| -rw-r--r-- | php-malware-finder/common.yar | 5 |
1 files changed, 4 insertions, 1 deletions
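--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -95,6 +95,7 @@ rule DodgyStrings
 $ = "ls -la" fullword
 $ = "meterpreter" fullword
 $ = "nc -l" fullword
+$ = "netstat -an" fullword
 $ = "php://"
 $ = "ps -aux" fullword
 $ = "rootkit" fullword nocase
@@ -105,10 +106,11 @@ rule DodgyStrings
 $ = "visbot" nocase fullword
 $ = "warez" fullword nocase
 $ = "whoami" fullword
-$ = /(reverse|web|cmd)\s*shell/ nocase
+$ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase
 $ = /-perm -0[24]000/ // find setuid files
 $ = /\/bin\/(ba)?sh/ fullword
 $ = /hack(ing|er|ed)/ nocase
+$ = /(safe_mode|open_basedir) bypass/ nocase
 $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
 
 $vbs = /language\s*=\s*vbscript/ nocase
@@ -136,6 +138,7 @@ rule Websites
 $ = "milw0rm.com" nocase
 $ = "milw00rm.com" nocase
 $ = "packetstormsecurity" nocase
+$ = "pentestmonkey.net" nocase
 $ = "rapid7.com" nocase
 $ = "securityfocus" nocase
 $ = "shodan.io" nocase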
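Review bot: The new `/(safe_mode|open_basedir) bypass/ nocase` string in the second DodgyStrings hunk hard-codes a single literal space between the two words, while the sibling pattern rewritten two lines above tolerates any whitespace run with `\s*`; a tab, double space or line break between "open_basedir" and "bypass" will not match. Aligning it with the neighbouring style, `$ = /(safe_mode|open_basedir)\s+bypass/ nocase`, keeps the detection consistent across the rule. The leet-speak rewrite of the reverse/web/cmd shell pattern has no explanation, unlike the `// find setuid files` comment on the next line; a trailing `// tolerate leet-speak spellings (r3v3rs3 sh3ll)` would tell the next maintainer why the character classes are there. The enclosing `rule DodgyStrings` block starts and ends outside these hunks, as does `rule Websites`.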
