Yara Ruleset for scanning Linux servers for shells, spamming, phishing and other webserver baddies
brian cleanup
Latest commit a7d894c Dec 10, 2018
Type Name Latest commit message Commit time
includes cleanup Dec 10, 2018
LICENSE Create LICENSE May 7, 2018
README.md updating readme Jul 4, 2018
local_whitelist.ign2 removed repeated rules on combined and updated to include whitelist f… Aug 19, 2018
lw-rules_index.yar cleanup Dec 10, 2018
lw.hdb router malware Oct 20, 2018
lw.ldb cert util sig Oct 24, 2018



YARA ruleset based on PHP shells and other webserver malware.

I will be moving to a new role soon which will take me away from front line server investigations. If you would like to keep this dataset up to date, report back new malware using my scanner:


Using the following will allow you to report new malware so I can add signatures:

blazescan -R

Installation instructions

git clone https://github.com/Hestat/lw-yara.git

Scanning using ClamAV with custom rules

Example at https://laskowski-tech.com/2018/04/26/eitest-cleanup-part-2-using-clamav-and-custom-yara-rules/

clamscan -ir -l /root/scanresults.txt -d /root/lw-yara/lw-rules_index.yar -d /root/lw-yara/lw.hdb /path/to/scan/

In clamscan:

The -ir flags report only infected files (-i) and scan recursively (-r).

The -d flag lets you specify a custom database; here we have 2, a hash database and a YARA ruleset.

The -l flag writes a log of the scan to the given file.

You need ClamAV 98 or newer to parse YARA signatures.
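To triage the log that -l writes, the following added example (not part of this repository) groups detections by signature and lists the files flagged by YARA rules. It assumes each detection line has the form `path: SignatureName FOUND` and that YARA hits are named `YARA.<rule>.UNOFFICIAL`; the function names, rule names and sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise a clamscan log written with -l.
# Assumed line format: "/path/to/file: SignatureName FOUND".
# Assumed YARA hit naming: "YARA.<rule>.UNOFFICIAL".

# Print "count signature" pairs, most frequent signature first.
hits_by_signature() {
    awk '/ FOUND$/ { n[$(NF-1)]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -k1,1nr -k2,2
}

# Print the unique paths flagged by YARA rules (hash-database hits excluded).
# The signature suffix is stripped with sed so paths containing spaces survive.
yara_hit_paths() {
    sed -n 's/: YARA\.[^ ]*\.UNOFFICIAL FOUND$//p' "$1" | sort -u
}

# Write a constructed sample log (not real scan output) to the given file.
make_sample_log() {
    cat > "$1" <<'EOF'
/home/site1/public_html/uploads/x.php: YARA.php_shell_sample.UNOFFICIAL FOUND
/home/site1/public_html/cache/a b.php: YARA.php_shell_sample.UNOFFICIAL FOUND
/home/site2/public_html/mailer.php: YARA.php_mailer_sample.UNOFFICIAL FOUND
/home/site2/tmp/dropper.bin: Sample.Hash.Entry.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 4
EOF
}

# Usage: pass a real log path (e.g. /root/scanresults.txt);
# with no argument the constructed sample is used instead.
log="${1:-}"
if [ -z "$log" ]; then
    log=$(mktemp)
    make_sample_log "$log"
    cleanup=1
fi
echo "Detections per signature:"
hits_by_signature "$log"
echo "Files matched by YARA rules:"
yara_hit_paths "$log"
if [ -n "${cleanup:-}" ]; then rm -f "$log"; fi
```

A signature that accounts for most of the hits on a server with otherwise clean sites is worth checking against local_whitelist.ign2 before cleanup, since it may be a false positive.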

More info here:


Want a scanner to run this? Check out: