From 9e21c935a9424c750e9bacead451fef791fa8733 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Tue, 1 Mar 2016 14:55:37 +0100
Subject: Add detection for backdoored .htaccess

---
 php-malware-finder/malwares.yara | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 287ebd3..929164b 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -16,6 +16,11 @@ include "whitelist.yara"
         - http://mohssen.org/SpinObf.php
         - https://code.google.com/p/carbylamine/
         - https://github.com/tennc/webshell
+
+        - https://github.com/wireghoul/htshells
+
+    Thanks to:
+        - https://stackoverflow.com/questions/3115559/exploitable-php-functions
 */
 
 global private rule IsPhp
@@ -110,7 +115,9 @@ rule DodgyPhp
         $basedir_bypass = /curl_init\s*\(\s*["']file:\/\//
         $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719
         $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/
-        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|`|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+        $execution = /(eval|assert|passthru|exec|include|system|pcntl_exec|win_shell_execute|base64_decode|`|array_map|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase
+        $execution2 = /(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/ nocase  // functions that takes a callback as 2nd parameter
+
         $htaccess = "SetHandler application/x-httpd-php"
         $iis_com = /IIS:\/\/localhost\/w3svc/
         $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
@@ -165,6 +172,7 @@ rule DangerousPhp
         $ = "posix_setuid" fullword nocase
         $ = "preg_replace_callback" fullword
         $ = "proc_open" fullword nocase
+        $ = "popen" fullword nocase
         $ = "register_shutdown_function" fullword nocase
         $ = "register_tick_function" fullword nocase
         $ = "shell_exec" fullword nocase
@@ -187,7 +195,10 @@ rule DodgyStrings
 {
     strings:
         $ = ".bash_history"
-        $ = /AddType\s+application\/x-httpd-php/
+        $ = /AddType\s+application\/x-httpd-php/ nocase
+        $ = /php_value\s*auto_prepend_file/ nocase
+        $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
+        $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
         $ = ".mysql_history"
         $ = ".ssh/authorized_keys"
         $ = "/(.*)/e"  // preg_replace code execution
@@ -216,6 +227,7 @@ rule DodgyStrings
         $ = "ipconfig" fullword nocase
         $ = "kernel32.dll" fullword nocase
         $ = "kingdefacer" nocase
+        $ = "Wireghoul" nocase fullword
         $ = "libpcprofile"  // CVE-2010-3856 local root
         $ = "locus7s" nocase
         $ = "ls -la" fullword
-- 
cgit v1.3