From f64970d0cf4c66158d023d8e60edcc4e336d7692 Mon Sep 17 00:00:00 2001
From: Julien (jvoisin) Voisin
Date: Thu, 16 Jun 2016 13:14:15 +0200
Subject: Add some dodgy strings

---
 php-malware-finder/common.yar | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/php-malware-finder/common.yar b/php-malware-finder/common.yar
index 2add775..0dd373f 100644
--- a/php-malware-finder/common.yar
+++ b/php-malware-finder/common.yar
@@ -95,6 +95,7 @@ rule DodgyStrings
 $ = "ls -la" fullword
 $ = "meterpreter" fullword
 $ = "nc -l" fullword
+$ = "netstat -an" fullword
 $ = "php://"
 $ = "ps -aux" fullword
 $ = "rootkit" fullword nocase
@@ -105,10 +106,11 @@ rule DodgyStrings
 $ = "visbot" nocase fullword
 $ = "warez" fullword nocase
 $ = "whoami" fullword
-$ = /(reverse|web|cmd)\s*shell/ nocase
+$ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase
 $ = /-perm -0[24]000/ // find setuid files
 $ = /\/bin\/(ba)?sh/ fullword
 $ = /hack(ing|er|ed)/ nocase
+$ = /(safe_mode|open_basedir) bypass/ nocase
 $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
 $vbs = /language\s*=\s*vbscript/ nocase
@@ -136,6 +138,7 @@ rule Websites
 $ = "milw0rm.com" nocase
 $ = "milw00rm.com" nocase
 $ = "packetstormsecurity" nocase
+$ = "pentestmonkey.net" nocase
 $ = "rapid7.com" nocase
 $ = "securityfocus" nocase
 $ = "shodan.io" nocase
-- 
cgit v1.3
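Review bot: The new `"netstat -an" fullword` string in the first hunk only matches that exact flag spelling, because `fullword` requires a non-alphanumeric character right after the `n`, so the common variants with extra flags (`netstat -anp`, `netstat -ano`, `netstat -antp`) are not covered. If the intent is to catch the command rather than one flag combination, a regex such as `$ = /netstat -a[a-z]*/` would cover the variants while staying at least as specific as the sibling `"ps -aux" fullword` entry. The same string is also plausible in benign diagnostic scripts, so the weight it carries depends on the rule's condition, which lies outside this hunk.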
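Review bot: The added `/(safe_mode|open_basedir) bypass/ nocase` line in the second hunk hard-codes a single literal space, whereas the neighbouring shell pattern on the same hunk tolerates whitespace with `\s*`; a double space, an underscore, or a line break between the two words will be missed. Something like `$ = /(safe_mode|open_basedir)[\s_]*bypass/ nocase` keeps the same intent with the same tolerance as the rewritten `sh[e3]ll` pattern. As a point of style, the rewritten regex mixes `[e3]` and `[3e]` (`w[3e]b`) for the same character class; using one order throughout makes later edits to the leet-speak variants less error-prone. The enclosing `rule DodgyStrings` and its condition begin and end outside this hunk.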