YARA ruleset based on PHP shells and other web server malware.
git clone https://github.com/Hestat/lw-yara.git
Scanning using ClamAV with custom rules:
clamscan -ir -l /root/scanresults.txt -d /root/lw-yara/lw-rules_index.yar -d /root/lw-yara/lw.hdb /path/to/scan/
-ir reports only infected files (-i) and scans recursively (-r)
-d specifies a custom database; here there are two: a hash database and a YARA ruleset
-l writes a log of the scan to the given file
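An added example, not part of lw-yara: one way to triage the log that -l writes, counting hits per signature and listing the files behind one signature. It assumes clamscan's hit lines have the form "<path>: <signature> FOUND" and that YARA rule hits carry a "YARA." prefix; the function names, paths and signature names are made up for the example.

```shell
#!/bin/sh
# Added example, not part of lw-yara: triage the log written by clamscan -l.
# Assumption: hit lines look like "<path>: <signature> FOUND", and hits from
# a YARA ruleset carry a "YARA." prefix in the signature name.

# Print "<count> <source> <signature>", most frequent signature first.
summarize_hits() {
    awk '
    match($0, /: [^ ]+ FOUND$/) {
        count[substr($0, RSTART + 2, RLENGTH - 8)]++   # strip ": " and " FOUND"
    }
    END {
        for (sig in count) {
            src = (sig ~ /^YARA\./) ? "yara" : "other"
            printf "%d %s %s\n", count[sig], src, sig
        }
    }' "$1" | sort -k1,1nr -k3,3
}

# Print every path flagged by signature $2, one per line.
files_for_signature() {
    awk -v want="$2" '
    match($0, /: [^ ]+ FOUND$/) {
        sig = substr($0, RSTART + 2, RLENGTH - 8)
        if (sig == want) print substr($0, 1, RSTART - 1)
    }' "$1"
}

# Constructed sample log (paths and signature names are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
/var/www/site1/wp-content/uploads/a.php: YARA.example_php_shell.UNOFFICIAL FOUND
/var/www/site1/tmp/note: v2.php: YARA.example_php_shell.UNOFFICIAL FOUND
/var/www/site2/cache/b.php: example_hash_sig.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Infected files: 3
EOF
}

log=$(mktemp)
write_sample_log "$log"
summarize_hits "$log"
files_for_signature "$log" "YARA.example_php_shell.UNOFFICIAL"
rm -f "$log"
```

Matching the signature from the end of the line keeps paths that themselves contain ": " intact, which matters when the file list is fed to a quarantine or review step.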
ClamAV 98 or newer is needed to parse YARA signatures.
More info here:
This is still a work in progress.
Includes an install script to allow for the rules to be added to the maldet scanner.
Can be used independently of maldet if yara is already installed.
To add to maldet run the install-rules.sh script.