From 83e28980af29c7942c4ce1c8705f967285f34d30 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Thu, 16 Jun 2016 13:15:00 +0200
Subject: Detect backdoor-looking authentication schemes

---
 php-malware-finder/php.yar | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 50dcf98..527615e 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -44,6 +44,15 @@ rule CloudFlareBypass
 2 of them // Better be safe than sorry
 }
 
+rule PasswordProtection
+{
+strings:
+$md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+$sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase
+condition:
+any of them
+}
+
 rule ObfuscatedPhp
 {
 strings:
-- 
cgit v1.3
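Review bot: The `$sha1` string in the new PasswordProtection rule requires a 32-character hex literal, but a hex-encoded SHA-1 digest is 40 characters, so this pattern cannot match a real `sha1($_GET[...]) == '<40 hex chars>'` comparison and the rule effectively detects md5-based checks only. The fix is to change the quantifier in that one string: `$sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase`. It would also help a triager to add a `meta:` block with a one-line description explaining that the rule targets hard-coded hash comparisons against request parameters, which is a pattern common in web shells but also present in some legitimate (if weak) admin scripts, so hits need manual review. The hunk is complete within view.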