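rule misc_php_exploits
{
    // Flags non-PE files that carry a PHP open tag together with at least one
    // string the author observed in PHP webshells / exploit kits pulled from
    // VirusTotal. Several indicators ($s16, $s17) are plain English phrases and
    // may hit legitimate admin scripts -- treat a match as a triage lead.
    meta:
        author    = "@patrickrolsen"
        version   = "0.5"
        date      = "08/19/2014"   // key was misspelled "data" in the original meta block
        reference = "Virus Total Downloading PHP files and reviewing them..."

    strings:
        // Reconstructed: the captured page text had an empty literal ("") here,
        // which YARA rejects at compile time ("empty string"). The open tag is
        // the only value consistent with the identifier and rule name -- confirm
        // against the upstream rule before deploying.
        $php = "<?php"

        // NOTE(review): $s1..$s8 are missing from the page as captured (most
        // likely stripped as markup); only $s9..$s20 are reproduced below.
        $s9  = "'o'.'w'.'s'"                                   // 'Wi'.'nd'.'o'.'w'.'s': concat-obfuscated "Windows"
        $s10 = "preg_replace(\"/.*/\".'e',chr"                  // /e modifier = code execution via preg_replace
        $s11 = "exp1ode"                                        // misspelled explode() helper seen in shells
        $s12 = "cmdexec(\"killall ping;"
        $s13 = "ms-mx.ru"
        $s14 = "N3tsh_"
        $s15 = "eval(\"?>\".gzinflate(base64_decode("           // layered eval/gzinflate/base64 unpacking
        $s16 = "Your MySQL database has been backed up"         // generic phrase; false-positive prone
        $s17 = "Idea Conceived By"                              // generic phrase; false-positive prone
        $s18 = "ncftpput -u $ftp_user_name -p $ftp_user_pass"   // credential-bearing FTP upload command
        $s19 = "eval(gzinflate(base64_decode("                  // same unpacking chain without the close tag
        $s20 = "DTool Pro"

    condition:
        // Skip PE images (0x5A4D == "MZ") so the text indicators are not matched
        // inside binaries; then require the open tag plus any single indicator.
        // Parentheses added for readability -- YARA already binds "==" tighter
        // than "not", so the meaning is unchanged.
        not (uint16(0) == 0x5A4D) and $php and any of ($s*)
}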