag_files/Comcast_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Comcast PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known Comcast (Xfinity) phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | .comcast.net 7 | .xfinity.com 8 | mrmoz.com 9 | .comcast.com 10 | $headers = "From: comcastfula 11 | Comcast LOGS 12 | Comcast User Notification 13 | content="Get the most out of Xfinity from Comcast by signing in to your account. 
14 | >Sign in to Xfinity< 15 | xc-header--xfinity-logo 16 | Comcast 17 | Xfinity 18 | #------------------------------------------------------------------------------------------------------------------------ 19 | -------------------------------------------------------------------------------- /tag_files/ING_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # ING PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to ING phishing attacks, which targets 5 | # personal and financial information. 6 | #------------------------------------------------------------------------------------------------------------------------ 7 | .ing.fr 8 | .ing.it 9 | .ing.com 10 | .ing.jobs 11 | ing.blueconic.net 12 | .ing.de 13 | ING PIN- 14 | -ING LOGIN- 15 | -ING Question- 16 | -ING SMS- 17 | >ING< 18 | >ING Login< 19 | >Log in bij Mijn ING - ING Bankieren< 20 | "./ING_files/ 21 | "./ING Login_files 22 | ING Groep N.V. 
23 | #------------------------------------------------------------------------------------------------------------------------ 24 | -------------------------------------------------------------------------------- /tag_files/Proofpoint_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Proofpoint PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to Proofpoint phishing attacks, which targets 5 | # the widely used email security vendor. Detections on the brandname alone could indicate proactive security blocking by 6 | # phishing kits. 7 | #------------------------------------------------------------------------------------------------------------------------ 8 | proofpoint.com 9 | 139.59.50.21 10 | class="proofimg" 11 | class="formsproof" 12 | ANd9GcTeqhHP5-VS1258-BOt3Ex1M8WHT-igGXsvVcz_6VYhN-zS6KlxgQ 13 | Proofpoint 14 | #------------------------------------------------------------------------------------------------------------------------ 15 | -------------------------------------------------------------------------------- /tag_files/Discover_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Discover PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known Discover phishing kits. 5 | # This includes Discover brands and cards. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | .discover.com 8 | $fuck_tor 9 | $fuck_vpn 10 | $fuck_crawler 11 | $sendgrid 12 | $sendgrid_user 13 | $sendgrid_pass 14 | acsh33nz0key 15 | [{$card} {$email}] 16 | API-CODE-KaSha-uzBx5xRrsquMMyigfPmj 17 | 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 18 | Disvoer 19 | #------------------------------------------------------------------------------------------------------------------------ 20 | -------------------------------------------------------------------------------- /tag_files/ABSA_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # ABSA PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with ABSA phishing campaigns will contain these indicators. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | abodecrafter.com 7 | b3119820020-30447.portmap.io 8 | songstall.us 9 | absa.co.za 10 | $subject = "ABSA 11 | $subject = "CELLPHONE A B S A 12 | $ccn = $_SESSION['param']['AccessAccount'] 13 | $csp = $_GET['PIN'] 14 | $atm = $_GET['Operator'] 15 | INSERT INTO result (subject,message,isread,date_time) 16 | NEW DEVICE A B S A 17 | Welcome to Absa Online 18 | Security SurePhrase 19 | #------------------------------------------------------------------------------------------------------------------------ 20 | -------------------------------------------------------------------------------- /tag_files/Knockout-Template_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # KnockOut Template PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known KnockOut templates often used in phishing kits. 5 | # A detection from this indicator list is not by itself proof of malice, but flagged files should be inspected unless they are already known to be harmless. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | 12 | src='knockout- 13 | /ajax/knockout/knockout- 14 | /ajax/libs/knockout/ 15 | #------------------------------------------------------------------------------------------------------------------------ 16 | -------------------------------------------------------------------------------- /tag_files/XBALTI_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # XBALTI PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with XBALTI phishing campaigns will contain these indicators. 5 | # XBALTI is commonly associated with Amazon phishing kits, as well as other financial kits. 6 | # Matches to this actor's indicators are a clear sign that something is wrong. 
7 | #------------------------------------------------------------------------------------------------------------------------ 8 | function XB_OS($USER_AGENT) 9 | function XB_Browser($USER_AGENT) 10 | $headers .= "From: " 11 | $khraha = fopen("../../admin/rezulta.php" 12 | $_SESSION['ps'] 13 | header("location: index.php?ta_mlk_azebi_mbawe9") 14 | XBALTI 15 | #------------------------------------------------------------------------------------------------------------------------ 16 | -------------------------------------------------------------------------------- /tag_files/DEWA_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # DEWA PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to DEWA phishing attacks, which targets 5 | # customers and businesses working with the Dubai Electricity and Water Authority. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | By Moha404 8 | [ Dewa ] 9 | >DEWA Supplier Portal< 10 | Dubai Electricity & Water Authority 11 | >Dubai Electricity & Water Authority (DEWA) | Login as consumer< 12 | Dubai Electricity and Water Authority 13 | name="passzayani" 14 | name="userzayani" 15 | rid=9576e2f867ba77fcc32cc77d1093b6f8 16 | >SAP Template (Supplier)< 17 | srm.dewa.gov.ae:443 18 | #------------------------------------------------------------------------------------------------------------------------ 19 | -------------------------------------------------------------------------------- /tag_files/Generic_Spectrum_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Generic Spectrum PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to Spectrum phishing attacks within general phishing kits, 5 | # where the kit offers logins via various email services. Detections from this tag file should be investigated immediately. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | .roadrunner.com 8 | .rr.com 9 | .spectrum.net 10 | .charter.com 11 | .timewarnercable.com 12 | .brighthouse.com 13 | d1ff979u6gd5fc.cloudfront.net 14 | spectrum-icon[ 15 | spectrum-error-paragraph[ 16 | fts.ft.FedID.SSO 17 | form.errorCode === ' 18 | >Spectrum 19 | webmail version: 4.4.7 - 20180110a-twc 20 | #------------------------------------------------------------------------------------------------------------------------ 21 | -------------------------------------------------------------------------------- /tag_files/YASSCOM_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # YASSCOM PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to YASSCOM phishing kits, which target 5 | # PayPal and Apple. Detections should be immediately investigated. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | $_SESSION['xcountryCodex'] 8 | $_SESSION['xfilelangx'] 9 | $_SESSION['xyscardnumberx'] 10 | $xDIRx = 11 | echo $sms1zz 12 | echo $xys1 13 | echo $xys2 14 | echo $xys3 15 | echo $xys4 16 | echo $xys5 17 | echo $xys6 18 | echo $xys7 19 | echo $xys8 20 | echo $zazz 21 | XYASSCOM_KILLEDX 22 | XYSANBBX 23 | XYSASSETSX 24 | XYS_CONFIG_EMAIL_X 25 | XYSINCLUDEDX 26 | XYSLANGSX 27 | xysrecurse_copyx($YSS, $FOL) 28 | XYSSENDX 29 | #------------------------------------------------------------------------------------------------------------------------ 30 | -------------------------------------------------------------------------------- /tag_files/shell_scan/Shell_Detection_WSO.tag: -------------------------------------------------------------------------------- 1 | base64_decode(stream_get_contents(${${ 2 | define('VERSION','kaylin') 3 | eval(base64_decode(II1111I11l($O0OO0OO0OO 4 | eval(htmlspecialchars_decode(urldecode(base64_decode( 5 | function uE0in( 6 | function wsoLogin( 7 | function wsoPerms( 8 | function wsoPermsColor( 9 | function wsoRecursiveGlob( 10 | function wsoScandir( 11 | function WSOsetcookie( 12 | function wsoViewSize( 13 | function wsoWhich( 14 | wsoEx( 15 | wsoFooter( 16 | wsoHeader( 17 | wsoSecParam( 18 | fdgfdhgcx($QA2743 19 | ipga515($wksh287 20 | irmcjaowlfxc($gbVclGM7976 21 | iuqb940($unev273 22 | yprr503($vcbf840 23 | $An0n_3xPloiTeR = 24 | $auth_pass = "2cb00388f2110209ccb15e8ec3ab5835" 25 | $auth_pass = "58e1e24b2288940ef37472aa267e499e" 26 | $auth_pass = "59e8d97dbcc1d0f65dea6ecd0e9fbe39" 27 | $auth_pass = "66e70d37e21ebc3540741373ae51059b" 28 | $auth_pass = '9aa9b6d702d54e3b55d7f2331b9c6ac7' 29 | $auth_pass = "c4e46f57b15df77facc8ed29354ec442" 30 | $auth_pass = "c4e46f57b15df77facc8ed29354ec442" 31 | $auth_pass = "cfd54d1e84e5fd91a5a5cb6d42d4d997" 32 | $Err0r = 33 | $O644264 = O650621($O761536[8] 34 | 
$t=base64_decode($t) 35 | $Th3 = 36 | $UeXploiT = 37 | $wp_nonce = "fa085cc2ff83613e562b305a95e343be" 38 | @define('WSO_VERSION' -------------------------------------------------------------------------------- /tag_files/1-and-1_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # 1-and-1 PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with 1&1 and IONOS phishing campaigns will contain these indicators. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | 1and1.com 7 | 1and1.co.uk 8 | ionos.de 9 | ionos.es 10 | 1and1.fr 11 | ionos.com 12 | mail.ionos.ca 13 | mail.ionos.co.uk 14 | mail.ionos.de 15 | mail.ionos.es 16 | mail.ionos.es 17 | mail.ionos.fr 18 | mail.ionos.it 19 | mail.ionos.mx 20 | $subject = "1&1 21 | $subject = "1and1 SMTP 22 | 1&1 Info 23 | 1&1 IONOS E-Mail login 24 | oao.login.cookie.information 25 | oao.login.cookie.more-info.link 26 | oao.login.description 27 | oao.login.email 28 | oao.login.field.password 29 | oao.login.forgotpw.link 30 | oao.login.heading 31 | oao.login.ionos.link 32 | oao.login.title 33 | #------------------------------------------------------------------------------------------------------------------------ 34 | -------------------------------------------------------------------------------- /tag_files/Dropbox-DocuSign_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Document PHISHING KIT 3 | 
#------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known DocuSign and Dropbox phishing kits. 5 | # It's important to note that DocuSign and Dropbox phishing attacks are often closely related to Office365 and financial phishing. 6 | # The goal is credentials and future access. 7 | #------------------------------------------------------------------------------------------------------------------------ 8 | $headers = "From: Docusign 9 | cfl.dropboxstatic.com 10 | >confirm identity< 11 | + Docusign + 12 | Docu Sign 13 | DocuSign 14 | .docusign.com 15 | Docusign, Inc 16 | .docusign.net 17 | DocuSlgn 18 | downinspector.com 19 | DropB0x Info 20 | Dropboox 21 | Dropbox 22 | .dropbox.com 23 | Good News Sha 24 | Good NEWS We works On 25 | id="ds_docubody" 26 | >New Business document(s) available for 27 | #------------------------------------------------------------------------------------------------------------------------ 28 | -------------------------------------------------------------------------------- /tag_files/INTERAC_Financial_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # INTERAC e-Transfer PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to INTERAC phishing fraud, which targets financial institutions. 5 | # Detections should be immediately investigated. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | interac.ca 8 | canada-revenue-agency.canada.refund.qc.powercurrency.net 9 | s3.amazonaws.com/etransfer-notification.interac.ca 10 | ?0hrcode-myonportal=6&cmdONLINE=transfer-code 11 | id="depositForm" 12 | id="paymentRefNum" 13 | filabel=" 14 | id="province" 15 | INTERAC%20e-Transfer 16 | Deposit your INTERAC e-Transfer 17 | Receiving an INTERAC e-Transfer 18 | GTM-5SR238 19 | finishmsg.html?sslchannel=true&sessionid= 20 | -- Google Code for 1453925707204 Interac eTransfer - Gateway Page 21 | #------------------------------------------------------------------------------------------------------------------------ 22 | -------------------------------------------------------------------------------- /tag_files/cPanel_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # cPanel PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known cPanel phishing kits. 5 | # cPanel and WHM are the backend applications used by shared, dedicated, and reseller webhosting. 6 | # Criminals target it mainly for access to webhosting and webmail. Credential stuffing also plays a role in attacks on these platforms. 
7 | #------------------------------------------------------------------------------------------------------------------------ 8 | webmaiil.website 9 | buycpanel.com 10 | cpanel.net 11 | $headers = "From: ||FM BOSS|| 12 | $mail->Port = 587 13 | :2082 14 | :2083 15 | :2086 16 | :2087 17 | :2095 18 | :2096 19 | Webmail Login 20 | check_result.has_cpanel_loader 21 | CP Sign Details 22 | From: Gemini 23 | http://'.$domain.'/webmail 24 | cPanel 25 | #------------------------------------------------------------------------------------------------------------------------ 26 | -------------------------------------------------------------------------------- /tag_files/USPS_or_UPS_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # UPS / USPS PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with either a UPS or USPS phishing kit. 5 | # Any hits from this file should be investigated immediately. 6 | #------------------------------------------------------------------------------------------------------------------------ 7 | .usps.com 8 | cdn.livechatinc.com 9 | .ups.com 10 | ups6.custhelp.com 11 | alt="Image of UPS logo." 12 | alt="UPS mobile logo" 13 | global-header--search-track- 14 | id="idxsFAQBtn" 15 | id="text28777" 16 | id="tLabels" 17 | id="tLc" 18 | id="tRef 19 | pattern="(((,[1-9])\d+)){1,35}" 20 | /tracking/usps/ 21 | ups.scripts. 22 | ups.vendor. 23 | <3 UPS <3 24 | <3 USPS <3 25 | 9514901185421 26 | 3954850834584 27 | About UPS Home 28 | Copyright © 2021 UPS. All Rights Reserved. 29 | Enter Search term for Search UPS 30 | United Parcel Service of America, Inc. 
31 | UPS Allows you to Redeliver your package 32 | UPS My Choice for Business 33 | UPS Service Updates 34 | UPS Tracking 35 | USPS 36 | #------------------------------------------------------------------------------------------------------------------------ 37 | -------------------------------------------------------------------------------- /tag_files/DHL_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # DHL PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known DHL phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | Ali DHL !ID 7 | AntiBomb_Boot 8 | AntiBomber DHL 9 | 2020 © DHL International GmbH. All rights reserved. 
10 | DHL | 快递 11 | .dhl.com 12 | dhl.de 13 | DHL Express 14 | DHL International GmbH 15 | DHL Login 16 | DHL Logistics 17 | DHL Package 18 | DHL Tracking 19 | From: Blue House 20 | From: DHL 21 | From: Zimbra DHL Report 22 | DHL - express 23 | New DHL Log 24 | NeW | DHL | ReSuLtS 25 | No se le cobrará antes del envío de paquetes 26 | Vous ne serez pas facturé avant l'expédition de colis 27 | You will not be charged before the shipment of parcels 28 | Información personal 29 | Informations 30 | information 31 | #------------------------------------------------------------------------------------------------------------------------ 32 | -------------------------------------------------------------------------------- /tag_files/AOL_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # AOL PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with AOL phishing campaigns, as well as the variants of such, will contain these indicators. 5 | # Please note, this tag file will sometimes trigger on encrypted strings, as 'AOL' or some variation will appear.
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | $domain.aol.com&.intl 8 | .aol.com 9 | .aolcdn.com 10 | details.php?Billing_Center 11 | Billing.php?Client_info 12 | Billing.php?error=valid 13 | Finish.php?error=false 14 | >AOL.com - Welcome to AOL< 15 | >AOL Inc.< 16 | >AOL.com< 17 | >AOL 18 | alt="AOL Sign In" 19 | value="Aol" 20 | value="Sign In" 21 | title="Get a Free Username" 22 | content="AOL.com" 23 | content="183146218394780" 24 | content="115771908788438436647" 25 | content="96bae1739d3231d21abe59a638021d5d" 26 | content="Discover the latest breaking news in the U.S. and around the world — politics, weather, entertainment, lifestyle, finance, sports and much more." 27 | AL ONE 28 | AL TWO 29 | My Account - AOL Help 30 | AOL Inc. 31 | #------------------------------------------------------------------------------------------------------------------------ 32 | -------------------------------------------------------------------------------- /tag_files/Alibaba_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Alibaba PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with Alibaba phishing campaigns will contain these indicators. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | .alibaba.com 7 | 1688.com 8 | alibabagroup.com 9 | alicdn.com 10 | aliexpress.com 11 | alimama.com 12 | alitrip.com 13 | aliunicorn.com 14 | aliyun.com 15 | autonavi.com 16 | dingtalk.com 17 | intl.alipay.com 18 | laiwang.com 19 | taobao.com 20 | tmall.com 21 | ttpod.com 22 | umeng.com 23 | xiami.com 24 | yunos.com 25 | $subject = "$$$MONEY$$$" 26 | $message .= "Emailpwd : ".$_POST['pwd']."\n" 27 | Alibaba Manufacturer Directory - Suppliers, Manufacturers, Exporters &amp; Importers  28 | ALiBaBa 29 | 11 Main 30 | Alibaba 31 | Alibaba Cloud Computing 32 | Alibaba Group 33 | AliExpress 34 | Alimama 35 | Alipay 36 | AliTelecom 37 | Alitrip 38 | Autonavi 39 | Taobao Marketplace 40 | Juhuasuan 41 | Kanbox 42 | Laiwang 43 | Tmall 44 | TTPod 45 | UCWeb 46 | Umeng 47 | Xiami 48 | YunOS 49 | #------------------------------------------------------------------------------------------------------------------------ 50 | -------------------------------------------------------------------------------- /tag_files/Adobe_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Adobe PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with Adobe phishing campaigns will contain these indicators. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | $domain = 'pdf' 7 | $domain = substr(strrchr($username, "@"), 1) 8 | $page = 'AADOBE' 9 | $subj = "pdf logz ==> $ip" 10 | $username = $_POST['email'] 11 | AAdοbe Dοcument Clοud 12 | Access to PDF Files On Adobe Server is denied due to invalid credentials| Error 401. 13 | Ad0be 14 | AdobeCloud 15 | >Adobe ID< 16 | >Adobe Document Cloud< 17 | Adobe Document Cloud Info 18 | adobeid-na1.services.adobe.com 19 | Adobe PDF 20 | Adobe Rez 21 | ADOBE XZ 22 | Adobe阅读器XI 23 | Copyright 2016 Adobe Corporation 24 | CR04272018.pdf 25 | header("Location: https://get.adobe.com/reader/") 26 | na1.adobelogin.php 27 | PDF MAIL REZULT 28 | Private Online PDF File 29 | +[ User Info - Resultz ]+ 30 | value="打开此文件" 31 | 使用您的电子邮件和密码登录以打开此文档。 32 | 在线PDF阅读器 33 | 无效的密码再试一次 34 | #------------------------------------------------------------------------------------------------------------------------ 35 | -------------------------------------------------------------------------------- /tag_files/Kr3pto_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Kr3pto PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with Kr3pto phishing campaigns, as well as the variants of such, will contain these indicators. 5 | # Kr3pto phishing kits target financial institutions mainly, but have been cloned and copied (ripped) to target other brands. 6 | # Also, elements of Kr3pto functionality have been used in other phishing kits, creating a code overlap in many cases.
7 | #------------------------------------------------------------------------------------------------------------------------ 8 | lombokcyber.com 9 | $exit_link 10 | .$ExitLink 11 | $ccc['prepaid'] 12 | exit.php 13 | files/action.php?type=login 14 | hali_live 15 | DCSext.hasTealium 16 | Kr3pto 17 | New Payee addition 18 | Kr3ptodominos 19 | MrProfessor 20 | guccibase 21 | awesome.triz 22 | $('#idForm').submit(function(e){ 23 | var ccname = $('#ccname').val() 24 | var ccnum = $('#ccnum').val() 25 | var ccexp = $('#ccexp').val() 26 | var cccvv = $('#cccvv').val() 27 | var securityNumber = $('#securityNumber').val() 28 | $("#cccvv").attr("maxlength", "3") 29 | $("#cccvv").attr("maxlength", "4") 30 | if(response == 31 | console.log("Worked 32 | #------------------------------------------------------------------------------------------------------------------------ 33 | -------------------------------------------------------------------------------- /tag_files/Chase_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Chase PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known Chase (Chase Bank / JP Morgan Chase) phishing kits. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | .chasecdn.com 7 | .chase.com 8 | safetrustbanking.com 9 | requestJpMorganChaseCo 10 | requestChaseCanada 11 | $msgbank 12 | $subject = "CHASE LOG [USER: " 13 | $subject = "CHASE ACCESS [EMAIL: " 14 | $headers .= "From: Antibackdoor" 15 | $headers = "From: Cashout 16 | $headers = "From: Ch42e 17 | $subject = "Chase Login 18 | chaseSpinnerID 19 | satrus32_T250 20 | Wizzynabanker0987 21 | Sign in - chase.com 22 | Chase Login 23 | Chase E-Mail Access 24 | Chase Re E-Mail Access 25 | content="3CrQzUY6Sc8yzx6kfUoUJaDReLCeS0E2Ky9uwa2_whQ" 26 | Chase 27 | Chh@se Info 28 | C4rd chase 29 | chaseOnline 30 | Crossr!d3r 31 | Chase_Logo 32 |
Chase Team
33 | #------------------------------------------------------------------------------------------------------------------------ 34 | -------------------------------------------------------------------------------- /tag_files/Apple_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Apple PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known Apple-based phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | appleid.cdn-apple.com 7 | cc.applelD.hk 8 | .dioury.hk 9 | spoofsend.com 10 | api.ifreeicloud.co.uk 11 | ioserver.com 12 | fmipmobile.icloud.com 13 | hijaiyh.net 14 | .apple.com 15 | icloud.com 16 | omni_page 17 | From: F-U-L-L 18 | From: S-M-S 19 | From:iOServer 20 | Gift From @iOServer 21 | $myCheck["key"] = "6DR-H5K-85D-ASA-FS7-3U8-YCC-MJB" 22 | $myCheck["subscription"] = 1 23 | $HijaIyh_Re_HiYaNetz = "Ly86c3B0dGgK" 24 | hijaiyh-official-50b7d471cf65c8864266cd22b41ef3f3 25 | $YouANdMe 26 | $case = Core_iyh::parse_hijaiyh 27 | $Key = "232BBCD7D47A1192" 28 | CF879-7DF1C-C1EBF-DA4B9-5A230 29 | AIzaSyCKRO8VtfeNH_fAaf1NCVmknGpUsavkLDk 30 | 474892305:AAE6VOEBxf47R7FxuKVR4l85m_GRsQJ6_rA 31 | 64df52a03a4bc8c7a95aa8b29ee436e1 32 | name="beepsendtoken" 33 | Apple.Info 34 | AppleID 35 | iCloud 36 | iForgot 37 | iTunes 38 | App1e - My App1e ID 39 | App1e Inc. 
40 | MustaphaOthman 41 | Invalid Apple ID/Password 42 | SilentRemove 43 | Limitless 44 | Burhan 45 | Escobar 46 | #------------------------------------------------------------------------------------------------------------------------ 47 | -------------------------------------------------------------------------------- /tag_files/Phishing_Kit_General_Indicators.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # The items in this tag file are general elements that are associated with known phishing kits. Detections made on this tag file should 3 | # be manually inspected, as they are indicators of active attacks. 4 | #------------------------------------------------------------------------------------------------------------------------ 5 | # General Phishing Kit Indicators 6 | #------------------------------------------------------------------------------------------------------------------------ 7 | b1678shsaa.txt 8 | CHINA AUTO Logs 9 | CHOCO 10 | DADDA Recovery 11 | duydeptrai.txt 12 | Fullzz 13 | G001G0012 14 | gaslienminh-nahz2.txt 15 | Ghost Logs 16 | gLoginCredMgtWA 17 | Infoos 18 | INTENTOS DE CODIGOS 19 | LOG!N INFO 20 | money@makers 21 | New Log (De-Activation) 22 | +_ #NoLimiT _+ 23 | Ogonla Dubai 24 | OLUWA SUCCESS 25 | Recovery Credentials 26 | + Reserved + 27 | r3ZulT 28 | R3SuLt 29 | ReSulT 30 | Result<$sender> 31 | Resultz 32 | Rez Impots 33 | =ReZulT= 34 | RezulT 35 | ReZulT 36 | Rezult 37 | ReZuLt22222 38 | rezults 39 | ReZulTs 40 | rezult.txt 41 | $Txt_Rezlt 42 | rzlt2day 43 | rzlts 44 | ScAm Inf0 45 | SCOTIARESULTS 46 | Secur!ty C0de 47 | Sifre 48 | SMS2 PoSTaL 49 | spamb1678shsaa.txt 50 | Spam ReSulT 51 | tare_ama 52 | Tare logs 53 | USD Logz 54 | uservip8.txt 55 | V!CT!M's INFO 56 | Vict!m Info 57 | wipmania 58 | WVxoNFu 59 | WYSIWYG Web Builder 60 | zzz Result zzz 61 | 
#------------------------------------------------------------------------------------------------------------------------ 62 | -------------------------------------------------------------------------------- /tag_files/LogoKit_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # LOGO KIT PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with the LOGO KIT phishing campaign will contain these indicators. 5 | # The indicators below all come from confirmed LOGO KIT phishing kits, or ripped (stolen/cloned) LOGO KIT variants. 6 | # Any detection from these rules should lead to an immediate inspection of the files flagged. 7 | #------------------------------------------------------------------------------------------------------------------------ 8 | logo.clearbit.com 9 | pirakuwru.ru 10 | rldudi.com 11 | $header = "Content type: xeuztech \r\n" 12 | !base64regex.test(ai)) 13 | c = my_slice 14 | e.keyCode === 67 15 | e.keyCode === 85 16 | e.keyCode === 86 17 | e.keyCode === 117 18 | file="bmV4dC5waHA=" 19 | id="authOptionLinks" 20 | id="authOptions" 21 | id="emailIntroduction" 22 | id="kmsiArea" 23 | id="kmsiInput" 24 | if (!filter.test(my_ai)) 25 | my_ai 26 | trim($_POST['ai']) 27 | trim($_POST['pr']) 28 | var ai = $("#ai").val() 29 | var c= my_slice.substr(0, my_slice.indexOf('.')) 30 | var email=$("#email").val() 31 | var file = "bmV4dC5waHA=" 32 | var ind=my_email.indexOf("@") 33 | var msg = $('#msg').html() 34 | var my_slice=my_email.substr((ind+1)) 35 | var password=$("#password").val() 36 | var pr = $("#pr").val() 37 | window.location.replace("http://www."+my_slice) 38 | 
#------------------------------------------------------------------------------------------------------------------------ 39 | -------------------------------------------------------------------------------- /tag_files/chalbhai_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # chalbhai PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Files flagged by this tag file have been identified as using the chalbhai template, or clones of the chalbhai template. 5 | # chalbhai is a code base that has been used in several phishing kits over the years. 6 | # For example, phishing kits leveraging chalbhai have targeted: Apple, American Express, DHL, GoDaddy, Chase Bank, 7 | # Bank of America, Daum, Costco, WeTransfer, Scotia Bank, Sharepoint, K&H Bank, INTERAC, One Drive, and more. 
8 | #------------------------------------------------------------------------------------------------------------------------ 9 | id=aramsejao 10 | id=asldengy 11 | id=bhaagjoa 12 | id=chalbhai 13 | id=dafahoja 14 | id=kesijild 15 | id=passocones 16 | id=puranakhtab 17 | name=alvisab 18 | name=bhoolgya 19 | name=gulbahar 20 | name=khanalao 21 | name=khannalao 22 | name=mundachok 23 | chalbhai 24 | galanchd 25 | surf.php 26 | surf1.php 27 | surf2.php 28 | surf3.php 29 | surf4.php 30 | surf5.php 31 | surf6.php 32 | surf7.php 33 | surf8.php 34 | surf9.php 35 | fast.php 36 | fast1.php 37 | fast2.php 38 | fast3.php 39 | fast4.php 40 | fast5.php 41 | fast6.php 42 | fast7.php 43 | fast8.php 44 | fast9.php 45 | need.php 46 | need1.php 47 | need2.php 48 | need3.php 49 | need4.php 50 | need5.php 51 | need6.php 52 | need7.php 53 | need8.php 54 | need9.php 55 | #------------------------------------------------------------------------------------------------------------------------ 56 | -------------------------------------------------------------------------------- /tag_files/BulletPro_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # BulletPro PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to BulletPro Phishing-as-a-Service / shop, which targets 5 | # a number of consumer and corporate brands. Detections should be immediately investigated. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | apidatacss.com 8 | apiserverdata1.com 9 | baller.top 10 | bomohsmtp.com 11 | Bulletproftink.com 12 | bulletproftlink.com 13 | dasmtp.com 14 | datacenter01.us 15 | earthsmtp.com 16 | f1smtp.com 17 | Failedghostsmtp.com 18 | Failedsendapidata.com 19 | Faileduebpicture.cc 20 | feesmtp.com 21 | foxsmtp.com 22 | ghostsmtp.com 23 | gpxsmtp.com 24 | gurl101.services 25 | hostprivate.us 26 | josmtp.com 27 | jupitersmt.com 28 | laptopdata.xyz 29 | link101.bid 30 | linuxsmtp.com 31 | mainsmtp.com 32 | mexsmtp.com 33 | migration101.us 34 | moneysmtp.com 35 | panelsmtp.com 36 | plutosmto.com 37 | prvtsmtp.com 38 | racksmtp.com 39 | rosmtp.com 40 | rxasmtp.com 41 | sendapidata.com 42 | ses-smtp.com 43 | smtpro101.com 44 | smtptemp.site 45 | thegreenmy87.com 46 | trasactionsmtp.com 47 | valvadi101.com 48 | vitme.bid 49 | voksmtp.com 50 | webpicture.cc 51 | winsmtp.com 52 | function sendemail_using_sendgrid( 53 | function mg(a, o, t) { 54 | $TheBoss 55 | finish-unv2.php 56 | finish-unv22.php 57 | /email-list/ 58 | anthraxbcg 59 | #------------------------------------------------------------------------------------------------------------------------ 60 | -------------------------------------------------------------------------------- /tag_files/Ex-Robotos_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Ex-Robotos PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with Ex-Robotos phishing kits or variants. 5 | # Ex-Robotos kits typically target Office products, and corporate users. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | $Ex_city 8 | $Ex_country 9 | $Ex_countrycode 10 | $Ex_postal 11 | $ExRobotos 12 | $Ex_state 13 | $captcha_site_key = 14 | $captcha_secret_key = 15 | $show_captchaa = 16 | $scamname = 17 | $email = $_POST['loginfmt'] 18 | $password.$actual_page2 19 | Failed fetching data from API (may be API is dead or CURL is disabled) 20 | $licensekey = "R9J5YTV6PNUGV4" 21 | $subjectTitle = 22 | $officeLink = 23 | $FailRedirect = 24 | $AutoGrab = 25 | $outputpass = 26 | $Resetlogs = 27 | $ResetAllow = 28 | $onlylistemails = 29 | $onlyonetimeuse = 30 | $limitedarea = 31 | $base64encodeData = 32 | $randfirstpart = 33 | $passloopNumber = 34 | $visitorIP 35 | $visitorUA 36 | $visitorDATE 37 | Ex-Robotos 38 | ex.robotos 39 | ExRobotos 40 | Ex.Robotos 41 | ex.robotos.official 42 | /office/?email= emailbase64 43 | /office/?target= emailbase64 44 | /office/?code= emailbase64 45 | /office/?target=%0% 46 | /office/?target=%RCPT_ADDRESS% 47 | /office/{NEWAUTOLINK} 48 | /office/ 49 | /off365/?email=base64(email) 50 | /off365/?target=base64(email) 51 | /off365/?data=base64(email) 52 | #------------------------------------------------------------------------------------------------------------------------ 53 | -------------------------------------------------------------------------------- /tag_files/PayPal_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # PayPal Template PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with PayPal phishing kits. Any detections should 5 | # be investigated. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | highwall.space 8 | .paypal.com 9 | paypalobjects.com 10 | localheartz.club 11 | paypal.co.jp 12 | paypal.de 13 | paypal.fr 14 | snsv-crew.id 15 | $api->text_encode 16 | .$_POST['BankName'] 17 | .$_POST['mailing'] 18 | .$_POST['mailingPass'] 19 | $rezult_mail 20 | $_SESSION["xeon 21 | 5F3DB64F6A38C6FB5914597B34 22 | cb7319682fe4f52a2cf21179241f837d63380db3 23 | class="xeon 24 | echo $xeon 25 | echo $xlog1 26 | EjaLaOl0wfFZ 27 | From: PP Result Bos 28 | function validatePayForm() 29 | 'identity3?flow=' 30 | id="xeon 31 | ____pp__________.php 32 | Url?country.x= 33 | YjdbGtlpycn5FLSDhAv 34 | ____YourMail____.php 35 | PayPal: Summary Limited 36 | Suspicious Activities - PayPal 37 | ΡayΡaI 38 | PαyPαl 39 | PayPal 40 | PayPaI 41 | PaYPal SelFiE 42 | PaYPal IdeNtiTy 43 | PaYPal FuLLz 44 | PaYPal LoGiN 45 | PPL SCAM 46 | PayPal.Rez 47 | Paypal.Info 48 | New Login Info - PPL - 49 | $$ PayPal Info $$ 50 | PayPal 51 | #------------------------------------------------------------------------------------------------------------------------ 52 | -------------------------------------------------------------------------------- /tag_files/Z118_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Z118 PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with Z118 phishing kits. 5 | # Z118 is a phishing kit developer or group of developers known for kits that target PayPal and others. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | $SZ118 8 | $Z118xF0rm3XX 9 | B-Z118 10 | G-Z118 11 | L-Z118 12 | V-Z118 13 | T-Z118 14 | U1-Z118 15 | U2-Z118 16 | ID-Z 17 | ButtonZ118 18 | $Z118_ 19 | $DIR = "./customer_center/customer-IDPP00C" 20 | $server_file[] = "./A797XX666XX.acropo/{$path_parts["basename"]}" 21 | " ✪ NEW ID CARD - ENJOY BTC ✪ " 22 | WorldWide xGhostxRider_JC 23 | xx_Z118xMARVEL 24 | xx_Z118xDCxComic 25 | GOxGOxPOWERxRANGERS 26 | EstonE.0.7 27 | bensmoth58@ 28 | PayPal. All rights reserved. 29 | PayPal 30 | MasterCard SecureCode 31 | SecureCode 32 | Verified by Visa 33 | 3D Password 34 | 3-D Security Auth 35 | #------------------------------------------------------------------------------------------------------------------------ 36 | -------------------------------------------------------------------------------- /tag_files/Bank-of-America_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Bank of America (BOA) PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known BOA-based phishing kits. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | bankofamerica.com 7 | xblack.com 8 | smallenvelop.com 9 | $subject = "BOA BAN3 INFO 10 | $subject = "BOA BAN3 LOGGN 11 | $subject = "BOA BAN3 Q INFO 12 | $subject = "BOA LOG LOADING 50% : $ip" 13 | $subject = "BOA INFOS LOADING 75% : $ip" 14 | $subject = "xBOA LOADING 100% : $ip" 15 | $subject = "BOA $OnlineID - $State - $ip" 16 | $headers = "From: BOA 17 | $headers = "From: BOB Customer" 18 | Bank of America - Banking, Credit Cards, Home Loans and Auto Loans 19 | https://www.bankofamerica.com/ 20 | Bank of America | Online Banking | Account | Overview 21 | Βаnk оf Αmеrіса | Οnlіnе Βаnkіng | Ѕіgn Ιn | Sitekey 22 | Bаnk оf Αmеrіса | Οnlіnе Βаnkіng | Ѕіgn Ιn | Οnlіnе ΙD 23 | B.O.A Your account has been locked due to violation of terms of condition and services. 24 | B0A Info 25 | BOA Info 26 | + ~!BOA Customer!~ + 27 | Bank of America 28 | #------------------------------------------------------------------------------------------------------------------------ 29 | -------------------------------------------------------------------------------- /tag_files/Phishing_Kit_Setup_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Phishing Setup Detections 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by these indicators in this tag file are basic setup and performance functions for several phishing kits. 5 | # If a detection happens on this tag file, the reported items need to be inspected if they are not already known.
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | $base=base64_encode($md5) 8 | $base=base64_encode($md5md5) 9 | $characters = '0123456789abcdefghijklmnopqrstuvwxyz' 10 | $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' 11 | $charactersLength = strlen($characters) 12 | $DIR = substr(md5($random), 0, 15) 13 | $dispatch = substr(md5($random), 0, 17) 14 | $dst=md5("$base") 15 | $dst = substr(md5($random), 0, 1000000000) 16 | $f1 = ".ht"; $f2 = "acc"; $f3 = "ess" 17 | $ff = $f1.$f2.$f3 18 | $md5=md5("$random") 19 | $name = generateRandomString() 20 | $praga=md5($praga) 21 | $praga=rand() 22 | $random = rand(0,100000) 23 | $random = rand(0,100000000000) 24 | $random = rand(0,100000000000) 25 | $random=rand(0,100000000000) 26 | function generateRandomString($length = 27 | function generateRandomString($length = 10) 28 | header("location:$dst") 29 | if (file_exists($ff)) chmod ($ff, 0777) 30 | if (file_exists($ff)) unlink ($ff) 31 | if (strpos($inn, ".php.suspected")) 32 | rand(10,1000000) . rand(10,100000) 33 | recurse_copy( $home, $DIR ) 34 | recurse_copy( $src, $dst ) 35 | recurse_copy($src . '/' . $file,$dst . '/' . 
$file) 36 | str_shuffle("0987654321abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") 37 | substr(str_shuffle( 38 | #------------------------------------------------------------------------------------------------------------------------ 39 | -------------------------------------------------------------------------------- /tag_files/American_Express_Phishing_Kit_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # American Express PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with American Express phishing campaigns, as well as the variants of such, will contain these indicators. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | americanexpress.com 7 | aexp-static.com 8 | $ufe0b992 9 | $vc909111 10 | source value="US|AMEX| 11 | $subject = "Ameican Expo 12 | $message .= "PASS: ".$_POST['3id3'] 13 | $message .= "USER: ".$_POST['1id1'] 14 | $message .= "SSN: ".$_POST['fzxt'] 15 | $message .= "S-PIN: ".$_POST['wolowo'] 16 | $message .= "CC Number: ".$_POST['dtb'] 17 | $message .= "Email Address: ".$_POST['fyxt'] 18 | $message .= "Email Password: ".$_POST['wxlwo'] 19 | $message .= "MMN: ".$_POST['gttb'] 20 | $message .= "Security Answer: ".$_POST['asto1'] 21 | $message .= "CID: ".$_POST['amebo'] 22 | $message .= "CSC: ".$_POST['osho'] 23 | etc.clientlibs 24 | .axp-global-header 25 | American Express - Account Verification 26 | American Express Credit Cards, Rewards, Travel and Business Services 27 | --Amex Card Details--- 28 | ---Amex Information--- 29 | amx@amx.com 30 | American Express 31 | 
#------------------------------------------------------------------------------------------------------------------------ 32 | -------------------------------------------------------------------------------- /tag_files/True-Login_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # True-Login PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with True-Login phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | $("#add_pass").hide() 7 | $("#add_pass").show() 8 | $('#bg_image').css 9 | $(".error-alert-msg").html('Error occured, Please try again.') 10 | $(".error-alert-msg").html('You can\'t signin with this account, Please use work or school account instead.') 11 | $('#i0117').focus() 12 | $('#logo_image').attr 13 | $_POST["otptoolz"] 14 | $result = get_validation(base64_decode("aHR0cHM6Ly9iY2FkaXJlY3RzZXJ2aWNlLmNvbS9mLnBocA", TRUE) 15 | $trueauthentic 16 | atob('bi5waHA') 17 | data: {email:email,barnd:1} 18 | function true_email(a) 19 | header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']) 20 | if(i.logo_image !== null && i.logo_image !== '') 21 | if (isEmail($('#i0116').val 22 | if(true_email(email) 23 | set_brand(email) 24 | var domain = email.split('@') 25 | var emailat = hash.split('#') 26 | var email = atob(emailat) 27 | var i=JSON.parse(data) 28 | var loginId = loginForm.loginId 29 | var loginId = loginForm.loginId 30 | var numericRegExp = /^[0-9]*$/ 31 | var pass = $('#password').val() 32 | var pwderr = new Array(4) 33 | var pwrd = loginForm.password 34 | var pwrd = loginForm.password 35 | var regex = 
/^([a-zA-Z0-9_.+-])+\@(([a-zA-Z0-9-])+\.)+([a-zA-Z0-9]{2,4})+$/ 36 | var re = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/ 37 | var user = $('#email').val() 38 | var usr = $('#i0116').val() 39 | xhttp.send("Authorization1="+user+"&Authorization2="+pass) 40 | xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded") 41 | + True Login Verfied + 42 | + True Login Not Verfied + 43 | New Verified Log ***Good Log*** 44 | New Not Verified Log ***Bad Log*** 45 | #------------------------------------------------------------------------------------------------------------------------ 46 | -------------------------------------------------------------------------------- /tag_files/Fake-AV_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Fake Anti-Virus Phishing Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with Fake Anti-Virus Websites. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | $.fn.countTo.defaults = { 7 | $_py = 'bgrfd' 8 | $_uy = 'dsdsj' 9 | (050) 5534-0312 10 | (050) 5534 3927 11 | (050) 5806-7793 12 | +1-507-889-1818 13 | +1(877) 337-3615 14 | +1-888-202-9313 15 | +1-(901)-810-3196 16 | >Activate license< 17 | >Adware.Bundler...< 18 | >Adware.TopGuard...< 19 | >App: Ads.fiancetrack(2).dll< 20 | >HKLM\SYSTEM\CURRENTCONTROLS...< 21 | >Official Apple Support< 22 | > Official-Security-Center-Error#0x 23 | >Official Security Center ErrorCode00d0df< 24 | >Official Support Centre< 25 | >PUP.Optional.DownLoad...< 26 | >PUP.Optional.RelevantK...< 27 | >Security Center Code0x 28 | >Trojan.DNSCharge.AC...< 29 | >Trojan.Dropper.Autoit...< 30 | >Trojan Spyware Alert-エラーコード: #0x268d3< 31 | >脅威が検出された-Trojan Spyware< 32 | 0wa0rni0ng0.mp3 33 | Ads.financetrack(1).exe 34 | Adware.Win32.Look2me.ab 35 | alertms.mp3 36 | beep.mp3 37 | class="copyright">© 2020 NortonLifeLock Inc. 
38 | C:WindowsSystem32sihost.exe 39 | err.mp3 40 | getElementById("w1 41 | getElementById("w2 42 | getElementById("w3 43 | getElementById("w4 44 | id=UA-116984914-2 45 | id=UA-142500385-1 46 | id=UA-146666754-1 47 | id=UA-71647294-1 48 | id=UA-77514673-1 49 | id=UA-93923346-7 50 | id="w1_ 51 | id="w2_ 52 | id="w3_ 53 | id="w4_ 54 | mac.mp3 55 | Microsoft-Windows-Pornographic-Alert 56 | MSASCuiL.exe 57 | Pornographic IRC/Backdor.Sd.FRV 58 | Pornographic_Spyware_Alert- 59 | Pornographic Spyware.Fakealert.356 60 | Pornographic Spyware.Qoologic 61 | Security-Center-Code0x 62 | src="5f205bb 63 | src="5f205bc 64 | src="H0delpcJPcoded02.php" 65 | src="virus-scan.png" 66 | var regexS = "[\\?&]" + name + "=([^&#]*)" 67 | wa0lDErtm0s.mp3 68 | wa0lDErtm0s.mp3 69 | warning.mp3 70 | Win32/Hoax.Renos.HX 71 | Windows-Defender- 72 | #------------------------------------------------------------------------------------------------------------------------ 73 | -------------------------------------------------------------------------------- /tag_files/Microsoft_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Microsoft Template PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with Microsoft phishing kits, and associated brands. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | $subject = "OWA |".$ip."|".get_country() 7 | 0ff365 8 | 0utl00k 9 | 0utl0ok 10 | 365.4g.logz 11 | 40.101.54.2:993 12 | Microsoft account 13 | One Drive 14 | Sign in to your Microsoft account 15 | Sign in with Windows Hello or a security key 16 | Accessing your Organzation Account... 
17 | action="/owa/auth.owa" 18 | alt="Microsoft account" 19 | class="owaLogoContainer" 20 | D0cumen,t 21 | EXCEL 22 | Excel 23 | Happy Outlook ^_^ 24 | Hotmail 25 | id="comot" 26 | id="hope" 27 | id="justpeace" 28 | id="peace" 29 | _j124456733ebe933255be 30 | .live.com 31 | mail.agcpartners.com 32 | mail.eo.outlook.com 33 | mail.outlook.com 34 | mail.protection.outlook.com 35 | mainallpppppp 36 | Micr0s0ft 37 | .microsoftonline.com 38 | >Microsoft services< 39 | .msauth.net 40 | msftauth.net 41 | NEW OFF!CE TRUE LOGIN 42 | O365 43 | Office 365 44 | Office365 45 | Office 365 Business Interface 46 | .office365.com 47 | .office.com 48 | Official3655 49 | On3Driv3 AYO 50 | OneDrive 51 | >Outlook Web App< 52 | ("/owa/auth/15.1 53 | r4.res.office365.com 54 | script.google.com/macros/ 55 | secure.aadcdn.microsoftonline-p 56 | >Share Point Online< 57 | SharePoint 58 | sharepoint.outlook.33s40i 59 | >Sign in to sharepoint< 60 | thanky0u 61 | Windows Live ID 62 | #------------------------------------------------------------------------------------------------------------------------ 63 | -------------------------------------------------------------------------------- /tag_files/Amazon_Phishing_Kit_Detected.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Amazon PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Kits associated with Amazon phishing campaigns will contain these indicators. 5 | # The indicators below have all been recorded from Amazon phishing kits, and cover multiple authors and variants. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | freakz.site 8 | freakzbrothers.team 9 | amazon.com 10 | amazon.de 11 | amazon.co.jp 12 | amazon.fr 13 | #------------------------------------------------------------------------------------------------------------------------ 14 | include('amazon/ 15 | src="../amazon/ 16 | href="../amazon/ 17 | /api/amzsetting/get_setting.php 18 | Amazon Sign In 19 | From: AMAZON LOGIN 20 | Amazon.com Account Confirmed 21 | Amazon-2 22 | Amazon-1 23 | Amazon.Info 24 | kirim_foto($config['email_result'], $from, $subject, $targetPath) 25 | $key = '2829d1c532dea3a97edeb498e9275f69' 26 | $password = "FB-AMZ-KHFBK091829182855689745" 27 | $token2 = '0oF0VOFHR4bRV3fcK62KU2THSYwSuY9a' 28 | $headers = "From: PAP ID <".$config['sender_mail'] 29 | $MAIL_HEADER = "From: Amazon.Info" 30 | $lang['login']['title'] = "Amazon Sign In" 31 | $lang['login']['amzpassword'] = "Amazon password" 32 | $lang['billing']['title'] = "Amazon - Update Info" 33 | $lang['login']['title'] = "Amazonログイン" 34 | $lang['login']['amzpassword'] = "Amazonのパスワード" 35 | $lang['billing']['title'] = "Amazon - アップデート情報" 36 | $lang['login']['title'] = "Amazon Anmelden" 37 | $lang['login']['amzpassword'] = "Amazon passwort" 38 | $lang['login']['title'] = "Connexion Amazon" 39 | $lang['login']['amzpassword'] = "Mot de passe Amazon" 40 | $lang['billing']['title'] = "Amazon - Informations de mise à jour" 41 | Activation Key = "000-111-000" 42 | #------------------------------------------------------------------------------------------------------------------------ 43 | [ AMAZON ACCOUNT ] 44 | Account Amazon 45 | [ iDiot's Amazon ] 46 | [ ❤️ Time is Money ❤️ ] 47 | freakzbrothers-v2.0-$randomnumber 48 | idiot.is.here@goblok.plk 49 | amazon4-$randomnumber 50 | #------------------------------------------------------------------------------------------------------------------------ 51 | 
-------------------------------------------------------------------------------- /tag_files/Obfuscation_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Obfuscated PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The items detected by this tag file use some form of known obfuscation. 5 | # Detections made by this tag file should be inspected manually. 6 | # The presence of obfuscated code isn't always proof of malicious activity, but it is one way phishing kit authors try to hide their tracks. 7 | # If such markers are not expected in your environment, then it could be a sign of trouble. 8 | #------------------------------------------------------------------------------------------------------------------------ 9 | $base64fileapk 10 | $ed = base64_decode($e) 11 | $gobscate = " 12 | $keys = " 13 | $n = openssl_decrypt( 14 | $otv = encrypt("**good**",cryptKey) 15 | $responce = encrypt("$html",cryptKey) 16 | $setting = json_decode("l34kc0de.json", true) 17 | aponkral.dev 18 | array(base64_decode( 19 | >".base64_decode(" 20 | base64_decode($user) 21 | document.write(unescape( 22 | }eval( 23 | eval($ 24 | eval(atob( 25 | eval(base64_decode( 26 | eval(gzinflate(base64_decode 27 | eval(gzuncompress(base64_decode( 28 | eval(rawurldecode( 29 | eval(str_rot13(gzinflate(str_rot13(base64_decode( 30 | eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28 31 | eval(xppbrlmshkjbqlpvxgbs( 32 | fopo.com.ar 33 | gzinflate(base64_decode( 34 | ioncube.com 35 | ionCube Loader 36 | key.inc.php 37 | lombokcyber.com 38 | PHPJiaMi 39 | [PHPkoru_Code] 40 | phpkoru.com 41 | strrev(str_rot13(explode(base64_decode( 42 | zeura.com 43 | 
#------------------------------------------------PayPal (YASSCOM Phishing Kit)------------------------------------------- 44 | $a = "p"; $b = "a"; $c = "y"; $d = "p"; $e = "a"; $f = "l"; 45 | $xDIRx = "https://www.".$a.$b.$c.$d.$e.$f.".com 46 | #------------------------------------------------------------------------------------------------------------------------ 47 | Aponkral PHPkoru 48 | FOPO - Free Online PHP Obfuscator 49 | This file was protected by MessPHP v1.0 50 | PHP Encode v1.0 by 51 | PHP Encode by 52 | PHP Encode Sh*ll Auto v4 Fox 53 | php7.2 flame 5 3.2 54 | Respect C0ders. 55 | >Spam Lord Encryptor< 56 | #------------------------------------------------------------------------------------------------------------------------ 57 | -------------------------------------------------------------------------------- /tag_files/Netflix_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Netflix PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to Netflix phishing campaigns. 5 | # Detections should be immediately investigated. 
6 | #------------------------------------------------------------------------------------------------------------------------ 7 | netflix.com 8 | #------------------------------------------------------------------------------------------------------------------------ 9 | $headers="From: NETFLIX Scama 10 | $_SESSION['scnxxx'] 11 | $_SESSION['sfirstName'] 12 | $src="nfx" 13 | $subject = 'New from Netflix' 14 | $('.veeriiiifyyy').click 15 | id_exx1 16 | id_exx2 17 | id_scv 18 | id_xccaaa 19 | location: Warning.php?ErrorLogingnupg_verify='.md5 20 | location: Warning.php?gnupg_verify='.md5 21 | [ NETFLIX 22 | NETFLIX | 23 | NETFLIX_ 24 | SwitchProfile?tkn=IJ6GTXFD3RFLDNFPGHYIESMZB4 25 | Netflix 26 | Change plan 27 | Manage download devices 28 | Sign out of all devices 29 | New to Netflix? 30 | Sorry for the interruption, but we are having trouble authorizing your Payment Method. 31 | #------------------------------------------------------------------------------------------------------------------------ 32 | Congratulations - Netflix 33 | KISS CREDITCARD NETFLIX 34 | KISS LOGIN NETFLIX 35 | Netflix- Confirm Phone Number 36 | NETFLIX [ LOGIN 37 | NETFLIX NOT TRUE 38 | NETFLIXservice 39 | NETFLIX TRUE 40 | SEND NETFLIX LOGINS THAT ARE ENTERED ON SCAMPAGE 41 | #------------------------------------------------------------------------------------------------------------------------ 42 | -------------------------------------------------------------------------------- /tag_files/Phishing_Kit_Security_Indicators.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # The items in this tag file are associated with security elements used by phishing kits. Detections from this tag file 3 | # are clear indicators that something is amiss, as many of the elements don't have typical use cases in general website development. 
4 | # As such, if something is detected, it is best to investigate manually. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | # Phishing Kit Security Indicators 7 | #------------------------------------------------------------------------------------------------------------------------ 8 | $bad_words = 9 | $blocked_words = array( 10 | $bannedIP 11 | $badkeys = array( 12 | function match($badkeys, $passwd) 13 | $ip = getUserIPszz() 14 | $warn = 15 | $warnsubj = 16 | allantibot 17 | anti1 18 | anti2 19 | anti3 20 | anti4 21 | anti5 22 | anti6 23 | anti7 24 | anti8 25 | antibot.pw 26 | antibots 27 | antibot_wasChecked 28 | BAN USER BY IP 29 | blocker.php 30 | blockers.php 31 | BOT - BotDetector 32 | BOT - CrawlerDetect 33 | calyxinstitute 34 | CrawlerDetect 35 | cyveillance 36 | dreamhost 37 | feedfetcher 38 | foreach ($bannedIP as $ip) { 39 | foreach ($blocked_words as $word) { 40 | foreach ($Bot as $BotType) { 41 | fucker.php 42 | HTTrack 43 | ia_archiver 44 | Jaybizzle 45 | K3map v.2.1 46 | Kraken 47 | mon.itor.us 48 | NETCRAFT 49 | p3pwgdsn 50 | PHISHTANK 51 | PycURL 52 | ReferralSpamDetect 53 | safebrowsing-cache 54 | softlayer 55 | spyeyes 56 | tor-exit 57 | #------------------------------------------------------------------------------------------------------------------------ 58 | # BOTEYE Setup (bot scripts) 59 | #------------------------------------------------------------------------------------------------------------------------ 60 | $soker=rand(0000000, 9999999) 61 | $sokera=rand(0000000, 9999999) 62 | $saker=md5($soker) 63 | $sakera=md5($sokera) 64 | $rine=rand(000000, 9999999) 65 | $rine = sha1($rine) 66 | BOTeye v1.9 67 | #------------------------------------------------------------------------------------------------------------------------ 68 | # SNIPER BOT DETECTION 69 | 
#------------------------------------------------------------------------------------------------------------------------ 70 | SNIPER BOT DETECTION 71 | class Sniper { 72 | $Sniper = new Sniper; 73 | $Sniper->apikey($configs['killbot_key']) 74 | $standardIP = $Sniper->get_client_ip() 75 | if($Sniper->check() == true){ 76 | -------------------------------------------------------------------------------- /tag_files/Generic_Webmail_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Generic Webmail PHISHING KIT Detection 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The files detected by tags in this list have been connected to webmail-based phishing attacks, which target 5 | # a number of consumer and corporate brands. Detections should be immediately investigated. 6 | #------------------------------------------------------------------------------------------------------------------------ 7 | 263.net 8 | 263xmail.com 9 | .avis. 
10 | cph3.one.com 11 | freebit.com 12 | .kcn.jp 13 | kcn-kyoto.jp 14 | mailhostbox.com 15 | mail.oneoffice.jp 16 | mx00.mail.com 17 | mx01.mail.com 18 | mxmail.netease.com 19 | netsolmail.net 20 | rzone.de 21 | .cssv.jp 22 | .ne.jp 23 | .freebit.net 24 | $domain = 'Japan Mixed' 25 | $message .= "MX Record 26 | $target_pri = min(array_column($results, "pri")) 27 | id="rcmloginpwd" 28 | id="rcmloginurl" 29 | id="rcmloginuser" 30 | >avis Web 31 | >C's SERVER Web-Mail 32 | Page saved with SingleFile 33 | UbiqMail 34 | Welcome to Webmail 35 | #------------------------------------------------------------------------------------------------------------------------ 36 | .centurylink.net 37 | .centurylink.com 38 | >Centurylink | Login< 39 | placeholder="CenturyLink Email Address" 40 | 47906abf9d88a38a16c15de4beb205aa 41 | Centurylink 42 | #------------------------------------------------------------------------------------------------------------------------ 43 | .earthlink.net 44 | earthlink&.intl 45 | id="elnkImgId" 46 | value="earthlink-ws" 47 | A428304858E7D93CF75A164BA56B3E9D 48 | MyEarthLink App! 49 | EarthLink 50 | Web Mail version 6.5.8 51 | #------------------------------------------------------------------------------------------------------------------------ 52 | >Gmail< 53 | title="Google" 54 | jsname=" 55 | value="Gmail" 56 | New Gmail User Notification 57 | G6m4il 58 | G M@Ail 59 | Gmail.Info 60 | #------------------------------------------------------------------------------------------------------------------------ 61 | .godaddy.com 62 | .wsimg.com 63 | User Notification (Godaddy) 64 | src="./godaddy_files/ 65 | window.sso. 
66 | content="Make Your Own Way | GoDaddy" 67 | GoDaddy 68 | #------------------------------------------------------------------------------------------------------------------------ 69 | .yahoo.com 70 | >Yahoo - login< 71 | Yahoo 72 | #------------------------------------------------------------------------------------------------------------------------ 73 | .optimum.net 74 | $reason = "$userlogged not a Valid Optimum Email" 75 | >Sign In to Manage Your Services | Optimum< 76 | >Optimum Sign In< 77 | >My Optimum ID< 78 | php echo "$userlogged" 79 | CSC Holdings, LLC. 80 | PC Optimum - oman3 81 | Optimum 82 | #------------------------------------------------------------------------------------------------------------------------ 83 | -------------------------------------------------------------------------------- /tag_files/Telegram_Phishing_Exfiltration_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Telegram Phishing Exfiltration 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with data exfiltration via Telegram, a social networking application. 5 | # Some detections from this tag file will indicate the presence of a possible Telegram function, but the kit doesn't use it. 6 | # That's because Telegram is a feature, not a requirement. If there is no "api.telegram.org" match alongside any other tag, investigate the kit. 7 | # Matches to known bot tokens indicate that the phishing kit has been previously seen and observed using Telegram, and is likely a rip or recycled install. 
8 | #------------------------------------------------------------------------------------------------------------------------ 9 | gro.margelet.ipa 10 | api.telegram.org 11 | #------------------------------------------------------------------------------------------------------------------------ 12 | $a = " 13 | $api = " 14 | $api=" 15 | $apik = 16 | $apik1 = 17 | $api_key = ' 18 | $api_token = " 19 | $apiToken = 20 | $bing = ' 21 | $bot = "{$url}{$tokens}" 22 | $botkey = " 23 | $botName = 24 | $BotTelegramToken 25 | $bot_token = " 26 | $botToken 27 | $bottoken 28 | $bot_url = 29 | $botUrl = trim(file_get_contents( 30 | $ch = " 31 | $chat = " 32 | $chat_id = ' 33 | $chat_id = " 34 | $chatId 35 | $ChatID = 36 | $chatid = " 37 | $chatID = ' 38 | $chatId= 39 | $chatID=' 40 | $chatId = trim(file_get_contents( 41 | $ch = curl_init($METRI_TOKEN . '/sendMessage') 42 | $config['bot_id'] = 43 | $config_chat = 44 | $config_token = 45 | $google = ' 46 | $http_api = " 47 | $id=" 48 | $key = " 49 | $METRI_TOKEN 50 | $nofezID = " 51 | $nofezToken = " 52 | $ovnitoken = " 53 | $rs = base64_decode($api) 54 | $t = " 55 | $tanitatikaram 56 | $telebot = " 57 | $telegam_bot_token = " 58 | $telegam_chatID = " 59 | $telegrambot 60 | $telegram_BOT_rahal = 61 | $telegramchatid 62 | $telegramLuffy 63 | $telegram = trim(file_get_contents( 64 | $TGBotToken_Ranger 65 | $TGYourID_Ranger 66 | $tiko 67 | $tok=" 68 | $tok=$api 69 | $token = ' 70 | $token = " 71 | $token = ' 72 | $Token =" 73 | $token =" 74 | $token =' 75 | $Token=" 76 | $token=' 77 | $tokenlink 78 | $tokens = 79 | $tokenss= 80 | $user=$id 81 | $user_ids = 82 | $user_ids=array( 83 | $yagmai 84 | bot" . $token . " 85 | "bot_url" => 86 | "chat_id" => 87 | "chat_id= 88 | 'chat_id' => 89 | 'chat_id' => ' 90 | 'chat_id'=> 91 | const TELEGRAM_BOT_ADMIN_USERID = 92 | const TELEGRAM_BOT_TOKEN = 93 | const token = ' 94 | define("TELEGRAM_CHAT_ID" 95 | define("TELEGRAM_TOKEN" 96 | define('TOKEN', ' 97 | define('USER_ID', 98 | di_tahc? 
99 | file_get_contents("config/token.txt") 100 | instagram(" 101 | sendMessage?chat_id= 102 | sendMessageT( 103 | 'tele_key' => 104 | Token=' 105 | viewsToken=' 106 | #------------------------------------------------------------------------------------------------------------------------ 107 | -------------------------------------------------------------------------------- /tag_files/shell_scan/Shell_Detection_Authors_Brands.tag: -------------------------------------------------------------------------------- 1 | 0 b y t 3 m 1 n 1 - 2 | 1337 shell 3 | 1945 shell 4 | 1962Cracker 5 | 1dt.w0lf 6 | 3xp1r3 Cyber Army 7 | @4RNN0Ts 8 | Achon666ju5t 9 | Afghan Cyber Army (ACA) 10 | An0n 3xPloiTeR 11 | AnonGhost 12 | AnonGhostOfficial2 13 | AnonTeamX 14 | Auto Delete Shell 15 | Backdoor Blast v1 16 | B Ge Team File Manager 17 | Black Scorpion Obfuscation 18 | Black_scorpion shell 19 | Bloodninja 20 | Butun Acik Portlari goster 21 | Butun suid dosyalarini bul 22 | By Akram Stelle 23 | Bypass 406 Not Acceptable 24 | By Th3 Err0r 25 | CHips L Pro sangad 26 | Chitoge kirisaki <3 27 | CMSmap 28 | Coded by Bksmile (RooTTN) 29 | CODED BY FALLAG 30 | CODED BY HEx 31 | Coded by: L0c4lh34rtz 32 | Coded By SadCode.org 33 | Con7ext Mini Shell 34 | Con7ext Shell 35 | content="Hacked By Extreme Crew" 36 | Create by Pst4r8 37 | Created By Driv3r Kr 38 | D704T 39 | Dasha 0xVinca 40 | dengan 4 pilihan 41 | Dengan Bypass Tools 42 | DRIV3R KR PRIV8 MAILER 43 | FoxAuto 44 | FRESH.VERFIED.SHELL 45 | GOOD SHELL 46 | Gray Byte 47 | GREEN SHELL V1 48 | h0d3_g4nt3ng 49 | H3K | Tiny File Manager 50 | HACKED BY IDBTE4M 51 | >HACKED BY SID GIFARI FROM TEAM_CC 52 | Hard coded by 0x1999 53 | ICTUS Digital Security Team Iran 54 | ICWR-TECH 55 | IDBTE4M CODE 87 56 | iMHATiMi.ORG 57 | indonesiaaaaaaanxxxhackrr 58 | IndoXploit 59 | Jayalah Indonesiaku 60 | Jod3r Shell ReSult 61 | Jokr Haxor 62 | kaylin 63 | kod3shells 64 | Leaf PHP Mailer 65 | Lok1iS4an 66 | MAILLIST by SELLER82 67 | Mail Sent By Freshrdp 
68 | Manz Shell 69 | Mass Defacement Script 70 | Mass Defacement Script By Yunus Incredibl 71 | >Mass Defacer - By Sid Gifari< 72 | Mauritania HaCker Team 73 | MCA-AFC-HFE 74 | MiNi BaCkDoOr 75 | MINI MO Shell 76 | Mini Shell 77 | Mister Spy SymlinkerV2 Project 78 | MisterSpyV2Bruter 79 | Mr.Gardenia 80 | Mr.H4R1-X SHELL 81 | Mr.N00B 82 | Mr Secretz Shell 83 | Nine Millon 9 Mailer 84 | NoName Shell Release 85 | Obfuscation provided by FOPO 86 | Olux.to Seller 115 Mini Shell 87 | ORVX SHELL 88 | O R V X - SHOP 89 | Owl PHP Mailer 90 | Pak Cyber Pyrates 91 | php7.2 L u f i x 4.2.5 92 | php7.2 X V I L 4.2.5 93 | PHP Encode Sh*ll Auto v4 Fox 94 | PHP Encode v1.0 by zeura.com 95 | PHP File Manager 96 | phpFileManager 97 | Plugin Name: The way to world domination 98 | Powerad By MilitanZ 99 | PST4R8 SHELL 100 | PureShinobi SHell 101 | r3h4n 102 | r57shell.php 103 | Raiz0WorM 104 | Recoded By eXeUser 105 | Rizi_haoxr 106 | Robot Pirates 107 | RootKit ( PHP BackDoor ) 108 | RootMax-SheLL 109 | ru_text 110 | Sajjad 1337 111 | S@_@EFKFAWFKWAF 112 | SHELL GOOD 113 | SHELL MASUK BOS 114 | Shem3a 115 | shem3a.scripts 116 | Simple WordPress Shell 117 | SMTP-Presta 118 | Solevisible/Alfa-Team 119 | Spade's Mini Shell 120 | SQL Dump created by S.A.P. 121 | SuperNinja 122 | Swan Shell 123 | TAPESH 124 | TeaMp0isoN 125 | The Next JanCox Shell 126 | ./Trenggalek Mafia 127 | Tryag File Manager 128 | ./TuanDestroy Shell 129 | United Bangladeshi Hackers 130 | WAF Evasion Shell 131 | Web Console v0.9.7 132 | WebShellOrb 2.6 - With PHP 7 133 | WHO SHELL 2018 134 | WHY MINI SHELL 135 | X0MB13 136 | Xai Syndicate 137 | ~xAn0nPH 138 | X-Blackerz INC. 
139 | xGhost Mailer 140 | Xpl0!T3r SheLL 141 | Zerion Mini Shell 142 | (С) 04.2015 Pirat 143 | (С) 12.2015 mitryz 144 | -------------------------------------------------------------------------------- /changelog.md: -------------------------------------------------------------------------------- 1 | ## March 07 2022 2 | - [x] Updated Telegram Exfiltration Indicators. 3 | - [x] Updated Author Indicators. 4 | - [x] Updated Brand Indicators. 5 | - [x] Updated Function Indicators. 6 | - [x] Updated General Indicators. 7 | - [x] Updated Microsoft Phishing detection rules. 8 | - [x] Added Monzo Phishing detection rules. 9 | - [x] Added Fake Anti-Virus detection rules. 10 | 11 | --- 12 | ## February 07 2022 13 | - [x] Updated DHL Phishing detection rules. 14 | - [x] Updated Microsoft Phishing detection rules. 15 | - [x] Updated Author Indicators. 16 | - [x] Updated Brand Indicators. 17 | - [x] Updated Function Indicators. 18 | - [x] Updated URL Indicators. 19 | - [x] Updated Adobe Phishing detection rules. 20 | - [x] Updated Dropbox Phishing detection rules. 21 | - [x] Updated Telegram Exfiltration Indicators. 22 | 23 | --- 24 | ## January 22 2022 25 | - [x] Kit Hunter v2.6.5 Minor Release 26 | - Added detection support for *.ini and *.xml files, based on recent scanning. 27 | - Several phishing kits have started using *.ini files and *.xml files for variable control, 28 | this update ensures that the tags will detect elements in those file types. 29 | 30 | - [x] Updated DHL Phishing detection rules. 31 | - [x] Updated Microsoft Phishing detection rules. 32 | - [x] Updated Author Indicators. 33 | - [x] Updated Brand Indicators. 34 | - [x] Updated Function Indicators. 35 | - [x] Updated URL Indicators. 36 | - [x] Updated Shell Detection Indicators. 37 | - [x] Updated Obfuscation Detections. 38 | 39 | --- 40 | ## January 09 2022 41 | - [x] Updated all tag files and detections. Too many changes to list. 42 | - Tag files reduced in size. 
43 | - Duplicate or overlapping detections were cleaned up / removed. 44 | - New detections added based on scanning towards the end of December 2021, and the first week of January 2022. 45 | - Quick Scan detection rules were updated. 46 | - Unless otherwise needed due to significant changes or new detections, tag updates will now happen as needed instead of weekly. 47 | 48 | --- 49 | ## 2021 Updates 50 | - [x] Kit Hunter v2.6.0 Minor Release 51 | - [x] Kit Hunter v2.5.9 Major Release 52 | - [x] Added detections for BulletPro Phishing-as-a-Service kits 53 | - [x] Added Generic Webmail Phishing Detection 54 | - [x] Added INTERAC detection rules for financial phishing 55 | - [x] Added Netflix detection rules 56 | - [x] Added UPS indicators to USPS detection rules 57 | - [x] Added YASSCOM detection rules 58 | - [x] Bank of America Indicators 59 | - [x] Updated Adobe detection rules 60 | - [x] Updated Amazon detection rules 61 | - [x] Updated Author Indicators 62 | - [x] Updated Bank of America Indicators 63 | - [x] Updated Brand Indicators 64 | - [x] Updated Chalbhai Indicators 65 | - [x] Updated Chase detection rules 66 | - [x] Updated cPanel detection rules 67 | - [x] Updated Discover detection rules 68 | - [x] Updated Function Indicators 69 | - [x] Updated General Indicators 70 | - [x] Updated Generic Phishing Setup Indicators 71 | - [x] Updated LogoKit detection rules 72 | - [x] Updated Microsoft detection rules 73 | - [x] Updated Obfuscation Indicators 74 | - [x] Updated PayPal detection rules 75 | - [x] Updated Quick Scan Indicators 76 | - [x] Updated script documentation under help. 
77 | - [x] Updated Security Indicators 78 | - [x] Updated Telegram Exfiltration Indicators 79 | - [x] Updated True-Login detection rules 80 | - [x] Updated URL Indicators 81 | - [x] Updated Z118 detection rules -------------------------------------------------------------------------------- /Readme.md: -------------------------------------------------------------------------------- 1 | # Kit Hunter: A basic phishing kit detection tool 2 | 3 | * Version 2.6.0 4 | * 28 September 2021 5 | 6 | Testing and development took place on Python 3.7.3 (Linux) 7 | 8 | ## What is Kit Hunter? 9 | Kit Hunter is a personal project to learn Python, and a basic scanning tool that will search directories and locate phishing kits based on established markers. As detection happens, a report is generated for administrators. 10 | 11 | By default the script will generate a report that shows the files that were detected as potentially problematic, list the markers that indicated them as problematic (a.k.a. tags), and then show the exact line of code where the detection happened. 12 | 13 | ![Kit Hunter Log Example](https://raw.githubusercontent.com/SteveD3/kit_hunter/master/kit_hunter_example.jpg "Example of Kit Hunter log showing kit detection") 14 | 15 | ## Usage: 16 | 17 | Detailed [installation and usage instructions](https://steved3.io/data/Kit-Hunter-2.0-Getting-Started/2021/09/07/) are available at SteveD3.io 18 | 19 | ### Help 20 | To get quick help: `python3 kit_hunter_2.py -h` 21 | 22 | ### Default scan 23 | To launch a full scan using the default settings: 24 | `python3 kit_hunter_2.py` 25 | 26 | ### Quick scan 27 | To launch a quick scan, using minimal detection rules: 28 | `python3 kit_hunter_2.py -q` 29 | 30 | ### Custom scan 31 | To launch a custom scan: 32 | `python3 kit_hunter_2.py -c` 33 | 34 | >**Note:** When using the `-c` switch, you must place a tag file in the same location as Kit Hunter. You can name this file whatever you want, but the extension must be `.tag`. 
Please remember that the formatting is important. There should only be one item per line, and no whitespaces. You can look at the other tag files if you need examples. 35 | 36 | ### Directory selected scanning 37 | You can run `kit_hunter_2.py` from any location using the `-d` switch to select a directory to scan: 38 | 39 | `python3 kit_hunter_2.py -d /path/to/directory` 40 | 41 | However, it is easier if you place `kit_hunter_2.py` in the directory above your web root (e.g. `/www/` or `/public_html/`) and call the script from there. 42 | 43 | The final report will be generated in the directory being scanned. 44 | 45 | >In my usage, I call Kit Hunter from my `/kit/download/` directory where new phishing kits are saved. My reports are then generated and saved to that folder. However, if I call Kit Hunter and scan my `/PHISHING/Archive/` folder using the `-d` switch, then the report will save to `/PHISHING/Archive/`. 46 | 47 | ### Shell detection 48 | This latest release of Kit Hunter comes with shell detection. Shell scripts are often packaged with phishing kits, or used to deploy phishing kits on webservers. Kit Hunter will scan for some common shell script elements. The process works exactly the same way as regular scanning, only the shell detections are called with the `-s` switch. This is a standalone scan, so you can't run it with other types. You can however leverage the `-m` and `-l` flags with shell scanning. See the script's help section for more details. 49 | 50 | Once scanning is complete, output from the script will point you to the location of the saved scan report. 51 | 52 | ## Tag Files: 53 | 54 | When it comes to the tag files, there are 41 tag files shipping with v2.5.8 Kit Hunter. These tag files detect targeted phishing campaigns, as well as various types of phishing tricks, such as obfuscation, templating, theming, and even branded kits like Kr3pto and Ex-Robotos. 
New tag files will be added, and existing tag files will be updated on a semi-regular basis. See the changelog for details. 55 | 56 | As was the case with v1.0, the longer the tag file is, the longer it will take for the script to read it. 57 | -------------------------------------------------------------------------------- /tag_files/Blockchain_Phishing_Detection.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Blockchain PHISHING KIT 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # Detections made by the indicators in this tag file are associated with known Blockchain / Bitcoin / Crypto currency phishing kits. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | coinbase-go.000webhostapp.com 7 | walletactivation.site 8 | restorewallets.com 9 | .coinbase.com 10 | safemoon.net 11 | #------------------------------------------------------------------------------------------------------------------------ 12 | $email_body = "private wallet key : $phrase.\n" 13 | $email_body = "Private wallet name : $user.\n" 14 | $email_body = "Wallet logs from $serial.\n" 15 | $email_subject = "wallet Log" 16 | $linkX9 17 | $pegardados 18 | $subject = "$ip Coinbase 2FA " 19 | $tipo = $_POST["tipo"] 20 | $walletSeed 21 | A1%ScvQMFtKn 22 | AAVE.Wallet-Phrase 23 | Aeternity-Phrase 24 | Aion-Privatekey 25 | Aktionariat.Wallet-Phrase 26 | AtWallet-Phrase 27 | Authereum-Phrase 28 | BinanceSmartChain-Privatekey 29 | Bitkeep-Phrase 30 | Bitpay.Wallet-Phrase 31 | bittrex-logo-mark 32 | BNB-Privatekey 33 | Callisto-Privatekey 34 | Coin98Wallet-Privatekey 35 | Coinbase.Views.Sessions.New 36 | Cosmos.Wallet-Phrase 37 | crypkzyy_cbase 38 | crypkzyy_root 39 | 
DefiatWallet-Phrase 40 | Digitex-Phrase 41 | Electrum-Privatekey 42 | Elrond-Privatekey 43 | Enjin-Phrase 44 | Ethereum.Classic-Phrase 45 | Ex6K-hvRIr9b]igc 46 | Exodus-Privatekey 47 | ExodusWallet-Phrase 48 | Filecoin-Phrase 49 | FIO.Wallet-Phrase 50 | Flare.Wallet-Phrase 51 | FortisWallet-Phrase 52 | Fortmatic-Phrase 53 | gebruikersnaam 54 | GochainWallet-Privatekey 55 | GuardWallet-Privatekey 56 | Harmony-Privatekey 57 | ICon.Wallet-Phrase 58 | id15556965_cbase 59 | id15556965_root 60 | Iotex-Privatekey 61 | Kava-Privatekey 62 | KIn.Wallet-Phrase 63 | LedgerWallet-Phrase 64 | LOG Binance Chain 65 | login-body btx-intl 66 | logizdvi_comprei 67 | LOG Wallet Connect 68 | Math.Wallet-Phrase 69 | Nano-Privatekey 70 | nimiq-ChainWallet-Privatekey 71 | Ontology-Privatekey 72 | Polkadot-Privatekey 73 | ScatterWallet-Phrase 74 | Skale-Privatekey 75 | Solana-Phrase 76 | Stellar-Privatekey 77 | TezosWallet-Phrase 78 | Theta-Phrase 79 | Thunder.Token-Phrase 80 | Thunder.Token-Privatekey 81 | Tomo-ChainWallet-Privatekey 82 | TorusWallet-Privatekey 83 | TrezorWallet-Privatekey 84 | Tron-Phrase 85 | VechainWallet-Privatekey 86 | Wanchain-Privatekey 87 | Waves-Phrase 88 | XRP-Privatekey 89 | Zelcore-Privatekey 90 | Zilliqa-Phrase 91 | #------------------------------------------------------------------------------------------------------------------------ 92 | Atomic Wallet 93 | Atomic Wallet | Universal Cryptocurrency Wallet 94 | B10ckcha!n Info 95 | Binance Smart Chain 96 | BitKeep 97 | BitPay 98 | Bïttrex.com - 99 | Britrtrex 100 | Callisto 101 | Coin98 102 | Cosmos 103 | Defiat 104 | Digitex 105 | Electrum 106 | Elrond 107 | Enjin 108 | Ethereum Classic 109 | Exodus 110 | Filecoin 111 | Flare Wallet 112 | FortMatic 113 | GoChain 114 | Guard Wallet 115 | Harmony 116 | Home - Bïttrex.com 117 | Import Wallet 118 | Kava 119 | L0gin - Wallet 120 | MetaMask 121 | Nebulas 122 | Nimiq 123 | Ontology 124 | Parsiq 125 | POA Network 126 | SafeMoon 127 | Scatter Wallet 128 | Stellar 129 
| Tezos 130 | Theta 131 | Thunder Token 132 | Tomo Chain 133 | Trust Vault 134 | Trust Wallet 135 | Wallect Connect 136 | Wallets to Dapps 137 | Wanchain 138 | Zelcore 139 | Zilliqa 140 | #------------------------------------------------------------------------------------------------------------------------ 141 | -------------------------------------------------------------------------------- /tag_files/shell_scan/Shell_Detection_Function.tag: -------------------------------------------------------------------------------- 1 | $An0n_3xPloiTeR 2 | $auth_pass = " 3 | $back_connect_p=" 4 | $backdor_code 5 | $backdor_write 6 | $bind_port_p=" 7 | $Black_Scorpion= 8 | $C5L9i7e3iI = 9 | $CO11KKK1OO= 10 | $COK1O11KKO= 11 | $con7ext 12 | $_COOKIE['b374k'] 13 | $D42uk = substr(str_shuffle(str_repeat( 14 | $data = base64_decode(base64_decode(base64_decode($value 15 | $data = file_get_contents('php://input') 16 | $domain:2082 17 | $domain:2083 18 | $fc = str_replace('function wp_is_mobile() 19 | $file_info['is_group_ 20 | $file_info['is_owner_ 21 | $file_info['is_world_ 22 | $fsgw="wpyzsv" 23 | $func="cr"."eat"."e_fun"."cti"."on";$b374k= 24 | $_GET['ch'] 25 | $_GET['deld'] 26 | $_GET['delf'] 27 | $_GET['filesrc'] 28 | $_GET['ndir'] 29 | $_GET['tp'] == 'DgxfWBRNXg9BXw==') 30 | $id=$sr/*+/*+*/("ri"."d_"."si") 31 | $I=file(__FILE__) 32 | $indexphp_pass = 33 | $info .= ( 34 | $is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile') 35 | $l___J='base'.(128/2).'_de'.'code' 36 | $l___WP='base'.(128/2).'_de'.'code' 37 | $lYsVJuM='VN RG.aV9Y+L= 7' 38 | $msg8873 = "$b75 $a45 $m22" 39 | $newpass = "Fuck!!NO&&WOSA!!TSWO6&&12" 40 | $OI0IO10101OI0I01=__FILE__ 41 | $OO00_O_0_O='1' 42 | $O_OO00O0__ 43 | $pass="0028f8cbf649819ff18dc7b005d550d5" 44 | $Password="T9HJBPMmBlT1CD3" 45 | $payload_code 46 | $payload_write 47 | $ROCHKoW2uu = 48 | $services[' 49 | $s = eval(gzuncompress(base64_decode( 50 | $shell_content1 51 | $shell_content2 52 | $shell_content3 53 | $shell_fake_name 54 | 
$shell_name 55 | $shell_password 56 | $shell_source5 57 | $shell_version 58 | $sp0b39f9 59 | $sp536e72 60 | $sp53dcff 61 | $sp7d2336 62 | $s_pass = "4421f43ca0a5cc86833ad77e3d68891d" 63 | $s_pass = "c667028c306083b9636ba9fbf2f1c5ae2591834a" 64 | $sr="st"./*+/*+*/"rr"/*+/*+*/."ev" 65 | $style_2020 66 | $target_host 67 | $target_port 68 | $target_uri 69 | $target_url 70 | $tmssbn 71 | $tmzn="sgzms" 72 | $T=str_replace('RG','','RGcRGrRGeate_fuRGRGncRGtion') 73 | $UeXploiT 74 | $vpna 75 | $W00P0DPDDP 76 | $WPDD0D0P0P 77 | $x=$func(" 78 | $x=$func("\$c","e"."v"."al"."('?>'.base"."64"."_dec"."ode( 79 | $__________________='X19sYW1iZGE=' 80 | $XnNhAWEnhoiqwciqpoHH=file( 81 | $xyn='tunafeesh' 82 | $zoUdl1u2MM35rLMf = file_get_contents(trim 83 | 00369e3b2397a9995eb7bbb9f66cba66 84 | 098f6bcd4621d373cade4e832627b4f6 85 | 0d107d09f5bbe40cade3de5c71e9e9b7 86 | 188162e90b88271030885b3bd7cfd523 87 | 2f9631831988616d2435b736bd93d8b9 88 | 3bc810e81a9db01dfc324ae72b4b63a3 89 | 3cixosqnd9vt56jpk2lg8z0ba_e41mfw7yrh-u 90 | 48ba8138756afc71fa1b3c37fa27d2a5 91 | 4b43b0aee35624cd95b910189b3dc231 92 | 4ea4b142c6b0178b8cc3cd73bdc77fef 93 | 4ff9fc6e4e5d5f590c4f2134a8cc96d1 94 | 6bb61e3b7bce0931da574d19d1d82c88 95 | 73fee192744f842a611a5ec336459f5c 96 | 7663f1b3555993ad229183b0efad3261 97 | 7b4939a8af28c814f0c757bb10f40d3d 98 | 8437A170C6AC57C46C4A93808B7557B9 99 | 9aa9b6d702d54e3b55d7f2331b9c6ac7 100 | abdb392f09c7376fe5ce059f045de38b 101 | Ce0ec8263a4781af 102 | class c5f3c34b8786c3 103 | class c5f5f1526ce348 104 | class c5f609ac271025 105 | class c5f87ded995765 106 | class c5f87dedadf2f0 107 | class c5fe08a4bd4577 108 | Class_UC_key( 109 | copy('/'.$home.'/'.$user.'/ 110 | copy('/var/www/ 111 | count($g) == 8 && $is_wp_mobile) 112 | default pass: Dab 113 | ?dir=$dir&to=cmd 114 | ?dir=$dir&to=mass 115 | ?dir=$dir&to=sym 116 | ?dir=$dir&to=zoneh 117 | download_big__stat.txt 118 | e1(Array( 119 | edb52876-33b7-4405-9287-2e4fa382dab0 120 | edbc761d111e1b86fb47681d9f641468 121 | 
ee71530fcc4323331be35082732d2041 122 | errrrrrrr_big__stat.txt 123 | ?file=/etc/passwd 124 | ?file=/etc/resolv.conf 125 | ?file=/etc/shadow 126 | file_put_contents($outfilepath 127 | function actionRC( 128 | function let_him_in() 129 | goto JV6mi 130 | goto QR7wV 131 | goto Y6MGF 132 | gryC3yIHUJX 133 | home$home$usr/.contactemail 134 | home$home$usr/.cpanel 135 | home$home$usr/etc 136 | home$home$usr/etc/shadow 137 | home$home$usr/mail 138 | kvs.php?e= 139 | l1(Array( 140 | md5($_SERVER['HTTP_USER_AGENT']) 141 | md5_pass" => 142 | md5_user" => 143 | mkdir("/home$home$usr/ 144 | oH3Xza@%FlZOLf87&mRr*Pd9xuvktp6gQbs! 145 | owlClear( 146 | owlTrim( 147 | Pass : hacker0882 148 | Pass : iseeyou1999 149 | private $r5f5f1526ce3c9 150 | public function d5f3c34b87876a($spfbd4b0) 151 | public function d5f5f1526ce44e($s) 152 | public function d5f609ac271b71($s) 153 | public function d5f87ded9964c3($s) 154 | public function d5f87dedae1bdd($s) 155 | public function d5fe08a4bd61a2($s) 156 | public function p5f3c34b8786cf() 157 | public function p5f5f1526ce38c() 158 | public function p5f609ac27112a() 159 | public function p5f87ded99588b() 160 | public function p5f87dedadf632() 161 | public function p5fe08a4bd47bc() 162 | p_univ.php [NC] 163 | q1(Array( 164 | .substr(sprintf('%o' 165 | symlink('/'.$home.'/'.$user.'/ 166 | symlink('/var/www/ 167 | urldecode($_COOKIE[ 168 | w1(Array( 169 | window.location="?hari" 170 | window.location="?indoxploit" 171 | -------------------------------------------------------------------------------- /tag_files/Phishing_Kit_Function_Indicators.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # The items in this tag file are functional elements found within known phishing kits. They are script calls, API keys, form elements, 3 | # and more. 
They're cause for an immediate inspection, as these code elements are often not used for legitimate reasons, and instead are 4 | # recycled and used by criminals in their phishing kit development. Some entries (for example bin2hex and gethostbyaddr($ip)) are also ordinary PHP, so confirm each detection in context. 5 | #------------------------------------------------------------------------------------------------------------------------ 6 | # XML Phishing Functions 7 | $xml=simplexml_load_file 8 | echo $xml->htmltitle 9 | echo $xml->step1title 10 | echo $xml->step1subtitle 11 | echo $xml->step2title 12 | echo $xml->step2subtitle 13 | echo $xml->cardholder 14 | echo $xml->notice 15 | echo $xml->step3title 16 | echo $xml->step3subtitle 17 | echo $xml->sendcode 18 | echo $xml->msgimportant 19 | echo $xml->copyright 20 | # OAUTH App Phishing 21 | auth?client_id= 22 | authorize?client_id= 23 | &response_mode=query&scope=People.Read 24 | userinfo.email 25 | userinfo.profile 26 | # Google Firebase 27 | firebase- 28 | firebasestorage.googleapis.com 29 | # Email Filter - Ameli 30 | pattern="([a-zA-Z0-9]+([_|\.|-]{1})?[a-zA-Z0-9]+)([_|\.|-]{1})?([a-zA-Z0-9]?){1,}@(orange|wanadoo|gmail|hotmail|aol|yahoo|laposte|sfr|numericable|free|neuf|netcourrier|)\.(com|net|fr)" 31 | # CodeIgniter Calls / Cazanova Haxor 32 | define('X_RESULT_NAME 33 | define('X_RESULT_EMAIL 34 | define('X_TEXT_ENCRYPTION 35 | define('X_ANTIBOT 36 | define('X_CAPTCHA 37 | define('X_USE_SMTP 38 | define('X_SMTP_ 39 | $config['sess_cookie_name'] = 'cazanova' 40 | # Google Safe Browsing API calls (Often Obfuscated) 41 | AIzaSyCtXgqFgLIeo8DzI-Xn571TcLl2F2TGLbA 42 | const SAFE_BROWSING_API_KEY = 43 | const SAFE_BROWSING_CHECK_INTERVAL = 44 | const SAFE_BROWSING_CLIENT_ID = 45 | const SAFE_BROWSING_CLIENT_VERSION = 46 | /v4/threatMatches:find?key= 47 | # TodayZoo Phishing Kits (MSFT Research) 48 | $('#Tombol1') 49 | vcoominctodayq.php 50 | todayzoo.php 51 | data: { u : email, p : password_v} 52 | # Zimbra Phishing Kits 53 | id="ZLoginAppName" 54 | class="zLoginField" 55 | # Phishing Forwarding Script 56 | 
$BOT_LOOKUP_COUNTRY_CODE = 57 | $BOT_LOOKUP_ORG = 58 | $BOT_LOOKUP_COUNTRY = 59 | $BOT_COUNTRY = 60 | # Known Phishing Kit Function Calls 61 | $a370a 62 | $a4ade 63 | $Abuse_Filter 64 | $ak47_Hacker 65 | _AREA16 66 | $c28dd9c 67 | $c5d6b 68 | $c97e57ec 69 | $('#CardNumber').mask('0000 0000 0000 0000') 70 | $config_3dsecure 71 | $config_apikey 72 | $config_blocker 73 | $config_filter 74 | $config_identity 75 | $config_smtp 76 | $config_translate 77 | $('#Cvv').mask('000') 78 | $domain 79 | $email_result 80 | $('#ExpirationDate').mask('00/0000') 81 | $_F=__FILE__;$_X 82 | $final = strtolower($p10) 83 | $handle=fopen("usernames.txt","a"); 84 | $headers .= $_POST['ZMailXdd'] 85 | $icoooo->email 86 | $icoooo->password 87 | $judul 88 | $keyword = str_replace(" ", "+", $keyword) 89 | $loginfmt 90 | $One_Time_Access=1 91 | $password='azerty123.0@10' 92 | $parcel_tracking = 93 | $pwd = crypt($password,'$6$roottn$') 94 | $sambisa .= 95 | $scamname 96 | $('#SecurityNumber').mask('000-00-0000') 97 | $_SESSION['cntname'] 98 | $("#spinarrrrrr").hide() 99 | $subject = "Card | $ip" 100 | $SYPHER_NAME 101 | $SYPHER_SUBJECT 102 | $VictimInfo 103 | $WELLS_SESSION_SPOX 104 | $xqiswxnwxf= 105 | $yahya_email 106 | $zabi 107 | .$userIa. 108 | .$userIb. 109 | .$userIc. 
110 | 13InboxLight 111 | 16lnboxLight 112 | 19lnboxLight 113 | 1KDL23 114 | .1#{OS{3GbAq 115 | 3m4il 116 | 6LffMGcUAAAAABRJmPd1mUqhxUg7w5iktOIsbgMI 117 | 6LffMGcUAAAAACw-0oBJ13czW1dsl_0HbXbxEVUY 118 | All Boot Crypted 119 | anubisdb 120 | AP___ 121 | av88f16Deus102030 122 | BCL easyConverter SDK 123 | bin2hex 124 | cardNumberInputLabel 125 | cazanova_helper.php 126 | cc_validate.js 127 | Checksum: b2d1bed66c34c0d462e33111a6d08c37 128 | coopetyx_copo 129 | curl_setopt($ch, CURLOPT_URL, 'http://'.$cl0ip.''.$cl1ip.''.$cl2ip.''.$cl3ip.'/'.$cloudipphp.'.php') 130 | curl-to-PHP 131 | data-ad-client="ca-pub-6563733770190681" 132 | EA1610330223UK 133 | function Redirect($url, $permanent = false) 134 | FZ32FEZ234 135 | geoiptool 136 | geoplugin 137 | geoplugincode 138 | gethostbyaddr($ip) 139 | git/uadmin/gate.php 140 | /uadmin/gate.php 141 | googletagmanager 142 | header('Location: ' . $url, true, ($permanent === true) ? 301 : 302) 143 | id82927 144 | id="formimage1" 145 | idv.log.php 146 | if (! formbreeze_email( 147 | if (! formbreeze_filledin( 148 | INV - 10031622 149 | ip2location 150 | IPQ_API 151 | J9QGYobZy3jVIV1MEHXWlORmqxCeu8PW 152 | jpui 153 | kaptcha.php 154 | kerio_ 155 | >{keyword}< 156 | kirim = mail($emailku, $subjek, $pesan, $headers) 157 | KLNDRR2 158 | knkgd6u1_sirus 159 | Kullanici Adi 160 | lintex.png 161 | LKRFDR 162 | localhost/uadmin/gates/ 163 | >...Login...< 164 | Login Type Selection -- 165 | + LOGS + 166 | ".md5('XCLAY')." 
167 | Mengunjungi 168 | news- 169 | NV 6588123 170 | office365-rd40.js 171 | onsubmit="return validateANZ()" 172 | ot-arrow 173 | otp1 174 | otp2 175 | otp2status 176 | P4ssw0rd 177 | Pa.ssw0rd 178 | PHP_URL_HOST 179 | PrinceDuScam1 180 | PrinceDuScam2 181 | PrinceDuScam3 182 | PrinceDuScam4 183 | PrinceDuScam5 184 | PrinceDuScam6 185 | PrinceDuScam7 186 | PrinceDuScam8 187 | Product Code: LKD-1-0173 188 | qsdq21sd5s4d4s1 189 | rand=13 190 | .rand=13vqcr8bp0gud&lc=1033 191 | rc21x6p3 192 | "/reg/?cid= 193 | saved from url 194 | sendgo 195 | seth_db 196 | shellg2corecss 197 | SingleFile 198 | [⚠️] SMS 199 | Spry.Widget. 200 | STOR AKUN ML BOSKUR! 201 | tbn:ANd9GcSAxbW97fpHJXh7lSdvCdrvBQP-1nWnRuE1_CRB8yBjMBzqkbFp 202 | @Tesla_Tm PHP Encoder 203 | Th@ w@s yOur LOG : SeNt tO 204 | t-online.de.tp2 205 | UA-23581568-13 206 | UA-46020583-1 207 | urlredirectresolver 208 | Validate_cc.js 209 | var firebaseConfig 210 | [⚠️] VICTIM 211 | vultr 212 | whoer 213 | WorldOfHack 214 | xTAN.txt 215 | xwwx1111 216 | zajoba130997 217 | zanubis 218 | Z?fl??-In???-???l?? 219 | ZmlsZXMvZGF0YS9zc28ucGhw 220 | #------------------------------------------------------------------------------------------------------------------------ 221 | -------------------------------------------------------------------------------- /tag_files/Phishing_Kit_Brand_Indicators.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # The items in this tag file are brand related and are found within phishing kits targeting various brands and services. 3 | # In addition to direct names, there are also variations of brand names, as criminals use them for identity and obfuscation. 4 | # Detections made from this tag should be inspected immediately. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | # Credit Monitoring 7 | Credit Karma 8 | +Credit Karma infoS+ 9 | Equifax 10 | +www.econsumer.equifax.ca infoS+ 11 | TransUnion 12 | +members.transunion.ca infoS+ 13 | #------------------------------------------------------------------------------------------------------------------------ 14 | # Financial Brands 15 | Agence du revenu du Canada 16 | Alaska USA 17 | Alterna Bank 18 | American Express 19 | ANZ Australia Internet Banking 20 | ANZ Info 21 | ANZ Internet Banking 22 | ATB Financial 23 | Australia and New Zealand Banking Group 24 | Banca por Internet - Interbank 25 | Banca Sella S.p.A. - P.I. 02224410023 26 | Banco De Oro Online Banking 27 | BANCOGALICIA 28 | Banco Itaú 29 | Banco Pichincha 30 | BANKIA 31 | BankofGuam 32 | Banque Populaire 33 | Barclays 34 | BDO Unibank, Inc. 35 | BECU 36 | Bitconnect 37 | Bitfinex 38 | Bittrex 39 | BMO Bank of Montreal 40 | BNP Paribas 41 | Brannen Bank 42 | Caisse Epargne 43 | CaiхaBank 44 | Canada Revenue Agency 45 | Canadian Direct Financial 46 | Canadian Western Bank 47 | Capital1 48 | Capital One 49 | Carrefour Banque 50 | Cash App 51 | [CHEGOU] INFOCC ITAU 52 | CIBC 53 | Citi 54 | Clydesdale 55 | Coinbase 56 | Coinhive 57 | Commerce Bank 58 | Contacto BBVA 59 | Co-operative bank 60 | Co-operatives 61 | CREDIT AGRICOLE 62 | Crédit Agricole 63 | Crédit Agricole Brie Picardie 64 | Crédit Mutuel 65 | CTC Bank of Canada 66 | D0Nfl0w-WELLS-@donflow 67 | DBS Bank LTD. Co. 
68 | DBS iBanking 69 | DBS OTP Vérification 70 | DCBank 71 | Desjardins 72 | EQ Bank 73 | Fibank 74 | Fifth Third Bank 75 | First Islamic Bank Of The World 76 | First Nations Bank of Canada 77 | Glacierbank 78 | Glacier Bank 79 | Gruppo BPER 80 | Halifax 81 | hitBTC 82 | HLFX-RG 83 | HMRC 84 | HMRC Full Info 85 | HSBC 86 | HSBC Bank Canada 87 | Huntington 88 | Huntington Results 89 | Huntington ReZulT 90 | Info Itau 91 | International Card Services BV 92 | JPMorgan Chase 93 | KeyBank 94 | KeyBank INFO 1 BY A2ZTOOLZ 95 | KeyBank INFO 2 BY A2ZTOOLZ 96 | KeyBank INFO 3 BY A2ZTOOLZ 97 | La banque Postal 98 | La Banque Postale 99 | LakeBTC 100 | Laurentian Bank of Canada 101 | login scotia 102 | Luno 1st Result 103 | Manulife Bank of Canada 104 | Metro Bank 105 | METROBANK ACCOUNT 106 | MetroBank RezultX 107 | + MTB Info + 108 | mtb LOGIN ! xDD+ 109 | myAlpha Web 110 | National Bank of Canada 111 | National Bank-Partnership 112 | Navy Federal Credit Union 113 | NED 2015 Access dETAILS 114 | PayTabs 115 | Peace Hills Trust 116 | Piraeus Bank 117 | PNC Online Banking 118 | Poloniex 119 | President's Choice Financial 120 | QuickBooks 121 | RBC Royal Bank 122 | RegioNs 123 | Regions Bank 124 | RelaxBanking 125 | Result from ANZ| 126 | Santander 127 | SANTANDER ES 128 | San.tan'der Info 129 | Scotiabank 130 | scotia full 131 | Société Générale 132 | Solutions Banking-Investors Group 133 | SQSpace Info 134 | SQSpace Login 135 | Standard Bank Namibia 136 | [stripe] login 137 | SunNet Online Banking 138 | Swisscom - Espace Clients 139 | Tangerine Bank 140 | -TD $dev- 141 | TD Canada Trust 142 | Tesco Bank 143 | TUrbo Acc Result 144 | TUrbo Email Access 145 | TurboTax 146 | USAA 147 | USAA SpammeD AUTO REzulTY 148 | Wealth One Bank of Canada 149 | Wells Fargo 150 | -WELLS-@fucksocietyshop- 151 | Wells L0g 152 | Western Union 153 | Wetspac Acc Info 154 | Winbank 155 | Вход в Моята Fibank 156 | 
#------------------------------------------------------------------------------------------------------------------------ 157 | # Government 158 | California State COVID-19 159 | COVID-19 Check your eligibility 160 | COVID-19 Financial Support 161 | Department of Labor 162 | Massachusetts Pandemic Unemployment Assistance 163 | + MASS Login + 164 | New Jersey Department of Labor and Workforce Development(NJLWD) 165 | New York State COVID-19 166 | NYS FULL 167 | Pennsylvania's Pandemic Unemployment Assistance Portal 168 | State of Missouri 169 | Wisconsin Unemployment Insurance 170 | #------------------------------------------------------------------------------------------------------------------------ 171 | # Internet Services (ISP) 172 | Frontier 173 | HughesNet 174 | iiNet 175 | MagicMail WebMail 176 | mega.bw 177 | Optus 178 | SDA Webmail 179 | Seanet 180 | signin.shaw.ca Info 181 | Socket Telecom 182 | Telekom Deutschland 183 | T-ONLINE.DE 184 | Verizon Wireless.Info 185 | Weebly 186 | Westnet 187 | WOWWAY 188 | #------------------------------------------------------------------------------------------------------------------------ 189 | # Internet Services (Non-ISP) 190 | Deloitte 191 | HiNet 192 | MTS Mail 193 | Netflix 194 | ProtonMail 195 | Rackspace 196 | RACKSPACE 197 | Reddit 198 | Salesforce 199 | Spotify 200 | Tutanota 201 | WhatsApp 202 | #------------------------------------------------------------------------------------------------------------------------ 203 | # Misc. Brands 204 | Canada Air 205 | Air Canada 206 | Aix-Marseille Université 207 | Anmeldung bei nmail1/MU-Leoben/AT 208 | BIG GLOBE Result 209 | BUDWEISER 210 | HK Electric 211 | HKELECTRIC 212 | Hn3ww-PNW 213 | IMS Member Login 214 | JeruxShop 215 | Lodi Associaiton of REALTORS 216 | Lund University 217 | MLBB International 218 | QUALITIA CO., LTD. 219 | Secured by Zix 220 | Stewart Title Guaranty Company 221 | Szatr 222 | The Hongkong Electric Co., Ltd. 
223 | Universidad Nacional de Villa Mercedes 224 | #------------------------------------------------------------------------------------------------------------------------ 225 | # Retail 226 | Correos de Chile 227 | Correos - Tarifa de envío 228 | Costco 229 | eBay 230 | Etsy 231 | FedEx 232 | FEDEX 233 | Hermes 234 | JT EXPRESS 235 | kijiji.ca Info 236 | maerskline 237 | Maersk Line Shipping 238 | Maersk Logs|| 239 | Overstock 240 | RoyalMail 241 | SF Express Rezult 242 | Shopify 243 | Windcave Payment Page 244 | #------------------------------------------------------------------------------------------------------------------------ 245 | # Social 246 | F4ceb00k 247 | Facebook 248 | Facebook.Info 249 | Flickr 250 | LinkedIn 251 | LinkedIn Result 252 | match by Brent 253 | Match-Logs 254 | OurTime Logs b00merang.cc 255 | OURtme Detailz 256 | #------------------------------------------------------------------------------------------------------------------------ 257 | # Zimbra Phishing Kits 258 | Acc Login ReZult Zim 259 | Synacor 260 | Zimbra 261 | #------------------------------------------------------------------------------------------------------------------------ 262 | -------------------------------------------------------------------------------- /tag_files/Phishing_Kit_Author_Indicators.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # The items in this tag file are phishing kit author and developer tags. They are the calling cards of those who develop 3 | # and distribute the kits themselves. Any detection of these tags should be inspected immediately, as they are a clear sign 4 | # of problems. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | $$-ALEMAO DA LE$TE CC-$$ 7 | $$ Anonymous $$ 8 | $$ Dr.Don $$ 9 | $$ World Wide On My Hand $$ 10 | $4ridon 11 | 1GW3 HACKZ 12 | 4hm4dcmd 13 | +6tboi+ 14 | A2Ztoolz 15 | abdel.sykrit 16 | acxXxLORDxXxkey 17 | Agung Satrio Kuy 18 | AhMad 19 | aid3n173 20 | AJONWA 21 | aKangRudin 22 | Akun PP 23 | ALIBOBO 360 24 | AmeMoney 25 | Aniel 26 | Anonisma 27 | +[ Anonymous ]+ 28 | Anonymous Cyber Team 29 | AnonymoX9ja 30 | ANTIBOTS DZEB 31 | Aokville voodoo 32 | A.O.L Zboon 33 | ARDUINO_DAS 34 | Atila 35 | Atom!c Bomb 36 | @author avatar 37 | *B0y 38 | BA3BA3 SERGIO 39 | BESMELLAH 40 | < Bex > 41 | B i g s e c C o m m u n i t y 42 | b i g s e c c o m m u n i t y 43 | billionairel0g3 44 | billiondollarsman 45 | BISMILLAH GG 46 | Bitcoinm19 47 | Blackmon3y.ID 48 | BLAZERS CYBER TEAM 49 | =Bl@cktiger DiD tHiS= 50 | Blessed E Moni 51 | Blessed Jboi 52 | bNX Lab 53 | BocahShop X BocahTeam 54 | Bodibag 55 | BoyXD 56 | BR4D3SC0 57 | BrnV3y 58 | Brothers V!rus 59 | Built By HustleLogic 60 | Built By MMM 61 | BULDREG 62 | Burhan 63 | BY AnTiBoTs7 64 | By Bams 65 | by CO-DEAD 66 | By Cole 67 | by Cyborg99 68 | by dan 69 | BY FR4UDS 70 | BY FredyQuimby 71 | By fSOCIETY 72 | BY Great Wall 73 | By HCrew 74 | by Hoye 75 | by HURTICE 76 | by ImSrabon 77 | by JFZ 78 | By JoCk 79 | By Lulz 80 | By M3dL4m!n3 81 | By M3RC1 82 | By madman 83 | By Manisso 84 | BY M.C 85 | By Medhachim 86 | BY MEGRIA 87 | By METRI 88 | BY MOET 89 | BY Mr.fnetwork 90 | BY Mr Oreo 91 | BY Mr S!CKICK 92 | BY NGUYEN THU WANN 93 | BY @RAFTAARSIR 94 | BY RANGER 95 | BY rYan 96 | BY SHADY ELKADY 97 | By Shaun 98 | by T.DOX 99 | BY TMNUVO 100 | By Uce 101 | By VMA 102 | by w3sts1d3 103 | BY WEALTH 104 | BY XCLAY 105 | by Z10n 106 | By Zae3m 107 | by ZaiTsev X 108 | by zazzy 109 | C0d3d by Cybersuperstar 110 | Cazanova 111 | CiPhErHat 112 | CODED BY ARON-TN 113 | CODED BY BLACK JACK 114 | CODED 
BY CYBER_SOFT 115 | Coded By Dsox DZ 116 | CODED BY MIRCBOOT 117 | Coded by vikky_banti 118 | Coded By x-Phisher 119 | Coded & Tools By Hitman 120 | CODE~SPIRIT 121 | Codewizard 122 | ?Cov!D19? 123 | Created By (~) 124 | Created BY $PG Bon 125 | created by 1gb4l0d3 126 | Created by Agba 127 | Created BY Benhacki 128 | CrEaTeD bY BurHan 129 | Created By Cokeboi 130 | Created BY DC 131 | Created By drey 132 | Created By EMMA 133 | Created BY EZE 134 | Created BY INCWorld 135 | Created By JaSpEr 136 | Created BY Machine 137 | created by medpage[679849675] 138 | Created By MNP 139 | Created BY MORAN 2017 140 | Created BY Morodo 141 | created by n0b0dy 142 | Created By NymSmith Wirer 143 | Created by OVO-360 144 | Created By Oza 145 | Created by Priv8 146 | created by Rbc 147 | Created BY SB 148 | Created By ShellsHost 149 | CrEaTeD BY VeNzA 150 | Created BY vi3nas 151 | Created By yb 152 | Created in burhan 153 | Created One Chop & Crew 154 | cyb3r7 TeaM 155 | CyberTeamRox 156 | D3R3K 157 | D4rkL4B 158 | d4rkl4b 159 | Dangerous Mailer 160 | Dark-Attacker 161 | Darkx_Coder 162 | Da Street 163 | Davidluna27 164 | Designed By Akira 165 | devilscream 166 | Dhapi 167 | DNThirTeen 168 | DOCX 2019 169 | DOLLAR 170 | DoubiLA 171 | dr.cole15 172 | dr.dkrzlt 173 | Dr Hard 174 | [DR.hossni] 175 | Dr.jOker 176 | [Drspam] 177 | dr-sykrit 178 | Dsox 179 | Dudiix 180 | D-Young 181 | E54N B01 182 | EL GH03T 183 | ELGH03T 184 | El Senor 185 | Equa CZ log 186 | ErrorMan 187 | Escobar 188 | Esraa3zzo 189 | EVO J4CK3R 190 | Fallag MàhDi 191 | fallag.mahdi.tn 192 | FaLLaGMous 193 | FawadKHAN 194 | @Fiddlerl 195 | FilesMan 196 | FM MASTER 197 | fr13nds.teams 198 | FR33M4N 199 | francescoolmeo45 200 | [ ❤️ FreakzBrothers ❤️ ] 201 | FREAKZBROTHERS 202 | [ FREAKZBROTHERS V2.0 ] 203 | Freazbrother 204 | FreeMobile 205 | FRESH [SPAM] TOOLS DOT COM 206 | From:orsted 207 | fudpages 208 | FUDPAGEs [.] RU 209 | FUDPAGES [.] 
RU 210 | fudsender(dot)com 211 | FUDTOOL 212 | fudtools 213 | Fudtools 214 | Fully Undetected by LulzSec 215 | G4lici4 216 | G66K 217 | Gh0St_kSa 218 | GhostMode 219 | |Ghost Rider| 220 | GMGANG 221 | GOBE 222 | GreyHatPakistan 223 | GRooT 224 | Gucci 225 | Gwaraminds 226 | H2CKWAR3Z THUND3R 227 | H4rKy H4rK 228 | Hacked by BynaLab 229 | Hacked By C3NGKR3z 230 | Hacked by futo 231 | hackedbykoko 232 | HACKED BY OPIO 233 | Hackery Tm. 234 | Hacklilc 235 | Hadila 236 | HARDC0D3R 237 | hardc0d3r 238 | hgillck2014 239 | HijaIyh 240 | Hitman 241 | Hot-UK-> 242 | iamcoke.boi 243 | iDiot's 244 | imanhalal 245 | IMANHALAL 246 | IndoXploit 247 | Indramayu CyBer 248 | \\ ISI PESAN // 249 | IzlAden BenGazi 250 | JBoy® 251 | jdpoweredx 252 | [+] J E A N [+] 253 | JOkEr7 254 | JSARZ 255 | @Kako1336 256 | KamenKun Coder 257 | -Kareem- 258 | KaSha 259 | keith.luis 260 | keithmoraga20 261 | KinGz 262 | KRIS WOY 263 | KTS team 264 | L0 JuaL gu4 B3li 265 | L33bo phishers 266 | L34K.C0de 267 | Last Kvng 268 | Limitless 269 | LINGCHI 270 | Lord PoPpA 271 | Lvrd 272 | M0D1F1ED 3Y S194R 273 | Maded By Legendary 274 | MADEMEN CYBER TEAM 275 | =-> MADMAN <= 276 | ?Mafiousia? 277 | MaguZCoder 278 | MAJNOONJREMA 279 | Malo-Baba 280 | MaLo-BabA 281 | man4ever 282 | Mangawang10 283 | M a n i A k a R i s k 284 | MaurJoline 2019 285 | Mcavy 286 | Mckuzinno 287 | MerLin 288 | Modsrule 289 | Moka 290 | momoh0003 291 | :Mon3y 292 | MONSTRONIX 293 | MonStroNix 294 | Mr-Anobs 295 | MR AT888 296 | mrbesfort 297 | MR DUDU 298 | MrGhost 299 | mr.hosam 300 | Mr.K4w4! 
301 | *MR?LT•MRC404* 302 | Mr-Sace 303 | Mr.Undetected 304 | Mr-Unknown 305 | MrWeeBee 306 | Mrx Joker 307 | N1xon 308 | N1Y3R0 309 | New redirect Thor: 310 | Ngecek Saja 311 | +nJoY+ 312 | NoBODY 313 | nOob-Assasin 314 | nOobAssas!n 315 | Noob Assassin 316 | Notify HackeD NOOBS 317 | Nourblog1 318 | Nzube Post 319 | Oakvillee 320 | ODIN LIF3 321 | oluxshop 322 | Onye Mpa X 323 | OPETE WIRE 324 | OReo0o 325 | OUTLAWZ 326 | || outlook don || 327 | Ownedby|v!nc3 328 | PaperBoy® 329 | *Pinky* 330 | Pira17dz 331 | [PP V LITE] 332 | PremierGhost 333 | Prince Du Scam 334 | Priv8 Mailer 335 | PYR3X 336 | - RAZ - 337 | RBC LOGIN 338 | rbcResults 339 | rboxx16 340 | ReDeYeS$$$ 341 | RedFOx 342 | REDSON 343 | Reporte_G4lici4 344 | Rezult GSX 345 | RichEfe 346 | Ricko X Wolf 347 | =RiZoRT= 348 | Rr crack 349 | Saha Bouhmid 350 | Scofy 351 | Scripted by Machine 352 | Semngka2K18 353 | [SFR] 354 | sgreg1501 355 | SH33NZ0 356 | =Shadow= 357 | |shadow| 358 | SHANkS™ 359 | Shevi 360 | shutdown57 361 | sIaP_Team 362 | SiL3NT 363 | SINIX 364 | Sir D 365 | Sir ShOcKs 366 | Slackerc0de 367 | SLYUGOS 368 | SNIPNET 369 | Spaghy 370 | SPAIROW DA_VINCCI 371 | [SPAM] 372 | SpamLord00 373 | spf-masters-2 374 | Spox_dz 375 | STARBOY 376 | Sudah Isi Email Account 377 | swagkarn 378 | S.Wire 379 | SykRit 380 | SYPHER-PK 381 | Talal 382 | Techroins 383 | TeeJay NuNULogs 384 | TH3MRXYEAR 385 | THckingE TO GOD 386 | +[ The - Apprentice ]+ 387 | TheLords 388 | therez87bez 389 | Thuglife_Legend+ 390 | TIKTAK 2017 391 | Time Levelz 392 | Time-Thingz 393 | tin4.cole 394 | Tn Ph0enix 395 | TN-TN-Hackers 396 | Tornido 397 | UNCHEK YUDHA GANZ 398 | VINOX 399 | vinz.iDiots 400 | Virus-ma 401 | W3LL BOSS 402 | Walid Nabil 403 | WAY 2K20 404 | WeStGiRl 405 | Wolfost 406 | X1 Fullz 407 | XaMaNi 408 | xAthena 409 | X-Black Cat 410 | X-BlackCat 411 | Xclusiv-3D-Logs 412 | xDD+ 413 | X-GHOST MA 414 | | xLs | 415 | XM-HACK 416 | xMR.Salehx 417 | ~xrobotos 418 | xSanchx 419 | xSmayer 420 | X-SniPer 421 | _XSPTX 
422 | XSR.404 423 | xWaliGhost 424 | Xwanted - Rezlt 425 | xX Majid NEXI Xx 426 | xX SAISON Xx 427 | xxxcashout 428 | XXX-MJ 429 | xXx-SNIPER-xXx 430 | YAH-ALLAH 431 | Yasser Sa 432 | Yass ht 433 | YomZee 434 | YOUNG XA+MA+Ni 435 | yulio6166 436 | z0n51 437 | Zetas Oujdi 438 | ZOMRA Result 439 | Zooks Info 440 | ZUchiha 441 | Zіflаг 442 | #------------------------------------------------------------------------------------------------------------------------ 443 | -------------------------------------------------------------------------------- /tag_files/Phishing_Kit_URL_Indicators.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # The URLs in this tag file have been observed in phishing kits, or victimized by phishing kits. Detections should be 3 | # treated as suspicious and confirmed manually. When detections happen within this tag file and other tag files, 4 | # the weighted view should be seen as cause for investigation. 
5 | #------------------------------------------------------------------------------------------------------------------------ 6 | # Banking 7 | 53.com 8 | akessiefbehrporle.com 9 | alaskausa.org 10 | anz.com.au 11 | anz.co.nz 12 | anz.com 13 | bancogalicia.com.ar 14 | bankia.es 15 | banqueentreprise.bnpparibas 16 | banquepopulaire.fr 17 | bcpzonasegurabeta.viabcp.com 18 | bpergroup.net 19 | bper.it 20 | bdo.com.ph 21 | caisse-epargne.fr 22 | caixabank.es 23 | cic.fr 24 | citi.com 25 | commercebank.com 26 | connect.secure.wellsfargo.com 27 | cra-arc.gc.ca 28 | credicard.com.br 29 | credit-agricole.fr 30 | credit-card-information.elliottback.com 31 | creditmutuel.fr 32 | ebank.dibpak.com 33 | eldni.com 34 | equabank.cz 35 | fibank.bg 36 | group.bnpparibas 37 | hellobank.fr 38 | ibx.key.co 39 | ing.nl 40 | internet-banking.dbs.com.sg 41 | itau24horas.ml 42 | itau.com.br 43 | labanquepostale.fr 44 | leboncoin.fr 45 | login.regions.com 46 | mabanque.bnpparibas 47 | mabanqueprivee.bnpparibas 48 | moneyissues.ng 49 | mtb.com 50 | navyfederal.org 51 | nedbank.co.za 52 | nwolb.com 53 | online.adp.com 54 | onlinebanking.firstcaribbeanbank.com 55 | onlinebanking.pnc.com 56 | openknowledge.worldbank.org 57 | portal.pnb.com.ph 58 | parsian-bank.ir 59 | relaxbanking.it 60 | regions.com 61 | santander.com.br 62 | secure.alpha.gr 63 | sella.it 64 | standardbank.com.na 65 | squareup.com 66 | tescobank.com 67 | .ubs.com 68 | visaprepaidprocessing.com 69 | western-security.net 70 | wetransfer.com 71 | www13.bmo.com 72 | www.kh.hu 73 | # Credit Monitoring 74 | creditkarma.ca 75 | creditkarma.com 76 | econsumer.equifax.ca 77 | equifax.ca 78 | equifax.com 79 | equifaxcreditwatch.ca 80 | members.transunion.ca 81 | transunion.ca 82 | transunion.com 83 | # Costco Phishing Kits 84 | costco.ca 85 | costco.com 86 | costco.co.uk 87 | costcophotocenter.com 88 | costcotravel.ca 89 | costcotravel.co 90 | # Document Scams 91 | app.lawofficeneal.online 92 | app.nealrose-lawoffices.online 93 | 
files.lawoffice-nealroseberg.online 94 | files.lawofficesof-nealrose.online 95 | secured.lawfirmnearl.online 96 | secured.rosellawassocciates.online 97 | secure.lawoffices-of-neal.online 98 | secure.nealrose-lawofficerecords.online 99 | # Education 100 | adfs.lu.se 101 | correo.bl.fcen.uba.ar 102 | ident.univ-amu.fr 103 | luservicedesk.service-now.com 104 | mail.bl.fcen.uba.ar 105 | mail.ethz.ch 106 | nmail.unileoben.ac.at 107 | osu.edu 108 | webmail.lu.se 109 | webmail.unvime.edu.ar 110 | wmail.hines.hokudai.ac.jp 111 | # Government 112 | acq.osd.mil 113 | benefits.ides.illinois.gov 114 | cdph.ca.gov 115 | edd.ca.gov 116 | gov.uk 117 | health.mo.gov 118 | health.ny.gov 119 | idot.illinois.gov 120 | labor.maryland.gov 121 | labor.ny.gov 122 | mass.gov 123 | my.ny.gov 124 | nj.gov 125 | pua.benefits.uc.pa.gov 126 | recruiting.jcf.gov.jm 127 | ui-cares-act.mass.gov 128 | wisconsin.gov 129 | # ISPs and Tech Services 130 | accounts.login.idm.telekom.com 131 | ad.aruba.it 132 | akamaihd.net 133 | akamaized.net 134 | app-id=com.vzw.hss.myverizon 135 | bitrix24.com 136 | csolve.net 137 | deloitte.com 138 | deloitteresources.com 139 | ftcdn.net 140 | iinet.net.au 141 | kyivstar.net 142 | login.frontier.com 143 | login.t-online.de 144 | mega.bw 145 | mobile.de 146 | myhughesnet.com 147 | nexmo.com 148 | onetrust.com 149 | onlinehome.de 150 | optusnet.com.au 151 | orange.fr 152 | rackspace.com 153 | rackspacemail.com 154 | sailpoint.com 155 | seanet.com 156 | siteserve.jp 157 | socket.net 158 | spotify.com 159 | spark.co.nz 160 | static.licdn.com 161 | swisscom.ch 162 | t-online.de 163 | tatic-exp1.licdn.com 164 | tawk.to 165 | telekom.de 166 | tiqcdn.com 167 | tlh.ro 168 | weebly.com 169 | westnet.com.au 170 | wowway.net 171 | wvtc.com 172 | www.nutopia.com.au 173 | # Kit Functions 174 | 2no.co 175 | api.ipapi.com 176 | apilayer.net 177 | api.nichicodex.xyz 178 | api.npoint.io 179 | api.userstack.com 180 | bincodes.com 181 | binlist.net 182 | bins.pro 183 | bins.ribbon.co 
184 | cdnii.e-i.com 185 | ci4.googleusercontent.com 186 | ci5.googleusercontent.com 187 | cookiebot.com 188 | countryflags.io 189 | curl.haxx.se 190 | cutt.ly 191 | dancevida.com 192 | dclic-resolver.e-i.com 193 | dox2x.com 194 | evil-payment.com 195 | extreme-ip-lookup.com 196 | i.ibb.co 197 | ip2geo.com 198 | ipapi.co 199 | ip-api.com 200 | ip-api.org 201 | ip-geo.ru 202 | ipinfodb.com 203 | ipinfo.io 204 | iplocationtools.com 205 | ipqualityscore.com 206 | iptool.xyz 207 | ipwhois.app 208 | killbot.org 209 | likemyphp.com 210 | lookup.binlist.net 211 | me2mekrf.com 212 | mx-api.com 213 | nullrefer.com 214 | postimg.org 215 | proxy.mind-media.com 216 | remotemysql.com 217 | safebrowsing.googleapis.com 218 | site4now.net 219 | smtp.mailtrap.io 220 | trublcon.com 221 | upcloud.host 222 | xooimage.com 223 | yimg.com 224 | # Kit Markets and Advertising 225 | 7812w.pl 226 | 7jyewu.cn 227 | a2ztoolz.com 228 | anonymousfox.com 229 | buyshellsites.com 230 | cdnsw.com 231 | fudscript.com 232 | ghc.ru 233 | indoxploit.blogspot.co.id 234 | jerux.to 235 | kuzuluy.app 236 | l34kc0de.today 237 | leafmailer.pw 238 | Market0day.com 239 | marketx.bz 240 | orvx.pw 241 | priv8tool.club 242 | rst.void.ru 243 | s3curity.tn 244 | sh33nz0.com 245 | shem3a.com 246 | soundbible.com 247 | theseotools.net 248 | top4top.com 249 | top4top.io 250 | top4top.net 251 | topscript.xyz 252 | tpa.uma.ac.id 253 | ubhteam.org 254 | webtoolhub.com 255 | withoutshadow.org 256 | wos-linuxers.blogspot.com 257 | www.a-l-e-x-u-s.ru 258 | # Mail 259 | antispam.spg-llc.com 260 | arsmtp.com 261 | banglamail.com 262 | emailsrvr.com 263 | email.t-online.de 264 | gallery.mailchimp.com 265 | gandi.net 266 | groupmail.io 267 | inbound-2.mimecast.com 268 | itwconnect.com 269 | login.t-online.de 270 | mailanyone.net 271 | mailfence.com 272 | mail.herkules-polska.pl 273 | mail.mpi-cbg.de 274 | mail.ru 275 | mail.sina.com.cn 276 | msgsafe.io 277 | mtaroutes.com 278 | mtsmail.ca 279 | mxthunder.co 280 | 
parsons-peebles.com 281 | portail.free.fr 282 | ppe-hosted.com 283 | pphosted.com 284 | secureserver.net 285 | skynet.be 286 | verizon.yahoo.com 287 | wakwak.com 288 | webmail.canvas.ne.jp 289 | webmail.sda.it 290 | webmail.shaw.ca 291 | yandex.com 292 | yandex.ru 293 | ymail.com 294 | # Media 295 | 2m.ma 296 | comrise.ru 297 | # Postal Scams 298 | bancoposta.poste.it 299 | correos.cl 300 | epg.ae 301 | fedex.com 302 | postandparcel.info 303 | postepay.poste.it 304 | postoffice.co.uk 305 | royalclass.com.ar 306 | royalmail.com 307 | # Retail 308 | shopifycdn.com 309 | shopify.com 310 | etsy.com 311 | etsystatic.com 312 | # Social Media 313 | 126.com 314 | 163.com 315 | 163.goooo 316 | daum.net 317 | match.com 318 | naver.com 319 | ourtime.com 320 | sina.com 321 | static.xx.fbcdn.net 322 | wa.me 323 | # Spam Links Discovered in Kits 324 | clearmen.lienquan.garena.vn 325 | 1thang5.lienquan.garena.vn 326 | vida-lp.ch 327 | # Quiz / Survey Scams 328 | fsuxeua2yzwtgh.bar 329 | opgarwfw.hf28x.cn 330 | vxlwdyo.cn 331 | uzyivzf.cn 332 | # Miscellaneous 333 | 34.127.100.133 334 | acs4.3dsecure.no 335 | api.bestfriendstore.net 336 | bluehouselondon.com 337 | boyxd.com 338 | centraletermo.ro 339 | clubonerealtors.com 340 | d2papa.com 341 | etraxer.com 342 | firb.br 343 | forwallpaper.com 344 | hkelectric.com 345 | ikhbaljb.com 346 | ims.connectlar.org 347 | intuitcdn.net 348 | intuit.com 349 | linde.com 350 | jeann8.com 351 | maersk.com 352 | newlife.com 353 | o54eavgyktxh5wts.onion 354 | oijhgbfvergyt4res.appspot.com 355 | okinawa-grandmer.com 356 | oneprosec.com 357 | sgp.fas.org 358 | shopget24.com 359 | spKINGS.com 360 | stewart.com 361 | surveygizmo.com 362 | szatr.com 363 | tmd-sa.co.za 364 | tourdeindia.asia 365 | tsbdumbs.com 366 | vdsafvdfgfdhdgfh.cz 367 | zixcorp.com 368 | #------------------------------------------------------------------------------------------------------------------------ 369 | 
-------------------------------------------------------------------------------- /tag_files/quick_scan/Phishing_Quick_Scan_Indicators.tag: -------------------------------------------------------------------------------- 1 | #------------------------------------------------------------------------------------------------------------------------ 2 | # Quick Scan Indicators 3 | #------------------------------------------------------------------------------------------------------------------------ 4 | # The Quick Scan indicator tag list leverages the top tags (with at least 10 detections) found when scanning the phishing kits 5 | # collected in 2021. There were over 5,000 kits collected, and this list is sorted from highest to lowest. This tag file includes 6 | # elements of the generic, brand, author, URL, security, obfuscation, and Telegram indicator lists. Detections made from this 7 | # file should be investigated immediately. 8 | #------------------------------------------------------------------------------------------------------------------------ 9 | Microsoft 10 | dreamhost 11 | softlayer 12 | calyxinstitute 13 | cyveillance 14 | tor-exit 15 | geoplugin 16 | $blocked_words = array( 17 | gethostbyaddr($ip) 18 | $bannedIP 19 | ia_archiver 20 | Apple 21 | geoiptool 22 | Yahoo! 
Slurp 23 | yandex.com 24 | HTTrack 25 | Facebook 26 | urlredirectresolver 27 | apple.com 28 | p3pwgdsn 29 | Kraken 30 | mon.itor.us 31 | paypal.com 32 | safebrowsing-cache 33 | YahooSeeker 34 | PycURL 35 | blocker.php 36 | api.telegram.org 37 | live.com 38 | antibots 39 | saved from url 40 | PayPal 41 | ip-api.com 42 | | xLs | 43 | microsoftonline.com 44 | binlist.net 45 | document.write(unescape( 46 | ipinfo.io 47 | lookup.binlist.net 48 | mail.ru 49 | $a370a 50 | anti3 51 | $c5d6b 52 | anti4 53 | anti2 54 | anti1 55 | anti8 56 | anti7 57 | $a4ade 58 | extreme-ip-lookup.com 59 | anti5 60 | $c97e57ec 61 | $c28dd9c 62 | Chase 63 | anti6 64 | rand=13 65 | LinkedIn 66 | 13InboxLight 67 | WhatsApp 68 | sendMessage?chat_id= 69 | msauth.net 70 | American Express 71 | msftauth.net 72 | 2m.ma 73 | vultr 74 | googletagmanager 75 | 'chat_id'=> 76 | feedfetcher 77 | ipinfodb.com 78 | bell.net 79 | Rackspace 80 | iTunes 81 | id="formimage1" 82 | jpui 83 | ip2location 84 | Westnet 85 | Spectrum 86 | amazon.com 87 | bin2hex 88 | imgur 89 | ReZulT 90 | spyeyes 91 | Time Warner 92 | whoer 93 | Coded By x-Phisher 94 | theseotools.net 95 | logincdn.msauth.net 96 | yandex.ru 97 | tlh.ro 98 | Netflix 99 | akamaihd.net 100 | usps.com 101 | foreach ($Bot as $BotType) { 102 | AT&T 103 | Rezult 104 | ipqualityscore.com 105 | z0n51 106 | Wells Fargo 107 | 'chat_id' => 108 | Created by Priv8 109 | base64_decode($user) 110 | news- 111 | credit-agricole.fr 112 | $subject = "Card | $ip" 113 | $chat_id = ' 114 | $api_key = ' 115 | NETCRAFT 116 | $user_ids=array( 117 | Crédit Agricole 118 | Comcast 119 | icloud.com 120 | Alibaba 121 | upcloud.host 122 | kyivstar.net 123 | foreach ($bannedIP as $ip) { 124 | comrise.ru 125 | $chatId 126 | RACKSPACE 127 | PHP_URL_HOST 128 | Xfinity 129 | proxy.mind-media.com 130 | PHISHTANK 131 | GODADDY 132 | <3 USPS <3 133 | Citi 134 | $token = " 135 | FUDPAGES [.] 
RU 136 | JPMorgan Chase 137 | $botToken 138 | foreach ($blocked_words as $word) { 139 | yimg.com 140 | Vict!m Info 141 | 'chat_id' => ' 142 | att.net 143 | static.xx.fbcdn.net 144 | $chatId= 145 | .rand=13vqcr8bp0gud&lc=1033 146 | firebase- 147 | curl.haxx.se 148 | connect.secure.wellsfargo.com 149 | dhl.com 150 | firb.br 151 | aliexpress.com 152 | t-online.de 153 | Login Type Selection -- 154 | eval(base64_decode( 155 | aliyun.com 156 | static.licdn.com 157 | J9QGYobZy3jVIV1MEHXWlORmqxCeu8PW 158 | secureserver.net 159 | Spry.Widget. 160 | shopify.com 161 | ReSulT 162 | labanquepostale.fr 163 | bankofamerica.com 164 | 163.com 165 | Scripted by Machine 166 | accounts.login.idm.telekom.com 167 | telekom.de 168 | :Mon3y 169 | mtb.com 170 | 1688.com 171 | $domain 172 | devilscream 173 | otp2 174 | La Banque Postale 175 | CREDIT AGRICOLE 176 | CODE~SPIRIT 177 | $scamname 178 | WeTransfer 179 | Resultz 180 | ip-geo.ru 181 | countryflags.io 182 | att.com 183 | appleid.apple.com 184 | i.ibb.co 185 | $zabi 186 | USAA 187 | dancevida.com 188 | alibaba.com 189 | daum.net 190 | Xclusiv-3D-Logs 191 | orange.fr 192 | Bank of America 193 | Anonymous Cyber Team 194 | Zimbra 195 | tawk.to 196 | rezults 197 | iptool.xyz 198 | CrawlerDetect 199 | Synacor 200 | Jaybizzle 201 | HSBC 202 | $VictimInfo 203 | Telekom Deutschland 204 | ipapi.co 205 | godaddy.com 206 | rackspace.com 207 | id="ZLoginAppName" 208 | gov.uk 209 | DNThirTeen 210 | CIBC 211 | $tanitatikaram 212 | RezulT 213 | fudsender(dot)com 214 | dhl.de 215 | class="zLoginField" 216 | Alipay 217 | ymail.com 218 | =ReZulT= 219 | Mengunjungi 220 | alaskausa.org 221 | Alaska USA 222 | shellg2corecss 223 | Huntington 224 | eBay 225 | AliExpress 226 | oneprosec.com 227 | alicdn.com 228 | $email_result 229 | kirim = mail($emailku, $subjek, $pesan, $headers) 230 | ~xrobotos 231 | Xiami 232 | WYSIWYG Web Builder 233 | Umeng 234 | UCWeb 235 | tmall.com 236 | Taobao Marketplace 237 | ScAm Inf0 238 | otp1 239 | dingtalk.com 240 | by 
Cyborg99 241 | Autonavi 242 | AliTelecom 243 | Alimama 244 | Alibaba Group 245 | 1and1.com 246 | $yagmai 247 | YunOS 248 | TTPod 249 | Tmall 250 | taobao.com 251 | + LOGS + 252 | Juhuasuan 253 | bincodes.com 254 | Alitrip 255 | Alibaba Cloud Computing 256 | $config_translate 257 | $config_smtp 258 | $config_identity 259 | $config_filter 260 | $config_blocker 261 | $config_apikey 262 | $config_3dsecure 263 | yunos.com 264 | xiami.com 265 | umeng.com 266 | ttpod.com 267 | sina.com 268 | laiwang.com 269 | intl.alipay.com 270 | emailsrvr.com 271 | autonavi.com 272 | aliunicorn.com 273 | alitrip.com 274 | alimama.com 275 | alibabagroup.com 276 | tatic-exp1.licdn.com 277 | Spox_dz 278 | match.com 279 | BAN USER BY IP 280 | akamaized.net 281 | tiqcdn.com 282 | swisscom.ch 283 | ANTIBOTS DZEB 284 | 53.com 285 | $key = " 286 | $chat_id = " 287 | shopget24.com 288 | nullrefer.com 289 | login.t-online.de 290 | L34K.C0de 291 | iCloud 292 | Created by OVO-360 293 | By fSOCIETY 294 | antibot.pw 295 | $apiToken = " 296 | spectrum.net 297 | qsdq21sd5s4d4s1 298 | gandi.net 299 | acs4.3dsecure.no 300 | $METRI_TOKEN 301 | webtoolhub.com 302 | define("TELEGRAM_TOKEN" 303 | define("TELEGRAM_CHAT_ID" 304 | CrEaTeD bY BurHan 305 | BY rYan 306 | BNP Paribas 307 | $_SESSION['cntname'] 308 | ReferralSpamDetect 309 | Mcavy 310 | killbot.org 311 | HMRC 312 | ELGH03T 313 | Coinbase 314 | By Shaun 315 | By JoCk 316 | wa.me 317 | SH33NZ0 318 | optimum.net 319 | mabanque.bnpparibas 320 | ionos.de 321 | caixabank.es 322 | BOTeye v1.9 323 | $Txt_Rezlt 324 | $api = " 325 | webtop.webmail.optimum.net 326 | Ownedby|v!nc3 327 | mobile.de 328 | fucker.php 329 | firebasestorage.googleapis.com 330 | top4top.io 331 | orvx.pw 332 | onetrust.com 333 | |Ghost Rider| 334 | DBS iBanking 335 | xDD+ 336 | watch.spectrum.net 337 | Spotify 338 | Shopify 339 | Mr-Anobs 340 | lintex.png 341 | ip-api.org 342 | Dark-Attacker 343 | Created BY $PG Bon 344 | "chat_id= 345 | amazon.co.jp 346 | $keys = " 347 | $gobscate = " 
348 | wetransfer.com 349 | webmail.roadrunner.com 350 | TD Canada Trust 351 | Santander 352 | Reddit 353 | naver.com 354 | mtb LOGIN ! xDD+ 355 | ionos.com 356 | Halifax 357 | GOBE 358 | FedEx 359 | EL GH03T 360 | citi.com 361 | BY Mr S!CKICK 362 | BECU 363 | bancogalicia.com.ar 364 | 6LffMGcUAAAAACw-0oBJ13czW1dsl_0HbXbxEVUY 365 | 6LffMGcUAAAAABRJmPd1mUqhxUg7w5iktOIsbgMI 366 | $token =' 367 | $token = ' 368 | zeura.com 369 | vxlwdyo.cn 370 | uzyivzf.cn 371 | SLYUGOS 372 | Salesforce 373 | PHP Encode v1.0 by 374 | ourtime.com 375 | intuit.com 376 | fsuxeua2yzwtgh.bar 377 | Frontier 378 | CODED BY MIRCBOOT 379 | btinternet.com 380 | BANKIA 381 | amazon.fr 382 | 126.com 383 | xAthena 384 | webmail.earthlink.net 385 | online.adp.com 386 | ionos.es 387 | internet-banking.dbs.com.sg 388 | gallery.mailchimp.com 389 | eval(str_rot13(gzinflate(str_rot13(base64_decode( 390 | DBS Bank LTD. Co. 391 | currently.att.yahoo.com 392 | 19lnboxLight 393 | 16lnboxLight 394 | $tokenlink 395 | $telegrambot 396 | $chatid = " 397 | $api=" 398 | T-ONLINE.DE 399 | sailpoint.com 400 | nedbank.co.za 401 | ".md5(\'XCLAY\')." 402 | Fifth Third Bank 403 | fedex.com 404 | Created By ShellsHost 405 | billionairel0g3 406 | auth.centurylink.net 407 | ARDUINO_DAS 408 | $telegramchatid 409 | $bad_words = 410 | $Abuse_Filter 411 | X-SniPer 412 | skynet.be 413 | Optus 414 | ing.nl 415 | ci5.googleusercontent.com 416 | CHINA AUTO Logs 417 | bot" . $token . 
" 418 | antibot_wasChecked 419 | $Token=" 420 | $ip = getUserIPszz() 421 | verizon.yahoo.com 422 | SingleFile 423 | Secur!ty C0de 424 | San.tan'der Info 425 | rackspacemail.com 426 | okinawa-grandmer.com 427 | nwolb.com 428 | kerio_ 429 | CaiхaBank 430 | Built By HustleLogic 431 | $t = " 432 | $('#CardNumber').mask('0000 0000 0000 0000') 433 | Scotiabank 434 | oluxshop 435 | Mr.Undetected 436 | MetroBank RezultX 437 | METROBANK ACCOUNT 438 | localheartz.club 439 | >{keyword}< 440 | iplocationtools.com 441 | fopo.com.ar 442 | coinbase.com 443 | ci4.googleusercontent.com 444 | "chat_id"\t\t=> 445 | By METRI 446 | "bot_url"\t\t=> 447 | $soker=rand(0000000, 9999999) 448 | $sokera=rand(0000000, 9999999) 449 | $saker=md5($soker) 450 | $sakera=md5($sokera) 451 | $rine = sha1($rine) 452 | $rine=rand(000000, 9999999) 453 | -------------------------------------------------------------------------------- /kit_hunter_2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # coding: utf-8 3 | 4 | # Thanks to the users over at #python on Libera.Chat (formerly Freenode), for answering newbie questions. 5 | # Special thanks to the helpful people on Twitter and Discord, for code, kits to test, ideas, and general education in the space: 6 | # @nullcookies @dyngnosis @olihough86 @dave_daves @JCyberSec_ @n0p1shing @ANeilan @selenalarson @sysgoblin @PaulWebSec @BushidoToken @sjhilt @phage_nz 7 | # 8 | # 9 | # Version 2.6.5 10 | 11 | import os 12 | import time 13 | import gzip 14 | import zipfile 15 | import rarfile 16 | import tarfile 17 | import sys 18 | import argparse 19 | from collections import defaultdict 20 | from datetime import datetime 21 | 22 | # Set the path for tag file locations 23 | # Make sure you use a /full/path/to/the/files with a ending slash. 24 | # They can reside anywhere on your system. 
####################################################################################
# Placeholder locations of the tag directories. Replace each one with a full
# path ending in a slash before running a scan.
kh_shell_scan = '/path/to/shell_scan/'
kh_quick_scan = '/path/to/tag_files/quick_scan/'
kh_full_scan = '/path/to/tag_files/'

# Command-line interface. argparse also builds the help listing from these definitions.
####################################################################################
parser = argparse.ArgumentParser(description='Kit Hunter v2.6.5')
group = parser.add_mutually_exclusive_group()

# General options: these can be combined with each other and with one scan mode.
parser.add_argument(
    '-d', '--dir',
    type=str,
    help='Scan a custom directory. Usage: -d /full/path/to/files/',
)
for _short, _long, _help in (
    ('-l', '--line', 'Do not show matching lines when detections happen.'),
    ('-m', '--match', 'Do not show files and archives with zero matches.'),
):
    parser.add_argument(_short, _long, action='store_true', help=_help)

# Scan modes and detailed-help switches. They share one mutually exclusive
# group, so argparse rejects a command line that names more than one of them.
for _short, _long, _help in (
    ('-c', '--custom', 'A scan using custom detection tags.'),
    ('-q', '--quick', 'A quick scan using only the most basic detection tags.'),
    ('-s', '--shell', 'Scan for common shell scripts using basic detection tags.'),
    ('-hd', '--helpd', 'Detailed information on the -d switch in Kit Hunter.'),
    ('-hc', '--helpc', 'Detailed information on the -c switch in Kit Hunter.'),
    ('-hq', '--helpq', 'Detailed information on the -q switch in Kit Hunter.'),
    ('-hs', '--helps', 'Detailed information on the -s switch in Kit Hunter.'),
):
    group.add_argument(_short, _long, action='store_true', help=_help)

args = parser.parse_args()

# Custom directory scanning arguments.
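####################################################################################
# Resolve the directory to scan. With -d the named path must be an existing
# directory; without -d the current working directory is scanned.
# The test is "is not None" rather than truthiness so that an empty value
# (for example an unset shell variable passed as -d "$DIR") is reported as an
# error instead of silently scanning the current directory.
if args.dir is not None:
    scdir = args.dir
    if os.path.isdir(scdir):
        directory_path = scdir
    else:
        print("")
        print("Error: There was a problem with the [-d] command.\n")
        print("Common causes are:\n [1] You've left the directory selection blank.\n [2] The -d switch was not called last.\n [3] The directory you requested is not valid. \n\nPlease try again. \nThis script will now terminate.")
        print("")
        time.sleep(2)
        # Exit with a non-zero status so that a wrapper script or scheduled
        # job does not record an aborted scan as a clean one.
        sys.exit(1)
else:
    directory_path = os.getcwd()
####################################################################################


# Show matching lines or not? The default is to always show matching lines;
# -l turns them off.
####################################################################################
line_match = not args.line
####################################################################################


# Show archives and files that have zero matches, or not? The default is to
# show them; -m hides them.
####################################################################################
detect_zero_matches = not args.match
####################################################################################


# Tag source selection. Custom will require a tag file that is in the same directory as Kit Hunter.
# Quick scanning will need to be configured up top, and pointed to the directory where the quick scan tag folder resides.
# By default, once configured properly, the script will run in the current working directory, with full scan options.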
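####################################################################################
if args.custom:
    import glob
    # Build a real list of matches. A bare filter() object is always truthy
    # in Python 3, so an emptiness test on it can never fire.
    custom_tag_files = [p for p in glob.glob('./*.tag') if os.path.isfile(p)]
    if not custom_tag_files:
        print("No custom tag files found!\nYou need to make a custom .tag file in the same directory Kit Hunter is running from.\nSee Help for more details.\n")
        # Non-zero status: a scan that never ran must not look like a clean
        # scan to whatever launched it.
        sys.exit(1)
    # Custom mode reads its tags from the current working directory.
    kh_tag_path = os.getcwd()
elif args.quick:
    kh_tag_path = kh_quick_scan
elif args.shell:
    kh_tag_path = kh_shell_scan
else:
    kh_tag_path = kh_full_scan
####################################################################################


# Detailed help pages for the -d, -c, -q and -s switches.
####################################################################################
_HELP_RULE = "=================================================================="


def _show_switch_help(switch, body_lines):
    """Print the detailed help page for one switch, then exit with status 0.

    switch     -- the switch letter shown in the page title, e.g. "d"
    body_lines -- the page text, one string per output line
    """
    page = ["", "", _HELP_RULE, " Kit Hunter Help: Using the [-%s] switch " % switch, _HELP_RULE, ""]
    page.extend(body_lines)
    page.extend(["", _HELP_RULE, "", ""])
    print("\n".join(page))
    sys.exit()


if args.helpd:
    _show_switch_help("d", [
        "Kit Hunter is designed to be launched from within the directory you",
        "wish to scan. As such, it will scan the current working directory by",
        "default.",
        "",
        "The recommended search should start within the directory you wish to",
        "scan, or a directory above it. For website administrators, that means",
        "starting from /www/ or /public_html/, or a directory above.",
        "",
        "However, you can trigger a custom directory scan by using the -d switch.",
        "You need to make sure you /use/a/full/path/ and remember the trailing slash.",
        "",
        "Example: kit_hunter_2.py -mlqd /this/is/the/full/path/",
        "",
        "On error, the script will terminate with a message.",
        "",
        "Note: The -d switch must be called last followed by the directory. (See example)",
        "You can use -d along with the [-m] and/or [-l] switches, and one of the",
        "following: [-c], [-q], [-s].",
    ])

if args.helpc:
    _show_switch_help("c", [
        "Using the [-c] switch in Kit Hunter enables custom scanning. To use",
        "custom scanning, you will need to place a single .tag file in the same directory",
        "where Kit Hunter is running from. The script will then scan from this",
        "new tag file only, but otherwise operate as usual.",
        "",
        "This function will allow you to search for custom strings and other",
        "elements, no matter what they are. If the custom tags are constant",
        "indicators, then you might consider taking the custom .tag file and",
        "giving it a name, before saving it in the tag_files directory.",
        "",
        "Remember to avoid having any whitespace in the tag file, and to place",
        "each keyword on its own line. See existing .tag files as examples.",
        "",
        "You cannot use the [-c] switch with [-q] or [-s]",
    ])

if args.helpq:
    _show_switch_help("q", [
        "The [-q] switch in Kit Hunter activates the quick scan function, and",
        "enables a quick scan of the target directory. The quick scan uses a",
        "small tag file with basic, but very common phishing detections. It ",
        "won't find everything, but it will find many of the typical phishing kits",
        "that exist in the wild.",
        "",
        "Any detections made with quick scan should be immediately investigated,",
        "as the tags are all medium to high-confidence markers.",
        "",
        "You cannot use the [-q] switch with [-c] or [-s]",
    ])

if args.helps:
    _show_switch_help("s", [
        "The [-s] switch in Kit Hunter activates a special type of scanning.",
        "",
        "Calling this switch alone, or with the [-d] switch will enable you to",
        "scan for common shell scripts. Shell scripts are often packaged with",
        "phishing kits, or used to install phishing kits on webservers.",
        "",
        "The existence of a shell script on a webserver is a serious problem",
        "and should be investigated immediately.",
        "",
        "Usage: kit_hunter_2.py -s",
        "- or -",
        "Usage: kit_hunter_2.py -sd /this/is/the/full/path/",
        "",
        # The original page repeated the -c wording here; this page is about -s.
        "You cannot use the [-s] switch with [-c] or [-q]",
    ])

# Supported archive formats. This shouldn't be altered in any way.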
####################################################################################
supported_compressed_files_formats = [
    '.zip',
    '.tar.xz',
    '.rar',
    '.gz',
]

# File name endings that are opened and scanned. More can be added, such as .js.
# Matching is by name ending only, so a folder whose name ends the same way
# (i.e. /.js/) could cause the script to throw errors.
####################################################################################
supported_file_formats = [
    '.conf',
    '.txt',
    '.php',
    '.htm',
    '.html',
    '.dat',
    '.ini',
    '.xml',
    '.htaccess',
]

# Any number of tag files can be used. A file is picked up as a tag file only
# if its name ends with this extension.
# Tag files should have no whitespace or empty lines.
####################################################################################
tag_files_ext = '.tag'

# Report file name. To rename the report, change the Kit_Hunter_Report_ prefix
# and keep the timestamp and the .log ending.
####################################################################################
DateTime = datetime.now()
timestamp = DateTime.strftime("%Y-%b-%d-%H%M")
generated_report_file_name = 'Kit_Hunter_Report_' + timestamp + '.log'

# Files to leave out of the scan are listed below. Replace the example names
# and extension with your own. To exclude a single file, place its name
# between the [ ] like this: ['example.txt']
#
# Names that do not exist on disk are simply never matched.
# The names are resolved against the directory being scanned (see the
# os.path.join on directory_path below).
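####################################################################################
files_to_ignore_in_current_directory = ['example1.txt', 'example2.txt'] + [generated_report_file_name]
# Each name is joined to the scan directory. The scanner compares these full
# paths by exact string match, so an entry only excludes a file that sits at
# that path under directory_path.
files_to_ignore_in_current_directory = [os.path.join(directory_path, f) for f in files_to_ignore_in_current_directory]

# Start the clock.
####################################################################################
start_time = time.time()

##########################################
# DO NOT EDIT BELOW THIS LINE #
##########################################

# This is where all the tag files are collected
####################################################################################
def get_contents_of_tag_files(directory_path):
    """Load every tag file found directly inside directory_path.

    A tag file is any entry whose name ends with tag_files_ext. Files are read
    in binary mode, so each tag is a bytes object.

    Returns a dict mapping tag file name -> list of unique tags. The list
    order is not the order in the file, because duplicates are removed
    through a set.

    Comment and separator lines of a tag file are not filtered here and come
    back as tags. Empty lines are dropped: an empty tag carries no indicator
    and would presumably match every scanned line (the matching code is
    outside this section).
    """
    tag_files_content = dict()
    for entry in os.listdir(directory_path):
        if entry.endswith(tag_files_ext):
            file_path = os.path.join(directory_path, entry)
            # "with" closes the handle; the original left it open.
            with open(file_path, "rb") as handle:
                unique_tags = set(handle.read().splitlines())
            unique_tags.discard(b"")
            tag_files_content[entry] = list(unique_tags)

    return tag_files_content


def tag_files_reverse_lookup(tag_file_contents):
    """Invert the tag file mapping.

    tag_file_contents -- dict of tag file name -> list of tags
    Returns a dict of tag -> list of the tag file names that contain it.
    """
    reverse_lookup = {}
    for file_name, tags in tag_file_contents.items():
        for tag in tags:
            reverse_lookup.setdefault(tag, []).append(file_name)
    return reverse_lookup


# Returns the contents of folders only (no archives)
####################################################################################
def get_contents_of_folder_files(directory_path, supported_file_formats):
    """Read every supported file under directory_path, recursively.

    Returns (files_contents, errors):
      files_contents -- dict of folder path -> dict of file path -> list of
                        lines (bytes). Every walked folder gets an entry,
                        even when nothing in it was read.
      errors         -- list of {"identifier": file path, "exception": text}
                        for files that could not be read.

    Paths listed in files_to_ignore_in_current_directory are skipped.
    Only the file names reported by os.walk are considered, so a folder whose
    name ends like a supported format is no longer opened as a file and
    reported as an error.
    Each file is read into memory in full; there is no size limit here.
    """
    wanted_suffixes = tuple(supported_file_formats)
    files_contents = dict()
    errors = []
    for folder_path, _, file_names in os.walk(directory_path):
        files_contents[folder_path] = dict()
        for file_name in file_names:
            if not file_name.endswith(wanted_suffixes):
                continue
            file_path = os.path.join(folder_path, file_name)
            if file_path in files_to_ignore_in_current_directory:
                continue
            try:
                with open(file_path, "rb") as handle:
                    files_contents[folder_path][file_path] = handle.read().splitlines()
            except Exception as e:
                # Unreadable files are recorded, not fatal, so one bad file
                # does not stop the scan.
                errors.append({"identifier": file_path, "exception": str(e)})

    return files_contents, errors


# Returns a list of compressed files
####################################################################################
def get_compressed_files(directory_path, supported_compressed_files_formats):
    """Return the paths of all archives under directory_path, recursively.

    An archive is a file whose name ends with one of
    supported_compressed_files_formats. Selection is by name only; the file
    content is not inspected here.
    """
    archive_suffixes = tuple(supported_compressed_files_formats)
    files = []
    for folder_path, _, file_names in os.walk(directory_path):
        for file_name in file_names:
            if file_name.endswith(archive_suffixes):
                files.append(os.path.join(folder_path, file_name))

    return files


# Returns the type of compressed file
####################################################################################
def get_compressed_file_type(file_name, supported_compressed_files_formats):
    """Return the first supported format that file_name ends with, else None."""
    for supported_format in supported_compressed_files_formats:
        if file_name.endswith(supported_format):
            return supported_format
    # The original returned the undefined name "Nonearchive", which raised
    # NameError whenever no format matched.
    return None


# Returns if a file is of a supported format
####################################################################################
def file_is_supported(file_name, supported_file_formats):
    """Return True if file_name ends with any of supported_file_formats."""
    return file_name.endswith(tuple(supported_file_formats))


# Returns contents of ZIP files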
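####################################################################################
def get_contents_of_zip_file(directory_path, filename, supported_file_formats):
    """Read the supported members of a ZIP archive without extracting to disk.

    Args:
        directory_path: folder used as the base for ``filename``.
        filename: archive name/path, joined onto ``directory_path``.
        supported_file_formats: suffixes a member name must end with to be read.

    Returns:
        dict mapping member name (as stored in the archive) -> list of lines (bytes).

    Errors raised by ``zipfile`` (corrupt or encrypted archive) propagate to the caller.
    """
    file_path = os.path.join(directory_path, filename)

    files_contents = dict()
    # Context managers close the archive and each member even when a read fails.
    with zipfile.ZipFile(file_path) as zf:
        for file_info in zf.infolist():
            file_name = file_info.filename
            if not file_is_supported(file_name, supported_file_formats):
                continue
            # NOTE(review): the archive is untrusted input and the member is
            # decompressed fully into memory; a small archive can expand to a
            # very large payload. Consider checking file_info.file_size against
            # a limit before reading.
            with zf.open(file_info) as ifile:
                files_contents[file_name] = ifile.read().splitlines()

    return files_contents


# Returns contents of RAR files
####################################################################################
def get_contents_of_rar_file(directory_path, filename, supported_file_formats):
    """Read the supported members of a RAR archive without extracting to disk.

    Same contract as get_contents_of_zip_file, using ``rarfile.RarFile``.
    Errors raised by ``rarfile`` propagate to the caller.
    """
    file_path = os.path.join(directory_path, filename)

    files_contents = dict()
    with rarfile.RarFile(file_path) as rf:
        for file_info in rf.infolist():
            file_name = file_info.filename
            if not file_is_supported(file_name, supported_file_formats):
                continue
            # NOTE(review): untrusted archive, member read fully into memory
            # with no size limit (see get_contents_of_zip_file).
            with rf.open(file_info) as ifile:
                files_contents[file_name] = ifile.read().splitlines()

    return files_contents


# Returns contents of TAR files
####################################################################################
def get_contents_of_tar_file(directory_path, filename, supported_file_formats):
    """Read the supported members of a TAR archive without extracting to disk.

    The archive is opened with mode "r". Members for which ``extractfile``
    returns nothing are skipped.

    Returns:
        dict mapping member name -> list of lines (bytes).
    """
    file_path = os.path.join(directory_path, filename)

    files_contents = dict()
    with tarfile.open(file_path, "r") as tf:
        for file_name in tf.getnames():
            # Filter on the name first so unsupported members are never opened.
            if not file_is_supported(file_name, supported_file_formats):
                continue
            member = tf.extractfile(file_name)
            if member:
                # NOTE(review): untrusted archive, member read fully into
                # memory with no size limit (see get_contents_of_zip_file).
                with member:
                    files_contents[file_name] = member.read().splitlines()

    return files_contents


# Returns contents of GZ files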
#################################################################################### 393 | def get_contents_of_gzip_file(directory_path, filename, supported_file_formats): 394 | file_path = os.path.join(directory_path, filename) 395 | tf = tarfile.open(file_path, "r:gz") 396 | 397 | files_contents = dict() 398 | for file_name in tf.getnames(): 399 | f = tf.extractfile(file_name) 400 | if f: 401 | if file_is_supported(file_name, supported_file_formats): 402 | file_contents = f.read().splitlines() 403 | files_contents[file_name] = file_contents 404 | 405 | return files_contents 406 | 407 | # During testing, there were instances where the script failed, and reported the archive as corrupt. 408 | # In these insteances, manual inspection is required. The traceback will alert to the archive name and location. 409 | #################################################################################### 410 | def get_content_of_compressed_file(directory_path, filename, compression_format): 411 | 412 | file_contents = None 413 | 414 | if compression_format == '.zip': 415 | file_contents = get_contents_of_zip_file(directory_path, filename, supported_file_formats) 416 | 417 | elif compression_format == '.tar.xz': 418 | file_contents = get_contents_of_tar_file(directory_path, filename, supported_file_formats) 419 | 420 | elif compression_format == '.rar': 421 | file_contents = get_contents_of_rar_file(directory_path, filename, supported_file_formats) 422 | 423 | elif compression_format == '.gz': 424 | file_contents = get_contents_of_gzip_file(directory_path, filename, supported_file_formats) 425 | 426 | else: 427 | raise("Unsupported Format") 428 | 429 | return file_contents 430 | 431 | 432 | # Searches for tag file strings in files 433 | #################################################################################### 434 | def search_tag_strings(file_contents, tag_file_contents): 435 | 436 | found_files, found_tags, found_lines = [], [], [] 437 | found_files_dict = {} 438 | 
for tag_file in tag_file_contents.keys(): 439 | for tag in tag_file_contents[tag_file]: 440 | for file_name in file_contents.keys(): 441 | if file_is_supported(file_name, supported_file_formats): 442 | for line in file_contents[file_name]: 443 | if tag in line: 444 | found_files.append(file_name) 445 | found_tags.append(tag) 446 | found_lines.append(line) 447 | 448 | if not found_files_dict.get(file_name): 449 | found_files_dict[file_name] = {} 450 | 451 | if not found_files_dict.get(file_name, {}).get(tag): 452 | found_files_dict[file_name][tag] = [] 453 | found_files_dict[file_name][tag].append(line) 454 | 455 | return list(sorted(set(found_files))), list(sorted(set(found_tags))), list(sorted(set(found_lines))), found_files_dict 456 | 457 | 458 | # Report Generation 459 | #################################################################################### 460 | def create_report(directory_path, filename, found_files, found_tags, found_lines, found_files_dict, tag_file_reverse_lookup, error=None): 461 | # Checking if we've got a folder or an archive 462 | is_folder = True if filename == '' else False 463 | file_type = 'Folder' if is_folder else 'Archive' 464 | 465 | dir_path = directory_path if is_folder else str(os.path.join(directory_path, filename)) 466 | 467 | report = [] 468 | 469 | if error: 470 | report.append('| ===============================================================================================\n') 471 | report.append('| Encountered the following errors:\n') 472 | report.append('|\n') 473 | report.append(f"| {error['identifier']} - {str(error['exception'])}\n") 474 | report.append('|\n') 475 | 476 | # Find something or nah? 
477 | #################################################################################### 478 | if detect_zero_matches is not True: 479 | if len(found_files) == len(found_tags) == len(found_lines) == 0: 480 | return report 481 | 482 | else: 483 | if len(found_files) == len(found_tags) == len(found_lines) == 0: 484 | report.append('| ===============================================================================================\n') 485 | report.append('| ' + file_type + ' Scanned:\n') 486 | report.append('| \n') 487 | report.append('| ' + str(dir_path) + '\n') 488 | report.append('| \n') 489 | report.append('| ===============================================================================================\n') 490 | report.append('| No known phishing keywords were discovered in any file.\n\n\n\n\n\n') 491 | return report 492 | 493 | report.append('| ===============================================================================================\n') 494 | report.append('| ' + file_type + ' Scanned:\n') 495 | report.append('| \n') 496 | report.append('| ' + str(dir_path) + '\n') 497 | report.append('| \n') 498 | report.append('| ===============================================================================================\n') 499 | 500 | report.append('| The following files contain known phishing keywords:\n') 501 | report.append('| ===============================================================================================\n') 502 | report.append('|\n') 503 | for ff in found_files: 504 | report.append('| File: ' + "'" + str(ff) + "'" + '\n') 505 | 506 | # TAG MATCHING 507 | #################################################################################### 508 | found_tags_by_tag_file = {} 509 | for ft in found_tags: 510 | tag_file = tag_file_reverse_lookup.get(ft, ['not found'])[0] #a tag can exist in multiple files, here we just take the 1st file it appeared in. 
511 | if tag_file not in found_tags_by_tag_file: 512 | found_tags_by_tag_file[tag_file] = [] 513 | found_tags_by_tag_file[tag_file].append(ft) 514 | 515 | for tag_file, found_tags in found_tags_by_tag_file.items(): 516 | report.append('|\n') 517 | report.append('| ===============================================================================================\n') 518 | report.append(f'| The following tag file reported matches: {tag_file}\n') 519 | report.append('| ===============================================================================================\n') 520 | report.append('| \n') 521 | 522 | for ft in found_tags: 523 | report.append('| Tag: ' + str(ft)[1:200] + '\n') 524 | 525 | 526 | # LINE MATCHING 527 | #################################################################################### 528 | if line_match is not False: 529 | report.append('| \n') 530 | report.append('| ===============================================================================================\n') 531 | report.append('| The following lines contained the previously flagged phishing tags:\n') 532 | report.append('| ===============================================================================================\n') 533 | report.append('| \n') 534 | for fl in found_lines: 535 | report.append('| Line: '+ str(fl)[1:300] + '\n') 536 | report.append('| ===============================================================================================\n') 537 | else: 538 | report.append('| ===============================================================================================\n') 539 | 540 | report.append('\n\n\n\n\n') 541 | 542 | return report 543 | 544 | def write_report(overall_report): 545 | f = open(os.path.join(directory_path, generated_report_file_name), "w+") 546 | for report in overall_report: 547 | f.writelines(report) 548 | 549 | f.close() 550 | 551 | 552 | def process_files(directory_path, compressed_files, folder_files, folder_files_errors): 553 | print('Kit Hunter 
Starting...\n') 554 | print('') 555 | print('') 556 | 557 | overall_report = [] 558 | tag_file_contents = get_contents_of_tag_files(directory_path) 559 | errors = [] 560 | 561 | # The extra_tag_file_contents dictionary is initially None. 562 | # If the extra path we selected in the beginning is not None we get the content of the tag files of the kh_tag_path. 563 | # Next, we combine the tag_file_contents dictionary with the extra_tag_files_content. 564 | #################################################################################### 565 | if kh_tag_path is not None: 566 | extra_tag_file_contents = get_contents_of_tag_files(kh_tag_path) 567 | tag_file_contents.update(extra_tag_file_contents) 568 | 569 | tag_file_reverse_lookup = tag_files_reverse_lookup(tag_file_contents) 570 | 571 | 572 | # Processing files and folders 573 | #################################################################################### 574 | for folder in folder_files.keys(): 575 | print('Examining Folder:', folder) 576 | print('') 577 | folder_contents = folder_files[folder] 578 | error = None 579 | found_files = [] 580 | found_tags = [] 581 | found_lines = [] 582 | found_files_dict = {} 583 | 584 | try: 585 | found_files, found_tags, found_lines, found_files_dict = search_tag_strings(folder_contents, tag_file_contents) 586 | except Exception as e: 587 | error = {"dir" : directory_path, "identifier" : folder, "exception" : e} 588 | errors.append(error) 589 | 590 | report = create_report(folder, '', found_files, found_tags, found_lines, found_files_dict, tag_file_reverse_lookup, error) 591 | overall_report.append(report) 592 | 593 | # Processing Compressed Files 594 | #################################################################################### 595 | 596 | 597 | for compressed_file in compressed_files: 598 | filename = compressed_file 599 | print('Examining Archive:', filename) 600 | print('') 601 | compression_format = get_compressed_file_type(filename, 
supported_compressed_files_formats) 602 | file_contents = {} 603 | error = None 604 | try: 605 | file_contents = get_content_of_compressed_file(directory_path, filename, compression_format) 606 | except Exception as e: 607 | error = {"dir" : directory_path, "identifier" : filename, "compression_format" : compression_format, "exception" : e} 608 | errors.append(error) 609 | 610 | found_files, found_tags, found_lines, found_files_dict = search_tag_strings(file_contents, tag_file_contents) 611 | report = create_report(directory_path, filename, found_files, found_tags, found_lines, found_files_dict, tag_file_reverse_lookup, error) 612 | 613 | overall_report.append(report) 614 | 615 | if folder_files_errors: 616 | overall_report.append('| ===============================================================================================\n') 617 | overall_report.append('| Scan Error Report:\n') 618 | overall_report.append('| ===============================================================================================\n') 619 | overall_report.append('| The following errors occurred during processing:\n') 620 | overall_report.append('| ===============================================================================================\n') 621 | 622 | report = [] 623 | for error in folder_files_errors: 624 | report.append(f"| Error Location:\n") 625 | report.append(f"| {error['identifier']}\n") 626 | report.append('|\n') 627 | report.append(f"| Error Type:\n") 628 | report.append(f"| {str(error['exception'])}\n") 629 | report.append('| ===============================================================================================\n') 630 | overall_report.append(report) 631 | 632 | write_report(overall_report) 633 | 634 | print('=========================\n') 635 | print('Done! 
All file processing is complete.\n') 636 | print('=========================\n') 637 | 638 | if errors or folder_files_errors: 639 | total_errors = len(errors) + len(folder_files_errors) 640 | print('WARNING:\n') 641 | print(f'{total_errors} Errors were encountered during execution!\n') 642 | print('See', generated_report_file_name, 'for details.\n') 643 | print('=========================\n') 644 | 645 | end_time = time.time() #stop the clock. 646 | hours, rem = divmod(end_time-start_time, 3600) 647 | minutes, seconds = divmod(rem, 60) 648 | print("Kit Hunter processed all files in {:0>2}h : {:0>2}m : {:05.2f}s\n".format(int(hours),int(minutes),seconds)) 649 | 650 | print('=========================\n') 651 | print('The finished report is located at:\n') 652 | file_path = os.path.join(directory_path, generated_report_file_name) 653 | print("", file_path, '\n') 654 | print('=========================\n') 655 | 656 | compressed_files = get_compressed_files(directory_path, supported_compressed_files_formats) 657 | folder_files, errors = get_contents_of_folder_files(directory_path, supported_file_formats) 658 | process_files(directory_path, compressed_files, folder_files, errors) 659 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. 
By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. 
For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 
83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 
117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 
146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 
180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 
216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 
246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. 
If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 
309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 
336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 
360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. 
If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 
428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | <one line to give the program's name and a brief idea of what it does.> 635 | Copyright (C) <year> <name of author> 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see <https://www.gnu.org/licenses/>. 649 | 650 | Also add information on how to contact you by electronic and paper mail.
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | <program> Copyright (C) <year> <name of author> 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | <https://www.gnu.org/licenses/>. 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | <https://www.gnu.org/licenses/why-not-lgpl.html>. --------------------------------------------------------------------------------