Sneed-Reactivity/yara-Neo23x0/vul_php_zlib_backdoor.yar


rule VULN_PHP_Hack_Backdoored_Zlib_Zerodium_Mar21_1 {
   meta:
      description = "Detects backdoored PHP zlib version"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/"
      date = "2021-03-29"
      id = "5e0ab8f8-776a-52b0-b5be-ff1d34bccfd1"
   strings:
      $x1 = "REMOVETHIS: sold to zerodium, mid 2017" fullword ascii
      $x2 = "HTTP_USER_AGENTT" ascii fullword
   condition:
      filesize < 3000KB and
      all of them
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule VULN_PHP_Hack_Backdoored_Zlib_Zerodium_Mar21_1 {`
			`meta:`
			`description = "Detects backdoored PHP zlib version"`
			`author = "Florian Roth (Nextron Systems)"`
			`reference = "https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/"`
			`date = "2021-03-29"`
			`id = "5e0ab8f8-776a-52b0-b5be-ff1d34bccfd1"`
			`strings:`
			`$x1 = "REMOVETHIS: sold to zerodium, mid 2017" fullword ascii`
			`$x2 = "HTTP_USER_AGENTT" ascii fullword`
			`condition:`
			`filesize < 3000KB and`
			`all of them`
			`}`