| author | jvoisin | 2017-07-26 20:47:31 +0200 |
|---|---|---|
| committer | jvoisin | 2017-07-26 20:47:31 +0200 |
| commit | 4a9899a9c1b5d675599379ed42b08dd802713866 (patch) | |
| tree | 981198553ca712db2cfbeb477cedea5be633c09f | |
| parent | dd4598b35843644b0b4dd9a12b9612cac5cf8938 (diff) | |
Add some detections
| -rw-r--r-- | php-malware-finder/common.yar | 2 | ||||
| -rw-r--r-- | php-malware-finder/php.yar | 6 | ||||
| -rw-r--r-- | php-malware-finder/samples/artificial/dodgy.php | 4 | ||||
| -rwxr-xr-x | php-malware-finder/tests.sh | 14 |
4 files changed, 14 insertions, 12 deletions
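--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -139,7 +139,7 @@ rule DodgyStrings
 $ = "ps -aux" fullword
 $ = "rootkit" fullword nocase
 $ = "slowloris" fullword nocase
-$ = "suhosin.executor.func.blacklist"
+$ = "suhosin" fullword
 $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
 $ = /trojan (payload)?/
 $ = "uname -a" fullword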
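Review bot: `$ = "suhosin" fullword` in DodgyStrings is far broader than the dotted key it replaces, and `fullword` barely narrows it: the old `suhosin.executor.func.blacklist` form still matches through the `.` boundary, but so does any bare mention of the extension name. Ordinary PHP that merely probes for the extension (an `extension_loaded('suhosin')` style check, or a comment) will now hit this rule, whereas every neighbouring entry is a full command or phrase, so the false-positive rate of DodgyStrings is likely to rise. Either keep the dotted key alongside the bare name or document the trade-off on the line, e.g. `$ = "suhosin" fullword // bare name: also hits benign extension checks`. The rule body starts before this hunk.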
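--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -89,11 +89,11 @@ rule DodgyPhp
 $htaccess = "SetHandler application/x-httpd-php"
 $iis_com = /IIS:\/\/localhost\/w3svc/
 $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes
-$ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
+$ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
 $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php
 $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_execute|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
-$shellshock = /\(\)\s*{\s*:\s*;\s*}\s*;/
+$shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/
 $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
 $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
 $at_eval = /@eval\s*\(/ nocase
@@ -152,6 +152,8 @@ rule DangerousPhp
 $ = "show_source" fullword nocase
 $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
 $ = "stream_socket_pair" nocase
+$ = "suhosin.executor.func.blacklist" nocase
+$ = "unregister_tick_function" fullword nocase
 $ = "win32_create_service" fullword nocase
 $ = "xmlrpc_decode" fullword nocase nocase
 $ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();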
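Review bot: The two widened patterns in the first hunk, `[a-z:]` in `$shellshock` and the `disable_(function|classe)s` alternation in `$ini_get`, get no sample or test coverage in this commit: dodgy.php still exercises only `() { :;}` and `disable_functions`, so the `disable_classes` branch and the letter branch of the class are never matched by tests.sh. Add one sample line for each and a matching `run_test` expectation so a later regex edit cannot silently break them. The `$shellshock` line would also benefit from a trailing comment stating the intent of the class, since the rest of the pattern is not obviously tied to it, e.g. `// body is ':' or a single lowercase letter; case-sensitive on purpose`. The `"suhosin.executor.func.blacklist"` string added in the second hunk is the one removed from common.yar in this same commit, which a one-line comment could record. Both rule bodies continue outside the hunks.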
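--- a/php-malware-finder/samples/artificial/dodgy.php
+++ b/php-malware-finder/samples/artificial/dodgy.php
@@ -7,8 +7,8 @@ eval(base64_decode($_GET['lol']));
 $a= "SetHandler application/x-httpd-php";
 $b = "IIS://localhost/w3svc";
 include ( 'lol.png');
-ini_get ( 'disable_function');
-ini_set("disable_function", "");
+ini_get ( 'disable_functions');
+ini_set("disable_functions", "");
 ini_restore("allow_url_include");
 preg_replace ("/*/e");
 $c = "env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'";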
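--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -75,13 +75,13 @@ run_test artificial/dodgy.php '$execution: base64_decode($_GET'
 run_test artificial/dodgy.php '$htaccess:'
 run_test artificial/dodgy.php '0xd7:$iis_com: IIS://localhost/w3svc'
 run_test artificial/dodgy.php "0xef:\$include: include ( 'lol.png"
-run_test artificial/dodgy.php "0x106:\$ini_get: ini_get ( 'disable_function"
-run_test artificial/dodgy.php '0x126:$ini_get: ini_set("disable_function'
-run_test artificial/dodgy.php '0x147:$ini_get: ini_restore("allow_url_include'
-run_test artificial/dodgy.php '0x18d:$shellshock: () { :;};'
-run_test artificial/dodgy.php '0x169:$pr: preg_replace ("/\*/e'
-run_test artificial/dodgy.php '0x1fd:$various: <!--#exec cmd='
-run_test artificial/dodgy.php '0x214:$: AddType application/x-httpd-php .htaccess'
+run_test artificial/dodgy.php "\$ini_get: ini_get ( 'disable_functions"
+run_test artificial/dodgy.php '$ini_get: ini_set("disable_functions'
+run_test artificial/dodgy.php '$ini_get: ini_restore("allow_url_include'
+run_test artificial/dodgy.php '$shellshock: () { :;};'
+run_test artificial/dodgy.php '$pr: preg_replace ("/\*/e'
+run_test artificial/dodgy.php '$various: <!--#exec cmd='
+run_test artificial/dodgy.php '$: AddType application/x-httpd-php .htaccess'
 
 run_test artificial/bypasses.php 'DodgyPhp'
 run_test artificial/bypasses.php '0x6d:$execution: call_user_func_array($_POST'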
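Review bot: Lines 78 to 84 drop the `0x…:` offset prefix from the expected match while the adjacent expectations on lines 76, 77 and 87 keep theirs, so the file now mixes offset-pinned and unpinned assertions with no indication of which is intended. Presumably the offsets were dropped because the two-byte growth of dodgy.php (`disable_function` to `disable_functions`, twice) shifted every later offset; recomputing them would preserve the stronger check, and otherwise the remaining prefixes should be stripped too so a reader does not take them as meaningful. Without the offset an expectation such as `'$shellshock: () { :;};'` is satisfied by that string anywhere in the scanner output, which is a weaker assertion than before. `run_test` is defined outside the hunk, so how strictly it matches cannot be confirmed here.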
