| -rw-r--r-- | php-malware-finder/common.yar | 12 | ||||
| -rw-r--r-- | php-malware-finder/php.yar | 8 |
2 files changed, 15 insertions, 5 deletions
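--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -1,3 +1,14 @@
+rule CloudFlareBypass
+{
+strings:
+$ = "chk_jschl"
+$ = "jschl_vc"
+$ = "jschl_answer"
+
+condition:
+2 of them // Better be safe than sorry
+}
+
 private rule IRC
 {
 strings:
@@ -125,6 +136,7 @@ rule Websites
 strings:
 $ = "1337day.com" nocase
 $ = "antichat.ru" nocase
+$ = "b374k" nocase
 $ = "ccteam.ru" nocase
 $ = "crackfor" nocase
 $ = "darkc0de" nocase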
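Review bot: The new `$ = "b374k" nocase` string in the Websites hunk is the name of a PHP web shell rather than a site domain, so a reader scanning a rule called Websites will not expect it there; a trailing comment such as `$ = "b374k" nocase // web shell name, not a domain` would make the intent explicit. The CloudFlareBypass rule moved into this file keeps its `2 of them` condition; if common.yar is not gated by php.yar's `global private rule IsPhp`, it will presumably now be evaluated against non-PHP input as well, which is worth confirming is intended. The Websites rule starts and ends outside the hunk.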
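--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -33,15 +33,13 @@ global private rule IsPhp
 $php and filesize < 5MB
 }
 
-rule CloudFlareBypass
+rule HiddenInAFile
 {
 strings:
-$ = "chk_jschl"
-$ = "jschl_vc"
-$ = "jschl_answer"
+$gif = {47 49 46 38 ?? 61} // GIF8[version]a
 
 condition:
-2 of them // Better be safe than sorry
+$gif at 0
 }
 
 rule PasswordProtection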
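Review bot: HiddenInAFile checks only the GIF signature (`$gif = {47 49 46 38 ?? 61}` with `$gif at 0`), although its name suggests any carrier format; a comment stating the scope, `// only a GIF header is checked; other image or archive carriers are not covered`, would keep the name from over-promising. The `??` wildcard accepts any byte between `GIF8` and `a`, which is broader than the `7`/`9` a well-formed header carries — fine for detection, but worth a word in the comment so nobody "fixes" it later. Since the file's `global private rule IsPhp` gates every rule here, the match is presumably limited to files that also contain a PHP tag and are under 5MB; that gating condition is visible at the top of the hunk.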
