1 files changed, 374 insertions, 0 deletions
diff --git a/data/php.yar b/data/php.yar
new file mode 100644
index 0000000..4470e1b
--- /dev/null
+++ b/data/php.yar
@@ -0,0 +1,374 @@
+import "hash"
+include "whitelist.yar"
+/*
+    Detect:
+        - phpencode.org
+        - http://www.pipsomania.com/best_php_obfuscator.do
+        - http://atomiku.com/online-php-code-obfuscator/
+        - http://www.webtoolsvn.com/en-decode/
+        - http://obfuscator.uk/example/
+        - http://w3webtools.com/encode-php-online/
+        - http://www.joeswebtools.com/security/php-obfuscator/
+        - https://github.com/epinna/weevely3
+        - http://cipherdesign.co.uk/service/php-obfuscator
+        - http://sysadmin.cyklodev.com/online-php-obfuscator/
+        - http://mohssen.org/SpinObf.php
+        - https://code.google.com/p/carbylamine/
+        - https://github.com/tennc/webshell
+        - https://github.com/wireghoul/htshells
+    Thanks to:
+        - https://stackoverflow.com/questions/3115559/exploitable-php-functions
+*/
+global private rule IsPhp
+{
+    strings:
+        $php = /<\?[^x]/
+    condition:
+        $php and filesize < 5MB
+}
+rule NonPrintableChars
+{
+  strings:
+    /*
+    Searching only for non-printable characters completely kills the perf,
+    so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
+    to get an acceptable speed.
+    */
+    $non_printables = /(function|return|base64_decode).{,256}[^\x09-\x0d\x20-\x7E]{3}/
+  condition:
+        (any of them) and not IsWhitelisted
+}
+rule PasswordProtection
+{
+    strings:
+        $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+        $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase
+    condition:
+        (any of them) and not IsWhitelisted
+}
+rule ObfuscatedPhp
+{
+    strings:
+        $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\s*\(/ nocase  // ;eval( <- this is dodgy
+        $eval_comment = /(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\(/ nocase  // eval/*lol*/( <- this is dodgy
+        $b374k = "'ev'.'al'"
+        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
+        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
+        $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
+        $nano = /\$[a-z0-9-_]+\[[^]]+\]\(/ //https://github.com/UltimateHackers/nano
+        $ninja = /base64_decode[^;]+getallheaders/ //https://github.com/UltimateHackers/nano
+        $variable_variable = /\${\$[0-9a-zA-z]+}/
+        $too_many_chr = /(chr\([\d]+\)\.){8}/  // concatenation of more than eight `chr()`
+        $concat = /(\$[^\n\r]+\.){5}/  // concatenation of more than 5 words
+        $concat_with_spaces = /(\$[^\n\r]+\. ){5}/  // concatenation of more than 5 words, with spaces
+        $var_as_func = /\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]+\]\s*\(/
+        $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/  // eval /* comment */ (php_code)
+condition:
+        (any of them) and not IsWhitelisted
+}
+rule DodgyPhp
+{
+    strings:
+        $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// nocase
+        $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
+        $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase
+        $execution = /\b(popen|eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // function that takes a callback as 1st parameter
+        $execution2 = /\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase  // functions that takes a callback as 2nd parameter
+        $execution3 = /\b(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase  // functions that takes a callback as 2nd parameter
+        $htaccess = "SetHandler application/x-httpd-php"
+        $iis_com = /IIS:\/\/localhost\/w3svc/
+        $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
+        $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\([^)]*(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
+        $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_exec|`)/  // https://github.com/nbs-system/php-malware-finder/issues/41
+        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
+        $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/
+        $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase
+        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
+        $at_eval = /@eval\s*\(/ nocase
+        $double_var = /\${\s*\${/
+        $extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/
+        $reversed = /noitcnuf_etaerc|metsys|urhtssap|edulcni|etucexe_llehs/ nocase
+                                $silenced_include =/@\s*include\s*/ nocase
+    condition:
+        (any of them) and not IsWhitelisted
+}
+rule DangerousPhp
+{
+    strings:
+        $system = "system" fullword nocase  // localroot bruteforcers have a lot of this
+        $ = "array_filter" fullword nocase
+        $ = "assert" fullword nocase
+        $ = "backticks" fullword nocase
+        $ = "call_user_func" fullword nocase
+        $ = "eval" fullword nocase
+        $ = "exec" fullword nocase
+        $ = "fpassthru" fullword nocase
+        $ = "fsockopen" fullword nocase
+        $ = "function_exists" fullword nocase
+        $ = "getmygid" fullword nocase
+        $ = "shmop_open" fullword nocase
+        $ = "mb_ereg_replace_callback" fullword nocase
+        $ = "passthru" fullword nocase
+        $ = /pcntl_(exec|fork)/ fullword nocase
+        $ = "php_uname" fullword nocase
+        $ = "phpinfo" fullword nocase
+        $ = "posix_geteuid" fullword nocase
+        $ = "posix_getgid" fullword nocase
+        $ = "posix_getpgid" fullword nocase
+        $ = "posix_getppid" fullword nocase
+        $ = "posix_getpwnam" fullword nocase
+        $ = "posix_getpwuid" fullword nocase
+        $ = "posix_getsid" fullword nocase
+        $ = "posix_getuid" fullword nocase
+        $ = "posix_kill" fullword nocase
+        $ = "posix_setegid" fullword nocase
+        $ = "posix_seteuid" fullword nocase
+        $ = "posix_setgid" fullword nocase
+        $ = "posix_setpgid" fullword nocase
+        $ = "posix_setsid" fullword nocase
+        $ = "posix_setsid" fullword nocase
+        $ = "posix_setuid" fullword nocase
+        $ = "preg_replace_callback" fullword
+        $ = "proc_open" fullword nocase
+        $ = "proc_close" fullword nocase
+        $ = "popen" fullword nocase
+        $ = "register_shutdown_function" fullword nocase
+        $ = "register_tick_function" fullword nocase
+        $ = "shell_exec" fullword nocase
+        $ = "shm_open" fullword nocase
+        $ = "show_source" fullword nocase
+        $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
+        $ = "stream_socket_pair" nocase
+        $ = "suhosin.executor.func.blacklist" nocase
+        $ = "unregister_tick_function" fullword nocase
+        $ = "win32_create_service" fullword nocase
+        $ = "xmlrpc_decode" fullword nocase 
+        $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
+        $whitelist = /escapeshellcmd|escapeshellarg/ nocase
+    condition:
+        (not $whitelist and (5 of them or #system > 250)) and not IsWhitelisted
+}
+rule HiddenInAFile
+{
+    strings:
+        $gif = {47 49 46 38 ?? 61} // GIF8[version]a
+        $png = {89 50 4E 47 0D 0a 1a 0a} // \X89png\X0D\X0A\X1A\X0A
+        $jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
+    condition:
+        ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp) and not IsWhitelisted
+}
+rule CloudFlareBypass
+{
+    strings:
+        $ = "chk_jschl"
+        $ = "jschl_vc"
+        $ = "jschl_answer"
+    condition:
+        2 of them // Better be safe than sorry
+}
+private rule IRC
+{
+    strings:
+        $ = "USER" fullword nocase
+        $ = "PASS" fullword nocase
+        $ = "PRIVMSG" fullword nocase
+        $ = "MODE" fullword nocase
+        $ = "PING" fullword nocase
+        $ = "PONG" fullword nocase
+        $ = "JOIN" fullword nocase
+        $ = "PART" fullword nocase
+    condition:
+        5 of them
+}
+private rule b64
+{
+    strings:
+        $user_agent = "SFRUUF9VU0VSX0FHRU5UCg"
+        $eval = "ZXZhbCg"
+        $system = "c3lzdGVt"
+        $preg_replace = "cHJlZ19yZXBsYWNl"
+        $exec = "ZXhlYyg"
+        $base64_decode = "YmFzZTY0X2RlY29kZ"
+        $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
+        $cmd_exe = "Y21kLmV4ZQ"
+        $powershell = "cG93ZXJzaGVsbC5leGU"
+    condition:
+        any of them
+}
+private rule hex
+{
+    strings:
+        $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
+        $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
+        $exec = "\\x65\\x78\\x65\\x63" nocase
+        $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
+        $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
+        $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
+        $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
+    
+    condition:
+        any of them
+}
+private rule Hpack
+{
+    strings:
+    $globals = "474c4f42414c53" nocase
+        $eval = "6576616C28" nocase
+        $exec = "65786563" nocase
+        $system = "73797374656d" nocase
+        $preg_replace = "707265675f7265706c616365" nocase
+        $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
+    
+    condition:
+        any of them
+}
+private rule strrev
+{
+    strings:
+        $globals = "slabolg" nocase fullword
+        $preg_replace = "ecalper_gerp" nocase fullword
+        $base64_decode = "edoced_46esab" nocase fullword
+        $gzinflate = "etalfnizg" nocase fullword
+    
+    condition:
+        any of them
+}
+rule SuspiciousEncoding
+{
+    condition:
+        (b64 or hex or strrev or Hpack) and not IsWhitelisted
+}
+rule DodgyStrings
+{
+    strings:
+        $ = ".bash_history"
+        $ = /AddType\s+application\/x-httpd-(php|cgi)/ nocase
+        $ = /php_value\s*auto_prepend_file/ nocase
+        $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
+        $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
+        $ = ".mysql_history"
+        $ = ".ssh/authorized_keys"
+        $ = "/(.*)/e"  // preg_replace code execution
+        $ = "/../../../"
+        $ = "/etc/passwd"
+        $ = "/etc/proftpd.conf"
+        $ = "/etc/resolv.conf"
+        $ = "/etc/shadow"
+        $ = "/etc/syslog.conf"
+        $ = "/proc/cpuinfo" fullword
+        $ = "/var/log/lastlog"
+        $ = "/windows/system32/"
+        $ = "LOAD DATA LOCAL INFILE" nocase
+        $ = "WScript.Shell"
+        $ = "WinExec"
+        $ = "b374k" fullword nocase
+        $ = "backdoor" fullword nocase
+        $ = /(c99|r57|fx29)shell/
+        $ = "cmd.exe" fullword nocase
+        $ = "powershell.exe" fullword nocase
+        $ = /defac(ed|er|ement|ing)/ fullword nocase
+        $ = "evilc0ders" fullword nocase
+        $ = "exploit" fullword nocase
+        $ = "find . -type f" fullword
+        $ = "hashcrack" nocase
+        $ = "id_rsa" fullword
+        $ = "ipconfig" fullword nocase
+        $ = "kernel32.dll" fullword nocase
+        $ = "kingdefacer" nocase
+        $ = "Wireghoul" nocase fullword
+        $ = "LD_PRELOAD" fullword
+        $ = "libpcprofile"  // CVE-2010-3856 local root
+        $ = "locus7s" nocase
+        $ = "ls -la" fullword
+        $ = "meterpreter" fullword
+        $ = "nc -l" fullword
+        $ = "netstat -an" fullword
+        $ = "php://"
+        $ = "ps -aux" fullword
+        $ = "rootkit" fullword nocase
+        $ = "slowloris" fullword nocase
+        $ = "suhosin" fullword
+        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
+    $ = /trojan (payload)?/
+        $ = "uname -a" fullword
+        $ = "visbot" nocase fullword
+        $ = "warez" fullword nocase
+        $ = "whoami" fullword
+        $ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase
+        $ = /-perm -0[24]000/ // find setuid files
+        $ = /\/bin\/(ba)?sh/ fullword
+        $ = /hack(ing|er|ed)/ nocase
+        $ = /(safe_mode|open_basedir) bypass/ nocase
+        $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
+        $vbs = /language\s*=\s*vbscript/ nocase
+        $asp = "scripting.filesystemobject" nocase
+    condition:
+        (IRC or 2 of them) and not IsWhitelisted
+}
+rule Websites
+{
+    strings:
+        $ = "1337day.com" nocase
+        $ = "antichat.ru" nocase
+        $ = "b374k" nocase
+        $ = "ccteam.ru" nocase
+        $ = "crackfor" nocase
+        $ = "darkc0de" nocase
+        $ = "egyspider.eu" nocase
+        $ = "exploit-db.com" nocase
+        $ = "fopo.com.ar" nocase  /* Free Online Php Obfuscator */
+        $ = "hashchecker.com" nocase
+        $ = "hashkiller.com" nocase
+        $ = "md5crack.com" nocase
+        $ = "md5decrypter.com" nocase
+        $ = "milw0rm.com" nocase
+        $ = "milw00rm.com" nocase
+        $ = "packetstormsecurity" nocase
+        $ = "pentestmonkey.net" nocase
+        $ = "phpjiami.com" nocase
+        $ = "rapid7.com" nocase
+        $ = "securityfocus" nocase
+        $ = "shodan.io" nocase
+        $ = "github.com/b374k/b374k" nocase
+        $ = "mumaasp.com" nocase
+    condition:
+        (any of them) and not IsWhitelisted
+}

diff --git a/data/php.yar b/data/php.yar new file mode 100644 index 0000000..4470e1b --- /dev/null +++ b/data/php.yar
@@ -0,0 +1,374 @@
	1	import "hash"
	2	include "whitelist.yar"
	3
	4	/*
	5	Detect:
	6	- phpencode.org
	7	- http://www.pipsomania.com/best_php_obfuscator.do
	8	- http://atomiku.com/online-php-code-obfuscator/
	9	- http://www.webtoolsvn.com/en-decode/
	10	- http://obfuscator.uk/example/
	11	- http://w3webtools.com/encode-php-online/
	12	- http://www.joeswebtools.com/security/php-obfuscator/
	13	- https://github.com/epinna/weevely3
	14	- http://cipherdesign.co.uk/service/php-obfuscator
	15	- http://sysadmin.cyklodev.com/online-php-obfuscator/
	16	- http://mohssen.org/SpinObf.php
	17	- https://code.google.com/p/carbylamine/
	18	- https://github.com/tennc/webshell
	19
	20	- https://github.com/wireghoul/htshells
	21
	22	Thanks to:
	23	- https://stackoverflow.com/questions/3115559/exploitable-php-functions
	24	*/
	25
	26	global private rule IsPhp
	27	{
	28	strings:
	29	$php = /<\?[^x]/
	30
	31	condition:
	32	$php and filesize < 5MB
	33	}
	34
	35	rule NonPrintableChars
	36	{
	37	strings:
	38	/*
	39	Searching only for non-printable characters completely kills the perf,
	40	so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
	41	to get an acceptable speed.
	42	*/
	43	$non_printables = /(function\|return\|base64_decode).{,256}[^\x09-\x0d\x20-\x7E]{3}/
	44
	45	condition:
	46	(any of them) and not IsWhitelisted
	47	}
	48
	49
	50	rule PasswordProtection
	51	{
	52	strings:
	53	$md5 = /md5\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER)[^)]+\)\s===?\s['"][0-9a-f]{32}['"]/ nocase
	54	$sha1 = /sha1\s\(\s\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER)[^)]+\)\s===?\s['"][0-9a-f]{40}['"]/ nocase
	55	condition:
	56	(any of them) and not IsWhitelisted
	57	}
	58
	59	rule ObfuscatedPhp
	60	{
	61	strings:
	62	$eval = /(<\?php\|[;{}])[ \t]@?(eval\|preg_replace\|system\|assert\|passthru\|(pcntl_)?exec\|shell_exec\|call_user_func(_array)?)\s\(/ nocase // ;eval( <- this is dodgy
	63	$eval_comment = /(eval\|preg_replace\|system\|assert\|passthru\|(pcntl_)?exec\|shell_exec\|call_user_func(_array)?)\/\[^\]\\/\(/ nocase // eval/lol/( <- this is dodgy
	64	$b374k = "'ev'.'al'"
	65	$align = /(\$\w+=[^;]);\$\w+=@?\$\w+\(/ //b374k
	66	$weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
	67	$c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
	68	$nano = /\$[a-z0-9-_]+\[[^]]+\]\(/ //https://github.com/UltimateHackers/nano
	69	$ninja = /base64_decode[^;]+getallheaders/ //https://github.com/UltimateHackers/nano
	70	$variable_variable = /\${\$[0-9a-zA-z]+}/
	71	$too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()`
	72	$concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words
	73	$concat_with_spaces = /(\$[^\n\r]+\. ){5}/ // concatenation of more than 5 words, with spaces
	74	$var_as_func = /\$_(GET\|POST\|COOKIE\|REQUEST\|SERVER)\s\[[^\]]+\]\s\(/
	75	$comment = /\/\([^]\|\[^\/])\\/\s\(/ // eval /* comment */ (php_code)
	76	condition:
	77	(any of them) and not IsWhitelisted
	78	}
	79
	80	rule DodgyPhp
	81	{
	82	strings:
	83	$basedir_bypass = /curl_init\s\(\s["']file:\/\// nocase
	84	$basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
	85	$disable_magic_quotes = /set_magic_quotes_runtime\s\(\s0/ nocase
	86
	87	$execution = /\b(popen\|eval\|assert\|passthru\|exec\|include\|system\|pcntl_exec\|shell_exec\|base64_decode\|`\|array_map\|ob_start\|call_user_func(_array)?)\s\(\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))/ nocase // function that takes a callback as 1st parameter
	88	$execution2 = /\b(array_filter\|array_reduce\|array_walk(_recursive)?\|array_walk\|assert_options\|uasort\|uksort\|usort\|preg_replace_callback\|iterator_apply)\s\(\s[^,]+,\s*(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))/ nocase // functions that takes a callback as 2nd parameter
	89	$execution3 = /\b(array_(diff\|intersect)_u(key\|assoc)\|array_udiff)\s\(\s([^,]+\s,?)+\s(base64_decode\|php:\/\/input\|str_rot13\|gz(inflate\|uncompress)\|getenv\|pack\|\\?\$_(GET\|REQUEST\|POST\|COOKIE\|SERVER))\s\[[^]]+\]\s\)+\s*;/ nocase // functions that takes a callback as 2nd parameter
	90
	91	$htaccess = "SetHandler application/x-httpd-php"
	92	$iis_com = /IIS:\/\/localhost\/w3svc/
	93	$include = /include\s\(\s[^\.]+\.(png\|jpg\|gif\|bmp)/ // Clever includes
	94	$ini_get = /ini_(get\|set\|restore)\s\(\s['"](safe_mode\|open_basedir\|disable_(function\|classe)s\|safe_mode_exec_dir\|safe_mode_include_dir\|register_globals\|allow_url_include)/ nocase
	95	$pr = /(preg_replace(_callback)?\|mb_ereg_replace\|preg_filter)\s\([^)](\/\|\\x2f)(e\|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php
	96	$register_function = /register_[a-z]+_function\s\(\s['"]\s*(eval\|assert\|passthru\|exec\|include\|system\|shell_exec\|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41
	97	$safemode_bypass = /\x00\/\.\.\/\|LD_PRELOAD/
	98	$shellshock = /\(\)\s{\s[a-z:]\s;\s}\s*;/
	99	$udp_dos = /fsockopen\s\(\s['"]udp:\/\// nocase
	100	$various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
	101	$at_eval = /@eval\s*\(/ nocase
	102	$double_var = /\${\s*\${/
	103	$extract = /extract\s\(\s\$_(GET\|POST\|REQUEST\|COOKIE\|SERVER)/
	104	$reversed = /noitcnuf_etaerc\|metsys\|urhtssap\|edulcni\|etucexe_llehs/ nocase
	105	$silenced_include =/@\sinclude\s/ nocase
	106
	107	condition:
	108	(any of them) and not IsWhitelisted
	109	}
	110
	111	rule DangerousPhp
	112	{
	113	strings:
	114	$system = "system" fullword nocase // localroot bruteforcers have a lot of this
	115
	116	$ = "array_filter" fullword nocase
	117	$ = "assert" fullword nocase
	118	$ = "backticks" fullword nocase
	119	$ = "call_user_func" fullword nocase
	120	$ = "eval" fullword nocase
	121	$ = "exec" fullword nocase
	122	$ = "fpassthru" fullword nocase
	123	$ = "fsockopen" fullword nocase
	124	$ = "function_exists" fullword nocase
	125	$ = "getmygid" fullword nocase
	126	$ = "shmop_open" fullword nocase
	127	$ = "mb_ereg_replace_callback" fullword nocase
	128	$ = "passthru" fullword nocase
	129	$ = /pcntl_(exec\|fork)/ fullword nocase
	130	$ = "php_uname" fullword nocase
	131	$ = "phpinfo" fullword nocase
	132	$ = "posix_geteuid" fullword nocase
	133	$ = "posix_getgid" fullword nocase
	134	$ = "posix_getpgid" fullword nocase
	135	$ = "posix_getppid" fullword nocase
	136	$ = "posix_getpwnam" fullword nocase
	137	$ = "posix_getpwuid" fullword nocase
	138	$ = "posix_getsid" fullword nocase
	139	$ = "posix_getuid" fullword nocase
	140	$ = "posix_kill" fullword nocase
	141	$ = "posix_setegid" fullword nocase
	142	$ = "posix_seteuid" fullword nocase
	143	$ = "posix_setgid" fullword nocase
	144	$ = "posix_setpgid" fullword nocase
	145	$ = "posix_setsid" fullword nocase
	146	$ = "posix_setsid" fullword nocase
	147	$ = "posix_setuid" fullword nocase
	148	$ = "preg_replace_callback" fullword
	149	$ = "proc_open" fullword nocase
	150	$ = "proc_close" fullword nocase
	151	$ = "popen" fullword nocase
	152	$ = "register_shutdown_function" fullword nocase
	153	$ = "register_tick_function" fullword nocase
	154	$ = "shell_exec" fullword nocase
	155	$ = "shm_open" fullword nocase
	156	$ = "show_source" fullword nocase
	157	$ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
	158	$ = "stream_socket_pair" nocase
	159	$ = "suhosin.executor.func.blacklist" nocase
	160	$ = "unregister_tick_function" fullword nocase
	161	$ = "win32_create_service" fullword nocase
	162	$ = "xmlrpc_decode" fullword nocase
	163	$ = /ob_start\s\(\s[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
	164
	165	$whitelist = /escapeshellcmd\|escapeshellarg/ nocase
	166
	167	condition:
	168	(not $whitelist and (5 of them or #system > 250)) and not IsWhitelisted
	169	}
	170
	171	rule HiddenInAFile
	172	{
	173	strings:
	174	$gif = {47 49 46 38 ?? 61} // GIF8[version]a
	175	$png = {89 50 4E 47 0D 0a 1a 0a} // \X89png\X0D\X0A\X1A\X0A
	176	$jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png
	177
	178	condition:
	179	($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp) and not IsWhitelisted
	180	}
	181
	182	rule CloudFlareBypass
	183	{
	184	strings:
	185	$ = "chk_jschl"
	186	$ = "jschl_vc"
	187	$ = "jschl_answer"
	188
	189	condition:
	190	2 of them // Better be safe than sorry
	191	}
	192
	193	private rule IRC
	194	{
	195	strings:
	196	$ = "USER" fullword nocase
	197	$ = "PASS" fullword nocase
	198	$ = "PRIVMSG" fullword nocase
	199	$ = "MODE" fullword nocase
	200	$ = "PING" fullword nocase
	201	$ = "PONG" fullword nocase
	202	$ = "JOIN" fullword nocase
	203	$ = "PART" fullword nocase
	204
	205	condition:
	206	5 of them
	207	}
	208
	209	private rule b64
	210	{
	211	strings:
	212	$user_agent = "SFRUUF9VU0VSX0FHRU5UCg"
	213	$eval = "ZXZhbCg"
	214	$system = "c3lzdGVt"
	215	$preg_replace = "cHJlZ19yZXBsYWNl"
	216	$exec = "ZXhlYyg"
	217	$base64_decode = "YmFzZTY0X2RlY29kZ"
	218	$perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
	219	$cmd_exe = "Y21kLmV4ZQ"
	220	$powershell = "cG93ZXJzaGVsbC5leGU"
	221
	222	condition:
	223	any of them
	224	}
	225
	226	private rule hex
	227	{
	228	strings:
	229	$globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
	230	$eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
	231	$exec = "\\x65\\x78\\x65\\x63" nocase
	232	$system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
	233	$preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
	234	$http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
	235	$base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
	236
	237	condition:
	238	any of them
	239	}
	240
	241	private rule Hpack
	242	{
	243	strings:
	244	$globals = "474c4f42414c53" nocase
	245	$eval = "6576616C28" nocase
	246	$exec = "65786563" nocase
	247	$system = "73797374656d" nocase
	248	$preg_replace = "707265675f7265706c616365" nocase
	249	$base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
	250
	251	condition:
	252	any of them
	253	}
	254
	255	private rule strrev
	256	{
	257	strings:
	258	$globals = "slabolg" nocase fullword
	259	$preg_replace = "ecalper_gerp" nocase fullword
	260	$base64_decode = "edoced_46esab" nocase fullword
	261	$gzinflate = "etalfnizg" nocase fullword
	262
	263	condition:
	264	any of them
	265	}
	266
	267
	268	rule SuspiciousEncoding
	269	{
	270	condition:
	271	(b64 or hex or strrev or Hpack) and not IsWhitelisted
	272	}
	273
	274	rule DodgyStrings
	275	{
	276	strings:
	277	$ = ".bash_history"
	278	$ = /AddType\s+application\/x-httpd-(php\|cgi)/ nocase
	279	$ = /php_value\s*auto_prepend_file/ nocase
	280	$ = /SecFilterEngine\s+Off/ nocase // disable modsec
	281	$ = /Add(Handler\|Type\|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
	282	$ = ".mysql_history"
	283	$ = ".ssh/authorized_keys"
	284	$ = "/(.*)/e" // preg_replace code execution
	285	$ = "/../../../"
	286	$ = "/etc/passwd"
	287	$ = "/etc/proftpd.conf"
	288	$ = "/etc/resolv.conf"
	289	$ = "/etc/shadow"
	290	$ = "/etc/syslog.conf"
	291	$ = "/proc/cpuinfo" fullword
	292	$ = "/var/log/lastlog"
	293	$ = "/windows/system32/"
	294	$ = "LOAD DATA LOCAL INFILE" nocase
	295	$ = "WScript.Shell"
	296	$ = "WinExec"
	297	$ = "b374k" fullword nocase
	298	$ = "backdoor" fullword nocase
	299	$ = /(c99\|r57\|fx29)shell/
	300	$ = "cmd.exe" fullword nocase
	301	$ = "powershell.exe" fullword nocase
	302	$ = /defac(ed\|er\|ement\|ing)/ fullword nocase
	303	$ = "evilc0ders" fullword nocase
	304	$ = "exploit" fullword nocase
	305	$ = "find . -type f" fullword
	306	$ = "hashcrack" nocase
	307	$ = "id_rsa" fullword
	308	$ = "ipconfig" fullword nocase
	309	$ = "kernel32.dll" fullword nocase
	310	$ = "kingdefacer" nocase
	311	$ = "Wireghoul" nocase fullword
	312	$ = "LD_PRELOAD" fullword
	313	$ = "libpcprofile" // CVE-2010-3856 local root
	314	$ = "locus7s" nocase
	315	$ = "ls -la" fullword
	316	$ = "meterpreter" fullword
	317	$ = "nc -l" fullword
	318	$ = "netstat -an" fullword
	319	$ = "php://"
	320	$ = "ps -aux" fullword
	321	$ = "rootkit" fullword nocase
	322	$ = "slowloris" fullword nocase
	323	$ = "suhosin" fullword
	324	$ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
	325	$ = /trojan (payload)?/
	326	$ = "uname -a" fullword
	327	$ = "visbot" nocase fullword
	328	$ = "warez" fullword nocase
	329	$ = "whoami" fullword
	330	$ = /(r[e3]v[e3]rs[e3]\|w[3e]b\|cmd)\s*sh[e3]ll/ nocase
	331	$ = /-perm -0[24]000/ // find setuid files
	332	$ = /\/bin\/(ba)?sh/ fullword
	333	$ = /hack(ing\|er\|ed)/ nocase
	334	$ = /(safe_mode\|open_basedir) bypass/ nocase
	335	$ = /xp_(execresultset\|regenumkeys\|cmdshell\|filelist)/
	336
	337	$vbs = /language\s=\svbscript/ nocase
	338	$asp = "scripting.filesystemobject" nocase
	339
	340	condition:
	341	(IRC or 2 of them) and not IsWhitelisted
	342	}
	343
	344	rule Websites
	345	{
	346	strings:
	347	$ = "1337day.com" nocase
	348	$ = "antichat.ru" nocase
	349	$ = "b374k" nocase
	350	$ = "ccteam.ru" nocase
	351	$ = "crackfor" nocase
	352	$ = "darkc0de" nocase
	353	$ = "egyspider.eu" nocase
	354	$ = "exploit-db.com" nocase
	355	$ = "fopo.com.ar" nocase /* Free Online Php Obfuscator */
	356	$ = "hashchecker.com" nocase
	357	$ = "hashkiller.com" nocase
	358	$ = "md5crack.com" nocase
	359	$ = "md5decrypter.com" nocase
	360	$ = "milw0rm.com" nocase
	361	$ = "milw00rm.com" nocase
	362	$ = "packetstormsecurity" nocase
	363	$ = "pentestmonkey.net" nocase
	364	$ = "phpjiami.com" nocase
	365	$ = "rapid7.com" nocase
	366	$ = "securityfocus" nocase
	367	$ = "shodan.io" nocase
	368	$ = "github.com/b374k/b374k" nocase
	369	$ = "mumaasp.com" nocase
	370
	371	condition:
	372	(any of them) and not IsWhitelisted
	373	}
	374