Detect backdoor-looking authentication schemes

author: Julien (jvoisin) Voisin 2016-06-16 13:15:00 +0200
committer: Julien (jvoisin) Voisin 2016-06-16 13:15:00 +0200
commit: 83e28980af29c7942c4ce1c8705f967285f34d30 (patch)
tree: c43a6d980d62a068ee05ee06cbd03fdd949dea4b
parent: 94ebe7c23c60e9b15fed69feca34a11344692547 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 50dcf98..527615e 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -44,6 +44,15 @@ rule CloudFlareBypass
        2 of them // Better be safe than sorry
 }
+rule PasswordProtection
+{
+    strings:
+        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+    condition:
+        any of them
+}
 rule ObfuscatedPhp
 {
    strings:
author	Julien (jvoisin) Voisin	2016-06-16 13:15:00 +0200
committer	Julien (jvoisin) Voisin	2016-06-16 13:15:00 +0200
commit	83e28980af29c7942c4ce1c8705f967285f34d30 (patch)
tree	c43a6d980d62a068ee05ee06cbd03fdd949dea4b
parent	94ebe7c23c60e9b15fed69feca34a11344692547 (diff)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 50dcf98..527615e 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -44,6 +44,15 @@ rule CloudFlareBypass
44	2 of them // Better be safe than sorry	44	2 of them // Better be safe than sorry
45	}	45	}
46		46
		47	rule PasswordProtection
		48	{
		49	strings:
		50	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase
		51	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase
		52	condition:
		53	any of them
		54	}
		55
47	rule ObfuscatedPhp	56	rule ObfuscatedPhp
48	{	57	{
49	strings:	58	strings: