From e07b47d18e10027d5967de21c56b8721b89bb58d Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Tue, 23 Feb 2016 15:25:28 +0100
Subject: Add more simple signatures

---
 php-malware-finder/malwares.yara | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/php-malware-finder/malwares.yara b/php-malware-finder/malwares.yara
index 0d8ca4e..4603b76 100644
--- a/php-malware-finder/malwares.yara
+++ b/php-malware-finder/malwares.yara
@@ -185,6 +185,9 @@ rule DodgyStrings
 {
     strings:
         $ = ".ssh/authorized_keys"
+        $ = ".bash_history"
+        $ = ".mysql_history"
+        $ = /-perm -0[24]000/ // find setuid files
         $ = "/(.*)/e" // preg_replace code execution
         $ = "/../../../"
         $ = "/etc/passwd"
@@ -202,6 +205,7 @@ rule DodgyStrings
         $ = "c99shell" fullword nocase
         $ = "cmd.exe" fullword nocase
         $ = "defaced" fullword nocase
+        $ = "evilc0ders" fullword nocase
         $ = "exploit" fullword nocase
         $ = "find . -type f" fullword
         $ = "hashcrack" nocase
@@ -253,6 +257,7 @@ rule Websites
         $ = "rapid7.com" nocase
         $ = "securityfocus" nocase
         $ = "shodan.io" nocase
+        $ = "github.com/b374k/b374k" nocase
 
     condition:
         any of them and not IsWhitelisted
-- 
cgit v1.3
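Review bot: The trailing comment on the new regex `$ = /-perm -0[24]000/ // find setuid files` understates what the pattern matches: `-02000` is the setgid bit, so the comment should read `// find setuid/setgid files`. The character class also pins the signature to exactly those two numeric spellings, so a combined `-06000` mask or the symbolic `-u+s` form of the same find invocation is not covered; if the intent is coverage of privilege-bit hunting rather than this one spelling, the regex is worth widening, with a note explaining the chosen alternatives. `.bash_history` and `.mysql_history` are anonymous strings with neither `fullword` nor a comment, and a single occurrence in a legitimate maintenance script will trigger the rule if DodgyStrings uses the same `any of them` condition the Websites rule shows; a short comment on why these two paths are considered dodgy would help when tuning false positives. The DodgyStrings rule body continues outside this hunk.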
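Review bot: `$ = "github.com/b374k/b374k" nocase` in the Websites hunk is the only entry among the surrounding vendor domains whose purpose is not evident from the string itself, and the first hunk already uses trailing comments for such cases; `$ = "github.com/b374k/b374k" nocase // b374k webshell repository` would make the intent clear. Because the visible condition is `any of them and not IsWhitelisted`, this single path is enough to fire the rule on its own, which is reasonable for a repository reference but worth stating so the next maintainer does not assume it must co-occur with other indicators.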