-rw-r--r--php-malware-finder/common.yar5
1 files changed, 4 insertions, 1 deletions
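--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -95,6 +95,7 @@ rule DodgyStrings
 $ = "ls -la" fullword
 $ = "meterpreter" fullword
 $ = "nc -l" fullword
+$ = "netstat -an" fullword
 $ = "php://"
 $ = "ps -aux" fullword
 $ = "rootkit" fullword nocase
@@ -105,10 +106,11 @@ rule DodgyStrings
 $ = "visbot" nocase fullword
 $ = "warez" fullword nocase
 $ = "whoami" fullword
-$ = /(reverse|web|cmd)\s*shell/ nocase
+$ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase
 $ = /-perm -0[24]000/ // find setuid files
 $ = /\/bin\/(ba)?sh/ fullword
 $ = /hack(ing|er|ed)/ nocase
+$ = /(safe_mode|open_basedir) bypass/ nocase
 $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
 
 $vbs = /language\s*=\s*vbscript/ nocase
@@ -136,6 +138,7 @@ rule Websites
 $ = "milw0rm.com" nocase
 $ = "milw00rm.com" nocase
 $ = "packetstormsecurity" nocase
+$ = "pentestmonkey.net" nocase
 $ = "rapid7.com" nocase
 $ = "securityfocus" nocase
 $ = "shodan.io" nocase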
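Review bot: The added `(safe_mode|open_basedir) bypass` pattern in the second DodgyStrings hunk matches only a single literal space, so a tab or a doubled space between the two words is missed while the neighbouring patterns in the same rule already tolerate that with `\s*`; `$ = /(safe_mode|open_basedir)\s+bypass/ nocase` keeps the intent and the same nocase handling. In the rewritten reverse-shell regex the substitution classes are spelled both `[e3]` and `[3e]`; they are equivalent, but one spelling reads more easily as the list of substitutions grows. The DodgyStrings and Websites rule headers and conditions are outside the hunks, so whether the new anonymous `$` strings are covered by the existing condition cannot be confirmed from here.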