Permalink
Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign up
d9b7742
Jun 26, 2018
jvoisin
xarkes
| import "hash" | |
| include "whitelist.yar" | |
| /* | |
| Detect: | |
| - phpencode.org | |
| - http://www.pipsomania.com/best_php_obfuscator.do | |
| - http://atomiku.com/online-php-code-obfuscator/ | |
| - http://www.webtoolsvn.com/en-decode/ | |
| - http://obfuscator.uk/example/ | |
| - http://w3webtools.com/encode-php-online/ | |
| - http://www.joeswebtools.com/security/php-obfuscator/ | |
| - https://github.com/epinna/weevely3 | |
| - http://cipherdesign.co.uk/service/php-obfuscator | |
| - http://sysadmin.cyklodev.com/online-php-obfuscator/ | |
| - http://mohssen.org/SpinObf.php | |
| - https://code.google.com/p/carbylamine/ | |
| - https://github.com/tennc/webshell | |
| - https://github.com/wireghoul/htshells | |
| Thanks to: | |
| - https://stackoverflow.com/questions/3115559/exploitable-php-functions | |
| */ | |
| global private rule IsPhp | |
| { | |
| strings: | |
| $php = /<\?[^x]/ | |
| condition: | |
| $php and filesize < 5MB | |
| } | |
| rule NonPrintableChars | |
| { | |
| strings: | |
| /* | |
| Searching only for non-printable characters completely kills the perf, | |
| so we have to use atoms (https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7) | |
| to get an acceptable speed. | |
| */ | |
| $non_printables = /(function|return|base64_decode).{,256}[^\x09-\x0d\x20-\x7E]{3}/ | |
| condition: | |
| (any of them) and not IsWhitelisted | |
| } | |
| rule PasswordProtection | |
| { | |
| strings: | |
| $md5 = /md5\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{32}['"]/ nocase | |
| $sha1 = /sha1\s*\(\s*\$_(GET|REQUEST|POST|COOKIE|SERVER)[^)]+\)\s*===?\s*['"][0-9a-f]{40}['"]/ nocase | |
| condition: | |
| (any of them) and not IsWhitelisted | |
| } | |
| rule ObfuscatedPhp | |
| { | |
| strings: | |
| $eval = /(<\?php|[;{}])[ \t]*@?(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\s*\(/ nocase // ;eval( <- this is dodgy | |
| $eval_comment = /(eval|preg_replace|system|assert|passthru|(pcntl_)?exec|shell_exec|call_user_func(_array)?)\/\*[^\*]*\*\/\(/ nocase // eval/*lol*/( <- this is dodgy | |
| $b374k = "'ev'.'al'" | |
| $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k | |
| $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher | |
| $c99_launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html | |
| $nano = /\$[a-z0-9-_]+\[[^]]+\]\(/ //https://github.com/UltimateHackers/nano | |
| $ninja = /base64_decode[^;]+getallheaders/ //https://github.com/UltimateHackers/nano | |
| $variable_variable = /\${\$[0-9a-zA-z]+}/ | |
| $too_many_chr = /(chr\([\d]+\)\.){8}/ // concatenation of more than eight `chr()` | |
| $concat = /(\$[^\n\r]+\.){5}/ // concatenation of more than 5 words | |
| $concat_with_spaces = /(\$[^\n\r]+\. ){5}/ // concatenation of more than 5 words, with spaces | |
| $var_as_func = /\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]+\]\s*\(/ | |
| $comment = /\/\*([^*]|\*[^\/])*\*\/\s*\(/ // eval /* comment */ (php_code) | |
| condition: | |
| (any of them) and not IsWhitelisted | |
| } | |
| rule DodgyPhp | |
| { | |
| strings: | |
| $basedir_bypass = /curl_init\s*\(\s*["']file:\/\// nocase | |
| $basedir_bypass2 = "file:file:///" // https://www.intelligentexploit.com/view-details.html?id=8719 | |
| $disable_magic_quotes = /set_magic_quotes_runtime\s*\(\s*0/ nocase | |
| $execution = /\b(eval|assert|passthru|exec|include|system|pcntl_exec|shell_exec|base64_decode|`|array_map|ob_start|call_user_func(_array)?)\s*\(\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // function that takes a callback as 1st parameter | |
| $execution2 = /\b(array_filter|array_reduce|array_walk(_recursive)?|array_walk|assert_options|uasort|uksort|usort|preg_replace_callback|iterator_apply)\s*\(\s*[^,]+,\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))/ nocase // functions that takes a callback as 2nd parameter | |
| $execution3 = /\b(array_(diff|intersect)_u(key|assoc)|array_udiff)\s*\(\s*([^,]+\s*,?)+\s*(base64_decode|php:\/\/input|str_rot13|gz(inflate|uncompress)|getenv|pack|\\?\$_(GET|REQUEST|POST|COOKIE|SERVER))\s*\[[^]]+\]\s*\)+\s*;/ nocase // functions that takes a callback as 2nd parameter | |
| $htaccess = "SetHandler application/x-httpd-php" | |
| $iis_com = /IIS:\/\/localhost\/w3svc/ | |
| $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/ // Clever includes | |
| $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase | |
| $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/ nocase // http://php.net/manual/en/function.preg-replace.php | |
| $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_exec|`)/ // https://github.com/nbs-system/php-malware-finder/issues/41 | |
| $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/ | |
| $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/ | |
| $udp_dos = /fsockopen\s*\(\s*['"]udp:\/\// nocase | |
| $various = "<!--#exec cmd=" //http://www.w3.org/Jigsaw/Doc/User/SSI.html#exec | |
| $at_eval = /@eval\s*\(/ nocase | |
| $double_var = /\${\s*\${/ | |
| $extract = /extract\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)/ | |
| $reversed = /noitcnuf_etaerc|metsys|urhtssap|edulcni|etucexe_llehs/ nocase | |
| $silenced_include =/@\s*include\s*/ nocase | |
| condition: | |
| (any of them) and not IsWhitelisted | |
| } | |
| rule DangerousPhp | |
| { | |
| strings: | |
| $system = "system" fullword nocase // localroot bruteforcers have a lot of this | |
| $ = "array_filter" fullword nocase | |
| $ = "assert" fullword nocase | |
| $ = "backticks" fullword nocase | |
| $ = "call_user_func" fullword nocase | |
| $ = "eval" fullword nocase | |
| $ = "exec" fullword nocase | |
| $ = "fpassthru" fullword nocase | |
| $ = "fsockopen" fullword nocase | |
| $ = "function_exists" fullword nocase | |
| $ = "getmygid" fullword nocase | |
| $ = "shmop_open" fullword nocase | |
| $ = "mb_ereg_replace_callback" fullword nocase | |
| $ = "passthru" fullword nocase | |
| $ = /pcntl_(exec|fork)/ fullword nocase | |
| $ = "php_uname" fullword nocase | |
| $ = "phpinfo" fullword nocase | |
| $ = "posix_geteuid" fullword nocase | |
| $ = "posix_getgid" fullword nocase | |
| $ = "posix_getpgid" fullword nocase | |
| $ = "posix_getppid" fullword nocase | |
| $ = "posix_getpwnam" fullword nocase | |
| $ = "posix_getpwuid" fullword nocase | |
| $ = "posix_getsid" fullword nocase | |
| $ = "posix_getuid" fullword nocase | |
| $ = "posix_kill" fullword nocase | |
| $ = "posix_setegid" fullword nocase | |
| $ = "posix_seteuid" fullword nocase | |
| $ = "posix_setgid" fullword nocase | |
| $ = "posix_setpgid" fullword nocase | |
| $ = "posix_setsid" fullword nocase | |
| $ = "posix_setsid" fullword nocase | |
| $ = "posix_setuid" fullword nocase | |
| $ = "preg_replace_callback" fullword | |
| $ = "proc_open" fullword nocase | |
| $ = "proc_close" fullword nocase | |
| $ = "popen" fullword nocase | |
| $ = "register_shutdown_function" fullword nocase | |
| $ = "register_tick_function" fullword nocase | |
| $ = "shell_exec" fullword nocase | |
| $ = "shm_open" fullword nocase | |
| $ = "show_source" fullword nocase | |
| $ = "socket_create(AF_INET, SOCK_STREAM, SOL_TCP)" nocase | |
| $ = "stream_socket_pair" nocase | |
| $ = "suhosin.executor.func.blacklist" nocase | |
| $ = "unregister_tick_function" fullword nocase | |
| $ = "win32_create_service" fullword nocase | |
| $ = "xmlrpc_decode" fullword nocase nocase | |
| $ = /ob_start\s*\(\s*[^\)]/ //ob_start('assert'); echo $_REQUEST['pass']; ob_end_flush(); | |
| $whitelist = /escapeshellcmd|escapeshellarg/ nocase | |
| condition: | |
| (not $whitelist and (5 of them or #system > 250)) and not IsWhitelisted | |
| } | |
| rule HiddenInAFile | |
| { | |
| strings: | |
| $gif = {47 49 46 38 ?? 61} // GIF8[version]a | |
| $png = {89 50 4E 47 0D 0a 1a 0a} // \X89png\X0D\X0A\X1A\X0A | |
| $jpeg = {FF D8 FF E0 ?? ?? 4A 46 49 46 } // https://raw.githubusercontent.com/corkami/pics/master/JPG.png | |
| condition: | |
| ($gif at 0 or $png at 0 or $jpeg at 0) and (PasswordProtection or ObfuscatedPhp or DodgyPhp or DangerousPhp) and not IsWhitelisted | |
| } | |
| rule CloudFlareBypass | |
| { | |
| strings: | |
| $ = "chk_jschl" | |
| $ = "jschl_vc" | |
| $ = "jschl_answer" | |
| condition: | |
| 2 of them // Better be safe than sorry | |
| } | |
| private rule IRC | |
| { | |
| strings: | |
| $ = "USER" fullword nocase | |
| $ = "PASS" fullword nocase | |
| $ = "PRIVMSG" fullword nocase | |
| $ = "MODE" fullword nocase | |
| $ = "PING" fullword nocase | |
| $ = "PONG" fullword nocase | |
| $ = "JOIN" fullword nocase | |
| $ = "PART" fullword nocase | |
| condition: | |
| 5 of them | |
| } | |
| private rule base64 | |
| { | |
| strings: | |
| $user_agent = "SFRUUF9VU0VSX0FHRU5UCg" | |
| $eval = "ZXZhbCg" | |
| $system = "c3lzdGVt" | |
| $preg_replace = "cHJlZ19yZXBsYWNl" | |
| $exec = "ZXhlYyg" | |
| $base64_decode = "YmFzZTY0X2RlY29kZ" | |
| $perl_shebang = "IyEvdXNyL2Jpbi9wZXJsCg" | |
| $cmd_exe = "Y21kLmV4ZQ" | |
| $powershell = "cG93ZXJzaGVsbC5leGU" | |
| condition: | |
| any of them | |
| } | |
| private rule hex | |
| { | |
| strings: | |
| $globals = "\\x47\\x4c\\x4f\\x42\\x41\\x4c\\x53" nocase | |
| $eval = "\\x65\\x76\\x61\\x6C\\x28" nocase | |
| $exec = "\\x65\\x78\\x65\\x63" nocase | |
| $system = "\\x73\\x79\\x73\\x74\\x65\\x6d" nocase | |
| $preg_replace = "\\x70\\x72\\x65\\x67\\x5f\\x72\\x65\\x70\\x6c\\x61\\x63\\x65" nocase | |
| $http_user_agent = "\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54" nocase | |
| $base64_decode = "\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65\\x28\\x67\\x7a\\x69\\x6e\\x66\\x6c\\x61\\x74\\x65\\x28" nocase | |
| condition: | |
| any of them | |
| } | |
| private rule Hpack | |
| { | |
| strings: | |
| $globals = "474c4f42414c53" nocase | |
| $eval = "6576616C28" nocase | |
| $exec = "65786563" nocase | |
| $system = "73797374656d" nocase | |
| $preg_replace = "707265675f7265706c616365" nocase | |
| $base64_decode = "61736536345f6465636f646528677a696e666c61746528" nocase | |
| condition: | |
| any of them | |
| } | |
| private rule strrev | |
| { | |
| strings: | |
| $globals = "slabolg" nocase fullword | |
| $preg_replace = "ecalper_gerp" nocase fullword | |
| $base64_decode = "edoced_46esab" nocase fullword | |
| $gzinflate = "etalfnizg" nocase fullword | |
| condition: | |
| any of them | |
| } | |
| rule SuspiciousEncoding | |
| { | |
| condition: | |
| (base64 or hex or strrev or Hpack) and not IsWhitelisted | |
| } | |
| rule DodgyStrings | |
| { | |
| strings: | |
| $ = ".bash_history" | |
| $ = /AddType\s+application\/x-httpd-(php|cgi)/ nocase | |
| $ = /php_value\s*auto_prepend_file/ nocase | |
| $ = /SecFilterEngine\s+Off/ nocase // disable modsec | |
| $ = /Add(Handler|Type|OutputFilter)\s+[^\s]+\s+\.htaccess/ nocase | |
| $ = ".mysql_history" | |
| $ = ".ssh/authorized_keys" | |
| $ = "/(.*)/e" // preg_replace code execution | |
| $ = "/../../../" | |
| $ = "/etc/passwd" | |
| $ = "/etc/proftpd.conf" | |
| $ = "/etc/resolv.conf" | |
| $ = "/etc/shadow" | |
| $ = "/etc/syslog.conf" | |
| $ = "/proc/cpuinfo" fullword | |
| $ = "/var/log/lastlog" | |
| $ = "/windows/system32/" | |
| $ = "LOAD DATA LOCAL INFILE" nocase | |
| $ = "WScript.Shell" | |
| $ = "WinExec" | |
| $ = "b374k" fullword nocase | |
| $ = "backdoor" fullword nocase | |
| $ = /(c99|r57|fx29)shell/ | |
| $ = "cmd.exe" fullword nocase | |
| $ = "powershell.exe" fullword nocase | |
| $ = /defac(ed|er|ement|ing)/ fullword nocase | |
| $ = "evilc0ders" fullword nocase | |
| $ = "exploit" fullword nocase | |
| $ = "find . -type f" fullword | |
| $ = "hashcrack" nocase | |
| $ = "id_rsa" fullword | |
| $ = "ipconfig" fullword nocase | |
| $ = "kernel32.dll" fullword nocase | |
| $ = "kingdefacer" nocase | |
| $ = "Wireghoul" nocase fullword | |
| $ = "LD_PRELOAD" fullword | |
| $ = "libpcprofile" // CVE-2010-3856 local root | |
| $ = "locus7s" nocase | |
| $ = "ls -la" fullword | |
| $ = "meterpreter" fullword | |
| $ = "nc -l" fullword | |
| $ = "netstat -an" fullword | |
| $ = "php://" | |
| $ = "ps -aux" fullword | |
| $ = "rootkit" fullword nocase | |
| $ = "slowloris" fullword nocase | |
| $ = "suhosin" fullword | |
| $ = "sun-tzu" fullword nocase // Because quotes from the Art of War is mandatory for any cool webshell. | |
| $ = /trojan (payload)?/ | |
| $ = "uname -a" fullword | |
| $ = "visbot" nocase fullword | |
| $ = "warez" fullword nocase | |
| $ = "whoami" fullword | |
| $ = /(r[e3]v[e3]rs[e3]|w[3e]b|cmd)\s*sh[e3]ll/ nocase | |
| $ = /-perm -0[24]000/ // find setuid files | |
| $ = /\/bin\/(ba)?sh/ fullword | |
| $ = /hack(ing|er|ed)/ nocase | |
| $ = /(safe_mode|open_basedir) bypass/ nocase | |
| $ = /xp_(execresultset|regenumkeys|cmdshell|filelist)/ | |
| $vbs = /language\s*=\s*vbscript/ nocase | |
| $asp = "scripting.filesystemobject" nocase | |
| condition: | |
| (IRC or 2 of them) and not IsWhitelisted | |
| } | |
| rule Websites | |
| { | |
| strings: | |
| $ = "1337day.com" nocase | |
| $ = "antichat.ru" nocase | |
| $ = "b374k" nocase | |
| $ = "ccteam.ru" nocase | |
| $ = "crackfor" nocase | |
| $ = "darkc0de" nocase | |
| $ = "egyspider.eu" nocase | |
| $ = "exploit-db.com" nocase | |
| $ = "fopo.com.ar" nocase /* Free Online Php Obfuscator */ | |
| $ = "hashchecker.com" nocase | |
| $ = "hashkiller.com" nocase | |
| $ = "md5crack.com" nocase | |
| $ = "md5decrypter.com" nocase | |
| $ = "milw0rm.com" nocase | |
| $ = "milw00rm.com" nocase | |
| $ = "packetstormsecurity" nocase | |
| $ = "pentestmonkey.net" nocase | |
| $ = "phpjiami.com" nocase | |
| $ = "rapid7.com" nocase | |
| $ = "securityfocus" nocase | |
| $ = "shodan.io" nocase | |
| $ = "github.com/b374k/b374k" nocase | |
| $ = "mumaasp.com" nocase | |
| condition: | |
| (any of them) and not IsWhitelisted | |
| } | |