Open-source PHP malware detection signatures maintained by the Panelica security team.

| Type | Count | Format | Description |
|---|---|---|---|
| Pattern Rules | 154 | YARA + JSON | Regex-based detection for PHP webshells, backdoors, obfuscation, cryptominers, SEO spam, phishing kits, mailers |
| Hash Signatures | 20 | SHA256 | Known PHP webshell one-liner exact hashes |

Pattern rules by category:

| Category | Patterns | Description |
|---|---|---|
| Webshell | 44 | Command execution, eval injection, dynamic function calls, known shell names |
| Obfuscation | 35 | Base64/gzip/rot13 chains, XOR decode, hex encoding, reflection, goto flow |
| Backdoor | 16 | Reverse shells, bind shells, netcat, /dev/tcp, Python/Perl pivots |
| Persistence | 10 | Crontab, SSH keys, systemd units, .bashrc, auto_prepend_file, mu-plugins |
| Dropper | 10 | wget/curl download, remote include, temp file execution |
| SEO Spam | 8 | Hidden links, cloaking, Japanese spam, doorway pages, link injection |
| Info Disclosure | 7 | /etc/passwd, /etc/shadow, wp-config, /proc, env vars |
| Phishing | 5 | Telegram exfil, credit card harvest, brand impersonation |
| SQL Injection | 4 | Direct queries, PDO exec, XPath, WordPress $wpdb |
| Cryptominer | 4 | Stratum protocol, mining pools, Monero wallets |
| Mailer | 4 | Mass mailers, SMTP relay, header injection, known tools |
| Uploader | 3 | File write, fwrite, move_uploaded_file with user input |
| LFI/RFI | 2 | Include/require with user input, directory traversal |
| Deserialization | 1 | Unserialize with user input |
| Redirect | 1 | Open redirect via header() |
Scan a directory with YARA, check a single file against the known-bad hash list, or load the pattern metadata from Python:

```bash
# Scan a directory with all rules
yara -r yara/index.yar /var/www/html/

# Scan with a specific ruleset
yara -r yara/php_webshells.yar /var/www/html/

# Check a file against known-bad hashes
sha256sum suspicious.php | awk '{print $1}' | grep -Ff hashes/sha256.txt
```

```python
import json

with open('json/patterns.json') as f:
    patterns = json.load(f)

for p in patterns:
    print(f"[{p['category']}] {p['name']}: {p['description']}")
```

Repository layout:

```
yara/
  index.yar                 # Master include file
  php_webshells.yar         # Webshell detection (44 rules)
  php_obfuscation.yar       # Obfuscation detection (35 rules)
  php_backdoors.yar         # Backdoor detection (16 rules)
  php_persistence.yar       # Persistence mechanisms (10 rules)
  php_droppers.yar          # Dropper/downloader detection (10 rules)
  php_seospam.yar           # SEO spam injection (8 rules)
  php_info_disclosure.yar   # Information disclosure (7 rules)
  php_phishing.yar          # Phishing kit indicators (5 rules)
  php_sqli.yar              # SQL injection patterns (4 rules)
  php_cryptominers.yar      # Cryptominer detection (4 rules)
  php_mailers.yar           # Mailer/spammer scripts (4 rules)
  php_uploaders.yar         # Malicious uploaders (3 rules)
  php_misc.yar              # LFI, deserialization, redirect (4 rules)
json/
  patterns.json             # All patterns in machine-readable format
  hashes.json               # All hash signatures in JSON
hashes/
  sha256.txt                # One hash per line (grep-friendly)
```
These signatures power Panelica Shield — a 5-layer malware detection engine:
- K1 — Hash Lookup: Exact SHA256 match against known-bad samples
- K2 — Pattern Matching: Regex-based detection (this repository)
- K3 — Obfuscation Analysis: Deep decode chain detection
- K4 — Entropy Analysis: Shannon entropy for packed/encrypted content
- K5 — Behavioral/Taint Analysis: User input to dangerous sink flow tracking
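The following is an added, self-contained example (not part of this repository or of Panelica Shield) showing how three of the layers listed above fit together in a single pass over a set of files: K1 exact SHA256 lookup, K2 regex matching over a JSON pattern list, and K4 Shannon entropy scoring. It also mirrors the usage snippets above (hash check and `patterns.json` loading). The pattern entries use the `category`, `name` and `description` keys the README's loader reads; the `regex` key, the sample patterns, the sample PHP files and the known-bad hash list are all constructed for this example and are not the repository's real signatures.

```python
import base64
import hashlib
import json
import math
import re

# Constructed sample in the shape the README's loader reads (category, name,
# description). The 'regex' key is an assumption made for this example; it is
# not a documented field of json/patterns.json.
SAMPLE_PATTERNS_JSON = json.dumps([
    {"category": "Webshell", "name": "eval_request_input",
     "description": "eval() fed directly from a request superglobal",
     "regex": r"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"},
    {"category": "Obfuscation", "name": "base64_gzip_chain",
     "description": "gzinflate(base64_decode(...)) decode chain",
     "regex": r"gzinflate\s*\(\s*base64_decode\s*\("},
    {"category": "Backdoor", "name": "dev_tcp_reverse_shell",
     "description": "/dev/tcp socket opened from a PHP file",
     "regex": r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"},
])

# Constructed files standing in for a web root: a clean page, an eval
# one-liner, and a decode-chain file carrying a high-entropy payload.
PACKED_PAYLOAD = base64.b64encode(bytes(range(256)))
SAMPLE_FILES = {
    "index.php": b"<?php\necho 'Hello, world';\n",
    "shell.php": b"<?php eval($_POST['cmd']); ?>",
    "packed.php": b"<?php eval(gzinflate(base64_decode('" + PACKED_PAYLOAD + b"'))); ?>",
}

# K1 list: a real deployment reads hashes/sha256.txt (one hex digest per
# line). Here the set is seeded with the constructed one-liner's digest.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_FILES["shell.php"]).hexdigest()}

ENTROPY_THRESHOLD = 5.0  # bits per byte; readable PHP source is usually well below this
ENTROPY_MIN_SIZE = 64    # entropy of tiny files is capped by log2(len) and says little


def load_patterns(text):
    """Parse the JSON pattern list and compile each regex (K2)."""
    compiled = []
    for p in json.loads(text):
        if "regex" in p:
            compiled.append((p["category"], p["name"], re.compile(p["regex"], re.I)))
    return compiled


def shannon_entropy(data):
    """Shannon entropy in bits per byte (K4); 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_file(data, patterns, known_bad):
    """Run K1 (hash), K2 (regex) and K4 (entropy) over one file's bytes."""
    digest = hashlib.sha256(data).hexdigest()
    text = data.decode("latin-1")  # byte-preserving decode so regexes see raw content
    hits = [name for _cat, name, rx in patterns if rx.search(text)]
    entropy = shannon_entropy(data)
    high_entropy = len(data) >= ENTROPY_MIN_SIZE and entropy >= ENTROPY_THRESHOLD
    if digest in known_bad or hits:
        verdict = "malicious"
    elif high_entropy:
        verdict = "suspicious"   # packed/encrypted content with no signature hit: review it
    else:
        verdict = "clean"
    return {
        "sha256": digest,
        "hash_match": digest in known_bad,
        "pattern_hits": hits,
        "entropy": round(entropy, 2),
        "high_entropy": high_entropy,
        "verdict": verdict,
    }


def scan_all(files=SAMPLE_FILES, patterns_json=SAMPLE_PATTERNS_JSON, known_bad=KNOWN_BAD_SHA256):
    """Scan every file and return {filename: result}."""
    patterns = load_patterns(patterns_json)
    return {name: scan_file(data, patterns, known_bad) for name, data in files.items()}


if __name__ == "__main__":
    for name, r in scan_all().items():
        print(f"{name:12} {r['verdict']:10} hash={r['hash_match']} "
              f"hits={r['pattern_hits']} entropy={r['entropy']}")
```

The entropy layer is deliberately advisory: a high score alone yields "suspicious", not "malicious", because legitimate minified or base64-embedded assets also score high, whereas a hash or pattern hit is treated as conclusive. The minimum-size guard matters because a 29-byte file cannot exceed about 4.9 bits per byte regardless of content, so entropy is only compared once there is enough data for the statistic to mean something.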
We welcome contributions! Please see CONTRIBUTING.md for guidelines.
- New patterns: Open a PR with the YARA rule + test sample
- False positives: Open an issue with the file that was flagged
- New hashes: Submit SHA256 hashes with malware family name and source
MIT License. See LICENSE for details.