From 8277b307068b9ad4dddb0632ae5d412eea2924a0 Mon Sep 17 00:00:00 2001
From: shaddai
Date: Thu, 26 Nov 2015 15:13:25 +0100
Subject: new rules

some samples from this repo weren't detected : https://github.com/tennc/webshell
Fixes #3---
 malwares.yara | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index c901d06..73195da 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -15,6 +15,7 @@ include "whitelist.yara"
         - http://sysadmin.cyklodev.com/online-php-obfuscator/
         - http://mohssen.org/SpinObf.php
         - https://code.google.com/p/carbylamine/
+        - https://github.com/tennc/webshell
 */
 
 global private rule IsPhp
@@ -56,13 +57,15 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/  // ;eval( <- this is dodgy
+        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/  // ;eval( <- this is dodgy
+        $b374k = /'ev'\.'al'/
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
-        $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
         $strange_arg = /\${\$[0-9a-zA-z]+}/
+        $too_many_chr = /(chr\([\d]+\)\.){2,}?/
+        $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
     condition:
         any of them and not IsWhitelisted
 }
@@ -74,6 +77,7 @@ private rule base64
         $system = "c3lzdGVt"
         $preg_replace = "cHJlZ19yZXBsYWNl"
         $exec = "ZXhlYyg"
+        $base64_decode = "YmFzZTY0X2RlY29kZ"
     condition:
         any of them
 }
@@ -100,18 +104,20 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
     strings:
-        $vars = /\$___+/ // $__ is rarely used in legitimate scripts
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute) *\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
+        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
         $double_encoding = /(base64_decode\s*\(\s*){2}/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
+        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir)['"]\)/
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
-        $pr = /preg_replace\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
         $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
         $htaccess = "SetHandler application/x-httpd-php"
         $udp_dos = /sockopen\s*\(['"]udp:\/\//
+        $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
+        $iis_com = /IIS:\/\/localhost\/w3svc/
 
     condition:
         (any of them or CloudFlareBypass) and not IsWhitelisted
@@ -148,6 +154,12 @@ rule DangerousPhp
         $ = "show_source" fullword
         $ = "pcntl_exec" fullword
         $ = "array_filter" fullword
+        $ = "call_user_func" fullword
+        $ = "register_shutdown_function" fullword
+        $ = "register_tick_function" fullword
+        $ = /ob_start\s*\(\s*[^\)]/  //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush();
+        $ = "mb_ereg_replace_callback" fullword
+        $ = "preg_replace_callback" fullword
 
         $whitelist = /escapeshellcmd|escapeshellarg/
 
@@ -214,6 +226,8 @@ rule Websites
         $ = "www.fopo.com.ar"  /* Free Online Php Obfuscator */
         $ = "ccteam.ru"
         $ = "locus7s.com"
+        $ = "b374k"
+        $ = "www.egyspider.eu"
 
     condition:
         any of them and not IsWhitelisted
-- 
cgit v1.3


From ccbefed99a639c5c91463bf3edc343cc13b65d36 Mon Sep 17 00:00:00 2001
From: shaddai
Date: Thu, 26 Nov 2015 15:17:22 +0100
Subject: added tennc repo to the list

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 69d4e11..9e8abd6 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ The following list of encoders/obfuscators/webshells are also detected:
 * [cobra obfuscator]( http://obfuscator.uk/example/ )
 * [phpencode]( http://phpencode.org )
 * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
+* [tennc]( http://tennc.github.io/webshell/ )
 
 
 ## How does it work?
-- 
cgit v1.3


From 79bdee48721c6a023cbea9c66e825f0b8834038f Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 15:15:56 +0100
Subject: Simplify a bit some rules

- Remove `b64_concat` since it was close to useless
- Make `too_many_chr` non-greddy

Those changes will make our malwares.yara rules
yara-git friendly.
---
 malwares.yara | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 73195da..4f08a9b 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -64,8 +64,7 @@ rule ObfuscatedPhp
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $strange_arg = /\${\$[0-9a-zA-z]+}/
-        $too_many_chr = /(chr\([\d]+\)\.){2,}?/
-        $b64_concat = /('[A-Za-z0-9=+]*'\.){4,8}?/
+        $too_many_chr = /(chr\([\d]+\)\.){2,}/
     condition:
         any of them and not IsWhitelisted
 }
-- 
cgit v1.3


From 8039662c4ec5e407d23d19a27df34286e398ad45 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 15:47:28 +0100
Subject: Perf optimization and rules completion

---
 malwares.yara | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 4f08a9b..98e11cb 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -57,10 +57,10 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/  // ;eval( <- this is dodgy
-        $b374k = /'ev'\.'al'/
+        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/  // ;eval( <- this is dodgy
+        $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $strange_arg = /\${\$[0-9a-zA-z]+}/
@@ -105,7 +105,7 @@ rule DodgyPhp
     strings:
         $vars = /\$__+/ // $__ is rarely used in legitimate scripts
         $double_encoding = /(base64_decode\s*\(\s*){2}/
-        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
+        $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE))/
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-- 
cgit v1.3


From a16310d442a72cd50f6eb7f1f493988f8a87a2f3 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 15:56:18 +0100
Subject: Add a whitelist for wordpress 4.4

---
 whitelist.yara | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/whitelist.yara b/whitelist.yara
index 858860d..84da6b1 100644
--- a/whitelist.yara
+++ b/whitelist.yara
@@ -13,7 +13,11 @@ private rule Wordpress : Blog
         /* Wordpress 3.2.1 */
         hash.sha1(0, filesize)  == "b4f53b8c360f9e47cc63047305a0ce2e3ff6a251" or // wp-includes/functions.php
         hash.sha1(0, filesize)  == "ac8298df16a560c80fb213ef3f51f90df8ef5292" or // wp-includes/class-phpmailer.php
-        hash.sha1(0, filesize)  == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" // wp-admin/includes/menu.php
+        hash.sha1(0, filesize)  == "232e4705e3aa28269c4d5e4a4a700bb7a2d06f24" or // wp-admin/includes/menu.php
+
+        /* Wordpress 4.4 */
+        hash.sha1(0, filesize)  == "2fdf93ae88735d062a8635ac1d22a6904cb89ab8" or // wp-includes/formatting.php
+        hash.sha1(0, filesize)  == "ccd23ef96a588840943fba081bfa6f88531c4abc" // wp-admin/includes/class-pclzip.php
 }
 
 private rule Prestashop : ECommerce
-- 
cgit v1.3


From 8f2560344f84b6cac651d7dc73ff327af23ac65d Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 16:18:44 +0100
Subject: Add `-t` to specify the number of threads to use

---
 phpmalwarefinder | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/phpmalwarefinder b/phpmalwarefinder
index c49a7bd..354ab91 100755
--- a/phpmalwarefinder
+++ b/phpmalwarefinder
@@ -33,12 +33,13 @@ Usage ${0##*/} [-cfhw] <file|folder> ...
     -c  Optional path to a configuration file
     -f  Fast mode
     -h  Show this help message
+    -t  Specify the number of threads to use (8 by default)
     -v  Verbose mode
 EOF
 }
 
 OPTIND=1
-while getopts "c:fhv" opt; do
+while getopts "c:fht:v" opt; do
     case "$opt" in
         h)
             show_help
@@ -50,6 +51,9 @@ while getopts "c:fhv" opt; do
         c)
             CONFIG_PATH=${OPTARG}
             ;;
+        t)
+            OPTS="${OPTS} --threads=${OPTARG}"
+            ;;
         v)
             OPTS="${OPTS} -s"
             ;;
-- 
cgit v1.3


From de3e79edacea28320170bec145dbaf28cc31064c Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 16:27:56 +0100
Subject: Fix a stupid typo

`eval(` patterns are now much better detected.
---
 malwares.yara | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/malwares.yara b/malwares.yara
index 98e11cb..de735a7 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -57,7 +57,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;{}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/  // ;eval( <- this is dodgy
+        $eval = /[;{}]*[\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
         $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
@@ -188,6 +188,7 @@ rule DodgyStrings
         $ = "webshell" fullword nocase
         $ = "exploit" fullword nocase
         $ = "hacking" fullword nocase
+        $ = "hacker" fullword nocase
         $ = "/proc/cpuinfo" fullword
         $ = "/bin/sh" fullword
         $ = "/bin/bash" fullword
-- 
cgit v1.3


From 71a34f643b135fc8d0d1fad26029fdbdfefe0f64 Mon Sep 17 00:00:00 2001
From: shaddai
Date: Mon, 4 Jan 2016 16:48:19 +0100
Subject: one_line_trick function

The newly added function allows to check for files containing oneliners webshells, these files are mostly composed of one or two very long lines---
 phpmalwarefinder | 51 +++++++++++++++++++++++++++++++++------------------
 1 file changed, 33 insertions(+), 18 deletions(-)

diff --git a/phpmalwarefinder b/phpmalwarefinder
index 354ab91..20d3cee 100755
--- a/phpmalwarefinder
+++ b/phpmalwarefinder
@@ -7,39 +7,55 @@ NICE_BIN=$(type -P nice)
 
 if [ ! -f "$YARA" ]
 then
-	YARA='./yara'
+    YARA='./yara'
 fi
 
 if [ ! -f "$CONFIG_PATH" ]
 then
-	CONFIG_PATH='./malwares.yara'
+    CONFIG_PATH='./malwares.yara'
 fi
 
 if [ -f "${IONICE_BIN}" ]
 then
-	NICE=${IONICE_BIN}
-	NICE_OPTS="-c 3"
+    NICE=${IONICE_BIN}
+    NICE_OPTS="-c 3"
 else
-	if [ -f "${NICE_BIN}" ]
-	then
-		NICE=${NICE_BIN}
-		NICE_OPTS="-n 20"
-	fi
+    if [ -f "${NICE_BIN}" ]
+    then
+        NICE=${NICE_BIN}
+        NICE_OPTS="-n 20"
+    fi
 fi
 
+# before starting yara, check if the file
+one_line_trick() {
+
+  for file in $(find $@ -type f); do
+    line_num=$(wc -l $file | cut -d' ' -f1)
+    char_num=$(wc -c $file | cut -d' ' -f1)
+
+    if [ "$line_num" -le "2" ]; then
+        # humm, 2 lines long file ?
+        if [ "$char_num" -ge "300" ]; then
+            echo TooShort $file
+        fi;
+    fi;
+  done;
+
+}
+
 show_help() {
     cat << EOF
 Usage ${0##*/} [-cfhw] <file|folder> ...
     -c  Optional path to a configuration file
     -f  Fast mode
     -h  Show this help message
-    -t  Specify the number of threads to use (8 by default)
     -v  Verbose mode
 EOF
 }
 
 OPTIND=1
-while getopts "c:fht:v" opt; do
+while getopts "c:fhv" opt; do
     case "$opt" in
         h)
             show_help
@@ -51,9 +67,6 @@ while getopts "c:fht:v" opt; do
         c)
             CONFIG_PATH=${OPTARG}
             ;;
-        t)
-            OPTS="${OPTS} --threads=${OPTARG}"
-            ;;
         v)
             OPTS="${OPTS} -s"
             ;;
@@ -79,16 +92,18 @@ fi
 
 if [ -z $@ ]
 then
-	show_help
-	exit 1
+    show_help
+    exit 1
 fi
 
 if [ ! -e ${NICE} ]
 then
-	echo "No nice program available. Please install ionice or nice."
-	exit 1
+    echo "No nice program available. Please install ionice or nice."
+    exit 1
 fi
 
 OPTS="${OPTS} -r ${CONFIG_PATH}"
 
+one_line_trick $@
+
 ${NICE} ${NICE_OPTS} $YARA $OPTS $@
-- 
cgit v1.3


From 9d0858ea4d31eaf670c44a338b7068bd836b03c5 Mon Sep 17 00:00:00 2001
From: shaddai
Date: Mon, 4 Jan 2016 16:58:23 +0100
Subject: fix overwrite by previous commit

---
 phpmalwarefinder | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/phpmalwarefinder b/phpmalwarefinder
index 20d3cee..186218a 100755
--- a/phpmalwarefinder
+++ b/phpmalwarefinder
@@ -50,12 +50,13 @@ Usage ${0##*/} [-cfhw] <file|folder> ...
     -c  Optional path to a configuration file
     -f  Fast mode
     -h  Show this help message
+    -t Specify the number of threads to use (8 by default)
     -v  Verbose mode
 EOF
 }
 
 OPTIND=1
-while getopts "c:fhv" opt; do
+while getopts "c:fht:v" opt; do
     case "$opt" in
         h)
             show_help
@@ -67,6 +68,9 @@ while getopts "c:fhv" opt; do
         c)
             CONFIG_PATH=${OPTARG}
             ;;
+        t)
+            OPTS="${OPTS} --threads=${OPTARG}"
+            ;;
         v)
             OPTS="${OPTS} -s"
             ;;
-- 
cgit v1.3


From 6b46436de856e51c68eb68999185a6d41a9ef07a Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 17:34:48 +0100
Subject: Add some rules

---
 malwares.yara | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/malwares.yara b/malwares.yara
index de735a7..7167708 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -117,6 +117,7 @@ rule DodgyPhp
         $udp_dos = /sockopen\s*\(['"]udp:\/\//
         $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
         $iis_com = /IIS:\/\/localhost\/w3svc/
+        $user_function = /(call_user_func|create_function)/
 
     condition:
         (any of them or CloudFlareBypass) and not IsWhitelisted
@@ -174,6 +175,8 @@ rule DodgyStrings
         $ = "/etc/resolv.conf"
         $ = "/etc/syslog.conf"
         $ = "/etc/proftpd.conf"
+        $ = "/windows/system32/"
+        $ = "WScript.Shell"
         $ = "WinExec"
         $ = "uname -a" fullword
         $ = "nc -l" fullword
-- 
cgit v1.3


From e6c04caba89f6915c84b247990382461851e08f3 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 17:34:54 +0100
Subject: Add a rule to match multiplescomments

---
 malwares.yara | 1 +
 1 file changed, 1 insertion(+)

diff --git a/malwares.yara b/malwares.yara
index 7167708..ee6ea07 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -65,6 +65,7 @@ rule ObfuscatedPhp
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $strange_arg = /\${\$[0-9a-zA-z]+}/
         $too_many_chr = /(chr\([\d]+\)\.){2,}/
+        $many_comments = /\/\*.{,28}\*\/[^\/]*\/\*/  // Something like as/* */ser/* */t
     condition:
         any of them and not IsWhitelisted
 }
-- 
cgit v1.3


From 1c6cf5f703c3ddeafa43237150f750d4b4ca6a1f Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Mon, 4 Jan 2016 18:09:53 +0100
Subject: Revert a broken/wip commit

---
 malwares.yara    |  1 +
 phpmalwarefinder | 22 ++--------------------
 2 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index ee6ea07..c3679b2 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -199,6 +199,7 @@ rule DodgyStrings
         $ = "ps -aux" fullword
         $ = "b374k" fullword
         $ = /(reverse|web)\s*shell/ nocase
+        $ = /\t{16,}?/
 
         $vbs = /language\s*=\s*vbscript/ nocase
         $asp = "scripting.filesystemobject" nocase
diff --git a/phpmalwarefinder b/phpmalwarefinder
index 186218a..2c11fe0 100755
--- a/phpmalwarefinder
+++ b/phpmalwarefinder
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 
+
 YARA=$(type -P yara)
 CONFIG_PATH='/etc/phpmalwarefinder/malwares.yara'
 IONICE_BIN=$(type -P ionice)
@@ -27,23 +28,6 @@ else
     fi
 fi
 
-# before starting yara, check if the file
-one_line_trick() {
-
-  for file in $(find $@ -type f); do
-    line_num=$(wc -l $file | cut -d' ' -f1)
-    char_num=$(wc -c $file | cut -d' ' -f1)
-
-    if [ "$line_num" -le "2" ]; then
-        # humm, 2 lines long file ?
-        if [ "$char_num" -ge "300" ]; then
-            echo TooShort $file
-        fi;
-    fi;
-  done;
-
-}
-
 show_help() {
     cat << EOF
 Usage ${0##*/} [-cfhw] <file|folder> ...
@@ -94,7 +78,7 @@ then
     exit 1
 fi
 
-if [ -z $@ ]
+if [ -z "$@" ]
 then
     show_help
     exit 1
@@ -108,6 +92,4 @@ fi
 
 OPTS="${OPTS} -r ${CONFIG_PATH}"
 
-one_line_trick $@
-
 ${NICE} ${NICE_OPTS} $YARA $OPTS $@
-- 
cgit v1.3


From 44dd7450c5f957f37f9d55a69cd24c9a24332a30 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 5 Jan 2016 10:44:38 +0100
Subject: Cleanup the wordlist

---
 malwares.yara | 69 +++++++++++++++++++++++++++++------------------------------
 1 file changed, 34 insertions(+), 35 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index c3679b2..5bf6dd3 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -171,35 +171,39 @@ rule DangerousPhp
 rule DodgyStrings
 {
     strings:
+        $ = "/../../../"
+        $ = /\/bin\/(ba)?sh/ fullword
         $ = "/etc/passwd"
-        $ = "/etc/shadow"
+        $ = "/etc/proftpd.conf"
         $ = "/etc/resolv.conf"
+        $ = "/etc/shadow"
         $ = "/etc/syslog.conf"
-        $ = "/etc/proftpd.conf"
+        $ = "/proc/cpuinfo" fullword
         $ = "/windows/system32/"
         $ = "WScript.Shell"
         $ = "WinExec"
-        $ = "uname -a" fullword
-        $ = "nc -l" fullword
-        $ = "ls -la" fullword
+        $ = "b374k" fullword nocase
+        $ = "backdoor" fullword nocase
+        $ = "c99shell" fullword nocase
         $ = "cmd.exe" fullword nocase
-        $ = "ipconfig" fullword nocase
-        $ = "find . -type f" fullword
         $ = "defaced" fullword nocase
-        $ = "slowloris" fullword nocase
-        $ = "id_rsa" fullword
-        $ = "backdoor" fullword nocase
-        $ = "webshell" fullword nocase
         $ = "exploit" fullword nocase
-        $ = "hacking" fullword nocase
-        $ = "hacker" fullword nocase
-        $ = "/proc/cpuinfo" fullword
-        $ = "/bin/sh" fullword
-        $ = "/bin/bash" fullword
+        $ = "find . -type f" fullword
+        $ = /hack(ing|er)/ nocase
+        $ = "hashcrack" nocase
+        $ = "id_rsa" fullword
+        $ = "ipconfig" fullword nocase
+        $ = "kingdefacer" nocase
+        $ = "locus7s" nocase
+        $ = "ls -la" fullword
+        $ = "nc -l" fullword
         $ = "ps -aux" fullword
-        $ = "b374k" fullword
+        $ = "rootkit" fullword nocase
+        $ = "slowloris" fullword nocase
+        $ = "uname -a" fullword
+        $ = "warez" fullword nocase
         $ = /(reverse|web)\s*shell/ nocase
-        $ = /\t{16,}?/
+        $ = /\t{16,}?/  /* a lot of spaces */
 
         $vbs = /language\s*=\s*vbscript/ nocase
         $asp = "scripting.filesystemobject" nocase
@@ -211,28 +215,23 @@ rule DodgyStrings
 rule Websites
 {
     strings:
-        $ = "milw0rm.com"
-        $ = "exploit-db.com"
         $ = "1337day.com"
-        $ = "rapid7.com"
-        $ = "shodan.io"
-        $ = "packetstormsecurity"
+        $ = "antichat.ru"
+        $ = "ccteam.ru"
         $ = "crackfor" nocase
-        $ = "md5.rednoize"
-        $ = "hashcracking" nocase
         $ = "darkc0de" nocase
-        $ = "securityfocus" nocase
-        $ = "antichat.ru"
-        $ = "KingDefacer" nocase
+        $ = "egyspider.eu"
+        $ = "exploit-db.com"
+        $ = "fopo.com.ar"  /* Free Online Php Obfuscator */
+        $ = "hashchecker.com"
+        $ = "hashkiller.com" nocase
         $ = "md5crack.com"
         $ = "md5decrypter.com"
-        $ = "hashkiller.com"
-        $ = "hashchecker.com"
-        $ = "www.fopo.com.ar"  /* Free Online Php Obfuscator */
-        $ = "ccteam.ru"
-        $ = "locus7s.com"
-        $ = "b374k"
-        $ = "www.egyspider.eu"
+        $ = "milw0rm.com"
+        $ = "packetstormsecurity" nocase
+        $ = "rapid7.com"
+        $ = "securityfocus" nocase
+        $ = "shodan.io"
 
     condition:
         any of them and not IsWhitelisted
-- 
cgit v1.3


From f43dbd42d43f227fc45fd6a9d648b91929c1bdf9 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 5 Jan 2016 13:29:27 +0100
Subject: Refactor the `;eval(` rule

---
 malwares.yara | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index 5bf6dd3..dd656ef 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -57,10 +57,10 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
     strings:
-        $eval = /[;{}]*[\t ]*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/  // ;eval( <- this is dodgy
+        $eval = /(<\?php\s*\n*\r*|[;{}])\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)/  // ;eval( <- this is dodgy
         $b374k = "'ev'.'al'"
         $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
-        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
+        $oneliner = /<\?php\s*\n*\r*\s*@?(eval|preg_replace|system|exec|assert|passthru|win_shell_execute)\(/
         $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
         $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
         $strange_arg = /\${\$[0-9a-zA-z]+}/
@@ -203,7 +203,6 @@ rule DodgyStrings
         $ = "uname -a" fullword
         $ = "warez" fullword nocase
         $ = /(reverse|web)\s*shell/ nocase
-        $ = /\t{16,}?/  /* a lot of spaces */
 
         $vbs = /language\s*=\s*vbscript/ nocase
         $asp = "scripting.filesystemobject" nocase
-- 
cgit v1.3


From 692db78fed2beae3f8fee2de350df678052228b1 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 5 Jan 2016 14:11:54 +0100
Subject: Update the documentation

---
 README.md | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 9e8abd6..6bb566b 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,8 @@ Detect potentially malicious PHP files.
 
 ## What does it detect?
 
-PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malwares/webshells.
+PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as
+files using PHP functions often used in malwares/webshells.
 
 The following list of encoders/obfuscators/webshells are also detected:
 
@@ -32,10 +33,13 @@ The following list of encoders/obfuscators/webshells are also detected:
 * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
 * [tennc]( http://tennc.github.io/webshell/ )
 
+Of course it's easy to bypass PMF, but its goal is to catch kiddies and idiots,
+not people with a working brain.
 
 ## How does it work?
 
-Detection is performed by crawling the filesystem and testing files against a [set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara )
+Detection is performed by crawling the filesystem and testing files against a
+[set]( https://github.com/nbs-system/php-malware-finder/blob/master/malwares.yara )
 of [YARA](https://plusvic.github.io/yara/) rules. Yes, it's that simple!
 
 
@@ -47,6 +51,7 @@ Usage phpmalwarefinder [-cfhw] <file|folder> ...
 	-c  Optional path to a configuration file
 	-f  Fast mode
 	-h  Show this help message
+    -t  Specify the number of threads to use (8 by default)
 	-v  Verbose mode
 ```
 
@@ -59,7 +64,8 @@ $ yara -r ./malwares.yara /var/www
 ## Whitelisting
 
 Check the [whitelist.yara]( https://github.com/nbs-system/php-malware-finder/blob/master/whitelist.yara ) file.
-If you're lazy, you can generate whitelists for entire folders with the [generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.
+If you're lazy, you can generate whitelists for entire folders with the
+[generate_whitelist.py]( https://github.com/nbs-system/php-malware-finder/blob/master/generate_whitelist.py ) script.
 
 ## Licensing
 
-- 
cgit v1.3


From 8a8b9f69e8f163d5c8d9653ff8484aaf699f2897 Mon Sep 17 00:00:00 2001
From: shaddai
Date: Tue, 12 Jan 2016 11:31:26 +0100
Subject: new malware repository added

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/README.md b/README.md
index 6bb566b..67dad30 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,8 @@ The following list of encoders/obfuscators/webshells are also detected:
 * [phpencode]( http://phpencode.org )
 * [webtoolsvn]( http://www.webtoolsvn.com/en-decode/ )
 * [tennc]( http://tennc.github.io/webshell/ )
+* [web-malware-collection]( https://github.com/nikicat/web-malware-collection )
+
 
 Of course it's easy to bypass PMF, but its goal is to catch kiddies and idiots,
 not people with a working brain.
-- 
cgit v1.3


From 002f75633c6968ec824e7da8fa6682a248e719ad Mon Sep 17 00:00:00 2001
From: shaddai
Date: Tue, 12 Jan 2016 11:34:09 +0100
Subject: new rules : ini_get, disable_magic_quotes and restore_bypass updated

these rules were added in order to detect new malware samples from https://github.com/nikicat/web-malware-collection---
 malwares.yara | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/malwares.yara b/malwares.yara
index dd656ef..3f7ee83 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -110,7 +110,9 @@ rule DodgyPhp
         $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
-        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir)['"]\)/
+        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+        $ini_get = /ini_get\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir|register_globals)['"]\)/
+     
         $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
         $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
         $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
@@ -119,6 +121,8 @@ rule DodgyPhp
         $iniset_urlinclude = /ini_set\('allow_url_include,\ * 1'\)/
         $iis_com = /IIS:\/\/localhost\/w3svc/
         $user_function = /(call_user_func|create_function)/
+        $disable_magic_quotes = /set_magic_quotes_runtime\(0\)/
+
 
     condition:
         (any of them or CloudFlareBypass) and not IsWhitelisted
-- 
cgit v1.3