Mohsen Davari parsibox

## ws-cli.php
<?php
/*
	based on: http://stackoverflow.com/questions/7160899/websocket-client-in-php/16608429#16608429
	FIRST EXEC PYTHON SCRIPT TO GET HEADERS
*/

$ws = new ws(array
(
	'host' => '127.0.0.1',
	'port' => 8080,

## gce_ip_ranges.log
8.34.208.0/20
8.35.192.0/21
8.35.200.0/23
23.236.48.0/20
23.251.128.0/19
35.184.0.0/14
35.188.0.0/15
35.190.0.0/17
35.190.128.0/18
35.190.192.0/19

## http.php
<?php

// command line
// curl --data "text=foobar" http://localhost:3001/api/decrypt

// File sockets
function http_request($url, $data, $a = null, $b = null) {
  $opts = array('http' =>
      array(
          'method'  => 'POST',

## nginx-security-rules.conf
        location ~* "(eval\()"  { deny all; }
        location ~* "(127\.0\.0\.1)"  { deny all; }
        location ~* "([a-z0-9]{2000})"  { deny all; }
        location ~* "(javascript\:)(.*)(\;)"  { deny all; }
        location ~* "(base64_encode)(.*)(\()"  { deny all; }
        location ~* "(GLOBALS|REQUEST)(=|\[|%)"  { deny all; }
        location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
        location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
        location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
        location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }

## index.html
<!DOCTYPE html>
<html lang="en">

<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Document</title>
</head>

<body>

## centos 7 after install ( php setting & firewall setting )
sudo -i
sudo yum -y update
sudo yum -y install epel-release
sudo yum install -y  https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y  fio ioping nload psmisc wget htop nano iftop telnet net-tools  mlocate mtr  yum-utils sysstat zip unzip  traceroute tcptraceroute tcpdump bind-utils  ftp.x86_64  policycoreutils-python

sudo sed -i -e 's/10/2/g' /etc/cron.d/sysstat

sudo echo "DefaultLimitNOFILE=1024000" >> /etc/systemd/system.conf
sudo echo "DefaultLimitNOFILE=1024000" >>  /etc/systemd/user.conf

## analyze_nginx_access_logs.sh
#!/bin/bash

# variables
LOGFILE="/var/log/nginx/access.log"
LOGFILE_GZ="/var/log/nginx/access.log.*"
RESPONSE_CODE="200"

# functions
filters(){
grep $RESPONSE_CODE \

## phpWordCountWords.php
<?php

require 'vendor/autoload.php';

$source = 'example.docx';

$phpword = \PhpOffice\PhpWord\IOFactory::load($source);

$sections = $phpword->getSections();

## IOCs_PHP_Ransomware
Server List
kominki.szczecin[.]pl
rcproracing[.]com
xn--80aaumty[.]xn--p1ai
www.proleite[.]com.pt
northernhydro.co[.]uk

Param
/counter/index.php?log=

## protect.conf
        location ~* "(eval\()"  { deny all; }
        location ~* "(127\.0\.0\.1)"  { deny all; }
        location ~* "([a-z0-9]{2000})"  { deny all; }
        location ~* "(javascript\:)(.*)(\;)"  { deny all; }
        location ~* "(base64_encode)(.*)(\()"  { deny all; }
        location ~* "(GLOBALS|REQUEST)(=|\[|%)"  { deny all; }
        location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
        location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; }
        location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
        location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
	<?php
	/*
	based on: http://stackoverflow.com/questions/7160899/websocket-client-in-php/16608429#16608429
	FIRST EXEC PYTHON SCRIPT TO GET HEADERS
	*/

	$ws = new ws(array
	(
	'host' => '127.0.0.1',
	'port' => 8080,
	8.34.208.0/20
	8.35.192.0/21
	8.35.200.0/23
	23.236.48.0/20
	23.251.128.0/19
	35.184.0.0/14
	35.188.0.0/15
	35.190.0.0/17
	35.190.128.0/18
	35.190.192.0/19
	<?php

	// command line
	// curl --data "text=foobar" http://localhost:3001/api/decrypt

	// File sockets
	function http_request($url, $data, $a = null, $b = null) {
	$opts = array('http' =>
	array(
	'method' => 'POST',
	location ~* "(eval\()" { deny all; }
	location ~* "(127\.0\.0\.1)" { deny all; }
	location ~* "([a-z0-9]{2000})" { deny all; }
	location ~* "(javascript\:)(.*)(\;)" { deny all; }
	location ~* "(base64_encode)(.*)(\()" { deny all; }
	location ~* "(GLOBALS\|REQUEST)(=\|\[\|%)" { deny all; }
	location ~* "(<\|%3C).script.(>\|%3)" { deny all; }
	location ~ "(\\\|\.\.\.\|\.\./\|~\|`\|<\|>\|\\|)" { deny all; }
	location ~* "(boot\.ini\|etc/passwd\|self/environ)" { deny all; }
	location ~* "(thumbs?(_editor\|open)?\|tim(thumb)?)\.php" { deny all; }
	<!DOCTYPE html>
	<html lang="en">

	<head>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<title>Document</title>
	</head>

	<body>
	sudo -i
	sudo yum -y update
	sudo yum -y install epel-release
	sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
	sudo yum install -y fio ioping nload psmisc wget htop nano iftop telnet net-tools mlocate mtr yum-utils sysstat zip unzip traceroute tcptraceroute tcpdump bind-utils ftp.x86_64 policycoreutils-python

	sudo sed -i -e 's/10/2/g' /etc/cron.d/sysstat

	sudo echo "DefaultLimitNOFILE=1024000" >> /etc/systemd/system.conf
	sudo echo "DefaultLimitNOFILE=1024000" >> /etc/systemd/user.conf
	#!/bin/bash

	# variables
	LOGFILE="/var/log/nginx/access.log"
	LOGFILE_GZ="/var/log/nginx/access.log.*"
	RESPONSE_CODE="200"

	# functions
	filters(){
	grep $RESPONSE_CODE \
	<?php

	require 'vendor/autoload.php';

	$source = 'example.docx';

	$phpword = \PhpOffice\PhpWord\IOFactory::load($source);

	$sections = $phpword->getSections();
	Server List
	kominki.szczecin[.]pl
	rcproracing[.]com
	xn--80aaumty[.]xn--p1ai
	www.proleite[.]com.pt
	northernhydro.co[.]uk

	Param
	/counter/index.php?log=