
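// Broad-brush detection for PHP webshells and obfuscated PHP loaders.
// Fires on any single $s* indicator found alongside a "<?php" tag in a
// non-PE file, so individual indicators are intentionally cheap and the
// rule is best treated as a triage/hunting signal rather than a verdict.
rule misc_php_exploits
{
    meta:
        author = "@patrickrolsen"
        version = "0.5"
        // Key was "data" in the original; "date" is the conventional YARA meta key
        date = "08/19/2014"
        reference = "Virus Total Downloading PHP files and reviewing them..."

    strings:
        $php = "<?php" nocase

        // Layered eval()/decode chains used by obfuscated PHP loaders
        $s1 = "eval(gzinflate(str_rot13(base64_decode("
        $s2 = "eval(base64_decode("
        $s3 = "eval(gzinflate(base64_decode("
        $s15 = "eval(\"?>\".gzinflate(base64_decode("
        // $s19 (identical to $s3) was removed; "any of ($s*)" is unaffected

        // Command execution / system interaction
        $s4 = "cmd.exe /c"
        $s12 = "cmdexec(\"killall ping;"
        $s18 = "ncftpput -u $ftp_user_name -p $ftp_user_pass"

        // Digit-for-letter substitutions meant to slip past naive keyword filters
        $s5 = "eva1"
        $s11 = "exp1ode"

        // preg_replace() with the /e modifier (evaluates the replacement as PHP code)
        $s7 = "preg_replace(\"/.*/e\",\"\\x"
        $s10 = "preg_replace(\"/.*/\".'e',chr"

        // Misc. decoding / output patterns seen in the reviewed samples
        $s6 = "urldecode(stripslashes("
        $s8 = "<?php echo \"<script>"
        $s9 = "'o'.'w'.'s'" // concatenated form of 'Wi'.'nd'.'o'.'w'.'s'

        // Sample-specific artefacts (domains, handles, banner text)
        $s13 = "ms-mx.ru"
        $s14 = "N3tsh_"
        $s16 = "Your MySQL database has been backed up"
        $s17 = "Idea Conceived By"
        $s20 = "DTool Pro"

    condition:
        // uint16(0) reads little-endian, so 0x5A4D is the "MZ" PE signature;
        // excluding PE files keeps the generic strings above from firing on binaries
        not uint16(0) == 0x5A4D and $php and any of ($s*)
}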