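rule misc_php_exploits
{
    // Heuristic catch-all for PHP webshell / backdoor samples: the file must
    // carry a PHP open tag and at least one of the obfuscation, command-
    // execution or known-tool indicators below. Several of the strings
    // ($s1-$s3, $s15, $s6, $s18) are generic eval/decode or admin-tool
    // fragments that also appear in legitimately packed or scripted PHP,
    // so a hit is triage input rather than a verdict on its own.
    meta:
        author      = "@patrickrolsen"
        version     = "0.5"
        date        = "08/19/2014"   // key was misspelt "data"; meta does not affect matching
        reference   = "Virus Total Downloading PHP files and reviewing them..."
        description = "PHP webshell/backdoor indicators: eval-based decoder chains, command execution and known tool markers"

    strings:
        // Required anchor: PHP open tag, case-insensitive so "<?PHP" also counts.
        $php = "<?php" nocase

        // Layered eval()/decode chains typical of packed webshells.
        $s1  = "eval(gzinflate(str_rot13(base64_decode("
        $s2  = "eval(base64_decode("
        $s3  = "eval(gzinflate(base64_decode("          // the former $s19 was an exact duplicate of this string
        $s15 = "eval(\"?>\".gzinflate(base64_decode("
        $s6  = "urldecode(stripslashes("

        // preg_replace() with the /e modifier: code execution via the replacement argument.
        $s7  = "preg_replace(\"/.*/e\",\"\\x"
        $s10 = "preg_replace(\"/.*/\".'e',chr"

        // Digit-for-letter spellings used to dodge naive keyword scanners.
        $s5  = "eva1"
        $s11 = "exp1ode"

        // Command execution and host-side tooling.
        $s4  = "cmd.exe /c"
        $s12 = "cmdexec(\"killall ping;"
        $s18 = "ncftpput -u $ftp_user_name -p $ftp_user_pass"   // "$" is literal in YARA text strings

        // Script injection and concatenated-string evasion.
        $s8  = "<?php echo \"<script>"
        $s9  = "'o'.'w'.'s'"   // 'Wi'.'nd'.'o'.'w'.'s'

        // Infrastructure, banners and author/tool markers of known shells.
        $s13 = "ms-mx.ru"
        $s14 = "N3tsh_"
        $s16 = "Your MySQL database has been backed up"
        $s17 = "Idea Conceived By"
        $s20 = "DTool Pro"

    condition:
        // Skip PE images ("MZ" magic), require the PHP open tag, then any indicator.
        uint16(0) != 0x5A4D and $php and any of ($s*)
}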