1 files changed, 9 insertions, 0 deletions
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 50dcf98..527615e 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -44,6 +44,15 @@ rule CloudFlareBypass
        2 of them // Better be safe than sorry
 }
+rule PasswordProtection
+{
+    strings:
+        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+    condition:
+        any of them
+}
 rule ObfuscatedPhp
 {
    strings:

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar index 50dcf98..527615e 100644 --- a/php-malware-finder/php.yar +++ b/php-malware-finder/php.yar
@@ -44,6 +44,15 @@ rule CloudFlareBypass
44	2 of them // Better be safe than sorry	44	2 of them // Better be safe than sorry
45	}	45	}
46		46
		47	rule PasswordProtection
		48	{
		49	strings:
		50	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase
		51	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase
		52	condition:
		53	any of them
		54	}
		55
47	rule ObfuscatedPhp	56	rule ObfuscatedPhp
48	{	57	{
49	strings:	58	strings: