summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJulien "shaddai" Reveret2015-10-09 16:52:10 +0200
committerJulien "shaddai" Reveret2015-10-09 16:52:10 +0200
commit2a023bb2862d9df4987e241d95e8d646001bd7ba (patch)
treee8c4f3ac1ee0d0106969d8ff4ec8a46bf80f9c6c
parent68a104402875c5210b948e5b74c0fb25deba6979 (diff)
tested php-malware-finder against many webshells, completed the signature lists
Diffstat
-rw-r--r--debian/changelog8
-rw-r--r--php-malware-finder/malwares.yara13
2 files changed, 18 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index 2489d7a..64332b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
1nbs-phpmalwarefinder (0.2.0-1~deb##version+nbs20151009) wheezy; urgency=medium
2
3 * Now supports whitelist using yara hash function
4 * New detection rules added (tested against
5 https://github.com/tennc/webshell malware collection)
6
7 -- jre <jre@nbs-system.com> Fri, 09 Oct 2015 14:58:45 +0200
8
1nbs-phpmalwarefinder (0.1.1-1~deb##version+nbs20150428) wheezy; urgency=medium 9nbs-phpmalwarefinder (0.1.1-1~deb##version+nbs20150428) wheezy; urgency=medium
2 10
3 * new dependecy on util-linux since the script is using ionice 11 * new dependecy on util-linux since the script is using ionice
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index c3664f0..3bc15c2 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -15,6 +15,7 @@ include "whitelist.yara"
15 - http://sysadmin.cyklodev.com/online-php-obfuscator/ 15 - http://sysadmin.cyklodev.com/online-php-obfuscator/
16 - http://mohssen.org/SpinObf.php 16 - http://mohssen.org/SpinObf.php
17 - https://code.google.com/p/carbylamine/ 17 - https://code.google.com/p/carbylamine/
18 - https://github.com/tennc/webshell
18*/ 19*/
19 20
20global private rule IsPhp 21global private rule IsPhp
@@ -57,11 +58,13 @@ rule ObfuscatedPhp
57{ 58{
58 strings: 59 strings:
59 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy 60 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
61 $b374k = /'ev'\.'al'/
60 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k 62 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
61 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/ 63 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
62 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher 64 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
63 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html 65 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
64 $strange_arg = /\${\$[0-9a-zA-z]+}/ 66 $strange_arg = /\${\$[0-9a-zA-z]+}/
67 $too_many_chr = /(chr\([\d]+\)\.){2,}?/
65 condition: 68 condition:
66 any of them and not IsWhitelisted 69 any of them and not IsWhitelisted
67} 70}
@@ -99,17 +102,19 @@ rule SuspiciousEncoding
99rule DodgyPhp 102rule DodgyPhp
100{ 103{
101 strings: 104 strings:
102 $vars = /\$___+/ // $__ is rarely used in legitimate scripts 105 $vars = /\$__+/ // $__ is rarely used in legitimate scripts
103 $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/ 106 $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)*?\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
104 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/ 107 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
105 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ 108 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
106 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/ 109 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
107 $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/ 110 $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir)['"]\)/
108 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec 111 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
109 $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php 112 $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/ // http://php.net/manual/en/function.preg-replace.php
110 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes 113 $include = /include\([^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
111 $htaccess = "SetHandler application/x-httpd-php" 114 $htaccess = "SetHandler application/x-httpd-php"
112 $udp_dos = /sockopen\s*\(['"]udp:\/\// 115 $udp_dos = /sockopen\s*\(['"]udp:\/\//
116 $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
117 $iis_com = /IIS:\/\/localhost\/w3svc/
113 118
114 condition: 119 condition:
115 (any of them or CloudFlareBypass) and not IsWhitelisted 120 (any of them or CloudFlareBypass) and not IsWhitelisted
@@ -218,6 +223,8 @@ rule Websites
218 $ = "www.fopo.com.ar" /* Free Online Php Obfuscator */ 223 $ = "www.fopo.com.ar" /* Free Online Php Obfuscator */
219 $ = "ccteam.ru" 224 $ = "ccteam.ru"
220 $ = "locus7s.com" 225 $ = "locus7s.com"
226 $ = "b374k"
227 $ = "www.egyspider.eu"
221 228
222 condition: 229 condition:
223 any of them and not IsWhitelisted 230 any of them and not IsWhitelisted