| author | Julien Voisin | 2016-02-12 13:13:30 +0100 |
|---|---|---|
| committer | Julien Voisin | 2016-02-12 15:05:05 +0100 |
| commit | 5409bc63c57442ace2e9aaa71f43e2d201597927 (patch) | |
| tree | 631370bc54d66d79e98c28220ab07a374372b7b9 | |
| parent | fde93ed05adc8d84bda4a3e6d46047b41b89c9a4 (diff) | |
Add a few artefacts taken from `assdick.php`, aka "fuhosin"
| -rw-r--r-- | php-malware-finder/malwares.yara | 7 |
1 files changed, 7 insertions, 0 deletions
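diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 5652b0a..4bff547 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -143,6 +143,7 @@ rule DangerousPhp
 $ = "mb_ereg_replace_callback" fullword
 $ = "passthru" fullword
 $ = "pcntl_exec" fullword
+$ = "pcntl_fork" fullword
 $ = "php_uname" fullword
 $ = "phpinfo" fullword
 $ = "posix_geteuid" fullword
@@ -158,6 +159,7 @@ rule DangerousPhp
 $ = "shm_open" fullword
 $ = "show_source" fullword
 $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+$ = "stream_socket_pair"
 $ = "win32_create_service" fullword
 $ = "win_shell_execute" fullword
 $ = "xmlrpc_decode" fullword
@@ -172,6 +174,8 @@ rule DangerousPhp
 rule DodgyStrings
 {
 strings:
+$ = ".ssh/authorized_keys"
+$ = "/(.*)/e" // preg_replace code execution
 $ = "/../../../"
 $ = "/etc/passwd"
 $ = "/etc/proftpd.conf"
@@ -193,12 +197,15 @@ rule DodgyStrings
 $ = "id_rsa" fullword
 $ = "ipconfig" fullword nocase
 $ = "kingdefacer" nocase
+$ = "libpcprofile" // CVE-2010-3856 local root
 $ = "locus7s" nocase
 $ = "ls -la" fullword
+$ = "meterpreter" fullword"
 $ = "nc -l" fullword
 $ = "ps -aux" fullword
 $ = "rootkit" fullword nocase
 $ = "slowloris" fullword nocase
+$ = "suhosin.executor.func.blacklist"
 $ = "uname -a" fullword
 $ = "warez" fullword nocase
 $ = /(reverse|web)\s*shell/ nocase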
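Review bot: The `meterpreter` string added in the last hunk carries a stray trailing double-quote, `$ = "meterpreter" fullword"`, which leaves an unterminated string literal and should make the whole rule file fail to compile; the line should read `$ = "meterpreter" fullword`. If the extra quote is a rendering artefact rather than part of the commit, it is worth confirming against the raw patch before merging. Separately, the `"/(.*)/e"` literal added in the third hunk only fires on that exact pattern text, so it is a narrow indicator of `preg_replace` `/e` abuse; a regex string anchored on the `/e` modifier would cover more variants, at the usual false-positive cost. The `DodgyStrings` rule body continues outside the hunks shown.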
