From 5409bc63c57442ace2e9aaa71f43e2d201597927 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Fri, 12 Feb 2016 13:13:30 +0100
Subject: Add a few artefacts taken from `assdick.php`, aka "fuhosin"
---
 php-malware-finder/malwares.yara | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 5652b0a..4bff547 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -143,6 +143,7 @@ rule DangerousPhp
 $ = "mb_ereg_replace_callback" fullword
 $ = "passthru" fullword
 $ = "pcntl_exec" fullword
+ $ = "pcntl_fork" fullword
 $ = "php_uname" fullword
 $ = "phpinfo" fullword
 $ = "posix_geteuid" fullword
@@ -158,6 +159,7 @@ rule DangerousPhp
 $ = "shm_open" fullword
 $ = "show_source" fullword
 $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
+ $ = "stream_socket_pair"
 $ = "win32_create_service" fullword
 $ = "win_shell_execute" fullword
 $ = "xmlrpc_decode" fullword
@@ -172,6 +174,8 @@ rule DangerousPhp
 rule DodgyStrings
 {
 strings:
+ $ = ".ssh/authorized_keys"
+ $ = "/(.*)/e" // preg_replace code execution
 $ = "/../../../"
 $ = "/etc/passwd"
 $ = "/etc/proftpd.conf"
@@ -193,12 +197,15 @@ rule DodgyStrings
 $ = "id_rsa" fullword
 $ = "ipconfig" fullword nocase
 $ = "kingdefacer" nocase
+ $ = "libpcprofile" // CVE-2010-3856 local root
 $ = "locus7s" nocase
 $ = "ls -la" fullword
+ $ = "meterpreter" fullword"
 $ = "nc -l" fullword
 $ = "ps -aux" fullword
 $ = "rootkit" fullword nocase
 $ = "slowloris" fullword nocase
+ $ = "suhosin.executor.func.blacklist"
 $ = "uname -a" fullword
 $ = "warez" fullword nocase
 $ = /(reverse|web)\s*shell/ nocase
--
cgit v1.3
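Review bot: The new `stream_socket_pair` string in the second hunk is the only function-name entry in DangerousPhp without the `fullword` modifier that every neighbouring entry (`shm_open`, `show_source`, `win32_create_service`, ...) carries, so it will also fire on any longer identifier that merely contains that substring. Unless the omission is deliberate, `$ = "stream_socket_pair" fullword` keeps the rule's matching consistent and avoids a class of false positives; if it is deliberate, a short comment saying why would stop the next reader from "fixing" it. The `socket_create(...)` line above it is a different case, since that string already includes the argument list. The DangerousPhp rule's condition is outside both hunks.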
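Review bot: The literal `$ = "/(.*)/e"` added at the top of DodgyStrings only matches that exact spelling, while the thing the comment says it is after is the `e` modifier following the closing delimiter; `/(.+)/e`, `/.*/ie` or a pattern with a different body all slip past it. Since the file already uses regex strings (`/(reverse|web)\s*shell/ nocase`), a form along the lines of `$ = /\/.*\/[a-zA-Z]*e["']/ // preg_replace /e modifier` would cover the modifier regardless of the pattern body, though its false-positive rate against ordinary regex literals should be checked before replacing the literal. The rule header and `strings:` line are in the hunk but the rule's condition lies past its end.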
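Review bot: The added line `$ = "meterpreter" fullword"` in the last hunk has a stray trailing `"` after the modifier, which is not valid YARA syntax and will make the ruleset fail to compile, so none of the rules in malwares.yara load until it is fixed. The line should read `$ = "meterpreter" fullword`, matching its neighbours such as `$ = "nc -l" fullword`. A compile check of the ruleset (for instance with yarac or a yara dry run) in CI would catch this class of typo before it lands. The rest of the DodgyStrings rule, including its condition, continues past the hunk.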