authorJulien Voisin2016-02-23 15:25:28 +0100
committerJulien Voisin2016-02-23 15:25:28 +0100
commite07b47d18e10027d5967de21c56b8721b89bb58d (patch)
tree76ed238508ac8c48caef77a6c43f052febd33883
parenteb2945d111559269198fdd38840db972318967bf (diff)
Add more simple signatures
-rw-r--r--php-malware-finder/malwares.yara5
1 files changed, 5 insertions, 0 deletions
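--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -185,6 +185,9 @@ rule DodgyStrings
 {
 strings:
 $ = ".ssh/authorized_keys"
+$ = ".bash_history"
+$ = ".mysql_history"
+$ = /-perm -0[24]000/ // find setuid files
 $ = "/(.*)/e" // preg_replace code execution
 $ = "/../../../"
 $ = "/etc/passwd"
@@ -202,6 +205,7 @@ rule DodgyStrings
 $ = "c99shell" fullword nocase
 $ = "cmd.exe" fullword nocase
 $ = "defaced" fullword nocase
+$ = "evilc0ders" fullword nocase
 $ = "exploit" fullword nocase
 $ = "find . -type f" fullword
 $ = "hashcrack" nocase
@@ -253,6 +257,7 @@ rule Websites
 $ = "rapid7.com" nocase
 $ = "securityfocus" nocase
 $ = "shodan.io" nocase
+$ = "github.com/b374k/b374k" nocase
 
 condition:
 any of them and not IsWhitelisted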
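Review bot: The new regex `$ = /-perm -0[24]000/` in the first hunk of rule DodgyStrings only matches the four-digit octal spelling with a leading zero and the `-` prefix, so the equally common forms `find / -perm -4000`, `-perm /4000` and `-perm +4000` (plus the symbolic `-perm -u=s`) would not trigger it. Since this is a "dodgy string" heuristic rather than an exact signature, loosening it costs little: `$ = /-perm [-\/+]0?[24]000/ // find setuid/setgid files`. The comment should also say setuid/setgid, because `[24]` deliberately covers 02000 (setgid) as well as 04000 (setuid). Note that DodgyStrings' condition is outside these hunks, so whether one such match is enough to flag a file cannot be judged from this diff alone.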