Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
0d49336b
Commit
0d49336b
authored
Jul 20, 2016
by
Vlad S
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Added PHP!Anuna
parent
e48f522e
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
21 additions
and
0 deletions
+21
-0
WShell_PHP_Anuna.yar
Webshells/WShell_PHP_Anuna.yar
+21
-0
No files found.
Webshells/WShell_PHP_Anuna.yar
0 → 100644
View file @
0d49336b
/*
I first found this in May 2016, appeared in every PHP file on the
server, cleaned it with `sed` and regex magic. Second time was
in June 2016, same decoded content, different encoding/naming.
https://www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99
*/
rule php_anuna
{
meta:
author = "Vlad https://github.com/vlad-s"
date = "2016/07/18"
description = "Catches a PHP Trojan"
strings:
$a = /<\?php \$[a-z]+ = '/
$b = /\$[a-z]+=explode\(chr\(\([0-9]+[-+][0-9]+\)\)/
$c = /\$[a-z]+=\([0-9]+[-+][0-9]+\)/
$d = /if \(!function_exists\('[a-z]+'\)\)/
condition:
all of them
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
