Add detection for backdoored .htaccess

author: Julien (jvoisin) Voisin 2016-03-01 14:55:37 +0100
committer: Julien (jvoisin) Voisin 2016-03-01 14:55:37 +0100
commit: 9e21c935a9424c750e9bacead451fef791fa8733 (patch)
tree: 0f1c457aa4df14edede491113f615af7f846c8c1
parent: 7e47407a8988aa73627dfa482abced236b0ca963 (diff)
1 files changed, 14 insertions, 2 deletions
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 287ebd3..929164b 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -16,6 +16,11 @@ include "whitelist.yara"
        - http://mohssen.org/SpinObf.php
        - https://code.google.com/p/carbylamine/
        - https://github.com/tennc/webshell
+        - https://github.com/wireghoul/htshells
+    Thanks to:
+        - https://stackoverflow.com/questions/3115559/exploitable-php-functions
 */
 global private rule IsPhp
@@ -110,7 +115,9 @@ rule DodgyPhp
        $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
        $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
        $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|`|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+        $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase  // functions that takes a callback as 2nd parameter
        $htaccess = "SetHandler application/x-httpd-php"
        $iis_com = /IIS:\/\/localhost\/w3svc/
        $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
@@ -165,6 +172,7 @@ rule DangerousPhp
        $ = "posix_setuid" fullword nocase
        $ = "preg_replace_callback" fullword
        $ = "proc_open" fullword nocase
+        $ = "popen" fullword nocase
        $ = "register_shutdown_function" fullword nocase
        $ = "register_tick_function" fullword nocase
        $ = "shell_exec" fullword nocase
@@ -187,7 +195,10 @@ rule DodgyStrings
 {
    strings:
        $ = ".bash_history"
-        $ = /AddType\s+application\/x-httpd-php/
+        $ = /AddType\s+application\/x-httpd-php/ nocase
+        $ = /php_value\s*auto_prepend_file/ nocase
+        $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
+        $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
        $ = ".mysql_history"
        $ = ".ssh/authorized_keys"
        $ = "/(.*)/e"  // preg_replace code execution
@@ -216,6 +227,7 @@ rule DodgyStrings
        $ = "ipconfig" fullword nocase
        $ = "kernel32.dll" fullword nocase
        $ = "kingdefacer" nocase
+        $ = "Wireghoul" nocase fullword
        $ = "libpcprofile"  // CVE-2010-3856 local root
        $ = "locus7s" nocase
        $ = "ls -la" fullword
author	Julien (jvoisin) Voisin	2016-03-01 14:55:37 +0100
committer	Julien (jvoisin) Voisin	2016-03-01 14:55:37 +0100
commit	9e21c935a9424c750e9bacead451fef791fa8733 (patch)
tree	0f1c457aa4df14edede491113f615af7f846c8c1
parent	7e47407a8988aa73627dfa482abced236b0ca963 (diff)