├── .gitignore
├── LICENSE
├── README.md
├── md5ref.json
├── phpmalwarescanner.py
├── phpscanner.py
└── yara
    ├── clamavphp.yara
    ├── phpbackdoor.yara
    ├── phpsuspicious.yara
    └── suspicious.yara


/.gitignore:
--------------------------------------------------------------------------------
1 | *.swp
2 | *.pyc
3 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2014-2015 Planet-Work SARL.
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in
13 | all copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21 | THE SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ## PHP Scanner
 2 | 
 3 | PHP scanner is a tool for identifying php backdoors and php malicious code. It uses three different methods:
 4 | * Check signatures through yara rules (these rules were gathered from ClamAV, [php-malware-finder](https://github.com/nbs-system/php-malware-finder) or created specially for this tool)
 5 | * Check abnormal php syntax by reusing the [php-malware-scanner](https://github.com/planet-work/php-malware-scanner)
 6 | * Check for abnormal MD5 by using a database of hashes for Wordpress, Joomla and Drupal
 7 | 
 8 | #### Usage
 9 | 
10 | ```
11 | usage: phpscanner.py [-h] [-s] [-O] [-v] [-1] [-2] [-3] [-q] FILE [FILE ...]
12 | 
13 | Look for malicious php
14 | 
15 | positional arguments:
16 |   FILE               List of files or directories to be analyzed
17 | 
18 | optional arguments:
19 |   -h, --help         show this help message and exit
20 |   -s, --suspicious   Add rules for suspicious files (more FP)
21 |   -O, --fingerprint  Fingerprint the framework version
22 |   -v, --verbose      verbose level... repeat up to three times.
23 |   -1, --signature    Uses only the signatures
24 |   -2, --pms          Uses only the Php Malware Scanner tool
25 |   -3, --hash         Uses only the hash comparison
26 |   -q, --quiet        Hide scan summary
27 | 
28 | ```
29 | 
30 | #### Example
31 | 
32 | ```
33 | phpscanner.py  .
34 | ./proxy.php -> [SIGNATURE (phpobfuscator)] [PMS]
35 | ./index.php -> [PMS] [HASH]
36 | ./misc/farbtastic/leftpanelsin.php -> [SIGNATURE (phpobfuscator)] [PMS]
37 | ./sites/default/settings.php -> [HASH]
38 | ./sites/default/files/ajax.php -> [PMS]
39 | ./sites/default/files/js/help.php -> [SIGNATURE (phpobfuscator_global)] [PMS]
40 | ./sites/default/files/js/cache.php -> [SIGNATURE (phpobfuscator_global)] [PMS]
41 | ./sites/default/files/data_export_import_extendedstayminnesota.com/info45.php -> [SIGNATURE (phpobfuscator_global)] [PMS]
42 | ./sites/default/files/xmlsitemap/general63.php -> [SIGNATURE (phpobfuscator_global)] [PMS]
43 | ./sites/default/files/xmlsitemap/model.php -> [PMS]
44 | ./sites/default/files/xmlsitemap/user99.php -> [SIGNATURE (phpobfuscator_global)] [PMS]
45 | ./sites/default/files/xmlsitemap/file.php -> [SIGNATURE (phpobfuscator_global)] [PMS]
46 | ./modules/profile/ykdizt.php -> [SIGNATURE (wso)] [PMS]
47 | ./modules/menu/xqxi.php -> [SIGNATURE (phpobfuscator)] [PMS]
48 | ./modules/forum/mn.php -> [SIGNATURE (phpobfuscator)] [PMS]
49 | --------------------------------------------
50 | 5432 files scanned
51 | 15 suspicious files found
52 | Execution time: 95.2635200024 seconds
53 | ```
54 | 
55 | #### Fingerprint
56 | 
57 | As the tool embedds a list of md5 hashes for Drupal, Joomla and Wordpress files, it is possible to use it to fingeprint the version of a CMS:
58 | ```
59 | phpscanner.py  -O .
60 | Seems to be DRUPAL7.17 (115 files)
61 | Can also be DRUPAL7.18 (115), DRUPAL7.19 (115), DRUPAL7.21 (115), DRUPAL7.20 (115)
62 | ```
63 | 
64 | Last CMS versions included are:
65 | * Wordpress 4.5.2
66 | * Drupal 8.x-dev
67 | * Joomla 3.6 alpha
68 | 
69 | #### Licence
70 | 
71 | * PHPscanner is under [MIT licence](https://github.com/Te-k/phpscanner/blob/master/LICENSE)
72 | * [php-malware-scanner](https://github.com/planet-work/php-malware-scanner/) is under [MIT licence](https://github.com/planet-work/php-malware-scanner/blob/master/LICENSE)
73 | * [php-malware-finder](https://github.com/nbs-system/php-malware-finder/) is under [GPLv3 licence](https://github.com/nbs-system/php-malware-finder/blob/master/php-malware-finder/LICENSE)
74 | * The YARA project is licensed under the Apache v2.0 licence
75 | * [ClamAV](https://www.clamav.net/) is under GPL licence
76 | 


--------------------------------------------------------------------------------
/phpmalwarescanner.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | # -*- coding: utf-8 -*-
  3 | 
  4 | # Copyright 2014-2015 Planet-Work <f.vanniere@planet-work.com>
  5 | # Source: https://github.com/planet-work/php-malware-scanner
  6 | # License: MIT https://github.com/planet-work/php-malware-scanner/blob/master/LICENSE
  7 | 
  8 | import os,sys
  9 | import re
 10 | import fnmatch
 11 | 
 12 | whitelist = [
 13 |   '/._',
 14 |   'cache/object/000000/',
 15 |   'libraries/simplepie/simplepie.php',
 16 |   '/smarty/cache/',
 17 |   'SimplePie/Misc.php',
 18 |   'libraries/phpxmlrpc/xmlrpc.php',
 19 |   '/typography/googlefonts.php',
 20 |   '/var/cache/deliverycache_',
 21 |   'GPAO/ajouter_clients.php',
 22 |   '/GPAO/modifier_clients2.php',
 23 |   'libraries/openid/Auth/OpenID/Consumer.php',
 24 |   '/includes/utf/data/',
 25 |   'libraries/openid/Auth/OpenID/Association.php',
 26 |   '/module_courriel/form_courriel.php',
 27 |   '/pro-settings.php',
 28 |   '/themes/MmoPress/header.php',
 29 |   '/themes/MmoPress/functions.php',
 30 |   'tcpdf.php',
 31 |   '/wp-includes/upgrade.php',
 32 |   '/includes/et_lb_sample_layouts.php',
 33 |   '/sp_compatibility_test.php',
 34 |   '/tmp/cache/skel/html____',
 35 |   '/assets/styles/css-',
 36 |   '/help.inc.php',
 37 |   'achat/fin_commande.php',
 38 |   '/accessibility.inc.php',
 39 |   '/optimizePressPlugin/lib/',
 40 |   '/wfBrowscapCache.php',
 41 |   'kick-it-2x/footer.php',
 42 |   '/blueidea-10/footer.php',
 43 |   '/three_tennis_balls_scoreboard_spj005/footer.php',
 44 |   '/page-google-maps/view/widget_js.php',
 45 |   '/gardens-amidst-jungle/footer.php',
 46 |   '/With_Rainbows/footer.php',
 47 |   '/naturetravel/footer.php',
 48 |   '/pages/1250793045.php',
 49 |   '/tinymce/preview.php',
 50 |   'polldata/session.php',
 51 |   '/tmplvars.inc.php',
 52 |   '/Command/Factory/FactoryInterface.php',
 53 |   '/Service/Exception/DescriptionBuilderException.php',
 54 |   'iconic-navigation/iconavs_icons.php',
 55 |   '/classes/TinyPspellShell.class.php',
 56 |   'aklazy/aklazy/main.php',
 57 |   '/inc/RecupDocsTheme.php',
 58 |   '/function.eval.php',
 59 |   '/trans_box.php',
 60 |   'newstoday/footer.php',
 61 |   '/md_mix.inc.php',
 62 |   '/import.inc.php',
 63 |   '/cache/twig/',
 64 |   '/transliteration/data/',
 65 |   '/Transliterator/data/x',
 66 |   '/patterns/',
 67 |   '/ecrire/lang/public_',
 68 |   'phocagallery/render/renderinfo.php',
 69 |   'Faker/Provider',
 70 |   '/ecrire/lang/ecrire_',
 71 |   '/ecrire/lang/spip_',
 72 |   '/symfony/vendors.php',
 73 |   'stat/images/os.php',
 74 |   'js_composer/config/templates.php',
 75 |   'leaflet-maps-marker/leaflet-exportcsv.php',
 76 |   '/auth/iso639-2.php',
 77 |   '/includes/lang/.*\.inc\.php',
 78 |   '.yml.php',
 79 |   '.js.php',
 80 |   'cache/siteCache.idx.php',
 81 |   '/wpsr-services-selector.php',
 82 |   '/mpdf56/examples',
 83 |   '/mpdf50/examples',
 84 |   'wp-admin-bar-removal/wp-admin-bar-removal.php',
 85 |   'includes/admin/dummy.php',
 86 |   'tcpdf/fonts/',
 87 |   '/shortcodes/googlemaps.php',
 88 |   '/infocus/activation.php',
 89 |   'admin/core/core-help-text.php',
 90 |   '/theme-check/checks/badthings.php',
 91 |   '_compatibility_test/sdk_compatibility_test.php',
 92 |   'compatibility_test/sp_compatibility_test.php',
 93 |   '/panel/shortcodes/ui.php',
 94 |   #'tiny_mce/plugins/ajaxfilemanager/',
 95 |   'tcpdf/fonts/pdfasymbol.php',
 96 |   'libraries/facebook-php-sdk/src/base_facebook.php',
 97 |   'Auth/NTLMAuthenticatorTest.php',
 98 |   'vendor/vendors.php',
 99 |   '/bin/vendors.php',
100 |   'ap_ProdProjectContainer.php',
101 |   'lib/htmLawed.php',
102 |   '/editors/xinha.php',
103 |   '/akismet/views/notice.php',
104 |   'System/Model/Base/RouteGateway.php',
105 |   'System/Model/Base/AdminrouteGateway.php ',
106 |   'Comment/Model/Base/PostGateway.php',
107 |   '/Sluggable/Util/data/x',
108 |   '/ttfontdata/',
109 |   'GDEFdata.php',
110 |   'includes/facebook-php-sdk/base_facebook.php',
111 |   'wp-content/plugins/wysija-newsletters/helpers/render_engine.php',
112 |   'wp-content/plugins/wysija-newsletters/views/back/campaigns.php',
113 |   'wp-content/plugins/wysija-newsletters/helpers/render_engine.php', 
114 |   'wp-content/plugins/broken-link-checker/idn/uctc.php',
115 |   'wp-includes/class-IXR.php',
116 |   'wp-includes/SimplePie/Sanitize.php',
117 |   'wp-admin/includes/ajax-actions.php',
118 |   'wp-content/plugins/codestyling-localization/codestyling-localization.php',
119 |   '/nusoap.php',
120 |   'shortcodes/vc_raw_html.php',
121 |   '/class-pclzip.php',
122 |   '/pclzip/pclzip.lib.php',
123 |   '/pclzip/pclzip.php',
124 |   '/inc_php/framework/base_admin.class.php',
125 |   'wp-includes/class-wp-atom-server.php',
126 |   'wp-includes/class-simplepie.php',
127 |   'wp-includes/class-wp-customize-widgets.php',
128 |   'wp-admin/includes/file.php',  
129 |   'wp-admin/js/revisions-js.php',
130 |   '/wp-app.php',
131 |   '/CallbackColumn.php',
132 |   'sitepress-multilingual-cms/res/languages.csv.php',
133 |   'content/plugins/better-wp-security/core/class-itsec-core.php',
134 |   'content/plugins/w3-total-cache/lib/W3/Plugin/Minify.php',
135 |   'content/plugins/w3-total-cache/lib/SNS/sdk.class.php',
136 |   'content/plugins/codestyling-localization/codestyling-localization.php',
137 |   '_tcpdf/tcpdf.php',
138 |   'tcpdf/examples/example_',
139 |   'src/ext/htmlsql.class.php',
140 |   'plugins/wplite/wplite.php',
141 |   'plugins/nospamnx/ws1.php',
142 |   'bepro-listings/bepro_listings.php',
143 |   '/wpposticon.php',
144 |   '/better-wp-security/core/class-itsec-core.php',
145 |   '/app/cache/dev/',
146 |   '/app/cache/prod/',
147 |   'administrator/components/com_remository/admin.remository.html.php',
148 |   'administrator/components/com_remository/admin.remository.html.php',
149 |   'ultimate-coming-soon-page/framework/framework.php',
150 |   'wp-content/plugins/shortcodes-ultimate/inc/core/shortcodes.php',
151 |   'wp-content/plugins/shortcodes-ultimate/inc/vendor/sunrise.php',
152 |   'wp-content/plugins/ultimate-coming-soon-page/framework/framework.php',
153 |   '/XmlRpcClientRemote/XmlRpc.php',
154 |   'sitepress-multilingual-cms/inc/installer/includes/installer.class.php',
155 |   '/Amf/Server.php',
156 |   'src/facebook.php',
157 |   '/spellchecker.php',
158 |   'util/php/ajax/filters.php',
159 |   'lib/class/SEO_URL.class.php',
160 |   'ebservice/dispatcher.php',
161 |   'include/js/jsval.php',
162 |   'include/js/lytebox.php',
163 |   'include/class.TCPDF.php',
164 |   'SimplePie/Sanitize.php',
165 |   'plugins/gravityforms/common.php',
166 |   'plugins/gravityforms/form_detail.php',
167 |   'gravityforms/includes/addon/class-gf-results.php',
168 |   'w3-total-cache/inc/functions/multisite.php',
169 |   '/ezpublish/cache/',
170 | ]
171 | 
172 | debug = True
173 | line_early = 15
174 | scoring = {
175 |   'WHITELISTED'             : ( -10, u'fichier en whitelist manuelle'),
176 |   'WHITELISTED_LINE'        : ( -10, u'ligne en whitelist manuelle'),
177 |   'PHP_COMMENTS'            : ( -10, u'Fichier commence proprement avec une description'),
178 |   'CLASS_FUNCTION'          : ( -10, u'Fonction ou classe définie au tout début'),
179 |   'BASE64_STRING'           : ( 50, u'Motif base64 trouvé'),
180 |   'CRYPT_PHP'               : ( 50, u'Script CryptPHP qui inclue social.png'),
181 |   'PHP_SHELL'               : ( 50, u'Script Shell'),
182 |   'PHP_OBFUSC_SHELL'        : ( 50, u'Script Shell caché'),
183 |   'ACCESS_DENIED'           : (-30, u'Execution bloquée en tout début de fichier'),
184 |   'JAVASCRIPT_HACK'         : (50, u'Hack javascript'),
185 |   'HAS_EVAL'                : (2,u'Contient eval()'),
186 |   'HAS_EVAL_EARLY'          : (10,u'Contient eval() en début de fichier'),
187 |   'HAS_CALL_FUNC_EARLY'     : (3,u'Contient call_user_func() en début de fichier'),
188 |   'HAS_BASE64DECODE'        : (2,u'Contient base64_decode() ou str_rot13()'),
189 |   'HAS_BASE64DECODE_EARLY'  : (10,u'Contient base64_decode() ou str_rot13() en début de fichier'),
190 |   'HAS_MAIL'                : (1,u'Contient mail()'),
191 |   'HAS_MAIL_EARLY'          : (2,u'Contient mail() en début de fichier'),
192 |   'LONG_LINE'               : (5,u'Contient une ligne de plus de 1000 caractères'),
193 |   'LONG_LINE_EARLY'         : (10,u'Contient une ligne de plus de 1000 caractères début de fichier'),
194 |   'VERY_LONG_LINE'          : (5,u'Contient une ligne de plus de 3000 caractères'),
195 |   'VERY_LONG_LINE_EARLY'    : (10,u'Contient une ligne de plus de 3000 caractères en début de fichier'),
196 |   'MD5_VAR'                 : (10,u'Contient une variable encodée en MD5'),
197 |   'INCLUDE_REQUIRE'         : (-2,u'Contient include() ou require() sans http'),
198 |   'COOKIE_FORM1'            : (20,u'Contient form1=@$_COOKIE'),
199 |   'MAIL_X_HEADER'           : (5,u'Contient mail.add_x_header'),
200 |   'SET_TIME_0'              : (5,u'Contient set_time_limit(0)'),
201 |   'SET_ERRORREPORTING_0'    : (2,u'Contient error_reporting(0)'),
202 |   'SET_TIMELIMIT_0'         : (2,u'Contient memory_limit(0)'),
203 |   'SET_IGNOREUSERABORT_0'   : (2,u'Contient ignore_user_abort()'),
204 |   'UPLOAD_FILE'             : (2,u'Contient move_uploaded_file()'),
205 |   'FEW_LINES'               : (0,u'Contient peu de lignes'), 
206 |   'EMPTY_FILE'               : (-100,u'Fichier vide'), 
207 |   'MANY_LINES'              : (-2,u'Contient beaucoup de lignes'), 
208 |   'MANY_LINES2'             : (-5,u'Gros fichier avec de lignes'), 
209 |   'MANY_LINES3'             : (-10,u'Très gros fichier avec de lignes'), 
210 |   'BAD_NEWLINES'            : (-5,u'Ficher sur 1 ligne sans saut de ligne'),
211 |   'NO_PHP_START'            : (-5,u'Ne commence pas par <?'),
212 |   'UA_GOOGLE'               : (5,u'Vérifie le User-Agent contre Google'),
213 |   'EXEC_SHELL'              : (5,u'Utilise system() ou shell_exec()'),
214 |   'CONCAT_STRING'           : (10,u'Chaine cachée par concaténation'), 
215 |   'MANY_GLOBALS'           : (20,u'Contient très souvent $GLOBALS'), 
216 |   'BIN_HOST'                : (10,u'contient /bin/host'), 
217 |   'SHELL_COMPACT'           : (5,u'2eme ligne louche (shell?)'),
218 |   'CURL_HTTP'               : (5,u'téléchargement HTTP'),
219 |   'XXTEA_ENCRYPT'           : (20,u'Code source encode avec XXTEA (possible ransomware)'),
220 | }
221 | 
222 | 
223 | def is_hacked(filename):
224 |    if '/cache/object/000000/' in filename or '/cache/db/000000/' in filename or \
225 |       'cache/js-' in filename or 'cache/css-' in filename or '/css/css-' in filename:
226 |        return False
227 |    score = []
228 |    line_num = 0
229 |    whitelisted = False
230 |    clean_PCT4 = False
231 |    clean_evalbase64 = False
232 |    cleanup_available = False
233 |    first_lines = []
234 |    try:
235 |       f = open(filename,'rU')
236 |    except IOError:
237 |        return False
238 | 
239 |    for i in range(15):
240 |       first_lines.append(f.readline().rstrip())
241 |    f.close()
242 | 
243 |    f = open(filename,'rU')
244 | 
245 |    php_code = f.read();
246 |    php_code = php_code.replace("'.\n      '",'').replace('\'.\n\'','')
247 |    has_var_http = False
248 |    has_long_line = False
249 |    has_very_long_line = False
250 |    previous_line = ''
251 | 
252 |    for w in whitelist:
253 |       if w in filename:
254 |          score.append(('WHITELISTED',w))
255 | 
256 |    ## Javascript file
257 |    if fnmatch.fnmatch(filename, '*.js'):
258 |        for l in php_code.split('\n'):
259 |            if 'eval(function(p,a,c,k,e,d)' in l and '|http|' in l and ('|blackberry|' in l):
260 |                score.append(('JAVASCRIPT_HACK',''))
261 |        total_score = 0
262 |        score_details = []
263 |        score_done = []
264 |        for sco,detail in score:
265 |            if sco in score_done:
266 |               continue
267 |            score_done.append(sco)
268 |            total_score += scoring[sco][0]
269 |            score_details.append({'rule' : sco, 
270 |                                  'details' : detail.encode('utf-8'), 
271 |                                  'score' : scoring[sco][0], 
272 |                                  'description' :  scoring[sco][1].encode('utf-8')})
273 | 
274 |        if filename[0] != '/':
275 |            filename = os.getcwd()  + '/' + filename
276 | 
277 |        return {'filename' : filename,
278 |                'score' : total_score,
279 |                'mtime' : os.stat(filename).st_mtime,
280 |                'ctime' : os.stat(filename).st_ctime,
281 |                'details' : score_details,
282 |                'cleanup' : cleanup_available}
283 | 
284 |    ## PHP file
285 |    for l in php_code.split('\n'):
286 |       if len(l.strip()) == 0:
287 |           continue
288 |       line_num += 1
289 | 
290 |       if l.strip()[0] in ['#','*']:
291 |          continue
292 | 
293 |       if l.count('"."') + l.count("'.'") > 50:
294 |          score.append(('CONCAT_STRING' ,'%i concat' % (l.count('","') + l.count("'.'") ) ))
295 |       if l.count('$GLOBALS[') > 20:
296 |          score.append(('MANY_GLOBALS' ,'%i globals' % (l.count('","') + l.count("'.'") ) ))
297 |       l = l.replace('","','').replace("'.'",'')
298 |       if ( 'die("Access Denied");' in l or '<?php return; ?>' in l or '<?php exit' in l or '<?php exit;?>' in l \
299 |            or l.find('<?php die (') == 0  or l.find('<?php die (') == 0\
300 |            or '<?php die(' in l or '<?php die; ?>' in l or '<?php /* Smarty version' in l \
301 |            or  "if( !defined( '_VALID_MOS' )" in l or "if (!defined ('ABSPATH')" in l\
302 |            or "if (!defined('BB2_CORE'))" in l \
303 |            or l.find('<?php @Zend;') == 0 \
304 |            or l.find('<?php defined(') == 0 \
305 |            or ( l.find('<?php /* The commercial version is not encoded. This file') == 0  and line_num == 1)\
306 |            or ( l.find('// Before trying to crack the plugin, please consider buying a pro license at ') == 0  and line_num == 1)\
307 |            or l.find('<?php return array(') == 0 \
308 |            or l.find("#<?php die('") == 0) and line_num == 1: 
309 |          score.append(('ACCESS_DENIED' ,''))
310 |       if l.find('/bin/host') >= 0:
311 |           score.append(('BIN_HOST',''))
312 |       if ( 'if( !isset($gCms) ) exit;' in l or \
313 |             "if( !defined( '_VALID_MOS' )" in l or \
314 |             "if (!defined('IN_PHPBB')" in l or \
315 |             "defined('_JEXEC') " in l or "or more information: see languages.txt in the la" in l) \
316 |             and line_num == 2:
317 |          score.append(('ACCESS_DENIED' ,''))
318 |       #if 'Restricted access' in l:
319 |       #    print line_num
320 |       if line_num in [2,3] and ('Direct Access to this location is not allo' in l or 'Restricted access' in l or 'defined(\'_JEXEC\') or die' in l):
321 |           score.append(('ACCESS_DENIED' ,''))
322 |       if line_num == 1 and not l.strip().find('<?')  == 0: 
323 |          score.append(('NO_PHP_START' ,''))
324 | 
325 |       if line_num == 2 and (l.strip().find('class ') == 0 or l.strip().find('function ') == 0) and len(first_lines[0]) < 10:
326 |          score.append(('CLASS_FUNCTION' ,''))
327 | 
328 |       if re.compile('.*=\s*"[a-zA-Z0-9/=]{32}";').match(l):
329 |           score.append(('MD5_VAR' ,''))
330 |       if re.compile('.*=\s*"http://[a-z0-9].*";').match(l) or re.compile(".*=\s*'http:.*';").match(l) :
331 |          if not 'simpletest.org' in l and not 'facebook.com' in l:
332 |             has_var_http = True
333 |       if has_var_http and ('curl_exec' in l or 'xxxxxxxxxx' in l) and line_num < 20:
334 |           score.append(('CURL_HTTP' ,''))
335 |       if ( 'eval(' in l or 'eval (' in l ) and not "eval('?>' . $contents);" in l and not "_eval(" in l:
336 |          if line_num < line_early:
337 |               score.append(('HAS_EVAL_EARLY','line %i' % line_num))
338 |          else:
339 |               score.append(('HAS_EVAL','line %i' % line_num))
340 |       if l.find('mail(') == 0 or ' mail(' in l:
341 |          if line_num < line_early:
342 |               score.append(('HAS_MAIL_EARLY','line %i' % line_num))
343 |          else:
344 |               score.append(('HAS_MAIL','line %i' % line_num))
345 |       if line_num < line_early and 'call_user_func' in l:
346 |           score.append(('HAS_CALL_FUNC_EARLY','line %i' % line_num))
347 |  
348 |       if 'agent' in l.lower() and 'google' in l.lower():
349 |           score.append(('UA_GOOGLE',''))
350 | 
351 |       if 'base64_decode(' in l or 'base64_decode (' in l \
352 |           or 'str_rot13(' in l or 'str_rot13 (' in l:
353 |          if 'CmVycm9yX3JlcG9ydGluZygwKTsKJHFhe' in l or 'FZY1EuQIEkXvMlZ3yBBTrCVmLkH' in l or '<? /**/eval(base64_decode(' in l:
354 |              score.append(('BASE64_STRING',''))
355 |              clean_evalbase64 = True
356 |          elif line_num < line_early:
357 |               score.append(('HAS_BASE64DECODE_EARLY','line %i' % line_num))
358 |          else:
359 |               score.append(('HAS_BASE64DECODE','line %i' % line_num))
360 |       elif "<!-- :### -->" in l or 'b+=String.fromCharCode(a.charCodeAt(i)^2' in l:
361 |            score.append(('JAVASCRIPT_HACK',''))
362 |       elif "'FilesMan';" in l or '"FilesMan";' in l or 'Web Shell by Guest' in l or 'File uppato senza problemi' in l or 'echo"<b>gagal"' in l \
363 |            or "wpplugin_action = 'WPcheckInstall'" in l or "'bas'.'e6'.'4_d'.'ecode'" in l \
364 |            or 'shell_exec("sh inst")' in l or 'index.php replaced successufuly!</font' in l \
365 |            or 'Your browser does not support our Online Store' in l or '\\x62\\141\\x73\\145\\x36\\64\\x5f\\144\\x65\\143\\x6f\\144\\x65' in l \
366 |            or '"b".""."as"."e"."".""."6"."4"."_"."de".""' in l \
367 |            or 'ww.rootshell-team.info' in l \
368 |            or "'bas'.'e6'.'4_d'.'ecode'" in l \
369 |            or "'Upload files on server'" in l \
370 |            or "'md5 cracker'," in l \
371 |            or '"tar -xzpf"' in l\
372 |            or 'convertIpToString($ip){return long2ip' in l\
373 |            or 'dis Shell Commander' in l \
374 |            or '"\\x52EQ\\x55E\\x53T_\\x55R\\x49"' in l\
375 |            or '8Of6V9BaZ0kmlmTZua0V' in l \
376 |            or '0LKuioz9grFttM2I0K' in l\
377 |            or 'a5zNPHhK21eSn+FKZ' in l\
378 |            or 'infectslab:' in l \
379 |            or 'HV0X2J1ZmZlc' in l\
380 |            or "file_get_contents('/etc/passwd" in l \
381 |            or 'r57shell.net' in l \
382 |            or 'CBF Team - Mailer' in l \
383 |            or '[+] FOI</span>' in l \
384 |            or 'NShell t35' in l \
385 |            or 'CorporateSignonTelecode' in l \
386 |            or 'UDP Shell!' in l \
387 |            or 'eval("?>".gzuncompress(base64_decode(' in l \
388 |            or 'Mr.HarchaLi' in l \
389 |            or ('eval(gzinflate(base64_decode(' in l  and line_num < 5)\
390 |            or 'DamaneDz' in l \
391 |            or "$s='str_r'.'o'.'t13';" in l \
392 |            or '){type1_send();exit();}elseif(isset' in l \
393 |            or '\\x65\\x76\\x61\\x6c\\x20\\x28\\x20\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74' in l \
394 |            or 'CH (UBS Spam) ' in l \
395 |            or "$words['cantbeshown']" in l \
396 |            or '"netstat -an' in l \
397 |            or "strrev('edoced_46esab')" in l \
398 |            or (l.find("return base64_decode($") == 0 and 'for($i=0; $i < strlen($' in previous_line) \
399 |            or 'function multiRequest($data, $options = array(), $oneoptions = array())' in l \
400 |            or (l.find('GIF89') == 0 and line_num == 1) \
401 |            or (line_num == 1 and "@$_COOKIE[" in l and "();}?>" in l) \
402 |            or (line_num == 1 and '@move_uploaded_file' in l) \
403 |            or 'Database Emails Extractor' in l\
404 |            or ("<h4>!PhpSend!</h4>" in l) \
405 |            or '<b>Done ==> $userfile_name</b></center>' in l \
406 |            or ('$files=fopen(\'../../../\'.$filepaths.' in l and ',"w+");' in l) \
407 |            or "chmod ($_REQUEST['p1'], $_REQUEST['p2']);" in l \
408 |            or "\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65" in l\
409 |            or (line_num == 2 and "$ref = $_SERVER['HTTP_USER_AGENT'];" in l) \
410 |            or (line_num < 4 and "passthru($_POST[" in l) \
411 |            or (line_num == 1 and '$stg="ba"."se"."64_d"."ecode";eval($stg(' in l) \
412 |            or "file_put_contents('1.txt', print_r" in l:
413 |            score.append(('PHP_SHELL',''))
414 | 
415 |       if 'move_uploaded_file(' in l:
416 |            score.append(('UPLOAD_FILE',''))
417 | 
418 |       if ('<?php foreach(explode("\\' in l and line_num == 1) \
419 |          or ('($_SERVER["\\x48\\124\\x54\\120\\x5f' in l and line_num == 1) \
420 |          or (']) {move_uploaded_file($_FILES[' in l and line_num == 2) \
421 |          or '*Wsfuvso!%x5c%x7825bss%x5' in l \
422 |          or ('<?php eval(gzinflate(base64_decode' in l and "')));?>" in l ) \
423 |          or (line_num == 1 and 'eval(' in l and '$_REQUEST[' in l and ' = fopen' in l and '; exit(); } ?>' in l) \
424 |          or (line_num == 1 and 'if(!isset($GLOBALS[' in l) \
425 |          or (line_num == 2 and 'if(!empty($_POST[' in l and '){eval($_POST' in l) \
426 |          or (line_num == 2 and 'if(isset($_POST[' in l and 'eval($_POST[' in l) \
427 |          or '%x5c%x7825-bubE' in l :
428 |           cleanup_available = True
429 |           score.append(('PHP_SHELL',''))
430 |           
431 |         
432 | 
433 |       if ('"' in l or "'" in l) and not '$UTF8_TO_ASCII' in previous_line:
434 |           if len(l) > 3000 and not has_very_long_line:
435 |              has_long_line = has_very_long_line = True
436 |              if line_num < line_early:
437 |                   score.append(('VERY_LONG_LINE_EARLY','line %i' % line_num))
438 |              else:
439 |                   score.append(('VERY_LONG_LINE','line %i' % line_num))
440 |           elif len(l) > 1000 and not has_very_long_line and not has_long_line:
441 |              has_long_line = True
442 |              if line_num < line_early:
443 |                   score.append(('LONG_LINE_EARLY','line %i' % line_num))
444 |              else:
445 |                   score.append(('LONG_LINE','line %i' % line_num))
446 | 
447 | 
448 |       if "$cidinfo['uni2cid'] = array(" in l or 'php return unserialize(' in l \
449 |          or ('<?php // $Id: ' in l and line_num == 1) \
450 |          or ('/////////////////////////////////////////////////////' in l and line_num == 2) \
451 |          or ('* Squelette : ' in l and line_num == 3) \
452 |          or ('bVRRb9owEH4eEv/hGrVzUhGYtmkPhYCqrdNe1' in l) \
453 |          or ('<?php if(!function_exists("timezone_identifiers_list")){function timezone_identifi' in l) \
454 |          or ('bVBBasMwELwX+odFF6UXCZ' in l) \
455 |          or ('// ************************************************************' in l and line_num == 2):
456 |           score.append(('WHITELISTED_LINE',''))
457 | 
458 |       if 'form1=@$_COOKIE' in l:
459 |           score.append(('COOKIE_FORM1',''))
460 |       if ('require_once(' in l or 'require(' in l or 'include(' in l) and not 'http' in l:
461 |           score.append(('INCLUDE_REQUIRE',''))
462 |       if 'mail.add_x_header' in l:
463 |           score.append(('MAIL_X_HEADER',''))
464 |       if 'set_time_limit(0)' in l or 'max_execution_time\',' in l or 'set_time_limit(' in l:
465 |           score.append(('SET_TIME_0',''))
466 |       if 'error_reporting(0)' in l or 'error_reporting\',0' in l:
467 |           score.append(('SET_ERRORREPORTING_0',''))
468 |       if 'ignore_user_abort(' in l or 'ignore_user_abort (' in l:
469 |           score.append(('SET_IGNOREUSERABORT_0',''))
470 |       if 'memory_limit","-1"' in l or 'memory_limit",-1' in l:
471 |           score.append(('SET_MEMORYLIMIT_0',''))
472 |       if ('system(' in l or 'system (' in l  or 'shell_exec(' in l or 'shell_exec (' in l or 'passthru(' in l) and not 'filesystem' in l.lower():
473 |           score.append(('EXEC_SHELL',''))
474 |       if 'PCT4BA6ODSE_' in l or 'eval($s21($s22))' in l or '$qV="stop_"' in l:
475 |           score.append(('BASE64_STRING',''))
476 |           clean_PCT4 = True
477 |       if 'include' in l and 'social.png' in l:
478 |           score.append(('CRYPT_PHP',''))
479 |           cleanup_available = True
480 |       if 'eval(xxtea_decrypt(base64_decode(' in l:
481 |           score.append(('XXTEA_ENCRYPT',''))
482 |       previous_line = l
483 | 
484 |    if line_num < 20:
485 |         score.append(('FEW_LINES','%i lines' % line_num)) 
486 |    elif line_num < 100:
487 |         score.append(('MANY_LINES','%i lines' % line_num)) 
488 |    elif line_num < 1000:
489 |         score.append(('MANY_LINES2','%i lines' % line_num)) 
490 |    else:
491 |         score.append(('MANY_LINES3','%i lines' % line_num)) 
492 | 
493 | 
494 |    ## Shell super bien caché, toutes les lignes ont la même longueur   
495 |    if len(first_lines) > 12 and line_num < 30  and first_lines[0] == '<?php' and \
496 |       len(first_lines[1]) == len(first_lines[2]) == len(first_lines[3]) == len(first_lines[4]) == len(first_lines[5]) == len(first_lines[6])  == len(first_lines[7])  == len(first_lines[8]) and len(first_lines[3]) > 40 and first_lines[3][0] == ' ' :
497 |         score.append(('PHP_OBFUSC_SHELL',''))
498 |    
499 | 
500 | 
501 |    if line_num == 0 or (line_num == 1 and ( len(first_lines[0]) < 10 or 'Silence is golden.' in first_lines[0])) \
502 |                     or (line_num == 2 and len(first_lines[0]) < 10 and 'Silence is golden.' in first_lines[1]):
503 |        score.append(('EMPTY_FILE','')) 
504 |    if line_num == 1 and ( '<div' in first_lines[0] or 'class=' in first_lines[0]):
505 |        score.append(('BAD_NEWLINES',''))
506 | 
507 |    if line_num > 7 and ( first_lines[0] == '<?php' or first_lines[0] == '<?') and first_lines[1] == '/**' and (first_lines[2].find(' * ') == 0 or first_lines[2].find('* ') == 0):
508 |        score.append(['PHP_COMMENTS',w])
509 |    if len(first_lines) >3 and ('@author : ' in first_lines[1] or '@author : ' in first_lines[0] or '@version' in first_lines[2] or 'Legacy Mode compatibility' in first_lines[2] ):
510 |        score.append(['PHP_COMMENTS',w])
511 | 
512 |    total_score = 0
513 |    score_details = []
514 |    score_done = []
515 |    for sco,detail in score:
516 |        if sco in score_done:
517 |           continue
518 |        score_done.append(sco)
519 |        total_score += scoring[sco][0]
520 |        score_details.append({'rule' : sco, 
521 |                              'details' : detail.encode('utf-8'), 
522 |                              'score' : scoring[sco][0], 
523 |                              'description' :  scoring[sco][1].encode('utf-8')})
524 | 
525 |    if filename[0] != '/':
526 |        filename = os.getcwd()  + '/' + filename
527 | 
528 |    
529 |    if clean_PCT4 or clean_evalbase64:
530 |       cleanup_available = True
531 |    if cleanup_available and line_num == 1:
532 |        cleanup_available = False
533 |    return {'filename' : filename,
534 |            'score' : total_score,
535 |            'mtime' : os.stat(filename).st_mtime,
536 |            'ctime' : os.stat(filename).st_ctime,
537 |            'details' : score_details,
538 |            'cleanup' : cleanup_available}
539 |    #print  total_score, filename, '::'.join(score_details).encode('utf-8')
540 | 
541 |    #from subprocess import Popen
542 |    #if clean_PCT4:
543 |    #    print "PCT4", filename, "CLEANED"
544 |    #     Popen(['perl', '-pi', '-e','s/<\?php.*$sF=.PCT4B.*}\?>//g',filename])
545 |    #elif clean_evalbase64:
546 |    #    print "EVAL+BASE64", filename, "CLEANED"
547 |    #    Popen(['perl', '-pi', '-e','s/\?php\s*eval\(base64_decode\("[a-zA-Z0-9\/=]*"\)\);/?php/g',filename])
548 | 
549 | 
550 | if __name__ == '__main__':
551 | 	SERIALIZER='json'
552 |         import argparse 
553 | 	try:
554 |         	import yaml
555 | 	        SERIALIZER = 'yaml'
556 | 	except ImportError:
557 | 		import json
558 | 
559 |         parser = argparse.ArgumentParser(description='Check directory for PHP malwares.')
560 |         parser.add_argument('directory', help='directory to check', type=str)
561 |         parser.add_argument('--post', dest='post',  type=str, default=None,
562 |                                    help='POST the result to an URL "%%TOKEN%%" will be replaced by a uuid random token and "%%HOSTNAME%%" by hostname (default: no post)')
563 |         parser.add_argument('--minscore', dest='minscore', type=int, default=-5, help='Minimum score (default: -5)')
564 |         parser.add_argument('--maxresults', dest='maxresults', type=int, default=500, help='Maximum number or results (default: 500)')
565 |         
566 |         args = parser.parse_args()
567 |         basedir = args.directory
568 |         RESULT_POST = args.post
569 |         MIN_SCORE = args.minscore
570 |         MAX_RESULTS = args.maxresults
571 |         print args
572 | 	##import socket
573 | 	## RESULT_POST = 'https://xxx.com/%s/%s' % (socket.gethostname(),token)
574 | 
575 |         if RESULT_POST:
576 |             import socket
577 | 	    import uuid
578 |             RESULT_POST = RESULT_POST.replace('%HOSTNAME%', socket.gethostname())
579 |             RESULT_POST = RESULT_POST.replace('%TOKEN%','%s' % uuid.uuid1())
580 |         
581 | 	results = []
582 | 	for root, dirnames, filenames in os.walk(basedir):
583 | 		for filename in filenames:
584 | 			if fnmatch.fnmatch(filename, '*.php') or fnmatch.fnmatch(filename, '*.js'):
585 | 				hacked = is_hacked(os.path.join(root, filename))
586 | 				if hacked!= False and hacked['score'] > MIN_SCORE:
587 | 					results.append(hacked)
588 | 
589 | 	results.sort(key=lambda x:x['score'], reverse=True)
590 | 
591 | 	if SERIALIZER == 'yaml':
592 | 		print yaml.dump(results[0:MAX_RESULTS])
593 | 	else:
594 | 		print json.dumps(results[0:MAX_RESULTS], indent=4)
595 | 
596 | 	if RESULT_POST:
597 | 		import requests
598 | 		import urllib
599 | 		headers = {"Content-type": "application/x-yaml; charset=utf-8", "Accept": "text/plain"}
600 | 		if basedir[0] == '/':
601 | 			path = urllib.quote_plus(basedir[1::])
602 | 		else:
603 | 			path = urllib.quote_plus(basedir)
604 | 		r = requests.post(RESULT_POST +'/' + path, data=yaml.dump(results[0:MAX_RESULTS]), headers = headers)
605 | 		print r
606 | 		print "="*100
607 | 		print r.text
608 | 		print "URL : ", RESULT_POST
609 | 
610 | 


--------------------------------------------------------------------------------
/phpscanner.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python2
  2 | import yara
  3 | import argparse
  4 | import os
  5 | import fnmatch
  6 | import json
  7 | import hashlib
  8 | import time
  9 | from phpmalwarescanner import is_hacked
 10 | from collections import Counter
 11 | 
 12 | 
 13 | class PhpAnalyzer(object):
 14 |     def __init__(self):
 15 |         self.hashdb = json.load(open(
 16 |             os.path.join(
 17 |                 os.path.dirname(os.path.realpath(__file__)),
 18 |                 'md5ref.json'
 19 |             )
 20 |         ))
 21 | 
 22 |     def _md5_file(self, path):
 23 |         """Generate the md5 of a file"""
 24 |         hash_md5 = hashlib.md5()
 25 |         with open(path, "rb") as f:
 26 |             for chunk in iter(lambda: f.read(4096), b""):
 27 |                 hash_md5.update(chunk)
 28 |         return hash_md5.hexdigest()
 29 | 
 30 |     def check_known_hash(self, path):
 31 |         """Compare the file with a known database"""
 32 |         known = False
 33 |         suspicious = False
 34 |         try:
 35 |             md5 = self._md5_file(path)
 36 |             for fn in self.hashdb.keys():
 37 |                 if fn in path:
 38 |                     known = True
 39 |                     suspicious = True
 40 |                     try:
 41 |                         return True, False, self.hashdb[fn][md5]
 42 |                     except KeyError:
 43 |                         pass
 44 |         except IOError:
 45 |             pass
 46 | 
 47 |         return known, suspicious, []
 48 | 
 49 | 
 50 | class PhpScanner(PhpAnalyzer):
 51 |     def __init__(
 52 |             self, signature=True, pms=True, hashes=True,
 53 |             suspicious=False, verbosity=0
 54 |             ):
 55 |         super(PhpScanner, self).__init__()
 56 |         self.yara_files = [
 57 |             "yara/phpbackdoor.yara",
 58 |             "yara/clamavphp.yara"
 59 |         ]
 60 |         self.suspicious = suspicious
 61 |         self.verbosity = verbosity
 62 |         self.signature = signature
 63 |         self.pms = pms
 64 |         self.hashes = hashes
 65 |         if suspicious:
 66 |             self.yara_files.extend(
 67 |                     ['yara/suspicious.yara', 'yara/phpsuspicious.yara']
 68 |             )
 69 |             self.pms_score = 5
 70 |         else:
 71 |             self.pms_score = 10
 72 |         self.rules = []
 73 |         for f in self.yara_files:
 74 |             self.rules.append(yara.compile(
 75 |                 os.path.join(os.path.dirname(os.path.realpath(__file__)), f)
 76 |             ))
 77 | 
 78 |     def check_file_signature(self, path):
 79 |         """Check Yara signatures provided on the file"""
 80 |         res = []
 81 |         for rule in self.rules:
 82 |             try:
 83 |                 res += rule.match(path)
 84 |             except yara.Error:
 85 |                 pass
 86 |             except UnicodeEncodeError:
 87 |                 pass
 88 |         return res
 89 | 
 90 |     def check_file(self, path):
 91 |         """Check file with means selected"""
 92 |         results = {'suspicious': False}
 93 |         if self.signature:
 94 |             sigs = self.check_file_signature(path)
 95 |             if len(sigs) > 0:
 96 |                 results['suspicious'] = True
 97 |                 results['signatures'] = sigs
 98 |         if self.pms:
 99 |             if fnmatch.fnmatch(path, '*.php') or fnmatch.fnmatch(path, '*.js'):
100 |                 pms = is_hacked(path)
101 |                 if pms['score'] > self.pms_score:
102 |                     results['suspicious'] = True
103 |                     results['pms'] = pms
104 |         if self.hashes:
105 |             knownhash = self.check_known_hash(path)
106 |             if knownhash[0] and knownhash[1]:
107 |                 results['suspicious'] = True
108 |                 results['hash'] = 'BAD'
109 | 
110 |         return results
111 | 
112 |     def print_results(self, path, results):
113 |         """Display results"""
114 |         if results['suspicious']:
115 |             reason = ""
116 |             if 'signatures' in results.keys():
117 |                 reason += '[SIGNATURE (' + ", ".join(map(
118 |                     lambda x: x.rule,
119 |                     results['signatures']
120 |                     )) + ')] '
121 |             if 'pms' in results.keys():
122 |                 if self.verbosity == 0:
123 |                     reason += "[PMS] "
124 |                 else:
125 |                     reason += "[PMS (score: %i, %s)] " % (results['pms']['score'], ', '.join(map(lambda x: x['rule'], results['pms']['details'])))
126 |             if 'hash' in results.keys():
127 |                 reason += "[HASH]"
128 | 
129 |             print('%s -> %s' % (path, reason))
130 |         else:
131 |             if self.verbosity > 3:
132 |                 print('%s : CLEAN' % path)
133 | 
134 |     def scan_file(self, path, display=True):
135 |         """Scan files with all means possible"""
136 |         # For each file, make all the tests
137 |         path = path.decode('utf-8')
138 |         res = self.check_file(path)
139 |         if display:
140 |             self.print_results(path, res)
141 |         return res
142 | 
143 | 
144 | class Fingerprinter(PhpAnalyzer):
145 |     def do(self, path):
146 |         """Fingerprint the framework of the given directory"""
147 |         versions = []
148 |         for root, dirs, files in os.walk(path):
149 |             for name in files:
150 |                 if name.endswith(".php"):
151 |                     path = os.path.join(root, name)
152 |                     known, suspicious, v = self.check_known_hash(path)
153 |                     if known and not suspicious:
154 |                         versions.extend(v)
155 |         result = Counter(versions)
156 |         return result.most_common()[:5]
157 | 
158 |     def go(self, path):
159 |         """Fingerprint and print result"""
160 |         versions = self.do(path)
161 |         print("Seems to be %s (%i files)" % (versions[0]))
162 |         print("Can also be " + ", ".join(map(lambda x: "%s (%i)" % x, versions[1:])))
163 | 
164 | 
165 | if __name__ == '__main__':
166 |     parser = argparse.ArgumentParser(description='Look for malicious php')
167 |     parser.add_argument(
168 |             'FILE', nargs='+',
169 |             help='List of files or directories to be analyzed')
170 |     parser.add_argument(
171 |             '-s', '--suspicious', action='store_true',
172 |             help="Add rules for suspicious files (more FP)")
173 |     parser.add_argument(
174 |             '-O', '--fingerprint', action='store_true',
175 |             help="Fingerprint the framework version")
176 |     parser.add_argument(
177 |             '-v', '--verbose', action="count", default=0,
178 |             help="verbose level... repeat up to three times.")
179 |     parser.add_argument(
180 |             '-1', '--signature', action='store_true',
181 |             help="Uses only the signatures")
182 |     parser.add_argument(
183 |             '-2', '--pms', action='store_true',
184 |             help="Uses only the Php Malware Scanner tool")
185 |     parser.add_argument(
186 |             '-3', '--hash', action='store_true',
187 |             help="Uses only the hash comparison")
188 |     parser.add_argument(
189 |             '-q', '--quiet', action='store_true',
190 |             help="Hide scan summary")
191 | 
192 |     args = parser.parse_args()
193 | 
194 |     if args.fingerprint:
195 |         fingerprinter = Fingerprinter()
196 |     else:
197 |         if not args.signature and not args.pms and not args.hash:
198 |             scanner = PhpScanner(
199 |                 True,
200 |                 True,
201 |                 True,
202 |                 args.suspicious,
203 |                 args.verbose
204 |             )
205 |         else:
206 |             scanner = PhpScanner(
207 |                 args.signature,
208 |                 args.pms,
209 |                 args.hash,
210 |                 args.suspicious,
211 |                 args.verbose
212 |             )
213 |     suspicious_files = 0
214 |     scanned_files = 0
215 |     start_time = time.time()
216 | 
217 |     # Browse directories
218 |     try:
219 |         for target in args.FILE:
220 |             if os.path.isfile(target):
221 |                 if args.fingerprint:
222 |                     print("Impossible de fingerprint a file")
223 |                 else:
224 |                     scanner.scan_file(target)
225 |             elif os.path.isdir(target):
226 |                 if args.fingerprint:
227 |                     fingerprinter.go(target)
228 |                 else:
229 |                     for root, dirs, files in os.walk(target):
230 |                         for name in files:
231 |                             res = scanner.scan_file(os.path.join(root, name))
232 |                             if res['suspicious']:
233 |                                 suspicious_files += 1
234 |                             scanned_files += 1
235 | 
236 |                     if not args.quiet:
237 |                         print("--------------------------------------------")
238 |                         print("%i files scanned" % scanned_files)
239 |                         print("%i suspicious files found" % suspicious_files)
240 |                         print("Execution time: %s seconds" % (time.time() - start_time))
241 | 
242 |     except KeyboardInterrupt:
243 |         print("Whoooo, ok, I quit...")
244 | 


--------------------------------------------------------------------------------
/yara/clamavphp.yara:
--------------------------------------------------------------------------------
   1 | rule Php_Trojan_Sysbat_1
   2 | {
   3 | strings:
   4 | 	$a0 = { 0d0a2f2f205359534241542e504850205649525553200d0a2f2f20427920586d6f726669632c207777772e736861646f7776782e636f6d2f626376672c2054686520426c61636b204361742056697269692047726f75700d0a2f2f205359534241542e504850202d205468 }
   5 | 
   6 | condition:
   7 | 	$a0
   8 | }
   9 | rule Php_Trojan_Pbot_3
  10 | {
  11 | strings:
  12 | 	$a0 = { 707269766d736728746869732d3e636f6e6669675b276368616e275d2c225b5c32707363616e5c325d3a20222e6d636d645b315d2e223a222e6d636d645b325d2e22206973205c326f70656e5c3222293b20656c736520746869732d3e707269766d736728746869732d3e636f6e6669675b276368616e275d2c225b5c32707363616e5c325d3a20222e6d636d645b315d2e }
  13 | 
  14 | condition:
  15 | 	$a0
  16 | }
  17 | rule Php_Trojan_MSShellcode_82
  18 | {
  19 | strings:
  20 | 	$a0 = { 696620282169737365742824474c4f42414c535b276368616e6e656c73275d2929207b2024474c4f42414c535b276368616e6e656c73275d203d206172726179 }
  21 | 
  22 | condition:
  23 | 	$a0
  24 | }
  25 | rule Php_Trojan_MSShellcode_81
  26 | {
  27 | strings:
  28 | 	$a0 = { 73797374656d286261736536345f6465636f64652827634756796243417454556c504943316c4943636b6344316d62334a724b436b375a586870644378705a69 }
  29 | 
  30 | condition:
  31 | 	$a0
  32 | }
  33 | rule Php_Trojan_Agent_36999
  34 | {
  35 | strings:
  36 | 	$a0 = { 3c3f706870[0-15]6563686f206578656328276364202f746d703b6375726c202d6f[0-150]6563686f206578656328276364202f746d703b6c77702d646f776e6c6f6164[0-150]6563686f206578656328276364202f746d703b77676574[0-150]6563686f206578656328276364202f746d703b6665746368[0-150]6563686f20706173737468727528276364202f746d703b6665746368 }
  37 | 
  38 | condition:
  39 | 	$a0
  40 | }
  41 | rule Php_Trojan_Agent_36998
  42 | {
  43 | strings:
  44 | 	$a0 = { 69662821656d70747928245f6765745b2766696c65275d2929202466696c653d245f6765745b2266696c65225d3b }
  45 | 	$a1 = { 69662866616c73653d3d6375726c5f65786563282463682929206469652827[0-150]6375726c5f636c6f736528246368293b203f3e20627970617373207368656c6c3a }
  46 | 
  47 | condition:
  48 | 	$a0 and $a1
  49 | }
  50 | rule Php_Trojan_Agent_36992
  51 | {
  52 | strings:
  53 | 	$a0 = { 2463686469723d67657463776428293b20696628212477686f616d69292477686f616d693d65786563282277686f616d6922293b203f3e3c3f70687020407365745f74696d655f6c696d69742830293b }
  54 | 	$a1 = { 61646d696e6973747261746f7273203b2f6164642061646d696e3b206e6574206c6f63616c67726f75703b2075736572733b202f64656c2061646d696e273b2024626e203d20246d686f73743b }
  55 | 
  56 | condition:
  57 | 	$a0 and $a1
  58 | }
  59 | rule Php_Trojan_Agent_36811
  60 | {
  61 | strings:
  62 | 	$a0 = { 7b20657865632824636d642c246f293b202472657a203d206a6f696e28726e2c246f293b207d20656c736569662028656e61626c6564287368656c6c5f657865632929207b202472657a203d207368656c6c5f657865632824636d64293b207d20656c736569662028656e61626c65642873797374656d2929207b20406f625f737461727428293b204073797374656d2824636d64293b202472657a203d20406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d20656c736569662028656e61626c65642870617373746872752929 }
  63 | 
  64 | condition:
  65 | 	$a0
  66 | }
  67 | rule Php_Trojan_Agent_37000
  68 | {
  69 | strings:
  70 | 	$a0 = { 61727261792861646d696e203d3e20617272617928226e616d6522203d3e2061646d696e2c20227061737322203d3e20626f745f70617373776f72642c20226175746822203d3e20312c2273746174757322203d3e202261646d696e2229293b }
  71 | 
  72 | condition:
  73 | 	$a0
  74 | }
  75 | rule Php_Trojan_Agent_36982
  76 | {
  77 | strings:
  78 | 	$a0 = { 3c3f70687020247b225c7834375c7834635c78346642414c5c783533227d5b2262705c7836615c78363475635c783738225d3d225c7836365c7837355c78366563223b247b22474c4f42415c7834635c783533227d5b225c7837387a5c783738655c7836665c7836616b715c7836365c7836335c7837356d225d3d225c783638 }
  79 | 
  80 | condition:
  81 | 	$a0
  82 | }
  83 | rule Php_Trojan_Agent_36983
  84 | {
  85 | strings:
  86 | 	$a0 = { 3c3f706870206576616c28677a696e666c617465286261736536345f6465636f646528224263464a6b716f7741414451752f5371753178416c4c473665694569436a4961426e487a43306b5967786943674a7a2b7634656e6a487958612f3073534462693730664773435438517a6a764566372b306e4c44616d6b2f372f6436 }
  87 | 
  88 | condition:
  89 | 	$a0
  90 | }
  91 | 
  92 | rule Php_Trojan_Uploader_2
  93 | {
  94 |     strings:
  95 | 	$a1 = "$s21=strtolower($sf[4].$sf[5].$sf[9].$sf[10].$sf[6].$sf[3].$sf[11].$sf[8].$sf[10].$sf[1].$sf[7].$sf[8].$sf[10])" nocase
  96 | 	$a2 =  "$s20=strtoupper($sf[11].$sf[0].$sf[7].$sf[9].$sf[2])" nocase
  97 | 
  98 |     condition:
  99 |         all of them
 100 | }
 101 | 
 102 | rule Php_Trojan_itsoknoproblembro_2
 103 | {
 104 | strings:
 105 | 	$a0 = { 6576616c28677a696e666c617465286261736536345f6465636f646528277679356e73387177656962766776396877616f396c733579756e676d636571706e6e7970686d6562367361716c35766a3676727274767375706d33782b373770306b67643768706e716f743978652b696574727a626f676a6d36756f78346a6e3874776362356671676c646a31657866336770323967636a786a6b7269396e78616a357163737766647675733362366474386177686f78763332376c636d312f79656567626b756477757761727a626269386f726c63643075636b677865622b356969776c6c7332657764756633776a6b66666335636d6e6b6a7674736776772b6a677a6b766b6d3065316874753367656e6830773063672f3274726f65777a6d777878746a6e656b647161636c707a6d736d762f782b786e6b7172333969696671727277393373772b7539767a342f7062626537766164272929293b }
 106 | 
 107 | condition:
 108 | 	$a0
 109 | }
 110 | rule Php_Trojan_itsoknoproblembro_3
 111 | {
 112 | strings:
 113 | 	$a0 = { 69662866756e6374696f6e5f65786973747328276578656327292940657865632824636d64293b }
 114 | 	$a1 = { 656c736569662866756e6374696f6e5f657869737473282770617373746872752729294070617373746872752824636d64293b }
 115 | 	$a2 = { 656c736569662866756e6374696f6e5f65786973747328277368656c6c5f65786563272929407368656c6c5f657865632824636d64293b }
 116 | 	$a3 = { 656c736569662866756e6374696f6e5f657869737473282773797374656d2729294073797374656d2824636d64293b }
 117 | 	$a4 = { 656c736569662866756e6374696f6e5f6578697374732827706f70656e27292940706f70656e2824636d642c227222293b }
 118 | 
 119 | condition:
 120 | 	$a0 and $a1 and $a2 and $a3 and $a4
 121 | }
 122 | rule Php_Trojan_Agent_36933
 123 | {
 124 | strings:
 125 | 	$a0 = { 2f2f206e6f206d616c77617265206f6e207468697320636f64652c20796f752063616e20636865636b20697420627920796f757273656c66203b[0-200]6576616c28223f3e222e677a696e666c617465286261736536345f6465636f64652822 }
 126 | 
 127 | condition:
 128 | 	$a0
 129 | }
 130 | rule Php_Malware_ProPOS_3
 131 | {
 132 | strings:
 133 | 	$a0 = { 2469643d223c6120687265663d223f73686f773d6c6f677326687769643d22202e2068746d6c656e7469746965732824726f775b2768776964275d29202e2027223e27202e2068746d6c656e7469746965732824726f775b2768776964275d29202e20273c2f613e4027202e2068746d6c656e7469746965732824726f775b2770636e275d202e20272069703a2027202e2068746d6c656e7469746965732824726f775b276c6173746970275d292029202e2027202827202e2068746d6c656e7469746965732824726f775b2776657273696f6e275d29202e202729202e206c617374207365656e206f6e2027202e2064617465282720683a693a73272c2024726f775b277365656e275d29 }
 134 | 
 135 | condition:
 136 | 	$a0
 137 | }
 138 | rule Php_Trojan_Mailer_14
 139 | {
 140 | strings:
 141 | 	$a0 = { 6966286d61696c2824656d61696c312c2024617373756e746f2c20245f7365727665725b27687474705f686f7374275d202e20245f7365727665725b27726571756573745f757269275d2c202468656164657329297b206563686f20226f70612c20656e766961646f21223b206578697428293b207d20656c73657b206563686f20226e3f6f20656e766965692e2e223b206578697428293b20 }
 142 | 
 143 | condition:
 144 | 	$a0
 145 | }
 146 | rule Php_Exploit_CVE_2011_4885_1
 147 | {
 148 | strings:
 149 | 	$a0 = { 3d26457a457a457a457a457a[6]3d26457a457a457a457a457a[6]3d26457a457a457a457a457a[6]3d26457a457a457a457a457a }
 150 | 
 151 | condition:
 152 | 	$a0
 153 | }
 154 | rule Php_Trojan_Rebots_1
 155 | {
 156 | strings:
 157 | 	$a0 = { 3c736372697074[0-5]207372633d[1]687474703a2f2f }
 158 | 	$a1 = { 2f7265626f74732e706870 }
 159 | 
 160 | condition:
 161 | 	$a0 and $a1
 162 | }
 163 | rule Php_Trojan_MSShellcode_77
 164 | {
 165 | strings:
 166 | 	$a0 = { 202020200a202020202020407365745f74696d655f6c696d69742830293b204069676e6f72655f757365725f61626f72742831293b2040696e695f7365742827 }
 167 | 
 168 | condition:
 169 | 	$a0
 170 | }
 171 | rule Php_Trojan_itsoknoproblembro_1
 172 | {
 173 | strings:
 174 | 	$a0 = { 7072696e7420223c73746f70636c65616e646f733e73746f70202620636c65616e3c2f73746f70636c65616e646f733e22 }
 175 | 	$a1 = { 5b27616374696f6e275d3d3d227374617475732229 }
 176 | 
 177 | condition:
 178 | 	$a0 and $a1
 179 | }
 180 | rule Php_Trojan_MSShellcode_79
 181 | {
 182 | strings:
 183 | 	$a0 = { 2463203d206261736536345f6465636f646528225a574e6f6279416964473976636a6f364d446f774f6a6f364c324a706269396959584e6f496a34765a58526a }
 184 | 
 185 | condition:
 186 | 	$a0
 187 | }
 188 | rule Php_Trojan_WebShell_10
 189 | {
 190 | strings:
 191 | 	$a0 = { 677a756e636f6d7072657373286261736536345f6465636f64652822656a7a7376773270716b72336e2f682b6b766b6f382b352f6a2f396b61716839627a6e6a6a6f3063696f6a6e717276736279796f6e6b79706c6e31742b2f74707a3632717773626476612f6863392b7a7375356f7a6434327572776531322b746b6f722f362f2f2b707a616e787079707666362b6565722f7038766d667367322f2b6f2f78746768776c766c6836766170666c34657467647462656c737a687a6a2b }
 192 | 
 193 | condition:
 194 | 	$a0
 195 | }
 196 | rule Php_Trojan_WebShell_11
 197 | {
 198 | strings:
 199 | 	$a0 = { 245f5f5f203d20225c7836325c3134315c7837335c3134355c7833365c36345c7835665c3134345c7836355c3134335c7836665c3134345c783635223b6576616c28245f5f5f28245f5f2929 }
 200 | 
 201 | condition:
 202 | 	$a0
 203 | }
 204 | rule Php_Trojan_Agent_36995
 205 | {
 206 | strings:
 207 | 	$a0 = { 6576616c28677a696e666c617465286261736536345f6465636f646528272037663135662b6f32726a676f2f33382f6e2f73656e67706f6a323463623368326a71337832696c33207a352b7a6a3065327a666e78696b6573313935353777396175686b313268676d37626e6e666e396e2032686e627865637162656561626d68666c6e2f }
 208 | 
 209 | condition:
 210 | 	$a0
 211 | }
 212 | rule Php_Trojan_Agent_36994
 213 | {
 214 | strings:
 215 | 	$a0 = { 22646f6d61696e3d74657272612e636f6d2e627226757365726e616d653d22202e2024656d61696c5b305d202e20222670617373776f72643d22202e2024617574685b315d3b2024686561646572203d2022706f7374202f61746d61696c2e7068703f }
 216 | 	$a1 = { 24636d64203d206578706c6f6465282220222c202464617461293b2069662824636d645b305d203d3d202273656e6422297b2069662824636d645b325d20213d2024676c6f5b2273656e6861225d29 }
 217 | 
 218 | condition:
 219 | 	$a0 and $a1
 220 | }
 221 | rule Php_Trojan_Agent_36993
 222 | {
 223 | strings:
 224 | 	$a0 = { 6576616c286261736536345f6465636f646528276c796f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b696f716b69386e6369387163716c747a7872306177356e63 }
 225 | 
 226 | condition:
 227 | 	$a0
 228 | }
 229 | rule Php_Trojan_Agent_36961
 230 | {
 231 | strings:
 232 | 	$a0 = { 6563686f28677a696e666c617465286261736536345f6465636f646528223556624e63707377454c37334b53676e4744 }
 233 | 
 234 | condition:
 235 | 	$a0
 236 | }
 237 | rule Php_Trojan_Turame_1
 238 | {
 239 | strings:
 240 | 	$a0 = { 57304435307a62444d34512b54565257736d664955734877635a39425a695837754762344f47464c4b662b457a66424a516a39425646617954354949355a2b794464326e546d2b456e77316d4a6673306f6339697372465061795036616247456f2f7935514661797a784436484662386a42627a4d796f2b4f6b5038455a38644870714f597a5973392b4a2f567a3679517655452f33334a794a4b323853396b4969744b78714d3633697a726c5944377750335044694c797570384839684370746c704f527264363862494d4872497155687053396a4471304a7875503056576a6877685854476470696d7a463358534337763935466946504d50654d4b515a796a5a466e664443626a2f5031554b656156584d6f706c4b39614a4f31724a75503076554d703574566379683256354664436a6c6c506f522f2f4f4e395431397246514f7237464653485039327549444a612f43714e33517779706b4f4c79756a524878586d337848564c41564f3336686f3547786e6968566275494676713178656447555a334a76596e563851583239694264344e6357587858467a556274786c62574c49507464653246744d53764c543465466e61597465745a4231396b3156354d462f6d3178546643346d367a64675072356b767372554736784b38745067575739756d6e624f78725a5831386d5656374f56336d317859722f7556624465366d6572615672374271723651722f4e70694271336359665267617a33627756665a32344a306c563962544b505333535a334239764e56317531792b687176375a5970706564623343334e4c4c7a5a52792f726c314f312f693178544b36664d436f33646250426e6946765356494b377a61754e386647544c487370304e7965422b5862754b5676713178617971476a56726437425247657176617a4e613764635773346f644d32763373574d38616d3848307168665738797174644e6d375834327a57757332725730787138745a6c587476446e79 }
 241 | 
 242 | condition:
 243 | 	$a0
 244 | }
 245 | rule Php_Trojan_Turame_2
 246 | {
 247 | strings:
 248 | 	$a0 = { 6334636134323338613062393233383230646363353039613666373538343962613238346439623465396464616635363665613763373436316563376461313062633131663036616662396232373037303637333437316132336563633661395a6e52774f693876 }
 249 | 
 250 | condition:
 251 | 	$a0
 252 | }
 253 | rule Php_Trojan_IRCBot_865
 254 | {
 255 | strings:
 256 | 	$a0 = { 72746a696f3965656b6678626377656b656b7774767a306c6b7972776d787a62666b643377646375657a6d726876376d6530636a723077642b73767072786e7075742f38657a786a6d646b6a3677673675336a6e73386b757a2b33732f6e6a3d3d223b406576616c28677a696e666c617465286261736536345f6465636f6465287374725f726f7431332824636f646529292929 }
 257 | 
 258 | condition:
 259 | 	$a0
 260 | }
 261 | rule Php_Trojan_IRCBot_864
 262 | {
 263 | strings:
 264 | 	$a0 = { 726f743133286261736536345f6465636f646528273766316d74366e6c6b69676d72717038796b33727276767772352f6972367a726573757064626967696a7079666a6e316169716167746b6a2f746b64716d796a6b726f376631692f396c752f39747633727671786e6e697a2f6c6a377a706677796b79717536727a6e63756a6e727a36327a617a65676f646171636b75653778346c6b726c626b6c656c6f39773876736d2f7475786f6b6d792b79742f782f37707a6979666665763337376c746f327072356f38716c2f392f6e6e63733070627874657676762b332f2f7a637336646e3363 }
 265 | 
 266 | condition:
 267 | 	$a0
 268 | }
 269 | rule Php_Malware_SoakSoakRedirect_1
 270 | {
 271 | strings:
 272 | 	$a0 = { 6563686f20223c616c6c5f6f6b5f73716c5e222e24706173735f776f72642e223a222e24756e6d652e223e5c6e223b }
 273 | 
 274 | condition:
 275 | 	$a0
 276 | }
 277 | rule Php_Trojan_Script_9
 278 | {
 279 | strings:
 280 | 	$a0 = { 3c3f206576616c28677a696e666c617465286261736536345f6465636f64652827 }
 281 | 	$a1 = { 27292929 }
 282 | 
 283 | condition:
 284 | 	$a0 and $a1
 285 | }
 286 | rule Php_Trojan_Rayman_2
 287 | {
 288 | strings:
 289 | 	$a0 = { 3c623e72656d6f7661626c65207368656c6c206279207261796d616e3c2f623e }
 290 | 
 291 | condition:
 292 | 	$a0
 293 | }
 294 | rule Php_Exploit_Shell_63
 295 | {
 296 | strings:
 297 | 	$a0 = { 686a33686a7574636b6f72667078663961317a716f326177647272726579397567767465657a37397161616f316130726775646b7a6b72387261702f2f6f2f2f2f6f6466787a6e302f3172766d357a397368662f6270763633337861796673666e6e6b6b61767476786d727478767a7a62306c627078757973723433796a6e79366a62353561637a6a7934797a75662f6f6a2f64636172303968626b6e72696c622f6f6b65632b7073786138667a }
 298 | 
 299 | condition:
 300 | 	$a0
 301 | }
 302 | rule Php_Trojan_MSShellcode_107
 303 | {
 304 | strings:
 305 | 	$a0 = { 0a202020202020407365745f74696d655f6c696d69742830293b204069676e6f72655f757365725f61626f72742831293b2040696e695f73657428276d61785f }
 306 | 
 307 | condition:
 308 | 	$a0
 309 | }
 310 | rule Php_Trojan_MSShellcode_106
 311 | {
 312 | strings:
 313 | 	$a0 = { 20202020246970616464723d2731302e372e37372e313836273b0a2020202024706f72743d343434343b0a202020200a202020202020407365745f74696d655f }
 314 | 
 315 | condition:
 316 | 	$a0
 317 | }
 318 | rule Php_Trojan_MSShellcode_109
 319 | {
 320 | strings:
 321 | 	$a0 = { 233c3f7068700a0a6572726f725f7265706f7274696e672830293b0a2320546865207061796c6f61642068616e646c6572206f76657277726974657320746869 }
 322 | 
 323 | condition:
 324 | 	$a0
 325 | }
 326 | rule Php_Trojan_MSShellcode_108
 327 | {
 328 | strings:
 329 | 	$a0 = { 233c3f7068700a0a2320546865207061796c6f61642068616e646c6572206f766572777269746573207468697320776974682074686520636f7272656374204c }
 330 | 
 331 | condition:
 332 | 	$a0
 333 | }
 334 | rule Php_Trojan_Webshell_5
 335 | {
 336 | strings:
 337 | 	$a0 = { 27687474702f312e31203530302027 }
 338 | 	$a1 = { 297b[0-2]73797374656d2824??293b7d }
 339 | 	$a2 = { 7b24??3b[0-2]657865632824??2c24??293b6563686f20[0-2]696d706c6f646528225c6e222c24??293b7d }
 340 | 	$a3 = { 227768696368207375706572666574636820313e202f6465762f6e756c6c20323e202f6465762f6e756c6c202626206563686f206f6b2229 }
 341 | 
 342 | condition:
 343 | 	$a0 and $a1 and $a2 and $a3
 344 | }
 345 | rule Php_Trojan_C99Shell_3
 346 | {
 347 | strings:
 348 | 	$a0 = { 3c3f206576616c28677a696e666c617465286261736536345f6465636f64652827203762337065756a69306a64362b35336e6d787471717433646468736a7768677276376d6831637a6d206236397664747863636a627a686375626e763377627a31722b7035397633796963706673637a6175207175357a7a76726d743165756b7a66627a65726b7a6d72766a78392b6d77366d662f326c6f7271632031786b6d73762f73316e68692f7574666a6a36302b6134336d32696f79753775397366646475786e207561383779306f7a746d }
 349 | 
 350 | condition:
 351 | 	$a0
 352 | }
 353 | rule Php_Trojan_C99Shell_2
 354 | {
 355 | strings:
 356 | 	$a0 = { 6578706c6f646528223a222c6667657473282466702c3230343829293b[1-8]696620286339396674706272757465636865636b28226c6f63616c686f7374222c32312c312c247374725b305d2c247374725b305d2c247374725b365d2c246671625f6f6e6c797769746873682929[3-18]6563686f20223c623e436f6e6e656374656420746f20222e }
 357 | 
 358 | condition:
 359 | 	$a0
 360 | }
 361 | rule Php_Trojan_C99Shell_5
 362 | {
 363 | strings:
 364 | 	$a0 = { 37696776346178713764716f766c32666b7a636277616861676467666e637962697a777a76636d756764786e687a32756e6367306b707a346e63673d3d223b6576616c286261736536345f6465636f6465282471626462353165323562663961376633643234373530373238303364316333366429293b3f3e }
 365 | 
 366 | condition:
 367 | 	$a0
 368 | }
 369 | rule Php_Trojan_C99Shell_4
 370 | {
 371 | strings:
 372 | 	$a0 = { 6677717a773777336e2f706c71766c6c776b79203373642b35742f366b313466687a7a316a736263746876623975636e6a7873626b6262737475647075686a6572712f6432746e7839392b62726c6a71616f6c776e6833686677653d223b406576616c28677a696e666c617465286261736536345f6465636f6465282461677a2929293b3f3e }
 373 | 
 374 | condition:
 375 | 	$a0
 376 | }
 377 | rule Php_Exploit_CVE_2011_4153_1
 378 | {
 379 | strings:
 380 | 	$a0 = { 3c3f }
 381 | 	$a1 = { 74696479[0-50]2d3e646961676e6f73652829 }
 382 | 
 383 | condition:
 384 | 	$a0 and $a1
 385 | }
 386 | rule Php_Trojan_CryptoPHP_1
 387 | {
 388 | strings:
 389 | 	$a0 = { 3c3f70687020696e636c756465202827696d616765732f736f6369616c2e706e6727293b203f3e }
 390 | 
 391 | condition:
 392 | 	$a0
 393 | }
 394 | rule Php_Trojan_Agent_36974
 395 | {
 396 | strings:
 397 | 	$a0 = { 3c3f2024474c4f42414c535b275f3433333330353834365f275d3d4172726179286261736536345f6465636f6465282727202e275a4727202e27566d6127202e2757356c27292c6261736536345f6465636f646528275a6d6c735a56396e27202e275a585266593227 }
 398 | 
 399 | condition:
 400 | 	$a0
 401 | }
 402 | rule Php_Exploit_CVE_2011_4153_2
 403 | {
 404 | strings:
 405 | 	$a0 = { 3c3f }
 406 | 	$a1 = { 646566696e6528[0-20]7374725f72657065617428[0-5]22??222c[0-4]2461726776 }
 407 | 
 408 | condition:
 409 | 	$a0 and $a1
 410 | }
 411 | rule Php_Trojan_Envl_1
 412 | {
 413 | strings:
 414 | 	$a0 = { 7368656c6c6e616d65 }
 415 | 	$a1 = { 656e766c70617373 }
 416 | 	$a2 = { 687474703a2f2f7777772e376a796577752e636e2f }
 417 | 
 418 | condition:
 419 | 	$a0 and $a1 and $a2
 420 | }
 421 | rule Php_Trojan_Agent_36956
 422 | {
 423 | strings:
 424 | 	$a0 = { 646566696e6528275041535f524553272c2027633938396637323232373763346332356132323627293b0d0a646566696e6528275041535f524551272c2027333139316665376361613461623665346633653927293b0d0a646566696e6528275253415f4c454e272c20273235362729 }
 425 | 
 426 | condition:
 427 | 	$a0
 428 | }
 429 | rule Php_Trojan_Spambot_292
 430 | {
 431 | strings:
 432 | 	$a0 = { 7b20646965285048505f4f532e636872283439292e636872283438292e636872283433292e6d6435283039383736353433323129293b207d }
 433 | 
 434 | condition:
 435 | 	$a0
 436 | }
 437 | rule Php_Trojan_Spambot_293
 438 | {
 439 | strings:
 440 | 	$a0 = { 665b3c70616c64667c5d7d6d407e37392f6f386b785c72683672262d63356b5c6e33782c797a68713e2063705c5c777575326a676f623b30695f736e5c746e257667297a695e73747279766c7b5c243a3d312a6d652b6a772871342e74276061215c22236564623f }
 441 | 
 442 | condition:
 443 | 	$a0
 444 | }
 445 | rule Php_Trojan_Anonghost_1
 446 | {
 447 | strings:
 448 | 	$a0 = { 247a643435666635613d225c7836325c7836315c3136335c7836355c7833365c36345c3133375c783634 }
 449 | 
 450 | condition:
 451 | 	$a0
 452 | }
 453 | rule Php_Trojan_Scew_1
 454 | {
 455 | strings:
 456 | 	$a0 = { 3c3f7068702040246f75747075743d73797374656d28245f706f73745b22636f6d6d616e64225d293b }
 457 | 	$a1 = { 6f72206120636f6e6e656374206261636b207368656c6c2c207573653a203c693e6e63202d6520636d }
 458 | 
 459 | condition:
 460 | 	$a0 and $a1
 461 | }
 462 | rule Php_Trojan_Io_1
 463 | {
 464 | strings:
 465 | 	$a0 = { 0d0a2f2f205048502e496f4261726163756461206f72205048502e496f2069732061207068702076697275732e200d0a2f2f200909427920586d6f726966632f4243564720616e642044722e542f4243564720323030310d0a2f2f696e6665637473206175746f65786563 }
 466 | 
 467 | condition:
 468 | 	$a0
 469 | }
 470 | rule Php_Trojan_Agent_36804
 471 | {
 472 | strings:
 473 | 	$a0 = { 3c3f206576616c28677a696e666c617465286261736536345f6465636f64652827203762313777397469736a6a38642f7a35396a736f676d796764387933696f6573796d6f786a6d6567206a6130656b767938736933627768637a7362797832787a3374366f767572636b6735706d376f34352037386d75623773763164337633647876317878356570746834376733 }
 474 | 
 475 | condition:
 476 | 	$a0
 477 | }
 478 | rule Php_Trojan_Agent_36803
 479 | {
 480 | strings:
 481 | 	$a0 = { 247832343d225c31363374725c313534655c783665223b20247832353d225c783733795c3136335c3136345c7836355c313535223b2066756e6374696f6e20636f6e7665727462797465732824783062297b20676c6f62616c20247831632c247831642c247831652c247831662c247832302c247832312c247832322c247832332c247832342c247832353b2024783063203d20247832342824783062293b69662824783063203c2034297b72657475726e20247832 }
 482 | 
 483 | condition:
 484 | 	$a0
 485 | }
 486 | rule Php_Trojan_Agent_36802
 487 | {
 488 | strings:
 489 | 	$a0 = { 246f6f6f306f306f30303d5f5f66696c655f5f3b246f30306f30306f30303d5f5f6c696e655f5f3b246f6f30306f303030303d34323839363b6576616c28677a756e636f6d7072657373286261736536345f6465636f64652827656e706c6a386475776b617968662f6730753471726c6d6934346173682b69647062646c35706b37676275376c73647462787265686b6b7a30326a6d6b307a69 }
 490 | 
 491 | condition:
 492 | 	$a0
 493 | }
 494 | rule Php_Trojan_Agent_36801
 495 | {
 496 | strings:
 497 | 	$a0 = { 6576616c28677a696e666c617465286261736536345f6465636f64652827666a33686471766d656b796635353631676a64746b6368797a706f3763636b64796f6e70667a793062 }
 498 | 	$a1 = { 666c6c6677777265353464737a6f6a6f6d78637870797a306d6c686864676974746d34676a3171617a2b6836736271303163656c34346761673163616f77777169697a7732347634756237706c2b7068742f316479616162666532382f696d78 }
 499 | 
 500 | condition:
 501 | 	$a0 and $a1
 502 | }
 503 | rule Php_Trojan_Agent_1388761
 504 | {
 505 | strings:
 506 | 	$a0 = { 6d61696c2822736e65616b657231393732407765622e6465 }
 507 | 
 508 | condition:
 509 | 	$a0
 510 | }
 511 | rule Php_Trojan_IRCBot_868
 512 | {
 513 | strings:
 514 | 	$a0 = { 656c7365696620282464636f6d5b305d3d3d276e6f746963652729207b2024636f6d203d206578706c6f6465282220222c202464617461293b206966202824636f6d5b335d3d3d273a6b62272026262024636f6d5b345d2026262024636f6d5b355d2026262024636f6d5b365d29207b20246d7367203d207374725f7265706c6163652827272c27272c2464617461293b20246d7367203d2073747273747228246d73672c223a6b6222293b }
 515 | 	$a1 = { 636179616e6b28246e69636b293b }
 516 | 
 517 | condition:
 518 | 	$a0 and $a1
 519 | }
 520 | rule Php_Trojan_MSShellcode_78
 521 | {
 522 | strings:
 523 | 	$a0 = { 20202020696620282166756e6374696f6e5f65786973747328277379735f6765745f74656d705f646972272929207b0a20202020202066756e6374696f6e2073 }
 524 | 
 525 | condition:
 526 | 	$a0
 527 | }
 528 | rule Php_Trojan_Rst_1
 529 | {
 530 | strings:
 531 | 	$a0 = { 24706f72745f62696e645f62645f706c3d224979457664584e794c324a70626939775a584a7344516f6b55306846544577394969396961573476596d467a6143417461534937445170705a69416f5145465352315967502a623e6f2d2d2d5b207235377368656c6c202d20687474702d7368656c6c206279205253542f474843 }
 532 | 
 533 | condition:
 534 | 	$a0
 535 | }
 536 | rule Win_Trojan_Shell_24
 537 | {
 538 | strings:
 539 | 	$a0 = { 5f737461727428293b2073797374656d2824636d64293b20246f7574707574203d20406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d20656c73656966202820656e61626c656428226578656322292029207b20657865632824636d642c246f293b20246f7574707574203d206a6f696e28225c725c6e222c246f293b207d20656c73656966202820656e61626c656428227368656c6c5f6578656322292029207b20246f7574707574203d207368656c6c5f657865632824636d64293b207d2072657475726e20246f75747075743b207d2066756e6374696f6e206678323965786563322824636d6429207b20246f7574707574203d2022223b206966 }
 540 | 
 541 | condition:
 542 | 	$a0
 543 | }
 544 | rule Win_Trojan_Shell_25
 545 | {
 546 | strings:
 547 | 	$a0 = { 6f6e732c27657865632729297b657865632824636f6d6d616e642c246f7574707574293b246f75747075743d6a6f696e28225c6e222c246f7574707574293b24657865633d246f75747075743b7d20656c736569662869735f63616c6c61626c6528277368656c6c5f6578656327292026262021737472737472282464697361626c6566756e6374696f6e732c277368656c6c5f657865632729297b24657865633d7368656c6c5f657865632824636f6d6d616e64293b7d20656c736569662869735f7265736f7572636528246f75747075743d706f70656e2824636f6d6d616e642c2272222929297b7768696c65282166656f6628246f757470757429297b24657865633d666765747328246f7574707574293b7d70636c6f736528246f75 }
 548 | 
 549 | condition:
 550 | 	$a0
 551 | }
 552 | rule Win_Trojan_Shell_60
 553 | {
 554 | strings:
 555 | 	$a0 = { 377175653969743273786c3578636c66736e6c6d2f6167647976346f6363346e696d6372647037756e7565346e61736c34356d707530686c6b36696e617a3062627265717032616272766c6a7476366173677a6c34772b6a65672b6b7536766e6d3363796678676b77716b3574763767 }
 556 | 
 557 | condition:
 558 | 	$a0
 559 | }
 560 | rule Win_Trojan_Shell_61
 561 | {
 562 | strings:
 563 | 	$a0 = { 6563686f206578656328276364202f746d703b6375726c202d4f20687474703a2f2f3130302d6d61747261736f762e72752f776562737461742f68616e7961722e7478743b7065726c2068616e7961722e7478743b726d202d72662068616e7961722e7478742a3b27293b }
 564 | 
 565 | condition:
 566 | 	$a0
 567 | }
 568 | rule Win_Trojan_Shell_16
 569 | {
 570 | strings:
 571 | 	$a0 = { 245f706f73745b27636d64275d3d226c73202d6c61223b207d206563686f20223c666f6e7420666163653d76657264616e612073697a653d2d323e222e246c616e675b246c616e67756167652e5f74657874315d2e223a203c623e222e245f706f73745b27636d64275d2e223c2f623e3c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e223b206563686f20223c623e223b206563686f20223c64697620616c69676e3d63656e7465723e3c7465787461726561206e616d653d7265706f727420636f6c733d31323220726f77733d31353e223b206563686f2022222e706173737468727528245f706f73745b27636d64275d292e22223b }
 572 | 
 573 | condition:
 574 | 	$a0
 575 | }
 576 | rule Win_Trojan_Shell_11
 577 | {
 578 | strings:
 579 | 	$a0 = { 66756e6374696f6e206578282463666529207b2024726573203d2027273b206966202821656d70747928246366652929207b2069662866756e6374696f6e5f657869737473282765786563272929207b20406578656328246366652c24726573293b2024726573203d206a6f696e28225c6e222c24726573293b207d20656c736569662866756e6374696f6e5f65786973747328277368656c6c5f65786563 }
 580 | 
 581 | condition:
 582 | 	$a0
 583 | }
 584 | rule Win_Trojan_Shell_13
 585 | {
 586 | strings:
 587 | 	$a0 = { 6563686f20246f75743d282273797374656d223d3d2473656c65746566756e63293f73797374656d28247368656c6c636d64293a28282473656c65746566756e633d3d226578656322293f6578656328247368656c6c636d64293a28282473656c65746566756e633d3d227368656c6c5f6578656322293f7368656c6c5f6578656328247368656c6c636d64293a28282473656c65746566756e633d3d22706173737468727522293f706173737468727528247368656c6c636d64293a73797374656d28247368656c6c636d642929 }
 588 | 
 589 | condition:
 590 | 	$a0
 591 | }
 592 | rule Win_Trojan_Shell_12
 593 | {
 594 | strings:
 595 | 	$a0 = { 6966202821656d707479282463666529297b2069662866756e6374696f6e5f6578697374732827657865632729297b20406578656328246366652c24726573293b20247265733d6a6f696e28225c6e222c24726573293b207d2e2c2c617320406f625f656e6420656c736569662866756e6374696f6e5f65786973747328277368656c6c5f657865632729297b20247265733d407368656c6c5f657865632824636665293b207d20656c736569662866756e6374696f6e5f657869737473282773797374656d2729297b }
 596 | 
 597 | condition:
 598 | 	$a0
 599 | }
 600 | rule Win_Trojan_Shell_46
 601 | {
 602 | strings:
 603 | 	$a0 = { 717765333234613d227322262268652226226c2226226c2e2226226170706c22262269222622636122262274692226226f6e2273657420713d64662e6372656174656f626a65637428717765333234612c22222961736477723d226f70222622652226226e22712e7368656c6c65786563757465 }
 604 | 
 605 | condition:
 606 | 	$a0
 607 | }
 608 | rule Win_Trojan_Shell_42
 609 | {
 610 | strings:
 611 | 	$a0 = { 696620284066756e6374696f6e5f657869737473282765786563272929207b2040657865632824636f6d6d616e642c2024726573293b20247265733d406a6f696e28225c6e222c2024726573293b207d20656c7365696620284066756e6374696f6e5f65786973747328277368656c6c5f65786563272929207b20247265733d407368656c6c5f657865632824636f6d6d616e64293b207d20656c73656966284066756e6374696f6e5f657869737473282773797374656d272929207b20406f625f737461727428293b204073797374656d2824636f6d6d616e64293b20247265733d406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d20656c7365696620284066756e6374696f6e5f65786973747328277061737374687275272929 }
 612 | 
 613 | condition:
 614 | 	$a0
 615 | }
 616 | rule Win_Trojan_Shell_43
 617 | {
 618 | strings:
 619 | 	$a0 = { 69662866756e6374696f6e5f6578697374732827657865632729297b20657865632824636f6d642c24726573293b20247265733d696d706c6f646528225c6e222c24726573293b207d656c736569662866756e6374696f6e5f65786973747328277368656c6c5f657865632729297b20247265733d7368656c6c5f657865632824636f6d64293b207d656c736569662866756e6374696f6e5f657869737473282773797374656d2729297b206f625f737461727428293b2073797374656d2824636f6d64293b20247265733d6f625f6765745f636f6e74656e747328293b206f625f656e645f636c65616e28293b207d656c736569662866756e6374696f6e5f657869737473282770617373746872752729297b206f625f737461727428293b2070617373746872752824636f6d64293b }
 620 | 
 621 | condition:
 622 | 	$a0
 623 | }
 624 | rule Win_Trojan_Shell_41
 625 | {
 626 | strings:
 627 | 	$a0 = { 737472696e67205b5d62617368636d643d7b222f62696e2f7368222c222d63222c636d647d3b2068746d6c3d726571756573742e676574706172616d65746572282268746d6c22293b206966202868746d6c20213d6e756c6c29207b206f75742e7072696e746c6e28223c68746d6c3e22293b207d2070203d2072756e74696d652e67657472756e74696d6528292e657865632862617368636d64293b }
 628 | 
 629 | condition:
 630 | 	$a0
 631 | }
 632 | rule Win_Trojan_Shell_22
 633 | {
 634 | strings:
 635 | 	$a0 = { 76616c287375627374722873747273747228246d73672c246d636d645b315d292c7374726c656e28246d636d645b315d2929293b20627265616b3b2063617365202265786563223a2024636f6d6d616e64203d207375627374722873747273747228246d73672c246d636d645b305d292c7374726c656e28246d636d645b305d292b31293b202465786563203d207368656c6c5f657865632824636f6d6d616e64293b2024726574203d206578706c6f646528225c6e222c2465786563293b2024746869732d3e707269766d73672824746869732d3e636f6e6669675b276368616e275d2c225b5c32657865635c325d3a2024636f6d6d616e6422293b20666f722824693d303b24693c636f756e742824726574293b24692b2b292069662824 }
 636 | 
 637 | condition:
 638 | 	$a0
 639 | }
 640 | rule Win_Trojan_Shell_23
 641 | {
 642 | strings:
 643 | 	$a0 = { 7328226d797368656c6c65786563222929207b2066756e6374696f6e206d797368656c6c657865632824636d6429207b2024726573756c74203d2022223b206966202821656d7074792824636d642929207b206966202869735f63616c6c61626c65282265786563222929207b657865632824636d642c24726573756c74293b2024726573756c74203d206a6f696e28225c6e222c24726573756c74293b7d20656c73656966202869735f63616c6c61626c6528227368656c6c5f65786563222929207b24726573756c74203d207368656c6c5f657865632824636d64293b7d20656c73656966202869735f63616c6c61626c65282273797374656d222929207b406f625f737461727428293b2073797374656d2824636d64293b2024726573756c74203d20406f625f6765745f636f }
 644 | 
 645 | condition:
 646 | 	$a0
 647 | }
 648 | rule Win_Trojan_Shell_26
 649 | {
 650 | strings:
 651 | 	$a0 = { 7475726e202e3d6672656164282470702c2032303936293b2070636c6f736528247070293b207d656c73657b202472657475726e202e3d20282273797374656d223d3d2473656c65746566756e63293f73797374656d28247368656c6c636d64293a28282473656c65746566756e633d3d226578656322293f6578656328247368656c6c636d64293a28282473656c65746566756e633d3d227368656c6c5f6578656322293f7368656c6c5f6578656328247368656c6c636d64293a28282473656c65746566756e633d3d22706173737468727522293f706173737468727528247368656c6c636d64293a73797374656d28247368656c6c636d64292929293b }
 652 | 
 653 | condition:
 654 | 	$a0
 655 | }
 656 | rule Win_Trojan_Shell_27
 657 | {
 658 | strings:
 659 | 	$a0 = { 662866756e6374696f6e5f6578697374732870617373746872752929207b2070617373746872752824636d64293b207d20656c7365207b2069662866756e6374696f6e5f65786973747328657865632929207b206578656328226c73202d6c61222c24726573756c74293b20666f72656163682824726573756c7420617320246f757470757429207b207072696e7420246f75747075742e223c62723e223b207d207d20656c7365207b2069662866756e6374696f6e5f6578697374732873797374656d2929207b2073797374656d2824636d64293b207d20656c7365207b2069662866756e6374696f6e5f657869737473287368656c6c5f657865632929207b207072696e74207368656c6c5f657865632824636d64293b207d20656c7365 }
 660 | 
 661 | condition:
 662 | 	$a0
 663 | }
 664 | rule Win_Trojan_Shell_68
 665 | {
 666 | strings:
 667 | 	$a0 = { 3c3f7068700a[0-64]24636f6c6f72203d202223646635223b0a2464656661756c745f616374696f6e203d202746696c65734d616e273b0a2464656661756c745f7573655f616a6178203d20747275653b0a2464656661756c745f63686172736574203d202757696e646f77732d31323531273b0a707265675f7265706c61636528222f2e2a2f65222c22 }
 668 | 
 669 | condition:
 670 | 	$a0
 671 | }
 672 | rule Win_Trojan_Shell_69
 673 | {
 674 | strings:
 675 | 	$a0 = { 247a656e645f6672616d65776f726b3d225c7836335c3136325c7836355c3134315c7837345c3134355c7835665c3134365c7837355c3135365c7836335c3136345c7836395c3135375c783665223b20406572726f725f7265706f7274696e672830293b20247a656e645f6672616d65776f726b2822222c }
 676 | 
 677 | condition:
 678 | 	$a0
 679 | }
 680 | rule Win_Trojan_Shell_30
 681 | {
 682 | strings:
 683 | 	$a0 = { 706870206563686f2024736868636d643b203f3e22202f3e203c696e70757420747970653d227375626d6974222076616c75653d226578656375746522202f3e3c6272202f3e3c3f706870206563686f20223c746578746172656120777261703d5c226f66665c2220726561646f6e6c7920726f77733d5c2232355c2220636f6c733d5c223130305c223e223b2069662828247368687074723d3d2730272926262824736868636d64213d272729297b20696628657865632824736868636d642c20246f757429297b206563686f2068746d6c656e74697469657328696d706c6f646528225c6e222c246f75 }
 684 | 
 685 | condition:
 686 | 	$a0
 687 | }
 688 | rule Win_Trojan_Shell_51
 689 | {
 690 | strings:
 691 | 	$a0 = { 69662866756e6374696f6e5f6578697374732827657865632729297b406578656328246366652c24726573293b247265733d6a6f696e28225c6e222c24726573293b7d656c736569662866756e6374696f6e5f65786973747328227368656c6c5f657865632229297b247265733d407368656c6c5f657865632824636665293b7d656c736569662866756e6374696f6e5f657869737473282273797374656d2229297b406f625f737461727428293b407379737465 }
 692 | 
 693 | condition:
 694 | 	$a0
 695 | }
 696 | rule Win_Trojan_Shell_50
 697 | {
 698 | strings:
 699 | 	$a0 = { 6966202866756e6374696f6e5f657869737473282765786563272929207b20406578656328246366652c24726573293b2024726573203d206a6f696e28225c6e222c24726573293b207d20656c73656966202866756e6374696f6e5f65786973747328277368656c6c5f65786563272929207b2024726573203d20407368656c6c5f657865632824636665293b207d20656c73656966202866756e6374696f6e5f657869737473282773797374656d272929207b20406f625f737461727428293b204073797374656d2824636665293b2024726573203d20406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d20656c73656966202866756e6374696f6e5f65786973747328277061737374687275272929207b20406f625f737461727428293b204070617373746872752824636665293b }
 700 | 
 701 | condition:
 702 | 	$a0
 703 | }
 704 | rule Win_Trojan_Shell_53
 705 | {
 706 | strings:
 707 | 	$a0 = { 69662866756e6374696f6e5f657869737473282765786563272929207b2040657865632824696e2c246f7574293b20246f75743d406a6f696e28225c6e222c246f7574293b207d656c736569662866756e6374696f6e5f65786973747328277061737374687275272929207b206f625f737461727428293b204070617373746872752824696e293b20246f75743d6f625f6765745f636c65616e28293b207d656c736569662866756e6374696f6e5f657869737473282773797374656d272929207b206f625f737461727428293b204073797374656d2824696e293b20246f75743d6f625f6765745f636c65616e28293b207d656c736569662866756e6374696f6e5f65786973747328277368656c6c5f65786563272929 }
 708 | 
 709 | condition:
 710 | 	$a0
 711 | }
 712 | rule Win_Trojan_Shell_52
 713 | {
 714 | strings:
 715 | 	$a0 = { 696620282066756e6374696f6e5f657869737473282027657865632720292029207b2040657865632820246366652c202472657320293b2024726573203d206a6f696e2820225c6e222c202472657320293b207d20656c7365696620282066756e6374696f6e5f6578697374732820277368656c6c5f657865632720292029207b2024726573203d20407368656c6c5f6578656328202463666520293b207d20656c7365696620282066756e6374696f6e5f65786973747328202773797374656d2720292029 }
 716 | 
 717 | condition:
 718 | 	$a0
 719 | }
 720 | rule Win_Trojan_Shell_55
 721 | {
 722 | strings:
 723 | 	$a0 = { 736d616c6c2070687020776562207368656c6c206279207a61636f }
 724 | 
 725 | condition:
 726 | 	$a0
 727 | }
 728 | rule Win_Trojan_Shell_54
 729 | {
 730 | strings:
 731 | 	$a0 = { 69662866756e6374696f6e5f657869737473282765786563272929207b2040657865632824636d642c24726573756c74293b2024726573756c74203d20696d706c6f646528225c6e222c24726573756c74293b207d20656c736569662866756e6374696f6e5f65786973747328277368656c6c5f657865632729292024726573756c74203d20407368656c6c5f657865632824636d64293b20656c736569662866756e6374696f6e5f657869737473282773797374656d272929 }
 732 | 
 733 | condition:
 734 | 	$a0
 735 | }
 736 | rule Win_Trojan_Shell_57
 737 | {
 738 | strings:
 739 | 	$a0 = { 6563686f28227075747261222e225f222e226172656d61222e2240796d61696c222e22636f6d22293b6563686f2822636b72696422293b }
 740 | 
 741 | condition:
 742 | 	$a0
 743 | }
 744 | rule Win_Trojan_Shell_56
 745 | {
 746 | strings:
 747 | 	$a0 = { 6563686f2822786f646f78222e225f222e226e676f72656b222e22407961686f6f222e22636f6d22293b6563686f2822636b72696422293b }
 748 | 
 749 | condition:
 750 | 	$a0
 751 | }
 752 | rule Win_Trojan_Shell_59
 753 | {
 754 | strings:
 755 | 	$a0 = { 2f2f7261772069726320636f6d6d616e6420666978656420627920746f777a616f }
 756 | 
 757 | condition:
 758 | 	$a0
 759 | }
 760 | rule Win_Trojan_Shell_58
 761 | {
 762 | strings:
 763 | 	$a0 = { 6a66397970776a68633275326e66396b7a776e767a67756f6a6639796b74736b78316739633372796468696f6a6639796c6363786d6a6d306e747a68623376707a7363736a32667664776c6c6d74697a6e6475326a796b376a663973707776797a776466636d76776267666a7a73676e78313967737578667831386e6c63696e6969346b78307975696963696c63726677636b377a787a686263676b783169706f797266756a30776f797266776430776f773d3d }
 764 | 
 765 | condition:
 766 | 	$a0
 767 | }
 768 | rule Win_Trojan_Shell_45
 769 | {
 770 | strings:
 771 | 	$a0 = { 6966202821656d7074792824636d642929207b206966202869735f63616c6c61626c65282265786563222920616e642021696e5f6172726179282265786563222c2464697361626c6566756e632929207b20657865632824636d642c24726573756c74293b2024726573756c74203d206a6f696e28225c6e222c24726573756c74293b207d20656c73656966202869735f63616c6c61626c65282273797374656d222920616e642021696e5f6172726179282273797374656d222c2464697361626c6566756e632929207b202476203d20406f625f6765745f636f6e74656e747328293b20406f625f636c65616e28293b2073797374656d2824636d64293b20 }
 772 | 
 773 | condition:
 774 | 	$a0
 775 | }
 776 | rule Win_Trojan_Shell_48
 777 | {
 778 | strings:
 779 | 	$a0 = { 3c3f706870206563686f5c2268696d6173746572215c223b696e695f736574285c226d61785f657865637574696f6e5f74696d655c222c30293b73797374656d285c2473756e747a75293b3f3e }
 780 | 
 781 | condition:
 782 | 	$a0
 783 | }
 784 | rule Win_Trojan_Shell_49
 785 | {
 786 | strings:
 787 | 	$a0 = { 6966202866756e6374696f6e5f657869737473282765786563272929207b2040657865632824696e2c246f7574293b20246f7574203d20406a6f696e28225c6e222c246f7574293b207d20656c73656966202866756e6374696f6e5f65786973747328277061737374687275272929207b206f625f737461727428293b204070617373746872752824696e293b20246f7574203d206f625f6765745f636c65616e28293b207d20656c73656966202866756e6374696f6e5f657869737473282773797374656d272929207b206f625f737461727428293b204073797374656d2824696e293b20246f7574203d206f625f6765745f636c65616e28293b207d20656c73656966202866756e6374696f6e5f65786973747328277368656c6c5f65786563272929207b20246f7574203d207368656c6c5f657865632824696e293b }
 788 | 
 789 | condition:
 790 | 	$a0
 791 | }
 792 | rule Win_Trojan_Shell_44
 793 | {
 794 | strings:
 795 | 	$a0 = { 696628245f706f73745b27[0-20]275d29207b20696e695f726573746f72652822736166655f6d6f646522293b20696e695f726573746f726528226f70656e5f6261736564697222293b2024736166656d6f646765633d7368656c6c5f65786563282465 }
 796 | 
 797 | condition:
 798 | 	$a0
 799 | }
 800 | rule Win_Trojan_Shell_15
 801 | {
 802 | strings:
 803 | 	$a0 = { 7368656c6c5f6578656329297b2473636d643d7368656c6c5f657865632824636d6e64293b20246e73636d643d68746d6c7370656369616c6368617273282473636d64293b7072696e7420246e73636d643b7d20656c73656966282166756e6374696f6e5f657869737473287368656c6c5f6578656329297b657865632824636d6e642c2465636d64293b202465636d64203d206a6f696e28225c6e222c2465636d64293b246e65636d643d68746d6c7370656369616c6368617273282465636d64293b7072696e7420246e65636d643b7d20656c73656966282166756e6374696f6e5f657869737473286578656329297b2470636d64203d20706f70656e2824636d6e642c22 }
 804 | 
 805 | condition:
 806 | 	$a0
 807 | }
 808 | rule Win_Trojan_Shell_14
 809 | {
 810 | strings:
 811 | 	$a0 = { 69662866652822657865632229297b657865632824732c2472293b24723d6a6f696e28225c6e222c2472293b7d20656c7365696628666528227368656c6c5f6578656322292924723d7368656c6c5f65786563282473293b20656c73656966286665282273797374656d2229297b6f625f737461727428293b73797374656d282473293b24723d6f625f6765745f636f6e74656e747328293b6f625f656e645f636c65616e28293b7d20656c73656966286665282270617373746872752229297b6f625f737461727428293b7061737374687275282473293b24723d6f625f67 }
 812 | 
 813 | condition:
 814 | 	$a0
 815 | }
 816 | rule Win_Trojan_Shell_17
 817 | {
 818 | strings:
 819 | 	$a0 = { 65786973747328226d797368656c6c65786563222929207b2066756e6374696f6e206d797368656c6c657865632824636d6429207b20676c6f62616c202464697361626c6566756e633b2024726573756c74203d2022223b206966202821656d7074792824636d642929207b206966202869735f63616c6c61626c65282265786563222920616e642021696e5f6172726179282265786563222c2464697361626c6566756e632929207b657865632824636d642c24726573756c74293b2024726573756c74203d206a6f696e28225c6e222c24726573756c74293b7d20656c7365696620282824726573756c74203d206024636d64602920213d3d2066616c736529207b7d20656c73656966202869735f63616c6c61626c65282273797374656d222920616e642021696e5f6172726179282273797374656d222c2464697361 }
 820 | 
 821 | condition:
 822 | 	$a0
 823 | }
 824 | rule Win_Trojan_Shell_19
 825 | {
 826 | strings:
 827 | 	$a0 = { 5f706f73745b27636f6d6d616e64275d2929207b2069662028246578656366756e633d3d2273797374656d2229207b2073797374656d28245f706f73745b27636f6d6d616e64275d293b207d20656c736569662028246578656366756e633d3d2270617373746872752229207b20706173737468727528245f706f73745b27636f6d6d616e64275d293b207d20656c736569662028246578656366756e633d3d22657865632229207b2024726573756c743d6578656328245f706f73745b22636f6d6d616e64225d293b206563686f2024726573756c743b207d20656c736569662028246578656366756e633d3d227368656c6c5f657865632229207b2024726573756c743d7368656c6c5f6578656328245f706f73745b22636f6d6d616e64225d293b206563686f2024726573756c }
 828 | 
 829 | condition:
 830 | 	$a0
 831 | }
 832 | rule Win_Trojan_Shell_18
 833 | {
 834 | strings:
 835 | 	$a0 = { 756e6374696f6e5f657869737473282765786563272929207b206966202821656d7074792824636d64292920657865632824636d642c20246f75742c2024726574293b202f2a2066756c6c206172726179206f7574707574202a2f2072657475726e20617272617928747275652c747275652c2765786563272c202727293b207d20656c73656966202866756e6374696f6e5f65786973747328277368656c6c5f65786563272929207b206966202821656d7074792824636d64292920246f75745b305d3d7368656c6c5f657865632824636d64293b202f2a2066756c6c20737472696e67206f75747075742c206e6f2072657475726e202a2f2072657475726e20617272617928747275652c66616c73652c277368656c6c5f65786563272c }
 836 | 
 837 | condition:
 838 | 	$a0
 839 | }
 840 | rule Win_Trojan_Shell_28
 841 | {
 842 | strings:
 843 | 	$a0 = { 73797374656d2824636d64293b2024726573756c74203d20406f625f6765745f636f6e74656e747328293b20406f625f636c65616e28293b206563686f2024763b207d20656c73656966202869735f63616c6c61626c6528227061737374687275222920616e642021696e5f617272617928227061737374687275222c2464697361626c6566756e632929207b202476203d20406f625f6765745f636f6e74656e747328293b20406f625f636c65616e28293b2070617373746872752824636d64293b2024726573756c74203d20406f625f6765745f636f6e74656e747328293b20406f625f636c65616e28293b206563686f2024763b207d20656c73656966202869735f7265736f7572636528246670203d20706f70656e2824636d642c227222 }
 844 | 
 845 | condition:
 846 | 	$a0
 847 | }
 848 | rule Win_Trojan_Shell_29
 849 | {
 850 | strings:
 851 | 	$a0 = { 3c3f706870206966202869737365742824636864697229292040636864697228246368646972293b206f625f73746172742820293b207061737374687275282224636d6420323e263122293b20246f7574707574203d206f625f6765745f636f6e74656e747328293b206f625f656e645f636c65616e2820293b203f3e203c3f706870206966202821656d }
 852 | 
 853 | condition:
 854 | 	$a0
 855 | }
 856 | rule Win_Trojan_ShellcodeBindTcp_1
 857 | {
 858 | strings:
 859 | 	$a0 = { fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff31c0ac3c617c022c20c1cf0d01c7e2f052578b52108b423c01d08b407885c0744a01d0508b48188b582001d3e33c498b348b01d631ff31c0acc1cf0d01c738e075f4037df83b7d2475e2588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe0585f5a8b12eb865d6833320000687773325f54684c772607ffd5b89001000029c454506829806b00ffd5505050504050405068ea0fdfe0ffd589c731db53680200[2]89e66a10565768c2db3767ffd5535768b7e938ffffd55353576874ec3be1ffd55789c768756e4d61ffd568636d640089e357575731f66a125956e2fd66c744243c01018d442410c60044545056565646564e565653566879cc3f86ffd589e04e5646ff306808871d60ffd5bb[4]68a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd5 }
 860 | 
 861 | condition:
 862 | 	$a0
 863 | }
 864 | rule Win_Trojan_ShellcodeBindTcp_2
 865 | {
 866 | strings:
 867 | 	$a0 = { e856000000535556578b6c24188b453c8b54057801ea8b4a188b5a2001ebe332498b348b01ee31fffc31c0ac38e07407c1cf0d01c7ebf23b7c241475e18b5a2401eb668b0c4b8b5a1c01eb8b048b01e8eb0231c05f5e5d5bc208005e6a3059648b198b5b0c8b5b1c8b1b8b5b0853688e4e0eecffd689c781ec0001000057565389e5e82700000090010000b61918e7a41970e9e5498649a41a70c7a4ad2ee9d909f5adcbedfc3b5753325f3332005b8d4b2051ffd789df89c38d75146a07595153ff348fff55045989048ee2f22b2754ff37ff553031c05050505040504050ff552c89c7897d0ce8060000004f4c45333200ff550889c656681b06c80dff55046a026a00ffd0566880c8266eff550489c7e820000000f58a89f7c4ca3246a2ecda06e5111af242e94c30396ed840943ab913c40c9cd458508d75ec56506a016a0083c01050ffd78d4de0518b55ec8b028b4dec518b501cffd28d45f8508b4de08b118b45e0508b4a1cffd131c0508b55f88b028b4df8518b5024ffd231db5353680200[2]89e06a10508b7d0c57ff55245357ff5528535457ff552089c768434d440089e387fa31c08d7c24ac6a1559f3ab87fa83ec54c64424104466c744243c0101897c2448897c244c897c24508d442410545051515141514951515351ff75006872feb316ff5504ffd089e6ff750068add905ceff550489c36affff36ffd3ff750068[4]ff550431db53ffd0 }
 868 | 
 869 | condition:
 870 | 	$a0
 871 | }
 872 | rule Win_Trojan_ShellHook_6
 873 | {
 874 | strings:
 875 | 	$a0 = { bcbb0a0054e805160000b19bf644242c0174050fb75c24308bc35eb42ed8445bc3a8f9f9b17ca4a09cf9f9f9f99894908c014016d85356bed065833e00753a684406207682396a00f78bc8e002390185c9750533c05ea1cc0040c7828901890d33d28bc203c08d44c1048b1ee2ba0000891889064283fa6475ec8b068b10891690895aaf0de9400426a84ce0 }
 876 | 
 877 | condition:
 878 | 	$a0
 879 | }
 880 | rule Win_Trojan_Shell_33
 881 | {
 882 | strings:
 883 | 	$a0 = { 28656e61626c6564282265786563222929207b20657865632824636d642c246f293b202472657a203d206a6f696e28225c725c6e222c246f293b207d20656c736569662028656e61626c656428227368656c6c5f65786563222929207b202472657a203d207368656c6c5f657865632824636d64293b207d20656c736569662028656e61626c6564282273797374656d222929207b20406f625f737461727428293b204073797374656d2824636d64293b202472657a203d20406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d }
 884 | 
 885 | condition:
 886 | 	$a0
 887 | }
 888 | rule Win_Trojan_Shell_32
 889 | {
 890 | strings:
 891 | 	$a0 = { 696620282821245f706f73745b27636d64275d29207c7c2028245f706f73745b27636d64275d3d3d22222929207b20245f706f73745b27636d64275d3d2269643b7077643b756e616d65202d613b6c73202d6c6164223b207d206966202828245f706f73745b27616c696173275d2920616e642028245f706f73745b27616c696173275d213d3d22222929207b20666f7265616368202824616c69617365732061732024616c6961735f6e616d653d3e24616c6961735f636d6429207b2069662028245f706f73745b27616c696173275d203d3d2024616c6961735f6e616d6529207b245f706f73745b27636d64275d3d24616c6961735f636d643b7d }
 892 | 
 893 | condition:
 894 | 	$a0
 895 | }
 896 | rule Win_Trojan_Shell_37
 897 | {
 898 | strings:
 899 | 	$a0 = { 3c746578746172656120726561646f6e6c7920726f77733d5c2231355c2220636f6c733d5c223135305c223e222e4068746d6c7370656369616c6368617273287368656c6c28245f706f73745b27636f6d6d616e64275d29292e223c2f74657874617265613e3c62723e3c696e70757420747970653d5c227375626d69745c222076616c75653d5c22657865637574655c223e }
 900 | 
 901 | condition:
 902 | 	$a0
 903 | }
 904 | rule Win_Trojan_Shell_39
 905 | {
 906 | strings:
 907 | 	$a0 = { 2f623e3c666f726d20616374696f6e3d2473656c66206d6574686f643d706f73743e3c696e70757420747970653d68696464656e206e616d653d632076616c75653d743e3c7465787461726561206e616d653d7368656c6c20726f77733d222e282169737365742824736b69707368656c6c293f31303a34292e2220636f6c733d3630207374796c653d2277696474683a313030253b223e247368656c6c3c2f74657874617265613e3c62723e3c696e70757420747970653d7375626d69743e3c2f666f726d3e3c703e223b20696620282169737365742824736b69707368656c6c2929207b206563686f20223c68722073697a653d31206e6f73686164653e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e5c6e3c786d703e223b20696620282473797374656d5f616363657373292073797374656d28247368656c6c293b20656c73652064696528 }
 908 | 
 909 | condition:
 910 | 	$a0
 911 | }
 912 | rule Win_Trojan_Shell_38
 913 | {
 914 | strings:
 915 | 	$a0 = { 5c273b206966202821656d70747928246366652929207b2069662866756e6374696f6e5f657869737473285c27657865635c272929207b20406578656328246366652c24726573293b2024726573203d206a6f696e285c225c5c6e5c222c24726573293b207d20656c736569662866756e6374696f6e5f657869737473285c277368656c6c5f657865635c272929207b2024726573203d20407368656c6c5f657865632824636665293b207d20656c736569662866756e6374696f6e5f657869737473285c2773797374656d5c272929207b20406f625f737461727428293b204073797374656d2824636665293b2024726573203d20406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d20656c736569662866756e6374696f6e5f657869737473285c2770617373746872755c272929207b20406f625f737461727428293b204070617373746872752824636665293b2024726573203d20406f625f6765 }
 916 | 
 917 | condition:
 918 | 	$a0
 919 | }
 920 | rule Win_Trojan_Shell_64
 921 | {
 922 | strings:
 923 | 	$a0 = { 3c3f706870202f2a207072697661746520212121207072697661746520212121207072697661746520212121 }
 924 | 	$a1 = { 2d2d20646f206e6f74206469737469627574652074686973207368656c6c202d2d20646f206e6f742073656c6c2074686973207368656c6c202d2d20646f206e6f742067697665206974206576656e20746f20796f7572206d6f74686572202d2d }
 925 | 
 926 | condition:
 927 | 	$a0 and $a1
 928 | }
 929 | rule Win_Trojan_Shell_65
 930 | {
 931 | strings:
 932 | 	$a0 = { 6a0089e583e4f083ec108b5d04895c24008d4d08894c240483c301c1e30201cb895c24088b0383c30485c075f7895c240ce82c00000089442400e845300000f4e80000000058ffb04f0000008b805b220000ffe0e800000000588b804b220000ffe05589e55383ec04e8000000005b8d832a000000ffd0b80000000083c4045bc9c3 }
 933 | 
 934 | condition:
 935 | 	$a0
 936 | }
 937 | rule Win_Trojan_Shell_66
 938 | {
 939 | strings:
 940 | 	$a0 = { 7072697661746520212121[0-200]6576616c28223f3e222e677a756e636f6d7072657373286261736536345f6465636f64652822 }
 941 | 
 942 | condition:
 943 | 	$a0
 944 | }
 945 | rule Win_Trojan_Shell_67
 946 | {
 947 | strings:
 948 | 	$a0 = { 24617574685f70617373203d20223633613966306561376262393830353037393662363439653835343831383435223b0d0a24636f6c6f72203d202223646635223b0d0a2464656661756c745f616374696f6e203d202746696c65734d616e273b0d0a2464656661756c745f7573655f616a6178203d2074727565 }
 949 | 
 950 | condition:
 951 | 	$a0
 952 | }
 953 | rule Win_Trojan_Shell_62
 954 | {
 955 | strings:
 956 | 	$a0 = { 66756e6374696f6e20642824732c20246b3d2727297b696628246b3d3d2727297b666f722824693d303b24693c7374726c656e282473293b2469297b24642e3d63687228686578646563287375627374722824732c2024692c20322929293b24693d28666c6f617429282469292b323b7d72657475726e2024643b7d656c73657b24723d27273b24663d642827363236313733363533363334356636343635363336663634363527293b24753d246628275a337070626d5a735958526c27293b24733d247528246628247329293b666f722824693d303b24693c7374726c656e282473293b24692b2b297b24633d7375627374722824732c2024692c2031293b246b633d73756273747228246b2c20282469257374726c656e28246b29292d312c2031293b24633d636872286f7264282463292d6f726428246b6329293b24722e3d24633b7d72657475726e }
 957 | 
 958 | condition:
 959 | 	$a0
 960 | }
 961 | rule Win_Trojan_Shell_20
 962 | {
 963 | strings:
 964 | 	$a0 = { 206966202821656d7074792824636f6d2929207b2069662866756e6374696f6e5f657869737473282765786563272929207b20657865632824636f6d2c24617272293b206563686f20696d706c6f6465282720272c24617272293b207d20656c736569662866756e6374696f6e5f65786973747328277368656c6c5f65786563272929207b206563686f207368656c6c5f657865632824636f6d293b207d20656c736569662866756e6374696f6e5f657869737473282773797374656d272929207b206563686f2073797374656d2824636f6d293b207d20656c736569662866756e6374696f6e5f65786973747328277061737374687275272929207b206563686f2070617373746872752824636f6d }
 965 | 
 966 | condition:
 967 | 	$a0
 968 | }
 969 | rule Win_Trojan_Shell_21
 970 | {
 971 | strings:
 972 | 	$a0 = { 66756e6374696f6e5f657869737473282765786563272929207b20406578656328246366652c24726573293b2024726573203d206a6f696e28225c6e222c24726573293b207d20656c73656966284066756e6374696f6e5f65786973747328277368656c6c5f65786563272929207b2024726573203d20407368656c6c5f657865632824636665293b207d20656c73656966284066756e6374696f6e5f657869737473282773797374656d272929207b20406f625f737461727428293b204073797374656d28272463666527293b2024726573203d20406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d20656c73656966284066756e6374696f6e5f657869737473282770617373746872752729 }
 973 | 
 974 | condition:
 975 | 	$a0
 976 | }
 977 | rule Win_Trojan_ShellHook_4
 978 | {
 979 | strings:
 980 | 	$a0 = { 5c496e50726f6353657276657233320041706172746d656e74000000546872656164696e674d6f64656c00007b????????????????2d????????2d????????2d????????2d????????????????????????7d0000534f4654574152455c4d6963726f736f66745c57696e646f77735c43757272656e7456657273696f6e5c4578706c6f7265725c5368656c6c45786563757465486f6f6b73 }
 981 | 
 982 | condition:
 983 | 	$a0
 984 | }
 985 | rule Win_Trojan_ShellHook_5
 986 | {
 987 | strings:
 988 | 	$a0 = { 434c5349445c0000484f4f4b0000000000000000ffffffff0f0000005c496e50726f6353657276657233320041706172746d656e74000000546872656164696e674d6f64656c0000534f4654574152455c4d6963726f736f66745c57696e646f77735c43757272656e7456657273696f6e5c4578706c6f7265725c5368656c6c45786563757465486f6f6b73 }
 989 | 
 990 | condition:
 991 | 	$a0
 992 | }
 993 | rule Win_Trojan_ShellHook_1
 994 | {
 995 | strings:
 996 | 	$a0 = { 5c496e70726f6353657276657233320000000000ffffffff0900000041706172746d656e74000000546872656164696e674d6f64656c0000536f6674776172655c4d6963726f736f66745c57696e646f77735c43757272656e7456657273696f6e5c6578706c6f7265725c5368656c6c45786563757465486f6f6b73 }
 997 | 
 998 | condition:
 999 | 	$a0
1000 | }
1001 | rule Win_Trojan_ShellHook_2
1002 | {
1003 | strings:
1004 | 	$a0 = { 484f4f4b0aa3de014d5f544c421654ee9a22a40f0c420125777a449a950a0b5a3a1304bd13614604446d5b28530f6717b75dff9fb2015669727475616c51756530015318657020885772069a3bb5db93cd100f41 }
1005 | 
1006 | condition:
1007 | 	$a0
1008 | }
1009 | rule Win_Trojan_ShellHook_3
1010 | {
1011 | strings:
1012 | 	$a0 = { 484f4f4b0000882ccfff0f5c496e50726f635365725b0040587633320041706172746d656e7479160070546872656164696e674d6f64656c4f92ba7600db04754d6963736f66745c576e02a098646f77735c437572721600d6495673696f6e5c4578706c6f59801380725c53686cdabc01a06563757465486f6f6b73 }
1013 | 
1014 | condition:
1015 | 	$a0
1016 | }
1017 | rule Win_Trojan_Shell_31
1018 | {
1019 | strings:
1020 | 	$a0 = { 3c3f2073797374656d28245f6765745b27636d64275d293b20646965202822 }
1021 | 
1022 | condition:
1023 | 	$a0
1024 | }
1025 | rule Win_Trojan_Shell_36
1026 | {
1027 | strings:
1028 | 	$a0 = { 69662866756e6374696f6e5f6578697374732827657865632729297b20406578656328246366652c24726573293b2024726573203d206a6f696e28225c6e222c24726573293b207d20656c736569662866756e6374696f6e5f65786973747328277368656c6c5f657865632729297b2024726573203d20407368656c6c5f657865632824636665293b207d20656c736569662866756e6374696f6e5f657869737473282773797374656d2729297b20406f625f737461727428293b204073797374656d2824636665293b2024726573203d20406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d20656c73656966202866756e6374696f6e5f657869737473282770617373746872752729297b20406f625f737461727428293b204070617373746872752824636665293b }
1029 | 
1030 | condition:
1031 | 	$a0
1032 | }
1033 | rule Win_Trojan_Shell_35
1034 | {
1035 | strings:
1036 | 	$a0 = { 40696e695f726573746f72652822736166655f6d6f646522293b[0-4]40696e695f726573746f726528226f70656e5f6261736564697222293b[0-4]40696e695f726573746f72652822736166655f6d6f64655f696e636c7564655f64697222293b[0-4]40696e695f726573746f72652822736166655f6d6f64655f657865635f64697222293b[0-4]40696e695f726573746f7265282264697361626c655f66756e6374696f6e7322293b[0-4]40696e695f726573746f72652822616c6c6f775f75726c }
1037 | 
1038 | condition:
1039 | 	$a0
1040 | }
1041 | rule Win_Trojan_Shell_34
1042 | {
1043 | strings:
1044 | 	$a0 = { 69662866756e6374696f6e5f6578697374732827657865632729297b20406578656328246366652c24726573293b20247265733d6a6f696e28225c6e222c24726573293b207d20656c736569662866756e6374696f6e5f65786973747328277368656c6c5f657865632729297b20247265733d407368656c6c5f657865632824636665293b207d20656c736569662866756e6374696f6e5f657869737473282773797374656d2729297b20406f625f737461727428293b204073797374656d2824636665293b }
1045 | 
1046 | condition:
1047 | 	$a0
1048 | }
1049 | rule Win_Trojan_ShellExec_2
1050 | {
1051 | strings:
1052 | 	$a0 = { 24616374696f6e20213d20227370616d3122 }
1053 | 	$a1 = { 213d22627275745f66747022 }
1054 | 	$a2 = { 213d2022646f776e6c6f61645f6d61696c22 }
1055 | 
1056 | condition:
1057 | 	$a0 and $a1 and $a2
1058 | }
1059 | rule Win_Trojan_ShellExec_3
1060 | {
1061 | strings:
1062 | 	$a0 = { 24706f72747363616e2c24706f72745f61646472657332 }
1063 | 	$a1 = { 246174746163683d246669 }
1064 | 	$a2 = { 6861636b7275 }
1065 | 
1066 | condition:
1067 | 	$a0 and $a1 and $a2
1068 | }
1069 | rule Win_Trojan_ShellExec_1
1070 | {
1071 | strings:
1072 | 	$a0 = { 69662866756e6374696f6e5f657869737473282765786563272929[0-30]406578656328[0-50]69662866756e6374696f6e5f65786973747328277368656c6c5f65786563272929[0-30]407368656c6c5f6578656328[0-50]69662866756e6374696f6e5f657869737473282773797374656d272929[0-30]4073797374656d28[0-80]69662866756e6374696f6e5f65786973747328277061737374687275272929[0-30]40706173737468727528 }
1073 | 
1074 | condition:
1075 | 	$a0
1076 | }
1077 | rule Win_Trojan_ShellExec_4
1078 | {
1079 | strings:
1080 | 	$a0 = { 662028656e61626c6564282273797374656d222929207b20406f625f737461727428293b2073797374656d2824636d64293b202472657a203d20406f625f6765745f636f6e74656e747328293b20406f625f656e645f636c65616e28293b207d20656c736569662028656e61626c6564282265786563222929207b20657865632824636d642c246f293b202472657a203d206a6f696e28225c725c6e222c246f293b207d20656c736569662028656e61626c656428227368656c6c5f65786563 }
1081 | 
1082 | condition:
1083 | 	$a0
1084 | }
1085 | rule Win_Trojan_ShellcodeFindKernel32_1
1086 | {
1087 | strings:
1088 | 	$a0 = { 31d2b27731c9648b71308b760c8b761c8b46088b7e208b36384f1875f35901d1ffe1608b6c24248b453c8b54287801ea8b4a188b5a2001ebe334498b348b01ee31ff31c0fcac84c07407c1cf0d01c7ebf43b7c242875e18b5a2401eb668b0c4b8b5a1c01eb8b048b01e88944241c61c3 }
1089 | 
1090 | condition:
1091 | 	$a0
1092 | }
1093 | rule Win_Trojan_Shell_1
1094 | {
1095 | strings:
1096 | 	$a0 = { 0f823e01b440b96429ba00001e0e1fcd21 }
1097 | 
1098 | condition:
1099 | 	$a0
1100 | }
1101 | rule Win_Trojan_Shell_47
1102 | {
1103 | strings:
1104 | 	$a0 = { 3c3f706870206f625f636c65616e28293b6563686f5c226869206d6173746572215c223b696e695f736574285c226d61785f657865637574696f6e5f74696d655c222c30293b7061737374687275285c245f6765745b636d645d293b6469653b }
1105 | 
1106 | condition:
1107 | 	$a0
1108 | }
1109 | rule Win_Trojan_Shell_40
1110 | {
1111 | strings:
1112 | 	$a0 = { 2463757272656e74636d64203d2022636420222e2463757272656e7477642e223b222e2463757272656e74636d643b2073797374656d28222463757272656e74636d6420313e202f746d702f73656d626f6e7368656c6c20323e26313b20636174202f746d702f73656d626f6e7368656c6c3b20726d202d7266202f746d702f73656d626f6e7368656c6c22293b }
1113 | 
1114 | condition:
1115 | 	$a0
1116 | }
1117 | rule Win_Trojan_ShellcodeReverseTcp_1
1118 | {
1119 | strings:
1120 | 	$a0 = { fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff31c0ac3c617c022c20c1cf0d01c7e2f052578b52108b423c01d08b407885c0744a01d0508b48188b582001d3e33c498b348b01d631ff31c0acc1cf0d01c738e075f4037df83b7d2475e2588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe0585f5a8b12eb865d6833320000687773325f54684c772607ffd5b89001000029c454506829806b00ffd5505050504050405068ea0fdfe0ffd589c768[4]680200[2]89e66a1056576899a57461ffd568636d640089e357575731f66a125956e2fd66c744243c01018d442410c60044545056565646564e565653566879cc3f86ffd589e04e5646ff306808871d60ffd5bb[4]68a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd5 }
1121 | 
1122 | condition:
1123 | 	$a0
1124 | }
1125 | 
1126 | rule Php_Trojan_StopPost1 {
1127 |     strings:
1128 |         $a = { 3D 22 73 74 6F 70 5F 22 3B 24 ?? ?? ?? 3D 73 74 72 74 6F 75 70 70 65 72 28 24 ?? ?? 5B 34 5D 2E 24 ?? ?? 5B 33 5D 2E 24 ?? ?? 5B 32 5D 2E 24 ?? ?? 5B 30 5D 2E 24 ?? ?? 5B 31 5D 29 3B }
1129 |     condition:
1130 |         $a
1131 | }
1132 | 
1133 | rule Php_Malware_Mailbot45 {
1134 |     strings:
1135 |         $a = "echo php_os." nocase
1136 |         $b = "'](0987654321)."
1137 |         $c = "'](2222222222)."
1138 | 
1139 |     condition:
1140 |         all of them
1141 | }
1142 | 


--------------------------------------------------------------------------------
/yara/phpbackdoor.yara:
--------------------------------------------------------------------------------
  1 | rule  ajaxcommand
  2 | {
  3 |     meta:
  4 |         description = "Ajax Command shell"
  5 |         url = "https://github.com/tennc/webshell/blob/master/xakep-shells/PHP/Ajax_PHP%20Command%20Shell.php.txt"
  6 | 
  7 |     strings:
  8 |         $a = "Ajax Command Shell by"
  9 |         $b = "a href=http://www.ironwarez.info"
 10 |         $c = "'Clear History' => 'ClearHistory()'"
 11 |         $d = "for some ehh...help"
 12 | 
 13 |     condition:
 14 |         any of them
 15 | }
 16 | 
 17 | rule angel_shell {
 18 |     meta:
 19 |         decsription = "rule for angel shell"
 20 |         url = "https://github.com/tennc/webshell/blob/master/xakep-shells/PHP/2008.php.php.txt"
 21 | 
 22 |     strings:
 23 |         $a = "Codz by angel(4ngel)"
 24 |         $b = "http://www.4ngel.net"
 25 |         $c = "程序配置"
 26 |         $d = "DROP TABLE tmp_angel"
 27 |         $e = "cf('/tmp/angel_bc',$back_connect)"
 28 |         $f = "$res = execute('gcc -o /tmp/angel_bc /tmp/angel_bc.c')"
 29 |         $g = "Security Angel Team [S4T]"
 30 | 
 31 |     condition:
 32 |         any of them
 33 | }
 34 | 
 35 | rule b374k {
 36 |     meta:
 37 |         description = "b374k shell"
 38 | 
 39 |     strings:
 40 |         $a = "fb621f5060b9f65acf8eb4232e3024140dea2b34"
 41 |         $b = "'ev'.'al'.'(\"?>\".gz'.'in'.'fla'.'te(ba'.'se'.'64'.'_de'.'co'.'de($x)));'"
 42 |         $c = "$b374k=$func("
 43 |         $d = "$x=gzin\".\"flate(base\".\"64_de\".\"code"
 44 |         $e = "0de664ecd2be02cdd54234a0d1229b43"
 45 |         $f = "'$x,$y','ev'.'al'.'(\"\\$s_pass=\\\"$y\\\";?>\".gz'.'inf'.'late'.'( bas'.'e64'.'_de'.'co'.'de($x)));'"
 46 |         $g = "$_COOKIE['b374k']"
 47 | 
 48 |     condition:
 49 |         any of them
 50 | }
 51 | 
 52 | rule c100 {
 53 |     meta:
 54 |         description = "c100 webshell"
 55 | 
 56 |     strings:
 57 |         $a = "$_REQUEST[\"k1r4_surl\"]"
 58 |         $b = "MeTaLTeaM (ORG) was here"
 59 |         $c = "http://emp3ror.com/kira/"
 60 |         $d = "Owned by MeTaLTeaM"
 61 |         $e = "k1r4_buff_prepare"
 62 |         $f = "k1r4_datapipe_c.txt"
 63 |         $g = "Undetectable version by <br> Spyk1r4 <br>"
 64 |         $h = "Thanks for using MeTaLTeaM"
 65 |         $i = "FTP Quick Brute (called MeTaLTeaM . oRg"
 66 | 
 67 |     condition:
 68 |         any of them
 69 | 
 70 | }
 71 | 
 72 | rule c99 {
 73 |     meta:
 74 |         description = "c99 webshell"
 75 | 
 76 |     strings:
 77 |         $a = "$_REQUEST[\"c999sh_surl\"]"
 78 |         $b = "http://ccteam.ru/"
 79 |         $c = "c999ftpbrutecheck"
 80 |         $d = "Owned by hacker"
 81 |         $e = "c999_sess_put"
 82 |         $f = "Dumped by c999Shell.SQL v. "
 83 |         $g = "Kernel attack (Krad.c) PT2"
 84 |         $h = "http://r57shell.net"
 85 |         $i = "RootShell Security Group"
 86 | 
 87 |     condition:
 88 |         any of them
 89 | }
 90 | 
 91 | rule cyb3rsh3ll {
 92 |     meta:
 93 |         description = "cyb3rsh3ll"
 94 | 
 95 |     strings:
 96 |         $a = "cyb3r.gladiat0r@gmail.com"
 97 |         $b = "cyb3r sh3ll :)"
 98 |         $c = "Owned by cyb3r.gladiat0r"
 99 |         $d = "Your Shell(cyb3r-Sh3ll) located at"
100 |         $e = "http://s15.postimage.org/94kp4a0ej"
101 |         $f = "cyb3r 9ladiat0r"
102 | 
103 |     condition:
104 |         any of them
105 | }
106 | 
107 | rule r57 {
108 |     meta:
109 |         description = "r57 webshell"
110 | 
111 |     strings:
112 |         $a = "<a href=http://rst.void.ru>r57shell</a>"
113 |         $b = "'eng_text1' =>'Executed command'"
114 |         $c = "http://127.0.0.1/r57shell/"
115 |         $d = "$_POST['from'] = 'billy@microsoft.com'"
116 | 
117 |     condition:
118 |         any of them
119 | }
120 | 
121 | rule simatacker {
122 |     meta:
123 |         description = "simatacker"
124 | 
125 |     strings:
126 |         $a = "SimAttacker - Vrsion :"
127 |         $b = " - priv8 4 My friend"
128 |         $c = "primission Not Allow change Chmod"
129 |         $d = "Iranian Hackers : WWW.SIMORGH-EV.COM"
130 |         $e= "admin(at)simorgh-ev(dot)com"
131 |         $f = "Fake Mail- DOS E-mail By Victim Server"
132 |         $g = "Welcome T0 SimAttacker 1.00  ready 2 USe"
133 |         $h = "www.r57.biz"
134 | 
135 |     condition:
136 |         any of them
137 | }
138 | 
139 | rule sosyete {
140 |     meta:
141 |         description = "sosyete"
142 | 
143 |     strings:
144 |         $a = "Sosyete Safe Mode Bypass Shell"
145 |         $b = "in ortak karisimi olarak sunulmustur"
146 | 
147 |     condition:
148 |         any of them
149 | }
150 | 
151 | rule phpobfuscator {
152 |     meta:
153 |         description = "rule for different php obfuscators"
154 |         url = "https://github.com/Te-k/php-malicious-sample/blob/master/full-width.php"
155 |         author = "@tenacioustek"
156 | 
157 |     strings:
158 |         $a = "$O10I0I01O1OI01OIOI"
159 |         $b = "$OI0IO10101OI0I01"
160 |         $c = "PHP Encode v1.0 by zeura.com"
161 |         $d = "file(__FILE__);eval(base64_decode("
162 |         $e = "$_POST['g__g_']"
163 |         $f = "$_uU(101).$_uU(118).$_uU(97).$_uU(108)"
164 |         $g = "$O00O0OO___"
165 |         $h = "$O0__O00O_O"
166 |         $i = "_$(edoced_46esab"
167 |         $j = "str_rot13(chr(113).\"rsva\""
168 |         $k = "\"b\".\"\".\"as\".\"e\".\"\".\"\".\"6\".\"4\".\"_\".\"de\".\"\".\"c\".\"o\".\"\".\"d\".\"e\""
169 |         $l = "\"b\".\"\".\"as\".\"e\".\"\".\"\".\"6\".\"4\".\"_\".\"de\".\"\".\"c\".\"o\". \"\".\"d\".\"e\""
170 |         $m = ";global$auth;function sh_decrypt_phase($data,$key)"
171 |         $n = /\$GLOBALS\['[\w\d]+'\];global\$[\w\d]+;\$[\w\d]+=\$GLOBALS;\$[\w\d]+\['[\w\d]+'\]=/
172 | 
173 |     condition:
174 |         any of them
175 | }
176 | 
177 | rule phpobfuscator_global {
178 |     meta:
179 |         description = "detect obfuscation using $GLOBAL"
180 | 
181 |     strings:
182 |         $global = "$GLOBALS["
183 |     condition:
184 |         #global > 30
185 | }
186 | 
187 | rule wso {
188 |     meta:
189 |         description = "WSO webshell"
190 |         url = "https://github.com/tennc/webshell/tree/master/php/wso"
191 |         author = "@tenacioustek"
192 | 
193 |     strings:
194 |         $a = "63a9f0ea7bb98050796b649e85481845"
195 |         $b = "$default_action = 'FilesMan'"
196 |         $c = "function WSOstripslashes"
197 |         $d = "function WSOsetcookie"
198 |         $e = "WSO_VERSION"
199 |         $f = "<h1>Suicide</h1><div class=content>Really want to remove the shell?"
200 |         $g = "CREATE TABLE wso2(file text);"
201 | 
202 |     condition:
203 |         any of them
204 | }
205 | 
206 | 
207 | rule koplak {
208 |     meta:
209 |         description = "koplak webshell"
210 | 
211 |     strings:
212 |         $a = "Hacked by sky_oot"
213 |         $b = "fuck_malaysia"
214 | 
215 |     condition:
216 |         any of them
217 | 
218 | }
219 | 
220 | rule darkshell {
221 |     meta:
222 |         author = "@tenacioustek"
223 |         description= "Darkshell"
224 | 
225 |     strings:
226 |         $a = "<center><h1>Dark Shell</h1></center><p><hr><p>"
227 |         $b = "$current = htmlentities ($_SERVER ['PHP_SELF'] . \"?dir=\" . $dir)"
228 | 
229 |     condition:
230 |         any of them
231 | }
232 | 
233 | rule webshell_functions {
234 |     meta:
235 |         description = "rules for basic webshell functions"
236 |         author = "@tenacioustek"
237 | 
238 |     strings:
239 |         $a = "find / -type f -name .htpasswd"
240 |         $b = "find . -type f -name .bash_history"
241 |         $c = "/usr/local/apache/conf/httpd.conf"
242 |         $d = "/var/cpanel/accounting.log"
243 |         $e = "http://www.packetstormsecurity.org"
244 |         $f = "which wget curl w3m lynx"
245 |         $g = "sysctl -n kernel.osrelease"
246 |         $h = "ipconfig /all"
247 |         $i = "dir /s /w /b index.php"
248 | 
249 |     condition:
250 |         any of them
251 | }
252 | private rule IRC
253 | {
254 |     strings:
255 |         $ = "USER" fullword
256 |         $ = "PASS" fullword
257 |         $ = "PRIVMSG" fullword
258 |         $ = "MODE" fullword
259 |         $ = "PING" fullword
260 |         $ = "PONG" fullword
261 |         $ = "JOIN" fullword
262 |         $ = "PART" fullword
263 | 
264 |     condition:
265 |         5 of them
266 | }
267 | 
268 | rule Websites
269 | {
270 |     strings:
271 |         $ = "1337day.com" nocase
272 |         $ = "antichat.ru" nocase
273 |         $ = "ccteam.ru" nocase
274 |         $ = "crackfor" nocase
275 |         $ = "darkc0de" nocase
276 |         $ = "egyspider.eu" nocase
277 |         $ = "exploit-db.com" nocase
278 |         $ = "fopo.com.ar" nocase  /* Free Online Php Obfuscator */
279 |         $ = "hashchecker.com" nocase
280 |         $ = "hashkiller.com" nocase
281 |         $ = "md5crack.com" nocase
282 |         $ = "md5decrypter.com" nocase
283 |         $ = "milw0rm.com" nocase
284 |         $ = "milw00rm.com" nocase
285 |         $ = "packetstormsecurity" nocase
286 |         $ = "rapid7.com" nocase
287 |         $ = "securityfocus" nocase
288 |         $ = "shodan.io" nocase
289 |         $ = "github.com/b374k/b374k" nocase
290 |         $ = "mumaasp.com" nocase
291 | 
292 |     condition:
293 |         any of them
294 | }
295 | 
296 | rule php_exploit_GIF
297 | {
298 | meta:
299 | 	author = "@patrickrolsen"
300 | 	maltype = "GIF Exploits"
301 | 	version = "0.1"
302 | 	reference = "code.google.com/p/caffsec-malware-analysis"
303 | 	date = "2013-12-14"
304 | strings:
305 | 	$magic = {47 49 46 38 ?? 61} // GIF8<version>a
306 | 	$string1 = "; // md5 Login" nocase
307 | 	$string2 = "; // md5 Password" nocase
308 | 	$string3 = "shell_exec"
309 | 	$string4 = "(base64_decode"
310 | 	$string5 = "<?php"
311 | 	$string6 = "(str_rot13"
312 | 	$string7 = {3c 3f 70 68 70} // <?php
313 | condition:
314 | 	($magic at 0) and any of ($string*)
315 | }
316 | 
317 | rule html_exploit_GIF
318 | {
319 | meta:
320 | 	author = "@patrickrolsen"
321 | 	maltype = "Web Shells"
322 | 	version = "0.1"
323 | 	reference = "code.google.com/p/caffsec-malware-analysis"
324 | 	date = "2013-12-14"
325 | strings:
326 | 	$magic = {47 49 46 38 ?? 61} // GIF8<version>a
327 | 	$string1 = {3c 68 74 6d 6c 3e} // <html>
328 | 	$string2 = {3c 48 54 4d 4c 3e} // <HTML>
329 | condition:
330 | 	($magic at 0) and (any of ($string*))
331 | }
332 | 
333 | rule web_shell_crews
334 | {
335 | meta:
336 | 	author = "@patrickrolsen"
337 | 	maltype = "Web Shell Crews"
338 | 	version = "0.4"
339 | 	reference = "http://www.exploit-db.com/exploits/24905/"
340 | 	date = "12/29/2013"
341 | strings:
342 | 	$mz = { 4d 5a } // MZ
343 | 
344 | 	$string1 = "v0pCr3w"
345 | 	$string2 = "BENJOLSHELL"
346 | 	$string3 = "EgY_SpIdEr"
347 | 	$string4 = "<title>HcJ"
348 | 	$string5 = "0wn3d"
349 | 	$string6 = "OnLy FoR QbH"
350 | 	$string7 = "wSiLm"
351 | 	$string8 = "b374k r3c0d3d"
352 | 	$string9 = "x'1n73ct|d"
353 | 	$string10 = "## CREATED BY KATE ##"
354 | 	$string11 = "Ikram Ali"
355 | 	$string12 = "FeeLCoMz"
356 | 	$string13 = "s3n4t00r"
357 | 	$string14 = "FaTaLisTiCz_Fx"
358 | 	$string15 = "feelscanz.pl"
359 | 	$string16 = "##[ KONFIGURASI"
360 | 	$string17 = "Created by Kiss_Me"
361 | 	$string18 = "Casper_Cell"
362 | 	$string19 = "# [ CREWET ] #"
363 |     	$string20 = "BY MACKER"
364 |     	$string21 = "FraNGky"
365 |     	$string22 = "1dt.w0lf"
366 |     	$string23 = "Modification By iFX" nocase
367 | condition:
368 | 	not $mz at 0 and any of ($string*)
369 | }
370 | 
371 | rule misc_php_backdoor
372 | {
373 |     meta:
374 |         author = "@patrickrolsen"
375 |         version = "0.4"
376 |         data = "12/29/2013"
377 |         reference = "Virus Total Downloading PHP files and reviewing them..."
378 |     strings:
379 |         $mz = { 4d 5a } // MZ
380 |         $php = "<?php"
381 |         $string1 = "eval(gzinflate(str_rot13(base64_decode("
382 |         $string2 = "eval(base64_decode("
383 |         $string3 = "eval(gzinflate(base64_decode("
384 |         $string4 = "cmd.exe /c"
385 |         $string5 = "eva1"
386 |         $string6 = "urldecode(stripslashes("
387 |         $string7 = "preg_replace(\"/.*/e\",\"\\x"
388 |         $string8 = "<?php echo \"<script>"
389 |         $string9 = "'o'.'w'.'s'" // 'Wi'.'nd'.'o'.'w'.'s'
390 |         $string10 = "preg_replace(\"/.*/\".'e',chr"
391 |         $string11 = "exp1ode"
392 |         $string12 = "cmdexec(\"killall ping;"
393 |         $string13 = "r57shell.php"
394 |         $string14 = "eval(\"?>\".gzuncompress(base64_decode("
395 |         $string15 = /eval\(\$_POST\[[a-zA-Z0-9]+\]\)/
396 |         $string16 = "tistittirti_rtietipltiatice"
397 |         $string17 = "$qV[4].$qV[3].$qV[2].$qV[0].$qV[1]"
398 |         $string18 = "$xsser=base64_decode($_POST"
399 |         $string19 = "preg_replace('/(.*)/e', @$_POST["
400 |         $string20 = "eval(\"?>\".base64_decode("
401 |         $string21 = "$k=\"ass\".\"ert\"; $k(${\"_PO\".\"ST\"}"
402 |         $string22 = "eval(\"return eval("
403 |         $string23 = "preg_replace('/ad/e','@'.str_rot13("
404 |     condition:
405 |         not $mz at 0 and $php and any of ($string*)
406 | }
407 | 
408 | rule pseudo_darkleech {
409 |     meta:
410 |         author = "@tenacioustek"
411 |         description = "rule for pseudo darkleech malicious code"
412 |         url = "https://blog.sucuri.net/2015/12/evolution-of-pseudo-darkleech.html"
413 | 
414 |     strings:
415 |         $a = "function request_url_data"
416 |         $b = "$url .= chr(ord($encrypted_url[$i]) ^ 3)"
417 |         $c = "curl_init and fsockopen disabled"
418 | 
419 |     condition:
420 |         any of them
421 | }
422 | 
423 | rule jpg_web_shell
424 | {
425 | meta:
426 | 	author = "@patrickrolsen"
427 | 	version = "0.1"
428 | 	data = "12/19/2013"
429 | 	reference = "http://www.securelist.com/en/blog/208214192/Malware_in_metadata"
430 | strings:
431 | 	$magic = { ff d8 ff e? } // e0, e1, e8
432 | 	$string1 = "<script src"
433 | 	$string2 = "/.*/e"
434 | 	$string3 = "base64_decode"
435 | condition:
436 | 	($magic at 0) and 1 of ($string*)
437 | }
438 | 
439 | rule phpmailer {
440 |     meta:
441 |         description = "php mass mailer"
442 | 
443 |     strings:
444 |         $a = "SUNT LA emailul"
445 |         $b = "(EMAIL VERIFICARE)"
446 |         $c = "phpmailerException"
447 |         $d = "addAddress('tsegadora@yahoo.com'"
448 |         $e = "class PHPMailer"
449 |         $f = "1af98609adf796b21c9fc735e31c57b7"
450 |         $g = "$SANDY_NR = rand($SandyNRA,$SandyNRB)"
451 |         $h = "uplod Sucess By w4l3XzY3"
452 |         $i = "B L E S S E D S I N N E R"
453 |         $j = "BlesseD MAILER 2014"
454 | 
455 |     condition:
456 |         any of them
457 | }
458 | 
459 | rule phpuploader {
460 |     meta:
461 |         author = "@tenacioustek"
462 |         description = "rule for several php uploader"
463 |     strings:
464 |         $a0 = "if(isset($_POST['Submit'])){"
465 |         $a1 = "$userfile_name = $_FILES['image']['name']"
466 |         $a2 = "$abod = $filedir.$userfile_name"
467 |     condition:
468 |         all of them
469 | }
470 | 
471 | rule phpshell1 {
472 |     meta:
473 |         author = "@tenacioustek"
474 |         url = "https://github.com/Te-k/php-malicious-sample/blob/master/Rss.php"
475 | 
476 |     strings:
477 |         $a = "I_have_problem_with_Curl"
478 |         $b = "I_have_problem_with_base64_decode"
479 |         $c = "str_ireplace(\"ADMINTASKHERE\""
480 |         $d = "str_ireplace(urldecode(\"%5BSERVERURLHERE%5D\")"
481 | 
482 |     condition:
483 |         any of them
484 | }
485 | 


--------------------------------------------------------------------------------
/yara/phpsuspicious.yara:
--------------------------------------------------------------------------------
  1 | private rule base64
  2 | {
  3 |     strings:
  4 |         $eval = "ZXZhbCg"
  5 |         $system = "c3lzdGVt"
  6 |         $preg_replace = "cHJlZ19yZXBsYWNl"
  7 |         $exec = "ZXhlYyg"
  8 |         $base64_decode = "YmFzZTY0X2RlY29kZ"
  9 |         $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg"
 10 |         $cmd_exe = "Y21kLmV4ZQ"
 11 |         $powershell = "cG93ZXJzaGVsbC5leGU"
 12 | 
 13 |     condition:
 14 |         any of them
 15 | }
 16 | 
 17 | private rule hex
 18 | {
 19 |     strings:
 20 |         $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase
 21 |         $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase
 22 |         $exec = "\\x65\\x78\\x65\\x63" nocase
 23 |         $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase
 24 |         $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase
 25 |         $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase
 26 | 
 27 |     condition:
 28 |         any of them
 29 | }
 30 | 
 31 | rule SuspiciousEncoding
 32 | {
 33 |     condition:
 34 |         base64 or hex
 35 | }
 36 | 
 37 | rule DodgyStrings
 38 | {
 39 |     strings:
 40 |         $ = ".bash_history"
 41 |         $ = /AddType\s+application\/x-httpd-php/ nocase
 42 |         $ = /php_value\s*auto_prepend_file/ nocase
 43 |         $ = /SecFilterEngine\s+Off/ nocase  // disable modsec
 44 |         $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase
 45 |         $ = ".mysql_history"
 46 |         $ = ".ssh/authorized_keys"
 47 |         $ = "/(.*)/e"  // preg_replace code execution
 48 |         $ = "/../../../"
 49 |         $ = "/etc/passwd"
 50 |         $ = "/etc/proftpd.conf"
 51 |         $ = "/etc/resolv.conf"
 52 |         $ = "/etc/shadow"
 53 |         $ = "/etc/syslog.conf"
 54 |         $ = "/proc/cpuinfo" fullword
 55 |         $ = "/var/log/lastlog"
 56 |         $ = "/windows/system32/"
 57 |         $ = "LOAD DATA LOCAL INFILE" nocase
 58 |         $ = "WScript.Shell"
 59 |         $ = "WinExec"
 60 |         $ = "b374k" fullword nocase
 61 |         $ = "backdoor" fullword nocase
 62 |         $ = /(c99|r57|fx29)shell/
 63 |         $ = "cmd.exe" fullword nocase
 64 |         $ = "powershell.exe" fullword nocase
 65 |         $ = /defac(ed|er|ement|ing)/ fullword nocase
 66 |         $ = "evilc0ders" fullword nocase
 67 |         $ = "exploit" fullword nocase
 68 |         $ = "find . -type f" fullword
 69 |         $ = "hashcrack" nocase
 70 |         $ = "id_rsa" fullword
 71 |         $ = "ipconfig" fullword nocase
 72 |         $ = "kernel32.dll" fullword nocase
 73 |         $ = "kingdefacer" nocase
 74 |         $ = "Wireghoul" nocase fullword
 75 |         $ = "libpcprofile"  // CVE-2010-3856 local root
 76 |         $ = "locus7s" nocase
 77 |         $ = "ls -la" fullword
 78 |         $ = "meterpreter" fullword
 79 |         $ = "nc -l" fullword
 80 |         $ = "php://"
 81 |         $ = "ps -aux" fullword
 82 |         $ = "rootkit" fullword nocase
 83 |         $ = "slowloris" fullword nocase
 84 |         $ = "suhosin.executor.func.blacklist"
 85 |         $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell.
 86 |         $ = "uname -a" fullword
 87 |         $ = "warez" fullword nocase
 88 |         $ = "whoami" fullword
 89 |         $ = /(reverse|web|cmd)\s*shell/ nocase
 90 |         $ = /-perm -0[24]000/ // find setuid files
 91 |         $ = /\/bin\/(ba)?sh/ fullword
 92 |         $ = /hack(ing|er|ed)/ nocase
 93 |         $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/
 94 | 
 95 |         $vbs = /language\s*=\s*vbscript/ nocase
 96 |         $asp = "scripting.filesystemobject" nocase
 97 | 
 98 |     condition:
 99 |         2 of them
100 | }
101 | 


--------------------------------------------------------------------------------
/yara/suspicious.yara:
--------------------------------------------------------------------------------
 1 | rule pharmacy {
 2 |     meta:
 3 |         author = "@tenacioustek"
 4 |         description = "Search for pharmacy related words"
 5 | 
 6 |     strings:
 7 |         $a = "cialis"
 8 |         $b = "viagra"
 9 |         $c = "pharmacy"
10 |         $d = "best generic"
11 |     condition:
12 |         2 of them
13 | }
14 | 
15 | 
16 | 
17 | rule hidden {
18 |     meta:
19 |         author = "@tenacioustek"
20 |         description = "Hidden frames"
21 | 
22 |     strings:
23 |         $a = "<div style=\"position:absolute; left:-3485px; top:-3976px;\">"
24 | 
25 |     condition:
26 |         any of them
27 | }
28 | 


--------------------------------------------------------------------------------