/*
    Detect:
        - phpencode.org
        - http://www.pipsomania.com/best_php_obfuscator.do
        - http://atomiku.com/online-php-code-obfuscator/
        - http://www.webtoolsvn.com/en-decode/
        - http://obfuscator.uk/example/
        - http://w3webtools.com/encode-php-online/
        - http://www.joeswebtools.com/security/php-obfuscator/
        - https://github.com/epinna/weevely3
        - http://cipherdesign.co.uk/service/php-obfuscator
        - http://sysadmin.cyklodev.com/online-php-obfuscator/
        - http://mohssen.org/SpinObf.php
        - https://code.google.com/p/carbylamine/
*/

private rule IsPhp
{
    strings:
        $php = "<?"
        $xml = "<?xml"

    condition:
        $php and not $xml
}

private rule IRC
{
    strings:
        $a = "USER" fullword
        $b = "PASS" fullword
        $c = "PRIVMSG" fullword
        $d = "MODE" fullword
        $e = "PING" fullword
        $f = "PONG" fullword
        $g = "JOIN" fullword
        $h = "PART" fullword

    condition:
        5 of them
}

private rule CloudFlareBypass
{
    strings:
        $chk_jschl = "chk_jschl"
        $jschl_vc = "jschl_vc"
        $jschl_answer = "jschl_answer"

    condition:
        2 of them // Better be safe than sorry
}

rule ObfuscatedPhp
{
    strings:
        $vars = /\$__+/ // $__ is rarely used in legitimate scripts
        $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/  // ;eval( <- this is dodgy
        $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/  //b374k
        $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
        $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/  // weevely3 launcher
        $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/  // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
        $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
        $strange_arg = /\${\$[0-9a-zA-z]+}/
    condition:
        IsPhp and ($align or $oneliner or $eval or $launcher or $strange_arg or #vars > 5 or $weevely3 or $danone)
}

private rule base64
{
    strings:
        $eval = "ZXZhbCg"
        $system = "c3lzdGVt"
        $preg_replace = "cHJlZ19yZXBsYWNl"
        $exec = "ZXhlYyg"
    condition:
        any of them
}

private rule hex
{
    strings:
      $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
      $exec = "\\x65\\x78\\x65\\x63" nocase
      $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
      $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
    
    condition:
        any of them
}

rule SuspiciousEncoding
{
    condition:
        IsPhp and (base64 or hex)
}

rule DodgyPhp
{
    strings:
        $execution = /(eval|passthru|exec|system|win_shell_execute)\((base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|\\?\$_(GET|REQUEST|POST))/
        $double_encoding = /(base64_decode\s*\(\s*){2}/
        $basedir_bypass = /(curl_init\([\"']file:[\"']|file:file:\/\/)/
        $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
        $shellshock = /putenv\(["']PHP_[^=]=\(\) { [^}] };/
        $restore_bypass = /ini_restore\(['"](safe_mode|open_basedir)['"]\)/
        $various = "<!--#exec cmd="  //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec
        $pr = /preg_replace\s*\(['"]\/[^\/]*\/e['"]/  // http://php.net/manual/en/function.preg-replace.php
        $include = /include\([^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
        $htaccess = "SetHandler application/x-httpd-php"
        $udp_dos = /sockopen\s*\(['"]udp:\/\//

    condition:
        IsPhp and (any of them or CloudFlareBypass)
}

rule DangerousPhp
{
    strings:
        $system = "system" fullword  // localroot bruteforcers have a lot of this

        $a = "exec" fullword
        $b = "eval" fullword
        $c = "shell_exec" fullword
        $v = "passthru" fullword
        $e = "posix_getuid" fullword
        $f = "posix_geteuid" fullword
        $g = "posix_getgid" fullword
        $h = "phpinfo" fullword
        $i = "backticks" fullword
        $j = "proc_open" fullword
        $k = "win_shell_execute" fullword
        $l = "win32_create_service" fullword
        $m = "posix_getpwuid" fullword
        $n = "shm_open" fullword
        $o = "assert" fullword
        $p = "fsockopen" fullword
        $q = "function_exists" fullword
        $r = "getmygid" fullword
        $s = "php_uname" fullword
        $t = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)"
        $u = "fpassthru" fullword
        $v = "posix_setuid" fullword
        $w = "xmlrpc_decode" fullword
        $x = "show_source" fullword
        $y = "pcntl_exec" fullword

        $whitelist = /escapeshellcmd|escapeshellarg/

    condition:
        IsPhp and not $whitelist and (5 of them or #system > 250)
}

rule DodgyStrings
{
    strings:
        $a = "/etc/passwd"
        $b = "/etc/shadow"
        $c = "/etc/resolv.conf"
        $d = "/etc/syslog.conf"
        $e = "/etc/proftpd.conf"
        $e = "WinExec"
        $f = "uname -a" fullword
        $g = "nc -l" fullword
        $h = "ls -la" fullword
        $i = "cmd.exe" fullword nocase
        $j = "ipconfig" fullword nocase
        $k = "find . -type f" fullword
        $l = "defaced" fullword nocase
        $m = "slowloris" fullword nocase
        $o = "id_rsa" fullword
        $p = "backdoor" fullword nocase
        $q = "webshell" fullword nocase
        $r = "exploit" fullword nocase
        $s = "hacking" fullword nocase
        $t = "/proc/cpuinfo" fullword
        $u = "/bin/sh" fullword
        $v = "/bin/bash" fullword
        $w = "ps -aux" fullword
        $x = "b374k" fullword
        $y = /(reverse|web)\s*shell/ nocase

        $vbs = /language\s*=\s*vbscript/ nocase
        $asp = "scripting.filesystemobject" nocase

    condition:
        IsPhp and (IRC or 2 of them)
}

rule Websites
{
    strings:
        $milw0rm = "milw0rm.com"
        $exploitsdb = "exploit-db.com"
        $injector = "1337day.com"
        $rapid7 = "rapid7.com"
        $shodan = "shodan.io"
        $packetstorm = "packetstormsecurity"
        $crackfor = "crackfor" nocase
        $rednoize = "md5.rednoize"
        $hashcracking = "hashcracking" nocase
        $darkc0de = "darkc0de" nocase
        $securityfocus = "securityfocus" nocase
        $antichat = "antichat.ru"
        $kingdefacer = "KingDefacer" nocase
        $md5crack = "md5crack.com"
        $md5crack = "md5decrypter.com"
        $hashkiller = "hashkiller.com"
        $hashchecker = "hashchecker.com"
        $fopo = "http://www.fopo.com.ar/"
        $ccteam = "ccteam.ru"
        $locus = "locus7s.com"

    condition:
        IsPhp and any of them
}