From d5030794503901bc94121663d0a8d96ba6533f5f Mon Sep 17 00:00:00 2001
From: Julien "shaddai" Reveret
Date: Fri, 9 Oct 2015 16:52:10 +0200
Subject: tested php-malware-finder against many webshells, completed the signature lists

---
 debian/changelog | 8 ++++++++
 php-malware-finder/malwares.yara | 13 ++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 2489d7a..64332b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+nbs-phpmalwarefinder (0.2.0-1~deb##version+nbs20151009) wheezy; urgency=medium
+
+ * Now supports whitelist using yara hash function
+ * New detection rules added (tested against
+ https://github.com/tennc/webshell malware collection)
+
+ -- jre Fri, 09 Oct 2015 14:58:45 +0200
+
 nbs-phpmalwarefinder (0.1.1-1~deb##version+nbs20150428) wheezy; urgency=medium
 
 * new dependecy on util-linux since the script is using ionice
diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 569f16c..27ba8bf 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -15,6 +15,7 @@ include "whitelist.yara"
  - http://sysadmin.cyklodev.com/online-php-obfuscator/
  - http://mohssen.org/SpinObf.php
  - https://code.google.com/p/carbylamine/
+ - https://github.com/tennc/webshell
 */
 
 global private rule IsPhp
@@ -57,11 +58,13 @@ rule ObfuscatedPhp
 {
 strings:
 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec|assert|passthru)\(/ // ;eval( <- this is dodgy
+ $b374k = /'ev'\.'al'/
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec|assert|passthru)\(/
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $strange_arg = /\${\$[0-9a-zA-z]+}/
+ $too_many_chr = /(chr\([\d]+\)\.){2,}?/
 condition:
 any of them and not IsWhitelisted
 }
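Review bot: The new `$too_many_chr` string `/(chr\([\d]+\)\.){2,}?/` puts a lazy `{2,}?` on the repeated group, which in a scan-for-any-match rule behaves exactly like `{2}` — nothing follows the group, so the lazy bound never extends the match and the open upper bound buys nothing (assuming the YARA build in use accepts the lazy form at all). The pattern also requires the `.` concatenation to follow `chr(...)` with no whitespace, so a chain written with spaces around the operator (e.g. `chr(65) . chr(66) . chr(67)`, a constructed example) is not matched even though it is the same obfuscation; `/(chr\(\d+\)\s*\.\s*){2,}/` keeps the same minimum of two repetitions and tolerates that spacing. The new `$b374k` string is the only entry in this hunk without a trailing comment naming its origin, unlike the `$align`, `$weevely3` and `$c99_launcher` lines; a `// b374k: 'ev'.'al' string concatenation` comment would keep the rule self-documenting. Because ObfuscatedPhp's condition is `any of them and not IsWhitelisted`, each string added here is an independent trigger and on its own sets the rule's false-positive rate, so the two new patterns deserve the same corpus testing the commit message describes for the rest.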
@@ -100,17 +103,19 @@ rule SuspiciousEncoding
 rule DodgyPhp
 {
 strings:
- $vars = /\$___+/ // $__ is rarely used in legitimate scripts
- $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
+ $vars = /\$__+/ // $__ is rarely used in legitimate scripts
+ $execution = /(eval|assert|passthru|exec|system|win_shell_execute|base64_decode)*?\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST))/
 $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
 $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
 $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
- $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
+ $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir|disable_function|safe_mode_exec_dir|safe_mode_include_dir)['"]\)/
 $various = "