Did you know that php functions aren't case-sensitive ?

author: Julien (jvoisin) Voisin 2016-02-26 11:53:40 +0100
committer: Julien (jvoisin) Voisin 2016-02-26 11:53:40 +0100
commit: 1c7deb02ca805a28d6485f76e44ee0b7fe6f31d4 (patch)
tree: ea40081896eb3ba0c5e1fe0c3a5324b295941c08
parent: d6d411e5143adcc2e7ef9d18903fa6429982b719 (diff)
1 files changed, 55 insertions, 53 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index a326ef3..81de9e5 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
    strings:
-        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\s*\(/  // ;eval( <- this is dodgy
+        $eval = /(<\?php|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\s*\(/ nocase  // ;eval( <- this is dodgy
        $b374k = "'ev'.'al'"
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
@@ -108,16 +108,16 @@ rule DodgyPhp
        $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
        $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
        $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
+        $execution = /(eval|assert|passthru|exec|include|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
        $htaccess = "SetHandler application/x-httpd-php"
        $iis_com = /IIS:\/\/localhost\/w3svc/
        $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
-        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/
+        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
-        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(\s*['"]\/[^\/]*\/e/  // http://php.net/manual/en/function.preg-replace.php
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(\s*['"]\/[^\/]*\/e/  nocase // http://php.net/manual/en/function.preg-replace.php
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
        $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\//
-        $user_function = /(call_user_func|create_function)/
+        $user_function = /(call_user_func|create_function)/ nocase
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
    condition:
@@ -127,56 +127,56 @@ rule DodgyPhp
 rule DangerousPhp
 {
    strings:
-        $system = "system" fullword  // localroot bruteforcers have a lot of this
+        $system = "system" fullword nocase  // localroot bruteforcers have a lot of this
-        $ = "array_filter" fullword
+        $ = "array_filter" fullword nocase
-        $ = "assert" fullword
+        $ = "assert" fullword nocase
-        $ = "backticks" fullword
+        $ = "backticks" fullword nocase
-        $ = "call_user_func" fullword
+        $ = "call_user_func" fullword nocase
-        $ = "eval" fullword
+        $ = "eval" fullword nocase
-        $ = "exec" fullword
+        $ = "exec" fullword nocase
-        $ = "fpassthru" fullword
+        $ = "fpassthru" fullword nocase
-        $ = "fsockopen" fullword
+        $ = "fsockopen" fullword nocase
-        $ = "function_exists" fullword
+        $ = "function_exists" fullword nocase
-        $ = "getmygid" fullword
+        $ = "getmygid" fullword nocase
-        $ = "shmop_open" fullword
+        $ = "shmop_open" fullword nocase
-        $ = "mb_ereg_replace_callback" fullword
+        $ = "mb_ereg_replace_callback" fullword nocase
-        $ = "passthru" fullword
+        $ = "passthru" fullword nocase
-        $ = "pcntl_exec" fullword
+        $ = "pcntl_exec" fullword nocase
-        $ = "pcntl_fork" fullword
+        $ = "pcntl_fork" fullword nocase
-        $ = "php_uname" fullword
+        $ = "php_uname" fullword nocase
-        $ = "phpinfo" fullword
+        $ = "phpinfo" fullword nocase
-        $ = "posix_geteuid" fullword
+        $ = "posix_geteuid" fullword nocase
-        $ = "posix_getgid" fullword
+        $ = "posix_getgid" fullword nocase
-        $ = "posix_getpgid" fullword
+        $ = "posix_getpgid" fullword nocase
-        $ = "posix_getppid" fullword
+        $ = "posix_getppid" fullword nocase
-        $ = "posix_getpwnam" fullword
+        $ = "posix_getpwnam" fullword nocase
-        $ = "posix_getpwuid" fullword
+        $ = "posix_getpwuid" fullword nocase
-        $ = "posix_getsid" fullword
+        $ = "posix_getsid" fullword nocase
-        $ = "posix_getuid" fullword
+        $ = "posix_getuid" fullword nocase
-        $ = "posix_kill" fullword
+        $ = "posix_kill" fullword nocase
-        $ = "posix_setegid" fullword
+        $ = "posix_setegid" fullword nocase
-        $ = "posix_seteuid" fullword
+        $ = "posix_seteuid" fullword nocase
-        $ = "posix_setgid" fullword
+        $ = "posix_setgid" fullword nocase
-        $ = "posix_setpgid" fullword
+        $ = "posix_setpgid" fullword nocase
-        $ = "posix_setsid" fullword
+        $ = "posix_setsid" fullword nocase
-        $ = "posix_setsid" fullword
+        $ = "posix_setsid" fullword nocase
-        $ = "posix_setuid" fullword
+        $ = "posix_setuid" fullword nocase
        $ = "preg_replace_callback" fullword
-        $ = "proc_open" fullword
+        $ = "proc_open" fullword nocase
-        $ = "register_shutdown_function" fullword
+        $ = "register_shutdown_function" fullword nocase
-        $ = "register_tick_function" fullword
+        $ = "register_tick_function" fullword nocase
-        $ = "shell_exec" fullword
+        $ = "shell_exec" fullword nocase
-        $ = "shm_open" fullword
+        $ = "shm_open" fullword nocase
-        $ = "show_source" fullword
+        $ = "show_source" fullword nocase
-        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
-        $ = "stream_socket_pair"
+        $ = "stream_socket_pair" nocase
-        $ = "win32_create_service" fullword
+        $ = "win32_create_service" fullword nocase
-        $ = "win_shell_execute" fullword
+        $ = "win_shell_execute" fullword nocase
-        $ = "xmlrpc_decode" fullword
+        $ = "xmlrpc_decode" fullword nocase nocase
        $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
-        $whitelist = /escapeshellcmd|escapeshellarg/
+        $whitelist = /escapeshellcmd|escapeshellarg/ nocase
    condition:
        not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
@@ -205,7 +205,7 @@ rule DodgyStrings
        $ = "backdoor" fullword nocase
        $ = /(c99|r57|fx29)shell/
        $ = "cmd.exe" fullword nocase
-        $ = "defaced" fullword nocase
+        $ = /defac(ed|er|ement|ing)/ fullword nocase
        $ = "evilc0ders" fullword nocase
        $ = "exploit" fullword nocase
        $ = "find . -type f" fullword
@@ -224,12 +224,14 @@ rule DodgyStrings
        $ = "rootkit" fullword nocase
        $ = "slowloris" fullword nocase
        $ = "suhosin.executor.func.blacklist"
+        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
        $ = "uname -a" fullword
        $ = "warez" fullword nocase
+        $ = "whoami" fullword
        $ = /(reverse|web)\s*shell/ nocase
        $ = /-perm -0[24]000/ // find setuid files
        $ = /\/bin\/(ba)?sh/ fullword
-        $ = /hack(ing|er)/ nocase
+        $ = /hack(ing|er|ed)/ nocase
        $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
        $vbs = /language\s*=\s*vbscript/ nocase
author	Julien (jvoisin) Voisin	2016-02-26 11:53:40 +0100
committer	Julien (jvoisin) Voisin	2016-02-26 11:53:40 +0100
commit	1c7deb02ca805a28d6485f76e44ee0b7fe6f31d4 (patch)
tree	ea40081896eb3ba0c5e1fe0c3a5324b295941c08
parent	d6d411e5143adcc2e7ef9d18903fa6429982b719 (diff)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara index a326ef3..81de9e5 100644 --- a/php-malware-finder/malwares.yara +++ b/php-malware-finder/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
57	rule ObfuscatedPhp	57	rule ObfuscatedPhp
58	{	58	{
59	strings:	59	strings:
60	$eval = /(<\?php\|[;{}])\s@?(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)\s\(/ // ;eval( <- this is dodgy	60	$eval = /(<\?php\|[;{}])\s@?(eval\|preg_replace\|system\|exec\|assert\|passthru\|win_shell_execute)\s\(/ nocase // ;eval( <- this is dodgy
61	$b374k = "'ev'.'al'"	61	$b374k = "'ev'.'al'"
62	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k	62	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
63	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher	63	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
@@ -108,16 +108,16 @@ rule DodgyPhp
108	$basedir_bypass = /curl_init\s\(\s["']file:\/\//	108	$basedir_bypass = /curl_init\s\(\s["']file:\/\//
109	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719	109	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
110	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/	110	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/
111	$execution = /(eval\|assert\|passthru\|exec\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/	111	$execution = /(eval\|assert\|passthru\|exec\|include\|system\|win_shell_execute\|base64_decode)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE))/ nocase
112	$htaccess = "SetHandler application/x-httpd-php"	112	$htaccess = "SetHandler application/x-httpd-php"
113	$iis_com = /IIS:\/\/localhost\/w3svc/	113	$iis_com = /IIS:\/\/localhost\/w3svc/
114	$include = /include\s\(\s[^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes	114	$include = /include\s\(\s[^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
115	$ini_get = /ini_(get\|set\|restore)\s\(\s['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals\|allow_url_include)/	115	$ini_get = /ini_(get\|set\|restore)\s\(\s['"](safe_mode\|open_basedir\|disable_function\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals\|allow_url_include)/ nocase
116	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\(\s['"]\/[^\/]*\/e/ // http://php.net/manual/en/function.preg-replace.php	116	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\(\s['"]\/[^\/]*\/e/ nocase // http://php.net/manual/en/function.preg-replace.php
117	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/	117	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
118	$shellshock = /\(\)\s{\s:\s;\s}\s*;/	118	$shellshock = /\(\)\s{\s:\s;\s}\s*;/
119	$udp_dos = /fsockopen\s\(\s['"]udp:\/\//	119	$udp_dos = /fsockopen\s\(\s['"]udp:\/\//
120	$user_function = /(call_user_func\|create_function)/	120	$user_function = /(call_user_func\|create_function)/ nocase
121	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec	121	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
122		122
123	condition:	123	condition:
@@ -127,56 +127,56 @@ rule DodgyPhp
127	rule DangerousPhp	127	rule DangerousPhp
128	{	128	{
129	strings:	129	strings:
130	$system = "system" fullword // localroot bruteforcers have a lot of this	130	$system = "system" fullword nocase // localroot bruteforcers have a lot of this
131		131
132	$ = "array_filter" fullword	132	$ = "array_filter" fullword nocase
133	$ = "assert" fullword	133	$ = "assert" fullword nocase
134	$ = "backticks" fullword	134	$ = "backticks" fullword nocase
135	$ = "call_user_func" fullword	135	$ = "call_user_func" fullword nocase
136	$ = "eval" fullword	136	$ = "eval" fullword nocase
137	$ = "exec" fullword	137	$ = "exec" fullword nocase
138	$ = "fpassthru" fullword	138	$ = "fpassthru" fullword nocase
139	$ = "fsockopen" fullword	139	$ = "fsockopen" fullword nocase
140	$ = "function_exists" fullword	140	$ = "function_exists" fullword nocase
141	$ = "getmygid" fullword	141	$ = "getmygid" fullword nocase
142	$ = "shmop_open" fullword	142	$ = "shmop_open" fullword nocase
143	$ = "mb_ereg_replace_callback" fullword	143	$ = "mb_ereg_replace_callback" fullword nocase
144	$ = "passthru" fullword	144	$ = "passthru" fullword nocase
145	$ = "pcntl_exec" fullword	145	$ = "pcntl_exec" fullword nocase
146	$ = "pcntl_fork" fullword	146	$ = "pcntl_fork" fullword nocase
147	$ = "php_uname" fullword	147	$ = "php_uname" fullword nocase
148	$ = "phpinfo" fullword	148	$ = "phpinfo" fullword nocase
149	$ = "posix_geteuid" fullword	149	$ = "posix_geteuid" fullword nocase
150	$ = "posix_getgid" fullword	150	$ = "posix_getgid" fullword nocase
151	$ = "posix_getpgid" fullword	151	$ = "posix_getpgid" fullword nocase
152	$ = "posix_getppid" fullword	152	$ = "posix_getppid" fullword nocase
153	$ = "posix_getpwnam" fullword	153	$ = "posix_getpwnam" fullword nocase
154	$ = "posix_getpwuid" fullword	154	$ = "posix_getpwuid" fullword nocase
155	$ = "posix_getsid" fullword	155	$ = "posix_getsid" fullword nocase
156	$ = "posix_getuid" fullword	156	$ = "posix_getuid" fullword nocase
157	$ = "posix_kill" fullword	157	$ = "posix_kill" fullword nocase
158	$ = "posix_setegid" fullword	158	$ = "posix_setegid" fullword nocase
159	$ = "posix_seteuid" fullword	159	$ = "posix_seteuid" fullword nocase
160	$ = "posix_setgid" fullword	160	$ = "posix_setgid" fullword nocase
161	$ = "posix_setpgid" fullword	161	$ = "posix_setpgid" fullword nocase
162	$ = "posix_setsid" fullword	162	$ = "posix_setsid" fullword nocase
163	$ = "posix_setsid" fullword	163	$ = "posix_setsid" fullword nocase
164	$ = "posix_setuid" fullword	164	$ = "posix_setuid" fullword nocase
165	$ = "preg_replace_callback" fullword	165	$ = "preg_replace_callback" fullword
166	$ = "proc_open" fullword	166	$ = "proc_open" fullword nocase
167	$ = "register_shutdown_function" fullword	167	$ = "register_shutdown_function" fullword nocase
168	$ = "register_tick_function" fullword	168	$ = "register_tick_function" fullword nocase
169	$ = "shell_exec" fullword	169	$ = "shell_exec" fullword nocase
170	$ = "shm_open" fullword	170	$ = "shm_open" fullword nocase
171	$ = "show_source" fullword	171	$ = "show_source" fullword nocase
172	$ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"	172	$ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
173	$ = "stream_socket_pair"	173	$ = "stream_socket_pair" nocase
174	$ = "win32_create_service" fullword	174	$ = "win32_create_service" fullword nocase
175	$ = "win_shell_execute" fullword	175	$ = "win_shell_execute" fullword nocase
176	$ = "xmlrpc_decode" fullword	176	$ = "xmlrpc_decode" fullword nocase nocase
177	$ = /ob_start\s\(\s[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();	177	$ = /ob_start\s\(\s[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
178		178
179	$whitelist = /escapeshellcmd\|escapeshellarg/	179	$whitelist = /escapeshellcmd\|escapeshellarg/ nocase
180		180
181	condition:	181	condition:
182	not $whitelist and (5 of them or #system > 250) and not IsWhitelisted	182	not $whitelist and (5 of them or #system > 250) and not IsWhitelisted
@@ -205,7 +205,7 @@ rule DodgyStrings
205	$ = "backdoor" fullword nocase	205	$ = "backdoor" fullword nocase
206	$ = /(c99\|r57\|fx29)shell/	206	$ = /(c99\|r57\|fx29)shell/
207	$ = "cmd.exe" fullword nocase	207	$ = "cmd.exe" fullword nocase
208	$ = "defaced" fullword nocase	208	$ = /defac(ed\|er\|ement\|ing)/ fullword nocase
209	$ = "evilc0ders" fullword nocase	209	$ = "evilc0ders" fullword nocase
210	$ = "exploit" fullword nocase	210	$ = "exploit" fullword nocase
211	$ = "find . -type f" fullword	211	$ = "find . -type f" fullword
@@ -224,12 +224,14 @@ rule DodgyStrings
224	$ = "rootkit" fullword nocase	224	$ = "rootkit" fullword nocase
225	$ = "slowloris" fullword nocase	225	$ = "slowloris" fullword nocase
226	$ = "suhosin.executor.func.blacklist"	226	$ = "suhosin.executor.func.blacklist"
		227	$ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
227	$ = "uname -a" fullword	228	$ = "uname -a" fullword
228	$ = "warez" fullword nocase	229	$ = "warez" fullword nocase
		230	$ = "whoami" fullword
229	$ = /(reverse\|web)\s*shell/ nocase	231	$ = /(reverse\|web)\s*shell/ nocase
230	$ = /-perm -0[24]000/ // find setuid files	232	$ = /-perm -0[24]000/ // find setuid files
231	$ = /\/bin\/(ba)?sh/ fullword	233	$ = /\/bin\/(ba)?sh/ fullword
232	$ = /hack(ing\|er)/ nocase	234	$ = /hack(ing\|er\|ed)/ nocase
233	$ = /xp_(execresultset\|regenumkeys\|cmdshell\|filelist)/	235	$ = /xp_(execresultset\|regenumkeys\|cmdshell\|filelist)/
234		236
235	$vbs = /language\s=\svbscript/ nocase	237	$vbs = /language\s=\svbscript/ nocase