Sneed-Reactivity/yara-Neo23x0/vul_php_zlib_backdoor.yar

16 lines
561 B
Text
Raw Normal View History

rule VULN_PHP_Hack_Backdoored_Zlib_Zerodium_Mar21_1 {
meta:
description = "Detects backdoored PHP zlib version"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.bleepingcomputer.com/news/security/phps-git-server-hacked-to-add-backdoors-to-php-source-code/"
date = "2021-03-29"
id = "5e0ab8f8-776a-52b0-b5be-ff1d34bccfd1"
strings:
$x1 = "REMOVETHIS: sold to zerodium, mid 2017" fullword ascii
$x2 = "HTTP_USER_AGENTT" ascii fullword
condition:
filesize < 3000KB and
all of them
}