Merge branch 'master' of gitlab.nbs-system.com:packages/php-malware-finder

author: Julien Voisin 2016-02-03 14:34:05 +0100
committer: Julien Voisin 2016-02-03 14:34:05 +0100
commit: a9c88dc4db86a5ff6a05fe50ceed9b7b16e6cd2a (patch)
tree: 1587024afb22a8192fb9091f798fcdd2f2c193d4
parent: 4d0a0dcfc783a58acdeb49b40c8a8621e1577e25 (diff)
parent: 5a8f30ff2f5b93793305e46015097d822d8846c6 (diff)
1 files changed, 48 insertions, 0 deletions
diff --git a/php-malware-finder/bad_php.yara b/php-malware-finder/bad_php.yara
new file mode 100644
index 0000000..e3bdb76
--- /dev/null
+++ b/php-malware-finder/bad_php.yara
@@ -0,0 +1,48 @@
+rule Sqli
+{
+    strings:
+        $mysql = /mysqli?_.*[[:space:]]*\(.*\$.*\)/
+        $pg = /pg_.*[[:space:]]*\(.*\$.*\)/
+        $sqlite = /sqlite_.*[[:space:]]*\(.*\$.*\)/
+    condition:
+        any of them
+}
+rule Xss
+{
+    strings:
+        $xss1 = /(echo|print(_r)?)([[:space:]]|\()+.*\$(_ENV|_GET|_POST|_COOKIE|_REQUEST|_SERVER|HTTP|http).*/
+    condition:
+        any of them
+}
+rule CodeExec
+{
+    strings:
+        $eval = /eval\s*\(\s*.\$.*\s*\)/
+        $file = /(readfile|fopen|file(_get_contents)?)\s*\(.\$.*\)/
+        $include = /(include|require)(_once)?\s*\(.*\$.*\)/
+        $system = /(system|shell_exec)([[:space:]]*\(|[[:space:]]+).*\)?/
+    condition:
+        any of them
+}
+rule Misc
+{
+    strings:
+        $header_splitting = /header\s*\(.*\$_(GET|POST|REQUEST|COOKIE).*\)/
+        $serialize = /unserialize\s*\(.*\)|unserialize_callback_func/
+    condition:
+        any of them
+}
+rule Infoleak
+{
+    strings:
+        $php = /php(info|credits|version|_logo_guid|_uname)\s*\(.*\)/
+        $zend = /zend(_logo_guid|_version)\s*\(.*\)/
+        $extensions = /get_loaded_extensions\s*\(.*\)/
+    condition:
+        any of them
+}
author	Julien Voisin	2016-02-03 14:34:05 +0100
committer	Julien Voisin	2016-02-03 14:34:05 +0100
commit	a9c88dc4db86a5ff6a05fe50ceed9b7b16e6cd2a (patch)
tree	1587024afb22a8192fb9091f798fcdd2f2c193d4
parent	4d0a0dcfc783a58acdeb49b40c8a8621e1577e25 (diff)
parent	5a8f30ff2f5b93793305e46015097d822d8846c6 (diff)

diff --git a/php-malware-finder/bad_php.yara b/php-malware-finder/bad_php.yara new file mode 100644 index 0000000..e3bdb76 --- /dev/null +++ b/php-malware-finder/bad_php.yara
@@ -0,0 +1,48 @@
	1	rule Sqli
	2	{
	3	strings:
	4	$mysql = /mysqli?_.[[:space:]]\(.\$.\)/
	5	$pg = /pg_.[[:space:]]\(.\$.\)/
	6	$sqlite = /sqlite_.[[:space:]]\(.\$.\)/
	7	condition:
	8	any of them
	9	}
	10
	11	rule Xss
	12	{
	13	strings:
	14	$xss1 = /(echo\|print(_r)?)([[:space:]]\|\()+.\$(_ENV\|_GET\|_POST\|_COOKIE\|_REQUEST\|_SERVER\|HTTP\|http)./
	15	condition:
	16	any of them
	17	}
	18
	19	rule CodeExec
	20	{
	21	strings:
	22	$eval = /eval\s\(\s.\$.\s\)/
	23	$file = /(readfile\|fopen\|file(_get_contents)?)\s\(.\$.\)/
	24	$include = /(include\|require)(_once)?\s\(.\$.*\)/
	25	$system = /(system\|shell_exec)([[:space:]]\(\|[[:space:]]+).\)?/
	26	condition:
	27	any of them
	28	}
	29
	30
	31	rule Misc
	32	{
	33	strings:
	34	$header_splitting = /header\s\(.\$_(GET\|POST\|REQUEST\|COOKIE).*\)/
	35	$serialize = /unserialize\s\(.\)\|unserialize_callback_func/
	36	condition:
	37	any of them
	38	}
	39
	40	rule Infoleak
	41	{
	42	strings:
	43	$php = /php(info\|credits\|version\|_logo_guid\|_uname)\s\(.\)/
	44	$zend = /zend(_logo_guid\|_version)\s\(.\)/
	45	$extensions = /get_loaded_extensions\s\(.\)/
	46	condition:
	47	any of them
	48	}